Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 06-06-2024 06:20

Static task
- static1: 1 signatures

Behavioral task
- behavioral1: sample cb7917154578a6c8777b6fd81e51ab32997963cbb9ef09490cdac079c1d71001.exe, resource win7-20240221-en, 6 signatures, 150 seconds
General
- Target: cb7917154578a6c8777b6fd81e51ab32997963cbb9ef09490cdac079c1d71001.exe
- Size: 60KB
- MD5: 717d6504a1c9606283a4c6b5d6d8fe17
- SHA1: 3c606b85ae7f5d0cc97185d58f103fa60a8fce6e
- SHA256: cb7917154578a6c8777b6fd81e51ab32997963cbb9ef09490cdac079c1d71001
- SHA512: a9c96162a37465329a243fc953c502a548526b2f53355e3c09aa8e06c9c9f1fca2f111450ba3d7dfbb14c4f33692b7901b4ac67bfc3983d41761ec54b65036f5
- SSDEEP: 1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDIsImseE:ymb3NkkiQ3mdBjFIsIFX
Malware Config
Signatures
-
Detect Blackmoon payload 27 IoCs
UPX dump on OEP (original entry point) 26 IoCs
Executes dropped EXE 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\cb7917154578a6c8777b6fd81e51ab32997963cbb9ef09490cdac079c1d71001.exe"C:\Users\Admin\AppData\Local\Temp\cb7917154578a6c8777b6fd81e51ab32997963cbb9ef09490cdac079c1d71001.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:348 -
\??\c:\lxllrrf.exec:\lxllrrf.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4440 -
\??\c:\rxfllrr.exec:\rxfllrr.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4204 -
\??\c:\hbbbnh.exec:\hbbbnh.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2232 -
\??\c:\dvvvp.exec:\dvvvp.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1224 -
\??\c:\fflfflr.exec:\fflfflr.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4048 -
\??\c:\hnhnhn.exec:\hnhnhn.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2792 -
\??\c:\ttnhbt.exec:\ttnhbt.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1312 -
\??\c:\ppvdd.exec:\ppvdd.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1436 -
\??\c:\frfxllx.exec:\frfxllx.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3892 -
\??\c:\frlfxxx.exec:\frlfxxx.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2216 -
\??\c:\hbnthn.exec:\hbnthn.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3552 -
\??\c:\jjvvd.exec:\jjvvd.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3328 -
\??\c:\jvddd.exec:\jvddd.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2400 -
\??\c:\fxlflfl.exec:\fxlflfl.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2176 -
\??\c:\ttttbb.exec:\ttttbb.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2764 -
\??\c:\nbhhnb.exec:\nbhhnb.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:468 -
\??\c:\djjjj.exec:\djjjj.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5004 -
\??\c:\xlrlxff.exec:\xlrlxff.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2144 -
\??\c:\nttttt.exec:\nttttt.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3068 -
\??\c:\bnbbnn.exec:\bnbbnn.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:560 -
\??\c:\vdvvv.exec:\vdvvv.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4188 -
\??\c:\frfllff.exec:\frfllff.exe23⤵
- Executes dropped EXE
PID:3416 -
\??\c:\xrflffx.exec:\xrflffx.exe24⤵
- Executes dropped EXE
PID:3112 -
\??\c:\ttbttt.exec:\ttbttt.exe25⤵
- Executes dropped EXE
PID:2504 -
\??\c:\5btttb.exec:\5btttb.exe26⤵
- Executes dropped EXE
PID:3284 -
\??\c:\jpjjj.exec:\jpjjj.exe27⤵
- Executes dropped EXE
PID:4208 -
\??\c:\rlllrxf.exec:\rlllrxf.exe28⤵
- Executes dropped EXE
PID:1568 -
\??\c:\flxxffx.exec:\flxxffx.exe29⤵
- Executes dropped EXE
PID:2892 -
\??\c:\bhnnnt.exec:\bhnnnt.exe30⤵
- Executes dropped EXE
PID:2616 -
\??\c:\jjvdd.exec:\jjvdd.exe31⤵
- Executes dropped EXE
PID:3976 -
\??\c:\dpppp.exec:\dpppp.exe32⤵
- Executes dropped EXE
PID:1004 -
\??\c:\xrfxxff.exec:\xrfxxff.exe33⤵
- Executes dropped EXE
PID:1464 -
\??\c:\bhtnnn.exec:\bhtnnn.exe34⤵
- Executes dropped EXE
PID:4568 -
\??\c:\hhnbbh.exec:\hhnbbh.exe35⤵
- Executes dropped EXE
PID:408 -
\??\c:\vpdvd.exec:\vpdvd.exe36⤵
- Executes dropped EXE
PID:4548 -
\??\c:\3pvvp.exec:\3pvvp.exe37⤵
- Executes dropped EXE
PID:4676 -
\??\c:\ffrrlfx.exec:\ffrrlfx.exe38⤵
- Executes dropped EXE
PID:644 -
\??\c:\xxfxlfr.exec:\xxfxlfr.exe39⤵
- Executes dropped EXE
PID:4616 -
\??\c:\tnnbbn.exec:\tnnbbn.exe40⤵
- Executes dropped EXE
PID:4316 -
\??\c:\jpdjp.exec:\jpdjp.exe41⤵
- Executes dropped EXE
PID:3104 -
\??\c:\7ppdv.exec:\7ppdv.exe42⤵
- Executes dropped EXE
PID:3272 -
\??\c:\xllrxxl.exec:\xllrxxl.exe43⤵
- Executes dropped EXE
PID:2832 -
\??\c:\fxflrxx.exec:\fxflrxx.exe44⤵
- Executes dropped EXE
PID:3840 -
\??\c:\nnnnhn.exec:\nnnnhn.exe45⤵
- Executes dropped EXE
PID:836 -
\??\c:\9nnnhb.exec:\9nnnhb.exe46⤵
- Executes dropped EXE
PID:1428 -
\??\c:\ddjpv.exec:\ddjpv.exe47⤵
- Executes dropped EXE
PID:856 -
\??\c:\7jdpj.exec:\7jdpj.exe48⤵
- Executes dropped EXE
PID:4048 -
\??\c:\xfllrxx.exec:\xfllrxx.exe49⤵
- Executes dropped EXE
PID:4472 -
\??\c:\xflxfrx.exec:\xflxfrx.exe50⤵
- Executes dropped EXE
PID:4992 -
\??\c:\ntbnnb.exec:\ntbnnb.exe51⤵
- Executes dropped EXE
PID:3512 -
\??\c:\vvdjp.exec:\vvdjp.exe52⤵
- Executes dropped EXE
PID:3892 -
\??\c:\flrlrlx.exec:\flrlrlx.exe53⤵
- Executes dropped EXE
PID:1364 -
\??\c:\bhtttt.exec:\bhtttt.exe54⤵
- Executes dropped EXE
PID:4504 -
\??\c:\hhnntb.exec:\hhnntb.exe55⤵
- Executes dropped EXE
PID:4996 -
\??\c:\ddddj.exec:\ddddj.exe56⤵
- Executes dropped EXE
PID:4836 -
\??\c:\lxfflxf.exec:\lxfflxf.exe57⤵
- Executes dropped EXE
PID:4960 -
\??\c:\7fxxrrr.exec:\7fxxrrr.exe58⤵
- Executes dropped EXE
PID:3972 -
\??\c:\ntttnn.exec:\ntttnn.exe59⤵
- Executes dropped EXE
PID:2976 -
\??\c:\nbttnn.exec:\nbttnn.exe60⤵
- Executes dropped EXE
PID:228 -
\??\c:\jpppv.exec:\jpppv.exe61⤵
- Executes dropped EXE
PID:2384 -
\??\c:\rxlxrxf.exec:\rxlxrxf.exe62⤵
- Executes dropped EXE
PID:3956 -
\??\c:\9nnnhh.exec:\9nnnhh.exe63⤵
- Executes dropped EXE
PID:4184 -
\??\c:\thttbh.exec:\thttbh.exe64⤵
- Executes dropped EXE
PID:3800 -
\??\c:\vdvpd.exec:\vdvpd.exe65⤵
- Executes dropped EXE
PID:404 -
\??\c:\3vpjd.exec:\3vpjd.exe66⤵PID:1120
-
\??\c:\lrlxlfx.exec:\lrlxlfx.exe67⤵PID:1704
-
\??\c:\frrrlll.exec:\frrrlll.exe68⤵PID:3112
-
\??\c:\ttthtn.exec:\ttthtn.exe69⤵PID:1552
-
\??\c:\jpvjj.exec:\jpvjj.exe70⤵PID:4144
-
\??\c:\jpddj.exec:\jpddj.exe71⤵PID:4288
-
\??\c:\frllxrl.exec:\frllxrl.exe72⤵PID:4208
-
\??\c:\tnbbhn.exec:\tnbbhn.exe73⤵PID:2852
-
\??\c:\nhbtnn.exec:\nhbtnn.exe74⤵PID:1996
-
\??\c:\djppj.exec:\djppj.exe75⤵PID:4424
-
\??\c:\1djdp.exec:\1djdp.exe76⤵PID:564
-
\??\c:\3rffxxf.exec:\3rffxxf.exe77⤵PID:1028
-
\??\c:\llrllll.exec:\llrllll.exe78⤵PID:3504
-
\??\c:\bbhhtt.exec:\bbhhtt.exe79⤵PID:4332
-
\??\c:\nththh.exec:\nththh.exe80⤵PID:1736
-
\??\c:\jjppj.exec:\jjppj.exe81⤵PID:3632
-
\??\c:\jdjdv.exec:\jdjdv.exe82⤵PID:4988
-
\??\c:\xxffffx.exec:\xxffffx.exe83⤵PID:2168
-
\??\c:\5flrrff.exec:\5flrrff.exe84⤵PID:2304
-
\??\c:\bnnhbb.exec:\bnnhbb.exe85⤵PID:2044
-
\??\c:\3bbnnn.exec:\3bbnnn.exe86⤵PID:348
-
\??\c:\9nttnn.exec:\9nttnn.exe87⤵PID:2388
-
\??\c:\jvppj.exec:\jvppj.exe88⤵PID:3904
-
\??\c:\ddddd.exec:\ddddd.exe89⤵PID:2800
-
\??\c:\xxlllll.exec:\xxlllll.exe90⤵PID:3816
-
\??\c:\xlfxrxr.exec:\xlfxrxr.exe91⤵PID:3640
-
\??\c:\7ntnnh.exec:\7ntnnh.exe92⤵PID:1176
-
\??\c:\thhhnh.exec:\thhhnh.exe93⤵PID:748
-
\??\c:\jddjv.exec:\jddjv.exe94⤵PID:4468
-
\??\c:\xffxllr.exec:\xffxllr.exe95⤵PID:3252
-
\??\c:\xxrxrrr.exec:\xxrxrrr.exe96⤵PID:1436
-
\??\c:\5tnbhn.exec:\5tnbhn.exe97⤵PID:3296
-
\??\c:\hhnttb.exec:\hhnttb.exe98⤵PID:4040
-
\??\c:\5jjdv.exec:\5jjdv.exe99⤵PID:3220
-
\??\c:\jdjdv.exec:\jdjdv.exe100⤵PID:996
-
\??\c:\lfrfxxf.exec:\lfrfxxf.exe101⤵PID:3952
-
\??\c:\hnhbbh.exec:\hnhbbh.exe102⤵PID:3020
-
\??\c:\5pdvv.exec:\5pdvv.exe103⤵PID:4916
-
\??\c:\djjpd.exec:\djjpd.exe104⤵PID:4576
-
\??\c:\5fxrffx.exec:\5fxrffx.exe105⤵PID:2176
-
\??\c:\xrxxrxx.exec:\xrxxrxx.exe106⤵PID:4740
-
\??\c:\1thbhh.exec:\1thbhh.exe107⤵PID:1932
-
\??\c:\jvvvj.exec:\jvvvj.exe108⤵PID:3372
-
\??\c:\ttbnhb.exec:\ttbnhb.exe109⤵PID:3052
-
\??\c:\nhhbtt.exec:\nhhbtt.exe110⤵PID:3492
-
\??\c:\hbbtht.exec:\hbbtht.exe111⤵PID:2188
-
\??\c:\3vdvp.exec:\3vdvp.exe112⤵PID:452
-
\??\c:\dppjj.exec:\dppjj.exe113⤵PID:2964
-
\??\c:\7fxfxxl.exec:\7fxfxxl.exe114⤵PID:1848
-
\??\c:\rxlrllf.exec:\rxlrllf.exe115⤵PID:2504
-
\??\c:\tbbbtt.exec:\tbbbtt.exe116⤵PID:3944
-
\??\c:\vjpjv.exec:\vjpjv.exe117⤵PID:5084
-
\??\c:\pvvpj.exec:\pvvpj.exe118⤵PID:3092
-
\??\c:\pvddv.exec:\pvddv.exe119⤵PID:3032
-
\??\c:\5xfxffl.exec:\5xfxffl.exe120⤵PID:3488
-
\??\c:\nhbbtt.exec:\nhbbtt.exe121⤵PID:1624
-
\??\c:\tnhhhh.exec:\tnhhhh.exe122⤵PID:1652