Analysis
-
max time kernel
150s -
max time network
113s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240508-en locale:en-us os:windows10-2004-x64 system -
submitted
06-06-2024 05:56
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
c67ef46a6691e111bc5e08105e6aca3b96af382518144c262b8ed91a3c2d4fe8.exe
Resource
win7-20240508-en
6 signatures
150 seconds
General
-
Target
c67ef46a6691e111bc5e08105e6aca3b96af382518144c262b8ed91a3c2d4fe8.exe
-
Size
313KB
-
MD5
758d9e1617a7f98dcbc8be8015627d18
-
SHA1
cf84fa9a564d589774f701a56f216500abc15661
-
SHA256
c67ef46a6691e111bc5e08105e6aca3b96af382518144c262b8ed91a3c2d4fe8
-
SHA512
a9f0956f16c9d053511afc75626026000e695f06712fcf19fdaa330f1368220028d388899fb4b5e32c658efdae0178ac50014056184d21cbece1d7bfc4241921
-
SSDEEP
6144:n3C9BRo/AIX2h97aUzpbBj3+b2ziJC39QS8hDJd+Q7ZLbjwB:n3C9uDC97aUFbZ42ziM39QS8hDJd+Q7W
Malware Config
Signatures
-
Detect Blackmoon payload 32 IoCs
Processes:
resource yara_rule behavioral2/memory/3828-4-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4872-10-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/932-18-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3200-46-0x0000000000401000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/408-189-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3672-183-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3576-176-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4964-171-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1324-165-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4064-159-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1888-147-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4484-134-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3852-129-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4804-117-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4456-105-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4136-99-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4968-93-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4544-87-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1568-82-0x0000000000401000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/640-75-0x0000000000401000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/640-74-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon 
behavioral2/memory/656-67-0x0000000000401000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/656-66-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1996-60-0x0000000000401000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1996-59-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4524-53-0x0000000000401000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4524-52-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3200-45-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3916-40-0x0000000000401000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3916-38-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/224-32-0x0000000000401000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/224-31-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon -
UPX dump on OEP (original entry point) 25 IoCs
Processes:
resource yara_rule behavioral2/memory/3828-4-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/4872-10-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/932-18-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/408-189-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/3672-183-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/3576-176-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/4964-171-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/1324-165-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/4064-159-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/1888-147-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/4484-134-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/3852-129-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/4804-117-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/4456-105-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/4136-99-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/4968-93-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/4544-87-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/640-74-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/656-66-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/1996-59-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/4524-52-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/3200-45-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/3916-38-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/224-31-0x0000000000400000-0x0000000000429000-memory.dmp UPX 
behavioral2/memory/932-17-0x0000000000400000-0x0000000000429000-memory.dmp UPX -
Executes dropped EXE 64 IoCs
Processes:
rfffxxr.exe hthhhh.exe nhnhhb.exe vdjdd.exe xrfxxxr.exe lrrffrr.exe ntnhhh.exe vjvpj.exe vdjdd.exe fxxxxxl.exe rrfxlfr.exe nhnhhn.exe jdjdd.exe 7ddvp.exe lllllll.exe xrfxxrr.exe ttttnn.exe dvjdj.exe ddjjv.exe 9rxrlll.exe 7lfxxrx.exe hnbtnn.exe 1thtnn.exe dvjjp.exe rrxxxxx.exe 1lrlfff.exe nnnnnn.exe hhbbhh.exe 9djjd.exe xrfxxff.exe xrxxxxr.exe 3bnhtt.exe hhnbnb.exe pjpvp.exe 7xxrrrr.exe lfxxrrl.exe bhnnnn.exe bbnntt.exe jdjdv.exe rlrlfff.exe xrxxrrr.exe thtnnh.exe bnthhb.exe jvvvv.exe vdjjd.exe lxrlffx.exe thttbh.exe 3ttnnt.exe dpvpp.exe jdjjj.exe frrlfxx.exe nhhhbb.exe hbbhbb.exe vjpdv.exe 5fxlffr.exe lfllxxr.exe tnntnb.exe ttbhbt.exe vpvpj.exe fllfxrr.exe 9rxxrfx.exe nbnbbn.exe pvjpp.exe xffxxxr.exe
pid process
4872 rfffxxr.exe
932 hthhhh.exe
224 nhnhhb.exe
3916 vdjdd.exe
3200 xrfxxxr.exe
4524 lrrffrr.exe
1996 ntnhhh.exe
656 vjvpj.exe
640 vdjdd.exe
1568 fxxxxxl.exe
4544 rrfxlfr.exe
4968 nhnhhn.exe
4136 jdjdd.exe
4456 7ddvp.exe
2684 lllllll.exe
4804 xrfxxrr.exe
3852 ttttnn.exe
4484 dvjdj.exe
3296 ddjjv.exe
4188 9rxrlll.exe
1888 7lfxxrx.exe
3340 hnbtnn.exe
4064 1thtnn.exe
1324 dvjjp.exe
4964 rrxxxxx.exe
3576 1lrlfff.exe
3672 nnnnnn.exe
408 hhbbhh.exe
628 9djjd.exe
1564 xrfxxff.exe
1376 xrxxxxr.exe
60 3bnhtt.exe
2392 hhnbnb.exe
1632 pjpvp.exe
2728 7xxrrrr.exe
4228 lfxxrrl.exe
2152 bhnnnn.exe
4408 bbnntt.exe
4440 jdjdv.exe
2128 rlrlfff.exe
1828 xrxxrrr.exe
2476 thtnnh.exe
3624 bnthhb.exe
3976 jvvvv.exe
4572 vdjjd.exe
4840 lxrlffx.exe
1336 thttbh.exe
5008 3ttnnt.exe
4784 dpvpp.exe
2832 jdjjj.exe
3972 frrlfxx.exe
876 nhhhbb.exe
4544 hbbhbb.exe
2292 vjpdv.exe
2964 5fxlffr.exe
2496 lfllxxr.exe
4976 tnntnb.exe
3688 ttbhbt.exe
420 vpvpj.exe
3636 fllfxrr.exe
2284 9rxxrfx.exe
4100 nbnbbn.exe
4528 pvjpp.exe
668 xffxxxr.exe
-
Processes:
resource yara_rule behavioral2/memory/3828-4-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4872-10-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/932-18-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/408-189-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3672-183-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3576-176-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4964-171-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1324-165-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4064-159-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1888-147-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4484-134-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3852-129-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4804-117-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4456-105-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4136-99-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4968-93-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4544-87-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/640-74-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/656-66-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1996-59-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4524-52-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3200-45-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3916-38-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/224-31-0x0000000000400000-0x0000000000429000-memory.dmp upx 
behavioral2/memory/932-17-0x0000000000400000-0x0000000000429000-memory.dmp upx -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
c67ef46a6691e111bc5e08105e6aca3b96af382518144c262b8ed91a3c2d4fe8.exe rfffxxr.exe hthhhh.exe nhnhhb.exe vdjdd.exe xrfxxxr.exe lrrffrr.exe ntnhhh.exe vjvpj.exe vdjdd.exe fxxxxxl.exe rrfxlfr.exe nhnhhn.exe jdjdd.exe 7ddvp.exe lllllll.exe xrfxxrr.exe ttttnn.exe dvjdj.exe ddjjv.exe 9rxrlll.exe 7lfxxrx.exe
description pid process target process
PID 3828 wrote to memory of 4872 3828 c67ef46a6691e111bc5e08105e6aca3b96af382518144c262b8ed91a3c2d4fe8.exe rfffxxr.exe
PID 3828 wrote to memory of 4872 3828 c67ef46a6691e111bc5e08105e6aca3b96af382518144c262b8ed91a3c2d4fe8.exe rfffxxr.exe
PID 3828 wrote to memory of 4872 3828 c67ef46a6691e111bc5e08105e6aca3b96af382518144c262b8ed91a3c2d4fe8.exe rfffxxr.exe
PID 4872 wrote to memory of 932 4872 rfffxxr.exe hthhhh.exe
PID 4872 wrote to memory of 932 4872 rfffxxr.exe hthhhh.exe
PID 4872 wrote to memory of 932 4872 rfffxxr.exe hthhhh.exe
PID 932 wrote to memory of 224 932 hthhhh.exe nhnhhb.exe
PID 932 wrote to memory of 224 932 hthhhh.exe nhnhhb.exe
PID 932 wrote to memory of 224 932 hthhhh.exe nhnhhb.exe
PID 224 wrote to memory of 3916 224 nhnhhb.exe vdjdd.exe
PID 224 wrote to memory of 3916 224 nhnhhb.exe vdjdd.exe
PID 224 wrote to memory of 3916 224 nhnhhb.exe vdjdd.exe
PID 3916 wrote to memory of 3200 3916 vdjdd.exe xrfxxxr.exe
PID 3916 wrote to memory of 3200 3916 vdjdd.exe xrfxxxr.exe
PID 3916 wrote to memory of 3200 3916 vdjdd.exe xrfxxxr.exe
PID 3200 wrote to memory of 4524 3200 xrfxxxr.exe lrrffrr.exe
PID 3200 wrote to memory of 4524 3200 xrfxxxr.exe lrrffrr.exe
PID 3200 wrote to memory of 4524 3200 xrfxxxr.exe lrrffrr.exe
PID 4524 wrote to memory of 1996 4524 lrrffrr.exe ntnhhh.exe
PID 4524 wrote to memory of 1996 4524 lrrffrr.exe ntnhhh.exe
PID 4524 wrote to memory of 1996 4524 lrrffrr.exe ntnhhh.exe
PID 1996 wrote to memory of 656 1996 ntnhhh.exe vjvpj.exe
PID 1996 wrote to memory of 656 1996 ntnhhh.exe vjvpj.exe
PID 1996 wrote to memory of 656 1996 ntnhhh.exe vjvpj.exe
PID 656 wrote to memory of 640 656 vjvpj.exe vdjdd.exe
PID 656 wrote to memory of 640 656 vjvpj.exe vdjdd.exe
PID 656 wrote to memory of 640 656 vjvpj.exe vdjdd.exe
PID 640 wrote to memory of 1568 640 vdjdd.exe fxxxxxl.exe
PID 640 wrote to memory of 1568 640 vdjdd.exe fxxxxxl.exe
PID 640 wrote to memory of 1568 640 vdjdd.exe fxxxxxl.exe
PID 1568 wrote to memory of 4544 1568 fxxxxxl.exe hbbhbb.exe
PID 1568 wrote to memory of 4544 1568 fxxxxxl.exe hbbhbb.exe
PID 1568 wrote to memory of 4544 1568 fxxxxxl.exe hbbhbb.exe
PID 4544 wrote to memory of 4968 4544 rrfxlfr.exe nhnhhn.exe
PID 4544 wrote to memory of 4968 4544 rrfxlfr.exe nhnhhn.exe
PID 4544 wrote to memory of 4968 4544 rrfxlfr.exe nhnhhn.exe
PID 4968 wrote to memory of 4136 4968 nhnhhn.exe jdjdd.exe
PID 4968 wrote to memory of 4136 4968 nhnhhn.exe jdjdd.exe
PID 4968 wrote to memory of 4136 4968 nhnhhn.exe jdjdd.exe
PID 4136 wrote to memory of 4456 4136 jdjdd.exe 7ddvp.exe
PID 4136 wrote to memory of 4456 4136 jdjdd.exe 7ddvp.exe
PID 4136 wrote to memory of 4456 4136 jdjdd.exe 7ddvp.exe
PID 4456 wrote to memory of 2684 4456 7ddvp.exe lllllll.exe
PID 4456 wrote to memory of 2684 4456 7ddvp.exe lllllll.exe
PID 4456 wrote to memory of 2684 4456 7ddvp.exe lllllll.exe
PID 2684 wrote to memory of 4804 2684 lllllll.exe xrfxxrr.exe
PID 2684 wrote to memory of 4804 2684 lllllll.exe xrfxxrr.exe
PID 2684 wrote to memory of 4804 2684 lllllll.exe xrfxxrr.exe
PID 4804 wrote to memory of 3852 4804 xrfxxrr.exe ttttnn.exe
PID 4804 wrote to memory of 3852 4804 xrfxxrr.exe ttttnn.exe
PID 4804 wrote to memory of 3852 4804 xrfxxrr.exe ttttnn.exe
PID 3852 wrote to memory of 4484 3852 ttttnn.exe dvjdj.exe
PID 3852 wrote to memory of 4484 3852 ttttnn.exe dvjdj.exe
PID 3852 wrote to memory of 4484 3852 ttttnn.exe dvjdj.exe
PID 4484 wrote to memory of 3296 4484 dvjdj.exe ddjjv.exe
PID 4484 wrote to memory of 3296 4484 dvjdj.exe ddjjv.exe
PID 4484 wrote to memory of 3296 4484 dvjdj.exe ddjjv.exe
PID 3296 wrote to memory of 4188 3296 ddjjv.exe 9rxrlll.exe
PID 3296 wrote to memory of 4188 3296 ddjjv.exe 9rxrlll.exe
PID 3296 wrote to memory of 4188 3296 ddjjv.exe 9rxrlll.exe
PID 4188 wrote to memory of 1888 4188 9rxrlll.exe 7lfxxrx.exe
PID 4188 wrote to memory of 1888 4188 9rxrlll.exe 7lfxxrx.exe
PID 4188 wrote to memory of 1888 4188 9rxrlll.exe 7lfxxrx.exe
PID 1888 wrote to memory of 3340 1888 7lfxxrx.exe hnbtnn.exe
Note: the three rows for PID 1568 name the target (PID 4544) as hbbhbb.exe, while the process tree in this report shows fxxxxxl.exe (1568) starting rrfxlfr.exe as PID 4544 and hbbhbb.exe receiving the same PID only later in the chain. The label is most likely a PID-reuse artifact of the report, so correlate these events on PID plus position in the chain rather than on image name alone.
Processes
-
C:\Users\Admin\AppData\Local\Temp\c67ef46a6691e111bc5e08105e6aca3b96af382518144c262b8ed91a3c2d4fe8.exe"C:\Users\Admin\AppData\Local\Temp\c67ef46a6691e111bc5e08105e6aca3b96af382518144c262b8ed91a3c2d4fe8.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3828 -
\??\c:\rfffxxr.exec:\rfffxxr.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4872 -
\??\c:\hthhhh.exec:\hthhhh.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:932 -
\??\c:\nhnhhb.exec:\nhnhhb.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:224 -
\??\c:\vdjdd.exec:\vdjdd.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3916 -
\??\c:\xrfxxxr.exec:\xrfxxxr.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3200 -
\??\c:\lrrffrr.exec:\lrrffrr.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4524 -
\??\c:\ntnhhh.exec:\ntnhhh.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1996 -
\??\c:\vjvpj.exec:\vjvpj.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:656 -
\??\c:\vdjdd.exec:\vdjdd.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:640 -
\??\c:\fxxxxxl.exec:\fxxxxxl.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1568 -
\??\c:\rrfxlfr.exec:\rrfxlfr.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4544 -
\??\c:\nhnhhn.exec:\nhnhhn.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4968 -
\??\c:\jdjdd.exec:\jdjdd.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4136 -
\??\c:\7ddvp.exec:\7ddvp.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4456 -
\??\c:\lllllll.exec:\lllllll.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2684 -
\??\c:\xrfxxrr.exec:\xrfxxrr.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4804 -
\??\c:\ttttnn.exec:\ttttnn.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3852 -
\??\c:\dvjdj.exec:\dvjdj.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4484 -
\??\c:\ddjjv.exec:\ddjjv.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3296 -
\??\c:\9rxrlll.exec:\9rxrlll.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4188 -
\??\c:\7lfxxrx.exec:\7lfxxrx.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1888 -
\??\c:\hnbtnn.exec:\hnbtnn.exe23⤵
- Executes dropped EXE
PID:3340 -
\??\c:\1thtnn.exec:\1thtnn.exe24⤵
- Executes dropped EXE
PID:4064 -
\??\c:\dvjjp.exec:\dvjjp.exe25⤵
- Executes dropped EXE
PID:1324 -
\??\c:\rrxxxxx.exec:\rrxxxxx.exe26⤵
- Executes dropped EXE
PID:4964 -
\??\c:\1lrlfff.exec:\1lrlfff.exe27⤵
- Executes dropped EXE
PID:3576 -
\??\c:\nnnnnn.exec:\nnnnnn.exe28⤵
- Executes dropped EXE
PID:3672 -
\??\c:\hhbbhh.exec:\hhbbhh.exe29⤵
- Executes dropped EXE
PID:408 -
\??\c:\9djjd.exec:\9djjd.exe30⤵
- Executes dropped EXE
PID:628 -
\??\c:\xrfxxff.exec:\xrfxxff.exe31⤵
- Executes dropped EXE
PID:1564 -
\??\c:\xrxxxxr.exec:\xrxxxxr.exe32⤵
- Executes dropped EXE
PID:1376 -
\??\c:\3bnhtt.exec:\3bnhtt.exe33⤵
- Executes dropped EXE
PID:60 -
\??\c:\hhnbnb.exec:\hhnbnb.exe34⤵
- Executes dropped EXE
PID:2392 -
\??\c:\pjpvp.exec:\pjpvp.exe35⤵
- Executes dropped EXE
PID:1632 -
\??\c:\7xxrrrr.exec:\7xxrrrr.exe36⤵
- Executes dropped EXE
PID:2728 -
\??\c:\lfxxrrl.exec:\lfxxrrl.exe37⤵
- Executes dropped EXE
PID:4228 -
\??\c:\bhnnnn.exec:\bhnnnn.exe38⤵
- Executes dropped EXE
PID:2152 -
\??\c:\bbnntt.exec:\bbnntt.exe39⤵
- Executes dropped EXE
PID:4408 -
\??\c:\jdjdv.exec:\jdjdv.exe40⤵
- Executes dropped EXE
PID:4440 -
\??\c:\rlrlfff.exec:\rlrlfff.exe41⤵
- Executes dropped EXE
PID:2128 -
\??\c:\xrxxrrr.exec:\xrxxrrr.exe42⤵
- Executes dropped EXE
PID:1828 -
\??\c:\thtnnh.exec:\thtnnh.exe43⤵
- Executes dropped EXE
PID:2476 -
\??\c:\bnthhb.exec:\bnthhb.exe44⤵
- Executes dropped EXE
PID:3624 -
\??\c:\jvvvv.exec:\jvvvv.exe45⤵
- Executes dropped EXE
PID:3976 -
\??\c:\vdjjd.exec:\vdjjd.exe46⤵
- Executes dropped EXE
PID:4572 -
\??\c:\lxrlffx.exec:\lxrlffx.exe47⤵
- Executes dropped EXE
PID:4840 -
\??\c:\thttbh.exec:\thttbh.exe48⤵
- Executes dropped EXE
PID:1336 -
\??\c:\3ttnnt.exec:\3ttnnt.exe49⤵
- Executes dropped EXE
PID:5008 -
\??\c:\dpvpp.exec:\dpvpp.exe50⤵
- Executes dropped EXE
PID:4784 -
\??\c:\jdjjj.exec:\jdjjj.exe51⤵
- Executes dropped EXE
PID:2832 -
\??\c:\frrlfxx.exec:\frrlfxx.exe52⤵
- Executes dropped EXE
PID:3972 -
\??\c:\nhhhbb.exec:\nhhhbb.exe53⤵
- Executes dropped EXE
PID:876 -
\??\c:\hbbhbb.exec:\hbbhbb.exe54⤵
- Executes dropped EXE
PID:4544 -
\??\c:\vjpdv.exec:\vjpdv.exe55⤵
- Executes dropped EXE
PID:2292 -
\??\c:\5fxlffr.exec:\5fxlffr.exe56⤵
- Executes dropped EXE
PID:2964 -
\??\c:\lfllxxr.exec:\lfllxxr.exe57⤵
- Executes dropped EXE
PID:2496 -
\??\c:\tnntnb.exec:\tnntnb.exe58⤵
- Executes dropped EXE
PID:4976 -
\??\c:\ttbhbt.exec:\ttbhbt.exe59⤵
- Executes dropped EXE
PID:3688 -
\??\c:\vpvpj.exec:\vpvpj.exe60⤵
- Executes dropped EXE
PID:420 -
\??\c:\fllfxrr.exec:\fllfxrr.exe61⤵
- Executes dropped EXE
PID:3636 -
\??\c:\9rxxrfx.exec:\9rxxrfx.exe62⤵
- Executes dropped EXE
PID:2284 -
\??\c:\nbnbbn.exec:\nbnbbn.exe63⤵
- Executes dropped EXE
PID:4100 -
\??\c:\pvjpp.exec:\pvjpp.exe64⤵
- Executes dropped EXE
PID:4528 -
\??\c:\xffxxxr.exec:\xffxxxr.exe65⤵
- Executes dropped EXE
PID:668 -
\??\c:\bthbbt.exec:\bthbbt.exe66⤵PID:4860
-
\??\c:\1bnbtn.exec:\1bnbtn.exe67⤵PID:1164
-
\??\c:\djjjd.exec:\djjjd.exe68⤵PID:3760
-
\??\c:\xrxrllf.exec:\xrxrllf.exe69⤵PID:3596
-
\??\c:\bbbttt.exec:\bbbttt.exe70⤵PID:3216
-
\??\c:\pdvvv.exec:\pdvvv.exe71⤵PID:3448
-
\??\c:\jvdpj.exec:\jvdpj.exe72⤵PID:3964
-
\??\c:\xlxrrll.exec:\xlxrrll.exe73⤵PID:1700
-
\??\c:\bhnhbb.exec:\bhnhbb.exe74⤵PID:3208
-
\??\c:\jjjvv.exec:\jjjvv.exe75⤵PID:2296
-
\??\c:\llffxrl.exec:\llffxrl.exe76⤵PID:2704
-
\??\c:\tttnhb.exec:\tttnhb.exe77⤵PID:3900
-
\??\c:\jddvj.exec:\jddvj.exe78⤵PID:4980
-
\??\c:\9rxfrxl.exec:\9rxfrxl.exe79⤵PID:1904
-
\??\c:\9hnhnh.exec:\9hnhnh.exe80⤵PID:3920
-
\??\c:\dppdj.exec:\dppdj.exe81⤵PID:4580
-
\??\c:\pjjdv.exec:\pjjdv.exe82⤵PID:1064
-
\??\c:\vpdvv.exec:\vpdvv.exe83⤵PID:3756
-
\??\c:\frxfxfx.exec:\frxfxfx.exe84⤵PID:3768
-
\??\c:\hhhttt.exec:\hhhttt.exe85⤵PID:224
-
\??\c:\9djjd.exec:\9djjd.exe86⤵PID:3916
-
\??\c:\5rlfxrr.exec:\5rlfxrr.exe87⤵PID:3604
-
\??\c:\nhbtnn.exec:\nhbtnn.exe88⤵PID:1228
-
\??\c:\9hhhbb.exec:\9hhhbb.exe89⤵PID:4784
-
\??\c:\7rxllff.exec:\7rxllff.exe90⤵PID:640
-
\??\c:\ttnnnt.exec:\ttnnnt.exe91⤵PID:5072
-
\??\c:\7ddvp.exec:\7ddvp.exe92⤵PID:1420
-
\??\c:\fxlllxf.exec:\fxlllxf.exe93⤵PID:4040
-
\??\c:\htbnht.exec:\htbnht.exe94⤵PID:1604
-
\??\c:\vjjvp.exec:\vjjvp.exe95⤵PID:980
-
\??\c:\fxffxxf.exec:\fxffxxf.exe96⤵PID:2712
-
\??\c:\fxxrllf.exec:\fxxrllf.exe97⤵PID:780
-
\??\c:\hntnhb.exec:\hntnhb.exe98⤵PID:5112
-
\??\c:\3tbttt.exec:\3tbttt.exe99⤵PID:4456
-
\??\c:\vpjdp.exec:\vpjdp.exe100⤵PID:2120
-
\??\c:\9xxxrlf.exec:\9xxxrlf.exe101⤵PID:3376
-
\??\c:\tbbtnh.exec:\tbbtnh.exe102⤵PID:4712
-
\??\c:\3jjjv.exec:\3jjjv.exe103⤵PID:4484
-
\??\c:\pvddv.exec:\pvddv.exe104⤵PID:2892
-
\??\c:\lxffxxr.exec:\lxffxxr.exe105⤵PID:1532
-
\??\c:\7bbthh.exec:\7bbthh.exe106⤵PID:4832
-
\??\c:\thhbbt.exec:\thhbbt.exe107⤵PID:4696
-
\??\c:\jdjdd.exec:\jdjdd.exe108⤵PID:3340
-
\??\c:\vjvjd.exec:\vjvjd.exe109⤵PID:2592
-
\??\c:\lllfrxr.exec:\lllfrxr.exe110⤵PID:1720
-
\??\c:\nhhbbt.exec:\nhhbbt.exe111⤵PID:536
-
\??\c:\bnbhht.exec:\bnbhht.exe112⤵PID:5116
-
\??\c:\jjddd.exec:\jjddd.exe113⤵PID:2368
-
\??\c:\xxlrffx.exec:\xxlrffx.exe114⤵PID:2360
-
\??\c:\fxfxrxr.exec:\fxfxrxr.exe115⤵PID:4668
-
\??\c:\hhttnn.exec:\hhttnn.exe116⤵PID:1140
-
\??\c:\dpddv.exec:\dpddv.exe117⤵PID:3980
-
\??\c:\lrxxllf.exec:\lrxxllf.exe118⤵PID:3668
-
\??\c:\nhnnbn.exec:\nhnnbn.exe119⤵PID:1832
-
\??\c:\vddvd.exec:\vddvd.exe120⤵PID:2612
-
\??\c:\pppjd.exec:\pppjd.exe121⤵PID:4408
-
\??\c:\rflfxxr.exec:\rflfxxr.exe122⤵PID:4980