Analysis
max time kernel: 138s
max time network: 113s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240426-en locale:en-us os:windows10-2004-x64 system
submitted: 18-05-2024 06:27
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
a2e6e46097ab26e58862d3cfb836f4f0_NeikiAnalytics.exe
Resource
win7-20240221-en
windows7-x64
5 signatures
150 seconds
General
Target: a2e6e46097ab26e58862d3cfb836f4f0_NeikiAnalytics.exe
Size: 394KB
MD5: a2e6e46097ab26e58862d3cfb836f4f0
SHA1: 62f1226a3e5574a369b298bb3495a85e2b3a0755
SHA256: 3ca482c4b8b0e279797aaaacb8fcb98c70c30c4007c7112d5389b95fd634c044
SHA512: 1a4a9460f217b4199353804277ba92992711c80654ed174befeeac4d4a9ae7c08b720cdf920bdbee8adfb3d71085d83569a3a7bdd0debd01696b36919bc057f9
SSDEEP: 6144:n3C9BRo7tvnJ9oH0IRgZvjkobjcSbcY+CaQdaFOY4iGFYtRdu/6:n3C9ytvngQjZbz+xt4vFBy
Malware Config
Signatures
-
Detect Blackmoon payload 27 IoCs
Processes:
Executes dropped EXE 64 IoCs
Processes:
Processes:
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
Processes