Analysis
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 18-05-2024 05:52
Static task: static1
Signatures: 1
Behavioral task: behavioral1
Sample: 9cf78a6f602e78b95147702705804fa0_NeikiAnalytics.exe
Resource: win7-20231129-en (windows7-x64)
Signatures: 5
150 seconds
General
Target: 9cf78a6f602e78b95147702705804fa0_NeikiAnalytics.exe
Size: 75KB
MD5: 9cf78a6f602e78b95147702705804fa0
SHA1: 7736c942d60b159cab558648971dbd854e9acf11
SHA256: 24220494aa157b2af4751e8d5d1ebf3ed976611e5e5a5ce485ae8275ec53d568
SHA512: 3e60db8774a33a5541066b5740c0c738eac4cd8174322933f64aba900813b93d7ac23429e6b12721a002e1930e1447da42851623755d585bb3bc6f1421cda1b1
SSDEEP: 1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDIsIoAh2QpUnX1Az:ymb3NkkiQ3mdBjFIsIVbpUW
Malware Config
Signatures
Detect Blackmoon payload 27 IoCs
Executes dropped EXE 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
"C:\Users\Admin\AppData\Local\Temp\9cf78a6f602e78b95147702705804fa0_NeikiAnalytics.exe"
- Suspicious use of WriteProcessMemory
PID: 1916