Analysis
- max time kernel: 139s
- max time network: 126s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 06-06-2024 02:56
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
9177bac7c0b4799d7eb1128bfca4ffb939bc282cccdc9d258aedfb8fc4b863ba.exe
Resource
win7-20240508-en
6 signatures
150 seconds
General
- Target: 9177bac7c0b4799d7eb1128bfca4ffb939bc282cccdc9d258aedfb8fc4b863ba.exe
- Size: 62KB
- MD5: 06dbfe0d6ab7c77f29653ab84e6179b8
- SHA1: 938b8b9f6b254300b9932e4ab81abc732d24a1e9
- SHA256: 9177bac7c0b4799d7eb1128bfca4ffb939bc282cccdc9d258aedfb8fc4b863ba
- SHA512: 59fcbf8708e70a3db39b9aa6b7ae681d2113287ebd3f78e62f4abe96f1da15d4061ac8cd361ea6f63a56ab15a290a5ea861e08f5e1f8f819eabe14771e0b2463
- SSDEEP: 1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDIvAEaFJLi:ymb3NkkiQ3mdBjFIvAvi
Malware Config
Signatures
-
Detect Blackmoon payload 26 IoCs
-
UPX dump on OEP (original entry point) 30 IoCs
-
Executes dropped EXE 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\9177bac7c0b4799d7eb1128bfca4ffb939bc282cccdc9d258aedfb8fc4b863ba.exe"C:\Users\Admin\AppData\Local\Temp\9177bac7c0b4799d7eb1128bfca4ffb939bc282cccdc9d258aedfb8fc4b863ba.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4744 -
\??\c:\lrxxffr.exec:\lrxxffr.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4840 -
\??\c:\fflrlrl.exec:\fflrlrl.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2060 -
\??\c:\btnhbb.exec:\btnhbb.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3244 -
\??\c:\pdddd.exec:\pdddd.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4772 -
\??\c:\fxfxxxx.exec:\fxfxxxx.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4656 -
\??\c:\hbhbhh.exec:\hbhbhh.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3052 -
\??\c:\1htntt.exec:\1htntt.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3984 -
\??\c:\dpdjv.exec:\dpdjv.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1216 -
\??\c:\jddjj.exec:\jddjj.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3008 -
\??\c:\rrlrrrr.exec:\rrlrrrr.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3232 -
\??\c:\rlfffll.exec:\rlfffll.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4172 -
\??\c:\vjvvv.exec:\vjvvv.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2212 -
\??\c:\pddvp.exec:\pddvp.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4072 -
\??\c:\7ffxrrl.exec:\7ffxrrl.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3716 -
\??\c:\hbbttt.exec:\hbbttt.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4836 -
\??\c:\hbbhhh.exec:\hbbhhh.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2428 -
\??\c:\jjpjj.exec:\jjpjj.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1460 -
\??\c:\fllllrr.exec:\fllllrr.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4956 -
\??\c:\5rxxxxx.exec:\5rxxxxx.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3892 -
\??\c:\hhtnnn.exec:\hhtnnn.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3264 -
\??\c:\vjdpp.exec:\vjdpp.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2612 -
\??\c:\dvpjd.exec:\dvpjd.exe23⤵
- Executes dropped EXE
PID:4952 -
\??\c:\lffrrrx.exec:\lffrrrx.exe24⤵
- Executes dropped EXE
PID:3324 -
\??\c:\frrllll.exec:\frrllll.exe25⤵
- Executes dropped EXE
PID:680 -
\??\c:\tbbbth.exec:\tbbbth.exe26⤵
- Executes dropped EXE
PID:3684 -
\??\c:\jpvjp.exec:\jpvjp.exe27⤵
- Executes dropped EXE
PID:2360 -
\??\c:\rxllrrf.exec:\rxllrrf.exe28⤵
- Executes dropped EXE
PID:4160 -
\??\c:\xlrrfrr.exec:\xlrrfrr.exe29⤵
- Executes dropped EXE
PID:4412 -
\??\c:\3bhhnn.exec:\3bhhnn.exe30⤵
- Executes dropped EXE
PID:2344 -
\??\c:\dvvjv.exec:\dvvjv.exe31⤵
- Executes dropped EXE
PID:4720 -
\??\c:\rllfffx.exec:\rllfffx.exe32⤵
- Executes dropped EXE
PID:4844 -
\??\c:\lrfllll.exec:\lrfllll.exe33⤵
- Executes dropped EXE
PID:1192 -
\??\c:\nbbhnn.exec:\nbbhnn.exe34⤵
- Executes dropped EXE
PID:972 -
\??\c:\jpvdd.exec:\jpvdd.exe35⤵
- Executes dropped EXE
PID:1216 -
\??\c:\vppjd.exec:\vppjd.exe36⤵
- Executes dropped EXE
PID:2340 -
\??\c:\rxlfxfx.exec:\rxlfxfx.exe37⤵
- Executes dropped EXE
PID:1604 -
\??\c:\thtttb.exec:\thtttb.exe38⤵
- Executes dropped EXE
PID:1732 -
\??\c:\tnnnnb.exec:\tnnnnb.exe39⤵
- Executes dropped EXE
PID:4068 -
\??\c:\pdjjd.exec:\pdjjd.exe40⤵
- Executes dropped EXE
PID:4436 -
\??\c:\1pdpj.exec:\1pdpj.exe41⤵
- Executes dropped EXE
PID:3148 -
\??\c:\7rrlxxr.exec:\7rrlxxr.exe42⤵
- Executes dropped EXE
PID:1616 -
\??\c:\9nhhtb.exec:\9nhhtb.exe43⤵
- Executes dropped EXE
PID:2128 -
\??\c:\9hhhhn.exec:\9hhhhn.exe44⤵
- Executes dropped EXE
PID:4836 -
\??\c:\vvddp.exec:\vvddp.exe45⤵
- Executes dropped EXE
PID:2428 -
\??\c:\dvpvv.exec:\dvpvv.exe46⤵
- Executes dropped EXE
PID:1088 -
\??\c:\xrxrrrr.exec:\xrxrrrr.exe47⤵
- Executes dropped EXE
PID:2156 -
\??\c:\flxlfxf.exec:\flxlfxf.exe48⤵
- Executes dropped EXE
PID:1140 -
\??\c:\5thhbb.exec:\5thhbb.exe49⤵
- Executes dropped EXE
PID:2036 -
\??\c:\bbthhh.exec:\bbthhh.exe50⤵
- Executes dropped EXE
PID:4292 -
\??\c:\jdpvd.exec:\jdpvd.exe51⤵
- Executes dropped EXE
PID:2612 -
\??\c:\vjdvj.exec:\vjdvj.exe52⤵
- Executes dropped EXE
PID:2600 -
\??\c:\ffxrrll.exec:\ffxrrll.exe53⤵
- Executes dropped EXE
PID:1076 -
\??\c:\nhttbh.exec:\nhttbh.exe54⤵
- Executes dropped EXE
PID:4916 -
\??\c:\7nbbtb.exec:\7nbbtb.exe55⤵
- Executes dropped EXE
PID:1780 -
\??\c:\vdvvp.exec:\vdvvp.exe56⤵
- Executes dropped EXE
PID:2904 -
\??\c:\ppjdd.exec:\ppjdd.exe57⤵
- Executes dropped EXE
PID:2364 -
\??\c:\xlxrllf.exec:\xlxrllf.exe58⤵
- Executes dropped EXE
PID:4840 -
\??\c:\xlrrllf.exec:\xlrrllf.exe59⤵
- Executes dropped EXE
PID:4420 -
\??\c:\hbhhhh.exec:\hbhhhh.exe60⤵
- Executes dropped EXE
PID:2408 -
\??\c:\3djjv.exec:\3djjv.exe61⤵
- Executes dropped EXE
PID:2920 -
\??\c:\lllffff.exec:\lllffff.exe62⤵
- Executes dropped EXE
PID:2468 -
\??\c:\7rffxxx.exec:\7rffxxx.exe63⤵
- Executes dropped EXE
PID:4720 -
\??\c:\nnbbhh.exec:\nnbbhh.exe64⤵
- Executes dropped EXE
PID:4844 -
\??\c:\nbbbbb.exec:\nbbbbb.exe65⤵
- Executes dropped EXE
PID:4636 -
\??\c:\ntbbtt.exec:\ntbbtt.exe66⤵PID:1596
-
\??\c:\pppjj.exec:\pppjj.exe67⤵PID:3488
-
\??\c:\3lffllf.exec:\3lffllf.exe68⤵PID:2028
-
\??\c:\1rlxxfx.exec:\1rlxxfx.exe69⤵PID:1776
-
\??\c:\tntnnn.exec:\tntnnn.exe70⤵PID:4224
-
\??\c:\btnnbh.exec:\btnnbh.exe71⤵PID:4068
-
\??\c:\jpjpd.exec:\jpjpd.exe72⤵PID:2088
-
\??\c:\dppjj.exec:\dppjj.exe73⤵PID:452
-
\??\c:\pjdvp.exec:\pjdvp.exe74⤵PID:3396
-
\??\c:\rrxfrff.exec:\rrxfrff.exe75⤵PID:1336
-
\??\c:\llxrxfl.exec:\llxrxfl.exe76⤵PID:4680
-
\??\c:\5tbhhh.exec:\5tbhhh.exe77⤵PID:1888
-
\??\c:\3thntt.exec:\3thntt.exe78⤵PID:3576
-
\??\c:\5jjpp.exec:\5jjpp.exe79⤵PID:3264
-
\??\c:\lxxffff.exec:\lxxffff.exe80⤵PID:3292
-
\??\c:\7rllfff.exec:\7rllfff.exe81⤵PID:4432
-
\??\c:\xxrlxlr.exec:\xxrlxlr.exe82⤵PID:2872
-
\??\c:\tnnhbh.exec:\tnnhbh.exe83⤵PID:4952
-
\??\c:\7nbbhh.exec:\7nbbhh.exe84⤵PID:2232
-
\??\c:\vvjdv.exec:\vvjdv.exe85⤵PID:1328
-
\??\c:\vpvvp.exec:\vpvvp.exe86⤵PID:448
-
\??\c:\rflrlxx.exec:\rflrlxx.exe87⤵PID:1780
-
\??\c:\llrxxxl.exec:\llrxxxl.exe88⤵PID:1028
-
\??\c:\tbbnnb.exec:\tbbnnb.exe89⤵PID:3544
-
\??\c:\bbhhnt.exec:\bbhhnt.exe90⤵PID:4768
-
\??\c:\nbbbbb.exec:\nbbbbb.exe91⤵PID:552
-
\??\c:\7ddjv.exec:\7ddjv.exe92⤵PID:2112
-
\??\c:\dvvpj.exec:\dvvpj.exe93⤵PID:3516
-
\??\c:\xrrlfrl.exec:\xrrlfrl.exe94⤵PID:1984
-
\??\c:\xrxxffl.exec:\xrxxffl.exe95⤵PID:3180
-
\??\c:\nhnhht.exec:\nhnhht.exe96⤵PID:4004
-
\??\c:\nnhhbh.exec:\nnhhbh.exe97⤵PID:5088
-
\??\c:\9nbbtt.exec:\9nbbtt.exe98⤵PID:4584
-
\??\c:\1dddv.exec:\1dddv.exe99⤵PID:2700
-
\??\c:\dvdvv.exec:\dvdvv.exe100⤵PID:4460
-
\??\c:\fxflrxx.exec:\fxflrxx.exe101⤵PID:2212
-
\??\c:\xrxxllx.exec:\xrxxllx.exe102⤵PID:4972
-
\??\c:\thnnnn.exec:\thnnnn.exe103⤵PID:2088
-
\??\c:\nbhhbb.exec:\nbhhbb.exe104⤵PID:4652
-
\??\c:\pjpjd.exec:\pjpjd.exe105⤵PID:2020
-
\??\c:\9pppj.exec:\9pppj.exe106⤵PID:4024
-
\??\c:\1rxffrr.exec:\1rxffrr.exe107⤵PID:4072
-
\??\c:\rflrllf.exec:\rflrllf.exe108⤵PID:1120
-
\??\c:\hhnnnh.exec:\hhnnnh.exe109⤵PID:3576
-
\??\c:\bhhnhn.exec:\bhhnhn.exe110⤵PID:2644
-
\??\c:\3ppvp.exec:\3ppvp.exe111⤵PID:3292
-
\??\c:\jdvpp.exec:\jdvpp.exe112⤵PID:4432
-
\??\c:\ffffxxx.exec:\ffffxxx.exe113⤵PID:2872
-
\??\c:\lflxffl.exec:\lflxffl.exe114⤵PID:4952
-
\??\c:\nbhnhn.exec:\nbhnhn.exe115⤵PID:5016
-
\??\c:\hhhhhh.exec:\hhhhhh.exe116⤵PID:2820
-
\??\c:\dvpjj.exec:\dvpjj.exe117⤵PID:448
-
\??\c:\jdvpp.exec:\jdvpp.exe118⤵PID:1780
-
\??\c:\3xrrllf.exec:\3xrrllf.exe119⤵PID:1028
-
\??\c:\1rxfxxx.exec:\1rxfxxx.exe120⤵PID:3156
-
\??\c:\9htnth.exec:\9htnth.exe121⤵PID:3724
-
\??\c:\nhttbb.exec:\nhttbb.exe122⤵PID:552