Analysis
- max time kernel: 150s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 18-05-2024 06:25
Static task
- static1: 1 signatures
Behavioral task
- behavioral1
- Sample: a29c23a7c7fdaab16e175c63399c94c0_NeikiAnalytics.exe
- Resource: win7-20240221-en (windows7-x64)
- 5 signatures
- 150 seconds
General
- Target: a29c23a7c7fdaab16e175c63399c94c0_NeikiAnalytics.exe
- Size: 344KB
- MD5: a29c23a7c7fdaab16e175c63399c94c0
- SHA1: 56e634fc66647bc5ad00205818bccf0544bc0f3c
- SHA256: 919b2a29aefdb252232ba8e98f46e795e881740c467da9f1d4d4553d643e29a6
- SHA512: 7f992f7d59ca89b070c2c7513cf3faa484623f1d6b3c4a8fd871bb941ea68875703250fd463baf5f0a9d5c9948e725268cced12930e48de3e515eb768da7afa1
- SSDEEP: 6144:n3C9BRo/AIX2MUXownfWQkyCpxwJz9e0pQowLh3EhToK9cT085mnFhXjmnwJQyIq:n3C9uDnUXoSWlnwJv90aKToFqwfIBc
Malware Config
Signatures
-
Detect Blackmoon payload 32 IoCs
Executes dropped EXE 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-