Analysis
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 18-05-2024 03:58
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
874ff4c5a20e952fe08932841695db10_NeikiAnalytics.exe
Resource
win7-20240508-en
windows7-x64
5 signatures
150 seconds
General
Target: 874ff4c5a20e952fe08932841695db10_NeikiAnalytics.exe
Size: 70KB
MD5: 874ff4c5a20e952fe08932841695db10
SHA1: 0b3d599757d9028630fa8f20046908283dd0a081
SHA256: 1f1ae97ea8ebb16eadfc8013b0347c2b9fc8cd591fe5cc42ab72f84b52b1d370
SHA512: 3e086d74b836893fa3877a13a1709efe5819422e10ebf333e651c3d54ed3ce8e85fd97e42c6b7ebf30402a33811082e4765a38963c3defcf351c7ad5f5e186dd
SSDEEP: 1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDIgUVyiAnfF:ymb3NkkiQ3mdBjFIgUEBF
Malware Config
Signatures
-
Detect Blackmoon payload 25 IoCs
Executes dropped EXE 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes