Analysis
-
max time kernel
150s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240508-en locale:en-us os:windows10-2004-x64 system -
submitted
06-06-2024 06:32
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
cf38f35800aced4a939beb12f36a97a408ced4a73c447051abafcbed6cc59ac1.exe
Resource
win7-20240221-en
6 signatures
150 seconds
General
-
Target
cf38f35800aced4a939beb12f36a97a408ced4a73c447051abafcbed6cc59ac1.exe
-
Size
109KB
-
MD5
f18ef7dff4c3816c33da7fdecfdb42ba
-
SHA1
78850cef70c4aaf88da9d6a9b7a8d70613388175
-
SHA256
cf38f35800aced4a939beb12f36a97a408ced4a73c447051abafcbed6cc59ac1
-
SHA512
b2fb6b5d8c9e0114dd24c981ba8ed980c489b1dc8f6fe4995f53429cf3dd4302c016af0b6871e7df213208366e946f9e8a597c2601ad8e9e57e78d2e16b208c2
-
SSDEEP
3072:ymb3NkkiQ3mdBjFo73tvn+Yp9X2OXlw5wy:n3C9BRo7tvnJ9Gh55
Malware Config
Signatures
-
Detect Blackmoon payload 27 IoCs
Processes:
resource yara_rule behavioral2/memory/3588-3-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1700-12-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4456-117-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4436-141-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3828-213-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3596-189-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1796-183-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4628-165-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/808-160-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2808-153-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2152-147-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3992-135-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4860-129-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3912-123-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3568-105-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1936-93-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3376-84-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3084-77-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3688-70-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2744-63-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4980-54-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon 
behavioral2/memory/4980-55-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1512-51-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3864-40-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1816-32-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1040-19-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1700-11-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon -
UPX dump on OEP (original entry point) 33 IoCs
Processes:
resource yara_rule behavioral2/memory/3588-3-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/1700-12-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/3864-36-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/1512-45-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/4456-117-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/4436-141-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/3828-213-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/3596-189-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/1796-183-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/4628-165-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/808-160-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/2808-153-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/2152-147-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/3992-135-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/4860-129-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/3912-123-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/3568-105-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/1936-93-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/3376-84-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/3084-77-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/3688-70-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/2744-63-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/4980-54-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/4980-55-0x0000000000400000-0x0000000000429000-memory.dmp UPX 
behavioral2/memory/4980-53-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/1512-51-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/3864-40-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/1816-32-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/1816-27-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/1816-26-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/1040-19-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/1700-11-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/1700-10-0x0000000000400000-0x0000000000429000-memory.dmp UPX -
Executes dropped EXE 64 IoCs
Processes:
ppvpv.exe 3rxrlfx.exe hhtbbh.exe bhbnbb.exe jjjpj.exe dvdvv.exe xlxrxxr.exe fflllfx.exe hntnhb.exe nbtbnn.exe jvvpj.exe pjdvj.exe fflfrlf.exe 1xfxrrl.exe nbbbtn.exe bnhbnh.exe pvvjv.exe jjjdp.exe lfrxffl.exe frlllfl.exe bhnhtt.exe 9vvpd.exe 1rlfllx.exe lxffffx.exe hnttnh.exe hbbtnh.exe jpvjv.exe 7jdvj.exe xlfxlfx.exe 1ffxrlf.exe hhtbbb.exe hnbthb.exe jvpdp.exe vjvpj.exe 7xxrfxr.exe lfxrrxx.exe btbnbh.exe 1hbthh.exe ntnbtn.exe dpppv.exe dddvp.exe rffxrlf.exe llxrlff.exe 7tnhbb.exe 3bbthh.exe tnhbtt.exe jvdpj.exe vjppp.exe xrflffx.exe frfrxrl.exe fxfffff.exe btbbtt.exe tbnnhh.exe vjjdp.exe 5pvjd.exe rflfrll.exe 9lrlllf.exe fxrxrrl.exe nhtntn.exe 7tnhbh.exe vjjdj.exe vpppp.exe 5vdvp.exe rlxrffl.exe
pid process
1700 ppvpv.exe
1040 3rxrlfx.exe
1816 hhtbbh.exe
3864 bhbnbb.exe
1512 jjjpj.exe
4980 dvdvv.exe
2744 xlxrxxr.exe
3688 fflllfx.exe
3084 hntnhb.exe
3376 nbtbnn.exe
1936 jvvpj.exe
3624 pjdvj.exe
3568 fflfrlf.exe
1468 1xfxrrl.exe
4456 nbbbtn.exe
3912 bnhbnh.exe
4860 pvvjv.exe
3992 jjjdp.exe
4436 lfrxffl.exe
2152 frlllfl.exe
2808 bhnhtt.exe
808 9vvpd.exe
4628 1rlfllx.exe
1140 lxffffx.exe
3324 hnttnh.exe
1796 hbbtnh.exe
3596 jpvjv.exe
2464 7jdvj.exe
4668 xlfxlfx.exe
4592 1ffxrlf.exe
3828 hhtbbb.exe
4652 hnbthb.exe
3032 jvpdp.exe
3712 vjvpj.exe
3488 7xxrfxr.exe
4248 lfxrrxx.exe
3880 btbnbh.exe
544 1hbthh.exe
3988 ntnbtn.exe
3340 dpppv.exe
4492 dddvp.exe
3748 rffxrlf.exe
4508 llxrlff.exe
3036 7tnhbb.exe
4696 3bbthh.exe
2792 tnhbtt.exe
2244 jvdpj.exe
1700 vjppp.exe
608 xrflffx.exe
4584 frfrxrl.exe
3480 fxfffff.exe
2336 btbbtt.exe
2880 tbnnhh.exe
3476 vjjdp.exe
4416 5pvjd.exe
3348 rflfrll.exe
444 9lrlllf.exe
2900 fxrxrrl.exe
1340 nhtntn.exe
4444 7tnhbh.exe
3068 vjjdj.exe
4556 vpppp.exe
2476 5vdvp.exe
924 rlxrffl.exe
-
Processes:
resource yara_rule behavioral2/memory/3588-3-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1700-12-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3864-36-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1512-45-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4456-117-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4436-141-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3828-213-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3596-189-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1796-183-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4628-165-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/808-160-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2808-153-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2152-147-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3992-135-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4860-129-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3912-123-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3568-105-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1936-93-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3376-84-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3084-77-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3688-70-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2744-63-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4980-54-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4980-55-0x0000000000400000-0x0000000000429000-memory.dmp upx 
behavioral2/memory/4980-53-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1512-51-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3864-40-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1816-32-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1816-27-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1816-26-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1040-19-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1700-11-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1700-10-0x0000000000400000-0x0000000000429000-memory.dmp upx -
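Suspicious use of WriteProcessMemory 64 IoCs
Note on reading the rows below: PIDs are reused during this run, and the "target process" name is not always the process that held the PID when the write occurred. For example, PID 1700 is named ppvpv.exe where it is the writer but vjppp.exe where it is the target of PID 3588. Use the writer column and the numbered process tree for the parent/child order, and treat target names that do not match as likely PID-reuse artefacts.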
Processes:
cf38f35800aced4a939beb12f36a97a408ced4a73c447051abafcbed6cc59ac1.exeppvpv.exe3rxrlfx.exehhtbbh.exebhbnbb.exejjjpj.exedvdvv.exexlxrxxr.exefflllfx.exehntnhb.exenbtbnn.exejvvpj.exepjdvj.exefflfrlf.exe1xfxrrl.exenbbbtn.exebnhbnh.exepvvjv.exejjjdp.exelfrxffl.exefrlllfl.exebhnhtt.exedescription pid process target process PID 3588 wrote to memory of 1700 3588 cf38f35800aced4a939beb12f36a97a408ced4a73c447051abafcbed6cc59ac1.exe vjppp.exe PID 3588 wrote to memory of 1700 3588 cf38f35800aced4a939beb12f36a97a408ced4a73c447051abafcbed6cc59ac1.exe vjppp.exe PID 3588 wrote to memory of 1700 3588 cf38f35800aced4a939beb12f36a97a408ced4a73c447051abafcbed6cc59ac1.exe vjppp.exe PID 1700 wrote to memory of 1040 1700 ppvpv.exe 3rxrlfx.exe PID 1700 wrote to memory of 1040 1700 ppvpv.exe 3rxrlfx.exe PID 1700 wrote to memory of 1040 1700 ppvpv.exe 3rxrlfx.exe PID 1040 wrote to memory of 1816 1040 3rxrlfx.exe hhtbbh.exe PID 1040 wrote to memory of 1816 1040 3rxrlfx.exe hhtbbh.exe PID 1040 wrote to memory of 1816 1040 3rxrlfx.exe hhtbbh.exe PID 1816 wrote to memory of 3864 1816 hhtbbh.exe bhbnbb.exe PID 1816 wrote to memory of 3864 1816 hhtbbh.exe bhbnbb.exe PID 1816 wrote to memory of 3864 1816 hhtbbh.exe bhbnbb.exe PID 3864 wrote to memory of 1512 3864 bhbnbb.exe jjjpj.exe PID 3864 wrote to memory of 1512 3864 bhbnbb.exe jjjpj.exe PID 3864 wrote to memory of 1512 3864 bhbnbb.exe jjjpj.exe PID 1512 wrote to memory of 4980 1512 jjjpj.exe dvdvv.exe PID 1512 wrote to memory of 4980 1512 jjjpj.exe dvdvv.exe PID 1512 wrote to memory of 4980 1512 jjjpj.exe dvdvv.exe PID 4980 wrote to memory of 2744 4980 dvdvv.exe xlxrxxr.exe PID 4980 wrote to memory of 2744 4980 dvdvv.exe xlxrxxr.exe PID 4980 wrote to memory of 2744 4980 dvdvv.exe xlxrxxr.exe PID 2744 wrote to memory of 3688 2744 xlxrxxr.exe 9bbthb.exe PID 2744 wrote to memory of 3688 2744 xlxrxxr.exe 9bbthb.exe PID 2744 wrote to memory of 3688 2744 xlxrxxr.exe 9bbthb.exe PID 3688 wrote to memory of 3084 3688 fflllfx.exe hntnhb.exe PID 3688 
wrote to memory of 3084 3688 fflllfx.exe hntnhb.exe PID 3688 wrote to memory of 3084 3688 fflllfx.exe hntnhb.exe PID 3084 wrote to memory of 3376 3084 hntnhb.exe nbtbnn.exe PID 3084 wrote to memory of 3376 3084 hntnhb.exe nbtbnn.exe PID 3084 wrote to memory of 3376 3084 hntnhb.exe nbtbnn.exe PID 3376 wrote to memory of 1936 3376 nbtbnn.exe tnhhtt.exe PID 3376 wrote to memory of 1936 3376 nbtbnn.exe tnhhtt.exe PID 3376 wrote to memory of 1936 3376 nbtbnn.exe tnhhtt.exe PID 1936 wrote to memory of 3624 1936 jvvpj.exe pjdvj.exe PID 1936 wrote to memory of 3624 1936 jvvpj.exe pjdvj.exe PID 1936 wrote to memory of 3624 1936 jvvpj.exe pjdvj.exe PID 3624 wrote to memory of 3568 3624 pjdvj.exe fflfrlf.exe PID 3624 wrote to memory of 3568 3624 pjdvj.exe fflfrlf.exe PID 3624 wrote to memory of 3568 3624 pjdvj.exe fflfrlf.exe PID 3568 wrote to memory of 1468 3568 fflfrlf.exe 1xfxrrl.exe PID 3568 wrote to memory of 1468 3568 fflfrlf.exe 1xfxrrl.exe PID 3568 wrote to memory of 1468 3568 fflfrlf.exe 1xfxrrl.exe PID 1468 wrote to memory of 4456 1468 1xfxrrl.exe nbbbtn.exe PID 1468 wrote to memory of 4456 1468 1xfxrrl.exe nbbbtn.exe PID 1468 wrote to memory of 4456 1468 1xfxrrl.exe nbbbtn.exe PID 4456 wrote to memory of 3912 4456 nbbbtn.exe bnhbnh.exe PID 4456 wrote to memory of 3912 4456 nbbbtn.exe bnhbnh.exe PID 4456 wrote to memory of 3912 4456 nbbbtn.exe bnhbnh.exe PID 3912 wrote to memory of 4860 3912 bnhbnh.exe pvvjv.exe PID 3912 wrote to memory of 4860 3912 bnhbnh.exe pvvjv.exe PID 3912 wrote to memory of 4860 3912 bnhbnh.exe pvvjv.exe PID 4860 wrote to memory of 3992 4860 pvvjv.exe jjjdp.exe PID 4860 wrote to memory of 3992 4860 pvvjv.exe jjjdp.exe PID 4860 wrote to memory of 3992 4860 pvvjv.exe jjjdp.exe PID 3992 wrote to memory of 4436 3992 jjjdp.exe lfrxffl.exe PID 3992 wrote to memory of 4436 3992 jjjdp.exe lfrxffl.exe PID 3992 wrote to memory of 4436 3992 jjjdp.exe lfrxffl.exe PID 4436 wrote to memory of 2152 4436 lfrxffl.exe frlllfl.exe PID 4436 wrote to memory of 
2152 4436 lfrxffl.exe frlllfl.exe PID 4436 wrote to memory of 2152 4436 lfrxffl.exe frlllfl.exe PID 2152 wrote to memory of 2808 2152 frlllfl.exe bhnhtt.exe PID 2152 wrote to memory of 2808 2152 frlllfl.exe bhnhtt.exe PID 2152 wrote to memory of 2808 2152 frlllfl.exe bhnhtt.exe PID 2808 wrote to memory of 808 2808 bhnhtt.exe 9vvpd.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\cf38f35800aced4a939beb12f36a97a408ced4a73c447051abafcbed6cc59ac1.exe"C:\Users\Admin\AppData\Local\Temp\cf38f35800aced4a939beb12f36a97a408ced4a73c447051abafcbed6cc59ac1.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3588 -
\??\c:\ppvpv.exec:\ppvpv.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1700 -
\??\c:\3rxrlfx.exec:\3rxrlfx.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1040 -
\??\c:\hhtbbh.exec:\hhtbbh.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1816 -
\??\c:\bhbnbb.exec:\bhbnbb.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3864 -
\??\c:\jjjpj.exec:\jjjpj.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1512 -
\??\c:\dvdvv.exec:\dvdvv.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4980 -
\??\c:\xlxrxxr.exec:\xlxrxxr.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2744 -
\??\c:\fflllfx.exec:\fflllfx.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3688 -
\??\c:\hntnhb.exec:\hntnhb.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3084 -
\??\c:\nbtbnn.exec:\nbtbnn.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3376 -
\??\c:\jvvpj.exec:\jvvpj.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1936 -
\??\c:\pjdvj.exec:\pjdvj.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3624 -
\??\c:\fflfrlf.exec:\fflfrlf.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3568 -
\??\c:\1xfxrrl.exec:\1xfxrrl.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1468 -
\??\c:\nbbbtn.exec:\nbbbtn.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4456 -
\??\c:\bnhbnh.exec:\bnhbnh.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3912 -
\??\c:\pvvjv.exec:\pvvjv.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4860 -
\??\c:\jjjdp.exec:\jjjdp.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3992 -
\??\c:\lfrxffl.exec:\lfrxffl.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4436 -
\??\c:\frlllfl.exec:\frlllfl.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2152 -
\??\c:\bhnhtt.exec:\bhnhtt.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2808 -
\??\c:\9vvpd.exec:\9vvpd.exe23⤵
- Executes dropped EXE
PID:808 -
\??\c:\1rlfllx.exec:\1rlfllx.exe24⤵
- Executes dropped EXE
PID:4628 -
\??\c:\lxffffx.exec:\lxffffx.exe25⤵
- Executes dropped EXE
PID:1140 -
\??\c:\hnttnh.exec:\hnttnh.exe26⤵
- Executes dropped EXE
PID:3324 -
\??\c:\hbbtnh.exec:\hbbtnh.exe27⤵
- Executes dropped EXE
PID:1796 -
\??\c:\jpvjv.exec:\jpvjv.exe28⤵
- Executes dropped EXE
PID:3596 -
\??\c:\7jdvj.exec:\7jdvj.exe29⤵
- Executes dropped EXE
PID:2464 -
\??\c:\xlfxlfx.exec:\xlfxlfx.exe30⤵
- Executes dropped EXE
PID:4668 -
\??\c:\1ffxrlf.exec:\1ffxrlf.exe31⤵
- Executes dropped EXE
PID:4592 -
\??\c:\hhtbbb.exec:\hhtbbb.exe32⤵
- Executes dropped EXE
PID:3828 -
\??\c:\hnbthb.exec:\hnbthb.exe33⤵
- Executes dropped EXE
PID:4652 -
\??\c:\jvpdp.exec:\jvpdp.exe34⤵
- Executes dropped EXE
PID:3032 -
\??\c:\vjvpj.exec:\vjvpj.exe35⤵
- Executes dropped EXE
PID:3712 -
\??\c:\7xxrfxr.exec:\7xxrfxr.exe36⤵
- Executes dropped EXE
PID:3488 -
\??\c:\lfxrrxx.exec:\lfxrrxx.exe37⤵
- Executes dropped EXE
PID:4248 -
\??\c:\btbnbh.exec:\btbnbh.exe38⤵
- Executes dropped EXE
PID:3880 -
\??\c:\1hbthh.exec:\1hbthh.exe39⤵
- Executes dropped EXE
PID:544 -
\??\c:\ntnbtn.exec:\ntnbtn.exe40⤵
- Executes dropped EXE
PID:3988 -
\??\c:\dpppv.exec:\dpppv.exe41⤵
- Executes dropped EXE
PID:3340 -
\??\c:\dddvp.exec:\dddvp.exe42⤵
- Executes dropped EXE
PID:4492 -
\??\c:\rffxrlf.exec:\rffxrlf.exe43⤵
- Executes dropped EXE
PID:3748 -
\??\c:\llxrlff.exec:\llxrlff.exe44⤵
- Executes dropped EXE
PID:4508 -
\??\c:\7tnhbb.exec:\7tnhbb.exe45⤵
- Executes dropped EXE
PID:3036 -
\??\c:\3bbthh.exec:\3bbthh.exe46⤵
- Executes dropped EXE
PID:4696 -
\??\c:\tnhbtt.exec:\tnhbtt.exe47⤵
- Executes dropped EXE
PID:2792 -
\??\c:\jvdpj.exec:\jvdpj.exe48⤵
- Executes dropped EXE
PID:2244 -
\??\c:\vjppp.exec:\vjppp.exe49⤵
- Executes dropped EXE
PID:1700 -
\??\c:\xrflffx.exec:\xrflffx.exe50⤵
- Executes dropped EXE
PID:608 -
\??\c:\frfrxrl.exec:\frfrxrl.exe51⤵
- Executes dropped EXE
PID:4584 -
\??\c:\fxfffff.exec:\fxfffff.exe52⤵
- Executes dropped EXE
PID:3480 -
\??\c:\btbbtt.exec:\btbbtt.exe53⤵
- Executes dropped EXE
PID:2336 -
\??\c:\tbnnhh.exec:\tbnnhh.exe54⤵
- Executes dropped EXE
PID:2880 -
\??\c:\vjjdp.exec:\vjjdp.exe55⤵
- Executes dropped EXE
PID:3476 -
\??\c:\5pvjd.exec:\5pvjd.exe56⤵
- Executes dropped EXE
PID:4416 -
\??\c:\rflfrll.exec:\rflfrll.exe57⤵
- Executes dropped EXE
PID:3348 -
\??\c:\9lrlllf.exec:\9lrlllf.exe58⤵
- Executes dropped EXE
PID:444 -
\??\c:\fxrxrrl.exec:\fxrxrrl.exe59⤵
- Executes dropped EXE
PID:2900 -
\??\c:\nhtntn.exec:\nhtntn.exe60⤵
- Executes dropped EXE
PID:1340 -
\??\c:\7tnhbh.exec:\7tnhbh.exe61⤵
- Executes dropped EXE
PID:4444 -
\??\c:\vjjdj.exec:\vjjdj.exe62⤵
- Executes dropped EXE
PID:3068 -
\??\c:\vpppp.exec:\vpppp.exe63⤵
- Executes dropped EXE
PID:4556 -
\??\c:\5vdvp.exec:\5vdvp.exe64⤵
- Executes dropped EXE
PID:2476 -
\??\c:\rlxrffl.exec:\rlxrffl.exe65⤵
- Executes dropped EXE
PID:924 -
\??\c:\5xfflll.exec:\5xfflll.exe66⤵PID:2736
-
\??\c:\nbnhhh.exec:\nbnhhh.exe67⤵PID:3248
-
\??\c:\7nhhtn.exec:\7nhhtn.exe68⤵PID:4144
-
\??\c:\5tnhbt.exec:\5tnhbt.exe69⤵PID:1556
-
\??\c:\vdjdj.exec:\vdjdj.exe70⤵PID:3448
-
\??\c:\pjdvj.exec:\pjdvj.exe71⤵PID:3100
-
\??\c:\xrrrfff.exec:\xrrrfff.exe72⤵PID:384
-
\??\c:\3fffffx.exec:\3fffffx.exe73⤵PID:1508
-
\??\c:\btnbtn.exec:\btnbtn.exe74⤵PID:2652
-
\??\c:\bthnht.exec:\bthnht.exe75⤵PID:4472
-
\??\c:\nbhbhh.exec:\nbhbhh.exe76⤵PID:1140
-
\??\c:\pjjdd.exec:\pjjdd.exe77⤵PID:1608
-
\??\c:\vpddp.exec:\vpddp.exe78⤵PID:636
-
\??\c:\fxllffx.exec:\fxllffx.exe79⤵PID:1688
-
\??\c:\1rxxxxf.exec:\1rxxxxf.exe80⤵PID:3460
-
\??\c:\xrrlflf.exec:\xrrlflf.exe81⤵PID:1500
-
\??\c:\nnbttt.exec:\nnbttt.exe82⤵PID:3456
-
\??\c:\ttnnhh.exec:\ttnnhh.exe83⤵PID:1492
-
\??\c:\pvdvp.exec:\pvdvp.exe84⤵PID:3284
-
\??\c:\1ddpd.exec:\1ddpd.exe85⤵PID:3812
-
\??\c:\rffxrlf.exec:\rffxrlf.exe86⤵PID:2468
-
\??\c:\fxxrlrr.exec:\fxxrlrr.exe87⤵PID:4744
-
\??\c:\frrfrfx.exec:\frrfrfx.exe88⤵PID:3400
-
\??\c:\htbtnn.exec:\htbtnn.exe89⤵PID:2452
-
\??\c:\tttbtn.exec:\tttbtn.exe90⤵PID:3440
-
\??\c:\vpjpj.exec:\vpjpj.exe91⤵PID:2432
-
\??\c:\dvpjj.exec:\dvpjj.exe92⤵PID:4544
-
\??\c:\fxlfllr.exec:\fxlfllr.exe93⤵PID:1876
-
\??\c:\llrxffl.exec:\llrxffl.exe94⤵PID:1872
-
\??\c:\5fllrrx.exec:\5fllrrx.exe95⤵PID:1288
-
\??\c:\nthbbn.exec:\nthbbn.exe96⤵PID:4424
-
\??\c:\1ntbbh.exec:\1ntbbh.exe97⤵PID:1048
-
\??\c:\vdjvv.exec:\vdjvv.exe98⤵PID:1292
-
\??\c:\vvddd.exec:\vvddd.exe99⤵PID:1200
-
\??\c:\1llfrlf.exec:\1llfrlf.exe100⤵PID:4408
-
\??\c:\3rrlfxr.exec:\3rrlfxr.exe101⤵PID:1920
-
\??\c:\xrxrxxf.exec:\xrxrxxf.exe102⤵PID:4632
-
\??\c:\7nbnhb.exec:\7nbnhb.exe103⤵PID:1424
-
\??\c:\hhhhtn.exec:\hhhhtn.exe104⤵PID:1700
-
\??\c:\jvddp.exec:\jvddp.exe105⤵PID:3632
-
\??\c:\ddvpp.exec:\ddvpp.exe106⤵PID:4584
-
\??\c:\xfxlfxr.exec:\xfxlfxr.exe107⤵PID:2296
-
\??\c:\rrffxxr.exec:\rrffxxr.exe108⤵PID:4364
-
\??\c:\lfffffx.exec:\lfffffx.exe109⤵PID:3040
-
\??\c:\tbnhnh.exec:\tbnhnh.exe110⤵PID:2980
-
\??\c:\nbtnhb.exec:\nbtnhb.exe111⤵PID:3320
-
\??\c:\jdjpj.exec:\jdjpj.exe112⤵PID:2028
-
\??\c:\vpjdd.exec:\vpjdd.exe113⤵PID:1888
-
\??\c:\frxfxff.exec:\frxfxff.exe114⤵PID:1936
-
\??\c:\xlrxrll.exec:\xlrxrll.exe115⤵PID:3980
-
\??\c:\1lfxllf.exec:\1lfxllf.exe116⤵PID:1312
-
\??\c:\htnhbt.exec:\htnhbt.exe117⤵PID:4464
-
\??\c:\tnnhbt.exec:\tnnhbt.exe118⤵PID:1296
-
\??\c:\bthbnh.exec:\bthbnh.exe119⤵PID:4456
-
\??\c:\ntbtnn.exec:\ntbtnn.exe120⤵PID:1768
-
\??\c:\hhnthh.exec:\hhnthh.exe121⤵PID:4480
-
\??\c:\vpjdp.exec:\vpjdp.exe122⤵PID:4860
-