Analysis
-
max time kernel
150s -
max time network
51s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240508-en locale:en-us os:windows10-2004-x64 system -
submitted
21-06-2024 01:24
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
9a11158e55d7bf5407d7e7f48599c5ddd5e946291635705b5ebac4cba880f413.exe
Resource
win7-20231129-en
6 signatures
150 seconds
General
-
Target
9a11158e55d7bf5407d7e7f48599c5ddd5e946291635705b5ebac4cba880f413.exe
-
Size
228KB
-
MD5
ad46f932e633c10c4a33439f3e42c722
-
SHA1
fa068e742a5cafe0c86fca7ec42878d55bd22d83
-
SHA256
9a11158e55d7bf5407d7e7f48599c5ddd5e946291635705b5ebac4cba880f413
-
SHA512
ef93b9557074709c99bf58153867cc643208164f862cc0979d959538aadeb26cc3692ce090dda4c98ace01713d2a37d0012df4216eff76e4e6f06a61f87236b2
-
SSDEEP
3072:ymb3NkkiQ3mdBjFo73PYP1lri3KoSV31x4xLjBeGW:n3C9BRo7MlrWKo+lxK4
Malware Config
Signatures
-
Detect Blackmoon payload 28 IoCs
Processes:
resource yara_rule
behavioral2/memory/4676-4-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon
behavioral2/memory/2432-11-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon
behavioral2/memory/5064-17-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon
behavioral2/memory/184-24-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon
behavioral2/memory/4960-32-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon
behavioral2/memory/3096-40-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon
behavioral2/memory/3096-44-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon
behavioral2/memory/4092-48-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon
behavioral2/memory/4092-54-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon
behavioral2/memory/2896-62-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon
behavioral2/memory/2184-71-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon
behavioral2/memory/2184-70-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon
behavioral2/memory/3324-78-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon
behavioral2/memory/1480-89-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon
behavioral2/memory/3372-93-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon
behavioral2/memory/2488-105-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon
behavioral2/memory/3332-111-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon
behavioral2/memory/3304-124-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon
behavioral2/memory/3628-129-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon
behavioral2/memory/1184-137-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon
behavioral2/memory/1472-147-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon
behavioral2/memory/4196-154-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon
behavioral2/memory/3884-163-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon
behavioral2/memory/4200-169-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon
behavioral2/memory/1192-172-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon
behavioral2/memory/756-177-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon
behavioral2/memory/2444-191-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon
behavioral2/memory/4012-202-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon
-
UPX dump on OEP (original entry point) 32 IoCs
Processes:
resource yara_rule
behavioral2/memory/4676-4-0x0000000000400000-0x0000000000429000-memory.dmp UPX
behavioral2/memory/2432-11-0x0000000000400000-0x0000000000429000-memory.dmp UPX
behavioral2/memory/5064-17-0x0000000000400000-0x0000000000429000-memory.dmp UPX
behavioral2/memory/184-24-0x0000000000400000-0x0000000000429000-memory.dmp UPX
behavioral2/memory/4960-32-0x0000000000400000-0x0000000000429000-memory.dmp UPX
behavioral2/memory/3096-40-0x0000000000400000-0x0000000000429000-memory.dmp UPX
behavioral2/memory/3096-39-0x0000000000400000-0x0000000000429000-memory.dmp UPX
behavioral2/memory/3096-38-0x0000000000400000-0x0000000000429000-memory.dmp UPX
behavioral2/memory/3096-44-0x0000000000400000-0x0000000000429000-memory.dmp UPX
behavioral2/memory/4092-48-0x0000000000400000-0x0000000000429000-memory.dmp UPX
behavioral2/memory/4092-47-0x0000000000400000-0x0000000000429000-memory.dmp UPX
behavioral2/memory/4092-54-0x0000000000400000-0x0000000000429000-memory.dmp UPX
behavioral2/memory/2896-62-0x0000000000400000-0x0000000000429000-memory.dmp UPX
behavioral2/memory/2184-71-0x0000000000400000-0x0000000000429000-memory.dmp UPX
behavioral2/memory/2184-70-0x0000000000400000-0x0000000000429000-memory.dmp UPX
behavioral2/memory/2184-69-0x0000000000400000-0x0000000000429000-memory.dmp UPX
behavioral2/memory/3324-78-0x0000000000400000-0x0000000000429000-memory.dmp UPX
behavioral2/memory/1480-89-0x0000000000400000-0x0000000000429000-memory.dmp UPX
behavioral2/memory/3372-93-0x0000000000400000-0x0000000000429000-memory.dmp UPX
behavioral2/memory/2488-105-0x0000000000400000-0x0000000000429000-memory.dmp UPX
behavioral2/memory/3332-111-0x0000000000400000-0x0000000000429000-memory.dmp UPX
behavioral2/memory/3304-124-0x0000000000400000-0x0000000000429000-memory.dmp UPX
behavioral2/memory/3628-129-0x0000000000400000-0x0000000000429000-memory.dmp UPX
behavioral2/memory/1184-137-0x0000000000400000-0x0000000000429000-memory.dmp UPX
behavioral2/memory/1472-147-0x0000000000400000-0x0000000000429000-memory.dmp UPX
behavioral2/memory/4196-154-0x0000000000400000-0x0000000000429000-memory.dmp UPX
behavioral2/memory/3884-163-0x0000000000400000-0x0000000000429000-memory.dmp UPX
behavioral2/memory/4200-169-0x0000000000400000-0x0000000000429000-memory.dmp UPX
behavioral2/memory/1192-172-0x0000000000400000-0x0000000000429000-memory.dmp UPX
behavioral2/memory/756-177-0x0000000000400000-0x0000000000429000-memory.dmp UPX
behavioral2/memory/2444-191-0x0000000000400000-0x0000000000429000-memory.dmp UPX
behavioral2/memory/4012-202-0x0000000000400000-0x0000000000429000-memory.dmp UPX
-
Executes dropped EXE 64 IoCs
Processes:
9nnbnn.exe 3pjjp.exe xrrlfxr.exe bhbnhb.exe 5fxlrfr.exe lrlffxl.exe thnhhh.exe lfxxxll.exe rlxrxrr.exe 3vpdp.exe 5rrfrrf.exe hhtnnn.exe dvvdv.exe hhthnh.exe pdvjv.exe 5lffxrl.exe hntnhn.exe dpdpd.exe fllfxrl.exe xxxfxfx.exe vjvjd.exe xfxrfxr.exe 1hhthb.exe hbtnhb.exe 9jjdv.exe thtnbb.exe pjjvj.exe lfxrfrl.exe 9bhthb.exe nhbthb.exe 9jpjd.exe 7ffrfrl.exe hthbbb.exe bnnhtn.exe pdpjp.exe xxlfrlx.exe fxfxrlf.exe 5hbttb.exe hbbthh.exe jvjpj.exe rrlfxxr.exe 9rrlfxf.exe 7bbtbt.exe dvjdj.exe 9ddpp.exe 9xxxllx.exe tnbhbb.exe 1thhtb.exe jdpjv.exe djdvp.exe 9xrfxrl.exe thtnbh.exe nhhbtt.exe 1vvjv.exe lxlxlxr.exe fxfrfxr.exe 1nhnhb.exe jpvpv.exe frxrllx.exe hbthbn.exe bhhbhb.exe dvpdj.exe fxxrffx.exe htnbtn.exe
pid process
2432 9nnbnn.exe
5064 3pjjp.exe
184 xrrlfxr.exe
4960 bhbnhb.exe
3096 5fxlrfr.exe
4092 lrlffxl.exe
4952 thnhhh.exe
2896 lfxxxll.exe
2184 rlxrxrr.exe
3324 3vpdp.exe
1480 5rrfrrf.exe
3372 hhtnnn.exe
4664 dvvdv.exe
2488 hhthnh.exe
3332 pdvjv.exe
3956 5lffxrl.exe
3304 hntnhn.exe
3628 dpdpd.exe
1184 fllfxrl.exe
4040 xxxfxfx.exe
1472 vjvjd.exe
4196 xfxrfxr.exe
3884 1hhthb.exe
4200 hbtnhb.exe
1192 9jjdv.exe
756 thtnbb.exe
1616 pjjvj.exe
2444 lfxrfrl.exe
3908 9bhthb.exe
4012 nhbthb.exe
64 9jpjd.exe
2944 7ffrfrl.exe
4776 hthbbb.exe
2052 bnnhtn.exe
4812 pdpjp.exe
2460 xxlfrlx.exe
3676 fxfxrlf.exe
2168 5hbttb.exe
636 hbbthh.exe
4424 jvjpj.exe
4268 rrlfxxr.exe
1812 9rrlfxf.exe
4020 7bbtbt.exe
232 dvjdj.exe
1372 9ddpp.exe
2192 9xxxllx.exe
4492 tnbhbb.exe
4624 1thhtb.exe
5020 jdpjv.exe
3396 djdvp.exe
3556 9xrfxrl.exe
676 thtnbh.exe
1012 nhhbtt.exe
3080 1vvjv.exe
1756 lxlxlxr.exe
1864 fxfrfxr.exe
4600 1nhnhb.exe
2120 jpvpv.exe
1572 frxrllx.exe
2364 hbthbn.exe
4664 bhhbhb.exe
368 dvpdj.exe
4372 fxxrffx.exe
5004 htnbtn.exe
-
Processes:
resource yara_rule
behavioral2/memory/4676-4-0x0000000000400000-0x0000000000429000-memory.dmp upx
behavioral2/memory/2432-11-0x0000000000400000-0x0000000000429000-memory.dmp upx
behavioral2/memory/5064-17-0x0000000000400000-0x0000000000429000-memory.dmp upx
behavioral2/memory/184-24-0x0000000000400000-0x0000000000429000-memory.dmp upx
behavioral2/memory/4960-32-0x0000000000400000-0x0000000000429000-memory.dmp upx
behavioral2/memory/3096-40-0x0000000000400000-0x0000000000429000-memory.dmp upx
behavioral2/memory/3096-39-0x0000000000400000-0x0000000000429000-memory.dmp upx
behavioral2/memory/3096-38-0x0000000000400000-0x0000000000429000-memory.dmp upx
behavioral2/memory/3096-44-0x0000000000400000-0x0000000000429000-memory.dmp upx
behavioral2/memory/4092-48-0x0000000000400000-0x0000000000429000-memory.dmp upx
behavioral2/memory/4092-47-0x0000000000400000-0x0000000000429000-memory.dmp upx
behavioral2/memory/4092-54-0x0000000000400000-0x0000000000429000-memory.dmp upx
behavioral2/memory/2896-62-0x0000000000400000-0x0000000000429000-memory.dmp upx
behavioral2/memory/2184-71-0x0000000000400000-0x0000000000429000-memory.dmp upx
behavioral2/memory/2184-70-0x0000000000400000-0x0000000000429000-memory.dmp upx
behavioral2/memory/2184-69-0x0000000000400000-0x0000000000429000-memory.dmp upx
behavioral2/memory/3324-78-0x0000000000400000-0x0000000000429000-memory.dmp upx
behavioral2/memory/1480-89-0x0000000000400000-0x0000000000429000-memory.dmp upx
behavioral2/memory/3372-93-0x0000000000400000-0x0000000000429000-memory.dmp upx
behavioral2/memory/2488-105-0x0000000000400000-0x0000000000429000-memory.dmp upx
behavioral2/memory/3332-111-0x0000000000400000-0x0000000000429000-memory.dmp upx
behavioral2/memory/3304-124-0x0000000000400000-0x0000000000429000-memory.dmp upx
behavioral2/memory/3628-129-0x0000000000400000-0x0000000000429000-memory.dmp upx
behavioral2/memory/1184-137-0x0000000000400000-0x0000000000429000-memory.dmp upx
behavioral2/memory/1472-147-0x0000000000400000-0x0000000000429000-memory.dmp upx
behavioral2/memory/4196-154-0x0000000000400000-0x0000000000429000-memory.dmp upx
behavioral2/memory/3884-163-0x0000000000400000-0x0000000000429000-memory.dmp upx
behavioral2/memory/4200-169-0x0000000000400000-0x0000000000429000-memory.dmp upx
behavioral2/memory/1192-172-0x0000000000400000-0x0000000000429000-memory.dmp upx
behavioral2/memory/756-177-0x0000000000400000-0x0000000000429000-memory.dmp upx
behavioral2/memory/2444-191-0x0000000000400000-0x0000000000429000-memory.dmp upx
behavioral2/memory/4012-202-0x0000000000400000-0x0000000000429000-memory.dmp upx
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
9a11158e55d7bf5407d7e7f48599c5ddd5e946291635705b5ebac4cba880f413.exe 9nnbnn.exe 3pjjp.exe xrrlfxr.exe bhbnhb.exe 5fxlrfr.exe lrlffxl.exe thnhhh.exe lfxxxll.exe rlxrxrr.exe 3vpdp.exe 5rrfrrf.exe hhtnnn.exe dvvdv.exe hhthnh.exe pdvjv.exe 5lffxrl.exe hntnhn.exe dpdpd.exe fllfxrl.exe xxxfxfx.exe vjvjd.exe
description pid process target process
PID 4676 wrote to memory of 2432 4676 9a11158e55d7bf5407d7e7f48599c5ddd5e946291635705b5ebac4cba880f413.exe 9nnbnn.exe
PID 4676 wrote to memory of 2432 4676 9a11158e55d7bf5407d7e7f48599c5ddd5e946291635705b5ebac4cba880f413.exe 9nnbnn.exe
PID 4676 wrote to memory of 2432 4676 9a11158e55d7bf5407d7e7f48599c5ddd5e946291635705b5ebac4cba880f413.exe 9nnbnn.exe
PID 2432 wrote to memory of 5064 2432 9nnbnn.exe 3pjjp.exe
PID 2432 wrote to memory of 5064 2432 9nnbnn.exe 3pjjp.exe
PID 2432 wrote to memory of 5064 2432 9nnbnn.exe 3pjjp.exe
PID 5064 wrote to memory of 184 5064 3pjjp.exe xrrlfxr.exe
PID 5064 wrote to memory of 184 5064 3pjjp.exe xrrlfxr.exe
PID 5064 wrote to memory of 184 5064 3pjjp.exe xrrlfxr.exe
PID 184 wrote to memory of 4960 184 xrrlfxr.exe bhbnhb.exe
PID 184 wrote to memory of 4960 184 xrrlfxr.exe bhbnhb.exe
PID 184 wrote to memory of 4960 184 xrrlfxr.exe bhbnhb.exe
PID 4960 wrote to memory of 3096 4960 bhbnhb.exe 5fxlrfr.exe
PID 4960 wrote to memory of 3096 4960 bhbnhb.exe 5fxlrfr.exe
PID 4960 wrote to memory of 3096 4960 bhbnhb.exe 5fxlrfr.exe
PID 3096 wrote to memory of 4092 3096 5fxlrfr.exe lrlffxl.exe
PID 3096 wrote to memory of 4092 3096 5fxlrfr.exe lrlffxl.exe
PID 3096 wrote to memory of 4092 3096 5fxlrfr.exe lrlffxl.exe
PID 4092 wrote to memory of 4952 4092 lrlffxl.exe thnhhh.exe
PID 4092 wrote to memory of 4952 4092 lrlffxl.exe thnhhh.exe
PID 4092 wrote to memory of 4952 4092 lrlffxl.exe thnhhh.exe
PID 4952 wrote to memory of 2896 4952 thnhhh.exe lfxxxll.exe
PID 4952 wrote to memory of 2896 4952 thnhhh.exe lfxxxll.exe
PID 4952 wrote to memory of 2896 4952 thnhhh.exe lfxxxll.exe
PID 2896 wrote to memory of 2184 2896 lfxxxll.exe rlxrxrr.exe
PID 2896 wrote to memory of 2184 2896 lfxxxll.exe rlxrxrr.exe
PID 2896 wrote to memory of 2184 2896 lfxxxll.exe rlxrxrr.exe
PID 2184 wrote to memory of 3324 2184 rlxrxrr.exe 3vpdp.exe
PID 2184 wrote to memory of 3324 2184 rlxrxrr.exe 3vpdp.exe
PID 2184 wrote to memory of 3324 2184 rlxrxrr.exe 3vpdp.exe
PID 3324 wrote to memory of 1480 3324 3vpdp.exe 5rrfrrf.exe
PID 3324 wrote to memory of 1480 3324 3vpdp.exe 5rrfrrf.exe
PID 3324 wrote to memory of 1480 3324 3vpdp.exe 5rrfrrf.exe
PID 1480 wrote to memory of 3372 1480 5rrfrrf.exe hhtnnn.exe
PID 1480 wrote to memory of 3372 1480 5rrfrrf.exe hhtnnn.exe
PID 1480 wrote to memory of 3372 1480 5rrfrrf.exe hhtnnn.exe
PID 3372 wrote to memory of 4664 3372 hhtnnn.exe dvvdv.exe
PID 3372 wrote to memory of 4664 3372 hhtnnn.exe dvvdv.exe
PID 3372 wrote to memory of 4664 3372 hhtnnn.exe dvvdv.exe
PID 4664 wrote to memory of 2488 4664 dvvdv.exe hhthnh.exe
PID 4664 wrote to memory of 2488 4664 dvvdv.exe hhthnh.exe
PID 4664 wrote to memory of 2488 4664 dvvdv.exe hhthnh.exe
PID 2488 wrote to memory of 3332 2488 hhthnh.exe pdvjv.exe
PID 2488 wrote to memory of 3332 2488 hhthnh.exe pdvjv.exe
PID 2488 wrote to memory of 3332 2488 hhthnh.exe pdvjv.exe
PID 3332 wrote to memory of 3956 3332 pdvjv.exe 5lffxrl.exe
PID 3332 wrote to memory of 3956 3332 pdvjv.exe 5lffxrl.exe
PID 3332 wrote to memory of 3956 3332 pdvjv.exe 5lffxrl.exe
PID 3956 wrote to memory of 3304 3956 5lffxrl.exe hntnhn.exe
PID 3956 wrote to memory of 3304 3956 5lffxrl.exe hntnhn.exe
PID 3956 wrote to memory of 3304 3956 5lffxrl.exe hntnhn.exe
PID 3304 wrote to memory of 3628 3304 hntnhn.exe dpdpd.exe
PID 3304 wrote to memory of 3628 3304 hntnhn.exe dpdpd.exe
PID 3304 wrote to memory of 3628 3304 hntnhn.exe dpdpd.exe
PID 3628 wrote to memory of 1184 3628 dpdpd.exe fllfxrl.exe
PID 3628 wrote to memory of 1184 3628 dpdpd.exe fllfxrl.exe
PID 3628 wrote to memory of 1184 3628 dpdpd.exe fllfxrl.exe
PID 1184 wrote to memory of 4040 1184 fllfxrl.exe xxxfxfx.exe
PID 1184 wrote to memory of 4040 1184 fllfxrl.exe xxxfxfx.exe
PID 1184 wrote to memory of 4040 1184 fllfxrl.exe xxxfxfx.exe
PID 4040 wrote to memory of 1472 4040 xxxfxfx.exe vjvjd.exe
PID 4040 wrote to memory of 1472 4040 xxxfxfx.exe vjvjd.exe
PID 4040 wrote to memory of 1472 4040 xxxfxfx.exe vjvjd.exe
PID 1472 wrote to memory of 4196 1472 vjvjd.exe xfxrfxr.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\9a11158e55d7bf5407d7e7f48599c5ddd5e946291635705b5ebac4cba880f413.exe"C:\Users\Admin\AppData\Local\Temp\9a11158e55d7bf5407d7e7f48599c5ddd5e946291635705b5ebac4cba880f413.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4676 -
\??\c:\9nnbnn.exec:\9nnbnn.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2432 -
\??\c:\3pjjp.exec:\3pjjp.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5064 -
\??\c:\xrrlfxr.exec:\xrrlfxr.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:184 -
\??\c:\bhbnhb.exec:\bhbnhb.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4960 -
\??\c:\5fxlrfr.exec:\5fxlrfr.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3096 -
\??\c:\lrlffxl.exec:\lrlffxl.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4092 -
\??\c:\thnhhh.exec:\thnhhh.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4952 -
\??\c:\lfxxxll.exec:\lfxxxll.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2896 -
\??\c:\rlxrxrr.exec:\rlxrxrr.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2184 -
\??\c:\3vpdp.exec:\3vpdp.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3324 -
\??\c:\5rrfrrf.exec:\5rrfrrf.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1480 -
\??\c:\hhtnnn.exec:\hhtnnn.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3372 -
\??\c:\dvvdv.exec:\dvvdv.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4664 -
\??\c:\hhthnh.exec:\hhthnh.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2488 -
\??\c:\pdvjv.exec:\pdvjv.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3332 -
\??\c:\5lffxrl.exec:\5lffxrl.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3956 -
\??\c:\hntnhn.exec:\hntnhn.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3304 -
\??\c:\dpdpd.exec:\dpdpd.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3628 -
\??\c:\fllfxrl.exec:\fllfxrl.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1184 -
\??\c:\xxxfxfx.exec:\xxxfxfx.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4040 -
\??\c:\vjvjd.exec:\vjvjd.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1472 -
\??\c:\xfxrfxr.exec:\xfxrfxr.exe23⤵
- Executes dropped EXE
PID:4196 -
\??\c:\1hhthb.exec:\1hhthb.exe24⤵
- Executes dropped EXE
PID:3884 -
\??\c:\hbtnhb.exec:\hbtnhb.exe25⤵
- Executes dropped EXE
PID:4200 -
\??\c:\9jjdv.exec:\9jjdv.exe26⤵
- Executes dropped EXE
PID:1192 -
\??\c:\thtnbb.exec:\thtnbb.exe27⤵
- Executes dropped EXE
PID:756 -
\??\c:\pjjvj.exec:\pjjvj.exe28⤵
- Executes dropped EXE
PID:1616 -
\??\c:\lfxrfrl.exec:\lfxrfrl.exe29⤵
- Executes dropped EXE
PID:2444 -
\??\c:\9bhthb.exec:\9bhthb.exe30⤵
- Executes dropped EXE
PID:3908 -
\??\c:\nhbthb.exec:\nhbthb.exe31⤵
- Executes dropped EXE
PID:4012 -
\??\c:\9jpjd.exec:\9jpjd.exe32⤵
- Executes dropped EXE
PID:64 -
\??\c:\7ffrfrl.exec:\7ffrfrl.exe33⤵
- Executes dropped EXE
PID:2944 -
\??\c:\hthbbb.exec:\hthbbb.exe34⤵
- Executes dropped EXE
PID:4776 -
\??\c:\bnnhtn.exec:\bnnhtn.exe35⤵
- Executes dropped EXE
PID:2052 -
\??\c:\pdpjp.exec:\pdpjp.exe36⤵
- Executes dropped EXE
PID:4812 -
\??\c:\xxlfrlx.exec:\xxlfrlx.exe37⤵
- Executes dropped EXE
PID:2460 -
\??\c:\fxfxrlf.exec:\fxfxrlf.exe38⤵
- Executes dropped EXE
PID:3676 -
\??\c:\5hbttb.exec:\5hbttb.exe39⤵
- Executes dropped EXE
PID:2168 -
\??\c:\hbbthh.exec:\hbbthh.exe40⤵
- Executes dropped EXE
PID:636 -
\??\c:\jvjpj.exec:\jvjpj.exe41⤵
- Executes dropped EXE
PID:4424 -
\??\c:\rrlfxxr.exec:\rrlfxxr.exe42⤵
- Executes dropped EXE
PID:4268 -
\??\c:\9rrlfxf.exec:\9rrlfxf.exe43⤵
- Executes dropped EXE
PID:1812 -
\??\c:\7bbtbt.exec:\7bbtbt.exe44⤵
- Executes dropped EXE
PID:4020 -
\??\c:\dvjdj.exec:\dvjdj.exe45⤵
- Executes dropped EXE
PID:232 -
\??\c:\9ddpp.exec:\9ddpp.exe46⤵
- Executes dropped EXE
PID:1372 -
\??\c:\9xxxllx.exec:\9xxxllx.exe47⤵
- Executes dropped EXE
PID:2192 -
\??\c:\tnbhbb.exec:\tnbhbb.exe48⤵
- Executes dropped EXE
PID:4492 -
\??\c:\1thhtb.exec:\1thhtb.exe49⤵
- Executes dropped EXE
PID:4624 -
\??\c:\jdpjv.exec:\jdpjv.exe50⤵
- Executes dropped EXE
PID:5020 -
\??\c:\djdvp.exec:\djdvp.exe51⤵
- Executes dropped EXE
PID:3396 -
\??\c:\9xrfxrl.exec:\9xrfxrl.exe52⤵
- Executes dropped EXE
PID:3556 -
\??\c:\thtnbh.exec:\thtnbh.exe53⤵
- Executes dropped EXE
PID:676 -
\??\c:\nhhbtt.exec:\nhhbtt.exe54⤵
- Executes dropped EXE
PID:1012 -
\??\c:\1vvjv.exec:\1vvjv.exe55⤵
- Executes dropped EXE
PID:3080 -
\??\c:\lxlxlxr.exec:\lxlxlxr.exe56⤵
- Executes dropped EXE
PID:1756 -
\??\c:\fxfrfxr.exec:\fxfrfxr.exe57⤵
- Executes dropped EXE
PID:1864 -
\??\c:\1nhnhb.exec:\1nhnhb.exe58⤵
- Executes dropped EXE
PID:4600 -
\??\c:\jpvpv.exec:\jpvpv.exe59⤵
- Executes dropped EXE
PID:2120 -
\??\c:\frxrllx.exec:\frxrllx.exe60⤵
- Executes dropped EXE
PID:1572 -
\??\c:\hbthbn.exec:\hbthbn.exe61⤵
- Executes dropped EXE
PID:2364 -
\??\c:\bhhbhb.exec:\bhhbhb.exe62⤵
- Executes dropped EXE
PID:4664 -
\??\c:\dvpdj.exec:\dvpdj.exe63⤵
- Executes dropped EXE
PID:368 -
\??\c:\fxxrffx.exec:\fxxrffx.exe64⤵
- Executes dropped EXE
PID:4372 -
\??\c:\htnbtn.exec:\htnbtn.exe65⤵
- Executes dropped EXE
PID:5004 -
\??\c:\7ttnhb.exec:\7ttnhb.exe66⤵PID:2456
-
\??\c:\dvvpp.exec:\dvvpp.exe67⤵PID:4344
-
\??\c:\pddjd.exec:\pddjd.exe68⤵PID:4728
-
\??\c:\xrlrflf.exec:\xrlrflf.exe69⤵PID:2652
-
\??\c:\nhnhhh.exec:\nhnhhh.exe70⤵PID:3336
-
\??\c:\nhbthb.exec:\nhbthb.exe71⤵PID:1656
-
\??\c:\9dvpj.exec:\9dvpj.exe72⤵PID:3040
-
\??\c:\fxlfxfx.exec:\fxlfxfx.exe73⤵PID:2540
-
\??\c:\frxlffr.exec:\frxlffr.exe74⤵PID:4464
-
\??\c:\htthbn.exec:\htthbn.exe75⤵PID:2172
-
\??\c:\7tnbnn.exec:\7tnbnn.exe76⤵PID:1880
-
\??\c:\vjpdd.exec:\vjpdd.exe77⤵PID:4200
-
\??\c:\lrlrfxl.exec:\lrlrfxl.exe78⤵PID:1976
-
\??\c:\lffxrlf.exec:\lffxrlf.exe79⤵PID:4576
-
\??\c:\nbhhhh.exec:\nbhhhh.exe80⤵PID:4892
-
\??\c:\3hbthb.exec:\3hbthb.exe81⤵PID:4956
-
\??\c:\jddpj.exec:\jddpj.exe82⤵PID:3252
-
\??\c:\5dvpd.exec:\5dvpd.exe83⤵PID:4060
-
\??\c:\lxxrffr.exec:\lxxrffr.exe84⤵PID:2856
-
\??\c:\bnthnh.exec:\bnthnh.exe85⤵PID:2740
-
\??\c:\hhtnbt.exec:\hhtnbt.exe86⤵PID:1416
-
\??\c:\dpjdp.exec:\dpjdp.exe87⤵PID:3652
-
\??\c:\7jjdd.exec:\7jjdd.exe88⤵PID:1660
-
\??\c:\xrxrxrr.exec:\xrxrxrr.exe89⤵PID:2496
-
\??\c:\bnnhtt.exec:\bnnhtt.exe90⤵PID:2220
-
\??\c:\vppdv.exec:\vppdv.exe91⤵PID:3216
-
\??\c:\pdvdj.exec:\pdvdj.exe92⤵PID:2788
-
\??\c:\frrrfff.exec:\frrrfff.exe93⤵PID:820
-
\??\c:\fxffxrx.exec:\fxffxrx.exe94⤵PID:4440
-
\??\c:\bntbtn.exec:\bntbtn.exe95⤵PID:4220
-
\??\c:\3djdj.exec:\3djdj.exe96⤵PID:4676
-
\??\c:\jvvpd.exec:\jvvpd.exe97⤵PID:1364
-
\??\c:\rlrlfff.exec:\rlrlfff.exe98⤵PID:4020
-
\??\c:\lffxrrl.exec:\lffxrrl.exe99⤵PID:232
-
\??\c:\nhnnhh.exec:\nhnnhh.exe100⤵PID:1836
-
\??\c:\ttttnh.exec:\ttttnh.exe101⤵PID:2668
-
\??\c:\vvdvj.exec:\vvdvj.exe102⤵PID:1428
-
\??\c:\lrxlxxr.exec:\lrxlxxr.exe103⤵PID:2980
-
\??\c:\fxxrxrx.exec:\fxxrxrx.exe104⤵PID:3168
-
\??\c:\nhtnhb.exec:\nhtnhb.exe105⤵PID:3488
-
\??\c:\nbhbnn.exec:\nbhbnn.exe106⤵PID:2492
-
\??\c:\pjjvj.exec:\pjjvj.exe107⤵PID:5068
-
\??\c:\dvjpj.exec:\dvjpj.exe108⤵PID:1012
-
\??\c:\ttbnbt.exec:\ttbnbt.exe109⤵PID:4056
-
\??\c:\thbthh.exec:\thbthh.exe110⤵PID:4992
-
\??\c:\dppjv.exec:\dppjv.exe111⤵PID:4084
-
\??\c:\5rlrlfr.exec:\5rlrlfr.exe112⤵PID:1840
-
\??\c:\7lfxxrf.exec:\7lfxxrf.exe113⤵PID:3372
-
\??\c:\nbthnb.exec:\nbthnb.exe114⤵PID:3116
-
\??\c:\hnthtn.exec:\hnthtn.exe115⤵PID:508
-
\??\c:\djpjv.exec:\djpjv.exe116⤵PID:4928
-
\??\c:\lxrlxfx.exec:\lxrlxfx.exe117⤵PID:368
-
\??\c:\lffxrxr.exec:\lffxrxr.exe118⤵PID:2968
-
\??\c:\3bhtnb.exec:\3bhtnb.exe119⤵PID:1508
-
\??\c:\bthhnb.exec:\bthhnb.exe120⤵PID:2456
-
\??\c:\rxrrllr.exec:\rxrrllr.exe121⤵PID:4344
-
\??\c:\xxfxllx.exec:\xxfxllx.exe122⤵PID:4684
-