Analysis
-
max time kernel
150s -
max time network
105s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system -
submitted
18/05/2024, 01:40
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
a89d8e2a1996e5ba30d25815e86716fd5d71970975946d84fa0e4fb565c9df02.exe
Resource
win7-20240221-en
6 signatures
150 seconds
General
-
Target
a89d8e2a1996e5ba30d25815e86716fd5d71970975946d84fa0e4fb565c9df02.exe
-
Size
65KB
-
MD5
8214cb432b0f8f87043cf183b9cc1907
-
SHA1
30bc370261e92e21d4bbee094f7abc925263243b
-
SHA256
a89d8e2a1996e5ba30d25815e86716fd5d71970975946d84fa0e4fb565c9df02
-
SHA512
716d6ceb074fb80792febf33d674574e7e325ef105d55e8fdd3c60f2e88dfd1a37454819f01f7fe773a5703e872583b552c10b0f4449f82d3f3ba1f892967132
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDIb0z6Mu/ePS3AyXmPh:ymb3NkkiQ3mdBjFI46TQyXmPh
Malware Config
Signatures
-
Detect Blackmoon payload 26 IoCs
resource yara_rule behavioral2/memory/2372-5-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2316-13-0x0000000000401000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2316-12-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4868-18-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1216-38-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3724-42-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3724-41-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3576-114-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2080-162-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3484-180-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1604-210-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1600-204-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4460-198-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/5044-187-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1012-150-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4780-144-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2024-133-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3440-108-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2572-102-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4244-90-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2548-81-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon 
behavioral2/memory/4564-73-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4564-72-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2152-65-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/976-58-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3672-50-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon -
UPX dump on OEP (original entry point) 30 IoCs
resource yara_rule behavioral2/memory/2372-5-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/2316-12-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/4868-18-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/1216-31-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/1216-38-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/3724-42-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/3724-41-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/3724-40-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/3576-114-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/2080-162-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/3484-180-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/1604-210-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/1600-204-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/4460-198-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/5044-187-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/1012-150-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/4780-144-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/2024-133-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/3440-108-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/2572-102-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/4244-90-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/2548-81-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/4564-73-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/4564-72-0x0000000000400000-0x0000000000429000-memory.dmp UPX 
behavioral2/memory/4564-71-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/2152-65-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/976-58-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/3672-50-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/3672-49-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/1216-32-0x0000000000400000-0x0000000000429000-memory.dmp UPX -
Executes dropped EXE 64 IoCs
pid Process 2316 rfxlxrl.exe 4868 7ntnhh.exe 5100 9pjdp.exe 1216 lxlfxrx.exe 3724 btnhbb.exe 3672 1hbbht.exe 976 pjvpp.exe 2152 9lffrrl.exe 4564 fxlfxxr.exe 2548 bnbnbn.exe 4244 bttntn.exe 1856 1vvpd.exe 2572 lfxxxff.exe 3440 rrrrllr.exe 3576 nbbntt.exe 4060 nhnbth.exe 1756 pjppv.exe 2024 frxrfxx.exe 4056 xxrfllx.exe 4780 bbnhbb.exe 1012 1bnntn.exe 1668 vdpjj.exe 2080 1jdpj.exe 1744 rrrlfll.exe 1660 rfrllll.exe 3484 9nttnn.exe 5044 nnhbtn.exe 4524 jdvjv.exe 4460 5rxlxrx.exe 1600 3rrlllf.exe 1604 ppjdv.exe 4212 vvpdd.exe 528 5fflxrl.exe 4412 rlxrlff.exe 1828 3htbht.exe 2888 1ttnbt.exe 1904 vpvpp.exe 2492 dvvpd.exe 1216 lxlxfxf.exe 4020 9xflrxf.exe 3724 3btnnb.exe 1680 nbbtbh.exe 976 pvpjj.exe 2936 jdjvj.exe 2792 xrllxlx.exe 4008 thbtnn.exe 4680 thbntb.exe 1816 vdvdd.exe 1592 pdpdp.exe 2040 9frfxrf.exe 1272 tnbttn.exe 2928 bnhtnh.exe 384 jdjdp.exe 1516 3dvpv.exe 4060 xxlfxxr.exe 2616 xlxrfrx.exe 3628 tnbbtb.exe 3592 jddvp.exe 2140 pdvjv.exe 4628 lllxxxl.exe 1012 lfxrlfx.exe 3356 nnbnht.exe 4696 btnbhn.exe 2828 pvvvp.exe -
resource yara_rule behavioral2/memory/2372-5-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2316-12-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4868-18-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1216-31-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1216-38-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3724-42-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3724-41-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3724-40-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3576-114-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2080-162-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3484-180-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1604-210-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1600-204-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4460-198-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/5044-187-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1012-150-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4780-144-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2024-133-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3440-108-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2572-102-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4244-90-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2548-81-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4564-73-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4564-72-0x0000000000400000-0x0000000000429000-memory.dmp upx 
behavioral2/memory/4564-71-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2152-65-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/976-58-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3672-50-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3672-49-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1216-32-0x0000000000400000-0x0000000000429000-memory.dmp upx -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2372 wrote to memory of 2316 2372 a89d8e2a1996e5ba30d25815e86716fd5d71970975946d84fa0e4fb565c9df02.exe 82 PID 2372 wrote to memory of 2316 2372 a89d8e2a1996e5ba30d25815e86716fd5d71970975946d84fa0e4fb565c9df02.exe 82 PID 2372 wrote to memory of 2316 2372 a89d8e2a1996e5ba30d25815e86716fd5d71970975946d84fa0e4fb565c9df02.exe 82 PID 2316 wrote to memory of 4868 2316 rfxlxrl.exe 83 PID 2316 wrote to memory of 4868 2316 rfxlxrl.exe 83 PID 2316 wrote to memory of 4868 2316 rfxlxrl.exe 83 PID 4868 wrote to memory of 5100 4868 7ntnhh.exe 84 PID 4868 wrote to memory of 5100 4868 7ntnhh.exe 84 PID 4868 wrote to memory of 5100 4868 7ntnhh.exe 84 PID 5100 wrote to memory of 1216 5100 9pjdp.exe 124 PID 5100 wrote to memory of 1216 5100 9pjdp.exe 124 PID 5100 wrote to memory of 1216 5100 9pjdp.exe 124 PID 1216 wrote to memory of 3724 1216 lxlfxrx.exe 126 PID 1216 wrote to memory of 3724 1216 lxlfxrx.exe 126 PID 1216 wrote to memory of 3724 1216 lxlfxrx.exe 126 PID 3724 wrote to memory of 3672 3724 btnhbb.exe 87 PID 3724 wrote to memory of 3672 3724 btnhbb.exe 87 PID 3724 wrote to memory of 3672 3724 btnhbb.exe 87 PID 3672 wrote to memory of 976 3672 1hbbht.exe 89 PID 3672 wrote to memory of 976 3672 1hbbht.exe 89 PID 3672 wrote to memory of 976 3672 1hbbht.exe 89 PID 976 wrote to memory of 2152 976 pjvpp.exe 214 PID 976 wrote to memory of 2152 976 pjvpp.exe 214 PID 976 wrote to memory of 2152 976 pjvpp.exe 214 PID 2152 wrote to memory of 4564 2152 9lffrrl.exe 91 PID 2152 wrote to memory of 4564 2152 9lffrrl.exe 91 PID 2152 wrote to memory of 4564 2152 9lffrrl.exe 91 PID 4564 wrote to memory of 2548 4564 fxlfxxr.exe 92 PID 4564 wrote to memory of 2548 4564 fxlfxxr.exe 92 PID 4564 wrote to memory of 2548 4564 fxlfxxr.exe 92 PID 2548 wrote to memory of 4244 2548 bnbnbn.exe 93 PID 2548 wrote to memory of 4244 2548 bnbnbn.exe 93 PID 2548 wrote to memory of 4244 2548 bnbnbn.exe 93 PID 4244 wrote to memory of 1856 4244 bttntn.exe 220 PID 4244 
wrote to memory of 1856 4244 bttntn.exe 220 PID 4244 wrote to memory of 1856 4244 bttntn.exe 220 PID 1856 wrote to memory of 2572 1856 1vvpd.exe 178 PID 1856 wrote to memory of 2572 1856 1vvpd.exe 178 PID 1856 wrote to memory of 2572 1856 1vvpd.exe 178 PID 2572 wrote to memory of 3440 2572 lfxxxff.exe 225 PID 2572 wrote to memory of 3440 2572 lfxxxff.exe 225 PID 2572 wrote to memory of 3440 2572 lfxxxff.exe 225 PID 3440 wrote to memory of 3576 3440 rrrrllr.exe 98 PID 3440 wrote to memory of 3576 3440 rrrrllr.exe 98 PID 3440 wrote to memory of 3576 3440 rrrrllr.exe 98 PID 3576 wrote to memory of 4060 3576 nbbntt.exe 99 PID 3576 wrote to memory of 4060 3576 nbbntt.exe 99 PID 3576 wrote to memory of 4060 3576 nbbntt.exe 99 PID 4060 wrote to memory of 1756 4060 nhnbth.exe 183 PID 4060 wrote to memory of 1756 4060 nhnbth.exe 183 PID 4060 wrote to memory of 1756 4060 nhnbth.exe 183 PID 1756 wrote to memory of 2024 1756 pjppv.exe 228 PID 1756 wrote to memory of 2024 1756 pjppv.exe 228 PID 1756 wrote to memory of 2024 1756 pjppv.exe 228 PID 2024 wrote to memory of 4056 2024 frxrfxx.exe 103 PID 2024 wrote to memory of 4056 2024 frxrfxx.exe 103 PID 2024 wrote to memory of 4056 2024 frxrfxx.exe 103 PID 4056 wrote to memory of 4780 4056 xxrfllx.exe 187 PID 4056 wrote to memory of 4780 4056 xxrfllx.exe 187 PID 4056 wrote to memory of 4780 4056 xxrfllx.exe 187 PID 4780 wrote to memory of 1012 4780 bbnhbb.exe 146 PID 4780 wrote to memory of 1012 4780 bbnhbb.exe 146 PID 4780 wrote to memory of 1012 4780 bbnhbb.exe 146 PID 1012 wrote to memory of 1668 1012 1bnntn.exe 233
Processes
-
C:\Users\Admin\AppData\Local\Temp\a89d8e2a1996e5ba30d25815e86716fd5d71970975946d84fa0e4fb565c9df02.exe "C:\Users\Admin\AppData\Local\Temp\a89d8e2a1996e5ba30d25815e86716fd5d71970975946d84fa0e4fb565c9df02.exe" 1⤵
- Suspicious use of WriteProcessMemory
PID:2372 -
\??\c:\rfxlxrl.exec:\rfxlxrl.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2316 -
\??\c:\7ntnhh.exec:\7ntnhh.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4868 -
\??\c:\9pjdp.exec:\9pjdp.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5100 -
\??\c:\lxlfxrx.exec:\lxlfxrx.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1216 -
\??\c:\btnhbb.exec:\btnhbb.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3724 -
\??\c:\1hbbht.exec:\1hbbht.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3672 -
\??\c:\pjvpp.exec:\pjvpp.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:976 -
\??\c:\9lffrrl.exec:\9lffrrl.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2152 -
\??\c:\fxlfxxr.exec:\fxlfxxr.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4564 -
\??\c:\bnbnbn.exec:\bnbnbn.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2548 -
\??\c:\bttntn.exec:\bttntn.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4244 -
\??\c:\1vvpd.exec:\1vvpd.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1856 -
\??\c:\lfxxxff.exec:\lfxxxff.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2572 -
\??\c:\rrrrllr.exec:\rrrrllr.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3440 -
\??\c:\nbbntt.exec:\nbbntt.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3576 -
\??\c:\nhnbth.exec:\nhnbth.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4060 -
\??\c:\pjppv.exec:\pjppv.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1756 -
\??\c:\frxrfxx.exec:\frxrfxx.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2024 -
\??\c:\xxrfllx.exec:\xxrfllx.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4056 -
\??\c:\bbnhbb.exec:\bbnhbb.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4780 -
\??\c:\1bnntn.exec:\1bnntn.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1012 -
\??\c:\vdpjj.exec:\vdpjj.exe23⤵
- Executes dropped EXE
PID:1668 -
\??\c:\1jdpj.exec:\1jdpj.exe24⤵
- Executes dropped EXE
PID:2080 -
\??\c:\rrrlfll.exec:\rrrlfll.exe25⤵
- Executes dropped EXE
PID:1744 -
\??\c:\rfrllll.exec:\rfrllll.exe26⤵
- Executes dropped EXE
PID:1660 -
\??\c:\9nttnn.exec:\9nttnn.exe27⤵
- Executes dropped EXE
PID:3484 -
\??\c:\nnhbtn.exec:\nnhbtn.exe28⤵
- Executes dropped EXE
PID:5044 -
\??\c:\jdvjv.exec:\jdvjv.exe29⤵
- Executes dropped EXE
PID:4524 -
\??\c:\5rxlxrx.exec:\5rxlxrx.exe30⤵
- Executes dropped EXE
PID:4460 -
\??\c:\3rrlllf.exec:\3rrlllf.exe31⤵
- Executes dropped EXE
PID:1600 -
\??\c:\ppjdv.exec:\ppjdv.exe32⤵
- Executes dropped EXE
PID:1604 -
\??\c:\vvpdd.exec:\vvpdd.exe33⤵
- Executes dropped EXE
PID:4212 -
\??\c:\5fflxrl.exec:\5fflxrl.exe34⤵
- Executes dropped EXE
PID:528 -
\??\c:\rlxrlff.exec:\rlxrlff.exe35⤵
- Executes dropped EXE
PID:4412 -
\??\c:\3htbht.exec:\3htbht.exe36⤵
- Executes dropped EXE
PID:1828 -
\??\c:\1ttnbt.exec:\1ttnbt.exe37⤵
- Executes dropped EXE
PID:2888 -
\??\c:\vpvpp.exec:\vpvpp.exe38⤵
- Executes dropped EXE
PID:1904 -
\??\c:\dvvpd.exec:\dvvpd.exe39⤵
- Executes dropped EXE
PID:2492 -
\??\c:\lxlxfxf.exec:\lxlxfxf.exe40⤵
- Executes dropped EXE
PID:1216 -
\??\c:\9xflrxf.exec:\9xflrxf.exe41⤵
- Executes dropped EXE
PID:4020 -
\??\c:\3btnnb.exec:\3btnnb.exe42⤵
- Executes dropped EXE
PID:3724 -
\??\c:\nbbtbh.exec:\nbbtbh.exe43⤵
- Executes dropped EXE
PID:1680 -
\??\c:\pvpjj.exec:\pvpjj.exe44⤵
- Executes dropped EXE
PID:976 -
\??\c:\jdjvj.exec:\jdjvj.exe45⤵
- Executes dropped EXE
PID:2936 -
\??\c:\xrllxlx.exec:\xrllxlx.exe46⤵
- Executes dropped EXE
PID:2792 -
\??\c:\thbtnn.exec:\thbtnn.exe47⤵
- Executes dropped EXE
PID:4008 -
\??\c:\thbntb.exec:\thbntb.exe48⤵
- Executes dropped EXE
PID:4680 -
\??\c:\vdvdd.exec:\vdvdd.exe49⤵
- Executes dropped EXE
PID:1816 -
\??\c:\pdpdp.exec:\pdpdp.exe50⤵
- Executes dropped EXE
PID:1592 -
\??\c:\9frfxrf.exec:\9frfxrf.exe51⤵
- Executes dropped EXE
PID:2040 -
\??\c:\tnbttn.exec:\tnbttn.exe52⤵
- Executes dropped EXE
PID:1272 -
\??\c:\bnhtnh.exec:\bnhtnh.exe53⤵
- Executes dropped EXE
PID:2928 -
\??\c:\jdjdp.exec:\jdjdp.exe54⤵
- Executes dropped EXE
PID:384 -
\??\c:\3dvpv.exec:\3dvpv.exe55⤵
- Executes dropped EXE
PID:1516 -
\??\c:\xxlfxxr.exec:\xxlfxxr.exe56⤵
- Executes dropped EXE
PID:4060 -
\??\c:\xlxrfrx.exec:\xlxrfrx.exe57⤵
- Executes dropped EXE
PID:2616 -
\??\c:\tnbbtb.exec:\tnbbtb.exe58⤵
- Executes dropped EXE
PID:3628 -
\??\c:\jddvp.exec:\jddvp.exe59⤵
- Executes dropped EXE
PID:3592 -
\??\c:\pdvjv.exec:\pdvjv.exe60⤵
- Executes dropped EXE
PID:2140 -
\??\c:\lllxxxl.exec:\lllxxxl.exe61⤵
- Executes dropped EXE
PID:4628 -
\??\c:\lfxrlfx.exec:\lfxrlfx.exe62⤵
- Executes dropped EXE
PID:1012 -
\??\c:\nnbnht.exec:\nnbnht.exe63⤵
- Executes dropped EXE
PID:3356 -
\??\c:\btnbhn.exec:\btnbhn.exe64⤵
- Executes dropped EXE
PID:4696 -
\??\c:\pvvvp.exec:\pvvvp.exe65⤵
- Executes dropped EXE
PID:2828 -
\??\c:\jdpdp.exec:\jdpdp.exe66⤵PID:2348
-
\??\c:\9lfrxrx.exec:\9lfrxrx.exe67⤵PID:3264
-
\??\c:\fffrlxr.exec:\fffrlxr.exe68⤵PID:4036
-
\??\c:\9bbnbt.exec:\9bbnbt.exe69⤵PID:3920
-
\??\c:\jvdjv.exec:\jvdjv.exe70⤵PID:1444
-
\??\c:\ddpjv.exec:\ddpjv.exe71⤵PID:1428
-
\??\c:\frlfxlf.exec:\frlfxlf.exe72⤵PID:512
-
\??\c:\lfxlxrf.exec:\lfxlxrf.exe73⤵PID:1792
-
\??\c:\nhnhhb.exec:\nhnhhb.exe74⤵PID:1396
-
\??\c:\vvpjj.exec:\vvpjj.exe75⤵PID:4508
-
\??\c:\pvdpj.exec:\pvdpj.exe76⤵PID:528
-
\??\c:\xlfxlfx.exec:\xlfxlfx.exe77⤵PID:4544
-
\??\c:\1bbnbb.exec:\1bbnbb.exe78⤵PID:4516
-
\??\c:\tnhbtt.exec:\tnhbtt.exe79⤵PID:4032
-
\??\c:\1jdpj.exec:\1jdpj.exe80⤵PID:2328
-
\??\c:\7vjjv.exec:\7vjjv.exe81⤵PID:3232
-
\??\c:\pvvjv.exec:\pvvjv.exe82⤵PID:220
-
\??\c:\fxlrlxr.exec:\fxlrlxr.exe83⤵PID:3128
-
\??\c:\nnhbtt.exec:\nnhbtt.exe84⤵PID:3656
-
\??\c:\ttbbht.exec:\ttbbht.exe85⤵PID:3044
-
\??\c:\3hhhhh.exec:\3hhhhh.exe86⤵PID:4944
-
\??\c:\pjvvd.exec:\pjvvd.exe87⤵PID:2152
-
\??\c:\vdpvd.exec:\vdpvd.exe88⤵PID:3064
-
\??\c:\xffrlfr.exec:\xffrlfr.exe89⤵PID:1360
-
\??\c:\rrxrlff.exec:\rrxrlff.exe90⤵PID:1020
-
\??\c:\7bthbt.exec:\7bthbt.exe91⤵PID:4248
-
\??\c:\bthbtn.exec:\bthbtn.exe92⤵PID:1116
-
\??\c:\3vdvj.exec:\3vdvj.exe93⤵PID:2612
-
\??\c:\vvjdp.exec:\vvjdp.exe94⤵PID:2572
-
\??\c:\rrrfxlr.exec:\rrrfxlr.exe95⤵PID:4636
-
\??\c:\1bthbb.exec:\1bthbb.exe96⤵PID:3440
-
\??\c:\bttthh.exec:\bttthh.exe97⤵PID:952
-
\??\c:\djjdp.exec:\djjdp.exe98⤵PID:1100
-
\??\c:\pdjvp.exec:\pdjvp.exe99⤵PID:1756
-
\??\c:\djdvp.exec:\djdvp.exe100⤵PID:3768
-
\??\c:\xllfxrf.exec:\xllfxrf.exe101⤵PID:1772
-
\??\c:\hbthnb.exec:\hbthnb.exe102⤵PID:1672
-
\??\c:\tnhbnh.exec:\tnhbnh.exe103⤵PID:4780
-
\??\c:\dvvpj.exec:\dvvpj.exe104⤵PID:4176
-
\??\c:\vpvpv.exec:\vpvpv.exe105⤵PID:3972
-
\??\c:\xxxlxrl.exec:\xxxlxrl.exe106⤵PID:4504
-
\??\c:\thbthb.exec:\thbthb.exe107⤵PID:4668
-
\??\c:\hnhbbh.exec:\hnhbbh.exe108⤵PID:2704
-
\??\c:\ppdvp.exec:\ppdvp.exe109⤵PID:1104
-
\??\c:\pvjdj.exec:\pvjdj.exe110⤵PID:964
-
\??\c:\xlllxxr.exec:\xlllxxr.exe111⤵PID:1344
-
\??\c:\nthbtn.exec:\nthbtn.exe112⤵PID:4324
-
\??\c:\btnbtt.exec:\btnbtt.exe113⤵PID:2592
-
\??\c:\5ddvj.exec:\5ddvj.exe114⤵PID:2200
-
\??\c:\jjpjp.exec:\jjpjp.exe115⤵PID:1600
-
\??\c:\lflxxxl.exec:\lflxxxl.exe116⤵PID:920
-
\??\c:\xxxrfxl.exec:\xxxrfxl.exe117⤵PID:4064
-
\??\c:\nbthhb.exec:\nbthhb.exe118⤵PID:3716
-
\??\c:\hthtnh.exec:\hthtnh.exe119⤵PID:448
-
\??\c:\vjdjj.exec:\vjdjj.exe120⤵PID:3692
-
\??\c:\pvvjd.exec:\pvvjd.exe121⤵PID:4516
-
\??\c:\fxlffxx.exec:\fxlffxx.exe122⤵PID:1904
-