Analysis
-
max time kernel
150s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
arch:x64 arch:x86 image:win7-20231129-en locale:en-us os:windows7-x64 system -
submitted
21-06-2024 02:34
Behavioral task
behavioral1
Sample
b4887bb83c159ffd4928bea12964e04fa4c0fc2dff0535c99210459e803c9422.exe
Resource
win7-20231129-en
6 signatures
150 seconds
General
-
Target
b4887bb83c159ffd4928bea12964e04fa4c0fc2dff0535c99210459e803c9422.exe
-
Size
159KB
-
MD5
527ed2836e7c27e2e9c38e4ea0d0b364
-
SHA1
9f3ee1054796614179ca89d492ecba0c58f06c92
-
SHA256
b4887bb83c159ffd4928bea12964e04fa4c0fc2dff0535c99210459e803c9422
-
SHA512
6331b25b6555a1df4610d1e3d6f0a49eae8aaeb0adeb2b5c71c2e96c7f64a6ff48aa7cbf64f8db2c1c563059eee1bb3e66f57113ad0fbed668328d494a1b0e43
-
SSDEEP
3072:chOmTsF93UYfwC6GIoutieyhC2lbgGi5yL5:ccm4FmowdHoSi9EE
Malware Config (empty: no configuration block was extracted from this sample, so there are no C2 or campaign identifiers to pivot on from this report alone)
Signatures
-
Detect Blackmoon payload — 38 IoCs. The family_blackmoon YARA rule matched in the memory dump of the original process (PID 3028) and of most of the dropped executables, always over a 0x36000-byte image. Two processes (PIDs 1744 and 2444) show a region of the same size at 0x260000 and 0x220000 instead of 0x400000; that looks like the same image loaded at a relocated base rather than a different payload — confirm before counting them as separate indicators.
Processes:
resource yara_rule behavioral1/memory/3028-0-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral1/memory/2036-11-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral1/memory/2032-26-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral1/memory/2580-36-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral1/memory/2700-45-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral1/memory/2752-54-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral1/memory/2060-64-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral1/memory/2644-67-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral1/memory/2480-82-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral1/memory/960-85-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral1/memory/2308-100-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral1/memory/1736-133-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral1/memory/1832-141-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral1/memory/2840-151-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral1/memory/1868-153-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral1/memory/1956-189-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral1/memory/480-211-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral1/memory/672-220-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral1/memory/3032-263-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral1/memory/2224-272-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral1/memory/1872-290-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon 
behavioral1/memory/2412-308-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral1/memory/2152-315-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral1/memory/2616-328-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral1/memory/2616-335-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral1/memory/2060-356-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral1/memory/2524-369-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral1/memory/1752-419-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral1/memory/1572-440-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral1/memory/2568-453-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral1/memory/2372-517-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral1/memory/2016-662-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral1/memory/1744-694-0x0000000000260000-0x0000000000296000-memory.dmp family_blackmoon behavioral1/memory/1196-725-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral1/memory/324-769-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral1/memory/1168-820-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral1/memory/2444-913-0x0000000000220000-0x0000000000256000-memory.dmp family_blackmoon behavioral1/memory/2280-1075-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon -
UPX dump on OEP (original entry point) — 64 IoCs (list capped at 64). The UPX rule matches both the files dropped to C:\ and the unpacked in-memory images of the processes that ran them, so the dropper appears to write UPX-packed copies of the same 0x36000-byte image rather than a distinct second stage. Static rules should target the in-memory dump; a hash or YARA rule on the packed file will not survive repacking.
Processes:
resource yara_rule behavioral1/memory/3028-0-0x0000000000400000-0x0000000000436000-memory.dmp UPX C:\7hbhtt.exe UPX behavioral1/memory/2036-11-0x0000000000400000-0x0000000000436000-memory.dmp UPX C:\9bntnh.exe UPX behavioral1/memory/2032-18-0x0000000000400000-0x0000000000436000-memory.dmp UPX C:\fflxfrf.exe UPX behavioral1/memory/2032-26-0x0000000000400000-0x0000000000436000-memory.dmp UPX behavioral1/memory/2580-36-0x0000000000400000-0x0000000000436000-memory.dmp UPX C:\btbthh.exe UPX behavioral1/memory/2700-45-0x0000000000400000-0x0000000000436000-memory.dmp UPX C:\ddjvp.exe UPX behavioral1/memory/2752-46-0x0000000000400000-0x0000000000436000-memory.dmp UPX C:\xlxxlfr.exe UPX behavioral1/memory/2752-54-0x0000000000400000-0x0000000000436000-memory.dmp UPX C:\hhthbh.exe UPX behavioral1/memory/2060-64-0x0000000000400000-0x0000000000436000-memory.dmp UPX behavioral1/memory/2644-67-0x0000000000400000-0x0000000000436000-memory.dmp UPX C:\7nbtbt.exe UPX behavioral1/memory/2480-82-0x0000000000400000-0x0000000000436000-memory.dmp UPX C:\7pjjp.exe UPX behavioral1/memory/960-85-0x0000000000400000-0x0000000000436000-memory.dmp UPX C:\rfrrlll.exe UPX behavioral1/memory/2308-100-0x0000000000400000-0x0000000000436000-memory.dmp UPX C:\tnthtb.exe UPX C:\jddvp.exe UPX C:\xrxrxxr.exe UPX C:\rflrlrx.exe UPX C:\nhbbhn.exe UPX behavioral1/memory/1736-133-0x0000000000400000-0x0000000000436000-memory.dmp UPX C:\9nhnbb.exe UPX behavioral1/memory/1832-141-0x0000000000400000-0x0000000000436000-memory.dmp UPX behavioral1/memory/2840-151-0x0000000000400000-0x0000000000436000-memory.dmp UPX C:\7dvdd.exe UPX behavioral1/memory/1868-153-0x0000000000400000-0x0000000000436000-memory.dmp UPX C:\3lxffrx.exe UPX behavioral1/memory/1476-161-0x0000000000400000-0x0000000000436000-memory.dmp UPX C:\nbtnhn.exe UPX C:\btbhnn.exe UPX C:\vjvvp.exe UPX behavioral1/memory/1956-189-0x0000000000400000-0x0000000000436000-memory.dmp UPX C:\rflxxrx.exe UPX C:\3bnnnn.exe UPX 
behavioral1/memory/480-211-0x0000000000400000-0x0000000000436000-memory.dmp UPX C:\pjdjp.exe UPX C:\5flrfrf.exe UPX behavioral1/memory/672-220-0x0000000000400000-0x0000000000436000-memory.dmp UPX C:\9lxlrxf.exe UPX behavioral1/memory/1904-229-0x0000000000400000-0x0000000000436000-memory.dmp UPX C:\9ntttt.exe UPX C:\vppjj.exe UPX behavioral1/memory/1224-246-0x0000000000400000-0x0000000000436000-memory.dmp UPX C:\xlxlxrr.exe UPX behavioral1/memory/3032-263-0x0000000000400000-0x0000000000436000-memory.dmp UPX C:\hbhhbb.exe UPX behavioral1/memory/2224-264-0x0000000000400000-0x0000000000436000-memory.dmp UPX behavioral1/memory/2224-272-0x0000000000400000-0x0000000000436000-memory.dmp UPX C:\1ntbnn.exe UPX C:\vjpvv.exe UPX behavioral1/memory/1872-290-0x0000000000400000-0x0000000000436000-memory.dmp UPX behavioral1/memory/2412-308-0x0000000000400000-0x0000000000436000-memory.dmp UPX behavioral1/memory/2152-315-0x0000000000400000-0x0000000000436000-memory.dmp UPX behavioral1/memory/2616-328-0x0000000000400000-0x0000000000436000-memory.dmp UPX behavioral1/memory/2616-335-0x0000000000400000-0x0000000000436000-memory.dmp UPX behavioral1/memory/2604-336-0x0000000000400000-0x0000000000436000-memory.dmp UPX -
Executes dropped EXE — 64 IoCs (list capped at 64; the process tree below continues to depth 122). Each dropped file is written to the drive root (C:\) under a short name drawn from a small alphabet (b, d, f, h, j, l, n, p, r, t, v, x and the odd digits 1, 3, 5, 7, 9) and launches the next one, so the chain is strictly sequential. PIDs such as 2060, 1752, 2024, 480 and 3000 are reused by later links, which implies earlier links have already exited; correlate on the C:\ file path and the parent→child hand-off, not on PID.
Processes:
7hbhtt.exe9bntnh.exefflxfrf.exebtbthh.exeddjvp.exexlxxlfr.exehhthbh.exe7nbtbt.exe7pjjp.exerfrrlll.exetnthtb.exejddvp.exexrxrxxr.exerflrlrx.exenhbbhn.exe9nhnbb.exe7dvdd.exe3lxffrx.exenbtnhn.exebtbhnn.exevjvvp.exerflxxrx.exe3bnnnn.exepjdjp.exe5flrfrf.exe9lxlrxf.exe9ntttt.exevppjj.exexlxlxrr.exehbhhbb.exe1ntbnn.exevjpvv.exerxrffll.exenhhhtb.exenbhbbt.exeddvdv.exe9lxxxlx.exerfllrlr.exebthnbn.exethnntn.exe7jjpd.exerlrrffx.exeffxfrfx.exetnhnbb.exehhbthb.exe3pjjp.exexxfllff.exehbnhhn.exe3nbttn.exedvdjp.exevvjpp.exerlrxllx.exexrxlxxf.exe5nbtbh.exe9pddv.exe3xfxrlr.exelxlllfl.exe3rxflff.exetnhhnn.exe9nbthb.exejvddd.exepjddj.exe5lfxflr.exehtbbbt.exepid process 2036 7hbhtt.exe 2032 9bntnh.exe 2580 fflxfrf.exe 2700 btbthh.exe 2752 ddjvp.exe 2060 xlxxlfr.exe 2644 hhthbh.exe 2480 7nbtbt.exe 960 7pjjp.exe 2308 rfrrlll.exe 1612 tnthtb.exe 1652 jddvp.exe 1752 xrxrxxr.exe 1736 rflrlrx.exe 1832 nhbbhn.exe 2840 9nhnbb.exe 1868 7dvdd.exe 1476 3lxffrx.exe 2120 nbtnhn.exe 2024 btbhnn.exe 1956 vjvvp.exe 2908 rflxxrx.exe 480 3bnnnn.exe 672 pjdjp.exe 712 5flrfrf.exe 1904 9lxlrxf.exe 108 9ntttt.exe 1224 vppjj.exe 3032 xlxlxrr.exe 2224 hbhhbb.exe 3000 1ntbnn.exe 1188 vjpvv.exe 1872 rxrffll.exe 2848 nhhhtb.exe 2412 nbhbbt.exe 2152 ddvdv.exe 2344 9lxxxlx.exe 2668 rfllrlr.exe 2616 bthnbn.exe 2604 thnntn.exe 2588 7jjpd.exe 2792 rlrrffx.exe 2060 ffxfrfx.exe 2524 tnhnbb.exe 2528 hhbthb.exe 1656 3pjjp.exe 1860 xxfllff.exe 2868 hbnhhn.exe 2508 3nbttn.exe 964 dvdjp.exe 1284 vvjpp.exe 1752 rlrxllx.exe 2812 xrxlxxf.exe 2800 5nbtbh.exe 2836 9pddv.exe 1572 3xfxrlr.exe 1140 lxlllfl.exe 2568 3rxflff.exe 1704 tnhhnn.exe 2448 9nbthb.exe 2024 jvddd.exe 592 pjddj.exe 324 5lfxflr.exe 480 htbbbt.exe -
Processes (second, lowercase `upx` rule — the hits below are the same files and memory regions reported under "UPX dump on OEP" above, not additional indicators):
resource yara_rule behavioral1/memory/3028-0-0x0000000000400000-0x0000000000436000-memory.dmp upx C:\7hbhtt.exe upx behavioral1/memory/2036-11-0x0000000000400000-0x0000000000436000-memory.dmp upx C:\9bntnh.exe upx behavioral1/memory/2032-18-0x0000000000400000-0x0000000000436000-memory.dmp upx C:\fflxfrf.exe upx behavioral1/memory/2032-26-0x0000000000400000-0x0000000000436000-memory.dmp upx behavioral1/memory/2580-36-0x0000000000400000-0x0000000000436000-memory.dmp upx C:\btbthh.exe upx behavioral1/memory/2700-45-0x0000000000400000-0x0000000000436000-memory.dmp upx C:\ddjvp.exe upx behavioral1/memory/2752-46-0x0000000000400000-0x0000000000436000-memory.dmp upx C:\xlxxlfr.exe upx behavioral1/memory/2752-54-0x0000000000400000-0x0000000000436000-memory.dmp upx C:\hhthbh.exe upx behavioral1/memory/2060-64-0x0000000000400000-0x0000000000436000-memory.dmp upx behavioral1/memory/2644-67-0x0000000000400000-0x0000000000436000-memory.dmp upx C:\7nbtbt.exe upx behavioral1/memory/2480-82-0x0000000000400000-0x0000000000436000-memory.dmp upx C:\7pjjp.exe upx behavioral1/memory/960-85-0x0000000000400000-0x0000000000436000-memory.dmp upx C:\rfrrlll.exe upx behavioral1/memory/2308-100-0x0000000000400000-0x0000000000436000-memory.dmp upx C:\tnthtb.exe upx C:\jddvp.exe upx C:\xrxrxxr.exe upx C:\rflrlrx.exe upx C:\nhbbhn.exe upx behavioral1/memory/1736-133-0x0000000000400000-0x0000000000436000-memory.dmp upx C:\9nhnbb.exe upx behavioral1/memory/1832-141-0x0000000000400000-0x0000000000436000-memory.dmp upx behavioral1/memory/2840-151-0x0000000000400000-0x0000000000436000-memory.dmp upx C:\7dvdd.exe upx behavioral1/memory/1868-153-0x0000000000400000-0x0000000000436000-memory.dmp upx C:\3lxffrx.exe upx behavioral1/memory/1476-161-0x0000000000400000-0x0000000000436000-memory.dmp upx C:\nbtnhn.exe upx C:\btbhnn.exe upx C:\vjvvp.exe upx behavioral1/memory/1956-189-0x0000000000400000-0x0000000000436000-memory.dmp upx C:\rflxxrx.exe upx C:\3bnnnn.exe upx 
behavioral1/memory/480-211-0x0000000000400000-0x0000000000436000-memory.dmp upx C:\pjdjp.exe upx C:\5flrfrf.exe upx behavioral1/memory/672-220-0x0000000000400000-0x0000000000436000-memory.dmp upx C:\9lxlrxf.exe upx behavioral1/memory/1904-229-0x0000000000400000-0x0000000000436000-memory.dmp upx C:\9ntttt.exe upx C:\vppjj.exe upx behavioral1/memory/1224-246-0x0000000000400000-0x0000000000436000-memory.dmp upx C:\xlxlxrr.exe upx behavioral1/memory/3032-263-0x0000000000400000-0x0000000000436000-memory.dmp upx C:\hbhhbb.exe upx behavioral1/memory/2224-264-0x0000000000400000-0x0000000000436000-memory.dmp upx behavioral1/memory/2224-272-0x0000000000400000-0x0000000000436000-memory.dmp upx C:\1ntbnn.exe upx C:\vjpvv.exe upx behavioral1/memory/1872-290-0x0000000000400000-0x0000000000436000-memory.dmp upx behavioral1/memory/2412-308-0x0000000000400000-0x0000000000436000-memory.dmp upx behavioral1/memory/2152-315-0x0000000000400000-0x0000000000436000-memory.dmp upx behavioral1/memory/2616-328-0x0000000000400000-0x0000000000436000-memory.dmp upx behavioral1/memory/2616-335-0x0000000000400000-0x0000000000436000-memory.dmp upx behavioral1/memory/2604-336-0x0000000000400000-0x0000000000436000-memory.dmp upx -
Suspicious use of WriteProcessMemory — 64 IoCs (list capped at 64). Every link in the chain shows exactly four WriteProcessMemory calls from a parent into the child it has just created (e.g. PID 3028 → 2036, 2036 → 2032) and no writes into any unrelated process; this pattern is consistent with the parent launching the child rather than injecting code into a foreign process — confirm against the API trace before reporting it as process injection.
Processes:
b4887bb83c159ffd4928bea12964e04fa4c0fc2dff0535c99210459e803c9422.exe7hbhtt.exe9bntnh.exefflxfrf.exebtbthh.exeddjvp.exexlxxlfr.exehhthbh.exe7nbtbt.exe7pjjp.exerfrrlll.exetnthtb.exejddvp.exexrxrxxr.exerflrlrx.exenhbbhn.exedescription pid process target process PID 3028 wrote to memory of 2036 3028 b4887bb83c159ffd4928bea12964e04fa4c0fc2dff0535c99210459e803c9422.exe 7hbhtt.exe PID 3028 wrote to memory of 2036 3028 b4887bb83c159ffd4928bea12964e04fa4c0fc2dff0535c99210459e803c9422.exe 7hbhtt.exe PID 3028 wrote to memory of 2036 3028 b4887bb83c159ffd4928bea12964e04fa4c0fc2dff0535c99210459e803c9422.exe 7hbhtt.exe PID 3028 wrote to memory of 2036 3028 b4887bb83c159ffd4928bea12964e04fa4c0fc2dff0535c99210459e803c9422.exe 7hbhtt.exe PID 2036 wrote to memory of 2032 2036 7hbhtt.exe 9bntnh.exe PID 2036 wrote to memory of 2032 2036 7hbhtt.exe 9bntnh.exe PID 2036 wrote to memory of 2032 2036 7hbhtt.exe 9bntnh.exe PID 2036 wrote to memory of 2032 2036 7hbhtt.exe 9bntnh.exe PID 2032 wrote to memory of 2580 2032 9bntnh.exe fflxfrf.exe PID 2032 wrote to memory of 2580 2032 9bntnh.exe fflxfrf.exe PID 2032 wrote to memory of 2580 2032 9bntnh.exe fflxfrf.exe PID 2032 wrote to memory of 2580 2032 9bntnh.exe fflxfrf.exe PID 2580 wrote to memory of 2700 2580 fflxfrf.exe btbthh.exe PID 2580 wrote to memory of 2700 2580 fflxfrf.exe btbthh.exe PID 2580 wrote to memory of 2700 2580 fflxfrf.exe btbthh.exe PID 2580 wrote to memory of 2700 2580 fflxfrf.exe btbthh.exe PID 2700 wrote to memory of 2752 2700 btbthh.exe ddjvp.exe PID 2700 wrote to memory of 2752 2700 btbthh.exe ddjvp.exe PID 2700 wrote to memory of 2752 2700 btbthh.exe ddjvp.exe PID 2700 wrote to memory of 2752 2700 btbthh.exe ddjvp.exe PID 2752 wrote to memory of 2060 2752 ddjvp.exe xlxxlfr.exe PID 2752 wrote to memory of 2060 2752 ddjvp.exe xlxxlfr.exe PID 2752 wrote to memory of 2060 2752 ddjvp.exe xlxxlfr.exe PID 2752 wrote to memory of 2060 2752 ddjvp.exe xlxxlfr.exe PID 2060 wrote to memory of 2644 2060 xlxxlfr.exe hhthbh.exe PID 
2060 wrote to memory of 2644 2060 xlxxlfr.exe hhthbh.exe PID 2060 wrote to memory of 2644 2060 xlxxlfr.exe hhthbh.exe PID 2060 wrote to memory of 2644 2060 xlxxlfr.exe hhthbh.exe PID 2644 wrote to memory of 2480 2644 hhthbh.exe 7nbtbt.exe PID 2644 wrote to memory of 2480 2644 hhthbh.exe 7nbtbt.exe PID 2644 wrote to memory of 2480 2644 hhthbh.exe 7nbtbt.exe PID 2644 wrote to memory of 2480 2644 hhthbh.exe 7nbtbt.exe PID 2480 wrote to memory of 960 2480 7nbtbt.exe 7pjjp.exe PID 2480 wrote to memory of 960 2480 7nbtbt.exe 7pjjp.exe PID 2480 wrote to memory of 960 2480 7nbtbt.exe 7pjjp.exe PID 2480 wrote to memory of 960 2480 7nbtbt.exe 7pjjp.exe PID 960 wrote to memory of 2308 960 7pjjp.exe rfrrlll.exe PID 960 wrote to memory of 2308 960 7pjjp.exe rfrrlll.exe PID 960 wrote to memory of 2308 960 7pjjp.exe rfrrlll.exe PID 960 wrote to memory of 2308 960 7pjjp.exe rfrrlll.exe PID 2308 wrote to memory of 1612 2308 rfrrlll.exe tnthtb.exe PID 2308 wrote to memory of 1612 2308 rfrrlll.exe tnthtb.exe PID 2308 wrote to memory of 1612 2308 rfrrlll.exe tnthtb.exe PID 2308 wrote to memory of 1612 2308 rfrrlll.exe tnthtb.exe PID 1612 wrote to memory of 1652 1612 tnthtb.exe jddvp.exe PID 1612 wrote to memory of 1652 1612 tnthtb.exe jddvp.exe PID 1612 wrote to memory of 1652 1612 tnthtb.exe jddvp.exe PID 1612 wrote to memory of 1652 1612 tnthtb.exe jddvp.exe PID 1652 wrote to memory of 1752 1652 jddvp.exe xrxrxxr.exe PID 1652 wrote to memory of 1752 1652 jddvp.exe xrxrxxr.exe PID 1652 wrote to memory of 1752 1652 jddvp.exe xrxrxxr.exe PID 1652 wrote to memory of 1752 1652 jddvp.exe xrxrxxr.exe PID 1752 wrote to memory of 1736 1752 xrxrxxr.exe rflrlrx.exe PID 1752 wrote to memory of 1736 1752 xrxrxxr.exe rflrlrx.exe PID 1752 wrote to memory of 1736 1752 xrxrxxr.exe rflrlrx.exe PID 1752 wrote to memory of 1736 1752 xrxrxxr.exe rflrlrx.exe PID 1736 wrote to memory of 1832 1736 rflrlrx.exe nhbbhn.exe PID 1736 wrote to memory of 1832 1736 rflrlrx.exe nhbbhn.exe PID 1736 wrote to memory 
of 1832 1736 rflrlrx.exe nhbbhn.exe PID 1736 wrote to memory of 1832 1736 rflrlrx.exe nhbbhn.exe PID 1832 wrote to memory of 2840 1832 nhbbhn.exe 9nhnbb.exe PID 1832 wrote to memory of 2840 1832 nhbbhn.exe 9nhnbb.exe PID 1832 wrote to memory of 2840 1832 nhbbhn.exe 9nhnbb.exe PID 1832 wrote to memory of 2840 1832 nhbbhn.exe 9nhnbb.exe
Processes (tree view; each entry is the rendered image path and command line, followed by its nesting depth ⤵ and PID — the root sample runs from the user's Temp directory, every later link from the C:\ root)
-
C:\Users\Admin\AppData\Local\Temp\b4887bb83c159ffd4928bea12964e04fa4c0fc2dff0535c99210459e803c9422.exe"C:\Users\Admin\AppData\Local\Temp\b4887bb83c159ffd4928bea12964e04fa4c0fc2dff0535c99210459e803c9422.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3028 -
\??\c:\7hbhtt.exec:\7hbhtt.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2036 -
\??\c:\9bntnh.exec:\9bntnh.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2032 -
\??\c:\fflxfrf.exec:\fflxfrf.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2580 -
\??\c:\btbthh.exec:\btbthh.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2700 -
\??\c:\ddjvp.exec:\ddjvp.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2752 -
\??\c:\xlxxlfr.exec:\xlxxlfr.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2060 -
\??\c:\hhthbh.exec:\hhthbh.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2644 -
\??\c:\7nbtbt.exec:\7nbtbt.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2480 -
\??\c:\7pjjp.exec:\7pjjp.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:960 -
\??\c:\rfrrlll.exec:\rfrrlll.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2308 -
\??\c:\tnthtb.exec:\tnthtb.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1612 -
\??\c:\jddvp.exec:\jddvp.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1652 -
\??\c:\xrxrxxr.exec:\xrxrxxr.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1752 -
\??\c:\rflrlrx.exec:\rflrlrx.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1736 -
\??\c:\nhbbhn.exec:\nhbbhn.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1832 -
\??\c:\9nhnbb.exec:\9nhnbb.exe17⤵
- Executes dropped EXE
PID:2840 -
\??\c:\7dvdd.exec:\7dvdd.exe18⤵
- Executes dropped EXE
PID:1868 -
\??\c:\3lxffrx.exec:\3lxffrx.exe19⤵
- Executes dropped EXE
PID:1476 -
\??\c:\nbtnhn.exec:\nbtnhn.exe20⤵
- Executes dropped EXE
PID:2120 -
\??\c:\btbhnn.exec:\btbhnn.exe21⤵
- Executes dropped EXE
PID:2024 -
\??\c:\vjvvp.exec:\vjvvp.exe22⤵
- Executes dropped EXE
PID:1956 -
\??\c:\rflxxrx.exec:\rflxxrx.exe23⤵
- Executes dropped EXE
PID:2908 -
\??\c:\3bnnnn.exec:\3bnnnn.exe24⤵
- Executes dropped EXE
PID:480 -
\??\c:\pjdjp.exec:\pjdjp.exe25⤵
- Executes dropped EXE
PID:672 -
\??\c:\5flrfrf.exec:\5flrfrf.exe26⤵
- Executes dropped EXE
PID:712 -
\??\c:\9lxlrxf.exec:\9lxlrxf.exe27⤵
- Executes dropped EXE
PID:1904 -
\??\c:\9ntttt.exec:\9ntttt.exe28⤵
- Executes dropped EXE
PID:108 -
\??\c:\vppjj.exec:\vppjj.exe29⤵
- Executes dropped EXE
PID:1224 -
\??\c:\xlxlxrr.exec:\xlxlxrr.exe30⤵
- Executes dropped EXE
PID:3032 -
\??\c:\hbhhbb.exec:\hbhhbb.exe31⤵
- Executes dropped EXE
PID:2224 -
\??\c:\1ntbnn.exec:\1ntbnn.exe32⤵
- Executes dropped EXE
PID:3000 -
\??\c:\vjpvv.exec:\vjpvv.exe33⤵
- Executes dropped EXE
PID:1188 -
\??\c:\rxrffll.exec:\rxrffll.exe34⤵
- Executes dropped EXE
PID:1872 -
\??\c:\nhhhtb.exec:\nhhhtb.exe35⤵
- Executes dropped EXE
PID:2848 -
\??\c:\nbhbbt.exec:\nbhbbt.exe36⤵
- Executes dropped EXE
PID:2412 -
\??\c:\ddvdv.exec:\ddvdv.exe37⤵
- Executes dropped EXE
PID:2152 -
\??\c:\9lxxxlx.exec:\9lxxxlx.exe38⤵
- Executes dropped EXE
PID:2344 -
\??\c:\rfllrlr.exec:\rfllrlr.exe39⤵
- Executes dropped EXE
PID:2668 -
\??\c:\bthnbn.exec:\bthnbn.exe40⤵
- Executes dropped EXE
PID:2616 -
\??\c:\thnntn.exec:\thnntn.exe41⤵
- Executes dropped EXE
PID:2604 -
\??\c:\7jjpd.exec:\7jjpd.exe42⤵
- Executes dropped EXE
PID:2588 -
\??\c:\rlrrffx.exec:\rlrrffx.exe43⤵
- Executes dropped EXE
PID:2792 -
\??\c:\ffxfrfx.exec:\ffxfrfx.exe44⤵
- Executes dropped EXE
PID:2060 -
\??\c:\tnhnbb.exec:\tnhnbb.exe45⤵
- Executes dropped EXE
PID:2524 -
\??\c:\hhbthb.exec:\hhbthb.exe46⤵
- Executes dropped EXE
PID:2528 -
\??\c:\3pjjp.exec:\3pjjp.exe47⤵
- Executes dropped EXE
PID:1656 -
\??\c:\xxfllff.exec:\xxfllff.exe48⤵
- Executes dropped EXE
PID:1860 -
\??\c:\hbnhhn.exec:\hbnhhn.exe49⤵
- Executes dropped EXE
PID:2868 -
\??\c:\3nbttn.exec:\3nbttn.exe50⤵
- Executes dropped EXE
PID:2508 -
\??\c:\dvdjp.exec:\dvdjp.exe51⤵
- Executes dropped EXE
PID:964 -
\??\c:\vvjpp.exec:\vvjpp.exe52⤵
- Executes dropped EXE
PID:1284 -
\??\c:\rlrxllx.exec:\rlrxllx.exe53⤵
- Executes dropped EXE
PID:1752 -
\??\c:\xrxlxxf.exec:\xrxlxxf.exe54⤵
- Executes dropped EXE
PID:2812 -
\??\c:\5nbtbh.exec:\5nbtbh.exe55⤵
- Executes dropped EXE
PID:2800 -
\??\c:\9pddv.exec:\9pddv.exe56⤵
- Executes dropped EXE
PID:2836 -
\??\c:\3xfxrlr.exec:\3xfxrlr.exe57⤵
- Executes dropped EXE
PID:1572 -
\??\c:\lxlllfl.exec:\lxlllfl.exe58⤵
- Executes dropped EXE
PID:1140 -
\??\c:\3rxflff.exec:\3rxflff.exe59⤵
- Executes dropped EXE
PID:2568 -
\??\c:\tnhhnn.exec:\tnhhnn.exe60⤵
- Executes dropped EXE
PID:1704 -
\??\c:\9nbthb.exec:\9nbthb.exe61⤵
- Executes dropped EXE
PID:2448 -
\??\c:\jvddd.exec:\jvddd.exe62⤵
- Executes dropped EXE
PID:2024 -
\??\c:\pjddj.exec:\pjddj.exe63⤵
- Executes dropped EXE
PID:592 -
\??\c:\5lfxflr.exec:\5lfxflr.exe64⤵
- Executes dropped EXE
PID:324 -
\??\c:\htbbbt.exec:\htbbbt.exe65⤵
- Executes dropped EXE
PID:480 -
\??\c:\htttbt.exec:\htttbt.exe66⤵PID:1500
-
\??\c:\pdpjv.exec:\pdpjv.exe67⤵PID:1888
-
\??\c:\jdvvp.exec:\jdvvp.exe68⤵PID:2372
-
\??\c:\xxxlrll.exec:\xxxlrll.exe69⤵PID:1240
-
\??\c:\fxfxfff.exec:\fxfxfff.exe70⤵PID:1684
-
\??\c:\9bhntn.exec:\9bhntn.exe71⤵PID:1168
-
\??\c:\3hbtbt.exec:\3hbtbt.exe72⤵PID:1184
-
\??\c:\jvdjj.exec:\jvdjj.exe73⤵PID:2236
-
\??\c:\fxrfrlr.exec:\fxrfrlr.exe74⤵PID:952
-
\??\c:\lxfrrlr.exec:\lxfrrlr.exe75⤵PID:2192
-
\??\c:\htbnth.exec:\htbnth.exe76⤵PID:3000
-
\??\c:\1ntttt.exec:\1ntttt.exe77⤵PID:2232
-
\??\c:\jvvjd.exec:\jvvjd.exe78⤵PID:1692
-
\??\c:\djjjp.exec:\djjjp.exe79⤵PID:2240
-
\??\c:\xfxxrlx.exec:\xfxxrlx.exe80⤵PID:2436
-
\??\c:\5rxxrrr.exec:\5rxxrrr.exe81⤵PID:2356
-
\??\c:\nnbbnt.exec:\nnbbnt.exe82⤵PID:2576
-
\??\c:\bhnnnh.exec:\bhnnnh.exe83⤵PID:2684
-
\??\c:\vpjjv.exec:\vpjjv.exe84⤵PID:2636
-
\??\c:\3pjpp.exec:\3pjpp.exe85⤵PID:2716
-
\??\c:\rxlfxfx.exec:\rxlfxfx.exe86⤵PID:2752
-
\??\c:\5bnhnn.exec:\5bnhnn.exe87⤵PID:2952
-
\??\c:\tbthht.exec:\tbthht.exe88⤵PID:2756
-
\??\c:\1pvdd.exec:\1pvdd.exe89⤵PID:2500
-
\??\c:\vjpjj.exec:\vjpjj.exe90⤵PID:2536
-
\??\c:\fxllfrr.exec:\fxllfrr.exe91⤵PID:2528
-
\??\c:\lfrrxrr.exec:\lfrrxrr.exe92⤵PID:2016
-
\??\c:\hthhtn.exec:\hthhtn.exe93⤵PID:2308
-
\??\c:\ththnn.exec:\ththnn.exe94⤵PID:1848
-
\??\c:\jdvvj.exec:\jdvvj.exe95⤵PID:2656
-
\??\c:\frxxxxf.exec:\frxxxxf.exe96⤵PID:1744
-
\??\c:\5flllff.exec:\5flllff.exe97⤵PID:2376
-
\??\c:\tbhnbt.exec:\tbhnbt.exe98⤵PID:1856
-
\??\c:\bhhbbb.exec:\bhhbbb.exe99⤵PID:1832
-
\??\c:\vjjjj.exec:\vjjjj.exe100⤵PID:2840
-
\??\c:\pdjdp.exec:\pdjdp.exe101⤵PID:1460
-
\??\c:\rflxlfl.exec:\rflxlfl.exe102⤵PID:1196
-
\??\c:\fxrfrxl.exec:\fxrfrxl.exe103⤵PID:1540
-
\??\c:\bhnhbt.exec:\bhnhbt.exe104⤵PID:2568
-
\??\c:\bnthnn.exec:\bnthnn.exe105⤵PID:2452
-
\??\c:\jvpjp.exec:\jvpjp.exe106⤵PID:1956
-
\??\c:\vjpjd.exec:\vjpjd.exe107⤵PID:684
-
\??\c:\frlxxrf.exec:\frlxxrf.exe108⤵PID:604
-
\??\c:\lxffxrr.exec:\lxffxrr.exe109⤵PID:324
-
\??\c:\tntbtt.exec:\tntbtt.exe110⤵PID:480
-
\??\c:\nthbhn.exec:\nthbhn.exe111⤵PID:112
-
\??\c:\pjddd.exec:\pjddd.exe112⤵PID:992
-
\??\c:\5pvdp.exec:\5pvdp.exe113⤵PID:2956
-
\??\c:\rlxxxfl.exec:\rlxxxfl.exe114⤵PID:920
-
\??\c:\rlxxxll.exec:\rlxxxll.exe115⤵PID:1684
-
\??\c:\nbhhbn.exec:\nbhhbn.exe116⤵PID:1168
-
\??\c:\thnhhb.exec:\thnhhb.exe117⤵PID:1776
-
\??\c:\vjvvj.exec:\vjvvj.exe118⤵PID:2236
-
\??\c:\pdjpd.exec:\pdjpd.exe119⤵PID:952
-
\??\c:\3rfxrlr.exec:\3rfxrlr.exe120⤵PID:2108
-
\??\c:\llxxffl.exec:\llxxffl.exe121⤵PID:2420
-
\??\c:\thntbt.exec:\thntbt.exe122⤵PID:1872
-