Analysis
-
max time kernel
150s -
max time network
127s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240508-en locale:en-us os:windows10-2004-x64 system -
submitted
06-06-2024 03:43
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
9e3e753c3e0127b1627d1c5b350a393dc9713187ec06bc6257209f0c7546fbc0.exe
Resource
win7-20240508-en
6 signatures
150 seconds
General
-
Target
9e3e753c3e0127b1627d1c5b350a393dc9713187ec06bc6257209f0c7546fbc0.exe
-
Size
67KB
-
MD5
53c2b642afd212fa7aeccaf9087e64b1
-
SHA1
fc70f1ebcf2d26b30437e4765808fe2e0bf5272a
-
SHA256
9e3e753c3e0127b1627d1c5b350a393dc9713187ec06bc6257209f0c7546fbc0
-
SHA512
9fe432f93981772589825ac480427a9a820c0ea5d7e73dd83bfb2abb73d4c04de413530655446efae07329b73984c982474f87561aa7d9d13b4e63ef851021b4
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxND0yUuYp+5C8+LuvPrgpX6:ymb3NkkiQ3mdBjF0yMlwrj
Malware Config
Signatures
-
Detect Blackmoon payload 26 IoCs
Processes:
UPX dump on OEP (original entry point) 28 IoCs
Processes:
Executes dropped EXE 64 IoCs
Processes:
Processes:
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
Processes
-
C:\Users\Admin\AppData\Local\Temp\9e3e753c3e0127b1627d1c5b350a393dc9713187ec06bc6257209f0c7546fbc0.exe"C:\Users\Admin\AppData\Local\Temp\9e3e753c3e0127b1627d1c5b350a393dc9713187ec06bc6257209f0c7546fbc0.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2896 -
\??\c:\vvddv.exec:\vvddv.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1580 -
\??\c:\9lfxrlf.exec:\9lfxrlf.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3012 -
\??\c:\pdvpp.exec:\pdvpp.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5008 -
\??\c:\jddvp.exec:\jddvp.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4964 -
\??\c:\rlxrlff.exec:\rlxrlff.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2508 -
\??\c:\thnnnb.exec:\thnnnb.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:840 -
\??\c:\vpvpj.exec:\vpvpj.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2560 -
\??\c:\jvdvp.exec:\jvdvp.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:700 -
\??\c:\xrlfxrl.exec:\xrlfxrl.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4492 -
\??\c:\bnnnhb.exec:\bnnnhb.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2696 -
\??\c:\jvdvp.exec:\jvdvp.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1296 -
\??\c:\dpvdp.exec:\dpvdp.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3572 -
\??\c:\5llxrrl.exec:\5llxrrl.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4984 -
\??\c:\hththt.exec:\hththt.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4268 -
\??\c:\dppvp.exec:\dppvp.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4432 -
\??\c:\vpvvd.exec:\vpvvd.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4728 -
\??\c:\xrlfrll.exec:\xrlfrll.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1364 -
\??\c:\nhhbbb.exec:\nhhbbb.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4376 -
\??\c:\dvvdv.exec:\dvvdv.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2900 -
\??\c:\ppjjd.exec:\ppjjd.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2000 -
\??\c:\xxlflll.exec:\xxlflll.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3252 -
\??\c:\hbnthn.exec:\hbnthn.exe23⤵
- Executes dropped EXE
PID:2136 -
\??\c:\tnnbnt.exec:\tnnbnt.exe24⤵
- Executes dropped EXE
PID:4540 -
\??\c:\dvvpp.exec:\dvvpp.exe25⤵
- Executes dropped EXE
PID:980 -
\??\c:\xfxxxxr.exec:\xfxxxxr.exe26⤵
- Executes dropped EXE
PID:4784 -
\??\c:\nnttbh.exec:\nnttbh.exe27⤵
- Executes dropped EXE
PID:2200 -
\??\c:\nhbhhn.exec:\nhbhhn.exe28⤵
- Executes dropped EXE
PID:4812 -
\??\c:\jdvvv.exec:\jdvvv.exe29⤵
- Executes dropped EXE
PID:2044 -
\??\c:\ddjjd.exec:\ddjjd.exe30⤵
- Executes dropped EXE
PID:940 -
\??\c:\lfrlflf.exec:\lfrlflf.exe31⤵
- Executes dropped EXE
PID:2896 -
\??\c:\hnhhhb.exec:\hnhhhb.exe32⤵
- Executes dropped EXE
PID:1580 -
\??\c:\dvdvj.exec:\dvdvj.exe33⤵
- Executes dropped EXE
PID:2384 -
\??\c:\frxrrrl.exec:\frxrrrl.exe34⤵
- Executes dropped EXE
PID:4372 -
\??\c:\nthtbh.exec:\nthtbh.exe35⤵
- Executes dropped EXE
PID:2684 -
\??\c:\btnhtt.exec:\btnhtt.exe36⤵
- Executes dropped EXE
PID:2948 -
\??\c:\vjdjd.exec:\vjdjd.exe37⤵
- Executes dropped EXE
PID:2504 -
\??\c:\llrrffx.exec:\llrrffx.exe38⤵
- Executes dropped EXE
PID:4532 -
\??\c:\1ttttb.exec:\1ttttb.exe39⤵
- Executes dropped EXE
PID:4544 -
\??\c:\3hnntt.exec:\3hnntt.exe40⤵
- Executes dropped EXE
PID:4872 -
\??\c:\1jpjj.exec:\1jpjj.exe41⤵
- Executes dropped EXE
PID:4492 -
\??\c:\pjpjd.exec:\pjpjd.exe42⤵
- Executes dropped EXE
PID:5060 -
\??\c:\rllfrxr.exec:\rllfrxr.exe43⤵
- Executes dropped EXE
PID:3940 -
\??\c:\tnhhbb.exec:\tnhhbb.exe44⤵
- Executes dropped EXE
PID:556 -
\??\c:\7thbhn.exec:\7thbhn.exe45⤵
- Executes dropped EXE
PID:5016 -
\??\c:\jjjdp.exec:\jjjdp.exe46⤵
- Executes dropped EXE
PID:1664 -
\??\c:\xxlfxxl.exec:\xxlfxxl.exe47⤵
- Executes dropped EXE
PID:4844 -
\??\c:\httbhh.exec:\httbhh.exe48⤵
- Executes dropped EXE
PID:4752 -
\??\c:\thhhbb.exec:\thhhbb.exe49⤵
- Executes dropped EXE
PID:4380 -
\??\c:\pjvpd.exec:\pjvpd.exe50⤵
- Executes dropped EXE
PID:4948 -
\??\c:\5jddv.exec:\5jddv.exe51⤵
- Executes dropped EXE
PID:3616 -
\??\c:\fxxfrxr.exec:\fxxfrxr.exe52⤵
- Executes dropped EXE
PID:3904 -
\??\c:\5rrfxll.exec:\5rrfxll.exe53⤵
- Executes dropped EXE
PID:1168 -
\??\c:\bbbhbb.exec:\bbbhbb.exe54⤵
- Executes dropped EXE
PID:4560 -
\??\c:\vpvdj.exec:\vpvdj.exe55⤵
- Executes dropped EXE
PID:4312 -
\??\c:\dvdvj.exec:\dvdvj.exe56⤵
- Executes dropped EXE
PID:4484 -
\??\c:\1frrflf.exec:\1frrflf.exe57⤵
- Executes dropped EXE
PID:4960 -
\??\c:\bnnntb.exec:\bnnntb.exe58⤵
- Executes dropped EXE
PID:468 -
\??\c:\nbbbnt.exec:\nbbbnt.exe59⤵
- Executes dropped EXE
PID:1092 -
\??\c:\jjpvv.exec:\jjpvv.exe60⤵
- Executes dropped EXE
PID:4764 -
\??\c:\vjpjd.exec:\vjpjd.exe61⤵
- Executes dropped EXE
PID:2460 -
\??\c:\xrrrflf.exec:\xrrrflf.exe62⤵
- Executes dropped EXE
PID:2044 -
\??\c:\ffffxxx.exec:\ffffxxx.exe63⤵
- Executes dropped EXE
PID:2796 -
\??\c:\nbnntn.exec:\nbnntn.exe64⤵
- Executes dropped EXE
PID:3476 -
\??\c:\nthbbn.exec:\nthbbn.exe65⤵
- Executes dropped EXE
PID:5052 -
\??\c:\nhhhbb.exec:\nhhhbb.exe66⤵PID:3012
-
\??\c:\jvddv.exec:\jvddv.exe67⤵PID:2648
-
\??\c:\rllfxxx.exec:\rllfxxx.exe68⤵PID:1408
-
\??\c:\xfllrrl.exec:\xfllrrl.exe69⤵PID:968
-
\??\c:\bhbtnh.exec:\bhbtnh.exe70⤵PID:2948
-
\??\c:\3bnnnt.exec:\3bnnnt.exe71⤵PID:2504
-
\??\c:\ddvvp.exec:\ddvvp.exe72⤵PID:1636
-
\??\c:\pjjpp.exec:\pjjpp.exe73⤵PID:4608
-
\??\c:\rfflllf.exec:\rfflllf.exe74⤵PID:4872
-
\??\c:\htbbtb.exec:\htbbtb.exe75⤵PID:2832
-
\??\c:\nbthnh.exec:\nbthnh.exe76⤵PID:2232
-
\??\c:\ppvpd.exec:\ppvpd.exe77⤵PID:4232
-
\??\c:\rflxxxr.exec:\rflxxxr.exe78⤵PID:952
-
\??\c:\nnnnnh.exec:\nnnnnh.exe79⤵PID:5016
-
\??\c:\9bnnbh.exec:\9bnnbh.exe80⤵PID:3760
-
\??\c:\jjvjj.exec:\jjvjj.exe81⤵PID:4844
-
\??\c:\vjvpp.exec:\vjvpp.exe82⤵PID:3140
-
\??\c:\3xffllr.exec:\3xffllr.exe83⤵PID:1932
-
\??\c:\fxxxrxr.exec:\fxxxrxr.exe84⤵PID:4948
-
\??\c:\lflflrl.exec:\lflflrl.exe85⤵PID:2804
-
\??\c:\hntttt.exec:\hntttt.exe86⤵PID:1444
-
\??\c:\jjppp.exec:\jjppp.exe87⤵PID:3280
-
\??\c:\jvdvp.exec:\jvdvp.exe88⤵PID:1984
-
\??\c:\pjddv.exec:\pjddv.exe89⤵PID:3680
-
\??\c:\htnhbb.exec:\htnhbb.exe90⤵PID:624
-
\??\c:\bhbbbh.exec:\bhbbbh.exe91⤵PID:448
-
\??\c:\pjpjd.exec:\pjpjd.exe92⤵PID:468
-
\??\c:\jjppj.exec:\jjppj.exe93⤵PID:1092
-
\??\c:\rfffxlf.exec:\rfffxlf.exe94⤵PID:988
-
\??\c:\fxxxxff.exec:\fxxxxff.exe95⤵PID:2788
-
\??\c:\httbhn.exec:\httbhn.exe96⤵PID:4324
-
\??\c:\btbhbb.exec:\btbhbb.exe97⤵PID:384
-
\??\c:\vpvjj.exec:\vpvjj.exe98⤵PID:1580
-
\??\c:\pddvv.exec:\pddvv.exe99⤵PID:4364
-
\??\c:\ddppj.exec:\ddppj.exe100⤵PID:3012
-
\??\c:\xrrrlrr.exec:\xrrrlrr.exe101⤵PID:1900
-
\??\c:\lffffll.exec:\lffffll.exe102⤵PID:4388
-
\??\c:\htbttt.exec:\htbttt.exe103⤵PID:2560
-
\??\c:\tttbnn.exec:\tttbnn.exe104⤵PID:1012
-
\??\c:\7jjjd.exec:\7jjjd.exe105⤵PID:4544
-
\??\c:\pjjdd.exec:\pjjdd.exe106⤵PID:700
-
\??\c:\7frlllf.exec:\7frlllf.exe107⤵PID:2176
-
\??\c:\xrllffl.exec:\xrllffl.exe108⤵PID:2660
-
\??\c:\xrllffl.exec:\xrllffl.exe109⤵PID:1832
-
\??\c:\tttttb.exec:\tttttb.exe110⤵PID:412
-
\??\c:\bnbbhn.exec:\bnbbhn.exe111⤵PID:2168
-
\??\c:\pjvpd.exec:\pjvpd.exe112⤵PID:1912
-
\??\c:\vpjdv.exec:\vpjdv.exe113⤵PID:4976
-
\??\c:\vppjj.exec:\vppjj.exe114⤵PID:4588
-
\??\c:\lfllflr.exec:\lfllflr.exe115⤵PID:3264
-
\??\c:\lflrllx.exec:\lflrllx.exe116⤵PID:3060
-
\??\c:\hbhhtt.exec:\hbhhtt.exe117⤵PID:1448
-
\??\c:\btbhbb.exec:\btbhbb.exe118⤵PID:2804
-
\??\c:\vvjjd.exec:\vvjjd.exe119⤵PID:3872
-
\??\c:\jpppj.exec:\jpppj.exe120⤵PID:1204
-
\??\c:\rrxxxxf.exec:\rrxxxxf.exe121⤵PID:1984
-
\??\c:\xffxllf.exec:\xffxllf.exe122⤵PID:2500
-