Analysis
max time kernel: 150s
max time network: 119s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 18-05-2024 06:25
Behavioral task: behavioral1
Sample: a28f8b1b77c473d40cbd24126057c790_NeikiAnalytics.exe
Resource: win7-20240221-en (windows7-x64)
5 signatures
150 seconds
General
Target: a28f8b1b77c473d40cbd24126057c790_NeikiAnalytics.exe
Size: 401KB
MD5: a28f8b1b77c473d40cbd24126057c790
SHA1: ddebcc4087b10b9f22dd66b0ab8e50f634342725
SHA256: 84e5f90c2df0a0a9672eeeeae569ecd3a1e4e86089917a65dc9ca78bbc7738a9
SHA512: 837f8d665ffd28d06efd75df6cb17672e68c93ecbed5d80b1dea45ec9b55628e9fd44579a0e22e285a323440161cace55ce4d84abf9ee43844c2ee23de9078f3
SSDEEP: 6144:kcm4FmowdHoSph3Ymu8wdHoSM05d34iWRbzami3e:y4wFHoS3zuxHoSTd34iWRhiu
Malware Config
Signatures
-
Detect Blackmoon payload 39 IoCs
Executes dropped EXE 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
C:\Users\Admin\AppData\Local\Temp\a28f8b1b77c473d40cbd24126057c790_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\a28f8b1b77c473d40cbd24126057c790_NeikiAnalytics.exe"
- Suspicious use of WriteProcessMemory
PID: 2240