Analysis
-
max time kernel
150s -
max time network
127s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240508-en locale:en-us os:windows10-2004-x64 system -
submitted
21-06-2024 02:10
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
ab3cf9e9df728872a687646dc593ebfa5756f19c4adffe0dc100a48870bdafd0.exe
Resource
win7-20240508-en
6 signatures
150 seconds
General
-
Target
ab3cf9e9df728872a687646dc593ebfa5756f19c4adffe0dc100a48870bdafd0.exe
-
Size
722KB
-
MD5
fbdb7cc5708b9a4d61d75eb6d9de98e5
-
SHA1
d0afc046dcbeacad30667cebf96f195dc005f72d
-
SHA256
ab3cf9e9df728872a687646dc593ebfa5756f19c4adffe0dc100a48870bdafd0
-
SHA512
78bbd892f0c31a9dfe36213c58bb9ca49382e2dc3898d3b95bf0fec78a74fc21c7b962ea5fbee62062d928767062375841dc8ef9fd1388fcbc421e9e81dc0e95
-
SSDEEP
12288:n3C9yMo+S0L9xRnoq7H9xqYLzKoq73lRa2dBDZn:SgD4bhoqLDqYLzKoqTPn
Malware Config
Signatures
-
Detect Blackmoon payload 24 IoCs
Processes:
UPX dump on OEP (original entry point) 31 IoCs
Processes:
Executes dropped EXE 64 IoCs
Processes:
Processes:
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
Processes
-
C:\Users\Admin\AppData\Local\Temp\ab3cf9e9df728872a687646dc593ebfa5756f19c4adffe0dc100a48870bdafd0.exe"C:\Users\Admin\AppData\Local\Temp\ab3cf9e9df728872a687646dc593ebfa5756f19c4adffe0dc100a48870bdafd0.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1080 -
\??\c:\3dvpj.exec:\3dvpj.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2572 -
\??\c:\frxxrll.exec:\frxxrll.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4336 -
\??\c:\hntnhh.exec:\hntnhh.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4872 -
\??\c:\xrxrffr.exec:\xrxrffr.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4896 -
\??\c:\rrfxrxr.exec:\rrfxrxr.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4784 -
\??\c:\7nnntn.exec:\7nnntn.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4468 -
\??\c:\vjjpj.exec:\vjjpj.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2176 -
\??\c:\fxfffff.exec:\fxfffff.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3164 -
\??\c:\3hhhbb.exec:\3hhhbb.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4776 -
\??\c:\9xrlfff.exec:\9xrlfff.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4980 -
\??\c:\bhnhbb.exec:\bhnhbb.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4612 -
\??\c:\dvdvv.exec:\dvdvv.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3696 -
\??\c:\3vdvd.exec:\3vdvd.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2324 -
\??\c:\pjjdd.exec:\pjjdd.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4840 -
\??\c:\lxlxrrl.exec:\lxlxrrl.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1836 -
\??\c:\nhbbtt.exec:\nhbbtt.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4504 -
\??\c:\llfffxx.exec:\llfffxx.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:100 -
\??\c:\1dddv.exec:\1dddv.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1748 -
\??\c:\flxrllx.exec:\flxrllx.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3660 -
\??\c:\tbhtnn.exec:\tbhtnn.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4828 -
\??\c:\3tnnhh.exec:\3tnnhh.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4124 -
\??\c:\pvvpd.exec:\pvvpd.exe23⤵
- Executes dropped EXE
PID:2072 -
\??\c:\pvppv.exec:\pvppv.exe24⤵
- Executes dropped EXE
PID:2160 -
\??\c:\pjjvp.exec:\pjjvp.exe25⤵
- Executes dropped EXE
PID:4292 -
\??\c:\7djdj.exec:\7djdj.exe26⤵
- Executes dropped EXE
PID:4380 -
\??\c:\llxlrfl.exec:\llxlrfl.exe27⤵
- Executes dropped EXE
PID:4736 -
\??\c:\lfffxxx.exec:\lfffxxx.exe28⤵
- Executes dropped EXE
PID:3716 -
\??\c:\xflfffx.exec:\xflfffx.exe29⤵
- Executes dropped EXE
PID:2920 -
\??\c:\tnnnbh.exec:\tnnnbh.exe30⤵
- Executes dropped EXE
PID:2728 -
\??\c:\vppjd.exec:\vppjd.exe31⤵
- Executes dropped EXE
PID:3604 -
\??\c:\llfffxx.exec:\llfffxx.exe32⤵
- Executes dropped EXE
PID:3756 -
\??\c:\vjjdv.exec:\vjjdv.exe33⤵
- Executes dropped EXE
PID:4784 -
\??\c:\lrxxrrr.exec:\lrxxrrr.exe34⤵
- Executes dropped EXE
PID:2684 -
\??\c:\bbhhhh.exec:\bbhhhh.exe35⤵
- Executes dropped EXE
PID:2588 -
\??\c:\vjjjp.exec:\vjjjp.exe36⤵
- Executes dropped EXE
PID:4668 -
\??\c:\frrlrrx.exec:\frrlrrx.exe37⤵
- Executes dropped EXE
PID:468 -
\??\c:\bthbhb.exec:\bthbhb.exe38⤵
- Executes dropped EXE
PID:4548 -
\??\c:\pjjdd.exec:\pjjdd.exe39⤵
- Executes dropped EXE
PID:4832 -
\??\c:\rrxrrrl.exec:\rrxrrrl.exe40⤵
- Executes dropped EXE
PID:3248 -
\??\c:\9bntnb.exec:\9bntnb.exe41⤵
- Executes dropped EXE
PID:4980 -
\??\c:\vjjjd.exec:\vjjjd.exe42⤵
- Executes dropped EXE
PID:1632 -
\??\c:\flrlfff.exec:\flrlfff.exe43⤵
- Executes dropped EXE
PID:4616 -
\??\c:\3thhhh.exec:\3thhhh.exe44⤵
- Executes dropped EXE
PID:1004 -
\??\c:\1rxxxfx.exec:\1rxxxfx.exe45⤵
- Executes dropped EXE
PID:3952 -
\??\c:\bbhbtt.exec:\bbhbtt.exe46⤵
- Executes dropped EXE
PID:4932 -
\??\c:\pvddd.exec:\pvddd.exe47⤵
- Executes dropped EXE
PID:4676 -
\??\c:\xxrllff.exec:\xxrllff.exe48⤵
- Executes dropped EXE
PID:2020 -
\??\c:\bnnhbt.exec:\bnnhbt.exe49⤵
- Executes dropped EXE
PID:4504 -
\??\c:\jjjjd.exec:\jjjjd.exe50⤵
- Executes dropped EXE
PID:4724 -
\??\c:\frrrrrl.exec:\frrrrrl.exe51⤵
- Executes dropped EXE
PID:460 -
\??\c:\tbbbbb.exec:\tbbbbb.exe52⤵
- Executes dropped EXE
PID:1776 -
\??\c:\frxxfff.exec:\frxxfff.exe53⤵
- Executes dropped EXE
PID:3660 -
\??\c:\3hbbtt.exec:\3hbbtt.exe54⤵
- Executes dropped EXE
PID:1648 -
\??\c:\vjjdv.exec:\vjjdv.exe55⤵
- Executes dropped EXE
PID:3076 -
\??\c:\xfrrlrl.exec:\xfrrlrl.exe56⤵
- Executes dropped EXE
PID:3676 -
\??\c:\nhttbb.exec:\nhttbb.exe57⤵
- Executes dropped EXE
PID:4276 -
\??\c:\dddvp.exec:\dddvp.exe58⤵
- Executes dropped EXE
PID:2452 -
\??\c:\lxxrxxr.exec:\lxxrxxr.exe59⤵
- Executes dropped EXE
PID:3044 -
\??\c:\hbhbnb.exec:\hbhbnb.exe60⤵
- Executes dropped EXE
PID:4948 -
\??\c:\vvdvd.exec:\vvdvd.exe61⤵
- Executes dropped EXE
PID:1008 -
\??\c:\jdvvp.exec:\jdvvp.exe62⤵
- Executes dropped EXE
PID:3756 -
\??\c:\9xxrrll.exec:\9xxrrll.exe63⤵
- Executes dropped EXE
PID:4332 -
\??\c:\vjpjj.exec:\vjpjj.exe64⤵
- Executes dropped EXE
PID:5060 -
\??\c:\xxrlxrf.exec:\xxrlxrf.exe65⤵
- Executes dropped EXE
PID:3596 -
\??\c:\5nbbbh.exec:\5nbbbh.exe66⤵PID:4556
-
\??\c:\jvppj.exec:\jvppj.exe67⤵PID:1672
-
\??\c:\llrrxfx.exec:\llrrxfx.exe68⤵PID:1120
-
\??\c:\lxxxrxr.exec:\lxxxrxr.exe69⤵PID:3292
-
\??\c:\tbbttt.exec:\tbbttt.exe70⤵PID:368
-
\??\c:\jvjjd.exec:\jvjjd.exe71⤵PID:1956
-
\??\c:\ffxrllf.exec:\ffxrllf.exe72⤵PID:2708
-
\??\c:\pvpjd.exec:\pvpjd.exe73⤵PID:4968
-
\??\c:\xxfxrrl.exec:\xxfxrrl.exe74⤵PID:1164
-
\??\c:\hhbnhh.exec:\hhbnhh.exe75⤵PID:4912
-
\??\c:\jpdvd.exec:\jpdvd.exe76⤵PID:1300
-
\??\c:\rfffxxr.exec:\rfffxxr.exe77⤵PID:1332
-
\??\c:\pjpjj.exec:\pjpjj.exe78⤵PID:3708
-
\??\c:\vpjdv.exec:\vpjdv.exe79⤵PID:1144
-
\??\c:\xxllrrf.exec:\xxllrrf.exe80⤵PID:4072
-
\??\c:\nnnhbb.exec:\nnnhbb.exe81⤵PID:2320
-
\??\c:\9pvvp.exec:\9pvvp.exe82⤵PID:1748
-
\??\c:\xfllfff.exec:\xfllfff.exe83⤵PID:4008
-
\??\c:\tntttn.exec:\tntttn.exe84⤵PID:4124
-
\??\c:\3pjdv.exec:\3pjdv.exe85⤵PID:2668
-
\??\c:\xrlrrxr.exec:\xrlrrxr.exe86⤵PID:3000
-
\??\c:\nhnhbh.exec:\nhnhbh.exe87⤵PID:4376
-
\??\c:\pjpjp.exec:\pjpjp.exe88⤵PID:2452
-
\??\c:\xflfxrl.exec:\xflfxrl.exe89⤵PID:2076
-
\??\c:\hbnnth.exec:\hbnnth.exe90⤵PID:1576
-
\??\c:\ddddv.exec:\ddddv.exe91⤵PID:3452
-
\??\c:\9lrrrxl.exec:\9lrrrxl.exe92⤵PID:1712
-
\??\c:\frxrllf.exec:\frxrllf.exe93⤵PID:1220
-
\??\c:\htnnnn.exec:\htnnnn.exe94⤵PID:4900
-
\??\c:\vvdvp.exec:\vvdvp.exe95⤵PID:4644
-
\??\c:\7lxrlrl.exec:\7lxrlrl.exe96⤵PID:4556
-
\??\c:\7ntttt.exec:\7ntttt.exe97⤵PID:4588
-
\??\c:\vdvvv.exec:\vdvvv.exe98⤵PID:1120
-
\??\c:\fxllfff.exec:\fxllfff.exe99⤵PID:1272
-
\??\c:\3bhbht.exec:\3bhbht.exe100⤵PID:4888
-
\??\c:\jjjvd.exec:\jjjvd.exe101⤵PID:3268
-
\??\c:\lxlllll.exec:\lxlllll.exe102⤵PID:4028
-
\??\c:\hnnnnn.exec:\hnnnnn.exe103⤵PID:2204
-
\??\c:\5hbhbb.exec:\5hbhbb.exe104⤵PID:4616
-
\??\c:\ffllrrl.exec:\ffllrrl.exe105⤵PID:4912
-
\??\c:\hbbtbb.exec:\hbbtbb.exe106⤵PID:2924
-
\??\c:\jdjvd.exec:\jdjvd.exe107⤵PID:2284
-
\??\c:\djpjd.exec:\djpjd.exe108⤵PID:636
-
\??\c:\frxrrrl.exec:\frxrrrl.exe109⤵PID:100
-
\??\c:\btbtbb.exec:\btbtbb.exe110⤵PID:3376
-
\??\c:\pvjjd.exec:\pvjjd.exe111⤵PID:5008
-
\??\c:\9xxrlll.exec:\9xxrlll.exe112⤵PID:3408
-
\??\c:\ntbtnn.exec:\ntbtnn.exe113⤵PID:1248
-
\??\c:\pdpjd.exec:\pdpjd.exe114⤵PID:1648
-
\??\c:\pdppd.exec:\pdppd.exe115⤵PID:1308
-
\??\c:\xllffxx.exec:\xllffxx.exe116⤵PID:3076
-
\??\c:\bnntbn.exec:\bnntbn.exe117⤵PID:3676
-
\??\c:\dvjdv.exec:\dvjdv.exe118⤵PID:4276
-
\??\c:\fxxrlxr.exec:\fxxrlxr.exe119⤵PID:2468
-
\??\c:\bttnhh.exec:\bttnhh.exe120⤵PID:3044
-
\??\c:\vdddd.exec:\vdddd.exe121⤵PID:396
-
\??\c:\ddppp.exec:\ddppp.exe122⤵PID:1008