Analysis
-
max time kernel
150s -
max time network
102s -
platform
windows10-2004_x64 -
resource
win10v2004-20240611-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240611-en locale:en-us os:windows10-2004-x64 system -
submitted
21-06-2024 04:48
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
e676e393876e15951962248430ea1cdc5092bc9cbe2a1d1e188fb150bde0a665.exe
Resource
win7-20240508-en
6 signatures
150 seconds
General
-
Target
e676e393876e15951962248430ea1cdc5092bc9cbe2a1d1e188fb150bde0a665.exe
-
Size
267KB
-
MD5
6af7547be49d20a40ddc0333be383ce6
-
SHA1
5a5ef6233eab0fc6238932e709bd2d3e817ff609
-
SHA256
e676e393876e15951962248430ea1cdc5092bc9cbe2a1d1e188fb150bde0a665
-
SHA512
6c135b6439be834aa636ea5a5e1a7b13dbc821e45934b91151c4fa705913a1f3843833d91d02718f1d4af81a21033cde43ae4e7fc52e4c9cad0fd1acbea3ea7a
-
SSDEEP
3072:ymb3NkkiQ3mdBjFIi/0RU6QeYQsm71vPmPzTkV2y/QTa9RBZydZbf83pnzgmmIMY:n3C9BRIG0asYFm71mPfkVB8dKwaWo
Malware Config
Signatures
-
Detect Blackmoon payload 25 IoCs
UPX dump on OEP (original entry point) 27 IoCs
Executes dropped EXE 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-