Analysis

max time kernel: 149s
max time network: 121s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 18-05-2024 06:28

Static task: static1 (1 signatures)
Behavioral task: behavioral1
  Sample: a315d467fec6f3537a0b07a398a5dc40_NeikiAnalytics.exe
  Resource: win7-20240221-en (windows7-x64), 5 signatures, 150 seconds

The signatures and process tree below belong to task behavioral2, the windows10-2004_x64 run described by the platform and resource fields above (every memory dump is named behavioral2/...); the behavioral1 results are not included on this page.
General

Target: a315d467fec6f3537a0b07a398a5dc40_NeikiAnalytics.exe
Size: 60KB
MD5: a315d467fec6f3537a0b07a398a5dc40
SHA1: 3ff68464903417573cefe9c1ceeccfb8350b0201
SHA256: d65dfe42077ca86e6ac17a8a0adf488b754c36331e9a431eae98cede8f90447d
SHA512: d3e78041e972de5d1611de29296f85679e5a6bee003fc5037cc2fee45aa9089f16ec47f31a65c0b7e6613fa840453a9b34bbde194004917c9db0332d31f027df
SSDEEP: 1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDIvuzk9UWd:ymb3NkkiQ3mdBjFIvlq2
Malware Config
Signatures

Detect Blackmoon payload (24 IoCs)
Processes: memory dumps in which yara_rule family_blackmoon matched (dump names are <pid>-<index>-<start>-<end>-memory.dmp; every hit covers the same 0x400000-0x429000 region)
behavioral2/memory/1800-8-0x0000000000400000-0x0000000000429000-memory.dmp
behavioral2/memory/4644-12-0x0000000000400000-0x0000000000429000-memory.dmp
behavioral2/memory/2188-19-0x0000000000400000-0x0000000000429000-memory.dmp
behavioral2/memory/8-26-0x0000000000400000-0x0000000000429000-memory.dmp
behavioral2/memory/4380-33-0x0000000000400000-0x0000000000429000-memory.dmp
behavioral2/memory/412-39-0x0000000000400000-0x0000000000429000-memory.dmp
behavioral2/memory/2676-47-0x0000000000400000-0x0000000000429000-memory.dmp
behavioral2/memory/2876-55-0x0000000000400000-0x0000000000429000-memory.dmp
behavioral2/memory/1368-62-0x0000000000400000-0x0000000000429000-memory.dmp
behavioral2/memory/464-69-0x0000000000400000-0x0000000000429000-memory.dmp
behavioral2/memory/1844-84-0x0000000000400000-0x0000000000429000-memory.dmp
behavioral2/memory/2572-90-0x0000000000400000-0x0000000000429000-memory.dmp
behavioral2/memory/2892-114-0x0000000000400000-0x0000000000429000-memory.dmp
behavioral2/memory/3188-121-0x0000000000400000-0x0000000000429000-memory.dmp
behavioral2/memory/4524-131-0x0000000000400000-0x0000000000429000-memory.dmp
behavioral2/memory/5092-138-0x0000000000400000-0x0000000000429000-memory.dmp
behavioral2/memory/884-144-0x0000000000400000-0x0000000000429000-memory.dmp
behavioral2/memory/2368-150-0x0000000000400000-0x0000000000429000-memory.dmp
behavioral2/memory/1796-161-0x0000000000400000-0x0000000000429000-memory.dmp
behavioral2/memory/1996-167-0x0000000000400000-0x0000000000429000-memory.dmp
behavioral2/memory/4364-180-0x0000000000400000-0x0000000000429000-memory.dmp
behavioral2/memory/3232-186-0x0000000000400000-0x0000000000429000-memory.dmp
behavioral2/memory/3892-196-0x0000000000400000-0x0000000000429000-memory.dmp
behavioral2/memory/1824-204-0x0000000000400000-0x0000000000429000-memory.dmp
Executes dropped EXE (64 IoCs)
Processes (PID, process; the list is capped at 64 entries, so it ends at depth 65 of the process tree below):
4644 llxllff.exe
2188 xrrlxrl.exe
8 tntnnh.exe
4380 jdjvp.exe
412 nhhthh.exe
2676 nbhthb.exe
2876 vjdpj.exe
1368 flxrlfr.exe
464 ttnhtt.exe
2424 tthtnt.exe
1844 jdjjp.exe
2572 lxfxlfx.exe
60 nnhbbt.exe
4552 1pdpd.exe
4464 vpjpj.exe
2892 5llfxrl.exe
3188 tttnbb.exe
3596 jdjvv.exe
4524 ffxrllf.exe
5092 rlrrrrx.exe
884 jpppj.exe
2368 vjjjv.exe
1508 5fxrfff.exe
1796 3tbbtt.exe
1996 bttnhb.exe
2692 vvddj.exe
4364 lxrlxrr.exe
3232 bnbbhh.exe
3892 pvdpd.exe
3556 ppvdv.exe
1824 1lllfff.exe
4168 hbnhbb.exe
4856 pddvv.exe
4140 fxlxflx.exe
4788 fxlrllx.exe
4068 nhnnhn.exe
2124 djpdd.exe
556 xfxrffx.exe
4396 lrrllfx.exe
4988 ntbtnh.exe
5024 dpdvd.exe
1852 9rlrffx.exe
1096 hhtnht.exe
8 bttnhb.exe
2536 dpjvp.exe
412 flrrfff.exe
3560 fxffxff.exe
1528 htttnn.exe
4984 nhbtnh.exe
404 jdjdd.exe
3680 xflfrrf.exe
3520 nhnnnn.exe
1296 ttnhbb.exe
3216 xflfrll.exe
1416 frxfxxx.exe
4504 tthhbb.exe
1248 1dpjd.exe
4188 vjvpd.exe
868 rllrxxf.exe
2524 nbhhhb.exe
4744 tbhbnh.exe
1232 jpjpj.exe
2172 xlrlxxx.exe
1272 nthbbt.exe
UPX packer signature (yara_rule upx, 26 IoCs)
Processes: memory dumps in which yara_rule upx matched (the same 0x400000-0x429000 region as the Blackmoon hits, so the payload in every process is the same UPX-packed image; the dump 1800-3 is the initial sample before it spawned anything)
behavioral2/memory/1800-3-0x0000000000400000-0x0000000000429000-memory.dmp
behavioral2/memory/1800-8-0x0000000000400000-0x0000000000429000-memory.dmp
behavioral2/memory/4644-12-0x0000000000400000-0x0000000000429000-memory.dmp
behavioral2/memory/2188-19-0x0000000000400000-0x0000000000429000-memory.dmp
behavioral2/memory/8-26-0x0000000000400000-0x0000000000429000-memory.dmp
behavioral2/memory/4380-33-0x0000000000400000-0x0000000000429000-memory.dmp
behavioral2/memory/412-39-0x0000000000400000-0x0000000000429000-memory.dmp
behavioral2/memory/2676-46-0x0000000000400000-0x0000000000429000-memory.dmp
behavioral2/memory/2676-47-0x0000000000400000-0x0000000000429000-memory.dmp
behavioral2/memory/2876-55-0x0000000000400000-0x0000000000429000-memory.dmp
behavioral2/memory/1368-62-0x0000000000400000-0x0000000000429000-memory.dmp
behavioral2/memory/464-69-0x0000000000400000-0x0000000000429000-memory.dmp
behavioral2/memory/1844-84-0x0000000000400000-0x0000000000429000-memory.dmp
behavioral2/memory/2572-90-0x0000000000400000-0x0000000000429000-memory.dmp
behavioral2/memory/2892-114-0x0000000000400000-0x0000000000429000-memory.dmp
behavioral2/memory/3188-121-0x0000000000400000-0x0000000000429000-memory.dmp
behavioral2/memory/4524-131-0x0000000000400000-0x0000000000429000-memory.dmp
behavioral2/memory/5092-138-0x0000000000400000-0x0000000000429000-memory.dmp
behavioral2/memory/884-144-0x0000000000400000-0x0000000000429000-memory.dmp
behavioral2/memory/2368-150-0x0000000000400000-0x0000000000429000-memory.dmp
behavioral2/memory/1796-161-0x0000000000400000-0x0000000000429000-memory.dmp
behavioral2/memory/1996-167-0x0000000000400000-0x0000000000429000-memory.dmp
behavioral2/memory/4364-180-0x0000000000400000-0x0000000000429000-memory.dmp
behavioral2/memory/3232-186-0x0000000000400000-0x0000000000429000-memory.dmp
behavioral2/memory/3892-196-0x0000000000400000-0x0000000000429000-memory.dmp
behavioral2/memory/1824-204-0x0000000000400000-0x0000000000429000-memory.dmp
Suspicious use of WriteProcessMemory (64 IoCs)
Processes: each spawn in the chain is recorded as three identical writes by the parent into its new child. The list is capped at 64 entries (21 spawns x 3 writes + 1), so it is cut off at the 22nd spawn; the process tree below shows the chain continuing.
PID 1800 (a315d467fec6f3537a0b07a398a5dc40_NeikiAnalytics.exe) wrote to memory of PID 4644 (llxllff.exe), 3 writes
PID 4644 (llxllff.exe) wrote to memory of PID 2188 (xrrlxrl.exe), 3 writes
PID 2188 (xrrlxrl.exe) wrote to memory of PID 8 (tntnnh.exe), 3 writes
PID 8 (tntnnh.exe) wrote to memory of PID 4380 (jdjvp.exe), 3 writes
PID 4380 (jdjvp.exe) wrote to memory of PID 412 (nhhthh.exe), 3 writes
PID 412 (nhhthh.exe) wrote to memory of PID 2676 (nbhthb.exe), 3 writes
PID 2676 (nbhthb.exe) wrote to memory of PID 2876 (vjdpj.exe), 3 writes
PID 2876 (vjdpj.exe) wrote to memory of PID 1368 (flxrlfr.exe), 3 writes
PID 1368 (flxrlfr.exe) wrote to memory of PID 464 (ttnhtt.exe), 3 writes
PID 464 (ttnhtt.exe) wrote to memory of PID 2424 (tthtnt.exe), 3 writes
PID 2424 (tthtnt.exe) wrote to memory of PID 1844 (jdjjp.exe), 3 writes
PID 1844 (jdjjp.exe) wrote to memory of PID 2572 (lxfxlfx.exe), 3 writes
PID 2572 (lxfxlfx.exe) wrote to memory of PID 60 (nnhbbt.exe), 3 writes
PID 60 (nnhbbt.exe) wrote to memory of PID 4552 (1pdpd.exe), 3 writes
PID 4552 (1pdpd.exe) wrote to memory of PID 4464 (vpjpj.exe), 3 writes
PID 4464 (vpjpj.exe) wrote to memory of PID 2892 (5llfxrl.exe), 3 writes
PID 2892 (5llfxrl.exe) wrote to memory of PID 3188 (tttnbb.exe), 3 writes
PID 3188 (tttnbb.exe) wrote to memory of PID 3596 (jdjvv.exe), 3 writes
PID 3596 (jdjvv.exe) wrote to memory of PID 4524 (ffxrllf.exe), 3 writes
PID 4524 (ffxrllf.exe) wrote to memory of PID 5092 (rlrrrrx.exe), 3 writes
PID 5092 (rlrrrrx.exe) wrote to memory of PID 884 (jpppj.exe), 3 writes
PID 884 (jpppj.exe) wrote to memory of PID 2368 (vjjjv.exe), 1 write listed (cut off by the 64-entry cap)
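The three signature lists above are dumped as run-together text. The Python below is an added example written for this page (it is not part of the report or of any sandbox tooling): it parses a constructed excerpt copied from those lists, rebuilds the parent-to-child spawn chain from the WriteProcessMemory entries while collapsing the three identical writes per spawn, and checks that every YARA memory hit covers one and the same virtual address range, 0x400000-0x429000, which is what you expect when every process in the chain is a copy of the same packed image. The regular expressions and function names are the example's own.

```python
import re
from collections import Counter

# Constructed sample input (copied from the report above): the first four
# spawns of the "Suspicious use of WriteProcessMemory" list in the
# run-together form the page shows them.  Each spawn is recorded three times.
WPM_TEXT = (
    "PID 1800 wrote to memory of 4644 1800 "
    "a315d467fec6f3537a0b07a398a5dc40_NeikiAnalytics.exe llxllff.exe " * 3
    + "PID 4644 wrote to memory of 2188 4644 llxllff.exe xrrlxrl.exe " * 3
    + "PID 2188 wrote to memory of 8 2188 xrrlxrl.exe tntnnh.exe " * 3
    + "PID 8 wrote to memory of 4380 8 tntnnh.exe jdjvp.exe " * 3
)

# Constructed sample input: a few YARA hits copied from both rule lists above.
YARA_TEXT = (
    "behavioral2/memory/1800-3-0x0000000000400000-0x0000000000429000-memory.dmp upx "
    "behavioral2/memory/1800-8-0x0000000000400000-0x0000000000429000-memory.dmp upx "
    "behavioral2/memory/1800-8-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon "
    "behavioral2/memory/4644-12-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon "
    "behavioral2/memory/2188-19-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon "
    "behavioral2/memory/8-26-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon "
    "behavioral2/memory/4380-33-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon "
)

# "PID <p> wrote to memory of <c> <p> <parent image> <child image>"
WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) (\S+)")
# "<task>/memory/<pid>-<index>-0x<start>-0x<end>-memory.dmp <rule>"
DUMP_RE = re.compile(
    r"behavioral\d+/memory/(\d+)-(\d+)-0x([0-9a-fA-F]+)-0x([0-9a-fA-F]+)-memory\.dmp (\w+)"
)


def parse_wpm(text):
    """Map (parent_pid, parent_image, child_pid, child_image) -> number of
    writes listed.  Identical entries are collapsed into the count."""
    edges = Counter()
    for ppid, cpid, pimg, cimg in WPM_RE.findall(text):
        edges[(int(ppid), pimg, int(cpid), cimg)] += 1
    return edges


def spawn_chain(edges):
    """Follow the unique parent->child edges from the root process.

    Returns [(pid, image), ...] in spawn order.  The report shows a strictly
    linear chain, so a parent with two children or more than one root means
    the text was parsed wrongly.  Caveat: this keys on PID alone, which is
    only safe because the 64-entry list ends before any PID is recycled.
    """
    images, children, parents = {}, {}, {}
    for ppid, pimg, cpid, cimg in edges:
        if ppid in children:
            raise ValueError(f"PID {ppid} has more than one child")
        children[ppid] = cpid
        parents[cpid] = ppid
        images[ppid], images[cpid] = pimg, cimg
    roots = [p for p in children if p not in parents]
    if len(roots) != 1:
        raise ValueError(f"expected a single root, found {roots}")
    pid = roots[0]
    chain = [(pid, images[pid])]
    while pid in children:
        pid = children[pid]
        chain.append((pid, images[pid]))
    return chain


def parse_dump_hits(text):
    """Return [(pid, dump_index, start, end, rule), ...] for each YARA hit on
    a memory dump named <pid>-<index>-<start>-<end>-memory.dmp."""
    return [
        (int(pid), int(idx), int(start, 16), int(end, 16), rule)
        for pid, idx, start, end, rule in DUMP_RE.findall(text)
    ]


def hit_regions(hits):
    """Distinct (start, end) ranges over all hits.  A single element means the
    payload sat at the same base and size in every dumped process."""
    return {(start, end) for _, _, start, end, _ in hits}


def pids_by_rule(hits):
    """Set of PIDs each YARA rule matched in."""
    out = {}
    for pid, _, _, _, rule in hits:
        out.setdefault(rule, set()).add(pid)
    return out


if __name__ == "__main__":
    chain = spawn_chain(parse_wpm(WPM_TEXT))
    print(" -> ".join(f"{img}[{pid}]" for pid, img in chain))
    hits = parse_dump_hits(YARA_TEXT)
    for start, end in hit_regions(hits):
        print(f"payload region 0x{start:x}-0x{end:x} ({end - start} bytes)")
    missing = pids_by_rule(hits)["family_blackmoon"] - {pid for pid, _ in chain}
    print("Blackmoon PIDs outside the spawn chain:", missing or "none")
```

Run on the full lists, `spawn_chain` yields the 22 processes the WriteProcessMemory signature covers, and `hit_regions` stays a single element, 0x400000-0x429000 (0x29000 bytes), for all 50 hits. The `pids_by_rule` cross-check is the one to keep in mind when triaging similar reports: a Blackmoon PID that is absent from the spawn chain would point at an injection target rather than a dropped copy.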
Processes

Process tree from task behavioral2. Every entry is the child of the entry above it (the leading number is the depth in the chain), so the sample spawns one dropped executable, which spawns the next, 241 times. Each dropped process is recorded with image path \??\c:\<name>.exe (the NT-namespace form of the path) and command line c:\<name>.exe; the command line is what is shown below.
Signature tags: E = Executes dropped EXE, W = Suspicious use of WriteProcessMemory. The tags stop at depth 22 (W) and depth 65 (E), which matches the 64-IoC cap on each signature list above rather than any change in behaviour; processes from depth 66 on are listed with their PID only.
PIDs are recycled as earlier processes in the chain exit: for example PID 8 appears at depths 4 and 45, PID 412 at 6 and 47, PID 2188 at 3, 128 and 166, and PID 4380 at 5, 91 and 204. Correlate on more than the PID when matching these entries against the memory dumps above (the dump names carry a running index after the PID for that reason).

  1  PID 1800  "C:\Users\Admin\AppData\Local\Temp\a315d467fec6f3537a0b07a398a5dc40_NeikiAnalytics.exe"  [W]
  2  PID 4644  c:\llxllff.exe  [E, W]
  3  PID 2188  c:\xrrlxrl.exe  [E, W]
  4  PID 8  c:\tntnnh.exe  [E, W]
  5  PID 4380  c:\jdjvp.exe  [E, W]
  6  PID 412  c:\nhhthh.exe  [E, W]
  7  PID 2676  c:\nbhthb.exe  [E, W]
  8  PID 2876  c:\vjdpj.exe  [E, W]
  9  PID 1368  c:\flxrlfr.exe  [E, W]
 10  PID 464  c:\ttnhtt.exe  [E, W]
 11  PID 2424  c:\tthtnt.exe  [E, W]
 12  PID 1844  c:\jdjjp.exe  [E, W]
 13  PID 2572  c:\lxfxlfx.exe  [E, W]
 14  PID 60  c:\nnhbbt.exe  [E, W]
 15  PID 4552  c:\1pdpd.exe  [E, W]
 16  PID 4464  c:\vpjpj.exe  [E, W]
 17  PID 2892  c:\5llfxrl.exe  [E, W]
 18  PID 3188  c:\tttnbb.exe  [E, W]
 19  PID 3596  c:\jdjvv.exe  [E, W]
 20  PID 4524  c:\ffxrllf.exe  [E, W]
 21  PID 5092  c:\rlrrrrx.exe  [E, W]
 22  PID 884  c:\jpppj.exe  [E, W]
 23  PID 2368  c:\vjjjv.exe  [E]
 24  PID 1508  c:\5fxrfff.exe  [E]
 25  PID 1796  c:\3tbbtt.exe  [E]
 26  PID 1996  c:\bttnhb.exe  [E]
 27  PID 2692  c:\vvddj.exe  [E]
 28  PID 4364  c:\lxrlxrr.exe  [E]
 29  PID 3232  c:\bnbbhh.exe  [E]
 30  PID 3892  c:\pvdpd.exe  [E]
 31  PID 3556  c:\ppvdv.exe  [E]
 32  PID 1824  c:\1lllfff.exe  [E]
 33  PID 4168  c:\hbnhbb.exe  [E]
 34  PID 4856  c:\pddvv.exe  [E]
 35  PID 4140  c:\fxlxflx.exe  [E]
 36  PID 4788  c:\fxlrllx.exe  [E]
 37  PID 4068  c:\nhnnhn.exe  [E]
 38  PID 2124  c:\djpdd.exe  [E]
 39  PID 556  c:\xfxrffx.exe  [E]
 40  PID 4396  c:\lrrllfx.exe  [E]
 41  PID 4988  c:\ntbtnh.exe  [E]
 42  PID 5024  c:\dpdvd.exe  [E]
 43  PID 1852  c:\9rlrffx.exe  [E]
 44  PID 1096  c:\hhtnht.exe  [E]
 45  PID 8  c:\bttnhb.exe  [E]
 46  PID 2536  c:\dpjvp.exe  [E]
 47  PID 412  c:\flrrfff.exe  [E]
 48  PID 3560  c:\fxffxff.exe  [E]
 49  PID 1528  c:\htttnn.exe  [E]
 50  PID 4984  c:\nhbtnh.exe  [E]
 51  PID 404  c:\jdjdd.exe  [E]
 52  PID 3680  c:\xflfrrf.exe  [E]
 53  PID 3520  c:\nhnnnn.exe  [E]
 54  PID 1296  c:\ttnhbb.exe  [E]
 55  PID 3216  c:\xflfrll.exe  [E]
 56  PID 1416  c:\frxfxxx.exe  [E]
 57  PID 4504  c:\tthhbb.exe  [E]
 58  PID 1248  c:\1dpjd.exe  [E]
 59  PID 4188  c:\vjvpd.exe  [E]
 60  PID 868  c:\rllrxxf.exe  [E]
 61  PID 2524  c:\nbhhhb.exe  [E]
 62  PID 4744  c:\tbhbnh.exe  [E]
 63  PID 1232  c:\jpjpj.exe  [E]
 64  PID 2172  c:\xlrlxxx.exe  [E]
 65  PID 1272  c:\nthbbt.exe  [E]
 66  PID 3760  c:\jjdvp.exe
 67  PID 2316  c:\nnhbnh.exe
 68  PID 4400  c:\jddvj.exe
 69  PID 4720  c:\vvppd.exe
 70  PID 4544  c:\frllxxf.exe
 71  PID 3616  c:\bbttth.exe
 72  PID 1220  c:\7dddp.exe
 73  PID 4364  c:\7rrfxxr.exe
 74  PID 4208  c:\frrlffr.exe
 75  PID 2136  c:\tbbbtn.exe
 76  PID 2144  c:\vjddd.exe
 77  PID 3356  c:\vjpdp.exe
 78  PID 4924  c:\frlxrlx.exe
 79  PID 4168  c:\btbbtt.exe
 80  PID 4784  c:\hnhbtb.exe
 81  PID 3364  c:\pjpjj.exe
 82  PID 2760  c:\lfxlxlf.exe
 83  PID 3496  c:\xrfxrrl.exe
 84  PID 4120  c:\thbtnb.exe
 85  PID 4292  c:\vpjdv.exe
 86  PID 4540  c:\1xxlxxr.exe
 87  PID 3184  c:\xflfxxr.exe
 88  PID 2756  c:\9bbbbb.exe
 89  PID 2720  c:\jpvpj.exe
 90  PID 4228  c:\dpvvj.exe
 91  PID 4380  c:\lxffrll.exe
 92  PID 1728  c:\htnhbt.exe
 93  PID 2676  c:\bnnbnn.exe
 94  PID 3560  c:\vjvdd.exe
 95  PID 4968  c:\vjpjj.exe
 96  PID 4176  c:\rllfrlf.exe
 97  PID 2016  c:\hntttt.exe
 98  PID 4476  c:\nntbbb.exe
 99  PID 2860  c:\pjddp.exe
100  PID 2180  c:\frxrrrx.exe
101  PID 4536  c:\htbbtn.exe
102  PID 2488  c:\3dvdp.exe
103  PID 3268  c:\rrrfxfx.exe
104  PID 4500  c:\rrrxrfx.exe
105  PID 4188  c:\hbbtnn.exe
106  PID 4092  c:\nnnhtn.exe
107  PID 1068  c:\vjpjv.exe
108  PID 3768  c:\fllxrlf.exe
109  PID 5092  c:\dppjd.exe
110  PID 3348  c:\xlfxrll.exe
111  PID 2368  c:\frfrrlx.exe
112  PID 2792  c:\htbbtb.exe
113  PID 3344  c:\jpjdp.exe
114  PID 2300  c:\pdjdv.exe
115  PID 4364  c:\frxrrll.exe
116  PID 3892  c:\dpppj.exe
117  PID 912  c:\vjjdp.exe
118  PID 4348  c:\3xlxfff.exe
119  PID 2916  c:\nnttbh.exe
120  PID 1492  c:\1bbhnb.exe
121  PID 4784  c:\5vvjv.exe
122  PID 3364  c:\lflxrlx.exe
123  PID 2760  c:\5nthtt.exe
124  PID 3496  c:\tttthh.exe
125  PID 3912  c:\pvjdd.exe
126  PID 2636  c:\rlrrxrl.exe
127  PID 1284  c:\5ntnnh.exe
128  PID 2188  c:\thhtnh.exe
129  PID 4996  c:\pvpjd.exe
130  PID 1404  c:\xrrlxxf.exe
131  PID 3160  c:\rxrrfll.exe
132  PID 4220  c:\nbbthh.exe
133  PID 2152  c:\vvdvv.exe
134  PID 1528  c:\lxrfxrl.exe
135  PID 4344  c:\rfxlffx.exe
136  PID 4376  c:\bnnhbt.exe
137  PID 1688  c:\tbtntt.exe
138  PID 4848  c:\5dpjj.exe
139  PID 3520  c:\djppd.exe
140  PID 2572  c:\rlffrrl.exe
141  PID 3472  c:\bthbbb.exe
142  PID 3268  c:\ntbnhb.exe
143  PID 3220  c:\5hhhbb.exe
144  PID 2980  c:\jdppv.exe
145  PID 2952  c:\fxlfxxr.exe
146  PID 1232  c:\nbbbtn.exe
147  PID 3768  c:\htbbtt.exe
148  PID 2140  c:\7vdpp.exe
149  PID 1648  c:\5vjvv.exe
150  PID 2368  c:\xxfxrrl.exe
151  PID 3952  c:\httnnt.exe
152  PID 3344  c:\pvvdd.exe
153  PID 3200  c:\3ttnbb.exe
154  PID 4328  c:\thhbtb.exe
155  PID 4004  c:\dpppd.exe
156  PID 2248  c:\3dvvp.exe
157  PID 4924  c:\frrrlfr.exe
158  PID 2508  c:\bhhbtt.exe
159  PID 2688  c:\nhbthh.exe
160  PID 1080  c:\jvddp.exe
161  PID 748  c:\jjpjj.exe
162  PID 4312  c:\frxrfxf.exe
163  PID 1936  c:\rlfxfff.exe
164  PID 4012  c:\bntnhb.exe
165  PID 1696  c:\3hbnbb.exe
166  PID 2188  c:\vdjdp.exe
167  PID 1252  c:\7djdp.exe
168  PID 1924  c:\xfxrfxf.exe
169  PID 1168  c:\bnhbtn.exe
170  PID 4220  c:\thtnhh.exe
171  PID 4964  c:\ppdpj.exe
172  PID 4224  c:\fxlfxrr.exe
173  PID 2964  c:\rlfxrrr.exe
174  PID 2016  c:\9jpjp.exe
175  PID 1688  c:\frxrllf.exe
176  PID 1600  c:\3nnbtt.exe
177  PID 3520  c:\nnhhtt.exe
178  PID 4536  c:\9pvjd.exe
179  PID 932  c:\9vdvv.exe
180  PID 4548  c:\xrrlfxl.exe
181  PID 2224  c:\flrlxxr.exe
182  PID 2980  c:\tnttbb.exe
183  PID 2952  c:\bhbbnh.exe
184  PID 1436  c:\dvdvj.exe
185  PID 516  c:\rffxllx.exe
186  PID 3768  c:\lxrfrrl.exe
187  PID 2816  c:\tbhnhh.exe
188  PID 2692  c:\nhbbnn.exe
189  PID 2192  c:\3pdvj.exe
190  PID 4148  c:\dvpjv.exe
191  PID 2400  c:\7xxxxxr.exe
192  PID 2872  c:\tbnhth.exe
193  PID 4916  c:\nbthnh.exe
194  PID 2384  c:\nttnbh.exe
195  PID 4856  c:\jddvp.exe
196  PID 4784  c:\fffxrrl.exe
197  PID 2688  c:\fxxxrrl.exe
198  PID 1080  c:\bhntnt.exe
199  PID 4292  c:\bntnnn.exe
200  PID 4312  c:\vjjdv.exe
201  PID 1284  c:\jjjpj.exe
202  PID 3012  c:\vjppd.exe
203  PID 1552  c:\flrfrrl.exe
204  PID 4380  c:\tbthbt.exe
205  PID 2536  c:\hnhhnn.exe
206  PID 4728  c:\jvvpj.exe
207  PID 4236  c:\jpvvj.exe
208  PID 4968  c:\lfrlfxr.exe
209  PID 4224  c:\lfxrxxl.exe
210  PID 4376  c:\ttnnhh.exe
211  PID 2860  c:\tnnnbb.exe
212  PID 1392  c:\dpvpp.exe
213  PID 2440  c:\pjdvp.exe
214  PID 2572  c:\rlxrfff.exe
215  PID 1248  c:\frrrlll.exe
216  PID 4776  c:\xrllrlr.exe
217  PID 2524  c:\ppjdv.exe
218  PID 1068  c:\dvpdp.exe
219  PID 2172  c:\pjpvp.exe
220  PID 3924  c:\xxllxxx.exe
221  PID 884  c:\lxxrllf.exe
222  PID 3172  c:\nbhbth.exe
223  PID 440  c:\hbtnhb.exe
224  PID 1828  c:\9vvvj.exe
225  PID 3632  c:\dvpjv.exe
226  PID 3580  c:\fxllfff.exe
227  PID 3544  c:\bbnnnn.exe
228  PID 4148  c:\hbbbnn.exe
229  PID 3620  c:\bnhbbb.exe
230  PID 5040  c:\jppjv.exe
231  PID 4916  c:\pddvj.exe
232  PID 2012  c:\3xfxxrr.exe
233  PID 4124  c:\flflxrf.exe
234  PID 560  c:\nbnbhb.exe
235  PID 4120  c:\vppvp.exe
236  PID 1952  c:\rlxxxxf.exe
237  PID 1080  c:\5xrlfrl.exe
238  PID 4292  c:\nbbbbb.exe
239  PID 4312  c:\dvpdd.exe
240  PID 1284  c:\hbthbt.exe
241  PID 3012  c:\5ntntt.exe
242  PID 4940  c:\ddjvd.exe
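Pages like this one are extracted from a web view, so the image path, command line and depth of every process-tree entry end up fused on one line. The Python below is an added example written for this page (editor's code, not part of the report or of any sandbox tooling). It parses an excerpt copied from the tree above in that fused form, reports PIDs that occur at more than one depth, and applies a naming heuristic derived from this report alone: a 5 to 7 character name built from the letters b d f h j l n p r t v x with an optional leading digit, dropped in the root of drive c:. The excerpt, the regular expressions and the heuristic are the example's own assumptions, not published indicators.

```python
import re

# Constructed sample input: an excerpt of the process tree above, copied in the
# run-together form the page shows it (image path, command line and depth fused
# on one line; signature bullets and the PID follow).  Depths 1, 2, 4, 6, 45,
# 47, 66 and 67 are included so that two recycled PIDs (8 and 412) occur twice.
TREE_TEXT = r"""
C:\Users\Admin\AppData\Local\Temp\a315d467fec6f3537a0b07a398a5dc40_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\a315d467fec6f3537a0b07a398a5dc40_NeikiAnalytics.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1800 -
\??\c:\llxllff.exec:\llxllff.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4644 -
\??\c:\tntnnh.exec:\tntnnh.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:8 -
\??\c:\nhhthh.exec:\nhhthh.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:412 -
\??\c:\bttnhb.exec:\bttnhb.exe45⤵
- Executes dropped EXE
PID:8 -
\??\c:\flrrfff.exec:\flrrfff.exe47⤵
- Executes dropped EXE
PID:412 -
\??\c:\jjdvp.exec:\jjdvp.exe66⤵PID:3760
-
\??\c:\nnhbnh.exec:\nnhbnh.exe67⤵PID:2316
"""

# <image path ending in .exe><optionally quoted drive path ending in .exe><depth>⤵[PID:<n>]
ENTRY_RE = re.compile(
    r'^(?P<path>.+?\.exe)(?P<cmd>"?[A-Za-z]:\\.+?\.exe"?)(?P<depth>\d+)⤵(?:PID:(?P<pid>\d+))?$'
)
SIG_RE = re.compile(r"^- (?P<sig>\S.*)$")
PID_RE = re.compile(r"^PID:(?P<pid>\d+)")
# Heuristic from this report only (an assumption, not a published indicator):
# 4-7 letters from the set below, optionally preceded by one digit.
NAME_RE = re.compile(r"^[0-9]?[bdfhjlnprtvx]{4,7}\.exe$")


def parse_tree(text):
    """Turn the fused tree text into records with depth, path, cmdline, pid
    and the signature bullets listed under each process."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            records.append({
                "depth": int(m["depth"]), "path": m["path"], "cmdline": m["cmd"],
                "pid": int(m["pid"]) if m["pid"] else None, "signatures": [],
            })
            continue
        if not records:
            continue
        m = SIG_RE.match(line)
        if m:
            records[-1]["signatures"].append(m["sig"])
            continue
        m = PID_RE.match(line)
        if m:
            records[-1]["pid"] = int(m["pid"])
    return records


def pid_reuse(records):
    """PIDs seen at more than one depth.  Windows hands the PID of an exited
    process to a new one, so in a chain this long the PID alone is not a key;
    correlate on (PID, start time) or on the sandbox's pid-index dump names."""
    depths = {}
    for r in records:
        depths.setdefault(r["pid"], []).append(r["depth"])
    return {pid: d for pid, d in depths.items() if len(d) > 1}


def looks_like_chain_name(path):
    """True for an image dropped in the root of drive c: whose 5-7 character
    name fits the pattern every dropped executable in this report follows."""
    folder, _, name = path.lower().rpartition("\\")
    return (folder in (r"\??\c:", "c:") and NAME_RE.match(name) is not None
            and 5 <= len(name) - len(".exe") <= 7)


def last_depth_tagged(records, signature):
    """Deepest process carrying a given signature bullet.  In the full tree the
    tags stop at depth 22 (WriteProcessMemory) and 65 (Executes dropped EXE)
    because each signature list is capped at 64 IoCs, not because later
    processes behaved differently."""
    depths = [r["depth"] for r in records if signature in r["signatures"]]
    return max(depths) if depths else None


if __name__ == "__main__":
    recs = parse_tree(TREE_TEXT)
    for r in recs:
        flag = "" if looks_like_chain_name(r["path"]) else "  <- not chain-style"
        print(f'{r["depth"]:>3}  PID {r["pid"]:<5} {r["cmdline"]}{flag}')
    print("recycled PIDs:", pid_reuse(recs))
```

Fed the whole tree, `pid_reuse` also turns up 2188, 2368, 2572, 2676, 4364, 4380, 5092 and 884 among others, which is why the "Executes dropped EXE" list above can legitimately show PID 8 twice. The naming heuristic is tuned to this sample and will not generalise to other Blackmoon droppers without checking their own trees; treat it as a starting point for a hunt query over process-creation events (parent and child both in the root of c:, both matching the pattern), not as a detection on its own.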