Analysis
-
max time kernel
150s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
arch:x64 arch:x86 image:win7-20240508-en locale:en-us os:windows7-x64 system -
submitted
18-05-2024 06:03
Behavioral task
behavioral1
Sample
9f2785a5f1d54ce2076b7abe60ecce80_NeikiAnalytics.exe
Resource
win7-20240508-en
windows7-x64
5 signatures
150 seconds
General
-
Target
9f2785a5f1d54ce2076b7abe60ecce80_NeikiAnalytics.exe
-
Size
401KB
-
MD5
9f2785a5f1d54ce2076b7abe60ecce80
-
SHA1
fd4de23163219988da79a2f83454358d7644530c
-
SHA256
fa6fef39e618a09d4ba2a432a1cad6be094780948356b9b141060c383bc8b568
-
SHA512
f1f870b8bd820562c5ce8c07a603b6d87d785a1c32c6d2e99d06fc22ef4d545c20aeac13b640ebf6ef8dc05ad913161724dc5fd9fbef54d1c72634ee0cf315c8
-
SSDEEP
6144:kcm4FmowdHoSph3Ymu8wdHoSM05d34iWRbzami32:y4wFHoS3zuxHoSTd34iWRhiG
Malware Config
Signatures
-
Detect Blackmoon payload 34 IoCs
Processes:
resource yara_rule
behavioral1/memory/2184-13-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon
behavioral1/memory/3056-10-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon
behavioral1/memory/2624-33-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon
behavioral1/memory/2256-30-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon
behavioral1/memory/2900-49-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon
behavioral1/memory/2800-58-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon
behavioral1/memory/2824-68-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon
behavioral1/memory/2564-71-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon
behavioral1/memory/2572-95-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon
behavioral1/memory/2580-104-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon
behavioral1/memory/2984-121-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon
behavioral1/memory/3020-129-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon
behavioral1/memory/800-147-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon
behavioral1/memory/1036-180-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon
behavioral1/memory/1776-191-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon
behavioral1/memory/644-214-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon
behavioral1/memory/1844-223-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon
behavioral1/memory/2128-261-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon
behavioral1/memory/1760-259-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon
behavioral1/memory/648-277-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon
behavioral1/memory/2932-295-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon
behavioral1/memory/1532-309-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon
behavioral1/memory/2008-316-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon
behavioral1/memory/2452-323-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon
behavioral1/memory/812-330-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon
behavioral1/memory/2272-356-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon
behavioral1/memory/2684-362-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon
behavioral1/memory/3048-401-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon
behavioral1/memory/1592-421-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon
behavioral1/memory/1496-436-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon
behavioral1/memory/1584-546-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon
behavioral1/memory/696-573-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon
behavioral1/memory/2188-609-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon
behavioral1/memory/2968-999-0x0000000000260000-0x0000000000287000-memory.dmp family_blackmoon
-
Executes dropped EXE 64 IoCs
Processes:
1rxxxfr.exe nnhbnn.exe ddpdp.exe jjpvv.exe pjdjj.exe fxrxffl.exe pjdvj.exe ddpdj.exe ntnnbh.exe rrlrfrf.exe 1hbtbh.exe vvpvv.exe 9ntbnt.exe rlflffx.exe bhtthb.exe lfxxxxx.exe 1pjpv.exe jdjpv.exe bbbtbt.exe dpdvv.exe bbbhnt.exe ppdvd.exe ffxfxrf.exe bnbntt.exe 1lxxrrf.exe hbtbnn.exe dvdjj.exe rrlrfrl.exe dvjjp.exe pppdp.exe bbtttb.exe ddvvd.exe bbttbb.exe jvdpp.exe fxxffrf.exe hbthbb.exe 5dppp.exe fxrfrfr.exe hhtnnn.exe btnhnn.exe 9vdvj.exe xrlfllx.exe nhbbnb.exe 5pdpv.exe 7flrxlr.exe xffxlxr.exe 5hbbnb.exe pjdpd.exe lfxffrf.exe nnhtbb.exe 9nhbhn.exe ddpvp.exe 5rrflrf.exe bbtnhn.exe jdvdv.exe rlllxfl.exe 1rfxrxl.exe 7bnbht.exe ddpvd.exe 9rxfxxf.exe 9lfflrf.exe 9hhhbb.exe pvvpd.exe xxflfrl.exe
pid process
2184 1rxxxfr.exe
2256 nnhbnn.exe
2624 ddpdp.exe
2900 jjpvv.exe
2800 pjdjj.exe
2824 fxrxffl.exe
2564 pjdvj.exe
2576 ddpdj.exe
2572 ntnnbh.exe
2580 rrlrfrf.exe
2236 1hbtbh.exe
2984 vvpvv.exe
3020 9ntbnt.exe
1520 rlflffx.exe
800 bhtthb.exe
2620 lfxxxxx.exe
1392 1pjpv.exe
1316 jdjpv.exe
1036 bbbtbt.exe
2004 dpdvv.exe
1776 bbbhnt.exe
2508 ppdvd.exe
644 ffxfxrf.exe
1844 bnbntt.exe
1556 1lxxrrf.exe
496 hbtbnn.exe
976 dvdjj.exe
1760 rrlrfrl.exe
2128 dvjjp.exe
648 pppdp.exe
2424 bbtttb.exe
2932 ddvvd.exe
1740 bbttbb.exe
1532 jvdpp.exe
2008 fxxffrf.exe
2452 hbthbb.exe
812 5dppp.exe
1564 fxrfrfr.exe
2144 hhtnnn.exe
2688 btnhnn.exe
2272 9vdvj.exe
2684 xrlfllx.exe
1580 nhbbnb.exe
2808 5pdpv.exe
3060 7flrxlr.exe
2532 xffxlxr.exe
2560 5hbbnb.exe
2992 pjdpd.exe
3048 lfxffrf.exe
2852 nnhtbb.exe
1592 9nhbhn.exe
3036 ddpvp.exe
1496 5rrflrf.exe
1684 bbtnhn.exe
1596 jdvdv.exe
348 rlllxfl.exe
824 1rfxrxl.exe
1304 7bnbht.exe
484 ddpvd.exe
1240 9rxfxxf.exe
292 9lfflrf.exe
2076 9hhhbb.exe
2920 pvvpd.exe
1256 xxflfrl.exe
-
Processes:
resource yara_rule behavioral1/memory/3056-0-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\1rxxxfr.exe upx behavioral1/memory/2184-13-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/3056-10-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\nnhbnn.exe upx behavioral1/memory/2256-21-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\ddpdp.exe upx behavioral1/memory/2624-33-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2256-30-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\jjpvv.exe upx C:\pjdjj.exe upx behavioral1/memory/2900-49-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\fxrxffl.exe upx behavioral1/memory/2800-58-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2824-62-0x0000000000220000-0x0000000000247000-memory.dmp upx C:\pjdvj.exe upx behavioral1/memory/2824-68-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2564-71-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\ddpdj.exe upx C:\ntnnbh.exe upx behavioral1/memory/2572-95-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\rrlrfrf.exe upx C:\1hbtbh.exe upx behavioral1/memory/2580-104-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\vvpvv.exe upx C:\9ntbnt.exe upx behavioral1/memory/2984-121-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\rlflffx.exe upx behavioral1/memory/3020-129-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\bhtthb.exe upx C:\lfxxxxx.exe upx behavioral1/memory/800-147-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2620-148-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\1pjpv.exe upx C:\jdjpv.exe upx C:\bbbtbt.exe upx behavioral1/memory/1036-180-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\dpdvv.exe upx C:\bbbhnt.exe upx behavioral1/memory/1776-191-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\ppdvd.exe upx C:\ffxfxrf.exe upx 
behavioral1/memory/644-214-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\bnbntt.exe upx behavioral1/memory/1844-223-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\1lxxrrf.exe upx C:\hbtbnn.exe upx C:\dvdjj.exe upx C:\rrlrfrl.exe upx behavioral1/memory/1760-250-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\dvjjp.exe upx behavioral1/memory/2128-261-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/1760-259-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\pppdp.exe upx C:\bbtttb.exe upx behavioral1/memory/648-277-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2932-287-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\ddvvd.exe upx behavioral1/memory/2932-295-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/1532-302-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/1532-309-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2008-316-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2452-323-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/812-330-0x0000000000400000-0x0000000000427000-memory.dmp upx -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
9f2785a5f1d54ce2076b7abe60ecce80_NeikiAnalytics.exe 1rxxxfr.exe nnhbnn.exe ddpdp.exe jjpvv.exe pjdjj.exe fxrxffl.exe pjdvj.exe ddpdj.exe ntnnbh.exe rrlrfrf.exe 1hbtbh.exe vvpvv.exe 9ntbnt.exe rlflffx.exe bhtthb.exe
description pid process target process
PID 3056 wrote to memory of 2184 3056 9f2785a5f1d54ce2076b7abe60ecce80_NeikiAnalytics.exe 1rxxxfr.exe
PID 3056 wrote to memory of 2184 3056 9f2785a5f1d54ce2076b7abe60ecce80_NeikiAnalytics.exe 1rxxxfr.exe
PID 3056 wrote to memory of 2184 3056 9f2785a5f1d54ce2076b7abe60ecce80_NeikiAnalytics.exe 1rxxxfr.exe
PID 3056 wrote to memory of 2184 3056 9f2785a5f1d54ce2076b7abe60ecce80_NeikiAnalytics.exe 1rxxxfr.exe
PID 2184 wrote to memory of 2256 2184 1rxxxfr.exe nnhbnn.exe
PID 2184 wrote to memory of 2256 2184 1rxxxfr.exe nnhbnn.exe
PID 2184 wrote to memory of 2256 2184 1rxxxfr.exe nnhbnn.exe
PID 2184 wrote to memory of 2256 2184 1rxxxfr.exe nnhbnn.exe
PID 2256 wrote to memory of 2624 2256 nnhbnn.exe ddpdp.exe
PID 2256 wrote to memory of 2624 2256 nnhbnn.exe ddpdp.exe
PID 2256 wrote to memory of 2624 2256 nnhbnn.exe ddpdp.exe
PID 2256 wrote to memory of 2624 2256 nnhbnn.exe ddpdp.exe
PID 2624 wrote to memory of 2900 2624 ddpdp.exe jjpvv.exe
PID 2624 wrote to memory of 2900 2624 ddpdp.exe jjpvv.exe
PID 2624 wrote to memory of 2900 2624 ddpdp.exe jjpvv.exe
PID 2624 wrote to memory of 2900 2624 ddpdp.exe jjpvv.exe
PID 2900 wrote to memory of 2800 2900 jjpvv.exe pjdjj.exe
PID 2900 wrote to memory of 2800 2900 jjpvv.exe pjdjj.exe
PID 2900 wrote to memory of 2800 2900 jjpvv.exe pjdjj.exe
PID 2900 wrote to memory of 2800 2900 jjpvv.exe pjdjj.exe
PID 2800 wrote to memory of 2824 2800 pjdjj.exe fxrxffl.exe
PID 2800 wrote to memory of 2824 2800 pjdjj.exe fxrxffl.exe
PID 2800 wrote to memory of 2824 2800 pjdjj.exe fxrxffl.exe
PID 2800 wrote to memory of 2824 2800 pjdjj.exe fxrxffl.exe
PID 2824 wrote to memory of 2564 2824 fxrxffl.exe pjdvj.exe
PID 2824 wrote to memory of 2564 2824 fxrxffl.exe pjdvj.exe
PID 2824 wrote to memory of 2564 2824 fxrxffl.exe pjdvj.exe
PID 2824 wrote to memory of 2564 2824 fxrxffl.exe pjdvj.exe
PID 2564 wrote to memory of 2576 2564 pjdvj.exe ddpdj.exe
PID 2564 wrote to memory of 2576 2564 pjdvj.exe ddpdj.exe
PID 2564 wrote to memory of 2576 2564 pjdvj.exe ddpdj.exe
PID 2564 wrote to memory of 2576 2564 pjdvj.exe ddpdj.exe
PID 2576 wrote to memory of 2572 2576 ddpdj.exe ntnnbh.exe
PID 2576 wrote to memory of 2572 2576 ddpdj.exe ntnnbh.exe
PID 2576 wrote to memory of 2572 2576 ddpdj.exe ntnnbh.exe
PID 2576 wrote to memory of 2572 2576 ddpdj.exe ntnnbh.exe
PID 2572 wrote to memory of 2580 2572 ntnnbh.exe rrlrfrf.exe
PID 2572 wrote to memory of 2580 2572 ntnnbh.exe rrlrfrf.exe
PID 2572 wrote to memory of 2580 2572 ntnnbh.exe rrlrfrf.exe
PID 2572 wrote to memory of 2580 2572 ntnnbh.exe rrlrfrf.exe
PID 2580 wrote to memory of 2236 2580 rrlrfrf.exe 1hbtbh.exe
PID 2580 wrote to memory of 2236 2580 rrlrfrf.exe 1hbtbh.exe
PID 2580 wrote to memory of 2236 2580 rrlrfrf.exe 1hbtbh.exe
PID 2580 wrote to memory of 2236 2580 rrlrfrf.exe 1hbtbh.exe
PID 2236 wrote to memory of 2984 2236 1hbtbh.exe vvpvv.exe
PID 2236 wrote to memory of 2984 2236 1hbtbh.exe vvpvv.exe
PID 2236 wrote to memory of 2984 2236 1hbtbh.exe vvpvv.exe
PID 2236 wrote to memory of 2984 2236 1hbtbh.exe vvpvv.exe
PID 2984 wrote to memory of 3020 2984 vvpvv.exe 9ntbnt.exe
PID 2984 wrote to memory of 3020 2984 vvpvv.exe 9ntbnt.exe
PID 2984 wrote to memory of 3020 2984 vvpvv.exe 9ntbnt.exe
PID 2984 wrote to memory of 3020 2984 vvpvv.exe 9ntbnt.exe
PID 3020 wrote to memory of 1520 3020 9ntbnt.exe rlflffx.exe
PID 3020 wrote to memory of 1520 3020 9ntbnt.exe rlflffx.exe
PID 3020 wrote to memory of 1520 3020 9ntbnt.exe rlflffx.exe
PID 3020 wrote to memory of 1520 3020 9ntbnt.exe rlflffx.exe
PID 1520 wrote to memory of 800 1520 rlflffx.exe bhtthb.exe
PID 1520 wrote to memory of 800 1520 rlflffx.exe bhtthb.exe
PID 1520 wrote to memory of 800 1520 rlflffx.exe bhtthb.exe
PID 1520 wrote to memory of 800 1520 rlflffx.exe bhtthb.exe
PID 800 wrote to memory of 2620 800 bhtthb.exe lfxxxxx.exe
PID 800 wrote to memory of 2620 800 bhtthb.exe lfxxxxx.exe
PID 800 wrote to memory of 2620 800 bhtthb.exe lfxxxxx.exe
PID 800 wrote to memory of 2620 800 bhtthb.exe lfxxxxx.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\9f2785a5f1d54ce2076b7abe60ecce80_NeikiAnalytics.exe "C:\Users\Admin\AppData\Local\Temp\9f2785a5f1d54ce2076b7abe60ecce80_NeikiAnalytics.exe" 1⤵
- Suspicious use of WriteProcessMemory
PID:3056 -
\??\c:\1rxxxfr.exec:\1rxxxfr.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2184 -
\??\c:\nnhbnn.exec:\nnhbnn.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2256 -
\??\c:\ddpdp.exec:\ddpdp.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2624 -
\??\c:\jjpvv.exec:\jjpvv.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2900 -
\??\c:\pjdjj.exec:\pjdjj.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2800 -
\??\c:\fxrxffl.exec:\fxrxffl.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2824 -
\??\c:\pjdvj.exec:\pjdvj.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2564 -
\??\c:\ddpdj.exec:\ddpdj.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2576 -
\??\c:\ntnnbh.exec:\ntnnbh.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2572 -
\??\c:\rrlrfrf.exec:\rrlrfrf.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2580 -
\??\c:\1hbtbh.exec:\1hbtbh.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2236 -
\??\c:\vvpvv.exec:\vvpvv.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2984 -
\??\c:\9ntbnt.exec:\9ntbnt.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3020 -
\??\c:\rlflffx.exec:\rlflffx.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1520 -
\??\c:\bhtthb.exec:\bhtthb.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:800 -
\??\c:\lfxxxxx.exec:\lfxxxxx.exe17⤵
- Executes dropped EXE
PID:2620 -
\??\c:\1pjpv.exec:\1pjpv.exe18⤵
- Executes dropped EXE
PID:1392 -
\??\c:\jdjpv.exec:\jdjpv.exe19⤵
- Executes dropped EXE
PID:1316 -
\??\c:\bbbtbt.exec:\bbbtbt.exe20⤵
- Executes dropped EXE
PID:1036 -
\??\c:\dpdvv.exec:\dpdvv.exe21⤵
- Executes dropped EXE
PID:2004 -
\??\c:\bbbhnt.exec:\bbbhnt.exe22⤵
- Executes dropped EXE
PID:1776 -
\??\c:\ppdvd.exec:\ppdvd.exe23⤵
- Executes dropped EXE
PID:2508 -
\??\c:\ffxfxrf.exec:\ffxfxrf.exe24⤵
- Executes dropped EXE
PID:644 -
\??\c:\bnbntt.exec:\bnbntt.exe25⤵
- Executes dropped EXE
PID:1844 -
\??\c:\1lxxrrf.exec:\1lxxrrf.exe26⤵
- Executes dropped EXE
PID:1556 -
\??\c:\hbtbnn.exec:\hbtbnn.exe27⤵
- Executes dropped EXE
PID:496 -
\??\c:\dvdjj.exec:\dvdjj.exe28⤵
- Executes dropped EXE
PID:976 -
\??\c:\rrlrfrl.exec:\rrlrfrl.exe29⤵
- Executes dropped EXE
PID:1760 -
\??\c:\dvjjp.exec:\dvjjp.exe30⤵
- Executes dropped EXE
PID:2128 -
\??\c:\pppdp.exec:\pppdp.exe31⤵
- Executes dropped EXE
PID:648 -
\??\c:\bbtttb.exec:\bbtttb.exe32⤵
- Executes dropped EXE
PID:2424 -
\??\c:\ddvvd.exec:\ddvvd.exe33⤵
- Executes dropped EXE
PID:2932 -
\??\c:\bbttbb.exec:\bbttbb.exe34⤵
- Executes dropped EXE
PID:1740 -
\??\c:\jvdpp.exec:\jvdpp.exe35⤵
- Executes dropped EXE
PID:1532 -
\??\c:\fxxffrf.exec:\fxxffrf.exe36⤵
- Executes dropped EXE
PID:2008 -
\??\c:\hbthbb.exec:\hbthbb.exe37⤵
- Executes dropped EXE
PID:2452 -
\??\c:\5dppp.exec:\5dppp.exe38⤵
- Executes dropped EXE
PID:812 -
\??\c:\fxrfrfr.exec:\fxrfrfr.exe39⤵
- Executes dropped EXE
PID:1564 -
\??\c:\hhtnnn.exec:\hhtnnn.exe40⤵
- Executes dropped EXE
PID:2144 -
\??\c:\btnhnn.exec:\btnhnn.exe41⤵
- Executes dropped EXE
PID:2688 -
\??\c:\9vdvj.exec:\9vdvj.exe42⤵
- Executes dropped EXE
PID:2272 -
\??\c:\xrlfllx.exec:\xrlfllx.exe43⤵
- Executes dropped EXE
PID:2684 -
\??\c:\nhbbnb.exec:\nhbbnb.exe44⤵
- Executes dropped EXE
PID:1580 -
\??\c:\5pdpv.exec:\5pdpv.exe45⤵
- Executes dropped EXE
PID:2808 -
\??\c:\7flrxlr.exec:\7flrxlr.exe46⤵
- Executes dropped EXE
PID:3060 -
\??\c:\xffxlxr.exec:\xffxlxr.exe47⤵
- Executes dropped EXE
PID:2532 -
\??\c:\5hbbnb.exec:\5hbbnb.exe48⤵
- Executes dropped EXE
PID:2560 -
\??\c:\pjdpd.exec:\pjdpd.exe49⤵
- Executes dropped EXE
PID:2992 -
\??\c:\lfxffrf.exec:\lfxffrf.exe50⤵
- Executes dropped EXE
PID:3048 -
\??\c:\nnhtbb.exec:\nnhtbb.exe51⤵
- Executes dropped EXE
PID:2852 -
\??\c:\9nhbhn.exec:\9nhbhn.exe52⤵
- Executes dropped EXE
PID:1592 -
\??\c:\ddpvp.exec:\ddpvp.exe53⤵
- Executes dropped EXE
PID:3036 -
\??\c:\5rrflrf.exec:\5rrflrf.exe54⤵
- Executes dropped EXE
PID:1496 -
\??\c:\bbtnhn.exec:\bbtnhn.exe55⤵
- Executes dropped EXE
PID:1684 -
\??\c:\jdvdv.exec:\jdvdv.exe56⤵
- Executes dropped EXE
PID:1596 -
\??\c:\rlllxfl.exec:\rlllxfl.exe57⤵
- Executes dropped EXE
PID:348 -
\??\c:\1rfxrxl.exec:\1rfxrxl.exe58⤵
- Executes dropped EXE
PID:824 -
\??\c:\7bnbht.exec:\7bnbht.exe59⤵
- Executes dropped EXE
PID:1304 -
\??\c:\ddpvd.exec:\ddpvd.exe60⤵
- Executes dropped EXE
PID:484 -
\??\c:\9rxfxxf.exec:\9rxfxxf.exe61⤵
- Executes dropped EXE
PID:1240 -
\??\c:\9lfflrf.exec:\9lfflrf.exe62⤵
- Executes dropped EXE
PID:292 -
\??\c:\9hhhbb.exec:\9hhhbb.exe63⤵
- Executes dropped EXE
PID:2076 -
\??\c:\pvvpd.exec:\pvvpd.exe64⤵
- Executes dropped EXE
PID:2920 -
\??\c:\xxflfrl.exec:\xxflfrl.exe65⤵
- Executes dropped EXE
PID:1256 -
\??\c:\ntntbn.exec:\ntntbn.exe66⤵PID:2472
-
\??\c:\1thtnn.exec:\1thtnn.exe67⤵PID:2280
-
\??\c:\ddvdj.exec:\ddvdj.exe68⤵PID:1844
-
\??\c:\lrxlfrf.exec:\lrxlfrf.exe69⤵PID:1604
-
\??\c:\tttbhn.exec:\tttbhn.exe70⤵PID:1748
-
\??\c:\bnthhh.exec:\bnthhh.exe71⤵PID:1968
-
\??\c:\jjdjv.exec:\jjdjv.exe72⤵PID:1584
-
\??\c:\rxxrlrr.exec:\rxxrlrr.exe73⤵PID:1780
-
\??\c:\fxxlxfl.exec:\fxxlxfl.exe74⤵PID:956
-
\??\c:\9hhbnt.exec:\9hhbnt.exe75⤵PID:696
-
\??\c:\vdpvj.exec:\vdpvj.exe76⤵PID:1860
-
\??\c:\frxrllr.exec:\frxrllr.exe77⤵PID:2308
-
\??\c:\nhbbnt.exec:\nhbbnt.exe78⤵PID:2432
-
\??\c:\5dvpp.exec:\5dvpp.exe79⤵PID:1944
-
\??\c:\9jvpp.exec:\9jvpp.exe80⤵PID:2936
-
\??\c:\fxrxfxf.exec:\fxrxfxf.exe81⤵PID:1952
-
\??\c:\5hbhnn.exec:\5hbhnn.exe82⤵PID:2188
-
\??\c:\9bnhbh.exec:\9bnhbh.exe83⤵PID:1568
-
\??\c:\ppjpv.exec:\ppjpv.exe84⤵PID:2884
-
\??\c:\3lxxlxf.exec:\3lxxlxf.exe85⤵PID:1564
-
\??\c:\rlrrlrl.exec:\rlrrlrl.exe86⤵PID:2144
-
\??\c:\tthtnt.exec:\tthtnt.exe87⤵PID:2688
-
\??\c:\dvjpp.exec:\dvjpp.exe88⤵PID:2272
-
\??\c:\9vjdj.exec:\9vjdj.exe89⤵PID:2904
-
\??\c:\7fflxff.exec:\7fflxff.exe90⤵PID:2536
-
\??\c:\5tnhtb.exec:\5tnhtb.exe91⤵PID:888
-
\??\c:\bbtbnt.exec:\bbtbnt.exe92⤵PID:2564
-
\??\c:\dvjpv.exec:\dvjpv.exe93⤵PID:2644
-
\??\c:\7rrrffr.exec:\7rrrffr.exe94⤵PID:2652
-
\??\c:\llflxlf.exec:\llflxlf.exe95⤵PID:3044
-
\??\c:\hththn.exec:\hththn.exe96⤵PID:2580
-
\??\c:\9vpdj.exec:\9vpdj.exe97⤵PID:3024
-
\??\c:\xrfllrl.exec:\xrfllrl.exe98⤵PID:3012
-
\??\c:\9xrxrll.exec:\9xrxrll.exe99⤵PID:1288
-
\??\c:\bttbhn.exec:\bttbhn.exe100⤵PID:900
-
\??\c:\bbtbbh.exec:\bbtbbh.exe101⤵PID:1548
-
\??\c:\3jddj.exec:\3jddj.exe102⤵PID:1500
-
\??\c:\xffxffr.exec:\xffxffr.exe103⤵PID:2104
-
\??\c:\7xrlrrf.exec:\7xrlrrf.exe104⤵PID:2100
-
\??\c:\btnbth.exec:\btnbth.exe105⤵PID:824
-
\??\c:\7vdpv.exec:\7vdpv.exe106⤵PID:1220
-
\??\c:\9vvjj.exec:\9vvjj.exe107⤵PID:2092
-
\??\c:\fxrrflr.exec:\fxrrflr.exe108⤵PID:2116
-
\??\c:\nnhtnh.exec:\nnhtnh.exe109⤵PID:2480
-
\??\c:\nhbhnt.exec:\nhbhnt.exe110⤵PID:1776
-
\??\c:\pjjjv.exec:\pjjjv.exe111⤵PID:1248
-
\??\c:\ffxxfxr.exec:\ffxxfxr.exe112⤵PID:1620
-
\??\c:\fllrffl.exec:\fllrffl.exe113⤵PID:2472
-
\??\c:\hbtbhn.exec:\hbtbhn.exe114⤵PID:2280
-
\??\c:\hbbnbn.exec:\hbbnbn.exe115⤵PID:1556
-
\??\c:\pppdj.exec:\pppdj.exe116⤵PID:1348
-
\??\c:\ttnthb.exec:\ttnthb.exe117⤵PID:1764
-
\??\c:\jjvjd.exec:\jjvjd.exe118⤵PID:1040
-
\??\c:\rrrxlxr.exec:\rrrxlxr.exe119⤵PID:1760
-
\??\c:\hbthnb.exec:\hbthnb.exe120⤵PID:2128
-
\??\c:\ddpvp.exec:\ddpvp.exe121⤵PID:1020
-
\??\c:\xrllxfr.exec:\xrllxfr.exe122⤵PID:696
-
\??\c:\7hhnbn.exec:\7hhnbn.exe123⤵PID:2424
-
\??\c:\pjdvd.exec:\pjdvd.exe124⤵PID:2096
-
\??\c:\dpddd.exec:\dpddd.exe125⤵PID:2940
-
\??\c:\rllxxfr.exec:\rllxxfr.exe126⤵PID:1672
-
\??\c:\ntnnbt.exec:\ntnnbt.exe127⤵PID:2224
-
\??\c:\bbtbnh.exec:\bbtbnh.exe128⤵PID:2168
-
\??\c:\9pppv.exec:\9pppv.exe129⤵PID:1692
-
\??\c:\5rxxxxf.exec:\5rxxxxf.exe130⤵PID:2844
-
\??\c:\lfxlrxx.exec:\lfxlrxx.exe131⤵PID:2360
-
\??\c:\nhtbhb.exec:\nhtbhb.exe132⤵PID:1276
-
\??\c:\vpjdd.exec:\vpjdd.exe133⤵PID:2732
-
\??\c:\5ddjp.exec:\5ddjp.exe134⤵PID:2788
-
\??\c:\3xllrrr.exec:\3xllrrr.exe135⤵PID:2648
-
\??\c:\btnntb.exec:\btnntb.exe136⤵PID:2748
-
\??\c:\btnbbb.exec:\btnbbb.exe137⤵PID:1580
-
\??\c:\9pppv.exec:\9pppv.exe138⤵PID:2524
-
\??\c:\dvjdj.exec:\dvjdj.exe139⤵PID:2552
-
\??\c:\7xxrxxl.exec:\7xxrxxl.exe140⤵PID:2644
-
\??\c:\nhtnnh.exec:\nhtnnh.exe141⤵PID:2652
-
\??\c:\pppvd.exec:\pppvd.exe142⤵PID:2872
-
\??\c:\llflrxl.exec:\llflrxl.exe143⤵PID:2968
-
\??\c:\7rxlffr.exec:\7rxlffr.exe144⤵PID:1592
-
\??\c:\nnnbhh.exec:\nnnbhh.exe145⤵PID:1360
-
\??\c:\pjdjj.exec:\pjdjj.exe146⤵PID:2416
-
\??\c:\9xffflr.exec:\9xffflr.exe147⤵PID:1652
-
\??\c:\flfrxxx.exec:\flfrxxx.exe148⤵PID:1440
-
\??\c:\9ntbtb.exec:\9ntbtb.exe149⤵PID:1500
-
\??\c:\dvjpv.exec:\dvjpv.exe150⤵PID:2104
-
\??\c:\pdvjj.exec:\pdvjj.exe151⤵PID:2100
-
\??\c:\xrffllx.exec:\xrffllx.exe152⤵PID:776
-
\??\c:\nttnnb.exec:\nttnnb.exe153⤵PID:1676
-
\??\c:\nhnbbn.exec:\nhnbbn.exe154⤵PID:2512
-
\??\c:\pjdpv.exec:\pjdpv.exe155⤵PID:1996
-
\??\c:\fxlrxrx.exec:\fxlrxrx.exe156⤵PID:2480
-
\??\c:\tttbnb.exec:\tttbnb.exe157⤵PID:1472
-
\??\c:\7nhnbn.exec:\7nhnbn.exe158⤵PID:2628
-
\??\c:\jjdpd.exec:\jjdpd.exe159⤵PID:1620
-
\??\c:\9fxrxfr.exec:\9fxrxfr.exe160⤵PID:2328
-
\??\c:\rlfxflx.exec:\rlfxflx.exe161⤵PID:2280
-
\??\c:\3tnthn.exec:\3tnthn.exe162⤵PID:1344
-
\??\c:\9ddpd.exec:\9ddpd.exe163⤵PID:1332
-
\??\c:\3vppv.exec:\3vppv.exe164⤵PID:692
-
\??\c:\xllrxfx.exec:\xllrxfx.exe165⤵PID:1920
-
\??\c:\bhtbhn.exec:\bhtbhn.exe166⤵PID:1632
-
\??\c:\9nhnnb.exec:\9nhnnb.exe167⤵PID:2296
-
\??\c:\jpppv.exec:\jpppv.exe168⤵PID:840
-
\??\c:\5ffflxx.exec:\5ffflxx.exe169⤵PID:2400
-
\??\c:\9lffllr.exec:\9lffllr.exe170⤵PID:2428
-
\??\c:\1bhnnb.exec:\1bhnnb.exe171⤵PID:1648
-
\??\c:\9pvjv.exec:\9pvjv.exe172⤵PID:2932
-
\??\c:\pppvj.exec:\pppvj.exe173⤵PID:2120
-
\??\c:\lfxxxfr.exec:\lfxxxfr.exe174⤵PID:2008
-
\??\c:\9tnnnt.exec:\9tnnnt.exe175⤵PID:2184
-
\??\c:\nnnnhh.exec:\nnnnhh.exe176⤵PID:2228
-
\??\c:\pvpvj.exec:\pvpvj.exe177⤵PID:2268
-
\??\c:\llrrxff.exec:\llrrxff.exe178⤵PID:2712
-
\??\c:\1lffflr.exec:\1lffflr.exe179⤵PID:2148
-
\??\c:\7hbttt.exec:\7hbttt.exe180⤵PID:2284
-
\??\c:\1vvdp.exec:\1vvdp.exe181⤵PID:2728
-
\??\c:\1lrxxfr.exec:\1lrxxfr.exe182⤵PID:2068
-
\??\c:\xrrrffl.exec:\xrrrffl.exe183⤵PID:2692
-
\??\c:\5hhbhh.exec:\5hhbhh.exe184⤵PID:2704
-
\??\c:\vdvjd.exec:\vdvjd.exe185⤵PID:2832
-
\??\c:\ffxfxfr.exec:\ffxfxfr.exe186⤵PID:2548
-
\??\c:\rlrfflf.exec:\rlrfflf.exe187⤵PID:2556
-
\??\c:\7bhhbh.exec:\7bhhbh.exe188⤵PID:2340
-
\??\c:\vppdp.exec:\vppdp.exe189⤵PID:2856
-
\??\c:\vpdpd.exec:\vpdpd.exe190⤵PID:2880
-
\??\c:\7xlxfxx.exec:\7xlxfxx.exe191⤵PID:2980
-
\??\c:\bthnbh.exec:\bthnbh.exe192⤵PID:3008
-
\??\c:\7bhbbb.exec:\7bhbbb.exe193⤵PID:2864
-
\??\c:\jdpdj.exec:\jdpdj.exe194⤵PID:1520
-
\??\c:\5frxffl.exec:\5frxffl.exe195⤵PID:1588
-
\??\c:\1lflxxr.exec:\1lflxxr.exe196⤵PID:1916
-
\??\c:\nnhbth.exec:\nnhbth.exe197⤵PID:348
-
\??\c:\3jjjj.exec:\3jjjj.exe198⤵PID:1724
-
\??\c:\dpdjv.exec:\dpdjv.exe199⤵PID:852
-
\??\c:\7fllxfl.exec:\7fllxfl.exe200⤵PID:484
-
\??\c:\7nbbtb.exec:\7nbbtb.exe201⤵PID:564
-
\??\c:\3jvpd.exec:\3jvpd.exe202⤵PID:2056
-
\??\c:\jvppj.exec:\jvppj.exe203⤵PID:2512
-
\??\c:\3xrflrx.exec:\3xrflrx.exe204⤵PID:1996
-
\??\c:\rlxrxfx.exec:\rlxrxfx.exe205⤵PID:1776
-
\??\c:\1btbnn.exec:\1btbnn.exe206⤵PID:1472
-
\??\c:\vppvj.exec:\vppvj.exe207⤵PID:872
-
\??\c:\xllxlxr.exec:\xllxlxr.exe208⤵PID:2484
-
\??\c:\hbtbbn.exec:\hbtbbn.exe209⤵PID:832
-
\??\c:\bttthn.exec:\bttthn.exe210⤵PID:2072
-
\??\c:\dpddv.exec:\dpddv.exe211⤵PID:1768
-
\??\c:\rrxfflf.exec:\rrxfflf.exe212⤵PID:1028
-
\??\c:\3nhhbh.exec:\3nhhbh.exe213⤵PID:1764
-
\??\c:\ntbttt.exec:\ntbttt.exe214⤵PID:1328
-
\??\c:\dvjpv.exec:\dvjpv.exe215⤵PID:892
-
\??\c:\llfrfrl.exec:\llfrfrl.exe216⤵PID:2296
-
\??\c:\hbnttt.exec:\hbnttt.exe217⤵PID:840
-
\??\c:\jdjdp.exec:\jdjdp.exe218⤵PID:1860
-
\??\c:\dvdvd.exec:\dvdvd.exe219⤵PID:316
-
\??\c:\1lxrxrx.exec:\1lxrxrx.exe220⤵PID:876
-
\??\c:\7tthnn.exec:\7tthnn.exe221⤵PID:2192
-
\??\c:\nnhbnb.exec:\nnhbnb.exe222⤵PID:2888
-
\??\c:\jdvpv.exec:\jdvpv.exe223⤵PID:1572
-
\??\c:\rrrxllx.exec:\rrrxllx.exe224⤵PID:2184
-
\??\c:\rrrrlrr.exec:\rrrrlrr.exe225⤵PID:2292
-
\??\c:\btnntn.exec:\btnntn.exe226⤵PID:2716
-
\??\c:\ddvjd.exec:\ddvjd.exe227⤵PID:2040
-
\??\c:\jjddp.exec:\jjddp.exe228⤵PID:2792
-
\??\c:\1lfxxfl.exec:\1lfxxfl.exe229⤵PID:2256
-
\??\c:\tthnhh.exec:\tthnhh.exe230⤵PID:2272
-
\??\c:\9btbth.exec:\9btbth.exe231⤵PID:2648
-
\??\c:\jjjjv.exec:\jjjjv.exe232⤵PID:2748
-
\??\c:\3xrrxfx.exec:\3xrrxfx.exe233⤵PID:2540
-
\??\c:\5nhbhb.exec:\5nhbhb.exe234⤵PID:2604
-
\??\c:\9nthth.exec:\9nthth.exe235⤵PID:2552
-
\??\c:\jdvvp.exec:\jdvvp.exe236⤵PID:2556
-
\??\c:\dpjjp.exec:\dpjjp.exe237⤵PID:2340
-
\??\c:\rxflxfr.exec:\rxflxfr.exe238⤵PID:2856
-
\??\c:\bthnbh.exec:\bthnbh.exe239⤵PID:2984
-
\??\c:\ttnnhn.exec:\ttnnhn.exe240⤵PID:2988
-
\??\c:\7pdvv.exec:\7pdvv.exe241⤵PID:2236
-
\??\c:\fxrrffr.exec:\fxrrffr.exe242⤵PID:1592