Analysis
max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 18-05-2024 06:15
Static task
static1: 1 signatures
Behavioral task
behavioral1
Sample: a0ee156c4fcf96a54fbd2daba4e76da0_NeikiAnalytics.exe
Resource: win7-20240221-en (windows7-x64)
5 signatures, 150 seconds
General
Target: a0ee156c4fcf96a54fbd2daba4e76da0_NeikiAnalytics.exe
Size: 277KB
MD5: a0ee156c4fcf96a54fbd2daba4e76da0
SHA1: 999ff00c9f3a42f7d60f8946c67be9f2ad65c494
SHA256: f37cbbc77eecbb6b1eabdc0ca76d4ca098c4b24527db81834d0349b997aa580e
SHA512: a5421622b15051d03f86f8bfc5a2ec72d5cf5b5c84c3e80160fdcc67347311763e6dd00dde8c77cf471dafcca9808b856489f65355b99fcef6388edddd654c27
SSDEEP: 6144:n3C9BRIG0asYFm71m8+GdkB9yMu7VvemQ:n3C9uYA71kSMum
Malware Config
Signatures
-
Detect Blackmoon payload 28 IoCs
yara_rule: family_blackmoon (matched on behavioral2 process memory dumps)
-
Executes dropped EXE 64 IoCs
-
yara_rule: upx (matched on behavioral2 process memory dumps)
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\a0ee156c4fcf96a54fbd2daba4e76da0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\a0ee156c4fcf96a54fbd2daba4e76da0_NeikiAnalytics.exe"
- Suspicious use of WriteProcessMemory
PID:1112