Analysis
-
max time kernel
150s -
max time network
112s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240508-en locale:en-us os:windows10-2004-x64 system -
submitted
18/05/2024, 01:41
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
a9133cfb31e2d076411ec862b6db2e6be19be142c3de9cd22739b87e5c25704f.exe
Resource
win7-20240221-en
6 signatures
150 seconds
General
-
Target
a9133cfb31e2d076411ec862b6db2e6be19be142c3de9cd22739b87e5c25704f.exe
-
Size
128KB
-
MD5
9122feaedba57c7374bab20e0f5a4eb3
-
SHA1
1c077095107165ac97517056681b64d36a72ff69
-
SHA256
a9133cfb31e2d076411ec862b6db2e6be19be142c3de9cd22739b87e5c25704f
-
SHA512
b206620684196fc2ec951d6f1a23d076f3ad1700131a18dc2b031bba73276df4bbc971cea3a1df6f09e1e750cd8b28db06f7ba190fc09c346993b1ca3aa67de5
-
SSDEEP
3072:ymb3NkkiQ3mdBjFWXkj7afoHvmQ+EZMYX/x6gt6:n3C9BRW0j/uVEZFJvM
Malware Config
Signatures
-
Detect Blackmoon payload 26 IoCs
UPX dump on OEP (original entry point) 30 IoCs
Executes dropped EXE 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\a9133cfb31e2d076411ec862b6db2e6be19be142c3de9cd22739b87e5c25704f.exe"C:\Users\Admin\AppData\Local\Temp\a9133cfb31e2d076411ec862b6db2e6be19be142c3de9cd22739b87e5c25704f.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1124 -
\??\c:\fffxrxx.exec:\fffxrxx.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4468 -
\??\c:\5lrlfff.exec:\5lrlfff.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2424 -
\??\c:\tnhhht.exec:\tnhhht.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4272 -
\??\c:\9hbnbb.exec:\9hbnbb.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2408 -
\??\c:\tnhbnt.exec:\tnhbnt.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4776 -
\??\c:\jpjpd.exec:\jpjpd.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1140 -
\??\c:\9flrlxx.exec:\9flrlxx.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3360 -
\??\c:\7rlfffr.exec:\7rlfffr.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4952 -
\??\c:\nbhhhh.exec:\nbhhhh.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4604 -
\??\c:\dpdvv.exec:\dpdvv.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4556 -
\??\c:\lxfffll.exec:\lxfffll.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5232 -
\??\c:\vppdj.exec:\vppdj.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4452 -
\??\c:\1lxrrrx.exec:\1lxrrrx.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4220 -
\??\c:\hnhnhb.exec:\hnhnhb.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4624 -
\??\c:\vvpjp.exec:\vvpjp.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3440 -
\??\c:\xxxxrll.exec:\xxxxrll.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2092 -
\??\c:\bbbbnn.exec:\bbbbnn.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5032 -
\??\c:\5tbbbh.exec:\5tbbbh.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3620 -
\??\c:\7ffffxr.exec:\7ffffxr.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1852 -
\??\c:\btnntt.exec:\btnntt.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3748 -
\??\c:\ddjpd.exec:\ddjpd.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4552 -
\??\c:\jjjjj.exec:\jjjjj.exe23⤵
- Executes dropped EXE
PID:5688 -
\??\c:\3lxxxfx.exec:\3lxxxfx.exe24⤵
- Executes dropped EXE
PID:840 -
\??\c:\btbhbt.exec:\btbhbt.exe25⤵
- Executes dropped EXE
PID:2024 -
\??\c:\vjppp.exec:\vjppp.exe26⤵
- Executes dropped EXE
PID:396 -
\??\c:\5xfxlxl.exec:\5xfxlxl.exe27⤵
- Executes dropped EXE
PID:4212 -
\??\c:\hbnnnn.exec:\hbnnnn.exe28⤵
- Executes dropped EXE
PID:3040 -
\??\c:\jpdjd.exec:\jpdjd.exe29⤵
- Executes dropped EXE
PID:1796 -
\??\c:\1llfxll.exec:\1llfxll.exe30⤵
- Executes dropped EXE
PID:3260 -
\??\c:\tnhtbt.exec:\tnhtbt.exe31⤵
- Executes dropped EXE
PID:5760 -
\??\c:\pdjpj.exec:\pdjpj.exe32⤵
- Executes dropped EXE
PID:3552 -
\??\c:\lflfffx.exec:\lflfffx.exe33⤵
- Executes dropped EXE
PID:3948 -
\??\c:\btnhbb.exec:\btnhbb.exe34⤵
- Executes dropped EXE
PID:776 -
\??\c:\pvjdj.exec:\pvjdj.exe35⤵
- Executes dropped EXE
PID:816 -
\??\c:\9llfrxx.exec:\9llfrxx.exe36⤵
- Executes dropped EXE
PID:5396 -
\??\c:\9rrlffx.exec:\9rrlffx.exe37⤵
- Executes dropped EXE
PID:4076 -
\??\c:\5tthnh.exec:\5tthnh.exe38⤵
- Executes dropped EXE
PID:5960 -
\??\c:\vvdvj.exec:\vvdvj.exe39⤵
- Executes dropped EXE
PID:4600 -
\??\c:\jvppj.exec:\jvppj.exe40⤵
- Executes dropped EXE
PID:388 -
\??\c:\rrrxxxx.exec:\rrrxxxx.exe41⤵
- Executes dropped EXE
PID:1316 -
\??\c:\bbtnhh.exec:\bbtnhh.exe42⤵
- Executes dropped EXE
PID:5292 -
\??\c:\3nhhbt.exec:\3nhhbt.exe43⤵
- Executes dropped EXE
PID:760 -
\??\c:\pdvpp.exec:\pdvpp.exe44⤵
- Executes dropped EXE
PID:4872 -
\??\c:\rlfrffl.exec:\rlfrffl.exe45⤵
- Executes dropped EXE
PID:844 -
\??\c:\1ffxrll.exec:\1ffxrll.exe46⤵
- Executes dropped EXE
PID:2364 -
\??\c:\bbbbbb.exec:\bbbbbb.exe47⤵
- Executes dropped EXE
PID:5016 -
\??\c:\jpdjd.exec:\jpdjd.exe48⤵
- Executes dropped EXE
PID:2672 -
\??\c:\ffrrxff.exec:\ffrrxff.exe49⤵
- Executes dropped EXE
PID:2264 -
\??\c:\fxfxrxr.exec:\fxfxrxr.exe50⤵
- Executes dropped EXE
PID:3348 -
\??\c:\nhnntn.exec:\nhnntn.exe51⤵
- Executes dropped EXE
PID:2224 -
\??\c:\vvdvp.exec:\vvdvp.exe52⤵
- Executes dropped EXE
PID:3236 -
\??\c:\ffllxll.exec:\ffllxll.exe53⤵
- Executes dropped EXE
PID:4396 -
\??\c:\lxlffff.exec:\lxlffff.exe54⤵
- Executes dropped EXE
PID:4308 -
\??\c:\bnbbtb.exec:\bnbbtb.exe55⤵
- Executes dropped EXE
PID:4068 -
\??\c:\9hnhhh.exec:\9hnhhh.exe56⤵
- Executes dropped EXE
PID:5652 -
\??\c:\ddpvv.exec:\ddpvv.exe57⤵
- Executes dropped EXE
PID:2160 -
\??\c:\xflllll.exec:\xflllll.exe58⤵
- Executes dropped EXE
PID:6124 -
\??\c:\rrllxff.exec:\rrllxff.exe59⤵
- Executes dropped EXE
PID:6024 -
\??\c:\ntnnhb.exec:\ntnnhb.exe60⤵
- Executes dropped EXE
PID:3804 -
\??\c:\jppjd.exec:\jppjd.exe61⤵
- Executes dropped EXE
PID:4416 -
\??\c:\dvdvd.exec:\dvdvd.exe62⤵
- Executes dropped EXE
PID:4312 -
\??\c:\ffllxfr.exec:\ffllxfr.exe63⤵
- Executes dropped EXE
PID:6088 -
\??\c:\nhhtbb.exec:\nhhtbb.exe64⤵
- Executes dropped EXE
PID:4380 -
\??\c:\vdjjv.exec:\vdjjv.exe65⤵
- Executes dropped EXE
PID:5496 -
\??\c:\ddjvp.exec:\ddjvp.exe66⤵PID:3976
-
\??\c:\xlxxlrr.exec:\xlxxlrr.exe67⤵PID:1196
-
\??\c:\5hnnhh.exec:\5hnnhh.exe68⤵PID:4408
-
\??\c:\jdjdp.exec:\jdjdp.exe69⤵PID:2384
-
\??\c:\dpddd.exec:\dpddd.exe70⤵PID:4336
-
\??\c:\7rlllll.exec:\7rlllll.exe71⤵PID:4868
-
\??\c:\5bnhbt.exec:\5bnhbt.exe72⤵PID:5324
-
\??\c:\bthbhh.exec:\bthbhh.exe73⤵PID:2052
-
\??\c:\ppvvv.exec:\ppvvv.exe74⤵PID:5000
-
\??\c:\ppvvp.exec:\ppvvp.exe75⤵PID:1764
-
\??\c:\rllllrf.exec:\rllllrf.exe76⤵PID:4940
-
\??\c:\9bhhbh.exec:\9bhhbh.exe77⤵PID:5180
-
\??\c:\bththt.exec:\bththt.exe78⤵PID:5144
-
\??\c:\dvvvj.exec:\dvvvj.exe79⤵PID:6116
-
\??\c:\lffffll.exec:\lffffll.exe80⤵PID:1484
-
\??\c:\nhbhnt.exec:\nhbhnt.exe81⤵PID:3660
-
\??\c:\bbnhnn.exec:\bbnhnn.exe82⤵PID:4092
-
\??\c:\ddvvd.exec:\ddvvd.exe83⤵PID:3440
-
\??\c:\fffffll.exec:\fffffll.exe84⤵PID:2092
-
\??\c:\lrlxffx.exec:\lrlxffx.exe85⤵PID:5692
-
\??\c:\nhntbb.exec:\nhntbb.exe86⤵PID:3116
-
\??\c:\hthbtb.exec:\hthbtb.exe87⤵PID:5092
-
\??\c:\vjpjd.exec:\vjpjd.exe88⤵PID:1852
-
\??\c:\ffrlfrx.exec:\ffrlfrx.exe89⤵PID:2852
-
\??\c:\1xffxff.exec:\1xffxff.exe90⤵PID:1872
-
\??\c:\ttnhht.exec:\ttnhht.exe91⤵PID:4972
-
\??\c:\jdddv.exec:\jdddv.exe92⤵PID:2352
-
\??\c:\dvjvd.exec:\dvjvd.exe93⤵PID:1992
-
\??\c:\3rfxrrl.exec:\3rfxrrl.exe94⤵PID:2324
-
\??\c:\tnhhnb.exec:\tnhhnb.exe95⤵PID:564
-
\??\c:\dvdvv.exec:\dvdvv.exe96⤵PID:3104
-
\??\c:\ppdjd.exec:\ppdjd.exe97⤵PID:4672
-
\??\c:\rrrlxxf.exec:\rrrlxxf.exe98⤵PID:6108
-
\??\c:\frrxxfx.exec:\frrxxfx.exe99⤵PID:2148
-
\??\c:\nbbtbn.exec:\nbbtbn.exe100⤵PID:5556
-
\??\c:\ppjdd.exec:\ppjdd.exe101⤵PID:3084
-
\??\c:\vdpdp.exec:\vdpdp.exe102⤵PID:3480
-
\??\c:\rxrlfff.exec:\rxrlfff.exe103⤵PID:5520
-
\??\c:\thhttn.exec:\thhttn.exe104⤵PID:2972
-
\??\c:\bthbtn.exec:\bthbtn.exe105⤵PID:5268
-
\??\c:\lllffrf.exec:\lllffrf.exe106⤵PID:5888
-
\??\c:\hbhbth.exec:\hbhbth.exe107⤵PID:2328
-
\??\c:\dddvp.exec:\dddvp.exe108⤵PID:428
-
\??\c:\rrxrlll.exec:\rrxrlll.exe109⤵PID:2492
-
\??\c:\3htttt.exec:\3htttt.exe110⤵PID:4724
-
\??\c:\rlrrrxf.exec:\rlrrrxf.exe111⤵PID:4684
-
\??\c:\1bbbbb.exec:\1bbbbb.exe112⤵PID:1904
-
\??\c:\nhtnnh.exec:\nhtnnh.exe113⤵PID:5776
-
\??\c:\9ppjv.exec:\9ppjv.exe114⤵PID:5460
-
\??\c:\xfxlllr.exec:\xfxlllr.exe115⤵PID:5492
-
\??\c:\nbnbhb.exec:\nbnbhb.exe116⤵PID:760
-
\??\c:\fxrxxxf.exec:\fxrxxxf.exe117⤵PID:1632
-
\??\c:\tnnbht.exec:\tnnbht.exe118⤵PID:2572
-
\??\c:\pvjvd.exec:\pvjvd.exe119⤵PID:4524
-
\??\c:\jdddp.exec:\jdddp.exe120⤵PID:5016
-
\??\c:\xrxfxxr.exec:\xrxfxxr.exe121⤵PID:2660
-
\??\c:\9xlxrrr.exec:\9xlxrrr.exe122⤵PID:4704