Analysis
-
max time kernel
150s -
max time network
96s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240426-en locale:en-us os:windows10-2004-x64 system -
submitted
06-06-2024 05:09
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
b6c1f031abd7bdcd88d4e5726b36aab6878b6ca1076856103e09776ac81035e7.exe
Resource
win7-20240221-en
6 signatures
150 seconds
General
-
Target
b6c1f031abd7bdcd88d4e5726b36aab6878b6ca1076856103e09776ac81035e7.exe
-
Size
88KB
-
MD5
e28712d9295e1d03c0ef5639f96acafa
-
SHA1
b5753af638056f649006ecd2e21fb90a23bb5fb5
-
SHA256
b6c1f031abd7bdcd88d4e5726b36aab6878b6ca1076856103e09776ac81035e7
-
SHA512
bc479b2d0286a2def27ca182924503d8ead16fcbc69c1f92b84f818954d7e8da513d7665772337dec804476938a2f176e7a98f9c42eda6ce7c003150123949c2
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxND+3T4+C2iJvRirE0DmmdL2jqWkBY:ymb3NkkiQ3mdBjF+3TU2iBRioSumWS1i
Malware Config
Signatures
-
Detect Blackmoon payload 22 IoCs
UPX dump on OEP (original entry point) 22 IoCs
Executes dropped EXE 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\b6c1f031abd7bdcd88d4e5726b36aab6878b6ca1076856103e09776ac81035e7.exe"C:\Users\Admin\AppData\Local\Temp\b6c1f031abd7bdcd88d4e5726b36aab6878b6ca1076856103e09776ac81035e7.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:664 -
\??\c:\9btnhh.exec:\9btnhh.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1084 -
\??\c:\pjjvj.exec:\pjjvj.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2204 -
\??\c:\rxlfxxr.exec:\rxlfxxr.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2400 -
\??\c:\tnhhbt.exec:\tnhhbt.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:716 -
\??\c:\jdpjd.exec:\jdpjd.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1612 -
\??\c:\vpvpp.exec:\vpvpp.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3268 -
\??\c:\xxxxlxr.exec:\xxxxlxr.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5008 -
\??\c:\bbhhhb.exec:\bbhhhb.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1120 -
\??\c:\vjjjp.exec:\vjjjp.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1816 -
\??\c:\lfrlflf.exec:\lfrlflf.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1724 -
\??\c:\1hthbt.exec:\1hthbt.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2072 -
\??\c:\dddvv.exec:\dddvv.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:408 -
\??\c:\vdpjp.exec:\vdpjp.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2236 -
\??\c:\1rxrrrr.exec:\1rxrrrr.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2036 -
\??\c:\fxxrrfx.exec:\fxxrrfx.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2156 -
\??\c:\bthhhh.exec:\bthhhh.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4140 -
\??\c:\vjdjj.exec:\vjdjj.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2080 -
\??\c:\lxrrlxl.exec:\lxrrlxl.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2868 -
\??\c:\3bbbtn.exec:\3bbbtn.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1260 -
\??\c:\tnbhnt.exec:\tnbhnt.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3256 -
\??\c:\jdpvj.exec:\jdpvj.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1364 -
\??\c:\3lllfxl.exec:\3lllfxl.exe23⤵
- Executes dropped EXE
PID:2376 -
\??\c:\fxlllll.exec:\fxlllll.exe24⤵
- Executes dropped EXE
PID:4472 -
\??\c:\hhnntt.exec:\hhnntt.exe25⤵
- Executes dropped EXE
PID:2416 -
\??\c:\5dddp.exec:\5dddp.exe26⤵
- Executes dropped EXE
PID:4852 -
\??\c:\pdjdv.exec:\pdjdv.exe27⤵
- Executes dropped EXE
PID:3208 -
\??\c:\rfllffx.exec:\rfllffx.exe28⤵
- Executes dropped EXE
PID:4676 -
\??\c:\hbhhbb.exec:\hbhhbb.exe29⤵
- Executes dropped EXE
PID:2760 -
\??\c:\1vjdj.exec:\1vjdj.exe30⤵
- Executes dropped EXE
PID:3388 -
\??\c:\7pppj.exec:\7pppj.exe31⤵
- Executes dropped EXE
PID:3940 -
\??\c:\lxxxxxx.exec:\lxxxxxx.exe32⤵
- Executes dropped EXE
PID:2284 -
\??\c:\nhnntt.exec:\nhnntt.exe33⤵
- Executes dropped EXE
PID:2468 -
\??\c:\3tbttt.exec:\3tbttt.exe34⤵
- Executes dropped EXE
PID:4116 -
\??\c:\pvjjd.exec:\pvjjd.exe35⤵
- Executes dropped EXE
PID:532 -
\??\c:\jpppd.exec:\jpppd.exe36⤵
- Executes dropped EXE
PID:2392 -
\??\c:\rllfxxx.exec:\rllfxxx.exe37⤵
- Executes dropped EXE
PID:4592 -
\??\c:\xfllllf.exec:\xfllllf.exe38⤵
- Executes dropped EXE
PID:2924 -
\??\c:\hhbttt.exec:\hhbttt.exe39⤵
- Executes dropped EXE
PID:4380 -
\??\c:\vdjdv.exec:\vdjdv.exe40⤵
- Executes dropped EXE
PID:4792 -
\??\c:\jddpd.exec:\jddpd.exe41⤵
- Executes dropped EXE
PID:4788 -
\??\c:\rrlllrx.exec:\rrlllrx.exe42⤵
- Executes dropped EXE
PID:3628 -
\??\c:\lfffffx.exec:\lfffffx.exe43⤵
- Executes dropped EXE
PID:3480 -
\??\c:\nthtbt.exec:\nthtbt.exe44⤵
- Executes dropped EXE
PID:4256 -
\??\c:\pjdvp.exec:\pjdvp.exe45⤵
- Executes dropped EXE
PID:3648 -
\??\c:\pdddv.exec:\pdddv.exe46⤵
- Executes dropped EXE
PID:2524 -
\??\c:\lfflxxr.exec:\lfflxxr.exe47⤵
- Executes dropped EXE
PID:1576 -
\??\c:\nthnnh.exec:\nthnnh.exe48⤵
- Executes dropped EXE
PID:1612 -
\??\c:\tttttb.exec:\tttttb.exe49⤵
- Executes dropped EXE
PID:3876 -
\??\c:\djdvp.exec:\djdvp.exe50⤵
- Executes dropped EXE
PID:400 -
\??\c:\fxrrrxf.exec:\fxrrrxf.exe51⤵
- Executes dropped EXE
PID:1964 -
\??\c:\xfflfff.exec:\xfflfff.exe52⤵
- Executes dropped EXE
PID:1120 -
\??\c:\hbhttt.exec:\hbhttt.exe53⤵
- Executes dropped EXE
PID:2724 -
\??\c:\nbnhtn.exec:\nbnhtn.exe54⤵
- Executes dropped EXE
PID:1792 -
\??\c:\vvjvp.exec:\vvjvp.exe55⤵
- Executes dropped EXE
PID:856 -
\??\c:\pjdvp.exec:\pjdvp.exe56⤵
- Executes dropped EXE
PID:5028 -
\??\c:\5lxrlfx.exec:\5lxrlfx.exe57⤵
- Executes dropped EXE
PID:3636 -
\??\c:\bbtbbn.exec:\bbtbbn.exe58⤵
- Executes dropped EXE
PID:1940 -
\??\c:\btthtn.exec:\btthtn.exe59⤵
- Executes dropped EXE
PID:4528 -
\??\c:\9ntnbh.exec:\9ntnbh.exe60⤵
- Executes dropped EXE
PID:3652 -
\??\c:\jpdjj.exec:\jpdjj.exe61⤵
- Executes dropped EXE
PID:1360 -
\??\c:\fxflxfx.exec:\fxflxfx.exe62⤵
- Executes dropped EXE
PID:2180 -
\??\c:\fflfffr.exec:\fflfffr.exe63⤵
- Executes dropped EXE
PID:4556 -
\??\c:\hhnbbh.exec:\hhnbbh.exe64⤵
- Executes dropped EXE
PID:544 -
\??\c:\dpvvp.exec:\dpvvp.exe65⤵
- Executes dropped EXE
PID:1260 -
\??\c:\jvvdd.exec:\jvvdd.exe66⤵PID:1440
-
\??\c:\flxrxrl.exec:\flxrxrl.exe67⤵PID:4480
-
\??\c:\5lxrflf.exec:\5lxrflf.exe68⤵PID:4608
-
\??\c:\jjvdj.exec:\jjvdj.exe69⤵PID:1560
-
\??\c:\fxxfrxx.exec:\fxxfrxx.exe70⤵PID:2376
-
\??\c:\btnhht.exec:\btnhht.exe71⤵PID:748
-
\??\c:\bttntt.exec:\bttntt.exe72⤵PID:1344
-
\??\c:\vvvvj.exec:\vvvvj.exe73⤵PID:1524
-
\??\c:\jvpdj.exec:\jvpdj.exe74⤵PID:4816
-
\??\c:\5frlxxf.exec:\5frlxxf.exe75⤵PID:4032
-
\??\c:\lfffxfr.exec:\lfffxfr.exe76⤵PID:436
-
\??\c:\bnnttn.exec:\bnnttn.exe77⤵PID:5004
-
\??\c:\nhhhbb.exec:\nhhhbb.exe78⤵PID:2892
-
\??\c:\1jddv.exec:\1jddv.exe79⤵PID:4944
-
\??\c:\jpjdj.exec:\jpjdj.exe80⤵PID:2760
-
\??\c:\lxlfrlx.exec:\lxlfrlx.exe81⤵PID:2992
-
\??\c:\1rrflll.exec:\1rrflll.exe82⤵PID:2740
-
\??\c:\htbhhh.exec:\htbhhh.exe83⤵PID:1828
-
\??\c:\hthhnt.exec:\hthhnt.exe84⤵PID:4832
-
\??\c:\5jjvp.exec:\5jjvp.exe85⤵PID:1252
-
\??\c:\1dppj.exec:\1dppj.exe86⤵PID:624
-
\??\c:\xxxxlll.exec:\xxxxlll.exe87⤵PID:5056
-
\??\c:\bhbtbt.exec:\bhbtbt.exe88⤵PID:4972
-
\??\c:\5nhbbb.exec:\5nhbbb.exe89⤵PID:1248
-
\??\c:\3djjd.exec:\3djjd.exe90⤵PID:2816
-
\??\c:\vvvpp.exec:\vvvpp.exe91⤵PID:1756
-
\??\c:\lxfllll.exec:\lxfllll.exe92⤵PID:1468
-
\??\c:\9fxxrlf.exec:\9fxxrlf.exe93⤵PID:3624
-
\??\c:\hhnbnt.exec:\hhnbnt.exe94⤵PID:4324
-
\??\c:\3jvvj.exec:\3jvvj.exe95⤵PID:3480
-
\??\c:\dppvp.exec:\dppvp.exe96⤵PID:4104
-
\??\c:\xfrlxrl.exec:\xfrlxrl.exe97⤵PID:2920
-
\??\c:\rxfffrl.exec:\rxfffrl.exe98⤵PID:2684
-
\??\c:\tntntn.exec:\tntntn.exe99⤵PID:3268
-
\??\c:\btnhth.exec:\btnhth.exe100⤵PID:1548
-
\??\c:\jvddd.exec:\jvddd.exe101⤵PID:4236
-
\??\c:\pjdpd.exec:\pjdpd.exe102⤵PID:400
-
\??\c:\rrfrllf.exec:\rrfrllf.exe103⤵PID:728
-
\??\c:\rxflrfl.exec:\rxflrfl.exe104⤵PID:2520
-
\??\c:\hhtbbb.exec:\hhtbbb.exe105⤵PID:1724
-
\??\c:\nnhnnt.exec:\nnhnnt.exe106⤵PID:1792
-
\??\c:\pjjjp.exec:\pjjjp.exe107⤵PID:1424
-
\??\c:\xflfrff.exec:\xflfrff.exe108⤵PID:2016
-
\??\c:\xlrxrff.exec:\xlrxrff.exe109⤵PID:4432
-
\??\c:\hbnnhb.exec:\hbnnhb.exe110⤵PID:4136
-
\??\c:\vddvv.exec:\vddvv.exe111⤵PID:4028
-
\??\c:\dddjd.exec:\dddjd.exe112⤵PID:4872
-
\??\c:\1bnbbb.exec:\1bnbbb.exe113⤵PID:4124
-
\??\c:\httnhb.exec:\httnhb.exe114⤵PID:3536
-
\??\c:\dpjjv.exec:\dpjjv.exe115⤵PID:2988
-
\??\c:\ffxrfxf.exec:\ffxrfxf.exe116⤵PID:2040
-
\??\c:\3nhnhn.exec:\3nhnhn.exe117⤵PID:4548
-
\??\c:\dvpdv.exec:\dvpdv.exe118⤵PID:2420
-
\??\c:\5xlfxrl.exec:\5xlfxrl.exe119⤵PID:1512
-
\??\c:\3flffff.exec:\3flffff.exe120⤵PID:4440
-
\??\c:\btnbtn.exec:\btnbtn.exe121⤵PID:2376
-
\??\c:\dvpjp.exec:\dvpjp.exe122⤵PID:5092