Analysis
- max time kernel: 150s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 30-05-2024 22:02

Behavioral task: behavioral1
Sample: 6a0c47316f2320eabc2caa9f7e3267c0_NeikiAnalytics.exe
Resource: win7-20240221-en
General
- Target: 6a0c47316f2320eabc2caa9f7e3267c0_NeikiAnalytics.exe
- Size: 253KB
- MD5: 6a0c47316f2320eabc2caa9f7e3267c0
- SHA1: f4e41b5093345a47e12385edab5e7bce23962fe7
- SHA256: d6c0e575e45c5f90ea927797d314ef85d1be30e964d7307231e0ed1962fbcf76
- SHA512: b0646f3c2746d8b65304f55325e7855f4c1d2193ad4085a72219d6e4f1cd222e182ad920615c32eeb36b021ad54065ad844bdaf0317e9c7c228800d9fc3268df
- SSDEEP: 3072:chOmTsF93UYfwC6GIoutieyhC2lbgGi5yLpcgDE4JBuItR8pTsgZ9WT4iaz+THka:ccm4FmowdHoSi9EIBftapTs4WZazeE1w
Malware Config
Signatures
- Detect Blackmoon payload 37 IoCs
- Malware Dropper & Backdoor - Berbew 32 IoCs
  Berbew is a backdoor Trojan that can download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
- Executes dropped EXE 64 IoCs
- Suspicious use of WriteProcessMemory 64 IoCs
Processes
- C:\Users\Admin\AppData\Local\Temp\6a0c47316f2320eabc2caa9f7e3267c0_NeikiAnalytics.exe
  "C:\Users\Admin\AppData\Local\Temp\6a0c47316f2320eabc2caa9f7e3267c0_NeikiAnalytics.exe"
  - Suspicious use of WriteProcessMemory
  - PID: 2160