Analysis
-
max time kernel
150s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240215-en -
resource tags
arch:x64 arch:x86 image:win7-20240215-en locale:en-us os:windows7-x64 system -
submitted
18-05-2024 06:20
Behavioral task
behavioral1
Sample
a1b174eee27b1da19240e54c5199d2f0_NeikiAnalytics.exe
Resource
win7-20240215-en
windows7-x64
5 signatures
150 seconds
General
-
Target
a1b174eee27b1da19240e54c5199d2f0_NeikiAnalytics.exe
-
Size
106KB
-
MD5
a1b174eee27b1da19240e54c5199d2f0
-
SHA1
38fa52f8d87214333eeb2a41fb485a1bef431919
-
SHA256
a31242815ff470c5578bf6e79a2ffcce619e2d51a8da457e6b2e8425107724e2
-
SHA512
0abb76c1526a826091a1fed9dc3b7d1d2a65c81eaa4c5b517bb531e8f9b5b41a3424824e90f67c2af88fc847c7b52ada621a38042cf95dd0eeba8ab8fb677479
-
SSDEEP
3072:khOmTsF93UYfwC6GIoutpYcvrqrE66krop7BcgJ:kcm4FmowdHoSphraHcp7yw
Malware Config
Signatures
-
Detect Blackmoon payload 40 IoCs
-
Executes dropped EXE 64 IoCs
-
Processes:
resource yara_rule behavioral1/memory/1956-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/1956-3-0x0000000000220000-0x0000000000247000-memory.dmp upx C:\nnbthh.exe upx behavioral1/memory/1956-8-0x0000000000400000-0x0000000000427000-memory.dmp upx \??\c:\ttnnhn.exe upx behavioral1/memory/2712-18-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\ppvjd.exe upx behavioral1/memory/2712-26-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\9fxxfxx.exe upx behavioral1/memory/2588-35-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\7ntnbt.exe upx behavioral1/memory/2592-44-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/1964-45-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2688-55-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/1964-54-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\dvddv.exe upx C:\xfrxfrf.exe upx behavioral1/memory/2688-64-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2568-65-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2568-73-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\frlflfl.exe upx behavioral1/memory/2412-83-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\thhnhn.exe upx C:\vpvpd.exe upx behavioral1/memory/2868-91-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\llflxlx.exe upx behavioral1/memory/112-101-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2624-102-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2624-110-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\xffffrx.exe upx C:\tnhbnt.exe upx behavioral1/memory/2748-120-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\3dpdv.exe upx behavioral1/memory/1260-129-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/988-137-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\ppvdp.exe upx C:\ffxflrx.exe upx 
behavioral1/memory/2352-154-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\tbtttn.exe upx behavioral1/memory/1340-156-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\bnttnt.exe upx C:\ddpdp.exe upx behavioral1/memory/2432-172-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\9xxfxlf.exe upx C:\bhbhnh.exe upx C:\btnnnn.exe upx behavioral1/memory/1696-197-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\7vjpp.exe upx behavioral1/memory/2212-206-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\5fxffff.exe upx behavioral1/memory/680-214-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/1392-224-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\fxxrxfl.exe upx \??\c:\tnhhnt.exe upx behavioral1/memory/1456-233-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\jdppd.exe upx behavioral1/memory/1456-241-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\rxxfxrl.exe upx behavioral1/memory/1016-252-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\nhbnnh.exe upx C:\vjvjj.exe upx behavioral1/memory/1648-268-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\7xrffll.exe upx C:\rxlxrlf.exe upx -
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\a1b174eee27b1da19240e54c5199d2f0_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\a1b174eee27b1da19240e54c5199d2f0_NeikiAnalytics.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1956 -
\??\c:\nnbthh.exec:\nnbthh.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1840 -
\??\c:\ttnnhn.exec:\ttnnhn.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2712 -
\??\c:\ppvjd.exec:\ppvjd.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2588 -
\??\c:\9fxxfxx.exec:\9fxxfxx.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2592 -
\??\c:\7ntnbt.exec:\7ntnbt.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1964 -
\??\c:\dvddv.exec:\dvddv.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2688 -
\??\c:\xfrxfrf.exec:\xfrxfrf.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2568 -
\??\c:\frlflfl.exec:\frlflfl.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2412 -
\??\c:\thhnhn.exec:\thhnhn.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2868 -
\??\c:\vpvpd.exec:\vpvpd.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:112 -
\??\c:\llflxlx.exec:\llflxlx.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2624 -
\??\c:\xffffrx.exec:\xffffrx.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2748 -
\??\c:\tnhbnt.exec:\tnhbnt.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1260 -
\??\c:\3dpdv.exec:\3dpdv.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:988 -
\??\c:\ppvdp.exec:\ppvdp.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:624 -
\??\c:\ffxflrx.exec:\ffxflrx.exe17⤵
- Executes dropped EXE
PID:2352 -
\??\c:\tbtttn.exec:\tbtttn.exe18⤵
- Executes dropped EXE
PID:1340 -
\??\c:\bnttnt.exec:\bnttnt.exe19⤵
- Executes dropped EXE
PID:2036 -
\??\c:\ddpdp.exec:\ddpdp.exe20⤵
- Executes dropped EXE
PID:2432 -
\??\c:\9xxfxlf.exec:\9xxfxlf.exe21⤵
- Executes dropped EXE
PID:1236 -
\??\c:\bhbhnh.exec:\bhbhnh.exe22⤵
- Executes dropped EXE
PID:1696 -
\??\c:\btnnnn.exec:\btnnnn.exe23⤵
- Executes dropped EXE
PID:2212 -
\??\c:\7vjpp.exec:\7vjpp.exe24⤵
- Executes dropped EXE
PID:680 -
\??\c:\5fxffff.exec:\5fxffff.exe25⤵
- Executes dropped EXE
PID:1392 -
\??\c:\fxxrxfl.exec:\fxxrxfl.exe26⤵
- Executes dropped EXE
PID:528 -
\??\c:\tnhhnt.exec:\tnhhnt.exe27⤵
- Executes dropped EXE
PID:1456 -
\??\c:\jdppd.exec:\jdppd.exe28⤵
- Executes dropped EXE
PID:1708 -
\??\c:\rxxfxrl.exec:\rxxfxrl.exe29⤵
- Executes dropped EXE
PID:1016 -
\??\c:\nhbnnh.exec:\nhbnnh.exe30⤵
- Executes dropped EXE
PID:1588 -
\??\c:\vjvjj.exec:\vjvjj.exe31⤵
- Executes dropped EXE
PID:1648 -
\??\c:\7xrffll.exec:\7xrffll.exe32⤵
- Executes dropped EXE
PID:1996 -
\??\c:\rxlxrlf.exec:\rxlxrlf.exe33⤵
- Executes dropped EXE
PID:2256 -
\??\c:\nbhnth.exec:\nbhnth.exe34⤵
- Executes dropped EXE
PID:2252 -
\??\c:\jdpjp.exec:\jdpjp.exe35⤵
- Executes dropped EXE
PID:1956 -
\??\c:\pdppp.exec:\pdppp.exe36⤵
- Executes dropped EXE
PID:1444 -
\??\c:\vvvdv.exec:\vvvdv.exe37⤵
- Executes dropped EXE
PID:1612 -
\??\c:\1frrrxf.exec:\1frrrxf.exe38⤵
- Executes dropped EXE
PID:2324 -
\??\c:\nhntbb.exec:\nhntbb.exe39⤵
- Executes dropped EXE
PID:2608 -
\??\c:\7jdpd.exec:\7jdpd.exe40⤵
- Executes dropped EXE
PID:2588 -
\??\c:\3vppv.exec:\3vppv.exe41⤵
- Executes dropped EXE
PID:2500 -
\??\c:\rfrflff.exec:\rfrflff.exe42⤵
- Executes dropped EXE
PID:2416 -
\??\c:\nhbbhh.exec:\nhbbhh.exe43⤵
- Executes dropped EXE
PID:2184 -
\??\c:\3tnbhn.exec:\3tnbhn.exe44⤵
- Executes dropped EXE
PID:2440 -
\??\c:\pjppp.exec:\pjppp.exe45⤵
- Executes dropped EXE
PID:2568 -
\??\c:\jvjjp.exec:\jvjjp.exe46⤵
- Executes dropped EXE
PID:2404 -
\??\c:\1frffff.exec:\1frffff.exe47⤵
- Executes dropped EXE
PID:2876 -
\??\c:\rlflxll.exec:\rlflxll.exe48⤵
- Executes dropped EXE
PID:2868 -
\??\c:\tnhbbh.exec:\tnhbbh.exe49⤵
- Executes dropped EXE
PID:2632 -
\??\c:\5vvdj.exec:\5vvdj.exe50⤵
- Executes dropped EXE
PID:2728 -
\??\c:\vvpvp.exec:\vvpvp.exe51⤵
- Executes dropped EXE
PID:844 -
\??\c:\ffxxxrx.exec:\ffxxxrx.exe52⤵
- Executes dropped EXE
PID:1760 -
\??\c:\xflffrr.exec:\xflffrr.exe53⤵
- Executes dropped EXE
PID:1620 -
\??\c:\btnnbb.exec:\btnnbb.exe54⤵
- Executes dropped EXE
PID:1576 -
\??\c:\5nhntt.exec:\5nhntt.exe55⤵
- Executes dropped EXE
PID:2276 -
\??\c:\tnttnn.exec:\tnttnn.exe56⤵
- Executes dropped EXE
PID:2904 -
\??\c:\dvddd.exec:\dvddd.exe57⤵
- Executes dropped EXE
PID:1348 -
\??\c:\xxlrrrr.exec:\xxlrrrr.exe58⤵
- Executes dropped EXE
PID:2016 -
\??\c:\fxfrflx.exec:\fxfrflx.exe59⤵
- Executes dropped EXE
PID:2892 -
\??\c:\nbnthh.exec:\nbnthh.exe60⤵
- Executes dropped EXE
PID:2492 -
\??\c:\1btbnh.exec:\1btbnh.exe61⤵
- Executes dropped EXE
PID:2432 -
\??\c:\vpjjj.exec:\vpjjj.exe62⤵
- Executes dropped EXE
PID:1896 -
\??\c:\ppjjp.exec:\ppjjp.exe63⤵
- Executes dropped EXE
PID:1900 -
\??\c:\xlffflr.exec:\xlffflr.exe64⤵
- Executes dropped EXE
PID:1732 -
\??\c:\xrlrxxf.exec:\xrlrxxf.exe65⤵
- Executes dropped EXE
PID:768 -
\??\c:\5xlffff.exec:\5xlffff.exe66⤵PID:1036
-
\??\c:\5nbnth.exec:\5nbnth.exe67⤵PID:1768
-
\??\c:\dvpjv.exec:\dvpjv.exe68⤵PID:1136
-
\??\c:\7jjjp.exec:\7jjjp.exe69⤵PID:956
-
\??\c:\3xlfxxf.exec:\3xlfxxf.exe70⤵PID:108
-
\??\c:\lrxrxrf.exec:\lrxrxrf.exe71⤵PID:788
-
\??\c:\htbbhb.exec:\htbbhb.exe72⤵PID:872
-
\??\c:\bnthnt.exec:\bnthnt.exe73⤵PID:2808
-
\??\c:\ddvpv.exec:\ddvpv.exe74⤵PID:1588
-
\??\c:\5dvdd.exec:\5dvdd.exe75⤵PID:1852
-
\??\c:\5flflfl.exec:\5flflfl.exe76⤵PID:2364
-
\??\c:\xrxrxxx.exec:\xrxrxxx.exe77⤵PID:876
-
\??\c:\thhnbt.exec:\thhnbt.exe78⤵PID:1856
-
\??\c:\nnhbhh.exec:\nnhbhh.exe79⤵PID:1628
-
\??\c:\pvvvv.exec:\pvvvv.exe80⤵PID:1516
-
\??\c:\dvjvv.exec:\dvjvv.exe81⤵PID:3032
-
\??\c:\3lxflfl.exec:\3lxflfl.exe82⤵PID:2984
-
\??\c:\tttthn.exec:\tttthn.exe83⤵PID:2548
-
\??\c:\thhbnn.exec:\thhbnn.exe84⤵PID:2660
-
\??\c:\vpdpp.exec:\vpdpp.exe85⤵PID:2556
-
\??\c:\ddjdd.exec:\ddjdd.exe86⤵PID:1964
-
\??\c:\rlxxffr.exec:\rlxxffr.exe87⤵PID:2684
-
\??\c:\7fxllrx.exec:\7fxllrx.exe88⤵PID:2700
-
\??\c:\1bthtb.exec:\1bthtb.exe89⤵PID:2948
-
\??\c:\1hntth.exec:\1hntth.exe90⤵PID:2412
-
\??\c:\pvddj.exec:\pvddj.exe91⤵PID:2872
-
\??\c:\7frrxfx.exec:\7frrxfx.exe92⤵PID:2636
-
\??\c:\xrrlfll.exec:\xrrlfll.exe93⤵PID:2648
-
\??\c:\tbhbtt.exec:\tbhbtt.exe94⤵PID:2640
-
\??\c:\htnbhn.exec:\htnbhn.exe95⤵PID:2740
-
\??\c:\ppddp.exec:\ppddp.exe96⤵PID:2748
-
\??\c:\lfxfffr.exec:\lfxfffr.exe97⤵PID:1532
-
\??\c:\lfrflxf.exec:\lfrflxf.exe98⤵PID:1596
-
\??\c:\bnhnbb.exec:\bnhnbb.exe99⤵PID:1004
-
\??\c:\nnhnhn.exec:\nnhnhn.exe100⤵PID:2276
-
\??\c:\9jpvv.exec:\9jpvv.exe101⤵PID:836
-
\??\c:\xrllxfr.exec:\xrllxfr.exe102⤵PID:1096
-
\??\c:\rllflll.exec:\rllflll.exe103⤵PID:2040
-
\??\c:\1hhbnt.exec:\1hhbnt.exe104⤵PID:2220
-
\??\c:\hhnnnh.exec:\hhnnnh.exe105⤵PID:2236
-
\??\c:\pvdvp.exec:\pvdvp.exe106⤵PID:2432
-
\??\c:\llfrfrx.exec:\llfrfrx.exe107⤵PID:1896
-
\??\c:\9xlxflx.exec:\9xlxflx.exe108⤵PID:2216
-
\??\c:\7ntnhn.exec:\7ntnhn.exe109⤵PID:1056
-
\??\c:\nbhttt.exec:\nbhttt.exe110⤵PID:2788
-
\??\c:\jjvdv.exec:\jjvdv.exe111⤵PID:1392
-
\??\c:\vvvpd.exec:\vvvpd.exe112⤵PID:1388
-
\??\c:\3lfrrrx.exec:\3lfrrrx.exe113⤵PID:304
-
\??\c:\ttnhtb.exec:\ttnhtb.exe114⤵PID:1280
-
\??\c:\3tntbh.exec:\3tntbh.exe115⤵PID:1456
-
\??\c:\jvppj.exec:\jvppj.exe116⤵PID:1844
-
\??\c:\9ddvp.exec:\9ddvp.exe117⤵PID:3040
-
\??\c:\flrrfll.exec:\flrrfll.exe118⤵PID:1668
-
\??\c:\fllrflx.exec:\fllrflx.exe119⤵PID:1648
-
\??\c:\5vjpd.exec:\5vjpd.exe120⤵PID:1644
-
\??\c:\ddvjj.exec:\ddvjj.exe121⤵PID:2364
-
\??\c:\rlflxlf.exec:\rlflxlf.exe122⤵PID:1728
-
\??\c:\bbntnn.exec:\bbntnn.exe123⤵PID:2060
-
\??\c:\btthtt.exec:\btthtt.exe124⤵PID:1500
-
\??\c:\1jddd.exec:\1jddd.exe125⤵PID:1608
-
\??\c:\jjpdd.exec:\jjpdd.exe126⤵PID:2536
-
\??\c:\fxrxflx.exec:\fxrxflx.exe127⤵PID:2668
-
\??\c:\xrllrll.exec:\xrllrll.exe128⤵PID:2600
-
\??\c:\hhhbht.exec:\hhhbht.exe129⤵PID:2504
-
\??\c:\vpvvd.exec:\vpvvd.exe130⤵PID:2592
-
\??\c:\7pddp.exec:\7pddp.exe131⤵PID:1964
-
\??\c:\rrlrrrf.exec:\rrlrrrf.exe132⤵PID:2184
-
\??\c:\bbnbbb.exec:\bbnbbb.exe133⤵PID:2472
-
\??\c:\ttntbn.exec:\ttntbn.exe134⤵PID:2424
-
\??\c:\vdppv.exec:\vdppv.exe135⤵PID:2864
-
\??\c:\frxrfrx.exec:\frxrfrx.exe136⤵PID:2464
-
\??\c:\7rrrflx.exec:\7rrrflx.exe137⤵PID:112
-
\??\c:\ffxrfrf.exec:\ffxrfrf.exe138⤵PID:2852
-
\??\c:\nnbhnt.exec:\nnbhnt.exe139⤵PID:2732
-
\??\c:\ppdpj.exec:\ppdpj.exe140⤵PID:2844
-
\??\c:\pvjvj.exec:\pvjvj.exe141⤵PID:2272
-
\??\c:\rlxlxlf.exec:\rlxlxlf.exe142⤵PID:1760
-
\??\c:\9frxfxl.exec:\9frxfxl.exe143⤵PID:2340
-
\??\c:\nbhbnb.exec:\nbhbnb.exe144⤵PID:2304
-
\??\c:\nbhnbb.exec:\nbhnbb.exe145⤵PID:1252
-
\??\c:\jjppd.exec:\jjppd.exe146⤵PID:1560
-
\??\c:\lfffxrr.exec:\lfffxrr.exe147⤵PID:2024
-
\??\c:\1fxxrfx.exec:\1fxxrfx.exe148⤵PID:2172
-
\??\c:\tnnthh.exec:\tnnthh.exe149⤵PID:1672
-
\??\c:\hbnhnt.exec:\hbnhnt.exe150⤵PID:1892
-
\??\c:\vjdjv.exec:\vjdjv.exe151⤵PID:2208
-
\??\c:\xffffff.exec:\xffffff.exe152⤵PID:480
-
\??\c:\rrfllrf.exec:\rrfllrf.exe153⤵PID:536
-
\??\c:\tbtbht.exec:\tbtbht.exe154⤵PID:668
-
\??\c:\9dvvd.exec:\9dvvd.exe155⤵PID:2788
-
\??\c:\5pdvj.exec:\5pdvj.exe156⤵PID:1692
-
\??\c:\7lfffff.exec:\7lfffff.exe157⤵PID:792
-
\??\c:\1lrxfff.exec:\1lrxfff.exe158⤵PID:1888
-
\??\c:\hbhnbh.exec:\hbhnbh.exe159⤵PID:956
-
\??\c:\3pjjv.exec:\3pjjv.exe160⤵PID:1460
-
\??\c:\pjvjv.exec:\pjvjv.exe161⤵PID:3020
-
\??\c:\1frllrr.exec:\1frllrr.exe162⤵PID:2128
-
\??\c:\tnbntt.exec:\tnbntt.exe163⤵PID:2196
-
\??\c:\9tnbnn.exec:\9tnbnn.exe164⤵PID:2168
-
\??\c:\dpdpv.exec:\dpdpv.exe165⤵PID:2256
-
\??\c:\pvppd.exec:\pvppd.exe166⤵PID:1416
-
\??\c:\9fllllr.exec:\9fllllr.exe167⤵PID:2068
-
\??\c:\nbttbb.exec:\nbttbb.exe168⤵PID:1628
-
\??\c:\bntbnn.exec:\bntbnn.exe169⤵PID:2716
-
\??\c:\jdvvv.exec:\jdvvv.exe170⤵PID:1608
-
\??\c:\jpjjj.exec:\jpjjj.exe171⤵PID:2536
-
\??\c:\rrxrfrx.exec:\rrxrfrx.exe172⤵PID:2668
-
\??\c:\bbtthb.exec:\bbtthb.exe173⤵PID:2600
-
\??\c:\hbnhtn.exec:\hbnhtn.exe174⤵PID:2428
-
\??\c:\pvvjv.exec:\pvvjv.exe175⤵PID:2152
-
\??\c:\vpvvd.exec:\vpvvd.exe176⤵PID:2564
-
\??\c:\jjpjp.exec:\jjpjp.exe177⤵PID:2392
-
\??\c:\lxlxxlf.exec:\lxlxxlf.exe178⤵PID:2700
-
\??\c:\jpdpj.exec:\jpdpj.exe179⤵PID:2388
-
\??\c:\7jjpp.exec:\7jjpp.exe180⤵PID:2580
-
\??\c:\fxrxflf.exec:\fxrxflf.exe181⤵PID:2868
-
\??\c:\nhbhbh.exec:\nhbhbh.exe182⤵PID:1740
-
\??\c:\ddvdv.exec:\ddvdv.exe183⤵PID:2724
-
\??\c:\dvdpv.exec:\dvdpv.exe184⤵PID:1248
-
\??\c:\1xlrfrf.exec:\1xlrfrf.exe185⤵PID:2844
-
\??\c:\1thnhn.exec:\1thnhn.exe186⤵PID:1568
-
\??\c:\9ttthb.exec:\9ttthb.exe187⤵PID:1620
-
\??\c:\lfrrxlx.exec:\lfrrxlx.exe188⤵PID:2340
-
\??\c:\thtntb.exec:\thtntb.exe189⤵PID:2044
-
\??\c:\jjdpj.exec:\jjdpj.exe190⤵PID:2028
-
\??\c:\pvdvv.exec:\pvdvv.exe191⤵PID:1908
-
\??\c:\ffrxlrf.exec:\ffrxlrf.exe192⤵PID:2024
-
\??\c:\5xfrfxf.exec:\5xfrfxf.exe193⤵PID:2220
-
\??\c:\tbbbtb.exec:\tbbbtb.exe194⤵PID:2236
-
\??\c:\hhbnbh.exec:\hhbnbh.exe195⤵PID:1892
-
\??\c:\vvvjv.exec:\vvvjv.exe196⤵PID:1896
-
\??\c:\pjjpv.exec:\pjjpv.exe197⤵PID:2372
-
\??\c:\xfllrlf.exec:\xfllrlf.exe198⤵PID:336
-
\??\c:\ttbbtn.exec:\ttbbtn.exe199⤵PID:668
-
\??\c:\bnnthn.exec:\bnnthn.exe200⤵PID:2788
-
\??\c:\djdvp.exec:\djdvp.exe201⤵PID:808
-
\??\c:\7vpdj.exec:\7vpdj.exe202⤵PID:792
-
\??\c:\rlrxffl.exec:\rlrxffl.exe203⤵PID:924
-
\??\c:\rrlxlfl.exec:\rrlxlfl.exe204⤵PID:1280
-
\??\c:\htbnhh.exec:\htbnhh.exe205⤵PID:1460
-
\??\c:\nnntth.exec:\nnntth.exe206⤵PID:3020
-
\??\c:\dvddp.exec:\dvddp.exe207⤵PID:2128
-
\??\c:\7vpdp.exec:\7vpdp.exe208⤵PID:1684
-
\??\c:\llfrlxr.exec:\llfrlxr.exe209⤵PID:1648
-
\??\c:\rfrfrrf.exec:\rfrfrrf.exe210⤵PID:1852
-
\??\c:\rrxlrfr.exec:\rrxlrfr.exe211⤵PID:1652
-
\??\c:\1nntbn.exec:\1nntbn.exe212⤵PID:1956
-
\??\c:\pjjjv.exec:\pjjjv.exe213⤵PID:1856
-
\??\c:\3jjvj.exec:\3jjvj.exe214⤵PID:3032
-
\??\c:\rllxrxl.exec:\rllxrxl.exe215⤵PID:2192
-
\??\c:\lrlrxxl.exec:\lrlrxxl.exe216⤵PID:2772
-
\??\c:\nhhnth.exec:\nhhnth.exe217⤵PID:2768
-
\??\c:\tnbnhn.exec:\tnbnhn.exe218⤵PID:2720
-
\??\c:\hbnbtt.exec:\hbnbtt.exe219⤵PID:2592
-
\??\c:\pjvvv.exec:\pjvvv.exe220⤵PID:2500
-
\??\c:\fffrrfr.exec:\fffrrfr.exe221⤵PID:2440
-
\??\c:\5rlxlll.exec:\5rlxlll.exe222⤵PID:2084
-
\??\c:\ntnbtb.exec:\ntnbtb.exe223⤵PID:2568
-
\??\c:\5thhbn.exec:\5thhbn.exe224⤵PID:2876
-
\??\c:\1vjjv.exec:\1vjjv.exe225⤵PID:1952
-
\??\c:\jdjdj.exec:\jdjdj.exe226⤵PID:1548
-
\??\c:\9dvvp.exec:\9dvvp.exe227⤵PID:1884
-
\??\c:\7lxllrf.exec:\7lxllrf.exe228⤵PID:2728
-
\??\c:\1lrfrrf.exec:\1lrfrrf.exe229⤵PID:1552
-
\??\c:\nhtbnn.exec:\nhtbnn.exe230⤵PID:1260
-
\??\c:\bbbhhn.exec:\bbbhhn.exe231⤵PID:1572
-
\??\c:\pvppp.exec:\pvppp.exe232⤵PID:988
-
\??\c:\3vdpj.exec:\3vdpj.exe233⤵PID:1636
-
\??\c:\9ffrxlx.exec:\9ffrxlx.exe234⤵PID:1620
-
\??\c:\xlxfxxf.exec:\xlxfxxf.exe235⤵PID:2340
-
\??\c:\nnhbtn.exec:\nnhbtn.exe236⤵PID:2276
-
\??\c:\nhnhhb.exec:\nhnhhb.exe237⤵PID:2008
-
\??\c:\ddpdv.exec:\ddpdv.exe238⤵PID:2916
-
\??\c:\vpjpd.exec:\vpjpd.exe239⤵PID:2004
-
\??\c:\7xrxffl.exec:\7xrxffl.exe240⤵PID:1672
-
\??\c:\xrlfrfl.exec:\xrlfrfl.exe241⤵PID:1984
-
\??\c:\nnhhtb.exec:\nnhhtb.exe242⤵PID:1508