Analysis
-
max time kernel
65s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240508-en locale:en-us os:windows10-2004-x64 system -
submitted
06-06-2024 04:39
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
ad4ac567a8504503d7786105223942b3c99725b2c9cb87c2b361d7847c95d8db.exe
Resource
win7-20231129-en
6 signatures
150 seconds
General
-
Target
ad4ac567a8504503d7786105223942b3c99725b2c9cb87c2b361d7847c95d8db.exe
-
Size
68KB
-
MD5
6e1a0e2af53c0e36a7b136fa4d265688
-
SHA1
b1efffaa72e0ca58fb0e5e40a47cf0868dc0319e
-
SHA256
ad4ac567a8504503d7786105223942b3c99725b2c9cb87c2b361d7847c95d8db
-
SHA512
26e79e3516ac2ca574b9997ac83bc6e737859b94c951cc92347a111512488324dd6f777c87b1330b0a19197e22893d2adf54328b4eb774b63caec9d13917b6f3
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDIFdJUDbAIu:ymb3NkkiQ3mdBjFIFdJ8bG
Malware Config
Signatures
-
Detect Blackmoon payload 24 IoCs
-
UPX dump on OEP (original entry point) 25 IoCs
-
Executes dropped EXE 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\ad4ac567a8504503d7786105223942b3c99725b2c9cb87c2b361d7847c95d8db.exe"C:\Users\Admin\AppData\Local\Temp\ad4ac567a8504503d7786105223942b3c99725b2c9cb87c2b361d7847c95d8db.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4900 -
\??\c:\vpvpp.exec:\vpvpp.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5008 -
\??\c:\ttbhht.exec:\ttbhht.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4012 -
\??\c:\tntnnt.exec:\tntnnt.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4544 -
\??\c:\rfffllf.exec:\rfffllf.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3568 -
\??\c:\xfxrlll.exec:\xfxrlll.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4548 -
\??\c:\nhbntt.exec:\nhbntt.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3924 -
\??\c:\jdvvv.exec:\jdvvv.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4164 -
\??\c:\1pjjd.exec:\1pjjd.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4384 -
\??\c:\rlfxxxx.exec:\rlfxxxx.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:552 -
\??\c:\bnnbnt.exec:\bnnbnt.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4436 -
\??\c:\3jppd.exec:\3jppd.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2796 -
\??\c:\flrllrl.exec:\flrllrl.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1900 -
\??\c:\dvddd.exec:\dvddd.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1424 -
\??\c:\fxlfxfl.exec:\fxlfxfl.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3980 -
\??\c:\lfffffr.exec:\lfffffr.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4560 -
\??\c:\btnntt.exec:\btnntt.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4616 -
\??\c:\llxfxlf.exec:\llxfxlf.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4944 -
\??\c:\bhtttb.exec:\bhtttb.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3256 -
\??\c:\jdpvd.exec:\jdpvd.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2212 -
\??\c:\7rlllrr.exec:\7rlllrr.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3888 -
\??\c:\1bnnnt.exec:\1bnnnt.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4856 -
\??\c:\jjjpd.exec:\jjjpd.exe23⤵
- Executes dropped EXE
PID:2460 -
\??\c:\bhhtbt.exec:\bhhtbt.exe24⤵
- Executes dropped EXE
PID:1460 -
\??\c:\vpjpp.exec:\vpjpp.exe25⤵
- Executes dropped EXE
PID:4064 -
\??\c:\xxllllf.exec:\xxllllf.exe26⤵
- Executes dropped EXE
PID:2744 -
\??\c:\bntbnn.exec:\bntbnn.exe27⤵
- Executes dropped EXE
PID:4052 -
\??\c:\pddvd.exec:\pddvd.exe28⤵
- Executes dropped EXE
PID:4744 -
\??\c:\ffllffx.exec:\ffllffx.exe29⤵
- Executes dropped EXE
PID:4276 -
\??\c:\bhbnnn.exec:\bhbnnn.exe30⤵
- Executes dropped EXE
PID:900 -
\??\c:\5rxfxfr.exec:\5rxfxfr.exe31⤵
- Executes dropped EXE
PID:1588 -
\??\c:\hbnhbn.exec:\hbnhbn.exe32⤵
- Executes dropped EXE
PID:1576 -
\??\c:\xlxlrlr.exec:\xlxlrlr.exe33⤵
- Executes dropped EXE
PID:2484 -
\??\c:\3btbbt.exec:\3btbbt.exe34⤵
- Executes dropped EXE
PID:3672 -
\??\c:\5vdvp.exec:\5vdvp.exe35⤵
- Executes dropped EXE
PID:4056 -
\??\c:\lxflrxx.exec:\lxflrxx.exe36⤵
- Executes dropped EXE
PID:1128 -
\??\c:\bbntbn.exec:\bbntbn.exe37⤵
- Executes dropped EXE
PID:1844 -
\??\c:\ttttnn.exec:\ttttnn.exe38⤵
- Executes dropped EXE
PID:1912 -
\??\c:\dvppd.exec:\dvppd.exe39⤵
- Executes dropped EXE
PID:1564 -
\??\c:\rxrlrxx.exec:\rxrlrxx.exe40⤵
- Executes dropped EXE
PID:1908 -
\??\c:\5nnnhh.exec:\5nnnhh.exe41⤵
- Executes dropped EXE
PID:1620 -
\??\c:\frfllrr.exec:\frfllrr.exe42⤵
- Executes dropped EXE
PID:2176 -
\??\c:\rfxxfxx.exec:\rfxxfxx.exe43⤵
- Executes dropped EXE
PID:2684 -
\??\c:\bntttt.exec:\bntttt.exe44⤵
- Executes dropped EXE
PID:4224 -
\??\c:\7jdjd.exec:\7jdjd.exe45⤵
- Executes dropped EXE
PID:1512 -
\??\c:\llxlxlf.exec:\llxlxlf.exe46⤵
- Executes dropped EXE
PID:3356 -
\??\c:\bbttth.exec:\bbttth.exe47⤵
- Executes dropped EXE
PID:2296 -
\??\c:\vpdjp.exec:\vpdjp.exe48⤵
- Executes dropped EXE
PID:1944 -
\??\c:\rfxlxxx.exec:\rfxlxxx.exe49⤵
- Executes dropped EXE
PID:1580 -
\??\c:\rrrlrxr.exec:\rrrlrxr.exe50⤵
- Executes dropped EXE
PID:2916 -
\??\c:\htnhnn.exec:\htnhnn.exe51⤵
- Executes dropped EXE
PID:1524 -
\??\c:\9pdjp.exec:\9pdjp.exe52⤵
- Executes dropped EXE
PID:544 -
\??\c:\fffxxff.exec:\fffxxff.exe53⤵
- Executes dropped EXE
PID:4488 -
\??\c:\nthnnb.exec:\nthnnb.exe54⤵
- Executes dropped EXE
PID:2564 -
\??\c:\pdvdj.exec:\pdvdj.exe55⤵
- Executes dropped EXE
PID:3664 -
\??\c:\frfxrrr.exec:\frfxrrr.exe56⤵
- Executes dropped EXE
PID:2764 -
\??\c:\bhbbnn.exec:\bhbbnn.exe57⤵
- Executes dropped EXE
PID:3040 -
\??\c:\jdvpp.exec:\jdvpp.exe58⤵
- Executes dropped EXE
PID:4428 -
\??\c:\rlrllll.exec:\rlrllll.exe59⤵
- Executes dropped EXE
PID:4972 -
\??\c:\tbnhnn.exec:\tbnhnn.exe60⤵
- Executes dropped EXE
PID:2352 -
\??\c:\3pvvv.exec:\3pvvv.exe61⤵
- Executes dropped EXE
PID:116 -
\??\c:\7rxrlxx.exec:\7rxrlxx.exe62⤵
- Executes dropped EXE
PID:1876 -
\??\c:\tntttt.exec:\tntttt.exe63⤵
- Executes dropped EXE
PID:1380 -
\??\c:\tbhbnn.exec:\tbhbnn.exe64⤵
- Executes dropped EXE
PID:4540 -
\??\c:\jvjjj.exec:\jvjjj.exe65⤵
- Executes dropped EXE
PID:3888 -
\??\c:\frxllfx.exec:\frxllfx.exe66⤵PID:1052
-
\??\c:\bnbhtn.exec:\bnbhtn.exe67⤵PID:2384
-
\??\c:\dpppv.exec:\dpppv.exe68⤵PID:428
-
\??\c:\hbbbhh.exec:\hbbbhh.exe69⤵PID:4592
-
\??\c:\dppvv.exec:\dppvv.exe70⤵PID:4992
-
\??\c:\lxfffrr.exec:\lxfffrr.exe71⤵PID:4604
-
\??\c:\ffflxxl.exec:\ffflxxl.exe72⤵PID:1072
-
\??\c:\nhhttb.exec:\nhhttb.exe73⤵PID:4216
-
\??\c:\vvddp.exec:\vvddp.exe74⤵PID:744
-
\??\c:\lllllll.exec:\lllllll.exe75⤵PID:3460
-
\??\c:\fxlrrrl.exec:\fxlrrrl.exe76⤵PID:1328
-
\??\c:\ttbttt.exec:\ttbttt.exe77⤵PID:4752
-
\??\c:\ddpjd.exec:\ddpjd.exe78⤵PID:2400
-
\??\c:\dvvvj.exec:\dvvvj.exe79⤵PID:2440
-
\??\c:\frxlflf.exec:\frxlflf.exe80⤵PID:4976
-
\??\c:\bbtnhn.exec:\bbtnhn.exe81⤵PID:4948
-
\??\c:\vjvvj.exec:\vjvvj.exe82⤵PID:4424
-
\??\c:\pjvdj.exec:\pjvdj.exe83⤵PID:4872
-
\??\c:\xlrffxx.exec:\xlrffxx.exe84⤵PID:2964
-
\??\c:\nttnhb.exec:\nttnhb.exe85⤵PID:1272
-
\??\c:\hnbnbn.exec:\hnbnbn.exe86⤵PID:1860
-
\??\c:\jddpj.exec:\jddpj.exe87⤵PID:1464
-
\??\c:\nnnnnt.exec:\nnnnnt.exe88⤵PID:4328
-
\??\c:\9vjjd.exec:\9vjjd.exe89⤵PID:4224
-
\??\c:\lflrrxx.exec:\lflrrxx.exe90⤵PID:1548
-
\??\c:\1rfxrrl.exec:\1rfxrrl.exe91⤵PID:1520
-
\??\c:\thtbnn.exec:\thtbnn.exe92⤵PID:608
-
\??\c:\dpdjj.exec:\dpdjj.exe93⤵PID:1580
-
\??\c:\jppjj.exec:\jppjj.exe94⤵PID:3612
-
\??\c:\rrfrfrl.exec:\rrfrfrl.exe95⤵PID:4484
-
\??\c:\hbhhnn.exec:\hbhhnn.exe96⤵PID:5104
-
\??\c:\1btnnn.exec:\1btnnn.exe97⤵PID:2564
-
\??\c:\ddjvj.exec:\ddjvj.exe98⤵PID:1712
-
\??\c:\xrrfxxx.exec:\xrrfxxx.exe99⤵PID:5032
-
\??\c:\fxrflxf.exec:\fxrflxf.exe100⤵PID:3156
-
\??\c:\nhhbbb.exec:\nhhbbb.exe101⤵PID:5100
-
\??\c:\pdvjp.exec:\pdvjp.exe102⤵PID:2396
-
\??\c:\frflxfr.exec:\frflxfr.exe103⤵PID:3724
-
\??\c:\hhhhhh.exec:\hhhhhh.exe104⤵PID:3256
-
\??\c:\pddpd.exec:\pddpd.exe105⤵PID:388
-
\??\c:\jppjj.exec:\jppjj.exe106⤵PID:448
-
\??\c:\xxlllrr.exec:\xxlllrr.exe107⤵PID:3888
-
\??\c:\tbhnnn.exec:\tbhnnn.exe108⤵PID:3024
-
\??\c:\bttnnt.exec:\bttnnt.exe109⤵PID:4260
-
\??\c:\jppjj.exec:\jppjj.exe110⤵PID:428
-
\??\c:\rrxrxxx.exec:\rrxrxxx.exe111⤵PID:4592
-
\??\c:\btnbht.exec:\btnbht.exe112⤵PID:5084
-
\??\c:\nntbtb.exec:\nntbtb.exe113⤵PID:4604
-
\??\c:\5xrrrrf.exec:\5xrrrrf.exe114⤵PID:2868
-
\??\c:\rxllxxl.exec:\rxllxxl.exe115⤵PID:2468
-
\??\c:\ttnnbb.exec:\ttnnbb.exe116⤵PID:3760
-
\??\c:\jjjdd.exec:\jjjdd.exe117⤵PID:900
-
\??\c:\lrlxrxr.exec:\lrlxrxr.exe118⤵PID:2536
-
\??\c:\lrxlxrx.exec:\lrxlxrx.exe119⤵PID:4752
-
\??\c:\bbnnhn.exec:\bbnnhn.exe120⤵PID:2400
-
\??\c:\ttbhnh.exec:\ttbhnh.exe121⤵PID:3452
-
\??\c:\vvvdv.exec:\vvvdv.exe122⤵PID:1144