Analysis
- max time kernel: 150s
- max time network: 119s
- platform: windows7_x64
- resource: win7-20240508-en
- resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
- submitted: 21-06-2024 05:37
Static task
- static1
- 1 signatures
Behavioral task
- behavioral1
- Sample: 436347d1b49546a36192a174af200d7deea903a70eebfab72e2632643c4f76b7_NeikiAnalytics.exe
- Resource: win7-20240508-en
- 5 signatures
- 150 seconds
General
- Target: 436347d1b49546a36192a174af200d7deea903a70eebfab72e2632643c4f76b7_NeikiAnalytics.exe
- Size: 259KB
- MD5: 4d2a3d7ce63946a79e384d1f1c891600
- SHA1: 2c5ffb38be8da2d071e9887701f8f0a376a75093
- SHA256: 436347d1b49546a36192a174af200d7deea903a70eebfab72e2632643c4f76b7
- SHA512: 577c1a63bdd7b2c6de3a1f79deee3d4aa599af77a1cb0d8330e78e2bfb7ce0589f149fa1bcc3319921d7895a2f8ee99d4e7283200129f64765fff0a313b77f8b
- SSDEEP: 6144:n3C9BRo7tvnJ9Fywhk/T4i37K3BoKg0qe:n3C9ytvn8whkb4i3e3GF/e
Malware Config
Signatures
-
Detect Blackmoon payload 22 IoCs
Executes dropped EXE 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\436347d1b49546a36192a174af200d7deea903a70eebfab72e2632643c4f76b7_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\436347d1b49546a36192a174af200d7deea903a70eebfab72e2632643c4f76b7_NeikiAnalytics.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1368 -
\??\c:\dvvjd.exec:\dvvjd.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2164 -
\??\c:\xrrfrrl.exec:\xrrfrrl.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2128 -
\??\c:\ppppd.exec:\ppppd.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2340 -
\??\c:\llxlxfr.exec:\llxlxfr.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2800 -
\??\c:\tnbhth.exec:\tnbhth.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2640 -
\??\c:\hbnntb.exec:\hbnntb.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2760 -
\??\c:\vvpdv.exec:\vvpdv.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2580 -
\??\c:\ffflxlr.exec:\ffflxlr.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2600 -
\??\c:\tthbhh.exec:\tthbhh.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2276 -
\??\c:\9jddp.exec:\9jddp.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2820 -
\??\c:\3xxxlrx.exec:\3xxxlrx.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2896 -
\??\c:\7lflxfr.exec:\7lflxfr.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2772 -
\??\c:\7tbbnt.exec:\7tbbnt.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2336 -
\??\c:\hhbnbb.exec:\hhbnbb.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2500 -
\??\c:\pjvdv.exec:\pjvdv.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1968 -
\??\c:\9fxflrx.exec:\9fxflrx.exe17⤵
- Executes dropped EXE
PID:2844 -
\??\c:\tnhnbb.exec:\tnhnbb.exe18⤵
- Executes dropped EXE
PID:1552 -
\??\c:\7dvvd.exec:\7dvvd.exe19⤵
- Executes dropped EXE
PID:1428 -
\??\c:\1lfxlrx.exec:\1lfxlrx.exe20⤵
- Executes dropped EXE
PID:1212 -
\??\c:\fxrxlrx.exec:\fxrxlrx.exe21⤵
- Executes dropped EXE
PID:1508 -
\??\c:\hnhtht.exec:\hnhtht.exe22⤵
- Executes dropped EXE
PID:2976 -
\??\c:\pppvj.exec:\pppvj.exe23⤵
- Executes dropped EXE
PID:668 -
\??\c:\3pdvj.exec:\3pdvj.exe24⤵
- Executes dropped EXE
PID:1056 -
\??\c:\llfllll.exec:\llfllll.exe25⤵
- Executes dropped EXE
PID:1104 -
\??\c:\9tttnn.exec:\9tttnn.exe26⤵
- Executes dropped EXE
PID:1920 -
\??\c:\vpdjd.exec:\vpdjd.exe27⤵
- Executes dropped EXE
PID:1300 -
\??\c:\xxrxlxf.exec:\xxrxlxf.exe28⤵
- Executes dropped EXE
PID:1660 -
\??\c:\bthhth.exec:\bthhth.exe29⤵
- Executes dropped EXE
PID:908 -
\??\c:\pjpvd.exec:\pjpvd.exe30⤵
- Executes dropped EXE
PID:2208 -
\??\c:\lllxllx.exec:\lllxllx.exe31⤵
- Executes dropped EXE
PID:2228 -
\??\c:\fxrrffl.exec:\fxrrffl.exe32⤵
- Executes dropped EXE
PID:1764 -
\??\c:\tbthbn.exec:\tbthbn.exe33⤵
- Executes dropped EXE
PID:840 -
\??\c:\pjvdv.exec:\pjvdv.exe34⤵
- Executes dropped EXE
PID:2604 -
\??\c:\jjvdp.exec:\jjvdp.exe35⤵
- Executes dropped EXE
PID:2192 -
\??\c:\frrxfxl.exec:\frrxfxl.exe36⤵
- Executes dropped EXE
PID:2172 -
\??\c:\nhbbhb.exec:\nhbbhb.exe37⤵
- Executes dropped EXE
PID:1148 -
\??\c:\pjvvv.exec:\pjvvv.exe38⤵
- Executes dropped EXE
PID:2356 -
\??\c:\ddvdp.exec:\ddvdp.exe39⤵
- Executes dropped EXE
PID:2680 -
\??\c:\llxflfr.exec:\llxflfr.exe40⤵
- Executes dropped EXE
PID:2968 -
\??\c:\hbnbnb.exec:\hbnbnb.exe41⤵
- Executes dropped EXE
PID:2784 -
\??\c:\nnthbn.exec:\nnthbn.exe42⤵
- Executes dropped EXE
PID:2748 -
\??\c:\1jvdj.exec:\1jvdj.exe43⤵
- Executes dropped EXE
PID:2544 -
\??\c:\jddpd.exec:\jddpd.exe44⤵
- Executes dropped EXE
PID:2792 -
\??\c:\9xlrxff.exec:\9xlrxff.exe45⤵
- Executes dropped EXE
PID:2712 -
\??\c:\ffxlflf.exec:\ffxlflf.exe46⤵
- Executes dropped EXE
PID:2184 -
\??\c:\bbnbbb.exec:\bbnbbb.exe47⤵
- Executes dropped EXE
PID:2540 -
\??\c:\bthbhh.exec:\bthbhh.exe48⤵
- Executes dropped EXE
PID:2820 -
\??\c:\jdvpv.exec:\jdvpv.exe49⤵
- Executes dropped EXE
PID:2896 -
\??\c:\pjvpv.exec:\pjvpv.exe50⤵
- Executes dropped EXE
PID:2688 -
\??\c:\fxllrrx.exec:\fxllrrx.exe51⤵
- Executes dropped EXE
PID:2940 -
\??\c:\xxlrrfr.exec:\xxlrrfr.exe52⤵
- Executes dropped EXE
PID:1164 -
\??\c:\7thbbb.exec:\7thbbb.exe53⤵
- Executes dropped EXE
PID:2892 -
\??\c:\bbtbnt.exec:\bbtbnt.exe54⤵
- Executes dropped EXE
PID:2332 -
\??\c:\7jvjj.exec:\7jvjj.exe55⤵
- Executes dropped EXE
PID:2844 -
\??\c:\ppvdv.exec:\ppvdv.exe56⤵
- Executes dropped EXE
PID:1828 -
\??\c:\lllrxfl.exec:\lllrxfl.exe57⤵
- Executes dropped EXE
PID:1152 -
\??\c:\7nnntt.exec:\7nnntt.exe58⤵
- Executes dropped EXE
PID:2040 -
\??\c:\bthhbb.exec:\bthhbb.exe59⤵
- Executes dropped EXE
PID:1932 -
\??\c:\jjjvd.exec:\jjjvd.exe60⤵
- Executes dropped EXE
PID:2244 -
\??\c:\rlrlxxf.exec:\rlrlxxf.exe61⤵
- Executes dropped EXE
PID:780 -
\??\c:\5bntbn.exec:\5bntbn.exe62⤵
- Executes dropped EXE
PID:684 -
\??\c:\bthhbb.exec:\bthhbb.exe63⤵
- Executes dropped EXE
PID:576 -
\??\c:\xxrxlxl.exec:\xxrxlxl.exe64⤵
- Executes dropped EXE
PID:1916 -
\??\c:\bbnntb.exec:\bbnntb.exe65⤵
- Executes dropped EXE
PID:2900 -
\??\c:\dvvjp.exec:\dvvjp.exe66⤵PID:932
-
\??\c:\fxllrxl.exec:\fxllrxl.exe67⤵PID:1656
-
\??\c:\5fxlrfl.exec:\5fxlrfl.exe68⤵PID:1660
-
\??\c:\tnnhbh.exec:\tnnhbh.exe69⤵PID:1824
-
\??\c:\5hbnbh.exec:\5hbnbh.exe70⤵PID:264
-
\??\c:\jdvdv.exec:\jdvdv.exe71⤵PID:2424
-
\??\c:\vpddj.exec:\vpddj.exe72⤵PID:1060
-
\??\c:\dvvdj.exec:\dvvdj.exe73⤵PID:1736
-
\??\c:\nnbbhn.exec:\nnbbhn.exe74⤵PID:900
-
\??\c:\btntbn.exec:\btntbn.exe75⤵PID:496
-
\??\c:\lrxlxlr.exec:\lrxlxlr.exe76⤵PID:2412
-
\??\c:\btnhtt.exec:\btnhtt.exe77⤵PID:2252
-
\??\c:\9pjpv.exec:\9pjpv.exe78⤵PID:2172
-
\??\c:\9tnntb.exec:\9tnntb.exe79⤵PID:2672
-
\??\c:\9thhhh.exec:\9thhhh.exe80⤵PID:2676
-
\??\c:\ddvpj.exec:\ddvpj.exe81⤵PID:2532
-
\??\c:\rrlrrrf.exec:\rrlrrrf.exe82⤵PID:2788
-
\??\c:\3ffrflr.exec:\3ffrflr.exe83⤵PID:2640
-
\??\c:\nhnbhn.exec:\nhnbhn.exe84⤵PID:2784
-
\??\c:\bnbbnh.exec:\bnbbnh.exe85⤵PID:2724
-
\??\c:\dvjjp.exec:\dvjjp.exe86⤵PID:2520
-
\??\c:\5dpvj.exec:\5dpvj.exe87⤵PID:2580
-
\??\c:\1xxxlxf.exec:\1xxxlxf.exe88⤵PID:2556
-
\??\c:\3frfllx.exec:\3frfllx.exe89⤵PID:2832
-
\??\c:\tthhnn.exec:\tthhnn.exe90⤵PID:2572
-
\??\c:\btnbnb.exec:\btnbnb.exe91⤵PID:2920
-
\??\c:\9dpvv.exec:\9dpvv.exe92⤵PID:2584
-
\??\c:\rlflflx.exec:\rlflflx.exe93⤵PID:1680
-
\??\c:\ffrfrrf.exec:\ffrfrrf.exe94⤵PID:1608
-
\??\c:\hbnnnn.exec:\hbnnnn.exe95⤵PID:2576
-
\??\c:\tnhhnt.exec:\tnhhnt.exe96⤵PID:2624
-
\??\c:\jjpvp.exec:\jjpvp.exe97⤵PID:468
-
\??\c:\lrlrffl.exec:\lrlrffl.exe98⤵PID:1584
-
\??\c:\1rlrlrf.exec:\1rlrlrf.exe99⤵PID:1700
-
\??\c:\nnhtnt.exec:\nnhtnt.exe100⤵PID:308
-
\??\c:\hhbhtb.exec:\hhbhtb.exe101⤵PID:1212
-
\??\c:\7jvvv.exec:\7jvvv.exe102⤵PID:2084
-
\??\c:\vpdpd.exec:\vpdpd.exe103⤵PID:484
-
\??\c:\fxlrrrx.exec:\fxlrrrx.exe104⤵PID:284
-
\??\c:\tttbnn.exec:\tttbnn.exe105⤵PID:1488
-
\??\c:\hbnhnb.exec:\hbnhnb.exe106⤵PID:1056
-
\??\c:\ppdvd.exec:\ppdvd.exe107⤵PID:2352
-
\??\c:\xrfrrff.exec:\xrfrrff.exe108⤵PID:1536
-
\??\c:\lfrxflx.exec:\lfrxflx.exe109⤵PID:2504
-
\??\c:\hhnntb.exec:\hhnntb.exe110⤵PID:1656
-
\??\c:\bththb.exec:\bththb.exe111⤵PID:2280
-
\??\c:\3dppp.exec:\3dppp.exe112⤵PID:1784
-
\??\c:\3jdjp.exec:\3jdjp.exe113⤵PID:264
-
\??\c:\1xlfllr.exec:\1xlfllr.exe114⤵PID:2208
-
\??\c:\fxllllr.exec:\fxllllr.exe115⤵PID:876
-
\??\c:\tthtbh.exec:\tthtbh.exe116⤵PID:1944
-
\??\c:\hbhhnh.exec:\hbhhnh.exe117⤵PID:2952
-
\??\c:\dpjvv.exec:\dpjvv.exe118⤵PID:2240
-
\??\c:\xfrllfx.exec:\xfrllfx.exe119⤵PID:2412
-
\??\c:\5frxxlx.exec:\5frxxlx.exe120⤵PID:2616
-
\??\c:\3bnhtt.exec:\3bnhtt.exe121⤵PID:1380
-
\??\c:\ddpdj.exec:\ddpdj.exe122⤵PID:2672