Analysis
-
max time kernel
150s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
arch:x64 arch:x86 image:win7-20240508-en locale:en-us os:windows7-x64 system -
submitted
18/05/2024, 13:09
Behavioral task
behavioral1
Sample
ca1d2998e9a09f24f42f2b8384d46da0_NeikiAnalytics.exe
Resource
win7-20240508-en
5 signatures
150 seconds
General
-
Target
ca1d2998e9a09f24f42f2b8384d46da0_NeikiAnalytics.exe
-
Size
75KB
-
MD5
ca1d2998e9a09f24f42f2b8384d46da0
-
SHA1
2b4df4eaee808482833515c45d8b616e4af53dce
-
SHA256
57de95644933185973a94bb63a3cafc3e2d2ff3202699dd1dae6718c03f3fce4
-
SHA512
ca804848fcb79dcbf34149bd95d72c921a7c7e290fc79248537aea58b653bd6b3dae65e44a6c9e93d0043c9bed3447a33e2ed3fd699efc2ece218ed20b299f9c
-
SSDEEP
1536:9vQBeOGtrYS3srx93UBWfwC6Ggnouy8PbhnyLFWoFLAxZhMDzE8x:9hOmTsF93UYfwC6GIoutz5yLpOSDD
Malware Config
Signatures
-
Detect Blackmoon payload 43 IoCs
resource yara_rule behavioral1/memory/3068-7-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1836-11-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2188-26-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2712-29-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2672-45-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2788-53-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2784-63-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2836-72-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/3060-82-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/3000-99-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2440-108-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2440-107-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1288-134-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1684-144-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1588-153-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/288-161-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2744-170-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2104-179-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1752-197-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2304-206-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1624-215-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral1/memory/1784-266-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2096-280-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2936-296-0x00000000770F0000-0x000000007720F000-memory.dmp family_blackmoon behavioral1/memory/1272-304-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2688-330-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/3016-405-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2428-561-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2208-559-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2256-598-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2272-610-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/3004-678-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1036-752-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1344-802-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2088-921-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/3024-959-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1512-1078-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1952-1140-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/1660-1214-0x00000000002B0000-0x00000000002D7000-memory.dmp family_blackmoon behavioral1/memory/1708-1316-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/1532-1404-0x00000000001B0000-0x00000000001D7000-memory.dmp family_blackmoon behavioral1/memory/1572-1429-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon 
behavioral1/memory/2176-1442-0x0000000000230000-0x0000000000257000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1836 llxfflr.exe 2188 5thhnn.exe 2712 lfrfrrx.exe 2672 9lfrlll.exe 2788 5hhntb.exe 2784 dpjdd.exe 2836 fffxlrf.exe 3060 frlrllx.exe 2540 bbbhnt.exe 3000 vpdpp.exe 2440 rlflrxl.exe 2876 rxrrxrx.exe 2988 thtnnn.exe 1288 jpjdv.exe 1684 ffxrffr.exe 1588 ttntbb.exe 288 1hbhhn.exe 2744 9jvjp.exe 2104 rlflrlx.exe 1300 nhbntb.exe 1752 9tntbb.exe 2304 dvjdp.exe 1624 jvjdj.exe 2916 rlxrlll.exe 1044 tthbth.exe 1512 bthhnn.exe 1340 vjvvv.exe 1780 ddpdp.exe 648 lxllxrr.exe 1784 rlrxffl.exe 2096 bnbhtn.exe 2316 9hnhhh.exe 2120 1pddj.exe 2936 1vdvd.exe 1272 rfrxrrf.exe 2008 ttbtht.exe 2884 jvdpp.exe 2144 vjdjj.exe 2688 1btbtt.exe 2796 3btnnn.exe 2816 7nhhnt.exe 2536 vpvpd.exe 2784 frffxrx.exe 2808 lfrrfxf.exe 2528 ffrfffr.exe 2592 nhtbbt.exe 2540 nbthnb.exe 1928 hbhhhh.exe 2852 vpdjd.exe 3016 7dpvd.exe 2876 pdppj.exe 2988 rllfflr.exe 1496 xlrrllx.exe 1596 7rlrrrr.exe 1600 nhtttt.exe 1588 1bbhhb.exe 2740 vpddp.exe 344 pjvdj.exe 1428 1jvjp.exe 672 7xllxxf.exe 584 xlrrfxr.exe 2016 7rllrxl.exe 292 7hbnnt.exe 2304 5bhhnt.exe -
[Signature heading missing from this extract: the rows that follow are matches of the upx YARA rule on memory dumps and dropped files, not part of "Executes dropped EXE".]
resource yara_rule behavioral1/memory/3068-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/3068-7-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/1836-11-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000a0000000122ec-9.dat upx behavioral1/files/0x0037000000016c7a-17.dat upx behavioral1/files/0x0008000000016d2c-24.dat upx behavioral1/memory/2188-26-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2712-29-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0007000000016d3d-35.dat upx behavioral1/memory/2672-36-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0007000000016d45-43.dat upx behavioral1/memory/2672-45-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0007000000016d4e-54.dat upx behavioral1/memory/2788-53-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2784-63-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0008000000016d65-60.dat upx behavioral1/files/0x0007000000016d69-70.dat upx behavioral1/memory/2836-72-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/3060-73-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00070000000186e6-80.dat upx behavioral1/memory/3060-82-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00050000000186f1-90.dat upx behavioral1/files/0x00050000000186ff-97.dat upx behavioral1/memory/3000-99-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0005000000018739-109.dat upx behavioral1/memory/2440-107-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001873f-117.dat upx behavioral1/files/0x0005000000018787-125.dat upx behavioral1/files/0x000500000001878d-132.dat upx behavioral1/memory/1288-134-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral1/memory/1684-135-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0006000000018bf0-142.dat upx behavioral1/memory/1684-144-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0005000000019228-151.dat upx behavioral1/memory/1588-153-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001923b-160.dat upx behavioral1/memory/288-161-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001925d-168.dat upx behavioral1/memory/2744-170-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0005000000019260-178.dat upx behavioral1/memory/2104-179-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0005000000019275-186.dat upx behavioral1/memory/1752-188-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0005000000019277-198.dat upx behavioral1/memory/1752-197-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0005000000019283-204.dat upx behavioral1/memory/2304-206-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001933a-213.dat upx behavioral1/memory/1624-215-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0005000000019381-222.dat upx behavioral1/memory/1044-224-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001939f-233.dat upx behavioral1/files/0x00050000000193a5-240.dat upx behavioral1/files/0x00050000000193b1-248.dat upx behavioral1/files/0x0005000000019433-256.dat upx behavioral1/files/0x000500000001943e-264.dat upx behavioral1/memory/1784-266-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0005000000019457-273.dat upx behavioral1/memory/2096-280-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0005000000019462-281.dat upx behavioral1/memory/2936-296-0x00000000770F0000-0x000000007720F000-memory.dmp upx 
behavioral1/memory/1272-304-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2688-330-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2852-392-0x0000000000400000-0x0000000000427000-memory.dmp upx -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3068 wrote to memory of 1836 3068 ca1d2998e9a09f24f42f2b8384d46da0_NeikiAnalytics.exe 28 PID 3068 wrote to memory of 1836 3068 ca1d2998e9a09f24f42f2b8384d46da0_NeikiAnalytics.exe 28 PID 3068 wrote to memory of 1836 3068 ca1d2998e9a09f24f42f2b8384d46da0_NeikiAnalytics.exe 28 PID 3068 wrote to memory of 1836 3068 ca1d2998e9a09f24f42f2b8384d46da0_NeikiAnalytics.exe 28 PID 1836 wrote to memory of 2188 1836 llxfflr.exe 29 PID 1836 wrote to memory of 2188 1836 llxfflr.exe 29 PID 1836 wrote to memory of 2188 1836 llxfflr.exe 29 PID 1836 wrote to memory of 2188 1836 llxfflr.exe 29 PID 2188 wrote to memory of 2712 2188 5thhnn.exe 30 PID 2188 wrote to memory of 2712 2188 5thhnn.exe 30 PID 2188 wrote to memory of 2712 2188 5thhnn.exe 30 PID 2188 wrote to memory of 2712 2188 5thhnn.exe 30 PID 2712 wrote to memory of 2672 2712 lfrfrrx.exe 31 PID 2712 wrote to memory of 2672 2712 lfrfrrx.exe 31 PID 2712 wrote to memory of 2672 2712 lfrfrrx.exe 31 PID 2712 wrote to memory of 2672 2712 lfrfrrx.exe 31 PID 2672 wrote to memory of 2788 2672 9lfrlll.exe 32 PID 2672 wrote to memory of 2788 2672 9lfrlll.exe 32 PID 2672 wrote to memory of 2788 2672 9lfrlll.exe 32 PID 2672 wrote to memory of 2788 2672 9lfrlll.exe 32 PID 2788 wrote to memory of 2784 2788 5hhntb.exe 33 PID 2788 wrote to memory of 2784 2788 5hhntb.exe 33 PID 2788 wrote to memory of 2784 2788 5hhntb.exe 33 PID 2788 wrote to memory of 2784 2788 5hhntb.exe 33 PID 2784 wrote to memory of 2836 2784 dpjdd.exe 34 PID 2784 wrote to memory of 2836 2784 dpjdd.exe 34 PID 2784 wrote to memory of 2836 2784 dpjdd.exe 34 PID 2784 wrote to memory of 2836 2784 dpjdd.exe 34 PID 2836 wrote to memory of 3060 2836 fffxlrf.exe 35 PID 2836 wrote to memory of 3060 2836 fffxlrf.exe 35 PID 2836 wrote to memory of 3060 2836 fffxlrf.exe 35 PID 2836 wrote to memory of 3060 2836 fffxlrf.exe 35 PID 3060 wrote to memory of 2540 3060 frlrllx.exe 36 PID 3060 wrote to memory of 2540 3060 frlrllx.exe 36 PID 3060 wrote 
to memory of 2540 3060 frlrllx.exe 36 PID 3060 wrote to memory of 2540 3060 frlrllx.exe 36 PID 2540 wrote to memory of 3000 2540 bbbhnt.exe 37 PID 2540 wrote to memory of 3000 2540 bbbhnt.exe 37 PID 2540 wrote to memory of 3000 2540 bbbhnt.exe 37 PID 2540 wrote to memory of 3000 2540 bbbhnt.exe 37 PID 3000 wrote to memory of 2440 3000 vpdpp.exe 38 PID 3000 wrote to memory of 2440 3000 vpdpp.exe 38 PID 3000 wrote to memory of 2440 3000 vpdpp.exe 38 PID 3000 wrote to memory of 2440 3000 vpdpp.exe 38 PID 2440 wrote to memory of 2876 2440 rlflrxl.exe 39 PID 2440 wrote to memory of 2876 2440 rlflrxl.exe 39 PID 2440 wrote to memory of 2876 2440 rlflrxl.exe 39 PID 2440 wrote to memory of 2876 2440 rlflrxl.exe 39 PID 2876 wrote to memory of 2988 2876 rxrrxrx.exe 40 PID 2876 wrote to memory of 2988 2876 rxrrxrx.exe 40 PID 2876 wrote to memory of 2988 2876 rxrrxrx.exe 40 PID 2876 wrote to memory of 2988 2876 rxrrxrx.exe 40 PID 2988 wrote to memory of 1288 2988 thtnnn.exe 41 PID 2988 wrote to memory of 1288 2988 thtnnn.exe 41 PID 2988 wrote to memory of 1288 2988 thtnnn.exe 41 PID 2988 wrote to memory of 1288 2988 thtnnn.exe 41 PID 1288 wrote to memory of 1684 1288 jpjdv.exe 42 PID 1288 wrote to memory of 1684 1288 jpjdv.exe 42 PID 1288 wrote to memory of 1684 1288 jpjdv.exe 42 PID 1288 wrote to memory of 1684 1288 jpjdv.exe 42 PID 1684 wrote to memory of 1588 1684 ffxrffr.exe 43 PID 1684 wrote to memory of 1588 1684 ffxrffr.exe 43 PID 1684 wrote to memory of 1588 1684 ffxrffr.exe 43 PID 1684 wrote to memory of 1588 1684 ffxrffr.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\ca1d2998e9a09f24f42f2b8384d46da0_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\ca1d2998e9a09f24f42f2b8384d46da0_NeikiAnalytics.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3068 -
\??\c:\llxfflr.exec:\llxfflr.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1836 -
\??\c:\5thhnn.exec:\5thhnn.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2188 -
\??\c:\lfrfrrx.exec:\lfrfrrx.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2712 -
\??\c:\9lfrlll.exec:\9lfrlll.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2672 -
\??\c:\5hhntb.exec:\5hhntb.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2788 -
\??\c:\dpjdd.exec:\dpjdd.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2784 -
\??\c:\fffxlrf.exec:\fffxlrf.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2836 -
\??\c:\frlrllx.exec:\frlrllx.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3060 -
\??\c:\bbbhnt.exec:\bbbhnt.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2540 -
\??\c:\vpdpp.exec:\vpdpp.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3000 -
\??\c:\rlflrxl.exec:\rlflrxl.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2440 -
\??\c:\rxrrxrx.exec:\rxrrxrx.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2876 -
\??\c:\thtnnn.exec:\thtnnn.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2988 -
\??\c:\jpjdv.exec:\jpjdv.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1288 -
\??\c:\ffxrffr.exec:\ffxrffr.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1684 -
\??\c:\ttntbb.exec:\ttntbb.exe17⤵
- Executes dropped EXE
PID:1588 -
\??\c:\1hbhhn.exec:\1hbhhn.exe18⤵
- Executes dropped EXE
PID:288 -
\??\c:\9jvjp.exec:\9jvjp.exe19⤵
- Executes dropped EXE
PID:2744 -
\??\c:\rlflrlx.exec:\rlflrlx.exe20⤵
- Executes dropped EXE
PID:2104 -
\??\c:\nhbntb.exec:\nhbntb.exe21⤵
- Executes dropped EXE
PID:1300 -
\??\c:\9tntbb.exec:\9tntbb.exe22⤵
- Executes dropped EXE
PID:1752 -
\??\c:\dvjdp.exec:\dvjdp.exe23⤵
- Executes dropped EXE
PID:2304 -
\??\c:\jvjdj.exec:\jvjdj.exe24⤵
- Executes dropped EXE
PID:1624 -
\??\c:\rlxrlll.exec:\rlxrlll.exe25⤵
- Executes dropped EXE
PID:2916 -
\??\c:\tthbth.exec:\tthbth.exe26⤵
- Executes dropped EXE
PID:1044 -
\??\c:\bthhnn.exec:\bthhnn.exe27⤵
- Executes dropped EXE
PID:1512 -
\??\c:\vjvvv.exec:\vjvvv.exe28⤵
- Executes dropped EXE
PID:1340 -
\??\c:\ddpdp.exec:\ddpdp.exe29⤵
- Executes dropped EXE
PID:1780 -
\??\c:\lxllxrr.exec:\lxllxrr.exe30⤵
- Executes dropped EXE
PID:648 -
\??\c:\rlrxffl.exec:\rlrxffl.exe31⤵
- Executes dropped EXE
PID:1784 -
\??\c:\bnbhtn.exec:\bnbhtn.exe32⤵
- Executes dropped EXE
PID:2096 -
\??\c:\9hnhhh.exec:\9hnhhh.exe33⤵
- Executes dropped EXE
PID:2316 -
\??\c:\1pddj.exec:\1pddj.exe34⤵
- Executes dropped EXE
PID:2120 -
\??\c:\1vdvd.exec:\1vdvd.exe35⤵
- Executes dropped EXE
PID:2936 -
\??\c:\vjvdj.exec:\vjvdj.exe36⤵PID:2456
-
\??\c:\rfrxrrf.exec:\rfrxrrf.exe37⤵
- Executes dropped EXE
PID:1272 -
\??\c:\ttbtht.exec:\ttbtht.exe38⤵
- Executes dropped EXE
PID:2008 -
\??\c:\jvdpp.exec:\jvdpp.exe39⤵
- Executes dropped EXE
PID:2884 -
\??\c:\vjdjj.exec:\vjdjj.exe40⤵
- Executes dropped EXE
PID:2144 -
\??\c:\1btbtt.exec:\1btbtt.exe41⤵
- Executes dropped EXE
PID:2688 -
\??\c:\3btnnn.exec:\3btnnn.exe42⤵
- Executes dropped EXE
PID:2796 -
\??\c:\7nhhnt.exec:\7nhhnt.exe43⤵
- Executes dropped EXE
PID:2816 -
\??\c:\vpvpd.exec:\vpvpd.exe44⤵
- Executes dropped EXE
PID:2536 -
\??\c:\frffxrx.exec:\frffxrx.exe45⤵
- Executes dropped EXE
PID:2784 -
\??\c:\lfrrfxf.exec:\lfrrfxf.exe46⤵
- Executes dropped EXE
PID:2808 -
\??\c:\ffrfffr.exec:\ffrfffr.exe47⤵
- Executes dropped EXE
PID:2528 -
\??\c:\nhtbbt.exec:\nhtbbt.exe48⤵
- Executes dropped EXE
PID:2592 -
\??\c:\nbthnb.exec:\nbthnb.exe49⤵
- Executes dropped EXE
PID:2540 -
\??\c:\hbhhhh.exec:\hbhhhh.exe50⤵
- Executes dropped EXE
PID:1928 -
\??\c:\vpdjd.exec:\vpdjd.exe51⤵
- Executes dropped EXE
PID:2852 -
\??\c:\7dpvd.exec:\7dpvd.exe52⤵
- Executes dropped EXE
PID:3016 -
\??\c:\pdppj.exec:\pdppj.exe53⤵
- Executes dropped EXE
PID:2876 -
\??\c:\rllfflr.exec:\rllfflr.exe54⤵
- Executes dropped EXE
PID:2988 -
\??\c:\xlrrllx.exec:\xlrrllx.exe55⤵
- Executes dropped EXE
PID:1496 -
\??\c:\7rlrrrr.exec:\7rlrrrr.exe56⤵
- Executes dropped EXE
PID:1596 -
\??\c:\nhtttt.exec:\nhtttt.exe57⤵
- Executes dropped EXE
PID:1600 -
\??\c:\1bbhhb.exec:\1bbhhb.exe58⤵
- Executes dropped EXE
PID:1588 -
\??\c:\vpddp.exec:\vpddp.exe59⤵
- Executes dropped EXE
PID:2740 -
\??\c:\pjvdj.exec:\pjvdj.exe60⤵
- Executes dropped EXE
PID:344 -
\??\c:\1jvjp.exec:\1jvjp.exe61⤵
- Executes dropped EXE
PID:1428 -
\??\c:\7xllxxf.exec:\7xllxxf.exe62⤵
- Executes dropped EXE
PID:672 -
\??\c:\xlrrfxr.exec:\xlrrfxr.exe63⤵
- Executes dropped EXE
PID:584 -
\??\c:\7rllrxl.exec:\7rllrxl.exe64⤵
- Executes dropped EXE
PID:2016 -
\??\c:\7hbnnt.exec:\7hbnnt.exe65⤵
- Executes dropped EXE
PID:292 -
\??\c:\5bhhnt.exec:\5bhhnt.exe66⤵
- Executes dropped EXE
PID:2304 -
\??\c:\jdvvd.exec:\jdvvd.exe67⤵PID:2112
-
\??\c:\vjpvd.exec:\vjpvd.exe68⤵PID:920
-
\??\c:\xrllxxx.exec:\xrllxxx.exe69⤵PID:2484
-
\??\c:\7flfrlx.exec:\7flfrlx.exe70⤵PID:1344
-
\??\c:\hbnthh.exec:\hbnthh.exe71⤵PID:1968
-
\??\c:\lrrfxlf.exec:\lrrfxlf.exe72⤵PID:2708
-
\??\c:\xxfxxrf.exec:\xxfxxrf.exe73⤵PID:692
-
\??\c:\bththh.exec:\bththh.exe74⤵PID:696
-
\??\c:\dvpvj.exec:\dvpvj.exe75⤵PID:1852
-
\??\c:\nnbnbh.exec:\nnbnbh.exe76⤵PID:1020
-
\??\c:\7pvvd.exec:\7pvvd.exe77⤵PID:2208
-
\??\c:\lfrfrxf.exec:\lfrfrxf.exe78⤵PID:2428
-
\??\c:\nbttbb.exec:\nbttbb.exe79⤵PID:1672
-
\??\c:\xxfllxr.exec:\xxfllxr.exe80⤵PID:1016
-
\??\c:\frfrfxf.exec:\frfrfxf.exe81⤵PID:868
-
\??\c:\nhtbnn.exec:\nhtbnn.exe82⤵PID:2380
-
\??\c:\dvpvd.exec:\dvpvd.exe83⤵PID:2844
-
\??\c:\lxrxfrr.exec:\lxrxfrr.exe84⤵PID:2256
-
\??\c:\lfrrflx.exec:\lfrrflx.exe85⤵PID:2272
-
\??\c:\3nhhnt.exec:\3nhhnt.exe86⤵PID:2724
-
\??\c:\pjppd.exec:\pjppd.exe87⤵PID:2828
-
\??\c:\thhtnh.exec:\thhtnh.exe88⤵PID:2656
-
\??\c:\vpvdp.exec:\vpvdp.exe89⤵PID:2088
-
\??\c:\hhthnb.exec:\hhthnb.exe90⤵PID:2700
-
\??\c:\9tthnn.exec:\9tthnn.exe91⤵PID:2644
-
\??\c:\dvjjp.exec:\dvjjp.exe92⤵PID:2548
-
\??\c:\3fxflrx.exec:\3fxflrx.exe93⤵PID:2608
-
\??\c:\ffrfrxl.exec:\ffrfrxl.exe94⤵PID:2064
-
\??\c:\tthtbh.exec:\tthtbh.exe95⤵PID:2236
-
\??\c:\thhnbn.exec:\thhnbn.exe96⤵PID:1948
-
\??\c:\pppdj.exec:\pppdj.exe97⤵PID:3004
-
\??\c:\7dppp.exec:\7dppp.exe98⤵PID:3036
-
\??\c:\xlxxfll.exec:\xlxxfll.exe99⤵PID:296
-
\??\c:\nhbbnt.exec:\nhbbnt.exe100⤵PID:348
-
\??\c:\btnntt.exec:\btnntt.exe101⤵PID:2516
-
\??\c:\pdpvp.exec:\pdpvp.exe102⤵PID:1108
-
\??\c:\dpppp.exec:\dpppp.exe103⤵PID:2760
-
\??\c:\1rlxlrx.exec:\1rlxlrx.exe104⤵PID:2260
-
\??\c:\lfxlxfr.exec:\lfxlxfr.exe105⤵PID:2620
-
\??\c:\5bhhhn.exec:\5bhhhn.exe106⤵PID:1916
-
\??\c:\hbtnth.exec:\hbtnth.exe107⤵PID:1192
-
\??\c:\ppjjj.exec:\ppjjj.exe108⤵PID:1320
-
\??\c:\xrfrxll.exec:\xrfrxll.exe109⤵PID:1036
-
\??\c:\hnbhnt.exec:\hnbhnt.exe110⤵PID:2016
-
\??\c:\jdpvd.exec:\jdpvd.exe111⤵PID:2780
-
\??\c:\vpvdp.exec:\vpvdp.exe112⤵PID:2804
-
\??\c:\jddjj.exec:\jddjj.exe113⤵PID:1256
-
\??\c:\xflllfr.exec:\xflllfr.exe114⤵PID:920
-
\??\c:\tnbthn.exec:\tnbthn.exe115⤵PID:2484
-
\??\c:\1bthtb.exec:\1bthtb.exe116⤵PID:1344
-
\??\c:\dvpvv.exec:\dvpvv.exe117⤵PID:2496
-
\??\c:\rrflrlx.exec:\rrflrlx.exe118⤵PID:1032
-
\??\c:\9bthhn.exec:\9bthhn.exe119⤵PID:604
-
\??\c:\btnbhb.exec:\btnbhb.exe120⤵PID:2308
-
\??\c:\7pdpd.exec:\7pdpd.exe121⤵PID:1152
-
\??\c:\5lfxfxl.exec:\5lfxfxl.exe122⤵PID:2504
-