Analysis
-
max time kernel
150s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
arch:x64 arch:x86 image:win7-20240508-en locale:en-us os:windows7-x64 system -
submitted
18/05/2024, 13:51
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
d1a30917bc65b7aeac930e6a3678ba50_NeikiAnalytics.exe
Resource
win7-20240508-en
5 signatures
150 seconds
General
-
Target
d1a30917bc65b7aeac930e6a3678ba50_NeikiAnalytics.exe
-
Size
184KB
-
MD5
d1a30917bc65b7aeac930e6a3678ba50
-
SHA1
68994ca2fa7fef8a279a47109f5d46a6dc19fda3
-
SHA256
6b100678459d0d58ce2d3ede4cb29a2d8cd6db587601d30b8ab904ee41eb8f89
-
SHA512
9f23cfa712e2851c1af0bdf78f42bfd3d2aa5034ce643191bb49cd2272ddce05d508765523647d05b79da89d8d9fb60fed8791fc4e7c0ade3005a61c5ee2f2dd
-
SSDEEP
1536:PvQBeOGtrYSSsrc93UBIfdC67m6AJiqgT4+EMdbSG:PhOm2sI93UufdC67ciJTWMdbz
Malware Config
Signatures
-
Detect Blackmoon payload 48 IoCs
resource yara_rule behavioral1/memory/2400-1-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/3052-16-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2668-28-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2172-54-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2436-45-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2628-63-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2900-87-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/1488-104-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/540-121-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/1336-140-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/1532-142-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/1336-138-0x0000000000220000-0x0000000000249000-memory.dmp family_blackmoon behavioral1/memory/480-160-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/1068-168-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/1128-178-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2780-198-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/1564-194-0x0000000000220000-0x0000000000249000-memory.dmp family_blackmoon behavioral1/memory/1676-231-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/1712-228-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/888-252-0x0000000000220000-0x0000000000249000-memory.dmp family_blackmoon behavioral1/memory/676-265-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon 
behavioral1/memory/2940-286-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2512-295-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2540-334-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2484-359-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/1484-392-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/1904-413-0x0000000000220000-0x0000000000249000-memory.dmp family_blackmoon behavioral1/memory/2404-426-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/620-471-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2188-498-0x0000000000220000-0x0000000000249000-memory.dmp family_blackmoon behavioral1/memory/1276-524-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/980-568-0x00000000002B0000-0x00000000002D9000-memory.dmp family_blackmoon behavioral1/memory/3052-599-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2556-612-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2564-625-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2592-627-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2472-646-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2440-659-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/1848-684-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2776-759-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2752-1017-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2804-1097-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon 
behavioral1/memory/2956-1168-0x00000000001B0000-0x00000000001D9000-memory.dmp family_blackmoon behavioral1/memory/2956-1167-0x00000000001B0000-0x00000000001D9000-memory.dmp family_blackmoon behavioral1/memory/1472-1233-0x0000000000220000-0x0000000000249000-memory.dmp family_blackmoon behavioral1/memory/1472-1232-0x0000000000220000-0x0000000000249000-memory.dmp family_blackmoon behavioral1/memory/2008-1328-0x0000000000220000-0x0000000000249000-memory.dmp family_blackmoon behavioral1/memory/932-1347-0x0000000000220000-0x0000000000249000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 3052 fxlrffr.exe 2524 nhbntt.exe 2668 ddddj.exe 2584 9dppd.exe 2436 fxrrfrf.exe 2172 nhbntb.exe 2628 nbnhhn.exe 2440 jjjdd.exe 2968 ffrxlrl.exe 2900 fllrxll.exe 1488 hhttht.exe 1828 vdjjp.exe 540 xxrfrxl.exe 1864 7nnbnb.exe 1336 ppdpd.exe 1532 9nhthb.exe 1912 vpvdd.exe 480 lxllxxx.exe 1068 lllrxlf.exe 1128 hbbnbn.exe 1564 jjdjd.exe 2780 thnhhh.exe 1032 nnbntb.exe 2264 xxrlxlr.exe 1712 xlffrrr.exe 1676 btnntt.exe 2872 9vdvj.exe 888 nhtbnh.exe 676 vddpp.exe 2052 lfrxffr.exe 2940 xxrfxxf.exe 1420 vjvjj.exe 2512 xrlrxxl.exe 2360 jjdjp.exe 2796 fxffffr.exe 1252 btnthh.exe 2712 5thbhh.exe 2540 jpjpv.exe 2312 pjppv.exe 2720 5lfflfr.exe 2664 nhttbb.exe 2484 pjpvp.exe 2472 pjjdv.exe 2440 xxlxxxx.exe 2888 xxrlffx.exe 1612 nbnntb.exe 1484 jpdpv.exe 1832 5vvjd.exe 1444 llrxlxl.exe 1904 lfxllrl.exe 540 bthtth.exe 2404 dvvvd.exe 1664 xffxxfl.exe 1616 hbbhhn.exe 2100 nnntnt.exe 652 jdvjd.exe 480 ddvpp.exe 1256 llxrfrr.exe 620 btntbn.exe 1128 7hhnnt.exe 1668 1jvdd.exe 2380 rxxfflf.exe 2188 hhnbhn.exe 1032 hbtbbh.exe -
Memory dumps matching yara rule upx (UPX-packed; the signature heading is missing from this capture, and these rows are not part of the "Executes dropped EXE" table above)
resource yara_rule behavioral1/memory/2400-1-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/3052-16-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2668-28-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2172-54-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2436-45-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2628-63-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2900-87-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1488-95-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1488-104-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/540-121-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1336-140-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1532-142-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/480-160-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1068-168-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1128-178-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2780-198-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1676-231-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1712-228-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2872-239-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/676-265-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2940-276-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2940-286-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2512-295-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2796-307-0x0000000000400000-0x0000000000429000-memory.dmp upx 
behavioral1/memory/2712-321-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2540-334-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2484-359-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1612-379-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1484-392-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2404-426-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/480-452-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/620-471-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2380-484-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1276-524-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/996-531-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/3052-599-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2556-612-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2564-625-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2592-627-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2472-646-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2440-659-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1848-684-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2776-751-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2776-759-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2020-772-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2856-841-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2524-873-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2956-880-0x0000000000400000-0x0000000000429000-memory.dmp upx 
behavioral1/memory/2732-905-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2260-936-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1392-1004-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2752-1017-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2916-1084-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2804-1097-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2504-1212-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1472-1225-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1472-1232-0x0000000000220000-0x0000000000249000-memory.dmp upx behavioral1/memory/1708-1246-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/372-1253-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/620-1302-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1180-1373-0x0000000000400000-0x0000000000429000-memory.dmp upx -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2400 wrote to memory of 3052 2400 d1a30917bc65b7aeac930e6a3678ba50_NeikiAnalytics.exe 28 PID 2400 wrote to memory of 3052 2400 d1a30917bc65b7aeac930e6a3678ba50_NeikiAnalytics.exe 28 PID 2400 wrote to memory of 3052 2400 d1a30917bc65b7aeac930e6a3678ba50_NeikiAnalytics.exe 28 PID 2400 wrote to memory of 3052 2400 d1a30917bc65b7aeac930e6a3678ba50_NeikiAnalytics.exe 28 PID 3052 wrote to memory of 2524 3052 fxlrffr.exe 29 PID 3052 wrote to memory of 2524 3052 fxlrffr.exe 29 PID 3052 wrote to memory of 2524 3052 fxlrffr.exe 29 PID 3052 wrote to memory of 2524 3052 fxlrffr.exe 29 PID 2524 wrote to memory of 2668 2524 nhbntt.exe 30 PID 2524 wrote to memory of 2668 2524 nhbntt.exe 30 PID 2524 wrote to memory of 2668 2524 nhbntt.exe 30 PID 2524 wrote to memory of 2668 2524 nhbntt.exe 30 PID 2668 wrote to memory of 2584 2668 ddddj.exe 31 PID 2668 wrote to memory of 2584 2668 ddddj.exe 31 PID 2668 wrote to memory of 2584 2668 ddddj.exe 31 PID 2668 wrote to memory of 2584 2668 ddddj.exe 31 PID 2584 wrote to memory of 2436 2584 9dppd.exe 32 PID 2584 wrote to memory of 2436 2584 9dppd.exe 32 PID 2584 wrote to memory of 2436 2584 9dppd.exe 32 PID 2584 wrote to memory of 2436 2584 9dppd.exe 32 PID 2436 wrote to memory of 2172 2436 fxrrfrf.exe 33 PID 2436 wrote to memory of 2172 2436 fxrrfrf.exe 33 PID 2436 wrote to memory of 2172 2436 fxrrfrf.exe 33 PID 2436 wrote to memory of 2172 2436 fxrrfrf.exe 33 PID 2172 wrote to memory of 2628 2172 nhbntb.exe 34 PID 2172 wrote to memory of 2628 2172 nhbntb.exe 34 PID 2172 wrote to memory of 2628 2172 nhbntb.exe 34 PID 2172 wrote to memory of 2628 2172 nhbntb.exe 34 PID 2628 wrote to memory of 2440 2628 nbnhhn.exe 35 PID 2628 wrote to memory of 2440 2628 nbnhhn.exe 35 PID 2628 wrote to memory of 2440 2628 nbnhhn.exe 35 PID 2628 wrote to memory of 2440 2628 nbnhhn.exe 35 PID 2440 wrote to memory of 2968 2440 jjjdd.exe 36 PID 2440 wrote to memory of 2968 2440 jjjdd.exe 36 PID 2440 wrote to memory of 
2968 2440 jjjdd.exe 36 PID 2440 wrote to memory of 2968 2440 jjjdd.exe 36 PID 2968 wrote to memory of 2900 2968 ffrxlrl.exe 37 PID 2968 wrote to memory of 2900 2968 ffrxlrl.exe 37 PID 2968 wrote to memory of 2900 2968 ffrxlrl.exe 37 PID 2968 wrote to memory of 2900 2968 ffrxlrl.exe 37 PID 2900 wrote to memory of 1488 2900 fllrxll.exe 38 PID 2900 wrote to memory of 1488 2900 fllrxll.exe 38 PID 2900 wrote to memory of 1488 2900 fllrxll.exe 38 PID 2900 wrote to memory of 1488 2900 fllrxll.exe 38 PID 1488 wrote to memory of 1828 1488 hhttht.exe 39 PID 1488 wrote to memory of 1828 1488 hhttht.exe 39 PID 1488 wrote to memory of 1828 1488 hhttht.exe 39 PID 1488 wrote to memory of 1828 1488 hhttht.exe 39 PID 1828 wrote to memory of 540 1828 vdjjp.exe 40 PID 1828 wrote to memory of 540 1828 vdjjp.exe 40 PID 1828 wrote to memory of 540 1828 vdjjp.exe 40 PID 1828 wrote to memory of 540 1828 vdjjp.exe 40 PID 540 wrote to memory of 1864 540 xxrfrxl.exe 41 PID 540 wrote to memory of 1864 540 xxrfrxl.exe 41 PID 540 wrote to memory of 1864 540 xxrfrxl.exe 41 PID 540 wrote to memory of 1864 540 xxrfrxl.exe 41 PID 1864 wrote to memory of 1336 1864 7nnbnb.exe 42 PID 1864 wrote to memory of 1336 1864 7nnbnb.exe 42 PID 1864 wrote to memory of 1336 1864 7nnbnb.exe 42 PID 1864 wrote to memory of 1336 1864 7nnbnb.exe 42 PID 1336 wrote to memory of 1532 1336 ppdpd.exe 43 PID 1336 wrote to memory of 1532 1336 ppdpd.exe 43 PID 1336 wrote to memory of 1532 1336 ppdpd.exe 43 PID 1336 wrote to memory of 1532 1336 ppdpd.exe 43
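Processes
Each entry below runs three fields together without separators: the image path, the command line, and the depth in the process tree (for example `\??\c:\fxlrffr.exe`, `c:\fxlrffr.exe`, depth 2). The signatures that fired for that process and its PID follow on the next lines.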
-
C:\Users\Admin\AppData\Local\Temp\d1a30917bc65b7aeac930e6a3678ba50_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\d1a30917bc65b7aeac930e6a3678ba50_NeikiAnalytics.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2400 -
\??\c:\fxlrffr.exec:\fxlrffr.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3052 -
\??\c:\nhbntt.exec:\nhbntt.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2524 -
\??\c:\ddddj.exec:\ddddj.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2668 -
\??\c:\9dppd.exec:\9dppd.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2584 -
\??\c:\fxrrfrf.exec:\fxrrfrf.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2436 -
\??\c:\nhbntb.exec:\nhbntb.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2172 -
\??\c:\nbnhhn.exec:\nbnhhn.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2628 -
\??\c:\jjjdd.exec:\jjjdd.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2440 -
\??\c:\ffrxlrl.exec:\ffrxlrl.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2968 -
\??\c:\fllrxll.exec:\fllrxll.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2900 -
\??\c:\hhttht.exec:\hhttht.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1488 -
\??\c:\vdjjp.exec:\vdjjp.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1828 -
\??\c:\xxrfrxl.exec:\xxrfrxl.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:540 -
\??\c:\7nnbnb.exec:\7nnbnb.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1864 -
\??\c:\ppdpd.exec:\ppdpd.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1336 -
\??\c:\9nhthb.exec:\9nhthb.exe17⤵
- Executes dropped EXE
PID:1532 -
\??\c:\vpvdd.exec:\vpvdd.exe18⤵
- Executes dropped EXE
PID:1912 -
\??\c:\lxllxxx.exec:\lxllxxx.exe19⤵
- Executes dropped EXE
PID:480 -
\??\c:\lllrxlf.exec:\lllrxlf.exe20⤵
- Executes dropped EXE
PID:1068 -
\??\c:\hbbnbn.exec:\hbbnbn.exe21⤵
- Executes dropped EXE
PID:1128 -
\??\c:\jjdjd.exec:\jjdjd.exe22⤵
- Executes dropped EXE
PID:1564 -
\??\c:\thnhhh.exec:\thnhhh.exe23⤵
- Executes dropped EXE
PID:2780 -
\??\c:\nnbntb.exec:\nnbntb.exe24⤵
- Executes dropped EXE
PID:1032 -
\??\c:\xxrlxlr.exec:\xxrlxlr.exe25⤵
- Executes dropped EXE
PID:2264 -
\??\c:\xlffrrr.exec:\xlffrrr.exe26⤵
- Executes dropped EXE
PID:1712 -
\??\c:\btnntt.exec:\btnntt.exe27⤵
- Executes dropped EXE
PID:1676 -
\??\c:\9vdvj.exec:\9vdvj.exe28⤵
- Executes dropped EXE
PID:2872 -
\??\c:\nhtbnh.exec:\nhtbnh.exe29⤵
- Executes dropped EXE
PID:888 -
\??\c:\vddpp.exec:\vddpp.exe30⤵
- Executes dropped EXE
PID:676 -
\??\c:\lfrxffr.exec:\lfrxffr.exe31⤵
- Executes dropped EXE
PID:2052 -
\??\c:\xxrfxxf.exec:\xxrfxxf.exe32⤵
- Executes dropped EXE
PID:2940 -
\??\c:\vjvjj.exec:\vjvjj.exe33⤵
- Executes dropped EXE
PID:1420 -
\??\c:\xrlrxxl.exec:\xrlrxxl.exe34⤵
- Executes dropped EXE
PID:2512 -
\??\c:\jjdjp.exec:\jjdjp.exe35⤵
- Executes dropped EXE
PID:2360 -
\??\c:\fxffffr.exec:\fxffffr.exe36⤵
- Executes dropped EXE
PID:2796 -
\??\c:\btnthh.exec:\btnthh.exe37⤵
- Executes dropped EXE
PID:1252 -
\??\c:\5thbhh.exec:\5thbhh.exe38⤵
- Executes dropped EXE
PID:2712 -
\??\c:\jpjpv.exec:\jpjpv.exe39⤵
- Executes dropped EXE
PID:2540 -
\??\c:\pjppv.exec:\pjppv.exe40⤵
- Executes dropped EXE
PID:2312 -
\??\c:\5lfflfr.exec:\5lfflfr.exe41⤵
- Executes dropped EXE
PID:2720 -
\??\c:\nhttbb.exec:\nhttbb.exe42⤵
- Executes dropped EXE
PID:2664 -
\??\c:\pjpvp.exec:\pjpvp.exe43⤵
- Executes dropped EXE
PID:2484 -
\??\c:\pjjdv.exec:\pjjdv.exe44⤵
- Executes dropped EXE
PID:2472 -
\??\c:\xxlxxxx.exec:\xxlxxxx.exe45⤵
- Executes dropped EXE
PID:2440 -
\??\c:\xxrlffx.exec:\xxrlffx.exe46⤵
- Executes dropped EXE
PID:2888 -
\??\c:\nbnntb.exec:\nbnntb.exe47⤵
- Executes dropped EXE
PID:1612 -
\??\c:\jpdpv.exec:\jpdpv.exe48⤵
- Executes dropped EXE
PID:1484 -
\??\c:\5vvjd.exec:\5vvjd.exe49⤵
- Executes dropped EXE
PID:1832 -
\??\c:\llrxlxl.exec:\llrxlxl.exe50⤵
- Executes dropped EXE
PID:1444 -
\??\c:\lfxllrl.exec:\lfxllrl.exe51⤵
- Executes dropped EXE
PID:1904 -
\??\c:\bthtth.exec:\bthtth.exe52⤵
- Executes dropped EXE
PID:540 -
\??\c:\dvvvd.exec:\dvvvd.exe53⤵
- Executes dropped EXE
PID:2404 -
\??\c:\xffxxfl.exec:\xffxxfl.exe54⤵
- Executes dropped EXE
PID:1664 -
\??\c:\hbbhhn.exec:\hbbhhn.exe55⤵
- Executes dropped EXE
PID:1616 -
\??\c:\nnntnt.exec:\nnntnt.exe56⤵
- Executes dropped EXE
PID:2100 -
\??\c:\jdvjd.exec:\jdvjd.exe57⤵
- Executes dropped EXE
PID:652 -
\??\c:\ddvpp.exec:\ddvpp.exe58⤵
- Executes dropped EXE
PID:480 -
\??\c:\llxrfrr.exec:\llxrfrr.exe59⤵
- Executes dropped EXE
PID:1256 -
\??\c:\btntbn.exec:\btntbn.exe60⤵
- Executes dropped EXE
PID:620 -
\??\c:\7hhnnt.exec:\7hhnnt.exe61⤵
- Executes dropped EXE
PID:1128 -
\??\c:\1jvdd.exec:\1jvdd.exe62⤵
- Executes dropped EXE
PID:1668 -
\??\c:\rxxfflf.exec:\rxxfflf.exe63⤵
- Executes dropped EXE
PID:2380 -
\??\c:\hhnbhn.exec:\hhnbhn.exe64⤵
- Executes dropped EXE
PID:2188 -
\??\c:\hbtbbh.exec:\hbtbbh.exe65⤵
- Executes dropped EXE
PID:1032 -
\??\c:\jddjv.exec:\jddjv.exe66⤵PID:2144
-
\??\c:\rlflffr.exec:\rlflffr.exe67⤵PID:1952
-
\??\c:\ffrxrxl.exec:\ffrxrxl.exe68⤵PID:1276
-
\??\c:\btbbtb.exec:\btbbtb.exe69⤵PID:2336
-
\??\c:\pjjpv.exec:\pjjpv.exe70⤵PID:996
-
\??\c:\jppdd.exec:\jppdd.exe71⤵PID:3000
-
\??\c:\lfrxllr.exec:\lfrxllr.exe72⤵PID:1512
-
\??\c:\rlxlrrx.exec:\rlxlrrx.exe73⤵PID:1980
-
\??\c:\btntnn.exec:\btntnn.exe74⤵PID:560
-
\??\c:\jdvjp.exec:\jdvjp.exe75⤵PID:980
-
\??\c:\ffrxllx.exec:\ffrxllx.exe76⤵PID:2128
-
\??\c:\lrxrlxl.exec:\lrxrlxl.exe77⤵PID:824
-
\??\c:\tnhnbb.exec:\tnhnbb.exe78⤵PID:2512
-
\??\c:\3hnnbt.exec:\3hnnbt.exe79⤵PID:2360
-
\??\c:\9pjvp.exec:\9pjvp.exe80⤵PID:3052
-
\??\c:\7vpdj.exec:\7vpdj.exe81⤵PID:1252
-
\??\c:\fxlrlrf.exec:\fxlrlrf.exe82⤵PID:2556
-
\??\c:\ttnbbh.exec:\ttnbbh.exe83⤵PID:2584
-
\??\c:\5tnhnt.exec:\5tnhnt.exe84⤵PID:2564
-
\??\c:\jdddj.exec:\jdddj.exe85⤵PID:2592
-
\??\c:\jpvpv.exec:\jpvpv.exe86⤵PID:2464
-
\??\c:\xxfxlxl.exec:\xxfxlxl.exe87⤵PID:2432
-
\??\c:\nhbhnt.exec:\nhbhnt.exe88⤵PID:2472
-
\??\c:\1ddvd.exec:\1ddvd.exe89⤵PID:2440
-
\??\c:\jpvpd.exec:\jpvpd.exe90⤵PID:2428
-
\??\c:\rllrxfx.exec:\rllrxfx.exe91⤵PID:1612
-
\??\c:\9rxxlrf.exec:\9rxxlrf.exe92⤵PID:1484
-
\??\c:\ttthht.exec:\ttthht.exe93⤵PID:2500
-
\??\c:\hhhbnb.exec:\hhhbnb.exe94⤵PID:1848
-
\??\c:\jdvjv.exec:\jdvjv.exe95⤵PID:1884
-
\??\c:\3llrflx.exec:\3llrflx.exe96⤵PID:1632
-
\??\c:\rllxrfl.exec:\rllxrfl.exe97⤵PID:1568
-
\??\c:\3nbhtb.exec:\3nbhtb.exe98⤵PID:1696
-
\??\c:\nthtbt.exec:\nthtbt.exe99⤵PID:752
-
\??\c:\1vppd.exec:\1vppd.exe100⤵PID:1876
-
\??\c:\fflxxll.exec:\fflxxll.exe101⤵PID:264
-
\??\c:\xrlfrfl.exec:\xrlfrfl.exe102⤵PID:2752
-
\??\c:\nntbtn.exec:\nntbtn.exe103⤵PID:2744
-
\??\c:\nbhbbh.exec:\nbhbbh.exe104⤵PID:832
-
\??\c:\vpvdv.exec:\vpvdv.exe105⤵PID:2776
-
\??\c:\pjjpd.exec:\pjjpd.exe106⤵PID:1128
-
\??\c:\xrrxrlf.exec:\xrrxrlf.exe107⤵PID:2232
-
\??\c:\nhbbtb.exec:\nhbbtb.exe108⤵PID:2020
-
\??\c:\pjvjv.exec:\pjvjv.exe109⤵PID:1388
-
\??\c:\jjddd.exec:\jjddd.exe110⤵PID:2748
-
\??\c:\lfrflxx.exec:\lfrflxx.exe111⤵PID:1796
-
\??\c:\3lxlrrf.exec:\3lxlrrf.exe112⤵PID:1452
-
\??\c:\9tnthh.exec:\9tnthh.exe113⤵PID:1276
-
\??\c:\ntttbn.exec:\ntttbn.exe114⤵PID:352
-
\??\c:\7ppdj.exec:\7ppdj.exe115⤵PID:2872
-
\??\c:\3jdvd.exec:\3jdvd.exe116⤵PID:3000
-
\??\c:\xrlrfrf.exec:\xrlrfrf.exe117⤵PID:2908
-
\??\c:\nbntnn.exec:\nbntnn.exe118⤵PID:1920
-
\??\c:\1hhbnt.exec:\1hhbnt.exe119⤵PID:2856
-
\??\c:\vjddv.exec:\vjddv.exe120⤵PID:1224
-
\??\c:\xrrfllf.exec:\xrrfllf.exe121⤵PID:1964
-
\??\c:\9rrfrxl.exec:\9rrfrxl.exe122⤵PID:1480
-