Analysis
- max time kernel: 150s
- max time network: 118s
- platform: windows7_x64
- resource: win7-20240508-en
- resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
- submitted: 06-06-2024 08:19
Static task
- static1: 2 signatures
Behavioral task
- behavioral1
- Sample: f3c6c22a2b7ff5ca1a65143006faa7f58b7b274e4fc8d0fd320ebd0142d0b4f7.exe
- Resource: win7-20240508-en
- 6 signatures
- 150 seconds
General
- Target: f3c6c22a2b7ff5ca1a65143006faa7f58b7b274e4fc8d0fd320ebd0142d0b4f7.exe
- Size: 233KB
- MD5: b634186fb7ead4fa7359a1f86ad2d631
- SHA1: 108c5c6db0b344acefb0af732dd260653c8f6329
- SHA256: f3c6c22a2b7ff5ca1a65143006faa7f58b7b274e4fc8d0fd320ebd0142d0b4f7
- SHA512: b32dbfc1f8ca0c95c205f5bb4436b55a01cafbb074fce4667b2e812579e8f1cc5f63b0fc766b280c78bc7e0ecc816c1e3fdf6e65532958d8cc5d23dca9901a4c
- SSDEEP: 3072:ymb3NkkiQ3mdBjFo7LAIRUohTF/SjSrbzLAuBjfwFOmoFzMvUpGqC5n+t:n3C9BRo/AIuuFSjA8uBjwI7FjpjC5+t
Malware Config
Signatures
-
Detect Blackmoon payload 24 IoCs
UPX dump on OEP (original entry point) 59 IoCs
Executes dropped EXE 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes