Analysis
-
max time kernel
150s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240508-en locale:en-us os:windows10-2004-x64 system -
submitted
18/05/2024, 00:58
Behavioral task
behavioral1
Sample
6557454829abcde179ec52561b76de30_NeikiAnalytics.exe
Resource
win7-20240419-en
5 signatures
150 seconds
General
-
Target
6557454829abcde179ec52561b76de30_NeikiAnalytics.exe
-
Size
455KB
-
MD5
6557454829abcde179ec52561b76de30
-
SHA1
ef1d718fe0d5d1ce9bc3dcb86cb132d6e36746c4
-
SHA256
bc2cdd3947a740b2b9c918ac0e6697ae676e7215a984614cb8cf3f3af06176d4
-
SHA512
9105cb50920f4f99429f9a1a3c449c185dfb8b0c48bc716858f68403a3af07e38e1a8bd3c9a0646233ead8f683e0f49d5ed54ff762d8ce1cb2c62f957d878f39
-
SSDEEP
12288:y4wFHoS3eFp3IDvSbh5nPYERAAUDCa4NYmL:HFp3lz1XUDCaGYmL
Malware Config
Signatures
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/1500-5-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3248-11-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2408-15-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4844-21-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2668-26-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4516-32-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3272-44-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2264-55-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1036-60-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5028-50-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3424-72-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4544-79-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1340-81-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4540-86-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4828-97-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1168-107-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1872-114-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/400-131-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4936-136-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4748-161-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3360-154-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/4632-148-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2160-142-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4132-177-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/404-190-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3476-194-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3236-207-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2904-220-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3248-222-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4248-234-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4196-244-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3700-248-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2192-254-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/696-261-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2168-268-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2680-275-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/324-279-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1780-283-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4828-290-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3588-303-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4708-314-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3664-323-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/3488-333-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2000-337-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5064-361-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3552-365-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3492-397-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2836-419-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4992-424-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/872-439-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4352-443-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5004-448-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4936-467-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3720-495-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4196-546-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/740-558-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1528-599-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2192-683-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4416-750-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4772-757-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4740-768-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4560-829-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1436-854-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/3800-946-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 3248 djjjp.exe 2408 pdjdp.exe 4844 xrxrflf.exe 2668 ppdvv.exe 4516 lrxxxlr.exe 3272 rfxlfrr.exe 5028 1nbtbb.exe 2812 vpvvv.exe 2264 xxfffxx.exe 1036 xlxxrll.exe 3424 nttnbt.exe 4544 pjppj.exe 1340 ffxxflf.exe 4540 nbtbnh.exe 4828 5jpdv.exe 1236 ffrrrll.exe 1168 3rffxxx.exe 1872 hhhtnt.exe 4716 xrffxfx.exe 5020 bnbbbb.exe 4708 xflxflr.exe 400 bnhhbb.exe 4936 djddj.exe 2160 rflfxxx.exe 4632 hbhhbb.exe 3360 3djdj.exe 4748 xrllxxl.exe 4772 tnttnh.exe 3876 bntnhb.exe 4132 rfrfxxr.exe 4468 hnhhtn.exe 404 pvvvd.exe 3476 tbnbnt.exe 2868 pjppp.exe 860 xrrlffx.exe 4744 hhnnhn.exe 3236 jpppp.exe 3268 xrfxxxx.exe 4440 nbbtth.exe 4680 bntttt.exe 2904 ffxrrxf.exe 3248 hhnhhh.exe 960 dpddd.exe 640 fflffff.exe 4248 rxlfrrr.exe 388 bnnhbb.exe 2020 vvvvj.exe 448 rflffff.exe 4196 tntntt.exe 3700 ppjvv.exe 2192 lxfxrrl.exe 4464 hbhbbb.exe 740 dppvp.exe 696 lrfxrxr.exe 2168 nnthbb.exe 3424 vpvjj.exe 2680 llrfflf.exe 324 9bhbtt.exe 1780 jvjdd.exe 1428 xxlxrll.exe 4828 jvdvv.exe 4892 rffflll.exe 3656 bhttht.exe 2820 ddppj.exe -
resource yara_rule behavioral2/memory/1500-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000700000002328e-3.dat upx behavioral2/memory/1500-5-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3248-7-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023402-12.dat upx behavioral2/memory/3248-11-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023403-14.dat upx behavioral2/memory/2408-15-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023404-23.dat upx behavioral2/memory/4844-21-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2668-26-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023405-30.dat upx behavioral2/memory/4516-32-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3272-44-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023408-47.dat upx behavioral2/files/0x0007000000023409-53.dat upx behavioral2/memory/2264-55-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000700000002340a-59.dat upx behavioral2/memory/1036-60-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/5028-50-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023407-41.dat upx behavioral2/files/0x0007000000023406-36.dat upx behavioral2/files/0x000700000002340b-64.dat upx behavioral2/files/0x000700000002340c-69.dat upx behavioral2/memory/3424-72-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4544-73-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000700000002340d-77.dat upx behavioral2/memory/4544-79-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1340-81-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000700000002340e-84.dat upx 
behavioral2/memory/4540-86-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00080000000233ff-89.dat upx behavioral2/files/0x000700000002340f-94.dat upx behavioral2/memory/4828-97-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023411-100.dat upx behavioral2/memory/1168-107-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023412-108.dat upx behavioral2/files/0x0007000000023413-111.dat upx behavioral2/memory/1872-114-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023414-117.dat upx behavioral2/files/0x0007000000023415-123.dat upx behavioral2/files/0x0007000000023416-128.dat upx behavioral2/memory/400-131-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023417-133.dat upx behavioral2/memory/4936-136-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023418-139.dat upx behavioral2/files/0x000700000002341a-151.dat upx behavioral2/files/0x000700000002341b-158.dat upx behavioral2/files/0x000700000002341d-169.dat upx behavioral2/files/0x000700000002341c-164.dat upx behavioral2/memory/4748-161-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3360-154-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4632-148-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023419-146.dat upx behavioral2/memory/2160-142-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000700000002341e-174.dat upx behavioral2/files/0x000700000002341f-179.dat upx behavioral2/memory/4132-177-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023420-184.dat upx behavioral2/memory/404-190-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3476-194-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/memory/3236-207-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2904-220-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3248-222-0x0000000000400000-0x0000000000427000-memory.dmp upx -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1500 wrote to memory of 3248 1500 6557454829abcde179ec52561b76de30_NeikiAnalytics.exe 83 PID 1500 wrote to memory of 3248 1500 6557454829abcde179ec52561b76de30_NeikiAnalytics.exe 83 PID 1500 wrote to memory of 3248 1500 6557454829abcde179ec52561b76de30_NeikiAnalytics.exe 83 PID 3248 wrote to memory of 2408 3248 djjjp.exe 84 PID 3248 wrote to memory of 2408 3248 djjjp.exe 84 PID 3248 wrote to memory of 2408 3248 djjjp.exe 84 PID 2408 wrote to memory of 4844 2408 pdjdp.exe 85 PID 2408 wrote to memory of 4844 2408 pdjdp.exe 85 PID 2408 wrote to memory of 4844 2408 pdjdp.exe 85 PID 4844 wrote to memory of 2668 4844 xrxrflf.exe 86 PID 4844 wrote to memory of 2668 4844 xrxrflf.exe 86 PID 4844 wrote to memory of 2668 4844 xrxrflf.exe 86 PID 2668 wrote to memory of 4516 2668 ppdvv.exe 87 PID 2668 wrote to memory of 4516 2668 ppdvv.exe 87 PID 2668 wrote to memory of 4516 2668 ppdvv.exe 87 PID 4516 wrote to memory of 3272 4516 lrxxxlr.exe 88 PID 4516 wrote to memory of 3272 4516 lrxxxlr.exe 88 PID 4516 wrote to memory of 3272 4516 lrxxxlr.exe 88 PID 3272 wrote to memory of 5028 3272 rfxlfrr.exe 89 PID 3272 wrote to memory of 5028 3272 rfxlfrr.exe 89 PID 3272 wrote to memory of 5028 3272 rfxlfrr.exe 89 PID 5028 wrote to memory of 2812 5028 1nbtbb.exe 90 PID 5028 wrote to memory of 2812 5028 1nbtbb.exe 90 PID 5028 wrote to memory of 2812 5028 1nbtbb.exe 90 PID 2812 wrote to memory of 2264 2812 vpvvv.exe 91 PID 2812 wrote to memory of 2264 2812 vpvvv.exe 91 PID 2812 wrote to memory of 2264 2812 vpvvv.exe 91 PID 2264 wrote to memory of 1036 2264 xxfffxx.exe 92 PID 2264 wrote to memory of 1036 2264 xxfffxx.exe 92 PID 2264 wrote to memory of 1036 2264 xxfffxx.exe 92 PID 1036 wrote to memory of 3424 1036 xlxxrll.exe 93 PID 1036 wrote to memory of 3424 1036 xlxxrll.exe 93 PID 1036 wrote to memory of 3424 1036 xlxxrll.exe 93 PID 3424 wrote to memory of 4544 3424 nttnbt.exe 94 PID 3424 wrote to memory of 4544 3424 nttnbt.exe 94 PID 3424 wrote 
to memory of 4544 3424 nttnbt.exe 94 PID 4544 wrote to memory of 1340 4544 pjppj.exe 96 PID 4544 wrote to memory of 1340 4544 pjppj.exe 96 PID 4544 wrote to memory of 1340 4544 pjppj.exe 96 PID 1340 wrote to memory of 4540 1340 ffxxflf.exe 97 PID 1340 wrote to memory of 4540 1340 ffxxflf.exe 97 PID 1340 wrote to memory of 4540 1340 ffxxflf.exe 97 PID 4540 wrote to memory of 4828 4540 nbtbnh.exe 99 PID 4540 wrote to memory of 4828 4540 nbtbnh.exe 99 PID 4540 wrote to memory of 4828 4540 nbtbnh.exe 99 PID 4828 wrote to memory of 1236 4828 5jpdv.exe 100 PID 4828 wrote to memory of 1236 4828 5jpdv.exe 100 PID 4828 wrote to memory of 1236 4828 5jpdv.exe 100 PID 1236 wrote to memory of 1168 1236 ffrrrll.exe 101 PID 1236 wrote to memory of 1168 1236 ffrrrll.exe 101 PID 1236 wrote to memory of 1168 1236 ffrrrll.exe 101 PID 1168 wrote to memory of 1872 1168 3rffxxx.exe 102 PID 1168 wrote to memory of 1872 1168 3rffxxx.exe 102 PID 1168 wrote to memory of 1872 1168 3rffxxx.exe 102 PID 1872 wrote to memory of 4716 1872 hhhtnt.exe 103 PID 1872 wrote to memory of 4716 1872 hhhtnt.exe 103 PID 1872 wrote to memory of 4716 1872 hhhtnt.exe 103 PID 4716 wrote to memory of 5020 4716 xrffxfx.exe 105 PID 4716 wrote to memory of 5020 4716 xrffxfx.exe 105 PID 4716 wrote to memory of 5020 4716 xrffxfx.exe 105 PID 5020 wrote to memory of 4708 5020 bnbbbb.exe 106 PID 5020 wrote to memory of 4708 5020 bnbbbb.exe 106 PID 5020 wrote to memory of 4708 5020 bnbbbb.exe 106 PID 4708 wrote to memory of 400 4708 xflxflr.exe 107
Processes
-
C:\Users\Admin\AppData\Local\Temp\6557454829abcde179ec52561b76de30_NeikiAnalytics.exe "C:\Users\Admin\AppData\Local\Temp\6557454829abcde179ec52561b76de30_NeikiAnalytics.exe" 1⤵
- Suspicious use of WriteProcessMemory
PID:1500 -
\??\c:\djjjp.exec:\djjjp.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3248 -
\??\c:\pdjdp.exec:\pdjdp.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2408 -
\??\c:\xrxrflf.exec:\xrxrflf.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4844 -
\??\c:\ppdvv.exec:\ppdvv.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2668 -
\??\c:\lrxxxlr.exec:\lrxxxlr.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4516 -
\??\c:\rfxlfrr.exec:\rfxlfrr.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3272 -
\??\c:\1nbtbb.exec:\1nbtbb.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5028 -
\??\c:\vpvvv.exec:\vpvvv.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2812 -
\??\c:\xxfffxx.exec:\xxfffxx.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2264 -
\??\c:\xlxxrll.exec:\xlxxrll.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1036 -
\??\c:\nttnbt.exec:\nttnbt.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3424 -
\??\c:\pjppj.exec:\pjppj.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4544 -
\??\c:\ffxxflf.exec:\ffxxflf.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1340 -
\??\c:\nbtbnh.exec:\nbtbnh.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4540 -
\??\c:\5jpdv.exec:\5jpdv.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4828 -
\??\c:\ffrrrll.exec:\ffrrrll.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1236 -
\??\c:\3rffxxx.exec:\3rffxxx.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1168 -
\??\c:\hhhtnt.exec:\hhhtnt.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1872 -
\??\c:\xrffxfx.exec:\xrffxfx.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4716 -
\??\c:\bnbbbb.exec:\bnbbbb.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5020 -
\??\c:\xflxflr.exec:\xflxflr.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4708 -
\??\c:\bnhhbb.exec:\bnhhbb.exe23⤵
- Executes dropped EXE
PID:400 -
\??\c:\djddj.exec:\djddj.exe24⤵
- Executes dropped EXE
PID:4936 -
\??\c:\rflfxxx.exec:\rflfxxx.exe25⤵
- Executes dropped EXE
PID:2160 -
\??\c:\hbhhbb.exec:\hbhhbb.exe26⤵
- Executes dropped EXE
PID:4632 -
\??\c:\3djdj.exec:\3djdj.exe27⤵
- Executes dropped EXE
PID:3360 -
\??\c:\xrllxxl.exec:\xrllxxl.exe28⤵
- Executes dropped EXE
PID:4748 -
\??\c:\tnttnh.exec:\tnttnh.exe29⤵
- Executes dropped EXE
PID:4772 -
\??\c:\bntnhb.exec:\bntnhb.exe30⤵
- Executes dropped EXE
PID:3876 -
\??\c:\rfrfxxr.exec:\rfrfxxr.exe31⤵
- Executes dropped EXE
PID:4132 -
\??\c:\hnhhtn.exec:\hnhhtn.exe32⤵
- Executes dropped EXE
PID:4468 -
\??\c:\pvvvd.exec:\pvvvd.exe33⤵
- Executes dropped EXE
PID:404 -
\??\c:\tbnbnt.exec:\tbnbnt.exe34⤵
- Executes dropped EXE
PID:3476 -
\??\c:\pjppp.exec:\pjppp.exe35⤵
- Executes dropped EXE
PID:2868 -
\??\c:\xrrlffx.exec:\xrrlffx.exe36⤵
- Executes dropped EXE
PID:860 -
\??\c:\hhnnhn.exec:\hhnnhn.exe37⤵
- Executes dropped EXE
PID:4744 -
\??\c:\jpppp.exec:\jpppp.exe38⤵
- Executes dropped EXE
PID:3236 -
\??\c:\xrfxxxx.exec:\xrfxxxx.exe39⤵
- Executes dropped EXE
PID:3268 -
\??\c:\nbbtth.exec:\nbbtth.exe40⤵
- Executes dropped EXE
PID:4440 -
\??\c:\bntttt.exec:\bntttt.exe41⤵
- Executes dropped EXE
PID:4680 -
\??\c:\ffxrrxf.exec:\ffxrrxf.exe42⤵
- Executes dropped EXE
PID:2904 -
\??\c:\hhnhhh.exec:\hhnhhh.exe43⤵
- Executes dropped EXE
PID:3248 -
\??\c:\dpddd.exec:\dpddd.exe44⤵
- Executes dropped EXE
PID:960 -
\??\c:\fflffff.exec:\fflffff.exe45⤵
- Executes dropped EXE
PID:640 -
\??\c:\rxlfrrr.exec:\rxlfrrr.exe46⤵
- Executes dropped EXE
PID:4248 -
\??\c:\bnnhbb.exec:\bnnhbb.exe47⤵
- Executes dropped EXE
PID:388 -
\??\c:\vvvvj.exec:\vvvvj.exe48⤵
- Executes dropped EXE
PID:2020 -
\??\c:\rflffff.exec:\rflffff.exe49⤵
- Executes dropped EXE
PID:448 -
\??\c:\tntntt.exec:\tntntt.exe50⤵
- Executes dropped EXE
PID:4196 -
\??\c:\ppjvv.exec:\ppjvv.exe51⤵
- Executes dropped EXE
PID:3700 -
\??\c:\lxfxrrl.exec:\lxfxrrl.exe52⤵
- Executes dropped EXE
PID:2192 -
\??\c:\hbhbbb.exec:\hbhbbb.exe53⤵
- Executes dropped EXE
PID:4464 -
\??\c:\dppvp.exec:\dppvp.exe54⤵
- Executes dropped EXE
PID:740 -
\??\c:\lrfxrxr.exec:\lrfxrxr.exe55⤵
- Executes dropped EXE
PID:696 -
\??\c:\nnthbb.exec:\nnthbb.exe56⤵
- Executes dropped EXE
PID:2168 -
\??\c:\vpvjj.exec:\vpvjj.exe57⤵
- Executes dropped EXE
PID:3424 -
\??\c:\llrfflf.exec:\llrfflf.exe58⤵
- Executes dropped EXE
PID:2680 -
\??\c:\9bhbtt.exec:\9bhbtt.exe59⤵
- Executes dropped EXE
PID:324 -
\??\c:\jvjdd.exec:\jvjdd.exe60⤵
- Executes dropped EXE
PID:1780 -
\??\c:\xxlxrll.exec:\xxlxrll.exe61⤵
- Executes dropped EXE
PID:1428 -
\??\c:\jvdvv.exec:\jvdvv.exe62⤵
- Executes dropped EXE
PID:4828 -
\??\c:\rffflll.exec:\rffflll.exe63⤵
- Executes dropped EXE
PID:4892 -
\??\c:\bhttht.exec:\bhttht.exe64⤵
- Executes dropped EXE
PID:3656 -
\??\c:\ddppj.exec:\ddppj.exe65⤵
- Executes dropped EXE
PID:2820 -
\??\c:\rrffxxf.exec:\rrffxxf.exe66⤵PID:2864
-
\??\c:\xlrllll.exec:\xlrllll.exe67⤵PID:3588
-
\??\c:\xrllxxr.exec:\xrllxxr.exe68⤵PID:5100
-
\??\c:\jvvpd.exec:\jvvpd.exe69⤵PID:4136
-
\??\c:\xrffrrl.exec:\xrffrrl.exe70⤵PID:4708
-
\??\c:\tnbthh.exec:\tnbthh.exe71⤵PID:4072
-
\??\c:\dddvp.exec:\dddvp.exe72⤵PID:3664
-
\??\c:\lxfxxrl.exec:\lxfxxrl.exe73⤵PID:4768
-
\??\c:\bhtnhh.exec:\bhtnhh.exe74⤵PID:2184
-
\??\c:\pjpjd.exec:\pjpjd.exe75⤵PID:3488
-
\??\c:\lllxrrl.exec:\lllxrrl.exe76⤵PID:2000
-
\??\c:\tnbttt.exec:\tnbttt.exe77⤵PID:1916
-
\??\c:\9pdvp.exec:\9pdvp.exe78⤵PID:3900
-
\??\c:\vjdvj.exec:\vjdvj.exe79⤵PID:4772
-
\??\c:\xxflrxr.exec:\xxflrxr.exe80⤵PID:3876
-
\??\c:\nntnnh.exec:\nntnnh.exe81⤵PID:4132
-
\??\c:\hnnhtn.exec:\hnnhtn.exe82⤵PID:2848
-
\??\c:\ddvdv.exec:\ddvdv.exe83⤵PID:5064
-
\??\c:\lxxlrrf.exec:\lxxlrrf.exe84⤵PID:3552
-
\??\c:\bthnbh.exec:\bthnbh.exe85⤵PID:3008
-
\??\c:\nttnbb.exec:\nttnbb.exe86⤵PID:1080
-
\??\c:\5ddvp.exec:\5ddvp.exe87⤵PID:1172
-
\??\c:\9xfxrrr.exec:\9xfxrrr.exe88⤵PID:4580
-
\??\c:\xxllrrr.exec:\xxllrrr.exe89⤵PID:1876
-
\??\c:\hnbbhh.exec:\hnbbhh.exe90⤵PID:3244
-
\??\c:\pjppp.exec:\pjppp.exe91⤵PID:1100
-
\??\c:\xllfxxr.exec:\xllfxxr.exe92⤵PID:212
-
\??\c:\rrxxffl.exec:\rrxxffl.exe93⤵PID:2972
-
\??\c:\3hbtnn.exec:\3hbtnn.exe94⤵PID:3428
-
\??\c:\vjppj.exec:\vjppj.exe95⤵PID:3492
-
\??\c:\pvjdp.exec:\pvjdp.exe96⤵PID:5104
-
\??\c:\rlxlfxr.exec:\rlxlfxr.exe97⤵PID:4112
-
\??\c:\tbntht.exec:\tbntht.exe98⤵PID:2812
-
\??\c:\jvppv.exec:\jvppv.exe99⤵PID:3188
-
\??\c:\jpdvv.exec:\jpdvv.exe100⤵PID:4100
-
\??\c:\1rrrrrr.exec:\1rrrrrr.exe101⤵PID:2836
-
\??\c:\nnhbtt.exec:\nnhbtt.exe102⤵PID:2396
-
\??\c:\nbhbhb.exec:\nbhbhb.exe103⤵PID:4992
-
\??\c:\3pvvd.exec:\3pvvd.exe104⤵PID:208
-
\??\c:\lxffxxx.exec:\lxffxxx.exe105⤵PID:1436
-
\??\c:\ntbttn.exec:\ntbttn.exe106⤵PID:5024
-
\??\c:\ppdpv.exec:\ppdpv.exe107⤵PID:872
-
\??\c:\vdjdd.exec:\vdjdd.exe108⤵PID:4352
-
\??\c:\5xxrrxx.exec:\5xxrrxx.exe109⤵PID:3620
-
\??\c:\btnnhb.exec:\btnnhb.exe110⤵PID:5004
-
\??\c:\pvpjd.exec:\pvpjd.exe111⤵PID:5080
-
\??\c:\rfxlxfr.exec:\rfxlxfr.exe112⤵PID:4136
-
\??\c:\thtnnn.exec:\thtnnn.exe113⤵PID:2152
-
\??\c:\pjpjd.exec:\pjpjd.exe114⤵PID:4936
-
\??\c:\xlrlxxx.exec:\xlrlxxx.exe115⤵PID:3312
-
\??\c:\7ntnhh.exec:\7ntnhh.exe116⤵PID:2184
-
\??\c:\xfllffx.exec:\xfllffx.exe117⤵PID:4748
-
\??\c:\tbhtnn.exec:\tbhtnn.exe118⤵PID:4736
-
\??\c:\ntnhnn.exec:\ntnhnn.exe119⤵PID:4416
-
\??\c:\dvpjp.exec:\dvpjp.exe120⤵PID:3836
-
\??\c:\rxfxrrl.exec:\rxfxrrl.exe121⤵PID:1056
-
\??\c:\5hnhbb.exec:\5hnhbb.exe122⤵PID:1000
-