Analysis
-
max time kernel
150s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
arch:x64 arch:x86 image:win7-20240508-en locale:en-us os:windows7-x64 system -
submitted
21-06-2024 07:00
Behavioral task
behavioral1
Sample
4c438abbee9c45611472dc20b70042e5a49e93d8b9a6804d34ee3adb8eb12499_NeikiAnalytics.exe
Resource
win7-20240508-en
5 signatures
150 seconds
General
-
Target
4c438abbee9c45611472dc20b70042e5a49e93d8b9a6804d34ee3adb8eb12499_NeikiAnalytics.exe
-
Size
295KB
-
MD5
6e78b3587b564ef2502534846cb91a60
-
SHA1
d5959cea30350f3a510e4fedfc04630cad7cf5bd
-
SHA256
4c438abbee9c45611472dc20b70042e5a49e93d8b9a6804d34ee3adb8eb12499
-
SHA512
19bc7f9ebdcf424152987bb19c122cbd0d7861e7c97b988324965593f55721cecebca73ca2ac0b39b8d5966ee3935f32829d18ebda32523149d9540529513436
-
SSDEEP
6144:ccm4FmowdHoSQkuObHq9ltAszBd+za/p1slTjZXvEQo9dftOa:K4wFHoSQkuUHk1zBR/pMT9XvEhdff
Malware Config
Signatures
-
Detect Blackmoon payload 39 IoCs
Processes:
resource yara_rule behavioral1/memory/1712-7-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral1/memory/2156-18-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral1/memory/1860-26-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral1/memory/2628-36-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral1/memory/2784-64-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral1/memory/2596-91-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral1/memory/3056-101-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral1/memory/2856-110-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral1/memory/2772-122-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral1/memory/2416-131-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral1/memory/656-218-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral1/memory/900-272-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral1/memory/1744-304-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral1/memory/2476-336-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral1/memory/2776-599-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral1/memory/932-794-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral1/memory/2224-829-0x0000000000220000-0x0000000000254000-memory.dmp family_blackmoon behavioral1/memory/1608-700-0x00000000005D0000-0x0000000000604000-memory.dmp family_blackmoon behavioral1/memory/1608-693-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral1/memory/2672-661-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral1/memory/2892-560-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon 
behavioral1/memory/2752-475-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral1/memory/2888-394-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral1/memory/2616-381-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral1/memory/1860-343-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral1/memory/2444-296-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral1/memory/1612-269-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral1/memory/1812-247-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral1/memory/408-243-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral1/memory/1644-233-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral1/memory/2508-216-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral1/memory/2900-191-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral1/memory/624-181-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral1/memory/2844-158-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral1/memory/2708-120-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral1/memory/2708-115-0x00000000002D0000-0x0000000000304000-memory.dmp family_blackmoon behavioral1/memory/2708-112-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral1/memory/2784-71-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral1/memory/2668-53-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon -
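Executes dropped EXE 64 IoCs
Note: every dropped file listed here sits directly in the root of C:\ and has a short name made of consonants with an optional leading digit (rlxlxlr.exe, 5pdjv.exe, ...). Names of this kind are presumably generated at run time, so they are weak indicators on their own. The sample hashes above and the behavior itself (an executable written to the drive root and launched by the previous link of a long parent-child chain) are the more durable things to match on.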
Processes:
rlxlxlr.exe5pdjv.exeppjvj.exefxxlfrx.exe1httbb.exebtbhhh.exeppjjd.exe9rrfxxf.exe3hhtnh.exe7nbhnh.exe9ppjd.exellfrfrx.exenhtbnn.exebtbntb.exejdvdd.exejdddv.exexrxxllf.exe1bnbnt.exevvjvj.exexrlrffl.exerrxxflx.exe7bnnbb.exepdppv.exe3xrxlrl.exebbthbt.exejjpvv.exerrxlfll.exebtbhbb.exe7ddjd.exe3jjvv.exe7rfxrrx.exenhbnbb.exevvpjd.exexrfrlrx.exehnbbbb.exe9ppvj.exejdvdp.exefxlrxlr.exebntbtb.exepjjvd.exerllrrrr.exelfxrxxf.exe7hntbb.exenhthbb.exedjvvd.exexrllxfr.exe3xlllrx.exehhbnbb.exejdppd.exeppjjp.exerrfxrrl.exelfxlrxl.exebbtnbn.exennnttn.exedvvdj.exelxxlrfr.exerlffrxl.exehhhbtb.exebbbthh.exevvpdd.exeddvdp.exe5rxlxfr.exefrlrxxl.exehtnnbh.exepid process 2156 rlxlxlr.exe 1860 5pdjv.exe 2628 ppjvj.exe 2744 fxxlfrx.exe 2668 1httbb.exe 2804 btbhhh.exe 2784 ppjjd.exe 2636 9rrfxxf.exe 2596 3hhtnh.exe 3056 7nbhnh.exe 2856 9ppjd.exe 2708 llfrfrx.exe 2772 nhtbnn.exe 2416 btbntb.exe 1460 jdvdd.exe 1956 jdddv.exe 2844 xrxxllf.exe 1552 1bnbnt.exe 624 vvjvj.exe 2116 xrlrffl.exe 2900 rrxxflx.exe 2752 7bnnbb.exe 2508 pdppv.exe 656 3xrxlrl.exe 1644 bbthbt.exe 408 jjpvv.exe 1812 rrxlfll.exe 1300 btbhbb.exe 1612 7ddjd.exe 900 3jjvv.exe 2240 7rfxrrx.exe 2444 nhbnbb.exe 1744 vvpjd.exe 2452 xrfrlrx.exe 2604 hnbbbb.exe 1596 9ppvj.exe 2816 jdvdp.exe 2476 fxlrxlr.exe 1860 bntbtb.exe 1388 pjjvd.exe 2684 rllrrrr.exe 2548 lfxrxxf.exe 2572 7hntbb.exe 2588 nhthbb.exe 2616 djvvd.exe 1880 xrllxfr.exe 2888 3xlllrx.exe 2856 hhbnbb.exe 3064 jdppd.exe 1676 ppjjp.exe 2416 rrfxrrl.exe 1460 lfxlrxl.exe 2868 bbtnbn.exe 1820 nnnttn.exe 2640 dvvdj.exe 1772 lxxlrfr.exe 624 rlffrxl.exe 2032 hhhbtb.exe 2980 bbbthh.exe 2752 vvpdd.exe 1828 ddvdp.exe 288 5rxlxfr.exe 1488 frlrxxl.exe 1644 htnnbh.exe -
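UPX-packed files and memory regions (rows match the `upx` YARA rule; the signature heading is missing from this capture)
Processes: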
resource yara_rule behavioral1/memory/1712-0-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral1/memory/1712-7-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral1/memory/2156-9-0x0000000000400000-0x0000000000434000-memory.dmp upx C:\rlxlxlr.exe upx \??\c:\5pdjv.exe upx behavioral1/memory/2156-18-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral1/memory/1860-26-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral1/memory/2628-36-0x0000000000400000-0x0000000000434000-memory.dmp upx C:\fxxlfrx.exe upx behavioral1/memory/2784-64-0x0000000000400000-0x0000000000434000-memory.dmp upx \??\c:\9rrfxxf.exe upx \??\c:\3hhtnh.exe upx behavioral1/memory/2596-91-0x0000000000400000-0x0000000000434000-memory.dmp upx \??\c:\9ppjd.exe upx behavioral1/memory/3056-101-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral1/memory/2856-110-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral1/memory/2772-122-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral1/memory/2416-131-0x0000000000400000-0x0000000000434000-memory.dmp upx \??\c:\jdvdd.exe upx behavioral1/memory/2784-139-0x00000000002F0000-0x0000000000324000-memory.dmp upx \??\c:\jdddv.exe upx C:\1bnbnt.exe upx C:\vvjvj.exe upx \??\c:\xrlrffl.exe upx \??\c:\rrxxflx.exe upx \??\c:\7bnnbb.exe upx \??\c:\pdppv.exe upx behavioral1/memory/656-218-0x0000000000400000-0x0000000000434000-memory.dmp upx C:\bbthbt.exe upx \??\c:\btbhbb.exe upx \??\c:\7ddjd.exe upx behavioral1/memory/900-272-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral1/memory/1744-297-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral1/memory/1744-304-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral1/memory/2604-311-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral1/memory/2476-336-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral1/memory/1772-444-0x0000000000400000-0x0000000000434000-memory.dmp upx 
behavioral1/memory/1256-586-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral1/memory/2776-599-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral1/memory/932-794-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral1/memory/2372-871-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral1/memory/2500-968-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral1/memory/2668-909-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral1/memory/2436-884-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral1/memory/1784-840-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral1/memory/2224-829-0x0000000000220000-0x0000000000254000-memory.dmp upx behavioral1/memory/1720-820-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral1/memory/808-769-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral1/memory/1608-693-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral1/memory/316-680-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral1/memory/2672-661-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral1/memory/2292-630-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral1/memory/1596-579-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral1/memory/2892-560-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral1/memory/2752-475-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral1/memory/1820-437-0x00000000003C0000-0x00000000003F4000-memory.dmp upx behavioral1/memory/2888-394-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral1/memory/2616-381-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral1/memory/1860-343-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral1/memory/2444-296-0x0000000000400000-0x0000000000434000-memory.dmp upx \??\c:\nhbnbb.exe upx \??\c:\7rfxrrx.exe upx \??\c:\3jjvv.exe upx 
behavioral1/memory/1612-269-0x0000000000400000-0x0000000000434000-memory.dmp upx -
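Suspicious use of WriteProcessMemory 64 IoCs
Note: the rows below are run together on a few lines. Each row reads "PID <source pid> wrote to memory of <target pid>", followed by the source pid, the source process and the target process. PIDs are reused during this run (1860 belongs to both 5pdjv.exe and bntbtb.exe in the dropped-EXE list), so the target name printed for a reused PID can be that of the later process: the process tree shows rlxlxlr.exe (2156) starting 5pdjv.exe as PID 1860, yet the row for that write names bntbtb.exe. Correlate these rows by PID and event order rather than by the printed target name.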
Processes:
4c438abbee9c45611472dc20b70042e5a49e93d8b9a6804d34ee3adb8eb12499_NeikiAnalytics.exerlxlxlr.exe5pdjv.exeppjvj.exefxxlfrx.exe1httbb.exebtbhhh.exeppjjd.exe9rrfxxf.exe3hhtnh.exe7nbhnh.exe9ppjd.exellfrfrx.exenhtbnn.exebtbntb.exejdvdd.exedescription pid process target process PID 1712 wrote to memory of 2156 1712 4c438abbee9c45611472dc20b70042e5a49e93d8b9a6804d34ee3adb8eb12499_NeikiAnalytics.exe rlxlxlr.exe PID 1712 wrote to memory of 2156 1712 4c438abbee9c45611472dc20b70042e5a49e93d8b9a6804d34ee3adb8eb12499_NeikiAnalytics.exe rlxlxlr.exe PID 1712 wrote to memory of 2156 1712 4c438abbee9c45611472dc20b70042e5a49e93d8b9a6804d34ee3adb8eb12499_NeikiAnalytics.exe rlxlxlr.exe PID 1712 wrote to memory of 2156 1712 4c438abbee9c45611472dc20b70042e5a49e93d8b9a6804d34ee3adb8eb12499_NeikiAnalytics.exe rlxlxlr.exe PID 2156 wrote to memory of 1860 2156 rlxlxlr.exe bntbtb.exe PID 2156 wrote to memory of 1860 2156 rlxlxlr.exe bntbtb.exe PID 2156 wrote to memory of 1860 2156 rlxlxlr.exe bntbtb.exe PID 2156 wrote to memory of 1860 2156 rlxlxlr.exe bntbtb.exe PID 1860 wrote to memory of 2628 1860 5pdjv.exe ppjvj.exe PID 1860 wrote to memory of 2628 1860 5pdjv.exe ppjvj.exe PID 1860 wrote to memory of 2628 1860 5pdjv.exe ppjvj.exe PID 1860 wrote to memory of 2628 1860 5pdjv.exe ppjvj.exe PID 2628 wrote to memory of 2744 2628 ppjvj.exe fxxlfrx.exe PID 2628 wrote to memory of 2744 2628 ppjvj.exe fxxlfrx.exe PID 2628 wrote to memory of 2744 2628 ppjvj.exe fxxlfrx.exe PID 2628 wrote to memory of 2744 2628 ppjvj.exe fxxlfrx.exe PID 2744 wrote to memory of 2668 2744 fxxlfrx.exe 1httbb.exe PID 2744 wrote to memory of 2668 2744 fxxlfrx.exe 1httbb.exe PID 2744 wrote to memory of 2668 2744 fxxlfrx.exe 1httbb.exe PID 2744 wrote to memory of 2668 2744 fxxlfrx.exe 1httbb.exe PID 2668 wrote to memory of 2804 2668 1httbb.exe btbhhh.exe PID 2668 wrote to memory of 2804 2668 1httbb.exe btbhhh.exe PID 2668 wrote to memory of 2804 2668 1httbb.exe btbhhh.exe PID 2668 wrote to memory of 2804 2668 1httbb.exe 
btbhhh.exe PID 2804 wrote to memory of 2784 2804 btbhhh.exe ppjjd.exe PID 2804 wrote to memory of 2784 2804 btbhhh.exe ppjjd.exe PID 2804 wrote to memory of 2784 2804 btbhhh.exe ppjjd.exe PID 2804 wrote to memory of 2784 2804 btbhhh.exe ppjjd.exe PID 2784 wrote to memory of 2636 2784 ppjjd.exe 9rrfxxf.exe PID 2784 wrote to memory of 2636 2784 ppjjd.exe 9rrfxxf.exe PID 2784 wrote to memory of 2636 2784 ppjjd.exe 9rrfxxf.exe PID 2784 wrote to memory of 2636 2784 ppjjd.exe 9rrfxxf.exe PID 2636 wrote to memory of 2596 2636 9rrfxxf.exe fxrxrrf.exe PID 2636 wrote to memory of 2596 2636 9rrfxxf.exe fxrxrrf.exe PID 2636 wrote to memory of 2596 2636 9rrfxxf.exe fxrxrrf.exe PID 2636 wrote to memory of 2596 2636 9rrfxxf.exe fxrxrrf.exe PID 2596 wrote to memory of 3056 2596 3hhtnh.exe 7nbhnh.exe PID 2596 wrote to memory of 3056 2596 3hhtnh.exe 7nbhnh.exe PID 2596 wrote to memory of 3056 2596 3hhtnh.exe 7nbhnh.exe PID 2596 wrote to memory of 3056 2596 3hhtnh.exe 7nbhnh.exe PID 3056 wrote to memory of 2856 3056 7nbhnh.exe 9ppjd.exe PID 3056 wrote to memory of 2856 3056 7nbhnh.exe 9ppjd.exe PID 3056 wrote to memory of 2856 3056 7nbhnh.exe 9ppjd.exe PID 3056 wrote to memory of 2856 3056 7nbhnh.exe 9ppjd.exe PID 2856 wrote to memory of 2708 2856 9ppjd.exe llfrfrx.exe PID 2856 wrote to memory of 2708 2856 9ppjd.exe llfrfrx.exe PID 2856 wrote to memory of 2708 2856 9ppjd.exe llfrfrx.exe PID 2856 wrote to memory of 2708 2856 9ppjd.exe llfrfrx.exe PID 2708 wrote to memory of 2772 2708 llfrfrx.exe nhtbnn.exe PID 2708 wrote to memory of 2772 2708 llfrfrx.exe nhtbnn.exe PID 2708 wrote to memory of 2772 2708 llfrfrx.exe nhtbnn.exe PID 2708 wrote to memory of 2772 2708 llfrfrx.exe nhtbnn.exe PID 2772 wrote to memory of 2416 2772 nhtbnn.exe btbntb.exe PID 2772 wrote to memory of 2416 2772 nhtbnn.exe btbntb.exe PID 2772 wrote to memory of 2416 2772 nhtbnn.exe btbntb.exe PID 2772 wrote to memory of 2416 2772 nhtbnn.exe btbntb.exe PID 2416 wrote to memory of 1460 2416 btbntb.exe jdvdd.exe PID 
2416 wrote to memory of 1460 2416 btbntb.exe jdvdd.exe PID 2416 wrote to memory of 1460 2416 btbntb.exe jdvdd.exe PID 2416 wrote to memory of 1460 2416 btbntb.exe jdvdd.exe PID 1460 wrote to memory of 1956 1460 jdvdd.exe jdddv.exe PID 1460 wrote to memory of 1956 1460 jdvdd.exe jdddv.exe PID 1460 wrote to memory of 1956 1460 jdvdd.exe jdddv.exe PID 1460 wrote to memory of 1956 1460 jdvdd.exe jdddv.exe
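Processes
Note: each entry in this tree is printed as image path, command line and nesting depth run together; for example `\??\c:\rlxlxlr.exec:\rlxlxlr.exe2⤵` is image `\??\c:\rlxlxlr.exe`, command line `c:\rlxlxlr.exe`, depth 2. The depth rises by one per entry, i.e. each process is the child of the one listed above it. Signature labels stop after depth 65 although the chain continues to at least depth 122, so the "64 IoCs" counts above look like a per-signature listing cap rather than the true number of dropped executables.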
-
C:\Users\Admin\AppData\Local\Temp\4c438abbee9c45611472dc20b70042e5a49e93d8b9a6804d34ee3adb8eb12499_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\4c438abbee9c45611472dc20b70042e5a49e93d8b9a6804d34ee3adb8eb12499_NeikiAnalytics.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1712 -
\??\c:\rlxlxlr.exec:\rlxlxlr.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2156 -
\??\c:\5pdjv.exec:\5pdjv.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1860 -
\??\c:\ppjvj.exec:\ppjvj.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2628 -
\??\c:\fxxlfrx.exec:\fxxlfrx.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2744 -
\??\c:\1httbb.exec:\1httbb.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2668 -
\??\c:\btbhhh.exec:\btbhhh.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2804 -
\??\c:\ppjjd.exec:\ppjjd.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2784 -
\??\c:\9rrfxxf.exec:\9rrfxxf.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2636 -
\??\c:\3hhtnh.exec:\3hhtnh.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2596 -
\??\c:\7nbhnh.exec:\7nbhnh.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3056 -
\??\c:\9ppjd.exec:\9ppjd.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2856 -
\??\c:\llfrfrx.exec:\llfrfrx.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2708 -
\??\c:\nhtbnn.exec:\nhtbnn.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2772 -
\??\c:\btbntb.exec:\btbntb.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2416 -
\??\c:\jdvdd.exec:\jdvdd.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1460 -
\??\c:\jdddv.exec:\jdddv.exe17⤵
- Executes dropped EXE
PID:1956 -
\??\c:\xrxxllf.exec:\xrxxllf.exe18⤵
- Executes dropped EXE
PID:2844 -
\??\c:\1bnbnt.exec:\1bnbnt.exe19⤵
- Executes dropped EXE
PID:1552 -
\??\c:\vvjvj.exec:\vvjvj.exe20⤵
- Executes dropped EXE
PID:624 -
\??\c:\xrlrffl.exec:\xrlrffl.exe21⤵
- Executes dropped EXE
PID:2116 -
\??\c:\rrxxflx.exec:\rrxxflx.exe22⤵
- Executes dropped EXE
PID:2900 -
\??\c:\7bnnbb.exec:\7bnnbb.exe23⤵
- Executes dropped EXE
PID:2752 -
\??\c:\pdppv.exec:\pdppv.exe24⤵
- Executes dropped EXE
PID:2508 -
\??\c:\3xrxlrl.exec:\3xrxlrl.exe25⤵
- Executes dropped EXE
PID:656 -
\??\c:\bbthbt.exec:\bbthbt.exe26⤵
- Executes dropped EXE
PID:1644 -
\??\c:\jjpvv.exec:\jjpvv.exe27⤵
- Executes dropped EXE
PID:408 -
\??\c:\rrxlfll.exec:\rrxlfll.exe28⤵
- Executes dropped EXE
PID:1812 -
\??\c:\btbhbb.exec:\btbhbb.exe29⤵
- Executes dropped EXE
PID:1300 -
\??\c:\7ddjd.exec:\7ddjd.exe30⤵
- Executes dropped EXE
PID:1612 -
\??\c:\3jjvv.exec:\3jjvv.exe31⤵
- Executes dropped EXE
PID:900 -
\??\c:\7rfxrrx.exec:\7rfxrrx.exe32⤵
- Executes dropped EXE
PID:2240 -
\??\c:\nhbnbb.exec:\nhbnbb.exe33⤵
- Executes dropped EXE
PID:2444 -
\??\c:\vvpjd.exec:\vvpjd.exe34⤵
- Executes dropped EXE
PID:1744 -
\??\c:\xrfrlrx.exec:\xrfrlrx.exe35⤵
- Executes dropped EXE
PID:2452 -
\??\c:\hnbbbb.exec:\hnbbbb.exe36⤵
- Executes dropped EXE
PID:2604 -
\??\c:\9ppvj.exec:\9ppvj.exe37⤵
- Executes dropped EXE
PID:1596 -
\??\c:\jdvdp.exec:\jdvdp.exe38⤵
- Executes dropped EXE
PID:2816 -
\??\c:\fxlrxlr.exec:\fxlrxlr.exe39⤵
- Executes dropped EXE
PID:2476 -
\??\c:\bntbtb.exec:\bntbtb.exe40⤵
- Executes dropped EXE
PID:1860 -
\??\c:\pjjvd.exec:\pjjvd.exe41⤵
- Executes dropped EXE
PID:1388 -
\??\c:\rllrrrr.exec:\rllrrrr.exe42⤵
- Executes dropped EXE
PID:2684 -
\??\c:\lfxrxxf.exec:\lfxrxxf.exe43⤵
- Executes dropped EXE
PID:2548 -
\??\c:\7hntbb.exec:\7hntbb.exe44⤵
- Executes dropped EXE
PID:2572 -
\??\c:\nhthbb.exec:\nhthbb.exe45⤵
- Executes dropped EXE
PID:2588 -
\??\c:\djvvd.exec:\djvvd.exe46⤵
- Executes dropped EXE
PID:2616 -
\??\c:\xrllxfr.exec:\xrllxfr.exe47⤵
- Executes dropped EXE
PID:1880 -
\??\c:\3xlllrx.exec:\3xlllrx.exe48⤵
- Executes dropped EXE
PID:2888 -
\??\c:\hhbnbb.exec:\hhbnbb.exe49⤵
- Executes dropped EXE
PID:2856 -
\??\c:\jdppd.exec:\jdppd.exe50⤵
- Executes dropped EXE
PID:3064 -
\??\c:\ppjjp.exec:\ppjjp.exe51⤵
- Executes dropped EXE
PID:1676 -
\??\c:\rrfxrrl.exec:\rrfxrrl.exe52⤵
- Executes dropped EXE
PID:2416 -
\??\c:\lfxlrxl.exec:\lfxlrxl.exe53⤵
- Executes dropped EXE
PID:1460 -
\??\c:\bbtnbn.exec:\bbtnbn.exe54⤵
- Executes dropped EXE
PID:2868 -
\??\c:\nnnttn.exec:\nnnttn.exe55⤵
- Executes dropped EXE
PID:1820 -
\??\c:\dvvdj.exec:\dvvdj.exe56⤵
- Executes dropped EXE
PID:2640 -
\??\c:\lxxlrfr.exec:\lxxlrfr.exe57⤵
- Executes dropped EXE
PID:1772 -
\??\c:\rlffrxl.exec:\rlffrxl.exe58⤵
- Executes dropped EXE
PID:624 -
\??\c:\hhhbtb.exec:\hhhbtb.exe59⤵
- Executes dropped EXE
PID:2032 -
\??\c:\bbbthh.exec:\bbbthh.exe60⤵
- Executes dropped EXE
PID:2980 -
\??\c:\vvpdd.exec:\vvpdd.exe61⤵
- Executes dropped EXE
PID:2752 -
\??\c:\ddvdp.exec:\ddvdp.exe62⤵
- Executes dropped EXE
PID:1828 -
\??\c:\5rxlxfr.exec:\5rxlxfr.exe63⤵
- Executes dropped EXE
PID:288 -
\??\c:\frlrxxl.exec:\frlrxxl.exe64⤵
- Executes dropped EXE
PID:1488 -
\??\c:\htnnbh.exec:\htnnbh.exe65⤵
- Executes dropped EXE
PID:1644 -
\??\c:\tthtth.exec:\tthtth.exe66⤵PID:2932
-
\??\c:\dvjjj.exec:\dvjjj.exe67⤵PID:1792
-
\??\c:\jjdvj.exec:\jjdvj.exe68⤵PID:1824
-
\??\c:\xxrxfrl.exec:\xxrxfrl.exe69⤵PID:2456
-
\??\c:\lffllrx.exec:\lffllrx.exe70⤵PID:1612
-
\??\c:\bhhhnt.exec:\bhhhnt.exe71⤵PID:2236
-
\??\c:\9nhbht.exec:\9nhbht.exe72⤵PID:2824
-
\??\c:\tntbbh.exec:\tntbbh.exe73⤵PID:612
-
\??\c:\vjppp.exec:\vjppp.exe74⤵PID:2256
-
\??\c:\5ddpd.exec:\5ddpd.exe75⤵PID:1744
-
\??\c:\flxxrfr.exec:\flxxrfr.exe76⤵PID:2892
-
\??\c:\5tttnb.exec:\5tttnb.exe77⤵PID:1600
-
\??\c:\3hbthb.exec:\3hbthb.exe78⤵PID:2832
-
\??\c:\djjpp.exec:\djjpp.exe79⤵PID:1596
-
\??\c:\dddpj.exec:\dddpj.exe80⤵PID:1256
-
\??\c:\rrllrrx.exec:\rrllrrx.exe81⤵PID:468
-
\??\c:\3xlxlxf.exec:\3xlxlxf.exe82⤵PID:2776
-
\??\c:\nhhhhn.exec:\nhhhhn.exe83⤵PID:2964
-
\??\c:\tnhbnt.exec:\tnhbnt.exe84⤵PID:2248
-
\??\c:\5jvvd.exec:\5jvvd.exe85⤵PID:2728
-
\??\c:\pjjdd.exec:\pjjdd.exe86⤵PID:2660
-
\??\c:\xxrxlrf.exec:\xxrxlrf.exe87⤵PID:2292
-
\??\c:\9rrxlxf.exec:\9rrxlxf.exe88⤵PID:2536
-
\??\c:\nbntbb.exec:\nbntbb.exe89⤵PID:2492
-
\??\c:\hbbnnn.exec:\hbbnnn.exe90⤵PID:2596
-
\??\c:\ppvdv.exec:\ppvdv.exe91⤵PID:2060
-
\??\c:\dvjjp.exec:\dvjjp.exe92⤵PID:2672
-
\??\c:\7ffllrf.exec:\7ffllrf.exe93⤵PID:1276
-
\??\c:\xrlrlrx.exec:\xrlrlrx.exe94⤵PID:2700
-
\??\c:\nnbhth.exec:\nnbhth.exe95⤵PID:316
-
\??\c:\ttntnn.exec:\ttntnn.exe96⤵PID:2756
-
\??\c:\1dvdp.exec:\1dvdp.exe97⤵PID:1608
-
\??\c:\pjvpd.exec:\pjvpd.exe98⤵PID:2724
-
\??\c:\lfxlxrx.exec:\lfxlxrx.exe99⤵PID:1628
-
\??\c:\hbbhht.exec:\hbbhht.exe100⤵PID:2828
-
\??\c:\5ntbnh.exec:\5ntbnh.exe101⤵PID:3032
-
\??\c:\jdvdd.exec:\jdvdd.exe102⤵PID:1716
-
\??\c:\pjvdp.exec:\pjvdp.exe103⤵PID:1152
-
\??\c:\lfflrrx.exec:\lfflrrx.exe104⤵PID:2984
-
\??\c:\xxlrfff.exec:\xxlrfff.exe105⤵PID:2016
-
\??\c:\hhbtnh.exec:\hhbtnh.exe106⤵PID:2044
-
\??\c:\nhtnth.exec:\nhtnth.exe107⤵PID:2752
-
\??\c:\nhbtnn.exec:\nhbtnn.exe108⤵PID:656
-
\??\c:\ddvjd.exec:\ddvjd.exe109⤵PID:808
-
\??\c:\dvpvv.exec:\dvpvv.exe110⤵PID:2308
-
\??\c:\xlxrrrx.exec:\xlxrrrx.exe111⤵PID:1988
-
\??\c:\5rflfxl.exec:\5rflfxl.exe112⤵PID:932
-
\??\c:\hhhnnt.exec:\hhhnnt.exe113⤵PID:1300
-
\??\c:\nnbhtn.exec:\nnbhtn.exe114⤵PID:3060
-
\??\c:\djpjj.exec:\djpjj.exe115⤵PID:1656
-
\??\c:\vpddj.exec:\vpddj.exe116⤵PID:2208
-
\??\c:\7xrflll.exec:\7xrflll.exe117⤵PID:1720
-
\??\c:\btbnhn.exec:\btbnhn.exe118⤵PID:2224
-
\??\c:\nhtbbn.exec:\nhtbbn.exe119⤵PID:2228
-
\??\c:\1bhnbb.exec:\1bhnbb.exe120⤵PID:1784
-
\??\c:\vddjd.exec:\vddjd.exe121⤵PID:2452
-
\??\c:\9dpvv.exec:\9dpvv.exe122⤵PID:2604
-