Analysis
- max time kernel: 150s
- max time network: 115s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 18/05/2024, 01:32
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
a70e244ea9703caeb621ddef77109359c9cbdec303b1c42e7b33d9d7db056ba1.exe
Resource
win7-20240215-en
6 signatures
150 seconds
General
- Target: a70e244ea9703caeb621ddef77109359c9cbdec303b1c42e7b33d9d7db056ba1.exe
- Size: 77KB
- MD5: 799c046913d5cbd2ac311204e9aa689f
- SHA1: c633407f3d6cc12838e30aaedd10e469f25a1c4d
- SHA256: a70e244ea9703caeb621ddef77109359c9cbdec303b1c42e7b33d9d7db056ba1
- SHA512: e63a0cb629a7fc0555c7cd8bd41fea821019276e7ab4584ff4a995cb5795677e7108833af09cfe8e8a7119722c26681fb08a6c1e89b112910742307812ddd7b4
- SSDEEP: 1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDo73tgygQwKjiawEmBgU:ymb3NkkiQ3mdBjFo73thgQ/wEkt
Malware Config
Signatures
-
Detect Blackmoon payload 24 IoCs
UPX dump on OEP (original entry point) 25 IoCs
Executes dropped EXE 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\a70e244ea9703caeb621ddef77109359c9cbdec303b1c42e7b33d9d7db056ba1.exe"C:\Users\Admin\AppData\Local\Temp\a70e244ea9703caeb621ddef77109359c9cbdec303b1c42e7b33d9d7db056ba1.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4128 -
\??\c:\tttthh.exec:\tttthh.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4372 -
\??\c:\ppppj.exec:\ppppj.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3364 -
\??\c:\fflrrll.exec:\fflrrll.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2840 -
\??\c:\xrrllll.exec:\xrrllll.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1372 -
\??\c:\hbbtnt.exec:\hbbtnt.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4700 -
\??\c:\tbhhhn.exec:\tbhhhn.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3284 -
\??\c:\pdpvv.exec:\pdpvv.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3952 -
\??\c:\pdjjd.exec:\pdjjd.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3128 -
\??\c:\nthbbb.exec:\nthbbb.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4956 -
\??\c:\pvdvj.exec:\pvdvj.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:996 -
\??\c:\fxffxxl.exec:\fxffxxl.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4280 -
\??\c:\3bhbtb.exec:\3bhbtb.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2904 -
\??\c:\3jjdd.exec:\3jjdd.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4308 -
\??\c:\pvjpj.exec:\pvjpj.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4896 -
\??\c:\rfrrfxr.exec:\rfrrfxr.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3776 -
\??\c:\bnhbnn.exec:\bnhbnn.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3928 -
\??\c:\jjvpj.exec:\jjvpj.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3192 -
\??\c:\rrrlxxl.exec:\rrrlxxl.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3920 -
\??\c:\hbbbtb.exec:\hbbbtb.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3044 -
\??\c:\pdvvd.exec:\pdvvd.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1472 -
\??\c:\5llffff.exec:\5llffff.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3616 -
\??\c:\9tbntb.exec:\9tbntb.exe23⤵
- Executes dropped EXE
PID:3016 -
\??\c:\pjjpj.exec:\pjjpj.exe24⤵
- Executes dropped EXE
PID:2288 -
\??\c:\rxxxllf.exec:\rxxxllf.exe25⤵
- Executes dropped EXE
PID:4012 -
\??\c:\hbtnbt.exec:\hbtnbt.exe26⤵
- Executes dropped EXE
PID:4496 -
\??\c:\pdjdv.exec:\pdjdv.exe27⤵
- Executes dropped EXE
PID:1384 -
\??\c:\jjdpp.exec:\jjdpp.exe28⤵
- Executes dropped EXE
PID:4328 -
\??\c:\5rxrlrl.exec:\5rxrlrl.exe29⤵
- Executes dropped EXE
PID:4116 -
\??\c:\tttnhh.exec:\tttnhh.exe30⤵
- Executes dropped EXE
PID:1760 -
\??\c:\tnnnbb.exec:\tnnnbb.exe31⤵
- Executes dropped EXE
PID:2852 -
\??\c:\vdpjd.exec:\vdpjd.exe32⤵
- Executes dropped EXE
PID:4892 -
\??\c:\fllllrx.exec:\fllllrx.exe33⤵
- Executes dropped EXE
PID:1664 -
\??\c:\nbhbbb.exec:\nbhbbb.exe34⤵
- Executes dropped EXE
PID:3332 -
\??\c:\jdjdd.exec:\jdjdd.exe35⤵
- Executes dropped EXE
PID:1476 -
\??\c:\lllfffl.exec:\lllfffl.exe36⤵
- Executes dropped EXE
PID:3736 -
\??\c:\xrlffxx.exec:\xrlffxx.exe37⤵
- Executes dropped EXE
PID:1812 -
\??\c:\btbttt.exec:\btbttt.exe38⤵
- Executes dropped EXE
PID:896 -
\??\c:\vdddp.exec:\vdddp.exe39⤵
- Executes dropped EXE
PID:2344 -
\??\c:\3pjjd.exec:\3pjjd.exe40⤵
- Executes dropped EXE
PID:4808 -
\??\c:\rxflfll.exec:\rxflfll.exe41⤵
- Executes dropped EXE
PID:2068 -
\??\c:\xxxrrxx.exec:\xxxrrxx.exe42⤵
- Executes dropped EXE
PID:3804 -
\??\c:\bbhbbn.exec:\bbhbbn.exe43⤵
- Executes dropped EXE
PID:4796 -
\??\c:\1dvvv.exec:\1dvvv.exe44⤵PID:3140
-
\??\c:\dvjpp.exec:\dvjpp.exe45⤵
- Executes dropped EXE
PID:444 -
\??\c:\pjpdv.exec:\pjpdv.exe46⤵
- Executes dropped EXE
PID:5084 -
\??\c:\rrxxrxx.exec:\rrxxrxx.exe47⤵
- Executes dropped EXE
PID:2840 -
\??\c:\ntbbbh.exec:\ntbbbh.exe48⤵
- Executes dropped EXE
PID:5052 -
\??\c:\dpppp.exec:\dpppp.exe49⤵
- Executes dropped EXE
PID:2872 -
\??\c:\dvjdd.exec:\dvjdd.exe50⤵
- Executes dropped EXE
PID:648 -
\??\c:\frlfrxl.exec:\frlfrxl.exe51⤵
- Executes dropped EXE
PID:1144 -
\??\c:\fflrfll.exec:\fflrfll.exe52⤵
- Executes dropped EXE
PID:3952 -
\??\c:\bbbbhh.exec:\bbbbhh.exe53⤵
- Executes dropped EXE
PID:4444 -
\??\c:\tbhtbh.exec:\tbhtbh.exe54⤵
- Executes dropped EXE
PID:4984 -
\??\c:\dvvpp.exec:\dvvpp.exe55⤵
- Executes dropped EXE
PID:2492 -
\??\c:\xxxxfrr.exec:\xxxxfrr.exe56⤵
- Executes dropped EXE
PID:1672 -
\??\c:\lfrflfr.exec:\lfrflfr.exe57⤵
- Executes dropped EXE
PID:1576 -
\??\c:\thntnb.exec:\thntnb.exe58⤵
- Executes dropped EXE
PID:4960 -
\??\c:\dpvdd.exec:\dpvdd.exe59⤵
- Executes dropped EXE
PID:1648 -
\??\c:\vddvv.exec:\vddvv.exe60⤵
- Executes dropped EXE
PID:4504 -
\??\c:\fxfffff.exec:\fxfffff.exe61⤵
- Executes dropped EXE
PID:2880 -
\??\c:\rxlllll.exec:\rxlllll.exe62⤵
- Executes dropped EXE
PID:3928 -
\??\c:\ntbbbh.exec:\ntbbbh.exe63⤵
- Executes dropped EXE
PID:3192 -
\??\c:\9thnhb.exec:\9thnhb.exe64⤵
- Executes dropped EXE
PID:4188 -
\??\c:\9jppp.exec:\9jppp.exe65⤵
- Executes dropped EXE
PID:3376 -
\??\c:\rrfllrx.exec:\rrfllrx.exe66⤵
- Executes dropped EXE
PID:1420 -
\??\c:\xrrrlrr.exec:\xrrrlrr.exe67⤵PID:3152
-
\??\c:\tbhbbt.exec:\tbhbbt.exe68⤵PID:464
-
\??\c:\5vddd.exec:\5vddd.exe69⤵PID:1716
-
\??\c:\ddpjv.exec:\ddpjv.exe70⤵PID:3280
-
\??\c:\llrrrxx.exec:\llrrrxx.exe71⤵PID:4576
-
\??\c:\xfrflrr.exec:\xfrflrr.exe72⤵PID:2660
-
\??\c:\lfllxrx.exec:\lfllxrx.exe73⤵PID:3392
-
\??\c:\nbbnhb.exec:\nbbnhb.exe74⤵PID:1384
-
\??\c:\ddppj.exec:\ddppj.exe75⤵PID:4084
-
\??\c:\jjjpp.exec:\jjjpp.exe76⤵PID:3652
-
\??\c:\xfrrlrr.exec:\xfrrlrr.exe77⤵PID:1844
-
\??\c:\llrrxff.exec:\llrrxff.exe78⤵PID:4464
-
\??\c:\rfxffll.exec:\rfxffll.exe79⤵PID:808
-
\??\c:\hthnnn.exec:\hthnnn.exe80⤵PID:3564
-
\??\c:\jpvdp.exec:\jpvdp.exe81⤵PID:2360
-
\??\c:\jdvjd.exec:\jdvjd.exe82⤵PID:1976
-
\??\c:\5rrxrxx.exec:\5rrxrxx.exe83⤵PID:768
-
\??\c:\xxxxxff.exec:\xxxxxff.exe84⤵PID:4744
-
\??\c:\hthhnt.exec:\hthhnt.exe85⤵PID:4848
-
\??\c:\hnbntt.exec:\hnbntt.exe86⤵PID:5032
-
\??\c:\1vvvv.exec:\1vvvv.exe87⤵PID:2632
-
\??\c:\ppjdj.exec:\ppjdj.exe88⤵PID:776
-
\??\c:\fflrrxx.exec:\fflrrxx.exe89⤵PID:4216
-
\??\c:\rrfflrx.exec:\rrfflrx.exe90⤵PID:1300
-
\??\c:\nttnht.exec:\nttnht.exe91⤵PID:2180
-
\??\c:\xlxrrrr.exec:\xlxrrrr.exe92⤵PID:3140
-
\??\c:\tbnttb.exec:\tbnttb.exe93⤵PID:4828
-
\??\c:\ppddv.exec:\ppddv.exe94⤵PID:2760
-
\??\c:\vpvvd.exec:\vpvvd.exe95⤵PID:1356
-
\??\c:\llrrllr.exec:\llrrllr.exe96⤵PID:2920
-
\??\c:\hhnnbb.exec:\hhnnbb.exe97⤵PID:1208
-
\??\c:\ddjdv.exec:\ddjdv.exe98⤵PID:2192
-
\??\c:\vdvpj.exec:\vdvpj.exe99⤵PID:4528
-
\??\c:\lxxxrrf.exec:\lxxxrrf.exe100⤵PID:4984
-
\??\c:\ttbbbt.exec:\ttbbbt.exe101⤵PID:1112
-
\??\c:\tnhhnn.exec:\tnhhnn.exe102⤵PID:1264
-
\??\c:\vvvvp.exec:\vvvvp.exe103⤵PID:4972
-
\??\c:\pjpvj.exec:\pjpvj.exe104⤵PID:3464
-
\??\c:\rrxrllx.exec:\rrxrllx.exe105⤵PID:1920
-
\??\c:\bbhhhh.exec:\bbhhhh.exe106⤵PID:1764
-
\??\c:\hnhtnb.exec:\hnhtnb.exe107⤵PID:3776
-
\??\c:\ddvdd.exec:\ddvdd.exe108⤵PID:2548
-
\??\c:\rrllrrf.exec:\rrllrrf.exe109⤵PID:3792
-
\??\c:\1hbbnt.exec:\1hbbnt.exe110⤵PID:3328
-
\??\c:\pdjjj.exec:\pdjjj.exe111⤵PID:4912
-
\??\c:\lrlllrr.exec:\lrlllrr.exe112⤵PID:3636
-
\??\c:\lfllfff.exec:\lfllfff.exe113⤵PID:4788
-
\??\c:\nhhhbb.exec:\nhhhbb.exe114⤵PID:2468
-
\??\c:\bbttbh.exec:\bbttbh.exe115⤵PID:464
-
\??\c:\dvppj.exec:\dvppj.exe116⤵PID:3180
-
\??\c:\pdddd.exec:\pdddd.exe117⤵PID:4012
-
\??\c:\rrlxxfl.exec:\rrlxxfl.exe118⤵PID:4576
-
\??\c:\xffxffl.exec:\xffxffl.exe119⤵PID:1676
-
\??\c:\ttbnbt.exec:\ttbnbt.exe120⤵PID:3392
-
\??\c:\ppppj.exec:\ppppj.exe121⤵PID:1384
-
\??\c:\ppvjj.exec:\ppvjj.exe122⤵PID:4084
-