Analysis
max time kernel: 150s
max time network: 113s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21-06-2024 03:09
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample: c2266a76314b0da3efbbe0f5b732d5154b7a28f12f18c67f1d2ed04ddab08220.exe
Resource: win7-20231129-en
6 signatures
150 seconds
General
Target: c2266a76314b0da3efbbe0f5b732d5154b7a28f12f18c67f1d2ed04ddab08220.exe
Size: 59KB
MD5: 2b9443cd51ebfaf0743dc440938b92bd
SHA1: 98c0febdb7b11ccac48a98c214565ca4bb7f080a
SHA256: c2266a76314b0da3efbbe0f5b732d5154b7a28f12f18c67f1d2ed04ddab08220
SHA512: 753a28da4bb63ff528e1825029ccbd5a0cdfc84fc420dc88848b5991fb3cae8155ece8a798171c6489a673bcd5bf130fb616fcc6f50ab961ef88d703b4facb85
SSDEEP: 1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxND0chVnY:ymb3NkkiQ3mdBjF0crY
Malware Config
Signatures
Detect Blackmoon payload 24 IoCs
UPX dump on OEP (original entry point) 26 IoCs
Executes dropped EXE 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes