Analysis
- max time kernel: 150s
- max time network: 139s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 06-06-2024 05:20
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
b855a5bb12da066d7a0baf4945fbe39b950e314f47e5183fb8915c2e0ebe8f16.exe
Resource
win7-20231129-en
6 signatures
150 seconds
General
- Target: b855a5bb12da066d7a0baf4945fbe39b950e314f47e5183fb8915c2e0ebe8f16.exe
- Size: 87KB
- MD5: 2d4f260a06e38b013381ac37bf11d783
- SHA1: be452d9c551e438cb936f2b3267a07cccc764de6
- SHA256: b855a5bb12da066d7a0baf4945fbe39b950e314f47e5183fb8915c2e0ebe8f16
- SHA512: 77c238645c858f430f2b2b35837b02fa47944911036c1ad96ebcc91807afd25b235cd8192cf66ee50aaba19aa4ab84c2a1c68e1baed3dabe85e79d68e8c40fcb
- SSDEEP: 1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxND+3T4+C2wV3jaCJ5jH3eH5:ymb3NkkiQ3mdBjF+3TU2K3bJZXC
Malware Config
Signatures
-
Detect Blackmoon payload 27 IoCs
UPX dump on OEP (original entry point) 27 IoCs
Executes dropped EXE 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes