Analysis
-
max time kernel
151s -
max time network
139s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system -
submitted
18/05/2024, 01:11
Behavioral task
behavioral1
Sample
6798c0237d21fdbe504b8ae4f7250450_NeikiAnalytics.exe
Resource
win7-20240221-en
7 signatures
150 seconds
General
-
Target
6798c0237d21fdbe504b8ae4f7250450_NeikiAnalytics.exe
-
Size
169KB
-
MD5
6798c0237d21fdbe504b8ae4f7250450
-
SHA1
adb3afeb25d0e6d5e2c89fe7f5c350f7c88df4b6
-
SHA256
1c3293d3f07582f50f6d67e1055811df49f0235e29f90a6413a77db5fff51bba
-
SHA512
efecd97dfb07ad81656e17c342dbf06de6148519149da12ffaa1e7f01b3fd2627f6307b70ffce0ae58363ed3e50dcf25b852d92aaba5ef98ca1e102a98b60abe
-
SSDEEP
1536:HvQBeOGtrYS3srx93UBWfwC6Ggnouy8CUYj7FK4O8A1o4XEc3YtxD8/Ai2V:HhOmTsF93UYfwC6GIoutX8Ki3c3YT8Vu
Score
10/10
Malware Config
Signatures
-
Detect Blackmoon payload 61 IoCs
resource yara_rule behavioral1/memory/2888-2-0x0000000000400000-0x0000000000446000-memory.dmp family_blackmoon behavioral1/memory/2940-12-0x0000000000400000-0x0000000000446000-memory.dmp family_blackmoon behavioral1/memory/2940-18-0x0000000000220000-0x0000000000266000-memory.dmp family_blackmoon behavioral1/memory/2688-31-0x0000000000400000-0x0000000000446000-memory.dmp family_blackmoon behavioral1/memory/2584-28-0x0000000000400000-0x0000000000446000-memory.dmp family_blackmoon behavioral1/memory/2584-27-0x00000000002E0000-0x0000000000326000-memory.dmp family_blackmoon behavioral1/memory/2408-50-0x0000000000260000-0x00000000002A6000-memory.dmp family_blackmoon behavioral1/memory/2408-49-0x0000000000400000-0x0000000000446000-memory.dmp family_blackmoon behavioral1/memory/2584-64-0x00000000002E0000-0x0000000000326000-memory.dmp family_blackmoon behavioral1/memory/2372-69-0x0000000000400000-0x0000000000446000-memory.dmp family_blackmoon behavioral1/memory/2448-81-0x0000000000400000-0x0000000000446000-memory.dmp family_blackmoon behavioral1/memory/1652-100-0x0000000000400000-0x0000000000446000-memory.dmp family_blackmoon behavioral1/memory/2408-91-0x0000000000260000-0x00000000002A6000-memory.dmp family_blackmoon behavioral1/memory/2088-89-0x0000000000400000-0x0000000000446000-memory.dmp family_blackmoon behavioral1/memory/764-112-0x0000000000400000-0x0000000000446000-memory.dmp family_blackmoon behavioral1/memory/764-110-0x0000000000220000-0x0000000000266000-memory.dmp family_blackmoon behavioral1/memory/1472-121-0x0000000000400000-0x0000000000446000-memory.dmp family_blackmoon behavioral1/memory/2360-130-0x0000000000400000-0x0000000000446000-memory.dmp family_blackmoon behavioral1/memory/1760-139-0x0000000000400000-0x0000000000446000-memory.dmp family_blackmoon behavioral1/memory/944-148-0x0000000000400000-0x0000000000446000-memory.dmp family_blackmoon behavioral1/memory/1824-157-0x0000000000350000-0x0000000000396000-memory.dmp family_blackmoon 
behavioral1/memory/1340-165-0x0000000000450000-0x0000000000496000-memory.dmp family_blackmoon behavioral1/memory/636-170-0x0000000000230000-0x0000000000276000-memory.dmp family_blackmoon behavioral1/memory/636-175-0x0000000000400000-0x0000000000446000-memory.dmp family_blackmoon behavioral1/memory/2564-184-0x0000000000400000-0x0000000000446000-memory.dmp family_blackmoon behavioral1/memory/268-195-0x0000000000400000-0x0000000000446000-memory.dmp family_blackmoon behavioral1/memory/816-204-0x0000000000400000-0x0000000000446000-memory.dmp family_blackmoon behavioral1/memory/1340-205-0x0000000000450000-0x0000000000496000-memory.dmp family_blackmoon behavioral1/memory/3052-221-0x0000000000400000-0x0000000000446000-memory.dmp family_blackmoon behavioral1/memory/2028-230-0x0000000000220000-0x0000000000266000-memory.dmp family_blackmoon behavioral1/memory/1160-239-0x0000000000400000-0x0000000000446000-memory.dmp family_blackmoon behavioral1/memory/1160-240-0x00000000005E0000-0x0000000000626000-memory.dmp family_blackmoon behavioral1/memory/1312-250-0x0000000000400000-0x0000000000446000-memory.dmp family_blackmoon behavioral1/memory/2024-308-0x0000000000400000-0x0000000000446000-memory.dmp family_blackmoon behavioral1/memory/2264-315-0x0000000000400000-0x0000000000446000-memory.dmp family_blackmoon behavioral1/memory/2116-329-0x0000000000400000-0x0000000000446000-memory.dmp family_blackmoon behavioral1/memory/2764-355-0x0000000000400000-0x0000000000446000-memory.dmp family_blackmoon behavioral1/memory/2424-368-0x0000000000400000-0x0000000000446000-memory.dmp family_blackmoon behavioral1/memory/2488-369-0x0000000000400000-0x0000000000446000-memory.dmp family_blackmoon behavioral1/memory/2832-390-0x00000000002B0000-0x00000000002F6000-memory.dmp family_blackmoon behavioral1/memory/2832-389-0x0000000000400000-0x0000000000446000-memory.dmp family_blackmoon behavioral1/memory/584-495-0x0000000000400000-0x0000000000446000-memory.dmp family_blackmoon 
behavioral1/memory/2880-520-0x0000000000260000-0x00000000002A6000-memory.dmp family_blackmoon behavioral1/memory/2972-527-0x0000000000400000-0x0000000000446000-memory.dmp family_blackmoon behavioral1/memory/1160-536-0x0000000000220000-0x0000000000266000-memory.dmp family_blackmoon behavioral1/memory/1736-565-0x0000000000400000-0x0000000000446000-memory.dmp family_blackmoon behavioral1/memory/1736-566-0x0000000000230000-0x0000000000276000-memory.dmp family_blackmoon behavioral1/memory/2108-573-0x0000000000400000-0x0000000000446000-memory.dmp family_blackmoon behavioral1/memory/2204-586-0x0000000000220000-0x0000000000266000-memory.dmp family_blackmoon behavioral1/memory/2204-587-0x0000000000220000-0x0000000000266000-memory.dmp family_blackmoon behavioral1/memory/2112-595-0x0000000000400000-0x0000000000446000-memory.dmp family_blackmoon behavioral1/memory/2940-621-0x0000000000220000-0x0000000000266000-memory.dmp family_blackmoon behavioral1/memory/2956-640-0x00000000002C0000-0x0000000000306000-memory.dmp family_blackmoon behavioral1/memory/2512-654-0x0000000000220000-0x0000000000266000-memory.dmp family_blackmoon behavioral1/memory/2512-652-0x0000000000220000-0x0000000000266000-memory.dmp family_blackmoon behavioral1/memory/2404-662-0x0000000000220000-0x0000000000266000-memory.dmp family_blackmoon behavioral1/memory/2832-694-0x0000000000220000-0x0000000000266000-memory.dmp family_blackmoon behavioral1/memory/2832-721-0x0000000000220000-0x0000000000266000-memory.dmp family_blackmoon behavioral1/memory/2656-732-0x0000000000220000-0x0000000000266000-memory.dmp family_blackmoon behavioral1/memory/1532-825-0x0000000000400000-0x0000000000446000-memory.dmp family_blackmoon behavioral1/memory/2224-864-0x00000000003A0000-0x00000000003E6000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2940 vhnbjlx.exe 2584 bjrxbnf.exe 2688 vjpblx.exe 2408 rnpdvf.exe 2396 nbnnhhb.exe 2372 xrlhlf.exe 2448 npbjbrv.exe 2088 pfhrpv.exe 1652 hrdtt.exe 764 ftfnb.exe 1472 vttjlh.exe 2360 pnhtpx.exe 1760 xnffrn.exe 944 fbhxd.exe 1824 jflxh.exe 1340 xpldxrd.exe 636 lbxxfhd.exe 2564 lrbhd.exe 268 nxthbt.exe 816 npxbd.exe 600 nhtjnr.exe 3052 fpfblvv.exe 2028 pvlrplv.exe 1160 bltlbfn.exe 1312 vjjjbv.exe 1144 jrbxx.exe 1032 bhjpdv.exe 616 rrbjfv.exe 2108 vvpnttj.exe 1980 drpjfx.exe 2904 jntbpx.exe 2024 jbnnrd.exe 2264 llvnxxj.exe 1512 ndfvrtn.exe 2116 ldbrb.exe 2628 lnlflnv.exe 2584 dnbnv.exe 2688 bjltrv.exe 2764 fpbtt.exe 2408 xjvvvht.exe 2424 lthll.exe 2488 jphpp.exe 2376 njplxt.exe 2832 ndjpttt.exe 1164 rrbrlff.exe 1324 jrlfpph.exe 1280 tjldjh.exe 908 jdtjnjv.exe 1544 vdjbbd.exe 2656 jxxjjlp.exe 948 fdlbtl.exe 2196 tvtrrv.exe 940 rtvhh.exe 812 vrxbdp.exe 1528 hphvblb.exe 840 pnbthn.exe 1568 bpvtv.exe 2716 rldfn.exe 2412 bjhrhb.exe 2564 jrfvnd.exe 584 hftll.exe 2244 hdpdfj.exe 1924 drfxdf.exe 2916 hjntvjt.exe -
resource yara_rule behavioral1/memory/2720-0-0x0000000000400000-0x0000000000446000-memory.dmp upx behavioral1/memory/2888-2-0x0000000000400000-0x0000000000446000-memory.dmp upx behavioral1/memory/2940-12-0x0000000000400000-0x0000000000446000-memory.dmp upx behavioral1/files/0x000b0000000155e2-9.dat upx behavioral1/files/0x0024000000015c3c-19.dat upx behavioral1/memory/2688-31-0x0000000000400000-0x0000000000446000-memory.dmp upx behavioral1/files/0x0008000000015c7c-30.dat upx behavioral1/files/0x0007000000015c87-39.dat upx behavioral1/memory/2720-38-0x0000000000400000-0x0000000000446000-memory.dmp upx behavioral1/memory/2584-28-0x0000000000400000-0x0000000000446000-memory.dmp upx behavioral1/files/0x0007000000015cb9-51.dat upx behavioral1/memory/2408-49-0x0000000000400000-0x0000000000446000-memory.dmp upx behavioral1/memory/2408-48-0x0000000000260000-0x00000000002A6000-memory.dmp upx behavioral1/files/0x0008000000015e02-60.dat upx behavioral1/files/0x00070000000165ae-70.dat upx behavioral1/memory/2372-69-0x0000000000400000-0x0000000000446000-memory.dmp upx behavioral1/memory/2448-72-0x0000000000400000-0x0000000000446000-memory.dmp upx behavioral1/memory/2448-81-0x0000000000400000-0x0000000000446000-memory.dmp upx behavioral1/files/0x0005000000018698-79.dat upx behavioral1/files/0x00050000000186a0-92.dat upx behavioral1/memory/1652-100-0x0000000000400000-0x0000000000446000-memory.dmp upx behavioral1/files/0x0006000000018ae2-98.dat upx behavioral1/memory/764-101-0x0000000000400000-0x0000000000446000-memory.dmp upx behavioral1/memory/2088-89-0x0000000000400000-0x0000000000446000-memory.dmp upx behavioral1/memory/764-112-0x0000000000400000-0x0000000000446000-memory.dmp upx behavioral1/files/0x0014000000015c52-111.dat upx behavioral1/memory/1472-121-0x0000000000400000-0x0000000000446000-memory.dmp upx behavioral1/files/0x0006000000018ae8-119.dat upx behavioral1/files/0x0006000000018b15-128.dat upx 
behavioral1/memory/2360-130-0x0000000000400000-0x0000000000446000-memory.dmp upx behavioral1/memory/1760-139-0x0000000000400000-0x0000000000446000-memory.dmp upx behavioral1/files/0x0006000000018b33-137.dat upx behavioral1/memory/944-148-0x0000000000400000-0x0000000000446000-memory.dmp upx behavioral1/files/0x0006000000018b37-149.dat upx behavioral1/files/0x0006000000018b42-156.dat upx behavioral1/files/0x0006000000018b4a-166.dat upx behavioral1/files/0x0006000000018b6a-176.dat upx behavioral1/memory/636-175-0x0000000000400000-0x0000000000446000-memory.dmp upx behavioral1/memory/2564-184-0x0000000000400000-0x0000000000446000-memory.dmp upx behavioral1/files/0x0006000000018b73-185.dat upx behavioral1/files/0x0006000000018b96-193.dat upx behavioral1/memory/268-195-0x0000000000400000-0x0000000000446000-memory.dmp upx behavioral1/files/0x0006000000018ba2-203.dat upx behavioral1/memory/816-204-0x0000000000400000-0x0000000000446000-memory.dmp upx behavioral1/files/0x0006000000018d06-213.dat upx behavioral1/memory/3052-221-0x0000000000400000-0x0000000000446000-memory.dmp upx behavioral1/files/0x00050000000192c9-222.dat upx behavioral1/files/0x00050000000192f4-231.dat upx behavioral1/memory/1160-239-0x0000000000400000-0x0000000000446000-memory.dmp upx behavioral1/files/0x000500000001931b-241.dat upx behavioral1/memory/1312-250-0x0000000000400000-0x0000000000446000-memory.dmp upx behavioral1/files/0x0005000000019333-249.dat upx behavioral1/files/0x0005000000019368-258.dat upx behavioral1/files/0x0005000000019377-266.dat upx behavioral1/files/0x000500000001939b-274.dat upx behavioral1/files/0x00050000000193b0-282.dat upx behavioral1/files/0x0005000000019410-290.dat upx behavioral1/memory/2024-300-0x0000000000400000-0x0000000000446000-memory.dmp upx behavioral1/files/0x000500000001946b-299.dat upx behavioral1/memory/2024-308-0x0000000000400000-0x0000000000446000-memory.dmp upx behavioral1/memory/2264-315-0x0000000000400000-0x0000000000446000-memory.dmp upx 
behavioral1/memory/2116-329-0x0000000000400000-0x0000000000446000-memory.dmp upx behavioral1/memory/2584-336-0x0000000000400000-0x0000000000446000-memory.dmp upx behavioral1/memory/2764-355-0x0000000000400000-0x0000000000446000-memory.dmp upx -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Serverx = "C:\\Windows\\system32\\Serverx.exe" 6798c0237d21fdbe504b8ae4f7250450_NeikiAnalytics.exe -
Drops file in System32 directory 2 IoCs
description ioc Process File created C:\Windows\SysWOW64\Serverx.exe 6798c0237d21fdbe504b8ae4f7250450_NeikiAnalytics.exe File opened for modification C:\Windows\SysWOW64\Serverx.exe 6798c0237d21fdbe504b8ae4f7250450_NeikiAnalytics.exe (Note: the Run key above references C:\Windows\system32\Serverx.exe; for a 32-bit process on 64-bit Windows, writes to system32 are redirected to SysWOW64, so both entries most likely refer to the same dropped file.) -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2720 wrote to memory of 2888 2720 6798c0237d21fdbe504b8ae4f7250450_NeikiAnalytics.exe 28 PID 2720 wrote to memory of 2888 2720 6798c0237d21fdbe504b8ae4f7250450_NeikiAnalytics.exe 28 PID 2720 wrote to memory of 2888 2720 6798c0237d21fdbe504b8ae4f7250450_NeikiAnalytics.exe 28 PID 2720 wrote to memory of 2888 2720 6798c0237d21fdbe504b8ae4f7250450_NeikiAnalytics.exe 28 PID 2888 wrote to memory of 2940 2888 6798c0237d21fdbe504b8ae4f7250450_NeikiAnalytics.exe 29 PID 2888 wrote to memory of 2940 2888 6798c0237d21fdbe504b8ae4f7250450_NeikiAnalytics.exe 29 PID 2888 wrote to memory of 2940 2888 6798c0237d21fdbe504b8ae4f7250450_NeikiAnalytics.exe 29 PID 2888 wrote to memory of 2940 2888 6798c0237d21fdbe504b8ae4f7250450_NeikiAnalytics.exe 29 PID 2940 wrote to memory of 2584 2940 vhnbjlx.exe 30 PID 2940 wrote to memory of 2584 2940 vhnbjlx.exe 30 PID 2940 wrote to memory of 2584 2940 vhnbjlx.exe 30 PID 2940 wrote to memory of 2584 2940 vhnbjlx.exe 30 PID 2584 wrote to memory of 2688 2584 bjrxbnf.exe 31 PID 2584 wrote to memory of 2688 2584 bjrxbnf.exe 31 PID 2584 wrote to memory of 2688 2584 bjrxbnf.exe 31 PID 2584 wrote to memory of 2688 2584 bjrxbnf.exe 31 PID 2688 wrote to memory of 2408 2688 vjpblx.exe 32 PID 2688 wrote to memory of 2408 2688 vjpblx.exe 32 PID 2688 wrote to memory of 2408 2688 vjpblx.exe 32 PID 2688 wrote to memory of 2408 2688 vjpblx.exe 32 PID 2408 wrote to memory of 2396 2408 rnpdvf.exe 33 PID 2408 wrote to memory of 2396 2408 rnpdvf.exe 33 PID 2408 wrote to memory of 2396 2408 rnpdvf.exe 33 PID 2408 wrote to memory of 2396 2408 rnpdvf.exe 33 PID 2396 wrote to memory of 2372 2396 nbnnhhb.exe 34 PID 2396 wrote to memory of 2372 2396 nbnnhhb.exe 34 PID 2396 wrote to memory of 2372 2396 nbnnhhb.exe 34 PID 2396 wrote to memory of 2372 2396 nbnnhhb.exe 34 PID 2372 wrote to memory of 2448 2372 xrlhlf.exe 35 PID 2372 wrote to memory of 2448 2372 xrlhlf.exe 35 PID 2372 wrote to memory of 2448 2372 xrlhlf.exe 35 PID 2372 
wrote to memory of 2448 2372 xrlhlf.exe 35 PID 2448 wrote to memory of 2088 2448 npbjbrv.exe 36 PID 2448 wrote to memory of 2088 2448 npbjbrv.exe 36 PID 2448 wrote to memory of 2088 2448 npbjbrv.exe 36 PID 2448 wrote to memory of 2088 2448 npbjbrv.exe 36 PID 2088 wrote to memory of 1652 2088 pfhrpv.exe 37 PID 2088 wrote to memory of 1652 2088 pfhrpv.exe 37 PID 2088 wrote to memory of 1652 2088 pfhrpv.exe 37 PID 2088 wrote to memory of 1652 2088 pfhrpv.exe 37 PID 1652 wrote to memory of 764 1652 hrdtt.exe 38 PID 1652 wrote to memory of 764 1652 hrdtt.exe 38 PID 1652 wrote to memory of 764 1652 hrdtt.exe 38 PID 1652 wrote to memory of 764 1652 hrdtt.exe 38 PID 764 wrote to memory of 1472 764 ftfnb.exe 39 PID 764 wrote to memory of 1472 764 ftfnb.exe 39 PID 764 wrote to memory of 1472 764 ftfnb.exe 39 PID 764 wrote to memory of 1472 764 ftfnb.exe 39 PID 1472 wrote to memory of 2360 1472 vttjlh.exe 40 PID 1472 wrote to memory of 2360 1472 vttjlh.exe 40 PID 1472 wrote to memory of 2360 1472 vttjlh.exe 40 PID 1472 wrote to memory of 2360 1472 vttjlh.exe 40 PID 2360 wrote to memory of 1760 2360 pnhtpx.exe 41 PID 2360 wrote to memory of 1760 2360 pnhtpx.exe 41 PID 2360 wrote to memory of 1760 2360 pnhtpx.exe 41 PID 2360 wrote to memory of 1760 2360 pnhtpx.exe 41 PID 1760 wrote to memory of 944 1760 xnffrn.exe 42 PID 1760 wrote to memory of 944 1760 xnffrn.exe 42 PID 1760 wrote to memory of 944 1760 xnffrn.exe 42 PID 1760 wrote to memory of 944 1760 xnffrn.exe 42 PID 944 wrote to memory of 1824 944 fbhxd.exe 43 PID 944 wrote to memory of 1824 944 fbhxd.exe 43 PID 944 wrote to memory of 1824 944 fbhxd.exe 43 PID 944 wrote to memory of 1824 944 fbhxd.exe 43
Processes
-
C:\Windows\Explorer.EXE  (command line: C:\Windows\Explorer.EXE)  depth 1 ⤵  PID:1204
-
C:\Users\Admin\AppData\Local\Temp\6798c0237d21fdbe504b8ae4f7250450_NeikiAnalytics.exe  (command line: "C:\Users\Admin\AppData\Local\Temp\6798c0237d21fdbe504b8ae4f7250450_NeikiAnalytics.exe")  depth 2 ⤵
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2720 -
C:\Users\Admin\AppData\Local\Temp\6798c0237d21fdbe504b8ae4f7250450_NeikiAnalytics.exe  (command line: "C:\Users\Admin\AppData\Local\Temp\6798c0237d21fdbe504b8ae4f7250450_NeikiAnalytics.exe")  depth 3 ⤵
- Suspicious use of WriteProcessMemory
PID:2888 -
\??\c:\vhnbjlx.exe  (command line: c:\vhnbjlx.exe)  depth 4 ⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2940 -
\??\c:\bjrxbnf.exec:\bjrxbnf.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2584 -
\??\c:\vjpblx.exec:\vjpblx.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2688 -
\??\c:\rnpdvf.exec:\rnpdvf.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2408 -
\??\c:\nbnnhhb.exec:\nbnnhhb.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2396 -
\??\c:\xrlhlf.exec:\xrlhlf.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2372 -
\??\c:\npbjbrv.exec:\npbjbrv.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2448 -
\??\c:\pfhrpv.exec:\pfhrpv.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2088 -
\??\c:\hrdtt.exec:\hrdtt.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1652 -
\??\c:\ftfnb.exec:\ftfnb.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:764 -
\??\c:\vttjlh.exec:\vttjlh.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1472 -
\??\c:\pnhtpx.exec:\pnhtpx.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2360 -
\??\c:\xnffrn.exec:\xnffrn.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1760 -
\??\c:\fbhxd.exec:\fbhxd.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:944 -
\??\c:\jflxh.exec:\jflxh.exe18⤵
- Executes dropped EXE
PID:1824 -
\??\c:\xpldxrd.exec:\xpldxrd.exe19⤵
- Executes dropped EXE
PID:1340 -
\??\c:\lbxxfhd.exec:\lbxxfhd.exe20⤵
- Executes dropped EXE
PID:636 -
\??\c:\lrbhd.exec:\lrbhd.exe21⤵
- Executes dropped EXE
PID:2564 -
\??\c:\nxthbt.exec:\nxthbt.exe22⤵
- Executes dropped EXE
PID:268 -
\??\c:\npxbd.exec:\npxbd.exe23⤵
- Executes dropped EXE
PID:816 -
\??\c:\nhtjnr.exec:\nhtjnr.exe24⤵
- Executes dropped EXE
PID:600 -
\??\c:\fpfblvv.exec:\fpfblvv.exe25⤵
- Executes dropped EXE
PID:3052 -
\??\c:\pvlrplv.exec:\pvlrplv.exe26⤵
- Executes dropped EXE
PID:2028 -
\??\c:\bltlbfn.exec:\bltlbfn.exe27⤵
- Executes dropped EXE
PID:1160 -
\??\c:\vjjjbv.exec:\vjjjbv.exe28⤵
- Executes dropped EXE
PID:1312 -
\??\c:\jrbxx.exec:\jrbxx.exe29⤵
- Executes dropped EXE
PID:1144 -
\??\c:\bhjpdv.exec:\bhjpdv.exe30⤵
- Executes dropped EXE
PID:1032 -
\??\c:\rrbjfv.exec:\rrbjfv.exe31⤵
- Executes dropped EXE
PID:616 -
\??\c:\vvpnttj.exec:\vvpnttj.exe32⤵
- Executes dropped EXE
PID:2108 -
\??\c:\drpjfx.exec:\drpjfx.exe33⤵
- Executes dropped EXE
PID:1980 -
\??\c:\jntbpx.exec:\jntbpx.exe34⤵
- Executes dropped EXE
PID:2904 -
\??\c:\jbnnrd.exec:\jbnnrd.exe35⤵
- Executes dropped EXE
PID:2024 -
\??\c:\llvnxxj.exec:\llvnxxj.exe36⤵
- Executes dropped EXE
PID:2264 -
\??\c:\ndfvrtn.exec:\ndfvrtn.exe37⤵
- Executes dropped EXE
PID:1512 -
\??\c:\ldbrb.exec:\ldbrb.exe38⤵
- Executes dropped EXE
PID:2116 -
\??\c:\lnlflnv.exec:\lnlflnv.exe39⤵
- Executes dropped EXE
PID:2628 -
\??\c:\dnbnv.exec:\dnbnv.exe40⤵
- Executes dropped EXE
PID:2584 -
\??\c:\bjltrv.exec:\bjltrv.exe41⤵
- Executes dropped EXE
PID:2688 -
\??\c:\fpbtt.exec:\fpbtt.exe42⤵
- Executes dropped EXE
PID:2764 -
\??\c:\xjvvvht.exec:\xjvvvht.exe43⤵
- Executes dropped EXE
PID:2408 -
\??\c:\lthll.exec:\lthll.exe44⤵
- Executes dropped EXE
PID:2424 -
\??\c:\jphpp.exec:\jphpp.exe45⤵
- Executes dropped EXE
PID:2488 -
\??\c:\njplxt.exec:\njplxt.exe46⤵
- Executes dropped EXE
PID:2376 -
\??\c:\ndjpttt.exec:\ndjpttt.exe47⤵
- Executes dropped EXE
PID:2832 -
\??\c:\rrbrlff.exec:\rrbrlff.exe48⤵
- Executes dropped EXE
PID:1164 -
\??\c:\jrlfpph.exec:\jrlfpph.exe49⤵
- Executes dropped EXE
PID:1324 -
\??\c:\tjldjh.exec:\tjldjh.exe50⤵
- Executes dropped EXE
PID:1280 -
\??\c:\jdtjnjv.exec:\jdtjnjv.exe51⤵
- Executes dropped EXE
PID:908 -
\??\c:\vdjbbd.exec:\vdjbbd.exe52⤵
- Executes dropped EXE
PID:1544 -
\??\c:\jxxjjlp.exec:\jxxjjlp.exe53⤵
- Executes dropped EXE
PID:2656 -
\??\c:\fdlbtl.exec:\fdlbtl.exe54⤵
- Executes dropped EXE
PID:948 -
\??\c:\tvtrrv.exec:\tvtrrv.exe55⤵
- Executes dropped EXE
PID:2196 -
\??\c:\rtvhh.exec:\rtvhh.exe56⤵
- Executes dropped EXE
PID:940 -
\??\c:\vrxbdp.exec:\vrxbdp.exe57⤵
- Executes dropped EXE
PID:812 -
\??\c:\hphvblb.exec:\hphvblb.exe58⤵
- Executes dropped EXE
PID:1528 -
\??\c:\pnbthn.exec:\pnbthn.exe59⤵
- Executes dropped EXE
PID:840 -
\??\c:\bpvtv.exec:\bpvtv.exe60⤵
- Executes dropped EXE
PID:1568 -
\??\c:\rldfn.exec:\rldfn.exe61⤵
- Executes dropped EXE
PID:2716 -
\??\c:\bjhrhb.exec:\bjhrhb.exe62⤵
- Executes dropped EXE
PID:2412 -
\??\c:\jrfvnd.exec:\jrfvnd.exe63⤵
- Executes dropped EXE
PID:2564 -
\??\c:\hftll.exec:\hftll.exe64⤵
- Executes dropped EXE
PID:584 -
\??\c:\hdpdfj.exec:\hdpdfj.exe65⤵
- Executes dropped EXE
PID:2244 -
\??\c:\drfxdf.exec:\drfxdf.exe66⤵
- Executes dropped EXE
PID:1924 -
\??\c:\hjntvjt.exec:\hjntvjt.exe67⤵
- Executes dropped EXE
PID:2916 -
\??\c:\bpndljl.exec:\bpndljl.exe68⤵PID:2880
-
\??\c:\nllhhlp.exec:\nllhhlp.exe69⤵PID:2972
-
\??\c:\btrjhd.exec:\btrjhd.exe70⤵PID:1444
-
\??\c:\tbhrbv.exec:\tbhrbv.exe71⤵PID:1160
-
\??\c:\htbptj.exec:\htbptj.exe72⤵PID:2052
-
\??\c:\ptndttr.exec:\ptndttr.exe73⤵PID:960
-
\??\c:\xvnjjf.exec:\xvnjjf.exe74⤵PID:320
-
\??\c:\dblhx.exec:\dblhx.exe75⤵PID:1736
-
\??\c:\bxnbdfd.exec:\bxnbdfd.exe76⤵PID:2072
-
\??\c:\vlvjlj.exec:\vlvjlj.exe77⤵PID:2108
-
\??\c:\xtprtn.exec:\xtprtn.exe78⤵PID:2204
-
\??\c:\tlbhjhb.exec:\tlbhjhb.exe79⤵PID:2112
-
\??\c:\ptfxpr.exec:\ptfxpr.exe80⤵PID:2060
-
\??\c:\bvlvjj.exec:\bvlvjj.exe81⤵PID:2956
-
\??\c:\bxbbxjb.exec:\bxbbxjb.exe82⤵PID:1524
-
\??\c:\vvxxp.exec:\vvxxp.exe83⤵PID:2940
-
\??\c:\jxxtlt.exec:\jxxtlt.exe84⤵PID:2504
-
\??\c:\pnntxh.exec:\pnntxh.exe85⤵PID:2508
-
\??\c:\drtdfn.exec:\drtdfn.exe86⤵PID:2700
-
\??\c:\rjvvdx.exec:\rjvvdx.exe87⤵PID:2680
-
\??\c:\pxpnfrd.exec:\pxpnfrd.exe88⤵PID:2512
-
\??\c:\rttbv.exec:\rttbv.exe89⤵PID:2404
-
\??\c:\xtjnxfp.exec:\xtjnxfp.exe90⤵PID:1908
-
\??\c:\lfndldp.exec:\lfndldp.exe91⤵PID:3068
-
\??\c:\htfhpdh.exec:\htfhpdh.exe92⤵PID:2820
-
\??\c:\bfrpl.exec:\bfrpl.exe93⤵PID:2152
-
\??\c:\rbjxv.exec:\rbjxv.exe94⤵PID:2832
-
\??\c:\lrxlrjx.exec:\lrxlrjx.exe95⤵PID:1660
-
\??\c:\fjnxbl.exec:\fjnxbl.exe96⤵PID:1324
-
\??\c:\vblnpv.exec:\vblnpv.exe97⤵PID:1280
-
\??\c:\bfffr.exec:\bfffr.exe98⤵PID:908
-
\??\c:\hlhnrr.exec:\hlhnrr.exe99⤵PID:1544
-
\??\c:\fphdf.exec:\fphdf.exe100⤵PID:2656
-
\??\c:\jrfhp.exec:\jrfhp.exe101⤵PID:288
-
\??\c:\fxphphd.exec:\fxphphd.exe102⤵PID:1800
-
\??\c:\thfpprh.exec:\thfpprh.exe103⤵PID:956
-
\??\c:\frrptf.exec:\frrptf.exe104⤵PID:2336
-
\??\c:\fndlp.exec:\fndlp.exe105⤵PID:1300
-
\??\c:\lxjtd.exec:\lxjtd.exe106⤵PID:1872
-
\??\c:\thpvbpn.exec:\thpvbpn.exe107⤵PID:1568
-
\??\c:\hjxhpxj.exec:\hjxhpxj.exe108⤵PID:2216
-
\??\c:\lxfvtdr.exec:\lxfvtdr.exe109⤵PID:552
-
\??\c:\bnnjn.exec:\bnnjn.exe110⤵PID:2780
-
\??\c:\pbjxvdp.exec:\pbjxvdp.exe111⤵PID:1964
-
\??\c:\vbnff.exec:\vbnff.exe112⤵PID:1924
-
\??\c:\nbvrrpn.exec:\nbvrrpn.exe113⤵PID:2916
-
\??\c:\ltdfpt.exec:\ltdfpt.exe114⤵PID:2028
-
\??\c:\rvbhp.exec:\rvbhp.exe115⤵PID:1532
-
\??\c:\xpjhxhh.exec:\xpjhxhh.exe116⤵PID:2768
-
\??\c:\fbnxvtf.exec:\fbnxvtf.exe117⤵PID:1160
-
\??\c:\bdpptjt.exec:\bdpptjt.exe118⤵PID:1028
-
\??\c:\jhddr.exec:\jhddr.exe119⤵PID:960
-
\??\c:\fhfpvt.exec:\fhfpvt.exe120⤵PID:2224
-
\??\c:\ddbbr.exec:\ddbbr.exe121⤵PID:1464
-
\??\c:\hdpvfrr.exec:\hdpvfrr.exe122⤵PID:1956