Analysis
-
max time kernel
150s -
max time network
134s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240426-en locale:en-us os:windows10-2004-x64 system -
submitted
18-05-2024 05:56
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
9e02fd8e45c12d8387d6b89cc0b2c590_NeikiAnalytics.exe
Resource
win7-20240221-en
windows7-x64
5 signatures
150 seconds
General
-
Target
9e02fd8e45c12d8387d6b89cc0b2c590_NeikiAnalytics.exe
-
Size
460KB
-
MD5
9e02fd8e45c12d8387d6b89cc0b2c590
-
SHA1
d5c3797813f69bdb7c7fe84b5c12846b0985c5d3
-
SHA256
36b25b90900003665878bd9f8b6c4ad7d7a1576ac47b67bbffac0134bd11e861
-
SHA512
ea9e8c146d89f289d35ec10c52c0d329fd651db6aca0e927badf2b73b778edfdd3cad539612e56bce27bc97c528138e96618e256655db6e1708ec7ccb6d8d406
-
SSDEEP
6144:n3C9BRo7tvnJ9Fywhk/TJTaYvMmr3C9BRo7tvnJ9Fywhk/Tkh:n3C9ytvn8whkbJTaFmr3C9ytvn8whkbU
Malware Config
Signatures
-
Detect Blackmoon payload 24 IoCs
Processes:
resource yara_rule behavioral2/memory/4944-3-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3476-11-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4448-17-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2652-24-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3392-31-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3860-48-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/5000-51-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4632-57-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4920-62-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4140-77-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4228-79-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3512-96-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4508-101-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3956-106-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2112-114-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1696-119-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2356-140-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2840-130-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1064-160-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2872-166-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1968-173-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon 
behavioral2/memory/3588-178-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/716-185-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2032-191-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
Processes:
bnhhhh.exe dvddp.exe 5bbbtb.exe 7ddvj.exe tnttnn.exe 5dpjv.exe ffffxxr.exe tbhhnn.exe 1hhhhh.exe jpdpd.exe flxflfx.exe jvddj.exe xllfxxx.exe bnttnn.exe frxxrxx.exe ntbbbh.exe xxxlfxr.exe 1nttbb.exe pppjp.exe bbtbht.exe hbbhbb.exe 7dddv.exe fflfllr.exe bntnnh.exe frxlfff.exe btnbbn.exe vjddv.exe 5flfllf.exe dpvvd.exe 1tbnhh.exe vdddv.exe xllrrrr.exe 9jpjp.exe vdjdv.exe rlxrlll.exe tnbbnt.exe jdpdv.exe xrllrrx.exe 7fllfll.exe nbhhnh.exe 1jddv.exe frfrlll.exe hnhbnn.exe hbbtbt.exe jdpjd.exe frxrfrr.exe bhhbbt.exe dvpvv.exe btbnbb.exe ddvpj.exe jdjdj.exe rfxrflf.exe hbnnnn.exe 3djvp.exe lllllxx.exe 1ttnnt.exe vpjdp.exe rfllfff.exe tnnhbb.exe jpppj.exe 5xxrrrr.exe fffflrr.exe nbnhbb.exe dppjv.exe
pid process 3476 bnhhhh.exe 4448 dvddp.exe 2652 5bbbtb.exe 3392 7ddvj.exe 3860 tnttnn.exe 5000 5dpjv.exe 4632 ffffxxr.exe 4920 tbhhnn.exe 4140 1hhhhh.exe 4228 jpdpd.exe 1832 flxflfx.exe 3512 jvddj.exe 4508 xllfxxx.exe 3956 bnttnn.exe 2112 frxxrxx.exe 1696 ntbbbh.exe 1484 xxxlfxr.exe 2840 1nttbb.exe 2356 pppjp.exe 4280 bbtbht.exe 776 hbbhbb.exe 2788 7dddv.exe 1064 fflfllr.exe 2872 bntnnh.exe 1968 frxlfff.exe 3588 btnbbn.exe 716 vjddv.exe 2032 5flfllf.exe 4624 dpvvd.exe 2196 1tbnhh.exe 1052 vdddv.exe 4316 xllrrrr.exe 3832 9jpjp.exe 816 vdjdv.exe 4084 rlxrlll.exe 2424 tnbbnt.exe 1836 jdpdv.exe 3392 xrllrrx.exe 4152 7fllfll.exe 4276 nbhhnh.exe 4768 1jddv.exe 3160 frfrlll.exe 4992 hnhbnn.exe 4920 hbbtbt.exe 396 jdpjd.exe 5060 frxrfrr.exe 3620 bhhbbt.exe 4792 dvpvv.exe 4324 btbnbb.exe 440 ddvpj.exe 2812 jdjdj.exe 1680 rfxrflf.exe 1132 hbnnnn.exe 3856 3djvp.exe 3076 lllllxx.exe 980 1ttnnt.exe 2564 vpjdp.exe 3228 rfllfff.exe 3600 tnnhbb.exe 1448 jpppj.exe 3104 5xxrrrr.exe 4884 fffflrr.exe 4880 nbnhbb.exe 4348 dppjv.exe -
Processes (memory dumps tagged by the upx YARA rule):
resource yara_rule behavioral2/memory/4944-3-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3476-11-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4448-17-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2652-24-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3392-31-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3860-48-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3860-40-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3860-39-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3860-38-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/5000-51-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4632-57-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4920-62-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4140-71-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4140-77-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4228-79-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4140-70-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3512-96-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4508-101-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3956-106-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2112-114-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1696-119-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2356-140-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2840-130-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1064-160-0x0000000000400000-0x0000000000429000-memory.dmp upx 
behavioral2/memory/2872-166-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1968-173-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3588-178-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/716-185-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2032-191-0x0000000000400000-0x0000000000429000-memory.dmp upx -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
9e02fd8e45c12d8387d6b89cc0b2c590_NeikiAnalytics.exebnhhhh.exedvddp.exe5bbbtb.exe7ddvj.exetnttnn.exe5dpjv.exeffffxxr.exetbhhnn.exe1hhhhh.exejpdpd.exeflxflfx.exejvddj.exexllfxxx.exebnttnn.exefrxxrxx.exentbbbh.exexxxlfxr.exe1nttbb.exepppjp.exebbtbht.exehbbhbb.exedescription pid process target process PID 4944 wrote to memory of 3476 4944 9e02fd8e45c12d8387d6b89cc0b2c590_NeikiAnalytics.exe bnhhhh.exe PID 4944 wrote to memory of 3476 4944 9e02fd8e45c12d8387d6b89cc0b2c590_NeikiAnalytics.exe bnhhhh.exe PID 4944 wrote to memory of 3476 4944 9e02fd8e45c12d8387d6b89cc0b2c590_NeikiAnalytics.exe bnhhhh.exe PID 3476 wrote to memory of 4448 3476 bnhhhh.exe dvddp.exe PID 3476 wrote to memory of 4448 3476 bnhhhh.exe dvddp.exe PID 3476 wrote to memory of 4448 3476 bnhhhh.exe dvddp.exe PID 4448 wrote to memory of 2652 4448 dvddp.exe 5bbbtb.exe PID 4448 wrote to memory of 2652 4448 dvddp.exe 5bbbtb.exe PID 4448 wrote to memory of 2652 4448 dvddp.exe 5bbbtb.exe PID 2652 wrote to memory of 3392 2652 5bbbtb.exe 7ddvj.exe PID 2652 wrote to memory of 3392 2652 5bbbtb.exe 7ddvj.exe PID 2652 wrote to memory of 3392 2652 5bbbtb.exe 7ddvj.exe PID 3392 wrote to memory of 3860 3392 7ddvj.exe tnttnn.exe PID 3392 wrote to memory of 3860 3392 7ddvj.exe tnttnn.exe PID 3392 wrote to memory of 3860 3392 7ddvj.exe tnttnn.exe PID 3860 wrote to memory of 5000 3860 tnttnn.exe 5dpjv.exe PID 3860 wrote to memory of 5000 3860 tnttnn.exe 5dpjv.exe PID 3860 wrote to memory of 5000 3860 tnttnn.exe 5dpjv.exe PID 5000 wrote to memory of 4632 5000 5dpjv.exe ffffxxr.exe PID 5000 wrote to memory of 4632 5000 5dpjv.exe ffffxxr.exe PID 5000 wrote to memory of 4632 5000 5dpjv.exe ffffxxr.exe PID 4632 wrote to memory of 4920 4632 ffffxxr.exe tbhhnn.exe PID 4632 wrote to memory of 4920 4632 ffffxxr.exe tbhhnn.exe PID 4632 wrote to memory of 4920 4632 ffffxxr.exe tbhhnn.exe PID 4920 wrote to memory of 4140 4920 tbhhnn.exe 1hhhhh.exe PID 4920 wrote to memory of 4140 4920 tbhhnn.exe 1hhhhh.exe PID 4920 wrote to memory of 
4140 4920 tbhhnn.exe 1hhhhh.exe PID 4140 wrote to memory of 4228 4140 1hhhhh.exe jpdpd.exe PID 4140 wrote to memory of 4228 4140 1hhhhh.exe jpdpd.exe PID 4140 wrote to memory of 4228 4140 1hhhhh.exe jpdpd.exe PID 4228 wrote to memory of 1832 4228 jpdpd.exe flxflfx.exe PID 4228 wrote to memory of 1832 4228 jpdpd.exe flxflfx.exe PID 4228 wrote to memory of 1832 4228 jpdpd.exe flxflfx.exe PID 1832 wrote to memory of 3512 1832 flxflfx.exe jvddj.exe PID 1832 wrote to memory of 3512 1832 flxflfx.exe jvddj.exe PID 1832 wrote to memory of 3512 1832 flxflfx.exe jvddj.exe PID 3512 wrote to memory of 4508 3512 jvddj.exe xllfxxx.exe PID 3512 wrote to memory of 4508 3512 jvddj.exe xllfxxx.exe PID 3512 wrote to memory of 4508 3512 jvddj.exe xllfxxx.exe PID 4508 wrote to memory of 3956 4508 xllfxxx.exe bnttnn.exe PID 4508 wrote to memory of 3956 4508 xllfxxx.exe bnttnn.exe PID 4508 wrote to memory of 3956 4508 xllfxxx.exe bnttnn.exe PID 3956 wrote to memory of 2112 3956 bnttnn.exe frxxrxx.exe PID 3956 wrote to memory of 2112 3956 bnttnn.exe frxxrxx.exe PID 3956 wrote to memory of 2112 3956 bnttnn.exe frxxrxx.exe PID 2112 wrote to memory of 1696 2112 frxxrxx.exe ntbbbh.exe PID 2112 wrote to memory of 1696 2112 frxxrxx.exe ntbbbh.exe PID 2112 wrote to memory of 1696 2112 frxxrxx.exe ntbbbh.exe PID 1696 wrote to memory of 1484 1696 ntbbbh.exe xxxlfxr.exe PID 1696 wrote to memory of 1484 1696 ntbbbh.exe xxxlfxr.exe PID 1696 wrote to memory of 1484 1696 ntbbbh.exe xxxlfxr.exe PID 1484 wrote to memory of 2840 1484 xxxlfxr.exe 1nttbb.exe PID 1484 wrote to memory of 2840 1484 xxxlfxr.exe 1nttbb.exe PID 1484 wrote to memory of 2840 1484 xxxlfxr.exe 1nttbb.exe PID 2840 wrote to memory of 2356 2840 1nttbb.exe pppjp.exe PID 2840 wrote to memory of 2356 2840 1nttbb.exe pppjp.exe PID 2840 wrote to memory of 2356 2840 1nttbb.exe pppjp.exe PID 2356 wrote to memory of 4280 2356 pppjp.exe bbtbht.exe PID 2356 wrote to memory of 4280 2356 pppjp.exe bbtbht.exe PID 2356 wrote to memory of 4280 2356 
pppjp.exe bbtbht.exe PID 4280 wrote to memory of 776 4280 bbtbht.exe hbbhbb.exe PID 4280 wrote to memory of 776 4280 bbtbht.exe hbbhbb.exe PID 4280 wrote to memory of 776 4280 bbtbht.exe hbbhbb.exe PID 776 wrote to memory of 2788 776 hbbhbb.exe 7dddv.exe
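Processes
Each entry below gives the image path, immediately followed (without a separator) by the command line and the nesting depth in the process tree before ⤵. PIDs are reused during the run: 4944 is the submitted sample at depth 1 and appears again at depths 112 and 146. Correlate on PID together with image name and depth, not on PID alone.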
-
C:\Users\Admin\AppData\Local\Temp\9e02fd8e45c12d8387d6b89cc0b2c590_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\9e02fd8e45c12d8387d6b89cc0b2c590_NeikiAnalytics.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4944 -
\??\c:\bnhhhh.exec:\bnhhhh.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3476 -
\??\c:\dvddp.exec:\dvddp.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4448 -
\??\c:\5bbbtb.exec:\5bbbtb.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2652 -
\??\c:\7ddvj.exec:\7ddvj.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3392 -
\??\c:\tnttnn.exec:\tnttnn.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3860 -
\??\c:\5dpjv.exec:\5dpjv.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5000 -
\??\c:\ffffxxr.exec:\ffffxxr.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4632 -
\??\c:\tbhhnn.exec:\tbhhnn.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4920 -
\??\c:\1hhhhh.exec:\1hhhhh.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4140 -
\??\c:\jpdpd.exec:\jpdpd.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4228 -
\??\c:\flxflfx.exec:\flxflfx.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1832 -
\??\c:\jvddj.exec:\jvddj.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3512 -
\??\c:\xllfxxx.exec:\xllfxxx.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4508 -
\??\c:\bnttnn.exec:\bnttnn.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3956 -
\??\c:\frxxrxx.exec:\frxxrxx.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2112 -
\??\c:\ntbbbh.exec:\ntbbbh.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1696 -
\??\c:\xxxlfxr.exec:\xxxlfxr.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1484 -
\??\c:\1nttbb.exec:\1nttbb.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2840 -
\??\c:\pppjp.exec:\pppjp.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2356 -
\??\c:\bbtbht.exec:\bbtbht.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4280 -
\??\c:\hbbhbb.exec:\hbbhbb.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:776 -
\??\c:\7dddv.exec:\7dddv.exe23⤵
- Executes dropped EXE
PID:2788 -
\??\c:\fflfllr.exec:\fflfllr.exe24⤵
- Executes dropped EXE
PID:1064 -
\??\c:\bntnnh.exec:\bntnnh.exe25⤵
- Executes dropped EXE
PID:2872 -
\??\c:\frxlfff.exec:\frxlfff.exe26⤵
- Executes dropped EXE
PID:1968 -
\??\c:\btnbbn.exec:\btnbbn.exe27⤵
- Executes dropped EXE
PID:3588 -
\??\c:\vjddv.exec:\vjddv.exe28⤵
- Executes dropped EXE
PID:716 -
\??\c:\5flfllf.exec:\5flfllf.exe29⤵
- Executes dropped EXE
PID:2032 -
\??\c:\dpvvd.exec:\dpvvd.exe30⤵
- Executes dropped EXE
PID:4624 -
\??\c:\1tbnhh.exec:\1tbnhh.exe31⤵
- Executes dropped EXE
PID:2196 -
\??\c:\vdddv.exec:\vdddv.exe32⤵
- Executes dropped EXE
PID:1052 -
\??\c:\xllrrrr.exec:\xllrrrr.exe33⤵
- Executes dropped EXE
PID:4316 -
\??\c:\9jpjp.exec:\9jpjp.exe34⤵
- Executes dropped EXE
PID:3832 -
\??\c:\vdjdv.exec:\vdjdv.exe35⤵
- Executes dropped EXE
PID:816 -
\??\c:\rlxrlll.exec:\rlxrlll.exe36⤵
- Executes dropped EXE
PID:4084 -
\??\c:\tnbbnt.exec:\tnbbnt.exe37⤵
- Executes dropped EXE
PID:2424 -
\??\c:\jdpdv.exec:\jdpdv.exe38⤵
- Executes dropped EXE
PID:1836 -
\??\c:\xrllrrx.exec:\xrllrrx.exe39⤵
- Executes dropped EXE
PID:3392 -
\??\c:\7fllfll.exec:\7fllfll.exe40⤵
- Executes dropped EXE
PID:4152 -
\??\c:\nbhhnh.exec:\nbhhnh.exe41⤵
- Executes dropped EXE
PID:4276 -
\??\c:\1jddv.exec:\1jddv.exe42⤵
- Executes dropped EXE
PID:4768 -
\??\c:\frfrlll.exec:\frfrlll.exe43⤵
- Executes dropped EXE
PID:3160 -
\??\c:\hnhbnn.exec:\hnhbnn.exe44⤵
- Executes dropped EXE
PID:4992 -
\??\c:\hbbtbt.exec:\hbbtbt.exe45⤵
- Executes dropped EXE
PID:4920 -
\??\c:\jdpjd.exec:\jdpjd.exe46⤵
- Executes dropped EXE
PID:396 -
\??\c:\frxrfrr.exec:\frxrfrr.exe47⤵
- Executes dropped EXE
PID:5060 -
\??\c:\bhhbbt.exec:\bhhbbt.exe48⤵
- Executes dropped EXE
PID:3620 -
\??\c:\dvpvv.exec:\dvpvv.exe49⤵
- Executes dropped EXE
PID:4792 -
\??\c:\btbnbb.exec:\btbnbb.exe50⤵
- Executes dropped EXE
PID:4324 -
\??\c:\ddvpj.exec:\ddvpj.exe51⤵
- Executes dropped EXE
PID:440 -
\??\c:\jdjdj.exec:\jdjdj.exe52⤵
- Executes dropped EXE
PID:2812 -
\??\c:\rfxrflf.exec:\rfxrflf.exe53⤵
- Executes dropped EXE
PID:1680 -
\??\c:\hbnnnn.exec:\hbnnnn.exe54⤵
- Executes dropped EXE
PID:1132 -
\??\c:\3djvp.exec:\3djvp.exe55⤵
- Executes dropped EXE
PID:3856 -
\??\c:\lllllxx.exec:\lllllxx.exe56⤵
- Executes dropped EXE
PID:3076 -
\??\c:\1ttnnt.exec:\1ttnnt.exe57⤵
- Executes dropped EXE
PID:980 -
\??\c:\vpjdp.exec:\vpjdp.exe58⤵
- Executes dropped EXE
PID:2564 -
\??\c:\rfllfff.exec:\rfllfff.exe59⤵
- Executes dropped EXE
PID:3228 -
\??\c:\tnnhbb.exec:\tnnhbb.exe60⤵
- Executes dropped EXE
PID:3600 -
\??\c:\jpppj.exec:\jpppj.exe61⤵
- Executes dropped EXE
PID:1448 -
\??\c:\5xxrrrr.exec:\5xxrrrr.exe62⤵
- Executes dropped EXE
PID:3104 -
\??\c:\fffflrr.exec:\fffflrr.exe63⤵
- Executes dropped EXE
PID:4884 -
\??\c:\nbnhbb.exec:\nbnhbb.exe64⤵
- Executes dropped EXE
PID:4880 -
\??\c:\dppjv.exec:\dppjv.exe65⤵
- Executes dropped EXE
PID:4348 -
\??\c:\fxfrxxf.exec:\fxfrxxf.exe66⤵PID:1444
-
\??\c:\bnbnhb.exec:\bnbnhb.exe67⤵PID:2592
-
\??\c:\vpvdv.exec:\vpvdv.exe68⤵PID:4432
-
\??\c:\pdjvp.exec:\pdjvp.exe69⤵PID:2380
-
\??\c:\fffrfrx.exec:\fffrfrx.exe70⤵PID:2612
-
\??\c:\ntbtnh.exec:\ntbtnh.exe71⤵PID:2028
-
\??\c:\vdvpj.exec:\vdvpj.exe72⤵PID:2004
-
\??\c:\dvpjp.exec:\dvpjp.exe73⤵PID:4612
-
\??\c:\xfffffx.exec:\xfffffx.exe74⤵PID:1924
-
\??\c:\hhbhth.exec:\hhbhth.exe75⤵PID:3196
-
\??\c:\tnntnb.exec:\tnntnb.exe76⤵PID:1596
-
\??\c:\dvjdj.exec:\dvjdj.exe77⤵PID:3920
-
\??\c:\xlfxlfr.exec:\xlfxlfr.exe78⤵PID:816
-
\??\c:\nhtnbh.exec:\nhtnbh.exe79⤵PID:5032
-
\??\c:\rlfrfxx.exec:\rlfrfxx.exe80⤵PID:4860
-
\??\c:\thnhhh.exec:\thnhhh.exe81⤵PID:3392
-
\??\c:\pdjdd.exec:\pdjdd.exe82⤵PID:2360
-
\??\c:\frxrrlx.exec:\frxrrlx.exe83⤵PID:3160
-
\??\c:\rffxllf.exec:\rffxllf.exe84⤵PID:2924
-
\??\c:\bhhbtn.exec:\bhhbtn.exe85⤵PID:1800
-
\??\c:\dvvpj.exec:\dvvpj.exe86⤵PID:3248
-
\??\c:\pppjd.exec:\pppjd.exe87⤵PID:1832
-
\??\c:\lrfrxxf.exec:\lrfrxxf.exe88⤵PID:804
-
\??\c:\bntnhb.exec:\bntnhb.exe89⤵PID:440
-
\??\c:\nhhbtt.exec:\nhhbtt.exe90⤵PID:4492
-
\??\c:\jppdv.exec:\jppdv.exe91⤵PID:1160
-
\??\c:\3frlffx.exec:\3frlffx.exe92⤵PID:2704
-
\??\c:\hnnhtn.exec:\hnnhtn.exe93⤵PID:3408
-
\??\c:\tnhbtn.exec:\tnhbtn.exe94⤵PID:424
-
\??\c:\pdjdp.exec:\pdjdp.exe95⤵PID:2664
-
\??\c:\7dpjv.exec:\7dpjv.exe96⤵PID:2660
-
\??\c:\7rrlfxr.exec:\7rrlfxr.exe97⤵PID:432
-
\??\c:\1nbhhn.exec:\1nbhhn.exe98⤵PID:536
-
\??\c:\vpdpv.exec:\vpdpv.exe99⤵PID:4956
-
\??\c:\vvpvd.exec:\vvpvd.exe100⤵PID:2328
-
\??\c:\rxxxfxx.exec:\rxxxfxx.exe101⤵PID:1588
-
\??\c:\nhbnbt.exec:\nhbnbt.exe102⤵PID:4580
-
\??\c:\ntbbnh.exec:\ntbbnh.exe103⤵PID:2064
-
\??\c:\djpjj.exec:\djpjj.exe104⤵PID:1444
-
\??\c:\xflxfxf.exec:\xflxfxf.exe105⤵PID:2164
-
\??\c:\hbbthb.exec:\hbbthb.exe106⤵PID:4432
-
\??\c:\5jpjd.exec:\5jpjd.exe107⤵PID:3752
-
\??\c:\jppjd.exec:\jppjd.exe108⤵PID:1992
-
\??\c:\lrrllfx.exec:\lrrllfx.exe109⤵PID:2028
-
\??\c:\thhbtt.exec:\thhbtt.exe110⤵PID:2488
-
\??\c:\jdvpj.exec:\jdvpj.exe111⤵PID:1380
-
\??\c:\xxrlxrl.exec:\xxrlxrl.exe112⤵PID:4944
-
\??\c:\tbhttb.exec:\tbhttb.exe113⤵PID:3196
-
\??\c:\9tnnbb.exec:\9tnnbb.exe114⤵PID:4436
-
\??\c:\pvdpj.exec:\pvdpj.exe115⤵PID:3632
-
\??\c:\frlfxrf.exec:\frlfxrf.exe116⤵PID:1836
-
\??\c:\7nntbt.exec:\7nntbt.exe117⤵PID:3088
-
\??\c:\pjdpj.exec:\pjdpj.exe118⤵PID:5000
-
\??\c:\lfxrlfr.exec:\lfxrlfr.exe119⤵PID:3432
-
\??\c:\7xrlffx.exec:\7xrlffx.exe120⤵PID:5024
-
\??\c:\tnnhtn.exec:\tnnhtn.exe121⤵PID:4456
-
\??\c:\pjpjd.exec:\pjpjd.exe122⤵PID:4244
-
\??\c:\rlrlfff.exec:\rlrlfff.exe123⤵PID:3108
-
\??\c:\thhtnb.exec:\thhtnb.exe124⤵PID:4940
-
\??\c:\jvdpd.exec:\jvdpd.exe125⤵PID:1204
-
\??\c:\vvdvd.exec:\vvdvd.exe126⤵PID:2508
-
\??\c:\9fxrlxr.exec:\9fxrlxr.exe127⤵PID:2840
-
\??\c:\1nhbtt.exec:\1nhbtt.exe128⤵PID:2532
-
\??\c:\dpvjv.exec:\dpvjv.exe129⤵PID:3144
-
\??\c:\7jpjv.exec:\7jpjv.exe130⤵PID:3080
-
\??\c:\frxrllf.exec:\frxrllf.exe131⤵PID:2904
-
\??\c:\lrrlffr.exec:\lrrlffr.exe132⤵PID:3600
-
\??\c:\tnthbt.exec:\tnthbt.exe133⤵PID:3692
-
\??\c:\pppdv.exec:\pppdv.exe134⤵PID:3172
-
\??\c:\dvpdv.exec:\dvpdv.exe135⤵PID:3644
-
\??\c:\fxrfxrr.exec:\fxrfxrr.exe136⤵PID:4180
-
\??\c:\1hhbnh.exec:\1hhbnh.exe137⤵PID:3588
-
\??\c:\bthbtn.exec:\bthbtn.exe138⤵PID:2064
-
\??\c:\jdjjj.exec:\jdjjj.exe139⤵PID:3048
-
\??\c:\frllfxr.exec:\frllfxr.exe140⤵PID:1564
-
\??\c:\tnhtnn.exec:\tnhtnn.exe141⤵PID:3904
-
\??\c:\vppjd.exec:\vppjd.exe142⤵PID:772
-
\??\c:\dpvpd.exec:\dpvpd.exe143⤵PID:3624
-
\??\c:\1rlxxxr.exec:\1rlxxxr.exe144⤵PID:4344
-
\??\c:\hbttnb.exec:\hbttnb.exe145⤵PID:3968
-
\??\c:\nhnhhh.exec:\nhnhhh.exe146⤵PID:4944
-
\??\c:\1jppj.exec:\1jppj.exe147⤵PID:3184
-
\??\c:\vvdvv.exec:\vvdvv.exe148⤵PID:3148
-
\??\c:\rrfxrff.exec:\rrfxrff.exe149⤵PID:2424
-
\??\c:\bhnhtt.exec:\bhnhtt.exe150⤵PID:2040
-
\??\c:\9nhnhb.exec:\9nhnhb.exe151⤵PID:4744
-
\??\c:\jdpjv.exec:\jdpjv.exe152⤵PID:3564
-
\??\c:\lrxlffx.exec:\lrxlffx.exe153⤵PID:4768
-
\??\c:\1ffrffx.exec:\1ffrffx.exe154⤵PID:4920
-
\??\c:\btnhhh.exec:\btnhhh.exe155⤵PID:3656
-
\??\c:\ppjpd.exec:\ppjpd.exe156⤵PID:4428
-
\??\c:\jvvpj.exec:\jvvpj.exe157⤵PID:4244
-
\??\c:\lflxfrx.exec:\lflxfrx.exe158⤵PID:1276
-
\??\c:\tbtnbt.exec:\tbtnbt.exe159⤵PID:3956
-
\??\c:\bhtnth.exec:\bhtnth.exe160⤵PID:3380
-
\??\c:\5pjvj.exec:\5pjvj.exe161⤵PID:2356
-
\??\c:\xflxfxr.exec:\xflxfxr.exe162⤵PID:2840
-
\??\c:\bbhbtt.exec:\bbhbtt.exe163⤵PID:2532
-
\??\c:\hhhhnn.exec:\hhhhnn.exe164⤵PID:1688
-
\??\c:\vjppj.exec:\vjppj.exe165⤵PID:432
-
\??\c:\xxrrrrx.exec:\xxrrrrx.exe166⤵PID:3640
-
\??\c:\llxrxfl.exec:\llxrxfl.exe167⤵PID:1064
-
\??\c:\thnhbt.exec:\thnhbt.exe168⤵PID:3172
-
\??\c:\jdvpj.exec:\jdvpj.exe169⤵PID:3644
-
\??\c:\5jjdp.exec:\5jjdp.exe170⤵PID:2920
-
\??\c:\xxfrxlx.exec:\xxfrxlx.exe171⤵PID:3588
-
\??\c:\nnhhhh.exec:\nnhhhh.exe172⤵PID:2064
-
\??\c:\jdvpp.exec:\jdvpp.exe173⤵PID:3048
-
\??\c:\fxxlllf.exec:\fxxlllf.exe174⤵PID:1564
-
\??\c:\lfffxxr.exec:\lfffxxr.exe175⤵PID:2196
-
\??\c:\3bhnhb.exec:\3bhnhb.exe176⤵PID:1924
-
\??\c:\vvvpj.exec:\vvvpj.exe177⤵PID:1456
-
\??\c:\9lllffl.exec:\9lllffl.exe178⤵PID:3196
-
\??\c:\1htnbb.exec:\1htnbb.exe179⤵PID:4084
-
\??\c:\nnnhhn.exec:\nnnhhn.exe180⤵PID:3632
-
\??\c:\jvddd.exec:\jvddd.exe181⤵PID:5032
-
\??\c:\ffxrlfx.exec:\ffxrlfx.exe182⤵PID:1012
-
\??\c:\frxrlxl.exec:\frxrlxl.exe183⤵PID:4420
-
\??\c:\tbtthh.exec:\tbtthh.exe184⤵PID:3652
-
\??\c:\vvjjp.exec:\vvjjp.exe185⤵PID:448
-
\??\c:\lxrlfxx.exec:\lxrlfxx.exe186⤵PID:3620
-
\??\c:\lllffff.exec:\lllffff.exe187⤵PID:4888
-
\??\c:\nthbbb.exec:\nthbbb.exe188⤵PID:1800
-
\??\c:\ddpjj.exec:\ddpjj.exe189⤵PID:3084
-
\??\c:\vpvvp.exec:\vpvvp.exe190⤵PID:2764
-
\??\c:\5frrrlx.exec:\5frrrlx.exe191⤵PID:3324
-
\??\c:\bntnbh.exec:\bntnbh.exe192⤵PID:1696
-
\??\c:\vpvpp.exec:\vpvpp.exe193⤵PID:980
-
\??\c:\5flllll.exec:\5flllll.exe194⤵PID:1032
-
\??\c:\3rxlrxf.exec:\3rxlrxf.exe195⤵PID:2164
-
\??\c:\bttnnn.exec:\bttnnn.exe196⤵PID:804
-
\??\c:\pjpdd.exec:\pjpdd.exe197⤵PID:4524
-
\??\c:\xxxrllf.exec:\xxxrllf.exe198⤵PID:2788
-
\??\c:\5flfffx.exec:\5flfffx.exe199⤵PID:4520
-
\??\c:\bnnbtn.exec:\bnnbtn.exe200⤵PID:4364
-
\??\c:\thhthb.exec:\thhthb.exe201⤵PID:1064
-
\??\c:\dvddd.exec:\dvddd.exe202⤵PID:2644
-
\??\c:\lfxrrff.exec:\lfxrrff.exe203⤵PID:1764
-
\??\c:\tnnhbh.exec:\tnnhbh.exe204⤵PID:3644
-
\??\c:\pjpjj.exec:\pjpjj.exe205⤵PID:1508
-
\??\c:\5jvpp.exec:\5jvpp.exe206⤵PID:3588
-
\??\c:\xfrlfff.exec:\xfrlfff.exe207⤵PID:728
-
\??\c:\1bhbhh.exec:\1bhbhh.exe208⤵PID:2612
-
\??\c:\dvdvv.exec:\dvdvv.exe209⤵PID:4684
-
\??\c:\dddvv.exec:\dddvv.exe210⤵PID:3624
-
\??\c:\rlfxrrl.exec:\rlfxrrl.exe211⤵PID:544
-
\??\c:\thhntn.exec:\thhntn.exe212⤵PID:3968
-
\??\c:\ddvvj.exec:\ddvvj.exe213⤵PID:4764
-
\??\c:\xlffxxx.exec:\xlffxxx.exe214⤵PID:5048
-
\??\c:\flrfrfr.exec:\flrfrfr.exe215⤵PID:3148
-
\??\c:\nththb.exec:\nththb.exe216⤵PID:4904
-
\??\c:\pjjdd.exec:\pjjdd.exe217⤵PID:2040
-
\??\c:\flfrffl.exec:\flfrffl.exe218⤵PID:4744
-
\??\c:\hhhntt.exec:\hhhntt.exe219⤵PID:1940
-
\??\c:\7vjdp.exec:\7vjdp.exe220⤵PID:5036
-
\??\c:\jjpvp.exec:\jjpvp.exe221⤵PID:4920
-
\??\c:\xfrlrfr.exec:\xfrlrfr.exe222⤵PID:2692
-
\??\c:\tbbhnn.exec:\tbbhnn.exe223⤵PID:4508
-
\??\c:\vdjdp.exec:\vdjdp.exe224⤵PID:2336
-
\??\c:\dpjdv.exec:\dpjdv.exe225⤵PID:1276
-
\??\c:\rfrrxfl.exec:\rfrrxfl.exe226⤵PID:2332
-
\??\c:\hbthnn.exec:\hbthnn.exe227⤵PID:3100
-
\??\c:\ppdjd.exec:\ppdjd.exe228⤵PID:2568
-
\??\c:\pdjvp.exec:\pdjvp.exe229⤵PID:1132
-
\??\c:\fxrlxrl.exec:\fxrlxrl.exe230⤵PID:372
-
\??\c:\5ntthb.exec:\5ntthb.exe231⤵PID:1308
-
\??\c:\jjpjj.exec:\jjpjj.exe232⤵PID:3600
-
\??\c:\vvppd.exec:\vvppd.exe233⤵PID:2016
-
\??\c:\rfrlfff.exec:\rfrlfff.exe234⤵PID:3472
-
\??\c:\nbhbtt.exec:\nbhbtt.exe235⤵PID:2276
-
\??\c:\dppjv.exec:\dppjv.exe236⤵PID:5084
-
\??\c:\jpjjp.exec:\jpjjp.exe237⤵PID:4484
-
\??\c:\lffxrlx.exec:\lffxrlx.exe238⤵PID:2160
-
\??\c:\tthtnh.exec:\tthtnh.exe239⤵PID:2928
-
\??\c:\jjpjv.exec:\jjpjv.exe240⤵PID:4044
-
\??\c:\3xlxllf.exec:\3xlxllf.exe241⤵PID:1848
-
\??\c:\3xxrxlx.exec:\3xxrxlx.exe242⤵PID:1400