Analysis
-
max time kernel
150s -
max time network
104s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240508-en locale:en-us os:windows10-2004-x64 system -
submitted
06-06-2024 06:33
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
cfc16ebaa34ab8a7bbb02b5ffa6944f2418bddeaed38022206080d3990645de0.exe
Resource
win7-20240221-en
6 signatures
150 seconds
General
-
Target
cfc16ebaa34ab8a7bbb02b5ffa6944f2418bddeaed38022206080d3990645de0.exe
-
Size
60KB
-
MD5
16bf7fa5ffd61278263ee996d54417eb
-
SHA1
b72ebf55f4d000085b5dc3474583f05ff35ee979
-
SHA256
cfc16ebaa34ab8a7bbb02b5ffa6944f2418bddeaed38022206080d3990645de0
-
SHA512
e51c989d8035975cea0fa94c1aeeb394ff034069c926299a80668ea3b9aa9d7a4fcb7d23d5ab1ff1519c90d89c6bd4ecd0743f8b4a0b9e1753e38f4bf0eec756
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDI9Lp:ymb3NkkiQ3mdBjFI9F
Malware Config
Signatures
-
Detect Blackmoon payload 28 IoCs
Processes:
resource yara_rule behavioral2/memory/3896-4-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4324-12-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4528-18-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4036-28-0x0000000000401000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4036-27-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3240-33-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4884-42-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4976-49-0x0000000000401000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4976-48-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1372-57-0x0000000000401000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1372-56-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/764-74-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4000-83-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3920-88-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1424-94-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3948-100-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1672-106-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3884-113-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4504-121-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4228-130-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1396-136-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon 
behavioral2/memory/3008-142-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3664-160-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4384-166-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2468-172-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1796-184-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2268-196-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4396-201-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon -
UPX dump on OEP (original entry point) 26 IoCs
Processes:
resource yara_rule behavioral2/memory/3896-4-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/4324-12-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/4528-18-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/4036-27-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/3240-33-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/3240-32-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/4884-42-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/4976-48-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/1372-56-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/764-74-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/4000-83-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/3920-88-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/1424-94-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/3948-100-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/1672-106-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/3884-113-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/4504-121-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/4228-130-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/1396-136-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/3008-142-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/3664-160-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/4384-166-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/2468-172-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/1796-184-0x0000000000400000-0x0000000000429000-memory.dmp UPX 
behavioral2/memory/2268-196-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/4396-201-0x0000000000400000-0x0000000000429000-memory.dmp UPX -
Executes dropped EXE 64 IoCs
Processes:
jddpj.exe jvvpd.exe rflllfx.exe btbnnh.exe dvvpd.exe 5xxxlff.exe lfxxrlf.exe pdvpj.exe lfxrfrl.exe 9frlfxl.exe tnhbtt.exe dpdvv.exe 1vvjd.exe fxrllrr.exe bttthh.exe 1nhbtn.exe vpjdv.exe fxfrfxx.exe fxlfllx.exe btthbn.exe 7nhbnn.exe vpdvv.exe lflfrrl.exe fflfxxr.exe btnhbt.exe 3hhbnn.exe 1pvvp.exe rxrlxxl.exe 7xrrffx.exe hhnhnh.exe bhntht.exe dvpjd.exe fffxllf.exe 5lxxxxx.exe 5bbtnn.exe nttnnh.exe jvdjd.exe jjddv.exe rrfllrl.exe flffrrl.exe thtthn.exe nhnnhh.exe frrlfrl.exe 3lllfxr.exe hnnnhh.exe 5ttnbt.exe jjdvd.exe 9jvvd.exe pjjjp.exe 5lrrlxf.exe xfrxfll.exe hhbtbb.exe 5jjdp.exe 7pvpj.exe fxxxrrr.exe lxxxlrl.exe 7bbbtb.exe 7pvvj.exe 9llfxxr.exe rlrrllf.exe hbbbtt.exe 3djdv.exe jvvvj.exe xxllfxx.exe
pid process 4324 jddpj.exe 4528 jvvpd.exe 4036 rflllfx.exe 3240 btbnnh.exe 4884 dvvpd.exe 4976 5xxxlff.exe 1372 lfxxrlf.exe 2152 pdvpj.exe 1544 lfxrfrl.exe 764 9frlfxl.exe 4000 tnhbtt.exe 3920 dpdvv.exe 1424 1vvjd.exe 3948 fxrllrr.exe 1672 bttthh.exe 3884 1nhbtn.exe 4504 vpjdv.exe 2384 fxfrfxx.exe 4228 fxlfllx.exe 1396 btthbn.exe 3008 7nhbnn.exe 4616 vpdvv.exe 1984 lflfrrl.exe 3664 fflfxxr.exe 4384 btnhbt.exe 2468 3hhbnn.exe 1124 1pvvp.exe 1796 rxrlxxl.exe 3660 7xrrffx.exe 2268 hhnhnh.exe 4396 bhntht.exe 2392 dvpjd.exe 3596 fffxllf.exe 1480 5lxxxxx.exe 4836 5bbtnn.exe 4776 nttnnh.exe 4444 jvdjd.exe 3592 jjddv.exe 388 rrfllrl.exe 4528 flffrrl.exe 4060 thtthn.exe 4036 nhnnhh.exe 2328 frrlfrl.exe 2996 3lllfxr.exe 3752 hnnnhh.exe 892 5ttnbt.exe 1556 jjdvd.exe 4712 9jvvd.exe 5044 pjjjp.exe 2364 5lrrlxf.exe 3340 xfrxfll.exe 1352 hhbtbb.exe 632 5jjdp.exe 3580 7pvpj.exe 1484 fxxxrrr.exe 2248 lxxxlrl.exe 1476 7bbbtb.exe 852 7pvvj.exe 876 9llfxxr.exe 1300 rlrrllf.exe 4504 hbbbtt.exe 1976 3djdv.exe 4228 jvvvj.exe 4696 xxllfxx.exe -
Processes:
resource yara_rule behavioral2/memory/3896-4-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4324-12-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4528-18-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4036-27-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3240-33-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3240-32-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4884-42-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4976-48-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1372-56-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/764-74-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4000-83-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3920-88-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1424-94-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3948-100-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1672-106-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3884-113-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4504-121-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4228-130-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1396-136-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3008-142-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3664-160-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4384-166-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2468-172-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1796-184-0x0000000000400000-0x0000000000429000-memory.dmp upx 
behavioral2/memory/2268-196-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4396-201-0x0000000000400000-0x0000000000429000-memory.dmp upx -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
cfc16ebaa34ab8a7bbb02b5ffa6944f2418bddeaed38022206080d3990645de0.exejddpj.exejvvpd.exerflllfx.exebtbnnh.exedvvpd.exe5xxxlff.exelfxxrlf.exepdvpj.exelfxrfrl.exe9frlfxl.exetnhbtt.exedpdvv.exe1vvjd.exefxrllrr.exebttthh.exe1nhbtn.exevpjdv.exefxfrfxx.exefxlfllx.exebtthbn.exe7nhbnn.exedescription pid process target process PID 3896 wrote to memory of 4324 3896 cfc16ebaa34ab8a7bbb02b5ffa6944f2418bddeaed38022206080d3990645de0.exe jddpj.exe PID 3896 wrote to memory of 4324 3896 cfc16ebaa34ab8a7bbb02b5ffa6944f2418bddeaed38022206080d3990645de0.exe jddpj.exe PID 3896 wrote to memory of 4324 3896 cfc16ebaa34ab8a7bbb02b5ffa6944f2418bddeaed38022206080d3990645de0.exe jddpj.exe PID 4324 wrote to memory of 4528 4324 jddpj.exe jvvpd.exe PID 4324 wrote to memory of 4528 4324 jddpj.exe jvvpd.exe PID 4324 wrote to memory of 4528 4324 jddpj.exe jvvpd.exe PID 4528 wrote to memory of 4036 4528 jvvpd.exe rflllfx.exe PID 4528 wrote to memory of 4036 4528 jvvpd.exe rflllfx.exe PID 4528 wrote to memory of 4036 4528 jvvpd.exe rflllfx.exe PID 4036 wrote to memory of 3240 4036 rflllfx.exe btbnnh.exe PID 4036 wrote to memory of 3240 4036 rflllfx.exe btbnnh.exe PID 4036 wrote to memory of 3240 4036 rflllfx.exe btbnnh.exe PID 3240 wrote to memory of 4884 3240 btbnnh.exe dvvpd.exe PID 3240 wrote to memory of 4884 3240 btbnnh.exe dvvpd.exe PID 3240 wrote to memory of 4884 3240 btbnnh.exe dvvpd.exe PID 4884 wrote to memory of 4976 4884 dvvpd.exe 5xxxlff.exe PID 4884 wrote to memory of 4976 4884 dvvpd.exe 5xxxlff.exe PID 4884 wrote to memory of 4976 4884 dvvpd.exe 5xxxlff.exe PID 4976 wrote to memory of 1372 4976 5xxxlff.exe lfxxrlf.exe PID 4976 wrote to memory of 1372 4976 5xxxlff.exe lfxxrlf.exe PID 4976 wrote to memory of 1372 4976 5xxxlff.exe lfxxrlf.exe PID 1372 wrote to memory of 2152 1372 lfxxrlf.exe pdvpj.exe PID 1372 wrote to memory of 2152 1372 lfxxrlf.exe pdvpj.exe PID 1372 wrote to memory of 2152 1372 lfxxrlf.exe pdvpj.exe PID 2152 wrote to memory of 1544 2152 pdvpj.exe lfxrfrl.exe PID 2152 
wrote to memory of 1544 2152 pdvpj.exe lfxrfrl.exe PID 2152 wrote to memory of 1544 2152 pdvpj.exe lfxrfrl.exe PID 1544 wrote to memory of 764 1544 lfxrfrl.exe 9frlfxl.exe PID 1544 wrote to memory of 764 1544 lfxrfrl.exe 9frlfxl.exe PID 1544 wrote to memory of 764 1544 lfxrfrl.exe 9frlfxl.exe PID 764 wrote to memory of 4000 764 9frlfxl.exe tnhbtt.exe PID 764 wrote to memory of 4000 764 9frlfxl.exe tnhbtt.exe PID 764 wrote to memory of 4000 764 9frlfxl.exe tnhbtt.exe PID 4000 wrote to memory of 3920 4000 tnhbtt.exe dpdvv.exe PID 4000 wrote to memory of 3920 4000 tnhbtt.exe dpdvv.exe PID 4000 wrote to memory of 3920 4000 tnhbtt.exe dpdvv.exe PID 3920 wrote to memory of 1424 3920 dpdvv.exe 1vvjd.exe PID 3920 wrote to memory of 1424 3920 dpdvv.exe 1vvjd.exe PID 3920 wrote to memory of 1424 3920 dpdvv.exe 1vvjd.exe PID 1424 wrote to memory of 3948 1424 1vvjd.exe fxrllrr.exe PID 1424 wrote to memory of 3948 1424 1vvjd.exe fxrllrr.exe PID 1424 wrote to memory of 3948 1424 1vvjd.exe fxrllrr.exe PID 3948 wrote to memory of 1672 3948 fxrllrr.exe bttthh.exe PID 3948 wrote to memory of 1672 3948 fxrllrr.exe bttthh.exe PID 3948 wrote to memory of 1672 3948 fxrllrr.exe bttthh.exe PID 1672 wrote to memory of 3884 1672 bttthh.exe 1nhbtn.exe PID 1672 wrote to memory of 3884 1672 bttthh.exe 1nhbtn.exe PID 1672 wrote to memory of 3884 1672 bttthh.exe 1nhbtn.exe PID 3884 wrote to memory of 4504 3884 1nhbtn.exe vpjdv.exe PID 3884 wrote to memory of 4504 3884 1nhbtn.exe vpjdv.exe PID 3884 wrote to memory of 4504 3884 1nhbtn.exe vpjdv.exe PID 4504 wrote to memory of 2384 4504 vpjdv.exe fxfrfxx.exe PID 4504 wrote to memory of 2384 4504 vpjdv.exe fxfrfxx.exe PID 4504 wrote to memory of 2384 4504 vpjdv.exe fxfrfxx.exe PID 2384 wrote to memory of 4228 2384 fxfrfxx.exe fxlfllx.exe PID 2384 wrote to memory of 4228 2384 fxfrfxx.exe fxlfllx.exe PID 2384 wrote to memory of 4228 2384 fxfrfxx.exe fxlfllx.exe PID 4228 wrote to memory of 1396 4228 fxlfllx.exe btthbn.exe PID 4228 wrote to memory of 
1396 4228 fxlfllx.exe btthbn.exe PID 4228 wrote to memory of 1396 4228 fxlfllx.exe btthbn.exe PID 1396 wrote to memory of 3008 1396 btthbn.exe 7nhbnn.exe PID 1396 wrote to memory of 3008 1396 btthbn.exe 7nhbnn.exe PID 1396 wrote to memory of 3008 1396 btthbn.exe 7nhbnn.exe PID 3008 wrote to memory of 4616 3008 7nhbnn.exe vpdvv.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\cfc16ebaa34ab8a7bbb02b5ffa6944f2418bddeaed38022206080d3990645de0.exe "C:\Users\Admin\AppData\Local\Temp\cfc16ebaa34ab8a7bbb02b5ffa6944f2418bddeaed38022206080d3990645de0.exe" 1⤵
- Suspicious use of WriteProcessMemory
PID:3896 -
\??\c:\jddpj.exec:\jddpj.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4324 -
\??\c:\jvvpd.exec:\jvvpd.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4528 -
\??\c:\rflllfx.exec:\rflllfx.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4036 -
\??\c:\btbnnh.exec:\btbnnh.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3240 -
\??\c:\dvvpd.exec:\dvvpd.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4884 -
\??\c:\5xxxlff.exec:\5xxxlff.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4976 -
\??\c:\lfxxrlf.exec:\lfxxrlf.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1372 -
\??\c:\pdvpj.exec:\pdvpj.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2152 -
\??\c:\lfxrfrl.exec:\lfxrfrl.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1544 -
\??\c:\9frlfxl.exec:\9frlfxl.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:764 -
\??\c:\tnhbtt.exec:\tnhbtt.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4000 -
\??\c:\dpdvv.exec:\dpdvv.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3920 -
\??\c:\1vvjd.exec:\1vvjd.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1424 -
\??\c:\fxrllrr.exec:\fxrllrr.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3948 -
\??\c:\bttthh.exec:\bttthh.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1672 -
\??\c:\1nhbtn.exec:\1nhbtn.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3884 -
\??\c:\vpjdv.exec:\vpjdv.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4504 -
\??\c:\fxfrfxx.exec:\fxfrfxx.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2384 -
\??\c:\fxlfllx.exec:\fxlfllx.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4228 -
\??\c:\btthbn.exec:\btthbn.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1396 -
\??\c:\7nhbnn.exec:\7nhbnn.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3008 -
\??\c:\vpdvv.exec:\vpdvv.exe23⤵
- Executes dropped EXE
PID:4616 -
\??\c:\lflfrrl.exec:\lflfrrl.exe24⤵
- Executes dropped EXE
PID:1984 -
\??\c:\fflfxxr.exec:\fflfxxr.exe25⤵
- Executes dropped EXE
PID:3664 -
\??\c:\btnhbt.exec:\btnhbt.exe26⤵
- Executes dropped EXE
PID:4384 -
\??\c:\3hhbnn.exec:\3hhbnn.exe27⤵
- Executes dropped EXE
PID:2468 -
\??\c:\1pvvp.exec:\1pvvp.exe28⤵
- Executes dropped EXE
PID:1124 -
\??\c:\rxrlxxl.exec:\rxrlxxl.exe29⤵
- Executes dropped EXE
PID:1796 -
\??\c:\7xrrffx.exec:\7xrrffx.exe30⤵
- Executes dropped EXE
PID:3660 -
\??\c:\hhnhnh.exec:\hhnhnh.exe31⤵
- Executes dropped EXE
PID:2268 -
\??\c:\bhntht.exec:\bhntht.exe32⤵
- Executes dropped EXE
PID:4396 -
\??\c:\dvpjd.exec:\dvpjd.exe33⤵
- Executes dropped EXE
PID:2392 -
\??\c:\fffxllf.exec:\fffxllf.exe34⤵
- Executes dropped EXE
PID:3596 -
\??\c:\5lxxxxx.exec:\5lxxxxx.exe35⤵
- Executes dropped EXE
PID:1480 -
\??\c:\5bbtnn.exec:\5bbtnn.exe36⤵
- Executes dropped EXE
PID:4836 -
\??\c:\nttnnh.exec:\nttnnh.exe37⤵
- Executes dropped EXE
PID:4776 -
\??\c:\jvdjd.exec:\jvdjd.exe38⤵
- Executes dropped EXE
PID:4444 -
\??\c:\jjddv.exec:\jjddv.exe39⤵
- Executes dropped EXE
PID:3592 -
\??\c:\rrfllrl.exec:\rrfllrl.exe40⤵
- Executes dropped EXE
PID:388 -
\??\c:\flffrrl.exec:\flffrrl.exe41⤵
- Executes dropped EXE
PID:4528 -
\??\c:\thtthn.exec:\thtthn.exe42⤵
- Executes dropped EXE
PID:4060 -
\??\c:\nhnnhh.exec:\nhnnhh.exe43⤵
- Executes dropped EXE
PID:4036 -
\??\c:\frrlfrl.exec:\frrlfrl.exe44⤵
- Executes dropped EXE
PID:2328 -
\??\c:\3lllfxr.exec:\3lllfxr.exe45⤵
- Executes dropped EXE
PID:2996 -
\??\c:\hnnnhh.exec:\hnnnhh.exe46⤵
- Executes dropped EXE
PID:3752 -
\??\c:\5ttnbt.exec:\5ttnbt.exe47⤵
- Executes dropped EXE
PID:892 -
\??\c:\jjdvd.exec:\jjdvd.exe48⤵
- Executes dropped EXE
PID:1556 -
\??\c:\9jvvd.exec:\9jvvd.exe49⤵
- Executes dropped EXE
PID:4712 -
\??\c:\pjjjp.exec:\pjjjp.exe50⤵
- Executes dropped EXE
PID:5044 -
\??\c:\5lrrlxf.exec:\5lrrlxf.exe51⤵
- Executes dropped EXE
PID:2364 -
\??\c:\xfrxfll.exec:\xfrxfll.exe52⤵
- Executes dropped EXE
PID:3340 -
\??\c:\hhbtbb.exec:\hhbtbb.exe53⤵
- Executes dropped EXE
PID:1352 -
\??\c:\5jjdp.exec:\5jjdp.exe54⤵
- Executes dropped EXE
PID:632 -
\??\c:\7pvpj.exec:\7pvpj.exe55⤵
- Executes dropped EXE
PID:3580 -
\??\c:\fxxxrrr.exec:\fxxxrrr.exe56⤵
- Executes dropped EXE
PID:1484 -
\??\c:\lxxxlrl.exec:\lxxxlrl.exe57⤵
- Executes dropped EXE
PID:2248 -
\??\c:\7bbbtb.exec:\7bbbtb.exe58⤵
- Executes dropped EXE
PID:1476 -
\??\c:\7pvvj.exec:\7pvvj.exe59⤵
- Executes dropped EXE
PID:852 -
\??\c:\9llfxxr.exec:\9llfxxr.exe60⤵
- Executes dropped EXE
PID:876 -
\??\c:\rlrrllf.exec:\rlrrllf.exe61⤵
- Executes dropped EXE
PID:1300 -
\??\c:\hbbbtt.exec:\hbbbtt.exe62⤵
- Executes dropped EXE
PID:4504 -
\??\c:\3djdv.exec:\3djdv.exe63⤵
- Executes dropped EXE
PID:1976 -
\??\c:\jvvvj.exec:\jvvvj.exe64⤵
- Executes dropped EXE
PID:4228 -
\??\c:\xxllfxx.exec:\xxllfxx.exe65⤵
- Executes dropped EXE
PID:4696 -
\??\c:\7ttnnh.exec:\7ttnnh.exe66⤵PID:3116
-
\??\c:\9bbtnt.exec:\9bbtnt.exe67⤵PID:4900
-
\??\c:\3djpp.exec:\3djpp.exe68⤵PID:1984
-
\??\c:\lfxlfxr.exec:\lfxlfxr.exe69⤵PID:1524
-
\??\c:\3rlrrrl.exec:\3rlrrrl.exe70⤵PID:2884
-
\??\c:\tbbbtb.exec:\tbbbtb.exe71⤵PID:644
-
\??\c:\btbbtt.exec:\btbbtt.exe72⤵PID:1124
-
\??\c:\vpjvj.exec:\vpjvj.exe73⤵PID:1536
-
\??\c:\lxxrlfx.exec:\lxxrlfx.exe74⤵PID:3816
-
\??\c:\xrrlffx.exec:\xrrlffx.exe75⤵PID:3536
-
\??\c:\htttnh.exec:\htttnh.exe76⤵PID:2932
-
\??\c:\3ppjv.exec:\3ppjv.exe77⤵PID:4572
-
\??\c:\7dvpj.exec:\7dvpj.exe78⤵PID:2396
-
\??\c:\frrfrrl.exec:\frrfrrl.exe79⤵PID:3596
-
\??\c:\3fflrrf.exec:\3fflrrf.exe80⤵PID:4788
-
\??\c:\9tnnbb.exec:\9tnnbb.exe81⤵PID:4376
-
\??\c:\hbhbtt.exec:\hbhbtt.exe82⤵PID:2972
-
\??\c:\5dddp.exec:\5dddp.exe83⤵PID:4908
-
\??\c:\pvjdp.exec:\pvjdp.exe84⤵PID:1988
-
\??\c:\1xfxllf.exec:\1xfxllf.exe85⤵PID:4560
-
\??\c:\rlxxxfx.exec:\rlxxxfx.exe86⤵PID:3900
-
\??\c:\bnnttn.exec:\bnnttn.exe87⤵PID:2276
-
\??\c:\nntttt.exec:\nntttt.exe88⤵PID:4408
-
\??\c:\bntbtt.exec:\bntbtt.exe89⤵PID:4976
-
\??\c:\1jppp.exec:\1jppp.exe90⤵PID:5072
-
\??\c:\jpddd.exec:\jpddd.exe91⤵PID:2716
-
\??\c:\7lffxrx.exec:\7lffxrx.exe92⤵PID:624
-
\??\c:\1xrlxxr.exec:\1xrlxxr.exe93⤵PID:2228
-
\??\c:\5bbtnn.exec:\5bbtnn.exe94⤵PID:2320
-
\??\c:\ttthhb.exec:\ttthhb.exe95⤵PID:4000
-
\??\c:\3dddv.exec:\3dddv.exe96⤵PID:3212
-
\??\c:\pddvv.exec:\pddvv.exe97⤵PID:4412
-
\??\c:\rrrrlrr.exec:\rrrrlrr.exe98⤵PID:1468
-
\??\c:\9xfxfxl.exec:\9xfxfxl.exe99⤵PID:3980
-
\??\c:\hthhhb.exec:\hthhhb.exe100⤵PID:2780
-
\??\c:\5nnhtn.exec:\5nnhtn.exe101⤵PID:860
-
\??\c:\ddjjp.exec:\ddjjp.exe102⤵PID:2232
-
\??\c:\pdvvd.exec:\pdvvd.exe103⤵PID:1156
-
\??\c:\xrrllll.exec:\xrrllll.exe104⤵PID:876
-
\??\c:\3ffllll.exec:\3ffllll.exe105⤵PID:3384
-
\??\c:\hhbbbb.exec:\hhbbbb.exe106⤵PID:4968
-
\??\c:\hthbbb.exec:\hthbbb.exe107⤵PID:2628
-
\??\c:\jpppj.exec:\jpppj.exe108⤵PID:3008
-
\??\c:\vjdjd.exec:\vjdjd.exe109⤵PID:2500
-
\??\c:\7rrrlfx.exec:\7rrrlfx.exe110⤵PID:2832
-
\??\c:\5rxxxff.exec:\5rxxxff.exe111⤵PID:3428
-
\??\c:\nbhbhh.exec:\nbhbhh.exe112⤵PID:1816
-
\??\c:\dvvvp.exec:\dvvvp.exe113⤵PID:1040
-
\??\c:\lfxlxxr.exec:\lfxlxxr.exe114⤵PID:868
-
\??\c:\rllxlrx.exec:\rllxlrx.exe115⤵PID:3964
-
\??\c:\hbbtnn.exec:\hbbtnn.exe116⤵PID:3220
-
\??\c:\bthhbb.exec:\bthhbb.exe117⤵PID:1796
-
\??\c:\dvpjv.exec:\dvpjv.exe118⤵PID:2576
-
\??\c:\vjddp.exec:\vjddp.exe119⤵PID:4852
-
\??\c:\9rrlxxr.exec:\9rrlxxr.exe120⤵PID:1904
-
\??\c:\xrxlrlr.exec:\xrxlrlr.exe121⤵PID:4692
-
\??\c:\thbthh.exec:\thbthh.exe122⤵PID:4584
-