Analysis
max time kernel: 150s
max time network: 124s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21-06-2024 04:54
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
e94755e57e3a7bb156665a02c3d31aa8b54260120ab6feeecd804579696d4b95.exe
Resource
win7-20240508-en
6 signatures
150 seconds
General
Target: e94755e57e3a7bb156665a02c3d31aa8b54260120ab6feeecd804579696d4b95.exe
Size: 307KB
MD5: b295f77a09287a47c4e99001615ba867
SHA1: 091ebd70a4a514093a3460a1fa7cff574bcb01f3
SHA256: e94755e57e3a7bb156665a02c3d31aa8b54260120ab6feeecd804579696d4b95
SHA512: 84308dd2cd585c5a2a2ee89a3fd0ea14958f45c439bf20e899453d2f8e1fc520e28b13bf72de44ee5f2454642951d2d11bf6958ea7d9124a8deaa0583d82afe9
SSDEEP: 6144:n3C9BRo/AIuuOthLmH403Pyr6UWO6jUl7sPgvwN9:n3C9uDVOXLmHBKWyn+Pgvu9
Malware Config
Signatures
-
Detect Blackmoon payload 25 IoCs
UPX dump on OEP (original entry point) 27 IoCs
Executes dropped EXE 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes