Analysis
-
max time kernel
115s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240508-en locale:en-us os:windows10-2004-x64 system -
submitted
06-06-2024 06:27
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
cdc4abe407610ab8d5c1aa44f219293da0b63a4155aceb09c48bce6ec4c55a30.exe
Resource
win7-20231129-en
6 signatures
150 seconds
General
-
Target
cdc4abe407610ab8d5c1aa44f219293da0b63a4155aceb09c48bce6ec4c55a30.exe
-
Size
83KB
-
MD5
f9d9ea898558d780190e26db3713a318
-
SHA1
1e73ce7f7318a5b36243b3f3a7e5e0c1552f9c20
-
SHA256
cdc4abe407610ab8d5c1aa44f219293da0b63a4155aceb09c48bce6ec4c55a30
-
SHA512
0c1219381966ccd0243f19b52d49e734e5cecbb556855c9ea9f543f4b56cd9dca14e4163f1d5ae4f4460220e401ebb1aa256107d49ec0ebad68f6130efd1e6d7
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDInWeNCYGyA2R7JkZPsv7w:ymb3NkkiQ3mdBjFIWeFGyA9Pz
Malware Config
Signatures
-
Detect Blackmoon payload 29 IoCs
Processes:
resource  yara_rule
behavioral2/memory/4200-7-0x0000000000400000-0x0000000000429000-memory.dmp  family_blackmoon
behavioral2/memory/1644-37-0x0000000000400000-0x0000000000429000-memory.dmp  family_blackmoon
behavioral2/memory/1900-51-0x0000000000400000-0x0000000000429000-memory.dmp  family_blackmoon
behavioral2/memory/5028-118-0x0000000000400000-0x0000000000429000-memory.dmp  family_blackmoon
behavioral2/memory/1924-111-0x0000000000400000-0x0000000000429000-memory.dmp  family_blackmoon
behavioral2/memory/2172-105-0x0000000000400000-0x0000000000429000-memory.dmp  family_blackmoon
behavioral2/memory/4920-101-0x0000000000400000-0x0000000000429000-memory.dmp  family_blackmoon
behavioral2/memory/2204-135-0x0000000000400000-0x0000000000429000-memory.dmp  family_blackmoon
behavioral2/memory/3312-93-0x0000000000400000-0x0000000000429000-memory.dmp  family_blackmoon
behavioral2/memory/788-84-0x0000000000400000-0x0000000000429000-memory.dmp  family_blackmoon
behavioral2/memory/3172-76-0x0000000000400000-0x0000000000429000-memory.dmp  family_blackmoon
behavioral2/memory/3172-75-0x0000000000400000-0x0000000000429000-memory.dmp  family_blackmoon
behavioral2/memory/620-69-0x0000000000400000-0x0000000000429000-memory.dmp  family_blackmoon
behavioral2/memory/1736-65-0x0000000000400000-0x0000000000429000-memory.dmp  family_blackmoon
behavioral2/memory/1168-45-0x0000000000400000-0x0000000000429000-memory.dmp  family_blackmoon
behavioral2/memory/2060-31-0x0000000000400000-0x0000000000429000-memory.dmp  family_blackmoon
behavioral2/memory/4828-23-0x0000000000400000-0x0000000000429000-memory.dmp  family_blackmoon
behavioral2/memory/4828-22-0x0000000000400000-0x0000000000429000-memory.dmp  family_blackmoon
behavioral2/memory/1284-19-0x0000000000400000-0x0000000000429000-memory.dmp  family_blackmoon
behavioral2/memory/2348-141-0x0000000000400000-0x0000000000429000-memory.dmp  family_blackmoon
behavioral2/memory/3436-148-0x0000000000400000-0x0000000000429000-memory.dmp  family_blackmoon
behavioral2/memory/2212-153-0x0000000000400000-0x0000000000429000-memory.dmp  family_blackmoon
behavioral2/memory/2728-159-0x0000000000400000-0x0000000000429000-memory.dmp  family_blackmoon
behavioral2/memory/1484-172-0x0000000000400000-0x0000000000429000-memory.dmp  family_blackmoon
behavioral2/memory/2184-177-0x0000000000400000-0x0000000000429000-memory.dmp  family_blackmoon
behavioral2/memory/3340-183-0x0000000000400000-0x0000000000429000-memory.dmp  family_blackmoon
behavioral2/memory/2364-190-0x0000000000400000-0x0000000000429000-memory.dmp  family_blackmoon
behavioral2/memory/4528-201-0x0000000000400000-0x0000000000429000-memory.dmp  family_blackmoon
behavioral2/memory/1064-207-0x0000000000400000-0x0000000000429000-memory.dmp  family_blackmoon
-
UPX dump on OEP (original entry point) 36 IoCs
Processes:
resource  yara_rule
behavioral2/memory/4200-3-0x0000000000400000-0x0000000000429000-memory.dmp  UPX
behavioral2/memory/4200-7-0x0000000000400000-0x0000000000429000-memory.dmp  UPX
behavioral2/memory/1644-37-0x0000000000400000-0x0000000000429000-memory.dmp  UPX
behavioral2/memory/1900-51-0x0000000000400000-0x0000000000429000-memory.dmp  UPX
behavioral2/memory/5028-118-0x0000000000400000-0x0000000000429000-memory.dmp  UPX
behavioral2/memory/1924-111-0x0000000000400000-0x0000000000429000-memory.dmp  UPX
behavioral2/memory/2172-105-0x0000000000400000-0x0000000000429000-memory.dmp  UPX
behavioral2/memory/4920-101-0x0000000000400000-0x0000000000429000-memory.dmp  UPX
behavioral2/memory/2204-135-0x0000000000400000-0x0000000000429000-memory.dmp  UPX
behavioral2/memory/3312-93-0x0000000000400000-0x0000000000429000-memory.dmp  UPX
behavioral2/memory/788-84-0x0000000000400000-0x0000000000429000-memory.dmp  UPX
behavioral2/memory/3172-76-0x0000000000400000-0x0000000000429000-memory.dmp  UPX
behavioral2/memory/3172-75-0x0000000000400000-0x0000000000429000-memory.dmp  UPX
behavioral2/memory/620-69-0x0000000000400000-0x0000000000429000-memory.dmp  UPX
behavioral2/memory/1736-65-0x0000000000400000-0x0000000000429000-memory.dmp  UPX
behavioral2/memory/1736-60-0x0000000000400000-0x0000000000429000-memory.dmp  UPX
behavioral2/memory/1736-59-0x0000000000400000-0x0000000000429000-memory.dmp  UPX
behavioral2/memory/1168-45-0x0000000000400000-0x0000000000429000-memory.dmp  UPX
behavioral2/memory/2060-31-0x0000000000400000-0x0000000000429000-memory.dmp  UPX
behavioral2/memory/4828-23-0x0000000000400000-0x0000000000429000-memory.dmp  UPX
behavioral2/memory/4828-22-0x0000000000400000-0x0000000000429000-memory.dmp  UPX
behavioral2/memory/4828-21-0x0000000000400000-0x0000000000429000-memory.dmp  UPX
behavioral2/memory/1284-19-0x0000000000400000-0x0000000000429000-memory.dmp  UPX
behavioral2/memory/1284-13-0x0000000000400000-0x0000000000429000-memory.dmp  UPX
behavioral2/memory/1284-12-0x0000000000400000-0x0000000000429000-memory.dmp  UPX
behavioral2/memory/1284-11-0x0000000000400000-0x0000000000429000-memory.dmp  UPX
behavioral2/memory/2348-141-0x0000000000400000-0x0000000000429000-memory.dmp  UPX
behavioral2/memory/3436-148-0x0000000000400000-0x0000000000429000-memory.dmp  UPX
behavioral2/memory/2212-153-0x0000000000400000-0x0000000000429000-memory.dmp  UPX
behavioral2/memory/2728-159-0x0000000000400000-0x0000000000429000-memory.dmp  UPX
behavioral2/memory/1484-172-0x0000000000400000-0x0000000000429000-memory.dmp  UPX
behavioral2/memory/2184-177-0x0000000000400000-0x0000000000429000-memory.dmp  UPX
behavioral2/memory/3340-183-0x0000000000400000-0x0000000000429000-memory.dmp  UPX
behavioral2/memory/2364-190-0x0000000000400000-0x0000000000429000-memory.dmp  UPX
behavioral2/memory/4528-201-0x0000000000400000-0x0000000000429000-memory.dmp  UPX
behavioral2/memory/1064-207-0x0000000000400000-0x0000000000429000-memory.dmp  UPX
-
Executes dropped EXE 64 IoCs
Processes:
btnnhb.exe, xrffxfx.exe, rlrlllf.exe, nbtttt.exe, tntttt.exe, dpjdv.exe, vvjjd.exe, fxllflf.exe, rlfxrrl.exe, 5tbtnn.exe, pjddv.exe, pjjdd.exe, xlxrlll.exe, flllflf.exe, bbtnht.exe, btbthh.exe, pppvj.exe, frxrrrf.exe, llfxrxr.exe, tntnnt.exe, dvvvv.exe, lxlfrrr.exe, bntttb.exe, ppjjj.exe, rllfxxr.exe, thtnbn.exe, vjjvp.exe, 5rlxllf.exe, bntnbt.exe, tnnhnh.exe, pjpdd.exe, 9flxlfx.exe, bnhbhh.exe, tthbtn.exe, djjdd.exe, vvpjv.exe, rlfxlrl.exe, httnnn.exe, nbhbnh.exe, djdvj.exe, jjjjv.exe, xllxffr.exe, 3rrxrlf.exe, tnttnh.exe, tbtnbt.exe, dvjpd.exe, lxffxxl.exe, ttnhtn.exe, 9hbnhb.exe, jddvp.exe, rrllfxl.exe, lfxxfff.exe, tthbtn.exe, vvjdv.exe, pvdpd.exe, xlrlxxr.exe, bthbtn.exe, bnbnth.exe, vpppd.exe, vjdvj.exe, lxrlfxr.exe, nttbnn.exe, 9bbthh.exe, pjdjp.exe
pid  process
1284  btnnhb.exe
4828  xrffxfx.exe
2060  rlrlllf.exe
1644  nbtttt.exe
1168  tntttt.exe
1900  dpjdv.exe
1736  vvjjd.exe
620  fxllflf.exe
3172  rlfxrrl.exe
788  5tbtnn.exe
3312  pjddv.exe
4920  pjjdd.exe
2172  xlxrlll.exe
1924  flllflf.exe
5028  bbtnht.exe
3644  btbthh.exe
4464  pppvj.exe
2204  frxrrrf.exe
2348  llfxrxr.exe
3436  tntnnt.exe
2212  dvvvv.exe
2728  lxlfrrr.exe
3632  bntttb.exe
1484  ppjjj.exe
2184  rllfxxr.exe
3340  thtnbn.exe
2364  vjjvp.exe
116  5rlxllf.exe
4528  bntnbt.exe
1064  tnnhnh.exe
3352  pjpdd.exe
1380  9flxlfx.exe
3192  bnhbhh.exe
996  tthbtn.exe
1652  djjdd.exe
2464  vvpjv.exe
4460  rlfxlrl.exe
3852  httnnn.exe
3252  nbhbnh.exe
4480  djdvj.exe
3336  jjjjv.exe
1096  xllxffr.exe
1000  3rrxrlf.exe
3308  tnttnh.exe
1376  tbtnbt.exe
632  dvjpd.exe
2024  lxffxxl.exe
2260  ttnhtn.exe
4136  9hbnhb.exe
5016  jddvp.exe
2084  rrllfxl.exe
1564  lfxxfff.exe
4496  tthbtn.exe
532  vvjdv.exe
4464  pvdpd.exe
4336  xlrlxxr.exe
3568  bthbtn.exe
4824  bnbnth.exe
4160  vpppd.exe
4356  vjdvj.exe
1172  lxrlfxr.exe
1160  nttbnn.exe
5036  9bbthh.exe
4820  pjdjp.exe
-
Processes:
resource  yara_rule
behavioral2/memory/4200-3-0x0000000000400000-0x0000000000429000-memory.dmp  upx
behavioral2/memory/4200-7-0x0000000000400000-0x0000000000429000-memory.dmp  upx
behavioral2/memory/1644-37-0x0000000000400000-0x0000000000429000-memory.dmp  upx
behavioral2/memory/1900-51-0x0000000000400000-0x0000000000429000-memory.dmp  upx
behavioral2/memory/5028-118-0x0000000000400000-0x0000000000429000-memory.dmp  upx
behavioral2/memory/1924-111-0x0000000000400000-0x0000000000429000-memory.dmp  upx
behavioral2/memory/2172-105-0x0000000000400000-0x0000000000429000-memory.dmp  upx
behavioral2/memory/4920-101-0x0000000000400000-0x0000000000429000-memory.dmp  upx
behavioral2/memory/2204-135-0x0000000000400000-0x0000000000429000-memory.dmp  upx
behavioral2/memory/3312-93-0x0000000000400000-0x0000000000429000-memory.dmp  upx
behavioral2/memory/788-84-0x0000000000400000-0x0000000000429000-memory.dmp  upx
behavioral2/memory/3172-76-0x0000000000400000-0x0000000000429000-memory.dmp  upx
behavioral2/memory/3172-75-0x0000000000400000-0x0000000000429000-memory.dmp  upx
behavioral2/memory/620-69-0x0000000000400000-0x0000000000429000-memory.dmp  upx
behavioral2/memory/1736-65-0x0000000000400000-0x0000000000429000-memory.dmp  upx
behavioral2/memory/1736-60-0x0000000000400000-0x0000000000429000-memory.dmp  upx
behavioral2/memory/1736-59-0x0000000000400000-0x0000000000429000-memory.dmp  upx
behavioral2/memory/1168-45-0x0000000000400000-0x0000000000429000-memory.dmp  upx
behavioral2/memory/2060-31-0x0000000000400000-0x0000000000429000-memory.dmp  upx
behavioral2/memory/4828-23-0x0000000000400000-0x0000000000429000-memory.dmp  upx
behavioral2/memory/4828-22-0x0000000000400000-0x0000000000429000-memory.dmp  upx
behavioral2/memory/4828-21-0x0000000000400000-0x0000000000429000-memory.dmp  upx
behavioral2/memory/1284-19-0x0000000000400000-0x0000000000429000-memory.dmp  upx
behavioral2/memory/1284-13-0x0000000000400000-0x0000000000429000-memory.dmp  upx
behavioral2/memory/1284-12-0x0000000000400000-0x0000000000429000-memory.dmp  upx
behavioral2/memory/1284-11-0x0000000000400000-0x0000000000429000-memory.dmp  upx
behavioral2/memory/2348-141-0x0000000000400000-0x0000000000429000-memory.dmp  upx
behavioral2/memory/3436-148-0x0000000000400000-0x0000000000429000-memory.dmp  upx
behavioral2/memory/2212-153-0x0000000000400000-0x0000000000429000-memory.dmp  upx
behavioral2/memory/2728-159-0x0000000000400000-0x0000000000429000-memory.dmp  upx
behavioral2/memory/1484-172-0x0000000000400000-0x0000000000429000-memory.dmp  upx
behavioral2/memory/2184-177-0x0000000000400000-0x0000000000429000-memory.dmp  upx
behavioral2/memory/3340-183-0x0000000000400000-0x0000000000429000-memory.dmp  upx
behavioral2/memory/2364-190-0x0000000000400000-0x0000000000429000-memory.dmp  upx
behavioral2/memory/4528-201-0x0000000000400000-0x0000000000429000-memory.dmp  upx
behavioral2/memory/1064-207-0x0000000000400000-0x0000000000429000-memory.dmp  upx
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
cdc4abe407610ab8d5c1aa44f219293da0b63a4155aceb09c48bce6ec4c55a30.exe, btnnhb.exe, xrffxfx.exe, rlrlllf.exe, nbtttt.exe, tntttt.exe, dpjdv.exe, vvjjd.exe, fxllflf.exe, rlfxrrl.exe, 5tbtnn.exe, pjddv.exe, pjjdd.exe, xlxrlll.exe, flllflf.exe, bbtnht.exe, btbthh.exe, pppvj.exe, frxrrrf.exe, llfxrxr.exe, tntnnt.exe, dvvvv.exe
description  pid  process  target process
PID 4200 wrote to memory of 1284  4200  cdc4abe407610ab8d5c1aa44f219293da0b63a4155aceb09c48bce6ec4c55a30.exe  btnnhb.exe
PID 4200 wrote to memory of 1284  4200  cdc4abe407610ab8d5c1aa44f219293da0b63a4155aceb09c48bce6ec4c55a30.exe  btnnhb.exe
PID 4200 wrote to memory of 1284  4200  cdc4abe407610ab8d5c1aa44f219293da0b63a4155aceb09c48bce6ec4c55a30.exe  btnnhb.exe
PID 1284 wrote to memory of 4828  1284  btnnhb.exe  xrffxfx.exe
PID 1284 wrote to memory of 4828  1284  btnnhb.exe  xrffxfx.exe
PID 1284 wrote to memory of 4828  1284  btnnhb.exe  xrffxfx.exe
PID 4828 wrote to memory of 2060  4828  xrffxfx.exe  rlrlllf.exe
PID 4828 wrote to memory of 2060  4828  xrffxfx.exe  rlrlllf.exe
PID 4828 wrote to memory of 2060  4828  xrffxfx.exe  rlrlllf.exe
PID 2060 wrote to memory of 1644  2060  rlrlllf.exe  nbtttt.exe
PID 2060 wrote to memory of 1644  2060  rlrlllf.exe  nbtttt.exe
PID 2060 wrote to memory of 1644  2060  rlrlllf.exe  nbtttt.exe
PID 1644 wrote to memory of 1168  1644  nbtttt.exe  tntttt.exe
PID 1644 wrote to memory of 1168  1644  nbtttt.exe  tntttt.exe
PID 1644 wrote to memory of 1168  1644  nbtttt.exe  tntttt.exe
PID 1168 wrote to memory of 1900  1168  tntttt.exe  dpjdv.exe
PID 1168 wrote to memory of 1900  1168  tntttt.exe  dpjdv.exe
PID 1168 wrote to memory of 1900  1168  tntttt.exe  dpjdv.exe
PID 1900 wrote to memory of 1736  1900  dpjdv.exe  vvjjd.exe
PID 1900 wrote to memory of 1736  1900  dpjdv.exe  vvjjd.exe
PID 1900 wrote to memory of 1736  1900  dpjdv.exe  vvjjd.exe
PID 1736 wrote to memory of 620  1736  vvjjd.exe  fxllflf.exe
PID 1736 wrote to memory of 620  1736  vvjjd.exe  fxllflf.exe
PID 1736 wrote to memory of 620  1736  vvjjd.exe  fxllflf.exe
PID 620 wrote to memory of 3172  620  fxllflf.exe  rlfxrrl.exe
PID 620 wrote to memory of 3172  620  fxllflf.exe  rlfxrrl.exe
PID 620 wrote to memory of 3172  620  fxllflf.exe  rlfxrrl.exe
PID 3172 wrote to memory of 788  3172  rlfxrrl.exe  5tbtnn.exe
PID 3172 wrote to memory of 788  3172  rlfxrrl.exe  5tbtnn.exe
PID 3172 wrote to memory of 788  3172  rlfxrrl.exe  5tbtnn.exe
PID 788 wrote to memory of 3312  788  5tbtnn.exe  pjddv.exe
PID 788 wrote to memory of 3312  788  5tbtnn.exe  pjddv.exe
PID 788 wrote to memory of 3312  788  5tbtnn.exe  pjddv.exe
PID 3312 wrote to memory of 4920  3312  pjddv.exe  pjjdd.exe
PID 3312 wrote to memory of 4920  3312  pjddv.exe  pjjdd.exe
PID 3312 wrote to memory of 4920  3312  pjddv.exe  pjjdd.exe
PID 4920 wrote to memory of 2172  4920  pjjdd.exe  xlxrlll.exe
PID 4920 wrote to memory of 2172  4920  pjjdd.exe  xlxrlll.exe
PID 4920 wrote to memory of 2172  4920  pjjdd.exe  xlxrlll.exe
PID 2172 wrote to memory of 1924  2172  xlxrlll.exe  flllflf.exe
PID 2172 wrote to memory of 1924  2172  xlxrlll.exe  flllflf.exe
PID 2172 wrote to memory of 1924  2172  xlxrlll.exe  flllflf.exe
PID 1924 wrote to memory of 5028  1924  flllflf.exe  bbtnht.exe
PID 1924 wrote to memory of 5028  1924  flllflf.exe  bbtnht.exe
PID 1924 wrote to memory of 5028  1924  flllflf.exe  bbtnht.exe
PID 5028 wrote to memory of 3644  5028  bbtnht.exe  btbthh.exe
PID 5028 wrote to memory of 3644  5028  bbtnht.exe  btbthh.exe
PID 5028 wrote to memory of 3644  5028  bbtnht.exe  btbthh.exe
PID 3644 wrote to memory of 4464  3644  btbthh.exe  pppvj.exe
PID 3644 wrote to memory of 4464  3644  btbthh.exe  pppvj.exe
PID 3644 wrote to memory of 4464  3644  btbthh.exe  pppvj.exe
PID 4464 wrote to memory of 2204  4464  pppvj.exe  frxrrrf.exe
PID 4464 wrote to memory of 2204  4464  pppvj.exe  frxrrrf.exe
PID 4464 wrote to memory of 2204  4464  pppvj.exe  frxrrrf.exe
PID 2204 wrote to memory of 2348  2204  frxrrrf.exe  llfxrxr.exe
PID 2204 wrote to memory of 2348  2204  frxrrrf.exe  llfxrxr.exe
PID 2204 wrote to memory of 2348  2204  frxrrrf.exe  llfxrxr.exe
PID 2348 wrote to memory of 3436  2348  llfxrxr.exe  tntnnt.exe
PID 2348 wrote to memory of 3436  2348  llfxrxr.exe  tntnnt.exe
PID 2348 wrote to memory of 3436  2348  llfxrxr.exe  tntnnt.exe
PID 3436 wrote to memory of 2212  3436  tntnnt.exe  dvvvv.exe
PID 3436 wrote to memory of 2212  3436  tntnnt.exe  dvvvv.exe
PID 3436 wrote to memory of 2212  3436  tntnnt.exe  dvvvv.exe
PID 2212 wrote to memory of 2728  2212  dvvvv.exe  lxlfrrr.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\cdc4abe407610ab8d5c1aa44f219293da0b63a4155aceb09c48bce6ec4c55a30.exe"C:\Users\Admin\AppData\Local\Temp\cdc4abe407610ab8d5c1aa44f219293da0b63a4155aceb09c48bce6ec4c55a30.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4200 -
\??\c:\btnnhb.exec:\btnnhb.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1284 -
\??\c:\xrffxfx.exec:\xrffxfx.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4828 -
\??\c:\rlrlllf.exec:\rlrlllf.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2060 -
\??\c:\nbtttt.exec:\nbtttt.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1644 -
\??\c:\tntttt.exec:\tntttt.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1168 -
\??\c:\dpjdv.exec:\dpjdv.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1900 -
\??\c:\vvjjd.exec:\vvjjd.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1736 -
\??\c:\fxllflf.exec:\fxllflf.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:620 -
\??\c:\rlfxrrl.exec:\rlfxrrl.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3172 -
\??\c:\5tbtnn.exec:\5tbtnn.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:788 -
\??\c:\pjddv.exec:\pjddv.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3312 -
\??\c:\pjjdd.exec:\pjjdd.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4920 -
\??\c:\xlxrlll.exec:\xlxrlll.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2172 -
\??\c:\flllflf.exec:\flllflf.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1924 -
\??\c:\bbtnht.exec:\bbtnht.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5028 -
\??\c:\btbthh.exec:\btbthh.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3644 -
\??\c:\pppvj.exec:\pppvj.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4464 -
\??\c:\frxrrrf.exec:\frxrrrf.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2204 -
\??\c:\llfxrxr.exec:\llfxrxr.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2348 -
\??\c:\tntnnt.exec:\tntnnt.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3436 -
\??\c:\dvvvv.exec:\dvvvv.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2212 -
\??\c:\lxlfrrr.exec:\lxlfrrr.exe23⤵
- Executes dropped EXE
PID:2728 -
\??\c:\bntttb.exec:\bntttb.exe24⤵
- Executes dropped EXE
PID:3632 -
\??\c:\ppjjj.exec:\ppjjj.exe25⤵
- Executes dropped EXE
PID:1484 -
\??\c:\rllfxxr.exec:\rllfxxr.exe26⤵
- Executes dropped EXE
PID:2184 -
\??\c:\thtnbn.exec:\thtnbn.exe27⤵
- Executes dropped EXE
PID:3340 -
\??\c:\vjjvp.exec:\vjjvp.exe28⤵
- Executes dropped EXE
PID:2364 -
\??\c:\5rlxllf.exec:\5rlxllf.exe29⤵
- Executes dropped EXE
PID:116 -
\??\c:\bntnbt.exec:\bntnbt.exe30⤵
- Executes dropped EXE
PID:4528 -
\??\c:\tnnhnh.exec:\tnnhnh.exe31⤵
- Executes dropped EXE
PID:1064 -
\??\c:\pjpdd.exec:\pjpdd.exe32⤵
- Executes dropped EXE
PID:3352 -
\??\c:\9flxlfx.exec:\9flxlfx.exe33⤵
- Executes dropped EXE
PID:1380 -
\??\c:\bnhbhh.exec:\bnhbhh.exe34⤵
- Executes dropped EXE
PID:3192 -
\??\c:\tthbtn.exec:\tthbtn.exe35⤵
- Executes dropped EXE
PID:996 -
\??\c:\djjdd.exec:\djjdd.exe36⤵
- Executes dropped EXE
PID:1652 -
\??\c:\vvpjv.exec:\vvpjv.exe37⤵
- Executes dropped EXE
PID:2464 -
\??\c:\rlfxlrl.exec:\rlfxlrl.exe38⤵
- Executes dropped EXE
PID:4460 -
\??\c:\httnnn.exec:\httnnn.exe39⤵
- Executes dropped EXE
PID:3852 -
\??\c:\nbhbnh.exec:\nbhbnh.exe40⤵
- Executes dropped EXE
PID:3252 -
\??\c:\djdvj.exec:\djdvj.exe41⤵
- Executes dropped EXE
PID:4480 -
\??\c:\jjjjv.exec:\jjjjv.exe42⤵
- Executes dropped EXE
PID:3336 -
\??\c:\xllxffr.exec:\xllxffr.exe43⤵
- Executes dropped EXE
PID:1096 -
\??\c:\3rrxrlf.exec:\3rrxrlf.exe44⤵
- Executes dropped EXE
PID:1000 -
\??\c:\tnttnh.exec:\tnttnh.exe45⤵
- Executes dropped EXE
PID:3308 -
\??\c:\tbtnbt.exec:\tbtnbt.exe46⤵
- Executes dropped EXE
PID:1376 -
\??\c:\dvjpd.exec:\dvjpd.exe47⤵
- Executes dropped EXE
PID:632 -
\??\c:\lxffxxl.exec:\lxffxxl.exe48⤵
- Executes dropped EXE
PID:2024 -
\??\c:\ttnhtn.exec:\ttnhtn.exe49⤵
- Executes dropped EXE
PID:2260 -
\??\c:\9hbnhb.exec:\9hbnhb.exe50⤵
- Executes dropped EXE
PID:4136 -
\??\c:\jddvp.exec:\jddvp.exe51⤵
- Executes dropped EXE
PID:5016 -
\??\c:\rrllfxl.exec:\rrllfxl.exe52⤵
- Executes dropped EXE
PID:2084 -
\??\c:\lfxxfff.exec:\lfxxfff.exe53⤵
- Executes dropped EXE
PID:1564 -
\??\c:\tthbtn.exec:\tthbtn.exe54⤵
- Executes dropped EXE
PID:4496 -
\??\c:\vvjdv.exec:\vvjdv.exe55⤵
- Executes dropped EXE
PID:532 -
\??\c:\pvdpd.exec:\pvdpd.exe56⤵
- Executes dropped EXE
PID:4464 -
\??\c:\xlrlxxr.exec:\xlrlxxr.exe57⤵
- Executes dropped EXE
PID:4336 -
\??\c:\bthbtn.exec:\bthbtn.exe58⤵
- Executes dropped EXE
PID:3568 -
\??\c:\bnbnth.exec:\bnbnth.exe59⤵
- Executes dropped EXE
PID:4824 -
\??\c:\vpppd.exec:\vpppd.exe60⤵
- Executes dropped EXE
PID:4160 -
\??\c:\vjdvj.exec:\vjdvj.exe61⤵
- Executes dropped EXE
PID:4356 -
\??\c:\lxrlfxr.exec:\lxrlfxr.exe62⤵
- Executes dropped EXE
PID:1172 -
\??\c:\nttbnn.exec:\nttbnn.exe63⤵
- Executes dropped EXE
PID:1160 -
\??\c:\9bbthh.exec:\9bbthh.exe64⤵
- Executes dropped EXE
PID:5036 -
\??\c:\pjdjp.exec:\pjdjp.exe65⤵
- Executes dropped EXE
PID:4820 -
\??\c:\pddjd.exec:\pddjd.exe66⤵PID:2308
-
\??\c:\3xfxlfx.exec:\3xfxlfx.exe67⤵PID:3820
-
\??\c:\llrlrrx.exec:\llrlrrx.exe68⤵PID:4272
-
\??\c:\tbbtnn.exec:\tbbtnn.exe69⤵PID:1484
-
\??\c:\tnhbnn.exec:\tnhbnn.exe70⤵PID:4848
-
\??\c:\dvvpd.exec:\dvvpd.exe71⤵PID:4876
-
\??\c:\rlxlxxx.exec:\rlxlxxx.exe72⤵PID:5112
-
\??\c:\5xfrlrf.exec:\5xfrlrf.exe73⤵PID:4972
-
\??\c:\bththn.exec:\bththn.exe74⤵PID:1248
-
\??\c:\dvvvv.exec:\dvvvv.exe75⤵PID:672
-
\??\c:\3jdvd.exec:\3jdvd.exe76⤵PID:3168
-
\??\c:\7xxxffl.exec:\7xxxffl.exe77⤵PID:4312
-
\??\c:\dpppv.exec:\dpppv.exe78⤵PID:3164
-
\??\c:\jdvpj.exec:\jdvpj.exe79⤵PID:5040
-
\??\c:\3xxrllf.exec:\3xxrllf.exe80⤵PID:908
-
\??\c:\llrlffx.exec:\llrlffx.exe81⤵PID:1632
-
\??\c:\btbtnt.exec:\btbtnt.exe82⤵PID:2536
-
\??\c:\jvppd.exec:\jvppd.exe83⤵PID:1620
-
\??\c:\pjpvj.exec:\pjpvj.exe84⤵PID:312
-
\??\c:\rffrffr.exec:\rffrffr.exe85⤵PID:4068
-
\??\c:\rfrrlff.exec:\rfrrlff.exe86⤵PID:4592
-
\??\c:\bnbhhb.exec:\bnbhhb.exe87⤵PID:1468
-
\??\c:\vjjvj.exec:\vjjvj.exe88⤵PID:2488
-
\??\c:\jvvvv.exec:\jvvvv.exe89⤵PID:2108
-
\??\c:\lffffff.exec:\lffffff.exe90⤵PID:4084
-
\??\c:\xrrllfx.exec:\xrrllfx.exe91⤵PID:5080
-
\??\c:\bbhbtt.exec:\bbhbtt.exe92⤵PID:2172
-
\??\c:\htnhbb.exec:\htnhbb.exe93⤵PID:1164
-
\??\c:\dvpjv.exec:\dvpjv.exe94⤵PID:1924
-
\??\c:\1vdjv.exec:\1vdjv.exe95⤵PID:3764
-
\??\c:\fxlllll.exec:\fxlllll.exe96⤵PID:404
-
\??\c:\xrllfff.exec:\xrllfff.exe97⤵PID:412
-
\??\c:\tttnhh.exec:\tttnhh.exe98⤵PID:2140
-
\??\c:\vjpjd.exec:\vjpjd.exe99⤵PID:1832
-
\??\c:\xlllxxr.exec:\xlllxxr.exe100⤵PID:844
-
\??\c:\rfrfxrx.exec:\rfrfxrx.exe101⤵PID:3940
-
\??\c:\7htnbt.exec:\7htnbt.exe102⤵PID:1544
-
\??\c:\nntnhb.exec:\nntnhb.exe103⤵PID:1476
-
\??\c:\vppjd.exec:\vppjd.exe104⤵PID:2204
-
\??\c:\jdvpj.exec:\jdvpj.exe105⤵PID:3720
-
\??\c:\3rlxxxr.exec:\3rlxxxr.exe106⤵PID:1896
-
\??\c:\rxfrlfr.exec:\rxfrlfr.exe107⤵PID:1552
-
\??\c:\bhhbtt.exec:\bhhbtt.exe108⤵PID:4792
-
\??\c:\tnthtn.exec:\tnthtn.exe109⤵PID:4956
-
\??\c:\jddpd.exec:\jddpd.exe110⤵PID:3060
-
\??\c:\vdjvp.exec:\vdjvp.exe111⤵PID:1616
-
\??\c:\9lxrxlx.exec:\9lxrxlx.exe112⤵PID:4520
-
\??\c:\frlfxxr.exec:\frlfxxr.exe113⤵PID:3984
-
\??\c:\nnhbtt.exec:\nnhbtt.exe114⤵PID:4488
-
\??\c:\1bbtnn.exec:\1bbtnn.exe115⤵PID:1568
-
\??\c:\pjdpd.exec:\pjdpd.exe116⤵PID:3608
-
\??\c:\jvdpj.exec:\jvdpj.exe117⤵PID:4888
-
\??\c:\flrfrll.exec:\flrfrll.exe118⤵PID:3776
-
\??\c:\hbhtnh.exec:\hbhtnh.exe119⤵PID:4788
-
\??\c:\bttnbb.exec:\bttnbb.exe120⤵PID:2388
-
\??\c:\9jvvv.exec:\9jvvv.exe121⤵PID:4196
-
\??\c:\xrxfrxl.exec:\xrxfrxl.exe122⤵PID:3352