Analysis
-
max time kernel
150s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240611-en -
resource tags
arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system -
submitted
21-06-2024 05:04
Behavioral task
behavioral1
Sample
40749afd5eecbd278d3c84f051da6fe0ab1a052e6c159fb8241c12e8e6f75319_NeikiAnalytics.exe
Resource
win7-20240611-en
5 signatures
150 seconds
General
-
Target
40749afd5eecbd278d3c84f051da6fe0ab1a052e6c159fb8241c12e8e6f75319_NeikiAnalytics.exe
-
Size
255KB
-
MD5
196339094dab57b7da5314be5c6ef4e0
-
SHA1
d09ce666f2438782c950f49fa01d1ab3448286d0
-
SHA256
40749afd5eecbd278d3c84f051da6fe0ab1a052e6c159fb8241c12e8e6f75319
-
SHA512
d77d30bf3b880e04eb55e4dbb85aeba36b16a93fd5def4e76537d1fbb2b059cc678f88c9a1687086fffd9f0629dbbd697c13d50e7cee50a947b2e21153776430
-
SSDEEP
6144:kcm4FmowdHoSphraHcpOaKHpolTjZXvEQo9dfrP:y4wFHoS3eFaKHpKT9XvEhdfrP
Malware Config
Signatures
-
Detect Blackmoon payload (46 IoCs)
Processes:
resource yara_rule behavioral1/memory/2188-10-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2556-19-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1100-30-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2748-40-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2856-50-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2792-58-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2536-71-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2496-68-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2548-86-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/468-95-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1448-98-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2720-109-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2720-114-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2092-123-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/924-128-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/924-133-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1704-142-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1456-194-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1444-202-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2880-211-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/852-220-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral1/memory/3056-230-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2328-238-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2716-248-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1904-256-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/928-267-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1904-290-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/1152-300-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2208-316-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2224-332-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2940-395-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1976-403-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2708-422-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/536-443-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2008-449-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1384-476-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1540-483-0x0000000001B80000-0x0000000001BA7000-memory.dmp family_blackmoon behavioral1/memory/2300-497-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/3060-530-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/1052-532-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1532-546-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/1628-862-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral1/memory/752-913-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/3000-945-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2588-980-0x0000000000230000-0x0000000000257000-memory.dmp family_blackmoon behavioral1/memory/1716-992-0x00000000002C0000-0x00000000002E7000-memory.dmp family_blackmoon -
Executes dropped EXE (64 IoCs)
Processes:
btjdh.exejdtbt.exejhddr.exebjtbnfx.exeftxjx.exejvtjv.exejftdtn.exetnbfh.exetnhllr.exebxhhd.exepltjpfn.exeprfxjn.exepnbdbrf.exepfnrrvr.exexhblnnr.exebdhdb.exephxfn.exeblrfrt.exebrlhr.exepxrhxt.exenpltbpt.exerlphbhn.exevvdfnl.exenjnbjvf.exejjtrfj.exepxjpl.exerbjff.exervbdt.exebnpxpbd.exetvddtl.exejvxhpjh.exehrpjt.exevfvvjlb.exehxvprv.exexpfdl.exefvnffxf.exehpdbxnx.exerrjtv.exehnnxjj.exennpvxb.exebvjtd.exebhvrpb.exebhtlvh.exejfrlv.exefpxhvr.exerhphfrb.exeftxdhln.exefpddll.exelxrxvfp.exejxttbhr.exehjnvnn.exebvhff.exeflljbvh.exebvthbrp.exevtdhfpb.exendftnhr.exehrrvvfx.exelxthtrv.exerxxdtr.exebnphv.exetdjbj.exedxhbpv.exendxvbb.exejjnvjd.exepid process 2556 btjdh.exe 1100 jdtbt.exe 2748 jhddr.exe 2856 bjtbnfx.exe 2792 ftxjx.exe 2496 jvtjv.exe 2536 jftdtn.exe 2548 tnbfh.exe 468 tnhllr.exe 1448 bxhhd.exe 2720 pltjpfn.exe 2092 prfxjn.exe 924 pnbdbrf.exe 1704 pfnrrvr.exe 1892 xhblnnr.exe 936 bdhdb.exe 1356 phxfn.exe 1984 blrfrt.exe 2264 brlhr.exe 1456 pxrhxt.exe 1444 npltbpt.exe 2880 rlphbhn.exe 852 vvdfnl.exe 3056 njnbjvf.exe 2328 jjtrfj.exe 2716 pxjpl.exe 1904 rbjff.exe 1940 rvbdt.exe 928 bnpxpbd.exe 552 tvddtl.exe 2904 jvxhpjh.exe 1152 hrpjt.exe 872 vfvvjlb.exe 2208 hxvprv.exe 2076 xpfdl.exe 2224 fvnffxf.exe 3004 hpdbxnx.exe 2580 rrjtv.exe 2760 hnnxjj.exe 2816 nnpvxb.exe 2604 bvjtd.exe 2588 bhvrpb.exe 2640 bhtlvh.exe 2212 jfrlv.exe 2532 fpxhvr.exe 2940 rhphfrb.exe 1976 ftxdhln.exe 804 fpddll.exe 652 lxrxvfp.exe 876 jxttbhr.exe 2708 hjnvnn.exe 2156 bvhff.exe 1656 flljbvh.exe 536 bvthbrp.exe 2008 vtdhfpb.exe 944 ndftnhr.exe 1804 hrrvvfx.exe 1384 lxthtrv.exe 1540 rxxdtr.exe 1524 bnphv.exe 2300 tdjbj.exe 1456 dxhbpv.exe 2872 ndxvbb.exe 2080 jjnvjd.exe -
Processes (memory regions and dropped files matching the upx YARA rule):
resource yara_rule behavioral1/memory/2188-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2188-6-0x0000000000220000-0x0000000000247000-memory.dmp upx behavioral1/memory/2188-10-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2556-11-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\btjdh.exe upx behavioral1/memory/2556-19-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\jdtbt.exe upx behavioral1/memory/1100-21-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\jhddr.exe upx behavioral1/memory/1100-30-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\bjtbnfx.exe upx behavioral1/memory/2748-40-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2856-47-0x0000000000220000-0x0000000000247000-memory.dmp upx behavioral1/memory/2856-50-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\ftxjx.exe upx C:\jvtjv.exe upx C:\jftdtn.exe upx behavioral1/memory/2536-71-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2496-68-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2548-78-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\tnbfh.exe upx C:\tnhllr.exe upx behavioral1/memory/2548-86-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/468-95-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/1448-98-0x0000000000400000-0x0000000000427000-memory.dmp upx \??\c:\bxhhd.exe upx C:\pltjpfn.exe upx C:\prfxjn.exe upx behavioral1/memory/2720-114-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2092-123-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\pnbdbrf.exe upx behavioral1/memory/924-133-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\pfnrrvr.exe upx C:\xhblnnr.exe upx behavioral1/memory/1704-142-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\bdhdb.exe upx C:\phxfn.exe upx \??\c:\blrfrt.exe upx \??\c:\brlhr.exe upx C:\pxrhxt.exe upx 
behavioral1/memory/1456-185-0x0000000000400000-0x0000000000427000-memory.dmp upx \??\c:\npltbpt.exe upx behavioral1/memory/1456-194-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\rlphbhn.exe upx behavioral1/memory/1444-202-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2880-211-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\vvdfnl.exe upx behavioral1/memory/852-220-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\njnbjvf.exe upx behavioral1/memory/3056-230-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\jjtrfj.exe upx behavioral1/memory/2328-238-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\pxjpl.exe upx behavioral1/memory/2716-248-0x0000000000400000-0x0000000000427000-memory.dmp upx \??\c:\rbjff.exe upx C:\rvbdt.exe upx C:\bnpxpbd.exe upx behavioral1/memory/928-267-0x0000000000400000-0x0000000000427000-memory.dmp upx C:\tvddtl.exe upx C:\jvxhpjh.exe upx C:\hrpjt.exe upx behavioral1/memory/1152-300-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2208-309-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2208-316-0x0000000000400000-0x0000000000427000-memory.dmp upx -
Suspicious use of WriteProcessMemory (64 IoCs)
Processes:
40749afd5eecbd278d3c84f051da6fe0ab1a052e6c159fb8241c12e8e6f75319_NeikiAnalytics.exebtjdh.exejdtbt.exejhddr.exebjtbnfx.exeftxjx.exejvtjv.exejftdtn.exetnbfh.exetnhllr.exebxhhd.exepltjpfn.exeprfxjn.exepnbdbrf.exepfnrrvr.exexhblnnr.exedescription pid process target process PID 2188 wrote to memory of 2556 2188 40749afd5eecbd278d3c84f051da6fe0ab1a052e6c159fb8241c12e8e6f75319_NeikiAnalytics.exe btjdh.exe PID 2188 wrote to memory of 2556 2188 40749afd5eecbd278d3c84f051da6fe0ab1a052e6c159fb8241c12e8e6f75319_NeikiAnalytics.exe btjdh.exe PID 2188 wrote to memory of 2556 2188 40749afd5eecbd278d3c84f051da6fe0ab1a052e6c159fb8241c12e8e6f75319_NeikiAnalytics.exe btjdh.exe PID 2188 wrote to memory of 2556 2188 40749afd5eecbd278d3c84f051da6fe0ab1a052e6c159fb8241c12e8e6f75319_NeikiAnalytics.exe btjdh.exe PID 2556 wrote to memory of 1100 2556 btjdh.exe jdtbt.exe PID 2556 wrote to memory of 1100 2556 btjdh.exe jdtbt.exe PID 2556 wrote to memory of 1100 2556 btjdh.exe jdtbt.exe PID 2556 wrote to memory of 1100 2556 btjdh.exe jdtbt.exe PID 1100 wrote to memory of 2748 1100 jdtbt.exe jhddr.exe PID 1100 wrote to memory of 2748 1100 jdtbt.exe jhddr.exe PID 1100 wrote to memory of 2748 1100 jdtbt.exe jhddr.exe PID 1100 wrote to memory of 2748 1100 jdtbt.exe jhddr.exe PID 2748 wrote to memory of 2856 2748 jhddr.exe bjtbnfx.exe PID 2748 wrote to memory of 2856 2748 jhddr.exe bjtbnfx.exe PID 2748 wrote to memory of 2856 2748 jhddr.exe bjtbnfx.exe PID 2748 wrote to memory of 2856 2748 jhddr.exe bjtbnfx.exe PID 2856 wrote to memory of 2792 2856 bjtbnfx.exe ftxjx.exe PID 2856 wrote to memory of 2792 2856 bjtbnfx.exe ftxjx.exe PID 2856 wrote to memory of 2792 2856 bjtbnfx.exe ftxjx.exe PID 2856 wrote to memory of 2792 2856 bjtbnfx.exe ftxjx.exe PID 2792 wrote to memory of 2496 2792 ftxjx.exe jvtjv.exe PID 2792 wrote to memory of 2496 2792 ftxjx.exe jvtjv.exe PID 2792 wrote to memory of 2496 2792 ftxjx.exe jvtjv.exe PID 2792 wrote to memory of 2496 2792 ftxjx.exe jvtjv.exe PID 2496 wrote to memory 
of 2536 2496 jvtjv.exe jftdtn.exe PID 2496 wrote to memory of 2536 2496 jvtjv.exe jftdtn.exe PID 2496 wrote to memory of 2536 2496 jvtjv.exe jftdtn.exe PID 2496 wrote to memory of 2536 2496 jvtjv.exe jftdtn.exe PID 2536 wrote to memory of 2548 2536 jftdtn.exe tnbfh.exe PID 2536 wrote to memory of 2548 2536 jftdtn.exe tnbfh.exe PID 2536 wrote to memory of 2548 2536 jftdtn.exe tnbfh.exe PID 2536 wrote to memory of 2548 2536 jftdtn.exe tnbfh.exe PID 2548 wrote to memory of 468 2548 tnbfh.exe tnhllr.exe PID 2548 wrote to memory of 468 2548 tnbfh.exe tnhllr.exe PID 2548 wrote to memory of 468 2548 tnbfh.exe tnhllr.exe PID 2548 wrote to memory of 468 2548 tnbfh.exe tnhllr.exe PID 468 wrote to memory of 1448 468 tnhllr.exe bxhhd.exe PID 468 wrote to memory of 1448 468 tnhllr.exe bxhhd.exe PID 468 wrote to memory of 1448 468 tnhllr.exe bxhhd.exe PID 468 wrote to memory of 1448 468 tnhllr.exe bxhhd.exe PID 1448 wrote to memory of 2720 1448 bxhhd.exe pltjpfn.exe PID 1448 wrote to memory of 2720 1448 bxhhd.exe pltjpfn.exe PID 1448 wrote to memory of 2720 1448 bxhhd.exe pltjpfn.exe PID 1448 wrote to memory of 2720 1448 bxhhd.exe pltjpfn.exe PID 2720 wrote to memory of 2092 2720 pltjpfn.exe prfxjn.exe PID 2720 wrote to memory of 2092 2720 pltjpfn.exe prfxjn.exe PID 2720 wrote to memory of 2092 2720 pltjpfn.exe prfxjn.exe PID 2720 wrote to memory of 2092 2720 pltjpfn.exe prfxjn.exe PID 2092 wrote to memory of 924 2092 prfxjn.exe pnbdbrf.exe PID 2092 wrote to memory of 924 2092 prfxjn.exe pnbdbrf.exe PID 2092 wrote to memory of 924 2092 prfxjn.exe pnbdbrf.exe PID 2092 wrote to memory of 924 2092 prfxjn.exe pnbdbrf.exe PID 924 wrote to memory of 1704 924 pnbdbrf.exe pfnrrvr.exe PID 924 wrote to memory of 1704 924 pnbdbrf.exe pfnrrvr.exe PID 924 wrote to memory of 1704 924 pnbdbrf.exe pfnrrvr.exe PID 924 wrote to memory of 1704 924 pnbdbrf.exe pfnrrvr.exe PID 1704 wrote to memory of 1892 1704 pfnrrvr.exe xhblnnr.exe PID 1704 wrote to memory of 1892 1704 pfnrrvr.exe xhblnnr.exe PID 
1704 wrote to memory of 1892 1704 pfnrrvr.exe xhblnnr.exe PID 1704 wrote to memory of 1892 1704 pfnrrvr.exe xhblnnr.exe PID 1892 wrote to memory of 936 1892 xhblnnr.exe bdhdb.exe PID 1892 wrote to memory of 936 1892 xhblnnr.exe bdhdb.exe PID 1892 wrote to memory of 936 1892 xhblnnr.exe bdhdb.exe PID 1892 wrote to memory of 936 1892 xhblnnr.exe bdhdb.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\40749afd5eecbd278d3c84f051da6fe0ab1a052e6c159fb8241c12e8e6f75319_NeikiAnalytics.exe "C:\Users\Admin\AppData\Local\Temp\40749afd5eecbd278d3c84f051da6fe0ab1a052e6c159fb8241c12e8e6f75319_NeikiAnalytics.exe" 1⤵
- Suspicious use of WriteProcessMemory
PID:2188 -
\??\c:\btjdh.exec:\btjdh.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2556 -
\??\c:\jdtbt.exec:\jdtbt.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1100 -
\??\c:\jhddr.exec:\jhddr.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2748 -
\??\c:\bjtbnfx.exec:\bjtbnfx.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2856 -
\??\c:\ftxjx.exec:\ftxjx.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2792 -
\??\c:\jvtjv.exec:\jvtjv.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2496 -
\??\c:\jftdtn.exec:\jftdtn.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2536 -
\??\c:\tnbfh.exec:\tnbfh.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2548 -
\??\c:\tnhllr.exec:\tnhllr.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:468 -
\??\c:\bxhhd.exec:\bxhhd.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1448 -
\??\c:\pltjpfn.exec:\pltjpfn.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2720 -
\??\c:\prfxjn.exec:\prfxjn.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2092 -
\??\c:\pnbdbrf.exec:\pnbdbrf.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:924 -
\??\c:\pfnrrvr.exec:\pfnrrvr.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1704 -
\??\c:\xhblnnr.exec:\xhblnnr.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1892 -
\??\c:\bdhdb.exec:\bdhdb.exe17⤵
- Executes dropped EXE
PID:936 -
\??\c:\phxfn.exec:\phxfn.exe18⤵
- Executes dropped EXE
PID:1356 -
\??\c:\blrfrt.exec:\blrfrt.exe19⤵
- Executes dropped EXE
PID:1984 -
\??\c:\brlhr.exec:\brlhr.exe20⤵
- Executes dropped EXE
PID:2264 -
\??\c:\pxrhxt.exec:\pxrhxt.exe21⤵
- Executes dropped EXE
PID:1456 -
\??\c:\npltbpt.exec:\npltbpt.exe22⤵
- Executes dropped EXE
PID:1444 -
\??\c:\rlphbhn.exec:\rlphbhn.exe23⤵
- Executes dropped EXE
PID:2880 -
\??\c:\vvdfnl.exec:\vvdfnl.exe24⤵
- Executes dropped EXE
PID:852 -
\??\c:\njnbjvf.exec:\njnbjvf.exe25⤵
- Executes dropped EXE
PID:3056 -
\??\c:\jjtrfj.exec:\jjtrfj.exe26⤵
- Executes dropped EXE
PID:2328 -
\??\c:\pxjpl.exec:\pxjpl.exe27⤵
- Executes dropped EXE
PID:2716 -
\??\c:\rbjff.exec:\rbjff.exe28⤵
- Executes dropped EXE
PID:1904 -
\??\c:\rvbdt.exec:\rvbdt.exe29⤵
- Executes dropped EXE
PID:1940 -
\??\c:\bnpxpbd.exec:\bnpxpbd.exe30⤵
- Executes dropped EXE
PID:928 -
\??\c:\tvddtl.exec:\tvddtl.exe31⤵
- Executes dropped EXE
PID:552 -
\??\c:\jvxhpjh.exec:\jvxhpjh.exe32⤵
- Executes dropped EXE
PID:2904 -
\??\c:\hrpjt.exec:\hrpjt.exe33⤵
- Executes dropped EXE
PID:1152 -
\??\c:\vfvvjlb.exec:\vfvvjlb.exe34⤵
- Executes dropped EXE
PID:872 -
\??\c:\hxvprv.exec:\hxvprv.exe35⤵
- Executes dropped EXE
PID:2208 -
\??\c:\xpfdl.exec:\xpfdl.exe36⤵
- Executes dropped EXE
PID:2076 -
\??\c:\fvnffxf.exec:\fvnffxf.exe37⤵
- Executes dropped EXE
PID:2224 -
\??\c:\hpdbxnx.exec:\hpdbxnx.exe38⤵
- Executes dropped EXE
PID:3004 -
\??\c:\rrjtv.exec:\rrjtv.exe39⤵
- Executes dropped EXE
PID:2580 -
\??\c:\hnnxjj.exec:\hnnxjj.exe40⤵
- Executes dropped EXE
PID:2760 -
\??\c:\nnpvxb.exec:\nnpvxb.exe41⤵
- Executes dropped EXE
PID:2816 -
\??\c:\bvjtd.exec:\bvjtd.exe42⤵
- Executes dropped EXE
PID:2604 -
\??\c:\bhvrpb.exec:\bhvrpb.exe43⤵
- Executes dropped EXE
PID:2588 -
\??\c:\bhtlvh.exec:\bhtlvh.exe44⤵
- Executes dropped EXE
PID:2640 -
\??\c:\jfrlv.exec:\jfrlv.exe45⤵
- Executes dropped EXE
PID:2212 -
\??\c:\fpxhvr.exec:\fpxhvr.exe46⤵
- Executes dropped EXE
PID:2532 -
\??\c:\rhphfrb.exec:\rhphfrb.exe47⤵
- Executes dropped EXE
PID:2940 -
\??\c:\ftxdhln.exec:\ftxdhln.exe48⤵
- Executes dropped EXE
PID:1976 -
\??\c:\fpddll.exec:\fpddll.exe49⤵
- Executes dropped EXE
PID:804 -
\??\c:\lxrxvfp.exec:\lxrxvfp.exe50⤵
- Executes dropped EXE
PID:652 -
\??\c:\jxttbhr.exec:\jxttbhr.exe51⤵
- Executes dropped EXE
PID:876 -
\??\c:\hjnvnn.exec:\hjnvnn.exe52⤵
- Executes dropped EXE
PID:2708 -
\??\c:\bvhff.exec:\bvhff.exe53⤵
- Executes dropped EXE
PID:2156 -
\??\c:\flljbvh.exec:\flljbvh.exe54⤵
- Executes dropped EXE
PID:1656 -
\??\c:\bvthbrp.exec:\bvthbrp.exe55⤵
- Executes dropped EXE
PID:536 -
\??\c:\vtdhfpb.exec:\vtdhfpb.exe56⤵
- Executes dropped EXE
PID:2008 -
\??\c:\ndftnhr.exec:\ndftnhr.exe57⤵
- Executes dropped EXE
PID:944 -
\??\c:\hrrvvfx.exec:\hrrvvfx.exe58⤵
- Executes dropped EXE
PID:1804 -
\??\c:\lxthtrv.exec:\lxthtrv.exe59⤵
- Executes dropped EXE
PID:1384 -
\??\c:\rxxdtr.exec:\rxxdtr.exe60⤵
- Executes dropped EXE
PID:1540 -
\??\c:\bnphv.exec:\bnphv.exe61⤵
- Executes dropped EXE
PID:1524 -
\??\c:\tdjbj.exec:\tdjbj.exe62⤵
- Executes dropped EXE
PID:2300 -
\??\c:\dxhbpv.exec:\dxhbpv.exe63⤵
- Executes dropped EXE
PID:1456 -
\??\c:\ndxvbb.exec:\ndxvbb.exe64⤵
- Executes dropped EXE
PID:2872 -
\??\c:\jjnvjd.exec:\jjnvjd.exe65⤵
- Executes dropped EXE
PID:2080 -
\??\c:\nlxjbv.exec:\nlxjbv.exe66⤵PID:3036
-
\??\c:\fnvfbj.exec:\fnvfbj.exe67⤵PID:3060
-
\??\c:\fxfjpph.exec:\fxfjpph.exe68⤵PID:1052
-
\??\c:\rtfrn.exec:\rtfrn.exe69⤵PID:1808
-
\??\c:\vjtlhx.exec:\vjtlhx.exe70⤵PID:1532
-
\??\c:\rfxtb.exec:\rfxtb.exe71⤵PID:972
-
\??\c:\nhlrtt.exec:\nhlrtt.exe72⤵PID:2956
-
\??\c:\lprvvpn.exec:\lprvvpn.exe73⤵PID:1620
-
\??\c:\xlfhvbh.exec:\xlfhvbh.exe74⤵PID:2672
-
\??\c:\ldttdl.exec:\ldttdl.exe75⤵PID:1464
-
\??\c:\rphjrb.exec:\rphjrb.exe76⤵PID:2168
-
\??\c:\brlbjjx.exec:\brlbjjx.exe77⤵PID:2664
-
\??\c:\ndtxhf.exec:\ndtxhf.exe78⤵PID:1260
-
\??\c:\ptxrbpp.exec:\ptxrbpp.exe79⤵PID:2088
-
\??\c:\npbpxd.exec:\npbpxd.exe80⤵PID:2192
-
\??\c:\tbnplp.exec:\tbnplp.exe81⤵PID:1708
-
\??\c:\jxnvd.exec:\jxnvd.exe82⤵PID:2144
-
\??\c:\frflb.exec:\frflb.exe83⤵PID:1088
-
\??\c:\xnvrj.exec:\xnvrj.exe84⤵PID:3040
-
\??\c:\xdpxnd.exec:\xdpxnd.exe85⤵PID:2740
-
\??\c:\brvjv.exec:\brvjv.exe86⤵PID:2868
-
\??\c:\vphfpv.exec:\vphfpv.exe87⤵PID:2600
-
\??\c:\hptnx.exec:\hptnx.exe88⤵PID:2816
-
\??\c:\xfbnh.exec:\xfbnh.exe89⤵PID:2792
-
\??\c:\pxjtvfl.exec:\pxjtvfl.exe90⤵PID:2924
-
\??\c:\htbrtrf.exec:\htbrtrf.exe91⤵PID:2488
-
\??\c:\xjpnh.exec:\xjpnh.exe92⤵PID:2936
-
\??\c:\ftbxdl.exec:\ftbxdl.exe93⤵PID:2492
-
\??\c:\hdjnprr.exec:\hdjnprr.exe94⤵PID:1692
-
\??\c:\htpdrj.exec:\htpdrj.exe95⤵PID:1056
-
\??\c:\tjjlf.exec:\tjjlf.exe96⤵PID:804
-
\??\c:\phftdd.exec:\phftdd.exe97⤵PID:652
-
\??\c:\vppph.exec:\vppph.exe98⤵PID:2568
-
\??\c:\jtjbvlx.exec:\jtjbvlx.exe99⤵PID:1652
-
\??\c:\nrfjr.exec:\nrfjr.exe100⤵PID:924
-
\??\c:\hdxjjtv.exec:\hdxjjtv.exe101⤵PID:756
-
\??\c:\jplvfh.exec:\jplvfh.exe102⤵PID:1144
-
\??\c:\dpxbrx.exec:\dpxbrx.exe103⤵PID:2388
-
\??\c:\rblfjdv.exec:\rblfjdv.exe104⤵PID:1756
-
\??\c:\ftnptdn.exec:\ftnptdn.exe105⤵PID:2540
-
\??\c:\nbfrl.exec:\nbfrl.exe106⤵PID:1576
-
\??\c:\dphjf.exec:\dphjf.exe107⤵PID:1500
-
\??\c:\rlblbd.exec:\rlblbd.exe108⤵PID:2264
-
\??\c:\vdfnpr.exec:\vdfnpr.exe109⤵PID:2252
-
\??\c:\xxffl.exec:\xxffl.exe110⤵PID:2864
-
\??\c:\fhblhpr.exec:\fhblhpr.exe111⤵PID:1864
-
\??\c:\rlrfvl.exec:\rlrfvl.exe112⤵PID:2284
-
\??\c:\tdfddh.exec:\tdfddh.exe113⤵PID:1068
-
\??\c:\dffvv.exec:\dffvv.exe114⤵PID:2112
-
\??\c:\nbpjff.exec:\nbpjff.exe115⤵PID:3060
-
\??\c:\rxlpljx.exec:\rxlpljx.exe116⤵PID:392
-
\??\c:\xrjdhr.exec:\xrjdhr.exe117⤵PID:2328
-
\??\c:\xbbhph.exec:\xbbhph.exe118⤵PID:1184
-
\??\c:\vvlhjn.exec:\vvlhjn.exe119⤵PID:1600
-
\??\c:\hfvfxd.exec:\hfvfxd.exe120⤵PID:1628
-
\??\c:\fbtthvx.exec:\fbtthvx.exe121⤵PID:284
-
\??\c:\hrvljjv.exec:\hrvljjv.exe122⤵PID:2364
-