Analysis
max time kernel: 150s
max time network: 125s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system
submitted: 09/05/2024, 14:18
Behavioral task
behavioral1
Sample
5997f4cb9f0b863da332731e191882a0_NeikiAnalytics.exe
Resource
win7-20240221-en
6 signatures
150 seconds
General
Target: 5997f4cb9f0b863da332731e191882a0_NeikiAnalytics.exe
Size: 483KB
MD5: 5997f4cb9f0b863da332731e191882a0
SHA1: 6daa508d8e92e9e9eb0ed93cc7ccb27b7f40a9cb
SHA256: 17e5e77efe41e990c2cdc99af3e7bd4b99948473c79a06785fbb272d9c62c9e8
SHA512: c13329f3b193d7aeb82216e7e7a4a31c75c29d6c887f12578cfc25cd76924e2d782ce57667ba003de5b69f758e7647eadf3230ccce9055dac7ff5255b9dfb1ad
SSDEEP: 6144:mcm7ImGddXv/VWrXD486jCpoAhlq1mEjBqLyOSlhNFF2Y:I7TcfNWj168w1VjsyvhNFF2Y
Malware Config
Signatures
-
Detect Blackmoon payload 39 IoCs
Malware Dropper & Backdoor - Berbew 32 IoCs
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
Executes dropped EXE 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\5997f4cb9f0b863da332731e191882a0_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\5997f4cb9f0b863da332731e191882a0_NeikiAnalytics.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1704 -
\??\c:\dplxl.exec:\dplxl.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1752 -
\??\c:\vnnfrv.exec:\vnnfrv.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3004 -
\??\c:\thjbh.exec:\thjbh.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2688 -
\??\c:\pnhjxt.exec:\pnhjxt.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2684 -
\??\c:\lbjhndl.exec:\lbjhndl.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2448 -
\??\c:\dfvbrhn.exec:\dfvbrhn.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2480 -
\??\c:\fvbvbnl.exec:\fvbvbnl.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2544 -
\??\c:\ttnllnl.exec:\ttnllnl.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2932 -
\??\c:\vpjth.exec:\vpjth.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1392 -
\??\c:\lhnnj.exec:\lhnnj.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:964 -
\??\c:\dblvnr.exec:\dblvnr.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1332 -
\??\c:\pbvvnl.exec:\pbvvnl.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2816 -
\??\c:\xnlhdxb.exec:\xnlhdxb.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2144 -
\??\c:\hbxbpx.exec:\hbxbpx.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2672 -
\??\c:\xnhhn.exec:\xnhhn.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:944 -
\??\c:\vvlfx.exec:\vvlfx.exe17⤵
- Executes dropped EXE
PID:768 -
\??\c:\hvvxnbj.exec:\hvvxnbj.exe18⤵
- Executes dropped EXE
PID:1484 -
\??\c:\rrfbjn.exec:\rrfbjn.exe19⤵
- Executes dropped EXE
PID:1760 -
\??\c:\ftbjvfj.exec:\ftbjvfj.exe20⤵
- Executes dropped EXE
PID:1520 -
\??\c:\nbhbnxd.exec:\nbhbnxd.exe21⤵
- Executes dropped EXE
PID:596 -
\??\c:\pbdfdxp.exec:\pbdfdxp.exe22⤵
- Executes dropped EXE
PID:1288 -
\??\c:\bjpdl.exec:\bjpdl.exe23⤵
- Executes dropped EXE
PID:3044 -
\??\c:\tlllh.exec:\tlllh.exe24⤵
- Executes dropped EXE
PID:780 -
\??\c:\bflljr.exec:\bflljr.exe25⤵
- Executes dropped EXE
PID:1304 -
\??\c:\ffdnd.exec:\ffdnd.exe26⤵
- Executes dropped EXE
PID:2352 -
\??\c:\ttxfb.exec:\ttxfb.exe27⤵
- Executes dropped EXE
PID:692 -
\??\c:\nnvxx.exec:\nnvxx.exe28⤵
- Executes dropped EXE
PID:1384 -
\??\c:\fjjlfj.exec:\fjjlfj.exe29⤵
- Executes dropped EXE
PID:1888 -
\??\c:\brnljh.exec:\brnljh.exe30⤵
- Executes dropped EXE
PID:2200 -
\??\c:\xlxldxb.exec:\xlxldxb.exe31⤵
- Executes dropped EXE
PID:884 -
\??\c:\lrrnvjn.exec:\lrrnvjn.exe32⤵
- Executes dropped EXE
PID:1180 -
\??\c:\hnjpjd.exec:\hnjpjd.exe33⤵
- Executes dropped EXE
PID:1300 -
\??\c:\nbxfn.exec:\nbxfn.exe34⤵
- Executes dropped EXE
PID:1780 -
\??\c:\xfbplp.exec:\xfbplp.exe35⤵
- Executes dropped EXE
PID:1596 -
\??\c:\rxphl.exec:\rxphl.exe36⤵
- Executes dropped EXE
PID:2220 -
\??\c:\jfblvx.exec:\jfblvx.exe37⤵
- Executes dropped EXE
PID:2668 -
\??\c:\hhpxtjr.exec:\hhpxtjr.exe38⤵
- Executes dropped EXE
PID:2836 -
\??\c:\ljphj.exec:\ljphj.exe39⤵
- Executes dropped EXE
PID:2624 -
\??\c:\hppjjj.exec:\hppjjj.exe40⤵
- Executes dropped EXE
PID:3004 -
\??\c:\phvbd.exec:\phvbd.exe41⤵
- Executes dropped EXE
PID:2656 -
\??\c:\fxjfrnp.exec:\fxjfrnp.exe42⤵
- Executes dropped EXE
PID:2684 -
\??\c:\dnhfbxr.exec:\dnhfbxr.exe43⤵
- Executes dropped EXE
PID:2096 -
\??\c:\brfrf.exec:\brfrf.exe44⤵
- Executes dropped EXE
PID:2436 -
\??\c:\pvjfbrh.exec:\pvjfbrh.exe45⤵
- Executes dropped EXE
PID:2480 -
\??\c:\fhfftl.exec:\fhfftl.exe46⤵
- Executes dropped EXE
PID:2444 -
\??\c:\rrffln.exec:\rrffln.exe47⤵
- Executes dropped EXE
PID:2936 -
\??\c:\xnfbtd.exec:\xnfbtd.exe48⤵
- Executes dropped EXE
PID:636 -
\??\c:\ftrtd.exec:\ftrtd.exe49⤵
- Executes dropped EXE
PID:2268 -
\??\c:\lhpbl.exec:\lhpbl.exe50⤵
- Executes dropped EXE
PID:2772 -
\??\c:\vnfftjv.exec:\vnfftjv.exe51⤵
- Executes dropped EXE
PID:1020 -
\??\c:\hrplf.exec:\hrplf.exe52⤵
- Executes dropped EXE
PID:1052 -
\??\c:\pjrrx.exec:\pjrrx.exe53⤵
- Executes dropped EXE
PID:1048 -
\??\c:\rrnfb.exec:\rrnfb.exe54⤵
- Executes dropped EXE
PID:1308 -
\??\c:\frbnb.exec:\frbnb.exe55⤵
- Executes dropped EXE
PID:2828 -
\??\c:\nndln.exec:\nndln.exe56⤵
- Executes dropped EXE
PID:1988 -
\??\c:\fjflnt.exec:\fjflnt.exe57⤵
- Executes dropped EXE
PID:1776 -
\??\c:\fptdf.exec:\fptdf.exe58⤵
- Executes dropped EXE
PID:2524 -
\??\c:\jvfbfp.exec:\jvfbfp.exe59⤵
- Executes dropped EXE
PID:2732 -
\??\c:\nnlpjf.exec:\nnlpjf.exe60⤵
- Executes dropped EXE
PID:1660 -
\??\c:\blvhxrr.exec:\blvhxrr.exe61⤵
- Executes dropped EXE
PID:1740 -
\??\c:\nnpbbj.exec:\nnpbbj.exe62⤵
- Executes dropped EXE
PID:1664 -
\??\c:\xjrxn.exec:\xjrxn.exe63⤵
- Executes dropped EXE
PID:2336 -
\??\c:\xbjtlxn.exec:\xbjtlxn.exe64⤵
- Executes dropped EXE
PID:3020 -
\??\c:\npfvp.exec:\npfvp.exe65⤵
- Executes dropped EXE
PID:2076 -
\??\c:\xhnvjnj.exec:\xhnvjnj.exe66⤵PID:676
-
\??\c:\fprxpth.exec:\fprxpth.exe67⤵PID:960
-
\??\c:\vtvvj.exec:\vtvvj.exe68⤵PID:816
-
\??\c:\ttbhrh.exec:\ttbhrh.exe69⤵PID:1476
-
\??\c:\hldvbxj.exec:\hldvbxj.exe70⤵PID:828
-
\??\c:\jvpjrjd.exec:\jvpjrjd.exe71⤵PID:1140
-
\??\c:\lvvjn.exec:\lvvjn.exe72⤵PID:2156
-
\??\c:\hlbbxhv.exec:\hlbbxhv.exe73⤵PID:1672
-
\??\c:\fndfj.exec:\fndfj.exe74⤵PID:2036
-
\??\c:\jjbrjp.exec:\jjbrjp.exe75⤵PID:1748
-
\??\c:\lrhfd.exec:\lrhfd.exe76⤵PID:1180
-
\??\c:\hxvdvrx.exec:\hxvdvrx.exe77⤵PID:900
-
\??\c:\ldrhn.exec:\ldrhn.exe78⤵PID:320
-
\??\c:\fnvvnhl.exec:\fnvvnhl.exe79⤵PID:1968
-
\??\c:\plrjp.exec:\plrjp.exe80⤵PID:2172
-
\??\c:\nxpjxxn.exec:\nxpjxxn.exe81⤵PID:2916
-
\??\c:\nbbnr.exec:\nbbnr.exe82⤵PID:1284
-
\??\c:\xdfbfp.exec:\xdfbfp.exe83⤵PID:1564
-
\??\c:\xxhtl.exec:\xxhtl.exe84⤵PID:1752
-
\??\c:\xrtpxxt.exec:\xrtpxxt.exe85⤵PID:2632
-
\??\c:\dpbpbxd.exec:\dpbpbxd.exe86⤵PID:2852
-
\??\c:\rntjdb.exec:\rntjdb.exe87⤵PID:2644
-
\??\c:\hrfbh.exec:\hrfbh.exe88⤵PID:3008
-
\??\c:\xdvpjpj.exec:\xdvpjpj.exe89⤵PID:2608
-
\??\c:\xvfjlpr.exec:\xvfjlpr.exe90⤵PID:2928
-
\??\c:\bxnjhlt.exec:\bxnjhlt.exe91⤵PID:2648
-
\??\c:\jvvlljh.exec:\jvvlljh.exe92⤵PID:436
-
\??\c:\ndnjlpl.exec:\ndnjlpl.exe93⤵PID:2444
-
\??\c:\drfxbxr.exec:\drfxbxr.exe94⤵PID:2932
-
\??\c:\nfjbvjt.exec:\nfjbvjt.exe95⤵PID:636
-
\??\c:\hxjjhvf.exec:\hxjjhvf.exe96⤵PID:1880
-
\??\c:\jtjhnf.exec:\jtjhnf.exe97⤵PID:2824
-
\??\c:\vnnvj.exec:\vnnvj.exe98⤵PID:2788
-
\??\c:\jdfhvr.exec:\jdfhvr.exe99⤵PID:956
-
\??\c:\llllrjr.exec:\llllrjr.exe100⤵PID:1168
-
\??\c:\nhprf.exec:\nhprf.exe101⤵PID:1980
-
\??\c:\vnbvd.exec:\vnbvd.exe102⤵PID:812
-
\??\c:\txhdn.exec:\txhdn.exe103⤵PID:1988
-
\??\c:\hrpxrph.exec:\hrpxrph.exe104⤵PID:1776
-
\??\c:\rjxlxb.exec:\rjxlxb.exe105⤵PID:2700
-
\??\c:\bxrjfdn.exec:\bxrjfdn.exe106⤵PID:1760
-
\??\c:\dnxpv.exec:\dnxpv.exe107⤵PID:940
-
\??\c:\xltrbfx.exec:\xltrbfx.exe108⤵PID:2308
-
\??\c:\tdlbjfj.exec:\tdlbjfj.exe109⤵PID:468
-
\??\c:\jhpjjf.exec:\jhpjjf.exe110⤵PID:3056
-
\??\c:\vxrbvhb.exec:\vxrbvhb.exe111⤵PID:2104
-
\??\c:\tvbfbd.exec:\tvbfbd.exe112⤵PID:1448
-
\??\c:\jdhnr.exec:\jdhnr.exe113⤵PID:528
-
\??\c:\nhtdbv.exec:\nhtdbv.exe114⤵PID:1444
-
\??\c:\bhrbrp.exec:\bhrbrp.exe115⤵PID:856
-
\??\c:\jpjfv.exec:\jpjfv.exe116⤵PID:692
-
\??\c:\ppptx.exec:\ppptx.exe117⤵PID:1972
-
\??\c:\jpvnl.exec:\jpvnl.exe118⤵PID:2364
-
\??\c:\blfjhdb.exec:\blfjhdb.exe119⤵PID:916
-
\??\c:\plvxvj.exec:\plvxvj.exe120⤵PID:1204
-
\??\c:\xjxptn.exec:\xjxptn.exe121⤵PID:2132
-
\??\c:\jjhrfx.exec:\jjhrfx.exe122⤵PID:1816