Analysis
-
max time kernel
150s -
max time network
124s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system -
submitted
21-06-2024 01:45
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
2afe639f268f7a1dd8d1dffcfd1f17e1331f2b8b489031bd6e753cf52404e27b_NeikiAnalytics.exe
Resource
win7-20240508-en
5 signatures
150 seconds
General
-
Target
2afe639f268f7a1dd8d1dffcfd1f17e1331f2b8b489031bd6e753cf52404e27b_NeikiAnalytics.exe
-
Size
84KB
-
MD5
11724532fd0d3c08467e9fc1bd551ab0
-
SHA1
1f3107b44a80fbd7081aed18cc675e2f6d58f4ce
-
SHA256
2afe639f268f7a1dd8d1dffcfd1f17e1331f2b8b489031bd6e753cf52404e27b
-
SHA512
71bc8e026d5fb20b52b7d4e209be65ad2345af585640bafc3141ebe066d60a857bc63e08479bfca4e6ae5c29d5a1861b208b0796778293e840b024c9188189d5
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDIYgC/KSLJMiY:ymb3NkkiQ3mdBjFI3eFZY
Malware Config
Signatures
-
Detect Blackmoon payload 24 IoCs
Processes:
Executes dropped EXE 64 IoCs
Processes:
Processes:
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
Processes
-
C:\Users\Admin\AppData\Local\Temp\2afe639f268f7a1dd8d1dffcfd1f17e1331f2b8b489031bd6e753cf52404e27b_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\2afe639f268f7a1dd8d1dffcfd1f17e1331f2b8b489031bd6e753cf52404e27b_NeikiAnalytics.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2320 -
\??\c:\vvjpd.exec:\vvjpd.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1948 -
\??\c:\dvjdd.exec:\dvjdd.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1932 -
\??\c:\7xlfxfr.exec:\7xlfxfr.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2316 -
\??\c:\3rfxlrx.exec:\3rfxlrx.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2708 -
\??\c:\nbhntb.exec:\nbhntb.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2620 -
\??\c:\ttbbbh.exec:\ttbbbh.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2788 -
\??\c:\dvjpv.exec:\dvjpv.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2660 -
\??\c:\5dvjv.exec:\5dvjv.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2508 -
\??\c:\7xxxllr.exec:\7xxxllr.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2664 -
\??\c:\rllrffx.exec:\rllrffx.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1920 -
\??\c:\nhthbn.exec:\nhthbn.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2832 -
\??\c:\3tnthh.exec:\3tnthh.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2888 -
\??\c:\pdppv.exec:\pdppv.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1520 -
\??\c:\jdjdd.exec:\jdjdd.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:828 -
\??\c:\vjvpv.exec:\vjvpv.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:752 -
\??\c:\xxlrlrf.exec:\xxlrlrf.exe17⤵
- Executes dropped EXE
PID:2176 -
\??\c:\ffxrlrx.exec:\ffxrlrx.exe18⤵
- Executes dropped EXE
PID:2776 -
\??\c:\bthntb.exec:\bthntb.exe19⤵
- Executes dropped EXE
PID:3056 -
\??\c:\nhbntn.exec:\nhbntn.exe20⤵
- Executes dropped EXE
PID:1276 -
\??\c:\jppdv.exec:\jppdv.exe21⤵
- Executes dropped EXE
PID:3068 -
\??\c:\dvjjv.exec:\dvjjv.exe22⤵
- Executes dropped EXE
PID:1924 -
\??\c:\9fxfxxr.exec:\9fxfxxr.exe23⤵
- Executes dropped EXE
PID:2024 -
\??\c:\ffxlxfl.exec:\ffxlxfl.exe24⤵
- Executes dropped EXE
PID:768 -
\??\c:\nnbhbb.exec:\nnbhbb.exe25⤵
- Executes dropped EXE
PID:1640 -
\??\c:\nhhnhn.exec:\nhhnhn.exe26⤵
- Executes dropped EXE
PID:3040 -
\??\c:\djvjp.exec:\djvjp.exe27⤵
- Executes dropped EXE
PID:1060 -
\??\c:\xlfxfff.exec:\xlfxfff.exe28⤵
- Executes dropped EXE
PID:1820 -
\??\c:\fxlxxfr.exec:\fxlxxfr.exe29⤵
- Executes dropped EXE
PID:904 -
\??\c:\tnnhnn.exec:\tnnhnn.exe30⤵
- Executes dropped EXE
PID:2152 -
\??\c:\bbtntb.exec:\bbtntb.exe31⤵
- Executes dropped EXE
PID:2144 -
\??\c:\ppvdv.exec:\ppvdv.exe32⤵
- Executes dropped EXE
PID:1744 -
\??\c:\vjvdp.exec:\vjvdp.exe33⤵
- Executes dropped EXE
PID:1688 -
\??\c:\fxrrxfr.exec:\fxrrxfr.exe34⤵
- Executes dropped EXE
PID:2216 -
\??\c:\3llrflr.exec:\3llrflr.exe35⤵
- Executes dropped EXE
PID:1600 -
\??\c:\nhbnbb.exec:\nhbnbb.exe36⤵
- Executes dropped EXE
PID:2684 -
\??\c:\3btttb.exec:\3btttb.exe37⤵
- Executes dropped EXE
PID:2236 -
\??\c:\jdddj.exec:\jdddj.exe38⤵
- Executes dropped EXE
PID:2744 -
\??\c:\dvpdv.exec:\dvpdv.exe39⤵
- Executes dropped EXE
PID:2612 -
\??\c:\3vjjp.exec:\3vjjp.exe40⤵
- Executes dropped EXE
PID:2520 -
\??\c:\xrfllxl.exec:\xrfllxl.exe41⤵
- Executes dropped EXE
PID:2788 -
\??\c:\7lrfrxx.exec:\7lrfrxx.exe42⤵
- Executes dropped EXE
PID:2692 -
\??\c:\7rlxllx.exec:\7rlxllx.exe43⤵
- Executes dropped EXE
PID:3024 -
\??\c:\nnbnbh.exec:\nnbnbh.exe44⤵
- Executes dropped EXE
PID:2100 -
\??\c:\nhhbbh.exec:\nhhbbh.exe45⤵
- Executes dropped EXE
PID:2836 -
\??\c:\ddjjv.exec:\ddjjv.exe46⤵
- Executes dropped EXE
PID:2872 -
\??\c:\hbhthn.exec:\hbhthn.exe47⤵
- Executes dropped EXE
PID:2892 -
\??\c:\7tnthh.exec:\7tnthh.exe48⤵
- Executes dropped EXE
PID:1832 -
\??\c:\pjvdv.exec:\pjvdv.exe49⤵
- Executes dropped EXE
PID:2720 -
\??\c:\vvpvd.exec:\vvpvd.exe50⤵
- Executes dropped EXE
PID:1780 -
\??\c:\pjpvj.exec:\pjpvj.exe51⤵
- Executes dropped EXE
PID:2496 -
\??\c:\5fxxffl.exec:\5fxxffl.exe52⤵
- Executes dropped EXE
PID:1444 -
\??\c:\lfxflrx.exec:\lfxflrx.exe53⤵
- Executes dropped EXE
PID:2176 -
\??\c:\bntthb.exec:\bntthb.exe54⤵
- Executes dropped EXE
PID:816 -
\??\c:\nnbntb.exec:\nnbntb.exe55⤵
- Executes dropped EXE
PID:1764 -
\??\c:\9bbhhh.exec:\9bbhhh.exe56⤵
- Executes dropped EXE
PID:3064 -
\??\c:\7dvjp.exec:\7dvjp.exe57⤵
- Executes dropped EXE
PID:1248 -
\??\c:\dvjdd.exec:\dvjdd.exe58⤵
- Executes dropped EXE
PID:2676 -
\??\c:\rfrxfxr.exec:\rfrxfxr.exe59⤵
- Executes dropped EXE
PID:2084 -
\??\c:\xrxfrrx.exec:\xrxfrrx.exe60⤵
- Executes dropped EXE
PID:776 -
\??\c:\lxlllrf.exec:\lxlllrf.exe61⤵
- Executes dropped EXE
PID:2940 -
\??\c:\hbttbb.exec:\hbttbb.exe62⤵
- Executes dropped EXE
PID:2112 -
\??\c:\1nhtnh.exec:\1nhtnh.exe63⤵
- Executes dropped EXE
PID:1084 -
\??\c:\tnbnbh.exec:\tnbnbh.exe64⤵
- Executes dropped EXE
PID:3048 -
\??\c:\5vpjp.exec:\5vpjp.exe65⤵
- Executes dropped EXE
PID:952 -
\??\c:\9dvdp.exec:\9dvdp.exe66⤵PID:1256
-
\??\c:\dvpjv.exec:\dvpjv.exe67⤵PID:1788
-
\??\c:\fxlrxff.exec:\fxlrxff.exe68⤵PID:1556
-
\??\c:\rlfrxxl.exec:\rlfrxxl.exe69⤵PID:2936
-
\??\c:\xlrxffr.exec:\xlrxffr.exe70⤵PID:812
-
\??\c:\bnbhtt.exec:\bnbhtt.exe71⤵PID:876
-
\??\c:\nhtttt.exec:\nhtttt.exe72⤵PID:880
-
\??\c:\thnhnn.exec:\thnhnn.exe73⤵PID:2964
-
\??\c:\3vpvv.exec:\3vpvv.exe74⤵PID:1592
-
\??\c:\pjppp.exec:\pjppp.exe75⤵PID:2916
-
\??\c:\jdjdv.exec:\jdjdv.exe76⤵PID:2076
-
\??\c:\vdvvj.exec:\vdvvj.exe77⤵PID:2684
-
\??\c:\fxlrfxf.exec:\fxlrfxf.exe78⤵PID:2236
-
\??\c:\lfxlxxx.exec:\lfxlxxx.exe79⤵PID:2744
-
\??\c:\nbtthh.exec:\nbtthh.exe80⤵PID:2728
-
\??\c:\thtnbh.exec:\thtnbh.exe81⤵PID:2672
-
\??\c:\bntntt.exec:\bntntt.exe82⤵PID:2448
-
\??\c:\vjpjj.exec:\vjpjj.exe83⤵PID:1716
-
\??\c:\vpvdd.exec:\vpvdd.exe84⤵PID:1740
-
\??\c:\7vjjj.exec:\7vjjj.exe85⤵PID:3028
-
\??\c:\frfflfr.exec:\frfflfr.exe86⤵PID:2848
-
\??\c:\frxrfxx.exec:\frxrfxx.exe87⤵PID:2868
-
\??\c:\xrrxllr.exec:\xrrxllr.exe88⤵PID:2872
-
\??\c:\hbttnh.exec:\hbttnh.exe89⤵PID:2752
-
\??\c:\nbbhhh.exec:\nbbhhh.exe90⤵PID:1832
-
\??\c:\pdpjv.exec:\pdpjv.exe91⤵PID:884
-
\??\c:\9vvvp.exec:\9vvvp.exe92⤵PID:2040
-
\??\c:\3dpdj.exec:\3dpdj.exe93⤵PID:2768
-
\??\c:\xrfxxxr.exec:\xrfxxxr.exe94⤵PID:1200
-
\??\c:\xrlfrfl.exec:\xrlfrfl.exe95⤵PID:1512
-
\??\c:\3rflffl.exec:\3rflffl.exe96⤵PID:1404
-
\??\c:\nbtbnn.exec:\nbtbnn.exe97⤵PID:3020
-
\??\c:\5nhbhb.exec:\5nhbhb.exe98⤵PID:3012
-
\??\c:\7hhbhb.exec:\7hhbhb.exe99⤵PID:2284
-
\??\c:\ppjdd.exec:\ppjdd.exe100⤵PID:1924
-
\??\c:\pjvjd.exec:\pjvjd.exe101⤵PID:580
-
\??\c:\fxxllrx.exec:\fxxllrx.exe102⤵PID:708
-
\??\c:\llxfflf.exec:\llxfflf.exe103⤵PID:1624
-
\??\c:\btbnbb.exec:\btbnbb.exe104⤵PID:1640
-
\??\c:\httbnb.exec:\httbnb.exe105⤵PID:1300
-
\??\c:\ppjpv.exec:\ppjpv.exe106⤵PID:1868
-
\??\c:\vdvdd.exec:\vdvdd.exe107⤵PID:1812
-
\??\c:\vjvvj.exec:\vjvvj.exe108⤵PID:2304
-
\??\c:\9rrrrlr.exec:\9rrrrlr.exe109⤵PID:1264
-
\??\c:\rrffflr.exec:\rrffflr.exe110⤵PID:1944
-
\??\c:\llxlxxl.exec:\llxlxxl.exe111⤵PID:2984
-
\??\c:\nhhnbb.exec:\nhhnbb.exe112⤵PID:1500
-
\??\c:\htbbhn.exec:\htbbhn.exe113⤵PID:1796
-
\??\c:\3tnnhn.exec:\3tnnhn.exe114⤵PID:2320
-
\??\c:\vjvjp.exec:\vjvjp.exe115⤵PID:2364
-
\??\c:\pjdpp.exec:\pjdpp.exe116⤵PID:2964
-
\??\c:\7jppv.exec:\7jppv.exe117⤵PID:2348
-
\??\c:\fxllrlf.exec:\fxllrlf.exe118⤵PID:564
-
\??\c:\lfllxxf.exec:\lfllxxf.exe119⤵PID:2500
-
\??\c:\lfrxfll.exec:\lfrxfll.exe120⤵PID:2704
-
\??\c:\5bhntt.exec:\5bhntt.exe121⤵PID:2856
-
\??\c:\thtntn.exec:\thtntn.exe122⤵PID:2220