Analysis
-
max time kernel
149s -
max time network
113s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240508-en locale:en-us os:windows10-2004-x64 system -
submitted
18-05-2024 08:02
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
b17f5efdffb7cec96a5ecc30522eb9e0_NeikiAnalytics.exe
Resource
win7-20240508-en
windows7-x64
5 signatures
150 seconds
General
-
Target
b17f5efdffb7cec96a5ecc30522eb9e0_NeikiAnalytics.exe
-
Size
75KB
-
MD5
b17f5efdffb7cec96a5ecc30522eb9e0
-
SHA1
70cc82ab6fcf4f58b8571d7895582a3a39235961
-
SHA256
673a0588285f7297eee1d93a426bed44a8a48b1a4a8d24f525eb89b2c83788ab
-
SHA512
741b96b26733f1dc96b7e473c0a40af7f62c099c798e1aa674e5062d3b79f9420631ddd82edbc7220cfb3e6181019f47c601ac8d344f515b1479da491bf3cf6f
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDIsIpWCz+FR4RzWqC5c:ymb3NkkiQ3mdBjFIsIpZ+R4RzWqCC
Malware Config
Signatures
-
Detect Blackmoon payload 26 IoCs
Executes dropped EXE 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\b17f5efdffb7cec96a5ecc30522eb9e0_NeikiAnalytics.exe "C:\Users\Admin\AppData\Local\Temp\b17f5efdffb7cec96a5ecc30522eb9e0_NeikiAnalytics.exe" 1⤵
- Suspicious use of WriteProcessMemory
PID:880 -