Analysis
- max time kernel: 2s
- max time network: 100s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64 arch:x86 image:win10v2004-20240426-en locale:en-us os:windows10-2004-x64 system
- submitted: 06-06-2024 05:36
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
be53e18c89eca3474df0e5fd8ea717d8d630fde3ae86670ab0f2d52b35596def.exe
Resource
win7-20240221-en
6 signatures
150 seconds
General
- Target: be53e18c89eca3474df0e5fd8ea717d8d630fde3ae86670ab0f2d52b35596def.exe
- Size: 395KB
- MD5: 3cbb57d507170111d591c92c325111eb
- SHA1: 0413d780255dec792e276c9c18147dafd20f73ce
- SHA256: be53e18c89eca3474df0e5fd8ea717d8d630fde3ae86670ab0f2d52b35596def
- SHA512: 4899b31afdf33f73fca3da5efc635284fe53ca05a59e0fe776524e9bd13131ca681e1f37930e247869c583f9893562b57714a62a6277ec2c269e3783ede97d23
- SSDEEP: 6144:n3C9BRo7tvnJ9oH0IRgZvjkobjcSbcY+CaQdaFOY4iGFYtRdu/+:n3C9ytvngQjZbz+xt4vFBW
Malware Config
Signatures
-
Detect Blackmoon payload 23 IoCs
-
UPX dump on OEP (original entry point) 29 IoCs
-
Executes dropped EXE 61 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\be53e18c89eca3474df0e5fd8ea717d8d630fde3ae86670ab0f2d52b35596def.exe"C:\Users\Admin\AppData\Local\Temp\be53e18c89eca3474df0e5fd8ea717d8d630fde3ae86670ab0f2d52b35596def.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:804 -
\??\c:\rrrlxfx.exec:\rrrlxfx.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4560 -
\??\c:\hbttbt.exec:\hbttbt.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1540 -
\??\c:\vdddp.exec:\vdddp.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4892 -
\??\c:\lxlflll.exec:\lxlflll.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4064 -
\??\c:\hthhhh.exec:\hthhhh.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4204 -
\??\c:\1ntntt.exec:\1ntntt.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2528 -
\??\c:\vpppd.exec:\vpppd.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3412 -
\??\c:\llrrlrx.exec:\llrrlrx.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3248 -
\??\c:\nhbnbh.exec:\nhbnbh.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3528 -
\??\c:\vdjvj.exec:\vdjvj.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:856 -
\??\c:\bhnhnb.exec:\bhnhnb.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3720 -
\??\c:\vvvpd.exec:\vvvpd.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4552 -
\??\c:\frlfffx.exec:\frlfffx.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2124 -
\??\c:\tbhhtt.exec:\tbhhtt.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1700 -
\??\c:\dvddj.exec:\dvddj.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1064 -
\??\c:\hntbhn.exec:\hntbhn.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4356 -
\??\c:\djpjd.exec:\djpjd.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1848 -
\??\c:\pdjpp.exec:\pdjpp.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:872 -
\??\c:\lxxrllf.exec:\lxxrllf.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1888 -
\??\c:\7nbthh.exec:\7nbthh.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:448 -
\??\c:\djvvd.exec:\djvvd.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2008 -
\??\c:\1rxxxff.exec:\1rxxxff.exe23⤵
- Executes dropped EXE
PID:2036 -
\??\c:\hnhhhn.exec:\hnhhhn.exe24⤵
- Executes dropped EXE
PID:884 -
\??\c:\pvvpp.exec:\pvvpp.exe25⤵
- Executes dropped EXE
PID:3476 -
\??\c:\fxllllr.exec:\fxllllr.exe26⤵
- Executes dropped EXE
PID:960 -
\??\c:\hnhhbb.exec:\hnhhbb.exe27⤵
- Executes dropped EXE
PID:4748 -
\??\c:\9jpdv.exec:\9jpdv.exe28⤵
- Executes dropped EXE
PID:3680 -
\??\c:\rfxxrff.exec:\rfxxrff.exe29⤵
- Executes dropped EXE
PID:3924 -
\??\c:\llxrxfl.exec:\llxrxfl.exe30⤵
- Executes dropped EXE
PID:2856 -
\??\c:\ttnntb.exec:\ttnntb.exe31⤵
- Executes dropped EXE
PID:4876 -
\??\c:\jvpvv.exec:\jvpvv.exe32⤵
- Executes dropped EXE
PID:2620 -
\??\c:\rxrffxf.exec:\rxrffxf.exe33⤵
- Executes dropped EXE
PID:1516 -
\??\c:\thttbb.exec:\thttbb.exe34⤵
- Executes dropped EXE
PID:3384 -
\??\c:\pjjpp.exec:\pjjpp.exe35⤵
- Executes dropped EXE
PID:4772 -
\??\c:\rlxxxxx.exec:\rlxxxxx.exe36⤵
- Executes dropped EXE
PID:4712 -
\??\c:\rlxxffl.exec:\rlxxffl.exe37⤵
- Executes dropped EXE
PID:4380 -
\??\c:\nhbhth.exec:\nhbhth.exe38⤵
- Executes dropped EXE
PID:772 -
\??\c:\vjdvd.exec:\vjdvd.exe39⤵
- Executes dropped EXE
PID:4340 -
\??\c:\xxlfflr.exec:\xxlfflr.exe40⤵
- Executes dropped EXE
PID:1704 -
\??\c:\bnnnhh.exec:\bnnnhh.exe41⤵
- Executes dropped EXE
PID:4752 -
\??\c:\vddjj.exec:\vddjj.exe42⤵
- Executes dropped EXE
PID:4892 -
\??\c:\fxlfxrl.exec:\fxlfxrl.exe43⤵
- Executes dropped EXE
PID:4016 -
\??\c:\nhhtbb.exec:\nhhtbb.exe44⤵
- Executes dropped EXE
PID:4952 -
\??\c:\jpvvv.exec:\jpvvv.exe45⤵
- Executes dropped EXE
PID:432 -
\??\c:\ppvvj.exec:\ppvvj.exe46⤵
- Executes dropped EXE
PID:2448 -
\??\c:\llfrfxr.exec:\llfrfxr.exe47⤵
- Executes dropped EXE
PID:3844 -
\??\c:\bnttnn.exec:\bnttnn.exe48⤵
- Executes dropped EXE
PID:4624 -
\??\c:\3pdvp.exec:\3pdvp.exe49⤵
- Executes dropped EXE
PID:4856 -
\??\c:\9fllfff.exec:\9fllfff.exe50⤵
- Executes dropped EXE
PID:3528 -
\??\c:\llxrffx.exec:\llxrffx.exe51⤵
- Executes dropped EXE
PID:4740 -
\??\c:\nbbthh.exec:\nbbthh.exe52⤵
- Executes dropped EXE
PID:2752 -
\??\c:\ppvpp.exec:\ppvpp.exe53⤵
- Executes dropped EXE
PID:4496 -
\??\c:\jvvvv.exec:\jvvvv.exe54⤵
- Executes dropped EXE
PID:2136 -
\??\c:\nbthnt.exec:\nbthnt.exe55⤵
- Executes dropped EXE
PID:3460 -
\??\c:\jdppj.exec:\jdppj.exe56⤵
- Executes dropped EXE
PID:1344 -
\??\c:\pdddp.exec:\pdddp.exe57⤵
- Executes dropped EXE
PID:4464 -
\??\c:\lrxffrr.exec:\lrxffrr.exe58⤵
- Executes dropped EXE
PID:3360 -
\??\c:\btnhnn.exec:\btnhnn.exe59⤵
- Executes dropped EXE
PID:4208 -
\??\c:\vdjdv.exec:\vdjdv.exe60⤵
- Executes dropped EXE
PID:1848 -
\??\c:\3fxrlfr.exec:\3fxrlfr.exe61⤵
- Executes dropped EXE
PID:5024 -
\??\c:\frxlrxf.exec:\frxlrxf.exe62⤵
- Executes dropped EXE
PID:344 -
\??\c:\tnbhtt.exec:\tnbhtt.exe63⤵PID:5040
-
\??\c:\jjvpj.exec:\jjvpj.exe64⤵PID:3120
-
\??\c:\ddjdp.exec:\ddjdp.exe65⤵PID:4332
-
\??\c:\llxlfxr.exec:\llxlfxr.exe66⤵PID:5088
-
\??\c:\nbtbhb.exec:\nbtbhb.exe67⤵PID:3892
-
\??\c:\pvpdv.exec:\pvpdv.exe68⤵PID:2336
-
\??\c:\djjvj.exec:\djjvj.exe69⤵PID:4708
-
\??\c:\xffxrfx.exec:\xffxrfx.exe70⤵PID:4992
-
\??\c:\bthhhb.exec:\bthhhb.exe71⤵PID:1604
-
\??\c:\vpjdv.exec:\vpjdv.exe72⤵PID:1092
-
\??\c:\dpjvp.exec:\dpjvp.exe73⤵PID:2560
-
\??\c:\lxxxrfr.exec:\lxxxrfr.exe74⤵PID:4596
-
\??\c:\nnbbbb.exec:\nnbbbb.exe75⤵PID:3196
-
\??\c:\vpjdj.exec:\vpjdj.exe76⤵PID:3796
-
\??\c:\rllxrfl.exec:\rllxrfl.exe77⤵PID:4460
-
\??\c:\fffxflr.exec:\fffxflr.exe78⤵PID:4568
-
\??\c:\btbtbt.exec:\btbtbt.exe79⤵PID:1764
-
\??\c:\bnttnb.exec:\bnttnb.exe80⤵PID:4744
-
\??\c:\ppvvd.exec:\ppvvd.exe81⤵PID:1352
-
\??\c:\nnbbnn.exec:\nnbbnn.exe82⤵PID:4340
-
\??\c:\tnbbnn.exec:\tnbbnn.exe83⤵PID:1692
-
\??\c:\djppv.exec:\djppv.exe84⤵PID:1540
-
\??\c:\9dvdv.exec:\9dvdv.exe85⤵PID:4232
-
\??\c:\5lxffll.exec:\5lxffll.exe86⤵PID:4292
-
\??\c:\rlxxxxr.exec:\rlxxxxr.exe87⤵PID:1748
-
\??\c:\tbbbtb.exec:\tbbbtb.exe88⤵PID:2688
-
\??\c:\3ppjj.exec:\3ppjj.exe89⤵PID:4188
-
\??\c:\vjjvp.exec:\vjjvp.exe90⤵PID:3140
-
\??\c:\rxlxrrf.exec:\rxlxrrf.exe91⤵PID:2448
-
\??\c:\tbhbtn.exec:\tbhbtn.exe92⤵PID:4956
-
\??\c:\bhnhtt.exec:\bhnhtt.exe93⤵PID:2904
-
\??\c:\dpvvv.exec:\dpvvv.exe94⤵PID:3640
-
\??\c:\pjpjj.exec:\pjpjj.exe95⤵PID:1632
-
\??\c:\xxffrrf.exec:\xxffrrf.exe96⤵PID:1868
-
\??\c:\5hnhnb.exec:\5hnhnb.exe97⤵PID:3524
-
\??\c:\hthntt.exec:\hthntt.exe98⤵PID:2704
-
\??\c:\3pppj.exec:\3pppj.exe99⤵PID:4496
-
\??\c:\9fffrlx.exec:\9fffrlx.exe100⤵PID:1700
-
\??\c:\rrfrlff.exec:\rrfrlff.exe101⤵PID:3088
-
\??\c:\tbhbbb.exec:\tbhbbb.exe102⤵PID:2868
-
\??\c:\jppvv.exec:\jppvv.exe103⤵PID:2852
-
\??\c:\lrrlrff.exec:\lrrlrff.exe104⤵PID:1848
-
\??\c:\xlrrrrl.exec:\xlrrrrl.exe105⤵PID:2976
-
\??\c:\7nntbn.exec:\7nntbn.exe106⤵PID:1956
-
\??\c:\djdjj.exec:\djdjj.exe107⤵PID:884
-
\??\c:\fxfxrfx.exec:\fxfxrfx.exe108⤵PID:5088
-
\??\c:\thtntt.exec:\thtntt.exe109⤵PID:3892
-
\??\c:\nnhbnn.exec:\nnhbnn.exe110⤵PID:1256
-
\??\c:\vvvpj.exec:\vvvpj.exe111⤵PID:4708
-
\??\c:\llxlrff.exec:\llxlrff.exe112⤵PID:4472
-
\??\c:\xffrfrx.exec:\xffrfrx.exe113⤵PID:1604
-
\??\c:\1nbtnn.exec:\1nbtnn.exe114⤵PID:4068
-
\??\c:\5ppjd.exec:\5ppjd.exe115⤵PID:2560
-
\??\c:\9ddjj.exec:\9ddjj.exe116⤵PID:3480
-
\??\c:\9xrlfff.exec:\9xrlfff.exe117⤵PID:3384
-
\??\c:\1ttnnt.exec:\1ttnnt.exe118⤵PID:4772
-
\??\c:\hthbtt.exec:\hthbtt.exe119⤵PID:3084
-
\??\c:\ddvdd.exec:\ddvdd.exe120⤵PID:1668
-
\??\c:\jpvvp.exec:\jpvvp.exe121⤵PID:3012
-
\??\c:\5xfxxrx.exec:\5xfxxrx.exe122⤵PID:1736