Analysis
-
max time kernel
150s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240508-en locale:en-us os:windows10-2004-x64 system -
submitted
18-05-2024 03:46
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
d7e9bc14451db88c7b6f6dd4d95a07e35bcda8b790560c40a771052855a9c36c.exe
Resource
win7-20240419-en
windows7-x64
6 signatures
150 seconds
General
-
Target
d7e9bc14451db88c7b6f6dd4d95a07e35bcda8b790560c40a771052855a9c36c.exe
-
Size
93KB
-
MD5
1494f69e2047eee2296d84b01406cec2
-
SHA1
5449dc0fed0068668f3d5aeadb752c4c06a5309a
-
SHA256
d7e9bc14451db88c7b6f6dd4d95a07e35bcda8b790560c40a771052855a9c36c
-
SHA512
76f1dfd0f908a215d5477932be4d900732588f3de8ae18ba35fcf54759d9690fa89aa4c04addbda7d668f1130854636f1c74041ecee942b5e5fae4031073ffb1
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDoLuePjDYlR3hnjKXIQSe9oEJ:ymb3NkkiQ3mdBjFoLucjDilOZho6
Malware Config
Signatures
-
Detect Blackmoon payload 26 IoCs
UPX dump on OEP (original entry point) 30 IoCs
Executes dropped EXE 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\d7e9bc14451db88c7b6f6dd4d95a07e35bcda8b790560c40a771052855a9c36c.exe"C:\Users\Admin\AppData\Local\Temp\d7e9bc14451db88c7b6f6dd4d95a07e35bcda8b790560c40a771052855a9c36c.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3856 -
\??\c:\hhtbbt.exec:\hhtbbt.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3912 -
\??\c:\hthtbt.exec:\hthtbt.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3928 -
\??\c:\jdpjv.exec:\jdpjv.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4436 -
\??\c:\xlrffxr.exec:\xlrffxr.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1200 -
\??\c:\htttnt.exec:\htttnt.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3112 -
\??\c:\jdjdp.exec:\jdjdp.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4492 -
\??\c:\jjvpd.exec:\jjvpd.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4396 -
\??\c:\ffxrrrx.exec:\ffxrrrx.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4280 -
\??\c:\hnbtnn.exec:\hnbtnn.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1296 -
\??\c:\jdjdd.exec:\jdjdd.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2900 -
\??\c:\5llfrlf.exec:\5llfrlf.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1444 -
\??\c:\bthbtt.exec:\bthbtt.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3620 -
\??\c:\nhtttb.exec:\nhtttb.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:320 -
\??\c:\jdvdv.exec:\jdvdv.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3848 -
\??\c:\lxfrxlx.exec:\lxfrxlx.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2456 -
\??\c:\tbbtht.exec:\tbbtht.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4728 -
\??\c:\dpvpd.exec:\dpvpd.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1912 -
\??\c:\pjdvp.exec:\pjdvp.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3844 -
\??\c:\xlrrrrl.exec:\xlrrrrl.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3876 -
\??\c:\nbnhbt.exec:\nbnhbt.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4560 -
\??\c:\pjpjd.exec:\pjpjd.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:628 -
\??\c:\frlfxrl.exec:\frlfxrl.exe23⤵
- Executes dropped EXE
PID:2304 -
\??\c:\tnbtbb.exec:\tnbtbb.exe24⤵
- Executes dropped EXE
PID:3644 -
\??\c:\btbbbn.exec:\btbbbn.exe25⤵
- Executes dropped EXE
PID:3996 -
\??\c:\7vvpd.exec:\7vvpd.exe26⤵
- Executes dropped EXE
PID:672 -
\??\c:\hhnhhb.exec:\hhnhhb.exe27⤵
- Executes dropped EXE
PID:2716 -
\??\c:\ppppj.exec:\ppppj.exe28⤵
- Executes dropped EXE
PID:1536 -
\??\c:\3ddvj.exec:\3ddvj.exe29⤵
- Executes dropped EXE
PID:1216 -
\??\c:\7rlfxxr.exec:\7rlfxxr.exe30⤵
- Executes dropped EXE
PID:4400 -
\??\c:\3tnnhb.exec:\3tnnhb.exe31⤵
- Executes dropped EXE
PID:1592 -
\??\c:\vjddv.exec:\vjddv.exe32⤵
- Executes dropped EXE
PID:612 -
\??\c:\5nnnhh.exec:\5nnnhh.exe33⤵
- Executes dropped EXE
PID:1132 -
\??\c:\jjppj.exec:\jjppj.exe34⤵
- Executes dropped EXE
PID:2808 -
\??\c:\rllfffx.exec:\rllfffx.exe35⤵
- Executes dropped EXE
PID:2476 -
\??\c:\nttnhb.exec:\nttnhb.exe36⤵
- Executes dropped EXE
PID:1968 -
\??\c:\dpvpd.exec:\dpvpd.exe37⤵
- Executes dropped EXE
PID:3948 -
\??\c:\xrxrlff.exec:\xrxrlff.exe38⤵
- Executes dropped EXE
PID:2308 -
\??\c:\1lffxrl.exec:\1lffxrl.exe39⤵
- Executes dropped EXE
PID:644 -
\??\c:\ttbbbh.exec:\ttbbbh.exe40⤵
- Executes dropped EXE
PID:4296 -
\??\c:\tbtthh.exec:\tbtthh.exe41⤵
- Executes dropped EXE
PID:220 -
\??\c:\jdpdv.exec:\jdpdv.exe42⤵
- Executes dropped EXE
PID:3664 -
\??\c:\pjjpj.exec:\pjjpj.exe43⤵
- Executes dropped EXE
PID:3976 -
\??\c:\lxrfrrl.exec:\lxrfrrl.exe44⤵
- Executes dropped EXE
PID:3388 -
\??\c:\frlllll.exec:\frlllll.exe45⤵
- Executes dropped EXE
PID:4452 -
\??\c:\hhhbbt.exec:\hhhbbt.exe46⤵
- Executes dropped EXE
PID:4536 -
\??\c:\pvddv.exec:\pvddv.exe47⤵
- Executes dropped EXE
PID:4316 -
\??\c:\vdppj.exec:\vdppj.exe48⤵
- Executes dropped EXE
PID:3684 -
\??\c:\xxrlxxr.exec:\xxrlxxr.exe49⤵
- Executes dropped EXE
PID:1472 -
\??\c:\lxlfrlf.exec:\lxlfrlf.exe50⤵
- Executes dropped EXE
PID:4388 -
\??\c:\thhnbn.exec:\thhnbn.exe51⤵
- Executes dropped EXE
PID:4312 -
\??\c:\thnhbb.exec:\thnhbb.exe52⤵
- Executes dropped EXE
PID:1540 -
\??\c:\dvvpj.exec:\dvvpj.exe53⤵
- Executes dropped EXE
PID:868 -
\??\c:\vppjv.exec:\vppjv.exe54⤵
- Executes dropped EXE
PID:4680 -
\??\c:\lfrfxrr.exec:\lfrfxrr.exe55⤵
- Executes dropped EXE
PID:4980 -
\??\c:\fxxxrrl.exec:\fxxxrrl.exe56⤵
- Executes dropped EXE
PID:1608 -
\??\c:\bbttnn.exec:\bbttnn.exe57⤵
- Executes dropped EXE
PID:4008 -
\??\c:\7vddv.exec:\7vddv.exe58⤵
- Executes dropped EXE
PID:1728 -
\??\c:\pjvdv.exec:\pjvdv.exe59⤵
- Executes dropped EXE
PID:4280 -
\??\c:\frrxrrl.exec:\frrxrrl.exe60⤵
- Executes dropped EXE
PID:4876 -
\??\c:\5tttnh.exec:\5tttnh.exe61⤵
- Executes dropped EXE
PID:2904 -
\??\c:\hntnbb.exec:\hntnbb.exe62⤵
- Executes dropped EXE
PID:2900 -
\??\c:\ddjvp.exec:\ddjvp.exe63⤵
- Executes dropped EXE
PID:1436 -
\??\c:\vpvpd.exec:\vpvpd.exe64⤵
- Executes dropped EXE
PID:4900 -
\??\c:\rxfxlfx.exec:\rxfxlfx.exe65⤵
- Executes dropped EXE
PID:1288 -
\??\c:\nthbbn.exec:\nthbbn.exe66⤵PID:2876
-
\??\c:\9bbbbb.exec:\9bbbbb.exe67⤵PID:2228
-
\??\c:\pddvj.exec:\pddvj.exe68⤵PID:2172
-
\??\c:\5jjjd.exec:\5jjjd.exe69⤵PID:2916
-
\??\c:\lflfllf.exec:\lflfllf.exe70⤵PID:3424
-
\??\c:\rflrllf.exec:\rflrllf.exe71⤵PID:3616
-
\??\c:\nbtnnb.exec:\nbtnnb.exe72⤵PID:3104
-
\??\c:\xffxrrl.exec:\xffxrrl.exe73⤵PID:2436
-
\??\c:\frlfllr.exec:\frlfllr.exe74⤵PID:1484
-
\??\c:\bbnbht.exec:\bbnbht.exe75⤵PID:2936
-
\??\c:\jddvv.exec:\jddvv.exe76⤵PID:4668
-
\??\c:\pjpdv.exec:\pjpdv.exe77⤵PID:5004
-
\??\c:\xllfxrl.exec:\xllfxrl.exe78⤵PID:4160
-
\??\c:\hbttnn.exec:\hbttnn.exe79⤵PID:3644
-
\??\c:\nhnhhb.exec:\nhnhhb.exe80⤵PID:3492
-
\??\c:\ddjvp.exec:\ddjvp.exe81⤵PID:4628
-
\??\c:\vvpjd.exec:\vvpjd.exe82⤵PID:2800
-
\??\c:\xllrlrr.exec:\xllrlrr.exe83⤵PID:4852
-
\??\c:\thbttn.exec:\thbttn.exe84⤵PID:796
-
\??\c:\btbbtt.exec:\btbbtt.exe85⤵PID:2108
-
\??\c:\7pddp.exec:\7pddp.exe86⤵PID:1768
-
\??\c:\3jvpp.exec:\3jvpp.exe87⤵PID:2012
-
\??\c:\rxfxlll.exec:\rxfxlll.exe88⤵PID:4936
-
\??\c:\hbbbbb.exec:\hbbbbb.exe89⤵PID:2788
-
\??\c:\pjjdv.exec:\pjjdv.exe90⤵PID:4664
-
\??\c:\dvdpj.exec:\dvdpj.exe91⤵PID:4912
-
\??\c:\lxlfffx.exec:\lxlfffx.exe92⤵PID:3392
-
\??\c:\rxrfxxr.exec:\rxrfxxr.exe93⤵PID:4624
-
\??\c:\bbhhhh.exec:\bbhhhh.exe94⤵PID:396
-
\??\c:\1vvvp.exec:\1vvvp.exe95⤵PID:4824
-
\??\c:\ppjvj.exec:\ppjvj.exe96⤵PID:3340
-
\??\c:\rlffxrr.exec:\rlffxrr.exe97⤵PID:3192
-
\??\c:\lfrffff.exec:\lfrffff.exe98⤵PID:3256
-
\??\c:\hhhhbb.exec:\hhhhbb.exe99⤵PID:1416
-
\??\c:\jvdjv.exec:\jvdjv.exe100⤵PID:3648
-
\??\c:\vvjdp.exec:\vvjdp.exe101⤵PID:4796
-
\??\c:\1rrlxrl.exec:\1rrlxrl.exe102⤵PID:4352
-
\??\c:\5lrxxxx.exec:\5lrxxxx.exe103⤵PID:3608
-
\??\c:\hthhbb.exec:\hthhbb.exe104⤵PID:3856
-
\??\c:\jdppv.exec:\jdppv.exe105⤵PID:5020
-
\??\c:\vjdvp.exec:\vjdvp.exe106⤵PID:4948
-
\??\c:\lfxrrlf.exec:\lfxrrlf.exe107⤵PID:2596
-
\??\c:\rxrrffx.exec:\rxrrffx.exe108⤵PID:4436
-
\??\c:\bthhbt.exec:\bthhbt.exe109⤵PID:988
-
\??\c:\pjppj.exec:\pjppj.exe110⤵PID:3112
-
\??\c:\lfffrrl.exec:\lfffrrl.exe111⤵PID:4500
-
\??\c:\xrllffx.exec:\xrllffx.exe112⤵PID:4228
-
\??\c:\5hbbtt.exec:\5hbbtt.exe113⤵PID:4960
-
\??\c:\nhnnbt.exec:\nhnnbt.exe114⤵PID:5084
-
\??\c:\pjvvv.exec:\pjvvv.exe115⤵PID:4532
-
\??\c:\xrfrfxl.exec:\xrfrfxl.exe116⤵PID:2128
-
\??\c:\lllfllf.exec:\lllfllf.exe117⤵PID:896
-
\??\c:\bthtnn.exec:\bthtnn.exe118⤵PID:3316
-
\??\c:\frrlrrr.exec:\frrlrrr.exe119⤵PID:2056
-
\??\c:\flllllf.exec:\flllllf.exe120⤵PID:3444
-
\??\c:\tnnnnt.exec:\tnnnnt.exe121⤵PID:3620
-
\??\c:\bhbtnn.exec:\bhbtnn.exe122⤵PID:3720
-
\??\c:\vjjdd.exec:\vjjdd.exe123⤵PID:2376
-
\??\c:\vvddj.exec:\vvddj.exe124⤵PID:1012
-
\??\c:\5xlfffl.exec:\5xlfffl.exe125⤵PID:1480
-
\??\c:\rrffllr.exec:\rrffllr.exe126⤵PID:2196
-
\??\c:\nbbbtt.exec:\nbbbtt.exe127⤵PID:2952
-
\??\c:\tttnhh.exec:\tttnhh.exe128⤵PID:5108
-
\??\c:\djddv.exec:\djddv.exe129⤵PID:2332
-
\??\c:\vdpjv.exec:\vdpjv.exe130⤵PID:2176
-
\??\c:\lrxrfxr.exec:\lrxrfxr.exe131⤵PID:4944
-
\??\c:\5bhnnn.exec:\5bhnnn.exe132⤵PID:4832
-
\??\c:\3tnhtb.exec:\3tnhtb.exe133⤵PID:720
-
\??\c:\3pjjv.exec:\3pjjv.exe134⤵PID:1568
-
\??\c:\dvjjd.exec:\dvjjd.exe135⤵PID:116
-
\??\c:\llffxfx.exec:\llffxfx.exe136⤵PID:2628
-
\??\c:\nhnhnn.exec:\nhnhnn.exe137⤵PID:2420
-
\??\c:\tbbhhh.exec:\tbbhhh.exe138⤵PID:3916
-
\??\c:\1ddvp.exec:\1ddvp.exe139⤵PID:1148
-
\??\c:\vvpjp.exec:\vvpjp.exe140⤵PID:4224
-
\??\c:\xrxxxxx.exec:\xrxxxxx.exe141⤵PID:1708
-
\??\c:\htbbbb.exec:\htbbbb.exe142⤵PID:4700
-
\??\c:\btbtnn.exec:\btbtnn.exe143⤵PID:2240
-
\??\c:\ppvpj.exec:\ppvpj.exe144⤵PID:4400
-
\??\c:\pjjjj.exec:\pjjjj.exe145⤵PID:2888
-
\??\c:\ffxrlxr.exec:\ffxrlxr.exe146⤵PID:4592
-
\??\c:\ttbbtt.exec:\ttbbtt.exe147⤵PID:1420
-
\??\c:\hhbnhh.exec:\hhbnhh.exe148⤵PID:4440
-
\??\c:\djvdp.exec:\djvdp.exe149⤵PID:4264
-
\??\c:\1pdvp.exec:\1pdvp.exe150⤵PID:1760
-
\??\c:\djjpd.exec:\djjpd.exe151⤵PID:5040
-
\??\c:\lfxxrrl.exec:\lfxxrrl.exe152⤵PID:5032
-
\??\c:\bhnttt.exec:\bhnttt.exe153⤵PID:2912
-
\??\c:\bnnhtn.exec:\bnnhtn.exe154⤵PID:4348
-
\??\c:\pvjdv.exec:\pvjdv.exe155⤵PID:1800
-
\??\c:\llxrlxl.exec:\llxrlxl.exe156⤵PID:1884
-
\??\c:\fffxrrr.exec:\fffxrrr.exe157⤵PID:2356
-
\??\c:\tnnhhh.exec:\tnnhhh.exe158⤵PID:744
-
\??\c:\nnttbb.exec:\nnttbb.exe159⤵PID:4336
-
\??\c:\jvvpp.exec:\jvvpp.exe160⤵PID:5112
-
\??\c:\jvpjd.exec:\jvpjd.exe161⤵PID:2544
-
\??\c:\rxxrlll.exec:\rxxrlll.exe162⤵PID:3912
-
\??\c:\bntbtt.exec:\bntbtt.exe163⤵PID:3928
-
\??\c:\ntbtnn.exec:\ntbtnn.exe164⤵PID:5016
-
\??\c:\1xxrllf.exec:\1xxrllf.exe165⤵PID:1392
-
\??\c:\xflrrff.exec:\xflrrff.exe166⤵PID:3440
-
\??\c:\nhnntt.exec:\nhnntt.exe167⤵PID:988
-
\??\c:\1tnhtn.exec:\1tnhtn.exe168⤵PID:3112
-
\??\c:\vppjd.exec:\vppjd.exe169⤵PID:3416
-
\??\c:\dvpjj.exec:\dvpjj.exe170⤵PID:4004
-
\??\c:\lllxlxr.exec:\lllxlxr.exe171⤵PID:4960
-
\??\c:\btnnhn.exec:\btnnhn.exe172⤵PID:5084
-
\??\c:\tbtnht.exec:\tbtnht.exe173⤵PID:456
-
\??\c:\djppj.exec:\djppj.exe174⤵PID:2092
-
\??\c:\vppjd.exec:\vppjd.exe175⤵PID:4924
-
\??\c:\flrlxxr.exec:\flrlxxr.exe176⤵PID:4860
-
\??\c:\tnhnhh.exec:\tnhnhh.exe177⤵PID:2016
-
\??\c:\bnhbtn.exec:\bnhbtn.exe178⤵PID:1772
-
\??\c:\vjddv.exec:\vjddv.exe179⤵PID:4060
-
\??\c:\9jjdv.exec:\9jjdv.exe180⤵PID:5056
-
\??\c:\rlrfffr.exec:\rlrfffr.exe181⤵PID:1664
-
\??\c:\nbhbnn.exec:\nbhbnn.exe182⤵PID:2604
-
\??\c:\hbnhnh.exec:\hbnhnh.exe183⤵PID:1912
-
\??\c:\dvddd.exec:\dvddd.exe184⤵PID:2196
-
\??\c:\xrlfrlf.exec:\xrlfrlf.exe185⤵PID:3844
-
\??\c:\7lllffx.exec:\7lllffx.exe186⤵PID:4932
-
\??\c:\5tnnhb.exec:\5tnnhb.exe187⤵PID:2332
-
\??\c:\hbbthh.exec:\hbbthh.exe188⤵PID:2176
-
\??\c:\jjvpd.exec:\jjvpd.exe189⤵PID:4944
-
\??\c:\dddpj.exec:\dddpj.exe190⤵PID:4344
-
\??\c:\xlfxrrr.exec:\xlfxrrr.exe191⤵PID:4632
-
\??\c:\ntttbb.exec:\ntttbb.exe192⤵PID:1568
-
\??\c:\nnhbtt.exec:\nnhbtt.exe193⤵PID:116
-
\??\c:\dpvvp.exec:\dpvvp.exe194⤵PID:672
-
\??\c:\1lfxrrr.exec:\1lfxrrr.exe195⤵PID:2600
-
\??\c:\ffllfrl.exec:\ffllfrl.exe196⤵PID:2184
-
\??\c:\9thhhh.exec:\9thhhh.exe197⤵PID:2932
-
\??\c:\1tbttt.exec:\1tbttt.exe198⤵PID:2652
-
\??\c:\vvdvp.exec:\vvdvp.exe199⤵PID:2968
-
\??\c:\rrrrfrl.exec:\rrrrfrl.exe200⤵PID:2920
-
\??\c:\llffffx.exec:\llffffx.exe201⤵PID:3324
-
\??\c:\htbtnn.exec:\htbtnn.exe202⤵PID:404
-
\??\c:\bbhbhh.exec:\bbhbhh.exe203⤵PID:4612
-
\??\c:\dvvvp.exec:\dvvvp.exe204⤵PID:3600
-
\??\c:\3dvpd.exec:\3dvpd.exe205⤵PID:4220
-
\??\c:\rlrrlxr.exec:\rlrrlxr.exe206⤵PID:2608
-
\??\c:\llllfxx.exec:\llllfxx.exe207⤵PID:2672
-
\??\c:\hbntnt.exec:\hbntnt.exe208⤵PID:1328
-
\??\c:\vjjpj.exec:\vjjpj.exe209⤵PID:4740
-
\??\c:\pddpj.exec:\pddpj.exe210⤵PID:216
-
\??\c:\7rrfrff.exec:\7rrfrff.exe211⤵PID:208
-
\??\c:\nbtnhh.exec:\nbtnhh.exe212⤵PID:4444
-
\??\c:\bntbtn.exec:\bntbtn.exe213⤵PID:4956
-
\??\c:\5pvpd.exec:\5pvpd.exe214⤵PID:4360
-
\??\c:\ddjdv.exec:\ddjdv.exe215⤵PID:3880
-
\??\c:\ffxlffx.exec:\ffxlffx.exe216⤵PID:4316
-
\??\c:\nhbbbn.exec:\nhbbbn.exe217⤵PID:2940
-
\??\c:\7bhhhh.exec:\7bhhhh.exe218⤵PID:4520
-
\??\c:\pjjdp.exec:\pjjdp.exe219⤵PID:384
-
\??\c:\rrffxrx.exec:\rrffxrx.exe220⤵PID:4312
-
\??\c:\fxfrlxl.exec:\fxfrlxl.exe221⤵PID:4232
-
\??\c:\nhhhbt.exec:\nhhhbt.exe222⤵PID:3440
-
\??\c:\nnnnhh.exec:\nnnnhh.exe223⤵PID:1428
-
\??\c:\vvdvj.exec:\vvdvj.exe224⤵PID:3280
-
\??\c:\pdjvp.exec:\pdjvp.exe225⤵PID:1712
-
\??\c:\rrxrxlf.exec:\rrxrxlf.exe226⤵PID:2560
-
\??\c:\hhhbtn.exec:\hhhbtn.exe227⤵PID:4576
-
\??\c:\bntthh.exec:\bntthh.exe228⤵PID:2100
-
\??\c:\9ddvj.exec:\9ddvj.exe229⤵PID:2028
-
\??\c:\jvvvj.exec:\jvvvj.exe230⤵PID:3316
-
\??\c:\flrlffx.exec:\flrlffx.exe231⤵PID:1016
-
\??\c:\bnnhbb.exec:\bnnhbb.exe232⤵PID:2964
-
\??\c:\ttbbnt.exec:\ttbbnt.exe233⤵PID:4132
-
\??\c:\pjddv.exec:\pjddv.exe234⤵PID:4900
-
\??\c:\dvvpj.exec:\dvvpj.exe235⤵PID:5060
-
\??\c:\9jpjv.exec:\9jpjv.exe236⤵PID:3336
-
\??\c:\lrfxxxx.exec:\lrfxxxx.exe237⤵PID:4432
-
\??\c:\hbnnhh.exec:\hbnnhh.exe238⤵PID:1372
-
\??\c:\1bbthh.exec:\1bbthh.exe239⤵PID:4448
-
\??\c:\vvjjj.exec:\vvjjj.exe240⤵PID:3132
-
\??\c:\pjjdp.exec:\pjjdp.exe241⤵PID:1028
-
\??\c:\rlxrxxr.exec:\rlxrxxr.exe242⤵PID:3876