Analysis
-
max time kernel
150s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system -
submitted
06-06-2024 05:02
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
9a0250adb2ba927f8f839f2be837501a_JaffaCakes118.exe
Resource
win7-20240221-en
5 signatures
150 seconds
General
-
Target
9a0250adb2ba927f8f839f2be837501a_JaffaCakes118.exe
-
Size
193KB
-
MD5
9a0250adb2ba927f8f839f2be837501a
-
SHA1
27393415e043ad689916e08cecddaf233d533d61
-
SHA256
10343942e861772e1d1925aed7189f45da3fb52c4933399213ff896ead2844e6
-
SHA512
efc4ef8a357526c4a73f357617e8781dcfc02b3d95d9cc8600aa4c1a6df2f6c786583f333e79f92539c0008d28be4a0a16795b10712a8452c095275165f51066
-
SSDEEP
1536:PvQBeOGtrYSSsrc93UBIfdC67m6AJiqyByFEyDRZ8CsLJ:PhOm2sI93UufdC67cihByiylmCsl
Malware Config
Signatures
-
Detect Blackmoon payload 45 IoCs
Processes:
resource yara_rule behavioral1/memory/2748-7-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2196-11-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2204-29-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2540-48-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/3036-66-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/380-83-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2944-116-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/780-134-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/1708-186-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2100-212-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/1564-239-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2128-230-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2100-215-0x0000000000220000-0x0000000000249000-memory.dmp family_blackmoon behavioral1/memory/2308-195-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2684-161-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2704-153-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2688-149-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2432-75-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2724-57-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2700-44-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/1064-20-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon 
behavioral1/memory/2808-263-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2384-272-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/1064-314-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2564-328-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/1836-365-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2800-378-0x0000000000220000-0x0000000000249000-memory.dmp family_blackmoon behavioral1/memory/2968-392-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2520-406-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/1980-419-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/320-446-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/1760-473-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/976-524-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2064-525-0x0000000000220000-0x0000000000249000-memory.dmp family_blackmoon behavioral1/memory/1008-567-0x0000000000220000-0x0000000000249000-memory.dmp family_blackmoon behavioral1/memory/1380-580-0x0000000000220000-0x0000000000249000-memory.dmp family_blackmoon behavioral1/memory/1380-578-0x0000000000220000-0x0000000000249000-memory.dmp family_blackmoon behavioral1/memory/2576-607-0x0000000000220000-0x0000000000249000-memory.dmp family_blackmoon behavioral1/memory/2728-634-0x00000000001B0000-0x00000000001D9000-memory.dmp family_blackmoon behavioral1/memory/1836-656-0x0000000000220000-0x0000000000249000-memory.dmp family_blackmoon behavioral1/memory/400-734-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2756-945-0x00000000002C0000-0x00000000002E9000-memory.dmp family_blackmoon 
behavioral1/memory/1828-1031-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/1828-1065-0x0000000000220000-0x0000000000249000-memory.dmp family_blackmoon behavioral1/memory/1764-1212-0x00000000002C0000-0x00000000002E9000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
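Processes: (PIDs are reused during this run: 1064 appears for both nnhnhn.exe and 9hbttb.exe, and 2924 for both 7nhbbh.exe and lfrxfrf.exe, so read each PID together with its image name.)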
0840268.exennhnhn.exenhhhht.exe6422668.exe88624.exerfrllrf.exe82446.exew08022.exe0806662.exebthhnn.exe1xllflr.exe7nhbbh.exe42684.exem6844.exevjpvj.exe240288.exethtnnn.exe824422.exe4862668.exettnhtn.exe9vdjd.exe88682.exe080066.exe6640602.exe642462.exe3btthn.exe602848.exelfrlxfr.exevpjdv.exejvjvp.exek86844.exea6886.exee20244.exe8226824.exee08848.exe9hbttb.exetbhnbn.exehtbbhb.exevvvjv.exe862204.exelxrllfl.exe9pddj.exe9dvvj.exe4282884.exebhnhnt.exe6028046.exes4284.exelfrxfrf.exepdpjp.exebnttbt.exe0282440.exetnbtbt.exee42888.exe1hthhn.exehtnntn.exelxrxffl.exe2640226.exek46804.exelxxfffl.exedvddd.exetnbbtt.exe424662.exe48662.exe424440.exepid process 2196 0840268.exe 1064 nnhnhn.exe 2204 nhhhht.exe 2700 6422668.exe 2540 88624.exe 2724 rfrllrf.exe 3036 82446.exe 2432 w08022.exe 380 0806662.exe 2960 bthhnn.exe 1768 1xllflr.exe 2924 7nhbbh.exe 2944 42684.exe 2032 m6844.exe 780 vjpvj.exe 2688 240288.exe 2704 thtnnn.exe 2684 824422.exe 1748 4862668.exe 1780 ttnhtn.exe 1708 9vdjd.exe 2308 88682.exe 2876 080066.exe 2100 6640602.exe 1032 642462.exe 2128 3btthn.exe 1564 602848.exe 1876 lfrlxfr.exe 2808 vpjdv.exe 2384 jvjvp.exe 3032 k86844.exe 1400 a6886.exe 912 e20244.exe 2908 8226824.exe 2844 e08848.exe 1064 9hbttb.exe 1764 tbhnbn.exe 2564 htbbhb.exe 1312 vvvjv.exe 2596 862204.exe 2728 lxrllfl.exe 2652 9pddj.exe 2452 9dvvj.exe 1836 4282884.exe 2232 bhnhnt.exe 2800 6028046.exe 1324 s4284.exe 2924 lfrxfrf.exe 2968 pdpjp.exe 2520 bnttbt.exe 2556 0282440.exe 344 tnbtbt.exe 1980 e42888.exe 1604 1hthhn.exe 2996 htnntn.exe 320 lxrxffl.exe 1828 2640226.exe 1716 k46804.exe 1820 lxxfffl.exe 1460 dvddd.exe 1760 tnbbtt.exe 2064 424662.exe 1776 48662.exe 1684 424440.exe -
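Processes: (this table lists memory regions matching the `upx` YARA rule; its signature heading is missing from the page, and it is a separate finding from "Executes dropped EXE" above)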
resource yara_rule behavioral1/memory/2748-7-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2196-11-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2204-29-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2540-48-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/3036-66-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/380-83-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2944-116-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/780-134-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2688-141-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1708-186-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2100-212-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1564-239-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2128-230-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2308-195-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1876-250-0x0000000000220000-0x0000000000249000-memory.dmp upx behavioral1/memory/2684-161-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2704-153-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2688-149-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2432-75-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2724-57-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2700-44-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1064-20-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2808-263-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2384-272-0x0000000000400000-0x0000000000429000-memory.dmp upx 
behavioral1/memory/1064-314-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2564-328-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1836-365-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2968-392-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2520-406-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1980-419-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1604-426-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2996-433-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/320-446-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1716-453-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1460-466-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1760-473-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2276-504-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/976-524-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/284-539-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2152-546-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2188-594-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2728-634-0x00000000001B0000-0x00000000001D9000-memory.dmp upx behavioral1/memory/2580-645-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2504-702-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2252-715-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/400-734-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2412-759-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2404-766-0x0000000000400000-0x0000000000429000-memory.dmp upx 
behavioral1/memory/1856-815-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/920-840-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2272-893-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1828-1031-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/540-1039-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2528-1046-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/696-1097-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2176-1178-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2964-1204-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2176-1218-0x0000000000220000-0x0000000000249000-memory.dmp upx behavioral1/memory/2324-1261-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2780-1292-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/320-1299-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1640-1306-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1920-1338-0x0000000000400000-0x0000000000429000-memory.dmp upx -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
9a0250adb2ba927f8f839f2be837501a_JaffaCakes118.exe0840268.exennhnhn.exenhhhht.exe6422668.exe88624.exerfrllrf.exe82446.exew08022.exe0806662.exebthhnn.exe1xllflr.exe7nhbbh.exe42684.exem6844.exevjpvj.exedescription pid process target process PID 2748 wrote to memory of 2196 2748 9a0250adb2ba927f8f839f2be837501a_JaffaCakes118.exe 0840268.exe PID 2748 wrote to memory of 2196 2748 9a0250adb2ba927f8f839f2be837501a_JaffaCakes118.exe 0840268.exe PID 2748 wrote to memory of 2196 2748 9a0250adb2ba927f8f839f2be837501a_JaffaCakes118.exe 0840268.exe PID 2748 wrote to memory of 2196 2748 9a0250adb2ba927f8f839f2be837501a_JaffaCakes118.exe 0840268.exe PID 2196 wrote to memory of 1064 2196 0840268.exe nnhnhn.exe PID 2196 wrote to memory of 1064 2196 0840268.exe nnhnhn.exe PID 2196 wrote to memory of 1064 2196 0840268.exe nnhnhn.exe PID 2196 wrote to memory of 1064 2196 0840268.exe nnhnhn.exe PID 1064 wrote to memory of 2204 1064 nnhnhn.exe nhhhht.exe PID 1064 wrote to memory of 2204 1064 nnhnhn.exe nhhhht.exe PID 1064 wrote to memory of 2204 1064 nnhnhn.exe nhhhht.exe PID 1064 wrote to memory of 2204 1064 nnhnhn.exe nhhhht.exe PID 2204 wrote to memory of 2700 2204 nhhhht.exe 6422668.exe PID 2204 wrote to memory of 2700 2204 nhhhht.exe 6422668.exe PID 2204 wrote to memory of 2700 2204 nhhhht.exe 6422668.exe PID 2204 wrote to memory of 2700 2204 nhhhht.exe 6422668.exe PID 2700 wrote to memory of 2540 2700 6422668.exe 88624.exe PID 2700 wrote to memory of 2540 2700 6422668.exe 88624.exe PID 2700 wrote to memory of 2540 2700 6422668.exe 88624.exe PID 2700 wrote to memory of 2540 2700 6422668.exe 88624.exe PID 2540 wrote to memory of 2724 2540 88624.exe rfrllrf.exe PID 2540 wrote to memory of 2724 2540 88624.exe rfrllrf.exe PID 2540 wrote to memory of 2724 2540 88624.exe rfrllrf.exe PID 2540 wrote to memory of 2724 2540 88624.exe rfrllrf.exe PID 2724 wrote to memory of 3036 2724 rfrllrf.exe 82446.exe PID 2724 wrote to memory of 3036 2724 rfrllrf.exe 82446.exe PID 2724 wrote to memory of 
3036 2724 rfrllrf.exe 82446.exe PID 2724 wrote to memory of 3036 2724 rfrllrf.exe 82446.exe PID 3036 wrote to memory of 2432 3036 82446.exe w08022.exe PID 3036 wrote to memory of 2432 3036 82446.exe w08022.exe PID 3036 wrote to memory of 2432 3036 82446.exe w08022.exe PID 3036 wrote to memory of 2432 3036 82446.exe w08022.exe PID 2432 wrote to memory of 380 2432 w08022.exe 0806662.exe PID 2432 wrote to memory of 380 2432 w08022.exe 0806662.exe PID 2432 wrote to memory of 380 2432 w08022.exe 0806662.exe PID 2432 wrote to memory of 380 2432 w08022.exe 0806662.exe PID 380 wrote to memory of 2960 380 0806662.exe bthhnn.exe PID 380 wrote to memory of 2960 380 0806662.exe bthhnn.exe PID 380 wrote to memory of 2960 380 0806662.exe bthhnn.exe PID 380 wrote to memory of 2960 380 0806662.exe bthhnn.exe PID 2960 wrote to memory of 1768 2960 bthhnn.exe 1xllflr.exe PID 2960 wrote to memory of 1768 2960 bthhnn.exe 1xllflr.exe PID 2960 wrote to memory of 1768 2960 bthhnn.exe 1xllflr.exe PID 2960 wrote to memory of 1768 2960 bthhnn.exe 1xllflr.exe PID 1768 wrote to memory of 2924 1768 1xllflr.exe 7nhbbh.exe PID 1768 wrote to memory of 2924 1768 1xllflr.exe 7nhbbh.exe PID 1768 wrote to memory of 2924 1768 1xllflr.exe 7nhbbh.exe PID 1768 wrote to memory of 2924 1768 1xllflr.exe 7nhbbh.exe PID 2924 wrote to memory of 2944 2924 7nhbbh.exe 42684.exe PID 2924 wrote to memory of 2944 2924 7nhbbh.exe 42684.exe PID 2924 wrote to memory of 2944 2924 7nhbbh.exe 42684.exe PID 2924 wrote to memory of 2944 2924 7nhbbh.exe 42684.exe PID 2944 wrote to memory of 2032 2944 42684.exe m6844.exe PID 2944 wrote to memory of 2032 2944 42684.exe m6844.exe PID 2944 wrote to memory of 2032 2944 42684.exe m6844.exe PID 2944 wrote to memory of 2032 2944 42684.exe m6844.exe PID 2032 wrote to memory of 780 2032 m6844.exe vjpvj.exe PID 2032 wrote to memory of 780 2032 m6844.exe vjpvj.exe PID 2032 wrote to memory of 780 2032 m6844.exe vjpvj.exe PID 2032 wrote to memory of 780 2032 m6844.exe vjpvj.exe PID 780 
wrote to memory of 2688 780 vjpvj.exe 240288.exe PID 780 wrote to memory of 2688 780 vjpvj.exe 240288.exe PID 780 wrote to memory of 2688 780 vjpvj.exe 240288.exe PID 780 wrote to memory of 2688 780 vjpvj.exe 240288.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\9a0250adb2ba927f8f839f2be837501a_JaffaCakes118.exe "C:\Users\Admin\AppData\Local\Temp\9a0250adb2ba927f8f839f2be837501a_JaffaCakes118.exe" 1⤵
- Suspicious use of WriteProcessMemory
PID:2748 -
\??\c:\0840268.exec:\0840268.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2196 -
\??\c:\nnhnhn.exec:\nnhnhn.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1064 -
\??\c:\nhhhht.exec:\nhhhht.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2204 -
\??\c:\6422668.exec:\6422668.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2700 -
\??\c:\88624.exec:\88624.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2540 -
\??\c:\rfrllrf.exec:\rfrllrf.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2724 -
\??\c:\82446.exec:\82446.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3036 -
\??\c:\w08022.exec:\w08022.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2432 -
\??\c:\0806662.exec:\0806662.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:380 -
\??\c:\bthhnn.exec:\bthhnn.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2960 -
\??\c:\1xllflr.exec:\1xllflr.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1768 -
\??\c:\7nhbbh.exec:\7nhbbh.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2924 -
\??\c:\42684.exec:\42684.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2944 -
\??\c:\m6844.exec:\m6844.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2032 -
\??\c:\vjpvj.exec:\vjpvj.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:780 -
\??\c:\240288.exec:\240288.exe17⤵
- Executes dropped EXE
PID:2688 -
\??\c:\thtnnn.exec:\thtnnn.exe18⤵
- Executes dropped EXE
PID:2704 -
\??\c:\824422.exec:\824422.exe19⤵
- Executes dropped EXE
PID:2684 -
\??\c:\4862668.exec:\4862668.exe20⤵
- Executes dropped EXE
PID:1748 -
\??\c:\ttnhtn.exec:\ttnhtn.exe21⤵
- Executes dropped EXE
PID:1780 -
\??\c:\9vdjd.exec:\9vdjd.exe22⤵
- Executes dropped EXE
PID:1708 -
\??\c:\88682.exec:\88682.exe23⤵
- Executes dropped EXE
PID:2308 -
\??\c:\080066.exec:\080066.exe24⤵
- Executes dropped EXE
PID:2876 -
\??\c:\6640602.exec:\6640602.exe25⤵
- Executes dropped EXE
PID:2100 -
\??\c:\642462.exec:\642462.exe26⤵
- Executes dropped EXE
PID:1032 -
\??\c:\3btthn.exec:\3btthn.exe27⤵
- Executes dropped EXE
PID:2128 -
\??\c:\602848.exec:\602848.exe28⤵
- Executes dropped EXE
PID:1564 -
\??\c:\lfrlxfr.exec:\lfrlxfr.exe29⤵
- Executes dropped EXE
PID:1876 -
\??\c:\vpjdv.exec:\vpjdv.exe30⤵
- Executes dropped EXE
PID:2808 -
\??\c:\jvjvp.exec:\jvjvp.exe31⤵
- Executes dropped EXE
PID:2384 -
\??\c:\k86844.exec:\k86844.exe32⤵
- Executes dropped EXE
PID:3032 -
\??\c:\a6886.exec:\a6886.exe33⤵
- Executes dropped EXE
PID:1400 -
\??\c:\e20244.exec:\e20244.exe34⤵
- Executes dropped EXE
PID:912 -
\??\c:\8226824.exec:\8226824.exe35⤵
- Executes dropped EXE
PID:2908 -
\??\c:\e08848.exec:\e08848.exe36⤵
- Executes dropped EXE
PID:2844 -
\??\c:\9hbttb.exec:\9hbttb.exe37⤵
- Executes dropped EXE
PID:1064 -
\??\c:\tbhnbn.exec:\tbhnbn.exe38⤵
- Executes dropped EXE
PID:1764 -
\??\c:\htbbhb.exec:\htbbhb.exe39⤵
- Executes dropped EXE
PID:2564 -
\??\c:\vvvjv.exec:\vvvjv.exe40⤵
- Executes dropped EXE
PID:1312 -
\??\c:\862204.exec:\862204.exe41⤵
- Executes dropped EXE
PID:2596 -
\??\c:\lxrllfl.exec:\lxrllfl.exe42⤵
- Executes dropped EXE
PID:2728 -
\??\c:\9pddj.exec:\9pddj.exe43⤵
- Executes dropped EXE
PID:2652 -
\??\c:\9dvvj.exec:\9dvvj.exe44⤵
- Executes dropped EXE
PID:2452 -
\??\c:\4282884.exec:\4282884.exe45⤵
- Executes dropped EXE
PID:1836 -
\??\c:\bhnhnt.exec:\bhnhnt.exe46⤵
- Executes dropped EXE
PID:2232 -
\??\c:\6028046.exec:\6028046.exe47⤵
- Executes dropped EXE
PID:2800 -
\??\c:\s4284.exec:\s4284.exe48⤵
- Executes dropped EXE
PID:1324 -
\??\c:\lfrxfrf.exec:\lfrxfrf.exe49⤵
- Executes dropped EXE
PID:2924 -
\??\c:\pdpjp.exec:\pdpjp.exe50⤵
- Executes dropped EXE
PID:2968 -
\??\c:\bnttbt.exec:\bnttbt.exe51⤵
- Executes dropped EXE
PID:2520 -
\??\c:\0282440.exec:\0282440.exe52⤵
- Executes dropped EXE
PID:2556 -
\??\c:\tnbtbt.exec:\tnbtbt.exe53⤵
- Executes dropped EXE
PID:344 -
\??\c:\e42888.exec:\e42888.exe54⤵
- Executes dropped EXE
PID:1980 -
\??\c:\1hthhn.exec:\1hthhn.exe55⤵
- Executes dropped EXE
PID:1604 -
\??\c:\htnntn.exec:\htnntn.exe56⤵
- Executes dropped EXE
PID:2996 -
\??\c:\lxrxffl.exec:\lxrxffl.exe57⤵
- Executes dropped EXE
PID:320 -
\??\c:\2640226.exec:\2640226.exe58⤵
- Executes dropped EXE
PID:1828 -
\??\c:\k46804.exec:\k46804.exe59⤵
- Executes dropped EXE
PID:1716 -
\??\c:\lxxfffl.exec:\lxxfffl.exe60⤵
- Executes dropped EXE
PID:1820 -
\??\c:\dvddd.exec:\dvddd.exe61⤵
- Executes dropped EXE
PID:1460 -
\??\c:\tnbbtt.exec:\tnbbtt.exe62⤵
- Executes dropped EXE
PID:1760 -
\??\c:\424662.exec:\424662.exe63⤵
- Executes dropped EXE
PID:2064 -
\??\c:\48662.exec:\48662.exe64⤵
- Executes dropped EXE
PID:1776 -
\??\c:\424440.exec:\424440.exe65⤵
- Executes dropped EXE
PID:1684 -
\??\c:\o004084.exec:\o004084.exe66⤵PID:1188
-
\??\c:\bntbhn.exec:\bntbhn.exe67⤵PID:2276
-
\??\c:\6428440.exec:\6428440.exe68⤵PID:896
-
\??\c:\7xxfrxf.exec:\7xxfrxf.exe69⤵PID:976
-
\??\c:\hbttbb.exec:\hbttbb.exe70⤵PID:1516
-
\??\c:\xlxrxxr.exec:\xlxrxxr.exe71⤵PID:1880
-
\??\c:\frxfrxf.exec:\frxfrxf.exe72⤵PID:284
-
\??\c:\fxllxxf.exec:\fxllxxf.exe73⤵PID:2152
-
\??\c:\268406.exec:\268406.exe74⤵PID:1036
-
\??\c:\5htnhn.exec:\5htnhn.exe75⤵PID:2336
-
\??\c:\00624.exec:\00624.exe76⤵PID:1008
-
\??\c:\3hbbnn.exec:\3hbbnn.exe77⤵PID:1380
-
\??\c:\xlfxflr.exec:\xlfxflr.exe78⤵PID:1752
-
\??\c:\c608628.exec:\c608628.exe79⤵PID:2000
-
\??\c:\820244.exec:\820244.exe80⤵PID:2188
-
\??\c:\bbhnbh.exec:\bbhnbh.exe81⤵PID:2576
-
\??\c:\jpddj.exec:\jpddj.exe82⤵PID:2568
-
\??\c:\424400.exec:\424400.exe83⤵PID:2564
-
\??\c:\9dppp.exec:\9dppp.exe84⤵PID:2856
-
\??\c:\648888.exec:\648888.exe85⤵PID:2456
-
\??\c:\646688.exec:\646688.exe86⤵PID:2728
-
\??\c:\82446.exec:\82446.exe87⤵PID:2464
-
\??\c:\llxfrxf.exec:\llxfrxf.exe88⤵PID:2580
-
\??\c:\m2020.exec:\m2020.exe89⤵PID:1836
-
\??\c:\w86202.exec:\w86202.exe90⤵PID:2232
-
\??\c:\bthhnh.exec:\bthhnh.exe91⤵PID:924
-
\??\c:\hbtthb.exec:\hbtthb.exe92⤵PID:3060
-
\??\c:\tnbnht.exec:\tnbnht.exe93⤵PID:2948
-
\??\c:\4806824.exec:\4806824.exe94⤵PID:2824
-
\??\c:\9nbnbb.exec:\9nbnbb.exe95⤵PID:1480
-
\??\c:\60840.exec:\60840.exe96⤵PID:2556
-
\??\c:\tnnntb.exec:\tnnntb.exe97⤵PID:2504
-
\??\c:\fxlfflx.exec:\fxlfflx.exe98⤵PID:1596
-
\??\c:\86228.exec:\86228.exe99⤵PID:2252
-
\??\c:\c406666.exec:\c406666.exe100⤵PID:2704
-
\??\c:\o806008.exec:\o806008.exe101⤵PID:400
-
\??\c:\268066.exec:\268066.exe102⤵PID:1640
-
\??\c:\rfxrrrl.exec:\rfxrrrl.exe103⤵PID:1780
-
\??\c:\i462446.exec:\i462446.exe104⤵PID:2264
-
\??\c:\6608068.exec:\6608068.exe105⤵PID:1820
-
\??\c:\6462446.exec:\6462446.exe106⤵PID:2412
-
\??\c:\4240662.exec:\4240662.exe107⤵PID:2404
-
\??\c:\xrllxxx.exec:\xrllxxx.exe108⤵PID:564
-
\??\c:\pjvvd.exec:\pjvvd.exe109⤵PID:608
-
\??\c:\hbnthh.exec:\hbnthh.exe110⤵PID:1504
-
\??\c:\jdpvd.exec:\jdpvd.exe111⤵PID:1260
-
\??\c:\w80000.exec:\w80000.exe112⤵PID:1956
-
\??\c:\2602406.exec:\2602406.exe113⤵PID:1564
-
\??\c:\20660.exec:\20660.exe114⤵PID:976
-
\??\c:\i028880.exec:\i028880.exe115⤵PID:1856
-
\??\c:\1vjjv.exec:\1vjjv.exe116⤵PID:1624
-
\??\c:\26406.exec:\26406.exe117⤵PID:1872
-
\??\c:\i200222.exec:\i200222.exe118⤵PID:628
-
\??\c:\nnhntt.exec:\nnhntt.exe119⤵PID:920
-
\??\c:\648026.exec:\648026.exe120⤵PID:2120
-
\??\c:\hhtbnn.exec:\hhtbnn.exe121⤵PID:2084
-
\??\c:\5tnhtn.exec:\5tnhtn.exe122⤵PID:1400
-