Analysis
max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21-06-2024 03:08
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
c1ab006b04314cb9796a35877e978ba7d7dee6942ac7c6e67adcb294f9525cf3.exe
Resource
win7-20240508-en
6 signatures
150 seconds
General
Target: c1ab006b04314cb9796a35877e978ba7d7dee6942ac7c6e67adcb294f9525cf3.exe
Size: 229KB
MD5: c4a0fa47f09e765b79167d9837f1b587
SHA1: e9c9f920eb31cff1bc9e92aec6ef00b313a7500e
SHA256: c1ab006b04314cb9796a35877e978ba7d7dee6942ac7c6e67adcb294f9525cf3
SHA512: 1af09dd6aea664c0d7fd324558681a1d04dfe1870a12263d865a410b95cc18daa569d53a9e506926dfae9e4280cf2ec63172b625e165f65d5de428c3e36c6eb1
SSDEEP: 3072:ymb3NkkiQ3mdBjFo73PYP1lri3KoSV31x4xLn/c1R:n3C9BRo7MlrWKo+lxKk1R
Malware Config
Signatures
-
Detect Blackmoon payload 26 IoCs
UPX dump on OEP (original entry point) 26 IoCs
Executes dropped EXE 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\c1ab006b04314cb9796a35877e978ba7d7dee6942ac7c6e67adcb294f9525cf3.exe"C:\Users\Admin\AppData\Local\Temp\c1ab006b04314cb9796a35877e978ba7d7dee6942ac7c6e67adcb294f9525cf3.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1652 -
\??\c:\vjvjv.exec:\vjvjv.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4092 -
\??\c:\djpdp.exec:\djpdp.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1692 -
\??\c:\3fxlrlf.exec:\3fxlrlf.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4372 -
\??\c:\vppjd.exec:\vppjd.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2720 -
\??\c:\rxrfrlx.exec:\rxrfrlx.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4976 -
\??\c:\vpjdp.exec:\vpjdp.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2940 -
\??\c:\5frlffr.exec:\5frlffr.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:868 -
\??\c:\htbtnh.exec:\htbtnh.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5056 -
\??\c:\djpjv.exec:\djpjv.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5088 -
\??\c:\vjpjv.exec:\vjpjv.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4824 -
\??\c:\1httht.exec:\1httht.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1720 -
\??\c:\hbthtn.exec:\hbthtn.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4844 -
\??\c:\rlrllxl.exec:\rlrllxl.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2196 -
\??\c:\xrrlxlf.exec:\xrrlxlf.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4572 -
\??\c:\vjjvp.exec:\vjjvp.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3700 -
\??\c:\7vpjp.exec:\7vpjp.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1888 -
\??\c:\5bnhtn.exec:\5bnhtn.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4500 -
\??\c:\pjjvp.exec:\pjjvp.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4768 -
\??\c:\xfffxrr.exec:\xfffxrr.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1844 -
\??\c:\5bnhbb.exec:\5bnhbb.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4172 -
\??\c:\vpjdp.exec:\vpjdp.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4084 -
\??\c:\xxrfxxr.exec:\xxrfxxr.exe23⤵
- Executes dropped EXE
PID:3088 -
\??\c:\1lxrfxl.exec:\1lxrfxl.exe24⤵
- Executes dropped EXE
PID:388 -
\??\c:\nbbnht.exec:\nbbnht.exe25⤵
- Executes dropped EXE
PID:1588 -
\??\c:\vpdvp.exec:\vpdvp.exe26⤵
- Executes dropped EXE
PID:3172 -
\??\c:\1xxlffr.exec:\1xxlffr.exe27⤵
- Executes dropped EXE
PID:2836 -
\??\c:\tnbtnn.exec:\tnbtnn.exe28⤵
- Executes dropped EXE
PID:1932 -
\??\c:\9jpjp.exec:\9jpjp.exe29⤵
- Executes dropped EXE
PID:1448 -
\??\c:\xflxllf.exec:\xflxllf.exe30⤵
- Executes dropped EXE
PID:1948 -
\??\c:\nbbhbb.exec:\nbbhbb.exe31⤵
- Executes dropped EXE
PID:5100 -
\??\c:\pdpjj.exec:\pdpjj.exe32⤵
- Executes dropped EXE
PID:4288 -
\??\c:\lxrlrlr.exec:\lxrlrlr.exe33⤵
- Executes dropped EXE
PID:1192 -
\??\c:\bnnnbh.exec:\bnnnbh.exe34⤵
- Executes dropped EXE
PID:3216 -
\??\c:\tthbnn.exec:\tthbnn.exe35⤵
- Executes dropped EXE
PID:3492 -
\??\c:\5vpdv.exec:\5vpdv.exe36⤵
- Executes dropped EXE
PID:1404 -
\??\c:\9frlrrf.exec:\9frlrrf.exe37⤵
- Executes dropped EXE
PID:4620 -
\??\c:\lflffxr.exec:\lflffxr.exe38⤵
- Executes dropped EXE
PID:4880 -
\??\c:\7bnhtn.exec:\7bnhtn.exe39⤵
- Executes dropped EXE
PID:1644 -
\??\c:\1bthnh.exec:\1bthnh.exe40⤵
- Executes dropped EXE
PID:2164 -
\??\c:\5jjpp.exec:\5jjpp.exe41⤵
- Executes dropped EXE
PID:1656 -
\??\c:\flfrxlf.exec:\flfrxlf.exe42⤵
- Executes dropped EXE
PID:4352 -
\??\c:\xrlfrlf.exec:\xrlfrlf.exe43⤵
- Executes dropped EXE
PID:5064 -
\??\c:\httnnh.exec:\httnnh.exe44⤵
- Executes dropped EXE
PID:3612 -
\??\c:\ttbnbn.exec:\ttbnbn.exe45⤵
- Executes dropped EXE
PID:2708 -
\??\c:\dppdp.exec:\dppdp.exe46⤵
- Executes dropped EXE
PID:224 -
\??\c:\dppjv.exec:\dppjv.exe47⤵
- Executes dropped EXE
PID:4372 -
\??\c:\rrrlxrf.exec:\rrrlxrf.exe48⤵
- Executes dropped EXE
PID:1616 -
\??\c:\nbbntn.exec:\nbbntn.exe49⤵
- Executes dropped EXE
PID:32 -
\??\c:\tbbthb.exec:\tbbthb.exe50⤵
- Executes dropped EXE
PID:3652 -
\??\c:\vdpdd.exec:\vdpdd.exe51⤵
- Executes dropped EXE
PID:1268 -
\??\c:\lxlxlxl.exec:\lxlxlxl.exe52⤵
- Executes dropped EXE
PID:396 -
\??\c:\xlflxrf.exec:\xlflxrf.exe53⤵
- Executes dropped EXE
PID:2900 -
\??\c:\3nhbnh.exec:\3nhbnh.exe54⤵
- Executes dropped EXE
PID:5032 -
\??\c:\hbtnbh.exec:\hbtnbh.exe55⤵
- Executes dropped EXE
PID:3040 -
\??\c:\vpjvp.exec:\vpjvp.exe56⤵
- Executes dropped EXE
PID:4836 -
\??\c:\pdvpd.exec:\pdvpd.exe57⤵
- Executes dropped EXE
PID:2132 -
\??\c:\9xfxlfx.exec:\9xfxlfx.exe58⤵
- Executes dropped EXE
PID:1720 -
\??\c:\5rlfxrl.exec:\5rlfxrl.exe59⤵
- Executes dropped EXE
PID:1900 -
\??\c:\nnhbtn.exec:\nnhbtn.exe60⤵
- Executes dropped EXE
PID:60 -
\??\c:\vpjdj.exec:\vpjdj.exe61⤵
- Executes dropped EXE
PID:1412 -
\??\c:\vvdpd.exec:\vvdpd.exe62⤵
- Executes dropped EXE
PID:5112 -
\??\c:\7rlflxl.exec:\7rlflxl.exe63⤵
- Executes dropped EXE
PID:3332 -
\??\c:\nbthtn.exec:\nbthtn.exe64⤵
- Executes dropped EXE
PID:4164 -
\??\c:\bnhtnh.exec:\bnhtnh.exe65⤵
- Executes dropped EXE
PID:400 -
\??\c:\jddpd.exec:\jddpd.exe66⤵PID:4016
-
\??\c:\vppdd.exec:\vppdd.exe67⤵PID:4980
-
\??\c:\xllxlfr.exec:\xllxlfr.exe68⤵PID:4080
-
\??\c:\xfrlxfr.exec:\xfrlxfr.exe69⤵PID:3056
-
\??\c:\ththth.exec:\ththth.exe70⤵PID:4804
-
\??\c:\5ddvj.exec:\5ddvj.exe71⤵PID:2876
-
\??\c:\3fxfrfx.exec:\3fxfrfx.exe72⤵PID:3624
-
\??\c:\xfxxlfx.exec:\xfxxlfx.exe73⤵PID:2884
-
\??\c:\1tnhtn.exec:\1tnhtn.exe74⤵PID:2136
-
\??\c:\nhbtnt.exec:\nhbtnt.exe75⤵PID:1728
-
\??\c:\9dpjv.exec:\9dpjv.exe76⤵PID:4604
-
\??\c:\xllfrlx.exec:\xllfrlx.exe77⤵PID:5016
-
\??\c:\lxxxrlf.exec:\lxxxrlf.exe78⤵PID:3172
-
\??\c:\btnhbt.exec:\btnhbt.exe79⤵PID:4268
-
\??\c:\jjpjd.exec:\jjpjd.exe80⤵PID:4284
-
\??\c:\vppjv.exec:\vppjv.exe81⤵PID:4424
-
\??\c:\lrfrllf.exec:\lrfrllf.exe82⤵PID:1448
-
\??\c:\tttnhb.exec:\tttnhb.exe83⤵PID:1944
-
\??\c:\7ddvd.exec:\7ddvd.exe84⤵PID:676
-
\??\c:\pdjdp.exec:\pdjdp.exe85⤵PID:2912
-
\??\c:\rrxlxrr.exec:\rrxlxrr.exe86⤵PID:3508
-
\??\c:\bbbnbb.exec:\bbbnbb.exe87⤵PID:2368
-
\??\c:\hnnhtn.exec:\hnnhtn.exe88⤵PID:4044
-
\??\c:\dpvpv.exec:\dpvpv.exe89⤵PID:884
-
\??\c:\5rfrfxr.exec:\5rfrfxr.exe90⤵PID:3112
-
\??\c:\llrlfxr.exec:\llrlfxr.exe91⤵PID:4656
-
\??\c:\bttnhb.exec:\bttnhb.exe92⤵PID:4880
-
\??\c:\tbthbt.exec:\tbthbt.exe93⤵PID:4460
-
\??\c:\9vpjd.exec:\9vpjd.exe94⤵PID:2164
-
\??\c:\pdvpd.exec:\pdvpd.exe95⤵PID:1656
-
\??\c:\5rrlxlf.exec:\5rrlxlf.exe96⤵PID:4352
-
\??\c:\lrrfrlf.exec:\lrrfrlf.exe97⤵PID:5064
-
\??\c:\bntnhn.exec:\bntnhn.exe98⤵PID:1692
-
\??\c:\tnthbt.exec:\tnthbt.exe99⤵PID:4296
-
\??\c:\3dvjv.exec:\3dvjv.exe100⤵PID:4188
-
\??\c:\pjdvj.exec:\pjdvj.exe101⤵PID:4372
-
\??\c:\frxlxxl.exec:\frxlxxl.exe102⤵PID:1616
-
\??\c:\5fxrllx.exec:\5fxrllx.exe103⤵PID:1784
-
\??\c:\bnhbbt.exec:\bnhbbt.exe104⤵PID:3832
-
\??\c:\hhhthb.exec:\hhhthb.exe105⤵PID:2672
-
\??\c:\vvvjd.exec:\vvvjd.exe106⤵PID:396
-
\??\c:\dvpdp.exec:\dvpdp.exe107⤵PID:2900
-
\??\c:\rrrlrlf.exec:\rrrlrlf.exe108⤵PID:5032
-
\??\c:\nhbhtb.exec:\nhbhtb.exe109⤵PID:2020
-
\??\c:\ttnbnh.exec:\ttnbnh.exe110⤵PID:2600
-
\??\c:\pjjjp.exec:\pjjjp.exe111⤵PID:2760
-
\??\c:\vddpj.exec:\vddpj.exe112⤵PID:960
-
\??\c:\llrflxl.exec:\llrflxl.exe113⤵PID:2196
-
\??\c:\lxlfxxr.exec:\lxlfxxr.exe114⤵PID:840
-
\??\c:\nbhtnh.exec:\nbhtnh.exe115⤵PID:3208
-
\??\c:\bnnhbn.exec:\bnnhbn.exe116⤵PID:2372
-
\??\c:\pdppj.exec:\pdppj.exe117⤵PID:3332
-
\??\c:\5frrlrr.exec:\5frrlrr.exe118⤵PID:4164
-
\??\c:\jpvjd.exec:\jpvjd.exe119⤵PID:400
-
\??\c:\5xxrxxx.exec:\5xxrxxx.exe120⤵PID:4016
-
\??\c:\nhhhtb.exec:\nhhhtb.exe121⤵PID:4980
-
\??\c:\pvjpv.exec:\pvjpv.exe122⤵PID:1804