Analysis
-
max time kernel
153s -
max time network
157s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240226-en locale:en-us os:windows10-2004-x64 system -
submitted
21-06-2024 05:04
Behavioral task
behavioral1
Sample
40749afd5eecbd278d3c84f051da6fe0ab1a052e6c159fb8241c12e8e6f75319_NeikiAnalytics.exe
Resource
win7-20240611-en
5 signatures
150 seconds
General
-
Target
40749afd5eecbd278d3c84f051da6fe0ab1a052e6c159fb8241c12e8e6f75319_NeikiAnalytics.exe
-
Size
255KB
-
MD5
196339094dab57b7da5314be5c6ef4e0
-
SHA1
d09ce666f2438782c950f49fa01d1ab3448286d0
-
SHA256
40749afd5eecbd278d3c84f051da6fe0ab1a052e6c159fb8241c12e8e6f75319
-
SHA512
d77d30bf3b880e04eb55e4dbb85aeba36b16a93fd5def4e76537d1fbb2b059cc678f88c9a1687086fffd9f0629dbbd697c13d50e7cee50a947b2e21153776430
-
SSDEEP
6144:kcm4FmowdHoSphraHcpOaKHpolTjZXvEQo9dfrP:y4wFHoS3eFaKHpKT9XvEhdfrP
Malware Config
Signatures
-
Detect Blackmoon payload 64 IoCs
Processes:
resource yara_rule behavioral2/memory/4276-5-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1688-11-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3980-19-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4856-20-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3616-29-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3372-32-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/216-38-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2448-46-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1128-53-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5032-56-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4608-62-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1548-72-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3592-89-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2112-96-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3112-98-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4208-108-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3752-118-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3568-123-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3948-131-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4604-136-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2408-145-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/3344-142-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1832-160-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4912-170-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3932-175-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2432-181-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1384-197-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/788-212-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2260-219-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4940-235-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1432-239-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1624-243-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2672-247-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3820-250-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2236-254-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1592-261-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/412-265-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4588-270-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/984-276-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3740-295-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/948-305-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2484-309-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/3324-319-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5084-323-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2824-336-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3156-346-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4700-350-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/464-358-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1128-368-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4340-380-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4636-392-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2912-408-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2976-430-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3508-446-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1784-456-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5060-509-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2344-529-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1228-564-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4644-586-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1340-767-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2040-857-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4548-918-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4912-1135-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/3364-1452-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
Processes:
9grdp.exe go3tf.exe 9egn65.exe 8iij16m.exe 3458ln7.exe o888n5.exe ke0e6.exe 432x4.exe ppldh.exe v2f79k.exe tq67nw8.exe 424p6.exe 596crx.exe l85sd.exe 7qq62.exe 95eb5.exe 7uak63.exe fm7sa.exe kf038a.exe st8ir1m.exe t2w7ht5.exe nsgwnc1.exe 3q1g9.exe q65fc.exe eb93q.exe rt03f34.exe re7l2wc.exe 3l14c.exe 144txs.exe 59ner.exe 1ggjji.exe nnr12.exe prrdrdj.exe kga77g.exe pp7k62.exe p98uiv8.exe 2w88s.exe oe91q28.exe 4uvg0.exe 38gf9.exe ha4ul9.exe n33bk.exe 84t30.exe 4bcn376.exe 2sj60b3.exe 499ols.exe 4jk33.exe 51b40.exe e3lps.exe f05lb4.exe k58l776.exe 1u71g5g.exe e533j1.exe 5l4bk1.exe cn87sc.exe 7isnu.exe 8x8415.exe d9w0e.exe a25xli.exe q54xp5x.exe 2gq82.exe jp8cv7r.exe 52il0.exe 9ajd8c0.exe
pid process 1688 9grdp.exe 3980 go3tf.exe 4856 9egn65.exe 3616 8iij16m.exe 3372 3458ln7.exe 216 o888n5.exe 2448 ke0e6.exe 1128 432x4.exe 5032 ppldh.exe 4608 v2f79k.exe 1548 tq67nw8.exe 2884 424p6.exe 2168 596crx.exe 3592 l85sd.exe 2112 7qq62.exe 3112 95eb5.exe 4208 7uak63.exe 984 fm7sa.exe 3752 kf038a.exe 3568 st8ir1m.exe 3948 t2w7ht5.exe 4604 nsgwnc1.exe 3344 3q1g9.exe 2408 q65fc.exe 4496 eb93q.exe 1832 rt03f34.exe 1552 re7l2wc.exe 4912 3l14c.exe 3932 144txs.exe 2432 59ner.exe 4040 1ggjji.exe 4944 nnr12.exe 1384 prrdrdj.exe 3880 kga77g.exe 3980 pp7k62.exe 4984 p98uiv8.exe 5024 2w88s.exe 788 oe91q28.exe 212 4uvg0.exe 2260 38gf9.exe 1176 ha4ul9.exe 2904 n33bk.exe 4020 84t30.exe 760 4bcn376.exe 4940 2sj60b3.exe 1432 499ols.exe 1624 4jk33.exe 2672 51b40.exe 3820 e3lps.exe 2236 f05lb4.exe 2404 k58l776.exe 1592 1u71g5g.exe 412 e533j1.exe 3368 5l4bk1.exe 4588 cn87sc.exe 984 7isnu.exe 3608 8x8415.exe 3620 d9w0e.exe 4224 a25xli.exe 4848 q54xp5x.exe 4384 2gq82.exe 3740 jp8cv7r.exe 3344 52il0.exe 2408 9ajd8c0.exe -
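Processes (the signature title for this table is missing from the capture; every row below is a match of the upx YARA rule, which by itself indicates packing rather than malice and is meaningful here only alongside the family_blackmoon matches on the same memory regions):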
resource yara_rule behavioral2/memory/4276-0-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\9grdp.exe upx behavioral2/memory/4276-5-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1688-11-0x0000000000400000-0x0000000000427000-memory.dmp upx \??\c:\go3tf.exe upx C:\9egn65.exe upx behavioral2/memory/3980-19-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\8iij16m.exe upx behavioral2/memory/4856-20-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\3458ln7.exe upx behavioral2/memory/3616-29-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3372-32-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\o888n5.exe upx behavioral2/memory/216-38-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\ke0e6.exe upx C:\432x4.exe upx behavioral2/memory/2448-46-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\ppldh.exe upx behavioral2/memory/1128-53-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/5032-56-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\v2f79k.exe upx behavioral2/memory/4608-62-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\tq67nw8.exe upx behavioral2/memory/1548-67-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\424p6.exe upx behavioral2/memory/2884-74-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1548-72-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\596crx.exe upx C:\l85sd.exe upx behavioral2/memory/3592-89-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\7qq62.exe upx C:\95eb5.exe upx behavioral2/memory/2112-96-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3112-98-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\7uak63.exe upx behavioral2/memory/4208-108-0x0000000000400000-0x0000000000427000-memory.dmp upx \??\c:\fm7sa.exe upx C:\kf038a.exe upx C:\st8ir1m.exe upx behavioral2/memory/3752-118-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/memory/3568-123-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\t2w7ht5.exe upx C:\nsgwnc1.exe upx behavioral2/memory/3948-131-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\3q1g9.exe upx behavioral2/memory/4604-136-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\q65fc.exe upx behavioral2/memory/2408-145-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3344-142-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\eb93q.exe upx C:\rt03f34.exe upx C:\re7l2wc.exe upx behavioral2/memory/1832-160-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\3l14c.exe upx behavioral2/memory/4912-170-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\144txs.exe upx C:\59ner.exe upx behavioral2/memory/3932-175-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\1ggjji.exe upx behavioral2/memory/2432-181-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/5020-184-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\nnr12.exe upx C:\prrdrdj.exe upx behavioral2/memory/1384-197-0x0000000000400000-0x0000000000427000-memory.dmp upx -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
40749afd5eecbd278d3c84f051da6fe0ab1a052e6c159fb8241c12e8e6f75319_NeikiAnalytics.exe9grdp.exego3tf.exe9egn65.exe8iij16m.exe3458ln7.exeo888n5.exeke0e6.exe432x4.exeppldh.exev2f79k.exetq67nw8.exe424p6.exe596crx.exel85sd.exe7qq62.exe95eb5.exe7uak63.exefm7sa.exekf038a.exest8ir1m.exet2w7ht5.exedescription pid process target process PID 4276 wrote to memory of 1688 4276 40749afd5eecbd278d3c84f051da6fe0ab1a052e6c159fb8241c12e8e6f75319_NeikiAnalytics.exe 9grdp.exe PID 4276 wrote to memory of 1688 4276 40749afd5eecbd278d3c84f051da6fe0ab1a052e6c159fb8241c12e8e6f75319_NeikiAnalytics.exe 9grdp.exe PID 4276 wrote to memory of 1688 4276 40749afd5eecbd278d3c84f051da6fe0ab1a052e6c159fb8241c12e8e6f75319_NeikiAnalytics.exe 9grdp.exe PID 1688 wrote to memory of 3980 1688 9grdp.exe go3tf.exe PID 1688 wrote to memory of 3980 1688 9grdp.exe go3tf.exe PID 1688 wrote to memory of 3980 1688 9grdp.exe go3tf.exe PID 3980 wrote to memory of 4856 3980 go3tf.exe 9egn65.exe PID 3980 wrote to memory of 4856 3980 go3tf.exe 9egn65.exe PID 3980 wrote to memory of 4856 3980 go3tf.exe 9egn65.exe PID 4856 wrote to memory of 3616 4856 9egn65.exe 8iij16m.exe PID 4856 wrote to memory of 3616 4856 9egn65.exe 8iij16m.exe PID 4856 wrote to memory of 3616 4856 9egn65.exe 8iij16m.exe PID 3616 wrote to memory of 3372 3616 8iij16m.exe 3458ln7.exe PID 3616 wrote to memory of 3372 3616 8iij16m.exe 3458ln7.exe PID 3616 wrote to memory of 3372 3616 8iij16m.exe 3458ln7.exe PID 3372 wrote to memory of 216 3372 3458ln7.exe o888n5.exe PID 3372 wrote to memory of 216 3372 3458ln7.exe o888n5.exe PID 3372 wrote to memory of 216 3372 3458ln7.exe o888n5.exe PID 216 wrote to memory of 2448 216 o888n5.exe ke0e6.exe PID 216 wrote to memory of 2448 216 o888n5.exe ke0e6.exe PID 216 wrote to memory of 2448 216 o888n5.exe ke0e6.exe PID 2448 wrote to memory of 1128 2448 ke0e6.exe 432x4.exe PID 2448 wrote to memory of 1128 2448 ke0e6.exe 432x4.exe PID 2448 wrote to memory of 1128 2448 ke0e6.exe 432x4.exe PID 1128 wrote to memory of 
5032 1128 432x4.exe ppldh.exe PID 1128 wrote to memory of 5032 1128 432x4.exe ppldh.exe PID 1128 wrote to memory of 5032 1128 432x4.exe ppldh.exe PID 5032 wrote to memory of 4608 5032 ppldh.exe v2f79k.exe PID 5032 wrote to memory of 4608 5032 ppldh.exe v2f79k.exe PID 5032 wrote to memory of 4608 5032 ppldh.exe v2f79k.exe PID 4608 wrote to memory of 1548 4608 v2f79k.exe tq67nw8.exe PID 4608 wrote to memory of 1548 4608 v2f79k.exe tq67nw8.exe PID 4608 wrote to memory of 1548 4608 v2f79k.exe tq67nw8.exe PID 1548 wrote to memory of 2884 1548 tq67nw8.exe 424p6.exe PID 1548 wrote to memory of 2884 1548 tq67nw8.exe 424p6.exe PID 1548 wrote to memory of 2884 1548 tq67nw8.exe 424p6.exe PID 2884 wrote to memory of 2168 2884 424p6.exe 596crx.exe PID 2884 wrote to memory of 2168 2884 424p6.exe 596crx.exe PID 2884 wrote to memory of 2168 2884 424p6.exe 596crx.exe PID 2168 wrote to memory of 3592 2168 596crx.exe l85sd.exe PID 2168 wrote to memory of 3592 2168 596crx.exe l85sd.exe PID 2168 wrote to memory of 3592 2168 596crx.exe l85sd.exe PID 3592 wrote to memory of 2112 3592 l85sd.exe 7qq62.exe PID 3592 wrote to memory of 2112 3592 l85sd.exe 7qq62.exe PID 3592 wrote to memory of 2112 3592 l85sd.exe 7qq62.exe PID 2112 wrote to memory of 3112 2112 7qq62.exe 95eb5.exe PID 2112 wrote to memory of 3112 2112 7qq62.exe 95eb5.exe PID 2112 wrote to memory of 3112 2112 7qq62.exe 95eb5.exe PID 3112 wrote to memory of 4208 3112 95eb5.exe 7uak63.exe PID 3112 wrote to memory of 4208 3112 95eb5.exe 7uak63.exe PID 3112 wrote to memory of 4208 3112 95eb5.exe 7uak63.exe PID 4208 wrote to memory of 984 4208 7uak63.exe fm7sa.exe PID 4208 wrote to memory of 984 4208 7uak63.exe fm7sa.exe PID 4208 wrote to memory of 984 4208 7uak63.exe fm7sa.exe PID 984 wrote to memory of 3752 984 fm7sa.exe kf038a.exe PID 984 wrote to memory of 3752 984 fm7sa.exe kf038a.exe PID 984 wrote to memory of 3752 984 fm7sa.exe kf038a.exe PID 3752 wrote to memory of 3568 3752 kf038a.exe st8ir1m.exe PID 3752 wrote to memory of 
3568 3752 kf038a.exe st8ir1m.exe PID 3752 wrote to memory of 3568 3752 kf038a.exe st8ir1m.exe PID 3568 wrote to memory of 3948 3568 st8ir1m.exe t2w7ht5.exe PID 3568 wrote to memory of 3948 3568 st8ir1m.exe t2w7ht5.exe PID 3568 wrote to memory of 3948 3568 st8ir1m.exe t2w7ht5.exe PID 3948 wrote to memory of 4604 3948 t2w7ht5.exe nsgwnc1.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\40749afd5eecbd278d3c84f051da6fe0ab1a052e6c159fb8241c12e8e6f75319_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\40749afd5eecbd278d3c84f051da6fe0ab1a052e6c159fb8241c12e8e6f75319_NeikiAnalytics.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4276 -
\??\c:\9grdp.exec:\9grdp.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1688 -
\??\c:\go3tf.exec:\go3tf.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3980 -
\??\c:\9egn65.exec:\9egn65.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4856 -
\??\c:\8iij16m.exec:\8iij16m.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3616 -
\??\c:\3458ln7.exec:\3458ln7.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3372 -
\??\c:\o888n5.exec:\o888n5.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:216 -
\??\c:\ke0e6.exec:\ke0e6.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2448 -
\??\c:\432x4.exec:\432x4.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1128 -
\??\c:\ppldh.exec:\ppldh.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5032 -
\??\c:\v2f79k.exec:\v2f79k.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4608 -
\??\c:\tq67nw8.exec:\tq67nw8.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1548 -
\??\c:\424p6.exec:\424p6.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2884 -
\??\c:\596crx.exec:\596crx.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2168 -
\??\c:\l85sd.exec:\l85sd.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3592 -
\??\c:\7qq62.exec:\7qq62.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2112 -
\??\c:\95eb5.exec:\95eb5.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3112 -
\??\c:\7uak63.exec:\7uak63.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4208 -
\??\c:\fm7sa.exec:\fm7sa.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:984 -
\??\c:\kf038a.exec:\kf038a.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3752 -
\??\c:\st8ir1m.exec:\st8ir1m.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3568 -
\??\c:\t2w7ht5.exec:\t2w7ht5.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3948 -
\??\c:\nsgwnc1.exec:\nsgwnc1.exe23⤵
- Executes dropped EXE
PID:4604 -
\??\c:\3q1g9.exec:\3q1g9.exe24⤵
- Executes dropped EXE
PID:3344 -
\??\c:\q65fc.exec:\q65fc.exe25⤵
- Executes dropped EXE
PID:2408 -
\??\c:\eb93q.exec:\eb93q.exe26⤵
- Executes dropped EXE
PID:4496 -
\??\c:\rt03f34.exec:\rt03f34.exe27⤵
- Executes dropped EXE
PID:1832 -
\??\c:\re7l2wc.exec:\re7l2wc.exe28⤵
- Executes dropped EXE
PID:1552 -
\??\c:\3l14c.exec:\3l14c.exe29⤵
- Executes dropped EXE
PID:4912 -
\??\c:\144txs.exec:\144txs.exe30⤵
- Executes dropped EXE
PID:3932 -
\??\c:\59ner.exec:\59ner.exe31⤵
- Executes dropped EXE
PID:2432 -
\??\c:\1ggjji.exec:\1ggjji.exe32⤵
- Executes dropped EXE
PID:4040 -
\??\c:\3e4xa2r.exec:\3e4xa2r.exe33⤵PID:5020
-
\??\c:\nnr12.exec:\nnr12.exe34⤵
- Executes dropped EXE
PID:4944 -
\??\c:\prrdrdj.exec:\prrdrdj.exe35⤵
- Executes dropped EXE
PID:1384 -
\??\c:\kga77g.exec:\kga77g.exe36⤵
- Executes dropped EXE
PID:3880 -
\??\c:\pp7k62.exec:\pp7k62.exe37⤵
- Executes dropped EXE
PID:3980 -
\??\c:\p98uiv8.exec:\p98uiv8.exe38⤵
- Executes dropped EXE
PID:4984 -
\??\c:\2w88s.exec:\2w88s.exe39⤵
- Executes dropped EXE
PID:5024 -
\??\c:\oe91q28.exec:\oe91q28.exe40⤵
- Executes dropped EXE
PID:788 -
\??\c:\4uvg0.exec:\4uvg0.exe41⤵
- Executes dropped EXE
PID:212 -
\??\c:\38gf9.exec:\38gf9.exe42⤵
- Executes dropped EXE
PID:2260 -
\??\c:\ha4ul9.exec:\ha4ul9.exe43⤵
- Executes dropped EXE
PID:1176 -
\??\c:\n33bk.exec:\n33bk.exe44⤵
- Executes dropped EXE
PID:2904 -
\??\c:\84t30.exec:\84t30.exe45⤵
- Executes dropped EXE
PID:4020 -
\??\c:\4bcn376.exec:\4bcn376.exe46⤵
- Executes dropped EXE
PID:760 -
\??\c:\2sj60b3.exec:\2sj60b3.exe47⤵
- Executes dropped EXE
PID:4940 -
\??\c:\499ols.exec:\499ols.exe48⤵
- Executes dropped EXE
PID:1432 -
\??\c:\4jk33.exec:\4jk33.exe49⤵
- Executes dropped EXE
PID:1624 -
\??\c:\51b40.exec:\51b40.exe50⤵
- Executes dropped EXE
PID:2672 -
\??\c:\e3lps.exec:\e3lps.exe51⤵
- Executes dropped EXE
PID:3820 -
\??\c:\f05lb4.exec:\f05lb4.exe52⤵
- Executes dropped EXE
PID:2236 -
\??\c:\k58l776.exec:\k58l776.exe53⤵
- Executes dropped EXE
PID:2404 -
\??\c:\1u71g5g.exec:\1u71g5g.exe54⤵
- Executes dropped EXE
PID:1592 -
\??\c:\e533j1.exec:\e533j1.exe55⤵
- Executes dropped EXE
PID:412 -
\??\c:\5l4bk1.exec:\5l4bk1.exe56⤵
- Executes dropped EXE
PID:3368 -
\??\c:\cn87sc.exec:\cn87sc.exe57⤵
- Executes dropped EXE
PID:4588 -
\??\c:\7isnu.exec:\7isnu.exe58⤵
- Executes dropped EXE
PID:984 -
\??\c:\8x8415.exec:\8x8415.exe59⤵
- Executes dropped EXE
PID:3608 -
\??\c:\d9w0e.exec:\d9w0e.exe60⤵
- Executes dropped EXE
PID:3620 -
\??\c:\a25xli.exec:\a25xli.exe61⤵
- Executes dropped EXE
PID:4224 -
\??\c:\q54xp5x.exec:\q54xp5x.exe62⤵
- Executes dropped EXE
PID:4848 -
\??\c:\2gq82.exec:\2gq82.exe63⤵
- Executes dropped EXE
PID:4384 -
\??\c:\jp8cv7r.exec:\jp8cv7r.exe64⤵
- Executes dropped EXE
PID:3740 -
\??\c:\52il0.exec:\52il0.exe65⤵
- Executes dropped EXE
PID:3344 -
\??\c:\9ajd8c0.exec:\9ajd8c0.exe66⤵
- Executes dropped EXE
PID:2408 -
\??\c:\75r817t.exec:\75r817t.exe67⤵PID:948
-
\??\c:\966q38.exec:\966q38.exe68⤵PID:2484
-
\??\c:\ulbir43.exec:\ulbir43.exe69⤵PID:1744
-
\??\c:\ug2l5.exec:\ug2l5.exe70⤵PID:1900
-
\??\c:\k7vm31.exec:\k7vm31.exe71⤵PID:3324
-
\??\c:\s7db394.exec:\s7db394.exe72⤵PID:5084
-
\??\c:\5l02rge.exec:\5l02rge.exe73⤵PID:4320
-
\??\c:\h7u61.exec:\h7u61.exe74⤵PID:4400
-
\??\c:\153ft.exec:\153ft.exe75⤵PID:2916
-
\??\c:\a49a7di.exec:\a49a7di.exe76⤵PID:2824
-
\??\c:\79wqhh.exec:\79wqhh.exe77⤵PID:1412
-
\??\c:\0w3o7.exec:\0w3o7.exe78⤵PID:2472
-
\??\c:\v5lnhdx.exec:\v5lnhdx.exe79⤵PID:3156
-
\??\c:\t9k53.exec:\t9k53.exe80⤵PID:4700
-
\??\c:\7fj4o.exec:\7fj4o.exe81⤵PID:3356
-
\??\c:\l15wk4x.exec:\l15wk4x.exe82⤵PID:464
-
\??\c:\gp99f.exec:\gp99f.exe83⤵PID:4420
-
\??\c:\21823.exec:\21823.exe84⤵PID:1160
-
\??\c:\e7cdo3.exec:\e7cdo3.exe85⤵PID:1128
-
\??\c:\3uj323n.exec:\3uj323n.exe86⤵PID:2768
-
\??\c:\254b8.exec:\254b8.exe87⤵PID:5032
-
\??\c:\96xo270.exec:\96xo270.exe88⤵PID:4608
-
\??\c:\o150ve.exec:\o150ve.exe89⤵PID:4340
-
\??\c:\6bk1l.exec:\6bk1l.exe90⤵PID:1640
-
\??\c:\a3i836c.exec:\a3i836c.exe91⤵PID:3088
-
\??\c:\1iag3.exec:\1iag3.exe92⤵PID:4636
-
\??\c:\6m5n60t.exec:\6m5n60t.exe93⤵PID:4668
-
\??\c:\lnb254.exec:\lnb254.exe94⤵PID:4308
-
\??\c:\0g26p87.exec:\0g26p87.exe95⤵PID:4416
-
\??\c:\13334.exec:\13334.exe96⤵PID:2116
-
\??\c:\915914.exec:\915914.exe97⤵PID:2912
-
\??\c:\q254u7.exec:\q254u7.exe98⤵PID:700
-
\??\c:\1jc0j5.exec:\1jc0j5.exe99⤵PID:1844
-
\??\c:\42eb153.exec:\42eb153.exe100⤵PID:2256
-
\??\c:\wjolc.exec:\wjolc.exe101⤵PID:828
-
\??\c:\s21m3.exec:\s21m3.exe102⤵PID:3624
-
\??\c:\ekeld0.exec:\ekeld0.exe103⤵PID:4224
-
\??\c:\l92k2oj.exec:\l92k2oj.exe104⤵PID:2976
-
\??\c:\5q9pa9.exec:\5q9pa9.exe105⤵PID:4604
-
\??\c:\8q5175.exec:\8q5175.exe106⤵PID:4620
-
\??\c:\ar1729m.exec:\ar1729m.exe107⤵PID:560
-
\??\c:\b89w87.exec:\b89w87.exe108⤵PID:3968
-
\??\c:\l8814.exec:\l8814.exe109⤵PID:3508
-
\??\c:\6371krp.exec:\6371krp.exe110⤵PID:648
-
\??\c:\559h4.exec:\559h4.exe111⤵PID:1568
-
\??\c:\rmjtij6.exec:\rmjtij6.exe112⤵PID:1784
-
\??\c:\w94l771.exec:\w94l771.exe113⤵PID:1092
-
\??\c:\97w2a42.exec:\97w2a42.exe114⤵PID:3008
-
\??\c:\7bu5w.exec:\7bu5w.exe115⤵PID:3640
-
\??\c:\f6tem7.exec:\f6tem7.exe116⤵PID:2788
-
\??\c:\xb51etq.exec:\xb51etq.exe117⤵PID:4944
-
\??\c:\o183d.exec:\o183d.exe118⤵PID:1384
-
\??\c:\356be.exec:\356be.exe119⤵PID:2724
-
\??\c:\f8o7916.exec:\f8o7916.exe120⤵PID:3388
-
\??\c:\0n393j2.exec:\0n393j2.exe121⤵PID:228
-
\??\c:\r6w6l50.exec:\r6w6l50.exe122⤵PID:2392
-