Analysis
- max time kernel: 150s
- max time network: 138s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 18-05-2024 04:54
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
f2d3b0c345c5b3cea662d36239659a4f088c93ecef725fa1fc08b4007c6c6780.exe
Resource
win7-20240508-en
windows7-x64
6 signatures
150 seconds
General
- Target: f2d3b0c345c5b3cea662d36239659a4f088c93ecef725fa1fc08b4007c6c6780.exe
- Size: 63KB
- MD5: b96c3d364951b30e3f45d223781f4f3f
- SHA1: b570d885629a827e3ca77e703a303d8b28adf77e
- SHA256: f2d3b0c345c5b3cea662d36239659a4f088c93ecef725fa1fc08b4007c6c6780
- SHA512: f8493410746ef3ce23013d0092d95505013b6a96ce92f4486019cc086bf781b0e26f235abe2c706542c46b943c889f7a892106e54ce171f1c601c5e52ee3fb87
- SSDEEP: 1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDIFdJULh12k:ymb3NkkiQ3mdBjFIFdJmJ
Malware Config
Signatures
-
Detect Blackmoon payload 24 IoCs
-
UPX dump on OEP (original entry point) 27 IoCs
-
Executes dropped EXE 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\f2d3b0c345c5b3cea662d36239659a4f088c93ecef725fa1fc08b4007c6c6780.exe"C:\Users\Admin\AppData\Local\Temp\f2d3b0c345c5b3cea662d36239659a4f088c93ecef725fa1fc08b4007c6c6780.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3708 -
\??\c:\frlfxfx.exec:\frlfxfx.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4468 -
\??\c:\llrrfxr.exec:\llrrfxr.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2956 -
\??\c:\hhnhtn.exec:\hhnhtn.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5076 -
\??\c:\thbnbt.exec:\thbnbt.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4396 -
\??\c:\pvvjv.exec:\pvvjv.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2952 -
\??\c:\xlrxffl.exec:\xlrxffl.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1032 -
\??\c:\fffrflr.exec:\fffrflr.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3672 -
\??\c:\tnhbnn.exec:\tnhbnn.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3124 -
\??\c:\nhtbnh.exec:\nhtbnh.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3156 -
\??\c:\5djjj.exec:\5djjj.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2432 -
\??\c:\llfrfxf.exec:\llfrfxf.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2888 -
\??\c:\5ntnnh.exec:\5ntnnh.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:468 -
\??\c:\bhthnb.exec:\bhthnb.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2660 -
\??\c:\dppdp.exec:\dppdp.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4416 -
\??\c:\lrlfrxr.exec:\lrlfrxr.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2900 -
\??\c:\1nnbtn.exec:\1nnbtn.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4704 -
\??\c:\5bthtt.exec:\5bthtt.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4928 -
\??\c:\1jpjv.exec:\1jpjv.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3828 -
\??\c:\xfffffx.exec:\xfffffx.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4880 -
\??\c:\hnnbbt.exec:\hnnbbt.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3936 -
\??\c:\pvddv.exec:\pvddv.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:724 -
\??\c:\vjjdv.exec:\vjjdv.exe23⤵
- Executes dropped EXE
PID:2976 -
\??\c:\7flfxxx.exec:\7flfxxx.exe24⤵
- Executes dropped EXE
PID:3896 -
\??\c:\rrrrrrr.exec:\rrrrrrr.exe25⤵
- Executes dropped EXE
PID:1564 -
\??\c:\tbbtnn.exec:\tbbtnn.exe26⤵
- Executes dropped EXE
PID:5016 -
\??\c:\pdjjv.exec:\pdjjv.exe27⤵
- Executes dropped EXE
PID:4556 -
\??\c:\3jjvp.exec:\3jjvp.exe28⤵
- Executes dropped EXE
PID:3716 -
\??\c:\fxxrxxf.exec:\fxxrxxf.exe29⤵
- Executes dropped EXE
PID:3884 -
\??\c:\nnnhtt.exec:\nnnhtt.exe30⤵
- Executes dropped EXE
PID:2200 -
\??\c:\fxxrllf.exec:\fxxrllf.exe31⤵
- Executes dropped EXE
PID:3076 -
\??\c:\frlrfrr.exec:\frlrfrr.exe32⤵
- Executes dropped EXE
PID:1436 -
\??\c:\hhhhnn.exec:\hhhhnn.exe33⤵
- Executes dropped EXE
PID:3320 -
\??\c:\jjjdd.exec:\jjjdd.exe34⤵
- Executes dropped EXE
PID:3992 -
\??\c:\vppjv.exec:\vppjv.exe35⤵
- Executes dropped EXE
PID:4408 -
\??\c:\fllxrlf.exec:\fllxrlf.exe36⤵
- Executes dropped EXE
PID:3192 -
\??\c:\ntnbtn.exec:\ntnbtn.exe37⤵
- Executes dropped EXE
PID:2832 -
\??\c:\3jpjv.exec:\3jpjv.exe38⤵
- Executes dropped EXE
PID:3052 -
\??\c:\jvjpj.exec:\jvjpj.exe39⤵
- Executes dropped EXE
PID:3048 -
\??\c:\rflfflr.exec:\rflfflr.exe40⤵
- Executes dropped EXE
PID:372 -
\??\c:\ntttnn.exec:\ntttnn.exe41⤵
- Executes dropped EXE
PID:3840 -
\??\c:\tbtnhb.exec:\tbtnhb.exe42⤵
- Executes dropped EXE
PID:3556 -
\??\c:\ppddj.exec:\ppddj.exe43⤵
- Executes dropped EXE
PID:5012 -
\??\c:\xffxlll.exec:\xffxlll.exe44⤵
- Executes dropped EXE
PID:2436 -
\??\c:\hhttbb.exec:\hhttbb.exe45⤵
- Executes dropped EXE
PID:4748 -
\??\c:\bbnnbt.exec:\bbnnbt.exe46⤵
- Executes dropped EXE
PID:2480 -
\??\c:\jdddp.exec:\jdddp.exe47⤵
- Executes dropped EXE
PID:4256 -
\??\c:\9pvpd.exec:\9pvpd.exe48⤵
- Executes dropped EXE
PID:3132 -
\??\c:\flxrlfx.exec:\flxrlfx.exe49⤵
- Executes dropped EXE
PID:1380 -
\??\c:\xxfrllf.exec:\xxfrllf.exe50⤵
- Executes dropped EXE
PID:1584 -
\??\c:\btttnn.exec:\btttnn.exe51⤵
- Executes dropped EXE
PID:2152 -
\??\c:\tttntb.exec:\tttntb.exe52⤵
- Executes dropped EXE
PID:4840 -
\??\c:\jjjjv.exec:\jjjjv.exe53⤵
- Executes dropped EXE
PID:2076 -
\??\c:\ddjjd.exec:\ddjjd.exe54⤵
- Executes dropped EXE
PID:2016 -
\??\c:\xlrrffx.exec:\xlrrffx.exe55⤵
- Executes dropped EXE
PID:4184 -
\??\c:\rrlfxxl.exec:\rrlfxxl.exe56⤵
- Executes dropped EXE
PID:3980 -
\??\c:\nhnthh.exec:\nhnthh.exe57⤵
- Executes dropped EXE
PID:3640 -
\??\c:\pvvvp.exec:\pvvvp.exe58⤵
- Executes dropped EXE
PID:4200 -
\??\c:\ddvvv.exec:\ddvvv.exe59⤵
- Executes dropped EXE
PID:3796 -
\??\c:\frrfxxr.exec:\frrfxxr.exe60⤵
- Executes dropped EXE
PID:3056 -
\??\c:\hhhbhh.exec:\hhhbhh.exe61⤵
- Executes dropped EXE
PID:4164 -
\??\c:\5vdvv.exec:\5vdvv.exe62⤵
- Executes dropped EXE
PID:4016 -
\??\c:\jjdvp.exec:\jjdvp.exe63⤵
- Executes dropped EXE
PID:4908 -
\??\c:\rfrfxrx.exec:\rfrfxrx.exe64⤵
- Executes dropped EXE
PID:1264 -
\??\c:\nnnhbb.exec:\nnnhbb.exe65⤵
- Executes dropped EXE
PID:1016 -
\??\c:\ntbtnn.exec:\ntbtnn.exe66⤵PID:636
-
\??\c:\pppjd.exec:\pppjd.exe67⤵PID:2492
-
\??\c:\rflfllr.exec:\rflfllr.exe68⤵PID:3952
-
\??\c:\nbbbtn.exec:\nbbbtn.exe69⤵PID:2404
-
\??\c:\hnnbnh.exec:\hnnbnh.exe70⤵PID:1916
-
\??\c:\jvppd.exec:\jvppd.exe71⤵PID:2688
-
\??\c:\3xxrlfx.exec:\3xxrlfx.exe72⤵PID:4552
-
\??\c:\nhbthb.exec:\nhbthb.exe73⤵PID:1460
-
\??\c:\bthbhh.exec:\bthbhh.exe74⤵PID:1408
-
\??\c:\9vjpd.exec:\9vjpd.exe75⤵PID:3104
-
\??\c:\xxxfrlf.exec:\xxxfrlf.exe76⤵PID:4436
-
\??\c:\lffxxrx.exec:\lffxxrx.exe77⤵PID:5112
-
\??\c:\5nttnb.exec:\5nttnb.exe78⤵PID:2136
-
\??\c:\btnnnn.exec:\btnnnn.exe79⤵PID:1424
-
\??\c:\jjdvd.exec:\jjdvd.exe80⤵PID:2980
-
\??\c:\7vpjj.exec:\7vpjj.exe81⤵PID:1444
-
\??\c:\rlflfxf.exec:\rlflfxf.exe82⤵PID:5092
-
\??\c:\hbtnhb.exec:\hbtnhb.exe83⤵PID:1124
-
\??\c:\7vjvj.exec:\7vjvj.exe84⤵PID:3556
-
\??\c:\fxrrfxl.exec:\fxrrfxl.exe85⤵PID:5012
-
\??\c:\flfxxrl.exec:\flfxxrl.exe86⤵PID:2436
-
\??\c:\thnnnn.exec:\thnnnn.exe87⤵PID:4748
-
\??\c:\dpvvp.exec:\dpvvp.exe88⤵PID:2480
-
\??\c:\pjpdj.exec:\pjpdj.exe89⤵PID:4256
-
\??\c:\lfrlxrf.exec:\lfrlxrf.exe90⤵PID:348
-
\??\c:\rxrlxfx.exec:\rxrlxfx.exe91⤵PID:1708
-
\??\c:\hhbhtt.exec:\hhbhtt.exe92⤵PID:1048
-
\??\c:\htntbh.exec:\htntbh.exe93⤵PID:3612
-
\??\c:\pjjvj.exec:\pjjvj.exe94⤵PID:2024
-
\??\c:\lllfllr.exec:\lllfllr.exe95⤵PID:2916
-
\??\c:\lxfxfrx.exec:\lxfxfrx.exe96⤵PID:2016
-
\??\c:\htbtnh.exec:\htbtnh.exe97⤵PID:4184
-
\??\c:\htnhbb.exec:\htnhbb.exe98⤵PID:964
-
\??\c:\nbtnbt.exec:\nbtnbt.exe99⤵PID:3640
-
\??\c:\ppvpv.exec:\ppvpv.exe100⤵PID:1136
-
\??\c:\jdjvj.exec:\jdjvj.exe101⤵PID:3796
-
\??\c:\lfxlxrl.exec:\lfxlxrl.exe102⤵PID:2360
-
\??\c:\3lrfxrl.exec:\3lrfxrl.exe103⤵PID:2308
-
\??\c:\httnnn.exec:\httnnn.exe104⤵PID:4464
-
\??\c:\bntnnb.exec:\bntnnb.exe105⤵PID:2568
-
\??\c:\dvpdp.exec:\dvpdp.exe106⤵PID:1264
-
\??\c:\lfxrfxr.exec:\lfxrfxr.exe107⤵PID:1016
-
\??\c:\rrrlffl.exec:\rrrlffl.exe108⤵PID:4556
-
\??\c:\httbhn.exec:\httbhn.exe109⤵PID:344
-
\??\c:\pdjvp.exec:\pdjvp.exe110⤵PID:3884
-
\??\c:\jvjvj.exec:\jvjvj.exe111⤵PID:2200
-
\??\c:\lffxxxr.exec:\lffxxxr.exe112⤵PID:4480
-
\??\c:\frrrrrx.exec:\frrrrrx.exe113⤵PID:2696
-
\??\c:\nbtnbt.exec:\nbtnbt.exe114⤵PID:4364
-
\??\c:\pjjjv.exec:\pjjjv.exe115⤵PID:1072
-
\??\c:\dvdvd.exec:\dvdvd.exe116⤵PID:4428
-
\??\c:\xrrlxxr.exec:\xrrlxxr.exe117⤵PID:2908
-
\??\c:\rfxlxrl.exec:\rfxlxrl.exe118⤵PID:2156
-
\??\c:\nttnhb.exec:\nttnhb.exe119⤵PID:3408
-
\??\c:\tnbthh.exec:\tnbthh.exe120⤵PID:2832
-
\??\c:\pjpvj.exec:\pjpvj.exe121⤵PID:116
-
\??\c:\pjdvj.exec:\pjdvj.exe122⤵PID:632
-
\??\c:\xflxlfr.exec:\xflxlfr.exe123⤵PID:2868
-
\??\c:\rlrlxrl.exec:\rlrlxrl.exe124⤵PID:4728
-
\??\c:\tnhbnn.exec:\tnhbnn.exe125⤵PID:3416
-
\??\c:\9ddvd.exec:\9ddvd.exe126⤵PID:3476
-
\??\c:\pjjvj.exec:\pjjvj.exe127⤵PID:1316
-
\??\c:\xllflxl.exec:\xllflxl.exe128⤵PID:2432
-
\??\c:\rfrlfff.exec:\rfrlfff.exe129⤵PID:2888
-
\??\c:\3bbtbb.exec:\3bbtbb.exe130⤵PID:3132
-
\??\c:\hnnhbt.exec:\hnnhbt.exe131⤵PID:468
-
\??\c:\vvvvp.exec:\vvvvp.exe132⤵PID:2448
-
\??\c:\jvppd.exec:\jvppd.exe133⤵PID:4232
-
\??\c:\lffrfxl.exec:\lffrfxl.exe134⤵PID:2700
-
\??\c:\3lffrrx.exec:\3lffrrx.exe135⤵PID:3184
-
\??\c:\xxfxxrr.exec:\xxfxxrr.exe136⤵PID:5024
-
\??\c:\bbbbtb.exec:\bbbbtb.exe137⤵PID:3688
-
\??\c:\rlffxll.exec:\rlffxll.exe138⤵PID:1912
-
\??\c:\tbhbtn.exec:\tbhbtn.exe139⤵PID:3044
-
\??\c:\bhtthh.exec:\bhtthh.exe140⤵PID:540
-
\??\c:\7nbbtt.exec:\7nbbtt.exe141⤵PID:4892
-
\??\c:\9jppd.exec:\9jppd.exe142⤵PID:1252
-
\??\c:\pvdvp.exec:\pvdvp.exe143⤵PID:2412
-
\??\c:\xlrlxfr.exec:\xlrlxfr.exe144⤵PID:2976
-
\??\c:\llxrffl.exec:\llxrffl.exe145⤵PID:1656
-
\??\c:\3bhhbb.exec:\3bhhbb.exe146⤵PID:3404
-
\??\c:\dvjjj.exec:\dvjjj.exe147⤵PID:4312
-
\??\c:\dddvp.exec:\dddvp.exe148⤵PID:636
-
\??\c:\fxxxxff.exec:\fxxxxff.exe149⤵PID:1016
-
\??\c:\rlrrrxr.exec:\rlrrrxr.exe150⤵PID:3028
-
\??\c:\ttnnnn.exec:\ttnnnn.exe151⤵PID:2404
-
\??\c:\jvpjd.exec:\jvpjd.exe152⤵PID:1040
-
\??\c:\pjvvp.exec:\pjvvp.exe153⤵PID:3648
-
\??\c:\vpdjp.exec:\vpdjp.exe154⤵PID:4328
-
\??\c:\xxlllll.exec:\xxlllll.exe155⤵PID:432
-
\??\c:\9xflfll.exec:\9xflfll.exe156⤵PID:2488
-
\??\c:\nbbtnt.exec:\nbbtnt.exe157⤵PID:3248
-
\??\c:\bbhnhh.exec:\bbhnhh.exe158⤵PID:3316
-
\??\c:\jvvvp.exec:\jvvvp.exe159⤵PID:4012
-
\??\c:\lxfxflf.exec:\lxfxflf.exe160⤵PID:2332
-
\??\c:\lfrrfrx.exec:\lfrrfrx.exe161⤵PID:4968
-
\??\c:\ttnhhb.exec:\ttnhhb.exe162⤵PID:2196
-
\??\c:\nhhhnt.exec:\nhhhnt.exe163⤵PID:3664
-
\??\c:\ddvjv.exec:\ddvjv.exe164⤵PID:3840
-
\??\c:\vvpjv.exec:\vvpjv.exe165⤵PID:4264
-
\??\c:\7rfrfxf.exec:\7rfrfxf.exe166⤵PID:3476
-
\??\c:\rrllllf.exec:\rrllllf.exe167⤵PID:2216
-
\??\c:\bbhbtt.exec:\bbhbtt.exe168⤵PID:2772
-
\??\c:\hbhbtn.exec:\hbhbtn.exe169⤵PID:3132
-
\??\c:\5ppjv.exec:\5ppjv.exe170⤵PID:2804
-
\??\c:\3pvjj.exec:\3pvjj.exe171⤵PID:4128
-
\??\c:\xflxrlf.exec:\xflxrlf.exe172⤵PID:4232
-
\??\c:\fxxllff.exec:\fxxllff.exe173⤵PID:2900
-
\??\c:\thbbtn.exec:\thbbtn.exe174⤵PID:3940
-
\??\c:\hnhthh.exec:\hnhthh.exe175⤵PID:996
-
\??\c:\jvdvd.exec:\jvdvd.exe176⤵PID:1664
-
\??\c:\3jppv.exec:\3jppv.exe177⤵PID:964
-
\??\c:\xrrlxxx.exec:\xrrlxxx.exe178⤵PID:3760
-
\??\c:\rlrffrx.exec:\rlrffrx.exe179⤵PID:3860
-
\??\c:\nhthtn.exec:\nhthtn.exe180⤵PID:3796
-
\??\c:\bbnhhh.exec:\bbnhhh.exe181⤵PID:1416
-
\??\c:\jjjdj.exec:\jjjdj.exe182⤵PID:5000
-
\??\c:\7lrrlll.exec:\7lrrlll.exe183⤵PID:1884
-
\??\c:\rfffrxr.exec:\rfffrxr.exe184⤵PID:892
-
\??\c:\nnthht.exec:\nnthht.exe185⤵PID:1752
-
\??\c:\pjjjp.exec:\pjjjp.exe186⤵PID:1472
-
\??\c:\vpjvp.exec:\vpjvp.exe187⤵PID:1896
-
\??\c:\lrlfxxr.exec:\lrlfxxr.exe188⤵PID:768
-
\??\c:\rrxxrlx.exec:\rrxxrlx.exe189⤵PID:4104
-
\??\c:\thbhnn.exec:\thbhnn.exe190⤵PID:1888
-
\??\c:\vdddv.exec:\vdddv.exe191⤵PID:2004
-
\??\c:\dpjvj.exec:\dpjvj.exe192⤵PID:1460
-
\??\c:\jdpdp.exec:\jdpdp.exe193⤵PID:1072
-
\??\c:\flxxlfx.exec:\flxxlfx.exe194⤵PID:2908
-
\??\c:\tnbbtn.exec:\tnbbtn.exe195⤵PID:3248
-
\??\c:\nnhntb.exec:\nnhntb.exe196⤵PID:3316
-
\??\c:\djdvd.exec:\djdvd.exe197⤵PID:1700
-
\??\c:\9ppdv.exec:\9ppdv.exe198⤵PID:4040
-
\??\c:\pvpjv.exec:\pvpjv.exe199⤵PID:5092
-
\??\c:\flrfrlx.exec:\flrfrlx.exe200⤵PID:3664
-
\??\c:\nhnhnh.exec:\nhnhnh.exe201⤵PID:3228
-
\??\c:\tntnhb.exec:\tntnhb.exe202⤵PID:1296
-
\??\c:\jddvp.exec:\jddvp.exe203⤵PID:2480
-
\??\c:\pjvvp.exec:\pjvvp.exe204⤵PID:468
-
\??\c:\xxlrrxl.exec:\xxlrrxl.exe205⤵PID:3132
-
\??\c:\xllffrf.exec:\xllffrf.exe206⤵PID:2700
-
\??\c:\nnhbbt.exec:\nnhbbt.exe207⤵PID:5024
-
\??\c:\7tbnbt.exec:\7tbnbt.exe208⤵PID:4216
-
\??\c:\jjddd.exec:\jjddd.exe209⤵PID:4888
-
\??\c:\pjvdp.exec:\pjvdp.exe210⤵PID:512
-
\??\c:\xlrlxxx.exec:\xlrlxxx.exe211⤵PID:1136
-
\??\c:\xlfrfrf.exec:\xlfrfrf.exe212⤵PID:3488
-
\??\c:\nhbtnh.exec:\nhbtnh.exe213⤵PID:3796
-
\??\c:\hntntt.exec:\hntntt.exe214⤵PID:4016
-
\??\c:\pdvvd.exec:\pdvvd.exe215⤵PID:4908
-
\??\c:\jjjvj.exec:\jjjvj.exe216⤵PID:1196
-
\??\c:\flrlxxr.exec:\flrlxxr.exe217⤵PID:892
-
\??\c:\btbtbb.exec:\btbtbb.exe218⤵PID:756
-
\??\c:\jpjdv.exec:\jpjdv.exe219⤵PID:1472
-
\??\c:\pdjvj.exec:\pdjvj.exe220⤵PID:1640
-
\??\c:\1xrfrlf.exec:\1xrfrlf.exe221⤵PID:3900
-
\??\c:\bhthtn.exec:\bhthtn.exe222⤵PID:1720
-
\??\c:\tnbnbb.exec:\tnbnbb.exe223⤵PID:3396
-
\??\c:\jvvjv.exec:\jvvjv.exe224⤵PID:3104
-
\??\c:\lrxrlfx.exec:\lrxrlfx.exe225⤵PID:1116
-
\??\c:\nhnhhb.exec:\nhnhhb.exe226⤵PID:2896
-
\??\c:\vpvpd.exec:\vpvpd.exe227⤵PID:5076
-
\??\c:\vdvvj.exec:\vdvvj.exe228⤵PID:4032
-
\??\c:\bntttt.exec:\bntttt.exe229⤵PID:3048
-
\??\c:\jvvdj.exec:\jvvdj.exe230⤵PID:4968
-
\??\c:\vppjj.exec:\vppjj.exe231⤵PID:2292
-
\??\c:\rrxrfxx.exec:\rrxrfxx.exe232⤵PID:3672
-
\??\c:\rlffllr.exec:\rlffllr.exe233⤵PID:4900
-
\??\c:\9hbnhb.exec:\9hbnhb.exe234⤵PID:4024
-
\??\c:\9dvjd.exec:\9dvjd.exe235⤵PID:1316
-
\??\c:\fxrlxxr.exec:\fxrlxxr.exe236⤵PID:4268
-
\??\c:\xlxlxrf.exec:\xlxlxrf.exe237⤵PID:2340
-
\??\c:\5rrlfxr.exec:\5rrlfxr.exe238⤵PID:3352
-
\??\c:\httnnn.exec:\httnnn.exe239⤵PID:2468
-
\??\c:\pjdvd.exec:\pjdvd.exe240⤵PID:3164
-
\??\c:\jddpp.exec:\jddpp.exe241⤵PID:996
-
\??\c:\xrfrrrr.exec:\xrfrrrr.exe242⤵PID:4880