Analysis
- max time kernel: 150s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20240508-en
- resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
- submitted: 06-06-2024 05:56
Static task
- static1: 1 signatures
Behavioral task
- behavioral1
- Sample: c67ef46a6691e111bc5e08105e6aca3b96af382518144c262b8ed91a3c2d4fe8.exe
- Resource: win7-20240508-en
- 6 signatures
- 150 seconds
General
- Target: c67ef46a6691e111bc5e08105e6aca3b96af382518144c262b8ed91a3c2d4fe8.exe
- Size: 313KB
- MD5: 758d9e1617a7f98dcbc8be8015627d18
- SHA1: cf84fa9a564d589774f701a56f216500abc15661
- SHA256: c67ef46a6691e111bc5e08105e6aca3b96af382518144c262b8ed91a3c2d4fe8
- SHA512: a9f0956f16c9d053511afc75626026000e695f06712fcf19fdaa330f1368220028d388899fb4b5e32c658efdae0178ac50014056184d21cbece1d7bfc4241921
- SSDEEP: 6144:n3C9BRo/AIX2h97aUzpbBj3+b2ziJC39QS8hDJd+Q7ZLbjwB:n3C9uDC97aUFbZ42ziM39QS8hDJd+Q7W
Malware Config
Signatures
Detect Blackmoon payload 23 IoCs
UPX dump on OEP (original entry point) 29 IoCs
Executes dropped EXE 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
- "C:\Users\Admin\AppData\Local\Temp\c67ef46a6691e111bc5e08105e6aca3b96af382518144c262b8ed91a3c2d4fe8.exe" (PID: 2116)
  - Suspicious use of WriteProcessMemory