Analysis
max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 18-05-2024 05:18
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
fb98608fe28128f76295220f9b50fe2643448616bb80e07c69662bf699ed4727.exe
Resource
win7-20240215-en
windows7-x64
6 signatures
150 seconds
General
Target: fb98608fe28128f76295220f9b50fe2643448616bb80e07c69662bf699ed4727.exe
Size: 55KB
MD5: 1ebfd427d4a453792af04c27a3da0512
SHA1: 55371dae8747c43955df9ce101c41cb9017d0535
SHA256: fb98608fe28128f76295220f9b50fe2643448616bb80e07c69662bf699ed4727
SHA512: 90d7c9111f0f224795feb7a1e8515d00f1e5c23d474e87ee863142973e30f0e2f015361f0fc6a13a7e17453860040ac7edd63184c5c301c9b9cb8125e975ddcd
SSDEEP: 1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDIfEVH:ymb3NkkiQ3mdBjFIO
Malware Config
Signatures
-
Detect Blackmoon payload 25 IoCs
UPX dump on OEP (original entry point) 27 IoCs
Executes dropped EXE 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\fb98608fe28128f76295220f9b50fe2643448616bb80e07c69662bf699ed4727.exe
"C:\Users\Admin\AppData\Local\Temp\fb98608fe28128f76295220f9b50fe2643448616bb80e07c69662bf699ed4727.exe"
- Suspicious use of WriteProcessMemory
PID:5044