Analysis
- max time kernel: 150s
- max time network: 118s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
- submitted: 30-05-2024 23:11

Behavioral task: behavioral1
Sample: 6c696784ba6bac24ee74863800142a20_NeikiAnalytics.exe
Resource: win7-20231129-en
General
- Target: 6c696784ba6bac24ee74863800142a20_NeikiAnalytics.exe
- Size: 441KB
- MD5: 6c696784ba6bac24ee74863800142a20
- SHA1: cdb7a90c00a59970d0d66d2b3c2b46f9deef0894
- SHA256: ef76ea699e27a5d047f1c2453ac9b0a273c36d8307a63297e4ce7cd91a3848a1
- SHA512: c281a9a386131e818e49ddf9a362e9d7d3980d63b7fe7590a8b1962a472aa30fd4e9b4e398f2749ea6d1f4a1547b1d03395056136fb9b31ce09df0471e622d29
- SSDEEP: 12288:w4wFHoS9KxbNnidEhjEJd1kNpeUgI95yRoZHVaoJMOxFXnRV4PiGO0hUmH9:kKxbNndhjEJd1kNpeUgI95yRoZHgoJMH
Malware Config
Signatures
- Detect Blackmoon payload (42 IoCs)
- Malware Dropper & Backdoor - Berbew (33 IoCs)
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
- Executes dropped EXE (64 IoCs)
- Suspicious use of WriteProcessMemory (64 IoCs)
Processes
- "C:\Users\Admin\AppData\Local\Temp\6c696784ba6bac24ee74863800142a20_NeikiAnalytics.exe" (PID 3024)
  - Suspicious use of WriteProcessMemory