Analysis
max time kernel: 150s
max time network: 121s
platform: windows7_x64
resource: win7-20240611-en
resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
submitted: 21-06-2024 03:04
Behavioral task
behavioral1
Sample
3387340180ea017b13042ed0008f11e21e09161bbf887408beb2611033530d8f_NeikiAnalytics.exe
Resource
win7-20240611-en
5 signatures
150 seconds
General
Target: 3387340180ea017b13042ed0008f11e21e09161bbf887408beb2611033530d8f_NeikiAnalytics.exe
Size: 457KB
MD5: 5dbcc6550af3f61d4d620b0ff1b010c0
SHA1: c46b04f4caf8b76229b358999046dc2418c45956
SHA256: 3387340180ea017b13042ed0008f11e21e09161bbf887408beb2611033530d8f
SHA512: 871bdc1a3e903b927e0fc817f6a2eaff5fcd02092b41e3df33b57c9ec9de5b57c70001ea9f5c53ff8025038dd1bfebc6a81fd509e90aeab475178a3a973d0da7
SSDEEP: 12288:04wFHoSyd0V3eFp3IDvSbh5nPYERM8mXzplo4M3:rd0gFp3lz1/uzplof
Malware Config
Signatures
-
Detect Blackmoon payload 38 IoCs
Executes dropped EXE 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\3387340180ea017b13042ed0008f11e21e09161bbf887408beb2611033530d8f_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\3387340180ea017b13042ed0008f11e21e09161bbf887408beb2611033530d8f_NeikiAnalytics.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3048 -
\??\c:\jvvpp.exec:\jvvpp.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2336 -
\??\c:\1lflrfr.exec:\1lflrfr.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2692 -
\??\c:\5ddjp.exec:\5ddjp.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2592 -
\??\c:\nhtbhn.exec:\nhtbhn.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2844 -
\??\c:\jddpj.exec:\jddpj.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2808 -
\??\c:\5thhnt.exec:\5thhnt.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2752 -
\??\c:\9nbbhb.exec:\9nbbhb.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2500 -
\??\c:\lfrlxrx.exec:\lfrlxrx.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2944 -
\??\c:\nbnttt.exec:\nbnttt.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1548 -
\??\c:\vjpvd.exec:\vjpvd.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2788 -
\??\c:\1rllxxf.exec:\1rllxxf.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2932 -
\??\c:\dvvdj.exec:\dvvdj.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1616 -
\??\c:\pdjdj.exec:\pdjdj.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1204 -
\??\c:\7hhhnh.exec:\7hhhnh.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1572 -
\??\c:\vdjvp.exec:\vdjvp.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1444 -
\??\c:\nbhbbb.exec:\nbhbbb.exe17⤵
- Executes dropped EXE
PID:1576 -
\??\c:\7vjdp.exec:\7vjdp.exe18⤵
- Executes dropped EXE
PID:2020 -
\??\c:\hthhhh.exec:\hthhhh.exe19⤵
- Executes dropped EXE
PID:2564 -
\??\c:\jjvdj.exec:\jjvdj.exe20⤵
- Executes dropped EXE
PID:1628 -
\??\c:\frfxrlr.exec:\frfxrlr.exe21⤵
- Executes dropped EXE
PID:2876 -
\??\c:\5thhnb.exec:\5thhnb.exe22⤵
- Executes dropped EXE
PID:1412 -
\??\c:\lxllxxl.exec:\lxllxxl.exe23⤵
- Executes dropped EXE
PID:1780 -
\??\c:\hbttth.exec:\hbttth.exe24⤵
- Executes dropped EXE
PID:2328 -
\??\c:\jdpvv.exec:\jdpvv.exe25⤵
- Executes dropped EXE
PID:2420 -
\??\c:\xlxfrxr.exec:\xlxfrxr.exe26⤵
- Executes dropped EXE
PID:1912 -
\??\c:\thtbnt.exec:\thtbnt.exe27⤵
- Executes dropped EXE
PID:1696 -
\??\c:\pvvvj.exec:\pvvvj.exe28⤵
- Executes dropped EXE
PID:1324 -
\??\c:\hbnnnn.exec:\hbnnnn.exe29⤵
- Executes dropped EXE
PID:340 -
\??\c:\hntnbh.exec:\hntnbh.exe30⤵
- Executes dropped EXE
PID:1964 -
\??\c:\5dvvj.exec:\5dvvj.exe31⤵
- Executes dropped EXE
PID:1216 -
\??\c:\1lxfxxl.exec:\1lxfxxl.exe32⤵
- Executes dropped EXE
PID:1500 -
\??\c:\rxrrxxr.exec:\rxrrxxr.exe33⤵
- Executes dropped EXE
PID:2132 -
\??\c:\thttbt.exec:\thttbt.exe34⤵
- Executes dropped EXE
PID:1436 -
\??\c:\7pjdj.exec:\7pjdj.exe35⤵
- Executes dropped EXE
PID:1712 -
\??\c:\jvppv.exec:\jvppv.exe36⤵
- Executes dropped EXE
PID:1956 -
\??\c:\9lxxxfl.exec:\9lxxxfl.exe37⤵
- Executes dropped EXE
PID:2572 -
\??\c:\bhhnbh.exec:\bhhnbh.exe38⤵
- Executes dropped EXE
PID:1896 -
\??\c:\fxfxrrx.exec:\fxfxrrx.exe39⤵
- Executes dropped EXE
PID:2668 -
\??\c:\lrfrfxf.exec:\lrfrfxf.exe40⤵
- Executes dropped EXE
PID:2476 -
\??\c:\9httbb.exec:\9httbb.exe41⤵
- Executes dropped EXE
PID:2084 -
\??\c:\djpjj.exec:\djpjj.exe42⤵
- Executes dropped EXE
PID:2496 -
\??\c:\9fxfxfl.exec:\9fxfxfl.exe43⤵
- Executes dropped EXE
PID:2556 -
\??\c:\bthnhh.exec:\bthnhh.exe44⤵
- Executes dropped EXE
PID:2640 -
\??\c:\3pdjj.exec:\3pdjj.exe45⤵
- Executes dropped EXE
PID:2488 -
\??\c:\3xxfllx.exec:\3xxfllx.exe46⤵
- Executes dropped EXE
PID:2500 -
\??\c:\hhbhbh.exec:\hhbhbh.exe47⤵
- Executes dropped EXE
PID:2944 -
\??\c:\jdvvj.exec:\jdvvj.exe48⤵
- Executes dropped EXE
PID:1016 -
\??\c:\jdvdp.exec:\jdvdp.exe49⤵
- Executes dropped EXE
PID:2804 -
\??\c:\fxxxlfr.exec:\fxxxlfr.exe50⤵
- Executes dropped EXE
PID:2924 -
\??\c:\bhbnnn.exec:\bhbnnn.exe51⤵
- Executes dropped EXE
PID:1116 -
\??\c:\vjjjp.exec:\vjjjp.exe52⤵
- Executes dropped EXE
PID:1728 -
\??\c:\dvppd.exec:\dvppd.exe53⤵
- Executes dropped EXE
PID:1768 -
\??\c:\flfffll.exec:\flfffll.exe54⤵
- Executes dropped EXE
PID:2212 -
\??\c:\bbthbh.exec:\bbthbh.exe55⤵
- Executes dropped EXE
PID:1592 -
\??\c:\5pvpp.exec:\5pvpp.exe56⤵
- Executes dropped EXE
PID:892 -
\??\c:\lfflrxl.exec:\lfflrxl.exe57⤵
- Executes dropped EXE
PID:1452 -
\??\c:\bbtbhn.exec:\bbtbhn.exe58⤵
- Executes dropped EXE
PID:864 -
\??\c:\hhbntn.exec:\hhbntn.exe59⤵
- Executes dropped EXE
PID:1960 -
\??\c:\pjpvp.exec:\pjpvp.exe60⤵
- Executes dropped EXE
PID:2036 -
\??\c:\lxllfxx.exec:\lxllfxx.exe61⤵
- Executes dropped EXE
PID:1580 -
\??\c:\3thhnn.exec:\3thhnn.exe62⤵
- Executes dropped EXE
PID:1972 -
\??\c:\9ppjj.exec:\9ppjj.exe63⤵
- Executes dropped EXE
PID:2448 -
\??\c:\vppvv.exec:\vppvv.exe64⤵
- Executes dropped EXE
PID:108 -
\??\c:\7rxxfxf.exec:\7rxxfxf.exe65⤵
- Executes dropped EXE
PID:1108 -
\??\c:\bthhnn.exec:\bthhnn.exe66⤵PID:1588
-
\??\c:\7dvpv.exec:\7dvpv.exe67⤵PID:2272
-
\??\c:\ddvpj.exec:\ddvpj.exe68⤵PID:1472
-
\??\c:\1flxlll.exec:\1flxlll.exe69⤵PID:2420
-
\??\c:\3nhbhb.exec:\3nhbhb.exe70⤵PID:764
-
\??\c:\nnbbbt.exec:\nnbbbt.exe71⤵PID:1244
-
\??\c:\3vvdv.exec:\3vvdv.exe72⤵PID:2392
-
\??\c:\rfxflfr.exec:\rfxflfr.exe73⤵PID:908
-
\??\c:\rrlxlll.exec:\rrlxlll.exe74⤵PID:1884
-
\??\c:\bbttnt.exec:\bbttnt.exe75⤵PID:2880
-
\??\c:\jdpvd.exec:\jdpvd.exe76⤵PID:2368
-
\??\c:\5lllxfx.exec:\5lllxfx.exe77⤵PID:1660
-
\??\c:\xrflxxf.exec:\xrflxxf.exe78⤵PID:2108
-
\??\c:\bhhtnn.exec:\bhhtnn.exe79⤵PID:2836
-
\??\c:\5djjv.exec:\5djjv.exe80⤵PID:1872
-
\??\c:\frxffxl.exec:\frxffxl.exe81⤵PID:3044
-
\??\c:\ntnbhn.exec:\ntnbhn.exe82⤵PID:1880
-
\??\c:\htntnh.exec:\htntnh.exe83⤵PID:2748
-
\??\c:\vpddj.exec:\vpddj.exe84⤵PID:1896
-
\??\c:\fxflxfx.exec:\fxflxfx.exe85⤵PID:2696
-
\??\c:\ntntbn.exec:\ntntbn.exe86⤵PID:2628
-
\??\c:\jdpdd.exec:\jdpdd.exe87⤵PID:2492
-
\??\c:\dpdvv.exec:\dpdvv.exe88⤵PID:2684
-
\??\c:\flrxffr.exec:\flrxffr.exe89⤵PID:2524
-
\??\c:\nhttbb.exec:\nhttbb.exe90⤵PID:2464
-
\??\c:\jjdjp.exec:\jjdjp.exe91⤵PID:2172
-
\??\c:\ppjvd.exec:\ppjvd.exe92⤵PID:468
-
\??\c:\frlllll.exec:\frlllll.exe93⤵PID:2780
-
\??\c:\hhtnhh.exec:\hhtnhh.exe94⤵PID:2792
-
\??\c:\djvjv.exec:\djvjv.exe95⤵PID:2784
-
\??\c:\1rrrlll.exec:\1rrrlll.exe96⤵PID:2940
-
\??\c:\bnbbbb.exec:\bnbbbb.exe97⤵PID:1568
-
\??\c:\7nttbh.exec:\7nttbh.exe98⤵PID:1920
-
\??\c:\dvvjp.exec:\dvvjp.exe99⤵PID:1368
-
\??\c:\llxflrf.exec:\llxflrf.exe100⤵PID:2444
-
\??\c:\7lfllxf.exec:\7lfllxf.exe101⤵PID:2992
-
\??\c:\btnthn.exec:\btnthn.exe102⤵PID:1228
-
\??\c:\7vdpj.exec:\7vdpj.exe103⤵PID:1576
-
\??\c:\9pjjd.exec:\9pjjd.exe104⤵PID:3068
-
\??\c:\rfrrffr.exec:\rfrrffr.exe105⤵PID:2220
-
\??\c:\hbtbnn.exec:\hbtbnn.exe106⤵PID:2204
-
\??\c:\hbnntn.exec:\hbnntn.exe107⤵PID:1628
-
\??\c:\ddppd.exec:\ddppd.exe108⤵PID:1408
-
\??\c:\xrrfrrf.exec:\xrrfrrf.exe109⤵PID:1924
-
\??\c:\tbtnbh.exec:\tbtnbh.exe110⤵PID:1484
-
\??\c:\hbbhbb.exec:\hbbhbb.exe111⤵PID:2252
-
\??\c:\7dddj.exec:\7dddj.exe112⤵PID:836
-
\??\c:\xlrlrrf.exec:\xlrlrrf.exe113⤵PID:2296
-
\??\c:\1bbhhn.exec:\1bbhhn.exe114⤵PID:1308
-
\??\c:\tnnntb.exec:\tnnntb.exe115⤵PID:544
-
\??\c:\7ddjv.exec:\7ddjv.exe116⤵PID:916
-
\??\c:\fxrrxfl.exec:\fxrrxfl.exe117⤵PID:1928
-
\??\c:\bhbnbh.exec:\bhbnbh.exe118⤵PID:2072
-
\??\c:\tnnhnt.exec:\tnnhnt.exe119⤵PID:908
-
\??\c:\pjdpp.exec:\pjdpp.exe120⤵PID:1668
-
\??\c:\9rfrrrx.exec:\9rfrrrx.exe121⤵PID:2400
-
\??\c:\dddvj.exec:\dddvj.exe122⤵PID:2364
-