Analysis
-
max time kernel
151s -
max time network
125s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system -
submitted
18-05-2024 06:18
Static task
static1
1 signature
Behavioral task
behavioral1
Sample
a14c6ca278e42faaeefdffe8d4a21950_NeikiAnalytics.exe
Resource
win7-20240221-en
windows7-x64
5 signatures
150 seconds
General
-
Target
a14c6ca278e42faaeefdffe8d4a21950_NeikiAnalytics.exe
-
Size
140KB
-
MD5
a14c6ca278e42faaeefdffe8d4a21950
-
SHA1
32ab2cb04f3e23e2af6c31c66859cc82b29aa03d
-
SHA256
f3f178b342fde0b43c905b90880ce4d82096905c7f9fd6b4905923d706fac7d3
-
SHA512
a56b12146c447b0a8807aca22634ace83e08b60f200b317cba42d44d0798a93db22b850784a028c5077fe8e9266afbd2c528f4aecb28140f3f4fc8b446690dfe
-
SSDEEP
3072:ymb3NkkiQ3mdBjFomR7UsyJC+n0Gsgyek1f:n3C9BRomRph+0GsgyeYf
Malware Config
Signatures
-
Detect Blackmoon payload 24 IoCs
Processes:
resource yara_rule behavioral1/memory/2300-10-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2704-15-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2424-24-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2540-43-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2716-47-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2368-58-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2344-87-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/1012-105-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2772-131-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/1888-140-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/1952-149-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2156-158-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/1164-176-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/1104-185-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2256-194-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/672-203-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/1472-221-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/676-239-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/1796-248-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2892-266-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2284-275-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon 
behavioral1/memory/1508-284-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/1756-293-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2060-303-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
Processes (note that PIDs are reused within this run — e.g. 2540 is listed for both lxhdlbb.exe and rrpfb.exe, and 1888 for both ttjdn.exe and fdtnv.exe — so the memory-dump IoCs above, which are keyed on PID, cannot be attributed to a process by PID alone; match on the process tree order as well):
rfhddnl.exehlfhfbx.exelxhdlbb.exenfnftt.exehlppd.exehdbvn.exerfblpr.exenpbfb.exejhxpf.exertjxf.exevdjdnn.exetnvdp.exettjdn.exehdtnntd.exelbfrrn.exehxdxljh.exejjnnvnh.exetfdhdpl.exepnbnxpl.exexdrht.exexvrdh.exedbpnb.exenvtxx.exevflnh.exepltvd.exehbnvbbl.exetxftvlf.exefrrljpn.exefbdrn.exelnrxhd.exebfrfd.exevpfvtb.exentvfjn.exedrfvdpv.exepppvntp.exexvhhxnv.exerpdvxj.exevdbfjxj.exerrpfb.exehplrbn.exerrbrnx.exejttntb.exedrpdhb.exetrdvld.exevbprdf.exedrvfb.exedxrhrn.exeprjbdr.exevtdvxl.exedfdtr.exepnvrlx.exefdtnv.exebffjpf.exebhvdb.exefvnnrf.exedrhfrrv.exerrnvx.exehlnbh.exebphnltj.exetthft.exefprlp.exepfjbj.exevhdjdvl.exepnftnp.exepid process 2704 rfhddnl.exe 2424 hlfhfbx.exe 2540 lxhdlbb.exe 2716 nfnftt.exe 2368 hlppd.exe 2500 hdbvn.exe 2344 rfblpr.exe 2800 npbfb.exe 1012 jhxpf.exe 1124 rtjxf.exe 652 vdjdnn.exe 2772 tnvdp.exe 1888 ttjdn.exe 1952 hdtnntd.exe 2156 lbfrrn.exe 2508 hxdxljh.exe 1164 jjnnvnh.exe 1104 tfdhdpl.exe 2256 pnbnxpl.exe 672 xdrht.exe 2544 xvrdh.exe 1472 dbpnb.exe 3064 nvtxx.exe 676 vflnh.exe 1796 pltvd.exe 1548 hbnvbbl.exe 2892 txftvlf.exe 2284 frrljpn.exe 1508 fbdrn.exe 1756 lnrxhd.exe 2060 bfrfd.exe 1684 vpfvtb.exe 1624 ntvfjn.exe 1208 drfvdpv.exe 2784 pppvntp.exe 2916 xvhhxnv.exe 2564 rpdvxj.exe 884 vdbfjxj.exe 2540 rrpfb.exe 2648 hplrbn.exe 2560 rrbrnx.exe 2012 jttntb.exe 2384 drpdhb.exe 2996 trdvld.exe 1724 vbprdf.exe 1332 drvfb.exe 1284 dxrhrn.exe 636 prjbdr.exe 2692 vtdvxl.exe 3012 dfdtr.exe 1976 pnvrlx.exe 1888 fdtnv.exe 1924 bffjpf.exe 2432 bhvdb.exe 2280 fvnnrf.exe 1784 drhfrrv.exe 2428 rrnvx.exe 2244 hlnbh.exe 584 bphnltj.exe 2136 tthft.exe 3000 fprlp.exe 2292 pfjbj.exe 3020 vhdjdvl.exe 1488 pnftnp.exe -
Processes (the signature heading for this block is missing from the extract; the rule column reads `upx`, i.e. UPX-packed memory regions):
resource yara_rule behavioral1/memory/2300-3-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2300-10-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2704-15-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2424-24-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2540-32-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2540-34-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2540-33-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2540-43-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2716-47-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2368-58-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2368-56-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2500-68-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2344-77-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2344-78-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2344-87-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1012-105-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2772-131-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1888-140-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1952-149-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2156-158-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1164-176-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1104-185-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2256-194-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/672-203-0x0000000000400000-0x0000000000429000-memory.dmp upx 
behavioral1/memory/1472-221-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/676-239-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1796-248-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2892-266-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2284-275-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1508-284-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1756-293-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2060-303-0x0000000000400000-0x0000000000429000-memory.dmp upx -
Suspicious use of WriteProcessMemory 64 IoCs
Processes (in every entry below the target is the process the writer spawns next in the tree, and each pair is repeated four times; this pattern is consistent with the parent writing into its own newly created child rather than with injection into an unrelated process, so treat this signature as supporting evidence for the drop-and-execute chain rather than as a standalone injection indicator):
a14c6ca278e42faaeefdffe8d4a21950_NeikiAnalytics.exerfhddnl.exehlfhfbx.exelxhdlbb.exenfnftt.exehlppd.exehdbvn.exerfblpr.exenpbfb.exejhxpf.exertjxf.exevdjdnn.exetnvdp.exettjdn.exehdtnntd.exelbfrrn.exedescription pid process target process PID 2300 wrote to memory of 2704 2300 a14c6ca278e42faaeefdffe8d4a21950_NeikiAnalytics.exe rfhddnl.exe PID 2300 wrote to memory of 2704 2300 a14c6ca278e42faaeefdffe8d4a21950_NeikiAnalytics.exe rfhddnl.exe PID 2300 wrote to memory of 2704 2300 a14c6ca278e42faaeefdffe8d4a21950_NeikiAnalytics.exe rfhddnl.exe PID 2300 wrote to memory of 2704 2300 a14c6ca278e42faaeefdffe8d4a21950_NeikiAnalytics.exe rfhddnl.exe PID 2704 wrote to memory of 2424 2704 rfhddnl.exe hlfhfbx.exe PID 2704 wrote to memory of 2424 2704 rfhddnl.exe hlfhfbx.exe PID 2704 wrote to memory of 2424 2704 rfhddnl.exe hlfhfbx.exe PID 2704 wrote to memory of 2424 2704 rfhddnl.exe hlfhfbx.exe PID 2424 wrote to memory of 2540 2424 hlfhfbx.exe lxhdlbb.exe PID 2424 wrote to memory of 2540 2424 hlfhfbx.exe lxhdlbb.exe PID 2424 wrote to memory of 2540 2424 hlfhfbx.exe lxhdlbb.exe PID 2424 wrote to memory of 2540 2424 hlfhfbx.exe lxhdlbb.exe PID 2540 wrote to memory of 2716 2540 lxhdlbb.exe nfnftt.exe PID 2540 wrote to memory of 2716 2540 lxhdlbb.exe nfnftt.exe PID 2540 wrote to memory of 2716 2540 lxhdlbb.exe nfnftt.exe PID 2540 wrote to memory of 2716 2540 lxhdlbb.exe nfnftt.exe PID 2716 wrote to memory of 2368 2716 nfnftt.exe hlppd.exe PID 2716 wrote to memory of 2368 2716 nfnftt.exe hlppd.exe PID 2716 wrote to memory of 2368 2716 nfnftt.exe hlppd.exe PID 2716 wrote to memory of 2368 2716 nfnftt.exe hlppd.exe PID 2368 wrote to memory of 2500 2368 hlppd.exe hdbvn.exe PID 2368 wrote to memory of 2500 2368 hlppd.exe hdbvn.exe PID 2368 wrote to memory of 2500 2368 hlppd.exe hdbvn.exe PID 2368 wrote to memory of 2500 2368 hlppd.exe hdbvn.exe PID 2500 wrote to memory of 2344 2500 hdbvn.exe rfblpr.exe PID 2500 wrote to memory of 2344 2500 hdbvn.exe rfblpr.exe PID 2500 wrote to memory of 
2344 2500 hdbvn.exe rfblpr.exe PID 2500 wrote to memory of 2344 2500 hdbvn.exe rfblpr.exe PID 2344 wrote to memory of 2800 2344 rfblpr.exe npbfb.exe PID 2344 wrote to memory of 2800 2344 rfblpr.exe npbfb.exe PID 2344 wrote to memory of 2800 2344 rfblpr.exe npbfb.exe PID 2344 wrote to memory of 2800 2344 rfblpr.exe npbfb.exe PID 2800 wrote to memory of 1012 2800 npbfb.exe jhxpf.exe PID 2800 wrote to memory of 1012 2800 npbfb.exe jhxpf.exe PID 2800 wrote to memory of 1012 2800 npbfb.exe jhxpf.exe PID 2800 wrote to memory of 1012 2800 npbfb.exe jhxpf.exe PID 1012 wrote to memory of 1124 1012 jhxpf.exe rtjxf.exe PID 1012 wrote to memory of 1124 1012 jhxpf.exe rtjxf.exe PID 1012 wrote to memory of 1124 1012 jhxpf.exe rtjxf.exe PID 1012 wrote to memory of 1124 1012 jhxpf.exe rtjxf.exe PID 1124 wrote to memory of 652 1124 rtjxf.exe vdjdnn.exe PID 1124 wrote to memory of 652 1124 rtjxf.exe vdjdnn.exe PID 1124 wrote to memory of 652 1124 rtjxf.exe vdjdnn.exe PID 1124 wrote to memory of 652 1124 rtjxf.exe vdjdnn.exe PID 652 wrote to memory of 2772 652 vdjdnn.exe tnvdp.exe PID 652 wrote to memory of 2772 652 vdjdnn.exe tnvdp.exe PID 652 wrote to memory of 2772 652 vdjdnn.exe tnvdp.exe PID 652 wrote to memory of 2772 652 vdjdnn.exe tnvdp.exe PID 2772 wrote to memory of 1888 2772 tnvdp.exe ttjdn.exe PID 2772 wrote to memory of 1888 2772 tnvdp.exe ttjdn.exe PID 2772 wrote to memory of 1888 2772 tnvdp.exe ttjdn.exe PID 2772 wrote to memory of 1888 2772 tnvdp.exe ttjdn.exe PID 1888 wrote to memory of 1952 1888 ttjdn.exe hdtnntd.exe PID 1888 wrote to memory of 1952 1888 ttjdn.exe hdtnntd.exe PID 1888 wrote to memory of 1952 1888 ttjdn.exe hdtnntd.exe PID 1888 wrote to memory of 1952 1888 ttjdn.exe hdtnntd.exe PID 1952 wrote to memory of 2156 1952 hdtnntd.exe lbfrrn.exe PID 1952 wrote to memory of 2156 1952 hdtnntd.exe lbfrrn.exe PID 1952 wrote to memory of 2156 1952 hdtnntd.exe lbfrrn.exe PID 1952 wrote to memory of 2156 1952 hdtnntd.exe lbfrrn.exe PID 2156 wrote to memory of 2508 
2156 lbfrrn.exe hxdxljh.exe PID 2156 wrote to memory of 2508 2156 lbfrrn.exe hxdxljh.exe PID 2156 wrote to memory of 2508 2156 lbfrrn.exe hxdxljh.exe PID 2156 wrote to memory of 2508 2156 lbfrrn.exe hxdxljh.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\a14c6ca278e42faaeefdffe8d4a21950_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\a14c6ca278e42faaeefdffe8d4a21950_NeikiAnalytics.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2300 -
\??\c:\rfhddnl.exec:\rfhddnl.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2704 -
\??\c:\hlfhfbx.exec:\hlfhfbx.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2424 -
\??\c:\lxhdlbb.exec:\lxhdlbb.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2540 -
\??\c:\nfnftt.exec:\nfnftt.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2716 -
\??\c:\hlppd.exec:\hlppd.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2368 -
\??\c:\hdbvn.exec:\hdbvn.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2500 -
\??\c:\rfblpr.exec:\rfblpr.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2344 -
\??\c:\npbfb.exec:\npbfb.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2800 -
\??\c:\jhxpf.exec:\jhxpf.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1012 -
\??\c:\rtjxf.exec:\rtjxf.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1124 -
\??\c:\vdjdnn.exec:\vdjdnn.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:652 -
\??\c:\tnvdp.exec:\tnvdp.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2772 -
\??\c:\ttjdn.exec:\ttjdn.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1888 -
\??\c:\hdtnntd.exec:\hdtnntd.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1952 -
\??\c:\lbfrrn.exec:\lbfrrn.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2156 -
\??\c:\hxdxljh.exec:\hxdxljh.exe17⤵
- Executes dropped EXE
PID:2508 -
\??\c:\jjnnvnh.exec:\jjnnvnh.exe18⤵
- Executes dropped EXE
PID:1164 -
\??\c:\tfdhdpl.exec:\tfdhdpl.exe19⤵
- Executes dropped EXE
PID:1104 -
\??\c:\pnbnxpl.exec:\pnbnxpl.exe20⤵
- Executes dropped EXE
PID:2256 -
\??\c:\xdrht.exec:\xdrht.exe21⤵
- Executes dropped EXE
PID:672 -
\??\c:\xvrdh.exec:\xvrdh.exe22⤵
- Executes dropped EXE
PID:2544 -
\??\c:\dbpnb.exec:\dbpnb.exe23⤵
- Executes dropped EXE
PID:1472 -
\??\c:\nvtxx.exec:\nvtxx.exe24⤵
- Executes dropped EXE
PID:3064 -
\??\c:\vflnh.exec:\vflnh.exe25⤵
- Executes dropped EXE
PID:676 -
\??\c:\pltvd.exec:\pltvd.exe26⤵
- Executes dropped EXE
PID:1796 -
\??\c:\hbnvbbl.exec:\hbnvbbl.exe27⤵
- Executes dropped EXE
PID:1548 -
\??\c:\txftvlf.exec:\txftvlf.exe28⤵
- Executes dropped EXE
PID:2892 -
\??\c:\frrljpn.exec:\frrljpn.exe29⤵
- Executes dropped EXE
PID:2284 -
\??\c:\fbdrn.exec:\fbdrn.exe30⤵
- Executes dropped EXE
PID:1508 -
\??\c:\lnrxhd.exec:\lnrxhd.exe31⤵
- Executes dropped EXE
PID:1756 -
\??\c:\bfrfd.exec:\bfrfd.exe32⤵
- Executes dropped EXE
PID:2060 -
\??\c:\vpfvtb.exec:\vpfvtb.exe33⤵
- Executes dropped EXE
PID:1684 -
\??\c:\ntvfjn.exec:\ntvfjn.exe34⤵
- Executes dropped EXE
PID:1624 -
\??\c:\drfvdpv.exec:\drfvdpv.exe35⤵
- Executes dropped EXE
PID:1208 -
\??\c:\pppvntp.exec:\pppvntp.exe36⤵
- Executes dropped EXE
PID:2784 -
\??\c:\xvhhxnv.exec:\xvhhxnv.exe37⤵
- Executes dropped EXE
PID:2916 -
\??\c:\rpdvxj.exec:\rpdvxj.exe38⤵
- Executes dropped EXE
PID:2564 -
\??\c:\vdbfjxj.exec:\vdbfjxj.exe39⤵
- Executes dropped EXE
PID:884 -
\??\c:\rrpfb.exec:\rrpfb.exe40⤵
- Executes dropped EXE
PID:2540 -
\??\c:\hplrbn.exec:\hplrbn.exe41⤵
- Executes dropped EXE
PID:2648 -
\??\c:\rrbrnx.exec:\rrbrnx.exe42⤵
- Executes dropped EXE
PID:2560 -
\??\c:\jttntb.exec:\jttntb.exe43⤵
- Executes dropped EXE
PID:2012 -
\??\c:\drpdhb.exec:\drpdhb.exe44⤵
- Executes dropped EXE
PID:2384 -
\??\c:\trdvld.exec:\trdvld.exe45⤵
- Executes dropped EXE
PID:2996 -
\??\c:\vbprdf.exec:\vbprdf.exe46⤵
- Executes dropped EXE
PID:1724 -
\??\c:\drvfb.exec:\drvfb.exe47⤵
- Executes dropped EXE
PID:1332 -
\??\c:\dxrhrn.exec:\dxrhrn.exe48⤵
- Executes dropped EXE
PID:1284 -
\??\c:\prjbdr.exec:\prjbdr.exe49⤵
- Executes dropped EXE
PID:636 -
\??\c:\vtdvxl.exec:\vtdvxl.exe50⤵
- Executes dropped EXE
PID:2692 -
\??\c:\dfdtr.exec:\dfdtr.exe51⤵
- Executes dropped EXE
PID:3012 -
\??\c:\pnvrlx.exec:\pnvrlx.exe52⤵
- Executes dropped EXE
PID:1976 -
\??\c:\fdtnv.exec:\fdtnv.exe53⤵
- Executes dropped EXE
PID:1888 -
\??\c:\bffjpf.exec:\bffjpf.exe54⤵
- Executes dropped EXE
PID:1924 -
\??\c:\bhvdb.exec:\bhvdb.exe55⤵
- Executes dropped EXE
PID:2432 -
\??\c:\fvnnrf.exec:\fvnnrf.exe56⤵
- Executes dropped EXE
PID:2280 -
\??\c:\drhfrrv.exec:\drhfrrv.exe57⤵
- Executes dropped EXE
PID:1784 -
\??\c:\rrnvx.exec:\rrnvx.exe58⤵
- Executes dropped EXE
PID:2428 -
\??\c:\hlnbh.exec:\hlnbh.exe59⤵
- Executes dropped EXE
PID:2244 -
\??\c:\bphnltj.exec:\bphnltj.exe60⤵
- Executes dropped EXE
PID:584 -
\??\c:\tthft.exec:\tthft.exe61⤵
- Executes dropped EXE
PID:2136 -
\??\c:\fprlp.exec:\fprlp.exe62⤵
- Executes dropped EXE
PID:3000 -
\??\c:\pfjbj.exec:\pfjbj.exe63⤵
- Executes dropped EXE
PID:2292 -
\??\c:\vhdjdvl.exec:\vhdjdvl.exe64⤵
- Executes dropped EXE
PID:3020 -
\??\c:\pnftnp.exec:\pnftnp.exe65⤵
- Executes dropped EXE
PID:1488 -
\??\c:\rlvph.exec:\rlvph.exe66⤵PID:1788
-
\??\c:\xrnphjb.exec:\xrnphjb.exe67⤵PID:2644
-
\??\c:\rnxnbp.exec:\rnxnbp.exe68⤵PID:3016
-
\??\c:\dhnvrf.exec:\dhnvrf.exe69⤵PID:2024
-
\??\c:\xlbpt.exec:\xlbpt.exe70⤵PID:1832
-
\??\c:\fdltb.exec:\fdltb.exe71⤵PID:1484
-
\??\c:\vbffbbf.exec:\vbffbbf.exe72⤵PID:1464
-
\??\c:\rnxjln.exec:\rnxjln.exe73⤵PID:1752
-
\??\c:\bvrfrr.exec:\bvrfrr.exe74⤵PID:1572
-
\??\c:\dlvtth.exec:\dlvtth.exe75⤵PID:2060
-
\??\c:\bvfrvf.exec:\bvfrvf.exe76⤵PID:2152
-
\??\c:\tbtpnnp.exec:\tbtpnnp.exe77⤵PID:868
-
\??\c:\lbtvrlx.exec:\lbtvrlx.exe78⤵PID:2300
-
\??\c:\prxnbxx.exec:\prxnbxx.exe79⤵PID:2908
-
\??\c:\rlblrjp.exec:\rlblrjp.exe80⤵PID:2460
-
\??\c:\nxnjbr.exec:\nxnjbr.exe81⤵PID:2568
-
\??\c:\jldnfx.exec:\jldnfx.exe82⤵PID:1940
-
\??\c:\fvtpt.exec:\fvtpt.exe83⤵PID:2472
-
\??\c:\dbvxpf.exec:\dbvxpf.exe84⤵PID:2680
-
\??\c:\xlrbxff.exec:\xlrbxff.exe85⤵PID:2852
-
\??\c:\nnlbdjp.exec:\nnlbdjp.exe86⤵PID:2604
-
\??\c:\hvlnlbx.exec:\hvlnlbx.exe87⤵PID:2380
-
\??\c:\xdrbp.exec:\xdrbp.exe88⤵PID:2404
-
\??\c:\rdrff.exec:\rdrff.exe89⤵PID:2348
-
\??\c:\frrvrb.exec:\frrvrb.exe90⤵PID:1724
-
\??\c:\jljxjt.exec:\jljxjt.exe91⤵PID:1172
-
\??\c:\ffpbt.exec:\ffpbt.exe92⤵PID:1596
-
\??\c:\fnfbr.exec:\fnfbr.exe93⤵PID:2812
-
\??\c:\bhvfbl.exec:\bhvfbl.exe94⤵PID:1984
-
\??\c:\dftxbb.exec:\dftxbb.exe95⤵PID:2028
-
\??\c:\ppplxrv.exec:\ppplxrv.exe96⤵PID:1648
-
\??\c:\fprlf.exec:\fprlf.exe97⤵PID:1952
-
\??\c:\rpnhj.exec:\rpnhj.exe98⤵PID:2628
-
\??\c:\hvfpd.exec:\hvfpd.exe99⤵PID:2004
-
\??\c:\jblhj.exec:\jblhj.exe100⤵PID:1772
-
\??\c:\fntdhx.exec:\fntdhx.exe101⤵PID:1784
-
\??\c:\ndhfh.exec:\ndhfh.exe102⤵PID:324
-
\??\c:\jxxbdh.exec:\jxxbdh.exe103⤵PID:2064
-
\??\c:\fhhfd.exec:\fhhfd.exe104⤵PID:2988
-
\??\c:\ffhbpfh.exec:\ffhbpfh.exe105⤵PID:2744
-
\??\c:\njhtxff.exec:\njhtxff.exe106⤵PID:1080
-
\??\c:\prtpbhd.exec:\prtpbhd.exe107⤵PID:3060
-
\??\c:\xlpxb.exec:\xlpxb.exe108⤵PID:1576
-
\??\c:\thdhbrv.exec:\thdhbrv.exe109⤵PID:1152
-
\??\c:\vdvdj.exec:\vdvdj.exe110⤵PID:1680
-
\??\c:\pdbdr.exec:\pdbdr.exe111⤵PID:1828
-
\??\c:\rrjxv.exec:\rrjxv.exe112⤵PID:908
-
\??\c:\tdxvfdf.exec:\tdxvfdf.exe113⤵PID:888
-
\??\c:\vvpfr.exec:\vvpfr.exe114⤵PID:1616
-
\??\c:\ttrfljv.exec:\ttrfljv.exe115⤵PID:2216
-
\??\c:\tfnfr.exec:\tfnfr.exe116⤵PID:960
-
\??\c:\jdbnrf.exec:\jdbnrf.exe117⤵PID:900
-
\??\c:\lnhtdj.exec:\lnhtdj.exe118⤵PID:2088
-
\??\c:\rfjxv.exec:\rfjxv.exe119⤵PID:2132
-
\??\c:\xrrtb.exec:\xrrtb.exe120⤵PID:1708
-
\??\c:\bfnhdr.exec:\bfnhdr.exe121⤵PID:2904
-
\??\c:\lxrfx.exec:\lxrfx.exe122⤵PID:2520
-
\??\c:\vrfvfvx.exec:\vrfvfvx.exe123⤵PID:2556
-
\??\c:\rnvth.exec:\rnvth.exe124⤵PID:2916
-
\??\c:\xnbtl.exec:\xnbtl.exe125⤵PID:2564
-
\??\c:\nxnbl.exec:\nxnbl.exe126⤵PID:2600
-
\??\c:\dnlvtd.exec:\dnlvtd.exe127⤵PID:884
-
\??\c:\bvlxhp.exec:\bvlxhp.exe128⤵PID:2648
-
\??\c:\rhdhpj.exec:\rhdhpj.exe129⤵PID:2560
-
\??\c:\rxnvbn.exec:\rxnvbn.exe130⤵PID:2012
-
\??\c:\lrbhvv.exec:\lrbhvv.exe131⤵PID:2344
-
\??\c:\jjrhndn.exec:\jjrhndn.exe132⤵PID:2796
-
\??\c:\rvxvx.exec:\rvxvx.exe133⤵PID:2996
-
\??\c:\lfhlv.exec:\lfhlv.exe134⤵PID:1372
-
\??\c:\vllvd.exec:\vllvd.exe135⤵PID:1284
-
\??\c:\rtddjh.exec:\rtddjh.exe136⤵PID:636
-
\??\c:\dhfhdf.exec:\dhfhdf.exe137⤵PID:1140
-
\??\c:\rvdbp.exec:\rvdbp.exe138⤵PID:3012
-
\??\c:\xhhthd.exec:\xhhthd.exe139⤵PID:2584
-
\??\c:\fdltvv.exec:\fdltvv.exe140⤵PID:1888
-
\??\c:\vpbnxvp.exec:\vpbnxvp.exe141⤵PID:2288
-
\??\c:\jnhtdhp.exec:\jnhtdhp.exe142⤵PID:1688
-
\??\c:\vlnrhxf.exec:\vlnrhxf.exe143⤵PID:1176
-
\??\c:\fdfxj.exec:\fdfxj.exe144⤵PID:1196
-
\??\c:\bbhdv.exec:\bbhdv.exe145⤵PID:1100
-
\??\c:\nvtpnj.exec:\nvtpnj.exe146⤵PID:2272
-
\??\c:\vfljbl.exec:\vfljbl.exe147⤵PID:2268
-
\??\c:\ndnjxft.exec:\ndnjxft.exe148⤵PID:2136
-
\??\c:\vdxrpp.exec:\vdxrpp.exe149⤵PID:2744
-
\??\c:\xtpjdtr.exec:\xtpjdtr.exe150⤵PID:1080
-
\??\c:\bfbff.exec:\bfbff.exe151⤵PID:3020
-
\??\c:\njpjbv.exec:\njpjbv.exe152⤵PID:1488
-
\??\c:\vlbjln.exec:\vlbjln.exe153⤵PID:676
-
\??\c:\rlbnbn.exec:\rlbnbn.exe154⤵PID:2644
-
\??\c:\bfvdfld.exec:\bfvdfld.exe155⤵PID:1068
-
\??\c:\lvjxb.exec:\lvjxb.exe156⤵PID:1716
-
\??\c:\jxrhjt.exec:\jxrhjt.exe157⤵PID:2024
-
\??\c:\tfxpp.exec:\tfxpp.exe158⤵PID:2056
-
\??\c:\nrpjxx.exec:\nrpjxx.exe159⤵PID:1484
-
\??\c:\fnxtjdv.exec:\fnxtjdv.exe160⤵PID:2128
-
\??\c:\lbpjfx.exec:\lbpjfx.exe161⤵PID:1572
-
\??\c:\tnrvj.exec:\tnrvj.exe162⤵PID:2180
-
\??\c:\ffrxh.exec:\ffrxh.exe163⤵PID:1584
-
\??\c:\tjxdjhb.exec:\tjxdjhb.exe164⤵PID:868
-
\??\c:\hbpfx.exec:\hbpfx.exe165⤵PID:2096
-
\??\c:\tbttdf.exec:\tbttdf.exe166⤵PID:2524
-
\??\c:\dhtthnl.exec:\dhtthnl.exe167⤵PID:2484
-
\??\c:\tlbtrr.exec:\tlbtrr.exe168⤵PID:2576
-
\??\c:\vfpnnh.exec:\vfpnnh.exe169⤵PID:2552
-
\??\c:\llvnj.exec:\llvnj.exe170⤵PID:2540
-
\??\c:\tptbjbl.exec:\tptbjbl.exe171⤵PID:2468
-
\??\c:\prvdpvf.exec:\prvdpvf.exe172⤵PID:2496
-
\??\c:\ndfhpxd.exec:\ndfhpxd.exe173⤵PID:2328
-
\??\c:\hnpxv.exec:\hnpxv.exe174⤵PID:2856
-
\??\c:\lrdbrf.exec:\lrdbrf.exe175⤵PID:2376
-
\??\c:\hjbvt.exec:\hjbvt.exe176⤵PID:1300
-
\??\c:\ndffhvr.exec:\ndffhvr.exe177⤵PID:2348
-
\??\c:\nlxbv.exec:\nlxbv.exe178⤵PID:1124
-
\??\c:\pvjvfvr.exec:\pvjvfvr.exe179⤵PID:1596
-
\??\c:\pxpjxl.exec:\pxpjxl.exe180⤵PID:1636
-
\??\c:\rnnrrlb.exec:\rnnrrlb.exe181⤵PID:2788
-
\??\c:\hbrjx.exec:\hbrjx.exe182⤵PID:2224
-
\??\c:\dbbhvvl.exec:\dbbhvvl.exe183⤵PID:1920
-
\??\c:\ljpvnv.exec:\ljpvnv.exe184⤵PID:1980
-
\??\c:\djhbr.exec:\djhbr.exe185⤵PID:2308
-
\??\c:\nbdjp.exec:\nbdjp.exe186⤵PID:2508
-
\??\c:\dfntprt.exec:\dfntprt.exe187⤵PID:1460
-
\??\c:\jrrhn.exec:\jrrhn.exe188⤵PID:2296
-
\??\c:\jjbph.exec:\jjbph.exe189⤵PID:592
-
\??\c:\jbrjl.exec:\jbrjl.exe190⤵PID:2960
-
\??\c:\vrhdt.exec:\vrhdt.exe191⤵PID:1568
-
\??\c:\dlxbhbr.exec:\dlxbhbr.exe192⤵PID:2084
-
\??\c:\dxndllv.exec:\dxndllv.exe193⤵PID:3068
-
\??\c:\tfhnxp.exec:\tfhnxp.exe194⤵PID:1316
-
\??\c:\thxtdtb.exec:\thxtdtb.exe195⤵PID:984
-
\??\c:\nhxbt.exec:\nhxbt.exe196⤵PID:1088
-
\??\c:\hjplpr.exec:\hjplpr.exe197⤵PID:2044
-
\??\c:\nbhvp.exec:\nbhvp.exe198⤵PID:1056
-
\??\c:\xtvrln.exec:\xtvrln.exe199⤵PID:608
-
\??\c:\dndxdpp.exec:\dndxdpp.exe200⤵PID:980
-
\??\c:\dplfnxl.exec:\dplfnxl.exe201⤵PID:948
-
\??\c:\jdxpn.exec:\jdxpn.exe202⤵PID:1660
-
\??\c:\pxddrp.exec:\pxddrp.exe203⤵PID:3040
-
\??\c:\xhtpj.exec:\xhtpj.exe204⤵PID:572
-
\??\c:\bxhhj.exec:\bxhhj.exe205⤵PID:2076
-
\??\c:\ltndbj.exec:\ltndbj.exe206⤵PID:2616
-
\??\c:\rtfrf.exec:\rtfrf.exe207⤵PID:1588
-
\??\c:\nvffv.exec:\nvffv.exe208⤵PID:2956
-
\??\c:\jdbvfbn.exec:\jdbvfbn.exe209⤵PID:2424
-
\??\c:\rvlfnn.exec:\rvlfnn.exe210⤵PID:2532
-
\??\c:\vrdnlt.exec:\vrdnlt.exe211⤵PID:2924
-
\??\c:\dnvlrx.exec:\dnvlrx.exe212⤵PID:2580
-
\??\c:\jvvfv.exec:\jvvfv.exe213⤵PID:2120
-
\??\c:\hnvvlxh.exec:\hnvvlxh.exe214⤵PID:2596
-
\??\c:\rjbfrb.exec:\rjbfrb.exe215⤵PID:2388
-
\??\c:\txvhphd.exec:\txvhphd.exe216⤵PID:2500
-
\??\c:\rdfnnr.exec:\rdfnnr.exe217⤵PID:2336
-
\??\c:\flfdjt.exec:\flfdjt.exe218⤵PID:1916
-
\??\c:\rpnnt.exec:\rpnnt.exe219⤵PID:2404
-
\??\c:\hvflbpd.exec:\hvflbpd.exe220⤵PID:1632
-
\??\c:\blxtlj.exec:\blxtlj.exe221⤵PID:1816
-
\??\c:\dhnfh.exec:\dhnfh.exe222⤵PID:1332
-
\??\c:\dlntjvn.exec:\dlntjvn.exe223⤵PID:840
-
\??\c:\bvftbx.exec:\bvftbx.exe224⤵PID:2812
-
\??\c:\bljlxpn.exec:\bljlxpn.exe225⤵PID:2148
-
\??\c:\lnnxj.exec:\lnnxj.exe226⤵PID:1912
-
\??\c:\btljl.exec:\btljl.exe227⤵PID:1952
-
\??\c:\ntndr.exec:\ntndr.exe228⤵PID:1640
-
\??\c:\xlblp.exec:\xlblp.exe229⤵PID:2656
-
\??\c:\nnprt.exec:\nnprt.exe230⤵PID:1240
-
\??\c:\vbxtl.exec:\vbxtl.exe231⤵PID:1720
-
\??\c:\ltdpjrd.exec:\ltdpjrd.exe232⤵PID:2740
-
\??\c:\jxjdxr.exec:\jxjdxr.exe233⤵PID:2972
-
\??\c:\jtblbl.exec:\jtblbl.exe234⤵PID:1712
-
\??\c:\hjtdpvd.exec:\hjtdpvd.exe235⤵PID:308
-
\??\c:\xjrbpll.exec:\xjrbpll.exe236⤵PID:3000
-
\??\c:\rhfbx.exec:\rhfbx.exe237⤵PID:1404
-
\??\c:\bxrrlfj.exec:\bxrrlfj.exe238⤵PID:3064
-
\??\c:\ppfvdrd.exec:\ppfvdrd.exe239⤵PID:2032
-
\??\c:\hrbpfd.exec:\hrbpfd.exe240⤵PID:2732
-
\??\c:\vdxff.exec:\vdxff.exe241⤵PID:2160
-
\??\c:\rbbbn.exec:\rbbbn.exe242⤵PID:3016