Analysis
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240611-en locale:en-us os:windows10-2004-x64 system
submitted: 21-06-2024 03:26
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
3602cc6190821f0dc7c3e1be7a6200fff18ba69c7c1cf69cd29a9218e8597a0e_NeikiAnalytics.exe
Resource
win7-20240221-en
5 signatures
150 seconds
General
-
Target
3602cc6190821f0dc7c3e1be7a6200fff18ba69c7c1cf69cd29a9218e8597a0e_NeikiAnalytics.exe
-
Size
307KB
-
MD5
be229eb598c02d5d8e495823b57a1cc0
-
SHA1
dc0ed09e023efbdb5a4098502249af24a39c5500
-
SHA256
3602cc6190821f0dc7c3e1be7a6200fff18ba69c7c1cf69cd29a9218e8597a0e
-
SHA512
967824ad199ec150021e4d20962c0b31b2771edbd3f492db6e5ee3558095978df657b4251c1934d21548b4e92c9063dabdda6759ef1a9791cadb19a8400deb77
-
SSDEEP
6144:n3C9BRo/CH26ZAmaOXicLrnRukAPXt1UP+3OgEbXeTiDSd2vE:n3C9uUnAvtd3Ogld2vE
Malware Config
Signatures
-
Detect Blackmoon payload 30 IoCs
Executes dropped EXE 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\3602cc6190821f0dc7c3e1be7a6200fff18ba69c7c1cf69cd29a9218e8597a0e_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\3602cc6190821f0dc7c3e1be7a6200fff18ba69c7c1cf69cd29a9218e8597a0e_NeikiAnalytics.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:540 -
\??\c:\rlxrlfx.exec:\rlxrlfx.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3764 -
\??\c:\rrrfrlx.exec:\rrrfrlx.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3640 -
\??\c:\thnhtn.exec:\thnhtn.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3684 -
\??\c:\7vjdp.exec:\7vjdp.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3816 -
\??\c:\lxlfxxr.exec:\lxlfxxr.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4692 -
\??\c:\rrfxllf.exec:\rrfxllf.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1920 -
\??\c:\xffxlrx.exec:\xffxlrx.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:760 -
\??\c:\nhtnhh.exec:\nhtnhh.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4016 -
\??\c:\nhtnnn.exec:\nhtnnn.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2376 -
\??\c:\9djdv.exec:\9djdv.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1784 -
\??\c:\flffffx.exec:\flffffx.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4912 -
\??\c:\pvdjj.exec:\pvdjj.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3784 -
\??\c:\lrrxrxx.exec:\lrrxrxx.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3212 -
\??\c:\tbttbb.exec:\tbttbb.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1512 -
\??\c:\pdjdv.exec:\pdjdv.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1708 -
\??\c:\xrlfllx.exec:\xrlfllx.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5104 -
\??\c:\bnthth.exec:\bnthth.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1856 -
\??\c:\fxrrlfx.exec:\fxrrlfx.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2920 -
\??\c:\tthhbh.exec:\tthhbh.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2468 -
\??\c:\vdppp.exec:\vdppp.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2572 -
\??\c:\rrfxxxx.exec:\rrfxxxx.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:656 -
\??\c:\hthbtt.exec:\hthbtt.exe23⤵
- Executes dropped EXE
PID:4292 -
\??\c:\lflfrrf.exec:\lflfrrf.exe24⤵
- Executes dropped EXE
PID:432 -
\??\c:\hhttnn.exec:\hhttnn.exe25⤵
- Executes dropped EXE
PID:4056 -
\??\c:\dppdj.exec:\dppdj.exe26⤵
- Executes dropped EXE
PID:5100 -
\??\c:\3rxrfxr.exec:\3rxrfxr.exe27⤵
- Executes dropped EXE
PID:2948 -
\??\c:\3tnnhn.exec:\3tnnhn.exe28⤵
- Executes dropped EXE
PID:4100 -
\??\c:\1vppj.exec:\1vppj.exe29⤵
- Executes dropped EXE
PID:2604 -
\??\c:\9rlfrfx.exec:\9rlfrfx.exe30⤵
- Executes dropped EXE
PID:4816 -
\??\c:\9hnhbb.exec:\9hnhbb.exe31⤵
- Executes dropped EXE
PID:2472 -
\??\c:\ppvpp.exec:\ppvpp.exe32⤵
- Executes dropped EXE
PID:4496 -
\??\c:\llllfff.exec:\llllfff.exe33⤵
- Executes dropped EXE
PID:3540 -
\??\c:\ttbhtb.exec:\ttbhtb.exe34⤵
- Executes dropped EXE
PID:3932 -
\??\c:\jjpjd.exec:\jjpjd.exe35⤵
- Executes dropped EXE
PID:5020 -
\??\c:\jjdvp.exec:\jjdvp.exe36⤵
- Executes dropped EXE
PID:5108 -
\??\c:\bthtnt.exec:\bthtnt.exe37⤵
- Executes dropped EXE
PID:4360 -
\??\c:\bbtnhb.exec:\bbtnhb.exe38⤵
- Executes dropped EXE
PID:4328 -
\??\c:\jdppj.exec:\jdppj.exe39⤵
- Executes dropped EXE
PID:4140 -
\??\c:\rllfxxr.exec:\rllfxxr.exe40⤵
- Executes dropped EXE
PID:540 -
\??\c:\nnnhhh.exec:\nnnhhh.exe41⤵
- Executes dropped EXE
PID:4824 -
\??\c:\jvjdv.exec:\jvjdv.exe42⤵
- Executes dropped EXE
PID:4480 -
\??\c:\rrxfrfl.exec:\rrxfrfl.exe43⤵
- Executes dropped EXE
PID:1588 -
\??\c:\1htnhn.exec:\1htnhn.exe44⤵
- Executes dropped EXE
PID:1380 -
\??\c:\nbhbbb.exec:\nbhbbb.exe45⤵
- Executes dropped EXE
PID:2416 -
\??\c:\ttnhbt.exec:\ttnhbt.exe46⤵
- Executes dropped EXE
PID:4432 -
\??\c:\djppp.exec:\djppp.exe47⤵
- Executes dropped EXE
PID:4988 -
\??\c:\vppjd.exec:\vppjd.exe48⤵
- Executes dropped EXE
PID:2292 -
\??\c:\xxfrxxr.exec:\xxfrxxr.exe49⤵
- Executes dropped EXE
PID:5116 -
\??\c:\tnnbnn.exec:\tnnbnn.exe50⤵
- Executes dropped EXE
PID:1524 -
\??\c:\5thtbt.exec:\5thtbt.exe51⤵
- Executes dropped EXE
PID:2028 -
\??\c:\1vjdv.exec:\1vjdv.exe52⤵
- Executes dropped EXE
PID:4740 -
\??\c:\lflfrll.exec:\lflfrll.exe53⤵
- Executes dropped EXE
PID:1076 -
\??\c:\rfxrfxr.exec:\rfxrfxr.exe54⤵
- Executes dropped EXE
PID:3192 -
\??\c:\bnnhnh.exec:\bnnhnh.exe55⤵
- Executes dropped EXE
PID:1744 -
\??\c:\dpppp.exec:\dpppp.exe56⤵
- Executes dropped EXE
PID:4980 -
\??\c:\rxxrfxr.exec:\rxxrfxr.exe57⤵
- Executes dropped EXE
PID:2256 -
\??\c:\nhhbbb.exec:\nhhbbb.exe58⤵
- Executes dropped EXE
PID:4524 -
\??\c:\hhnttb.exec:\hhnttb.exe59⤵
- Executes dropped EXE
PID:3912 -
\??\c:\jddpj.exec:\jddpj.exe60⤵
- Executes dropped EXE
PID:5104 -
\??\c:\xfxfrfr.exec:\xfxfrfr.exe61⤵
- Executes dropped EXE
PID:2096 -
\??\c:\5llxfxl.exec:\5llxfxl.exe62⤵
- Executes dropped EXE
PID:4516 -
\??\c:\htbnbt.exec:\htbnbt.exe63⤵
- Executes dropped EXE
PID:4440 -
\??\c:\jpvjj.exec:\jpvjj.exe64⤵
- Executes dropped EXE
PID:652 -
\??\c:\9lxrxrx.exec:\9lxrxrx.exe65⤵
- Executes dropped EXE
PID:656 -
\??\c:\hnbbnb.exec:\hnbbnb.exe66⤵PID:4188
-
\??\c:\nbbtnh.exec:\nbbtnh.exe67⤵PID:2956
-
\??\c:\dddvj.exec:\dddvj.exe68⤵PID:2892
-
\??\c:\1fxrfxr.exec:\1fxrfxr.exe69⤵PID:1344
-
\??\c:\fxrfrfx.exec:\fxrfrfx.exe70⤵PID:4684
-
\??\c:\tbthbt.exec:\tbthbt.exe71⤵PID:3496
-
\??\c:\ddjvj.exec:\ddjvj.exe72⤵PID:2624
-
\??\c:\xxrfxrl.exec:\xxrfxrl.exe73⤵PID:4436
-
\??\c:\lrrxrrl.exec:\lrrxrrl.exe74⤵PID:4308
-
\??\c:\tnbbth.exec:\tnbbth.exe75⤵PID:3936
-
\??\c:\7jdpd.exec:\7jdpd.exe76⤵PID:3780
-
\??\c:\jjvjd.exec:\jjvjd.exe77⤵PID:3544
-
\??\c:\lrxfrlx.exec:\lrxfrlx.exe78⤵PID:3204
-
\??\c:\lllffxr.exec:\lllffxr.exe79⤵PID:3548
-
\??\c:\9hbthb.exec:\9hbthb.exe80⤵PID:972
-
\??\c:\pvdpd.exec:\pvdpd.exe81⤵PID:5024
-
\??\c:\3vpjd.exec:\3vpjd.exe82⤵PID:1424
-
\??\c:\lrlxllx.exec:\lrlxllx.exe83⤵PID:4316
-
\??\c:\frllrll.exec:\frllrll.exe84⤵PID:4260
-
\??\c:\hbbbtt.exec:\hbbbtt.exe85⤵PID:3740
-
\??\c:\pdjjv.exec:\pdjjv.exe86⤵PID:1520
-
\??\c:\jppdp.exec:\jppdp.exe87⤵PID:1516
-
\??\c:\9llxlfr.exec:\9llxlfr.exe88⤵PID:3040
-
\??\c:\9htthh.exec:\9htthh.exe89⤵PID:2392
-
\??\c:\bhhtbh.exec:\bhhtbh.exe90⤵PID:3484
-
\??\c:\vvpdp.exec:\vvpdp.exe91⤵PID:4432
-
\??\c:\1dpjj.exec:\1dpjj.exe92⤵PID:4268
-
\??\c:\1lxrffx.exec:\1lxrffx.exe93⤵PID:5116
-
\??\c:\lfxrffx.exec:\lfxrffx.exe94⤵PID:1152
-
\??\c:\hbnhbt.exec:\hbnhbt.exe95⤵PID:1784
-
\??\c:\1vpjv.exec:\1vpjv.exe96⤵PID:1540
-
\??\c:\djdvp.exec:\djdvp.exe97⤵PID:2144
-
\??\c:\fllxrxr.exec:\fllxrxr.exe98⤵PID:1248
-
\??\c:\lllrfxf.exec:\lllrfxf.exe99⤵PID:3028
-
\??\c:\bbtntn.exec:\bbtntn.exe100⤵PID:3968
-
\??\c:\pjdpj.exec:\pjdpj.exe101⤵PID:4772
-
\??\c:\rffrxrl.exec:\rffrxrl.exe102⤵PID:3568
-
\??\c:\lxxxlfx.exec:\lxxxlfx.exe103⤵PID:2572
-
\??\c:\llfrrlx.exec:\llfrrlx.exe104⤵PID:4180
-
\??\c:\7bhbht.exec:\7bhbht.exe105⤵PID:1096
-
\??\c:\1jvpd.exec:\1jvpd.exe106⤵PID:432
-
\??\c:\jpjvj.exec:\jpjvj.exe107⤵PID:3296
-
\??\c:\xfrflfr.exec:\xfrflfr.exe108⤵PID:3312
-
\??\c:\bhbnht.exec:\bhbnht.exe109⤵PID:1496
-
\??\c:\5dvjv.exec:\5dvjv.exe110⤵PID:4812
-
\??\c:\lrrfrlr.exec:\lrrfrlr.exe111⤵PID:3004
-
\??\c:\fxflxfx.exec:\fxflxfx.exe112⤵PID:2604
-
\??\c:\1nhbnb.exec:\1nhbnb.exe113⤵PID:2620
-
\??\c:\bnhbnt.exec:\bnhbnt.exe114⤵PID:1648
-
\??\c:\jvpvd.exec:\jvpvd.exe115⤵PID:4496
-
\??\c:\lfrflfr.exec:\lfrflfr.exe116⤵PID:2476
-
\??\c:\9xfxlfl.exec:\9xfxlfl.exe117⤵PID:4132
-
\??\c:\htnhtn.exec:\htnhtn.exe118⤵PID:3548
-
\??\c:\3jpdj.exec:\3jpdj.exe119⤵PID:4456
-
\??\c:\vjdpv.exec:\vjdpv.exe120⤵PID:5080
-
\??\c:\lrrlffx.exec:\lrrlffx.exe121⤵PID:2884
-
\??\c:\7fxxlrf.exec:\7fxxlrf.exe122⤵PID:3764