Analysis
- max time kernel: 150s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20240508-en
- resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
- submitted: 31-05-2024 05:55

Behavioral task: behavioral1
- Sample: 79cc60dd48574053ccbc25690ba774d0_NeikiAnalytics.exe
- Resource: win7-20240508-en

General
- Target: 79cc60dd48574053ccbc25690ba774d0_NeikiAnalytics.exe
- Size: 251KB
- MD5: 79cc60dd48574053ccbc25690ba774d0
- SHA1: 5174c77972294663cce9a4f6b500eb899067278e
- SHA256: a4268244d7ee8185be1570a461b78f4fb4101860b60678280574b8469311b720
- SHA512: 48a7cf9771639588b073ccd7ad7d0d8f3d8a9fc590a8068caf6c925c71b3eba9bfaaa3b6e25aaf44dc6e93d4f79d1e967bd3d9d7c63253aa9a74ba8a681f85d7
- SSDEEP: 3072:chOmTsF93UYfwC6GIoutieyhC2lbgGi5yLpcgDE4JBuItR8pTsgZ9WT4iaz+W:ccm4FmowdHoSi9EIBftapTs4WZazb
Malware Config
Signatures
-
Detect Blackmoon payload 37 IoCs
Malware Dropper & Backdoor - Berbew 33 IoCs
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
Executes dropped EXE 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
- C:\Users\Admin\AppData\Local\Temp\79cc60dd48574053ccbc25690ba774d0_NeikiAnalytics.exe (command line: "C:\Users\Admin\AppData\Local\Temp\79cc60dd48574053ccbc25690ba774d0_NeikiAnalytics.exe")
  - Suspicious use of WriteProcessMemory
  - PID: 2956