Analysis
-
max time kernel
150s -
max time network
127s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240508-en locale:en-us os:windows10-2004-x64 system -
submitted
06-06-2024 03:59
Static task
static1
1 signature
Behavioral task
behavioral1
Sample
a2d2a0c93849f45babfdb746dbf63be0b61d2e33e545c4595c8439cb5f7cac42.exe
Resource
win7-20240215-en
6 signatures
150 seconds
General
-
Target
a2d2a0c93849f45babfdb746dbf63be0b61d2e33e545c4595c8439cb5f7cac42.exe
-
Size
247KB
-
MD5
4a9f67752e64749cc880f344800891f3
-
SHA1
35b58495fbeb410b2ef2a3f415ea0137665d736d
-
SHA256
a2d2a0c93849f45babfdb746dbf63be0b61d2e33e545c4595c8439cb5f7cac42
-
SHA512
355038103828515c692130a244f79c05b049ca2211ae09bc293a3dc3f887572d0d442911c952e9e04371998f69441b3a6fdfb36df2eefb027671e44112c326ad
-
SSDEEP
6144:n3C9BRo/AIX27NHWpU00VIxas1oa3YiFRV6E:n3C9uD6AUDCa4NYmRh
Malware Config
Signatures
-
Detect Blackmoon payload 27 IoCs
Processes:
resource yara_rule behavioral2/memory/4708-4-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4712-27-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2828-106-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3064-113-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4756-124-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3536-142-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2640-208-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3012-196-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/932-193-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/988-178-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1196-167-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3380-159-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2252-153-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1908-150-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1760-136-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4124-118-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2996-100-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2232-94-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4608-72-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1632-63-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1632-62-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon 
behavioral2/memory/3832-56-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4220-48-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4364-41-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1572-35-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3424-20-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/884-17-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon -
UPX dump on OEP (original entry point) 32 IoCs
Processes:
resource yara_rule behavioral2/memory/4708-4-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/4712-27-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/2828-106-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/3064-113-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/4756-124-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/3536-142-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/2640-208-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/3012-196-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/932-193-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/988-178-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/1196-167-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/3380-159-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/2252-153-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/1908-150-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/1760-136-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/4124-118-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/2996-100-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/2232-94-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/4608-72-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/4608-71-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/4608-70-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/1632-63-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/1632-62-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/3832-56-0x0000000000400000-0x0000000000429000-memory.dmp UPX 
behavioral2/memory/4220-48-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/4364-41-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/1572-35-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/3424-20-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/884-17-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/884-12-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/884-11-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/884-10-0x0000000000400000-0x0000000000429000-memory.dmp UPX -
Executes dropped EXE 64 IoCs
Processes:
9djdj.exevdpjd.exerxxxfxf.exe9rxlffr.exenhhbhh.exejjjjd.exepdjjd.exe3lfxrxr.exebntthn.exepvjjp.exexrrxrxr.exexlrlfxx.exenbhbhb.exetbnhtn.exe5vdpv.exepvjpp.exexlfxllf.exehttnhh.exejvppj.exedvddv.exellxrlff.exehhhbtn.exebtnnhh.exedpdvp.exexlrrlrl.exentttbb.exe7jvpj.exepjpdp.exexlfxrrr.exe3thtbt.exedvddv.exedddvd.exerffllrx.exe3tthth.exebttnhh.exevjpjd.exelfrlrrr.exexxllxff.exe9thbbb.exebthnnn.exevppjd.exe1flllfr.exelrrlfxf.exehbbbhh.exettnnht.exepppjp.exe1lrrlll.exerffrlxx.exetnttnh.exettbttt.exepjpdd.exefrxlffx.exelrrllll.exebntttt.exebbtttt.exe5pvvv.exevvjpv.exexxfxrrl.exetnbbnn.exebtnhhb.exe1jdvd.exevjppj.exefrxrllf.exe3xfffll.exepid process 884 9djdj.exe 3424 vdpjd.exe 4712 rxxxfxf.exe 1572 9rxlffr.exe 4364 nhhbhh.exe 4220 jjjjd.exe 3832 pdjjd.exe 1632 3lfxrxr.exe 4608 bntthn.exe 3088 pvjjp.exe 2344 xrrxrxr.exe 2232 xlrlfxx.exe 2996 nbhbhb.exe 2828 tbnhtn.exe 3064 5vdpv.exe 4124 pvjpp.exe 4756 xlfxllf.exe 4948 httnhh.exe 1760 jvppj.exe 3536 dvddv.exe 1908 llxrlff.exe 2252 hhhbtn.exe 3380 btnnhh.exe 1196 dpdvp.exe 4012 xlrrlrl.exe 988 ntttbb.exe 2672 7jvpj.exe 932 pjpdp.exe 3012 xlfxrrr.exe 2848 3thtbt.exe 2640 dvddv.exe 1900 dddvd.exe 1400 rffllrx.exe 3444 3tthth.exe 1056 bttnhh.exe 2176 vjpjd.exe 556 lfrlrrr.exe 4964 xxllxff.exe 2996 9thbbb.exe 4416 bthnnn.exe 1116 vppjd.exe 4752 1flllfr.exe 2520 lrrlfxf.exe 4256 hbbbhh.exe 5060 ttnnht.exe 1760 pppjp.exe 3648 1lrrlll.exe 3092 rffrlxx.exe 2212 tnttnh.exe 964 ttbttt.exe 3108 pjpdd.exe 4812 frxlffx.exe 2896 lrrllll.exe 2768 bntttt.exe 932 bbtttt.exe 4868 5pvvv.exe 2196 vvjpv.exe 4040 xxfxrrl.exe 3060 tnbbnn.exe 4108 btnhhb.exe 400 1jdvd.exe 3668 vjppj.exe 4780 frxrllf.exe 4480 3xfffll.exe -
Processes:
resource yara_rule behavioral2/memory/4708-4-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4712-27-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2828-106-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3064-113-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4756-124-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3536-142-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2640-208-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3012-196-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/932-193-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/988-178-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1196-167-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3380-159-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2252-153-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1908-150-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1760-136-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4124-118-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2996-100-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2232-94-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4608-72-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4608-71-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4608-70-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1632-63-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1632-62-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3832-56-0x0000000000400000-0x0000000000429000-memory.dmp upx 
behavioral2/memory/4220-48-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4364-41-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1572-35-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3424-20-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/884-17-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/884-12-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/884-11-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/884-10-0x0000000000400000-0x0000000000429000-memory.dmp upx -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
a2d2a0c93849f45babfdb746dbf63be0b61d2e33e545c4595c8439cb5f7cac42.exe9djdj.exevdpjd.exerxxxfxf.exe9rxlffr.exenhhbhh.exejjjjd.exepdjjd.exe3lfxrxr.exebntthn.exepvjjp.exexrrxrxr.exexlrlfxx.exenbhbhb.exetbnhtn.exe5vdpv.exepvjpp.exexlfxllf.exehttnhh.exejvppj.exedvddv.exellxrlff.exedescription pid process target process PID 4708 wrote to memory of 884 4708 a2d2a0c93849f45babfdb746dbf63be0b61d2e33e545c4595c8439cb5f7cac42.exe 9djdj.exe PID 4708 wrote to memory of 884 4708 a2d2a0c93849f45babfdb746dbf63be0b61d2e33e545c4595c8439cb5f7cac42.exe 9djdj.exe PID 4708 wrote to memory of 884 4708 a2d2a0c93849f45babfdb746dbf63be0b61d2e33e545c4595c8439cb5f7cac42.exe 9djdj.exe PID 884 wrote to memory of 3424 884 9djdj.exe vdpjd.exe PID 884 wrote to memory of 3424 884 9djdj.exe vdpjd.exe PID 884 wrote to memory of 3424 884 9djdj.exe vdpjd.exe PID 3424 wrote to memory of 4712 3424 vdpjd.exe rxxxfxf.exe PID 3424 wrote to memory of 4712 3424 vdpjd.exe rxxxfxf.exe PID 3424 wrote to memory of 4712 3424 vdpjd.exe rxxxfxf.exe PID 4712 wrote to memory of 1572 4712 rxxxfxf.exe 9rxlffr.exe PID 4712 wrote to memory of 1572 4712 rxxxfxf.exe 9rxlffr.exe PID 4712 wrote to memory of 1572 4712 rxxxfxf.exe 9rxlffr.exe PID 1572 wrote to memory of 4364 1572 9rxlffr.exe nhhbhh.exe PID 1572 wrote to memory of 4364 1572 9rxlffr.exe nhhbhh.exe PID 1572 wrote to memory of 4364 1572 9rxlffr.exe nhhbhh.exe PID 4364 wrote to memory of 4220 4364 nhhbhh.exe jjjjd.exe PID 4364 wrote to memory of 4220 4364 nhhbhh.exe jjjjd.exe PID 4364 wrote to memory of 4220 4364 nhhbhh.exe jjjjd.exe PID 4220 wrote to memory of 3832 4220 jjjjd.exe pdjjd.exe PID 4220 wrote to memory of 3832 4220 jjjjd.exe pdjjd.exe PID 4220 wrote to memory of 3832 4220 jjjjd.exe pdjjd.exe PID 3832 wrote to memory of 1632 3832 pdjjd.exe 3lfxrxr.exe PID 3832 wrote to memory of 1632 3832 pdjjd.exe 3lfxrxr.exe PID 3832 wrote to memory of 1632 3832 pdjjd.exe 3lfxrxr.exe PID 1632 wrote to memory of 4608 1632 3lfxrxr.exe bntthn.exe PID 1632 wrote to memory of 
4608 1632 3lfxrxr.exe bntthn.exe PID 1632 wrote to memory of 4608 1632 3lfxrxr.exe bntthn.exe PID 4608 wrote to memory of 3088 4608 bntthn.exe pvjjp.exe PID 4608 wrote to memory of 3088 4608 bntthn.exe pvjjp.exe PID 4608 wrote to memory of 3088 4608 bntthn.exe pvjjp.exe PID 3088 wrote to memory of 2344 3088 pvjjp.exe xrrxrxr.exe PID 3088 wrote to memory of 2344 3088 pvjjp.exe xrrxrxr.exe PID 3088 wrote to memory of 2344 3088 pvjjp.exe xrrxrxr.exe PID 2344 wrote to memory of 2232 2344 xrrxrxr.exe xlrlfxx.exe PID 2344 wrote to memory of 2232 2344 xrrxrxr.exe xlrlfxx.exe PID 2344 wrote to memory of 2232 2344 xrrxrxr.exe xlrlfxx.exe PID 2232 wrote to memory of 2996 2232 xlrlfxx.exe nbhbhb.exe PID 2232 wrote to memory of 2996 2232 xlrlfxx.exe nbhbhb.exe PID 2232 wrote to memory of 2996 2232 xlrlfxx.exe nbhbhb.exe PID 2996 wrote to memory of 2828 2996 nbhbhb.exe hhbbtt.exe PID 2996 wrote to memory of 2828 2996 nbhbhb.exe hhbbtt.exe PID 2996 wrote to memory of 2828 2996 nbhbhb.exe hhbbtt.exe PID 2828 wrote to memory of 3064 2828 tbnhtn.exe 5vdpv.exe PID 2828 wrote to memory of 3064 2828 tbnhtn.exe 5vdpv.exe PID 2828 wrote to memory of 3064 2828 tbnhtn.exe 5vdpv.exe PID 3064 wrote to memory of 4124 3064 5vdpv.exe pvjpp.exe PID 3064 wrote to memory of 4124 3064 5vdpv.exe pvjpp.exe PID 3064 wrote to memory of 4124 3064 5vdpv.exe pvjpp.exe PID 4124 wrote to memory of 4756 4124 pvjpp.exe hhhbtb.exe PID 4124 wrote to memory of 4756 4124 pvjpp.exe hhhbtb.exe PID 4124 wrote to memory of 4756 4124 pvjpp.exe hhhbtb.exe PID 4756 wrote to memory of 4948 4756 xlfxllf.exe httnhh.exe PID 4756 wrote to memory of 4948 4756 xlfxllf.exe httnhh.exe PID 4756 wrote to memory of 4948 4756 xlfxllf.exe httnhh.exe PID 4948 wrote to memory of 1760 4948 httnhh.exe jvppj.exe PID 4948 wrote to memory of 1760 4948 httnhh.exe jvppj.exe PID 4948 wrote to memory of 1760 4948 httnhh.exe jvppj.exe PID 1760 wrote to memory of 3536 1760 jvppj.exe ntbbbh.exe PID 1760 wrote to memory of 3536 1760 jvppj.exe 
ntbbbh.exe PID 1760 wrote to memory of 3536 1760 jvppj.exe ntbbbh.exe PID 3536 wrote to memory of 1908 3536 dvddv.exe llxrlff.exe PID 3536 wrote to memory of 1908 3536 dvddv.exe llxrlff.exe PID 3536 wrote to memory of 1908 3536 dvddv.exe llxrlff.exe PID 1908 wrote to memory of 2252 1908 llxrlff.exe hhhbtn.exe
Processes
-
C:\Windows\system32\usoclient.exeC:\Windows\system32\usoclient.exe StartScan1⤵PID:812
-
C:\Windows\system32\usoclient.exeC:\Windows\system32\usoclient.exe StartScan1⤵PID:3612
-
C:\Users\Admin\AppData\Local\Temp\a2d2a0c93849f45babfdb746dbf63be0b61d2e33e545c4595c8439cb5f7cac42.exe"C:\Users\Admin\AppData\Local\Temp\a2d2a0c93849f45babfdb746dbf63be0b61d2e33e545c4595c8439cb5f7cac42.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4708 -
\??\c:\9djdj.exec:\9djdj.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:884 -
\??\c:\vdpjd.exec:\vdpjd.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3424 -
\??\c:\rxxxfxf.exec:\rxxxfxf.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4712 -
\??\c:\9rxlffr.exec:\9rxlffr.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1572 -
\??\c:\nhhbhh.exec:\nhhbhh.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4364 -
\??\c:\jjjjd.exec:\jjjjd.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4220 -
\??\c:\pdjjd.exec:\pdjjd.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3832 -
\??\c:\3lfxrxr.exec:\3lfxrxr.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1632 -
\??\c:\bntthn.exec:\bntthn.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4608 -
\??\c:\pvjjp.exec:\pvjjp.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3088 -
\??\c:\xrrxrxr.exec:\xrrxrxr.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2344 -
\??\c:\xlrlfxx.exec:\xlrlfxx.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2232 -
\??\c:\nbhbhb.exec:\nbhbhb.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2996 -
\??\c:\tbnhtn.exec:\tbnhtn.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2828 -
\??\c:\5vdpv.exec:\5vdpv.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3064 -
\??\c:\pvjpp.exec:\pvjpp.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4124 -
\??\c:\xlfxllf.exec:\xlfxllf.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4756 -
\??\c:\httnhh.exec:\httnhh.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4948 -
\??\c:\jvppj.exec:\jvppj.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1760 -
\??\c:\dvddv.exec:\dvddv.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3536 -
\??\c:\llxrlff.exec:\llxrlff.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1908 -
\??\c:\hhhbtn.exec:\hhhbtn.exe23⤵
- Executes dropped EXE
PID:2252 -
\??\c:\btnnhh.exec:\btnnhh.exe24⤵
- Executes dropped EXE
PID:3380 -
\??\c:\dpdvp.exec:\dpdvp.exe25⤵
- Executes dropped EXE
PID:1196 -
\??\c:\xlrrlrl.exec:\xlrrlrl.exe26⤵
- Executes dropped EXE
PID:4012 -
\??\c:\ntttbb.exec:\ntttbb.exe27⤵
- Executes dropped EXE
PID:988 -
\??\c:\7jvpj.exec:\7jvpj.exe28⤵
- Executes dropped EXE
PID:2672 -
\??\c:\pjpdp.exec:\pjpdp.exe29⤵
- Executes dropped EXE
PID:932 -
\??\c:\xlfxrrr.exec:\xlfxrrr.exe30⤵
- Executes dropped EXE
PID:3012 -
\??\c:\3thtbt.exec:\3thtbt.exe31⤵
- Executes dropped EXE
PID:2848 -
\??\c:\dvddv.exec:\dvddv.exe32⤵
- Executes dropped EXE
PID:2640 -
\??\c:\dddvd.exec:\dddvd.exe33⤵
- Executes dropped EXE
PID:1900 -
\??\c:\rffllrx.exec:\rffllrx.exe34⤵
- Executes dropped EXE
PID:1400 -
\??\c:\3tthth.exec:\3tthth.exe35⤵
- Executes dropped EXE
PID:3444 -
\??\c:\bttnhh.exec:\bttnhh.exe36⤵
- Executes dropped EXE
PID:1056 -
\??\c:\vjpjd.exec:\vjpjd.exe37⤵
- Executes dropped EXE
PID:2176 -
\??\c:\lfrlrrr.exec:\lfrlrrr.exe38⤵
- Executes dropped EXE
PID:556 -
\??\c:\xxllxff.exec:\xxllxff.exe39⤵
- Executes dropped EXE
PID:4964 -
\??\c:\9thbbb.exec:\9thbbb.exe40⤵
- Executes dropped EXE
PID:2996 -
\??\c:\bthnnn.exec:\bthnnn.exe41⤵
- Executes dropped EXE
PID:4416 -
\??\c:\vppjd.exec:\vppjd.exe42⤵
- Executes dropped EXE
PID:1116 -
\??\c:\1flllfr.exec:\1flllfr.exe43⤵
- Executes dropped EXE
PID:4752 -
\??\c:\lrrlfxf.exec:\lrrlfxf.exe44⤵
- Executes dropped EXE
PID:2520 -
\??\c:\hbbbhh.exec:\hbbbhh.exe45⤵
- Executes dropped EXE
PID:4256 -
\??\c:\ttnnht.exec:\ttnnht.exe46⤵
- Executes dropped EXE
PID:5060 -
\??\c:\pppjp.exec:\pppjp.exe47⤵
- Executes dropped EXE
PID:1760 -
\??\c:\1lrrlll.exec:\1lrrlll.exe48⤵
- Executes dropped EXE
PID:3648 -
\??\c:\rffrlxx.exec:\rffrlxx.exe49⤵
- Executes dropped EXE
PID:3092 -
\??\c:\tnttnh.exec:\tnttnh.exe50⤵
- Executes dropped EXE
PID:2212 -
\??\c:\ttbttt.exec:\ttbttt.exe51⤵
- Executes dropped EXE
PID:964 -
\??\c:\pjpdd.exec:\pjpdd.exe52⤵
- Executes dropped EXE
PID:3108 -
\??\c:\frxlffx.exec:\frxlffx.exe53⤵
- Executes dropped EXE
PID:4812 -
\??\c:\lrrllll.exec:\lrrllll.exe54⤵
- Executes dropped EXE
PID:2896 -
\??\c:\bntttt.exec:\bntttt.exe55⤵
- Executes dropped EXE
PID:2768 -
\??\c:\bbtttt.exec:\bbtttt.exe56⤵
- Executes dropped EXE
PID:932 -
\??\c:\5pvvv.exec:\5pvvv.exe57⤵
- Executes dropped EXE
PID:4868 -
\??\c:\vvjpv.exec:\vvjpv.exe58⤵
- Executes dropped EXE
PID:2196 -
\??\c:\xxfxrrl.exec:\xxfxrrl.exe59⤵
- Executes dropped EXE
PID:4040 -
\??\c:\tnbbnn.exec:\tnbbnn.exe60⤵
- Executes dropped EXE
PID:3060 -
\??\c:\btnhhb.exec:\btnhhb.exe61⤵
- Executes dropped EXE
PID:4108 -
\??\c:\1jdvd.exec:\1jdvd.exe62⤵
- Executes dropped EXE
PID:400 -
\??\c:\vjppj.exec:\vjppj.exe63⤵
- Executes dropped EXE
PID:3668 -
\??\c:\frxrllf.exec:\frxrllf.exe64⤵
- Executes dropped EXE
PID:4780 -
\??\c:\3xfffll.exec:\3xfffll.exe65⤵
- Executes dropped EXE
PID:4480 -
\??\c:\bbnntt.exec:\bbnntt.exe66⤵PID:952
-
\??\c:\ddjdv.exec:\ddjdv.exe67⤵PID:5116
-
\??\c:\jvdvv.exec:\jvdvv.exe68⤵PID:3436
-
\??\c:\rlfffrx.exec:\rlfffrx.exe69⤵PID:4228
-
\??\c:\rllllll.exec:\rllllll.exe70⤵PID:2560
-
\??\c:\3hhbtt.exec:\3hhbtt.exe71⤵PID:4740
-
\??\c:\ttbtbb.exec:\ttbtbb.exe72⤵PID:3368
-
\??\c:\1vvpp.exec:\1vvpp.exe73⤵PID:1180
-
\??\c:\ddjjd.exec:\ddjjd.exe74⤵PID:4124
-
\??\c:\lxrrxrx.exec:\lxrrxrx.exe75⤵PID:4216
-
\??\c:\rllfxxr.exec:\rllfxxr.exe76⤵PID:4256
-
\??\c:\btbhhn.exec:\btbhhn.exe77⤵PID:5060
-
\??\c:\thnhbb.exec:\thnhbb.exe78⤵PID:2500
-
\??\c:\pdvpp.exec:\pdvpp.exe79⤵PID:1948
-
\??\c:\lrxrlfr.exec:\lrxrlfr.exe80⤵PID:1276
-
\??\c:\9hbbtn.exec:\9hbbtn.exe81⤵PID:704
-
\??\c:\tnhbtt.exec:\tnhbtt.exe82⤵PID:5080
-
\??\c:\7vvvv.exec:\7vvvv.exe83⤵PID:2672
-
\??\c:\vpvvp.exec:\vpvvp.exe84⤵PID:3476
-
\??\c:\lfxrrrr.exec:\lfxrrrr.exe85⤵PID:3408
-
\??\c:\3fxrrrl.exec:\3fxrrrl.exe86⤵PID:668
-
\??\c:\tbhhtt.exec:\tbhhtt.exe87⤵PID:348
-
\??\c:\hbbttt.exec:\hbbttt.exe88⤵PID:1772
-
\??\c:\9vjdd.exec:\9vjdd.exe89⤵PID:4716
-
\??\c:\rxffxfl.exec:\rxffxfl.exe90⤵PID:2656
-
\??\c:\btbhbh.exec:\btbhbh.exe91⤵PID:4508
-
\??\c:\tthbbh.exec:\tthbbh.exe92⤵PID:3036
-
\??\c:\3djdd.exec:\3djdd.exe93⤵PID:1632
-
\??\c:\pdpjp.exec:\pdpjp.exe94⤵PID:3572
-
\??\c:\1llrlrr.exec:\1llrlrr.exe95⤵PID:1556
-
\??\c:\bhttnt.exec:\bhttnt.exe96⤵PID:2752
-
\??\c:\bttttt.exec:\bttttt.exe97⤵PID:3436
-
\??\c:\pjvjv.exec:\pjvjv.exe98⤵PID:5020
-
\??\c:\vdjjj.exec:\vdjjj.exe99⤵PID:4120
-
\??\c:\rxrrrrr.exec:\rxrrrrr.exe100⤵PID:4472
-
\??\c:\1rrrlrr.exec:\1rrrlrr.exe101⤵PID:4100
-
\??\c:\bntnhn.exec:\bntnhn.exe102⤵PID:5088
-
\??\c:\nhbtbt.exec:\nhbtbt.exe103⤵PID:4752
-
\??\c:\jdvjd.exec:\jdvjd.exe104⤵PID:3760
-
\??\c:\jdpjv.exec:\jdpjv.exe105⤵PID:4304
-
\??\c:\frllffl.exec:\frllffl.exe106⤵PID:3104
-
\??\c:\rlxxffl.exec:\rlxxffl.exe107⤵PID:4504
-
\??\c:\tnhhbb.exec:\tnhhbb.exe108⤵PID:4960
-
\??\c:\7ntnhh.exec:\7ntnhh.exe109⤵PID:2760
-
\??\c:\3djjv.exec:\3djjv.exe110⤵PID:772
-
\??\c:\dpvdd.exec:\dpvdd.exe111⤵PID:5016
-
\??\c:\xxxffxf.exec:\xxxffxf.exe112⤵PID:5012
-
\??\c:\lrrlfff.exec:\lrrlfff.exe113⤵PID:3112
-
\??\c:\nhnntt.exec:\nhnntt.exe114⤵PID:4308
-
\??\c:\3hbthh.exec:\3hbthh.exe115⤵PID:3012
-
\??\c:\pddpj.exec:\pddpj.exe116⤵PID:3612
-
\??\c:\pjjjd.exec:\pjjjd.exe117⤵PID:2848
-
\??\c:\7xrlfff.exec:\7xrlfff.exe118⤵PID:4692
-
\??\c:\9rlflfl.exec:\9rlflfl.exe119⤵PID:4532
-
\??\c:\hhhbhh.exec:\hhhbhh.exe120⤵PID:4108
-
\??\c:\hbhhnn.exec:\hbhhnn.exe121⤵PID:4560
-
\??\c:\ddvvp.exec:\ddvvp.exe122⤵PID:4400