Analysis
- max time kernel: 150s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 09/05/2024, 03:30

Behavioral task: behavioral1
- Sample: dfaf2325ac6dcdb525f967c4be6fc840_NEIKI.exe
- Resource: win7-20240221-en
- 6 signatures, 150 seconds
General
- Target: dfaf2325ac6dcdb525f967c4be6fc840_NEIKI.exe
- Size: 259KB
- MD5: dfaf2325ac6dcdb525f967c4be6fc840
- SHA1: d739e9d52f2561d1b2ee67be0be4b27512992b43
- SHA256: 8ded563b81abe772f8e0d1deb34ee72c803b5c5083182115d2d6adf875517c4c
- SHA512: 2bc75d2f66f079dd2b4c2d59c038f699468e41160d53541b76749d122e704f0427da4635434355ffb8adf03c11c4305539647e38a8b3e2e390adde0cdc505782
- SSDEEP: 6144:mcm4FmowdHoS1IOnHoDTmhraHcpOFltH4t0P4EhTKCi5RQc7EC:I4wFHoSKOHYT6eFpguen5Sc7h
Malware Config
Signatures
Detect Blackmoon payload (40 IoCs)
Malware Dropper & Backdoor - Berbew (33 IoCs)
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
Executes dropped EXE (64 IoCs)
Suspicious use of WriteProcessMemory (64 IoCs)
Processes
The number in front of each entry is its depth in the process tree; each process is a child of the entry above it, so the listing is a single 122-level chain. Each entry gives the image path, the command line, the PID and the signatures triggered by that process.

1. C:\Users\Admin\AppData\Local\Temp\dfaf2325ac6dcdb525f967c4be6fc840_NEIKI.exe (command line "C:\Users\Admin\AppData\Local\Temp\dfaf2325ac6dcdb525f967c4be6fc840_NEIKI.exe"), PID 3000: Suspicious use of WriteProcessMemory
2. \??\c:\m8202.exe (command line c:\m8202.exe), PID 1796: Executes dropped EXE; Suspicious use of WriteProcessMemory
3. \??\c:\tnbnhb.exe (command line c:\tnbnhb.exe), PID 2208: Executes dropped EXE; Suspicious use of WriteProcessMemory
4. \??\c:\3vjpv.exe (command line c:\3vjpv.exe), PID 2516: Executes dropped EXE; Suspicious use of WriteProcessMemory
5. \??\c:\48020.exe (command line c:\48020.exe), PID 2628: Executes dropped EXE; Suspicious use of WriteProcessMemory
6. \??\c:\1fllfxl.exe (command line c:\1fllfxl.exe), PID 2580: Executes dropped EXE; Suspicious use of WriteProcessMemory
7. \??\c:\xrrrllr.exe (command line c:\xrrrllr.exe), PID 1800: Executes dropped EXE; Suspicious use of WriteProcessMemory
8. \??\c:\802222.exe (command line c:\802222.exe), PID 2620: Executes dropped EXE; Suspicious use of WriteProcessMemory
9. \??\c:\6484440.exe (command line c:\6484440.exe), PID 2424: Executes dropped EXE; Suspicious use of WriteProcessMemory
10. \??\c:\bttthn.exe (command line c:\bttthn.exe), PID 660: Executes dropped EXE; Suspicious use of WriteProcessMemory
11. \??\c:\xrxflrf.exe (command line c:\xrxflrf.exe), PID 2264: Executes dropped EXE; Suspicious use of WriteProcessMemory
12. \??\c:\tnhhnn.exe (command line c:\tnhhnn.exe), PID 2764: Executes dropped EXE; Suspicious use of WriteProcessMemory
13. \??\c:\q42804.exe (command line c:\q42804.exe), PID 2812: Executes dropped EXE; Suspicious use of WriteProcessMemory
14. \??\c:\44062.exe (command line c:\44062.exe), PID 2928: Executes dropped EXE; Suspicious use of WriteProcessMemory
15. \??\c:\080622.exe (command line c:\080622.exe), PID 1288: Executes dropped EXE; Suspicious use of WriteProcessMemory
16. \??\c:\jvjvj.exe (command line c:\jvjvj.exe), PID 496: Executes dropped EXE; Suspicious use of WriteProcessMemory
17. \??\c:\frflrlr.exe (command line c:\frflrlr.exe), PID 2160: Executes dropped EXE
18. \??\c:\vpvvd.exe (command line c:\vpvvd.exe), PID 1192: Executes dropped EXE
19. \??\c:\e68888.exe (command line c:\e68888.exe), PID 1608: Executes dropped EXE
20. \??\c:\4206884.exe (command line c:\4206884.exe), PID 1308: Executes dropped EXE
21. \??\c:\lfllrrx.exe (command line c:\lfllrrx.exe), PID 2300: Executes dropped EXE
22. \??\c:\fxffffr.exe (command line c:\fxffffr.exe), PID 1628: Executes dropped EXE
23. \??\c:\lfrfrrf.exe (command line c:\lfrfrrf.exe), PID 2688: Executes dropped EXE
24. \??\c:\rlxxlrf.exe (command line c:\rlxxlrf.exe), PID 2860: Executes dropped EXE
25. \??\c:\k08860.exe (command line c:\k08860.exe), PID 2096: Executes dropped EXE
26. \??\c:\c688008.exe (command line c:\c688008.exe), PID 2272: Executes dropped EXE
27. \??\c:\tthhtb.exe (command line c:\tthhtb.exe), PID 376: Executes dropped EXE
28. \??\c:\g2406.exe (command line c:\g2406.exe), PID 1940: Executes dropped EXE
29. \??\c:\hbbbnn.exe (command line c:\hbbbnn.exe), PID 908: Executes dropped EXE
30. \??\c:\htttnn.exe (command line c:\htttnn.exe), PID 2396: Executes dropped EXE
31. \??\c:\48624.exe (command line c:\48624.exe), PID 2776: Executes dropped EXE
32. \??\c:\o400662.exe (command line c:\o400662.exe), PID 556: Executes dropped EXE
33. \??\c:\hthnnn.exe (command line c:\hthnnn.exe), PID 2892: Executes dropped EXE
34. \??\c:\048480.exe (command line c:\048480.exe), PID 3008: Executes dropped EXE
35. \??\c:\6468480.exe (command line c:\6468480.exe), PID 2352: Executes dropped EXE
36. \??\c:\5bntbb.exe (command line c:\5bntbb.exe), PID 2176: Executes dropped EXE
37. \??\c:\64224.exe (command line c:\64224.exe), PID 1980: Executes dropped EXE
38. \??\c:\080660.exe (command line c:\080660.exe), PID 2564: Executes dropped EXE
39. \??\c:\6406268.exe (command line c:\6406268.exe), PID 2432: Executes dropped EXE
40. \??\c:\9rfrxfr.exe (command line c:\9rfrxfr.exe), PID 2580: Executes dropped EXE
41. \??\c:\8808282.exe (command line c:\8808282.exe), PID 2728: Executes dropped EXE
42. \??\c:\nhbhnn.exe (command line c:\nhbhnn.exe), PID 2488: Executes dropped EXE
43. \??\c:\rfrlrrx.exe (command line c:\rfrlrrx.exe), PID 2992: Executes dropped EXE
44. \??\c:\lffrffr.exe (command line c:\lffrffr.exe), PID 2716: Executes dropped EXE
45. \??\c:\dvpdp.exe (command line c:\dvpdp.exe), PID 2156: Executes dropped EXE
46. \??\c:\hbtthn.exe (command line c:\hbtthn.exe), PID 1544: Executes dropped EXE
47. \??\c:\bnbhnn.exe (command line c:\bnbhnn.exe), PID 2944: Executes dropped EXE
48. \??\c:\64662.exe (command line c:\64662.exe), PID 1044: Executes dropped EXE
49. \??\c:\jjjjv.exe (command line c:\jjjjv.exe), PID 2496: Executes dropped EXE
50. \??\c:\hhtbhn.exe (command line c:\hhtbhn.exe), PID 1320: Executes dropped EXE
51. \??\c:\vpvpd.exe (command line c:\vpvpd.exe), PID 2524: Executes dropped EXE
52. \??\c:\3vjjj.exe (command line c:\3vjjj.exe), PID 1192: Executes dropped EXE
53. \??\c:\200684.exe (command line c:\200684.exe), PID 1808: Executes dropped EXE
54. \??\c:\pjvjv.exe (command line c:\pjvjv.exe), PID 3048: Executes dropped EXE
55. \??\c:\7vpjd.exe (command line c:\7vpjd.exe), PID 2100: Executes dropped EXE
56. \??\c:\2608024.exe (command line c:\2608024.exe), PID 2300: Executes dropped EXE
57. \??\c:\208422.exe (command line c:\208422.exe), PID 2112: Executes dropped EXE
58. \??\c:\hthntt.exe (command line c:\hthntt.exe), PID 2604: Executes dropped EXE
59. \??\c:\lfxrxlf.exe (command line c:\lfxrxlf.exe), PID 2304: Executes dropped EXE
60. \??\c:\s8662.exe (command line c:\s8662.exe), PID 1476: Executes dropped EXE
61. \??\c:\3tnhnh.exe (command line c:\3tnhnh.exe), PID 1704: Executes dropped EXE
62. \??\c:\pjddj.exe (command line c:\pjddj.exe), PID 1328: Executes dropped EXE
63. \??\c:\pdpvj.exe (command line c:\pdpvj.exe), PID 760: Executes dropped EXE
64. \??\c:\jvdvv.exe (command line c:\jvdvv.exe), PID 568: Executes dropped EXE
65. \??\c:\q26066.exe (command line c:\q26066.exe), PID 928: Executes dropped EXE
66. \??\c:\202282.exe (command line c:\202282.exe), PID 908
67. \??\c:\7dvdd.exe (command line c:\7dvdd.exe), PID 2868
68. \??\c:\dvjpd.exe (command line c:\dvjpd.exe), PID 1972
69. \??\c:\4804446.exe (command line c:\4804446.exe), PID 884
70. \??\c:\tnbbhn.exe (command line c:\tnbbhn.exe), PID 2876
71. \??\c:\bnbbhn.exe (command line c:\bnbbhn.exe), PID 2388
72. \??\c:\04828.exe (command line c:\04828.exe), PID 1680
73. \??\c:\64208.exe (command line c:\64208.exe), PID 2152
74. \??\c:\hbtbnn.exe (command line c:\hbtbnn.exe), PID 2208
75. \??\c:\1lfrxxf.exe (command line c:\1lfrxxf.exe), PID 2648
76. \??\c:\o606006.exe (command line c:\o606006.exe), PID 2548
77. \??\c:\hhthhh.exe (command line c:\hhthhh.exe), PID 1152
78. \??\c:\bnhbbb.exe (command line c:\bnhbbb.exe), PID 1800
79. \??\c:\pdjpv.exe (command line c:\pdjpv.exe), PID 2440
80. \??\c:\jdvdd.exe (command line c:\jdvdd.exe), PID 2468
81. \??\c:\3frrxxf.exe (command line c:\3frrxxf.exe), PID 2476
82. \??\c:\9fxfflr.exe (command line c:\9fxfflr.exe), PID 2992
83. \??\c:\c800662.exe (command line c:\c800662.exe), PID 808
84. \??\c:\802086.exe (command line c:\802086.exe), PID 2948
85. \??\c:\fxfllxf.exe (command line c:\fxfllxf.exe), PID 2912
86. \??\c:\2082228.exe (command line c:\2082228.exe), PID 1544
87. \??\c:\080682.exe (command line c:\080682.exe), PID 2944
88. \??\c:\vjpjj.exe (command line c:\vjpjj.exe), PID 1044
89. \??\c:\a2062.exe (command line c:\a2062.exe), PID 2496
90. \??\c:\jdjdd.exe (command line c:\jdjdd.exe), PID 2668
91. \??\c:\42040.exe (command line c:\42040.exe), PID 2524
92. \??\c:\0848028.exe (command line c:\0848028.exe), PID 1092
93. \??\c:\20666.exe (command line c:\20666.exe), PID 1608
94. \??\c:\1djpv.exe (command line c:\1djpv.exe), PID 2092
95. \??\c:\5bhhnn.exe (command line c:\5bhhnn.exe), PID 268
96. \??\c:\tbnhnn.exe (command line c:\tbnhnn.exe), PID 3024
97. \??\c:\thbhtn.exe (command line c:\thbhtn.exe), PID 1712
98. \??\c:\rffxfff.exe (command line c:\rffxfff.exe), PID 2336
99. \??\c:\pdvjp.exe (command line c:\pdvjp.exe), PID 2604
100. \??\c:\2404040.exe (command line c:\2404040.exe), PID 1264
101. \??\c:\86824.exe (command line c:\86824.exe), PID 1476
102. \??\c:\e64466.exe (command line c:\e64466.exe), PID 1788
103. \??\c:\bthhtn.exe (command line c:\bthhtn.exe), PID 2724
104. \??\c:\xrfflrx.exe (command line c:\xrfflrx.exe), PID 2796
105. \??\c:\462228.exe (command line c:\462228.exe), PID 2384
106. \??\c:\pjjjp.exe (command line c:\pjjjp.exe), PID 600
107. \??\c:\jvdvv.exe (command line c:\jvdvv.exe), PID 1780
108. \??\c:\646228.exe (command line c:\646228.exe), PID 988
109. \??\c:\6462228.exe (command line c:\6462228.exe), PID 3028
110. \??\c:\bnbbbt.exe (command line c:\bnbbbt.exe), PID 556
111. \??\c:\hbntbh.exe (command line c:\hbntbh.exe), PID 2892
112. \??\c:\042428.exe (command line c:\042428.exe), PID 1676
113. \??\c:\dvdvp.exe (command line c:\dvdvp.exe), PID 2780
114. \??\c:\xlfflrx.exe (command line c:\xlfflrx.exe), PID 1664
115. \??\c:\3bhbbt.exe (command line c:\3bhbbt.exe), PID 2232
116. \??\c:\8660600.exe (command line c:\8660600.exe), PID 2840
117. \??\c:\dvdvp.exe (command line c:\dvdvp.exe), PID 2732
118. \??\c:\9xrrfxl.exe (command line c:\9xrrfxl.exe), PID 2548
119. \??\c:\vjpdd.exe (command line c:\vjpdd.exe), PID 2600
120. \??\c:\thtttt.exe (command line c:\thtttt.exe), PID 2444
121. \??\c:\802044.exe (command line c:\802044.exe), PID 1912
122. \??\c:\a2668.exe (command line c:\a2668.exe), PID 1508