Analysis
max time kernel: 150s
max time network: 111s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 18-05-2024 04:38
Static task
static1: 1 signatures
Behavioral task
behavioral1
Sample: 8e46472e228fead7744a1ac190d531d0_NeikiAnalytics.exe
Resource: win7-20240221-en, windows7-x64
5 signatures
150 seconds
General
Target: 8e46472e228fead7744a1ac190d531d0_NeikiAnalytics.exe
Size: 90KB
MD5: 8e46472e228fead7744a1ac190d531d0
SHA1: 8c86fbdcec42628a395dc5c71d07e19df5f79e39
SHA256: 2c0bf2bf4fdefeaa58d2616b0acc0e7ac84c02a78714be67653ba5774aba4f9f
SHA512: 6c3a4d10e36eb0359d99cef534b56da68d3666afd1bcc2a7946ce7def5aea340e4fb719c7827ae97854a1d1b62a5e58df03ca0c3b41dc1486435003f872d7463
SSDEEP: 1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDodtzac0Hobv0byLufTJfJVK:ymb3NkkiQ3mdBjFodt27HobvcyLufNfm
Malware Config
Signatures
-
Detect Blackmoon payload 26 IoCs
Executes dropped EXE 64 IoCs
YARA rule matched on process memory dumps: upx
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\8e46472e228fead7744a1ac190d531d0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\8e46472e228fead7744a1ac190d531d0_NeikiAnalytics.exe"
- Suspicious use of WriteProcessMemory
PID: 2784