Analysis
-
max time kernel
150s -
max time network
51s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240508-en locale:en-us os:windows10-2004-x64 system -
submitted
21-06-2024 03:04
Behavioral task
behavioral1
Sample
3387340180ea017b13042ed0008f11e21e09161bbf887408beb2611033530d8f_NeikiAnalytics.exe
Resource
win7-20240611-en
5 signatures
150 seconds
General
-
Target
3387340180ea017b13042ed0008f11e21e09161bbf887408beb2611033530d8f_NeikiAnalytics.exe
-
Size
457KB
-
MD5
5dbcc6550af3f61d4d620b0ff1b010c0
-
SHA1
c46b04f4caf8b76229b358999046dc2418c45956
-
SHA256
3387340180ea017b13042ed0008f11e21e09161bbf887408beb2611033530d8f
-
SHA512
871bdc1a3e903b927e0fc817f6a2eaff5fcd02092b41e3df33b57c9ec9de5b57c70001ea9f5c53ff8025038dd1bfebc6a81fd509e90aeab475178a3a973d0da7
-
SSDEEP
12288:04wFHoSyd0V3eFp3IDvSbh5nPYERM8mXzplo4M3:rd0gFp3lz1/uzplof
Malware Config
Signatures
-
Detect Blackmoon payload 64 IoCs
Processes:
resource yara_rule behavioral2/memory/1080-7-0x0000000000400000-0x0000000000438000-memory.dmp family_blackmoon behavioral2/memory/220-8-0x0000000000400000-0x0000000000438000-memory.dmp family_blackmoon behavioral2/memory/4376-19-0x0000000000400000-0x0000000000438000-memory.dmp family_blackmoon behavioral2/memory/1612-25-0x0000000000400000-0x0000000000438000-memory.dmp family_blackmoon behavioral2/memory/1252-26-0x0000000000400000-0x0000000000438000-memory.dmp family_blackmoon behavioral2/memory/412-32-0x0000000000400000-0x0000000000438000-memory.dmp family_blackmoon behavioral2/memory/2676-39-0x0000000000400000-0x0000000000438000-memory.dmp family_blackmoon behavioral2/memory/4216-47-0x0000000000400000-0x0000000000438000-memory.dmp family_blackmoon behavioral2/memory/2092-52-0x0000000000400000-0x0000000000438000-memory.dmp family_blackmoon behavioral2/memory/4992-65-0x0000000000400000-0x0000000000438000-memory.dmp family_blackmoon behavioral2/memory/4716-66-0x0000000000400000-0x0000000000438000-memory.dmp family_blackmoon behavioral2/memory/2980-108-0x0000000000400000-0x0000000000438000-memory.dmp family_blackmoon behavioral2/memory/1436-136-0x0000000000400000-0x0000000000438000-memory.dmp family_blackmoon behavioral2/memory/4912-159-0x0000000000400000-0x0000000000438000-memory.dmp family_blackmoon behavioral2/memory/3308-170-0x0000000000400000-0x0000000000438000-memory.dmp family_blackmoon behavioral2/memory/4304-203-0x0000000000400000-0x0000000000438000-memory.dmp family_blackmoon behavioral2/memory/868-215-0x0000000000400000-0x0000000000438000-memory.dmp family_blackmoon behavioral2/memory/4312-225-0x0000000000400000-0x0000000000438000-memory.dmp family_blackmoon behavioral2/memory/4864-249-0x0000000000400000-0x0000000000438000-memory.dmp family_blackmoon behavioral2/memory/3168-260-0x0000000000400000-0x0000000000438000-memory.dmp family_blackmoon behavioral2/memory/4188-296-0x0000000000400000-0x0000000000438000-memory.dmp family_blackmoon 
behavioral2/memory/1416-307-0x0000000000400000-0x0000000000438000-memory.dmp family_blackmoon behavioral2/memory/216-317-0x0000000000400000-0x0000000000438000-memory.dmp family_blackmoon behavioral2/memory/3748-343-0x0000000000400000-0x0000000000438000-memory.dmp family_blackmoon behavioral2/memory/3556-361-0x0000000000400000-0x0000000000438000-memory.dmp family_blackmoon behavioral2/memory/4328-368-0x0000000000400000-0x0000000000438000-memory.dmp family_blackmoon behavioral2/memory/2124-398-0x0000000000400000-0x0000000000438000-memory.dmp family_blackmoon behavioral2/memory/4396-409-0x0000000000400000-0x0000000000438000-memory.dmp family_blackmoon behavioral2/memory/4540-420-0x0000000000400000-0x0000000000438000-memory.dmp family_blackmoon behavioral2/memory/3176-433-0x0000000000400000-0x0000000000438000-memory.dmp family_blackmoon behavioral2/memory/2788-356-0x0000000000400000-0x0000000000438000-memory.dmp family_blackmoon behavioral2/memory/1072-443-0x0000000000400000-0x0000000000438000-memory.dmp family_blackmoon behavioral2/memory/3152-292-0x0000000000400000-0x0000000000438000-memory.dmp family_blackmoon behavioral2/memory/3680-287-0x0000000000400000-0x0000000000438000-memory.dmp family_blackmoon behavioral2/memory/4864-245-0x0000000000400000-0x0000000000438000-memory.dmp family_blackmoon behavioral2/memory/5064-231-0x0000000000400000-0x0000000000438000-memory.dmp family_blackmoon behavioral2/memory/3712-227-0x0000000000400000-0x0000000000438000-memory.dmp family_blackmoon behavioral2/memory/2760-211-0x0000000000400000-0x0000000000438000-memory.dmp family_blackmoon behavioral2/memory/3296-207-0x0000000000400000-0x0000000000438000-memory.dmp family_blackmoon behavioral2/memory/2856-199-0x0000000000400000-0x0000000000438000-memory.dmp family_blackmoon behavioral2/memory/2916-196-0x0000000000400000-0x0000000000438000-memory.dmp family_blackmoon behavioral2/memory/3312-176-0x0000000000400000-0x0000000000438000-memory.dmp family_blackmoon 
behavioral2/memory/4368-157-0x0000000000400000-0x0000000000438000-memory.dmp family_blackmoon behavioral2/memory/4632-141-0x0000000000400000-0x0000000000438000-memory.dmp family_blackmoon behavioral2/memory/4908-126-0x0000000000400000-0x0000000000438000-memory.dmp family_blackmoon behavioral2/memory/3844-119-0x0000000000400000-0x0000000000438000-memory.dmp family_blackmoon behavioral2/memory/2600-101-0x0000000000400000-0x0000000000438000-memory.dmp family_blackmoon behavioral2/memory/964-90-0x0000000000400000-0x0000000000438000-memory.dmp family_blackmoon behavioral2/memory/3268-89-0x0000000000400000-0x0000000000438000-memory.dmp family_blackmoon behavioral2/memory/3688-78-0x0000000000400000-0x0000000000438000-memory.dmp family_blackmoon behavioral2/memory/2132-77-0x0000000000400000-0x0000000000438000-memory.dmp family_blackmoon behavioral2/memory/464-461-0x0000000000400000-0x0000000000438000-memory.dmp family_blackmoon behavioral2/memory/1688-465-0x0000000000400000-0x0000000000438000-memory.dmp family_blackmoon behavioral2/memory/5116-472-0x0000000000400000-0x0000000000438000-memory.dmp family_blackmoon behavioral2/memory/4188-490-0x0000000000400000-0x0000000000438000-memory.dmp family_blackmoon behavioral2/memory/2980-508-0x0000000000400000-0x0000000000438000-memory.dmp family_blackmoon behavioral2/memory/1248-528-0x0000000000400000-0x0000000000438000-memory.dmp family_blackmoon behavioral2/memory/3892-553-0x0000000000400000-0x0000000000438000-memory.dmp family_blackmoon behavioral2/memory/1716-615-0x0000000000400000-0x0000000000438000-memory.dmp family_blackmoon behavioral2/memory/1628-633-0x0000000000400000-0x0000000000438000-memory.dmp family_blackmoon behavioral2/memory/4548-679-0x0000000000400000-0x0000000000438000-memory.dmp family_blackmoon behavioral2/memory/4168-737-0x0000000000400000-0x0000000000438000-memory.dmp family_blackmoon behavioral2/memory/4960-813-0x0000000000400000-0x0000000000438000-memory.dmp family_blackmoon 
behavioral2/memory/3520-838-0x0000000000400000-0x0000000000438000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
Processes:
jvvpp.exevppjd.exe7rlxrlx.exenbnnhn.exedpdvj.exelfrlrrl.exetntnnn.exerllfxrl.exefrxxrrl.exebhtthb.exefrfxrxr.exeffffxxx.exexffxrrl.exeflrfxrr.exebtttnn.exevpdvj.exefxfxrrl.exe3nnthn.exeppvvp.exeflrfllf.exe5hnnhh.exedpjdd.exejvdpj.exelllffrl.exevpjvp.exerxrlllf.exenbhttn.exe5jvpj.exefxfxlff.exetnnnbn.exevvpjd.exe5rxrrrl.exerlffxlf.exe7ntnbb.exevdjjj.exe1pppp.exelflffff.exe5tbtbn.exebtnnhb.exevdddd.exerfrlfff.exe1rlfxxr.exe9tbthh.exerxxllfx.exelxrrlll.exehbbttt.exe5vpvv.exepjddd.exe5rlfrlf.exe1btnhh.exepjvpj.exelxffrxx.exehbnhtn.exedpvjv.exelrrrxxr.exefxxlxrl.exehbnhhb.exejvpvj.exe5pvjv.exelrflxxr.exe5bhhbb.exevvpjd.exevpjdv.exexxffrlf.exepid process 220 jvvpp.exe 4376 vppjd.exe 1612 7rlxrlx.exe 1252 nbnnhn.exe 412 dpdvj.exe 2676 lfrlrrl.exe 4216 tntnnn.exe 2092 rllfxrl.exe 4972 frxxrrl.exe 4992 bhtthb.exe 4716 frfxrxr.exe 2132 ffffxxx.exe 3688 xffxrrl.exe 3268 flrfxrr.exe 964 btttnn.exe 2600 vpdvj.exe 2524 fxfxrrl.exe 2980 3nnthn.exe 3844 ppvvp.exe 3088 flrfllf.exe 4908 5hnnhh.exe 1436 dpjdd.exe 4632 jvdpj.exe 1796 lllffrl.exe 3632 vpjvp.exe 4912 rxrlllf.exe 4368 nbhttn.exe 1092 5jvpj.exe 3308 fxfxlff.exe 3312 tnnnbn.exe 1824 vvpjd.exe 3356 5rxrrrl.exe 3000 rlffxlf.exe 2916 7ntnbb.exe 2856 vdjjj.exe 4304 1pppp.exe 3296 lflffff.exe 2760 5tbtbn.exe 868 btnnhb.exe 748 vdddd.exe 4312 rfrlfff.exe 1936 1rlfxxr.exe 5064 9tbthh.exe 4376 rxxllfx.exe 8 lxrrlll.exe 3176 hbbttt.exe 4864 5vpvv.exe 1628 pjddd.exe 4840 5rlfrlf.exe 4228 1btnhh.exe 3168 pjvpj.exe 3340 lxffrxx.exe 3816 hbnhtn.exe 3056 dpvjv.exe 1216 lrrrxxr.exe 2424 fxxlxrl.exe 4728 hbnhhb.exe 3680 jvpvj.exe 1380 5pvjv.exe 3152 lrflxxr.exe 4188 5bhhbb.exe 4500 vvpjd.exe 1416 vpjdv.exe 2600 xxffrlf.exe -
Processes:
resource yara_rule behavioral2/memory/1080-0-0x0000000000400000-0x0000000000438000-memory.dmp upx C:\jvvpp.exe upx behavioral2/memory/1080-7-0x0000000000400000-0x0000000000438000-memory.dmp upx behavioral2/memory/220-8-0x0000000000400000-0x0000000000438000-memory.dmp upx \??\c:\vppjd.exe upx behavioral2/memory/4376-12-0x0000000000400000-0x0000000000438000-memory.dmp upx C:\7rlxrlx.exe upx behavioral2/memory/4376-19-0x0000000000400000-0x0000000000438000-memory.dmp upx \??\c:\nbnnhn.exe upx behavioral2/memory/1612-25-0x0000000000400000-0x0000000000438000-memory.dmp upx behavioral2/memory/1252-26-0x0000000000400000-0x0000000000438000-memory.dmp upx \??\c:\dpdvj.exe upx C:\lfrlrrl.exe upx behavioral2/memory/412-32-0x0000000000400000-0x0000000000438000-memory.dmp upx behavioral2/memory/2676-39-0x0000000000400000-0x0000000000438000-memory.dmp upx C:\tntnnn.exe upx \??\c:\rllfxrl.exe upx behavioral2/memory/4216-47-0x0000000000400000-0x0000000000438000-memory.dmp upx C:\frxxrrl.exe upx behavioral2/memory/2092-52-0x0000000000400000-0x0000000000438000-memory.dmp upx \??\c:\bhtthb.exe upx C:\frfxrxr.exe upx behavioral2/memory/4992-65-0x0000000000400000-0x0000000000438000-memory.dmp upx behavioral2/memory/4716-66-0x0000000000400000-0x0000000000438000-memory.dmp upx C:\vpdvj.exe upx C:\3nnthn.exe upx behavioral2/memory/2980-108-0x0000000000400000-0x0000000000438000-memory.dmp upx behavioral2/memory/3844-113-0x0000000000400000-0x0000000000438000-memory.dmp upx C:\flrfllf.exe upx \??\c:\5hnnhh.exe upx \??\c:\dpjdd.exe upx behavioral2/memory/1436-136-0x0000000000400000-0x0000000000438000-memory.dmp upx \??\c:\jvdpj.exe upx \??\c:\lllffrl.exe upx C:\vpjvp.exe upx \??\c:\rxrlllf.exe upx behavioral2/memory/4912-159-0x0000000000400000-0x0000000000438000-memory.dmp upx \??\c:\5jvpj.exe upx behavioral2/memory/3308-170-0x0000000000400000-0x0000000000438000-memory.dmp upx \??\c:\fxfxlff.exe upx \??\c:\tnnnbn.exe upx \??\c:\vvpjd.exe upx 
behavioral2/memory/3356-186-0x0000000000400000-0x0000000000438000-memory.dmp upx behavioral2/memory/4304-203-0x0000000000400000-0x0000000000438000-memory.dmp upx behavioral2/memory/868-215-0x0000000000400000-0x0000000000438000-memory.dmp upx behavioral2/memory/4312-225-0x0000000000400000-0x0000000000438000-memory.dmp upx behavioral2/memory/3176-241-0x0000000000400000-0x0000000000438000-memory.dmp upx behavioral2/memory/1628-250-0x0000000000400000-0x0000000000438000-memory.dmp upx behavioral2/memory/4864-249-0x0000000000400000-0x0000000000438000-memory.dmp upx behavioral2/memory/3168-260-0x0000000000400000-0x0000000000438000-memory.dmp upx behavioral2/memory/3056-271-0x0000000000400000-0x0000000000438000-memory.dmp upx behavioral2/memory/4188-296-0x0000000000400000-0x0000000000438000-memory.dmp upx behavioral2/memory/1416-307-0x0000000000400000-0x0000000000438000-memory.dmp upx behavioral2/memory/216-317-0x0000000000400000-0x0000000000438000-memory.dmp upx behavioral2/memory/3748-343-0x0000000000400000-0x0000000000438000-memory.dmp upx behavioral2/memory/3892-357-0x0000000000400000-0x0000000000438000-memory.dmp upx behavioral2/memory/3556-361-0x0000000000400000-0x0000000000438000-memory.dmp upx behavioral2/memory/4328-368-0x0000000000400000-0x0000000000438000-memory.dmp upx behavioral2/memory/3372-375-0x0000000000400000-0x0000000000438000-memory.dmp upx behavioral2/memory/3100-388-0x0000000000400000-0x0000000000438000-memory.dmp upx behavioral2/memory/2228-399-0x0000000000400000-0x0000000000438000-memory.dmp upx behavioral2/memory/2124-398-0x0000000000400000-0x0000000000438000-memory.dmp upx behavioral2/memory/4396-409-0x0000000000400000-0x0000000000438000-memory.dmp upx behavioral2/memory/3496-410-0x0000000000400000-0x0000000000438000-memory.dmp upx -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
3387340180ea017b13042ed0008f11e21e09161bbf887408beb2611033530d8f_NeikiAnalytics.exejvvpp.exevppjd.exe7rlxrlx.exenbnnhn.exedpdvj.exelfrlrrl.exetntnnn.exerllfxrl.exefrxxrrl.exebhtthb.exefrfxrxr.exeffffxxx.exexffxrrl.exeflrfxrr.exebtttnn.exevpdvj.exefxfxrrl.exe3nnthn.exeppvvp.exeflrfllf.exe5hnnhh.exedescription pid process target process PID 1080 wrote to memory of 220 1080 3387340180ea017b13042ed0008f11e21e09161bbf887408beb2611033530d8f_NeikiAnalytics.exe jvvpp.exe PID 1080 wrote to memory of 220 1080 3387340180ea017b13042ed0008f11e21e09161bbf887408beb2611033530d8f_NeikiAnalytics.exe jvvpp.exe PID 1080 wrote to memory of 220 1080 3387340180ea017b13042ed0008f11e21e09161bbf887408beb2611033530d8f_NeikiAnalytics.exe jvvpp.exe PID 220 wrote to memory of 4376 220 jvvpp.exe rxxllfx.exe PID 220 wrote to memory of 4376 220 jvvpp.exe rxxllfx.exe PID 220 wrote to memory of 4376 220 jvvpp.exe rxxllfx.exe PID 4376 wrote to memory of 1612 4376 vppjd.exe vpjjd.exe PID 4376 wrote to memory of 1612 4376 vppjd.exe vpjjd.exe PID 4376 wrote to memory of 1612 4376 vppjd.exe vpjjd.exe PID 1612 wrote to memory of 1252 1612 7rlxrlx.exe nbnnhn.exe PID 1612 wrote to memory of 1252 1612 7rlxrlx.exe nbnnhn.exe PID 1612 wrote to memory of 1252 1612 7rlxrlx.exe nbnnhn.exe PID 1252 wrote to memory of 412 1252 nbnnhn.exe dpdvj.exe PID 1252 wrote to memory of 412 1252 nbnnhn.exe dpdvj.exe PID 1252 wrote to memory of 412 1252 nbnnhn.exe dpdvj.exe PID 412 wrote to memory of 2676 412 dpdvj.exe hbhbbt.exe PID 412 wrote to memory of 2676 412 dpdvj.exe hbhbbt.exe PID 412 wrote to memory of 2676 412 dpdvj.exe hbhbbt.exe PID 2676 wrote to memory of 4216 2676 lfrlrrl.exe tntnnn.exe PID 2676 wrote to memory of 4216 2676 lfrlrrl.exe tntnnn.exe PID 2676 wrote to memory of 4216 2676 lfrlrrl.exe tntnnn.exe PID 4216 wrote to memory of 2092 4216 tntnnn.exe rllfxrl.exe PID 4216 wrote to memory of 2092 4216 tntnnn.exe rllfxrl.exe PID 4216 wrote to memory of 2092 4216 tntnnn.exe rllfxrl.exe PID 2092 wrote to memory of 
4972 2092 rllfxrl.exe frxxrrl.exe PID 2092 wrote to memory of 4972 2092 rllfxrl.exe frxxrrl.exe PID 2092 wrote to memory of 4972 2092 rllfxrl.exe frxxrrl.exe PID 4972 wrote to memory of 4992 4972 frxxrrl.exe bhtthb.exe PID 4972 wrote to memory of 4992 4972 frxxrrl.exe bhtthb.exe PID 4972 wrote to memory of 4992 4972 frxxrrl.exe bhtthb.exe PID 4992 wrote to memory of 4716 4992 bhtthb.exe frxlrlr.exe PID 4992 wrote to memory of 4716 4992 bhtthb.exe frxlrlr.exe PID 4992 wrote to memory of 4716 4992 bhtthb.exe frxlrlr.exe PID 4716 wrote to memory of 2132 4716 frfxrxr.exe ffffxxx.exe PID 4716 wrote to memory of 2132 4716 frfxrxr.exe ffffxxx.exe PID 4716 wrote to memory of 2132 4716 frfxrxr.exe ffffxxx.exe PID 2132 wrote to memory of 3688 2132 ffffxxx.exe xffxrrl.exe PID 2132 wrote to memory of 3688 2132 ffffxxx.exe xffxrrl.exe PID 2132 wrote to memory of 3688 2132 ffffxxx.exe xffxrrl.exe PID 3688 wrote to memory of 3268 3688 xffxrrl.exe flrfxrr.exe PID 3688 wrote to memory of 3268 3688 xffxrrl.exe flrfxrr.exe PID 3688 wrote to memory of 3268 3688 xffxrrl.exe flrfxrr.exe PID 3268 wrote to memory of 964 3268 flrfxrr.exe 9hbtnt.exe PID 3268 wrote to memory of 964 3268 flrfxrr.exe 9hbtnt.exe PID 3268 wrote to memory of 964 3268 flrfxrr.exe 9hbtnt.exe PID 964 wrote to memory of 2600 964 btttnn.exe vpdvj.exe PID 964 wrote to memory of 2600 964 btttnn.exe vpdvj.exe PID 964 wrote to memory of 2600 964 btttnn.exe vpdvj.exe PID 2600 wrote to memory of 2524 2600 vpdvj.exe fxfxrrl.exe PID 2600 wrote to memory of 2524 2600 vpdvj.exe fxfxrrl.exe PID 2600 wrote to memory of 2524 2600 vpdvj.exe fxfxrrl.exe PID 2524 wrote to memory of 2980 2524 fxfxrrl.exe 3nnthn.exe PID 2524 wrote to memory of 2980 2524 fxfxrrl.exe 3nnthn.exe PID 2524 wrote to memory of 2980 2524 fxfxrrl.exe 3nnthn.exe PID 2980 wrote to memory of 3844 2980 3nnthn.exe ppvvp.exe PID 2980 wrote to memory of 3844 2980 3nnthn.exe ppvvp.exe PID 2980 wrote to memory of 3844 2980 3nnthn.exe ppvvp.exe PID 3844 wrote to memory 
of 3088 3844 ppvvp.exe flrfllf.exe PID 3844 wrote to memory of 3088 3844 ppvvp.exe flrfllf.exe PID 3844 wrote to memory of 3088 3844 ppvvp.exe flrfllf.exe PID 3088 wrote to memory of 4908 3088 flrfllf.exe 5hnnhh.exe PID 3088 wrote to memory of 4908 3088 flrfllf.exe 5hnnhh.exe PID 3088 wrote to memory of 4908 3088 flrfllf.exe 5hnnhh.exe PID 4908 wrote to memory of 1436 4908 5hnnhh.exe dpjdd.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\3387340180ea017b13042ed0008f11e21e09161bbf887408beb2611033530d8f_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\3387340180ea017b13042ed0008f11e21e09161bbf887408beb2611033530d8f_NeikiAnalytics.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1080 -
\??\c:\jvvpp.exec:\jvvpp.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:220 -
\??\c:\vppjd.exec:\vppjd.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4376 -
\??\c:\7rlxrlx.exec:\7rlxrlx.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1612 -
\??\c:\nbnnhn.exec:\nbnnhn.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1252 -
\??\c:\dpdvj.exec:\dpdvj.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:412 -
\??\c:\lfrlrrl.exec:\lfrlrrl.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2676 -
\??\c:\tntnnn.exec:\tntnnn.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4216 -
\??\c:\rllfxrl.exec:\rllfxrl.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2092 -
\??\c:\frxxrrl.exec:\frxxrrl.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4972 -
\??\c:\bhtthb.exec:\bhtthb.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4992 -
\??\c:\frfxrxr.exec:\frfxrxr.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4716 -
\??\c:\ffffxxx.exec:\ffffxxx.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2132 -
\??\c:\xffxrrl.exec:\xffxrrl.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3688 -
\??\c:\flrfxrr.exec:\flrfxrr.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3268 -
\??\c:\btttnn.exec:\btttnn.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:964 -
\??\c:\vpdvj.exec:\vpdvj.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2600 -
\??\c:\fxfxrrl.exec:\fxfxrrl.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2524 -
\??\c:\3nnthn.exec:\3nnthn.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2980 -
\??\c:\ppvvp.exec:\ppvvp.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3844 -
\??\c:\flrfllf.exec:\flrfllf.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3088 -
\??\c:\5hnnhh.exec:\5hnnhh.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4908 -
\??\c:\dpjdd.exec:\dpjdd.exe23⤵
- Executes dropped EXE
PID:1436 -
\??\c:\jvdpj.exec:\jvdpj.exe24⤵
- Executes dropped EXE
PID:4632 -
\??\c:\lllffrl.exec:\lllffrl.exe25⤵
- Executes dropped EXE
PID:1796 -
\??\c:\vpjvp.exec:\vpjvp.exe26⤵
- Executes dropped EXE
PID:3632 -
\??\c:\rxrlllf.exec:\rxrlllf.exe27⤵
- Executes dropped EXE
PID:4912 -
\??\c:\nbhttn.exec:\nbhttn.exe28⤵
- Executes dropped EXE
PID:4368 -
\??\c:\5jvpj.exec:\5jvpj.exe29⤵
- Executes dropped EXE
PID:1092 -
\??\c:\fxfxlff.exec:\fxfxlff.exe30⤵
- Executes dropped EXE
PID:3308 -
\??\c:\tnnnbn.exec:\tnnnbn.exe31⤵
- Executes dropped EXE
PID:3312 -
\??\c:\vvpjd.exec:\vvpjd.exe32⤵
- Executes dropped EXE
PID:1824 -
\??\c:\5rxrrrl.exec:\5rxrrrl.exe33⤵
- Executes dropped EXE
PID:3356 -
\??\c:\rlffxlf.exec:\rlffxlf.exe34⤵
- Executes dropped EXE
PID:3000 -
\??\c:\7ntnbb.exec:\7ntnbb.exe35⤵
- Executes dropped EXE
PID:2916 -
\??\c:\vdjjj.exec:\vdjjj.exe36⤵
- Executes dropped EXE
PID:2856 -
\??\c:\1pppp.exec:\1pppp.exe37⤵
- Executes dropped EXE
PID:4304 -
\??\c:\lflffff.exec:\lflffff.exe38⤵
- Executes dropped EXE
PID:3296 -
\??\c:\5tbtbn.exec:\5tbtbn.exe39⤵
- Executes dropped EXE
PID:2760 -
\??\c:\btnnhb.exec:\btnnhb.exe40⤵
- Executes dropped EXE
PID:868 -
\??\c:\vdddd.exec:\vdddd.exe41⤵
- Executes dropped EXE
PID:748 -
\??\c:\rfrlfff.exec:\rfrlfff.exe42⤵
- Executes dropped EXE
PID:4312 -
\??\c:\1rlfxxr.exec:\1rlfxxr.exe43⤵
- Executes dropped EXE
PID:1936 -
\??\c:\tbtbnb.exec:\tbtbnb.exe44⤵PID:3712
-
\??\c:\9tbthh.exec:\9tbthh.exe45⤵
- Executes dropped EXE
PID:5064 -
\??\c:\rxxllfx.exec:\rxxllfx.exe46⤵
- Executes dropped EXE
PID:4376 -
\??\c:\lxrrlll.exec:\lxrrlll.exe47⤵
- Executes dropped EXE
PID:8 -
\??\c:\hbbttt.exec:\hbbttt.exe48⤵
- Executes dropped EXE
PID:3176 -
\??\c:\5vpvv.exec:\5vpvv.exe49⤵
- Executes dropped EXE
PID:4864 -
\??\c:\pjddd.exec:\pjddd.exe50⤵
- Executes dropped EXE
PID:1628 -
\??\c:\5rlfrlf.exec:\5rlfrlf.exe51⤵
- Executes dropped EXE
PID:4840 -
\??\c:\1btnhh.exec:\1btnhh.exe52⤵
- Executes dropped EXE
PID:4228 -
\??\c:\pjvpj.exec:\pjvpj.exe53⤵
- Executes dropped EXE
PID:3168 -
\??\c:\lxffrxx.exec:\lxffrxx.exe54⤵
- Executes dropped EXE
PID:3340 -
\??\c:\hbnhtn.exec:\hbnhtn.exe55⤵
- Executes dropped EXE
PID:3816 -
\??\c:\dpvjv.exec:\dpvjv.exe56⤵
- Executes dropped EXE
PID:3056 -
\??\c:\lrrrxxr.exec:\lrrrxxr.exe57⤵
- Executes dropped EXE
PID:1216 -
\??\c:\fxxlxrl.exec:\fxxlxrl.exe58⤵
- Executes dropped EXE
PID:2424 -
\??\c:\hbnhhb.exec:\hbnhhb.exe59⤵
- Executes dropped EXE
PID:4728 -
\??\c:\jvpvj.exec:\jvpvj.exe60⤵
- Executes dropped EXE
PID:3680 -
\??\c:\5pvjv.exec:\5pvjv.exe61⤵
- Executes dropped EXE
PID:1380 -
\??\c:\lrflxxr.exec:\lrflxxr.exe62⤵
- Executes dropped EXE
PID:3152 -
\??\c:\5bhhbb.exec:\5bhhbb.exe63⤵
- Executes dropped EXE
PID:4188 -
\??\c:\vvpjd.exec:\vvpjd.exe64⤵
- Executes dropped EXE
PID:4500 -
\??\c:\vpjdv.exec:\vpjdv.exe65⤵
- Executes dropped EXE
PID:1416 -
\??\c:\xxffrlf.exec:\xxffrlf.exe66⤵
- Executes dropped EXE
PID:2600 -
\??\c:\bnnhbt.exec:\bnnhbt.exe67⤵PID:3948
-
\??\c:\bnbtnh.exec:\bnbtnh.exe68⤵PID:216
-
\??\c:\ppppj.exec:\ppppj.exe69⤵PID:3848
-
\??\c:\llfxrlx.exec:\llfxrlx.exe70⤵PID:3092
-
\??\c:\lxllxxr.exec:\lxllxxr.exe71⤵PID:1180
-
\??\c:\bbhhhh.exec:\bbhhhh.exe72⤵PID:3264
-
\??\c:\9pvpd.exec:\9pvpd.exe73⤵PID:2808
-
\??\c:\jdjjd.exec:\jdjjd.exe74⤵PID:1436
-
\??\c:\rffxrrl.exec:\rffxrrl.exe75⤵PID:2816
-
\??\c:\7xxfrrl.exec:\7xxfrrl.exe76⤵PID:3748
-
\??\c:\nhnntb.exec:\nhnntb.exe77⤵PID:848
-
\??\c:\djvjd.exec:\djvjd.exe78⤵PID:4352
-
\??\c:\vppvp.exec:\vppvp.exe79⤵PID:4912
-
\??\c:\rxrxrll.exec:\rxrxrll.exe80⤵PID:2788
-
\??\c:\htthbn.exec:\htthbn.exe81⤵PID:3892
-
\??\c:\xxlxfxf.exec:\xxlxfxf.exe82⤵PID:3556
-
\??\c:\xrlrxxf.exec:\xrlrxxf.exe83⤵PID:4328
-
\??\c:\btnbtn.exec:\btnbtn.exe84⤵PID:4348
-
\??\c:\bthbbh.exec:\bthbbh.exe85⤵PID:2444
-
\??\c:\jjjdp.exec:\jjjdp.exe86⤵PID:3372
-
\??\c:\rffxxfl.exec:\rffxxfl.exe87⤵PID:3356
-
\??\c:\nnnttb.exec:\nnnttb.exe88⤵PID:1492
-
\??\c:\bnbtnn.exec:\bnbtnn.exe89⤵PID:2916
-
\??\c:\ppvpj.exec:\ppvpj.exe90⤵PID:3100
-
\??\c:\jppjd.exec:\jppjd.exe91⤵PID:4344
-
\??\c:\rflfxxx.exec:\rflfxxx.exe92⤵PID:2124
-
\??\c:\llrlrrr.exec:\llrlrrr.exe93⤵PID:2228
-
\??\c:\bbbttn.exec:\bbbttn.exe94⤵PID:4392
-
\??\c:\djppj.exec:\djppj.exe95⤵PID:4396
-
\??\c:\dddvp.exec:\dddvp.exe96⤵PID:3496
-
\??\c:\rfffxxr.exec:\rfffxxr.exe97⤵PID:2100
-
\??\c:\3xfxrrl.exec:\3xfxrrl.exe98⤵PID:4540
-
\??\c:\tttnnn.exec:\tttnnn.exe99⤵PID:1868
-
\??\c:\vpjjd.exec:\vpjjd.exe100⤵PID:1612
-
\??\c:\9rxrffx.exec:\9rxrffx.exe101⤵PID:1764
-
\??\c:\lffxxxr.exec:\lffxxxr.exe102⤵PID:8
-
\??\c:\hntthb.exec:\hntthb.exe103⤵PID:3176
-
\??\c:\hbhbbt.exec:\hbhbbt.exe104⤵PID:2676
-
\??\c:\jjjdd.exec:\jjjdd.exe105⤵PID:1072
-
\??\c:\rfrfrlx.exec:\rfrfrlx.exe106⤵PID:4768
-
\??\c:\1llfrrl.exec:\1llfrrl.exe107⤵PID:1528
-
\??\c:\bbtnnh.exec:\bbtnnh.exe108⤵PID:3436
-
\??\c:\thhhnb.exec:\thhhnb.exe109⤵PID:4220
-
\??\c:\vpvdv.exec:\vpvdv.exe110⤵PID:464
-
\??\c:\rfxxrrl.exec:\rfxxrrl.exe111⤵PID:1688
-
\??\c:\bthbbt.exec:\bthbbt.exe112⤵PID:3776
-
\??\c:\vppdd.exec:\vppdd.exe113⤵PID:5116
-
\??\c:\frxlrlr.exec:\frxlrlr.exe114⤵PID:4716
-
\??\c:\thnhbb.exec:\thnhbb.exe115⤵PID:2812
-
\??\c:\btthbb.exec:\btthbb.exe116⤵PID:1736
-
\??\c:\dpjjj.exec:\dpjjj.exe117⤵PID:3924
-
\??\c:\rfllxxr.exec:\rfllxxr.exe118⤵PID:3152
-
\??\c:\nbbnht.exec:\nbbnht.exe119⤵PID:4188
-
\??\c:\9hbtnt.exec:\9hbtnt.exe120⤵PID:964
-
\??\c:\nntnbt.exec:\nntnbt.exe121⤵PID:2660
-
\??\c:\xrxrxrf.exec:\xrxrxrf.exe122⤵PID:2600
-