Analysis
-
max time kernel
150s -
max time network
116s -
platform
windows10-2004_x64 -
resource
win10v2004-20240611-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240611-en locale:en-us os:windows10-2004-x64 system -
submitted
21-06-2024 01:15
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
2838e08fc15ee292232c78a203fef034b1ea385975fc0ce6f4d944942168795c_NeikiAnalytics.exe
Resource
win7-20231129-en
5 signatures
150 seconds
General
-
Target
2838e08fc15ee292232c78a203fef034b1ea385975fc0ce6f4d944942168795c_NeikiAnalytics.exe
-
Size
87KB
-
MD5
1f2b0cf355e9d8757195c1e3336b7cb0
-
SHA1
be41a0c90ceda7726d9d83af8efb19de3ad060df
-
SHA256
2838e08fc15ee292232c78a203fef034b1ea385975fc0ce6f4d944942168795c
-
SHA512
8aadfedf6ae62424ecefd18423253623fd7a69038b21b4ac887d1d32764e97b8aa99fd41a5f379ef1d3e72154f33f01f3ab8096250e37e9283230bd916f35ceb
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxND+3T4+C2iJvRirE0DmoLZsO4V:ymb3NkkiQ3mdBjF+3TU2iBRioSnZsTV
Malware Config
Signatures
-
Detect Blackmoon payload 24 IoCs
-
Executes dropped EXE 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2838e08fc15ee292232c78a203fef034b1ea385975fc0ce6f4d944942168795c_NeikiAnalytics.exe "C:\Users\Admin\AppData\Local\Temp\2838e08fc15ee292232c78a203fef034b1ea385975fc0ce6f4d944942168795c_NeikiAnalytics.exe"
- Suspicious use of WriteProcessMemory
PID:4220