Analysis
-
max time kernel
150s -
max time network
105s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240426-en locale:en-us os:windows10-2004-x64 system -
submitted
21-05-2024 11:09
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
3d015c64345a0eec3c29d3e2f3227190c93d10e0c1618e94ea93f4abc08a4e11_NeikiAnalytics.exe
Resource
win7-20240508-en
5 signatures
150 seconds
General
-
Target
3d015c64345a0eec3c29d3e2f3227190c93d10e0c1618e94ea93f4abc08a4e11_NeikiAnalytics.exe
-
Size
68KB
-
MD5
fe1fbbbe4e0c7ef27a5d56549951b620
-
SHA1
6aee3837f2657e1244b41f8af16aaabfa20611f9
-
SHA256
3d015c64345a0eec3c29d3e2f3227190c93d10e0c1618e94ea93f4abc08a4e11
-
SHA512
26f7606dbbf1cb109b3f7e532274a44597708a6280c79fe95e19155ff9285bf514bc4625e31f9a3097cf212ec4812003574656240f7630c145a28f88b2cc72d7
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDIfv7+afCD+QsQbLx:ymb3NkkiQ3mdBjFIfvTfCD+Hq
Malware Config
Signatures
-
Detect Blackmoon payload 28 IoCs
Processes:
resource yara_rule
behavioral2/memory/5068-4-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon
behavioral2/memory/1288-11-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon
behavioral2/memory/800-18-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon
behavioral2/memory/800-23-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon
behavioral2/memory/3924-26-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon
behavioral2/memory/2660-34-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon
behavioral2/memory/1528-48-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon
behavioral2/memory/3168-54-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon
behavioral2/memory/364-62-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon
behavioral2/memory/3488-71-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon
behavioral2/memory/744-76-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon
behavioral2/memory/3668-91-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon
behavioral2/memory/3516-98-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon
behavioral2/memory/2220-103-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon
behavioral2/memory/3008-108-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon
behavioral2/memory/1360-117-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon
behavioral2/memory/4184-121-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon
behavioral2/memory/640-127-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon
behavioral2/memory/3184-133-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon
behavioral2/memory/3960-139-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon
behavioral2/memory/3224-145-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon
behavioral2/memory/2560-157-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon
behavioral2/memory/2100-162-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon
behavioral2/memory/3448-169-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon
behavioral2/memory/2540-175-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon
behavioral2/memory/3076-180-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon
behavioral2/memory/908-186-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon
behavioral2/memory/1784-204-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon
-
Executes dropped EXE 64 IoCs
Processes:
xrlfllr.exe xfllfrl.exe tnnhhn.exe dvjdv.exe fffxxxf.exe tththt.exe hhtntb.exe vdppd.exe dvpvv.exe xrrllfx.exe llxxxff.exe httttn.exe tnbtnb.exe 9ppvj.exe rlrlfff.exe nthbbb.exe ntbthh.exe dvjdv.exe 9vvpp.exe 1rfxllf.exe frrxrfx.exe hnnnnn.exe 5pvjv.exe vvvpj.exe rllxfff.exe ppppp.exe 5djjv.exe flllrrl.exe bhnnnn.exe 3ntntt.exe ddpjj.exe xxxxlrr.exe 3nnbtt.exe hbhbtn.exe pjvvv.exe jjddd.exe xrxrllf.exe lrxrxxx.exe htbbtt.exe pjjjv.exe 9lrrllf.exe 5lxxxff.exe bhnbnh.exe bthhbb.exe dvvpj.exe 1xllxll.exe xrrrlrl.exe hbhbtt.exe tbhbtt.exe 5pdpv.exe rlrxxrf.exe 5lrrlll.exe 7ffxrrr.exe hhbhnb.exe pdjjd.exe vpjjj.exe fxrxflr.exe rlffxxr.exe hhhbtt.exe ttbtbb.exe vjjdd.exe 5pjjv.exe lxlfllf.exe 5lfrxll.exe
pid process
1288 xrlfllr.exe
800 xfllfrl.exe
3924 tnnhhn.exe
2660 dvjdv.exe
1768 fffxxxf.exe
1528 tththt.exe
3168 hhtntb.exe
364 vdppd.exe
3488 dvpvv.exe
744 xrrllfx.exe
536 llxxxff.exe
3668 httttn.exe
3516 tnbtnb.exe
2220 9ppvj.exe
3008 rlrlfff.exe
1360 nthbbb.exe
4184 ntbthh.exe
640 dvjdv.exe
3184 9vvpp.exe
3960 1rfxllf.exe
3224 frrxrfx.exe
732 hnnnnn.exe
2560 5pvjv.exe
2100 vvvpj.exe
3448 rllxfff.exe
2540 ppppp.exe
3076 5djjv.exe
908 flllrrl.exe
3836 bhnnnn.exe
3832 3ntntt.exe
1784 ddpjj.exe
3228 xxxxlrr.exe
1864 3nnbtt.exe
4508 hbhbtn.exe
4332 pjvvv.exe
4364 jjddd.exe
116 xrxrllf.exe
4288 lrxrxxx.exe
2928 htbbtt.exe
1568 pjjjv.exe
2988 9lrrllf.exe
4320 5lxxxff.exe
620 bhnbnh.exe
4540 bthhbb.exe
3256 dvvpj.exe
1764 1xllxll.exe
860 xrrrlrl.exe
2296 hbhbtt.exe
4912 tbhbtt.exe
3000 5pdpv.exe
2180 rlrxxrf.exe
3568 5lrrlll.exe
2508 7ffxrrr.exe
4648 hhbhnb.exe
4568 pdjjd.exe
2248 vpjjj.exe
4824 fxrxflr.exe
2320 rlffxxr.exe
4204 hhhbtt.exe
864 ttbtbb.exe
2884 vjjdd.exe
4484 5pjjv.exe
2064 lxlfllf.exe
3416 5lfrxll.exe
-
Processes:
resource yara_rule
behavioral2/memory/5068-4-0x0000000000400000-0x0000000000429000-memory.dmp upx
behavioral2/memory/1288-11-0x0000000000400000-0x0000000000429000-memory.dmp upx
behavioral2/memory/800-17-0x0000000000400000-0x0000000000429000-memory.dmp upx
behavioral2/memory/800-18-0x0000000000400000-0x0000000000429000-memory.dmp upx
behavioral2/memory/800-23-0x0000000000400000-0x0000000000429000-memory.dmp upx
behavioral2/memory/3924-26-0x0000000000400000-0x0000000000429000-memory.dmp upx
behavioral2/memory/2660-34-0x0000000000400000-0x0000000000429000-memory.dmp upx
behavioral2/memory/1768-40-0x0000000000400000-0x0000000000429000-memory.dmp upx
behavioral2/memory/1528-48-0x0000000000400000-0x0000000000429000-memory.dmp upx
behavioral2/memory/3168-54-0x0000000000400000-0x0000000000429000-memory.dmp upx
behavioral2/memory/364-62-0x0000000000400000-0x0000000000429000-memory.dmp upx
behavioral2/memory/3488-71-0x0000000000400000-0x0000000000429000-memory.dmp upx
behavioral2/memory/744-76-0x0000000000400000-0x0000000000429000-memory.dmp upx
behavioral2/memory/3668-91-0x0000000000400000-0x0000000000429000-memory.dmp upx
behavioral2/memory/3516-98-0x0000000000400000-0x0000000000429000-memory.dmp upx
behavioral2/memory/2220-103-0x0000000000400000-0x0000000000429000-memory.dmp upx
behavioral2/memory/3008-108-0x0000000000400000-0x0000000000429000-memory.dmp upx
behavioral2/memory/1360-117-0x0000000000400000-0x0000000000429000-memory.dmp upx
behavioral2/memory/4184-121-0x0000000000400000-0x0000000000429000-memory.dmp upx
behavioral2/memory/640-127-0x0000000000400000-0x0000000000429000-memory.dmp upx
behavioral2/memory/3184-133-0x0000000000400000-0x0000000000429000-memory.dmp upx
behavioral2/memory/3960-139-0x0000000000400000-0x0000000000429000-memory.dmp upx
behavioral2/memory/3224-145-0x0000000000400000-0x0000000000429000-memory.dmp upx
behavioral2/memory/2560-157-0x0000000000400000-0x0000000000429000-memory.dmp upx
behavioral2/memory/2100-162-0x0000000000400000-0x0000000000429000-memory.dmp upx
behavioral2/memory/3448-169-0x0000000000400000-0x0000000000429000-memory.dmp upx
behavioral2/memory/2540-175-0x0000000000400000-0x0000000000429000-memory.dmp upx
behavioral2/memory/3076-180-0x0000000000400000-0x0000000000429000-memory.dmp upx
behavioral2/memory/908-186-0x0000000000400000-0x0000000000429000-memory.dmp upx
behavioral2/memory/1784-204-0x0000000000400000-0x0000000000429000-memory.dmp upx
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
3d015c64345a0eec3c29d3e2f3227190c93d10e0c1618e94ea93f4abc08a4e11_NeikiAnalytics.exe xrlfllr.exe xfllfrl.exe tnnhhn.exe dvjdv.exe fffxxxf.exe tththt.exe hhtntb.exe vdppd.exe dvpvv.exe xrrllfx.exe llxxxff.exe httttn.exe tnbtnb.exe 9ppvj.exe rlrlfff.exe nthbbb.exe ntbthh.exe dvjdv.exe 9vvpp.exe 1rfxllf.exe frrxrfx.exe
description pid process target process
PID 5068 wrote to memory of 1288 5068 3d015c64345a0eec3c29d3e2f3227190c93d10e0c1618e94ea93f4abc08a4e11_NeikiAnalytics.exe xrlfllr.exe
PID 5068 wrote to memory of 1288 5068 3d015c64345a0eec3c29d3e2f3227190c93d10e0c1618e94ea93f4abc08a4e11_NeikiAnalytics.exe xrlfllr.exe
PID 5068 wrote to memory of 1288 5068 3d015c64345a0eec3c29d3e2f3227190c93d10e0c1618e94ea93f4abc08a4e11_NeikiAnalytics.exe xrlfllr.exe
PID 1288 wrote to memory of 800 1288 xrlfllr.exe xfllfrl.exe
PID 1288 wrote to memory of 800 1288 xrlfllr.exe xfllfrl.exe
PID 1288 wrote to memory of 800 1288 xrlfllr.exe xfllfrl.exe
PID 800 wrote to memory of 3924 800 xfllfrl.exe tnnhhn.exe
PID 800 wrote to memory of 3924 800 xfllfrl.exe tnnhhn.exe
PID 800 wrote to memory of 3924 800 xfllfrl.exe tnnhhn.exe
PID 3924 wrote to memory of 2660 3924 tnnhhn.exe dvjdv.exe
PID 3924 wrote to memory of 2660 3924 tnnhhn.exe dvjdv.exe
PID 3924 wrote to memory of 2660 3924 tnnhhn.exe dvjdv.exe
PID 2660 wrote to memory of 1768 2660 dvjdv.exe fffxxxf.exe
PID 2660 wrote to memory of 1768 2660 dvjdv.exe fffxxxf.exe
PID 2660 wrote to memory of 1768 2660 dvjdv.exe fffxxxf.exe
PID 1768 wrote to memory of 1528 1768 fffxxxf.exe tththt.exe
PID 1768 wrote to memory of 1528 1768 fffxxxf.exe tththt.exe
PID 1768 wrote to memory of 1528 1768 fffxxxf.exe tththt.exe
PID 1528 wrote to memory of 3168 1528 tththt.exe hhtntb.exe
PID 1528 wrote to memory of 3168 1528 tththt.exe hhtntb.exe
PID 1528 wrote to memory of 3168 1528 tththt.exe hhtntb.exe
PID 3168 wrote to memory of 364 3168 hhtntb.exe vdppd.exe
PID 3168 wrote to memory of 364 3168 hhtntb.exe vdppd.exe
PID 3168 wrote to memory of 364 3168 hhtntb.exe vdppd.exe
PID 364 wrote to memory of 3488 364 vdppd.exe dvpvv.exe
PID 364 wrote to memory of 3488 364 vdppd.exe dvpvv.exe
PID 364 wrote to memory of 3488 364 vdppd.exe dvpvv.exe
PID 3488 wrote to memory of 744 3488 dvpvv.exe xrrllfx.exe
PID 3488 wrote to memory of 744 3488 dvpvv.exe xrrllfx.exe
PID 3488 wrote to memory of 744 3488 dvpvv.exe xrrllfx.exe
PID 744 wrote to memory of 536 744 xrrllfx.exe llxxxff.exe
PID 744 wrote to memory of 536 744 xrrllfx.exe llxxxff.exe
PID 744 wrote to memory of 536 744 xrrllfx.exe llxxxff.exe
PID 536 wrote to memory of 3668 536 llxxxff.exe httttn.exe
PID 536 wrote to memory of 3668 536 llxxxff.exe httttn.exe
PID 536 wrote to memory of 3668 536 llxxxff.exe httttn.exe
PID 3668 wrote to memory of 3516 3668 httttn.exe tnbtnb.exe
PID 3668 wrote to memory of 3516 3668 httttn.exe tnbtnb.exe
PID 3668 wrote to memory of 3516 3668 httttn.exe tnbtnb.exe
PID 3516 wrote to memory of 2220 3516 tnbtnb.exe 9ppvj.exe
PID 3516 wrote to memory of 2220 3516 tnbtnb.exe 9ppvj.exe
PID 3516 wrote to memory of 2220 3516 tnbtnb.exe 9ppvj.exe
PID 2220 wrote to memory of 3008 2220 9ppvj.exe rlrlfff.exe
PID 2220 wrote to memory of 3008 2220 9ppvj.exe rlrlfff.exe
PID 2220 wrote to memory of 3008 2220 9ppvj.exe rlrlfff.exe
PID 3008 wrote to memory of 1360 3008 rlrlfff.exe nthbbb.exe
PID 3008 wrote to memory of 1360 3008 rlrlfff.exe nthbbb.exe
PID 3008 wrote to memory of 1360 3008 rlrlfff.exe nthbbb.exe
PID 1360 wrote to memory of 4184 1360 nthbbb.exe ntbthh.exe
PID 1360 wrote to memory of 4184 1360 nthbbb.exe ntbthh.exe
PID 1360 wrote to memory of 4184 1360 nthbbb.exe ntbthh.exe
PID 4184 wrote to memory of 640 4184 ntbthh.exe dvjdv.exe
PID 4184 wrote to memory of 640 4184 ntbthh.exe dvjdv.exe
PID 4184 wrote to memory of 640 4184 ntbthh.exe dvjdv.exe
PID 640 wrote to memory of 3184 640 dvjdv.exe 9vvpp.exe
PID 640 wrote to memory of 3184 640 dvjdv.exe 9vvpp.exe
PID 640 wrote to memory of 3184 640 dvjdv.exe 9vvpp.exe
PID 3184 wrote to memory of 3960 3184 9vvpp.exe 1rfxllf.exe
PID 3184 wrote to memory of 3960 3184 9vvpp.exe 1rfxllf.exe
PID 3184 wrote to memory of 3960 3184 9vvpp.exe 1rfxllf.exe
PID 3960 wrote to memory of 3224 3960 1rfxllf.exe frrxrfx.exe
PID 3960 wrote to memory of 3224 3960 1rfxllf.exe frrxrfx.exe
PID 3960 wrote to memory of 3224 3960 1rfxllf.exe frrxrfx.exe
PID 3224 wrote to memory of 732 3224 frrxrfx.exe hnnnnn.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\3d015c64345a0eec3c29d3e2f3227190c93d10e0c1618e94ea93f4abc08a4e11_NeikiAnalytics.exe "C:\Users\Admin\AppData\Local\Temp\3d015c64345a0eec3c29d3e2f3227190c93d10e0c1618e94ea93f4abc08a4e11_NeikiAnalytics.exe" 1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\xrlfllr.exec:\xrlfllr.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xfllfrl.exec:\xfllfrl.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tnnhhn.exec:\tnnhhn.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dvjdv.exec:\dvjdv.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\fffxxxf.exec:\fffxxxf.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tththt.exec:\tththt.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hhtntb.exec:\hhtntb.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vdppd.exec:\vdppd.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dvpvv.exec:\dvpvv.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xrrllfx.exec:\xrrllfx.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\llxxxff.exec:\llxxxff.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\httttn.exec:\httttn.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tnbtnb.exec:\tnbtnb.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9ppvj.exec:\9ppvj.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rlrlfff.exec:\rlrlfff.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nthbbb.exec:\nthbbb.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ntbthh.exec:\ntbthh.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dvjdv.exec:\dvjdv.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9vvpp.exec:\9vvpp.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1rfxllf.exec:\1rfxllf.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\frrxrfx.exec:\frrxrfx.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hnnnnn.exec:\hnnnnn.exe23⤵
- Executes dropped EXE
-
\??\c:\5pvjv.exec:\5pvjv.exe24⤵
- Executes dropped EXE
-
\??\c:\vvvpj.exec:\vvvpj.exe25⤵
- Executes dropped EXE
-
\??\c:\rllxfff.exec:\rllxfff.exe26⤵
- Executes dropped EXE
-
\??\c:\ppppp.exec:\ppppp.exe27⤵
- Executes dropped EXE
-
\??\c:\5djjv.exec:\5djjv.exe28⤵
- Executes dropped EXE
-
\??\c:\flllrrl.exec:\flllrrl.exe29⤵
- Executes dropped EXE
-
\??\c:\bhnnnn.exec:\bhnnnn.exe30⤵
- Executes dropped EXE
-
\??\c:\3ntntt.exec:\3ntntt.exe31⤵
- Executes dropped EXE
-
\??\c:\ddpjj.exec:\ddpjj.exe32⤵
- Executes dropped EXE
-
\??\c:\xxxxlrr.exec:\xxxxlrr.exe33⤵
- Executes dropped EXE
-
\??\c:\3nnbtt.exec:\3nnbtt.exe34⤵
- Executes dropped EXE
-
\??\c:\hbhbtn.exec:\hbhbtn.exe35⤵
- Executes dropped EXE
-
\??\c:\pjvvv.exec:\pjvvv.exe36⤵
- Executes dropped EXE
-
\??\c:\jjddd.exec:\jjddd.exe37⤵
- Executes dropped EXE
-
\??\c:\xrxrllf.exec:\xrxrllf.exe38⤵
- Executes dropped EXE
-
\??\c:\lrxrxxx.exec:\lrxrxxx.exe39⤵
- Executes dropped EXE
-
\??\c:\htbbtt.exec:\htbbtt.exe40⤵
- Executes dropped EXE
-
\??\c:\9tbttt.exec:\9tbttt.exe41⤵
-
\??\c:\pjjjv.exec:\pjjjv.exe42⤵
- Executes dropped EXE
-
\??\c:\9lrrllf.exec:\9lrrllf.exe43⤵
- Executes dropped EXE
-
\??\c:\5lxxxff.exec:\5lxxxff.exe44⤵
- Executes dropped EXE
-
\??\c:\bhnbnh.exec:\bhnbnh.exe45⤵
- Executes dropped EXE
-
\??\c:\bthhbb.exec:\bthhbb.exe46⤵
- Executes dropped EXE
-
\??\c:\dvvpj.exec:\dvvpj.exe47⤵
- Executes dropped EXE
-
\??\c:\1xllxll.exec:\1xllxll.exe48⤵
- Executes dropped EXE
-
\??\c:\xrrrlrl.exec:\xrrrlrl.exe49⤵
- Executes dropped EXE
-
\??\c:\hbhbtt.exec:\hbhbtt.exe50⤵
- Executes dropped EXE
-
\??\c:\tbhbtt.exec:\tbhbtt.exe51⤵
- Executes dropped EXE
-
\??\c:\5pdpv.exec:\5pdpv.exe52⤵
- Executes dropped EXE
-
\??\c:\rlrxxrf.exec:\rlrxxrf.exe53⤵
- Executes dropped EXE
-
\??\c:\5lrrlll.exec:\5lrrlll.exe54⤵
- Executes dropped EXE
-
\??\c:\7ffxrrr.exec:\7ffxrrr.exe55⤵
- Executes dropped EXE
-
\??\c:\hhbhnb.exec:\hhbhnb.exe56⤵
- Executes dropped EXE
-
\??\c:\pdjjd.exec:\pdjjd.exe57⤵
- Executes dropped EXE
-
\??\c:\vpjjj.exec:\vpjjj.exe58⤵
- Executes dropped EXE
-
\??\c:\fxrxflr.exec:\fxrxflr.exe59⤵
- Executes dropped EXE
-
\??\c:\rlffxxr.exec:\rlffxxr.exe60⤵
- Executes dropped EXE
-
\??\c:\hhhbtt.exec:\hhhbtt.exe61⤵
- Executes dropped EXE
-
\??\c:\ttbtbb.exec:\ttbtbb.exe62⤵
- Executes dropped EXE
-
\??\c:\vjjdd.exec:\vjjdd.exe63⤵
- Executes dropped EXE
-
\??\c:\5pjjv.exec:\5pjjv.exe64⤵
- Executes dropped EXE
-
\??\c:\lxlfllf.exec:\lxlfllf.exe65⤵
- Executes dropped EXE
-
\??\c:\5lfrxll.exec:\5lfrxll.exe66⤵
- Executes dropped EXE
-
\??\c:\httbnb.exec:\httbnb.exe67⤵
-
\??\c:\bnthtt.exec:\bnthtt.exe68⤵
-
\??\c:\5vvpj.exec:\5vvpj.exe69⤵
-
\??\c:\vjdjp.exec:\vjdjp.exe70⤵
-
\??\c:\9dvdp.exec:\9dvdp.exe71⤵
-
\??\c:\fflfffx.exec:\fflfffx.exe72⤵
-
\??\c:\xfxrllr.exec:\xfxrllr.exe73⤵
-
\??\c:\nhhbbb.exec:\nhhbbb.exe74⤵
-
\??\c:\ttbtbb.exec:\ttbtbb.exe75⤵
-
\??\c:\tnhhnn.exec:\tnhhnn.exe76⤵
-
\??\c:\3djvp.exec:\3djvp.exe77⤵
-
\??\c:\dvpjv.exec:\dvpjv.exe78⤵
-
\??\c:\3jjdp.exec:\3jjdp.exe79⤵
-
\??\c:\lfrlffx.exec:\lfrlffx.exe80⤵
-
\??\c:\xrxxllx.exec:\xrxxllx.exe81⤵
-
\??\c:\bthhtb.exec:\bthhtb.exe82⤵
-
\??\c:\tthbbb.exec:\tthbbb.exe83⤵
-
\??\c:\dddjd.exec:\dddjd.exe84⤵
-
\??\c:\pjjpd.exec:\pjjpd.exe85⤵
-
\??\c:\vjvpp.exec:\vjvpp.exe86⤵
-
\??\c:\xlllrlx.exec:\xlllrlx.exe87⤵
-
\??\c:\xrxxrfx.exec:\xrxxrfx.exe88⤵
-
\??\c:\nbbttt.exec:\nbbttt.exe89⤵
-
\??\c:\ppdvp.exec:\ppdvp.exe90⤵
-
\??\c:\pjppj.exec:\pjppj.exe91⤵
-
\??\c:\3llllll.exec:\3llllll.exe92⤵
-
\??\c:\9frlxxf.exec:\9frlxxf.exe93⤵
-
\??\c:\hhnntt.exec:\hhnntt.exe94⤵
-
\??\c:\1ntthn.exec:\1ntthn.exe95⤵
-
\??\c:\vpjjd.exec:\vpjjd.exe96⤵
-
\??\c:\pjvvp.exec:\pjvvp.exe97⤵
-
\??\c:\9xxrrrl.exec:\9xxrrrl.exe98⤵
-
\??\c:\xxffxff.exec:\xxffxff.exe99⤵
-
\??\c:\1nntnn.exec:\1nntnn.exe100⤵
-
\??\c:\thhhbh.exec:\thhhbh.exe101⤵
-
\??\c:\3pvvv.exec:\3pvvv.exe102⤵
-
\??\c:\jdvvp.exec:\jdvvp.exe103⤵
-
\??\c:\rlrlfff.exec:\rlrlfff.exe104⤵
-
\??\c:\5lxxrrr.exec:\5lxxrrr.exe105⤵
-
\??\c:\5bbbtb.exec:\5bbbtb.exe106⤵
-
\??\c:\vpdjj.exec:\vpdjj.exe107⤵
-
\??\c:\fxrlffx.exec:\fxrlffx.exe108⤵
-
\??\c:\nhhbbb.exec:\nhhbbb.exe109⤵
-
\??\c:\3hhbbb.exec:\3hhbbb.exe110⤵
-
\??\c:\3nhhtt.exec:\3nhhtt.exe111⤵
-
\??\c:\jddpv.exec:\jddpv.exe112⤵
-
\??\c:\rxxrrxx.exec:\rxxrrxx.exe113⤵
-
\??\c:\flllflf.exec:\flllflf.exe114⤵
-
\??\c:\9ntttt.exec:\9ntttt.exe115⤵
-
\??\c:\hhnthb.exec:\hhnthb.exe116⤵
-
\??\c:\vvddv.exec:\vvddv.exe117⤵
-
\??\c:\vvjdd.exec:\vvjdd.exe118⤵
-
\??\c:\xxrrxrl.exec:\xxrrxrl.exe119⤵
-
\??\c:\hhhhbh.exec:\hhhhbh.exe120⤵
-
\??\c:\tthtnn.exec:\tthtnn.exe121⤵
-
\??\c:\vjdvv.exec:\vjdvv.exe122⤵
-
\??\c:\rrllffl.exec:\rrllffl.exe123⤵
-
\??\c:\5rffflr.exec:\5rffflr.exe124⤵
-
\??\c:\5tbttt.exec:\5tbttt.exe125⤵
-
\??\c:\7bbbbb.exec:\7bbbbb.exe126⤵
-
\??\c:\pjppj.exec:\pjppj.exe127⤵
-
\??\c:\ddpjp.exec:\ddpjp.exe128⤵
-
\??\c:\pjppp.exec:\pjppp.exe129⤵
-
\??\c:\rxxxrrl.exec:\rxxxrrl.exe130⤵
-
\??\c:\rlrrlrr.exec:\rlrrlrr.exe131⤵
-
\??\c:\tbhhhh.exec:\tbhhhh.exe132⤵
-
\??\c:\hbbbtt.exec:\hbbbtt.exe133⤵
-
\??\c:\jjvpv.exec:\jjvpv.exe134⤵
-
\??\c:\dvjjj.exec:\dvjjj.exe135⤵
-
\??\c:\lxfxlll.exec:\lxfxlll.exe136⤵
-
\??\c:\ffxrrxr.exec:\ffxrrxr.exe137⤵
-
\??\c:\hbnnbh.exec:\hbnnbh.exe138⤵
-
\??\c:\9tbtnt.exec:\9tbtnt.exe139⤵
-
\??\c:\dpvpp.exec:\dpvpp.exe140⤵
-
\??\c:\vjpjd.exec:\vjpjd.exe141⤵
-
\??\c:\lrrlflf.exec:\lrrlflf.exe142⤵
-
\??\c:\xrffllr.exec:\xrffllr.exe143⤵
-
\??\c:\fxxrlll.exec:\fxxrlll.exe144⤵
-
\??\c:\9nnhbb.exec:\9nnhbb.exe145⤵
-
\??\c:\httnnn.exec:\httnnn.exe146⤵
-
\??\c:\dpvvj.exec:\dpvvj.exe147⤵
-
\??\c:\dppdv.exec:\dppdv.exe148⤵
-
\??\c:\1xfxlll.exec:\1xfxlll.exe149⤵
-
\??\c:\rrffxfx.exec:\rrffxfx.exe150⤵
-
\??\c:\xxfxxxx.exec:\xxfxxxx.exe151⤵
-
\??\c:\bnbttt.exec:\bnbttt.exe152⤵
-
\??\c:\nnbhnn.exec:\nnbhnn.exe153⤵
-
\??\c:\vpjdv.exec:\vpjdv.exe154⤵
-
\??\c:\dpvpj.exec:\dpvpj.exe155⤵
-
\??\c:\xxrlffx.exec:\xxrlffx.exe156⤵
-
\??\c:\rrffrrx.exec:\rrffrrx.exe157⤵
-
\??\c:\5bhhbb.exec:\5bhhbb.exe158⤵
-
\??\c:\hhbttt.exec:\hhbttt.exe159⤵
-
\??\c:\5nnnhh.exec:\5nnnhh.exe160⤵
-
\??\c:\dpjdd.exec:\dpjdd.exe161⤵
-
\??\c:\jjddv.exec:\jjddv.exe162⤵
-
\??\c:\xlxrfff.exec:\xlxrfff.exe163⤵
-
\??\c:\fxflfxr.exec:\fxflfxr.exe164⤵
-
\??\c:\hbhhbb.exec:\hbhhbb.exe165⤵
-
\??\c:\tnhbbh.exec:\tnhbbh.exe166⤵
-
\??\c:\vpppj.exec:\vpppj.exe167⤵
-
\??\c:\9jdvj.exec:\9jdvj.exe168⤵
-
\??\c:\vdddv.exec:\vdddv.exe169⤵
-
\??\c:\xllfllf.exec:\xllfllf.exe170⤵
-
\??\c:\lxrrllf.exec:\lxrrllf.exe171⤵
-
\??\c:\ntbhnt.exec:\ntbhnt.exe172⤵
-
\??\c:\vvpjj.exec:\vvpjj.exe173⤵
-
\??\c:\lflllrx.exec:\lflllrx.exe174⤵
-
\??\c:\rlrrxxf.exec:\rlrrxxf.exe175⤵
-
\??\c:\fxrrrrl.exec:\fxrrrrl.exe176⤵
-
\??\c:\hhnbnn.exec:\hhnbnn.exe177⤵
-
\??\c:\vpppp.exec:\vpppp.exe178⤵
-
\??\c:\jpvpd.exec:\jpvpd.exe179⤵
-
\??\c:\xfffxrr.exec:\xfffxrr.exe180⤵
-
\??\c:\lfllfll.exec:\lfllfll.exe181⤵
-
\??\c:\1nhtnt.exec:\1nhtnt.exe182⤵
-
\??\c:\tthntb.exec:\tthntb.exe183⤵
-
\??\c:\thnhbb.exec:\thnhbb.exe184⤵
-
\??\c:\jddvv.exec:\jddvv.exe185⤵
-
\??\c:\pjjdv.exec:\pjjdv.exe186⤵
-
\??\c:\fxxrrrl.exec:\fxxrrrl.exe187⤵
-
\??\c:\xlrrxxx.exec:\xlrrxxx.exe188⤵
-
\??\c:\5hhbbb.exec:\5hhbbb.exe189⤵
-
\??\c:\nhhnhh.exec:\nhhnhh.exe190⤵
-
\??\c:\vpjpp.exec:\vpjpp.exe191⤵
-
\??\c:\1ddvp.exec:\1ddvp.exe192⤵
-
\??\c:\xrlfxxr.exec:\xrlfxxr.exe193⤵
-
\??\c:\fxxxrll.exec:\fxxxrll.exe194⤵
-
\??\c:\nhbbtt.exec:\nhbbtt.exe195⤵
-
\??\c:\9ntnnn.exec:\9ntnnn.exe196⤵
-
\??\c:\vvppp.exec:\vvppp.exe197⤵
-
\??\c:\ddvvj.exec:\ddvvj.exe198⤵
-
\??\c:\lflflll.exec:\lflflll.exe199⤵
-
\??\c:\nntttt.exec:\nntttt.exe200⤵
-
\??\c:\bbbbtb.exec:\bbbbtb.exe201⤵
-
\??\c:\httnbt.exec:\httnbt.exe202⤵
-
\??\c:\jppjj.exec:\jppjj.exe203⤵
-
\??\c:\vppjv.exec:\vppjv.exe204⤵
-
\??\c:\9xffxxx.exec:\9xffxxx.exe205⤵
-
\??\c:\hbbbbt.exec:\hbbbbt.exe206⤵
-
\??\c:\rlllxxl.exec:\rlllxxl.exe207⤵
-
\??\c:\fxllrrl.exec:\fxllrrl.exe208⤵
-
\??\c:\tnnhbb.exec:\tnnhbb.exe209⤵
-
\??\c:\9vppj.exec:\9vppj.exe210⤵
-
\??\c:\3jjjv.exec:\3jjjv.exe211⤵
-
\??\c:\xfffxlx.exec:\xfffxlx.exe212⤵
-
\??\c:\1xxrllf.exec:\1xxrllf.exe213⤵
-
\??\c:\xrfllfr.exec:\xrfllfr.exe214⤵
-
\??\c:\nhnntt.exec:\nhnntt.exe215⤵
-
\??\c:\hthbtt.exec:\hthbtt.exe216⤵
-
\??\c:\ppvpp.exec:\ppvpp.exe217⤵
-
\??\c:\ddjdv.exec:\ddjdv.exe218⤵
-
\??\c:\3fllfff.exec:\3fllfff.exe219⤵
-
\??\c:\hbhhhh.exec:\hbhhhh.exe220⤵
-
\??\c:\btthtt.exec:\btthtt.exe221⤵
-
\??\c:\httnbb.exec:\httnbb.exe222⤵
-
\??\c:\jdddp.exec:\jdddp.exe223⤵
-
\??\c:\jvvpj.exec:\jvvpj.exe224⤵
-
\??\c:\lxffffx.exec:\lxffffx.exe225⤵
-
\??\c:\9flllll.exec:\9flllll.exe226⤵
-
\??\c:\bnnnnn.exec:\bnnnnn.exe227⤵
-
\??\c:\tbtttb.exec:\tbtttb.exe228⤵
-
\??\c:\vvjjp.exec:\vvjjp.exe229⤵
-
\??\c:\ppjjd.exec:\ppjjd.exe230⤵
-
\??\c:\lxfxrrr.exec:\lxfxrrr.exe231⤵
-
\??\c:\thnbbh.exec:\thnbbh.exe232⤵
-
\??\c:\jddvj.exec:\jddvj.exe233⤵
-
\??\c:\7vdvp.exec:\7vdvp.exe234⤵
-
\??\c:\vpdjj.exec:\vpdjj.exe235⤵
-
\??\c:\rxlxrrl.exec:\rxlxrrl.exe236⤵
-
\??\c:\tbbttn.exec:\tbbttn.exe237⤵
-
\??\c:\tthntn.exec:\tthntn.exe238⤵
-
\??\c:\bnttht.exec:\bnttht.exe239⤵
-
\??\c:\vdjjv.exec:\vdjjv.exe240⤵
-
\??\c:\9dddd.exec:\9dddd.exe241⤵