Analysis
- max time kernel: 150s
- max time network: 127s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 18-05-2024 04:50
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
90c265c8c51b35a28b063a18c6009630_NeikiAnalytics.exe
Resource
win7-20240508-en
windows7-x64
5 signatures
150 seconds
General
-
Target
90c265c8c51b35a28b063a18c6009630_NeikiAnalytics.exe
-
Size
386KB
-
MD5
90c265c8c51b35a28b063a18c6009630
-
SHA1
29967c5b848715e0f62a81bb896fb4c1c9b7a222
-
SHA256
ba7c451b0e05eedb123aa06adca9b85d67369f22f89f1aecfe9ce666f3fda527
-
SHA512
053f44c521caef261786b6530f734867085eff024fc775afcf351dbe147dcecf0af0ddbe0098ae90ab3098ff090c4516aad9cd51572867a495a20b733e705d18
-
SSDEEP
6144:n3C9BRIG0asYFm71mPfkVB8dKwaO5CVwthW:n3C9uYA7okVqdKwaO5CVMhW
Malware Config
Signatures
-
Detect Blackmoon payload 25 IoCs
-
Executes dropped EXE 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\90c265c8c51b35a28b063a18c6009630_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\90c265c8c51b35a28b063a18c6009630_NeikiAnalytics.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4764 -
\??\c:\ddvvd.exec:\ddvvd.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4204 -
\??\c:\3lxlfll.exec:\3lxlfll.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1084 -
\??\c:\pjjvj.exec:\pjjvj.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1512 -
\??\c:\xrrlrll.exec:\xrrlrll.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3348 -
\??\c:\lxfflll.exec:\lxfflll.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1932 -
\??\c:\hnhnbt.exec:\hnhnbt.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4912 -
\??\c:\hhnhnh.exec:\hhnhnh.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3352 -
\??\c:\dpjpj.exec:\dpjpj.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:816 -
\??\c:\nnnhnn.exec:\nnnhnn.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4444 -
\??\c:\3nnnnt.exec:\3nnnnt.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3584 -
\??\c:\bhhhhn.exec:\bhhhhn.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4976 -
\??\c:\rfllffl.exec:\rfllffl.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3880 -
\??\c:\hnbtnn.exec:\hnbtnn.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3048 -
\??\c:\dvvpj.exec:\dvvpj.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4376 -
\??\c:\xrlflff.exec:\xrlflff.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1108 -
\??\c:\lfllllx.exec:\lfllllx.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4052 -
\??\c:\btnnnt.exec:\btnnnt.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1624 -
\??\c:\jdddp.exec:\jdddp.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4680 -
\??\c:\bbttnn.exec:\bbttnn.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5072 -
\??\c:\9ttnnn.exec:\9ttnnn.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4532 -
\??\c:\jdpjp.exec:\jdpjp.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4936 -
\??\c:\rxrflfx.exec:\rxrflfx.exe23⤵
- Executes dropped EXE
PID:2300 -
\??\c:\bthttn.exec:\bthttn.exe24⤵
- Executes dropped EXE
PID:3820 -
\??\c:\ddjvv.exec:\ddjvv.exe25⤵
- Executes dropped EXE
PID:2240 -
\??\c:\htbbtb.exec:\htbbtb.exe26⤵
- Executes dropped EXE
PID:3744 -
\??\c:\5pvpp.exec:\5pvpp.exe27⤵
- Executes dropped EXE
PID:3364 -
\??\c:\rffxxlf.exec:\rffxxlf.exe28⤵
- Executes dropped EXE
PID:5068 -
\??\c:\3hhtnb.exec:\3hhtnb.exe29⤵
- Executes dropped EXE
PID:1556 -
\??\c:\1dpjp.exec:\1dpjp.exe30⤵
- Executes dropped EXE
PID:1084 -
\??\c:\lxlffrf.exec:\lxlffrf.exe31⤵
- Executes dropped EXE
PID:4676 -
\??\c:\xrxlrfl.exec:\xrxlrfl.exe32⤵
- Executes dropped EXE
PID:2720 -
\??\c:\3vddd.exec:\3vddd.exe33⤵
- Executes dropped EXE
PID:5064 -
\??\c:\rfffxrr.exec:\rfffxrr.exe34⤵
- Executes dropped EXE
PID:3680 -
\??\c:\bttnnh.exec:\bttnnh.exe35⤵
- Executes dropped EXE
PID:2156 -
\??\c:\1thbhh.exec:\1thbhh.exe36⤵
- Executes dropped EXE
PID:3548 -
\??\c:\dppvp.exec:\dppvp.exe37⤵
- Executes dropped EXE
PID:1784 -
\??\c:\frxxxfx.exec:\frxxxfx.exe38⤵
- Executes dropped EXE
PID:3776 -
\??\c:\ttbbhh.exec:\ttbbhh.exe39⤵
- Executes dropped EXE
PID:4280 -
\??\c:\ppjdd.exec:\ppjdd.exe40⤵
- Executes dropped EXE
PID:4864 -
\??\c:\djppp.exec:\djppp.exe41⤵
- Executes dropped EXE
PID:4608 -
\??\c:\xrxrrrr.exec:\xrxrrrr.exe42⤵
- Executes dropped EXE
PID:4792 -
\??\c:\tbbntn.exec:\tbbntn.exe43⤵
- Executes dropped EXE
PID:3880 -
\??\c:\vdpjv.exec:\vdpjv.exe44⤵
- Executes dropped EXE
PID:4860 -
\??\c:\fffxrfx.exec:\fffxrfx.exe45⤵
- Executes dropped EXE
PID:2364 -
\??\c:\5lflfll.exec:\5lflfll.exe46⤵
- Executes dropped EXE
PID:2896 -
\??\c:\nhhhbb.exec:\nhhhbb.exe47⤵
- Executes dropped EXE
PID:4052 -
\??\c:\dvjdd.exec:\dvjdd.exe48⤵
- Executes dropped EXE
PID:3116 -
\??\c:\1flfxrl.exec:\1flfxrl.exe49⤵
- Executes dropped EXE
PID:4944 -
\??\c:\nnbbnn.exec:\nnbbnn.exe50⤵
- Executes dropped EXE
PID:1916 -
\??\c:\htbbbb.exec:\htbbbb.exe51⤵
- Executes dropped EXE
PID:3704 -
\??\c:\jjddp.exec:\jjddp.exe52⤵
- Executes dropped EXE
PID:3728 -
\??\c:\rrrlffx.exec:\rrrlffx.exe53⤵
- Executes dropped EXE
PID:2392 -
\??\c:\1hhbbb.exec:\1hhbbb.exe54⤵
- Executes dropped EXE
PID:1236 -
\??\c:\ppddv.exec:\ppddv.exe55⤵
- Executes dropped EXE
PID:2300 -
\??\c:\rllxlxf.exec:\rllxlxf.exe56⤵
- Executes dropped EXE
PID:1368 -
\??\c:\1hhhbb.exec:\1hhhbb.exe57⤵
- Executes dropped EXE
PID:3420 -
\??\c:\jpvvj.exec:\jpvvj.exe58⤵
- Executes dropped EXE
PID:4516 -
\??\c:\lfrlrlr.exec:\lfrlrlr.exe59⤵
- Executes dropped EXE
PID:4360 -
\??\c:\xlxrllf.exec:\xlxrllf.exe60⤵
- Executes dropped EXE
PID:4204 -
\??\c:\dppjd.exec:\dppjd.exe61⤵
- Executes dropped EXE
PID:4764 -
\??\c:\jddvp.exec:\jddvp.exe62⤵
- Executes dropped EXE
PID:4296 -
\??\c:\xlrrrrx.exec:\xlrrrrx.exe63⤵
- Executes dropped EXE
PID:1084 -
\??\c:\vdjdd.exec:\vdjdd.exe64⤵
- Executes dropped EXE
PID:3100 -
\??\c:\fffxrll.exec:\fffxrll.exe65⤵
- Executes dropped EXE
PID:4512 -