Analysis
-
max time kernel
150s -
max time network
131s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240508-en locale:en-us os:windows10-2004-x64 system -
submitted
24-05-2024 19:04
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
16059ab5fbb81d7cd2f9c835492093f0fc4650e2d2aa0adee9eae50a798769c9.exe
Resource
win7-20240215-en
windows7-x64
6 signatures
150 seconds
General
-
Target
16059ab5fbb81d7cd2f9c835492093f0fc4650e2d2aa0adee9eae50a798769c9.exe
-
Size
70KB
-
MD5
90b59b9fa07efece02af37c4df6eab6d
-
SHA1
78dbe69aee4b5aadd52ceeaa81500e15ed56f54f
-
SHA256
16059ab5fbb81d7cd2f9c835492093f0fc4650e2d2aa0adee9eae50a798769c9
-
SHA512
c1632973eb778a33f03121bef8f90ab24f4730bbcf2b14b2e9c37c35a5ac2753246c7476e769df6ec64faeb099663619eb46fb3023cd0a28078f520f04f79c31
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDIgUVyiAnV:ymb3NkkiQ3mdBjFIgUE/
Malware Config
Signatures
-
Detect Blackmoon payload 29 IoCs
resource yara_rule behavioral2/memory/4052-4-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/220-11-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/5020-25-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1128-18-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2216-38-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3320-50-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1416-57-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2252-65-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4992-74-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4992-75-0x0000000000401000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/676-81-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/5076-93-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4764-101-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1384-105-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1984-110-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4328-117-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1728-125-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1992-129-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2104-135-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4084-140-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2160-147-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon 
behavioral2/memory/3264-152-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1972-158-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3548-164-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4188-171-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/232-178-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2028-182-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1816-195-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1608-201-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon -
UPX dump on OEP (original entry point) 28 IoCs
resource yara_rule behavioral2/memory/4052-4-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/220-11-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/5020-25-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/1128-18-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/2216-38-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/3320-50-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/1416-57-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/2252-65-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/4992-74-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/676-81-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/5076-93-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/4764-101-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/1384-105-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/1984-110-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/4328-117-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/1728-125-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/1992-129-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/2104-135-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/4084-140-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/2160-147-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/3264-152-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/1972-158-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/3548-164-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/4188-171-0x0000000000400000-0x0000000000429000-memory.dmp UPX 
behavioral2/memory/232-178-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/2028-182-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/1816-195-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/1608-201-0x0000000000400000-0x0000000000429000-memory.dmp UPX -
Executes dropped EXE 64 IoCs
pid Process 220 5vpvd.exe 1128 lrxlfxr.exe 5020 nthbtb.exe 3484 3vdvp.exe 2216 lxlflrl.exe 4364 tnhttn.exe 3320 3nthnh.exe 1416 djpjd.exe 2252 rffxrll.exe 4992 bnnntn.exe 676 jddvv.exe 3468 1lrfffl.exe 5076 lllllxl.exe 4764 hhthtn.exe 1384 djdvv.exe 1984 rffxrrl.exe 4328 ntbttt.exe 1728 pvpdv.exe 1992 xrrfxrr.exe 2104 xrxxrrr.exe 4084 9hbbth.exe 2160 vdpdp.exe 3264 lffxrrr.exe 1972 3rrlxxf.exe 3548 3tbtbt.exe 4188 7djdv.exe 232 9xrrlll.exe 2028 fxxxxxx.exe 2056 htbbnn.exe 1816 9lffrrx.exe 1608 5nbbhn.exe 4704 nhnntt.exe 3376 pdddj.exe 1904 frrxrxr.exe 1564 ttttnt.exe 5060 pvvpd.exe 4348 jvdvv.exe 3320 frfxffl.exe 4468 ffrrxxx.exe 4160 1nnnbb.exe 680 fxllrff.exe 676 9xflfll.exe 3468 tnnhhh.exe 1652 jddvv.exe 4764 7ppjd.exe 4100 pjpjv.exe 408 5xllfrr.exe 4064 lfffxxr.exe 1728 nbhhhh.exe 1992 nntbnb.exe 4240 jjvvd.exe 3448 ddjjp.exe 1020 rflfxxr.exe 2160 1bbttt.exe 1596 hhbttt.exe 1756 vpvpv.exe 1548 7dppj.exe 3752 xrlrxrl.exe 1912 hhhnth.exe 4488 3hnhbb.exe 4460 ppvvd.exe 4512 vvjjd.exe 4736 rllffff.exe 2652 lfxrllf.exe -
resource yara_rule behavioral2/memory/4052-4-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/220-11-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/5020-25-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1128-18-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2216-38-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3320-50-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1416-57-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2252-65-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4992-74-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/676-81-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/5076-93-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4764-101-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1384-105-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1984-110-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4328-117-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1728-125-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1992-129-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2104-135-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4084-140-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2160-147-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3264-152-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1972-158-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3548-164-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4188-171-0x0000000000400000-0x0000000000429000-memory.dmp upx 
behavioral2/memory/232-178-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2028-182-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1816-195-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1608-201-0x0000000000400000-0x0000000000429000-memory.dmp upx -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4052 wrote to memory of 220 4052 16059ab5fbb81d7cd2f9c835492093f0fc4650e2d2aa0adee9eae50a798769c9.exe 90 PID 4052 wrote to memory of 220 4052 16059ab5fbb81d7cd2f9c835492093f0fc4650e2d2aa0adee9eae50a798769c9.exe 90 PID 4052 wrote to memory of 220 4052 16059ab5fbb81d7cd2f9c835492093f0fc4650e2d2aa0adee9eae50a798769c9.exe 90 PID 220 wrote to memory of 1128 220 5vpvd.exe 91 PID 220 wrote to memory of 1128 220 5vpvd.exe 91 PID 220 wrote to memory of 1128 220 5vpvd.exe 91 PID 1128 wrote to memory of 5020 1128 lrxlfxr.exe 92 PID 1128 wrote to memory of 5020 1128 lrxlfxr.exe 92 PID 1128 wrote to memory of 5020 1128 lrxlfxr.exe 92 PID 5020 wrote to memory of 3484 5020 nthbtb.exe 93 PID 5020 wrote to memory of 3484 5020 nthbtb.exe 93 PID 5020 wrote to memory of 3484 5020 nthbtb.exe 93 PID 3484 wrote to memory of 2216 3484 3vdvp.exe 94 PID 3484 wrote to memory of 2216 3484 3vdvp.exe 94 PID 3484 wrote to memory of 2216 3484 3vdvp.exe 94 PID 2216 wrote to memory of 4364 2216 lxlflrl.exe 95 PID 2216 wrote to memory of 4364 2216 lxlflrl.exe 95 PID 2216 wrote to memory of 4364 2216 lxlflrl.exe 95 PID 4364 wrote to memory of 3320 4364 tnhttn.exe 96 PID 4364 wrote to memory of 3320 4364 tnhttn.exe 96 PID 4364 wrote to memory of 3320 4364 tnhttn.exe 96 PID 3320 wrote to memory of 1416 3320 3nthnh.exe 97 PID 3320 wrote to memory of 1416 3320 3nthnh.exe 97 PID 3320 wrote to memory of 1416 3320 3nthnh.exe 97 PID 1416 wrote to memory of 2252 1416 djpjd.exe 98 PID 1416 wrote to memory of 2252 1416 djpjd.exe 98 PID 1416 wrote to memory of 2252 1416 djpjd.exe 98 PID 2252 wrote to memory of 4992 2252 rffxrll.exe 99 PID 2252 wrote to memory of 4992 2252 rffxrll.exe 99 PID 2252 wrote to memory of 4992 2252 rffxrll.exe 99 PID 4992 wrote to memory of 676 4992 bnnntn.exe 100 PID 4992 wrote to memory of 676 4992 bnnntn.exe 100 PID 4992 wrote to memory of 676 4992 bnnntn.exe 100 PID 676 wrote to memory of 3468 676 jddvv.exe 101 PID 676 wrote to memory of 
3468 676 jddvv.exe 101 PID 676 wrote to memory of 3468 676 jddvv.exe 101 PID 3468 wrote to memory of 5076 3468 1lrfffl.exe 102 PID 3468 wrote to memory of 5076 3468 1lrfffl.exe 102 PID 3468 wrote to memory of 5076 3468 1lrfffl.exe 102 PID 5076 wrote to memory of 4764 5076 lllllxl.exe 103 PID 5076 wrote to memory of 4764 5076 lllllxl.exe 103 PID 5076 wrote to memory of 4764 5076 lllllxl.exe 103 PID 4764 wrote to memory of 1384 4764 hhthtn.exe 104 PID 4764 wrote to memory of 1384 4764 hhthtn.exe 104 PID 4764 wrote to memory of 1384 4764 hhthtn.exe 104 PID 1384 wrote to memory of 1984 1384 djdvv.exe 105 PID 1384 wrote to memory of 1984 1384 djdvv.exe 105 PID 1384 wrote to memory of 1984 1384 djdvv.exe 105 PID 1984 wrote to memory of 4328 1984 rffxrrl.exe 106 PID 1984 wrote to memory of 4328 1984 rffxrrl.exe 106 PID 1984 wrote to memory of 4328 1984 rffxrrl.exe 106 PID 4328 wrote to memory of 1728 4328 ntbttt.exe 107 PID 4328 wrote to memory of 1728 4328 ntbttt.exe 107 PID 4328 wrote to memory of 1728 4328 ntbttt.exe 107 PID 1728 wrote to memory of 1992 1728 pvpdv.exe 108 PID 1728 wrote to memory of 1992 1728 pvpdv.exe 108 PID 1728 wrote to memory of 1992 1728 pvpdv.exe 108 PID 1992 wrote to memory of 2104 1992 xrrfxrr.exe 109 PID 1992 wrote to memory of 2104 1992 xrrfxrr.exe 109 PID 1992 wrote to memory of 2104 1992 xrrfxrr.exe 109 PID 2104 wrote to memory of 4084 2104 xrxxrrr.exe 110 PID 2104 wrote to memory of 4084 2104 xrxxrrr.exe 110 PID 2104 wrote to memory of 4084 2104 xrxxrrr.exe 110 PID 4084 wrote to memory of 2160 4084 9hbbth.exe 111
Processes
-
C:\Users\Admin\AppData\Local\Temp\16059ab5fbb81d7cd2f9c835492093f0fc4650e2d2aa0adee9eae50a798769c9.exe"C:\Users\Admin\AppData\Local\Temp\16059ab5fbb81d7cd2f9c835492093f0fc4650e2d2aa0adee9eae50a798769c9.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4052 -
\??\c:\5vpvd.exec:\5vpvd.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:220 -
\??\c:\lrxlfxr.exec:\lrxlfxr.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1128 -
\??\c:\nthbtb.exec:\nthbtb.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5020 -
\??\c:\3vdvp.exec:\3vdvp.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3484 -
\??\c:\lxlflrl.exec:\lxlflrl.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2216 -
\??\c:\tnhttn.exec:\tnhttn.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4364 -
\??\c:\3nthnh.exec:\3nthnh.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3320 -
\??\c:\djpjd.exec:\djpjd.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1416 -
\??\c:\rffxrll.exec:\rffxrll.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2252 -
\??\c:\bnnntn.exec:\bnnntn.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4992 -
\??\c:\jddvv.exec:\jddvv.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:676 -
\??\c:\1lrfffl.exec:\1lrfffl.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3468 -
\??\c:\lllllxl.exec:\lllllxl.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5076 -
\??\c:\hhthtn.exec:\hhthtn.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4764 -
\??\c:\djdvv.exec:\djdvv.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1384 -
\??\c:\rffxrrl.exec:\rffxrrl.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1984 -
\??\c:\ntbttt.exec:\ntbttt.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4328 -
\??\c:\pvpdv.exec:\pvpdv.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1728 -
\??\c:\xrrfxrr.exec:\xrrfxrr.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1992 -
\??\c:\xrxxrrr.exec:\xrxxrrr.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2104 -
\??\c:\9hbbth.exec:\9hbbth.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4084 -
\??\c:\vdpdp.exec:\vdpdp.exe23⤵
- Executes dropped EXE
PID:2160 -
\??\c:\lffxrrr.exec:\lffxrrr.exe24⤵
- Executes dropped EXE
PID:3264 -
\??\c:\3rrlxxf.exec:\3rrlxxf.exe25⤵
- Executes dropped EXE
PID:1972 -
\??\c:\3tbtbt.exec:\3tbtbt.exe26⤵
- Executes dropped EXE
PID:3548 -
\??\c:\7djdv.exec:\7djdv.exe27⤵
- Executes dropped EXE
PID:4188 -
\??\c:\9xrrlll.exec:\9xrrlll.exe28⤵
- Executes dropped EXE
PID:232 -
\??\c:\fxxxxxx.exec:\fxxxxxx.exe29⤵
- Executes dropped EXE
PID:2028 -
\??\c:\htbbnn.exec:\htbbnn.exe30⤵
- Executes dropped EXE
PID:2056 -
\??\c:\9lffrrx.exec:\9lffrrx.exe31⤵
- Executes dropped EXE
PID:1816 -
\??\c:\5nbbhn.exec:\5nbbhn.exe32⤵
- Executes dropped EXE
PID:1608 -
\??\c:\nhnntt.exec:\nhnntt.exe33⤵
- Executes dropped EXE
PID:4704 -
\??\c:\pdddj.exec:\pdddj.exe34⤵
- Executes dropped EXE
PID:3376 -
\??\c:\frrxrxr.exec:\frrxrxr.exe35⤵
- Executes dropped EXE
PID:1904 -
\??\c:\ttttnt.exec:\ttttnt.exe36⤵
- Executes dropped EXE
PID:1564 -
\??\c:\pvvpd.exec:\pvvpd.exe37⤵
- Executes dropped EXE
PID:5060 -
\??\c:\jvdvv.exec:\jvdvv.exe38⤵
- Executes dropped EXE
PID:4348 -
\??\c:\frfxffl.exec:\frfxffl.exe39⤵
- Executes dropped EXE
PID:3320 -
\??\c:\ffrrxxx.exec:\ffrrxxx.exe40⤵
- Executes dropped EXE
PID:4468 -
\??\c:\1nnnbb.exec:\1nnnbb.exe41⤵
- Executes dropped EXE
PID:4160 -
\??\c:\fxllrff.exec:\fxllrff.exe42⤵
- Executes dropped EXE
PID:680 -
\??\c:\9xflfll.exec:\9xflfll.exe43⤵
- Executes dropped EXE
PID:676 -
\??\c:\tnnhhh.exec:\tnnhhh.exe44⤵
- Executes dropped EXE
PID:3468 -
\??\c:\jddvv.exec:\jddvv.exe45⤵
- Executes dropped EXE
PID:1652 -
\??\c:\7ppjd.exec:\7ppjd.exe46⤵
- Executes dropped EXE
PID:4764 -
\??\c:\pjpjv.exec:\pjpjv.exe47⤵
- Executes dropped EXE
PID:4100 -
\??\c:\5xllfrr.exec:\5xllfrr.exe48⤵
- Executes dropped EXE
PID:408 -
\??\c:\lfffxxr.exec:\lfffxxr.exe49⤵
- Executes dropped EXE
PID:4064 -
\??\c:\nbhhhh.exec:\nbhhhh.exe50⤵
- Executes dropped EXE
PID:1728 -
\??\c:\nntbnb.exec:\nntbnb.exe51⤵
- Executes dropped EXE
PID:1992 -
\??\c:\jjvvd.exec:\jjvvd.exe52⤵
- Executes dropped EXE
PID:4240 -
\??\c:\ddjjp.exec:\ddjjp.exe53⤵
- Executes dropped EXE
PID:3448 -
\??\c:\rflfxxr.exec:\rflfxxr.exe54⤵
- Executes dropped EXE
PID:1020 -
\??\c:\1bbttt.exec:\1bbttt.exe55⤵
- Executes dropped EXE
PID:2160 -
\??\c:\hhbttt.exec:\hhbttt.exe56⤵
- Executes dropped EXE
PID:1596 -
\??\c:\vpvpv.exec:\vpvpv.exe57⤵
- Executes dropped EXE
PID:1756 -
\??\c:\7dppj.exec:\7dppj.exe58⤵
- Executes dropped EXE
PID:1548 -
\??\c:\xrlrxrl.exec:\xrlrxrl.exe59⤵
- Executes dropped EXE
PID:3752 -
\??\c:\hhhnth.exec:\hhhnth.exe60⤵
- Executes dropped EXE
PID:1912 -
\??\c:\3hnhbb.exec:\3hnhbb.exe61⤵
- Executes dropped EXE
PID:4488 -
\??\c:\ppvvd.exec:\ppvvd.exe62⤵
- Executes dropped EXE
PID:4460 -
\??\c:\vvjjd.exec:\vvjjd.exe63⤵
- Executes dropped EXE
PID:4512 -
\??\c:\rllffff.exec:\rllffff.exe64⤵
- Executes dropped EXE
PID:4736 -
\??\c:\lfxrllf.exec:\lfxrllf.exe65⤵
- Executes dropped EXE
PID:2652 -
\??\c:\nbhhbh.exec:\nbhhbh.exe66⤵PID:4804
-
\??\c:\pddvv.exec:\pddvv.exe67⤵PID:660
-
\??\c:\vdjjj.exec:\vdjjj.exe68⤵PID:2884
-
\??\c:\ppvjv.exec:\ppvjv.exe69⤵PID:2016
-
\??\c:\lxrrllf.exec:\lxrrllf.exe70⤵PID:224
-
\??\c:\3hhhhn.exec:\3hhhhn.exe71⤵PID:5100
-
\??\c:\vdddv.exec:\vdddv.exe72⤵PID:548
-
\??\c:\vjdvp.exec:\vjdvp.exe73⤵PID:1416
-
\??\c:\xrrlfff.exec:\xrrlfff.exe74⤵PID:1472
-
\??\c:\frfffff.exec:\frfffff.exe75⤵PID:860
-
\??\c:\nnhhbb.exec:\nnhhbb.exe76⤵PID:3880
-
\??\c:\pjpjd.exec:\pjpjd.exe77⤵PID:2956
-
\??\c:\vdjpj.exec:\vdjpj.exe78⤵PID:4028
-
\??\c:\llflxfx.exec:\llflxfx.exe79⤵PID:4140
-
\??\c:\ntbntn.exec:\ntbntn.exe80⤵PID:4656
-
\??\c:\nnbthh.exec:\nnbthh.exe81⤵PID:4548
-
\??\c:\bnbtnn.exec:\bnbtnn.exe82⤵PID:3472
-
\??\c:\vjpjd.exec:\vjpjd.exe83⤵PID:1180
-
\??\c:\7vvvp.exec:\7vvvp.exe84⤵PID:464
-
\??\c:\fllrrxf.exec:\fllrrxf.exe85⤵PID:3944
-
\??\c:\fxlllrr.exec:\fxlllrr.exe86⤵PID:3528
-
\??\c:\nhbthh.exec:\nhbthh.exe87⤵PID:3104
-
\??\c:\hhbtbn.exec:\hhbtbn.exe88⤵PID:2612
-
\??\c:\jddvv.exec:\jddvv.exe89⤵PID:1972
-
\??\c:\3vddd.exec:\3vddd.exe90⤵PID:3000
-
\??\c:\fxrrxff.exec:\fxrrxff.exe91⤵PID:1828
-
\??\c:\7flffxx.exec:\7flffxx.exe92⤵PID:4624
-
\??\c:\9rxrflx.exec:\9rxrflx.exe93⤵PID:4472
-
\??\c:\bbhbtt.exec:\bbhbtt.exe94⤵PID:2140
-
\??\c:\9bbtnn.exec:\9bbtnn.exe95⤵PID:4052
-
\??\c:\pvjdd.exec:\pvjdd.exe96⤵PID:4572
-
\??\c:\dvppv.exec:\dvppv.exe97⤵PID:4900
-
\??\c:\xllfxxr.exec:\xllfxxr.exe98⤵PID:1568
-
\??\c:\lrxxfxf.exec:\lrxxfxf.exe99⤵PID:5092
-
\??\c:\frlxllx.exec:\frlxllx.exe100⤵PID:4508
-
\??\c:\5bbtth.exec:\5bbtth.exe101⤵PID:2884
-
\??\c:\bhhnht.exec:\bhhnht.exe102⤵PID:4364
-
\??\c:\7vddv.exec:\7vddv.exe103⤵PID:1604
-
\??\c:\dppjj.exec:\dppjj.exe104⤵PID:3324
-
\??\c:\rxfxrrl.exec:\rxfxrrl.exe105⤵PID:4468
-
\??\c:\llflxrx.exec:\llflxrx.exe106⤵PID:528
-
\??\c:\bhbhhn.exec:\bhbhhn.exe107⤵PID:5108
-
\??\c:\nbtntt.exec:\nbtntt.exe108⤵PID:4408
-
\??\c:\pdvjp.exec:\pdvjp.exe109⤵PID:3948
-
\??\c:\dddvv.exec:\dddvv.exe110⤵PID:4184
-
\??\c:\frrrflf.exec:\frrrflf.exe111⤵PID:4764
-
\??\c:\rxffrxl.exec:\rxffrxl.exe112⤵PID:4100
-
\??\c:\thnnhb.exec:\thnnhb.exe113⤵PID:4056
-
\??\c:\pjjpj.exec:\pjjpj.exe114⤵PID:1380
-
\??\c:\pdjpj.exec:\pdjpj.exe115⤵PID:4612
-
\??\c:\9fxxrxx.exec:\9fxxrxx.exe116⤵PID:1180
-
\??\c:\3lxllxf.exec:\3lxllxf.exe117⤵PID:464
-
\??\c:\5tnbnn.exec:\5tnbnn.exe118⤵PID:3120
-
\??\c:\5pvvp.exec:\5pvvp.exe119⤵PID:3528
-
\??\c:\lrlffff.exec:\lrlffff.exe120⤵PID:3104
-
\??\c:\rlfrlll.exec:\rlfrlll.exe121⤵PID:972
-
\??\c:\btttnb.exec:\btttnb.exe122⤵PID:216
-