Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240508-en locale:en-us os:windows10-2004-x64 system -
submitted
18/05/2024, 13:09
Behavioral task
behavioral1
Sample
ca1d2998e9a09f24f42f2b8384d46da0_NeikiAnalytics.exe
Resource
win7-20240508-en
5 signatures
150 seconds
General
-
Target
ca1d2998e9a09f24f42f2b8384d46da0_NeikiAnalytics.exe
-
Size
75KB
-
MD5
ca1d2998e9a09f24f42f2b8384d46da0
-
SHA1
2b4df4eaee808482833515c45d8b616e4af53dce
-
SHA256
57de95644933185973a94bb63a3cafc3e2d2ff3202699dd1dae6718c03f3fce4
-
SHA512
ca804848fcb79dcbf34149bd95d72c921a7c7e290fc79248537aea58b653bd6b3dae65e44a6c9e93d0043c9bed3447a33e2ed3fd699efc2ece218ed20b299f9c
-
SSDEEP
1536:9vQBeOGtrYS3srx93UBWfwC6Ggnouy8PbhnyLFWoFLAxZhMDzE8x:9hOmTsF93UYfwC6GIoutz5yLpOSDD
Malware Config
Signatures
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/1388-6-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1908-12-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4236-15-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/724-27-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1260-25-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5036-37-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4160-39-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2584-46-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4336-51-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3176-55-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3164-63-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3524-77-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3484-82-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2684-88-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3980-95-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3948-104-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4832-109-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2156-116-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4752-127-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3144-133-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/764-139-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/2596-144-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5044-151-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3724-161-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4576-167-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1672-174-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2116-188-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1088-194-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3136-203-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2712-207-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1100-211-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2216-218-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4828-222-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/548-235-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3800-239-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4568-242-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2876-246-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2336-253-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4592-267-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2396-269-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4976-276-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1828-282-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/2212-291-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1220-301-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2868-317-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2972-325-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4532-369-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3552-376-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2332-389-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2744-399-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4360-412-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2324-428-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4880-445-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2356-474-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2924-486-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/944-520-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4896-701-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/324-862-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3060-916-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2180-987-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4268-1103-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2304-1329-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3576-1348-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/4568-1368-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4236 bthbhh.exe 1908 vdvjj.exe 1260 flllllr.exe 724 bhhnnh.exe 5036 ppdvj.exe 4160 3lrlffl.exe 2584 ffrxfff.exe 4336 nhnnnn.exe 3176 ttbbbn.exe 3164 jpvpj.exe 3048 rllrrff.exe 3524 thttnt.exe 3484 pvjpp.exe 2684 xllllff.exe 4044 nhtnhh.exe 3980 dvpjj.exe 3948 flxrlll.exe 4832 bnnhbb.exe 2156 pjvpp.exe 1552 xrfrrlx.exe 4752 xrffffx.exe 3144 7nhbtb.exe 764 3vppj.exe 2596 tbbhbh.exe 5044 jdddd.exe 1276 xrxxxrr.exe 3724 ttbbbb.exe 4576 dvpvp.exe 1672 llffffx.exe 4296 llfrrll.exe 2116 bnnnhh.exe 3208 tbhhbt.exe 3220 vdvdd.exe 1088 frfxrrx.exe 2992 btbthn.exe 3136 vvdvp.exe 2712 5rffllx.exe 1100 7xxrlff.exe 3904 ttnnbn.exe 2216 vjjpd.exe 4828 bnttnh.exe 4940 vjdvv.exe 1104 rxxrrrr.exe 4460 bntbtt.exe 548 pvddd.exe 3800 5bnbth.exe 4568 hnnthb.exe 2876 dvvpp.exe 4552 frlxlxr.exe 2336 9btnnn.exe 5028 rxfffff.exe 4212 rxxrlfl.exe 4064 bbntbn.exe 4592 djddp.exe 2396 xxllxrx.exe 5036 hthhbb.exe 4976 pdvvd.exe 1828 vpvpd.exe 3600 5xxxlxr.exe 4456 bnnntn.exe 2212 bhhtnh.exe 2152 vjpjj.exe 3768 fllfffx.exe 1220 9thtnt.exe -
resource yara_rule behavioral2/memory/1388-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000500000002326f-5.dat upx behavioral2/memory/1388-6-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4236-7-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00080000000233d5-11.dat upx behavioral2/memory/1908-12-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000233d9-13.dat upx behavioral2/memory/4236-15-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000233da-22.dat upx behavioral2/memory/724-27-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1260-25-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000233db-30.dat upx behavioral2/memory/5036-37-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000233dc-35.dat upx behavioral2/memory/4160-39-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2584-46-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000233dd-43.dat upx behavioral2/files/0x00070000000233de-49.dat upx behavioral2/memory/4336-51-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3176-55-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000233df-54.dat upx behavioral2/files/0x00070000000233e0-59.dat upx behavioral2/memory/3164-63-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000233e1-65.dat upx behavioral2/files/0x00070000000233e2-70.dat upx behavioral2/files/0x00070000000233e4-75.dat upx behavioral2/memory/3524-77-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000233e5-81.dat upx behavioral2/memory/3484-82-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000233e6-86.dat upx 
behavioral2/memory/2684-88-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000233e7-92.dat upx behavioral2/memory/3980-95-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000233e8-98.dat upx behavioral2/memory/3948-104-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000233e9-103.dat upx behavioral2/files/0x00070000000233ea-110.dat upx behavioral2/memory/4832-109-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2156-116-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000233eb-114.dat upx behavioral2/files/0x00070000000233ec-120.dat upx behavioral2/files/0x00070000000233ed-125.dat upx behavioral2/memory/4752-127-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3144-133-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000233ee-131.dat upx behavioral2/files/0x00070000000233ef-137.dat upx behavioral2/memory/764-139-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000233f0-145.dat upx behavioral2/memory/2596-144-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00080000000233d6-149.dat upx behavioral2/memory/5044-151-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000233f1-155.dat upx behavioral2/files/0x00070000000233f2-162.dat upx behavioral2/memory/3724-161-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4576-167-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000233f4-169.dat upx behavioral2/memory/1672-174-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000233f5-172.dat upx behavioral2/files/0x00070000000233f6-179.dat upx behavioral2/files/0x00070000000233f7-184.dat upx behavioral2/memory/2116-188-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/memory/1088-194-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3136-203-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2712-207-0x0000000000400000-0x0000000000427000-memory.dmp upx -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1388 wrote to memory of 4236 1388 ca1d2998e9a09f24f42f2b8384d46da0_NeikiAnalytics.exe 82 PID 1388 wrote to memory of 4236 1388 ca1d2998e9a09f24f42f2b8384d46da0_NeikiAnalytics.exe 82 PID 1388 wrote to memory of 4236 1388 ca1d2998e9a09f24f42f2b8384d46da0_NeikiAnalytics.exe 82 PID 4236 wrote to memory of 1908 4236 bthbhh.exe 83 PID 4236 wrote to memory of 1908 4236 bthbhh.exe 83 PID 4236 wrote to memory of 1908 4236 bthbhh.exe 83 PID 1908 wrote to memory of 1260 1908 vdvjj.exe 84 PID 1908 wrote to memory of 1260 1908 vdvjj.exe 84 PID 1908 wrote to memory of 1260 1908 vdvjj.exe 84 PID 1260 wrote to memory of 724 1260 flllllr.exe 85 PID 1260 wrote to memory of 724 1260 flllllr.exe 85 PID 1260 wrote to memory of 724 1260 flllllr.exe 85 PID 724 wrote to memory of 5036 724 bhhnnh.exe 86 PID 724 wrote to memory of 5036 724 bhhnnh.exe 86 PID 724 wrote to memory of 5036 724 bhhnnh.exe 86 PID 5036 wrote to memory of 4160 5036 ppdvj.exe 87 PID 5036 wrote to memory of 4160 5036 ppdvj.exe 87 PID 5036 wrote to memory of 4160 5036 ppdvj.exe 87 PID 4160 wrote to memory of 2584 4160 3lrlffl.exe 88 PID 4160 wrote to memory of 2584 4160 3lrlffl.exe 88 PID 4160 wrote to memory of 2584 4160 3lrlffl.exe 88 PID 2584 wrote to memory of 4336 2584 ffrxfff.exe 89 PID 2584 wrote to memory of 4336 2584 ffrxfff.exe 89 PID 2584 wrote to memory of 4336 2584 ffrxfff.exe 89 PID 4336 wrote to memory of 3176 4336 nhnnnn.exe 90 PID 4336 wrote to memory of 3176 4336 nhnnnn.exe 90 PID 4336 wrote to memory of 3176 4336 nhnnnn.exe 90 PID 3176 wrote to memory of 3164 3176 ttbbbn.exe 91 PID 3176 wrote to memory of 3164 3176 ttbbbn.exe 91 PID 3176 wrote to memory of 3164 3176 ttbbbn.exe 91 PID 3164 wrote to memory of 3048 3164 jpvpj.exe 92 PID 3164 wrote to memory of 3048 3164 jpvpj.exe 92 PID 3164 wrote to memory of 3048 3164 jpvpj.exe 92 PID 3048 wrote to memory of 3524 3048 rllrrff.exe 93 PID 3048 wrote to memory of 3524 3048 rllrrff.exe 93 PID 3048 wrote to memory 
of 3524 3048 rllrrff.exe 93 PID 3524 wrote to memory of 3484 3524 thttnt.exe 94 PID 3524 wrote to memory of 3484 3524 thttnt.exe 94 PID 3524 wrote to memory of 3484 3524 thttnt.exe 94 PID 3484 wrote to memory of 2684 3484 pvjpp.exe 95 PID 3484 wrote to memory of 2684 3484 pvjpp.exe 95 PID 3484 wrote to memory of 2684 3484 pvjpp.exe 95 PID 2684 wrote to memory of 4044 2684 xllllff.exe 96 PID 2684 wrote to memory of 4044 2684 xllllff.exe 96 PID 2684 wrote to memory of 4044 2684 xllllff.exe 96 PID 4044 wrote to memory of 3980 4044 nhtnhh.exe 97 PID 4044 wrote to memory of 3980 4044 nhtnhh.exe 97 PID 4044 wrote to memory of 3980 4044 nhtnhh.exe 97 PID 3980 wrote to memory of 3948 3980 dvpjj.exe 98 PID 3980 wrote to memory of 3948 3980 dvpjj.exe 98 PID 3980 wrote to memory of 3948 3980 dvpjj.exe 98 PID 3948 wrote to memory of 4832 3948 flxrlll.exe 99 PID 3948 wrote to memory of 4832 3948 flxrlll.exe 99 PID 3948 wrote to memory of 4832 3948 flxrlll.exe 99 PID 4832 wrote to memory of 2156 4832 bnnhbb.exe 100 PID 4832 wrote to memory of 2156 4832 bnnhbb.exe 100 PID 4832 wrote to memory of 2156 4832 bnnhbb.exe 100 PID 2156 wrote to memory of 1552 2156 pjvpp.exe 101 PID 2156 wrote to memory of 1552 2156 pjvpp.exe 101 PID 2156 wrote to memory of 1552 2156 pjvpp.exe 101 PID 1552 wrote to memory of 4752 1552 xrfrrlx.exe 102 PID 1552 wrote to memory of 4752 1552 xrfrrlx.exe 102 PID 1552 wrote to memory of 4752 1552 xrfrrlx.exe 102 PID 4752 wrote to memory of 3144 4752 xrffffx.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\ca1d2998e9a09f24f42f2b8384d46da0_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\ca1d2998e9a09f24f42f2b8384d46da0_NeikiAnalytics.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1388 -
\??\c:\bthbhh.exec:\bthbhh.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4236 -
\??\c:\vdvjj.exec:\vdvjj.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1908 -
\??\c:\flllllr.exec:\flllllr.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1260 -
\??\c:\bhhnnh.exec:\bhhnnh.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:724 -
\??\c:\ppdvj.exec:\ppdvj.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5036 -
\??\c:\3lrlffl.exec:\3lrlffl.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4160 -
\??\c:\ffrxfff.exec:\ffrxfff.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2584 -
\??\c:\nhnnnn.exec:\nhnnnn.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4336 -
\??\c:\ttbbbn.exec:\ttbbbn.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3176 -
\??\c:\jpvpj.exec:\jpvpj.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3164 -
\??\c:\rllrrff.exec:\rllrrff.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3048 -
\??\c:\thttnt.exec:\thttnt.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3524 -
\??\c:\pvjpp.exec:\pvjpp.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3484 -
\??\c:\xllllff.exec:\xllllff.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2684 -
\??\c:\nhtnhh.exec:\nhtnhh.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4044 -
\??\c:\dvpjj.exec:\dvpjj.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3980 -
\??\c:\flxrlll.exec:\flxrlll.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3948 -
\??\c:\bnnhbb.exec:\bnnhbb.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4832 -
\??\c:\pjvpp.exec:\pjvpp.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2156 -
\??\c:\xrfrrlx.exec:\xrfrrlx.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1552 -
\??\c:\xrffffx.exec:\xrffffx.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4752 -
\??\c:\7nhbtb.exec:\7nhbtb.exe23⤵
- Executes dropped EXE
PID:3144 -
\??\c:\3vppj.exec:\3vppj.exe24⤵
- Executes dropped EXE
PID:764 -
\??\c:\tbbhbh.exec:\tbbhbh.exe25⤵
- Executes dropped EXE
PID:2596 -
\??\c:\jdddd.exec:\jdddd.exe26⤵
- Executes dropped EXE
PID:5044 -
\??\c:\xrxxxrr.exec:\xrxxxrr.exe27⤵
- Executes dropped EXE
PID:1276 -
\??\c:\ttbbbb.exec:\ttbbbb.exe28⤵
- Executes dropped EXE
PID:3724 -
\??\c:\dvpvp.exec:\dvpvp.exe29⤵
- Executes dropped EXE
PID:4576 -
\??\c:\llffffx.exec:\llffffx.exe30⤵
- Executes dropped EXE
PID:1672 -
\??\c:\llfrrll.exec:\llfrrll.exe31⤵
- Executes dropped EXE
PID:4296 -
\??\c:\bnnnhh.exec:\bnnnhh.exe32⤵
- Executes dropped EXE
PID:2116 -
\??\c:\tbhhbt.exec:\tbhhbt.exe33⤵
- Executes dropped EXE
PID:3208 -
\??\c:\vdvdd.exec:\vdvdd.exe34⤵
- Executes dropped EXE
PID:3220 -
\??\c:\frfxrrx.exec:\frfxrrx.exe35⤵
- Executes dropped EXE
PID:1088 -
\??\c:\btbthn.exec:\btbthn.exe36⤵
- Executes dropped EXE
PID:2992 -
\??\c:\vvdvp.exec:\vvdvp.exe37⤵
- Executes dropped EXE
PID:3136 -
\??\c:\5rffllx.exec:\5rffllx.exe38⤵
- Executes dropped EXE
PID:2712 -
\??\c:\7xxrlff.exec:\7xxrlff.exe39⤵
- Executes dropped EXE
PID:1100 -
\??\c:\ttnnbn.exec:\ttnnbn.exe40⤵
- Executes dropped EXE
PID:3904 -
\??\c:\vjjpd.exec:\vjjpd.exe41⤵
- Executes dropped EXE
PID:2216 -
\??\c:\bnttnh.exec:\bnttnh.exe42⤵
- Executes dropped EXE
PID:4828 -
\??\c:\vjdvv.exec:\vjdvv.exe43⤵
- Executes dropped EXE
PID:4940 -
\??\c:\rxxrrrr.exec:\rxxrrrr.exe44⤵
- Executes dropped EXE
PID:1104 -
\??\c:\bntbtt.exec:\bntbtt.exe45⤵
- Executes dropped EXE
PID:4460 -
\??\c:\pvddd.exec:\pvddd.exe46⤵
- Executes dropped EXE
PID:548 -
\??\c:\5bnbth.exec:\5bnbth.exe47⤵
- Executes dropped EXE
PID:3800 -
\??\c:\hnnthb.exec:\hnnthb.exe48⤵
- Executes dropped EXE
PID:4568 -
\??\c:\dvvpp.exec:\dvvpp.exe49⤵
- Executes dropped EXE
PID:2876 -
\??\c:\frlxlxr.exec:\frlxlxr.exe50⤵
- Executes dropped EXE
PID:4552 -
\??\c:\9btnnn.exec:\9btnnn.exe51⤵
- Executes dropped EXE
PID:2336 -
\??\c:\rxfffff.exec:\rxfffff.exe52⤵
- Executes dropped EXE
PID:5028 -
\??\c:\rxxrlfl.exec:\rxxrlfl.exe53⤵
- Executes dropped EXE
PID:4212 -
\??\c:\bbntbn.exec:\bbntbn.exe54⤵
- Executes dropped EXE
PID:4064 -
\??\c:\djddp.exec:\djddp.exe55⤵
- Executes dropped EXE
PID:4592 -
\??\c:\xxllxrx.exec:\xxllxrx.exe56⤵
- Executes dropped EXE
PID:2396 -
\??\c:\hthhbb.exec:\hthhbb.exe57⤵
- Executes dropped EXE
PID:5036 -
\??\c:\pdvvd.exec:\pdvvd.exe58⤵
- Executes dropped EXE
PID:4976 -
\??\c:\vpvpd.exec:\vpvpd.exe59⤵
- Executes dropped EXE
PID:1828 -
\??\c:\5xxxlxr.exec:\5xxxlxr.exe60⤵
- Executes dropped EXE
PID:3600 -
\??\c:\bnnntn.exec:\bnnntn.exe61⤵
- Executes dropped EXE
PID:4456 -
\??\c:\bhhtnh.exec:\bhhtnh.exe62⤵
- Executes dropped EXE
PID:2212 -
\??\c:\vjpjj.exec:\vjpjj.exe63⤵
- Executes dropped EXE
PID:2152 -
\??\c:\fllfffx.exec:\fllfffx.exe64⤵
- Executes dropped EXE
PID:3768 -
\??\c:\9thtnt.exec:\9thtnt.exe65⤵
- Executes dropped EXE
PID:1220 -
\??\c:\5jppd.exec:\5jppd.exe66⤵PID:3592
-
\??\c:\7fxrlll.exec:\7fxrlll.exe67⤵PID:2564
-
\??\c:\rxxxrrf.exec:\rxxxrrf.exe68⤵PID:4024
-
\??\c:\hhntbh.exec:\hhntbh.exe69⤵PID:2860
-
\??\c:\pjddp.exec:\pjddp.exe70⤵PID:2868
-
\??\c:\vpppv.exec:\vpppv.exe71⤵PID:528
-
\??\c:\tntnhh.exec:\tntnhh.exe72⤵PID:1144
-
\??\c:\tntnnh.exec:\tntnnh.exe73⤵PID:2972
-
\??\c:\pdppj.exec:\pdppj.exe74⤵PID:3488
-
\??\c:\dddvv.exec:\dddvv.exe75⤵PID:3788
-
\??\c:\flllffl.exec:\flllffl.exe76⤵PID:4924
-
\??\c:\tbhhhn.exec:\tbhhhn.exe77⤵PID:3772
-
\??\c:\pjppj.exec:\pjppj.exe78⤵PID:4512
-
\??\c:\lfxxxxf.exec:\lfxxxxf.exe79⤵PID:2824
-
\??\c:\5xxxxxx.exec:\5xxxxxx.exe80⤵PID:844
-
\??\c:\1tnnnn.exec:\1tnnnn.exe81⤵PID:3224
-
\??\c:\vdvpj.exec:\vdvpj.exe82⤵PID:3692
-
\??\c:\xxrrrrr.exec:\xxrrrrr.exe83⤵PID:1048
-
\??\c:\5tbbbh.exec:\5tbbbh.exe84⤵PID:4476
-
\??\c:\5nhhtb.exec:\5nhhtb.exe85⤵PID:1140
-
\??\c:\vjvpp.exec:\vjvpp.exe86⤵PID:4532
-
\??\c:\xxrrlll.exec:\xxrrlll.exe87⤵PID:4792
-
\??\c:\tthbhn.exec:\tthbhn.exe88⤵PID:3552
-
\??\c:\thhhbb.exec:\thhhbb.exe89⤵PID:5068
-
\??\c:\vpppj.exec:\vpppj.exe90⤵PID:2660
-
\??\c:\7vjdd.exec:\7vjdd.exe91⤵PID:3292
-
\??\c:\rlfrfxl.exec:\rlfrfxl.exe92⤵PID:2332
-
\??\c:\bbnntn.exec:\bbnntn.exe93⤵PID:3228
-
\??\c:\ttnttb.exec:\ttnttb.exe94⤵PID:1964
-
\??\c:\vvddv.exec:\vvddv.exe95⤵PID:2744
-
\??\c:\7lrxlrr.exec:\7lrxlrr.exe96⤵PID:1520
-
\??\c:\ttbbnn.exec:\ttbbnn.exe97⤵PID:2992
-
\??\c:\9tttnn.exec:\9tttnn.exe98⤵PID:3460
-
\??\c:\3vvvj.exec:\3vvvj.exe99⤵PID:4360
-
\??\c:\rrflfff.exec:\rrflfff.exe100⤵PID:3128
-
\??\c:\bbthtn.exec:\bbthtn.exe101⤵PID:1120
-
\??\c:\thtbhn.exec:\thtbhn.exe102⤵PID:1896
-
\??\c:\lxffffx.exec:\lxffffx.exe103⤵PID:4172
-
\??\c:\xrllrxl.exec:\xrllrxl.exe104⤵PID:2324
-
\??\c:\7bbbbh.exec:\7bbbbh.exe105⤵PID:4556
-
\??\c:\jpdvj.exec:\jpdvj.exe106⤵PID:4984
-
\??\c:\fxxrffx.exec:\fxxrffx.exe107⤵PID:4916
-
\??\c:\xxxxxxx.exec:\xxxxxxx.exe108⤵PID:4292
-
\??\c:\nnttth.exec:\nnttth.exe109⤵PID:4076
-
\??\c:\bthhbb.exec:\bthhbb.exe110⤵PID:4880
-
\??\c:\9pppj.exec:\9pppj.exe111⤵PID:4320
-
\??\c:\xfrlfrr.exec:\xfrlfrr.exe112⤵PID:3396
-
\??\c:\frfffxr.exec:\frfffxr.exe113⤵PID:2756
-
\??\c:\bhhtnt.exec:\bhhtnt.exe114⤵PID:4928
-
\??\c:\pjjdv.exec:\pjjdv.exe115⤵PID:3528
-
\??\c:\rrxrllr.exec:\rrxrllr.exe116⤵PID:1640
-
\??\c:\9hnbbt.exec:\9hnbbt.exe117⤵PID:4604
-
\??\c:\7nbttb.exec:\7nbttb.exe118⤵PID:3264
-
\??\c:\9pvvd.exec:\9pvvd.exe119⤵PID:468
-
\??\c:\rfrrlll.exec:\rfrrlll.exe120⤵PID:2356
-
\??\c:\xxxxxxx.exec:\xxxxxxx.exe121⤵PID:3504
-
\??\c:\hbnnnn.exec:\hbnnnn.exe122⤵PID:4336
-