Analysis
max time kernel: 150s
max time network: 123s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 18-05-2024 04:38
Static task
static1: 1 signature
Behavioral task
behavioral1
Sample: 8e46472e228fead7744a1ac190d531d0_NeikiAnalytics.exe
Resource: win7-20240221-en (windows7-x64)
5 signatures, 150 seconds
General
Target: 8e46472e228fead7744a1ac190d531d0_NeikiAnalytics.exe
Size: 90KB
MD5: 8e46472e228fead7744a1ac190d531d0
SHA1: 8c86fbdcec42628a395dc5c71d07e19df5f79e39
SHA256: 2c0bf2bf4fdefeaa58d2616b0acc0e7ac84c02a78714be67653ba5774aba4f9f
SHA512: 6c3a4d10e36eb0359d99cef534b56da68d3666afd1bcc2a7946ce7def5aea340e4fb719c7827ae97854a1d1b62a5e58df03ca0c3b41dc1486435003f872d7463
SSDEEP: 1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDodtzac0Hobv0byLufTJfJVK:ymb3NkkiQ3mdBjFodt27HobvcyLufNfm
Malware Config
Signatures
-
Detect Blackmoon payload 25 IoCs
Executes dropped EXE 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\8e46472e228fead7744a1ac190d531d0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\8e46472e228fead7744a1ac190d531d0_NeikiAnalytics.exe"
- Suspicious use of WriteProcessMemory
- PID: 2956