Analysis
-
max time kernel
150s -
max time network
51s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240508-en locale:en-us os:windows10-2004-x64 system -
submitted
21-06-2024 01:47
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
a3e2e141ece5cf76a4fbccca5e997270f75bcb0a74c55ef4115d55e973970a01.exe
Resource
win7-20240611-en
6 signatures
150 seconds
General
-
Target
a3e2e141ece5cf76a4fbccca5e997270f75bcb0a74c55ef4115d55e973970a01.exe
-
Size
229KB
-
MD5
576c4a7fbc3af4f5820a02ab386f2e54
-
SHA1
01aef226358a106f66d3c14251f481f3b0322405
-
SHA256
a3e2e141ece5cf76a4fbccca5e997270f75bcb0a74c55ef4115d55e973970a01
-
SHA512
67b8d341fad2511e2e1451b8b4b7269ddb054645d8d2c17c71c0ce3b18647590f339c64b6218505187d65c0b271c8b311227a4b32680c54a0f7857ccc936c8aa
-
SSDEEP
3072:ymb3NkkiQ3mdBjFo73PYP1lri3KoSV31x4xLn/c1n:n3C9BRo7MlrWKo+lxKk1n
Malware Config
Signatures
-
Detect Blackmoon payload 27 IoCs
Processes:
resource yara_rule behavioral2/memory/3148-4-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4812-10-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1212-108-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4620-156-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1856-175-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1104-192-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1516-200-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1792-188-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1176-180-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/5064-168-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/512-162-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4548-151-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3344-138-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1900-126-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4156-121-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1196-115-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1368-103-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3124-95-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1224-90-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1372-84-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3604-75-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon 
behavioral2/memory/4808-62-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1416-45-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1892-38-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4584-32-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2020-24-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3240-18-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon -
UPX dump on OEP (original entry point) 30 IoCs
Processes:
resource yara_rule behavioral2/memory/3148-4-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/4812-10-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/2928-54-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/1212-108-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/4620-156-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/1856-175-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/1104-192-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/1516-200-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/1792-188-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/1176-180-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/5064-168-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/512-162-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/4548-151-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/3344-138-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/1900-126-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/4156-121-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/1196-115-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/1368-103-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/3124-95-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/1224-90-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/1372-84-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/3604-75-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/4808-62-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/2928-53-0x0000000000400000-0x0000000000429000-memory.dmp UPX 
behavioral2/memory/2928-52-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/1416-45-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/1892-38-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/4584-32-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/2020-24-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/3240-18-0x0000000000400000-0x0000000000429000-memory.dmp UPX -
Executes dropped EXE 64 IoCs
Processes:
hthhnn.exe 3rllxlf.exe tttbbn.exe bnbtnt.exe pvjjj.exe jpppp.exe xrxxxff.exe ffrxrxx.exe nnbbht.exe pjvdd.exe jvvdv.exe fxxxxxx.exe bbnntt.exe bbbhhh.exe jjjjd.exe jvjdp.exe ffrrrrr.exe thbhhb.exe dvjpp.exe vjddj.exe 3frflrx.exe ttttnn.exe pdpjj.exe xlxxflx.exe xlllrxx.exe jdpjj.exe pppvv.exe lflrxxf.exe nbhbtt.exe nnntbb.exe vvvvv.exe lxxffll.exe 7xllrlf.exe btttnn.exe thbhbt.exe jpvdd.exe vvjpp.exe fxlrxxx.exe rxfffll.exe hthhnb.exe pdjjj.exe jpvvd.exe frxxrxx.exe rrrrrrr.exe bbhhhh.exe 3tnhhn.exe jpddv.exe ppppp.exe xxllrfl.exe 3lxxlrr.exe hbhhhh.exe httttb.exe ppjdp.exe 5dppd.exe rxllflr.exe xrrrrrr.exe nnnnnn.exe tnttnt.exe 7dddd.exe ppvvv.exe fxlllrx.exe flxfffl.exe hhbhbn.exe tntbtb.exe
pid process
4812 hthhnn.exe
3240 3rllxlf.exe
2020 tttbbn.exe
4584 bnbtnt.exe
1892 pvjjj.exe
1416 jpppp.exe
2928 xrxxxff.exe
4808 ffrxrxx.exe
1040 nnbbht.exe
3604 pjvdd.exe
1372 jvvdv.exe
1224 fxxxxxx.exe
3124 bbnntt.exe
1368 bbbhhh.exe
1212 jjjjd.exe
1196 jvjdp.exe
4156 ffrrrrr.exe
1900 thbhhb.exe
2456 dvjpp.exe
3344 vjddj.exe
3120 3frflrx.exe
4548 ttttnn.exe
4620 pdpjj.exe
512 xlxxflx.exe
5064 xlllrxx.exe
1856 jdpjj.exe
1176 pppvv.exe
1792 lflrxxf.exe
1104 nbhbtt.exe
1516 nnntbb.exe
1200 vvvvv.exe
4476 lxxffll.exe
1172 7xllrlf.exe
960 btttnn.exe
544 thbhbt.exe
440 jpvdd.exe
4564 vvjpp.exe
1168 fxlrxxx.exe
2448 rxfffll.exe
3272 hthhnb.exe
4532 pdjjj.exe
3536 jpvvd.exe
4508 frxxrxx.exe
3148 rrrrrrr.exe
4028 bbhhhh.exe
4928 3tnhhn.exe
2572 jpddv.exe
4768 ppppp.exe
2952 xxllrfl.exe
212 3lxxlrr.exe
2068 hbhhhh.exe
1372 httttb.exe
4580 ppjdp.exe
1296 5dppd.exe
1740 rxllflr.exe
4820 xrrrrrr.exe
2504 nnnnnn.exe
5068 tnttnt.exe
4612 7dddd.exe
1544 ppvvv.exe
1900 fxlllrx.exe
1968 flxfffl.exe
1392 hhbhbn.exe
2124 tntbtb.exe
-
Processes:
resource yara_rule behavioral2/memory/3148-4-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4812-10-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2928-54-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1212-108-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4620-156-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1856-175-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1104-192-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1516-200-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1792-188-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1176-180-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/5064-168-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/512-162-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4548-151-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3344-138-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1900-126-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4156-121-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1196-115-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1368-103-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3124-95-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1224-90-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1372-84-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3604-75-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4808-62-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2928-53-0x0000000000400000-0x0000000000429000-memory.dmp upx 
behavioral2/memory/2928-52-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1416-45-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1892-38-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4584-32-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2020-24-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3240-18-0x0000000000400000-0x0000000000429000-memory.dmp upx -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
a3e2e141ece5cf76a4fbccca5e997270f75bcb0a74c55ef4115d55e973970a01.exehthhnn.exe3rllxlf.exetttbbn.exebnbtnt.exepvjjj.exejpppp.exexrxxxff.exeffrxrxx.exennbbht.exepjvdd.exejvvdv.exefxxxxxx.exebbnntt.exebbbhhh.exejjjjd.exejvjdp.exeffrrrrr.exethbhhb.exedvjpp.exevjddj.exe3frflrx.exedescription pid process target process PID 3148 wrote to memory of 4812 3148 a3e2e141ece5cf76a4fbccca5e997270f75bcb0a74c55ef4115d55e973970a01.exe hthhnn.exe PID 3148 wrote to memory of 4812 3148 a3e2e141ece5cf76a4fbccca5e997270f75bcb0a74c55ef4115d55e973970a01.exe hthhnn.exe PID 3148 wrote to memory of 4812 3148 a3e2e141ece5cf76a4fbccca5e997270f75bcb0a74c55ef4115d55e973970a01.exe hthhnn.exe PID 4812 wrote to memory of 3240 4812 hthhnn.exe 9pdjp.exe PID 4812 wrote to memory of 3240 4812 hthhnn.exe 9pdjp.exe PID 4812 wrote to memory of 3240 4812 hthhnn.exe 9pdjp.exe PID 3240 wrote to memory of 2020 3240 3rllxlf.exe tttbbn.exe PID 3240 wrote to memory of 2020 3240 3rllxlf.exe tttbbn.exe PID 3240 wrote to memory of 2020 3240 3rllxlf.exe tttbbn.exe PID 2020 wrote to memory of 4584 2020 tttbbn.exe bnbtnt.exe PID 2020 wrote to memory of 4584 2020 tttbbn.exe bnbtnt.exe PID 2020 wrote to memory of 4584 2020 tttbbn.exe bnbtnt.exe PID 4584 wrote to memory of 1892 4584 bnbtnt.exe pvjjj.exe PID 4584 wrote to memory of 1892 4584 bnbtnt.exe pvjjj.exe PID 4584 wrote to memory of 1892 4584 bnbtnt.exe pvjjj.exe PID 1892 wrote to memory of 1416 1892 pvjjj.exe jpppp.exe PID 1892 wrote to memory of 1416 1892 pvjjj.exe jpppp.exe PID 1892 wrote to memory of 1416 1892 pvjjj.exe jpppp.exe PID 1416 wrote to memory of 2928 1416 jpppp.exe xrxxxff.exe PID 1416 wrote to memory of 2928 1416 jpppp.exe xrxxxff.exe PID 1416 wrote to memory of 2928 1416 jpppp.exe xrxxxff.exe PID 2928 wrote to memory of 4808 2928 xrxxxff.exe ffrxrxx.exe PID 2928 wrote to memory of 4808 2928 xrxxxff.exe ffrxrxx.exe PID 2928 wrote to memory of 4808 2928 xrxxxff.exe ffrxrxx.exe PID 4808 wrote to memory of 1040 4808 ffrxrxx.exe nnbbht.exe PID 4808 
wrote to memory of 1040 4808 ffrxrxx.exe nnbbht.exe PID 4808 wrote to memory of 1040 4808 ffrxrxx.exe nnbbht.exe PID 1040 wrote to memory of 3604 1040 nnbbht.exe pjvdd.exe PID 1040 wrote to memory of 3604 1040 nnbbht.exe pjvdd.exe PID 1040 wrote to memory of 3604 1040 nnbbht.exe pjvdd.exe PID 3604 wrote to memory of 1372 3604 pjvdd.exe jvvdv.exe PID 3604 wrote to memory of 1372 3604 pjvdd.exe jvvdv.exe PID 3604 wrote to memory of 1372 3604 pjvdd.exe jvvdv.exe PID 1372 wrote to memory of 1224 1372 jvvdv.exe fxxxxxx.exe PID 1372 wrote to memory of 1224 1372 jvvdv.exe fxxxxxx.exe PID 1372 wrote to memory of 1224 1372 jvvdv.exe fxxxxxx.exe PID 1224 wrote to memory of 3124 1224 fxxxxxx.exe bbnntt.exe PID 1224 wrote to memory of 3124 1224 fxxxxxx.exe bbnntt.exe PID 1224 wrote to memory of 3124 1224 fxxxxxx.exe bbnntt.exe PID 3124 wrote to memory of 1368 3124 bbnntt.exe bbbhhh.exe PID 3124 wrote to memory of 1368 3124 bbnntt.exe bbbhhh.exe PID 3124 wrote to memory of 1368 3124 bbnntt.exe bbbhhh.exe PID 1368 wrote to memory of 1212 1368 bbbhhh.exe jjjjd.exe PID 1368 wrote to memory of 1212 1368 bbbhhh.exe jjjjd.exe PID 1368 wrote to memory of 1212 1368 bbbhhh.exe jjjjd.exe PID 1212 wrote to memory of 1196 1212 jjjjd.exe jvjdp.exe PID 1212 wrote to memory of 1196 1212 jjjjd.exe jvjdp.exe PID 1212 wrote to memory of 1196 1212 jjjjd.exe jvjdp.exe PID 1196 wrote to memory of 4156 1196 jvjdp.exe ffrrrrr.exe PID 1196 wrote to memory of 4156 1196 jvjdp.exe ffrrrrr.exe PID 1196 wrote to memory of 4156 1196 jvjdp.exe ffrrrrr.exe PID 4156 wrote to memory of 1900 4156 ffrrrrr.exe thbhhb.exe PID 4156 wrote to memory of 1900 4156 ffrrrrr.exe thbhhb.exe PID 4156 wrote to memory of 1900 4156 ffrrrrr.exe thbhhb.exe PID 1900 wrote to memory of 2456 1900 thbhhb.exe dvjpp.exe PID 1900 wrote to memory of 2456 1900 thbhhb.exe dvjpp.exe PID 1900 wrote to memory of 2456 1900 thbhhb.exe dvjpp.exe PID 2456 wrote to memory of 3344 2456 dvjpp.exe vjddj.exe PID 2456 wrote to memory of 3344 2456 
dvjpp.exe vjddj.exe PID 2456 wrote to memory of 3344 2456 dvjpp.exe vjddj.exe PID 3344 wrote to memory of 3120 3344 vjddj.exe 3frflrx.exe PID 3344 wrote to memory of 3120 3344 vjddj.exe 3frflrx.exe PID 3344 wrote to memory of 3120 3344 vjddj.exe 3frflrx.exe PID 3120 wrote to memory of 4548 3120 3frflrx.exe ttttnn.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\a3e2e141ece5cf76a4fbccca5e997270f75bcb0a74c55ef4115d55e973970a01.exe"C:\Users\Admin\AppData\Local\Temp\a3e2e141ece5cf76a4fbccca5e997270f75bcb0a74c55ef4115d55e973970a01.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3148 -
\??\c:\hthhnn.exec:\hthhnn.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4812 -
\??\c:\3rllxlf.exec:\3rllxlf.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3240 -
\??\c:\tttbbn.exec:\tttbbn.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2020 -
\??\c:\bnbtnt.exec:\bnbtnt.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4584 -
\??\c:\pvjjj.exec:\pvjjj.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1892 -
\??\c:\jpppp.exec:\jpppp.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1416 -
\??\c:\xrxxxff.exec:\xrxxxff.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2928 -
\??\c:\ffrxrxx.exec:\ffrxrxx.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4808 -
\??\c:\nnbbht.exec:\nnbbht.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1040 -
\??\c:\pjvdd.exec:\pjvdd.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3604 -
\??\c:\jvvdv.exec:\jvvdv.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1372 -
\??\c:\fxxxxxx.exec:\fxxxxxx.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1224 -
\??\c:\bbnntt.exec:\bbnntt.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3124 -
\??\c:\bbbhhh.exec:\bbbhhh.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1368 -
\??\c:\jjjjd.exec:\jjjjd.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1212 -
\??\c:\jvjdp.exec:\jvjdp.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1196 -
\??\c:\ffrrrrr.exec:\ffrrrrr.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4156 -
\??\c:\thbhhb.exec:\thbhhb.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1900 -
\??\c:\dvjpp.exec:\dvjpp.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2456 -
\??\c:\vjddj.exec:\vjddj.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3344 -
\??\c:\3frflrx.exec:\3frflrx.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3120 -
\??\c:\ttttnn.exec:\ttttnn.exe23⤵
- Executes dropped EXE
PID:4548 -
\??\c:\pdpjj.exec:\pdpjj.exe24⤵
- Executes dropped EXE
PID:4620 -
\??\c:\xlxxflx.exec:\xlxxflx.exe25⤵
- Executes dropped EXE
PID:512 -
\??\c:\xlllrxx.exec:\xlllrxx.exe26⤵
- Executes dropped EXE
PID:5064 -
\??\c:\jdpjj.exec:\jdpjj.exe27⤵
- Executes dropped EXE
PID:1856 -
\??\c:\pppvv.exec:\pppvv.exe28⤵
- Executes dropped EXE
PID:1176 -
\??\c:\lflrxxf.exec:\lflrxxf.exe29⤵
- Executes dropped EXE
PID:1792 -
\??\c:\nbhbtt.exec:\nbhbtt.exe30⤵
- Executes dropped EXE
PID:1104 -
\??\c:\nnntbb.exec:\nnntbb.exe31⤵
- Executes dropped EXE
PID:1516 -
\??\c:\vvvvv.exec:\vvvvv.exe32⤵
- Executes dropped EXE
PID:1200 -
\??\c:\lxxffll.exec:\lxxffll.exe33⤵
- Executes dropped EXE
PID:4476 -
\??\c:\7xllrlf.exec:\7xllrlf.exe34⤵
- Executes dropped EXE
PID:1172 -
\??\c:\btttnn.exec:\btttnn.exe35⤵
- Executes dropped EXE
PID:960 -
\??\c:\thbhbt.exec:\thbhbt.exe36⤵
- Executes dropped EXE
PID:544 -
\??\c:\jpvdd.exec:\jpvdd.exe37⤵
- Executes dropped EXE
PID:440 -
\??\c:\vvjpp.exec:\vvjpp.exe38⤵
- Executes dropped EXE
PID:4564 -
\??\c:\fxlrxxx.exec:\fxlrxxx.exe39⤵
- Executes dropped EXE
PID:1168 -
\??\c:\rxfffll.exec:\rxfffll.exe40⤵
- Executes dropped EXE
PID:2448 -
\??\c:\hthhnb.exec:\hthhnb.exe41⤵
- Executes dropped EXE
PID:3272 -
\??\c:\pdjjj.exec:\pdjjj.exe42⤵
- Executes dropped EXE
PID:4532 -
\??\c:\jpvvd.exec:\jpvvd.exe43⤵
- Executes dropped EXE
PID:3536 -
\??\c:\frxxrxx.exec:\frxxrxx.exe44⤵
- Executes dropped EXE
PID:4508 -
\??\c:\rrrrrrr.exec:\rrrrrrr.exe45⤵
- Executes dropped EXE
PID:3148 -
\??\c:\bbhhhh.exec:\bbhhhh.exe46⤵
- Executes dropped EXE
PID:4028 -
\??\c:\3tnhhn.exec:\3tnhhn.exe47⤵
- Executes dropped EXE
PID:4928 -
\??\c:\jpddv.exec:\jpddv.exe48⤵
- Executes dropped EXE
PID:2572 -
\??\c:\ppppp.exec:\ppppp.exe49⤵
- Executes dropped EXE
PID:4768 -
\??\c:\xxllrfl.exec:\xxllrfl.exe50⤵
- Executes dropped EXE
PID:2952 -
\??\c:\3lxxlrr.exec:\3lxxlrr.exe51⤵
- Executes dropped EXE
PID:212 -
\??\c:\hbhhhh.exec:\hbhhhh.exe52⤵
- Executes dropped EXE
PID:2068 -
\??\c:\httttb.exec:\httttb.exe53⤵
- Executes dropped EXE
PID:1372 -
\??\c:\ppjdp.exec:\ppjdp.exe54⤵
- Executes dropped EXE
PID:4580 -
\??\c:\5dppd.exec:\5dppd.exe55⤵
- Executes dropped EXE
PID:1296 -
\??\c:\rxllflr.exec:\rxllflr.exe56⤵
- Executes dropped EXE
PID:1740 -
\??\c:\xrrrrrr.exec:\xrrrrrr.exe57⤵
- Executes dropped EXE
PID:4820 -
\??\c:\nnnnnn.exec:\nnnnnn.exe58⤵
- Executes dropped EXE
PID:2504 -
\??\c:\tnttnt.exec:\tnttnt.exe59⤵
- Executes dropped EXE
PID:5068 -
\??\c:\7dddd.exec:\7dddd.exe60⤵
- Executes dropped EXE
PID:4612 -
\??\c:\ppvvv.exec:\ppvvv.exe61⤵
- Executes dropped EXE
PID:1544 -
\??\c:\fxlllrx.exec:\fxlllrx.exe62⤵
- Executes dropped EXE
PID:1900 -
\??\c:\flxfffl.exec:\flxfffl.exe63⤵
- Executes dropped EXE
PID:1968 -
\??\c:\hhbhbn.exec:\hhbhbn.exe64⤵
- Executes dropped EXE
PID:1392 -
\??\c:\tntbtb.exec:\tntbtb.exe65⤵
- Executes dropped EXE
PID:2124 -
\??\c:\jdjjd.exec:\jdjjd.exe66⤵PID:612
-
\??\c:\9vddj.exec:\9vddj.exe67⤵PID:1488
-
\??\c:\xfffffl.exec:\xfffffl.exe68⤵PID:4620
-
\??\c:\xrllllr.exec:\xrllllr.exe69⤵PID:1964
-
\??\c:\1nbhhn.exec:\1nbhhn.exe70⤵PID:2372
-
\??\c:\bnhhbh.exec:\bnhhbh.exe71⤵PID:1204
-
\??\c:\vjjjj.exec:\vjjjj.exe72⤵PID:1768
-
\??\c:\9pddv.exec:\9pddv.exe73⤵PID:4012
-
\??\c:\rrrrrff.exec:\rrrrrff.exe74⤵PID:3180
-
\??\c:\frfllrx.exec:\frfllrx.exe75⤵PID:1848
-
\??\c:\hhnnhn.exec:\hhnnhn.exe76⤵PID:4056
-
\??\c:\hhbbhn.exec:\hhbbhn.exe77⤵PID:1884
-
\??\c:\vjppj.exec:\vjppj.exe78⤵PID:4120
-
\??\c:\dvvpj.exec:\dvvpj.exe79⤵PID:1192
-
\??\c:\rxffflr.exec:\rxffflr.exe80⤵PID:1972
-
\??\c:\xrxrrrr.exec:\xrxrrrr.exe81⤵PID:4728
-
\??\c:\bbbbbh.exec:\bbbbbh.exe82⤵PID:4944
-
\??\c:\nntttb.exec:\nntttb.exe83⤵PID:1584
-
\??\c:\tnhbbb.exec:\tnhbbb.exe84⤵PID:2660
-
\??\c:\dvjjd.exec:\dvjjd.exe85⤵PID:4008
-
\??\c:\jpjpj.exec:\jpjpj.exe86⤵PID:3824
-
\??\c:\9rxxrrx.exec:\9rxxrrx.exe87⤵PID:4300
-
\??\c:\7rxxxfx.exec:\7rxxxfx.exe88⤵PID:4884
-
\??\c:\bbtnhh.exec:\bbtnhh.exe89⤵PID:4256
-
\??\c:\nhnhbh.exec:\nhnhbh.exe90⤵PID:1384
-
\??\c:\vvdvd.exec:\vvdvd.exe91⤵PID:912
-
\??\c:\3vddd.exec:\3vddd.exe92⤵PID:4000
-
\??\c:\xfrlfll.exec:\xfrlfll.exe93⤵PID:4088
-
\??\c:\fxllfxf.exec:\fxllfxf.exe94⤵PID:4272
-
\??\c:\xrxrrrr.exec:\xrxrrrr.exe95⤵PID:4496
-
\??\c:\tbhnnt.exec:\tbhnnt.exe96⤵PID:3296
-
\??\c:\bhnntb.exec:\bhnntb.exe97⤵PID:1892
-
\??\c:\fffllrf.exec:\fffllrf.exe98⤵PID:1940
-
\??\c:\3fllrxf.exec:\3fllrxf.exe99⤵PID:1040
-
\??\c:\bhnnnt.exec:\bhnnnt.exe100⤵PID:668
-
\??\c:\hbtttb.exec:\hbtttb.exe101⤵PID:4124
-
\??\c:\djjpv.exec:\djjpv.exe102⤵PID:3528
-
\??\c:\jvddv.exec:\jvddv.exe103⤵PID:1512
-
\??\c:\lxfffff.exec:\lxfffff.exe104⤵PID:4180
-
\??\c:\xfffrfr.exec:\xfffrfr.exe105⤵PID:212
-
\??\c:\tnbbtb.exec:\tnbbtb.exe106⤵PID:3440
-
\??\c:\hhbtnn.exec:\hhbtnn.exe107⤵PID:3448
-
\??\c:\vvdvp.exec:\vvdvp.exe108⤵PID:4348
-
\??\c:\5vpjj.exec:\5vpjj.exe109⤵PID:3124
-
\??\c:\3fxlxxf.exec:\3fxlxxf.exe110⤵PID:1368
-
\??\c:\rlrrrxx.exec:\rlrrrxx.exe111⤵PID:3392
-
\??\c:\fffflrr.exec:\fffflrr.exe112⤵PID:3540
-
\??\c:\ttnnnh.exec:\ttnnnh.exe113⤵PID:3572
-
\??\c:\ntbhhn.exec:\ntbhhn.exe114⤵PID:2876
-
\??\c:\dpvvp.exec:\dpvvp.exe115⤵PID:1400
-
\??\c:\jjvvj.exec:\jjvvj.exe116⤵PID:2456
-
\??\c:\ffxxffr.exec:\ffxxffr.exe117⤵PID:3040
-
\??\c:\xfrrrxx.exec:\xfrrrxx.exe118⤵PID:2908
-
\??\c:\bttttt.exec:\bttttt.exe119⤵PID:4500
-
\??\c:\btnnht.exec:\btnnht.exe120⤵PID:4396
-
\??\c:\jvvvp.exec:\jvvvp.exe121⤵PID:3748
-
\??\c:\vvvpp.exec:\vvvpp.exe122⤵PID:1528
-