Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240426-en locale:en-us os:windows10-2004-x64 system -
submitted
23-05-2024 01:47
Behavioral task
behavioral1
Sample
70fbe59a653dcffcad8052f4a051ec10_NeikiAnalytics.exe
Resource
win7-20240508-en
windows7-x64
5 signatures
150 seconds
General
-
Target
70fbe59a653dcffcad8052f4a051ec10_NeikiAnalytics.exe
-
Size
273KB
-
MD5
70fbe59a653dcffcad8052f4a051ec10
-
SHA1
15e809bc74e33ee50bfbd97043736c33da77f755
-
SHA256
d35c84f1e32571521e67ac8a89a79726d57679f30f85456584b51bb617b0c699
-
SHA512
c84cd46d2fe6d45d9c3df3695311539099b6e8a23e9c2953a37cf706d12bfad06ce2cd724fb99f0e370605e977b1c2f90157026544cfeed53c8bbf1c0b0f7865
-
SSDEEP
6144:Ycm4FmowdHoSgWrXF5lpKGYV0aTk/BO0XJm4UEPOshN/xdKnvP48bmo:e4wFHoSgWjdpKGATTk/jYIOWN/KnnPT
Malware Config
Signatures
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/1984-5-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/440-23-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4788-22-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3920-17-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/316-12-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4844-28-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3964-36-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2844-44-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5028-49-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1344-67-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4056-68-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4180-75-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1840-78-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/8-83-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3384-91-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4292-96-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5044-101-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2632-103-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/812-111-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1876-115-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4944-121-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/4756-124-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4276-129-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4304-138-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1788-147-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4720-153-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4704-158-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4028-160-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2824-164-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/888-152-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1364-168-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1336-172-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/768-175-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3132-177-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4764-190-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/412-193-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1536-196-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/440-204-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/464-218-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1180-222-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2796-237-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3236-244-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/4940-251-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3320-254-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4472-259-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4556-282-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/592-284-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1604-288-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1916-308-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1336-310-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3844-347-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2168-362-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2768-372-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3872-400-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1456-411-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/768-419-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1436-427-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1436-425-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5040-449-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3864-472-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1884-513-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5028-546-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1480-557-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/3208-566-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 316 hhhbtt.exe 3920 dpvpp.exe 4788 lffxxff.exe 440 nnhnbn.exe 4844 nhhbbb.exe 3212 hbbthh.exe 3964 vdjjd.exe 2844 ffffxxx.exe 5028 hhnhhh.exe 2648 7pjvj.exe 4976 fllrlrl.exe 4628 bttnhh.exe 1344 pvdjj.exe 4056 fxxxxxl.exe 4180 hnttnt.exe 1840 vvvpj.exe 8 hhtnnn.exe 3384 nbhhbh.exe 4292 jjdvp.exe 5044 bnttnh.exe 2632 vjpjd.exe 812 lllffxr.exe 1876 nhbtbb.exe 4944 5vjpj.exe 4756 9fffxxx.exe 4276 3nnhhh.exe 4728 dvjdp.exe 4304 llllfff.exe 1788 hbbtnn.exe 4720 dppdd.exe 888 rrffxxx.exe 4704 thbbtb.exe 4028 bhnhhh.exe 2824 3vdpv.exe 1364 dvvpj.exe 2944 rrlllll.exe 1336 bntbbb.exe 768 9tbtnh.exe 3132 vddjv.exe 3040 vdjdv.exe 1436 fxfxxxx.exe 1780 btnhth.exe 4764 jddvv.exe 412 jvdvp.exe 3172 xrlrrll.exe 1536 rfxrlrl.exe 3740 thnhbb.exe 440 vpjdv.exe 3720 dppjd.exe 3272 3fxrflf.exe 3316 lflfxff.exe 2560 ntnnbt.exe 3472 pjjdv.exe 1940 9vjdj.exe 464 xffxxfr.exe 4008 bnnnhh.exe 1180 hbbbtb.exe 4976 jvvpj.exe 4628 ddjdp.exe 4216 rlrrflf.exe 1112 hnttnn.exe 3752 nhbtnn.exe 2796 vvppj.exe 3264 pvjdv.exe -
UPX packed file
resource yara_rule behavioral2/memory/1984-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1984-5-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0006000000023298-4.dat upx behavioral2/memory/316-6-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023414-9.dat upx behavioral2/files/0x0007000000023415-11.dat upx behavioral2/files/0x0007000000023416-20.dat upx behavioral2/memory/440-23-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4788-22-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3920-17-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/316-12-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023417-26.dat upx behavioral2/memory/4844-28-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023418-30.dat upx behavioral2/files/0x0007000000023419-35.dat upx behavioral2/memory/3964-36-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000700000002341a-39.dat upx behavioral2/memory/2844-44-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000700000002341b-45.dat upx behavioral2/files/0x000700000002341c-48.dat upx behavioral2/memory/5028-49-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000700000002341d-53.dat upx behavioral2/files/0x000700000002341e-57.dat upx behavioral2/files/0x000700000002341f-62.dat upx behavioral2/files/0x0007000000023420-65.dat upx behavioral2/memory/1344-67-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4056-68-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023421-72.dat upx behavioral2/memory/4180-75-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023422-76.dat upx behavioral2/memory/1840-78-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/files/0x0007000000023423-81.dat upx behavioral2/memory/8-83-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023424-86.dat upx behavioral2/files/0x0007000000023425-90.dat upx behavioral2/memory/3384-91-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023426-95.dat upx behavioral2/memory/4292-96-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023427-99.dat upx behavioral2/memory/5044-101-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023428-107.dat upx behavioral2/memory/2632-103-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/812-111-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023411-110.dat upx behavioral2/memory/1876-115-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000700000002342a-116.dat upx behavioral2/files/0x000700000002342b-122.dat upx behavioral2/memory/4944-121-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4756-124-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000700000002342c-126.dat upx behavioral2/memory/4276-129-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000700000002342d-131.dat upx behavioral2/memory/4304-138-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000700000002342f-140.dat upx behavioral2/files/0x000700000002342e-136.dat upx behavioral2/memory/1788-147-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023430-145.dat upx behavioral2/files/0x0007000000023431-149.dat upx behavioral2/memory/4720-153-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023432-156.dat upx behavioral2/memory/4704-158-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4028-160-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/memory/2824-164-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/888-152-0x0000000000400000-0x0000000000427000-memory.dmp upx -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1984 wrote to memory of 316 1984 70fbe59a653dcffcad8052f4a051ec10_NeikiAnalytics.exe 82 PID 1984 wrote to memory of 316 1984 70fbe59a653dcffcad8052f4a051ec10_NeikiAnalytics.exe 82 PID 1984 wrote to memory of 316 1984 70fbe59a653dcffcad8052f4a051ec10_NeikiAnalytics.exe 82 PID 316 wrote to memory of 3920 316 hhhbtt.exe 83 PID 316 wrote to memory of 3920 316 hhhbtt.exe 83 PID 316 wrote to memory of 3920 316 hhhbtt.exe 83 PID 3920 wrote to memory of 4788 3920 dpvpp.exe 84 PID 3920 wrote to memory of 4788 3920 dpvpp.exe 84 PID 3920 wrote to memory of 4788 3920 dpvpp.exe 84 PID 4788 wrote to memory of 440 4788 lffxxff.exe 85 PID 4788 wrote to memory of 440 4788 lffxxff.exe 85 PID 4788 wrote to memory of 440 4788 lffxxff.exe 85 PID 440 wrote to memory of 4844 440 nnhnbn.exe 86 PID 440 wrote to memory of 4844 440 nnhnbn.exe 86 PID 440 wrote to memory of 4844 440 nnhnbn.exe 86 PID 4844 wrote to memory of 3212 4844 nhhbbb.exe 87 PID 4844 wrote to memory of 3212 4844 nhhbbb.exe 87 PID 4844 wrote to memory of 3212 4844 nhhbbb.exe 87 PID 3212 wrote to memory of 3964 3212 hbbthh.exe 88 PID 3212 wrote to memory of 3964 3212 hbbthh.exe 88 PID 3212 wrote to memory of 3964 3212 hbbthh.exe 88 PID 3964 wrote to memory of 2844 3964 vdjjd.exe 89 PID 3964 wrote to memory of 2844 3964 vdjjd.exe 89 PID 3964 wrote to memory of 2844 3964 vdjjd.exe 89 PID 2844 wrote to memory of 5028 2844 ffffxxx.exe 90 PID 2844 wrote to memory of 5028 2844 ffffxxx.exe 90 PID 2844 wrote to memory of 5028 2844 ffffxxx.exe 90 PID 5028 wrote to memory of 2648 5028 hhnhhh.exe 91 PID 5028 wrote to memory of 2648 5028 hhnhhh.exe 91 PID 5028 wrote to memory of 2648 5028 hhnhhh.exe 91 PID 2648 wrote to memory of 4976 2648 7pjvj.exe 92 PID 2648 wrote to memory of 4976 2648 7pjvj.exe 92 PID 2648 wrote to memory of 4976 2648 7pjvj.exe 92 PID 4976 wrote to memory of 4628 4976 fllrlrl.exe 93 PID 4976 wrote to memory of 4628 4976 fllrlrl.exe 93 PID 4976 wrote to memory of 4628 4976 
fllrlrl.exe 93 PID 4628 wrote to memory of 1344 4628 bttnhh.exe 94 PID 4628 wrote to memory of 1344 4628 bttnhh.exe 94 PID 4628 wrote to memory of 1344 4628 bttnhh.exe 94 PID 1344 wrote to memory of 4056 1344 pvdjj.exe 95 PID 1344 wrote to memory of 4056 1344 pvdjj.exe 95 PID 1344 wrote to memory of 4056 1344 pvdjj.exe 95 PID 4056 wrote to memory of 4180 4056 fxxxxxl.exe 96 PID 4056 wrote to memory of 4180 4056 fxxxxxl.exe 96 PID 4056 wrote to memory of 4180 4056 fxxxxxl.exe 96 PID 4180 wrote to memory of 1840 4180 hnttnt.exe 97 PID 4180 wrote to memory of 1840 4180 hnttnt.exe 97 PID 4180 wrote to memory of 1840 4180 hnttnt.exe 97 PID 1840 wrote to memory of 8 1840 vvvpj.exe 98 PID 1840 wrote to memory of 8 1840 vvvpj.exe 98 PID 1840 wrote to memory of 8 1840 vvvpj.exe 98 PID 8 wrote to memory of 3384 8 hhtnnn.exe 100 PID 8 wrote to memory of 3384 8 hhtnnn.exe 100 PID 8 wrote to memory of 3384 8 hhtnnn.exe 100 PID 3384 wrote to memory of 4292 3384 nbhhbh.exe 101 PID 3384 wrote to memory of 4292 3384 nbhhbh.exe 101 PID 3384 wrote to memory of 4292 3384 nbhhbh.exe 101 PID 4292 wrote to memory of 5044 4292 jjdvp.exe 102 PID 4292 wrote to memory of 5044 4292 jjdvp.exe 102 PID 4292 wrote to memory of 5044 4292 jjdvp.exe 102 PID 5044 wrote to memory of 2632 5044 bnttnh.exe 103 PID 5044 wrote to memory of 2632 5044 bnttnh.exe 103 PID 5044 wrote to memory of 2632 5044 bnttnh.exe 103 PID 2632 wrote to memory of 812 2632 vjpjd.exe 105
Processes
-
C:\Users\Admin\AppData\Local\Temp\70fbe59a653dcffcad8052f4a051ec10_NeikiAnalytics.exe "C:\Users\Admin\AppData\Local\Temp\70fbe59a653dcffcad8052f4a051ec10_NeikiAnalytics.exe" 1⤵
- Suspicious use of WriteProcessMemory
PID:1984 -
\??\c:\hhhbtt.exec:\hhhbtt.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:316 -
\??\c:\dpvpp.exec:\dpvpp.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3920 -
\??\c:\lffxxff.exec:\lffxxff.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4788 -
\??\c:\nnhnbn.exec:\nnhnbn.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:440 -
\??\c:\nhhbbb.exec:\nhhbbb.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4844 -
\??\c:\hbbthh.exec:\hbbthh.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3212 -
\??\c:\vdjjd.exec:\vdjjd.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3964 -
\??\c:\ffffxxx.exec:\ffffxxx.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2844 -
\??\c:\hhnhhh.exec:\hhnhhh.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5028 -
\??\c:\7pjvj.exec:\7pjvj.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2648 -
\??\c:\fllrlrl.exec:\fllrlrl.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4976 -
\??\c:\bttnhh.exec:\bttnhh.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4628 -
\??\c:\pvdjj.exec:\pvdjj.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1344 -
\??\c:\fxxxxxl.exec:\fxxxxxl.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4056 -
\??\c:\hnttnt.exec:\hnttnt.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4180 -
\??\c:\vvvpj.exec:\vvvpj.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1840 -
\??\c:\hhtnnn.exec:\hhtnnn.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:8 -
\??\c:\nbhhbh.exec:\nbhhbh.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3384 -
\??\c:\jjdvp.exec:\jjdvp.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4292 -
\??\c:\bnttnh.exec:\bnttnh.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5044 -
\??\c:\vjpjd.exec:\vjpjd.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2632 -
\??\c:\lllffxr.exec:\lllffxr.exe23⤵
- Executes dropped EXE
PID:812 -
\??\c:\nhbtbb.exec:\nhbtbb.exe24⤵
- Executes dropped EXE
PID:1876 -
\??\c:\5vjpj.exec:\5vjpj.exe25⤵
- Executes dropped EXE
PID:4944 -
\??\c:\9fffxxx.exec:\9fffxxx.exe26⤵
- Executes dropped EXE
PID:4756 -
\??\c:\3nnhhh.exec:\3nnhhh.exe27⤵
- Executes dropped EXE
PID:4276 -
\??\c:\dvjdp.exec:\dvjdp.exe28⤵
- Executes dropped EXE
PID:4728 -
\??\c:\llllfff.exec:\llllfff.exe29⤵
- Executes dropped EXE
PID:4304 -
\??\c:\hbbtnn.exec:\hbbtnn.exe30⤵
- Executes dropped EXE
PID:1788 -
\??\c:\dppdd.exec:\dppdd.exe31⤵
- Executes dropped EXE
PID:4720 -
\??\c:\rrffxxx.exec:\rrffxxx.exe32⤵
- Executes dropped EXE
PID:888 -
\??\c:\thbbtb.exec:\thbbtb.exe33⤵
- Executes dropped EXE
PID:4704 -
\??\c:\bhnhhh.exec:\bhnhhh.exe34⤵
- Executes dropped EXE
PID:4028 -
\??\c:\3vdpv.exec:\3vdpv.exe35⤵
- Executes dropped EXE
PID:2824 -
\??\c:\dvvpj.exec:\dvvpj.exe36⤵
- Executes dropped EXE
PID:1364 -
\??\c:\rrlllll.exec:\rrlllll.exe37⤵
- Executes dropped EXE
PID:2944 -
\??\c:\bntbbb.exec:\bntbbb.exe38⤵
- Executes dropped EXE
PID:1336 -
\??\c:\9tbtnh.exec:\9tbtnh.exe39⤵
- Executes dropped EXE
PID:768 -
\??\c:\vddjv.exec:\vddjv.exe40⤵
- Executes dropped EXE
PID:3132 -
\??\c:\vdjdv.exec:\vdjdv.exe41⤵
- Executes dropped EXE
PID:3040 -
\??\c:\fxfxxxx.exec:\fxfxxxx.exe42⤵
- Executes dropped EXE
PID:1436 -
\??\c:\btnhth.exec:\btnhth.exe43⤵
- Executes dropped EXE
PID:1780 -
\??\c:\jddvv.exec:\jddvv.exe44⤵
- Executes dropped EXE
PID:4764 -
\??\c:\jvdvp.exec:\jvdvp.exe45⤵
- Executes dropped EXE
PID:412 -
\??\c:\xrlrrll.exec:\xrlrrll.exe46⤵
- Executes dropped EXE
PID:3172 -
\??\c:\rfxrlrl.exec:\rfxrlrl.exe47⤵
- Executes dropped EXE
PID:1536 -
\??\c:\thnhbb.exec:\thnhbb.exe48⤵
- Executes dropped EXE
PID:3740 -
\??\c:\vpjdv.exec:\vpjdv.exe49⤵
- Executes dropped EXE
PID:440 -
\??\c:\dppjd.exec:\dppjd.exe50⤵
- Executes dropped EXE
PID:3720 -
\??\c:\3fxrflf.exec:\3fxrflf.exe51⤵
- Executes dropped EXE
PID:3272 -
\??\c:\lflfxff.exec:\lflfxff.exe52⤵
- Executes dropped EXE
PID:3316 -
\??\c:\ntnnbt.exec:\ntnnbt.exe53⤵
- Executes dropped EXE
PID:2560 -
\??\c:\pjjdv.exec:\pjjdv.exe54⤵
- Executes dropped EXE
PID:3472 -
\??\c:\9vjdj.exec:\9vjdj.exe55⤵
- Executes dropped EXE
PID:1940 -
\??\c:\xffxxfr.exec:\xffxxfr.exe56⤵
- Executes dropped EXE
PID:464 -
\??\c:\bnnnhh.exec:\bnnnhh.exe57⤵
- Executes dropped EXE
PID:4008 -
\??\c:\hbbbtb.exec:\hbbbtb.exe58⤵
- Executes dropped EXE
PID:1180 -
\??\c:\jvvpj.exec:\jvvpj.exe59⤵
- Executes dropped EXE
PID:4976 -
\??\c:\ddjdp.exec:\ddjdp.exe60⤵
- Executes dropped EXE
PID:4628 -
\??\c:\rlrrflf.exec:\rlrrflf.exe61⤵
- Executes dropped EXE
PID:4216 -
\??\c:\hnttnn.exec:\hnttnn.exe62⤵
- Executes dropped EXE
PID:1112 -
\??\c:\nhbtnn.exec:\nhbtnn.exe63⤵
- Executes dropped EXE
PID:3752 -
\??\c:\vvppj.exec:\vvppj.exe64⤵
- Executes dropped EXE
PID:2796 -
\??\c:\pvjdv.exec:\pvjdv.exe65⤵
- Executes dropped EXE
PID:3264 -
\??\c:\frlxxlr.exec:\frlxxlr.exe66⤵PID:2652
-
\??\c:\nhbtnn.exec:\nhbtnn.exe67⤵PID:3236
-
\??\c:\hhtttt.exec:\hhtttt.exe68⤵PID:3596
-
\??\c:\vvdvp.exec:\vvdvp.exe69⤵PID:4872
-
\??\c:\vvvjj.exec:\vvvjj.exe70⤵PID:4940
-
\??\c:\rfxrxxx.exec:\rfxrxxx.exe71⤵PID:3320
-
\??\c:\btttnn.exec:\btttnn.exe72⤵PID:4656
-
\??\c:\nnnhtt.exec:\nnnhtt.exe73⤵PID:1596
-
\??\c:\vpjdv.exec:\vpjdv.exe74⤵PID:4472
-
\??\c:\1jvvd.exec:\1jvvd.exe75⤵PID:1896
-
\??\c:\1xlfffl.exec:\1xlfffl.exe76⤵PID:4852
-
\??\c:\hhbbbb.exec:\hhbbbb.exe77⤵PID:1048
-
\??\c:\nthbtt.exec:\nthbtt.exe78⤵PID:1288
-
\??\c:\3ddvv.exec:\3ddvv.exe79⤵PID:3240
-
\??\c:\9jvpj.exec:\9jvpj.exe80⤵PID:4276
-
\??\c:\lxxxrrl.exec:\lxxxrrl.exe81⤵PID:3476
-
\??\c:\7nbttb.exec:\7nbttb.exe82⤵PID:4132
-
\??\c:\7jvpp.exec:\7jvpp.exe83⤵PID:4556
-
\??\c:\1lrlffl.exec:\1lrlffl.exe84⤵PID:592
-
\??\c:\7frrrrr.exec:\7frrrrr.exe85⤵PID:1604
-
\??\c:\thntnn.exec:\thntnn.exe86⤵PID:4720
-
\??\c:\tbtntb.exec:\tbtntb.exe87⤵PID:4768
-
\??\c:\dpddd.exec:\dpddd.exe88⤵PID:4620
-
\??\c:\llrlffl.exec:\llrlffl.exe89⤵PID:4900
-
\??\c:\ntnhnn.exec:\ntnhnn.exe90⤵PID:3400
-
\??\c:\hnhnhb.exec:\hnhnhb.exe91⤵PID:1228
-
\??\c:\pdjdv.exec:\pdjdv.exe92⤵PID:3564
-
\??\c:\ffxrrrr.exec:\ffxrrrr.exe93⤵PID:1968
-
\??\c:\btnhhh.exec:\btnhhh.exe94⤵PID:1916
-
\??\c:\hbbthh.exec:\hbbthh.exe95⤵PID:1336
-
\??\c:\vjpdd.exec:\vjpdd.exe96⤵PID:4948
-
\??\c:\frrlfff.exec:\frrlfff.exe97⤵PID:3508
-
\??\c:\lxxrxxf.exec:\lxxrxxf.exe98⤵PID:1564
-
\??\c:\djpjd.exec:\djpjd.exe99⤵PID:2304
-
\??\c:\7xxlfff.exec:\7xxlfff.exe100⤵PID:2488
-
\??\c:\flrffff.exec:\flrffff.exe101⤵PID:3688
-
\??\c:\3nnhbt.exec:\3nnhbt.exe102⤵PID:384
-
\??\c:\ddvjv.exec:\ddvjv.exe103⤵PID:4184
-
\??\c:\dpdpp.exec:\dpdpp.exe104⤵PID:3740
-
\??\c:\rlrrxxr.exec:\rlrrxxr.exe105⤵PID:3156
-
\??\c:\3hbtnn.exec:\3hbtnn.exe106⤵PID:3848
-
\??\c:\httntn.exec:\httntn.exe107⤵PID:3272
-
\??\c:\jpvpj.exec:\jpvpj.exe108⤵PID:3316
-
\??\c:\jvjdp.exec:\jvjdp.exe109⤵PID:3628
-
\??\c:\lxlrfrl.exec:\lxlrfrl.exe110⤵PID:228
-
\??\c:\xllfxrl.exec:\xllfxrl.exe111⤵PID:5040
-
\??\c:\nthtbh.exec:\nthtbh.exe112⤵PID:464
-
\??\c:\nbhtbt.exec:\nbhtbt.exe113⤵PID:3844
-
\??\c:\dvvpp.exec:\dvvpp.exe114⤵PID:3260
-
\??\c:\rllrlfl.exec:\rllrlfl.exe115⤵PID:1704
-
\??\c:\xrrlrll.exec:\xrrlrll.exe116⤵PID:4040
-
\??\c:\tnbtnh.exec:\tnbtnh.exe117⤵PID:1688
-
\??\c:\hnthnb.exec:\hnthnb.exe118⤵PID:1112
-
\??\c:\jppdv.exec:\jppdv.exe119⤵PID:2168
-
\??\c:\pddvp.exec:\pddvp.exe120⤵PID:3864
-
\??\c:\frfrlfr.exec:\frfrlfr.exe121⤵PID:2212
-
\??\c:\3bntbt.exec:\3bntbt.exe122⤵PID:4672
-