Analysis
-
max time kernel
150s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240419-en -
resource tags
arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system -
submitted
18/05/2024, 00:58
Behavioral task
behavioral1
Sample
6557454829abcde179ec52561b76de30_NeikiAnalytics.exe
Resource
win7-20240419-en
5 signatures
150 seconds
General
-
Target
6557454829abcde179ec52561b76de30_NeikiAnalytics.exe
-
Size
455KB
-
MD5
6557454829abcde179ec52561b76de30
-
SHA1
ef1d718fe0d5d1ce9bc3dcb86cb132d6e36746c4
-
SHA256
bc2cdd3947a740b2b9c918ac0e6697ae676e7215a984614cb8cf3f3af06176d4
-
SHA512
9105cb50920f4f99429f9a1a3c449c185dfb8b0c48bc716858f68403a3af07e38e1a8bd3c9a0646233ead8f683e0f49d5ed54ff762d8ce1cb2c62f957d878f39
-
SSDEEP
12288:y4wFHoS3eFp3IDvSbh5nPYERAAUDCa4NYmL:HFp3lz1XUDCaGYmL
Malware Config
Signatures
-
Detect Blackmoon payload 37 IoCs
resource yara_rule behavioral1/memory/2332-10-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/108-7-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2332-17-0x00000000003A0000-0x00000000003C7000-memory.dmp family_blackmoon behavioral1/memory/2976-28-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2552-31-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2552-33-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2544-50-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2680-47-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2576-69-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2440-66-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1904-87-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2420-85-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1564-103-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2644-112-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2896-130-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1808-139-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1564-165-0x0000000000230000-0x0000000000257000-memory.dmp family_blackmoon behavioral1/memory/1304-164-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2024-181-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/576-192-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1168-217-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral1/memory/3020-226-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1032-260-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1680-279-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2160-295-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1480-321-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2052-334-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/3056-359-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2924-385-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2960-466-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2796-527-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2416-670-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2900-775-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/1756-788-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2852-866-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/3024-910-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1436-1017-0x0000000000250000-0x0000000000277000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2332 lxffrff.exe 2976 9vvvj.exe 2552 9ddpd.exe 2680 jdvvj.exe 2544 pjvpd.exe 2440 rflrxxl.exe 2576 7jjdp.exe 2420 ppdjv.exe 1904 jdvdp.exe 1564 9dddp.exe 2644 ttnthn.exe 2772 vdjpd.exe 2896 jddvv.exe 1808 rxxlxfx.exe 1552 tthtbh.exe 308 frffxff.exe 1304 bbbhnn.exe 1176 pjjpj.exe 2024 nntthn.exe 2956 fxrflrf.exe 576 bbthbt.exe 700 lllllrr.exe 1168 nhbbnt.exe 3020 rllrlrl.exe 2832 bhbthn.exe 1204 xxfrxrl.exe 1288 dppjv.exe 1032 fxrxlfx.exe 680 vvddv.exe 1680 9flxrxr.exe 1656 1nthtb.exe 2160 pdjdd.exe 1416 lrfrfff.exe 1872 thhtnt.exe 108 dddpj.exe 1480 xllxxxl.exe 2720 5hbbbt.exe 2052 jjjpd.exe 2616 vdddp.exe 2604 rrrlflx.exe 2540 tbtnth.exe 3056 jjjvj.exe 2648 1xlrxlx.exe 1888 hhhbnn.exe 2460 1nbnnb.exe 2448 9jvpv.exe 2924 rlffxfx.exe 1884 nnbhnt.exe 2664 thhthh.exe 2760 9pdjv.exe 2644 9fxxffl.exe 1528 hnnhtn.exe 1484 thhhtb.exe 1436 jjjvj.exe 868 5frrffl.exe 1764 fllflrf.exe 1552 tnhnbh.exe 2512 dvpvp.exe 2960 djppj.exe 1252 fffrfrx.exe 2972 nhtbhb.exe 1196 vvvpd.exe 1400 7lxrxxx.exe 1388 hhnbnb.exe -
resource yara_rule behavioral1/memory/108-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000c000000012279-9.dat upx behavioral1/memory/2332-10-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/108-7-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2332-17-0x00000000003A0000-0x00000000003C7000-memory.dmp upx behavioral1/files/0x0038000000016126-18.dat upx behavioral1/memory/2976-19-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0008000000016591-25.dat upx behavioral1/memory/2976-28-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2552-31-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2552-33-0x0000000000220000-0x0000000000247000-memory.dmp upx behavioral1/files/0x00080000000167e8-38.dat upx behavioral1/files/0x0008000000016c3a-45.dat upx behavioral1/memory/2544-50-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2680-47-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0007000000016c57-57.dat upx behavioral1/files/0x0007000000016c5b-65.dat upx behavioral1/memory/2576-69-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2440-66-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0007000000016ccd-76.dat upx behavioral1/files/0x0008000000016d7d-83.dat upx behavioral1/memory/1904-87-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2420-85-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0006000000016fa9-94.dat upx behavioral1/files/0x000600000001708c-101.dat upx behavioral1/memory/1564-103-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00060000000171ad-113.dat upx behavioral1/memory/2644-112-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000600000001738e-120.dat upx behavioral1/memory/2896-130-0x0000000000400000-0x0000000000427000-memory.dmp 
upx behavioral1/files/0x000600000001738f-128.dat upx behavioral1/files/0x0038000000016228-137.dat upx behavioral1/memory/1808-139-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00060000000173e2-147.dat upx behavioral1/files/0x00060000000173e5-153.dat upx behavioral1/files/0x0006000000017436-163.dat upx behavioral1/memory/1304-164-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00060000000174ef-172.dat upx behavioral1/memory/2024-181-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0006000000017577-182.dat upx behavioral1/files/0x00060000000175f7-190.dat upx behavioral1/memory/576-192-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00060000000175fd-199.dat upx behavioral1/memory/700-200-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0006000000017603-208.dat upx behavioral1/memory/1168-209-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000d000000018689-218.dat upx behavioral1/memory/1168-217-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00050000000186a2-228.dat upx behavioral1/memory/3020-226-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001870e-235.dat upx behavioral1/memory/1204-236-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001871c-244.dat upx behavioral1/files/0x0005000000018749-252.dat upx behavioral1/memory/1032-260-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001878f-261.dat upx behavioral1/files/0x000600000001902f-268.dat upx behavioral1/memory/1680-279-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0005000000019254-277.dat upx behavioral1/files/0x000500000001925a-286.dat upx behavioral1/memory/2160-295-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/1480-321-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral1/memory/2052-334-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/3056-359-0x0000000000400000-0x0000000000427000-memory.dmp upx -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 108 wrote to memory of 2332 108 6557454829abcde179ec52561b76de30_NeikiAnalytics.exe 28 PID 108 wrote to memory of 2332 108 6557454829abcde179ec52561b76de30_NeikiAnalytics.exe 28 PID 108 wrote to memory of 2332 108 6557454829abcde179ec52561b76de30_NeikiAnalytics.exe 28 PID 108 wrote to memory of 2332 108 6557454829abcde179ec52561b76de30_NeikiAnalytics.exe 28 PID 2332 wrote to memory of 2976 2332 lxffrff.exe 29 PID 2332 wrote to memory of 2976 2332 lxffrff.exe 29 PID 2332 wrote to memory of 2976 2332 lxffrff.exe 29 PID 2332 wrote to memory of 2976 2332 lxffrff.exe 29 PID 2976 wrote to memory of 2552 2976 9vvvj.exe 30 PID 2976 wrote to memory of 2552 2976 9vvvj.exe 30 PID 2976 wrote to memory of 2552 2976 9vvvj.exe 30 PID 2976 wrote to memory of 2552 2976 9vvvj.exe 30 PID 2552 wrote to memory of 2680 2552 9ddpd.exe 31 PID 2552 wrote to memory of 2680 2552 9ddpd.exe 31 PID 2552 wrote to memory of 2680 2552 9ddpd.exe 31 PID 2552 wrote to memory of 2680 2552 9ddpd.exe 31 PID 2680 wrote to memory of 2544 2680 jdvvj.exe 32 PID 2680 wrote to memory of 2544 2680 jdvvj.exe 32 PID 2680 wrote to memory of 2544 2680 jdvvj.exe 32 PID 2680 wrote to memory of 2544 2680 jdvvj.exe 32 PID 2544 wrote to memory of 2440 2544 pjvpd.exe 33 PID 2544 wrote to memory of 2440 2544 pjvpd.exe 33 PID 2544 wrote to memory of 2440 2544 pjvpd.exe 33 PID 2544 wrote to memory of 2440 2544 pjvpd.exe 33 PID 2440 wrote to memory of 2576 2440 rflrxxl.exe 34 PID 2440 wrote to memory of 2576 2440 rflrxxl.exe 34 PID 2440 wrote to memory of 2576 2440 rflrxxl.exe 34 PID 2440 wrote to memory of 2576 2440 rflrxxl.exe 34 PID 2576 wrote to memory of 2420 2576 7jjdp.exe 35 PID 2576 wrote to memory of 2420 2576 7jjdp.exe 35 PID 2576 wrote to memory of 2420 2576 7jjdp.exe 35 PID 2576 wrote to memory of 2420 2576 7jjdp.exe 35 PID 2420 wrote to memory of 1904 2420 ppdjv.exe 36 PID 2420 wrote to memory of 1904 2420 ppdjv.exe 36 PID 2420 wrote to memory of 1904 2420 ppdjv.exe 36 
PID 2420 wrote to memory of 1904 2420 ppdjv.exe 36 PID 1904 wrote to memory of 1564 1904 jdvdp.exe 37 PID 1904 wrote to memory of 1564 1904 jdvdp.exe 37 PID 1904 wrote to memory of 1564 1904 jdvdp.exe 37 PID 1904 wrote to memory of 1564 1904 jdvdp.exe 37 PID 1564 wrote to memory of 2644 1564 9dddp.exe 38 PID 1564 wrote to memory of 2644 1564 9dddp.exe 38 PID 1564 wrote to memory of 2644 1564 9dddp.exe 38 PID 1564 wrote to memory of 2644 1564 9dddp.exe 38 PID 2644 wrote to memory of 2772 2644 ttnthn.exe 39 PID 2644 wrote to memory of 2772 2644 ttnthn.exe 39 PID 2644 wrote to memory of 2772 2644 ttnthn.exe 39 PID 2644 wrote to memory of 2772 2644 ttnthn.exe 39 PID 2772 wrote to memory of 2896 2772 vdjpd.exe 40 PID 2772 wrote to memory of 2896 2772 vdjpd.exe 40 PID 2772 wrote to memory of 2896 2772 vdjpd.exe 40 PID 2772 wrote to memory of 2896 2772 vdjpd.exe 40 PID 2896 wrote to memory of 1808 2896 jddvv.exe 41 PID 2896 wrote to memory of 1808 2896 jddvv.exe 41 PID 2896 wrote to memory of 1808 2896 jddvv.exe 41 PID 2896 wrote to memory of 1808 2896 jddvv.exe 41 PID 1808 wrote to memory of 1552 1808 rxxlxfx.exe 42 PID 1808 wrote to memory of 1552 1808 rxxlxfx.exe 42 PID 1808 wrote to memory of 1552 1808 rxxlxfx.exe 42 PID 1808 wrote to memory of 1552 1808 rxxlxfx.exe 42 PID 1552 wrote to memory of 308 1552 tthtbh.exe 43 PID 1552 wrote to memory of 308 1552 tthtbh.exe 43 PID 1552 wrote to memory of 308 1552 tthtbh.exe 43 PID 1552 wrote to memory of 308 1552 tthtbh.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\6557454829abcde179ec52561b76de30_NeikiAnalytics.exe "C:\Users\Admin\AppData\Local\Temp\6557454829abcde179ec52561b76de30_NeikiAnalytics.exe" 1⤵
- Suspicious use of WriteProcessMemory
PID:108 -
\??\c:\lxffrff.exec:\lxffrff.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2332 -
\??\c:\9vvvj.exec:\9vvvj.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2976 -
\??\c:\9ddpd.exec:\9ddpd.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2552 -
\??\c:\jdvvj.exec:\jdvvj.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2680 -
\??\c:\pjvpd.exec:\pjvpd.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2544 -
\??\c:\rflrxxl.exec:\rflrxxl.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2440 -
\??\c:\7jjdp.exec:\7jjdp.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2576 -
\??\c:\ppdjv.exec:\ppdjv.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2420 -
\??\c:\jdvdp.exec:\jdvdp.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1904 -
\??\c:\9dddp.exec:\9dddp.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1564 -
\??\c:\ttnthn.exec:\ttnthn.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2644 -
\??\c:\vdjpd.exec:\vdjpd.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2772 -
\??\c:\jddvv.exec:\jddvv.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2896 -
\??\c:\rxxlxfx.exec:\rxxlxfx.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1808 -
\??\c:\tthtbh.exec:\tthtbh.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1552 -
\??\c:\frffxff.exec:\frffxff.exe17⤵
- Executes dropped EXE
PID:308 -
\??\c:\bbbhnn.exec:\bbbhnn.exe18⤵
- Executes dropped EXE
PID:1304 -
\??\c:\pjjpj.exec:\pjjpj.exe19⤵
- Executes dropped EXE
PID:1176 -
\??\c:\nntthn.exec:\nntthn.exe20⤵
- Executes dropped EXE
PID:2024 -
\??\c:\fxrflrf.exec:\fxrflrf.exe21⤵
- Executes dropped EXE
PID:2956 -
\??\c:\bbthbt.exec:\bbthbt.exe22⤵
- Executes dropped EXE
PID:576 -
\??\c:\lllllrr.exec:\lllllrr.exe23⤵
- Executes dropped EXE
PID:700 -
\??\c:\nhbbnt.exec:\nhbbnt.exe24⤵
- Executes dropped EXE
PID:1168 -
\??\c:\rllrlrl.exec:\rllrlrl.exe25⤵
- Executes dropped EXE
PID:3020 -
\??\c:\bhbthn.exec:\bhbthn.exe26⤵
- Executes dropped EXE
PID:2832 -
\??\c:\xxfrxrl.exec:\xxfrxrl.exe27⤵
- Executes dropped EXE
PID:1204 -
\??\c:\dppjv.exec:\dppjv.exe28⤵
- Executes dropped EXE
PID:1288 -
\??\c:\fxrxlfx.exec:\fxrxlfx.exe29⤵
- Executes dropped EXE
PID:1032 -
\??\c:\vvddv.exec:\vvddv.exe30⤵
- Executes dropped EXE
PID:680 -
\??\c:\9flxrxr.exec:\9flxrxr.exe31⤵
- Executes dropped EXE
PID:1680 -
\??\c:\1nthtb.exec:\1nthtb.exe32⤵
- Executes dropped EXE
PID:1656 -
\??\c:\pdjdd.exec:\pdjdd.exe33⤵
- Executes dropped EXE
PID:2160 -
\??\c:\lrfrfff.exec:\lrfrfff.exe34⤵
- Executes dropped EXE
PID:1416 -
\??\c:\thhtnt.exec:\thhtnt.exe35⤵
- Executes dropped EXE
PID:1872 -
\??\c:\dddpj.exec:\dddpj.exe36⤵
- Executes dropped EXE
PID:108 -
\??\c:\xllxxxl.exec:\xllxxxl.exe37⤵
- Executes dropped EXE
PID:1480 -
\??\c:\5hbbbt.exec:\5hbbbt.exe38⤵
- Executes dropped EXE
PID:2720 -
\??\c:\jjjpd.exec:\jjjpd.exe39⤵
- Executes dropped EXE
PID:2052 -
\??\c:\vdddp.exec:\vdddp.exe40⤵
- Executes dropped EXE
PID:2616 -
\??\c:\rrrlflx.exec:\rrrlflx.exe41⤵
- Executes dropped EXE
PID:2604 -
\??\c:\tbtnth.exec:\tbtnth.exe42⤵
- Executes dropped EXE
PID:2540 -
\??\c:\jjjvj.exec:\jjjvj.exe43⤵
- Executes dropped EXE
PID:3056 -
\??\c:\1xlrxlx.exec:\1xlrxlx.exe44⤵
- Executes dropped EXE
PID:2648 -
\??\c:\hhhbnn.exec:\hhhbnn.exe45⤵
- Executes dropped EXE
PID:1888 -
\??\c:\1nbnnb.exec:\1nbnnb.exe46⤵
- Executes dropped EXE
PID:2460 -
\??\c:\9jvpv.exec:\9jvpv.exe47⤵
- Executes dropped EXE
PID:2448 -
\??\c:\rlffxfx.exec:\rlffxfx.exe48⤵
- Executes dropped EXE
PID:2924 -
\??\c:\nnbhnt.exec:\nnbhnt.exe49⤵
- Executes dropped EXE
PID:1884 -
\??\c:\thhthh.exec:\thhthh.exe50⤵
- Executes dropped EXE
PID:2664 -
\??\c:\9pdjv.exec:\9pdjv.exe51⤵
- Executes dropped EXE
PID:2760 -
\??\c:\9fxxffl.exec:\9fxxffl.exe52⤵
- Executes dropped EXE
PID:2644 -
\??\c:\hnnhtn.exec:\hnnhtn.exe53⤵
- Executes dropped EXE
PID:1528 -
\??\c:\thhhtb.exec:\thhhtb.exe54⤵
- Executes dropped EXE
PID:1484 -
\??\c:\jjjvj.exec:\jjjvj.exe55⤵
- Executes dropped EXE
PID:1436 -
\??\c:\5frrffl.exec:\5frrffl.exe56⤵
- Executes dropped EXE
PID:868 -
\??\c:\fllflrf.exec:\fllflrf.exe57⤵
- Executes dropped EXE
PID:1764 -
\??\c:\tnhnbh.exec:\tnhnbh.exe58⤵
- Executes dropped EXE
PID:1552 -
\??\c:\dvpvp.exec:\dvpvp.exe59⤵
- Executes dropped EXE
PID:2512 -
\??\c:\djppj.exec:\djppj.exe60⤵
- Executes dropped EXE
PID:2960 -
\??\c:\fffrfrx.exec:\fffrfrx.exe61⤵
- Executes dropped EXE
PID:1252 -
\??\c:\nhtbhb.exec:\nhtbhb.exe62⤵
- Executes dropped EXE
PID:2972 -
\??\c:\vvvpd.exec:\vvvpd.exe63⤵
- Executes dropped EXE
PID:1196 -
\??\c:\7lxrxxx.exec:\7lxrxxx.exe64⤵
- Executes dropped EXE
PID:1400 -
\??\c:\hhnbnb.exec:\hhnbnb.exe65⤵
- Executes dropped EXE
PID:1388 -
\??\c:\pvvpj.exec:\pvvpj.exe66⤵PID:2944
-
\??\c:\rxxrlrf.exec:\rxxrlrf.exe67⤵PID:3060
-
\??\c:\bbntnh.exec:\bbntnh.exe68⤵PID:404
-
\??\c:\ddvvj.exec:\ddvvj.exe69⤵PID:2796
-
\??\c:\9vpdv.exec:\9vpdv.exe70⤵PID:872
-
\??\c:\rrfrlrx.exec:\rrfrlrx.exe71⤵PID:1896
-
\??\c:\thnbhb.exec:\thnbhb.exe72⤵PID:1768
-
\??\c:\jjjvd.exec:\jjjvd.exe73⤵PID:2192
-
\??\c:\ppjpd.exec:\ppjpd.exe74⤵PID:1660
-
\??\c:\rrfrxfx.exec:\rrfrxfx.exe75⤵PID:2276
-
\??\c:\7tnnbn.exec:\7tnnbn.exe76⤵PID:2296
-
\??\c:\vdppv.exec:\vdppv.exe77⤵PID:352
-
\??\c:\dddvv.exec:\dddvv.exe78⤵PID:2860
-
\??\c:\rxflllf.exec:\rxflllf.exe79⤵PID:2084
-
\??\c:\tnnnbb.exec:\tnnnbb.exe80⤵PID:2868
-
\??\c:\djpjp.exec:\djpjp.exe81⤵PID:1416
-
\??\c:\xrlxxfx.exec:\xrlxxfx.exe82⤵PID:1516
-
\??\c:\nntbhh.exec:\nntbhh.exe83⤵PID:2488
-
\??\c:\7vppv.exec:\7vppv.exe84⤵PID:2064
-
\??\c:\pvjpj.exec:\pvjpj.exe85⤵PID:1604
-
\??\c:\lrfrrrx.exec:\lrfrrrx.exe86⤵PID:2608
-
\??\c:\1thbbt.exec:\1thbbt.exe87⤵PID:2560
-
\??\c:\vdjjj.exec:\vdjjj.exe88⤵PID:2680
-
\??\c:\frxfrrf.exec:\frxfrrf.exe89⤵PID:2672
-
\??\c:\fxrrflx.exec:\fxrrflx.exe90⤵PID:2716
-
\??\c:\3nnbhn.exec:\3nnbhn.exe91⤵PID:2440
-
\??\c:\jdpvd.exec:\jdpvd.exe92⤵PID:2416
-
\??\c:\rrrflrf.exec:\rrrflrf.exe93⤵PID:2480
-
\??\c:\nnttbn.exec:\nnttbn.exe94⤵PID:2920
-
\??\c:\pppjv.exec:\pppjv.exe95⤵PID:1544
-
\??\c:\ddjvv.exec:\ddjvv.exe96⤵PID:2508
-
\??\c:\rxrfrxl.exec:\rxrfrxl.exe97⤵PID:2748
-
\??\c:\5bhbhh.exec:\5bhbhh.exe98⤵PID:2784
-
\??\c:\hnnbhn.exec:\hnnbhn.exe99⤵PID:2780
-
\??\c:\jddpd.exec:\jddpd.exe100⤵PID:1772
-
\??\c:\lrlfrfx.exec:\lrlfrfx.exe101⤵PID:1812
-
\??\c:\nnhbnt.exec:\nnhbnt.exe102⤵PID:1356
-
\??\c:\nhbthn.exec:\nhbthn.exe103⤵PID:2380
-
\??\c:\djdvj.exec:\djdvj.exe104⤵PID:2476
-
\??\c:\fxllxrx.exec:\fxllxrx.exe105⤵PID:1336
-
\??\c:\hbtttb.exec:\hbtttb.exe106⤵PID:1240
-
\??\c:\hhhhtt.exec:\hhhhtt.exe107⤵PID:1176
-
\??\c:\pjjdd.exec:\pjjdd.exe108⤵PID:2040
-
\??\c:\ttntnt.exec:\ttntnt.exe109⤵PID:2900
-
\??\c:\btntbb.exec:\btntbb.exe110⤵PID:624
-
\??\c:\vdvvj.exec:\vdvvj.exe111⤵PID:1756
-
\??\c:\xrxllxr.exec:\xrxllxr.exe112⤵PID:1704
-
\??\c:\vjppv.exec:\vjppv.exe113⤵PID:2208
-
\??\c:\xxfrllr.exec:\xxfrllr.exe114⤵PID:1088
-
\??\c:\tbbntb.exec:\tbbntb.exe115⤵PID:2384
-
\??\c:\nnhnbn.exec:\nnhnbn.exe116⤵PID:1676
-
\??\c:\vpdvp.exec:\vpdvp.exe117⤵PID:908
-
\??\c:\llxrflf.exec:\llxrflf.exe118⤵PID:1896
-
\??\c:\nthtnb.exec:\nthtnb.exe119⤵PID:1664
-
\??\c:\thhntn.exec:\thhntn.exe120⤵PID:2192
-
\??\c:\jvdpv.exec:\jvdpv.exe121⤵PID:1132
-
\??\c:\lflrffx.exec:\lflrffx.exe122⤵PID:3032
-