Analysis
-
max time kernel
150s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240508-en locale:en-us os:windows10-2004-x64 system -
submitted
18-05-2024 03:39
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
84466ac43b4575dde674e9aaf216ad00_NeikiAnalytics.exe
Resource
win7-20240221-en
windows7-x64
5 signatures
150 seconds
General
-
Target
84466ac43b4575dde674e9aaf216ad00_NeikiAnalytics.exe
-
Size
122KB
-
MD5
84466ac43b4575dde674e9aaf216ad00
-
SHA1
eb64efa57ca3e30fbc6f984379a39db32f4a142b
-
SHA256
ecc6f2a9b8dff8cb0ac127ae33dac08ec3e56e8ab28018fd4c27b32e5708ca85
-
SHA512
f95a708c15fa1eb80eb919482fbcc2d6bea7dc737fb900c9b771b435738fde869e8cd3d04d97c72595983f1f3ab38fea016652fd411ee83f5c433507effe9f9e
-
SSDEEP
3072:ymb3NkkiQ3mdBjFWXkj7afoHvmQ+EZMYX90Ifcmp:n3C9BRW0j/uVEZFmIk+
Malware Config
Signatures
-
Detect Blackmoon payload 22 IoCs
Processes:
-
Executes dropped EXE 64 IoCs
Processes:
-
Processes:
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
Processes
-
C:\Users\Admin\AppData\Local\Temp\84466ac43b4575dde674e9aaf216ad00_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\84466ac43b4575dde674e9aaf216ad00_NeikiAnalytics.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2356 -
\??\c:\jpvpd.exec:\jpvpd.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4120 -
\??\c:\llrlxrl.exec:\llrlxrl.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3976 -
\??\c:\nnhhhb.exec:\nnhhhb.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1204 -
\??\c:\nhbthh.exec:\nhbthh.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1520 -
\??\c:\vppjp.exec:\vppjp.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4672 -
\??\c:\9vdvj.exec:\9vdvj.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4144 -
\??\c:\1tthtn.exec:\1tthtn.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3984 -
\??\c:\jppjv.exec:\jppjv.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5004 -
\??\c:\xxxlxxf.exec:\xxxlxxf.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2148 -
\??\c:\3ttntt.exec:\3ttntt.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3168 -
\??\c:\vppvp.exec:\vppvp.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2008 -
\??\c:\jdjdd.exec:\jdjdd.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:856 -
\??\c:\3fxrxrl.exec:\3fxrxrl.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3680 -
\??\c:\hbnbnn.exec:\hbnbnn.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2136 -
\??\c:\dppjv.exec:\dppjv.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2576 -
\??\c:\fxrxrxr.exec:\fxrxrxr.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2192 -
\??\c:\hhtnnn.exec:\hhtnnn.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4508 -
\??\c:\ppdvj.exec:\ppdvj.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:552 -
\??\c:\3vvjj.exec:\3vvjj.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1908 -
\??\c:\9xxxrrl.exec:\9xxxrrl.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4688 -
\??\c:\nnbbnn.exec:\nnbbnn.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3664 -
\??\c:\dppjv.exec:\dppjv.exe23⤵
- Executes dropped EXE
PID:4372 -
\??\c:\rlrrfxr.exec:\rlrrfxr.exe24⤵
- Executes dropped EXE
PID:3916 -
\??\c:\hbnhbb.exec:\hbnhbb.exe25⤵
- Executes dropped EXE
PID:1976 -
\??\c:\vvdvd.exec:\vvdvd.exe26⤵
- Executes dropped EXE
PID:1404 -
\??\c:\9rlfffr.exec:\9rlfffr.exe27⤵
- Executes dropped EXE
PID:2824 -
\??\c:\nnhhhh.exec:\nnhhhh.exe28⤵
- Executes dropped EXE
PID:3280 -
\??\c:\tthbnh.exec:\tthbnh.exe29⤵
- Executes dropped EXE
PID:4692 -
\??\c:\ffffrrl.exec:\ffffrrl.exe30⤵
- Executes dropped EXE
PID:1588 -
\??\c:\rffxlfx.exec:\rffxlfx.exe31⤵
- Executes dropped EXE
PID:3076 -
\??\c:\vpvvv.exec:\vpvvv.exe32⤵
- Executes dropped EXE
PID:3756 -
\??\c:\pjddv.exec:\pjddv.exe33⤵
- Executes dropped EXE
PID:4920 -
\??\c:\rxrlxrf.exec:\rxrlxrf.exe34⤵
- Executes dropped EXE
PID:1200 -
\??\c:\3bnhhb.exec:\3bnhhb.exe35⤵
- Executes dropped EXE
PID:4784 -
\??\c:\dvppd.exec:\dvppd.exe36⤵
- Executes dropped EXE
PID:2500 -
\??\c:\pddvd.exec:\pddvd.exe37⤵
- Executes dropped EXE
PID:4968 -
\??\c:\5lrfrlf.exec:\5lrfrlf.exe38⤵
- Executes dropped EXE
PID:4312 -
\??\c:\3bbthh.exec:\3bbthh.exe39⤵
- Executes dropped EXE
PID:4384 -
\??\c:\hbhbnh.exec:\hbhbnh.exe40⤵
- Executes dropped EXE
PID:2356 -
\??\c:\dpdjv.exec:\dpdjv.exe41⤵
- Executes dropped EXE
PID:348 -
\??\c:\1lfxllf.exec:\1lfxllf.exe42⤵
- Executes dropped EXE
PID:944 -
\??\c:\lxrfxrl.exec:\lxrfxrl.exe43⤵
- Executes dropped EXE
PID:732 -
\??\c:\hnhhbt.exec:\hnhhbt.exe44⤵
- Executes dropped EXE
PID:1000 -
\??\c:\3tttnn.exec:\3tttnn.exe45⤵
- Executes dropped EXE
PID:4048 -
\??\c:\dpvjp.exec:\dpvjp.exe46⤵
- Executes dropped EXE
PID:1368 -
\??\c:\lrlfllx.exec:\lrlfllx.exe47⤵
- Executes dropped EXE
PID:1420 -
\??\c:\lffxrll.exec:\lffxrll.exe48⤵
- Executes dropped EXE
PID:1984 -
\??\c:\nbhtnh.exec:\nbhtnh.exe49⤵
- Executes dropped EXE
PID:4624 -
\??\c:\1dddj.exec:\1dddj.exe50⤵
- Executes dropped EXE
PID:1068 -
\??\c:\frxlrxx.exec:\frxlrxx.exe51⤵
- Executes dropped EXE
PID:4832 -
\??\c:\1fffrrl.exec:\1fffrrl.exe52⤵
- Executes dropped EXE
PID:3624 -
\??\c:\1tttnh.exec:\1tttnh.exe53⤵
- Executes dropped EXE
PID:2544 -
\??\c:\vjjdv.exec:\vjjdv.exe54⤵
- Executes dropped EXE
PID:4132 -
\??\c:\jjvvd.exec:\jjvvd.exe55⤵
- Executes dropped EXE
PID:2764 -
\??\c:\rllfrrl.exec:\rllfrrl.exe56⤵
- Executes dropped EXE
PID:1616 -
\??\c:\lrffxrr.exec:\lrffxrr.exe57⤵
- Executes dropped EXE
PID:4436 -
\??\c:\nhhbth.exec:\nhhbth.exe58⤵
- Executes dropped EXE
PID:3396 -
\??\c:\pdjjj.exec:\pdjjj.exe59⤵
- Executes dropped EXE
PID:1916 -
\??\c:\rrrlllf.exec:\rrrlllf.exe60⤵
- Executes dropped EXE
PID:3488 -
\??\c:\hbhntb.exec:\hbhntb.exe61⤵
- Executes dropped EXE
PID:4532 -
\??\c:\nhnnhh.exec:\nhnnhh.exe62⤵
- Executes dropped EXE
PID:1812 -
\??\c:\jppjd.exec:\jppjd.exe63⤵
- Executes dropped EXE
PID:792 -
\??\c:\1fxlxfr.exec:\1fxlxfr.exe64⤵
- Executes dropped EXE
PID:2252 -
\??\c:\rlfxrrl.exec:\rlfxrrl.exe65⤵
- Executes dropped EXE
PID:3208 -
\??\c:\tbhhbb.exec:\tbhhbb.exe66⤵PID:1408
-
\??\c:\1hhnht.exec:\1hhnht.exe67⤵PID:1156
-
\??\c:\7vpjv.exec:\7vpjv.exe68⤵PID:3664
-
\??\c:\lrfrfxr.exec:\lrfrfxr.exe69⤵PID:1924
-
\??\c:\frxxrrl.exec:\frxxrrl.exe70⤵PID:3964
-
\??\c:\tbbthh.exec:\tbbthh.exe71⤵PID:3992
-
\??\c:\dvdvp.exec:\dvdvp.exe72⤵PID:4984
-
\??\c:\frxlfxx.exec:\frxlfxx.exe73⤵PID:4056
-
\??\c:\7nnbnn.exec:\7nnbnn.exe74⤵PID:4820
-
\??\c:\jjpjd.exec:\jjpjd.exe75⤵PID:3400
-
\??\c:\xlrlfff.exec:\xlrlfff.exe76⤵PID:760
-
\??\c:\bbbbtt.exec:\bbbbtt.exe77⤵PID:4692
-
\??\c:\5nthbb.exec:\5nthbb.exe78⤵PID:1320
-
\??\c:\5djdp.exec:\5djdp.exe79⤵PID:3928
-
\??\c:\rlfxllf.exec:\rlfxllf.exe80⤵PID:4900
-
\??\c:\nhnbhh.exec:\nhnbhh.exe81⤵PID:5052
-
\??\c:\3vvpj.exec:\3vvpj.exe82⤵PID:4920
-
\??\c:\dvdjd.exec:\dvdjd.exe83⤵PID:4500
-
\??\c:\7xfxxxl.exec:\7xfxxxl.exe84⤵PID:4364
-
\??\c:\1ttnbb.exec:\1ttnbb.exe85⤵PID:4304
-
\??\c:\pjdvp.exec:\pjdvp.exe86⤵PID:4968
-
\??\c:\rffxrrl.exec:\rffxrrl.exe87⤵PID:2604
-
\??\c:\hbbnhn.exec:\hbbnhn.exe88⤵PID:224
-
\??\c:\bbnhbb.exec:\bbnhbb.exe89⤵PID:1708
-
\??\c:\9vvpj.exec:\9vvpj.exe90⤵PID:4756
-
\??\c:\jjdvp.exec:\jjdvp.exe91⤵PID:3176
-
\??\c:\rllfrrr.exec:\rllfrrr.exe92⤵PID:3864
-
\??\c:\bbhbtn.exec:\bbhbtn.exe93⤵PID:3192
-
\??\c:\dvpvj.exec:\dvpvj.exe94⤵PID:1032
-
\??\c:\vddvj.exec:\vddvj.exe95⤵PID:2340
-
\??\c:\lflxffl.exec:\lflxffl.exe96⤵PID:2120
-
\??\c:\nhbnhh.exec:\nhbnhh.exe97⤵PID:4976
-
\??\c:\thtntt.exec:\thtntt.exe98⤵PID:2184
-
\??\c:\jddpj.exec:\jddpj.exe99⤵PID:5076
-
\??\c:\3lfxllf.exec:\3lfxllf.exe100⤵PID:2072
-
\??\c:\lxffrxr.exec:\lxffrxr.exe101⤵PID:3648
-
\??\c:\7nnhbt.exec:\7nnhbt.exe102⤵PID:2008
-
\??\c:\dvpjd.exec:\dvpjd.exe103⤵PID:856
-
\??\c:\dpjdp.exec:\dpjdp.exe104⤵PID:1832
-
\??\c:\lllrrxx.exec:\lllrrxx.exe105⤵PID:3396
-
\??\c:\ttnhbb.exec:\ttnhbb.exe106⤵PID:1264
-
\??\c:\dppjv.exec:\dppjv.exe107⤵PID:2180
-
\??\c:\fxlxffx.exec:\fxlxffx.exe108⤵PID:4532
-
\??\c:\frlfxrl.exec:\frlfxrl.exe109⤵PID:1440
-
\??\c:\bnhnbb.exec:\bnhnbb.exe110⤵PID:3924
-
\??\c:\btnhnn.exec:\btnhnn.exe111⤵PID:3348
-
\??\c:\hbbttt.exec:\hbbttt.exe112⤵PID:5056
-
\??\c:\dvdvj.exec:\dvdvj.exe113⤵PID:3732
-
\??\c:\ddpjd.exec:\ddpjd.exe114⤵PID:3916
-
\??\c:\flxfxrr.exec:\flxfxrr.exe115⤵PID:4944
-
\??\c:\5bbtnn.exec:\5bbtnn.exe116⤵PID:4584
-
\??\c:\3ttnhn.exec:\3ttnhn.exe117⤵PID:1744
-
\??\c:\pjjdp.exec:\pjjdp.exe118⤵PID:916
-
\??\c:\jdppp.exec:\jdppp.exe119⤵PID:4972
-
\??\c:\3lfxlfx.exec:\3lfxlfx.exe120⤵PID:4448
-
\??\c:\lrrfxrl.exec:\lrrfxrl.exe121⤵PID:1664
-
\??\c:\httttt.exec:\httttt.exe122⤵PID:1412
-
\??\c:\bhnhtn.exec:\bhnhtn.exe123⤵PID:5108
-
\??\c:\vjdvp.exec:\vjdvp.exe124⤵PID:3076
-
\??\c:\vpjdd.exec:\vpjdd.exe125⤵PID:2056
-
\??\c:\frxrrrl.exec:\frxrrrl.exe126⤵PID:2284
-
\??\c:\xlffrll.exec:\xlffrll.exe127⤵PID:636
-
\??\c:\9tbtbt.exec:\9tbtbt.exe128⤵PID:1472
-
\??\c:\btbthh.exec:\btbthh.exe129⤵PID:2652
-
\??\c:\dpjjd.exec:\dpjjd.exe130⤵PID:4304
-
\??\c:\lrxrrrl.exec:\lrxrrrl.exe131⤵PID:1796
-
\??\c:\lxlxrrl.exec:\lxlxrrl.exe132⤵PID:220
-
\??\c:\bttnhh.exec:\bttnhh.exe133⤵PID:348
-
\??\c:\htbttt.exec:\htbttt.exe134⤵PID:1708
-
\??\c:\pjpjp.exec:\pjpjp.exe135⤵PID:4756
-
\??\c:\lxxrxxr.exec:\lxxrxxr.exe136⤵PID:4592
-
\??\c:\1ffxffx.exec:\1ffxffx.exe137⤵PID:3152
-
\??\c:\5ffxrlr.exec:\5ffxrlr.exe138⤵PID:1396
-
\??\c:\ntbtbb.exec:\ntbtbb.exe139⤵PID:2488
-
\??\c:\1vpjv.exec:\1vpjv.exe140⤵PID:2512
-
\??\c:\jjdjd.exec:\jjdjd.exe141⤵PID:1612
-
\??\c:\xlfxrrl.exec:\xlfxrrl.exe142⤵PID:2944
-
\??\c:\rxxxxxr.exec:\rxxxxxr.exe143⤵PID:816
-
\??\c:\nntttt.exec:\nntttt.exe144⤵PID:4996
-
\??\c:\nhhbnn.exec:\nhhbnn.exe145⤵PID:1352
-
\??\c:\7pvvp.exec:\7pvvp.exe146⤵PID:1916
-
\??\c:\7jddd.exec:\7jddd.exe147⤵PID:4504
-
\??\c:\5lrllfl.exec:\5lrllfl.exe148⤵PID:4568
-
\??\c:\rlfxxxr.exec:\rlfxxxr.exe149⤵PID:4840
-
\??\c:\hhttbb.exec:\hhttbb.exe150⤵PID:4452
-
\??\c:\btnhnn.exec:\btnhnn.exe151⤵PID:2296
-
\??\c:\3pdpd.exec:\3pdpd.exe152⤵PID:1652
-
\??\c:\3jjjv.exec:\3jjjv.exe153⤵PID:4060
-
\??\c:\flrrllf.exec:\flrrllf.exe154⤵PID:1444
-
\??\c:\nbhtbt.exec:\nbhtbt.exe155⤵PID:3992
-
\??\c:\jdpdv.exec:\jdpdv.exe156⤵PID:1192
-
\??\c:\5rlxllf.exec:\5rlxllf.exe157⤵PID:4056
-
\??\c:\tnnhtn.exec:\tnnhtn.exe158⤵PID:1836
-
\??\c:\5ntntt.exec:\5ntntt.exe159⤵PID:4432
-
\??\c:\vppjd.exec:\vppjd.exe160⤵PID:4972
-
\??\c:\rllfrrl.exec:\rllfrrl.exe161⤵PID:1664
-
\??\c:\lfffxxr.exec:\lfffxxr.exe162⤵PID:1412
-
\??\c:\thbtnn.exec:\thbtnn.exe163⤵PID:1756
-
\??\c:\9dvpd.exec:\9dvpd.exe164⤵PID:3076
-
\??\c:\pjdvp.exec:\pjdvp.exe165⤵PID:2056
-
\??\c:\frrfrrl.exec:\frrfrrl.exe166⤵PID:4920
-
\??\c:\9hbtnt.exec:\9hbtnt.exe167⤵PID:4528
-
\??\c:\nbnhnh.exec:\nbnhnh.exe168⤵PID:1472
-
\??\c:\vvppj.exec:\vvppj.exe169⤵PID:4600
-
\??\c:\ddjjj.exec:\ddjjj.exe170⤵PID:4304
-
\??\c:\xfrlxxr.exec:\xfrlxxr.exe171⤵PID:4192
-
\??\c:\thbbtn.exec:\thbbtn.exe172⤵PID:5004
-
\??\c:\5pvpp.exec:\5pvpp.exe173⤵PID:5072
-
\??\c:\fxlxlfx.exec:\fxlxlfx.exe174⤵PID:2068
-
\??\c:\rxxlffx.exec:\rxxlffx.exe175⤵PID:4884
-
\??\c:\9htbtn.exec:\9htbtn.exe176⤵PID:3736
-
\??\c:\bbtnnn.exec:\bbtnnn.exe177⤵PID:3680
-
\??\c:\1pdvd.exec:\1pdvd.exe178⤵PID:2688
-
\??\c:\vvppd.exec:\vvppd.exe179⤵PID:4532
-
\??\c:\tntnbb.exec:\tntnbb.exe180⤵PID:4052
-
\??\c:\ntnnbb.exec:\ntnnbb.exe181⤵PID:712
-
\??\c:\vdjdp.exec:\vdjdp.exe182⤵PID:1448
-
\??\c:\jpdvj.exec:\jpdvj.exe183⤵PID:4688
-
\??\c:\lffxxxl.exec:\lffxxxl.exe184⤵PID:3664
-
\??\c:\5bhbnb.exec:\5bhbnb.exe185⤵PID:3964
-
\??\c:\5vvvj.exec:\5vvvj.exe186⤵PID:1540
-
\??\c:\llfrxlx.exec:\llfrxlx.exe187⤵PID:2456
-
\??\c:\hbnnhh.exec:\hbnnhh.exe188⤵PID:1192
-
\??\c:\rlfllrl.exec:\rlfllrl.exe189⤵PID:4772
-
\??\c:\bntthh.exec:\bntthh.exe190⤵PID:3700
-
\??\c:\hhhbtb.exec:\hhhbtb.exe191⤵PID:3280
-
\??\c:\vpjjv.exec:\vpjjv.exe192⤵PID:1588
-
\??\c:\rlrlllf.exec:\rlrlllf.exe193⤵PID:1668
-
\??\c:\fxxxrll.exec:\fxxxrll.exe194⤵PID:436
-
\??\c:\rrxxrlf.exec:\rrxxrlf.exe195⤵PID:3756
-
\??\c:\tbhhbb.exec:\tbhhbb.exe196⤵PID:4108
-
\??\c:\hbbthh.exec:\hbbthh.exe197⤵PID:2620
-
\??\c:\jjpdp.exec:\jjpdp.exe198⤵PID:632
-
\??\c:\vpvvj.exec:\vpvvj.exe199⤵PID:2276
-
\??\c:\rxrlffx.exec:\rxrlffx.exe200⤵PID:228
-
\??\c:\xflfxrr.exec:\xflfxrr.exe201⤵PID:2280
-
\??\c:\bhtnbt.exec:\bhtnbt.exe202⤵PID:4292
-
\??\c:\bbbnbb.exec:\bbbnbb.exe203⤵PID:4600
-
\??\c:\3jddd.exec:\3jddd.exe204⤵PID:1800
-
\??\c:\vppvp.exec:\vppvp.exe205⤵PID:3412
-
\??\c:\fllrfff.exec:\fllrfff.exe206⤵PID:2364
-
\??\c:\5rrlflx.exec:\5rrlflx.exe207⤵PID:1520
-
\??\c:\7hhbtn.exec:\7hhbtn.exe208⤵PID:348
-
\??\c:\hbhhhb.exec:\hbhhhb.exe209⤵PID:732
-
\??\c:\pppjd.exec:\pppjd.exe210⤵PID:1420
-
\??\c:\3jpdp.exec:\3jpdp.exe211⤵PID:3984
-
\??\c:\flrlfxx.exec:\flrlfxx.exe212⤵PID:5004
-
\??\c:\frfxxxr.exec:\frfxxxr.exe213⤵PID:2148
-
\??\c:\1bhbbb.exec:\1bhbbb.exe214⤵PID:3404
-
\??\c:\nhtnbb.exec:\nhtnbb.exe215⤵PID:816
-
\??\c:\dvvpj.exec:\dvvpj.exe216⤵PID:2008
-
\??\c:\pdjdd.exec:\pdjdd.exe217⤵PID:1996
-
\??\c:\pdpjd.exec:\pdpjd.exe218⤵PID:3112
-
\??\c:\1fllxff.exec:\1fllxff.exe219⤵PID:4508
-
\??\c:\hntnhh.exec:\hntnhh.exe220⤵PID:1908
-
\??\c:\hbbnhh.exec:\hbbnhh.exe221⤵PID:1440
-
\??\c:\jdjdv.exec:\jdjdv.exe222⤵PID:1852
-
\??\c:\fxxrllf.exec:\fxxrllf.exe223⤵PID:4452
-
\??\c:\flrrlrf.exec:\flrrlrf.exe224⤵PID:4496
-
\??\c:\rrllllf.exec:\rrllllf.exe225⤵PID:3216
-
\??\c:\3htnnb.exec:\3htnnb.exe226⤵PID:5096
-
\??\c:\btbthn.exec:\btbthn.exe227⤵PID:1444
-
\??\c:\ppddp.exec:\ppddp.exe228⤵PID:4960
-
\??\c:\vjvpj.exec:\vjvpj.exe229⤵PID:3780
-
\??\c:\9xfllrr.exec:\9xfllrr.exe230⤵PID:3556
-
\??\c:\fxflfxx.exec:\fxflfxx.exe231⤵PID:760
-
\??\c:\hbnnhh.exec:\hbnnhh.exe232⤵PID:4480
-
\??\c:\tthbtn.exec:\tthbtn.exe233⤵PID:4972
-
\??\c:\vpvjp.exec:\vpvjp.exe234⤵PID:4616
-
\??\c:\pjvvd.exec:\pjvvd.exe235⤵PID:3320
-
\??\c:\9lrffxx.exec:\9lrffxx.exe236⤵PID:3756
-
\??\c:\lrxxffl.exec:\lrxxffl.exe237⤵PID:4108
-
\??\c:\tnnbtn.exec:\tnnbtn.exe238⤵PID:2620
-
\??\c:\nhhhbt.exec:\nhhhbt.exe239⤵PID:4952
-
\??\c:\jvppd.exec:\jvppd.exe240⤵PID:2276
-
\??\c:\5xfxlll.exec:\5xfxlll.exe241⤵PID:3876
-
\??\c:\llllllf.exec:\llllllf.exe242⤵PID:2280