Analysis
-
max time kernel
90s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240215-en -
resource tags
arch:x64 arch:x86 image:win7-20240215-en locale:en-us os:windows7-x64 system -
submitted
22-05-2024 03:45
Behavioral task
behavioral1
Sample
162fb1c1325f43cc67a254ab8417f6c0_NeikiAnalytics.exe
Resource
win7-20240215-en
6 signatures
150 seconds
General
-
Target
162fb1c1325f43cc67a254ab8417f6c0_NeikiAnalytics.exe
-
Size
294KB
-
MD5
162fb1c1325f43cc67a254ab8417f6c0
-
SHA1
e5b8f2d55cb7a67fdb9f456bc49fd92d3092ab48
-
SHA256
adf0587abfc3064356785f163abcd6f780a64b62f6104e0a72768edeebcaeb36
-
SHA512
99d5be7c47b146e65eb255d8498b3dfca64305ee8451db9fa5d29552c5b194a9be6503dc5a7985bf0ef701d30a862d68a79903114aca44ebbca35481cb190f71
-
SSDEEP
6144:ccm4FmowdHoSQkuObHq9ltAszBd+za/p1slTjZXvEQo9dftOW:K4wFHoSQkuUHk1zBR/pMT9XvEhdfL
Malware Config
Signatures
-
Detect Blackmoon payload 40 IoCs
Malware Dropper & Backdoor - Berbew 33 IoCs
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
Executes dropped EXE 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\162fb1c1325f43cc67a254ab8417f6c0_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\162fb1c1325f43cc67a254ab8417f6c0_NeikiAnalytics.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2404 -
\??\c:\5vvvd.exec:\5vvvd.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2180 -
\??\c:\tnbtht.exec:\tnbtht.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2312 -
\??\c:\jvjjp.exec:\jvjjp.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2172 -
\??\c:\lfxfrll.exec:\lfxfrll.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2712 -
\??\c:\hhnntt.exec:\hhnntt.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2660 -
\??\c:\djjjv.exec:\djjjv.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:868 -
\??\c:\lxfrlxx.exec:\lxfrlxx.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2504 -
\??\c:\hbtbnt.exec:\hbtbnt.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2520 -
\??\c:\vpdvd.exec:\vpdvd.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2528 -
\??\c:\7frxffx.exec:\7frxffx.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3024 -
\??\c:\5dppp.exec:\5dppp.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:304 -
\??\c:\xxrrxfr.exec:\xxrrxfr.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2844 -
\??\c:\3bntnb.exec:\3bntnb.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2996 -
\??\c:\ffrfrxl.exec:\ffrfrxl.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2688 -
\??\c:\5nnbhn.exec:\5nnbhn.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2008 -
\??\c:\9vvvv.exec:\9vvvv.exe17⤵
- Executes dropped EXE
PID:700 -
\??\c:\9xxlrxl.exec:\9xxlrxl.exe18⤵
- Executes dropped EXE
PID:2772 -
\??\c:\1hnhbn.exec:\1hnhbn.exe19⤵
- Executes dropped EXE
PID:2776 -
\??\c:\3vppd.exec:\3vppd.exe20⤵
- Executes dropped EXE
PID:1664 -
\??\c:\frfffrf.exec:\frfffrf.exe21⤵
- Executes dropped EXE
PID:1812 -
\??\c:\3btbnt.exec:\3btbnt.exe22⤵
- Executes dropped EXE
PID:3048 -
\??\c:\pppvj.exec:\pppvj.exe23⤵
- Executes dropped EXE
PID:888 -
\??\c:\xxrfxxr.exec:\xxrfxxr.exe24⤵
- Executes dropped EXE
PID:1820 -
\??\c:\bhbhnt.exec:\bhbhnt.exe25⤵
- Executes dropped EXE
PID:576 -
\??\c:\pjvpp.exec:\pjvpp.exe26⤵
- Executes dropped EXE
PID:2160 -
\??\c:\flxlffr.exec:\flxlffr.exe27⤵
- Executes dropped EXE
PID:1776 -
\??\c:\pdpdv.exec:\pdpdv.exe28⤵
- Executes dropped EXE
PID:1872 -
\??\c:\rxfxllf.exec:\rxfxllf.exe29⤵
- Executes dropped EXE
PID:1852 -
\??\c:\5thnbh.exec:\5thnbh.exe30⤵
- Executes dropped EXE
PID:632 -
\??\c:\dvjdd.exec:\dvjdd.exe31⤵
- Executes dropped EXE
PID:1972 -
\??\c:\rxxfrlr.exec:\rxxfrlr.exe32⤵
- Executes dropped EXE
PID:2148 -
\??\c:\pjdjv.exec:\pjdjv.exe33⤵
- Executes dropped EXE
PID:2276 -
\??\c:\lrlxlxr.exec:\lrlxlxr.exe34⤵
- Executes dropped EXE
PID:2056 -
\??\c:\bthntn.exec:\bthntn.exe35⤵
- Executes dropped EXE
PID:1564 -
\??\c:\pvjpd.exec:\pvjpd.exe36⤵
- Executes dropped EXE
PID:2328 -
\??\c:\lxlxfrf.exec:\lxlxfrf.exe37⤵
- Executes dropped EXE
PID:2428 -
\??\c:\xflfxxx.exec:\xflfxxx.exe38⤵
- Executes dropped EXE
PID:2560 -
\??\c:\dpvpv.exec:\dpvpv.exe39⤵
- Executes dropped EXE
PID:1724 -
\??\c:\rfrrrxx.exec:\rfrrrxx.exe40⤵
- Executes dropped EXE
PID:2932 -
\??\c:\3rfrrlr.exec:\3rfrrlr.exe41⤵
- Executes dropped EXE
PID:2624 -
\??\c:\hhhhtb.exec:\hhhhtb.exe42⤵
- Executes dropped EXE
PID:2756 -
\??\c:\dvdvd.exec:\dvdvd.exe43⤵
- Executes dropped EXE
PID:2808 -
\??\c:\5pjvd.exec:\5pjvd.exe44⤵
- Executes dropped EXE
PID:2744 -
\??\c:\rllfflr.exec:\rllfflr.exe45⤵
- Executes dropped EXE
PID:2504 -
\??\c:\thttbh.exec:\thttbh.exe46⤵
- Executes dropped EXE
PID:2732 -
\??\c:\7pjpv.exec:\7pjpv.exe47⤵
- Executes dropped EXE
PID:2736 -
\??\c:\vpjjp.exec:\vpjjp.exe48⤵
- Executes dropped EXE
PID:3068 -
\??\c:\lxrxfxl.exec:\lxrxfxl.exe49⤵
- Executes dropped EXE
PID:2516 -
\??\c:\3bhbtt.exec:\3bhbtt.exe50⤵
- Executes dropped EXE
PID:2872 -
\??\c:\hbtbhh.exec:\hbtbhh.exe51⤵
- Executes dropped EXE
PID:2892 -
\??\c:\dvppv.exec:\dvppv.exe52⤵
- Executes dropped EXE
PID:2844 -
\??\c:\rlxlxfl.exec:\rlxlxfl.exe53⤵
- Executes dropped EXE
PID:2996 -
\??\c:\7ffrlxf.exec:\7ffrlxf.exe54⤵
- Executes dropped EXE
PID:2760 -
\??\c:\bthntt.exec:\bthntt.exe55⤵
- Executes dropped EXE
PID:900 -
\??\c:\pjpjj.exec:\pjpjj.exe56⤵
- Executes dropped EXE
PID:1764 -
\??\c:\ffrflfl.exec:\ffrflfl.exe57⤵
- Executes dropped EXE
PID:3000 -
\??\c:\1nnbtn.exec:\1nnbtn.exe58⤵
- Executes dropped EXE
PID:2440 -
\??\c:\pjdpj.exec:\pjdpj.exe59⤵
- Executes dropped EXE
PID:1572 -
\??\c:\dvddj.exec:\dvddj.exe60⤵
- Executes dropped EXE
PID:2700 -
\??\c:\rlrxlff.exec:\rlrxlff.exe61⤵
- Executes dropped EXE
PID:1620 -
\??\c:\tbnbnt.exec:\tbnbnt.exe62⤵
- Executes dropped EXE
PID:2952 -
\??\c:\dpjpp.exec:\dpjpp.exe63⤵
- Executes dropped EXE
PID:1332 -
\??\c:\3vvdp.exec:\3vvdp.exe64⤵
- Executes dropped EXE
PID:2644 -
\??\c:\xxfrfxl.exec:\xxfrfxl.exe65⤵
- Executes dropped EXE
PID:324 -
\??\c:\9htntt.exec:\9htntt.exe66⤵PID:1252
-
\??\c:\pdppj.exec:\pdppj.exe67⤵PID:1092
-
\??\c:\xxlrrlr.exec:\xxlrrlr.exe68⤵PID:2128
-
\??\c:\flxrxll.exec:\flxrxll.exe69⤵PID:1380
-
\??\c:\bthhnn.exec:\bthhnn.exe70⤵PID:1640
-
\??\c:\pjvpv.exec:\pjvpv.exe71⤵PID:2096
-
\??\c:\llflxfr.exec:\llflxfr.exe72⤵PID:1852
-
\??\c:\fffxllx.exec:\fffxllx.exe73⤵PID:2548
-
\??\c:\3nbntt.exec:\3nbntt.exe74⤵PID:1740
-
\??\c:\jjdvd.exec:\jjdvd.exe75⤵PID:984
-
\??\c:\vvpvp.exec:\vvpvp.exe76⤵PID:2552
-
\??\c:\rrxfrxl.exec:\rrxfrxl.exe77⤵PID:2276
-
\??\c:\ttthbh.exec:\ttthbh.exe78⤵PID:1584
-
\??\c:\bthhht.exec:\bthhht.exe79⤵PID:1592
-
\??\c:\dpdjj.exec:\dpdjj.exe80⤵PID:2404
-
\??\c:\llxfrlx.exec:\llxfrlx.exe81⤵PID:2428
-
\??\c:\bbbnht.exec:\bbbnht.exe82⤵PID:1268
-
\??\c:\bbnhbn.exec:\bbnhbn.exe83⤵PID:2608
-
\??\c:\jdvvv.exec:\jdvvv.exe84⤵PID:2248
-
\??\c:\rrlffxr.exec:\rrlffxr.exe85⤵PID:2928
-
\??\c:\7rrlfrl.exec:\7rrlfrl.exe86⤵PID:760
-
\??\c:\nhthnh.exec:\nhthnh.exe87⤵PID:2924
-
\??\c:\3jdjv.exec:\3jdjv.exe88⤵PID:2464
-
\??\c:\9frxfll.exec:\9frxfll.exe89⤵PID:2476
-
\??\c:\5tnnbt.exec:\5tnnbt.exe90⤵PID:2508
-
\??\c:\vpjjp.exec:\vpjjp.exe91⤵PID:2736
-
\??\c:\vpdjp.exec:\vpdjp.exe92⤵PID:2848
-
\??\c:\fxlrxxl.exec:\fxlrxxl.exe93⤵PID:2860
-
\??\c:\tbthbn.exec:\tbthbn.exe94⤵PID:2908
-
\??\c:\vppvp.exec:\vppvp.exe95⤵PID:2884
-
\??\c:\xrllxxx.exec:\xrllxxx.exe96⤵PID:2004
-
\??\c:\frfrrfl.exec:\frfrrfl.exe97⤵PID:2996
-
\??\c:\hnnnhh.exec:\hnnnhh.exe98⤵PID:2008
-
\??\c:\pdpvv.exec:\pdpvv.exe99⤵PID:2648
-
\??\c:\fxfllfl.exec:\fxfllfl.exe100⤵PID:1764
-
\??\c:\nhttbn.exec:\nhttbn.exe101⤵PID:2652
-
\??\c:\9dvdd.exec:\9dvdd.exe102⤵PID:1628
-
\??\c:\1pdpd.exec:\1pdpd.exe103⤵PID:1984
-
\??\c:\fxrxrxl.exec:\fxrxrxl.exe104⤵PID:1768
-
\??\c:\hhbhtb.exec:\hhbhtb.exe105⤵PID:1548
-
\??\c:\hhhtnt.exec:\hhhtnt.exe106⤵PID:2448
-
\??\c:\dppdp.exec:\dppdp.exe107⤵PID:2296
-
\??\c:\llflrxr.exec:\llflrxr.exe108⤵PID:1916
-
\??\c:\lfxfrxl.exec:\lfxfrxl.exe109⤵PID:396
-
\??\c:\ttntnt.exec:\ttntnt.exe110⤵PID:856
-
\??\c:\ppjdp.exec:\ppjdp.exe111⤵PID:1800
-
\??\c:\9frfxxl.exec:\9frfxxl.exe112⤵PID:1068
-
\??\c:\lrlffrx.exec:\lrlffrx.exe113⤵PID:2080
-
\??\c:\thtntt.exec:\thtntt.exe114⤵PID:2920
-
\??\c:\dvpdp.exec:\dvpdp.exe115⤵PID:1704
-
\??\c:\9vppj.exec:\9vppj.exe116⤵PID:1280
-
\??\c:\rfxfrrf.exec:\rfxfrrf.exe117⤵PID:2076
-
\??\c:\hbnhbb.exec:\hbnhbb.exe118⤵PID:2968
-
\??\c:\bbtbnb.exec:\bbtbnb.exe119⤵PID:1960
-
\??\c:\pjvjv.exec:\pjvjv.exe120⤵PID:2124
-
\??\c:\lfrxxff.exec:\lfrxxff.exe121⤵PID:2976
-
\??\c:\5bnnbt.exec:\5bnnbt.exe122⤵PID:2204