Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240426-en locale:en-us os:windows10-2004-x64 system -
submitted
18/05/2024, 01:22
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
a38e099c3e8f0227566f9aecc9453cc4992f3dc77e008e3a038b732e04b753fd.exe
Resource
win7-20240508-en
6 signatures
150 seconds
General
-
Target
a38e099c3e8f0227566f9aecc9453cc4992f3dc77e008e3a038b732e04b753fd.exe
-
Size
78KB
-
MD5
6b929fe3b72c06b0b38e4a10180bd77c
-
SHA1
c878b7eadc3ca7cea0bad6703203a951fa4ed87b
-
SHA256
a38e099c3e8f0227566f9aecc9453cc4992f3dc77e008e3a038b732e04b753fd
-
SHA512
cc0ae527a0f1f47ac687caa925b0963f60de610c886c8e285e9bc75fa88bc226224111131183376126e24a9cb5f4fb5530805cc43928814c299a54392f6f7950
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDIYgC/KSLJEd2aQ:ymb3NkkiQ3mdBjFI3eFC/Q
Malware Config
Signatures
-
Detect Blackmoon payload 25 IoCs
resource yara_rule
behavioral2/memory/2856-10-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon
behavioral2/memory/4152-12-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon
behavioral2/memory/2088-17-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon
behavioral2/memory/3212-98-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon
behavioral2/memory/3020-122-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon
behavioral2/memory/1696-158-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon
behavioral2/memory/1396-212-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon
behavioral2/memory/3956-200-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon
behavioral2/memory/4308-176-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon
behavioral2/memory/4256-170-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon
behavioral2/memory/5076-152-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon
behavioral2/memory/3468-146-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon
behavioral2/memory/2632-134-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon
behavioral2/memory/3596-128-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon
behavioral2/memory/724-110-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon
behavioral2/memory/3816-104-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon
behavioral2/memory/916-92-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon
behavioral2/memory/4404-73-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon
behavioral2/memory/1008-67-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon
behavioral2/memory/2984-66-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon
behavioral2/memory/1744-60-0x0000000000401000-0x0000000000427000-memory.dmp family_blackmoon
behavioral2/memory/1744-59-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon
behavioral2/memory/4740-53-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon
behavioral2/memory/4588-41-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon
behavioral2/memory/892-27-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon
-
UPX dump on OEP (original entry point) 34 IoCs
resource yara_rule behavioral2/memory/2856-3-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/2856-10-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/4152-12-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/2088-17-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/4588-36-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/4948-81-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/3212-98-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/3020-122-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/1696-158-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/1396-212-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/3956-200-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/4308-176-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/4256-170-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/5076-152-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/3468-146-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/2632-134-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/3596-128-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/724-110-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/3816-104-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/916-92-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/4948-82-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/4404-73-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/1008-67-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/2984-66-0x0000000000400000-0x0000000000429000-memory.dmp UPX 
behavioral2/memory/1744-59-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/4740-53-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/4740-45-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/4740-44-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/4588-41-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/4588-35-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/4588-34-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/892-27-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/892-26-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/892-25-0x0000000000400000-0x0000000000429000-memory.dmp UPX -
Executes dropped EXE 64 IoCs
pid Process 4152 jdjdv.exe 2088 frlllfx.exe 892 rxlrrxx.exe 4588 hhhtht.exe 4740 jjvjp.exe 1744 xxlrrxl.exe 2984 3xllrrl.exe 1008 tbtbbh.exe 4404 nbnnbh.exe 4948 jjjvv.exe 916 vpjpj.exe 3212 lfxlrlr.exe 3816 fxxxxfx.exe 724 bbnbbh.exe 4272 dpjjd.exe 3020 3dppd.exe 3596 frffrll.exe 2632 7hhbtn.exe 336 9vvvp.exe 3468 5vppd.exe 5076 lxlfllr.exe 1696 rrrrlll.exe 4600 hbbbbb.exe 4256 btbbtb.exe 4308 vvjjj.exe 4520 xxxrlll.exe 2684 9htbbt.exe 4696 jvjdp.exe 3956 pdjdv.exe 2732 lfrrrxx.exe 1396 thbhhb.exe 2940 jvjdp.exe 640 3vdvd.exe 432 llxxxfx.exe 4172 llrrrrr.exe 3272 hbhhtt.exe 4868 tthtbb.exe 4700 ppjjd.exe 5112 rrflfff.exe 4740 rfrxxxx.exe 3172 1btbbb.exe 2880 btbbbh.exe 1964 jpvvv.exe 1008 vvjvv.exe 4404 rlxxffl.exe 8 xxllrrr.exe 216 hbbbhb.exe 772 dvdvp.exe 4252 1djjd.exe 4572 fxxxlrx.exe 724 rfrlfff.exe 4224 bthhbh.exe 4676 nhhhbb.exe 1436 jdjjd.exe 3828 dpvvv.exe 2632 9rrrlrl.exe 2960 3xfffxx.exe 3468 tttttb.exe 2156 9tbbnn.exe 2724 3pvvd.exe 3964 vjvvp.exe 3740 llxfxlr.exe 4804 fffxrrl.exe 4256 hnbbhn.exe -
resource yara_rule behavioral2/memory/2856-3-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2856-10-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4152-12-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2088-17-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4588-36-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4948-81-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3212-98-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3020-122-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1696-158-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1396-212-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3956-200-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4308-176-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4256-170-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/5076-152-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3468-146-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2632-134-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3596-128-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/724-110-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3816-104-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/916-92-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4948-82-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4404-73-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1008-67-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2984-66-0x0000000000400000-0x0000000000429000-memory.dmp upx 
behavioral2/memory/1744-59-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4740-53-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4740-45-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4740-44-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4588-41-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4588-35-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4588-34-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/892-27-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/892-26-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/892-25-0x0000000000400000-0x0000000000429000-memory.dmp upx -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2856 wrote to memory of 4152 2856 a38e099c3e8f0227566f9aecc9453cc4992f3dc77e008e3a038b732e04b753fd.exe 83 PID 2856 wrote to memory of 4152 2856 a38e099c3e8f0227566f9aecc9453cc4992f3dc77e008e3a038b732e04b753fd.exe 83 PID 2856 wrote to memory of 4152 2856 a38e099c3e8f0227566f9aecc9453cc4992f3dc77e008e3a038b732e04b753fd.exe 83 PID 4152 wrote to memory of 2088 4152 jdjdv.exe 84 PID 4152 wrote to memory of 2088 4152 jdjdv.exe 84 PID 4152 wrote to memory of 2088 4152 jdjdv.exe 84 PID 2088 wrote to memory of 892 2088 frlllfx.exe 85 PID 2088 wrote to memory of 892 2088 frlllfx.exe 85 PID 2088 wrote to memory of 892 2088 frlllfx.exe 85 PID 892 wrote to memory of 4588 892 rxlrrxx.exe 86 PID 892 wrote to memory of 4588 892 rxlrrxx.exe 86 PID 892 wrote to memory of 4588 892 rxlrrxx.exe 86 PID 4588 wrote to memory of 4740 4588 hhhtht.exe 87 PID 4588 wrote to memory of 4740 4588 hhhtht.exe 87 PID 4588 wrote to memory of 4740 4588 hhhtht.exe 87 PID 4740 wrote to memory of 1744 4740 jjvjp.exe 88 PID 4740 wrote to memory of 1744 4740 jjvjp.exe 88 PID 4740 wrote to memory of 1744 4740 jjvjp.exe 88 PID 1744 wrote to memory of 2984 1744 xxlrrxl.exe 89 PID 1744 wrote to memory of 2984 1744 xxlrrxl.exe 89 PID 1744 wrote to memory of 2984 1744 xxlrrxl.exe 89 PID 2984 wrote to memory of 1008 2984 3xllrrl.exe 90 PID 2984 wrote to memory of 1008 2984 3xllrrl.exe 90 PID 2984 wrote to memory of 1008 2984 3xllrrl.exe 90 PID 1008 wrote to memory of 4404 1008 tbtbbh.exe 91 PID 1008 wrote to memory of 4404 1008 tbtbbh.exe 91 PID 1008 wrote to memory of 4404 1008 tbtbbh.exe 91 PID 4404 wrote to memory of 4948 4404 nbnnbh.exe 92 PID 4404 wrote to memory of 4948 4404 nbnnbh.exe 92 PID 4404 wrote to memory of 4948 4404 nbnnbh.exe 92 PID 4948 wrote to memory of 916 4948 jjjvv.exe 93 PID 4948 wrote to memory of 916 4948 jjjvv.exe 93 PID 4948 wrote to memory of 916 4948 jjjvv.exe 93 PID 916 wrote to memory of 3212 916 vpjpj.exe 94 PID 916 wrote to memory of 3212 
916 vpjpj.exe 94 PID 916 wrote to memory of 3212 916 vpjpj.exe 94 PID 3212 wrote to memory of 3816 3212 lfxlrlr.exe 95 PID 3212 wrote to memory of 3816 3212 lfxlrlr.exe 95 PID 3212 wrote to memory of 3816 3212 lfxlrlr.exe 95 PID 3816 wrote to memory of 724 3816 fxxxxfx.exe 96 PID 3816 wrote to memory of 724 3816 fxxxxfx.exe 96 PID 3816 wrote to memory of 724 3816 fxxxxfx.exe 96 PID 724 wrote to memory of 4272 724 bbnbbh.exe 97 PID 724 wrote to memory of 4272 724 bbnbbh.exe 97 PID 724 wrote to memory of 4272 724 bbnbbh.exe 97 PID 4272 wrote to memory of 3020 4272 dpjjd.exe 98 PID 4272 wrote to memory of 3020 4272 dpjjd.exe 98 PID 4272 wrote to memory of 3020 4272 dpjjd.exe 98 PID 3020 wrote to memory of 3596 3020 3dppd.exe 99 PID 3020 wrote to memory of 3596 3020 3dppd.exe 99 PID 3020 wrote to memory of 3596 3020 3dppd.exe 99 PID 3596 wrote to memory of 2632 3596 frffrll.exe 100 PID 3596 wrote to memory of 2632 3596 frffrll.exe 100 PID 3596 wrote to memory of 2632 3596 frffrll.exe 100 PID 2632 wrote to memory of 336 2632 7hhbtn.exe 101 PID 2632 wrote to memory of 336 2632 7hhbtn.exe 101 PID 2632 wrote to memory of 336 2632 7hhbtn.exe 101 PID 336 wrote to memory of 3468 336 9vvvp.exe 102 PID 336 wrote to memory of 3468 336 9vvvp.exe 102 PID 336 wrote to memory of 3468 336 9vvvp.exe 102 PID 3468 wrote to memory of 5076 3468 5vppd.exe 103 PID 3468 wrote to memory of 5076 3468 5vppd.exe 103 PID 3468 wrote to memory of 5076 3468 5vppd.exe 103 PID 5076 wrote to memory of 1696 5076 lxlfllr.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\a38e099c3e8f0227566f9aecc9453cc4992f3dc77e008e3a038b732e04b753fd.exe "C:\Users\Admin\AppData\Local\Temp\a38e099c3e8f0227566f9aecc9453cc4992f3dc77e008e3a038b732e04b753fd.exe" 1⤵
- Suspicious use of WriteProcessMemory
PID:2856 -
\??\c:\jdjdv.exec:\jdjdv.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4152 -
\??\c:\frlllfx.exec:\frlllfx.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2088 -
\??\c:\rxlrrxx.exec:\rxlrrxx.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:892 -
\??\c:\hhhtht.exec:\hhhtht.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4588 -
\??\c:\jjvjp.exec:\jjvjp.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4740 -
\??\c:\xxlrrxl.exec:\xxlrrxl.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1744 -
\??\c:\3xllrrl.exec:\3xllrrl.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2984 -
\??\c:\tbtbbh.exec:\tbtbbh.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1008 -
\??\c:\nbnnbh.exec:\nbnnbh.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4404 -
\??\c:\jjjvv.exec:\jjjvv.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4948 -
\??\c:\vpjpj.exec:\vpjpj.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:916 -
\??\c:\lfxlrlr.exec:\lfxlrlr.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3212 -
\??\c:\fxxxxfx.exec:\fxxxxfx.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3816 -
\??\c:\bbnbbh.exec:\bbnbbh.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:724 -
\??\c:\dpjjd.exec:\dpjjd.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4272 -
\??\c:\3dppd.exec:\3dppd.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3020 -
\??\c:\frffrll.exec:\frffrll.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3596 -
\??\c:\7hhbtn.exec:\7hhbtn.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2632 -
\??\c:\9vvvp.exec:\9vvvp.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:336 -
\??\c:\5vppd.exec:\5vppd.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3468 -
\??\c:\lxlfllr.exec:\lxlfllr.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5076 -
\??\c:\rrrrlll.exec:\rrrrlll.exe23⤵
- Executes dropped EXE
PID:1696 -
\??\c:\hbbbbb.exec:\hbbbbb.exe24⤵
- Executes dropped EXE
PID:4600 -
\??\c:\btbbtb.exec:\btbbtb.exe25⤵
- Executes dropped EXE
PID:4256 -
\??\c:\vvjjj.exec:\vvjjj.exe26⤵
- Executes dropped EXE
PID:4308 -
\??\c:\xxxrlll.exec:\xxxrlll.exe27⤵
- Executes dropped EXE
PID:4520 -
\??\c:\9htbbt.exec:\9htbbt.exe28⤵
- Executes dropped EXE
PID:2684 -
\??\c:\jvjdp.exec:\jvjdp.exe29⤵
- Executes dropped EXE
PID:4696 -
\??\c:\pdjdv.exec:\pdjdv.exe30⤵
- Executes dropped EXE
PID:3956 -
\??\c:\lfrrrxx.exec:\lfrrrxx.exe31⤵
- Executes dropped EXE
PID:2732 -
\??\c:\thbhhb.exec:\thbhhb.exe32⤵
- Executes dropped EXE
PID:1396 -
\??\c:\jvjdp.exec:\jvjdp.exe33⤵
- Executes dropped EXE
PID:2940 -
\??\c:\3vdvd.exec:\3vdvd.exe34⤵
- Executes dropped EXE
PID:640 -
\??\c:\llxxxfx.exec:\llxxxfx.exe35⤵
- Executes dropped EXE
PID:432 -
\??\c:\llrrrrr.exec:\llrrrrr.exe36⤵
- Executes dropped EXE
PID:4172 -
\??\c:\hbhhtt.exec:\hbhhtt.exe37⤵
- Executes dropped EXE
PID:3272 -
\??\c:\tthtbb.exec:\tthtbb.exe38⤵
- Executes dropped EXE
PID:4868 -
\??\c:\ppjjd.exec:\ppjjd.exe39⤵
- Executes dropped EXE
PID:4700 -
\??\c:\rrflfff.exec:\rrflfff.exe40⤵
- Executes dropped EXE
PID:5112 -
\??\c:\rfrxxxx.exec:\rfrxxxx.exe41⤵
- Executes dropped EXE
PID:4740 -
\??\c:\1btbbb.exec:\1btbbb.exe42⤵
- Executes dropped EXE
PID:3172 -
\??\c:\btbbbh.exec:\btbbbh.exe43⤵
- Executes dropped EXE
PID:2880 -
\??\c:\jpvvv.exec:\jpvvv.exe44⤵
- Executes dropped EXE
PID:1964 -
\??\c:\vvjvv.exec:\vvjvv.exe45⤵
- Executes dropped EXE
PID:1008 -
\??\c:\rlxxffl.exec:\rlxxffl.exe46⤵
- Executes dropped EXE
PID:4404 -
\??\c:\xxllrrr.exec:\xxllrrr.exe47⤵
- Executes dropped EXE
PID:8 -
\??\c:\hbbbhb.exec:\hbbbhb.exe48⤵
- Executes dropped EXE
PID:216 -
\??\c:\dvdvp.exec:\dvdvp.exe49⤵
- Executes dropped EXE
PID:772 -
\??\c:\1djjd.exec:\1djjd.exe50⤵
- Executes dropped EXE
PID:4252 -
\??\c:\fxxxlrx.exec:\fxxxlrx.exe51⤵
- Executes dropped EXE
PID:4572 -
\??\c:\rfrlfff.exec:\rfrlfff.exe52⤵
- Executes dropped EXE
PID:724 -
\??\c:\bthhbh.exec:\bthhbh.exe53⤵
- Executes dropped EXE
PID:4224 -
\??\c:\nhhhbb.exec:\nhhhbb.exe54⤵
- Executes dropped EXE
PID:4676 -
\??\c:\jdjjd.exec:\jdjjd.exe55⤵
- Executes dropped EXE
PID:1436 -
\??\c:\dpvvv.exec:\dpvvv.exe56⤵
- Executes dropped EXE
PID:3828 -
\??\c:\9rrrlrl.exec:\9rrrlrl.exe57⤵
- Executes dropped EXE
PID:2632 -
\??\c:\3xfffxx.exec:\3xfffxx.exe58⤵
- Executes dropped EXE
PID:2960 -
\??\c:\tttttb.exec:\tttttb.exe59⤵
- Executes dropped EXE
PID:3468 -
\??\c:\9tbbnn.exec:\9tbbnn.exe60⤵
- Executes dropped EXE
PID:2156 -
\??\c:\3pvvd.exec:\3pvvd.exe61⤵
- Executes dropped EXE
PID:2724 -
\??\c:\vjvvp.exec:\vjvvp.exe62⤵
- Executes dropped EXE
PID:3964 -
\??\c:\llxfxlr.exec:\llxfxlr.exe63⤵
- Executes dropped EXE
PID:3740 -
\??\c:\fffxrrl.exec:\fffxrrl.exe64⤵
- Executes dropped EXE
PID:4804 -
\??\c:\hnbbhn.exec:\hnbbhn.exe65⤵
- Executes dropped EXE
PID:4256 -
\??\c:\vjvjp.exec:\vjvjp.exe66⤵PID:1176
-
\??\c:\5djjd.exec:\5djjd.exe67⤵PID:3236
-
\??\c:\fxrrlrl.exec:\fxrrlrl.exe68⤵PID:624
-
\??\c:\lffrlll.exec:\lffrlll.exe69⤵PID:3420
-
\??\c:\bbhbtt.exec:\bbhbtt.exe70⤵PID:2224
-
\??\c:\jvvvp.exec:\jvvvp.exe71⤵PID:4680
-
\??\c:\rflrxff.exec:\rflrxff.exe72⤵PID:2284
-
\??\c:\fxrrflx.exec:\fxrrflx.exe73⤵PID:4268
-
\??\c:\hhhnnn.exec:\hhhnnn.exe74⤵PID:4348
-
\??\c:\nbhhbh.exec:\nbhhbh.exe75⤵PID:4376
-
\??\c:\pdpvv.exec:\pdpvv.exe76⤵PID:4356
-
\??\c:\1rrxrxr.exec:\1rrxrxr.exe77⤵PID:4432
-
\??\c:\9hhhhn.exec:\9hhhhn.exe78⤵PID:968
-
\??\c:\hhnttb.exec:\hhnttb.exe79⤵PID:4172
-
\??\c:\jjppj.exec:\jjppj.exe80⤵PID:5100
-
\??\c:\lfrxxxr.exec:\lfrxxxr.exe81⤵PID:3692
-
\??\c:\bthhht.exec:\bthhht.exe82⤵PID:2308
-
\??\c:\1vdpj.exec:\1vdpj.exe83⤵PID:5008
-
\??\c:\vpdvj.exec:\vpdvj.exe84⤵PID:764
-
\??\c:\fxxrrrr.exec:\fxxrrrr.exe85⤵PID:3584
-
\??\c:\3hhhbb.exec:\3hhhbb.exe86⤵PID:4744
-
\??\c:\tntbtb.exec:\tntbtb.exe87⤵PID:1580
-
\??\c:\jvdjj.exec:\jvdjj.exe88⤵PID:4760
-
\??\c:\llrllrr.exec:\llrllrr.exe89⤵PID:2340
-
\??\c:\5rrrlrr.exec:\5rrrlrr.exe90⤵PID:4948
-
\??\c:\ttthtt.exec:\ttthtt.exe91⤵PID:4852
-
\??\c:\nhtttt.exec:\nhtttt.exe92⤵PID:4452
-
\??\c:\vdvjj.exec:\vdvjj.exe93⤵PID:3840
-
\??\c:\xxllrrl.exec:\xxllrrl.exe94⤵PID:2560
-
\??\c:\fllxxxl.exec:\fllxxxl.exe95⤵PID:1148
-
\??\c:\ntbnhh.exec:\ntbnhh.exe96⤵PID:724
-
\??\c:\nbttht.exec:\nbttht.exe97⤵PID:4224
-
\??\c:\vjdvp.exec:\vjdvp.exe98⤵PID:4360
-
\??\c:\vpdvv.exec:\vpdvv.exe99⤵PID:408
-
\??\c:\xrxxflf.exec:\xrxxflf.exe100⤵PID:3828
-
\??\c:\xffxrxf.exec:\xffxrxf.exe101⤵PID:4080
-
\??\c:\hbnhbt.exec:\hbnhbt.exe102⤵PID:2960
-
\??\c:\1hhhhh.exec:\1hhhhh.exe103⤵PID:5076
-
\??\c:\5vpjd.exec:\5vpjd.exe104⤵PID:668
-
\??\c:\5pppj.exec:\5pppj.exe105⤵PID:3616
-
\??\c:\xrrrflf.exec:\xrrrflf.exe106⤵PID:4600
-
\??\c:\bbnhnn.exec:\bbnhnn.exe107⤵PID:784
-
\??\c:\djdvp.exec:\djdvp.exe108⤵PID:2896
-
\??\c:\1jddp.exec:\1jddp.exe109⤵PID:1532
-
\??\c:\fxxrrrr.exec:\fxxrrrr.exe110⤵PID:3676
-
\??\c:\xxfxxxx.exec:\xxfxxxx.exe111⤵PID:4468
-
\??\c:\hbntnt.exec:\hbntnt.exe112⤵PID:624
-
\??\c:\5pppd.exec:\5pppd.exe113⤵PID:3420
-
\??\c:\vppjj.exec:\vppjj.exe114⤵PID:812
-
\??\c:\llxrrrf.exec:\llxrrrf.exe115⤵PID:5116
-
\??\c:\rflllll.exec:\rflllll.exe116⤵PID:1656
-
\??\c:\ttttth.exec:\ttttth.exe117⤵PID:3188
-
\??\c:\tttnnn.exec:\tttnnn.exe118⤵PID:4352
-
\??\c:\vvjjj.exec:\vvjjj.exe119⤵PID:3524
-
\??\c:\5xfffll.exec:\5xfffll.exe120⤵PID:2392
-
\??\c:\rfrxfrl.exec:\rfrxfrl.exe121⤵PID:4496
-
\??\c:\ttbbbb.exec:\ttbbbb.exe122⤵PID:2568