Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64 arch:x86 image:win10v2004-20240508-en locale:en-us os:windows10-2004-x64 system
- submitted: 06-06-2024 08:11
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
f0ca9f1eb5bbf54caf024c5711ae8502b1fb24436c3d7d41e89dabd3acd94f5d.exe
Resource
win7-20240508-en
6 signatures
150 seconds
General
- Target: f0ca9f1eb5bbf54caf024c5711ae8502b1fb24436c3d7d41e89dabd3acd94f5d.exe
- Size: 159KB
- MD5: 0a06bf2c722aebed680eb542b50eff09
- SHA1: 639d2c4bb278d776bebd45e512e854b4e51b0198
- SHA256: f0ca9f1eb5bbf54caf024c5711ae8502b1fb24436c3d7d41e89dabd3acd94f5d
- SHA512: d0faf645787b265c8cbb7bbf55afcc1f3726887d62d107da5e364a30b5c6e160593707861ae016e61e385b01df96ddaa65c6f6c0bb523762a4fcdfead3f46970
- SSDEEP: 3072:ymb3NkkiQ3mdBjFo7LAIbT2NRUv8XK9wnftqPQhSLcINkSyCmtI:n3C9BRo/AIX2MUXownfWQkyCmtI
Malware Config
Signatures
-
Detect Blackmoon payload 22 IoCs
-
UPX dump on OEP (original entry point) 25 IoCs
-
Executes dropped EXE 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\f0ca9f1eb5bbf54caf024c5711ae8502b1fb24436c3d7d41e89dabd3acd94f5d.exe"C:\Users\Admin\AppData\Local\Temp\f0ca9f1eb5bbf54caf024c5711ae8502b1fb24436c3d7d41e89dabd3acd94f5d.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3968 -
\??\c:\jpvvp.exec:\jpvvp.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4616 -
\??\c:\flxrffx.exec:\flxrffx.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3588 -
\??\c:\hbhhbn.exec:\hbhhbn.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1964 -
\??\c:\9rrllll.exec:\9rrllll.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4092 -
\??\c:\bbbtnn.exec:\bbbtnn.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4324 -
\??\c:\3nnnbb.exec:\3nnnbb.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3828 -
\??\c:\9frlrxf.exec:\9frlrxf.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5032 -
\??\c:\fxfrllx.exec:\fxfrllx.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2012 -
\??\c:\ththhb.exec:\ththhb.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5016 -
\??\c:\vjpjd.exec:\vjpjd.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1700 -
\??\c:\dddvp.exec:\dddvp.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4388 -
\??\c:\tbnhnn.exec:\tbnhnn.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2312 -
\??\c:\jdjvp.exec:\jdjvp.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1080 -
\??\c:\xrfxrlx.exec:\xrfxrlx.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2440 -
\??\c:\tbhhbb.exec:\tbhhbb.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2684 -
\??\c:\jdjdp.exec:\jdjdp.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2768 -
\??\c:\5fxrllf.exec:\5fxrllf.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:632 -
\??\c:\xxrxlrr.exec:\xxrxlrr.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2260 -
\??\c:\7hnttt.exec:\7hnttt.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1280 -
\??\c:\bthhhn.exec:\bthhhn.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:948 -
\??\c:\3llxrlf.exec:\3llxrlf.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:408 -
\??\c:\7lrrrrl.exec:\7lrrrrl.exe23⤵
- Executes dropped EXE
PID:1360 -
\??\c:\3btnbb.exec:\3btnbb.exe24⤵
- Executes dropped EXE
PID:2392 -
\??\c:\lxfrllf.exec:\lxfrllf.exe25⤵
- Executes dropped EXE
PID:1136 -
\??\c:\hhnhnn.exec:\hhnhnn.exe26⤵
- Executes dropped EXE
PID:3180 -
\??\c:\hbnhhh.exec:\hbnhhh.exe27⤵
- Executes dropped EXE
PID:232 -
\??\c:\vpvpp.exec:\vpvpp.exe28⤵
- Executes dropped EXE
PID:1048 -
\??\c:\llxxxxf.exec:\llxxxxf.exe29⤵
- Executes dropped EXE
PID:4752 -
\??\c:\hbbbbb.exec:\hbbbbb.exe30⤵
- Executes dropped EXE
PID:4652 -
\??\c:\tntbnn.exec:\tntbnn.exe31⤵
- Executes dropped EXE
PID:4888 -
\??\c:\ffxrllr.exec:\ffxrllr.exe32⤵
- Executes dropped EXE
PID:4500 -
\??\c:\xrxrlfr.exec:\xrxrlfr.exe33⤵
- Executes dropped EXE
PID:2028 -
\??\c:\htbnhh.exec:\htbnhh.exe34⤵
- Executes dropped EXE
PID:4044 -
\??\c:\htbbnn.exec:\htbbnn.exe35⤵
- Executes dropped EXE
PID:3424 -
\??\c:\9pvpd.exec:\9pvpd.exe36⤵
- Executes dropped EXE
PID:3076 -
\??\c:\rlxrffr.exec:\rlxrffr.exe37⤵
- Executes dropped EXE
PID:2484 -
\??\c:\flxfffx.exec:\flxfffx.exe38⤵
- Executes dropped EXE
PID:1580 -
\??\c:\bbnnnn.exec:\bbnnnn.exe39⤵
- Executes dropped EXE
PID:3856 -
\??\c:\7tthtt.exec:\7tthtt.exe40⤵
- Executes dropped EXE
PID:1664 -
\??\c:\pvdvp.exec:\pvdvp.exe41⤵
- Executes dropped EXE
PID:536 -
\??\c:\7vvpp.exec:\7vvpp.exe42⤵
- Executes dropped EXE
PID:4300 -
\??\c:\rxrlfff.exec:\rxrlfff.exe43⤵
- Executes dropped EXE
PID:3672 -
\??\c:\lxffxxr.exec:\lxffxxr.exe44⤵
- Executes dropped EXE
PID:3596 -
\??\c:\bntnnn.exec:\bntnnn.exe45⤵
- Executes dropped EXE
PID:4568 -
\??\c:\pdjpj.exec:\pdjpj.exe46⤵
- Executes dropped EXE
PID:3588 -
\??\c:\3flffxr.exec:\3flffxr.exe47⤵
- Executes dropped EXE
PID:904 -
\??\c:\3xxxffl.exec:\3xxxffl.exe48⤵
- Executes dropped EXE
PID:2068 -
\??\c:\bttnhh.exec:\bttnhh.exe49⤵
- Executes dropped EXE
PID:1504 -
\??\c:\3tnhtt.exec:\3tnhtt.exe50⤵
- Executes dropped EXE
PID:440 -
\??\c:\vdjdv.exec:\vdjdv.exe51⤵
- Executes dropped EXE
PID:3432 -
\??\c:\xrllxxx.exec:\xrllxxx.exe52⤵
- Executes dropped EXE
PID:2116 -
\??\c:\xxxxflf.exec:\xxxxflf.exe53⤵
- Executes dropped EXE
PID:3256 -
\??\c:\nhbtnn.exec:\nhbtnn.exe54⤵
- Executes dropped EXE
PID:4848 -
\??\c:\bnhbnn.exec:\bnhbnn.exe55⤵
- Executes dropped EXE
PID:5016 -
\??\c:\vpppd.exec:\vpppd.exe56⤵
- Executes dropped EXE
PID:4816 -
\??\c:\fxfrrrx.exec:\fxfrrrx.exe57⤵
- Executes dropped EXE
PID:3932 -
\??\c:\thbbnn.exec:\thbbnn.exe58⤵
- Executes dropped EXE
PID:3436 -
\??\c:\ppvjv.exec:\ppvjv.exe59⤵
- Executes dropped EXE
PID:3152 -
\??\c:\jjddv.exec:\jjddv.exe60⤵
- Executes dropped EXE
PID:3000 -
\??\c:\lrflrfx.exec:\lrflrfx.exe61⤵
- Executes dropped EXE
PID:4032 -
\??\c:\hnnbtt.exec:\hnnbtt.exe62⤵
- Executes dropped EXE
PID:216 -
\??\c:\tnthhh.exec:\tnthhh.exe63⤵
- Executes dropped EXE
PID:1804 -
\??\c:\ddpjd.exec:\ddpjd.exe64⤵
- Executes dropped EXE
PID:2436 -
\??\c:\jpppv.exec:\jpppv.exe65⤵
- Executes dropped EXE
PID:1952 -
\??\c:\ffrrlll.exec:\ffrrlll.exe66⤵PID:3084
-
\??\c:\bhtthh.exec:\bhtthh.exe67⤵PID:2044
-
\??\c:\bhtnhb.exec:\bhtnhb.exe68⤵PID:1476
-
\??\c:\9djvd.exec:\9djvd.exe69⤵PID:4820
-
\??\c:\rxllfxx.exec:\rxllfxx.exe70⤵PID:4704
-
\??\c:\thnbtn.exec:\thnbtn.exe71⤵PID:428
-
\??\c:\3vvdd.exec:\3vvdd.exe72⤵PID:2516
-
\??\c:\fxffrrx.exec:\fxffrrx.exe73⤵PID:1272
-
\??\c:\nbtnhh.exec:\nbtnhh.exe74⤵PID:1360
-
\??\c:\pjjdv.exec:\pjjdv.exe75⤵PID:1380
-
\??\c:\hbtbnh.exec:\hbtbnh.exe76⤵PID:1672
-
\??\c:\5jjdd.exec:\5jjdd.exe77⤵PID:4904
-
\??\c:\1xfxxxr.exec:\1xfxxxr.exe78⤵PID:3188
-
\??\c:\xffxxxr.exec:\xffxxxr.exe79⤵PID:2604
-
\??\c:\1nnbtt.exec:\1nnbtt.exe80⤵PID:4236
-
\??\c:\vjvdd.exec:\vjvdd.exe81⤵PID:4312
-
\??\c:\fxxrfrl.exec:\fxxrfrl.exe82⤵PID:4332
-
\??\c:\nnbttt.exec:\nnbttt.exe83⤵PID:2192
-
\??\c:\pjdjj.exec:\pjdjj.exe84⤵PID:4888
-
\??\c:\7ppdv.exec:\7ppdv.exe85⤵PID:4604
-
\??\c:\llrlffx.exec:\llrlffx.exe86⤵PID:4488
-
\??\c:\btttnn.exec:\btttnn.exe87⤵PID:624
-
\??\c:\7tbbnn.exec:\7tbbnn.exe88⤵PID:4576
-
\??\c:\pvvvj.exec:\pvvvj.exe89⤵PID:628
-
\??\c:\rxfxrrl.exec:\rxfxrrl.exe90⤵PID:4648
-
\??\c:\hnnttb.exec:\hnnttb.exe91⤵PID:4544
-
\??\c:\btnntn.exec:\btnntn.exe92⤵PID:1900
-
\??\c:\ddpdv.exec:\ddpdv.exe93⤵PID:2708
-
\??\c:\1xxxrxr.exec:\1xxxrxr.exe94⤵PID:3796
-
\??\c:\3flrlll.exec:\3flrlll.exe95⤵PID:3672
-
\??\c:\hhhhnh.exec:\hhhhnh.exe96⤵PID:3596
-
\??\c:\ddvdd.exec:\ddvdd.exe97⤵PID:4568
-
\??\c:\pjjdv.exec:\pjjdv.exe98⤵PID:2540
-
\??\c:\fllffxx.exec:\fllffxx.exe99⤵PID:4552
-
\??\c:\5nttbb.exec:\5nttbb.exe100⤵PID:3224
-
\??\c:\jdvpd.exec:\jdvpd.exe101⤵PID:4324
-
\??\c:\bhnntn.exec:\bhnntn.exe102⤵PID:772
-
\??\c:\5vppj.exec:\5vppj.exe103⤵PID:3432
-
\??\c:\lrlxxxl.exec:\lrlxxxl.exe104⤵PID:2116
-
\??\c:\ffxxxxx.exec:\ffxxxxx.exe105⤵PID:3892
-
\??\c:\nnbbtn.exec:\nnbbtn.exe106⤵PID:2404
-
\??\c:\vddvp.exec:\vddvp.exe107⤵PID:864
-
\??\c:\lflfxxr.exec:\lflfxxr.exe108⤵PID:4816
-
\??\c:\llxrxxx.exec:\llxrxxx.exe109⤵PID:3932
-
\??\c:\nhhbnn.exec:\nhhbnn.exe110⤵PID:4080
-
\??\c:\hhnntn.exec:\hhnntn.exe111⤵PID:4572
-
\??\c:\pjpjd.exec:\pjpjd.exe112⤵PID:3376
-
\??\c:\xfxxrrr.exec:\xfxxrrr.exe113⤵PID:4032
-
\??\c:\5fffrrl.exec:\5fffrrl.exe114⤵PID:224
-
\??\c:\9hhhbb.exec:\9hhhbb.exe115⤵PID:2844
-
\??\c:\jdpjj.exec:\jdpjj.exe116⤵PID:2436
-
\??\c:\lxfxxxx.exec:\lxfxxxx.exe117⤵PID:1952
-
\??\c:\1fffxxx.exec:\1fffxxx.exe118⤵PID:3084
-
\??\c:\7hhhbt.exec:\7hhhbt.exe119⤵PID:396
-
\??\c:\bntnhh.exec:\bntnhh.exe120⤵PID:1692
-
\??\c:\jpvpj.exec:\jpvpj.exe121⤵PID:4820
-
\??\c:\rrfxlxr.exec:\rrfxlxr.exe122⤵PID:948