Analysis
-
max time kernel
150s -
max time network
127s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240508-en locale:en-us os:windows10-2004-x64 system -
submitted
06-06-2024 06:44
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
d4b4cbbe8f91bcc291ec9ec2626fa0a02d2e161493d7c9c8ecd2d471d26d3828.exe
Resource
win7-20240508-en
6 signatures
150 seconds
General
-
Target
d4b4cbbe8f91bcc291ec9ec2626fa0a02d2e161493d7c9c8ecd2d471d26d3828.exe
-
Size
96KB
-
MD5
2f435e7d71814471be92e6cba8b87045
-
SHA1
aeeb1c28e25007ae72ce286ef676dde8a95a12cd
-
SHA256
d4b4cbbe8f91bcc291ec9ec2626fa0a02d2e161493d7c9c8ecd2d471d26d3828
-
SHA512
c80b14e0859b1df7eb7168afbe9c13305d194c20d0fd4e0876209bfbd361ee3f5a75fc4a5f35589ba515299b757548fbb9257cafc431132ae0bd07899a4298e9
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDIS7/b9EUeWpEC3alBlwtn8BLnnk:ymb3NkkiQ3mdBjFIi/REUZnKlbnvc
Malware Config
Signatures
-
Detect Blackmoon payload 27 IoCs
UPX dump on OEP (original entry point) 25 IoCs
Executes dropped EXE 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\d4b4cbbe8f91bcc291ec9ec2626fa0a02d2e161493d7c9c8ecd2d471d26d3828.exe"C:\Users\Admin\AppData\Local\Temp\d4b4cbbe8f91bcc291ec9ec2626fa0a02d2e161493d7c9c8ecd2d471d26d3828.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1296 -
\??\c:\bhnhbt.exec:\bhnhbt.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5088 -
\??\c:\pjjjj.exec:\pjjjj.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3248 -
\??\c:\dvvvj.exec:\dvvvj.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2800 -
\??\c:\bhhtnt.exec:\bhhtnt.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:632 -
\??\c:\btnnhh.exec:\btnnhh.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2908 -
\??\c:\vppjj.exec:\vppjj.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1004 -
\??\c:\vjvdp.exec:\vjvdp.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:388 -
\??\c:\rfrlffl.exec:\rfrlffl.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4332 -
\??\c:\xflfxxr.exec:\xflfxxr.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1512 -
\??\c:\1btnbb.exec:\1btnbb.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3748 -
\??\c:\jpvpj.exec:\jpvpj.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3600 -
\??\c:\ttbnnh.exec:\ttbnnh.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2380 -
\??\c:\nnthnn.exec:\nnthnn.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4456 -
\??\c:\dvddv.exec:\dvddv.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:956 -
\??\c:\fffxrll.exec:\fffxrll.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1476 -
\??\c:\5xrlffx.exec:\5xrlffx.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4684 -
\??\c:\7bbntn.exec:\7bbntn.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3168 -
\??\c:\jdddv.exec:\jdddv.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1924 -
\??\c:\rffrfrf.exec:\rffrfrf.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2248 -
\??\c:\9nnhtt.exec:\9nnhtt.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1000 -
\??\c:\1ttnnn.exec:\1ttnnn.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3164 -
\??\c:\ppvpp.exec:\ppvpp.exe23⤵
- Executes dropped EXE
PID:2608 -
\??\c:\xrxxrrr.exec:\xrxxrrr.exe24⤵
- Executes dropped EXE
PID:1272 -
\??\c:\ttbbhh.exec:\ttbbhh.exe25⤵
- Executes dropped EXE
PID:5048 -
\??\c:\5nhhht.exec:\5nhhht.exe26⤵
- Executes dropped EXE
PID:3500 -
\??\c:\jdpjj.exec:\jdpjj.exe27⤵
- Executes dropped EXE
PID:3728 -
\??\c:\xrfrlfx.exec:\xrfrlfx.exe28⤵
- Executes dropped EXE
PID:4912 -
\??\c:\htttnn.exec:\htttnn.exe29⤵
- Executes dropped EXE
PID:4388 -
\??\c:\tntttt.exec:\tntttt.exe30⤵
- Executes dropped EXE
PID:4712 -
\??\c:\1jjdj.exec:\1jjdj.exe31⤵
- Executes dropped EXE
PID:2860 -
\??\c:\rrxrrrl.exec:\rrxrrrl.exe32⤵
- Executes dropped EXE
PID:4048 -
\??\c:\ffllflf.exec:\ffllflf.exe33⤵
- Executes dropped EXE
PID:2160 -
\??\c:\9nhnhb.exec:\9nhnhb.exe34⤵
- Executes dropped EXE
PID:3024 -
\??\c:\ddpvd.exec:\ddpvd.exe35⤵
- Executes dropped EXE
PID:740 -
\??\c:\dvjdp.exec:\dvjdp.exe36⤵
- Executes dropped EXE
PID:620 -
\??\c:\rllffff.exec:\rllffff.exe37⤵
- Executes dropped EXE
PID:636 -
\??\c:\htnnhb.exec:\htnnhb.exe38⤵
- Executes dropped EXE
PID:4836 -
\??\c:\7jdvv.exec:\7jdvv.exe39⤵
- Executes dropped EXE
PID:1496 -
\??\c:\jpjpp.exec:\jpjpp.exe40⤵
- Executes dropped EXE
PID:3692 -
\??\c:\xlrrxxx.exec:\xlrrxxx.exe41⤵
- Executes dropped EXE
PID:4068 -
\??\c:\xrxrrlr.exec:\xrxrrlr.exe42⤵
- Executes dropped EXE
PID:4536 -
\??\c:\1bbtnn.exec:\1bbtnn.exe43⤵
- Executes dropped EXE
PID:3312 -
\??\c:\5nttth.exec:\5nttth.exe44⤵
- Executes dropped EXE
PID:2720 -
\??\c:\jdvvp.exec:\jdvvp.exe45⤵
- Executes dropped EXE
PID:2380 -
\??\c:\flxxxxx.exec:\flxxxxx.exe46⤵
- Executes dropped EXE
PID:3948 -
\??\c:\5rxfxff.exec:\5rxfxff.exe47⤵
- Executes dropped EXE
PID:2560 -
\??\c:\1ntnhn.exec:\1ntnhn.exe48⤵
- Executes dropped EXE
PID:2676 -
\??\c:\rrfxfxl.exec:\rrfxfxl.exe49⤵
- Executes dropped EXE
PID:1844 -
\??\c:\tntttt.exec:\tntttt.exe50⤵
- Executes dropped EXE
PID:3764 -
\??\c:\3hnbbh.exec:\3hnbbh.exe51⤵
- Executes dropped EXE
PID:3468 -
\??\c:\5nbbbb.exec:\5nbbbb.exe52⤵
- Executes dropped EXE
PID:2248 -
\??\c:\pjjjj.exec:\pjjjj.exe53⤵
- Executes dropped EXE
PID:320 -
\??\c:\jddvv.exec:\jddvv.exe54⤵
- Executes dropped EXE
PID:4652 -
\??\c:\lxlrlrr.exec:\lxlrlrr.exe55⤵
- Executes dropped EXE
PID:2900 -
\??\c:\lflllrr.exec:\lflllrr.exe56⤵
- Executes dropped EXE
PID:3220 -
\??\c:\1hnntn.exec:\1hnntn.exe57⤵
- Executes dropped EXE
PID:228 -
\??\c:\dddpj.exec:\dddpj.exe58⤵
- Executes dropped EXE
PID:4616 -
\??\c:\jjjdv.exec:\jjjdv.exe59⤵
- Executes dropped EXE
PID:2340 -
\??\c:\xlxxffx.exec:\xlxxffx.exe60⤵
- Executes dropped EXE
PID:876 -
\??\c:\xlrxxll.exec:\xlrxxll.exe61⤵
- Executes dropped EXE
PID:4396 -
\??\c:\rxfllll.exec:\rxfllll.exe62⤵
- Executes dropped EXE
PID:5064 -
\??\c:\1bhnhn.exec:\1bhnhn.exe63⤵
- Executes dropped EXE
PID:1332 -
\??\c:\hntttb.exec:\hntttb.exe64⤵
- Executes dropped EXE
PID:3208 -
\??\c:\dpppv.exec:\dpppv.exe65⤵
- Executes dropped EXE
PID:2292 -
\??\c:\rrlffrf.exec:\rrlffrf.exe66⤵PID:3216
-
\??\c:\ffrrrxr.exec:\ffrrrxr.exe67⤵PID:4476
-
\??\c:\bntnnn.exec:\bntnnn.exe68⤵PID:3024
-
\??\c:\hnttnt.exec:\hnttnt.exe69⤵PID:2908
-
\??\c:\bnthhh.exec:\bnthhh.exe70⤵PID:4292
-
\??\c:\5pvvj.exec:\5pvvj.exe71⤵PID:4956
-
\??\c:\dvvpp.exec:\dvvpp.exe72⤵PID:2284
-
\??\c:\llxrxxf.exec:\llxrxxf.exe73⤵PID:552
-
\??\c:\lffxrxx.exec:\lffxrxx.exe74⤵PID:428
-
\??\c:\httttt.exec:\httttt.exe75⤵PID:2196
-
\??\c:\tntnnn.exec:\tntnnn.exe76⤵PID:2172
-
\??\c:\9bttnt.exec:\9bttnt.exe77⤵PID:1504
-
\??\c:\djddj.exec:\djddj.exe78⤵PID:1704
-
\??\c:\3vdvp.exec:\3vdvp.exe79⤵PID:3732
-
\??\c:\lfrllll.exec:\lfrllll.exe80⤵PID:2792
-
\??\c:\lflrlrl.exec:\lflrlrl.exe81⤵PID:4684
-
\??\c:\7hhbth.exec:\7hhbth.exe82⤵PID:2276
-
\??\c:\hhttth.exec:\hhttth.exe83⤵PID:3840
-
\??\c:\thhhbb.exec:\thhhbb.exe84⤵PID:536
-
\??\c:\ppppj.exec:\ppppj.exe85⤵PID:2108
-
\??\c:\7pjjj.exec:\7pjjj.exe86⤵PID:3164
-
\??\c:\lffxxrf.exec:\lffxxrf.exe87⤵PID:540
-
\??\c:\fxfxxxx.exec:\fxfxxxx.exe88⤵PID:3640
-
\??\c:\tntttt.exec:\tntttt.exe89⤵PID:800
-
\??\c:\1bhhhn.exec:\1bhhhn.exe90⤵PID:4576
-
\??\c:\3bhhtt.exec:\3bhhtt.exe91⤵PID:64
-
\??\c:\9pvpj.exec:\9pvpj.exe92⤵PID:4724
-
\??\c:\pdddj.exec:\pdddj.exe93⤵PID:2356
-
\??\c:\lllfxff.exec:\lllfxff.exe94⤵PID:4912
-
\??\c:\xlrxflx.exec:\xlrxflx.exe95⤵PID:1296
-
\??\c:\3tttnh.exec:\3tttnh.exe96⤵PID:3048
-
\??\c:\nnntth.exec:\nnntth.exe97⤵PID:3584
-
\??\c:\dpvdd.exec:\dpvdd.exe98⤵PID:2708
-
\??\c:\vpvvd.exec:\vpvvd.exe99⤵PID:872
-
\??\c:\9djdd.exec:\9djdd.exe100⤵PID:1700
-
\??\c:\9rxrlrr.exec:\9rxrlrr.exe101⤵PID:2160
-
\??\c:\7fffxxx.exec:\7fffxxx.exe102⤵PID:1772
-
\??\c:\hhhhhh.exec:\hhhhhh.exe103⤵PID:2736
-
\??\c:\ttbbnt.exec:\ttbbnt.exe104⤵PID:4292
-
\??\c:\9bhhhn.exec:\9bhhhn.exe105⤵PID:4812
-
\??\c:\pjpjp.exec:\pjpjp.exe106⤵PID:3800
-
\??\c:\ppjdd.exec:\ppjdd.exe107⤵PID:1600
-
\??\c:\fxffffl.exec:\fxffffl.exe108⤵PID:2324
-
\??\c:\llxfxff.exec:\llxfxff.exe109⤵PID:5016
-
\??\c:\1xrrlll.exec:\1xrrlll.exe110⤵PID:1540
-
\??\c:\3hnnnt.exec:\3hnnnt.exe111⤵PID:2720
-
\??\c:\3hnhbh.exec:\3hnhbh.exe112⤵PID:336
-
\??\c:\jjvdd.exec:\jjvdd.exe113⤵PID:3732
-
\??\c:\jpvvv.exec:\jpvvv.exe114⤵PID:4692
-
\??\c:\vjjjv.exec:\vjjjv.exe115⤵PID:4684
-
\??\c:\5llfrll.exec:\5llfrll.exe116⤵PID:2276
-
\??\c:\rlfflrf.exec:\rlfflrf.exe117⤵PID:3756
-
\??\c:\nhhtnn.exec:\nhhtnn.exe118⤵PID:536
-
\??\c:\9nnnhh.exec:\9nnnhh.exe119⤵PID:2108
-
\??\c:\pjpjv.exec:\pjpjv.exe120⤵PID:4652
-
\??\c:\ddpvv.exec:\ddpvv.exe121⤵PID:1892
-
\??\c:\7xfxrxr.exec:\7xfxrxr.exe122⤵PID:4320