Analysis
-
max time kernel
150s -
max time network
55s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240508-en locale:en-us os:windows10-2004-x64 system -
submitted
21-06-2024 07:00
Behavioral task
behavioral1
Sample
4c438abbee9c45611472dc20b70042e5a49e93d8b9a6804d34ee3adb8eb12499_NeikiAnalytics.exe
Resource
win7-20240508-en
5 signatures
150 seconds
General
-
Target
4c438abbee9c45611472dc20b70042e5a49e93d8b9a6804d34ee3adb8eb12499_NeikiAnalytics.exe
-
Size
295KB
-
MD5
6e78b3587b564ef2502534846cb91a60
-
SHA1
d5959cea30350f3a510e4fedfc04630cad7cf5bd
-
SHA256
4c438abbee9c45611472dc20b70042e5a49e93d8b9a6804d34ee3adb8eb12499
-
SHA512
19bc7f9ebdcf424152987bb19c122cbd0d7861e7c97b988324965593f55721cecebca73ca2ac0b39b8d5966ee3935f32829d18ebda32523149d9540529513436
-
SSDEEP
6144:ccm4FmowdHoSQkuObHq9ltAszBd+za/p1slTjZXvEQo9dftOa:K4wFHoSQkuUHk1zBR/pMT9XvEhdff
Malware Config
Signatures
-
Detect Blackmoon payload 64 IoCs
Processes:
resource yara_rule behavioral2/memory/2444-6-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/2904-11-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/396-68-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/1172-236-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/3476-244-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/1176-265-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/2604-279-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/4164-288-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/3684-303-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/4076-302-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/2000-328-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/4176-292-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/2772-275-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/888-262-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/4492-257-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/2820-250-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/3664-247-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/1156-240-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/3748-232-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/4720-225-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/3016-221-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon 
behavioral2/memory/1572-218-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/4032-213-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/4760-209-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/2376-199-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/3716-189-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/2128-185-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/4652-169-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/4584-154-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/4708-142-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/4580-137-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/3964-125-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/2612-109-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/2304-103-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/1028-92-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/4448-86-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/1624-80-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/1008-74-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/1056-62-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/3824-56-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/4664-50-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/4540-44-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon 
behavioral2/memory/3108-38-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/4244-26-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/1504-21-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/4180-17-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/780-344-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/4680-355-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/2332-365-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/4944-369-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/3628-373-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/3016-375-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/4812-418-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/1400-431-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/4608-472-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/2668-544-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/1280-568-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/4996-698-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/1844-706-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/2124-710-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/4972-738-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/4140-849-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/4508-1132-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon 
behavioral2/memory/3372-1238-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
Processes:
bntnhh.exe vdpvj.exe djdvv.exe rlxrxxx.exe bbbttt.exe nnnntb.exe ppvvp.exe 9pjdv.exe 1lxxxfr.exe nnnhbb.exe htbbtb.exe dpdvv.exe jddvv.exe rxllrrx.exe lxflfff.exe tnnnhh.exe bntnnn.exe dpppj.exe vjpjd.exe xrxfxxx.exe hbtnnn.exe bhbhhh.exe dpddv.exe jpdjj.exe 1lrlfll.exe fxrxrxx.exe hthnnt.exe nnhbtt.exe dvdvp.exe pddpp.exe 5xxlffx.exe thnhbt.exe tttnbb.exe ddjdv.exe 5jdjv.exe lxxlllf.exe 3xxlfxr.exe httntt.exe pjpvd.exe 5pvvj.exe xxrxxlf.exe 9xxxrrr.exe nbhhbt.exe 9hbbbh.exe vjpdv.exe rlrflxr.exe frrlxxr.exe tthbtn.exe bhnhbb.exe vjpjd.exe 5dvjp.exe lllfxxr.exe hthhhb.exe bbhtnn.exe ppjpp.exe 5xrlxrx.exe 9xxrlfx.exe bnttnh.exe nhntnb.exe 3djdv.exe rxrrrlx.exe 1flfffx.exe jjddv.exe 7llffff.exe pid process 2904 bntnhh.exe 4180 vdpvj.exe 1504 djdvv.exe 4244 rlxrxxx.exe 3108 bbbttt.exe 4540 nnnntb.exe 4664 ppvvp.exe 3824 9pjdv.exe 1056 1lxxxfr.exe 396 nnnhbb.exe 1008 htbbtb.exe 1624 dpdvv.exe 4448 jddvv.exe 1028 rxllrrx.exe 2328 lxflfff.exe 2304 tnnnhh.exe 2612 bntnnn.exe 3204 dpppj.exe 2540 vjpjd.exe 3964 xrxfxxx.exe 1060 hbtnnn.exe 4580 bhbhhh.exe 4708 dpddv.exe 1568 jpdjj.exe 4584 1lrlfll.exe 2936 fxrxrxx.exe 2704 hthnnt.exe 4652 nnhbtt.exe 4112 dvdvp.exe 4996 pddpp.exe 2128 5xxlffx.exe 3716 thnhbt.exe 2016 tttnbb.exe 3376 ddjdv.exe 2376 5jdjv.exe 4184 lxxlllf.exe 4172 3xxlfxr.exe 4760 httntt.exe 4032 pjpvd.exe 1572 5pvvj.exe 3016 xxrxxlf.exe 4720 9xxxrrr.exe 2184 nbhhbt.exe 3748 9hbbbh.exe 1172 vjpdv.exe 1156 rlrflxr.exe 3476 frrlxxr.exe 3664 tthbtn.exe 2820 bhnhbb.exe 1580 vjpjd.exe 4492 5dvjp.exe 888 lllfxxr.exe 1176 hthhhb.exe 4408 bbhtnn.exe 3556 ppjpp.exe 2772 5xrlxrx.exe 2604 9xxrlfx.exe 1712 bnttnh.exe 2268 nhntnb.exe 2276 3djdv.exe 4164 rxrrrlx.exe 4176 1flfffx.exe 1096 jjddv.exe 4076 7llffff.exe -
Processes:
resource yara_rule behavioral2/memory/2444-0-0x0000000000400000-0x0000000000434000-memory.dmp upx C:\bntnhh.exe upx behavioral2/memory/2444-6-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral2/memory/2904-11-0x0000000000400000-0x0000000000434000-memory.dmp upx C:\djdvv.exe upx \??\c:\rlxrxxx.exe upx \??\c:\bbbttt.exe upx \??\c:\1lxxxfr.exe upx behavioral2/memory/396-68-0x0000000000400000-0x0000000000434000-memory.dmp upx \??\c:\jddvv.exe upx \??\c:\vjpjd.exe upx \??\c:\fxrxrxx.exe upx C:\5xxlffx.exe upx behavioral2/memory/1172-236-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral2/memory/3476-244-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral2/memory/1176-265-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral2/memory/2604-279-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral2/memory/4164-288-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral2/memory/3684-303-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral2/memory/4500-310-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral2/memory/4076-302-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral2/memory/2636-317-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral2/memory/2936-321-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral2/memory/2000-328-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral2/memory/4176-292-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral2/memory/2772-275-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral2/memory/888-262-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral2/memory/4492-257-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral2/memory/2820-250-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral2/memory/3664-247-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral2/memory/1156-240-0x0000000000400000-0x0000000000434000-memory.dmp upx 
behavioral2/memory/3748-232-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral2/memory/4720-225-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral2/memory/3016-221-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral2/memory/1572-218-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral2/memory/4032-213-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral2/memory/4760-209-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral2/memory/2376-199-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral2/memory/3716-189-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral2/memory/2128-185-0x0000000000400000-0x0000000000434000-memory.dmp upx \??\c:\thnhbt.exe upx \??\c:\pddpp.exe upx behavioral2/memory/4652-169-0x0000000000400000-0x0000000000434000-memory.dmp upx \??\c:\dvdvp.exe upx \??\c:\nnhbtt.exe upx \??\c:\hthnnt.exe upx behavioral2/memory/4584-154-0x0000000000400000-0x0000000000434000-memory.dmp upx \??\c:\1lrlfll.exe upx behavioral2/memory/4708-142-0x0000000000400000-0x0000000000434000-memory.dmp upx \??\c:\jpdjj.exe upx behavioral2/memory/4580-137-0x0000000000400000-0x0000000000434000-memory.dmp upx \??\c:\dpddv.exe upx \??\c:\bhbhhh.exe upx behavioral2/memory/3964-125-0x0000000000400000-0x0000000000434000-memory.dmp upx \??\c:\hbtnnn.exe upx \??\c:\xrxfxxx.exe upx behavioral2/memory/2612-109-0x0000000000400000-0x0000000000434000-memory.dmp upx \??\c:\dpppj.exe upx behavioral2/memory/2304-103-0x0000000000400000-0x0000000000434000-memory.dmp upx \??\c:\bntnnn.exe upx \??\c:\tnnnhh.exe upx behavioral2/memory/1028-92-0x0000000000400000-0x0000000000434000-memory.dmp upx \??\c:\lxflfff.exe upx behavioral2/memory/4448-86-0x0000000000400000-0x0000000000434000-memory.dmp upx -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
4c438abbee9c45611472dc20b70042e5a49e93d8b9a6804d34ee3adb8eb12499_NeikiAnalytics.exebntnhh.exevdpvj.exedjdvv.exerlxrxxx.exebbbttt.exennnntb.exeppvvp.exe9pjdv.exe1lxxxfr.exennnhbb.exehtbbtb.exedpdvv.exejddvv.exerxllrrx.exelxflfff.exetnnnhh.exebntnnn.exedpppj.exevjpjd.exexrxfxxx.exehbtnnn.exedescription pid process target process PID 2444 wrote to memory of 2904 2444 4c438abbee9c45611472dc20b70042e5a49e93d8b9a6804d34ee3adb8eb12499_NeikiAnalytics.exe bntnhh.exe PID 2444 wrote to memory of 2904 2444 4c438abbee9c45611472dc20b70042e5a49e93d8b9a6804d34ee3adb8eb12499_NeikiAnalytics.exe bntnhh.exe PID 2444 wrote to memory of 2904 2444 4c438abbee9c45611472dc20b70042e5a49e93d8b9a6804d34ee3adb8eb12499_NeikiAnalytics.exe bntnhh.exe PID 2904 wrote to memory of 4180 2904 bntnhh.exe vdpvj.exe PID 2904 wrote to memory of 4180 2904 bntnhh.exe vdpvj.exe PID 2904 wrote to memory of 4180 2904 bntnhh.exe vdpvj.exe PID 4180 wrote to memory of 1504 4180 vdpvj.exe djdvv.exe PID 4180 wrote to memory of 1504 4180 vdpvj.exe djdvv.exe PID 4180 wrote to memory of 1504 4180 vdpvj.exe djdvv.exe PID 1504 wrote to memory of 4244 1504 djdvv.exe rlxrxxx.exe PID 1504 wrote to memory of 4244 1504 djdvv.exe rlxrxxx.exe PID 1504 wrote to memory of 4244 1504 djdvv.exe rlxrxxx.exe PID 4244 wrote to memory of 3108 4244 rlxrxxx.exe bbbttt.exe PID 4244 wrote to memory of 3108 4244 rlxrxxx.exe bbbttt.exe PID 4244 wrote to memory of 3108 4244 rlxrxxx.exe bbbttt.exe PID 3108 wrote to memory of 4540 3108 bbbttt.exe nnnntb.exe PID 3108 wrote to memory of 4540 3108 bbbttt.exe nnnntb.exe PID 3108 wrote to memory of 4540 3108 bbbttt.exe nnnntb.exe PID 4540 wrote to memory of 4664 4540 nnnntb.exe ppvvp.exe PID 4540 wrote to memory of 4664 4540 nnnntb.exe ppvvp.exe PID 4540 wrote to memory of 4664 4540 nnnntb.exe ppvvp.exe PID 4664 wrote to memory of 3824 4664 ppvvp.exe 9pjdv.exe PID 4664 wrote to memory of 3824 4664 ppvvp.exe 9pjdv.exe PID 4664 wrote to memory of 3824 4664 ppvvp.exe 9pjdv.exe PID 3824 wrote to memory 
of 1056 3824 9pjdv.exe 1lxxxfr.exe PID 3824 wrote to memory of 1056 3824 9pjdv.exe 1lxxxfr.exe PID 3824 wrote to memory of 1056 3824 9pjdv.exe 1lxxxfr.exe PID 1056 wrote to memory of 396 1056 1lxxxfr.exe nnnhbb.exe PID 1056 wrote to memory of 396 1056 1lxxxfr.exe nnnhbb.exe PID 1056 wrote to memory of 396 1056 1lxxxfr.exe nnnhbb.exe PID 396 wrote to memory of 1008 396 nnnhbb.exe htbbtb.exe PID 396 wrote to memory of 1008 396 nnnhbb.exe htbbtb.exe PID 396 wrote to memory of 1008 396 nnnhbb.exe htbbtb.exe PID 1008 wrote to memory of 1624 1008 htbbtb.exe dpdvv.exe PID 1008 wrote to memory of 1624 1008 htbbtb.exe dpdvv.exe PID 1008 wrote to memory of 1624 1008 htbbtb.exe dpdvv.exe PID 1624 wrote to memory of 4448 1624 dpdvv.exe jddvv.exe PID 1624 wrote to memory of 4448 1624 dpdvv.exe jddvv.exe PID 1624 wrote to memory of 4448 1624 dpdvv.exe jddvv.exe PID 4448 wrote to memory of 1028 4448 jddvv.exe rxllrrx.exe PID 4448 wrote to memory of 1028 4448 jddvv.exe rxllrrx.exe PID 4448 wrote to memory of 1028 4448 jddvv.exe rxllrrx.exe PID 1028 wrote to memory of 2328 1028 rxllrrx.exe lxflfff.exe PID 1028 wrote to memory of 2328 1028 rxllrrx.exe lxflfff.exe PID 1028 wrote to memory of 2328 1028 rxllrrx.exe lxflfff.exe PID 2328 wrote to memory of 2304 2328 lxflfff.exe tnnnhh.exe PID 2328 wrote to memory of 2304 2328 lxflfff.exe tnnnhh.exe PID 2328 wrote to memory of 2304 2328 lxflfff.exe tnnnhh.exe PID 2304 wrote to memory of 2612 2304 tnnnhh.exe bntnnn.exe PID 2304 wrote to memory of 2612 2304 tnnnhh.exe bntnnn.exe PID 2304 wrote to memory of 2612 2304 tnnnhh.exe bntnnn.exe PID 2612 wrote to memory of 3204 2612 bntnnn.exe dpppj.exe PID 2612 wrote to memory of 3204 2612 bntnnn.exe dpppj.exe PID 2612 wrote to memory of 3204 2612 bntnnn.exe dpppj.exe PID 3204 wrote to memory of 2540 3204 dpppj.exe vjpjd.exe PID 3204 wrote to memory of 2540 3204 dpppj.exe vjpjd.exe PID 3204 wrote to memory of 2540 3204 dpppj.exe vjpjd.exe PID 2540 wrote to memory of 3964 2540 vjpjd.exe xrxfxxx.exe 
PID 2540 wrote to memory of 3964 2540 vjpjd.exe xrxfxxx.exe PID 2540 wrote to memory of 3964 2540 vjpjd.exe xrxfxxx.exe PID 3964 wrote to memory of 1060 3964 xrxfxxx.exe hbtnnn.exe PID 3964 wrote to memory of 1060 3964 xrxfxxx.exe hbtnnn.exe PID 3964 wrote to memory of 1060 3964 xrxfxxx.exe hbtnnn.exe PID 1060 wrote to memory of 4580 1060 hbtnnn.exe bhbhhh.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\4c438abbee9c45611472dc20b70042e5a49e93d8b9a6804d34ee3adb8eb12499_NeikiAnalytics.exe "C:\Users\Admin\AppData\Local\Temp\4c438abbee9c45611472dc20b70042e5a49e93d8b9a6804d34ee3adb8eb12499_NeikiAnalytics.exe" 1⤵
- Suspicious use of WriteProcessMemory
PID:2444 -
\??\c:\bntnhh.exec:\bntnhh.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2904 -
\??\c:\vdpvj.exec:\vdpvj.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4180 -
\??\c:\djdvv.exec:\djdvv.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1504 -
\??\c:\rlxrxxx.exec:\rlxrxxx.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4244 -
\??\c:\bbbttt.exec:\bbbttt.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3108 -
\??\c:\nnnntb.exec:\nnnntb.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4540 -
\??\c:\ppvvp.exec:\ppvvp.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4664 -
\??\c:\9pjdv.exec:\9pjdv.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3824 -
\??\c:\1lxxxfr.exec:\1lxxxfr.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1056 -
\??\c:\nnnhbb.exec:\nnnhbb.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:396 -
\??\c:\htbbtb.exec:\htbbtb.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1008 -
\??\c:\dpdvv.exec:\dpdvv.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1624 -
\??\c:\jddvv.exec:\jddvv.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4448 -
\??\c:\rxllrrx.exec:\rxllrrx.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1028 -
\??\c:\lxflfff.exec:\lxflfff.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2328 -
\??\c:\tnnnhh.exec:\tnnnhh.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2304 -
\??\c:\bntnnn.exec:\bntnnn.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2612 -
\??\c:\dpppj.exec:\dpppj.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3204 -
\??\c:\vjpjd.exec:\vjpjd.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2540 -
\??\c:\xrxfxxx.exec:\xrxfxxx.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3964 -
\??\c:\hbtnnn.exec:\hbtnnn.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1060 -
\??\c:\bhbhhh.exec:\bhbhhh.exe23⤵
- Executes dropped EXE
PID:4580 -
\??\c:\dpddv.exec:\dpddv.exe24⤵
- Executes dropped EXE
PID:4708 -
\??\c:\jpdjj.exec:\jpdjj.exe25⤵
- Executes dropped EXE
PID:1568 -
\??\c:\1lrlfll.exec:\1lrlfll.exe26⤵
- Executes dropped EXE
PID:4584 -
\??\c:\fxrxrxx.exec:\fxrxrxx.exe27⤵
- Executes dropped EXE
PID:2936 -
\??\c:\hthnnt.exec:\hthnnt.exe28⤵
- Executes dropped EXE
PID:2704 -
\??\c:\nnhbtt.exec:\nnhbtt.exe29⤵
- Executes dropped EXE
PID:4652 -
\??\c:\dvdvp.exec:\dvdvp.exe30⤵
- Executes dropped EXE
PID:4112 -
\??\c:\pddpp.exec:\pddpp.exe31⤵
- Executes dropped EXE
PID:4996 -
\??\c:\5xxlffx.exec:\5xxlffx.exe32⤵
- Executes dropped EXE
PID:2128 -
\??\c:\thnhbt.exec:\thnhbt.exe33⤵
- Executes dropped EXE
PID:3716 -
\??\c:\tttnbb.exec:\tttnbb.exe34⤵
- Executes dropped EXE
PID:2016 -
\??\c:\ddjdv.exec:\ddjdv.exe35⤵
- Executes dropped EXE
PID:3376 -
\??\c:\5jdjv.exec:\5jdjv.exe36⤵
- Executes dropped EXE
PID:2376 -
\??\c:\lxxlllf.exec:\lxxlllf.exe37⤵
- Executes dropped EXE
PID:4184 -
\??\c:\3xxlfxr.exec:\3xxlfxr.exe38⤵
- Executes dropped EXE
PID:4172 -
\??\c:\httntt.exec:\httntt.exe39⤵
- Executes dropped EXE
PID:4760 -
\??\c:\pjpvd.exec:\pjpvd.exe40⤵
- Executes dropped EXE
PID:4032 -
\??\c:\5pvvj.exec:\5pvvj.exe41⤵
- Executes dropped EXE
PID:1572 -
\??\c:\xxrxxlf.exec:\xxrxxlf.exe42⤵
- Executes dropped EXE
PID:3016 -
\??\c:\9xxxrrr.exec:\9xxxrrr.exe43⤵
- Executes dropped EXE
PID:4720 -
\??\c:\nbhhbt.exec:\nbhhbt.exe44⤵
- Executes dropped EXE
PID:2184 -
\??\c:\9hbbbh.exec:\9hbbbh.exe45⤵
- Executes dropped EXE
PID:3748 -
\??\c:\vjpdv.exec:\vjpdv.exe46⤵
- Executes dropped EXE
PID:1172 -
\??\c:\rlrflxr.exec:\rlrflxr.exe47⤵
- Executes dropped EXE
PID:1156 -
\??\c:\frrlxxr.exec:\frrlxxr.exe48⤵
- Executes dropped EXE
PID:3476 -
\??\c:\tthbtn.exec:\tthbtn.exe49⤵
- Executes dropped EXE
PID:3664 -
\??\c:\bhnhbb.exec:\bhnhbb.exe50⤵
- Executes dropped EXE
PID:2820 -
\??\c:\vjpjd.exec:\vjpjd.exe51⤵
- Executes dropped EXE
PID:1580 -
\??\c:\5dvjp.exec:\5dvjp.exe52⤵
- Executes dropped EXE
PID:4492 -
\??\c:\lllfxxr.exec:\lllfxxr.exe53⤵
- Executes dropped EXE
PID:888 -
\??\c:\hthhhb.exec:\hthhhb.exe54⤵
- Executes dropped EXE
PID:1176 -
\??\c:\bbhtnn.exec:\bbhtnn.exe55⤵
- Executes dropped EXE
PID:4408 -
\??\c:\ppjpp.exec:\ppjpp.exe56⤵
- Executes dropped EXE
PID:3556 -
\??\c:\5xrlxrx.exec:\5xrlxrx.exe57⤵
- Executes dropped EXE
PID:2772 -
\??\c:\9xxrlfx.exec:\9xxrlfx.exe58⤵
- Executes dropped EXE
PID:2604 -
\??\c:\bnttnh.exec:\bnttnh.exe59⤵
- Executes dropped EXE
PID:1712 -
\??\c:\nhntnb.exec:\nhntnb.exe60⤵
- Executes dropped EXE
PID:2268 -
\??\c:\3djdv.exec:\3djdv.exe61⤵
- Executes dropped EXE
PID:2276 -
\??\c:\rxrrrlx.exec:\rxrrrlx.exe62⤵
- Executes dropped EXE
PID:4164 -
\??\c:\1flfffx.exec:\1flfffx.exe63⤵
- Executes dropped EXE
PID:4176 -
\??\c:\jjddv.exec:\jjddv.exe64⤵
- Executes dropped EXE
PID:1096 -
\??\c:\7llffff.exec:\7llffff.exe65⤵
- Executes dropped EXE
PID:4076 -
\??\c:\5ntnhh.exec:\5ntnhh.exe66⤵PID:3684
-
\??\c:\llfxlfx.exec:\llfxlfx.exe67⤵PID:4468
-
\??\c:\rllffff.exec:\rllffff.exe68⤵PID:4500
-
\??\c:\bthbnn.exec:\bthbnn.exe69⤵PID:1568
-
\??\c:\3jjjd.exec:\3jjjd.exe70⤵PID:2636
-
\??\c:\5pppv.exec:\5pppv.exe71⤵PID:2936
-
\??\c:\lrrlrlf.exec:\lrrlrlf.exe72⤵PID:2000
-
\??\c:\xxxfxlf.exec:\xxxfxlf.exe73⤵PID:408
-
\??\c:\7hbttt.exec:\7hbttt.exe74⤵PID:4112
-
\??\c:\pjvpd.exec:\pjvpd.exe75⤵PID:3084
-
\??\c:\pddvp.exec:\pddvp.exe76⤵PID:4872
-
\??\c:\lxrlfxr.exec:\lxrlfxr.exe77⤵PID:3800
-
\??\c:\xxxrrfx.exec:\xxxrrfx.exe78⤵PID:780
-
\??\c:\hhnnnn.exec:\hhnnnn.exe79⤵PID:4604
-
\??\c:\vjvpj.exec:\vjvpj.exe80⤵PID:3372
-
\??\c:\pddvv.exec:\pddvv.exe81⤵PID:4680
-
\??\c:\1lfrllx.exec:\1lfrllx.exe82⤵PID:4172
-
\??\c:\nhbbbt.exec:\nhbbbt.exe83⤵PID:2332
-
\??\c:\thbtnh.exec:\thbtnh.exe84⤵PID:4944
-
\??\c:\pvdvp.exec:\pvdvp.exe85⤵PID:3628
-
\??\c:\5lrrxrf.exec:\5lrrxrf.exe86⤵PID:3016
-
\??\c:\thbtnh.exec:\thbtnh.exe87⤵PID:5044
-
\??\c:\jdppj.exec:\jdppj.exe88⤵PID:4752
-
\??\c:\dpjdv.exec:\dpjdv.exe89⤵PID:4160
-
\??\c:\fxlffll.exec:\fxlffll.exe90⤵PID:1500
-
\??\c:\htbtnn.exec:\htbtnn.exe91⤵PID:2492
-
\??\c:\hbbnbn.exec:\hbbnbn.exe92⤵PID:4732
-
\??\c:\9jdvp.exec:\9jdvp.exe93⤵PID:3148
-
\??\c:\xfrlxxl.exec:\xfrlxxl.exe94⤵PID:1744
-
\??\c:\1lllfff.exec:\1lllfff.exe95⤵PID:3664
-
\??\c:\5ttnhb.exec:\5ttnhb.exe96⤵PID:2024
-
\??\c:\hhnnhb.exec:\hhnnhb.exe97⤵PID:1580
-
\??\c:\5dvjd.exec:\5dvjd.exe98⤵PID:1504
-
\??\c:\rrlfrfx.exec:\rrlfrfx.exe99⤵PID:4812
-
\??\c:\fffxllx.exec:\fffxllx.exe100⤵PID:4552
-
\??\c:\hhbtbt.exec:\hhbtbt.exe101⤵PID:2212
-
\??\c:\tbhbtt.exec:\tbhbtt.exe102⤵PID:4244
-
\??\c:\ppvdv.exec:\ppvdv.exe103⤵PID:1400
-
\??\c:\lxlfrrl.exec:\lxlfrrl.exe104⤵PID:3556
-
\??\c:\rlfxlfr.exec:\rlfxlfr.exe105⤵PID:3768
-
\??\c:\5hnhbb.exec:\5hnhbb.exe106⤵PID:112
-
\??\c:\bthtnh.exec:\bthtnh.exe107⤵PID:2852
-
\??\c:\1vdjd.exec:\1vdjd.exe108⤵PID:2592
-
\??\c:\pdvpp.exec:\pdvpp.exe109⤵PID:2252
-
\??\c:\3flfrrl.exec:\3flfrrl.exe110⤵PID:2248
-
\??\c:\tnnbnh.exec:\tnnbnh.exe111⤵PID:688
-
\??\c:\ttnnhb.exec:\ttnnhb.exe112⤵PID:2268
-
\??\c:\dvvjv.exec:\dvvjv.exe113⤵PID:1624
-
\??\c:\jddvp.exec:\jddvp.exe114⤵PID:1636
-
\??\c:\5xrlxxr.exec:\5xrlxxr.exe115⤵PID:4164
-
\??\c:\llrlxxl.exec:\llrlxxl.exe116⤵PID:5064
-
\??\c:\3ttbbh.exec:\3ttbbh.exe117⤵PID:4608
-
\??\c:\dddvp.exec:\dddvp.exe118⤵PID:2916
-
\??\c:\jdpjp.exec:\jdpjp.exe119⤵PID:3972
-
\??\c:\xrxrxrf.exec:\xrxrxrf.exe120⤵PID:2760
-
\??\c:\llxrrrr.exec:\llxrrrr.exe121⤵PID:1068
-
\??\c:\hbbthb.exec:\hbbthb.exe122⤵PID:2304