Analysis
-
max time kernel
150s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240426-en locale:en-us os:windows10-2004-x64 system -
submitted
03-06-2024 13:29
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
a4faa0645cc9d0916ff2fc1d96d8e520_NeikiAnalytics.exe
Resource
win7-20240221-en
5 signatures
150 seconds
General
-
Target
a4faa0645cc9d0916ff2fc1d96d8e520_NeikiAnalytics.exe
-
Size
449KB
-
MD5
a4faa0645cc9d0916ff2fc1d96d8e520
-
SHA1
e71892e3261c60fe4997ceb9b7beabb8b4336605
-
SHA256
ff950dd8dd7679b615d977b63e739fd35c0a58c739ca34a310dd84731f1cb116
-
SHA512
335c2de10283e4f3c40863accabce7286266814798cac751cdde2268504c45e6747f2446239231853e48d371d147ab1c8a9189e488112e68a28b76e8cbf91630
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbel:q7Tc2NYHUrAwfMp3CDl
Malware Config
Signatures
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/3092-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4104-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3040-13-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5076-20-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2948-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4664-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2084-42-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4240-50-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/920-55-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2808-61-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3648-73-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1052-70-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1372-84-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2848-90-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2552-100-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2112-120-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1064-135-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1464-199-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1344-213-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4912-220-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4436-217-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3844-209-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4876-192-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2704-189-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1088-184-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2484-178-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4180-157-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1668-145-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3248-112-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4444-111-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3492-228-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4268-238-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2368-245-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1516-255-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4028-259-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3516-263-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/972-276-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4604-290-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4820-294-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2296-301-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4840-308-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/856-318-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3736-343-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2860-359-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1136-369-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4100-370-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4380-411-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2724-415-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1512-501-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2016-526-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2120-557-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/636-561-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3568-574-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3620-588-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3212-644-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1320-654-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4872-748-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4748-785-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2680-881-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3828-1005-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1580-1059-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1512-1078-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1996-1161-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3520-1311-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4104 djpjd.exe 3040 frxrfxx.exe 5076 tnhhbb.exe 2948 5pddv.exe 4664 222062.exe 2084 64820.exe 4240 s0848.exe 920 200044.exe 4376 ddvvp.exe 2808 468886.exe 1052 662068.exe 3648 s0822.exe 1372 06486.exe 4636 3nbbbh.exe 2848 bbhhtt.exe 4032 u800882.exe 2552 7frlrrx.exe 3248 0860482.exe 4444 u800448.exe 2112 ntbttt.exe 1764 3ttttb.exe 1064 k02660.exe 1964 bttttt.exe 1668 rlfxrlf.exe 1032 6800048.exe 4180 6060228.exe 4500 220044.exe 4864 pddpj.exe 4916 dpddv.exe 2484 2008682.exe 1088 0002846.exe 2704 0626048.exe 4876 jvjdd.exe 2000 tthttt.exe 1464 pjvpv.exe 4276 40222.exe 4264 6244006.exe 3844 7xfxrrl.exe 1344 rrxrrrl.exe 4436 xxlfllf.exe 4172 lfxffxx.exe 4912 dddvv.exe 4348 204060.exe 3492 0622666.exe 4104 nnhbtt.exe 4268 btbttt.exe 928 2420044.exe 2368 06404.exe 2572 w24488.exe 2104 e82640.exe 1516 04880.exe 4028 xrlfffx.exe 1076 q68266.exe 3516 pvdvp.exe 3792 o220466.exe 1736 vvjvp.exe 972 602660.exe 4692 jjjdd.exe 1900 jddpv.exe 2152 bhntnn.exe 4604 jpvpv.exe 4820 i488660.exe 4680 nthbbb.exe 2296 rlfxflr.exe -
resource yara_rule behavioral2/memory/3092-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4104-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3040-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5076-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2948-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2948-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4664-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2084-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4240-50-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/920-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2808-61-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3648-73-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1052-70-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1372-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2848-90-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2552-100-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2112-120-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1064-135-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1464-199-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1344-213-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4912-220-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4436-217-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3844-209-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4348-223-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4876-192-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2704-189-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1088-184-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2484-178-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4180-157-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1668-145-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3248-112-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4444-111-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3492-228-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4268-238-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2368-245-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1516-255-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4028-259-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3516-263-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/972-276-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4604-286-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4604-290-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4820-294-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2296-301-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4840-308-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/856-318-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3736-343-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2860-359-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1136-369-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4100-370-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2548-401-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4380-411-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2724-415-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5108-422-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1512-501-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2016-526-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2120-557-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/636-561-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3568-574-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5076-581-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3620-588-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3212-644-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1320-654-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4872-748-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4748-785-0x0000000000400000-0x000000000042A000-memory.dmp upx -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3092 wrote to memory of 4104 3092 a4faa0645cc9d0916ff2fc1d96d8e520_NeikiAnalytics.exe 83 PID 3092 wrote to memory of 4104 3092 a4faa0645cc9d0916ff2fc1d96d8e520_NeikiAnalytics.exe 83 PID 3092 wrote to memory of 4104 3092 a4faa0645cc9d0916ff2fc1d96d8e520_NeikiAnalytics.exe 83 PID 4104 wrote to memory of 3040 4104 djpjd.exe 84 PID 4104 wrote to memory of 3040 4104 djpjd.exe 84 PID 4104 wrote to memory of 3040 4104 djpjd.exe 84 PID 3040 wrote to memory of 5076 3040 frxrfxx.exe 87 PID 3040 wrote to memory of 5076 3040 frxrfxx.exe 87 PID 3040 wrote to memory of 5076 3040 frxrfxx.exe 87 PID 5076 wrote to memory of 2948 5076 tnhhbb.exe 88 PID 5076 wrote to memory of 2948 5076 tnhhbb.exe 88 PID 5076 wrote to memory of 2948 5076 tnhhbb.exe 88 PID 2948 wrote to memory of 4664 2948 5pddv.exe 90 PID 2948 wrote to memory of 4664 2948 5pddv.exe 90 PID 2948 wrote to memory of 4664 2948 5pddv.exe 90 PID 4664 wrote to memory of 2084 4664 222062.exe 91 PID 4664 wrote to memory of 2084 4664 222062.exe 91 PID 4664 wrote to memory of 2084 4664 222062.exe 91 PID 2084 wrote to memory of 4240 2084 64820.exe 92 PID 2084 wrote to memory of 4240 2084 64820.exe 92 PID 2084 wrote to memory of 4240 2084 64820.exe 92 PID 4240 wrote to memory of 920 4240 s0848.exe 93 PID 4240 wrote to memory of 920 4240 s0848.exe 93 PID 4240 wrote to memory of 920 4240 s0848.exe 93 PID 920 wrote to memory of 4376 920 200044.exe 94 PID 920 wrote to memory of 4376 920 200044.exe 94 PID 920 wrote to memory of 4376 920 200044.exe 94 PID 4376 wrote to memory of 2808 4376 ddvvp.exe 95 PID 4376 wrote to memory of 2808 4376 ddvvp.exe 95 PID 4376 wrote to memory of 2808 4376 ddvvp.exe 95 PID 2808 wrote to memory of 1052 2808 468886.exe 96 PID 2808 wrote to memory of 1052 2808 468886.exe 96 PID 2808 wrote to memory of 1052 2808 468886.exe 96 PID 1052 wrote to memory of 3648 1052 662068.exe 97 PID 1052 wrote to memory of 3648 1052 662068.exe 97 PID 1052 wrote to memory of 3648 1052 
662068.exe 97 PID 3648 wrote to memory of 1372 3648 s0822.exe 98 PID 3648 wrote to memory of 1372 3648 s0822.exe 98 PID 3648 wrote to memory of 1372 3648 s0822.exe 98 PID 1372 wrote to memory of 4636 1372 06486.exe 99 PID 1372 wrote to memory of 4636 1372 06486.exe 99 PID 1372 wrote to memory of 4636 1372 06486.exe 99 PID 4636 wrote to memory of 2848 4636 3nbbbh.exe 100 PID 4636 wrote to memory of 2848 4636 3nbbbh.exe 100 PID 4636 wrote to memory of 2848 4636 3nbbbh.exe 100 PID 2848 wrote to memory of 4032 2848 bbhhtt.exe 101 PID 2848 wrote to memory of 4032 2848 bbhhtt.exe 101 PID 2848 wrote to memory of 4032 2848 bbhhtt.exe 101 PID 4032 wrote to memory of 2552 4032 u800882.exe 102 PID 4032 wrote to memory of 2552 4032 u800882.exe 102 PID 4032 wrote to memory of 2552 4032 u800882.exe 102 PID 2552 wrote to memory of 3248 2552 7frlrrx.exe 103 PID 2552 wrote to memory of 3248 2552 7frlrrx.exe 103 PID 2552 wrote to memory of 3248 2552 7frlrrx.exe 103 PID 3248 wrote to memory of 4444 3248 0860482.exe 104 PID 3248 wrote to memory of 4444 3248 0860482.exe 104 PID 3248 wrote to memory of 4444 3248 0860482.exe 104 PID 4444 wrote to memory of 2112 4444 u800448.exe 105 PID 4444 wrote to memory of 2112 4444 u800448.exe 105 PID 4444 wrote to memory of 2112 4444 u800448.exe 105 PID 2112 wrote to memory of 1764 2112 ntbttt.exe 106 PID 2112 wrote to memory of 1764 2112 ntbttt.exe 106 PID 2112 wrote to memory of 1764 2112 ntbttt.exe 106 PID 1764 wrote to memory of 1064 1764 3ttttb.exe 107
Processes
-
C:\Users\Admin\AppData\Local\Temp\a4faa0645cc9d0916ff2fc1d96d8e520_NeikiAnalytics.exe "C:\Users\Admin\AppData\Local\Temp\a4faa0645cc9d0916ff2fc1d96d8e520_NeikiAnalytics.exe" 1⤵
- Suspicious use of WriteProcessMemory
PID:3092 -
\??\c:\djpjd.exec:\djpjd.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4104 -
\??\c:\frxrfxx.exec:\frxrfxx.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3040 -
\??\c:\tnhhbb.exec:\tnhhbb.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5076 -
\??\c:\5pddv.exec:\5pddv.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2948 -
\??\c:\222062.exec:\222062.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4664 -
\??\c:\64820.exec:\64820.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2084 -
\??\c:\s0848.exec:\s0848.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4240 -
\??\c:\200044.exec:\200044.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:920 -
\??\c:\ddvvp.exec:\ddvvp.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4376 -
\??\c:\468886.exec:\468886.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2808 -
\??\c:\662068.exec:\662068.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1052 -
\??\c:\s0822.exec:\s0822.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3648 -
\??\c:\06486.exec:\06486.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1372 -
\??\c:\3nbbbh.exec:\3nbbbh.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4636 -
\??\c:\bbhhtt.exec:\bbhhtt.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2848 -
\??\c:\u800882.exec:\u800882.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4032 -
\??\c:\7frlrrx.exec:\7frlrrx.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2552 -
\??\c:\0860482.exec:\0860482.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3248 -
\??\c:\u800448.exec:\u800448.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4444 -
\??\c:\ntbttt.exec:\ntbttt.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2112 -
\??\c:\3ttttb.exec:\3ttttb.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1764 -
\??\c:\k02660.exec:\k02660.exe23⤵
- Executes dropped EXE
PID:1064 -
\??\c:\bttttt.exec:\bttttt.exe24⤵
- Executes dropped EXE
PID:1964 -
\??\c:\rlfxrlf.exec:\rlfxrlf.exe25⤵
- Executes dropped EXE
PID:1668 -
\??\c:\6800048.exec:\6800048.exe26⤵
- Executes dropped EXE
PID:1032 -
\??\c:\6060228.exec:\6060228.exe27⤵
- Executes dropped EXE
PID:4180 -
\??\c:\220044.exec:\220044.exe28⤵
- Executes dropped EXE
PID:4500 -
\??\c:\pddpj.exec:\pddpj.exe29⤵
- Executes dropped EXE
PID:4864 -
\??\c:\dpddv.exec:\dpddv.exe30⤵
- Executes dropped EXE
PID:4916 -
\??\c:\2008682.exec:\2008682.exe31⤵
- Executes dropped EXE
PID:2484 -
\??\c:\0002846.exec:\0002846.exe32⤵
- Executes dropped EXE
PID:1088 -
\??\c:\0626048.exec:\0626048.exe33⤵
- Executes dropped EXE
PID:2704 -
\??\c:\jvjdd.exec:\jvjdd.exe34⤵
- Executes dropped EXE
PID:4876 -
\??\c:\tthttt.exec:\tthttt.exe35⤵
- Executes dropped EXE
PID:2000 -
\??\c:\pjvpv.exec:\pjvpv.exe36⤵
- Executes dropped EXE
PID:1464 -
\??\c:\40222.exec:\40222.exe37⤵
- Executes dropped EXE
PID:4276 -
\??\c:\6244006.exec:\6244006.exe38⤵
- Executes dropped EXE
PID:4264 -
\??\c:\7xfxrrl.exec:\7xfxrrl.exe39⤵
- Executes dropped EXE
PID:3844 -
\??\c:\rrxrrrl.exec:\rrxrrrl.exe40⤵
- Executes dropped EXE
PID:1344 -
\??\c:\xxlfllf.exec:\xxlfllf.exe41⤵
- Executes dropped EXE
PID:4436 -
\??\c:\lfxffxx.exec:\lfxffxx.exe42⤵
- Executes dropped EXE
PID:4172 -
\??\c:\dddvv.exec:\dddvv.exe43⤵
- Executes dropped EXE
PID:4912 -
\??\c:\204060.exec:\204060.exe44⤵
- Executes dropped EXE
PID:4348 -
\??\c:\0622666.exec:\0622666.exe45⤵
- Executes dropped EXE
PID:3492 -
\??\c:\nnhbtt.exec:\nnhbtt.exe46⤵
- Executes dropped EXE
PID:4104 -
\??\c:\btbttt.exec:\btbttt.exe47⤵
- Executes dropped EXE
PID:4268 -
\??\c:\2420044.exec:\2420044.exe48⤵
- Executes dropped EXE
PID:928 -
\??\c:\06404.exec:\06404.exe49⤵
- Executes dropped EXE
PID:2368 -
\??\c:\w24488.exec:\w24488.exe50⤵
- Executes dropped EXE
PID:2572 -
\??\c:\e82640.exec:\e82640.exe51⤵
- Executes dropped EXE
PID:2104 -
\??\c:\04880.exec:\04880.exe52⤵
- Executes dropped EXE
PID:1516 -
\??\c:\xrlfffx.exec:\xrlfffx.exe53⤵
- Executes dropped EXE
PID:4028 -
\??\c:\q68266.exec:\q68266.exe54⤵
- Executes dropped EXE
PID:1076 -
\??\c:\pvdvp.exec:\pvdvp.exe55⤵
- Executes dropped EXE
PID:3516 -
\??\c:\o220466.exec:\o220466.exe56⤵
- Executes dropped EXE
PID:3792 -
\??\c:\vvjvp.exec:\vvjvp.exe57⤵
- Executes dropped EXE
PID:1736 -
\??\c:\602660.exec:\602660.exe58⤵
- Executes dropped EXE
PID:972 -
\??\c:\jjjdd.exec:\jjjdd.exe59⤵
- Executes dropped EXE
PID:4692 -
\??\c:\jddpv.exec:\jddpv.exe60⤵
- Executes dropped EXE
PID:1900 -
\??\c:\bhntnn.exec:\bhntnn.exe61⤵
- Executes dropped EXE
PID:2152 -
\??\c:\jpvpv.exec:\jpvpv.exe62⤵
- Executes dropped EXE
PID:4604 -
\??\c:\i488660.exec:\i488660.exe63⤵
- Executes dropped EXE
PID:4820 -
\??\c:\nthbbb.exec:\nthbbb.exe64⤵
- Executes dropped EXE
PID:4680 -
\??\c:\rlfxflr.exec:\rlfxflr.exe65⤵
- Executes dropped EXE
PID:2296 -
\??\c:\jvjdv.exec:\jvjdv.exe66⤵PID:2856
-
\??\c:\428200.exec:\428200.exe67⤵PID:4840
-
\??\c:\q60860.exec:\q60860.exe68⤵PID:1756
-
\??\c:\0060400.exec:\0060400.exe69⤵PID:4964
-
\??\c:\nbhbtb.exec:\nbhbtb.exe70⤵PID:3192
-
\??\c:\bbthbt.exec:\bbthbt.exe71⤵PID:856
-
\??\c:\2886048.exec:\2886048.exe72⤵PID:4720
-
\??\c:\062604.exec:\062604.exe73⤵PID:1764
-
\??\c:\7nbhnh.exec:\7nbhnh.exe74⤵PID:1140
-
\??\c:\044866.exec:\044866.exe75⤵PID:3136
-
\??\c:\jpjjv.exec:\jpjjv.exe76⤵PID:1696
-
\??\c:\rxlxllx.exec:\rxlxllx.exe77⤵PID:1832
-
\??\c:\hhbtnb.exec:\hhbtnb.exe78⤵PID:3736
-
\??\c:\tttbnh.exec:\tttbnh.exe79⤵PID:2976
-
\??\c:\82660.exec:\82660.exe80⤵PID:4504
-
\??\c:\62820.exec:\62820.exe81⤵PID:2852
-
\??\c:\hbbnhn.exec:\hbbnhn.exe82⤵PID:4116
-
\??\c:\3pvdv.exec:\3pvdv.exe83⤵PID:2860
-
\??\c:\9pdvj.exec:\9pdvj.exe84⤵PID:4516
-
\??\c:\ppvpp.exec:\ppvpp.exe85⤵PID:1564
-
\??\c:\448822.exec:\448822.exe86⤵PID:1136
-
\??\c:\9thbnn.exec:\9thbnn.exe87⤵PID:4100
-
\??\c:\nbhttn.exec:\nbhttn.exe88⤵PID:2000
-
\??\c:\2482604.exec:\2482604.exe89⤵PID:4160
-
\??\c:\28820.exec:\28820.exe90⤵PID:2940
-
\??\c:\864286.exec:\864286.exe91⤵PID:4596
-
\??\c:\7xllfxr.exec:\7xllfxr.exe92⤵PID:2236
-
\??\c:\40604.exec:\40604.exe93⤵PID:4524
-
\??\c:\3rrlxxr.exec:\3rrlxxr.exe94⤵PID:2968
-
\??\c:\pvdvd.exec:\pvdvd.exe95⤵PID:2824
-
\??\c:\80448.exec:\80448.exe96⤵PID:2120
-
\??\c:\5frfrrr.exec:\5frfrrr.exe97⤵PID:2548
-
\??\c:\lrllffx.exec:\lrllffx.exe98⤵PID:536
-
\??\c:\bbhbtt.exec:\bbhbtt.exe99⤵PID:4380
-
\??\c:\dpppp.exec:\dpppp.exe100⤵PID:2724
-
\??\c:\rffxrlf.exec:\rffxrlf.exe101⤵PID:2352
-
\??\c:\6444488.exec:\6444488.exe102⤵PID:3492
-
\??\c:\48226.exec:\48226.exe103⤵PID:5108
-
\??\c:\bhtnhh.exec:\bhtnhh.exe104⤵PID:1792
-
\??\c:\htbtnt.exec:\htbtnt.exe105⤵PID:3620
-
\??\c:\80408.exec:\80408.exe106⤵PID:4080
-
\??\c:\vppjd.exec:\vppjd.exe107⤵PID:1328
-
\??\c:\1nbbbh.exec:\1nbbbh.exe108⤵PID:2268
-
\??\c:\lllffff.exec:\lllffff.exe109⤵PID:3148
-
\??\c:\8864846.exec:\8864846.exe110⤵PID:4036
-
\??\c:\xrxllrf.exec:\xrxllrf.exe111⤵PID:4240
-
\??\c:\rrxxllr.exec:\rrxxllr.exe112⤵PID:3084
-
\??\c:\840482.exec:\840482.exe113⤵PID:4152
-
\??\c:\bnhbtt.exec:\bnhbtt.exe114⤵PID:508
-
\??\c:\hbhhhh.exec:\hbhhhh.exe115⤵PID:3532
-
\??\c:\xrxxrrr.exec:\xrxxrrr.exe116⤵PID:3604
-
\??\c:\rlrrlll.exec:\rlrrlll.exe117⤵PID:3648
-
\??\c:\2808882.exec:\2808882.exe118⤵PID:864
-
\??\c:\frxxrrx.exec:\frxxrrx.exe119⤵PID:1372
-
\??\c:\jjjdv.exec:\jjjdv.exe120⤵PID:4836
-
\??\c:\28488.exec:\28488.exe121⤵PID:1588
-
\??\c:\2666048.exec:\2666048.exe122⤵PID:1908
-