Analysis
-
max time kernel
150s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240611-en -
resource tags
arch:x64 arch:x86 image:win7-20240611-en locale:en-us os:windows7-x64 system -
submitted
21-06-2024 01:01
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
26969f7c70f09886ab79e326541fa087c8c264b16c3fabefcdada7f5174476ad_NeikiAnalytics.exe
Resource
win7-20240611-en
5 signatures
150 seconds
General
-
Target
26969f7c70f09886ab79e326541fa087c8c264b16c3fabefcdada7f5174476ad_NeikiAnalytics.exe
-
Size
384KB
-
MD5
fdf4ec8be112e857051357cd81a546c0
-
SHA1
2c138101c423f492a2e2535fb565e2ca7957f3a7
-
SHA256
26969f7c70f09886ab79e326541fa087c8c264b16c3fabefcdada7f5174476ad
-
SHA512
2d10f1bd6a64119cc896ee5dcadfa74cf3eda225f50701adb7deb311aef78b921cf6f4df3f57edb8c1faf9569881e724ed7cc6f25ff11f09d7cb7449d0aa6b61
-
SSDEEP
3072:ymb3NkkiQ3mdBjFo73tvn+Yp99zm+/KZBHqL3yeHmlwe+axBcot39vUDbYhzod0q:n3C9BRo7tvnJ99T/KZEL3c5BTkPXKpcX
Malware Config
Signatures
-
Detect Blackmoon payload 23 IoCs
Processes:
Executes dropped EXE 64 IoCs
Processes:
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
Processes
-
C:\Users\Admin\AppData\Local\Temp\26969f7c70f09886ab79e326541fa087c8c264b16c3fabefcdada7f5174476ad_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\26969f7c70f09886ab79e326541fa087c8c264b16c3fabefcdada7f5174476ad_NeikiAnalytics.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2440 -
\??\c:\ppjvd.exec:\ppjvd.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2224 -
\??\c:\5fllxff.exec:\5fllxff.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1360 -
\??\c:\rfxfrrx.exec:\rfxfrrx.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2100 -
\??\c:\5nbbhn.exec:\5nbbhn.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2676 -
\??\c:\7tbbhn.exec:\7tbbhn.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2808 -
\??\c:\xxxflrf.exec:\xxxflrf.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2732 -
\??\c:\tnbtnh.exec:\tnbtnh.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2656 -
\??\c:\jvppp.exec:\jvppp.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2524 -
\??\c:\1flllll.exec:\1flllll.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2956 -
\??\c:\3hbntb.exec:\3hbntb.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2052 -
\??\c:\1vdjp.exec:\1vdjp.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:668 -
\??\c:\ththtn.exec:\ththtn.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1664 -
\??\c:\9jddj.exec:\9jddj.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2496 -
\??\c:\1ffflff.exec:\1ffflff.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1004 -
\??\c:\1hbnnb.exec:\1hbnnb.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2860 -
\??\c:\vpjjp.exec:\vpjjp.exe17⤵
- Executes dropped EXE
PID:2040 -
\??\c:\rllrfxx.exec:\rllrfxx.exe18⤵
- Executes dropped EXE
PID:1680 -
\??\c:\3jpjp.exec:\3jpjp.exe19⤵
- Executes dropped EXE
PID:2276 -
\??\c:\pdvjp.exec:\pdvjp.exe20⤵
- Executes dropped EXE
PID:1672 -
\??\c:\3tbbtt.exec:\3tbbtt.exe21⤵
- Executes dropped EXE
PID:1928 -
\??\c:\vjppv.exec:\vjppv.exe22⤵
- Executes dropped EXE
PID:320 -
\??\c:\fxrrffr.exec:\fxrrffr.exe23⤵
- Executes dropped EXE
PID:1032 -
\??\c:\7nbtnn.exec:\7nbtnn.exe24⤵
- Executes dropped EXE
PID:572 -
\??\c:\1pddj.exec:\1pddj.exe25⤵
- Executes dropped EXE
PID:1872 -
\??\c:\fxfllxl.exec:\fxfllxl.exe26⤵
- Executes dropped EXE
PID:704 -
\??\c:\tnhbtt.exec:\tnhbtt.exe27⤵
- Executes dropped EXE
PID:2924 -
\??\c:\pjvdp.exec:\pjvdp.exe28⤵
- Executes dropped EXE
PID:2880 -
\??\c:\pjvpd.exec:\pjvpd.exe29⤵
- Executes dropped EXE
PID:1644 -
\??\c:\tbnbhh.exec:\tbnbhh.exe30⤵
- Executes dropped EXE
PID:1092 -
\??\c:\3vddp.exec:\3vddp.exe31⤵
- Executes dropped EXE
PID:2000 -
\??\c:\rfrrfff.exec:\rfrrfff.exe32⤵
- Executes dropped EXE
PID:1208 -
\??\c:\7hnhhb.exec:\7hnhhb.exe33⤵
- Executes dropped EXE
PID:2428 -
\??\c:\3djpd.exec:\3djpd.exe34⤵
- Executes dropped EXE
PID:2948 -
\??\c:\rrrxfxx.exec:\rrrxfxx.exe35⤵PID:1540
-
\??\c:\nhnttn.exec:\nhnttn.exe36⤵
- Executes dropped EXE
PID:1596 -
\??\c:\pdjjj.exec:\pdjjj.exe37⤵
- Executes dropped EXE
PID:2124 -
\??\c:\vdpdv.exec:\vdpdv.exe38⤵
- Executes dropped EXE
PID:2624 -
\??\c:\rfrxrrx.exec:\rfrxrrx.exe39⤵
- Executes dropped EXE
PID:2784 -
\??\c:\nbnttt.exec:\nbnttt.exe40⤵
- Executes dropped EXE
PID:2772 -
\??\c:\9vjjj.exec:\9vjjj.exe41⤵
- Executes dropped EXE
PID:2760 -
\??\c:\dvppj.exec:\dvppj.exe42⤵
- Executes dropped EXE
PID:2808 -
\??\c:\llxfllx.exec:\llxfllx.exe43⤵
- Executes dropped EXE
PID:2544 -
\??\c:\rfrrrrf.exec:\rfrrrrf.exe44⤵
- Executes dropped EXE
PID:2520 -
\??\c:\hbnbhh.exec:\hbnbhh.exe45⤵
- Executes dropped EXE
PID:2552 -
\??\c:\5djdd.exec:\5djdd.exe46⤵
- Executes dropped EXE
PID:3052 -
\??\c:\jdvvj.exec:\jdvvj.exe47⤵
- Executes dropped EXE
PID:2956 -
\??\c:\xrffrxf.exec:\xrffrxf.exe48⤵
- Executes dropped EXE
PID:2508 -
\??\c:\3hnnnt.exec:\3hnnnt.exe49⤵
- Executes dropped EXE
PID:1052 -
\??\c:\bthnbh.exec:\bthnbh.exe50⤵
- Executes dropped EXE
PID:1056 -
\??\c:\1djvj.exec:\1djvj.exe51⤵
- Executes dropped EXE
PID:808 -
\??\c:\pvjdj.exec:\pvjdj.exe52⤵
- Executes dropped EXE
PID:324 -
\??\c:\fxrrxxf.exec:\fxrrxxf.exe53⤵
- Executes dropped EXE
PID:2696 -
\??\c:\bthtbt.exec:\bthtbt.exe54⤵
- Executes dropped EXE
PID:1608 -
\??\c:\htnntb.exec:\htnntb.exe55⤵
- Executes dropped EXE
PID:1720 -
\??\c:\5dppd.exec:\5dppd.exe56⤵
- Executes dropped EXE
PID:2144 -
\??\c:\xrfflxf.exec:\xrfflxf.exe57⤵
- Executes dropped EXE
PID:2944 -
\??\c:\rlxxffl.exec:\rlxxffl.exe58⤵
- Executes dropped EXE
PID:2112 -
\??\c:\9bhbbb.exec:\9bhbbb.exe59⤵
- Executes dropped EXE
PID:1144 -
\??\c:\9jjdp.exec:\9jjdp.exe60⤵
- Executes dropped EXE
PID:1928 -
\??\c:\ppdjv.exec:\ppdjv.exe61⤵
- Executes dropped EXE
PID:784 -
\??\c:\5rxxxll.exec:\5rxxxll.exe62⤵
- Executes dropped EXE
PID:568 -
\??\c:\lfrrxxf.exec:\lfrrxxf.exe63⤵
- Executes dropped EXE
PID:2320 -
\??\c:\thtnnh.exec:\thtnnh.exe64⤵
- Executes dropped EXE
PID:1492 -
\??\c:\vppvj.exec:\vppvj.exe65⤵
- Executes dropped EXE
PID:2312 -
\??\c:\dvvdv.exec:\dvvdv.exe66⤵
- Executes dropped EXE
PID:2488 -
\??\c:\rlrllrx.exec:\rlrllrx.exe67⤵PID:1940
-
\??\c:\3xrlrrf.exec:\3xrlrrf.exe68⤵PID:960
-
\??\c:\bnbttn.exec:\bnbttn.exe69⤵PID:2880
-
\??\c:\pjvvj.exec:\pjvvj.exe70⤵PID:1552
-
\??\c:\3vjjp.exec:\3vjjp.exe71⤵PID:2256
-
\??\c:\5lfrlll.exec:\5lfrlll.exe72⤵PID:1520
-
\??\c:\xlxrxrx.exec:\xlxrxrx.exe73⤵PID:2976
-
\??\c:\7btttb.exec:\7btttb.exe74⤵PID:1208
-
\??\c:\pjvvj.exec:\pjvvj.exe75⤵PID:2992
-
\??\c:\jvjjp.exec:\jvjjp.exe76⤵PID:1628
-
\??\c:\lfrxfll.exec:\lfrxfll.exe77⤵PID:2352
-
\??\c:\frxxffl.exec:\frxxffl.exe78⤵PID:2448
-
\??\c:\hbnntt.exec:\hbnntt.exe79⤵PID:2776
-
\??\c:\jvdvv.exec:\jvdvv.exe80⤵PID:2796
-
\??\c:\pjjdj.exec:\pjjdj.exe81⤵PID:2404
-
\??\c:\fflfrxf.exec:\fflfrxf.exe82⤵PID:2896
-
\??\c:\3nbbbt.exec:\3nbbbt.exe83⤵PID:2732
-
\??\c:\9vjdd.exec:\9vjdd.exe84⤵PID:2688
-
\??\c:\jvpjp.exec:\jvpjp.exe85⤵PID:2656
-
\??\c:\fxlrxxr.exec:\fxlrxxr.exe86⤵PID:2988
-
\??\c:\lxllrxl.exec:\lxllrxl.exe87⤵PID:3032
-
\??\c:\3ttbbt.exec:\3ttbbt.exe88⤵PID:2332
-
\??\c:\9btbhb.exec:\9btbhb.exe89⤵PID:2828
-
\??\c:\vpdjv.exec:\vpdjv.exe90⤵PID:1244
-
\??\c:\xxlrxfl.exec:\xxlrxfl.exe91⤵PID:1712
-
\??\c:\1flxxlr.exec:\1flxxlr.exe92⤵PID:552
-
\??\c:\hbhhhn.exec:\hbhhhn.exe93⤵PID:2192
-
\??\c:\bbntht.exec:\bbntht.exe94⤵PID:2856
-
\??\c:\vpdpv.exec:\vpdpv.exe95⤵PID:1700
-
\??\c:\fxlxflr.exec:\fxlxflr.exe96⤵PID:1640
-
\??\c:\9lffrxl.exec:\9lffrxl.exe97⤵PID:1688
-
\??\c:\nhbnnn.exec:\nhbnnn.exe98⤵PID:1584
-
\??\c:\dpddd.exec:\dpddd.exe99⤵PID:1716
-
\??\c:\vjvvv.exec:\vjvvv.exe100⤵PID:1204
-
\??\c:\rlrrxxf.exec:\rlrrxxf.exe101⤵PID:584
-
\??\c:\1fxlfll.exec:\1fxlfll.exe102⤵PID:780
-
\??\c:\7btttt.exec:\7btttt.exe103⤵PID:1496
-
\??\c:\pjvvd.exec:\pjvvd.exe104⤵PID:1384
-
\??\c:\5flfxrr.exec:\5flfxrr.exe105⤵PID:296
-
\??\c:\rrlfrxl.exec:\rrlfrxl.exe106⤵PID:1136
-
\??\c:\3bnnhh.exec:\3bnnhh.exe107⤵PID:996
-
\??\c:\3hnnhb.exec:\3hnnhb.exe108⤵PID:1916
-
\??\c:\pdppv.exec:\pdppv.exe109⤵PID:3064
-
\??\c:\1lxrlrr.exec:\1lxrlrr.exe110⤵PID:1748
-
\??\c:\xrllrrl.exec:\xrllrrl.exe111⤵PID:2336
-
\??\c:\nbtbbb.exec:\nbtbbb.exe112⤵PID:1552
-
\??\c:\tnbtbt.exec:\tnbtbt.exe113⤵PID:2456
-
\??\c:\vpppd.exec:\vpppd.exe114⤵PID:1764
-
\??\c:\3lrrxff.exec:\3lrrxff.exe115⤵PID:2232
-
\??\c:\9xlfxxf.exec:\9xlfxxf.exe116⤵PID:2064
-
\??\c:\5htnbh.exec:\5htnbh.exe117⤵PID:2196
-
\??\c:\jvdvd.exec:\jvdvd.exe118⤵PID:2188
-
\??\c:\lfrrflr.exec:\lfrrflr.exe119⤵PID:2396
-
\??\c:\rfrlllr.exec:\rfrlllr.exe120⤵PID:2668
-
\??\c:\bnhnth.exec:\bnhnth.exe121⤵PID:2672
-
\??\c:\vjvpv.exec:\vjvpv.exe122⤵PID:2636