Analysis
max time kernel: 150s
max time network: 108s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240611-en locale:en-us os:windows10-2004-x64 system
submitted: 21-06-2024 02:27
Static task: static1 (1 signatures)
Behavioral task: behavioral1
Sample: b1b0ea9272835bd5666d3914796472be37a6a10605e8753f4c38680797c919be.exe
Resource: win7-20240611-en
5 signatures
150 seconds
General
Target: b1b0ea9272835bd5666d3914796472be37a6a10605e8753f4c38680797c919be.exe
Size: 96KB
MD5: 4c51753f17510737a49047e8d787bfd7
SHA1: 3e5f347ba5b85928b5a5bd90b2201cf1d4632cb2
SHA256: b1b0ea9272835bd5666d3914796472be37a6a10605e8753f4c38680797c919be
SHA512: aaf32cd4dd5c24e4d17d33e7cd4527b74d270cd32465d7bb7a88a4458b81a8ad783e4e28c6355c6cf93e29be66887f8b579f213cefc791ff368d0f59c216a6a9
SSDEEP: 3072:ymb3NkkiQ3mdBjFo73PYP1lri3KuOnrAsmY:n3C9BRo7MlrWKujsmY
Malware Config
Signatures
-
Detect Blackmoon payload 24 IoCs
Executes dropped EXE 64 IoCs
Process memory dumps matching yara_rule: upx
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\b1b0ea9272835bd5666d3914796472be37a6a10605e8753f4c38680797c919be.exe"C:\Users\Admin\AppData\Local\Temp\b1b0ea9272835bd5666d3914796472be37a6a10605e8753f4c38680797c919be.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1604 -
\??\c:\xffffll.exec:\xffffll.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1028 -
\??\c:\xrxxrfl.exec:\xrxxrfl.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:440 -
\??\c:\tnbbbh.exec:\tnbbbh.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2448 -
\??\c:\pjdvj.exec:\pjdvj.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4544 -
\??\c:\dvvjd.exec:\dvvjd.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1460 -
\??\c:\xxxrxxr.exec:\xxxrxxr.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2596 -
\??\c:\bttnhb.exec:\bttnhb.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4672 -
\??\c:\ffrrrrx.exec:\ffrrrrx.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3200 -
\??\c:\9hthbn.exec:\9hthbn.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4676 -
\??\c:\ttnhnh.exec:\ttnhnh.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:116 -
\??\c:\pvjjp.exec:\pvjjp.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:400 -
\??\c:\flfxxxx.exec:\flfxxxx.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1164 -
\??\c:\5bbntt.exec:\5bbntt.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4632 -
\??\c:\3thnhb.exec:\3thnhb.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4680 -
\??\c:\5jjdd.exec:\5jjdd.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3984 -
\??\c:\5xrxrrl.exec:\5xrxrrl.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4568 -
\??\c:\nnthnh.exec:\nnthnh.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4480 -
\??\c:\httnnn.exec:\httnnn.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4880 -
\??\c:\ddvpd.exec:\ddvpd.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3660 -
\??\c:\5xffrrl.exec:\5xffrrl.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3360 -
\??\c:\bbntbb.exec:\bbntbb.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1052 -
\??\c:\dpvpj.exec:\dpvpj.exe23⤵
- Executes dropped EXE
PID:2824 -
\??\c:\pvjjj.exec:\pvjjj.exe24⤵
- Executes dropped EXE
PID:1412 -
\??\c:\rrxlrfr.exec:\rrxlrfr.exe25⤵
- Executes dropped EXE
PID:696 -
\??\c:\hbtnnb.exec:\hbtnnb.exe26⤵
- Executes dropped EXE
PID:4992 -
\??\c:\5djdp.exec:\5djdp.exe27⤵
- Executes dropped EXE
PID:2584 -
\??\c:\xrrllll.exec:\xrrllll.exe28⤵
- Executes dropped EXE
PID:1416 -
\??\c:\3hhhbt.exec:\3hhhbt.exe29⤵
- Executes dropped EXE
PID:3604 -
\??\c:\htnhbt.exec:\htnhbt.exe30⤵
- Executes dropped EXE
PID:4936 -
\??\c:\dvpvp.exec:\dvpvp.exe31⤵
- Executes dropped EXE
PID:3620 -
\??\c:\frlfrxr.exec:\frlfrxr.exe32⤵
- Executes dropped EXE
PID:3652 -
\??\c:\5rxlrxf.exec:\5rxlrxf.exe33⤵
- Executes dropped EXE
PID:2288 -
\??\c:\hhntnn.exec:\hhntnn.exe34⤵
- Executes dropped EXE
PID:2536 -
\??\c:\jjpjv.exec:\jjpjv.exe35⤵
- Executes dropped EXE
PID:1148 -
\??\c:\lxxfrlr.exec:\lxxfrlr.exe36⤵
- Executes dropped EXE
PID:3616 -
\??\c:\hhhbtb.exec:\hhhbtb.exe37⤵
- Executes dropped EXE
PID:772 -
\??\c:\nbntbt.exec:\nbntbt.exe38⤵
- Executes dropped EXE
PID:4400 -
\??\c:\jjdvj.exec:\jjdvj.exe39⤵
- Executes dropped EXE
PID:1152 -
\??\c:\htbttn.exec:\htbttn.exe40⤵
- Executes dropped EXE
PID:2012 -
\??\c:\hhhhhn.exec:\hhhhhn.exe41⤵
- Executes dropped EXE
PID:1508 -
\??\c:\pvppj.exec:\pvppj.exe42⤵
- Executes dropped EXE
PID:3188 -
\??\c:\rllllll.exec:\rllllll.exe43⤵
- Executes dropped EXE
PID:2444 -
\??\c:\nbhbtt.exec:\nbhbtt.exe44⤵
- Executes dropped EXE
PID:3584 -
\??\c:\tnhbtn.exec:\tnhbtn.exe45⤵
- Executes dropped EXE
PID:60 -
\??\c:\dvjdd.exec:\dvjdd.exe46⤵
- Executes dropped EXE
PID:2620 -
\??\c:\xrrfxll.exec:\xrrfxll.exe47⤵
- Executes dropped EXE
PID:4308 -
\??\c:\1lrfxfr.exec:\1lrfxfr.exe48⤵
- Executes dropped EXE
PID:4700 -
\??\c:\tnnhnh.exec:\tnnhnh.exe49⤵
- Executes dropped EXE
PID:4168 -
\??\c:\vvvvd.exec:\vvvvd.exe50⤵
- Executes dropped EXE
PID:1564 -
\??\c:\vpppp.exec:\vpppp.exe51⤵
- Executes dropped EXE
PID:4740 -
\??\c:\fxfxllr.exec:\fxfxllr.exe52⤵
- Executes dropped EXE
PID:4628 -
\??\c:\nbhhhn.exec:\nbhhhn.exe53⤵
- Executes dropped EXE
PID:3828 -
\??\c:\9vpjv.exec:\9vpjv.exe54⤵
- Executes dropped EXE
PID:1760 -
\??\c:\vvdvp.exec:\vvdvp.exe55⤵
- Executes dropped EXE
PID:2468 -
\??\c:\xfllxrr.exec:\xfllxrr.exe56⤵
- Executes dropped EXE
PID:3456 -
\??\c:\hbbhbt.exec:\hbbhbt.exe57⤵
- Executes dropped EXE
PID:908 -
\??\c:\tntttt.exec:\tntttt.exe58⤵
- Executes dropped EXE
PID:3492 -
\??\c:\jddvd.exec:\jddvd.exe59⤵
- Executes dropped EXE
PID:4616 -
\??\c:\dpvdj.exec:\dpvdj.exe60⤵
- Executes dropped EXE
PID:4572 -
\??\c:\lxlxrrl.exec:\lxlxrrl.exe61⤵
- Executes dropped EXE
PID:4608 -
\??\c:\thtnnb.exec:\thtnnb.exe62⤵
- Executes dropped EXE
PID:4248 -
\??\c:\thhbtt.exec:\thhbtt.exe63⤵
- Executes dropped EXE
PID:3380 -
\??\c:\pvvvd.exec:\pvvvd.exe64⤵
- Executes dropped EXE
PID:940 -
\??\c:\frlllxr.exec:\frlllxr.exe65⤵
- Executes dropped EXE
PID:4956 -
\??\c:\frllfxr.exec:\frllfxr.exe66⤵PID:892
-
\??\c:\bhtthb.exec:\bhtthb.exe67⤵PID:1088
-
\??\c:\ddvpj.exec:\ddvpj.exe68⤵PID:4492
-
\??\c:\jvjdd.exec:\jvjdd.exe69⤵PID:4504
-
\??\c:\lxfxrxf.exec:\lxfxrxf.exe70⤵PID:3908
-
\??\c:\nbthhn.exec:\nbthhn.exe71⤵PID:4196
-
\??\c:\vjjdp.exec:\vjjdp.exe72⤵PID:3780
-
\??\c:\7djvj.exec:\7djvj.exe73⤵PID:1416
-
\??\c:\frxrrrl.exec:\frxrrrl.exe74⤵PID:1684
-
\??\c:\5bbthb.exec:\5bbthb.exe75⤵PID:1356
-
\??\c:\hntthb.exec:\hntthb.exe76⤵PID:3872
-
\??\c:\jjjdd.exec:\jjjdd.exe77⤵PID:3620
-
\??\c:\jddvj.exec:\jddvj.exe78⤵PID:4184
-
\??\c:\flrfxrl.exec:\flrfxrl.exe79⤵PID:1280
-
\??\c:\fxllfrf.exec:\fxllfrf.exe80⤵PID:216
-
\??\c:\hnnnnt.exec:\hnnnnt.exe81⤵PID:2908
-
\??\c:\vjvjj.exec:\vjvjj.exe82⤵PID:3012
-
\??\c:\jdpjv.exec:\jdpjv.exe83⤵PID:2472
-
\??\c:\lrflxxr.exec:\lrflxxr.exe84⤵PID:4048
-
\??\c:\hhbtnh.exec:\hhbtnh.exe85⤵PID:2652
-
\??\c:\dvvjv.exec:\dvvjv.exe86⤵PID:64
-
\??\c:\pdvvj.exec:\pdvvj.exe87⤵PID:4264
-
\??\c:\fflxlfx.exec:\fflxlfx.exe88⤵PID:3716
-
\??\c:\7flfffx.exec:\7flfffx.exe89⤵PID:4460
-
\??\c:\nhbthh.exec:\nhbthh.exe90⤵PID:3140
-
\??\c:\bnnbnn.exec:\bnnbnn.exe91⤵PID:4060
-
\??\c:\pjvpp.exec:\pjvpp.exe92⤵PID:2268
-
\??\c:\dppjv.exec:\dppjv.exe93⤵PID:2588
-
\??\c:\9lfrffx.exec:\9lfrffx.exe94⤵PID:1312
-
\??\c:\xrlffxf.exec:\xrlffxf.exe95⤵PID:1752
-
\??\c:\nhnhnn.exec:\nhnhnn.exe96⤵PID:4592
-
\??\c:\tnnbhb.exec:\tnnbhb.exe97⤵PID:4168
-
\??\c:\jvjdv.exec:\jvjdv.exe98⤵PID:1712
-
\??\c:\llrlffx.exec:\llrlffx.exe99⤵PID:3376
-
\??\c:\xrlrlrl.exec:\xrlrlrl.exe100⤵PID:4628
-
\??\c:\tnttbh.exec:\tnttbh.exe101⤵PID:4332
-
\??\c:\5bnhhh.exec:\5bnhhh.exe102⤵PID:2168
-
\??\c:\vpjdv.exec:\vpjdv.exe103⤵PID:4960
-
\??\c:\xffxrrx.exec:\xffxrrx.exe104⤵PID:3612
-
\??\c:\xrrlfxr.exec:\xrrlfxr.exe105⤵PID:1796
-
\??\c:\1hhbnn.exec:\1hhbnn.exe106⤵PID:664
-
\??\c:\vdjdd.exec:\vdjdd.exe107⤵PID:3632
-
\??\c:\pvvpj.exec:\pvvpj.exe108⤵PID:3896
-
\??\c:\rllffxx.exec:\rllffxx.exe109⤵PID:4248
-
\??\c:\httnbb.exec:\httnbb.exe110⤵PID:4500
-
\??\c:\5tnhnt.exec:\5tnhnt.exe111⤵PID:3360
-
\??\c:\3dvpj.exec:\3dvpj.exe112⤵PID:3404
-
\??\c:\vpjdd.exec:\vpjdd.exe113⤵PID:1876
-
\??\c:\ffxrllf.exec:\ffxrllf.exe114⤵PID:1412
-
\??\c:\hhtnhh.exec:\hhtnhh.exe115⤵PID:4932
-
\??\c:\thnhbt.exec:\thnhbt.exe116⤵PID:2096
-
\??\c:\jdddj.exec:\jdddj.exe117⤵PID:4580
-
\??\c:\flrlxfl.exec:\flrlxfl.exe118⤵PID:1624
-
\??\c:\xfllrrx.exec:\xfllrrx.exe119⤵PID:1408
-
\??\c:\llrxlfl.exec:\llrxlfl.exe120⤵PID:4120
-
\??\c:\5btbnb.exec:\5btbnb.exe121⤵PID:4692
-
\??\c:\vjjdp.exec:\vjjdp.exe122⤵PID:4840