Analysis
-
max time kernel
150s -
max time network
132s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240508-en locale:en-us os:windows10-2004-x64 system -
submitted
21-06-2024 05:01
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
ec90f261cd00173f7ad9e1ae26b4ea91b62c293fac076000543bafdc0c87d8b1.exe
Resource
win7-20240221-en
5 signatures
150 seconds
General
-
Target
ec90f261cd00173f7ad9e1ae26b4ea91b62c293fac076000543bafdc0c87d8b1.exe
-
Size
65KB
-
MD5
57037062c0eedfe4b8257fb5b05428a7
-
SHA1
3107d8e6c7abc7cf0793890e48dd813eb9a90cce
-
SHA256
ec90f261cd00173f7ad9e1ae26b4ea91b62c293fac076000543bafdc0c87d8b1
-
SHA512
dbfd071cb3ca16f314e8c714a2839a2b8d22a265460e199e8150fcc18e408b3f67d09f0f9723f2365a84b15ae9abd322fe81f4b65aa9091b8e5eee49d1be6fa1
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxND0yUuYp+5C8+Luv0:ymb3NkkiQ3mdBjF0yMlb
Malware Config
Signatures
-
Detect Blackmoon payload 26 IoCs
Executes dropped EXE 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\ec90f261cd00173f7ad9e1ae26b4ea91b62c293fac076000543bafdc0c87d8b1.exe"C:\Users\Admin\AppData\Local\Temp\ec90f261cd00173f7ad9e1ae26b4ea91b62c293fac076000543bafdc0c87d8b1.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:624 -
\??\c:\frrrrrr.exec:\frrrrrr.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4988 -
\??\c:\ntttnt.exec:\ntttnt.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1776 -
\??\c:\djddv.exec:\djddv.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1168 -
\??\c:\xrllxxx.exec:\xrllxxx.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5028 -
\??\c:\9bhhbb.exec:\9bhhbb.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2572 -
\??\c:\vvvvj.exec:\vvvvj.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5092 -
\??\c:\rllfflr.exec:\rllfflr.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1384 -
\??\c:\rfrllxl.exec:\rfrllxl.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4152 -
\??\c:\tbtbtb.exec:\tbtbtb.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2152 -
\??\c:\dpjjd.exec:\dpjjd.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2952 -
\??\c:\pjjdv.exec:\pjjdv.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3868 -
\??\c:\rffxrrx.exec:\rffxrrx.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1196 -
\??\c:\bnhbtt.exec:\bnhbtt.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3876 -
\??\c:\jvdvj.exec:\jvdvj.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4624 -
\??\c:\fxlfffl.exec:\fxlfffl.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4544 -
\??\c:\xrrlfrr.exec:\xrrlfrr.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2832 -
\??\c:\3ntttb.exec:\3ntttb.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4760 -
\??\c:\vdddv.exec:\vdddv.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4144 -
\??\c:\9lllflf.exec:\9lllflf.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4928 -
\??\c:\9hhhhn.exec:\9hhhhn.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1916 -
\??\c:\tttnhn.exec:\tttnhn.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4688 -
\??\c:\jdvjp.exec:\jdvjp.exe23⤵
- Executes dropped EXE
PID:4692 -
\??\c:\fflfrrx.exec:\fflfrrx.exe24⤵
- Executes dropped EXE
PID:4844 -
\??\c:\xxllfxr.exec:\xxllfxr.exe25⤵
- Executes dropped EXE
PID:4576 -
\??\c:\bhbtnn.exec:\bhbtnn.exe26⤵
- Executes dropped EXE
PID:1044 -
\??\c:\nbbtnn.exec:\nbbtnn.exe27⤵
- Executes dropped EXE
PID:4972 -
\??\c:\jvjdp.exec:\jvjdp.exe28⤵
- Executes dropped EXE
PID:384 -
\??\c:\bnbtnn.exec:\bnbtnn.exe29⤵
- Executes dropped EXE
PID:4444 -
\??\c:\vpvvp.exec:\vpvvp.exe30⤵
- Executes dropped EXE
PID:3540 -
\??\c:\vpvvp.exec:\vpvvp.exe31⤵
- Executes dropped EXE
PID:3464 -
\??\c:\llrrxxr.exec:\llrrxxr.exe32⤵
- Executes dropped EXE
PID:4340 -
\??\c:\bnhnhn.exec:\bnhnhn.exe33⤵
- Executes dropped EXE
PID:4936 -
\??\c:\bbbbtt.exec:\bbbbtt.exe34⤵
- Executes dropped EXE
PID:5048 -
\??\c:\vpjdd.exec:\vpjdd.exe35⤵
- Executes dropped EXE
PID:5060 -
\??\c:\dpvdp.exec:\dpvdp.exe36⤵
- Executes dropped EXE
PID:876 -
\??\c:\xrlfxxr.exec:\xrlfxxr.exe37⤵
- Executes dropped EXE
PID:4924 -
\??\c:\ntbtnn.exec:\ntbtnn.exe38⤵
- Executes dropped EXE
PID:3092 -
\??\c:\bntnnh.exec:\bntnnh.exe39⤵
- Executes dropped EXE
PID:4108 -
\??\c:\pdvpj.exec:\pdvpj.exe40⤵
- Executes dropped EXE
PID:4984 -
\??\c:\lxfxlrr.exec:\lxfxlrr.exe41⤵
- Executes dropped EXE
PID:1524 -
\??\c:\rlxxffr.exec:\rlxxffr.exe42⤵
- Executes dropped EXE
PID:3160 -
\??\c:\thttnt.exec:\thttnt.exe43⤵
- Executes dropped EXE
PID:1596 -
\??\c:\bnhbtt.exec:\bnhbtt.exe44⤵
- Executes dropped EXE
PID:2204 -
\??\c:\dvvpd.exec:\dvvpd.exe45⤵
- Executes dropped EXE
PID:4624 -
\??\c:\jvppj.exec:\jvppj.exe46⤵
- Executes dropped EXE
PID:428 -
\??\c:\xrllfff.exec:\xrllfff.exe47⤵
- Executes dropped EXE
PID:3348 -
\??\c:\frrrrrr.exec:\frrrrrr.exe48⤵
- Executes dropped EXE
PID:752 -
\??\c:\rlxrrrl.exec:\rlxrrrl.exe49⤵
- Executes dropped EXE
PID:3144 -
\??\c:\5tbbtt.exec:\5tbbtt.exe50⤵
- Executes dropped EXE
PID:2760 -
\??\c:\tbbthh.exec:\tbbthh.exe51⤵
- Executes dropped EXE
PID:1504 -
\??\c:\jvjjj.exec:\jvjjj.exe52⤵
- Executes dropped EXE
PID:512 -
\??\c:\pdjdv.exec:\pdjdv.exe53⤵
- Executes dropped EXE
PID:1864 -
\??\c:\fllfffx.exec:\fllfffx.exe54⤵
- Executes dropped EXE
PID:4016 -
\??\c:\lrxxfll.exec:\lrxxfll.exe55⤵
- Executes dropped EXE
PID:4436 -
\??\c:\tnnhbb.exec:\tnnhbb.exe56⤵
- Executes dropped EXE
PID:4692 -
\??\c:\bhtnhh.exec:\bhtnhh.exe57⤵
- Executes dropped EXE
PID:3600 -
\??\c:\jjjdv.exec:\jjjdv.exe58⤵
- Executes dropped EXE
PID:4480 -
\??\c:\pppjd.exec:\pppjd.exe59⤵
- Executes dropped EXE
PID:3276 -
\??\c:\xlrrxrx.exec:\xlrrxrx.exe60⤵
- Executes dropped EXE
PID:672 -
\??\c:\bntthb.exec:\bntthb.exe61⤵
- Executes dropped EXE
PID:3292 -
\??\c:\thtntb.exec:\thtntb.exe62⤵
- Executes dropped EXE
PID:1592 -
\??\c:\dvdpj.exec:\dvdpj.exe63⤵
- Executes dropped EXE
PID:1784 -
\??\c:\pdjvp.exec:\pdjvp.exe64⤵
- Executes dropped EXE
PID:4464 -
\??\c:\lffxrrl.exec:\lffxrrl.exe65⤵
- Executes dropped EXE
PID:4988 -
\??\c:\nnbtnh.exec:\nnbtnh.exe66⤵PID:3888
-
\??\c:\5nnbtn.exec:\5nnbtn.exe67⤵PID:3820
-
\??\c:\dvvpd.exec:\dvvpd.exe68⤵PID:4700
-
\??\c:\dvvvp.exec:\dvvvp.exe69⤵PID:3332
-
\??\c:\llfrlfx.exec:\llfrlfx.exe70⤵PID:540
-
\??\c:\1rrrfxr.exec:\1rrrfxr.exe71⤵PID:2464
-
\??\c:\hthbbt.exec:\hthbbt.exe72⤵PID:3956
-
\??\c:\tnbbhh.exec:\tnbbhh.exe73⤵PID:4228
-
\??\c:\pvvpj.exec:\pvvpj.exe74⤵PID:4160
-
\??\c:\1dvpd.exec:\1dvpd.exe75⤵PID:1812
-
\??\c:\ppdjd.exec:\ppdjd.exe76⤵PID:3284
-
\??\c:\1llfxlx.exec:\1llfxlx.exe77⤵PID:3860
-
\??\c:\rffxxrr.exec:\rffxxrr.exe78⤵PID:4492
-
\??\c:\nhhhnh.exec:\nhhhnh.exe79⤵PID:1800
-
\??\c:\nbbtnh.exec:\nbbtnh.exe80⤵PID:3020
-
\??\c:\jpvjv.exec:\jpvjv.exe81⤵PID:2204
-
\??\c:\7rfxlrl.exec:\7rfxlrl.exe82⤵PID:4200
-
\??\c:\rxxxrlf.exec:\rxxxrlf.exe83⤵PID:3268
-
\??\c:\9nbbhh.exec:\9nbbhh.exe84⤵PID:3948
-
\??\c:\xffxlfx.exec:\xffxlfx.exe85⤵PID:1736
-
\??\c:\nhnntt.exec:\nhnntt.exe86⤵PID:1100
-
\??\c:\7hnhnn.exec:\7hnhnn.exe87⤵PID:2156
-
\??\c:\hbtnhb.exec:\hbtnhb.exe88⤵PID:4864
-
\??\c:\jddpj.exec:\jddpj.exe89⤵PID:3404
-
\??\c:\vjjvj.exec:\vjjvj.exe90⤵PID:3264
-
\??\c:\rlrlffx.exec:\rlrlffx.exe91⤵PID:1108
-
\??\c:\rrxrffx.exec:\rrxrffx.exe92⤵PID:1356
-
\??\c:\ntttnn.exec:\ntttnn.exe93⤵PID:5096
-
\??\c:\vjvjd.exec:\vjvjd.exe94⤵PID:2948
-
\??\c:\7xxllxr.exec:\7xxllxr.exe95⤵PID:3720
-
\??\c:\7xllffx.exec:\7xllffx.exe96⤵PID:4448
-
\??\c:\nhhbnn.exec:\nhhbnn.exe97⤵PID:3816
-
\??\c:\tthbbt.exec:\tthbbt.exe98⤵PID:4444
-
\??\c:\hbbnbb.exec:\hbbnbb.exe99⤵PID:2960
-
\??\c:\djddp.exec:\djddp.exe100⤵PID:4104
-
\??\c:\djjjd.exec:\djjjd.exe101⤵PID:2540
-
\??\c:\ffflxfx.exec:\ffflxfx.exe102⤵PID:4672
-
\??\c:\7lrrllf.exec:\7lrrllf.exe103⤵PID:4340
-
\??\c:\fxxrffx.exec:\fxxrffx.exe104⤵PID:5048
-
\??\c:\9bttnn.exec:\9bttnn.exe105⤵PID:540
-
\??\c:\tttbnb.exec:\tttbnb.exe106⤵PID:2464
-
\??\c:\9ppjv.exec:\9ppjv.exe107⤵PID:4924
-
\??\c:\pdpjd.exec:\pdpjd.exe108⤵PID:4228
-
\??\c:\1llfllr.exec:\1llfllr.exe109⤵PID:4160
-
\??\c:\frxrllf.exec:\frxrllf.exe110⤵PID:1812
-
\??\c:\frxrllf.exec:\frxrllf.exe111⤵PID:2160
-
\??\c:\bttnnh.exec:\bttnnh.exe112⤵PID:2520
-
\??\c:\hhhbth.exec:\hhhbth.exe113⤵PID:864
-
\??\c:\jvpvd.exec:\jvpvd.exe114⤵PID:4716
-
\??\c:\3vpjd.exec:\3vpjd.exe115⤵PID:4728
-
\??\c:\lflffrr.exec:\lflffrr.exe116⤵PID:1408
-
\??\c:\9lxffff.exec:\9lxffff.exe117⤵PID:428
-
\??\c:\xlxrlrl.exec:\xlxrlrl.exe118⤵PID:3348
-
\??\c:\1httnn.exec:\1httnn.exe119⤵PID:752
-
\??\c:\bbtthh.exec:\bbtthh.exe120⤵PID:3000
-
\??\c:\3pvdp.exec:\3pvdp.exe121⤵PID:2644
-
\??\c:\5ppjd.exec:\5ppjd.exe122⤵PID:4092