Analysis
-
max time kernel
150s -
max time network
122s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240508-en locale:en-us os:windows10-2004-x64 system -
submitted
18/05/2024, 01:33
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
a72b262953e339abd55ea74c9e4462606ecf22b3048abdc075ebffe5e1d34a1e.exe
Resource
win7-20240419-en
6 signatures
150 seconds
General
-
Target
a72b262953e339abd55ea74c9e4462606ecf22b3048abdc075ebffe5e1d34a1e.exe
-
Size
94KB
-
MD5
9ef96678a4505e57095fa1506e7aa761
-
SHA1
9e5e2c2fca6440357bf0e6585d5decf849976334
-
SHA256
a72b262953e339abd55ea74c9e4462606ecf22b3048abdc075ebffe5e1d34a1e
-
SHA512
bedaeed142f33330d4794f56e41a8896bbe545de947fa7dc7580656c0fbbd7ecdb520fddeb6fb140d998450ac805249f29d171a165d97d390cff22a9456fe3ee
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDIkpi+qP1hvZo66Ox4oq2SQwfTQe:ymb3NkkiQ3mdBjFIj+qNhvZuHQY0e
Malware Config
Signatures
-
Detect Blackmoon payload 25 IoCs
resource yara_rule behavioral2/memory/4036-5-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1972-18-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/232-11-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/316-26-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4416-33-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2392-40-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1412-54-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2892-47-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3308-63-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3308-61-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/400-69-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1760-77-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/5044-92-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3276-100-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4828-104-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4492-110-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2648-118-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2536-129-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/988-123-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4852-151-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4276-158-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon 
behavioral2/memory/2344-179-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1912-184-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3752-193-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3344-206-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon -
UPX dump on OEP (original entry point) 27 IoCs
resource yara_rule behavioral2/memory/4036-5-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/1972-18-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/232-11-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/316-24-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/316-26-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/4416-33-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/2392-40-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/1412-54-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/2892-47-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/3308-63-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/3308-61-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/3308-60-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/400-69-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/1760-77-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/5044-92-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/3276-100-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/4828-104-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/4492-110-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/2648-118-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/2536-129-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/988-123-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/4852-151-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/4276-158-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/2344-179-0x0000000000400000-0x0000000000429000-memory.dmp UPX 
behavioral2/memory/1912-184-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/3752-193-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/3344-206-0x0000000000400000-0x0000000000429000-memory.dmp UPX -
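Executes dropped EXE 64 IoCs (PIDs 1412, 2392 and 4492 each appear twice below with different image names, so correlate on PID and process name together)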
pid Process 232 9ntttt.exe 1972 nnbtnt.exe 316 5dppp.exe 4416 3nnnhn.exe 2392 pvdjp.exe 2892 ffrxfff.exe 1412 nbhttt.exe 3308 jjvvv.exe 400 xllxlfr.exe 1760 bhnbbh.exe 2456 fxfflll.exe 5044 hbbbbh.exe 3276 jjppp.exe 4828 xrxrlrr.exe 4492 nnbhhb.exe 2648 pvjdd.exe 988 ppdjv.exe 2536 llflrfl.exe 4296 nnhhnt.exe 2208 nnhtth.exe 1516 frrlxrr.exe 4852 3bnntt.exe 4276 vpdvv.exe 3748 xfrlrxf.exe 3032 7vjjd.exe 2344 rrflffl.exe 1912 xlxxrlx.exe 5004 hnhttb.exe 3752 vpvvd.exe 2804 flrlxxl.exe 3344 jjpvd.exe 2564 fxxxxlf.exe 1040 hhbhbn.exe 4264 ddjpp.exe 3448 xlffxxx.exe 2008 tnhhbb.exe 4568 jddvv.exe 372 lfxlflf.exe 1720 3nttht.exe 4360 vpdvj.exe 224 rrffrll.exe 4232 lxxxrlf.exe 3268 httbtn.exe 4540 pjvdp.exe 4772 ththtt.exe 3504 ppvpj.exe 4488 9fxlrll.exe 2392 hnnbnb.exe 1464 jdppd.exe 1412 xffxffx.exe 4956 hbnhnn.exe 1260 djppj.exe 1680 xllffxx.exe 4220 9xfxrrl.exe 3640 hnttbb.exe 1876 3djjd.exe 2136 rlflrxr.exe 2088 vdpvv.exe 428 ffrfflr.exe 3212 btnhbb.exe 4492 dpjvd.exe 632 7tbttt.exe 2280 djpdd.exe 3460 rlfxfxx.exe -
resource yara_rule behavioral2/memory/4036-5-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1972-18-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/232-11-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/316-24-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/316-26-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4416-33-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2392-40-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1412-54-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2892-47-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3308-63-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3308-61-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3308-60-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/400-69-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1760-77-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/5044-92-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3276-100-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4828-104-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4492-110-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2648-118-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2536-129-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/988-123-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4852-151-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4276-158-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2344-179-0x0000000000400000-0x0000000000429000-memory.dmp upx 
behavioral2/memory/1912-184-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3752-193-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3344-206-0x0000000000400000-0x0000000000429000-memory.dmp upx -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4036 wrote to memory of 232 4036 a72b262953e339abd55ea74c9e4462606ecf22b3048abdc075ebffe5e1d34a1e.exe 83 PID 4036 wrote to memory of 232 4036 a72b262953e339abd55ea74c9e4462606ecf22b3048abdc075ebffe5e1d34a1e.exe 83 PID 4036 wrote to memory of 232 4036 a72b262953e339abd55ea74c9e4462606ecf22b3048abdc075ebffe5e1d34a1e.exe 83 PID 232 wrote to memory of 1972 232 9ntttt.exe 84 PID 232 wrote to memory of 1972 232 9ntttt.exe 84 PID 232 wrote to memory of 1972 232 9ntttt.exe 84 PID 1972 wrote to memory of 316 1972 nnbtnt.exe 85 PID 1972 wrote to memory of 316 1972 nnbtnt.exe 85 PID 1972 wrote to memory of 316 1972 nnbtnt.exe 85 PID 316 wrote to memory of 4416 316 5dppp.exe 86 PID 316 wrote to memory of 4416 316 5dppp.exe 86 PID 316 wrote to memory of 4416 316 5dppp.exe 86 PID 4416 wrote to memory of 2392 4416 3nnnhn.exe 87 PID 4416 wrote to memory of 2392 4416 3nnnhn.exe 87 PID 4416 wrote to memory of 2392 4416 3nnnhn.exe 87 PID 2392 wrote to memory of 2892 2392 pvdjp.exe 88 PID 2392 wrote to memory of 2892 2392 pvdjp.exe 88 PID 2392 wrote to memory of 2892 2392 pvdjp.exe 88 PID 2892 wrote to memory of 1412 2892 ffrxfff.exe 89 PID 2892 wrote to memory of 1412 2892 ffrxfff.exe 89 PID 2892 wrote to memory of 1412 2892 ffrxfff.exe 89 PID 1412 wrote to memory of 3308 1412 nbhttt.exe 90 PID 1412 wrote to memory of 3308 1412 nbhttt.exe 90 PID 1412 wrote to memory of 3308 1412 nbhttt.exe 90 PID 3308 wrote to memory of 400 3308 jjvvv.exe 91 PID 3308 wrote to memory of 400 3308 jjvvv.exe 91 PID 3308 wrote to memory of 400 3308 jjvvv.exe 91 PID 400 wrote to memory of 1760 400 xllxlfr.exe 92 PID 400 wrote to memory of 1760 400 xllxlfr.exe 92 PID 400 wrote to memory of 1760 400 xllxlfr.exe 92 PID 1760 wrote to memory of 2456 1760 bhnbbh.exe 93 PID 1760 wrote to memory of 2456 1760 bhnbbh.exe 93 PID 1760 wrote to memory of 2456 1760 bhnbbh.exe 93 PID 2456 wrote to memory of 5044 2456 fxfflll.exe 94 PID 2456 wrote to memory of 5044 2456 
fxfflll.exe 94 PID 2456 wrote to memory of 5044 2456 fxfflll.exe 94 PID 5044 wrote to memory of 3276 5044 hbbbbh.exe 95 PID 5044 wrote to memory of 3276 5044 hbbbbh.exe 95 PID 5044 wrote to memory of 3276 5044 hbbbbh.exe 95 PID 3276 wrote to memory of 4828 3276 jjppp.exe 96 PID 3276 wrote to memory of 4828 3276 jjppp.exe 96 PID 3276 wrote to memory of 4828 3276 jjppp.exe 96 PID 4828 wrote to memory of 4492 4828 xrxrlrr.exe 97 PID 4828 wrote to memory of 4492 4828 xrxrlrr.exe 97 PID 4828 wrote to memory of 4492 4828 xrxrlrr.exe 97 PID 4492 wrote to memory of 2648 4492 nnbhhb.exe 98 PID 4492 wrote to memory of 2648 4492 nnbhhb.exe 98 PID 4492 wrote to memory of 2648 4492 nnbhhb.exe 98 PID 2648 wrote to memory of 988 2648 pvjdd.exe 99 PID 2648 wrote to memory of 988 2648 pvjdd.exe 99 PID 2648 wrote to memory of 988 2648 pvjdd.exe 99 PID 988 wrote to memory of 2536 988 ppdjv.exe 100 PID 988 wrote to memory of 2536 988 ppdjv.exe 100 PID 988 wrote to memory of 2536 988 ppdjv.exe 100 PID 2536 wrote to memory of 4296 2536 llflrfl.exe 101 PID 2536 wrote to memory of 4296 2536 llflrfl.exe 101 PID 2536 wrote to memory of 4296 2536 llflrfl.exe 101 PID 4296 wrote to memory of 2208 4296 nnhhnt.exe 102 PID 4296 wrote to memory of 2208 4296 nnhhnt.exe 102 PID 4296 wrote to memory of 2208 4296 nnhhnt.exe 102 PID 2208 wrote to memory of 1516 2208 nnhtth.exe 103 PID 2208 wrote to memory of 1516 2208 nnhtth.exe 103 PID 2208 wrote to memory of 1516 2208 nnhtth.exe 103 PID 1516 wrote to memory of 4852 1516 frrlxrr.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\a72b262953e339abd55ea74c9e4462606ecf22b3048abdc075ebffe5e1d34a1e.exe"C:\Users\Admin\AppData\Local\Temp\a72b262953e339abd55ea74c9e4462606ecf22b3048abdc075ebffe5e1d34a1e.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4036 -
\??\c:\9ntttt.exec:\9ntttt.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:232 -
\??\c:\nnbtnt.exec:\nnbtnt.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1972 -
\??\c:\5dppp.exec:\5dppp.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:316 -
\??\c:\3nnnhn.exec:\3nnnhn.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4416 -
\??\c:\pvdjp.exec:\pvdjp.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2392 -
\??\c:\ffrxfff.exec:\ffrxfff.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2892 -
\??\c:\nbhttt.exec:\nbhttt.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1412 -
\??\c:\jjvvv.exec:\jjvvv.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3308 -
\??\c:\xllxlfr.exec:\xllxlfr.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:400 -
\??\c:\bhnbbh.exec:\bhnbbh.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1760 -
\??\c:\fxfflll.exec:\fxfflll.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2456 -
\??\c:\hbbbbh.exec:\hbbbbh.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5044 -
\??\c:\jjppp.exec:\jjppp.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3276 -
\??\c:\xrxrlrr.exec:\xrxrlrr.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4828 -
\??\c:\nnbhhb.exec:\nnbhhb.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4492 -
\??\c:\pvjdd.exec:\pvjdd.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2648 -
\??\c:\ppdjv.exec:\ppdjv.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:988 -
\??\c:\llflrfl.exec:\llflrfl.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2536 -
\??\c:\nnhhnt.exec:\nnhhnt.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4296 -
\??\c:\nnhtth.exec:\nnhtth.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2208 -
\??\c:\frrlxrr.exec:\frrlxrr.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1516 -
\??\c:\3bnntt.exec:\3bnntt.exe23⤵
- Executes dropped EXE
PID:4852 -
\??\c:\vpdvv.exec:\vpdvv.exe24⤵
- Executes dropped EXE
PID:4276 -
\??\c:\xfrlrxf.exec:\xfrlrxf.exe25⤵
- Executes dropped EXE
PID:3748 -
\??\c:\7vjjd.exec:\7vjjd.exe26⤵
- Executes dropped EXE
PID:3032 -
\??\c:\rrflffl.exec:\rrflffl.exe27⤵
- Executes dropped EXE
PID:2344 -
\??\c:\xlxxrlx.exec:\xlxxrlx.exe28⤵
- Executes dropped EXE
PID:1912 -
\??\c:\hnhttb.exec:\hnhttb.exe29⤵
- Executes dropped EXE
PID:5004 -
\??\c:\vpvvd.exec:\vpvvd.exe30⤵
- Executes dropped EXE
PID:3752 -
\??\c:\flrlxxl.exec:\flrlxxl.exe31⤵
- Executes dropped EXE
PID:2804 -
\??\c:\jjpvd.exec:\jjpvd.exe32⤵
- Executes dropped EXE
PID:3344 -
\??\c:\fxxxxlf.exec:\fxxxxlf.exe33⤵
- Executes dropped EXE
PID:2564 -
\??\c:\hhbhbn.exec:\hhbhbn.exe34⤵
- Executes dropped EXE
PID:1040 -
\??\c:\ddjpp.exec:\ddjpp.exe35⤵
- Executes dropped EXE
PID:4264 -
\??\c:\xlffxxx.exec:\xlffxxx.exe36⤵
- Executes dropped EXE
PID:3448 -
\??\c:\tnhhbb.exec:\tnhhbb.exe37⤵
- Executes dropped EXE
PID:2008 -
\??\c:\jddvv.exec:\jddvv.exe38⤵
- Executes dropped EXE
PID:4568 -
\??\c:\lfxlflf.exec:\lfxlflf.exe39⤵
- Executes dropped EXE
PID:372 -
\??\c:\3nttht.exec:\3nttht.exe40⤵
- Executes dropped EXE
PID:1720 -
\??\c:\vpdvj.exec:\vpdvj.exe41⤵
- Executes dropped EXE
PID:4360 -
\??\c:\rrffrll.exec:\rrffrll.exe42⤵
- Executes dropped EXE
PID:224 -
\??\c:\lxxxrlf.exec:\lxxxrlf.exe43⤵
- Executes dropped EXE
PID:4232 -
\??\c:\httbtn.exec:\httbtn.exe44⤵
- Executes dropped EXE
PID:3268 -
\??\c:\pjvdp.exec:\pjvdp.exe45⤵
- Executes dropped EXE
PID:4540 -
\??\c:\ththtt.exec:\ththtt.exe46⤵
- Executes dropped EXE
PID:4772 -
\??\c:\ppvpj.exec:\ppvpj.exe47⤵
- Executes dropped EXE
PID:3504 -
\??\c:\9fxlrll.exec:\9fxlrll.exe48⤵
- Executes dropped EXE
PID:4488 -
\??\c:\hnnbnb.exec:\hnnbnb.exe49⤵
- Executes dropped EXE
PID:2392 -
\??\c:\jdppd.exec:\jdppd.exe50⤵
- Executes dropped EXE
PID:1464 -
\??\c:\xffxffx.exec:\xffxffx.exe51⤵
- Executes dropped EXE
PID:1412 -
\??\c:\hbnhnn.exec:\hbnhnn.exe52⤵
- Executes dropped EXE
PID:4956 -
\??\c:\djppj.exec:\djppj.exe53⤵
- Executes dropped EXE
PID:1260 -
\??\c:\xllffxx.exec:\xllffxx.exe54⤵
- Executes dropped EXE
PID:1680 -
\??\c:\9xfxrrl.exec:\9xfxrrl.exe55⤵
- Executes dropped EXE
PID:4220 -
\??\c:\hnttbb.exec:\hnttbb.exe56⤵
- Executes dropped EXE
PID:3640 -
\??\c:\3djjd.exec:\3djjd.exe57⤵
- Executes dropped EXE
PID:1876 -
\??\c:\rlflrxr.exec:\rlflrxr.exe58⤵
- Executes dropped EXE
PID:2136 -
\??\c:\vdpvv.exec:\vdpvv.exe59⤵
- Executes dropped EXE
PID:2088 -
\??\c:\ffrfflr.exec:\ffrfflr.exe60⤵
- Executes dropped EXE
PID:428 -
\??\c:\btnhbb.exec:\btnhbb.exe61⤵
- Executes dropped EXE
PID:3212 -
\??\c:\dpjvd.exec:\dpjvd.exe62⤵
- Executes dropped EXE
PID:4492 -
\??\c:\7tbttt.exec:\7tbttt.exe63⤵
- Executes dropped EXE
PID:632 -
\??\c:\djpdd.exec:\djpdd.exe64⤵
- Executes dropped EXE
PID:2280 -
\??\c:\rlfxfxx.exec:\rlfxfxx.exe65⤵
- Executes dropped EXE
PID:3460 -
\??\c:\3hnbtt.exec:\3hnbtt.exe66⤵PID:1092
-
\??\c:\dvpjj.exec:\dvpjj.exe67⤵PID:348
-
\??\c:\fxxxxxx.exec:\fxxxxxx.exe68⤵PID:4280
-
\??\c:\1btthn.exec:\1btthn.exe69⤵PID:3560
-
\??\c:\dpppj.exec:\dpppj.exe70⤵PID:4748
-
\??\c:\5lxrxrx.exec:\5lxrxrx.exe71⤵PID:4144
-
\??\c:\tbnhhn.exec:\tbnhhn.exe72⤵PID:3656
-
\??\c:\9vpjj.exec:\9vpjj.exe73⤵PID:4428
-
\??\c:\5rlflfr.exec:\5rlflfr.exe74⤵PID:4780
-
\??\c:\nnbtth.exec:\nnbtth.exe75⤵PID:3464
-
\??\c:\vddvv.exec:\vddvv.exe76⤵PID:4764
-
\??\c:\rfxfxrf.exec:\rfxfxrf.exe77⤵PID:2164
-
\??\c:\lxfxfff.exec:\lxfxfff.exe78⤵PID:2804
-
\??\c:\nbttth.exec:\nbttth.exe79⤵PID:3720
-
\??\c:\dddvp.exec:\dddvp.exe80⤵PID:1880
-
\??\c:\lxllflr.exec:\lxllflr.exe81⤵PID:3476
-
\??\c:\xrlxxff.exec:\xrlxxff.exe82⤵PID:2412
-
\??\c:\nbbtbb.exec:\nbbtbb.exe83⤵PID:3612
-
\??\c:\jjvvp.exec:\jjvvp.exe84⤵PID:4588
-
\??\c:\lfrrrrf.exec:\lfrrrrf.exe85⤵PID:4804
-
\??\c:\tnttbn.exec:\tnttbn.exe86⤵PID:548
-
\??\c:\vddvp.exec:\vddvp.exe87⤵PID:1808
-
\??\c:\xfxlfrl.exec:\xfxlfrl.exe88⤵PID:4344
-
\??\c:\lrlxrfr.exec:\lrlxrfr.exe89⤵PID:1944
-
\??\c:\1tbbbb.exec:\1tbbbb.exe90⤵PID:232
-
\??\c:\pjpdv.exec:\pjpdv.exe91⤵PID:3268
-
\??\c:\rxfllrx.exec:\rxfllrx.exe92⤵PID:672
-
\??\c:\fxfxrlf.exec:\fxfxrlf.exe93⤵PID:4216
-
\??\c:\bbttbb.exec:\bbttbb.exe94⤵PID:824
-
\??\c:\pdjjv.exec:\pdjjv.exe95⤵PID:1820
-
\??\c:\fxfxrlf.exec:\fxfxrlf.exe96⤵PID:4100
-
\??\c:\llflrxl.exec:\llflrxl.exe97⤵PID:4636
-
\??\c:\btnnhb.exec:\btnnhb.exe98⤵PID:4108
-
\??\c:\thbthb.exec:\thbthb.exe99⤵PID:1560
-
\??\c:\3dvvv.exec:\3dvvv.exe100⤵PID:2456
-
\??\c:\1xflxrr.exec:\1xflxrr.exe101⤵PID:5032
-
\??\c:\hbtntt.exec:\hbtntt.exe102⤵PID:1312
-
\??\c:\vdjvd.exec:\vdjvd.exe103⤵PID:4988
-
\??\c:\vvjjj.exec:\vvjjj.exe104⤵PID:4600
-
\??\c:\flxllll.exec:\flxllll.exe105⤵PID:3212
-
\??\c:\5ttbtb.exec:\5ttbtb.exe106⤵PID:4492
-
\??\c:\ttbtnn.exec:\ttbtnn.exe107⤵PID:1736
-
\??\c:\9vvpj.exec:\9vvpj.exe108⤵PID:2640
-
\??\c:\xxfxlrl.exec:\xxfxlrl.exe109⤵PID:1440
-
\??\c:\xxffxxr.exec:\xxffxxr.exe110⤵PID:1548
-
\??\c:\7nttnt.exec:\7nttnt.exe111⤵PID:1672
-
\??\c:\5pdpj.exec:\5pdpj.exe112⤵PID:3588
-
\??\c:\rlflxfx.exec:\rlflxfx.exe113⤵PID:3748
-
\??\c:\htttnt.exec:\htttnt.exe114⤵PID:2460
-
\??\c:\bntnbh.exec:\bntnbh.exe115⤵PID:5000
-
\??\c:\pvddp.exec:\pvddp.exe116⤵PID:4948
-
\??\c:\fxlrrxx.exec:\fxlrrxx.exe117⤵PID:4780
-
\??\c:\thnnhh.exec:\thnnhh.exe118⤵PID:3752
-
\??\c:\vvvjd.exec:\vvvjd.exe119⤵PID:4764
-
\??\c:\hnbhth.exec:\hnbhth.exe120⤵PID:3356
-
\??\c:\nhbntb.exec:\nhbntb.exe121⤵PID:2556
-
\??\c:\jvpjj.exec:\jvpjj.exe122⤵PID:3488
-