Analysis
-
max time kernel
131s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240426-en locale:en-us os:windows10-2004-x64 system -
submitted
18/05/2024, 13:41
Behavioral task
behavioral1
Sample
d002865618db61a4b2c7216615c0ed80_NeikiAnalytics.exe
Resource
win7-20240508-en
7 signatures
150 seconds
General
-
Target
d002865618db61a4b2c7216615c0ed80_NeikiAnalytics.exe
-
Size
169KB
-
MD5
d002865618db61a4b2c7216615c0ed80
-
SHA1
aa6442723c8aac153b9dcdf6b9d0315ab1e703f6
-
SHA256
7e819bbfcd868a05aa4ba90b1c1ed904739c7360865eb27c1414e80ea808b501
-
SHA512
20b224a316fd1af22280c02de25ddb2656a7e511fc679669a53b1452dc6b636493d05516964469fdaa90b9c127d66be34c4c8c5f4030100d429cd8c87592ac8c
-
SSDEEP
1536:HvQBeOGtrYS3srx93UBWfwC6Ggnouy8CUYj7FK4O8A1o4XEc3YtxD8/Ai2L:HhOmTsF93UYfwC6GIoutX8Ki3c3YT8VU
Malware Config
Signatures
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/2748-6-0x0000000000400000-0x0000000000446000-memory.dmp family_blackmoon behavioral2/memory/2780-8-0x0000000000400000-0x0000000000446000-memory.dmp family_blackmoon behavioral2/memory/2176-17-0x0000000000400000-0x0000000000446000-memory.dmp family_blackmoon behavioral2/memory/4012-23-0x0000000000400000-0x0000000000446000-memory.dmp family_blackmoon behavioral2/memory/4016-31-0x0000000000400000-0x0000000000446000-memory.dmp family_blackmoon behavioral2/memory/1076-32-0x0000000000400000-0x0000000000446000-memory.dmp family_blackmoon behavioral2/memory/1496-39-0x0000000000400000-0x0000000000446000-memory.dmp family_blackmoon behavioral2/memory/1604-48-0x0000000000400000-0x0000000000446000-memory.dmp family_blackmoon behavioral2/memory/1584-54-0x0000000000400000-0x0000000000446000-memory.dmp family_blackmoon behavioral2/memory/1808-61-0x0000000000400000-0x0000000000446000-memory.dmp family_blackmoon behavioral2/memory/2732-66-0x0000000000400000-0x0000000000446000-memory.dmp family_blackmoon behavioral2/memory/1468-72-0x0000000000400000-0x0000000000446000-memory.dmp family_blackmoon behavioral2/memory/1748-81-0x0000000000400000-0x0000000000446000-memory.dmp family_blackmoon behavioral2/memory/1868-82-0x0000000000400000-0x0000000000446000-memory.dmp family_blackmoon behavioral2/memory/3508-89-0x0000000000400000-0x0000000000446000-memory.dmp family_blackmoon behavioral2/memory/1868-88-0x0000000000400000-0x0000000000446000-memory.dmp family_blackmoon behavioral2/memory/2916-111-0x0000000000400000-0x0000000000446000-memory.dmp family_blackmoon behavioral2/memory/556-123-0x0000000000400000-0x0000000000446000-memory.dmp family_blackmoon behavioral2/memory/4600-120-0x0000000000400000-0x0000000000446000-memory.dmp family_blackmoon behavioral2/memory/3944-136-0x0000000000400000-0x0000000000446000-memory.dmp family_blackmoon behavioral2/memory/1592-146-0x0000000000400000-0x0000000000446000-memory.dmp family_blackmoon 
behavioral2/memory/2112-152-0x0000000000400000-0x0000000000446000-memory.dmp family_blackmoon behavioral2/memory/708-176-0x0000000000400000-0x0000000000446000-memory.dmp family_blackmoon behavioral2/memory/3400-181-0x0000000000400000-0x0000000000446000-memory.dmp family_blackmoon behavioral2/memory/3084-187-0x0000000000400000-0x0000000000446000-memory.dmp family_blackmoon behavioral2/memory/2544-192-0x0000000000400000-0x0000000000446000-memory.dmp family_blackmoon behavioral2/memory/4556-202-0x0000000000400000-0x0000000000446000-memory.dmp family_blackmoon behavioral2/memory/4340-213-0x0000000000400000-0x0000000000446000-memory.dmp family_blackmoon behavioral2/memory/4496-217-0x0000000000400000-0x0000000000446000-memory.dmp family_blackmoon behavioral2/memory/4352-221-0x0000000000400000-0x0000000000446000-memory.dmp family_blackmoon behavioral2/memory/796-223-0x0000000000400000-0x0000000000446000-memory.dmp family_blackmoon behavioral2/memory/796-226-0x0000000000400000-0x0000000000446000-memory.dmp family_blackmoon behavioral2/memory/4228-230-0x0000000000400000-0x0000000000446000-memory.dmp family_blackmoon behavioral2/memory/1496-240-0x0000000000400000-0x0000000000446000-memory.dmp family_blackmoon behavioral2/memory/3968-248-0x0000000000400000-0x0000000000446000-memory.dmp family_blackmoon behavioral2/memory/1776-268-0x0000000000400000-0x0000000000446000-memory.dmp family_blackmoon behavioral2/memory/4836-274-0x0000000000400000-0x0000000000446000-memory.dmp family_blackmoon behavioral2/memory/1868-278-0x0000000000400000-0x0000000000446000-memory.dmp family_blackmoon behavioral2/memory/5072-282-0x0000000000400000-0x0000000000446000-memory.dmp family_blackmoon behavioral2/memory/4948-326-0x0000000000400000-0x0000000000446000-memory.dmp family_blackmoon behavioral2/memory/4948-329-0x0000000000400000-0x0000000000446000-memory.dmp family_blackmoon behavioral2/memory/4612-336-0x0000000000400000-0x0000000000446000-memory.dmp family_blackmoon 
behavioral2/memory/5016-341-0x0000000000400000-0x0000000000446000-memory.dmp family_blackmoon behavioral2/memory/2328-347-0x0000000000400000-0x0000000000446000-memory.dmp family_blackmoon behavioral2/memory/708-353-0x0000000000400000-0x0000000000446000-memory.dmp family_blackmoon behavioral2/memory/1800-373-0x0000000000400000-0x0000000000446000-memory.dmp family_blackmoon behavioral2/memory/3904-381-0x0000000000400000-0x0000000000446000-memory.dmp family_blackmoon behavioral2/memory/4344-385-0x0000000000400000-0x0000000000446000-memory.dmp family_blackmoon behavioral2/memory/644-389-0x0000000000400000-0x0000000000446000-memory.dmp family_blackmoon behavioral2/memory/644-393-0x0000000000400000-0x0000000000446000-memory.dmp family_blackmoon behavioral2/memory/4012-397-0x0000000000400000-0x0000000000446000-memory.dmp family_blackmoon behavioral2/memory/1972-407-0x0000000000400000-0x0000000000446000-memory.dmp family_blackmoon behavioral2/memory/1820-426-0x0000000000400000-0x0000000000446000-memory.dmp family_blackmoon behavioral2/memory/2060-433-0x0000000000400000-0x0000000000446000-memory.dmp family_blackmoon behavioral2/memory/4220-437-0x0000000000400000-0x0000000000446000-memory.dmp family_blackmoon behavioral2/memory/4028-463-0x0000000000400000-0x0000000000446000-memory.dmp family_blackmoon behavioral2/memory/4420-495-0x0000000000400000-0x0000000000446000-memory.dmp family_blackmoon behavioral2/memory/2392-610-0x0000000000400000-0x0000000000446000-memory.dmp family_blackmoon behavioral2/memory/5104-615-0x0000000000400000-0x0000000000446000-memory.dmp family_blackmoon behavioral2/memory/3784-654-0x0000000000400000-0x0000000000446000-memory.dmp family_blackmoon behavioral2/memory/4584-661-0x0000000000400000-0x0000000000446000-memory.dmp family_blackmoon behavioral2/memory/1436-665-0x0000000000400000-0x0000000000446000-memory.dmp family_blackmoon behavioral2/memory/1800-804-0x0000000000400000-0x0000000000446000-memory.dmp family_blackmoon 
behavioral2/memory/4372-864-0x0000000000400000-0x0000000000446000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2780 7vpdv.exe 2176 xlfllxl.exe 4012 rfrfxlf.exe 4016 nnhbnt.exe 1076 1pvpv.exe 1496 htthtn.exe 1604 9nthbh.exe 1584 ddppp.exe 1808 jdpjp.exe 2732 llrffxx.exe 1468 hnhnht.exe 1748 hnbnht.exe 1868 xrlffrr.exe 3508 flfxxrl.exe 492 tnhbtb.exe 1560 ddvjd.exe 368 vppjv.exe 2916 9llxrrl.exe 4600 lfrlffr.exe 556 5hhbnn.exe 392 vppjp.exe 3944 3rxrxrx.exe 1592 fxfxrxr.exe 3896 3bhtht.exe 2112 7rxrlll.exe 4936 fxffflf.exe 4680 nttnbt.exe 3360 bbbbtn.exe 708 pjjdj.exe 3400 rlfxrll.exe 3084 ttbbhb.exe 2544 lffxrll.exe 3080 bhnhbt.exe 3292 hnbbbt.exe 4556 djjjd.exe 1152 vpppp.exe 4676 llrlxxf.exe 4340 hhbtht.exe 4496 9hhtnh.exe 4352 jvpvp.exe 796 lxlfrlf.exe 4228 fflfllr.exe 4760 hnnhbb.exe 4548 ppdvj.exe 1496 1vdvp.exe 3868 1xfxxxx.exe 3968 xrllfff.exe 4488 ttbthb.exe 2700 jdjdd.exe 652 1rrlxlx.exe 2676 7xrlffl.exe 2380 5ntbnn.exe 5096 9jddj.exe 1776 ppvvd.exe 4836 xrfxrrl.exe 1868 nttnhb.exe 4824 djvpj.exe 5072 dvpjv.exe 1048 fxffxxr.exe 4028 nhtnht.exe 1476 tbhhbb.exe 4040 nhhbtn.exe 4608 1pvvp.exe 4044 dvppv.exe -
resource yara_rule behavioral2/memory/2748-0-0x0000000000400000-0x0000000000446000-memory.dmp upx behavioral2/memory/2748-6-0x0000000000400000-0x0000000000446000-memory.dmp upx behavioral2/memory/2780-8-0x0000000000400000-0x0000000000446000-memory.dmp upx behavioral2/files/0x0007000000023443-10.dat upx behavioral2/files/0x0007000000023444-13.dat upx behavioral2/memory/2176-17-0x0000000000400000-0x0000000000446000-memory.dmp upx behavioral2/memory/4012-23-0x0000000000400000-0x0000000000446000-memory.dmp upx behavioral2/files/0x0007000000023445-21.dat upx behavioral2/memory/4016-25-0x0000000000400000-0x0000000000446000-memory.dmp upx behavioral2/files/0x000800000002343c-4.dat upx behavioral2/files/0x0007000000023446-28.dat upx behavioral2/memory/4016-31-0x0000000000400000-0x0000000000446000-memory.dmp upx behavioral2/memory/1076-32-0x0000000000400000-0x0000000000446000-memory.dmp upx behavioral2/files/0x0007000000023447-35.dat upx behavioral2/memory/1496-39-0x0000000000400000-0x0000000000446000-memory.dmp upx behavioral2/files/0x0007000000023448-42.dat upx behavioral2/files/0x0007000000023449-49.dat upx behavioral2/memory/1604-48-0x0000000000400000-0x0000000000446000-memory.dmp upx behavioral2/files/0x000700000002344a-55.dat upx behavioral2/memory/1584-54-0x0000000000400000-0x0000000000446000-memory.dmp upx behavioral2/files/0x000700000002344b-58.dat upx behavioral2/memory/1808-61-0x0000000000400000-0x0000000000446000-memory.dmp upx behavioral2/files/0x000700000002344c-64.dat upx behavioral2/memory/2732-66-0x0000000000400000-0x0000000000446000-memory.dmp upx behavioral2/memory/1468-68-0x0000000000400000-0x0000000000446000-memory.dmp upx behavioral2/files/0x000700000002344d-73.dat upx behavioral2/memory/1468-72-0x0000000000400000-0x0000000000446000-memory.dmp upx behavioral2/memory/1748-75-0x0000000000400000-0x0000000000446000-memory.dmp upx behavioral2/files/0x000700000002344e-78.dat upx behavioral2/memory/1748-81-0x0000000000400000-0x0000000000446000-memory.dmp upx 
behavioral2/memory/1868-82-0x0000000000400000-0x0000000000446000-memory.dmp upx behavioral2/files/0x000700000002344f-87.dat upx behavioral2/memory/3508-89-0x0000000000400000-0x0000000000446000-memory.dmp upx behavioral2/memory/1868-88-0x0000000000400000-0x0000000000446000-memory.dmp upx behavioral2/files/0x0007000000023450-93.dat upx behavioral2/files/0x0007000000023451-97.dat upx behavioral2/files/0x0007000000023452-104.dat upx behavioral2/files/0x0007000000023453-109.dat upx behavioral2/memory/2916-111-0x0000000000400000-0x0000000000446000-memory.dmp upx behavioral2/files/0x0007000000023454-113.dat upx behavioral2/memory/556-123-0x0000000000400000-0x0000000000446000-memory.dmp upx behavioral2/files/0x0007000000023455-121.dat upx behavioral2/files/0x0007000000023456-125.dat upx behavioral2/memory/4600-120-0x0000000000400000-0x0000000000446000-memory.dmp upx behavioral2/files/0x0007000000023457-131.dat upx behavioral2/files/0x0007000000023458-137.dat upx behavioral2/memory/3944-136-0x0000000000400000-0x0000000000446000-memory.dmp upx behavioral2/memory/1592-139-0x0000000000400000-0x0000000000446000-memory.dmp upx behavioral2/files/0x0007000000023459-142.dat upx behavioral2/memory/3896-144-0x0000000000400000-0x0000000000446000-memory.dmp upx behavioral2/memory/1592-146-0x0000000000400000-0x0000000000446000-memory.dmp upx behavioral2/files/0x000700000002345a-151.dat upx behavioral2/memory/2112-152-0x0000000000400000-0x0000000000446000-memory.dmp upx behavioral2/files/0x000700000002345b-156.dat upx behavioral2/files/0x000700000002345c-160.dat upx behavioral2/files/0x000700000002345d-165.dat upx behavioral2/files/0x000700000002345e-171.dat upx behavioral2/files/0x000700000002345f-175.dat upx behavioral2/memory/708-176-0x0000000000400000-0x0000000000446000-memory.dmp upx behavioral2/files/0x0008000000023440-180.dat upx behavioral2/memory/3400-181-0x0000000000400000-0x0000000000446000-memory.dmp upx 
behavioral2/memory/3084-187-0x0000000000400000-0x0000000000446000-memory.dmp upx behavioral2/files/0x0007000000023460-185.dat upx behavioral2/memory/2544-192-0x0000000000400000-0x0000000000446000-memory.dmp upx -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2748 wrote to memory of 2780 2748 d002865618db61a4b2c7216615c0ed80_NeikiAnalytics.exe 82 PID 2748 wrote to memory of 2780 2748 d002865618db61a4b2c7216615c0ed80_NeikiAnalytics.exe 82 PID 2748 wrote to memory of 2780 2748 d002865618db61a4b2c7216615c0ed80_NeikiAnalytics.exe 82 PID 2780 wrote to memory of 2176 2780 7vpdv.exe 83 PID 2780 wrote to memory of 2176 2780 7vpdv.exe 83 PID 2780 wrote to memory of 2176 2780 7vpdv.exe 83 PID 2176 wrote to memory of 4012 2176 xlfllxl.exe 84 PID 2176 wrote to memory of 4012 2176 xlfllxl.exe 84 PID 2176 wrote to memory of 4012 2176 xlfllxl.exe 84 PID 4012 wrote to memory of 4016 4012 rfrfxlf.exe 85 PID 4012 wrote to memory of 4016 4012 rfrfxlf.exe 85 PID 4012 wrote to memory of 4016 4012 rfrfxlf.exe 85 PID 4016 wrote to memory of 1076 4016 nnhbnt.exe 86 PID 4016 wrote to memory of 1076 4016 nnhbnt.exe 86 PID 4016 wrote to memory of 1076 4016 nnhbnt.exe 86 PID 1076 wrote to memory of 1496 1076 1pvpv.exe 87 PID 1076 wrote to memory of 1496 1076 1pvpv.exe 87 PID 1076 wrote to memory of 1496 1076 1pvpv.exe 87 PID 1496 wrote to memory of 1604 1496 htthtn.exe 89 PID 1496 wrote to memory of 1604 1496 htthtn.exe 89 PID 1496 wrote to memory of 1604 1496 htthtn.exe 89 PID 1604 wrote to memory of 1584 1604 9nthbh.exe 90 PID 1604 wrote to memory of 1584 1604 9nthbh.exe 90 PID 1604 wrote to memory of 1584 1604 9nthbh.exe 90 PID 1584 wrote to memory of 1808 1584 ddppp.exe 91 PID 1584 wrote to memory of 1808 1584 ddppp.exe 91 PID 1584 wrote to memory of 1808 1584 ddppp.exe 91 PID 1808 wrote to memory of 2732 1808 jdpjp.exe 92 PID 1808 wrote to memory of 2732 1808 jdpjp.exe 92 PID 1808 wrote to memory of 2732 1808 jdpjp.exe 92 PID 2732 wrote to memory of 1468 2732 llrffxx.exe 94 PID 2732 wrote to memory of 1468 2732 llrffxx.exe 94 PID 2732 wrote to memory of 1468 2732 llrffxx.exe 94 PID 1468 wrote to memory of 1748 1468 hnhnht.exe 95 PID 1468 wrote to memory of 1748 1468 hnhnht.exe 95 PID 1468 wrote to 
memory of 1748 1468 hnhnht.exe 95 PID 1748 wrote to memory of 1868 1748 hnbnht.exe 97 PID 1748 wrote to memory of 1868 1748 hnbnht.exe 97 PID 1748 wrote to memory of 1868 1748 hnbnht.exe 97 PID 1868 wrote to memory of 3508 1868 xrlffrr.exe 98 PID 1868 wrote to memory of 3508 1868 xrlffrr.exe 98 PID 1868 wrote to memory of 3508 1868 xrlffrr.exe 98 PID 3508 wrote to memory of 492 3508 flfxxrl.exe 99 PID 3508 wrote to memory of 492 3508 flfxxrl.exe 99 PID 3508 wrote to memory of 492 3508 flfxxrl.exe 99 PID 492 wrote to memory of 1560 492 tnhbtb.exe 100 PID 492 wrote to memory of 1560 492 tnhbtb.exe 100 PID 492 wrote to memory of 1560 492 tnhbtb.exe 100 PID 1560 wrote to memory of 368 1560 ddvjd.exe 101 PID 1560 wrote to memory of 368 1560 ddvjd.exe 101 PID 1560 wrote to memory of 368 1560 ddvjd.exe 101 PID 368 wrote to memory of 2916 368 vppjv.exe 102 PID 368 wrote to memory of 2916 368 vppjv.exe 102 PID 368 wrote to memory of 2916 368 vppjv.exe 102 PID 2916 wrote to memory of 4600 2916 9llxrrl.exe 103 PID 2916 wrote to memory of 4600 2916 9llxrrl.exe 103 PID 2916 wrote to memory of 4600 2916 9llxrrl.exe 103 PID 4600 wrote to memory of 556 4600 lfrlffr.exe 104 PID 4600 wrote to memory of 556 4600 lfrlffr.exe 104 PID 4600 wrote to memory of 556 4600 lfrlffr.exe 104 PID 556 wrote to memory of 392 556 5hhbnn.exe 105 PID 556 wrote to memory of 392 556 5hhbnn.exe 105 PID 556 wrote to memory of 392 556 5hhbnn.exe 105 PID 392 wrote to memory of 3944 392 vppjp.exe 106
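Processes
Reading the entries below: the page extraction has fused each process's image path, its command line and its process-tree depth into one string, so `\??\c:\7vpdv.exec:\7vpdv.exe2⤵` reads as image path `\??\c:\7vpdv.exe`, command line `c:\7vpdv.exe`, depth 2. The depth rises by one per entry, which appears to match the parent-to-child PID pairs listed in the WriteProcessMemory table above (each dropped executable starts the next one).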
-
C:\Users\Admin\AppData\Local\Temp\d002865618db61a4b2c7216615c0ed80_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\d002865618db61a4b2c7216615c0ed80_NeikiAnalytics.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2748 -
\??\c:\7vpdv.exec:\7vpdv.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2780 -
\??\c:\xlfllxl.exec:\xlfllxl.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2176 -
\??\c:\rfrfxlf.exec:\rfrfxlf.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4012 -
\??\c:\nnhbnt.exec:\nnhbnt.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4016 -
\??\c:\1pvpv.exec:\1pvpv.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1076 -
\??\c:\htthtn.exec:\htthtn.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1496 -
\??\c:\9nthbh.exec:\9nthbh.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1604 -
\??\c:\ddppp.exec:\ddppp.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1584 -
\??\c:\jdpjp.exec:\jdpjp.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1808 -
\??\c:\llrffxx.exec:\llrffxx.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2732 -
\??\c:\hnhnht.exec:\hnhnht.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1468 -
\??\c:\hnbnht.exec:\hnbnht.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1748 -
\??\c:\xrlffrr.exec:\xrlffrr.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1868 -
\??\c:\flfxxrl.exec:\flfxxrl.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3508 -
\??\c:\tnhbtb.exec:\tnhbtb.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:492 -
\??\c:\ddvjd.exec:\ddvjd.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1560 -
\??\c:\vppjv.exec:\vppjv.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:368 -
\??\c:\9llxrrl.exec:\9llxrrl.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2916 -
\??\c:\lfrlffr.exec:\lfrlffr.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4600 -
\??\c:\5hhbnn.exec:\5hhbnn.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:556 -
\??\c:\vppjp.exec:\vppjp.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:392 -
\??\c:\3rxrxrx.exec:\3rxrxrx.exe23⤵
- Executes dropped EXE
PID:3944 -
\??\c:\fxfxrxr.exec:\fxfxrxr.exe24⤵
- Executes dropped EXE
PID:1592 -
\??\c:\3bhtht.exec:\3bhtht.exe25⤵
- Executes dropped EXE
PID:3896 -
\??\c:\7rxrlll.exec:\7rxrlll.exe26⤵
- Executes dropped EXE
PID:2112 -
\??\c:\fxffflf.exec:\fxffflf.exe27⤵
- Executes dropped EXE
PID:4936 -
\??\c:\nttnbt.exec:\nttnbt.exe28⤵
- Executes dropped EXE
PID:4680 -
\??\c:\bbbbtn.exec:\bbbbtn.exe29⤵
- Executes dropped EXE
PID:3360 -
\??\c:\pjjdj.exec:\pjjdj.exe30⤵
- Executes dropped EXE
PID:708 -
\??\c:\rlfxrll.exec:\rlfxrll.exe31⤵
- Executes dropped EXE
PID:3400 -
\??\c:\ttbbhb.exec:\ttbbhb.exe32⤵
- Executes dropped EXE
PID:3084 -
\??\c:\lffxrll.exec:\lffxrll.exe33⤵
- Executes dropped EXE
PID:2544 -
\??\c:\bhnhbt.exec:\bhnhbt.exe34⤵
- Executes dropped EXE
PID:3080 -
\??\c:\hnbbbt.exec:\hnbbbt.exe35⤵
- Executes dropped EXE
PID:3292 -
\??\c:\djjjd.exec:\djjjd.exe36⤵
- Executes dropped EXE
PID:4556 -
\??\c:\vpppp.exec:\vpppp.exe37⤵
- Executes dropped EXE
PID:1152 -
\??\c:\llrlxxf.exec:\llrlxxf.exe38⤵
- Executes dropped EXE
PID:4676 -
\??\c:\hhbtht.exec:\hhbtht.exe39⤵
- Executes dropped EXE
PID:4340 -
\??\c:\9hhtnh.exec:\9hhtnh.exe40⤵
- Executes dropped EXE
PID:4496 -
\??\c:\jvpvp.exec:\jvpvp.exe41⤵
- Executes dropped EXE
PID:4352 -
\??\c:\lxlfrlf.exec:\lxlfrlf.exe42⤵
- Executes dropped EXE
PID:796 -
\??\c:\fflfllr.exec:\fflfllr.exe43⤵
- Executes dropped EXE
PID:4228 -
\??\c:\hnnhbb.exec:\hnnhbb.exe44⤵
- Executes dropped EXE
PID:4760 -
\??\c:\ppdvj.exec:\ppdvj.exe45⤵
- Executes dropped EXE
PID:4548 -
\??\c:\1vdvp.exec:\1vdvp.exe46⤵
- Executes dropped EXE
PID:1496 -
\??\c:\1xfxxxx.exec:\1xfxxxx.exe47⤵
- Executes dropped EXE
PID:3868 -
\??\c:\xrllfff.exec:\xrllfff.exe48⤵
- Executes dropped EXE
PID:3968 -
\??\c:\ttbthb.exec:\ttbthb.exe49⤵
- Executes dropped EXE
PID:4488 -
\??\c:\jdjdd.exec:\jdjdd.exe50⤵
- Executes dropped EXE
PID:2700 -
\??\c:\1rrlxlx.exec:\1rrlxlx.exe51⤵
- Executes dropped EXE
PID:652 -
\??\c:\7xrlffl.exec:\7xrlffl.exe52⤵
- Executes dropped EXE
PID:2676 -
\??\c:\5ntbnn.exec:\5ntbnn.exe53⤵
- Executes dropped EXE
PID:2380 -
\??\c:\9jddj.exec:\9jddj.exe54⤵
- Executes dropped EXE
PID:5096 -
\??\c:\ppvvd.exec:\ppvvd.exe55⤵
- Executes dropped EXE
PID:1776 -
\??\c:\xrfxrrl.exec:\xrfxrrl.exe56⤵
- Executes dropped EXE
PID:4836 -
\??\c:\nttnhb.exec:\nttnhb.exe57⤵
- Executes dropped EXE
PID:1868 -
\??\c:\djvpj.exec:\djvpj.exe58⤵
- Executes dropped EXE
PID:4824 -
\??\c:\dvpjv.exec:\dvpjv.exe59⤵
- Executes dropped EXE
PID:5072 -
\??\c:\fxffxxr.exec:\fxffxxr.exe60⤵
- Executes dropped EXE
PID:1048 -
\??\c:\nhtnht.exec:\nhtnht.exe61⤵
- Executes dropped EXE
PID:4028 -
\??\c:\tbhhbb.exec:\tbhhbb.exe62⤵
- Executes dropped EXE
PID:1476 -
\??\c:\nhhbtn.exec:\nhhbtn.exe63⤵
- Executes dropped EXE
PID:4040 -
\??\c:\1pvvp.exec:\1pvvp.exe64⤵
- Executes dropped EXE
PID:4608 -
\??\c:\dvppv.exec:\dvppv.exe65⤵
- Executes dropped EXE
PID:4044 -
\??\c:\rxffxxx.exec:\rxffxxx.exe66⤵PID:4404
-
\??\c:\fxrlffx.exec:\fxrlffx.exe67⤵PID:60
-
\??\c:\thnhhb.exec:\thnhhb.exe68⤵PID:1856
-
\??\c:\7tbttt.exec:\7tbttt.exe69⤵PID:3944
-
\??\c:\vpdvp.exec:\vpdvp.exe70⤵PID:2064
-
\??\c:\5jddv.exec:\5jddv.exe71⤵PID:2344
-
\??\c:\xxllxxr.exec:\xxllxxr.exe72⤵PID:696
-
\??\c:\rrrxxxr.exec:\rrrxxxr.exe73⤵PID:4948
-
\??\c:\5hhhhb.exec:\5hhhhb.exe74⤵PID:1860
-
\??\c:\hnbbbh.exec:\hnbbbh.exe75⤵PID:4612
-
\??\c:\3jpvj.exec:\3jpvj.exe76⤵PID:4992
-
\??\c:\llfxfff.exec:\llfxfff.exe77⤵PID:5016
-
\??\c:\llfxxxr.exec:\llfxxxr.exe78⤵PID:1836
-
\??\c:\hbhbtn.exec:\hbhbtn.exe79⤵PID:2328
-
\??\c:\bnbbbh.exec:\bnbbbh.exe80⤵PID:708
-
\??\c:\vjppv.exec:\vjppv.exe81⤵PID:2264
-
\??\c:\pvdvj.exec:\pvdvj.exe82⤵PID:432
-
\??\c:\xxflrrf.exec:\xxflrrf.exe83⤵PID:4656
-
\??\c:\5nhhhh.exec:\5nhhhh.exe84⤵PID:1436
-
\??\c:\7vvpp.exec:\7vvpp.exe85⤵PID:4648
-
\??\c:\vjjjd.exec:\vjjjd.exe86⤵PID:1800
-
\??\c:\fxxrllf.exec:\fxxrllf.exe87⤵PID:2368
-
\??\c:\fxfffff.exec:\fxfffff.exe88⤵PID:3904
-
\??\c:\bntnnn.exec:\bntnnn.exe89⤵PID:4344
-
\??\c:\3bhbtb.exec:\3bhbtb.exe90⤵PID:4424
-
\??\c:\vvdvd.exec:\vvdvd.exe91⤵PID:644
-
\??\c:\vjjjj.exec:\vjjjj.exe92⤵PID:4012
-
\??\c:\rrlfxxx.exec:\rrlfxxx.exe93⤵PID:3192
-
\??\c:\nhbbnn.exec:\nhbbnn.exe94⤵PID:1056
-
\??\c:\btnhbb.exec:\btnhbb.exe95⤵PID:1972
-
\??\c:\djpjj.exec:\djpjj.exe96⤵PID:4276
-
\??\c:\pvvdp.exec:\pvvdp.exe97⤵PID:2388
-
\??\c:\rffrrll.exec:\rffrrll.exe98⤵PID:4260
-
\??\c:\ffrflrr.exec:\ffrflrr.exe99⤵PID:2520
-
\??\c:\nnnnnn.exec:\nnnnnn.exe100⤵PID:2464
-
\??\c:\ttbtbt.exec:\ttbtbt.exe101⤵PID:2700
-
\??\c:\vvvpj.exec:\vvvpj.exe102⤵PID:1820
-
\??\c:\lrxrlff.exec:\lrxrlff.exe103⤵PID:2060
-
\??\c:\5ffffll.exec:\5ffffll.exe104⤵PID:4220
-
\??\c:\nnbbtb.exec:\nnbbtb.exe105⤵PID:4372
-
\??\c:\thnhnh.exec:\thnhnh.exe106⤵PID:3108
-
\??\c:\3jddv.exec:\3jddv.exe107⤵PID:4816
-
\??\c:\jjjpd.exec:\jjjpd.exe108⤵PID:3116
-
\??\c:\xrfxrrr.exec:\xrfxrrr.exe109⤵PID:1300
-
\??\c:\ffxxrrr.exec:\ffxxrrr.exe110⤵PID:2340
-
\??\c:\tnbtbb.exec:\tnbtbb.exe111⤵PID:1048
-
\??\c:\hntnnb.exec:\hntnnb.exe112⤵PID:4028
-
\??\c:\dvvvp.exec:\dvvvp.exe113⤵PID:1476
-
\??\c:\ffllfff.exec:\ffllfff.exe114⤵PID:4040
-
\??\c:\bthtnb.exec:\bthtnb.exe115⤵PID:4608
-
\??\c:\ddjdv.exec:\ddjdv.exe116⤵PID:4044
-
\??\c:\jvvvv.exec:\jvvvv.exe117⤵PID:1692
-
\??\c:\xrrlffx.exec:\xrrlffx.exe118⤵PID:3652
-
\??\c:\9thhnn.exec:\9thhnn.exe119⤵PID:1992
-
\??\c:\1btthh.exec:\1btthh.exe120⤵PID:2880
-
\??\c:\5jpjp.exec:\5jpjp.exe121⤵PID:2128
-
\??\c:\flrfxrl.exec:\flrfxrl.exe122⤵PID:4420
-