Analysis
-
max time kernel
150s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240426-en locale:en-us os:windows10-2004-x64 system -
submitted
06-06-2024 06:40
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
d2f883101f8e62057aff4b032d6e965cf4df6b4f7f8ab38000443047d5d413fe.exe
Resource
win7-20240220-en
6 signatures
150 seconds
General
-
Target
d2f883101f8e62057aff4b032d6e965cf4df6b4f7f8ab38000443047d5d413fe.exe
-
Size
62KB
-
MD5
c526a4f3dba001fba89f9ec270b8afcf
-
SHA1
5b2bd5b30c40e270ab677ed378786acbecdc6fc5
-
SHA256
d2f883101f8e62057aff4b032d6e965cf4df6b4f7f8ab38000443047d5d413fe
-
SHA512
d8e3561826fcaed4147c8c4343ebe3b0f3fce46fcb860b4f186e5ae908ad805efb1513c8af9532ff632dc93adef2e46b898daca8e2b77303d0efd887fa5ee9c3
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDIFdJULh1214ai:ymb3NkkiQ3mdBjFIFdJmdai
Malware Config
Signatures
-
Detect Blackmoon payload 28 IoCs
Processes:
resource yara_rule behavioral2/memory/4136-4-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4136-8-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3332-12-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/828-19-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4504-34-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4000-38-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3344-51-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3100-48-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1900-65-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2668-101-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3684-131-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/952-210-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4364-192-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1560-185-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1516-179-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1592-173-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4608-167-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/712-155-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/5032-149-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4972-143-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4388-137-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon 
behavioral2/memory/464-125-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2908-113-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4744-90-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1512-80-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4284-61-0x0000000000401000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4284-59-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3100-47-0x0000000000401000-0x0000000000427000-memory.dmp family_blackmoon -
UPX dump on OEP (original entry point) 31 IoCs
Processes:
resource yara_rule behavioral2/memory/4136-4-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/4136-8-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/3332-12-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/828-19-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/4504-26-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/4504-27-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/4504-25-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/4504-34-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/4000-38-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/3344-51-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/3100-48-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/1900-65-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/2668-101-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/3684-131-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/952-210-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/4364-192-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/1560-185-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/1516-179-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/1592-173-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/4608-167-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/712-155-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/5032-149-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/4972-143-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/4388-137-0x0000000000400000-0x0000000000429000-memory.dmp UPX 
behavioral2/memory/464-125-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/2908-113-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/4744-90-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/1512-80-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/2248-72-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/2248-71-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/4284-59-0x0000000000400000-0x0000000000429000-memory.dmp UPX -
Executes dropped EXE 64 IoCs
Processes:
tnbbtn.exe dvpjv.exe pdjdp.exe rlfxxxr.exe tnnbtb.exe thnnhn.exe dvpjd.exe pdpjj.exe xrllxlf.exe xrffflx.exe hhhnnt.exe httnnn.exe ddpdv.exe fffffll.exe flrxrrr.exe bbbtbb.exe nhhbbb.exe 9jvvd.exe jpvdv.exe ppvpp.exe fxffrxx.exe lxxxlll.exe ttttbn.exe 9httbh.exe jdjjv.exe pdvdp.exe xrfffff.exe ffllffr.exe xlrrlll.exe bhhbbt.exe jdjpp.exe jjjdv.exe pjvvv.exe 5xflllx.exe 1lrrlll.exe nnnhhn.exe nhhbtt.exe ddvpp.exe jjvpj.exe ddvdp.exe xxxxrxx.exe rrfxrff.exe rflllll.exe tnttbh.exe btbbbt.exe jdpvp.exe lfrxxfl.exe 3lxxffl.exe hbnnnt.exe ddjjd.exe jddvp.exe 1xrlxxx.exe rlrrrrl.exe 3nhhhh.exe 5djjd.exe pdvpd.exe lfrlfrl.exe rlllllx.exe bthnnt.exe jddpj.exe 3vdpd.exe xrlxfff.exe ffllflr.exe htnttt.exe
pid process 3332 tnbbtn.exe 828 dvpjv.exe 4504 pdjdp.exe 4000 rlfxxxr.exe 3100 tnnbtb.exe 3344 thnnhn.exe 4284 dvpjd.exe 1900 pdpjj.exe 2248 xrllxlf.exe 1512 xrffflx.exe 4744 hhhnnt.exe 4944 httnnn.exe 2668 ddpdv.exe 2992 fffffll.exe 2908 flrxrrr.exe 4428 bbbtbb.exe 464 nhhbbb.exe 3684 9jvvd.exe 4388 jpvdv.exe 4972 ppvpp.exe 5032 fxffrxx.exe 712 lxxxlll.exe 4120 ttttbn.exe 4608 9httbh.exe 1592 jdjjv.exe 1516 pdvdp.exe 1560 xrfffff.exe 4364 ffllffr.exe 800 xlrrlll.exe 2052 bhhbbt.exe 952 jdjpp.exe 1696 jjjdv.exe 3348 pjvvv.exe 1884 5xflllx.exe 4760 1lrrlll.exe 4496 nnnhhn.exe 4464 nhhbtt.exe 2348 ddvpp.exe 3884 jjvpj.exe 3960 ddvdp.exe 2292 xxxxrxx.exe 1356 rrfxrff.exe 1212 rflllll.exe 4004 tnttbh.exe 4352 btbbbt.exe 4948 jdpvp.exe 3332 lfrxxfl.exe 4680 3lxxffl.exe 3520 hbnnnt.exe 3936 ddjjd.exe 4524 jddvp.exe 2440 1xrlxxx.exe 3600 rlrrrrl.exe 4272 3nhhhh.exe 3064 5djjd.exe 3760 pdvpd.exe 3084 lfrlfrl.exe 4252 rlllllx.exe 708 bthnnt.exe 1796 jddpj.exe 1132 3vdpd.exe 2620 xrlxfff.exe 5016 ffllflr.exe 1976 htnttt.exe -
Processes:
resource yara_rule behavioral2/memory/4136-4-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4136-8-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3332-12-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/828-19-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4504-26-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4504-27-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4504-25-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4504-34-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4000-38-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3344-51-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3100-48-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1900-65-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2668-101-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3684-131-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/952-210-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4364-192-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1560-185-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1516-179-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1592-173-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4608-167-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/712-155-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/5032-149-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4972-143-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4388-137-0x0000000000400000-0x0000000000429000-memory.dmp upx 
behavioral2/memory/464-125-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2908-113-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4744-90-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1512-80-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2248-72-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2248-71-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4284-59-0x0000000000400000-0x0000000000429000-memory.dmp upx -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
d2f883101f8e62057aff4b032d6e965cf4df6b4f7f8ab38000443047d5d413fe.exetnbbtn.exedvpjv.exepdjdp.exerlfxxxr.exetnnbtb.exethnnhn.exedvpjd.exepdpjj.exexrllxlf.exexrffflx.exehhhnnt.exehttnnn.exeddpdv.exefffffll.exeflrxrrr.exebbbtbb.exenhhbbb.exe9jvvd.exejpvdv.exeppvpp.exefxffrxx.exedescription pid process target process PID 4136 wrote to memory of 3332 4136 d2f883101f8e62057aff4b032d6e965cf4df6b4f7f8ab38000443047d5d413fe.exe tnbbtn.exe PID 4136 wrote to memory of 3332 4136 d2f883101f8e62057aff4b032d6e965cf4df6b4f7f8ab38000443047d5d413fe.exe tnbbtn.exe PID 4136 wrote to memory of 3332 4136 d2f883101f8e62057aff4b032d6e965cf4df6b4f7f8ab38000443047d5d413fe.exe tnbbtn.exe PID 3332 wrote to memory of 828 3332 tnbbtn.exe dvpjv.exe PID 3332 wrote to memory of 828 3332 tnbbtn.exe dvpjv.exe PID 3332 wrote to memory of 828 3332 tnbbtn.exe dvpjv.exe PID 828 wrote to memory of 4504 828 dvpjv.exe pdjdp.exe PID 828 wrote to memory of 4504 828 dvpjv.exe pdjdp.exe PID 828 wrote to memory of 4504 828 dvpjv.exe pdjdp.exe PID 4504 wrote to memory of 4000 4504 pdjdp.exe rlfxxxr.exe PID 4504 wrote to memory of 4000 4504 pdjdp.exe rlfxxxr.exe PID 4504 wrote to memory of 4000 4504 pdjdp.exe rlfxxxr.exe PID 4000 wrote to memory of 3100 4000 rlfxxxr.exe tnnbtb.exe PID 4000 wrote to memory of 3100 4000 rlfxxxr.exe tnnbtb.exe PID 4000 wrote to memory of 3100 4000 rlfxxxr.exe tnnbtb.exe PID 3100 wrote to memory of 3344 3100 tnnbtb.exe thnnhn.exe PID 3100 wrote to memory of 3344 3100 tnnbtb.exe thnnhn.exe PID 3100 wrote to memory of 3344 3100 tnnbtb.exe thnnhn.exe PID 3344 wrote to memory of 4284 3344 thnnhn.exe dvpjd.exe PID 3344 wrote to memory of 4284 3344 thnnhn.exe dvpjd.exe PID 3344 wrote to memory of 4284 3344 thnnhn.exe dvpjd.exe PID 4284 wrote to memory of 1900 4284 dvpjd.exe pdpjj.exe PID 4284 wrote to memory of 1900 4284 dvpjd.exe pdpjj.exe PID 4284 wrote to memory of 1900 4284 dvpjd.exe pdpjj.exe PID 1900 wrote to memory of 2248 1900 pdpjj.exe xrllxlf.exe PID 1900 wrote to memory of 2248 
1900 pdpjj.exe xrllxlf.exe PID 1900 wrote to memory of 2248 1900 pdpjj.exe xrllxlf.exe PID 2248 wrote to memory of 1512 2248 xrllxlf.exe xrffflx.exe PID 2248 wrote to memory of 1512 2248 xrllxlf.exe xrffflx.exe PID 2248 wrote to memory of 1512 2248 xrllxlf.exe xrffflx.exe PID 1512 wrote to memory of 4744 1512 xrffflx.exe hhhnnt.exe PID 1512 wrote to memory of 4744 1512 xrffflx.exe hhhnnt.exe PID 1512 wrote to memory of 4744 1512 xrffflx.exe hhhnnt.exe PID 4744 wrote to memory of 4944 4744 hhhnnt.exe httnnn.exe PID 4744 wrote to memory of 4944 4744 hhhnnt.exe httnnn.exe PID 4744 wrote to memory of 4944 4744 hhhnnt.exe httnnn.exe PID 4944 wrote to memory of 2668 4944 httnnn.exe ddpdv.exe PID 4944 wrote to memory of 2668 4944 httnnn.exe ddpdv.exe PID 4944 wrote to memory of 2668 4944 httnnn.exe ddpdv.exe PID 2668 wrote to memory of 2992 2668 ddpdv.exe fffffll.exe PID 2668 wrote to memory of 2992 2668 ddpdv.exe fffffll.exe PID 2668 wrote to memory of 2992 2668 ddpdv.exe fffffll.exe PID 2992 wrote to memory of 2908 2992 fffffll.exe flrxrrr.exe PID 2992 wrote to memory of 2908 2992 fffffll.exe flrxrrr.exe PID 2992 wrote to memory of 2908 2992 fffffll.exe flrxrrr.exe PID 2908 wrote to memory of 4428 2908 flrxrrr.exe bbbtbb.exe PID 2908 wrote to memory of 4428 2908 flrxrrr.exe bbbtbb.exe PID 2908 wrote to memory of 4428 2908 flrxrrr.exe bbbtbb.exe PID 4428 wrote to memory of 464 4428 bbbtbb.exe nhhbbb.exe PID 4428 wrote to memory of 464 4428 bbbtbb.exe nhhbbb.exe PID 4428 wrote to memory of 464 4428 bbbtbb.exe nhhbbb.exe PID 464 wrote to memory of 3684 464 nhhbbb.exe 9jvvd.exe PID 464 wrote to memory of 3684 464 nhhbbb.exe 9jvvd.exe PID 464 wrote to memory of 3684 464 nhhbbb.exe 9jvvd.exe PID 3684 wrote to memory of 4388 3684 9jvvd.exe jpvdv.exe PID 3684 wrote to memory of 4388 3684 9jvvd.exe jpvdv.exe PID 3684 wrote to memory of 4388 3684 9jvvd.exe jpvdv.exe PID 4388 wrote to memory of 4972 4388 jpvdv.exe ppvpp.exe PID 4388 wrote to memory of 4972 4388 jpvdv.exe ppvpp.exe 
PID 4388 wrote to memory of 4972 4388 jpvdv.exe ppvpp.exe PID 4972 wrote to memory of 5032 4972 ppvpp.exe fxffrxx.exe PID 4972 wrote to memory of 5032 4972 ppvpp.exe fxffrxx.exe PID 4972 wrote to memory of 5032 4972 ppvpp.exe fxffrxx.exe PID 5032 wrote to memory of 712 5032 fxffrxx.exe lxxxlll.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\d2f883101f8e62057aff4b032d6e965cf4df6b4f7f8ab38000443047d5d413fe.exe"C:\Users\Admin\AppData\Local\Temp\d2f883101f8e62057aff4b032d6e965cf4df6b4f7f8ab38000443047d5d413fe.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4136 -
\??\c:\tnbbtn.exec:\tnbbtn.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3332 -
\??\c:\dvpjv.exec:\dvpjv.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:828 -
\??\c:\pdjdp.exec:\pdjdp.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4504 -
\??\c:\rlfxxxr.exec:\rlfxxxr.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4000 -
\??\c:\tnnbtb.exec:\tnnbtb.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3100 -
\??\c:\thnnhn.exec:\thnnhn.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3344 -
\??\c:\dvpjd.exec:\dvpjd.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4284 -
\??\c:\pdpjj.exec:\pdpjj.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1900 -
\??\c:\xrllxlf.exec:\xrllxlf.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2248 -
\??\c:\xrffflx.exec:\xrffflx.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1512 -
\??\c:\hhhnnt.exec:\hhhnnt.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4744 -
\??\c:\httnnn.exec:\httnnn.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4944 -
\??\c:\ddpdv.exec:\ddpdv.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2668 -
\??\c:\fffffll.exec:\fffffll.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2992 -
\??\c:\flrxrrr.exec:\flrxrrr.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2908 -
\??\c:\bbbtbb.exec:\bbbtbb.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4428 -
\??\c:\nhhbbb.exec:\nhhbbb.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:464 -
\??\c:\9jvvd.exec:\9jvvd.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3684 -
\??\c:\jpvdv.exec:\jpvdv.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4388 -
\??\c:\ppvpp.exec:\ppvpp.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4972 -
\??\c:\fxffrxx.exec:\fxffrxx.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5032 -
\??\c:\lxxxlll.exec:\lxxxlll.exe23⤵
- Executes dropped EXE
PID:712 -
\??\c:\ttttbn.exec:\ttttbn.exe24⤵
- Executes dropped EXE
PID:4120 -
\??\c:\9httbh.exec:\9httbh.exe25⤵
- Executes dropped EXE
PID:4608 -
\??\c:\jdjjv.exec:\jdjjv.exe26⤵
- Executes dropped EXE
PID:1592 -
\??\c:\pdvdp.exec:\pdvdp.exe27⤵
- Executes dropped EXE
PID:1516 -
\??\c:\xrfffff.exec:\xrfffff.exe28⤵
- Executes dropped EXE
PID:1560 -
\??\c:\ffllffr.exec:\ffllffr.exe29⤵
- Executes dropped EXE
PID:4364 -
\??\c:\xlrrlll.exec:\xlrrlll.exe30⤵
- Executes dropped EXE
PID:800 -
\??\c:\bhhbbt.exec:\bhhbbt.exe31⤵
- Executes dropped EXE
PID:2052 -
\??\c:\jdjpp.exec:\jdjpp.exe32⤵
- Executes dropped EXE
PID:952 -
\??\c:\jjjdv.exec:\jjjdv.exe33⤵
- Executes dropped EXE
PID:1696 -
\??\c:\pjvvv.exec:\pjvvv.exe34⤵
- Executes dropped EXE
PID:3348 -
\??\c:\5xflllx.exec:\5xflllx.exe35⤵
- Executes dropped EXE
PID:1884 -
\??\c:\1lrrlll.exec:\1lrrlll.exe36⤵
- Executes dropped EXE
PID:4760 -
\??\c:\nnnhhn.exec:\nnnhhn.exe37⤵
- Executes dropped EXE
PID:4496 -
\??\c:\nhhbtt.exec:\nhhbtt.exe38⤵
- Executes dropped EXE
PID:4464 -
\??\c:\ddvpp.exec:\ddvpp.exe39⤵
- Executes dropped EXE
PID:2348 -
\??\c:\jjvpj.exec:\jjvpj.exe40⤵
- Executes dropped EXE
PID:3884 -
\??\c:\ddvdp.exec:\ddvdp.exe41⤵
- Executes dropped EXE
PID:3960 -
\??\c:\xxxxrxx.exec:\xxxxrxx.exe42⤵
- Executes dropped EXE
PID:2292 -
\??\c:\rrfxrff.exec:\rrfxrff.exe43⤵
- Executes dropped EXE
PID:1356 -
\??\c:\rflllll.exec:\rflllll.exe44⤵
- Executes dropped EXE
PID:1212 -
\??\c:\tnttbh.exec:\tnttbh.exe45⤵
- Executes dropped EXE
PID:4004 -
\??\c:\btbbbt.exec:\btbbbt.exe46⤵
- Executes dropped EXE
PID:4352 -
\??\c:\jdpvp.exec:\jdpvp.exe47⤵
- Executes dropped EXE
PID:4948 -
\??\c:\lfrxxfl.exec:\lfrxxfl.exe48⤵
- Executes dropped EXE
PID:3332 -
\??\c:\3lxxffl.exec:\3lxxffl.exe49⤵
- Executes dropped EXE
PID:4680 -
\??\c:\hbnnnt.exec:\hbnnnt.exe50⤵
- Executes dropped EXE
PID:3520 -
\??\c:\ddjjd.exec:\ddjjd.exe51⤵
- Executes dropped EXE
PID:3936 -
\??\c:\jddvp.exec:\jddvp.exe52⤵
- Executes dropped EXE
PID:4524 -
\??\c:\1xrlxxx.exec:\1xrlxxx.exe53⤵
- Executes dropped EXE
PID:2440 -
\??\c:\rlrrrrl.exec:\rlrrrrl.exe54⤵
- Executes dropped EXE
PID:3600 -
\??\c:\3nhhhh.exec:\3nhhhh.exe55⤵
- Executes dropped EXE
PID:4272 -
\??\c:\5djjd.exec:\5djjd.exe56⤵
- Executes dropped EXE
PID:3064 -
\??\c:\pdvpd.exec:\pdvpd.exe57⤵
- Executes dropped EXE
PID:3760 -
\??\c:\lfrlfrl.exec:\lfrlfrl.exe58⤵
- Executes dropped EXE
PID:3084 -
\??\c:\rlllllx.exec:\rlllllx.exe59⤵
- Executes dropped EXE
PID:4252 -
\??\c:\bthnnt.exec:\bthnnt.exe60⤵
- Executes dropped EXE
PID:708 -
\??\c:\jddpj.exec:\jddpj.exe61⤵
- Executes dropped EXE
PID:1796 -
\??\c:\3vdpd.exec:\3vdpd.exe62⤵
- Executes dropped EXE
PID:1132 -
\??\c:\xrlxfff.exec:\xrlxfff.exe63⤵
- Executes dropped EXE
PID:2620 -
\??\c:\ffllflr.exec:\ffllflr.exe64⤵
- Executes dropped EXE
PID:5016 -
\??\c:\htnttt.exec:\htnttt.exe65⤵
- Executes dropped EXE
PID:1976 -
\??\c:\httthh.exec:\httthh.exe66⤵PID:3560
-
\??\c:\jpjdp.exec:\jpjdp.exe67⤵PID:2604
-
\??\c:\dvpjd.exec:\dvpjd.exe68⤵PID:1636
-
\??\c:\7lxxlrf.exec:\7lxxlrf.exe69⤵PID:4428
-
\??\c:\thhhbh.exec:\thhhbh.exe70⤵PID:3028
-
\??\c:\bhnntn.exec:\bhnntn.exe71⤵PID:4568
-
\??\c:\jppdd.exec:\jppdd.exe72⤵PID:4632
-
\??\c:\xxxxrrr.exec:\xxxxrrr.exe73⤵PID:4388
-
\??\c:\5hthhh.exec:\5hthhh.exe74⤵PID:2600
-
\??\c:\hhnnnb.exec:\hhnnnb.exe75⤵PID:1880
-
\??\c:\hhtntt.exec:\hhtntt.exe76⤵PID:3872
-
\??\c:\bthbnt.exec:\bthbnt.exe77⤵PID:216
-
\??\c:\pjjvp.exec:\pjjvp.exe78⤵PID:344
-
\??\c:\ddppv.exec:\ddppv.exe79⤵PID:3340
-
\??\c:\rxxfxff.exec:\rxxfxff.exe80⤵PID:4268
-
\??\c:\3nttbb.exec:\3nttbb.exe81⤵PID:1516
-
\??\c:\ppvvp.exec:\ppvvp.exe82⤵PID:1020
-
\??\c:\pjppp.exec:\pjppp.exe83⤵PID:4476
-
\??\c:\thhnnt.exec:\thhnnt.exe84⤵PID:1108
-
\??\c:\rrlrrxf.exec:\rrlrrxf.exe85⤵PID:1736
-
\??\c:\vpddv.exec:\vpddv.exe86⤵PID:1916
-
\??\c:\jpppv.exec:\jpppv.exe87⤵PID:4964
-
\??\c:\xxrxllx.exec:\xxrxllx.exe88⤵PID:3652
-
\??\c:\bnnthn.exec:\bnnthn.exe89⤵PID:4168
-
\??\c:\jjvdj.exec:\jjvdj.exe90⤵PID:4720
-
\??\c:\3lrlfff.exec:\3lrlfff.exe91⤵PID:4088
-
\??\c:\ttbhbh.exec:\ttbhbh.exe92⤵PID:768
-
\??\c:\9ppvj.exec:\9ppvj.exe93⤵PID:756
-
\??\c:\tnttnh.exec:\tnttnh.exe94⤵PID:4228
-
\??\c:\bnnhhb.exec:\bnnhhb.exe95⤵PID:4464
-
\??\c:\vvjjv.exec:\vvjjv.exe96⤵PID:3096
-
\??\c:\jvdvp.exec:\jvdvp.exe97⤵PID:1092
-
\??\c:\rxxfxxx.exec:\rxxfxxx.exe98⤵PID:4400
-
\??\c:\rfxffff.exec:\rfxffff.exe99⤵PID:3312
-
\??\c:\nhhhtt.exec:\nhhhtt.exe100⤵PID:2784
-
\??\c:\tnbnhh.exec:\tnbnhh.exe101⤵PID:1212
-
\??\c:\djpjd.exec:\djpjd.exe102⤵PID:2460
-
\??\c:\jjpjj.exec:\jjpjj.exe103⤵PID:4352
-
\??\c:\rlrlflx.exec:\rlrlflx.exe104⤵PID:4948
-
\??\c:\llrlfff.exec:\llrlfff.exe105⤵PID:3332
-
\??\c:\nbtbbh.exec:\nbtbbh.exe106⤵PID:4680
-
\??\c:\pjvvp.exec:\pjvvp.exe107⤵PID:3520
-
\??\c:\jjjjd.exec:\jjjjd.exe108⤵PID:2676
-
\??\c:\jvvvv.exec:\jvvvv.exe109⤵PID:4524
-
\??\c:\lllllrf.exec:\lllllrf.exe110⤵PID:848
-
\??\c:\bnhbtb.exec:\bnhbtb.exe111⤵PID:3600
-
\??\c:\ntbbhn.exec:\ntbbhn.exe112⤵PID:3492
-
\??\c:\vpvvd.exec:\vpvvd.exe113⤵PID:3064
-
\??\c:\pppjd.exec:\pppjd.exe114⤵PID:2328
-
\??\c:\fxlxxxl.exec:\fxlxxxl.exe115⤵PID:3084
-
\??\c:\7xxxxff.exec:\7xxxxff.exe116⤵PID:4252
-
\??\c:\9nbbnb.exec:\9nbbnb.exe117⤵PID:708
-
\??\c:\jvjjd.exec:\jvjjd.exe118⤵PID:1556
-
\??\c:\ppdvd.exec:\ppdvd.exe119⤵PID:1132
-
\??\c:\rrrfrlf.exec:\rrrfrlf.exe120⤵PID:2476
-
\??\c:\1bbhbb.exec:\1bbhbb.exe121⤵PID:4752
-
\??\c:\tntnhh.exec:\tntnhh.exe122⤵PID:3160