Analysis
- max time kernel: 150s
- max time network: 114s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 18-05-2024 06:12
Static task
- static1: 1 signatures
Behavioral task
- behavioral1: sample a06522c9fbc48e1159a09b243bed5530_NeikiAnalytics.exe, resource win7-20240508-en (windows7-x64), 5 signatures, 150 seconds
General
- Target: a06522c9fbc48e1159a09b243bed5530_NeikiAnalytics.exe
- Size: 87KB
- MD5: a06522c9fbc48e1159a09b243bed5530
- SHA1: f8494461c7e3efcbdb14ce46d6915e2096e63c56
- SHA256: 6cdb79e0bb4ebe658c2b5052e86d6dde1bc81dca0c9c035f88719b11b97f00e1
- SHA512: a0b6932398b73f0394baf9386322bb911413ac6fa3f3fc1e3843a9ed94e097d83f525a6552f3a99e34dd4535e9aaee9bc60bd8b1a69a44655dd99d733295884a
- SSDEEP: 1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxND+3T4+C2iJvRirE0DmmdL2jqWkBh:ymb3NkkiQ3mdBjF+3TU2iBRioSumWS1H
Malware Config
Signatures
-
Detect Blackmoon payload 23 IoCs
Executes dropped EXE 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\a06522c9fbc48e1159a09b243bed5530_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\a06522c9fbc48e1159a09b243bed5530_NeikiAnalytics.exe"
- Suspicious use of WriteProcessMemory
PID:4356