Analysis
-
max time kernel
149s -
max time network
134s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
arch:x64 arch:x86 image:win7-20240508-en locale:en-us os:windows7-x64 system -
submitted
18/05/2024, 13:41
Behavioral task
behavioral1
Sample
d002865618db61a4b2c7216615c0ed80_NeikiAnalytics.exe
Resource
win7-20240508-en
7 signatures
150 seconds
General
-
Target
d002865618db61a4b2c7216615c0ed80_NeikiAnalytics.exe
-
Size
169KB
-
MD5
d002865618db61a4b2c7216615c0ed80
-
SHA1
aa6442723c8aac153b9dcdf6b9d0315ab1e703f6
-
SHA256
7e819bbfcd868a05aa4ba90b1c1ed904739c7360865eb27c1414e80ea808b501
-
SHA512
20b224a316fd1af22280c02de25ddb2656a7e511fc679669a53b1452dc6b636493d05516964469fdaa90b9c127d66be34c4c8c5f4030100d429cd8c87592ac8c
-
SSDEEP
1536:HvQBeOGtrYS3srx93UBWfwC6Ggnouy8CUYj7FK4O8A1o4XEc3YtxD8/Ai2L:HhOmTsF93UYfwC6GIoutX8Ki3c3YT8VU
Score
10/10
Malware Config
Signatures
-
Detect Blackmoon payload 31 IoCs
resource yara_rule behavioral1/memory/3064-9-0x0000000000400000-0x0000000000446000-memory.dmp family_blackmoon behavioral1/memory/1592-19-0x0000000000400000-0x0000000000446000-memory.dmp family_blackmoon behavioral1/memory/1776-22-0x0000000000400000-0x0000000000446000-memory.dmp family_blackmoon behavioral1/memory/2644-37-0x0000000000400000-0x0000000000446000-memory.dmp family_blackmoon behavioral1/memory/2748-40-0x0000000000400000-0x0000000000446000-memory.dmp family_blackmoon behavioral1/memory/1540-49-0x0000000000400000-0x0000000000446000-memory.dmp family_blackmoon behavioral1/memory/2652-64-0x0000000000400000-0x0000000000446000-memory.dmp family_blackmoon behavioral1/memory/2860-74-0x0000000000400000-0x0000000000446000-memory.dmp family_blackmoon behavioral1/memory/2612-91-0x0000000000400000-0x0000000000446000-memory.dmp family_blackmoon behavioral1/memory/1336-100-0x0000000000400000-0x0000000000446000-memory.dmp family_blackmoon behavioral1/memory/2824-110-0x0000000000400000-0x0000000000446000-memory.dmp family_blackmoon behavioral1/memory/2856-112-0x0000000000400000-0x0000000000446000-memory.dmp family_blackmoon behavioral1/memory/1676-128-0x0000000000400000-0x0000000000446000-memory.dmp family_blackmoon behavioral1/memory/1964-136-0x0000000000400000-0x0000000000446000-memory.dmp family_blackmoon behavioral1/memory/1800-146-0x0000000000400000-0x0000000000446000-memory.dmp family_blackmoon behavioral1/memory/2408-203-0x0000000000400000-0x0000000000446000-memory.dmp family_blackmoon behavioral1/memory/1732-212-0x0000000000400000-0x0000000000446000-memory.dmp family_blackmoon behavioral1/memory/2216-263-0x0000000000400000-0x0000000000446000-memory.dmp family_blackmoon behavioral1/memory/1984-261-0x0000000000400000-0x0000000000446000-memory.dmp family_blackmoon behavioral1/memory/2356-279-0x0000000000400000-0x0000000000446000-memory.dmp family_blackmoon behavioral1/memory/2176-293-0x0000000000400000-0x0000000000446000-memory.dmp family_blackmoon 
behavioral1/memory/2820-306-0x0000000000400000-0x0000000000446000-memory.dmp family_blackmoon behavioral1/memory/2428-319-0x0000000000400000-0x0000000000446000-memory.dmp family_blackmoon behavioral1/memory/2764-347-0x0000000000400000-0x0000000000446000-memory.dmp family_blackmoon behavioral1/memory/2696-354-0x0000000000400000-0x0000000000446000-memory.dmp family_blackmoon behavioral1/memory/2696-361-0x0000000000400000-0x0000000000446000-memory.dmp family_blackmoon behavioral1/memory/2548-374-0x0000000000400000-0x0000000000446000-memory.dmp family_blackmoon behavioral1/memory/1772-460-0x0000000000400000-0x0000000000446000-memory.dmp family_blackmoon behavioral1/memory/1728-473-0x0000000000400000-0x0000000000446000-memory.dmp family_blackmoon behavioral1/memory/484-513-0x0000000000400000-0x0000000000446000-memory.dmp family_blackmoon behavioral1/memory/1616-579-0x0000000000400000-0x0000000000446000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1592 9vppd.exe 1776 vvjpv.exe 2644 1dvpp.exe 2748 5frlllr.exe 1540 bbthbb.exe 2652 jvvdp.exe 2860 9fxlflx.exe 2532 3bthbh.exe 2612 ppjpj.exe 1336 3rrfrrf.exe 2824 lfxxflr.exe 2856 ddpvj.exe 1676 lflrlrx.exe 1964 tnhtbn.exe 1800 ddjjv.exe 1316 xxrlxxl.exe 1792 3tnhbh.exe 316 pjvdp.exe 812 1rxlxlf.exe 2076 3hbnhn.exe 2516 nhnhth.exe 2408 vpdjv.exe 1732 7lxflff.exe 484 tnhhnn.exe 1508 dpdjd.exe 1788 lfxxffl.exe 2028 hhbhtb.exe 1044 pjjdv.exe 1984 fxlrllr.exe 2216 nhhbtt.exe 2356 hbtbth.exe 2164 rlxlxfx.exe 2176 rlrlxrx.exe 2276 bthtnt.exe 2820 pdjvv.exe 1536 lflfxxf.exe 2428 5llrxxf.exe 2640 hhtbtt.exe 2736 pjvdj.exe 2792 fxrxfxf.exe 2764 pppvv.exe 2784 jvjpp.exe 2696 7xlllfl.exe 2556 tthntt.exe 2548 7pjvd.exe 2532 lflffff.exe 2208 xlrxfff.exe 2768 nhtnbt.exe 2332 dpdjd.exe 2824 xlrlrlr.exe 2856 3frrfxl.exe 3040 7nhhtn.exe 1712 1hnnnt.exe 1964 dvjpd.exe 1276 lfxxfrf.exe 2604 fxrxfxl.exe 2624 hbnnhh.exe 764 nbhhtn.exe 1772 vjvvp.exe 1528 5rfxffl.exe 2256 fxllxxx.exe 1728 ttntnn.exe 2516 djvdj.exe 2408 9fxlxlr.exe -
resource yara_rule behavioral1/memory/2960-0-0x0000000000400000-0x0000000000446000-memory.dmp upx behavioral1/memory/3064-2-0x0000000000400000-0x0000000000446000-memory.dmp upx behavioral1/files/0x000e00000001226b-7.dat upx behavioral1/memory/3064-9-0x0000000000400000-0x0000000000446000-memory.dmp upx behavioral1/files/0x0036000000015c7f-17.dat upx behavioral1/memory/1592-19-0x0000000000400000-0x0000000000446000-memory.dmp upx behavioral1/memory/1776-22-0x0000000000400000-0x0000000000446000-memory.dmp upx behavioral1/files/0x0008000000015cc7-28.dat upx behavioral1/files/0x0007000000015ce3-35.dat upx behavioral1/memory/2644-37-0x0000000000400000-0x0000000000446000-memory.dmp upx behavioral1/memory/2748-40-0x0000000000400000-0x0000000000446000-memory.dmp upx behavioral1/files/0x0007000000015cf0-46.dat upx behavioral1/memory/1540-49-0x0000000000400000-0x0000000000446000-memory.dmp upx behavioral1/files/0x0007000000015d02-53.dat upx behavioral1/memory/2652-56-0x0000000000400000-0x0000000000446000-memory.dmp upx behavioral1/memory/2652-64-0x0000000000400000-0x0000000000446000-memory.dmp upx behavioral1/files/0x0008000000015d0c-65.dat upx behavioral1/files/0x0008000000015d19-72.dat upx behavioral1/memory/2860-74-0x0000000000400000-0x0000000000446000-memory.dmp upx behavioral1/files/0x00070000000165a8-82.dat upx behavioral1/files/0x000600000001663f-89.dat upx behavioral1/memory/2612-91-0x0000000000400000-0x0000000000446000-memory.dmp upx behavioral1/memory/2824-101-0x0000000000400000-0x0000000000446000-memory.dmp upx behavioral1/memory/1336-100-0x0000000000400000-0x0000000000446000-memory.dmp upx behavioral1/files/0x000600000001686d-99.dat upx behavioral1/memory/2824-110-0x0000000000400000-0x0000000000446000-memory.dmp upx behavioral1/files/0x0006000000016abb-108.dat upx behavioral1/memory/2856-112-0x0000000000400000-0x0000000000446000-memory.dmp upx behavioral1/files/0x0006000000016c56-119.dat upx behavioral1/files/0x0006000000016c71-126.dat upx 
behavioral1/memory/1676-128-0x0000000000400000-0x0000000000446000-memory.dmp upx behavioral1/files/0x0006000000016c7a-137.dat upx behavioral1/memory/1964-136-0x0000000000400000-0x0000000000446000-memory.dmp upx behavioral1/files/0x0006000000016cc3-144.dat upx behavioral1/memory/1800-146-0x0000000000400000-0x0000000000446000-memory.dmp upx behavioral1/files/0x0006000000016ce7-154.dat upx behavioral1/files/0x0006000000016d1b-161.dat upx behavioral1/files/0x0006000000016d2c-169.dat upx behavioral1/files/0x0006000000016d34-177.dat upx behavioral1/files/0x0006000000016d3d-185.dat upx behavioral1/files/0x0006000000016d45-194.dat upx behavioral1/files/0x0035000000015c93-202.dat upx behavioral1/memory/2408-203-0x0000000000400000-0x0000000000446000-memory.dmp upx behavioral1/memory/1732-212-0x0000000000400000-0x0000000000446000-memory.dmp upx behavioral1/files/0x0006000000016d4e-210.dat upx behavioral1/files/0x0006000000016d61-220.dat upx behavioral1/files/0x0006000000016d65-228.dat upx behavioral1/files/0x0006000000016d69-236.dat upx behavioral1/files/0x0006000000016d71-244.dat upx behavioral1/files/0x0006000000016dda-252.dat upx behavioral1/files/0x0006000000016dde-260.dat upx behavioral1/memory/2216-263-0x0000000000400000-0x0000000000446000-memory.dmp upx behavioral1/memory/1984-261-0x0000000000400000-0x0000000000446000-memory.dmp upx behavioral1/files/0x0006000000016de7-270.dat upx behavioral1/memory/2356-279-0x0000000000400000-0x0000000000446000-memory.dmp upx behavioral1/files/0x0006000000016eb9-278.dat upx behavioral1/memory/2176-293-0x0000000000400000-0x0000000000446000-memory.dmp upx behavioral1/memory/2820-306-0x0000000000400000-0x0000000000446000-memory.dmp upx behavioral1/memory/2428-319-0x0000000000400000-0x0000000000446000-memory.dmp upx behavioral1/memory/2792-333-0x0000000000400000-0x0000000000446000-memory.dmp upx behavioral1/memory/2764-342-0x0000000000290000-0x00000000002D6000-memory.dmp upx 
behavioral1/memory/2764-347-0x0000000000400000-0x0000000000446000-memory.dmp upx behavioral1/memory/2696-354-0x0000000000400000-0x0000000000446000-memory.dmp upx behavioral1/memory/2696-361-0x0000000000400000-0x0000000000446000-memory.dmp upx -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\Serverx = "C:\\Windows\\system32\\Serverx.exe" d002865618db61a4b2c7216615c0ed80_NeikiAnalytics.exe -
Drops file in System32 directory 2 IoCs
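description ioc Process
File created C:\Windows\SysWOW64\Serverx.exe d002865618db61a4b2c7216615c0ed80_NeikiAnalytics.exe
File opened for modification C:\Windows\SysWOW64\Serverx.exe d002865618db61a4b2c7216615c0ed80_NeikiAnalytics.exe
Note: the Run key value above references C:\Windows\system32\Serverx.exe, while the file is recorded under C:\Windows\SysWOW64. This is consistent with WOW64 file-system redirection of a 32-bit process on the x64 guest, so detection and cleanup should check both paths. -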
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2960 wrote to memory of 3064 2960 d002865618db61a4b2c7216615c0ed80_NeikiAnalytics.exe 28 PID 2960 wrote to memory of 3064 2960 d002865618db61a4b2c7216615c0ed80_NeikiAnalytics.exe 28 PID 2960 wrote to memory of 3064 2960 d002865618db61a4b2c7216615c0ed80_NeikiAnalytics.exe 28 PID 2960 wrote to memory of 3064 2960 d002865618db61a4b2c7216615c0ed80_NeikiAnalytics.exe 28 PID 3064 wrote to memory of 1592 3064 d002865618db61a4b2c7216615c0ed80_NeikiAnalytics.exe 29 PID 3064 wrote to memory of 1592 3064 d002865618db61a4b2c7216615c0ed80_NeikiAnalytics.exe 29 PID 3064 wrote to memory of 1592 3064 d002865618db61a4b2c7216615c0ed80_NeikiAnalytics.exe 29 PID 3064 wrote to memory of 1592 3064 d002865618db61a4b2c7216615c0ed80_NeikiAnalytics.exe 29 PID 1592 wrote to memory of 1776 1592 9vppd.exe 30 PID 1592 wrote to memory of 1776 1592 9vppd.exe 30 PID 1592 wrote to memory of 1776 1592 9vppd.exe 30 PID 1592 wrote to memory of 1776 1592 9vppd.exe 30 PID 1776 wrote to memory of 2644 1776 vvjpv.exe 31 PID 1776 wrote to memory of 2644 1776 vvjpv.exe 31 PID 1776 wrote to memory of 2644 1776 vvjpv.exe 31 PID 1776 wrote to memory of 2644 1776 vvjpv.exe 31 PID 2644 wrote to memory of 2748 2644 1dvpp.exe 32 PID 2644 wrote to memory of 2748 2644 1dvpp.exe 32 PID 2644 wrote to memory of 2748 2644 1dvpp.exe 32 PID 2644 wrote to memory of 2748 2644 1dvpp.exe 32 PID 2748 wrote to memory of 1540 2748 5frlllr.exe 33 PID 2748 wrote to memory of 1540 2748 5frlllr.exe 33 PID 2748 wrote to memory of 1540 2748 5frlllr.exe 33 PID 2748 wrote to memory of 1540 2748 5frlllr.exe 33 PID 1540 wrote to memory of 2652 1540 bbthbb.exe 34 PID 1540 wrote to memory of 2652 1540 bbthbb.exe 34 PID 1540 wrote to memory of 2652 1540 bbthbb.exe 34 PID 1540 wrote to memory of 2652 1540 bbthbb.exe 34 PID 2652 wrote to memory of 2860 2652 jvvdp.exe 35 PID 2652 wrote to memory of 2860 2652 jvvdp.exe 35 PID 2652 wrote to memory of 2860 2652 jvvdp.exe 35 PID 2652 wrote to memory of 2860 
2652 jvvdp.exe 35 PID 2860 wrote to memory of 2532 2860 9fxlflx.exe 36 PID 2860 wrote to memory of 2532 2860 9fxlflx.exe 36 PID 2860 wrote to memory of 2532 2860 9fxlflx.exe 36 PID 2860 wrote to memory of 2532 2860 9fxlflx.exe 36 PID 2532 wrote to memory of 2612 2532 3bthbh.exe 37 PID 2532 wrote to memory of 2612 2532 3bthbh.exe 37 PID 2532 wrote to memory of 2612 2532 3bthbh.exe 37 PID 2532 wrote to memory of 2612 2532 3bthbh.exe 37 PID 2612 wrote to memory of 1336 2612 ppjpj.exe 38 PID 2612 wrote to memory of 1336 2612 ppjpj.exe 38 PID 2612 wrote to memory of 1336 2612 ppjpj.exe 38 PID 2612 wrote to memory of 1336 2612 ppjpj.exe 38 PID 1336 wrote to memory of 2824 1336 3rrfrrf.exe 39 PID 1336 wrote to memory of 2824 1336 3rrfrrf.exe 39 PID 1336 wrote to memory of 2824 1336 3rrfrrf.exe 39 PID 1336 wrote to memory of 2824 1336 3rrfrrf.exe 39 PID 2824 wrote to memory of 2856 2824 lfxxflr.exe 40 PID 2824 wrote to memory of 2856 2824 lfxxflr.exe 40 PID 2824 wrote to memory of 2856 2824 lfxxflr.exe 40 PID 2824 wrote to memory of 2856 2824 lfxxflr.exe 40 PID 2856 wrote to memory of 1676 2856 ddpvj.exe 41 PID 2856 wrote to memory of 1676 2856 ddpvj.exe 41 PID 2856 wrote to memory of 1676 2856 ddpvj.exe 41 PID 2856 wrote to memory of 1676 2856 ddpvj.exe 41 PID 1676 wrote to memory of 1964 1676 lflrlrx.exe 42 PID 1676 wrote to memory of 1964 1676 lflrlrx.exe 42 PID 1676 wrote to memory of 1964 1676 lflrlrx.exe 42 PID 1676 wrote to memory of 1964 1676 lflrlrx.exe 42 PID 1964 wrote to memory of 1800 1964 tnhtbn.exe 43 PID 1964 wrote to memory of 1800 1964 tnhtbn.exe 43 PID 1964 wrote to memory of 1800 1964 tnhtbn.exe 43 PID 1964 wrote to memory of 1800 1964 tnhtbn.exe 43
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:1204
-
C:\Users\Admin\AppData\Local\Temp\d002865618db61a4b2c7216615c0ed80_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\d002865618db61a4b2c7216615c0ed80_NeikiAnalytics.exe"2⤵
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2960 -
C:\Users\Admin\AppData\Local\Temp\d002865618db61a4b2c7216615c0ed80_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\d002865618db61a4b2c7216615c0ed80_NeikiAnalytics.exe"3⤵
- Suspicious use of WriteProcessMemory
PID:3064 -
\??\c:\9vppd.exec:\9vppd.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1592 -
\??\c:\vvjpv.exec:\vvjpv.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1776 -
\??\c:\1dvpp.exec:\1dvpp.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2644 -
\??\c:\5frlllr.exec:\5frlllr.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2748 -
\??\c:\bbthbb.exec:\bbthbb.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1540 -
\??\c:\jvvdp.exec:\jvvdp.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2652 -
\??\c:\9fxlflx.exec:\9fxlflx.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2860 -
\??\c:\3bthbh.exec:\3bthbh.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2532 -
\??\c:\ppjpj.exec:\ppjpj.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2612 -
\??\c:\3rrfrrf.exec:\3rrfrrf.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1336 -
\??\c:\lfxxflr.exec:\lfxxflr.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2824 -
\??\c:\ddpvj.exec:\ddpvj.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2856 -
\??\c:\lflrlrx.exec:\lflrlrx.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1676 -
\??\c:\tnhtbn.exec:\tnhtbn.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1964 -
\??\c:\ddjjv.exec:\ddjjv.exe18⤵
- Executes dropped EXE
PID:1800 -
\??\c:\xxrlxxl.exec:\xxrlxxl.exe19⤵
- Executes dropped EXE
PID:1316 -
\??\c:\3tnhbh.exec:\3tnhbh.exe20⤵
- Executes dropped EXE
PID:1792 -
\??\c:\pjvdp.exec:\pjvdp.exe21⤵
- Executes dropped EXE
PID:316 -
\??\c:\1rxlxlf.exec:\1rxlxlf.exe22⤵
- Executes dropped EXE
PID:812 -
\??\c:\3hbnhn.exec:\3hbnhn.exe23⤵
- Executes dropped EXE
PID:2076 -
\??\c:\nhnhth.exec:\nhnhth.exe24⤵
- Executes dropped EXE
PID:2516 -
\??\c:\vpdjv.exec:\vpdjv.exe25⤵
- Executes dropped EXE
PID:2408 -
\??\c:\7lxflff.exec:\7lxflff.exe26⤵
- Executes dropped EXE
PID:1732 -
\??\c:\tnhhnn.exec:\tnhhnn.exe27⤵
- Executes dropped EXE
PID:484 -
\??\c:\dpdjd.exec:\dpdjd.exe28⤵
- Executes dropped EXE
PID:1508 -
\??\c:\lfxxffl.exec:\lfxxffl.exe29⤵
- Executes dropped EXE
PID:1788 -
\??\c:\hhbhtb.exec:\hhbhtb.exe30⤵
- Executes dropped EXE
PID:2028 -
\??\c:\pjjdv.exec:\pjjdv.exe31⤵
- Executes dropped EXE
PID:1044 -
\??\c:\fxlrllr.exec:\fxlrllr.exe32⤵
- Executes dropped EXE
PID:1984 -
\??\c:\nhhbtt.exec:\nhhbtt.exe33⤵
- Executes dropped EXE
PID:2216 -
\??\c:\hbtbth.exec:\hbtbth.exe34⤵
- Executes dropped EXE
PID:2356 -
\??\c:\rlxlxfx.exec:\rlxlxfx.exe35⤵
- Executes dropped EXE
PID:2164 -
\??\c:\rlrlxrx.exec:\rlrlxrx.exe36⤵
- Executes dropped EXE
PID:2176 -
\??\c:\bthtnt.exec:\bthtnt.exe37⤵
- Executes dropped EXE
PID:2276 -
\??\c:\pdjvv.exec:\pdjvv.exe38⤵
- Executes dropped EXE
PID:2820 -
\??\c:\lflfxxf.exec:\lflfxxf.exe39⤵
- Executes dropped EXE
PID:1536 -
\??\c:\5llrxxf.exec:\5llrxxf.exe40⤵
- Executes dropped EXE
PID:2428 -
\??\c:\hhtbtt.exec:\hhtbtt.exe41⤵
- Executes dropped EXE
PID:2640 -
\??\c:\pjvdj.exec:\pjvdj.exe42⤵
- Executes dropped EXE
PID:2736 -
\??\c:\fxrxfxf.exec:\fxrxfxf.exe43⤵
- Executes dropped EXE
PID:2792 -
\??\c:\pppvv.exec:\pppvv.exe44⤵
- Executes dropped EXE
PID:2764 -
\??\c:\jvjpp.exec:\jvjpp.exe45⤵
- Executes dropped EXE
PID:2784 -
\??\c:\7xlllfl.exec:\7xlllfl.exe46⤵
- Executes dropped EXE
PID:2696 -
\??\c:\tthntt.exec:\tthntt.exe47⤵
- Executes dropped EXE
PID:2556 -
\??\c:\7pjvd.exec:\7pjvd.exe48⤵
- Executes dropped EXE
PID:2548 -
\??\c:\lflffff.exec:\lflffff.exe49⤵
- Executes dropped EXE
PID:2532 -
\??\c:\xlrxfff.exec:\xlrxfff.exe50⤵
- Executes dropped EXE
PID:2208 -
\??\c:\nhtnbt.exec:\nhtnbt.exe51⤵
- Executes dropped EXE
PID:2768 -
\??\c:\dpdjd.exec:\dpdjd.exe52⤵
- Executes dropped EXE
PID:2332 -
\??\c:\xlrlrlr.exec:\xlrlrlr.exe53⤵
- Executes dropped EXE
PID:2824 -
\??\c:\3frrfxl.exec:\3frrfxl.exe54⤵
- Executes dropped EXE
PID:2856 -
\??\c:\7nhhtn.exec:\7nhhtn.exe55⤵
- Executes dropped EXE
PID:3040 -
\??\c:\1hnnnt.exec:\1hnnnt.exe56⤵
- Executes dropped EXE
PID:1712 -
\??\c:\dvjpd.exec:\dvjpd.exe57⤵
- Executes dropped EXE
PID:1964 -
\??\c:\lfxxfrf.exec:\lfxxfrf.exe58⤵
- Executes dropped EXE
PID:1276 -
\??\c:\fxrxfxl.exec:\fxrxfxl.exe59⤵
- Executes dropped EXE
PID:2604 -
\??\c:\hbnnhh.exec:\hbnnhh.exe60⤵
- Executes dropped EXE
PID:2624 -
\??\c:\nbhhtn.exec:\nbhhtn.exe61⤵
- Executes dropped EXE
PID:764 -
\??\c:\vjvvp.exec:\vjvvp.exe62⤵
- Executes dropped EXE
PID:1772 -
\??\c:\5rfxffl.exec:\5rfxffl.exe63⤵
- Executes dropped EXE
PID:1528 -
\??\c:\fxllxxx.exec:\fxllxxx.exe64⤵
- Executes dropped EXE
PID:2256 -
\??\c:\ttntnn.exec:\ttntnn.exe65⤵
- Executes dropped EXE
PID:1728 -
\??\c:\djvdj.exec:\djvdj.exe66⤵
- Executes dropped EXE
PID:2516 -
\??\c:\9fxlxlr.exec:\9fxlxlr.exe67⤵
- Executes dropped EXE
PID:2408 -
\??\c:\nbnthb.exec:\nbnthb.exe68⤵PID:320
-
\??\c:\bnnhbt.exec:\bnnhbt.exe69⤵PID:1496
-
\??\c:\dpvvp.exec:\dpvvp.exe70⤵PID:484
-
\??\c:\rllrrrr.exec:\rllrrrr.exe71⤵PID:1692
-
\??\c:\tthnhn.exec:\tthnhn.exe72⤵PID:1400
-
\??\c:\7bhbhb.exec:\7bhbhb.exe73⤵PID:2000
-
\??\c:\jdpvd.exec:\jdpvd.exe74⤵PID:2012
-
\??\c:\fxlxffx.exec:\fxlxffx.exe75⤵PID:2376
-
\??\c:\hntbhb.exec:\hntbhb.exe76⤵PID:1332
-
\??\c:\dvddj.exec:\dvddj.exe77⤵PID:1972
-
\??\c:\frxfrlr.exec:\frxfrlr.exe78⤵PID:2356
-
\??\c:\frfrxrr.exec:\frfrxrr.exe79⤵PID:892
-
\??\c:\bntbhn.exec:\bntbhn.exe80⤵PID:1596
-
\??\c:\htbthb.exec:\htbthb.exe81⤵PID:1616
-
\??\c:\jvjjv.exec:\jvjjv.exe82⤵PID:3064
-
\??\c:\frflrrf.exec:\frflrrf.exe83⤵PID:2444
-
\??\c:\bnbhbt.exec:\bnbhbt.exe84⤵PID:1156
-
\??\c:\hbhnnn.exec:\hbhnnn.exe85⤵PID:1796
-
\??\c:\jdpvj.exec:\jdpvj.exe86⤵PID:2644
-
\??\c:\7xrxrrx.exec:\7xrxrrx.exe87⤵PID:2756
-
\??\c:\nbhnhb.exec:\nbhnhb.exe88⤵PID:2724
-
\??\c:\hbnbtn.exec:\hbnbtn.exe89⤵PID:1540
-
\??\c:\7pvdj.exec:\7pvdj.exe90⤵PID:2572
-
\??\c:\lllxlrx.exec:\lllxlrx.exe91⤵PID:2696
-
\??\c:\5rrrrxf.exec:\5rrrrxf.exe92⤵PID:2556
-
\??\c:\7htbnn.exec:\7htbnn.exe93⤵PID:2552
-
\??\c:\3ddvd.exec:\3ddvd.exe94⤵PID:2472
-
\??\c:\xxffffl.exec:\xxffffl.exe95⤵PID:3060
-
\??\c:\1lrxffl.exec:\1lrxffl.exe96⤵PID:2828
-
\??\c:\3hbntt.exec:\3hbntt.exe97⤵PID:3000
-
\??\c:\dpdpj.exec:\dpdpj.exe98⤵PID:2980
-
\??\c:\pjvdd.exec:\pjvdd.exe99⤵PID:2508
-
\??\c:\xlxxflr.exec:\xlxxflr.exe100⤵PID:1948
-
\??\c:\hbhnbh.exec:\hbhnbh.exe101⤵PID:1032
-
\??\c:\9nnttt.exec:\9nnttt.exe102⤵PID:1944
-
\??\c:\jdjpd.exec:\jdjpd.exe103⤵PID:2032
-
\??\c:\xxrfxfr.exec:\xxrfxfr.exe104⤵PID:2604
-
\??\c:\lfrrflf.exec:\lfrrflf.exe105⤵PID:1792
-
\??\c:\thtbhn.exec:\thtbhn.exe106⤵PID:764
-
\??\c:\jvddp.exec:\jvddp.exe107⤵PID:2292
-
\??\c:\3rfxfff.exec:\3rfxfff.exe108⤵PID:1528
-
\??\c:\xxrxlrx.exec:\xxrxlrx.exe109⤵PID:2300
-
\??\c:\bbtnht.exec:\bbtnht.exe110⤵PID:2852
-
\??\c:\pjvvj.exec:\pjvvj.exe111⤵PID:2728
-
\??\c:\pvddj.exec:\pvddj.exe112⤵PID:712
-
\??\c:\rrrxrxf.exec:\rrrxrxf.exe113⤵PID:1264
-
\??\c:\1hhbnt.exec:\1hhbnt.exe114⤵PID:336
-
\??\c:\btnntb.exec:\btnntb.exe115⤵PID:2988
-
\??\c:\5jdvd.exec:\5jdvd.exe116⤵PID:1552
-
\??\c:\rlxrffr.exec:\rlxrffr.exe117⤵PID:620
-
\??\c:\nbhtth.exec:\nbhtth.exe118⤵PID:1716
-
\??\c:\bbnhtt.exec:\bbnhtt.exe119⤵PID:1044
-
\??\c:\1dvdd.exec:\1dvdd.exe120⤵PID:2012
-
\??\c:\7llllxf.exec:\7llllxf.exe121⤵PID:2376
-
\??\c:\llffllf.exec:\llffllf.exe122⤵PID:2324
-