Analysis
-
max time kernel
150s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240426-en locale:en-us os:windows10-2004-x64 system -
submitted
18/05/2024, 13:17
Behavioral task
behavioral1
Sample
cbb271f375f0d33be34d6b900168e800_NeikiAnalytics.exe
Resource
win7-20231129-en
5 signatures
150 seconds
General
-
Target
cbb271f375f0d33be34d6b900168e800_NeikiAnalytics.exe
-
Size
75KB
-
MD5
cbb271f375f0d33be34d6b900168e800
-
SHA1
63772079d27206e68743d3b7b6ad37d96f32567a
-
SHA256
8de0bec4b76376df982fd261336fc0a5076e27d5ddbd3e998349a19a38eb994a
-
SHA512
15ac7bad2f819cfc31063ed1d192d2d3294f7fe61528dfafd42754086b8e315401189d4dd9b81a475ce01dadf52e9438003061ef387a960b4fcc9e04d3196f48
-
SSDEEP
1536:9vQBeOGtrYS3srx93UBWfwC6Ggnouy8PbhnyLFWoFLAxZhMDzE8s:9hOmTsF93UYfwC6GIoutz5yLpOSDi
Malware Config
Signatures
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/4540-1-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/220-12-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4980-14-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4940-20-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4320-25-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4392-37-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3500-47-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1460-58-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3504-65-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1188-66-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3520-75-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1992-77-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/640-88-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4524-92-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3792-97-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5020-103-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4796-109-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2964-117-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1880-118-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2400-133-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2316-134-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/2632-141-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2024-151-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4508-156-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3780-162-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4208-171-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4476-182-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3612-186-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4260-193-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3252-197-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1900-210-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1624-214-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1032-218-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1596-223-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4312-229-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1812-233-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/968-241-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3720-263-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2096-276-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1300-280-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1044-291-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4280-296-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/4836-304-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2964-308-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4740-326-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1508-336-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3296-357-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4272-364-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2376-371-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3056-383-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1032-393-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3528-419-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2328-434-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2716-460-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2616-469-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2256-476-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4204-508-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/224-548-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1116-746-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1224-830-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3132-838-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4288-879-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2612-889-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/696-893-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 220 86682.exe 4980 a0826.exe 4940 tttnbh.exe 4320 84408.exe 5068 nhhnbb.exe 4392 6682004.exe 3500 4682660.exe 900 llfxllf.exe 1460 1pdjv.exe 3504 802088.exe 1188 btbnhb.exe 3520 240848.exe 1992 684088.exe 640 84082.exe 4524 222604.exe 3792 pjdvp.exe 5020 7bhbtn.exe 4796 jdjdv.exe 2964 lfrlffx.exe 1880 fffxrrl.exe 2748 bhhbnn.exe 2400 8804882.exe 2316 dvvpp.exe 2632 480860.exe 2024 006608.exe 4508 6286444.exe 3780 9xfrllx.exe 3532 1jjdp.exe 4208 u622004.exe 4520 o840800.exe 4476 86888.exe 3612 hnnbtn.exe 4396 xflxrlf.exe 4260 frrllfl.exe 3252 g6822.exe 3120 5dvdj.exe 3056 dppjd.exe 1900 0060460.exe 1624 vddpj.exe 1032 rfflffx.exe 1260 vpdvp.exe 1596 4804804.exe 4312 8240684.exe 1812 884860.exe 4904 hhhbbt.exe 1868 dvjdv.exe 968 vpvpv.exe 2352 260422.exe 4092 80264.exe 2200 8464882.exe 2036 6682004.exe 4024 i206284.exe 3720 vvvpj.exe 4576 m4264.exe 3288 66888.exe 2760 fffxrlf.exe 2096 8244688.exe 1400 m4622.exe 1300 dvjpv.exe 3096 802226.exe 1044 rlfxlll.exe 2300 9lxrfxr.exe 4280 bnhnth.exe 1116 244820.exe -
resource yara_rule behavioral2/memory/4540-1-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/220-4-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0006000000023308-5.dat upx behavioral2/files/0x0008000000023484-9.dat upx behavioral2/memory/220-12-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4980-14-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023485-13.dat upx behavioral2/memory/4940-20-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023487-22.dat upx behavioral2/memory/4320-25-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023488-28.dat upx behavioral2/files/0x0007000000023489-33.dat upx behavioral2/memory/4392-37-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000700000002348a-40.dat upx behavioral2/files/0x000700000002348b-44.dat upx behavioral2/memory/3500-47-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/900-48-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000700000002348c-52.dat upx behavioral2/memory/1460-58-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000700000002348d-57.dat upx behavioral2/files/0x000700000002348e-62.dat upx behavioral2/memory/3504-65-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1188-66-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000700000002348f-69.dat upx behavioral2/files/0x0007000000023490-74.dat upx behavioral2/memory/3520-75-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1992-77-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023491-80.dat upx behavioral2/files/0x0007000000023492-85.dat upx behavioral2/memory/640-88-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023493-91.dat upx 
behavioral2/memory/4524-92-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023494-96.dat upx behavioral2/memory/3792-97-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023495-101.dat upx behavioral2/memory/5020-103-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023496-107.dat upx behavioral2/memory/4796-109-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2964-117-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1880-118-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023497-115.dat upx behavioral2/files/0x0007000000023498-120.dat upx behavioral2/files/0x0007000000023499-126.dat upx behavioral2/files/0x0008000000023482-130.dat upx behavioral2/memory/2400-133-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2316-134-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000700000002349a-137.dat upx behavioral2/memory/2632-141-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000700000002349b-143.dat upx behavioral2/memory/2024-151-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000700000002349d-149.dat upx behavioral2/memory/4508-156-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000700000002349e-155.dat upx behavioral2/files/0x000700000002349f-163.dat upx behavioral2/memory/3780-162-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000234a0-166.dat upx behavioral2/memory/4208-171-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00070000000234a1-173.dat upx behavioral2/files/0x00070000000234a2-178.dat upx behavioral2/files/0x00070000000234a3-183.dat upx behavioral2/memory/4476-182-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3612-186-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/memory/4260-193-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3252-197-0x0000000000400000-0x0000000000427000-memory.dmp upx -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4540 wrote to memory of 220 4540 cbb271f375f0d33be34d6b900168e800_NeikiAnalytics.exe 83 PID 4540 wrote to memory of 220 4540 cbb271f375f0d33be34d6b900168e800_NeikiAnalytics.exe 83 PID 4540 wrote to memory of 220 4540 cbb271f375f0d33be34d6b900168e800_NeikiAnalytics.exe 83 PID 220 wrote to memory of 4980 220 86682.exe 84 PID 220 wrote to memory of 4980 220 86682.exe 84 PID 220 wrote to memory of 4980 220 86682.exe 84 PID 4980 wrote to memory of 4940 4980 a0826.exe 85 PID 4980 wrote to memory of 4940 4980 a0826.exe 85 PID 4980 wrote to memory of 4940 4980 a0826.exe 85 PID 4940 wrote to memory of 4320 4940 tttnbh.exe 86 PID 4940 wrote to memory of 4320 4940 tttnbh.exe 86 PID 4940 wrote to memory of 4320 4940 tttnbh.exe 86 PID 4320 wrote to memory of 5068 4320 84408.exe 87 PID 4320 wrote to memory of 5068 4320 84408.exe 87 PID 4320 wrote to memory of 5068 4320 84408.exe 87 PID 5068 wrote to memory of 4392 5068 nhhnbb.exe 88 PID 5068 wrote to memory of 4392 5068 nhhnbb.exe 88 PID 5068 wrote to memory of 4392 5068 nhhnbb.exe 88 PID 4392 wrote to memory of 3500 4392 6682004.exe 89 PID 4392 wrote to memory of 3500 4392 6682004.exe 89 PID 4392 wrote to memory of 3500 4392 6682004.exe 89 PID 3500 wrote to memory of 900 3500 4682660.exe 90 PID 3500 wrote to memory of 900 3500 4682660.exe 90 PID 3500 wrote to memory of 900 3500 4682660.exe 90 PID 900 wrote to memory of 1460 900 llfxllf.exe 91 PID 900 wrote to memory of 1460 900 llfxllf.exe 91 PID 900 wrote to memory of 1460 900 llfxllf.exe 91 PID 1460 wrote to memory of 3504 1460 1pdjv.exe 92 PID 1460 wrote to memory of 3504 1460 1pdjv.exe 92 PID 1460 wrote to memory of 3504 1460 1pdjv.exe 92 PID 3504 wrote to memory of 1188 3504 802088.exe 93 PID 3504 wrote to memory of 1188 3504 802088.exe 93 PID 3504 wrote to memory of 1188 3504 802088.exe 93 PID 1188 wrote to memory of 3520 1188 btbnhb.exe 94 PID 1188 wrote to memory of 3520 1188 btbnhb.exe 94 PID 1188 wrote to memory of 3520 1188 
btbnhb.exe 94 PID 3520 wrote to memory of 1992 3520 240848.exe 95 PID 3520 wrote to memory of 1992 3520 240848.exe 95 PID 3520 wrote to memory of 1992 3520 240848.exe 95 PID 1992 wrote to memory of 640 1992 684088.exe 96 PID 1992 wrote to memory of 640 1992 684088.exe 96 PID 1992 wrote to memory of 640 1992 684088.exe 96 PID 640 wrote to memory of 4524 640 84082.exe 97 PID 640 wrote to memory of 4524 640 84082.exe 97 PID 640 wrote to memory of 4524 640 84082.exe 97 PID 4524 wrote to memory of 3792 4524 222604.exe 98 PID 4524 wrote to memory of 3792 4524 222604.exe 98 PID 4524 wrote to memory of 3792 4524 222604.exe 98 PID 3792 wrote to memory of 5020 3792 pjdvp.exe 99 PID 3792 wrote to memory of 5020 3792 pjdvp.exe 99 PID 3792 wrote to memory of 5020 3792 pjdvp.exe 99 PID 5020 wrote to memory of 4796 5020 7bhbtn.exe 100 PID 5020 wrote to memory of 4796 5020 7bhbtn.exe 100 PID 5020 wrote to memory of 4796 5020 7bhbtn.exe 100 PID 4796 wrote to memory of 2964 4796 jdjdv.exe 101 PID 4796 wrote to memory of 2964 4796 jdjdv.exe 101 PID 4796 wrote to memory of 2964 4796 jdjdv.exe 101 PID 2964 wrote to memory of 1880 2964 lfrlffx.exe 102 PID 2964 wrote to memory of 1880 2964 lfrlffx.exe 102 PID 2964 wrote to memory of 1880 2964 lfrlffx.exe 102 PID 1880 wrote to memory of 2748 1880 fffxrrl.exe 103 PID 1880 wrote to memory of 2748 1880 fffxrrl.exe 103 PID 1880 wrote to memory of 2748 1880 fffxrrl.exe 103 PID 2748 wrote to memory of 2400 2748 bhhbnn.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\cbb271f375f0d33be34d6b900168e800_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\cbb271f375f0d33be34d6b900168e800_NeikiAnalytics.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4540 -
\??\c:\86682.exec:\86682.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:220 -
\??\c:\a0826.exec:\a0826.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4980 -
\??\c:\tttnbh.exec:\tttnbh.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4940 -
\??\c:\84408.exec:\84408.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4320 -
\??\c:\nhhnbb.exec:\nhhnbb.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5068 -
\??\c:\6682004.exec:\6682004.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4392 -
\??\c:\4682660.exec:\4682660.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3500 -
\??\c:\llfxllf.exec:\llfxllf.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:900 -
\??\c:\1pdjv.exec:\1pdjv.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1460 -
\??\c:\802088.exec:\802088.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3504 -
\??\c:\btbnhb.exec:\btbnhb.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1188 -
\??\c:\240848.exec:\240848.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3520 -
\??\c:\684088.exec:\684088.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1992 -
\??\c:\84082.exec:\84082.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:640 -
\??\c:\222604.exec:\222604.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4524 -
\??\c:\pjdvp.exec:\pjdvp.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3792 -
\??\c:\7bhbtn.exec:\7bhbtn.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5020 -
\??\c:\jdjdv.exec:\jdjdv.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4796 -
\??\c:\lfrlffx.exec:\lfrlffx.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2964 -
\??\c:\fffxrrl.exec:\fffxrrl.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1880 -
\??\c:\bhhbnn.exec:\bhhbnn.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2748 -
\??\c:\8804882.exec:\8804882.exe23⤵
- Executes dropped EXE
PID:2400 -
\??\c:\dvvpp.exec:\dvvpp.exe24⤵
- Executes dropped EXE
PID:2316 -
\??\c:\480860.exec:\480860.exe25⤵
- Executes dropped EXE
PID:2632 -
\??\c:\006608.exec:\006608.exe26⤵
- Executes dropped EXE
PID:2024 -
\??\c:\6286444.exec:\6286444.exe27⤵
- Executes dropped EXE
PID:4508 -
\??\c:\9xfrllx.exec:\9xfrllx.exe28⤵
- Executes dropped EXE
PID:3780 -
\??\c:\1jjdp.exec:\1jjdp.exe29⤵
- Executes dropped EXE
PID:3532 -
\??\c:\u622004.exec:\u622004.exe30⤵
- Executes dropped EXE
PID:4208 -
\??\c:\o840800.exec:\o840800.exe31⤵
- Executes dropped EXE
PID:4520 -
\??\c:\86888.exec:\86888.exe32⤵
- Executes dropped EXE
PID:4476 -
\??\c:\hnnbtn.exec:\hnnbtn.exe33⤵
- Executes dropped EXE
PID:3612 -
\??\c:\xflxrlf.exec:\xflxrlf.exe34⤵
- Executes dropped EXE
PID:4396 -
\??\c:\frrllfl.exec:\frrllfl.exe35⤵
- Executes dropped EXE
PID:4260 -
\??\c:\g6822.exec:\g6822.exe36⤵
- Executes dropped EXE
PID:3252 -
\??\c:\5dvdj.exec:\5dvdj.exe37⤵
- Executes dropped EXE
PID:3120 -
\??\c:\dppjd.exec:\dppjd.exe38⤵
- Executes dropped EXE
PID:3056 -
\??\c:\0060460.exec:\0060460.exe39⤵
- Executes dropped EXE
PID:1900 -
\??\c:\vddpj.exec:\vddpj.exe40⤵
- Executes dropped EXE
PID:1624 -
\??\c:\rfflffx.exec:\rfflffx.exe41⤵
- Executes dropped EXE
PID:1032 -
\??\c:\vpdvp.exec:\vpdvp.exe42⤵
- Executes dropped EXE
PID:1260 -
\??\c:\4804804.exec:\4804804.exe43⤵
- Executes dropped EXE
PID:1596 -
\??\c:\8240684.exec:\8240684.exe44⤵
- Executes dropped EXE
PID:4312 -
\??\c:\884860.exec:\884860.exe45⤵
- Executes dropped EXE
PID:1812 -
\??\c:\hhhbbt.exec:\hhhbbt.exe46⤵
- Executes dropped EXE
PID:4904 -
\??\c:\dvjdv.exec:\dvjdv.exe47⤵
- Executes dropped EXE
PID:1868 -
\??\c:\vpvpv.exec:\vpvpv.exe48⤵
- Executes dropped EXE
PID:968 -
\??\c:\260422.exec:\260422.exe49⤵
- Executes dropped EXE
PID:2352 -
\??\c:\80264.exec:\80264.exe50⤵
- Executes dropped EXE
PID:4092 -
\??\c:\8464882.exec:\8464882.exe51⤵
- Executes dropped EXE
PID:2200 -
\??\c:\6682004.exec:\6682004.exe52⤵
- Executes dropped EXE
PID:2036 -
\??\c:\i206284.exec:\i206284.exe53⤵
- Executes dropped EXE
PID:4024 -
\??\c:\vvvpj.exec:\vvvpj.exe54⤵
- Executes dropped EXE
PID:3720 -
\??\c:\m4264.exec:\m4264.exe55⤵
- Executes dropped EXE
PID:4576 -
\??\c:\66888.exec:\66888.exe56⤵
- Executes dropped EXE
PID:3288 -
\??\c:\fffxrlf.exec:\fffxrlf.exe57⤵
- Executes dropped EXE
PID:2760 -
\??\c:\8244688.exec:\8244688.exe58⤵
- Executes dropped EXE
PID:2096 -
\??\c:\m4622.exec:\m4622.exe59⤵
- Executes dropped EXE
PID:1400 -
\??\c:\dvjpv.exec:\dvjpv.exe60⤵
- Executes dropped EXE
PID:1300 -
\??\c:\802226.exec:\802226.exe61⤵
- Executes dropped EXE
PID:3096 -
\??\c:\rlfxlll.exec:\rlfxlll.exe62⤵
- Executes dropped EXE
PID:1044 -
\??\c:\9lxrfxr.exec:\9lxrfxr.exe63⤵
- Executes dropped EXE
PID:2300 -
\??\c:\bnhnth.exec:\bnhnth.exe64⤵
- Executes dropped EXE
PID:4280 -
\??\c:\244820.exec:\244820.exe65⤵
- Executes dropped EXE
PID:1116 -
\??\c:\828266.exec:\828266.exe66⤵PID:4836
-
\??\c:\0486480.exec:\0486480.exe67⤵PID:2964
-
\??\c:\htthhh.exec:\htthhh.exe68⤵PID:4404
-
\??\c:\000482.exec:\000482.exe69⤵PID:2748
-
\??\c:\bhhnbt.exec:\bhhnbt.exe70⤵PID:2612
-
\??\c:\jddvj.exec:\jddvj.exe71⤵PID:532
-
\??\c:\8604848.exec:\8604848.exe72⤵PID:4740
-
\??\c:\xfxlllr.exec:\xfxlllr.exe73⤵PID:3964
-
\??\c:\nnnntt.exec:\nnnntt.exe74⤵PID:3848
-
\??\c:\7thhhh.exec:\7thhhh.exe75⤵PID:1508
-
\??\c:\tbthtb.exec:\tbthtb.exe76⤵PID:4516
-
\??\c:\20064.exec:\20064.exe77⤵PID:1216
-
\??\c:\9tnhbt.exec:\9tnhbt.exe78⤵PID:4972
-
\??\c:\9btnbt.exec:\9btnbt.exe79⤵PID:1860
-
\??\c:\g4048.exec:\g4048.exe80⤵PID:4072
-
\??\c:\488606.exec:\488606.exe81⤵PID:2220
-
\??\c:\frxrffr.exec:\frxrffr.exe82⤵PID:3296
-
\??\c:\486626.exec:\486626.exe83⤵PID:3736
-
\??\c:\9rrlrxr.exec:\9rrlrxr.exe84⤵PID:4272
-
\??\c:\c688440.exec:\c688440.exe85⤵PID:1156
-
\??\c:\m8800.exec:\m8800.exe86⤵PID:2376
-
\??\c:\262088.exec:\262088.exe87⤵PID:2940
-
\??\c:\3jddd.exec:\3jddd.exe88⤵PID:836
-
\??\c:\djpjv.exec:\djpjv.exe89⤵PID:3056
-
\??\c:\22400.exec:\22400.exe90⤵PID:2120
-
\??\c:\rfxfrlf.exec:\rfxfrlf.exe91⤵PID:1624
-
\??\c:\020044.exec:\020044.exe92⤵PID:1032
-
\??\c:\5bbtnh.exec:\5bbtnh.exe93⤵PID:1260
-
\??\c:\ddpjj.exec:\ddpjj.exe94⤵PID:4540
-
\??\c:\6680448.exec:\6680448.exe95⤵PID:4312
-
\??\c:\dpdvj.exec:\dpdvj.exe96⤵PID:5064
-
\??\c:\68220.exec:\68220.exe97⤵PID:1428
-
\??\c:\480488.exec:\480488.exe98⤵PID:4536
-
\??\c:\0448888.exec:\0448888.exe99⤵PID:1544
-
\??\c:\2844488.exec:\2844488.exe100⤵PID:3528
-
\??\c:\60604.exec:\60604.exe101⤵PID:4092
-
\??\c:\88480.exec:\88480.exe102⤵PID:2232
-
\??\c:\xrrfrlf.exec:\xrrfrlf.exe103⤵PID:3352
-
\??\c:\frlfrll.exec:\frlfrll.exe104⤵PID:900
-
\??\c:\thbhtb.exec:\thbhtb.exe105⤵PID:2328
-
\??\c:\2004260.exec:\2004260.exe106⤵PID:3940
-
\??\c:\80226.exec:\80226.exe107⤵PID:3580
-
\??\c:\htbnbb.exec:\htbnbb.exe108⤵PID:1320
-
\??\c:\ffxrfxx.exec:\ffxrfxx.exe109⤵PID:4228
-
\??\c:\xlfxrlf.exec:\xlfxrlf.exe110⤵PID:4420
-
\??\c:\42200.exec:\42200.exe111⤵PID:2488
-
\??\c:\8242604.exec:\8242604.exe112⤵PID:3096
-
\??\c:\a8844.exec:\a8844.exe113⤵PID:2716
-
\??\c:\hbtnhh.exec:\hbtnhh.exe114⤵PID:4284
-
\??\c:\xrxfxlf.exec:\xrxfxlf.exe115⤵PID:2616
-
\??\c:\688266.exec:\688266.exe116⤵PID:1468
-
\??\c:\fxxrxrl.exec:\fxxrxrl.exe117⤵PID:2256
-
\??\c:\0028888.exec:\0028888.exe118⤵PID:3024
-
\??\c:\bhbbtt.exec:\bhbbtt.exe119⤵PID:2392
-
\??\c:\08886.exec:\08886.exe120⤵PID:1592
-
\??\c:\4688626.exec:\4688626.exe121⤵PID:2400
-
\??\c:\a6804.exec:\a6804.exe122⤵PID:532
-