Analysis
max time kernel: 150s
max time network: 119s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 18-05-2024 06:17
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
a12e352e8cd27ff7da407d3b0b79f370_NeikiAnalytics.exe
Resource
win7-20231129-en
windows7-x64
5 signatures
150 seconds
General
Target: a12e352e8cd27ff7da407d3b0b79f370_NeikiAnalytics.exe
Size: 69KB
MD5: a12e352e8cd27ff7da407d3b0b79f370
SHA1: b830ce40672c1d1442c194aaa8fbda07290b93e3
SHA256: 476c9a1faa2aef960e233a96ef6f703cf210d60217e23e8eee57d18f4a67b5a5
SHA512: 1ee3e452b0a9d505b6e0a7b4698df45195a956126d707feab3dbf3d8b2eef5a706400c15dc335c026c92f516be3eb3440184f55634eeda59623e123fa8f28bba
SSDEEP: 1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxND0yUwcsbY/7:ymb3NkkiQ3mdBjF0yjcsMz
Malware Config
Signatures
Detect Blackmoon payload 24 IoCs
Executes dropped EXE 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
C:\Users\Admin\AppData\Local\Temp\a12e352e8cd27ff7da407d3b0b79f370_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\a12e352e8cd27ff7da407d3b0b79f370_NeikiAnalytics.exe"
- Suspicious use of WriteProcessMemory
PID:2216