Analysis
- max time kernel: 150s
- max time network: 114s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 18-05-2024 06:18
Static task
- static1: 1 signatures
Behavioral task
- behavioral1
- Sample: a14c6ca278e42faaeefdffe8d4a21950_NeikiAnalytics.exe
- Resource: win7-20240221-en, windows7-x64
- 5 signatures
- 150 seconds
General
- Target: a14c6ca278e42faaeefdffe8d4a21950_NeikiAnalytics.exe
- Size: 140KB
- MD5: a14c6ca278e42faaeefdffe8d4a21950
- SHA1: 32ab2cb04f3e23e2af6c31c66859cc82b29aa03d
- SHA256: f3f178b342fde0b43c905b90880ce4d82096905c7f9fd6b4905923d706fac7d3
- SHA512: a56b12146c447b0a8807aca22634ace83e08b60f200b317cba42d44d0798a93db22b850784a028c5077fe8e9266afbd2c528f4aecb28140f3f4fc8b446690dfe
- SSDEEP: 3072:ymb3NkkiQ3mdBjFomR7UsyJC+n0Gsgyek1f:n3C9BRomRph+0GsgyeYf
Malware Config
Signatures
-
Detect Blackmoon payload 27 IoCs
Executes dropped EXE 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
C:\Users\Admin\AppData\Local\Temp\a14c6ca278e42faaeefdffe8d4a21950_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\a14c6ca278e42faaeefdffe8d4a21950_NeikiAnalytics.exe"
- Suspicious use of WriteProcessMemory
- PID: 3780