Analysis
-
max time kernel
150s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system -
submitted
18/05/2024, 12:51
Behavioral task
behavioral1
Sample
c738084076be11dd9dabb3c6995fd400_NeikiAnalytics.exe
Resource
win7-20240508-en
5 signatures
150 seconds
General
-
Target
c738084076be11dd9dabb3c6995fd400_NeikiAnalytics.exe
-
Size
339KB
-
MD5
c738084076be11dd9dabb3c6995fd400
-
SHA1
fb473779e73e2df7b2e10059a4faed7d02a47c49
-
SHA256
f90223599c68033e7923e726c144b175e279ebf548020cf9b0c5705b43c4ff55
-
SHA512
d0929365e892f06fb7c53d20de42f08f7b741e65caf0f3da6dbf5afe65afcda8c1ff392914239bb72086855c027b100e9c001214832ea507efdffda2f51435eb
-
SSDEEP
3072:9hOmTsF93UYfwC6GIoutz5yLpcgDE4JBHNgu5ex1B2OkEv0KvmhNin:9cm4FmowdHoS4BtguSPKyHn
Malware Config
Signatures
-
Detect Blackmoon payload (64 IoCs)
resource yara_rule behavioral2/memory/2928-7-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4092-6-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4764-16-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3652-22-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3216-25-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3676-37-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1908-45-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4368-47-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3820-61-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4632-69-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1296-74-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2096-80-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5104-82-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5084-94-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/764-101-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1160-102-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1076-107-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1524-118-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2204-130-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2864-150-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2632-166-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/5016-177-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3792-184-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2272-187-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4572-194-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1612-196-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4560-200-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3520-207-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/220-209-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/872-223-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1348-230-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5088-237-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3260-244-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/376-246-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1132-252-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3580-257-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2364-261-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1032-269-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/732-282-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4832-286-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4680-305-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2204-312-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/4724-326-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2632-339-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3916-346-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/624-410-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4532-429-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/732-439-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4928-456-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1972-507-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1192-526-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1988-533-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2432-558-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4772-571-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2720-614-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5084-694-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4928-721-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1532-824-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3024-914-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3524-927-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1296-1068-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3024-1158-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1716-1263-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/3040-1308-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon -
Executes dropped EXE (64 IoCs)
pid Process 2928 pvjvj.exe 4764 28426.exe 3652 044260.exe 3216 422802.exe 3768 08842.exe 3676 xlrfxrf.exe 1908 fxfxrlr.exe 4368 2826004.exe 4512 hhbhht.exe 3820 04488.exe 4632 884040.exe 1296 8088884.exe 2096 fxrffll.exe 5104 486666.exe 5084 024860.exe 1160 7flxlxx.exe 764 088648.exe 1076 m2828.exe 5008 2244886.exe 1524 dpdvp.exe 2884 7ddpv.exe 2204 62082.exe 5092 ffxlrll.exe 3960 lxrfffr.exe 2864 ttttnn.exe 880 48886.exe 4644 ffllxxr.exe 5012 w24004.exe 2632 44066.exe 5016 nbthtn.exe 3916 xfxflxl.exe 3792 ppvvp.exe 2272 6464602.exe 4572 k40648.exe 1612 802048.exe 1420 228264.exe 3520 28444.exe 220 3llxlfx.exe 3472 hnnbnn.exe 3152 hbtnbb.exe 872 82860.exe 4116 428204.exe 3620 djjvp.exe 1348 262600.exe 5088 22204.exe 4112 ddpjv.exe 3260 tthhbh.exe 376 djddd.exe 1132 4602228.exe 4632 xffrlfr.exe 3580 9rxfxxx.exe 2364 8848660.exe 2812 rfxrlfx.exe 1032 fflfrfx.exe 1980 hbbnhb.exe 3120 pppjd.exe 1564 jvvjd.exe 732 xxfxrfx.exe 4832 hhnnbt.exe 4436 ntnttn.exe 4720 tnnhnn.exe 1456 hththh.exe 832 vvpjv.exe 3468 2886086.exe -
resource yara_rule behavioral2/memory/4092-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023305-3.dat upx behavioral2/memory/2928-7-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4092-6-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023478-12.dat upx behavioral2/memory/4764-16-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0009000000023471-11.dat upx behavioral2/memory/3652-22-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023479-21.dat upx behavioral2/memory/3216-25-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000700000002347a-27.dat upx behavioral2/files/0x000700000002347c-32.dat upx behavioral2/files/0x000700000002347d-38.dat upx behavioral2/memory/3676-37-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000700000002347e-42.dat upx behavioral2/memory/1908-45-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4368-47-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000700000002347f-49.dat upx behavioral2/files/0x0007000000023480-56.dat upx behavioral2/files/0x0007000000023481-59.dat upx behavioral2/memory/3820-61-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023475-66.dat upx behavioral2/memory/1296-67-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4632-69-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023482-72.dat upx behavioral2/memory/1296-74-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023483-78.dat upx behavioral2/memory/2096-80-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/5104-82-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023484-85.dat upx 
behavioral2/memory/5084-87-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/5084-94-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023485-92.dat upx behavioral2/memory/1160-95-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023486-98.dat upx behavioral2/memory/764-101-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1160-102-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023487-104.dat upx behavioral2/memory/1076-107-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023488-111.dat upx behavioral2/files/0x0007000000023489-115.dat upx behavioral2/memory/1524-118-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000700000002348a-122.dat upx behavioral2/files/0x000700000002348b-127.dat upx behavioral2/memory/2204-130-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000700000002348c-132.dat upx behavioral2/files/0x000700000002348d-137.dat upx behavioral2/files/0x000700000002348e-143.dat upx behavioral2/files/0x000700000002348f-148.dat upx behavioral2/memory/2864-150-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023491-153.dat upx behavioral2/files/0x0007000000023492-160.dat upx behavioral2/files/0x0007000000023493-164.dat upx behavioral2/memory/2632-166-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023494-169.dat upx behavioral2/memory/5016-177-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023495-175.dat upx behavioral2/files/0x0007000000023496-180.dat upx behavioral2/memory/3792-184-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2272-187-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4572-194-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/memory/1612-196-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4560-200-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3520-207-0x0000000000400000-0x0000000000427000-memory.dmp upx -
Suspicious use of WriteProcessMemory (64 IoCs)
description pid Process procid_target PID 4092 wrote to memory of 2928 4092 c738084076be11dd9dabb3c6995fd400_NeikiAnalytics.exe 83 PID 4092 wrote to memory of 2928 4092 c738084076be11dd9dabb3c6995fd400_NeikiAnalytics.exe 83 PID 4092 wrote to memory of 2928 4092 c738084076be11dd9dabb3c6995fd400_NeikiAnalytics.exe 83 PID 2928 wrote to memory of 4764 2928 pvjvj.exe 84 PID 2928 wrote to memory of 4764 2928 pvjvj.exe 84 PID 2928 wrote to memory of 4764 2928 pvjvj.exe 84 PID 4764 wrote to memory of 3652 4764 28426.exe 85 PID 4764 wrote to memory of 3652 4764 28426.exe 85 PID 4764 wrote to memory of 3652 4764 28426.exe 85 PID 3652 wrote to memory of 3216 3652 044260.exe 86 PID 3652 wrote to memory of 3216 3652 044260.exe 86 PID 3652 wrote to memory of 3216 3652 044260.exe 86 PID 3216 wrote to memory of 3768 3216 422802.exe 87 PID 3216 wrote to memory of 3768 3216 422802.exe 87 PID 3216 wrote to memory of 3768 3216 422802.exe 87 PID 3768 wrote to memory of 3676 3768 08842.exe 88 PID 3768 wrote to memory of 3676 3768 08842.exe 88 PID 3768 wrote to memory of 3676 3768 08842.exe 88 PID 3676 wrote to memory of 1908 3676 xlrfxrf.exe 89 PID 3676 wrote to memory of 1908 3676 xlrfxrf.exe 89 PID 3676 wrote to memory of 1908 3676 xlrfxrf.exe 89 PID 1908 wrote to memory of 4368 1908 fxfxrlr.exe 90 PID 1908 wrote to memory of 4368 1908 fxfxrlr.exe 90 PID 1908 wrote to memory of 4368 1908 fxfxrlr.exe 90 PID 4368 wrote to memory of 4512 4368 2826004.exe 91 PID 4368 wrote to memory of 4512 4368 2826004.exe 91 PID 4368 wrote to memory of 4512 4368 2826004.exe 91 PID 4512 wrote to memory of 3820 4512 hhbhht.exe 93 PID 4512 wrote to memory of 3820 4512 hhbhht.exe 93 PID 4512 wrote to memory of 3820 4512 hhbhht.exe 93 PID 3820 wrote to memory of 4632 3820 04488.exe 94 PID 3820 wrote to memory of 4632 3820 04488.exe 94 PID 3820 wrote to memory of 4632 3820 04488.exe 94 PID 4632 wrote to memory of 1296 4632 884040.exe 95 PID 4632 wrote to memory of 1296 4632 884040.exe 95 PID 4632 wrote to 
memory of 1296 4632 884040.exe 95 PID 1296 wrote to memory of 2096 1296 8088884.exe 97 PID 1296 wrote to memory of 2096 1296 8088884.exe 97 PID 1296 wrote to memory of 2096 1296 8088884.exe 97 PID 2096 wrote to memory of 5104 2096 fxrffll.exe 98 PID 2096 wrote to memory of 5104 2096 fxrffll.exe 98 PID 2096 wrote to memory of 5104 2096 fxrffll.exe 98 PID 5104 wrote to memory of 5084 5104 486666.exe 99 PID 5104 wrote to memory of 5084 5104 486666.exe 99 PID 5104 wrote to memory of 5084 5104 486666.exe 99 PID 5084 wrote to memory of 1160 5084 024860.exe 101 PID 5084 wrote to memory of 1160 5084 024860.exe 101 PID 5084 wrote to memory of 1160 5084 024860.exe 101 PID 1160 wrote to memory of 764 1160 7flxlxx.exe 102 PID 1160 wrote to memory of 764 1160 7flxlxx.exe 102 PID 1160 wrote to memory of 764 1160 7flxlxx.exe 102 PID 764 wrote to memory of 1076 764 088648.exe 103 PID 764 wrote to memory of 1076 764 088648.exe 103 PID 764 wrote to memory of 1076 764 088648.exe 103 PID 1076 wrote to memory of 5008 1076 m2828.exe 104 PID 1076 wrote to memory of 5008 1076 m2828.exe 104 PID 1076 wrote to memory of 5008 1076 m2828.exe 104 PID 5008 wrote to memory of 1524 5008 2244886.exe 105 PID 5008 wrote to memory of 1524 5008 2244886.exe 105 PID 5008 wrote to memory of 1524 5008 2244886.exe 105 PID 1524 wrote to memory of 2884 1524 dpdvp.exe 106 PID 1524 wrote to memory of 2884 1524 dpdvp.exe 106 PID 1524 wrote to memory of 2884 1524 dpdvp.exe 106 PID 2884 wrote to memory of 2204 2884 7ddpv.exe 107
Processes
-
C:\Users\Admin\AppData\Local\Temp\c738084076be11dd9dabb3c6995fd400_NeikiAnalytics.exe "C:\Users\Admin\AppData\Local\Temp\c738084076be11dd9dabb3c6995fd400_NeikiAnalytics.exe" 1⤵
- Suspicious use of WriteProcessMemory
PID:4092 -
\??\c:\pvjvj.exec:\pvjvj.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2928 -
\??\c:\28426.exec:\28426.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4764 -
\??\c:\044260.exec:\044260.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3652 -
\??\c:\422802.exec:\422802.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3216 -
\??\c:\08842.exec:\08842.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3768 -
\??\c:\xlrfxrf.exec:\xlrfxrf.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3676 -
\??\c:\fxfxrlr.exec:\fxfxrlr.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1908 -
\??\c:\2826004.exec:\2826004.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4368 -
\??\c:\hhbhht.exec:\hhbhht.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4512 -
\??\c:\04488.exec:\04488.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3820 -
\??\c:\884040.exec:\884040.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4632 -
\??\c:\8088884.exec:\8088884.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1296 -
\??\c:\fxrffll.exec:\fxrffll.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2096 -
\??\c:\486666.exec:\486666.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5104 -
\??\c:\024860.exec:\024860.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5084 -
\??\c:\7flxlxx.exec:\7flxlxx.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1160 -
\??\c:\088648.exec:\088648.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:764 -
\??\c:\m2828.exec:\m2828.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1076 -
\??\c:\2244886.exec:\2244886.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5008 -
\??\c:\dpdvp.exec:\dpdvp.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1524 -
\??\c:\7ddpv.exec:\7ddpv.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2884 -
\??\c:\62082.exec:\62082.exe23⤵
- Executes dropped EXE
PID:2204 -
\??\c:\ffxlrll.exec:\ffxlrll.exe24⤵
- Executes dropped EXE
PID:5092 -
\??\c:\lxrfffr.exec:\lxrfffr.exe25⤵
- Executes dropped EXE
PID:3960 -
\??\c:\ttttnn.exec:\ttttnn.exe26⤵
- Executes dropped EXE
PID:2864 -
\??\c:\48886.exec:\48886.exe27⤵
- Executes dropped EXE
PID:880 -
\??\c:\ffllxxr.exec:\ffllxxr.exe28⤵
- Executes dropped EXE
PID:4644 -
\??\c:\w24004.exec:\w24004.exe29⤵
- Executes dropped EXE
PID:5012 -
\??\c:\44066.exec:\44066.exe30⤵
- Executes dropped EXE
PID:2632 -
\??\c:\nbthtn.exec:\nbthtn.exe31⤵
- Executes dropped EXE
PID:5016 -
\??\c:\xfxflxl.exec:\xfxflxl.exe32⤵
- Executes dropped EXE
PID:3916 -
\??\c:\ppvvp.exec:\ppvvp.exe33⤵
- Executes dropped EXE
PID:3792 -
\??\c:\6464602.exec:\6464602.exe34⤵
- Executes dropped EXE
PID:2272 -
\??\c:\k40648.exec:\k40648.exe35⤵
- Executes dropped EXE
PID:4572 -
\??\c:\802048.exec:\802048.exe36⤵
- Executes dropped EXE
PID:1612 -
\??\c:\tnbnnb.exec:\tnbnnb.exe37⤵PID:4560
-
\??\c:\228264.exec:\228264.exe38⤵
- Executes dropped EXE
PID:1420 -
\??\c:\28444.exec:\28444.exe39⤵
- Executes dropped EXE
PID:3520 -
\??\c:\3llxlfx.exec:\3llxlfx.exe40⤵
- Executes dropped EXE
PID:220 -
\??\c:\hnnbnn.exec:\hnnbnn.exe41⤵
- Executes dropped EXE
PID:3472 -
\??\c:\hbtnbb.exec:\hbtnbb.exe42⤵
- Executes dropped EXE
PID:3152 -
\??\c:\82860.exec:\82860.exe43⤵
- Executes dropped EXE
PID:872 -
\??\c:\428204.exec:\428204.exe44⤵
- Executes dropped EXE
PID:4116 -
\??\c:\djjvp.exec:\djjvp.exe45⤵
- Executes dropped EXE
PID:3620 -
\??\c:\262600.exec:\262600.exe46⤵
- Executes dropped EXE
PID:1348 -
\??\c:\22204.exec:\22204.exe47⤵
- Executes dropped EXE
PID:5088 -
\??\c:\ddpjv.exec:\ddpjv.exe48⤵
- Executes dropped EXE
PID:4112 -
\??\c:\tthhbh.exec:\tthhbh.exe49⤵
- Executes dropped EXE
PID:3260 -
\??\c:\djddd.exec:\djddd.exe50⤵
- Executes dropped EXE
PID:376 -
\??\c:\4602228.exec:\4602228.exe51⤵
- Executes dropped EXE
PID:1132 -
\??\c:\xffrlfr.exec:\xffrlfr.exe52⤵
- Executes dropped EXE
PID:4632 -
\??\c:\9rxfxxx.exec:\9rxfxxx.exe53⤵
- Executes dropped EXE
PID:3580 -
\??\c:\8848660.exec:\8848660.exe54⤵
- Executes dropped EXE
PID:2364 -
\??\c:\rfxrlfx.exec:\rfxrlfx.exe55⤵
- Executes dropped EXE
PID:2812 -
\??\c:\fflfrfx.exec:\fflfrfx.exe56⤵
- Executes dropped EXE
PID:1032 -
\??\c:\hbbnhb.exec:\hbbnhb.exe57⤵
- Executes dropped EXE
PID:1980 -
\??\c:\pppjd.exec:\pppjd.exe58⤵
- Executes dropped EXE
PID:3120 -
\??\c:\jvvjd.exec:\jvvjd.exe59⤵
- Executes dropped EXE
PID:1564 -
\??\c:\xxfxrfx.exec:\xxfxrfx.exe60⤵
- Executes dropped EXE
PID:732 -
\??\c:\hhnnbt.exec:\hhnnbt.exe61⤵
- Executes dropped EXE
PID:4832 -
\??\c:\ntnttn.exec:\ntnttn.exe62⤵
- Executes dropped EXE
PID:4436 -
\??\c:\tnnhnn.exec:\tnnhnn.exe63⤵
- Executes dropped EXE
PID:4720 -
\??\c:\hththh.exec:\hththh.exe64⤵
- Executes dropped EXE
PID:1456 -
\??\c:\vvpjv.exec:\vvpjv.exe65⤵
- Executes dropped EXE
PID:832 -
\??\c:\2886086.exec:\2886086.exe66⤵
- Executes dropped EXE
PID:3468 -
\??\c:\rfxrfxr.exec:\rfxrfxr.exe67⤵PID:4680
-
\??\c:\thnbbb.exec:\thnbbb.exe68⤵PID:3932
-
\??\c:\88082.exec:\88082.exe69⤵PID:2204
-
\??\c:\422640.exec:\422640.exe70⤵PID:1948
-
\??\c:\vppjd.exec:\vppjd.exe71⤵PID:4740
-
\??\c:\20860.exec:\20860.exe72⤵PID:4544
-
\??\c:\9fxlxrf.exec:\9fxlxrf.exe73⤵PID:4724
-
\??\c:\xfxxrll.exec:\xfxxrll.exe74⤵PID:2564
-
\??\c:\044848.exec:\044848.exe75⤵PID:4024
-
\??\c:\2848220.exec:\2848220.exe76⤵PID:3392
-
\??\c:\02680.exec:\02680.exe77⤵PID:2632
-
\??\c:\026426.exec:\026426.exe78⤵PID:4960
-
\??\c:\2626644.exec:\2626644.exe79⤵PID:4748
-
\??\c:\pdjvd.exec:\pdjvd.exe80⤵PID:3916
-
\??\c:\vppjd.exec:\vppjd.exe81⤵PID:1344
-
\??\c:\084226.exec:\084226.exe82⤵PID:2888
-
\??\c:\ddvdv.exec:\ddvdv.exe83⤵PID:620
-
\??\c:\dpdpv.exec:\dpdpv.exe84⤵PID:2324
-
\??\c:\lffxlfx.exec:\lffxlfx.exe85⤵PID:2672
-
\??\c:\jjddp.exec:\jjddp.exe86⤵PID:3548
-
\??\c:\xrxrlfx.exec:\xrxrlfx.exe87⤵PID:2928
-
\??\c:\lflffxf.exec:\lflffxf.exe88⤵PID:4764
-
\??\c:\22864.exec:\22864.exe89⤵PID:220
-
\??\c:\86826.exec:\86826.exe90⤵PID:4480
-
\??\c:\u486482.exec:\u486482.exe91⤵PID:2160
-
\??\c:\nbthtn.exec:\nbthtn.exe92⤵PID:1192
-
\??\c:\rrxxrll.exec:\rrxxrll.exe93⤵PID:2040
-
\??\c:\fxxrllf.exec:\fxxrllf.exe94⤵PID:2148
-
\??\c:\6004804.exec:\6004804.exe95⤵PID:1588
-
\??\c:\dpjvp.exec:\dpjvp.exe96⤵PID:1348
-
\??\c:\xxfrfrl.exec:\xxfrfrl.exe97⤵PID:5088
-
\??\c:\640440.exec:\640440.exe98⤵PID:4996
-
\??\c:\e68822.exec:\e68822.exe99⤵PID:2152
-
\??\c:\rrxxlfx.exec:\rrxxlfx.exe100⤵PID:624
-
\??\c:\8264826.exec:\8264826.exe101⤵PID:4608
-
\??\c:\ttbnbt.exec:\ttbnbt.exe102⤵PID:3580
-
\??\c:\s0082.exec:\s0082.exe103⤵PID:1100
-
\??\c:\dvpdp.exec:\dvpdp.exe104⤵PID:5104
-
\??\c:\ttnhbt.exec:\ttnhbt.exe105⤵PID:1032
-
\??\c:\dvjdp.exec:\dvjdp.exe106⤵PID:4532
-
\??\c:\tbhthh.exec:\tbhthh.exe107⤵PID:4708
-
\??\c:\3fxrrrr.exec:\3fxrrrr.exe108⤵PID:1564
-
\??\c:\tbtnhb.exec:\tbtnhb.exe109⤵PID:732
-
\??\c:\2228662.exec:\2228662.exe110⤵PID:444
-
\??\c:\24002.exec:\24002.exe111⤵PID:2748
-
\??\c:\llfllfx.exec:\llfllfx.exe112⤵PID:4720
-
\??\c:\bnhhbt.exec:\bnhhbt.exe113⤵PID:2704
-
\??\c:\jpvvp.exec:\jpvvp.exe114⤵PID:3028
-
\??\c:\i488248.exec:\i488248.exe115⤵PID:4928
-
\??\c:\nnhbtb.exec:\nnhbtb.exe116⤵PID:3980
-
\??\c:\pjdvj.exec:\pjdvj.exe117⤵PID:3932
-
\??\c:\080626.exec:\080626.exe118⤵PID:2028
-
\??\c:\xxrlxxr.exec:\xxrlxxr.exe119⤵PID:2396
-
\??\c:\dvjjj.exec:\dvjjj.exe120⤵PID:1252
-
\??\c:\jdvvd.exec:\jdvvd.exe121⤵PID:4612
-
\??\c:\w80082.exec:\w80082.exe122⤵PID:4908
-