Analysis
-
max time kernel
150s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240508-en locale:en-us os:windows10-2004-x64 system -
submitted
18/05/2024, 01:25
Behavioral task
behavioral1
Sample
6a58833123f7831e8ed5c7cccecaca40_NeikiAnalytics.exe
Resource
win7-20240419-en
5 signatures
150 seconds
General
-
Target
6a58833123f7831e8ed5c7cccecaca40_NeikiAnalytics.exe
-
Size
363KB
-
MD5
6a58833123f7831e8ed5c7cccecaca40
-
SHA1
414dc1c5eedabd5bf1a48df79ca4fffc1f93f8d3
-
SHA256
6a074ff0d9ef136ecf4db7cffb2a49d77f633d376f2e470bdaae6986b334c306
-
SHA512
fe949deb08d8383d73660e0f753367eccae889cdcf51d8476290355e7ef5d132f75b688afd5de16280c74b3dd411833e610bde42e9d122649e49c98b107843e2
-
SSDEEP
6144:9cm4FmowdHoSdSyEAxyx/ZrTTr4qIMgE8T:/4wFHoSQuxy3rTXIM18T
Malware Config
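Signatures
(The resource paths below carry the behavioral2 prefix, so they appear to belong to the windows10-2004_x64 task described in the header, not to the behavioral1 / win7-20240419-en task listed above.)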
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/1412-4-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1468-11-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2968-12-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4688-26-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4348-23-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4800-34-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/836-40-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3256-42-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3256-48-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4952-52-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/676-63-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3756-74-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1944-81-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2072-88-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1180-95-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4048-104-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3212-111-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2324-106-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2600-117-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3316-127-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1476-132-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/2180-138-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2904-167-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1744-178-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/680-185-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5056-196-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3260-198-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5016-201-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3668-211-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1236-219-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4504-223-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4328-227-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4936-236-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1536-244-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4084-251-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2968-255-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/512-265-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4908-266-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3732-279-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3552-283-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3700-287-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4224-293-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/4816-307-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1464-314-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1612-321-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2168-325-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/724-357-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1188-359-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4436-402-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3160-431-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3396-489-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3544-529-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/212-578-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1108-582-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4192-593-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4328-599-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1668-625-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4540-668-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2904-713-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3184-720-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5056-742-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1684-746-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4768-930-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/4896-958-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon -
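Executes dropped EXE 64 IoCs
(PIDs are reused during this run: 2968 is listed for both vvppd.exe and jjvpv.exe, and 4348 for both xrfxlfl.exe and 3tthhh.exe. Correlate on PID together with process name, not on PID alone.)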
pid Process 1468 flfxrrr.exe 2968 vvppd.exe 4348 xrfxlfl.exe 4688 7xfxrrf.exe 4800 7flfxxx.exe 836 9pvjd.exe 3256 nnhhbb.exe 4952 5rrllfx.exe 1016 9jpdv.exe 676 5nhbnb.exe 4956 pvjdv.exe 3756 vdvpj.exe 1944 lrlxfxl.exe 4652 pjjdv.exe 2072 frfrlrl.exe 1180 dpvpd.exe 2324 vjddv.exe 4048 hnnttn.exe 3212 dvvvj.exe 2600 dppdv.exe 3316 1ffxxrf.exe 1476 5vjdv.exe 2180 rffxrrl.exe 3012 dvvjd.exe 908 vdjjj.exe 4868 httnhh.exe 1528 jjpjj.exe 2152 bhnhhh.exe 2904 7pddp.exe 2488 7llfflr.exe 1744 7httnn.exe 3156 1jpjd.exe 680 jjjdd.exe 1920 fxfxfxf.exe 5056 1dddj.exe 3260 7xffrxl.exe 5016 fxxrlxr.exe 876 hbbbbt.exe 3668 rxfllxl.exe 728 nnnbth.exe 1336 vdjvp.exe 1236 rflffxr.exe 4504 rfxxrlf.exe 4328 1thbtt.exe 4824 jdjdv.exe 4260 3llfffr.exe 4936 1rffxrl.exe 3160 hhbtnb.exe 1536 jvvjj.exe 4084 tnhbtt.exe 2968 jjvpv.exe 3464 fflfxxr.exe 4348 3tthhh.exe 512 jdvpj.exe 4908 fllrlfx.exe 3684 lxlffrl.exe 688 hhbttt.exe 3732 djpjj.exe 3552 rrlfxfx.exe 3700 hbhbbb.exe 4508 jjddv.exe 4224 1jjdv.exe 4104 frxrllf.exe 1608 tntntb.exe -
resource yara_rule behavioral2/memory/1412-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000500000002326f-3.dat upx behavioral2/memory/1412-4-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000233d4-8.dat upx behavioral2/memory/1468-11-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2968-12-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000233d5-13.dat upx behavioral2/memory/4348-17-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000233d6-21.dat upx behavioral2/memory/4688-26-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4348-23-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000233d7-29.dat upx behavioral2/files/0x00070000000233d8-33.dat upx behavioral2/memory/4800-34-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000233d9-38.dat upx behavioral2/memory/836-40-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3256-42-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000233da-45.dat upx behavioral2/memory/3256-48-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4952-52-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000233db-51.dat upx behavioral2/files/0x00070000000233dc-56.dat upx behavioral2/files/0x00070000000233dd-61.dat upx behavioral2/memory/676-63-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000233de-67.dat upx behavioral2/files/0x00070000000233df-72.dat upx behavioral2/memory/3756-74-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00080000000233d1-78.dat upx behavioral2/memory/1944-81-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000233e0-86.dat upx 
behavioral2/memory/2072-88-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000233e2-91.dat upx behavioral2/files/0x00070000000233e3-96.dat upx behavioral2/memory/1180-95-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000233e4-102.dat upx behavioral2/memory/4048-104-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000233e5-109.dat upx behavioral2/memory/3212-111-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2324-106-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000233e6-114.dat upx behavioral2/memory/2600-117-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000233e7-122.dat upx behavioral2/files/0x00070000000233e8-125.dat upx behavioral2/memory/3316-127-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1476-132-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000233e9-133.dat upx behavioral2/files/0x00070000000233ea-139.dat upx behavioral2/memory/2180-138-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000233eb-143.dat upx behavioral2/files/0x00070000000233ec-148.dat upx behavioral2/files/0x00070000000233ed-153.dat upx behavioral2/files/0x00070000000233ee-158.dat upx behavioral2/files/0x00070000000233ef-163.dat upx behavioral2/memory/2904-167-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000233f0-169.dat upx behavioral2/files/0x00070000000233f1-174.dat upx behavioral2/files/0x00070000000233f2-180.dat upx behavioral2/memory/1744-178-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/680-185-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/5056-196-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3260-198-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/memory/5016-201-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3668-211-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1236-219-0x0000000000400000-0x0000000000427000-memory.dmp upx -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1412 wrote to memory of 1468 1412 6a58833123f7831e8ed5c7cccecaca40_NeikiAnalytics.exe 81 PID 1412 wrote to memory of 1468 1412 6a58833123f7831e8ed5c7cccecaca40_NeikiAnalytics.exe 81 PID 1412 wrote to memory of 1468 1412 6a58833123f7831e8ed5c7cccecaca40_NeikiAnalytics.exe 81 PID 1468 wrote to memory of 2968 1468 flfxrrr.exe 82 PID 1468 wrote to memory of 2968 1468 flfxrrr.exe 82 PID 1468 wrote to memory of 2968 1468 flfxrrr.exe 82 PID 2968 wrote to memory of 4348 2968 vvppd.exe 83 PID 2968 wrote to memory of 4348 2968 vvppd.exe 83 PID 2968 wrote to memory of 4348 2968 vvppd.exe 83 PID 4348 wrote to memory of 4688 4348 xrfxlfl.exe 84 PID 4348 wrote to memory of 4688 4348 xrfxlfl.exe 84 PID 4348 wrote to memory of 4688 4348 xrfxlfl.exe 84 PID 4688 wrote to memory of 4800 4688 7xfxrrf.exe 85 PID 4688 wrote to memory of 4800 4688 7xfxrrf.exe 85 PID 4688 wrote to memory of 4800 4688 7xfxrrf.exe 85 PID 4800 wrote to memory of 836 4800 7flfxxx.exe 86 PID 4800 wrote to memory of 836 4800 7flfxxx.exe 86 PID 4800 wrote to memory of 836 4800 7flfxxx.exe 86 PID 836 wrote to memory of 3256 836 9pvjd.exe 87 PID 836 wrote to memory of 3256 836 9pvjd.exe 87 PID 836 wrote to memory of 3256 836 9pvjd.exe 87 PID 3256 wrote to memory of 4952 3256 nnhhbb.exe 88 PID 3256 wrote to memory of 4952 3256 nnhhbb.exe 88 PID 3256 wrote to memory of 4952 3256 nnhhbb.exe 88 PID 4952 wrote to memory of 1016 4952 5rrllfx.exe 89 PID 4952 wrote to memory of 1016 4952 5rrllfx.exe 89 PID 4952 wrote to memory of 1016 4952 5rrllfx.exe 89 PID 1016 wrote to memory of 676 1016 9jpdv.exe 90 PID 1016 wrote to memory of 676 1016 9jpdv.exe 90 PID 1016 wrote to memory of 676 1016 9jpdv.exe 90 PID 676 wrote to memory of 4956 676 5nhbnb.exe 91 PID 676 wrote to memory of 4956 676 5nhbnb.exe 91 PID 676 wrote to memory of 4956 676 5nhbnb.exe 91 PID 4956 wrote to memory of 3756 4956 pvjdv.exe 92 PID 4956 wrote to memory of 3756 4956 pvjdv.exe 92 PID 4956 wrote to memory of 3756 
4956 pvjdv.exe 92 PID 3756 wrote to memory of 1944 3756 vdvpj.exe 93 PID 3756 wrote to memory of 1944 3756 vdvpj.exe 93 PID 3756 wrote to memory of 1944 3756 vdvpj.exe 93 PID 1944 wrote to memory of 4652 1944 lrlxfxl.exe 94 PID 1944 wrote to memory of 4652 1944 lrlxfxl.exe 94 PID 1944 wrote to memory of 4652 1944 lrlxfxl.exe 94 PID 4652 wrote to memory of 2072 4652 pjjdv.exe 95 PID 4652 wrote to memory of 2072 4652 pjjdv.exe 95 PID 4652 wrote to memory of 2072 4652 pjjdv.exe 95 PID 2072 wrote to memory of 1180 2072 frfrlrl.exe 96 PID 2072 wrote to memory of 1180 2072 frfrlrl.exe 96 PID 2072 wrote to memory of 1180 2072 frfrlrl.exe 96 PID 1180 wrote to memory of 2324 1180 dpvpd.exe 97 PID 1180 wrote to memory of 2324 1180 dpvpd.exe 97 PID 1180 wrote to memory of 2324 1180 dpvpd.exe 97 PID 2324 wrote to memory of 4048 2324 vjddv.exe 98 PID 2324 wrote to memory of 4048 2324 vjddv.exe 98 PID 2324 wrote to memory of 4048 2324 vjddv.exe 98 PID 4048 wrote to memory of 3212 4048 hnnttn.exe 99 PID 4048 wrote to memory of 3212 4048 hnnttn.exe 99 PID 4048 wrote to memory of 3212 4048 hnnttn.exe 99 PID 3212 wrote to memory of 2600 3212 dvvvj.exe 100 PID 3212 wrote to memory of 2600 3212 dvvvj.exe 100 PID 3212 wrote to memory of 2600 3212 dvvvj.exe 100 PID 2600 wrote to memory of 3316 2600 dppdv.exe 101 PID 2600 wrote to memory of 3316 2600 dppdv.exe 101 PID 2600 wrote to memory of 3316 2600 dppdv.exe 101 PID 3316 wrote to memory of 1476 3316 1ffxxrf.exe 102
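Processes
(Each entry gives the image path followed directly by the command line, then the depth in the process tree (N⤵), the signatures matched, and the PID. The dropped file names look randomly generated, so they may not be stable across runs; the sample hashes above and the behaviour shown here, a chain of executables written to c:\ with each one starting the next, are likely the more durable indicators.)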
-
C:\Users\Admin\AppData\Local\Temp\6a58833123f7831e8ed5c7cccecaca40_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\6a58833123f7831e8ed5c7cccecaca40_NeikiAnalytics.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1412 -
\??\c:\flfxrrr.exec:\flfxrrr.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1468 -
\??\c:\vvppd.exec:\vvppd.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2968 -
\??\c:\xrfxlfl.exec:\xrfxlfl.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4348 -
\??\c:\7xfxrrf.exec:\7xfxrrf.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4688 -
\??\c:\7flfxxx.exec:\7flfxxx.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4800 -
\??\c:\9pvjd.exec:\9pvjd.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:836 -
\??\c:\nnhhbb.exec:\nnhhbb.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3256 -
\??\c:\5rrllfx.exec:\5rrllfx.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4952 -
\??\c:\9jpdv.exec:\9jpdv.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1016 -
\??\c:\5nhbnb.exec:\5nhbnb.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:676 -
\??\c:\pvjdv.exec:\pvjdv.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4956 -
\??\c:\vdvpj.exec:\vdvpj.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3756 -
\??\c:\lrlxfxl.exec:\lrlxfxl.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1944 -
\??\c:\pjjdv.exec:\pjjdv.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4652 -
\??\c:\frfrlrl.exec:\frfrlrl.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2072 -
\??\c:\dpvpd.exec:\dpvpd.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1180 -
\??\c:\vjddv.exec:\vjddv.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2324 -
\??\c:\hnnttn.exec:\hnnttn.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4048 -
\??\c:\dvvvj.exec:\dvvvj.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3212 -
\??\c:\dppdv.exec:\dppdv.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2600 -
\??\c:\1ffxxrf.exec:\1ffxxrf.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3316 -
\??\c:\5vjdv.exec:\5vjdv.exe23⤵
- Executes dropped EXE
PID:1476 -
\??\c:\rffxrrl.exec:\rffxrrl.exe24⤵
- Executes dropped EXE
PID:2180 -
\??\c:\dvvjd.exec:\dvvjd.exe25⤵
- Executes dropped EXE
PID:3012 -
\??\c:\vdjjj.exec:\vdjjj.exe26⤵
- Executes dropped EXE
PID:908 -
\??\c:\httnhh.exec:\httnhh.exe27⤵
- Executes dropped EXE
PID:4868 -
\??\c:\jjpjj.exec:\jjpjj.exe28⤵
- Executes dropped EXE
PID:1528 -
\??\c:\bhnhhh.exec:\bhnhhh.exe29⤵
- Executes dropped EXE
PID:2152 -
\??\c:\7pddp.exec:\7pddp.exe30⤵
- Executes dropped EXE
PID:2904 -
\??\c:\7llfflr.exec:\7llfflr.exe31⤵
- Executes dropped EXE
PID:2488 -
\??\c:\7httnn.exec:\7httnn.exe32⤵
- Executes dropped EXE
PID:1744 -
\??\c:\1jpjd.exec:\1jpjd.exe33⤵
- Executes dropped EXE
PID:3156 -
\??\c:\jjjdd.exec:\jjjdd.exe34⤵
- Executes dropped EXE
PID:680 -
\??\c:\fxfxfxf.exec:\fxfxfxf.exe35⤵
- Executes dropped EXE
PID:1920 -
\??\c:\1dddj.exec:\1dddj.exe36⤵
- Executes dropped EXE
PID:5056 -
\??\c:\7xffrxl.exec:\7xffrxl.exe37⤵
- Executes dropped EXE
PID:3260 -
\??\c:\fxxrlxr.exec:\fxxrlxr.exe38⤵
- Executes dropped EXE
PID:5016 -
\??\c:\hbbbbt.exec:\hbbbbt.exe39⤵
- Executes dropped EXE
PID:876 -
\??\c:\rxfllxl.exec:\rxfllxl.exe40⤵
- Executes dropped EXE
PID:3668 -
\??\c:\nnnbth.exec:\nnnbth.exe41⤵
- Executes dropped EXE
PID:728 -
\??\c:\vdjvp.exec:\vdjvp.exe42⤵
- Executes dropped EXE
PID:1336 -
\??\c:\rflffxr.exec:\rflffxr.exe43⤵
- Executes dropped EXE
PID:1236 -
\??\c:\rfxxrlf.exec:\rfxxrlf.exe44⤵
- Executes dropped EXE
PID:4504 -
\??\c:\1thbtt.exec:\1thbtt.exe45⤵
- Executes dropped EXE
PID:4328 -
\??\c:\jdjdv.exec:\jdjdv.exe46⤵
- Executes dropped EXE
PID:4824 -
\??\c:\3llfffr.exec:\3llfffr.exe47⤵
- Executes dropped EXE
PID:4260 -
\??\c:\1rffxrl.exec:\1rffxrl.exe48⤵
- Executes dropped EXE
PID:4936 -
\??\c:\hhbtnb.exec:\hhbtnb.exe49⤵
- Executes dropped EXE
PID:3160 -
\??\c:\jvvjj.exec:\jvvjj.exe50⤵
- Executes dropped EXE
PID:1536 -
\??\c:\rlfxrlf.exec:\rlfxrlf.exe51⤵PID:3308
-
\??\c:\tnhbtt.exec:\tnhbtt.exe52⤵
- Executes dropped EXE
PID:4084 -
\??\c:\jjvpv.exec:\jjvpv.exe53⤵
- Executes dropped EXE
PID:2968 -
\??\c:\fflfxxr.exec:\fflfxxr.exe54⤵
- Executes dropped EXE
PID:3464 -
\??\c:\3tthhh.exec:\3tthhh.exe55⤵
- Executes dropped EXE
PID:4348 -
\??\c:\jdvpj.exec:\jdvpj.exe56⤵
- Executes dropped EXE
PID:512 -
\??\c:\fllrlfx.exec:\fllrlfx.exe57⤵
- Executes dropped EXE
PID:4908 -
\??\c:\lxlffrl.exec:\lxlffrl.exe58⤵
- Executes dropped EXE
PID:3684 -
\??\c:\hhbttt.exec:\hhbttt.exe59⤵
- Executes dropped EXE
PID:688 -
\??\c:\djpjj.exec:\djpjj.exe60⤵
- Executes dropped EXE
PID:3732 -
\??\c:\rrlfxfx.exec:\rrlfxfx.exe61⤵
- Executes dropped EXE
PID:3552 -
\??\c:\hbhbbb.exec:\hbhbbb.exe62⤵
- Executes dropped EXE
PID:3700 -
\??\c:\jjddv.exec:\jjddv.exe63⤵
- Executes dropped EXE
PID:4508 -
\??\c:\1jjdv.exec:\1jjdv.exe64⤵
- Executes dropped EXE
PID:4224 -
\??\c:\frxrllf.exec:\frxrllf.exe65⤵
- Executes dropped EXE
PID:4104 -
\??\c:\tntntb.exec:\tntntb.exe66⤵
- Executes dropped EXE
PID:1608 -
\??\c:\pdjdv.exec:\pdjdv.exe67⤵PID:1952
-
\??\c:\lxlfxxf.exec:\lxlfxxf.exe68⤵PID:4816
-
\??\c:\bnnhhb.exec:\bnnhhb.exe69⤵PID:1996
-
\??\c:\pdjvp.exec:\pdjvp.exe70⤵PID:1464
-
\??\c:\fflfxrf.exec:\fflfxrf.exe71⤵PID:3916
-
\??\c:\vddvp.exec:\vddvp.exe72⤵PID:1612
-
\??\c:\xxlfxxr.exec:\xxlfxxr.exe73⤵PID:2168
-
\??\c:\nhbtnn.exec:\nhbtnn.exe74⤵PID:2324
-
\??\c:\dpppj.exec:\dpppj.exe75⤵PID:1592
-
\??\c:\vvdvp.exec:\vvdvp.exe76⤵PID:4544
-
\??\c:\9fxrllf.exec:\9fxrllf.exe77⤵PID:4632
-
\??\c:\hbhhhh.exec:\hbhhhh.exe78⤵PID:1140
-
\??\c:\hnbnbn.exec:\hnbnbn.exe79⤵PID:2704
-
\??\c:\5vdpj.exec:\5vdpj.exe80⤵PID:2080
-
\??\c:\vpvpj.exec:\vpvpj.exe81⤵PID:3536
-
\??\c:\lxfxxxx.exec:\lxfxxxx.exe82⤵PID:4520
-
\??\c:\hnhhbb.exec:\hnhhbb.exe83⤵PID:724
-
\??\c:\tthttt.exec:\tthttt.exe84⤵PID:1188
-
\??\c:\pjdvj.exec:\pjdvj.exe85⤵PID:1656
-
\??\c:\lrlxxlf.exec:\lrlxxlf.exe86⤵PID:1824
-
\??\c:\9hnhhh.exec:\9hnhhh.exe87⤵PID:3000
-
\??\c:\pvjdv.exec:\pvjdv.exe88⤵PID:4584
-
\??\c:\rxxfflx.exec:\rxxfflx.exe89⤵PID:3156
-
\??\c:\bthbtt.exec:\bthbtt.exe90⤵PID:1080
-
\??\c:\bnnhbt.exec:\bnnhbt.exe91⤵PID:1920
-
\??\c:\jpjpj.exec:\jpjpj.exe92⤵PID:5056
-
\??\c:\rlfllfr.exec:\rlfllfr.exe93⤵PID:208
-
\??\c:\hbnbhh.exec:\hbnbhh.exe94⤵PID:1588
-
\??\c:\vpdpp.exec:\vpdpp.exe95⤵PID:212
-
\??\c:\lxfxrlf.exec:\lxfxrlf.exe96⤵PID:1108
-
\??\c:\7nnhhh.exec:\7nnhhh.exe97⤵PID:4436
-
\??\c:\pvddd.exec:\pvddd.exe98⤵PID:1660
-
\??\c:\1lfxffl.exec:\1lfxffl.exe99⤵PID:2480
-
\??\c:\xxllrff.exec:\xxllrff.exe100⤵PID:672
-
\??\c:\3nntbh.exec:\3nntbh.exe101⤵PID:3300
-
\??\c:\vvvvp.exec:\vvvvp.exe102⤵PID:4328
-
\??\c:\1rlrrxf.exec:\1rlrrxf.exe103⤵PID:4824
-
\??\c:\nnhhnn.exec:\nnhhnn.exe104⤵PID:2188
-
\??\c:\pdpjv.exec:\pdpjv.exe105⤵PID:4360
-
\??\c:\xrxlxff.exec:\xrxlxff.exe106⤵PID:3160
-
\??\c:\bhbbtt.exec:\bhbbtt.exe107⤵PID:3672
-
\??\c:\3vdvj.exec:\3vdvj.exe108⤵PID:3308
-
\??\c:\rlfxlff.exec:\rlfxlff.exe109⤵PID:3912
-
\??\c:\rrlflll.exec:\rrlflll.exe110⤵PID:1252
-
\??\c:\bnbnnh.exec:\bnbnnh.exe111⤵PID:2384
-
\??\c:\jjjdv.exec:\jjjdv.exe112⤵PID:4348
-
\??\c:\fxfxxxf.exec:\fxfxxxf.exe113⤵PID:1652
-
\??\c:\flxxrrx.exec:\flxxrrx.exe114⤵PID:5008
-
\??\c:\ttbtnn.exec:\ttbtnn.exe115⤵PID:1028
-
\??\c:\jvvpp.exec:\jvvpp.exe116⤵PID:380
-
\??\c:\jjppj.exec:\jjppj.exe117⤵PID:836
-
\??\c:\ffrlrrx.exec:\ffrlrrx.exe118⤵PID:2536
-
\??\c:\hntttn.exec:\hntttn.exe119⤵PID:4116
-
\??\c:\vvvdd.exec:\vvvdd.exe120⤵PID:448
-
\??\c:\3vdvp.exec:\3vdvp.exe121⤵PID:4040
-
\??\c:\rxrrfff.exec:\rxrrfff.exe122⤵PID:4224
-