Analysis
-
max time kernel
150s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240508-en locale:en-us os:windows10-2004-x64 system -
submitted
06-06-2024 07:44
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
e8e140d9bea877a35db267f04cc5272e35f5b628b21c7f3cdd2b64c4b52f1382.exe
Resource
win7-20240221-en
6 signatures
150 seconds
General
-
Target
e8e140d9bea877a35db267f04cc5272e35f5b628b21c7f3cdd2b64c4b52f1382.exe
-
Size
116KB
-
MD5
4d9d84d1d4c9997764478e19085bb05f
-
SHA1
f130d2aaa3b68a97f642dc1373acdeb816f67e15
-
SHA256
e8e140d9bea877a35db267f04cc5272e35f5b628b21c7f3cdd2b64c4b52f1382
-
SHA512
2ea03641013fbdc97f0857073542984ecea8b4907745e1a349945f14de1e58ecce6c39c253b40502de6c228e892d85052dec7e34b04d7435eba5c0a57c11859c
-
SSDEEP
3072:ymb3NkkiQ3mdBjFosxXGPXbXQMFHLgDWSmjlkFF:n3C9BRosxW8MFHLMWvlI
Malware Config
Signatures
-
Detect Blackmoon payload 26 IoCs
Processes:
resource yara_rule
behavioral2/memory/4308-25-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon
behavioral2/memory/1992-109-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon
behavioral2/memory/3236-211-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon
behavioral2/memory/3668-205-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon
behavioral2/memory/3192-199-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon
behavioral2/memory/4476-193-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon
behavioral2/memory/5008-175-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon
behavioral2/memory/4812-172-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon
behavioral2/memory/4432-151-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon
behavioral2/memory/2888-148-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon
behavioral2/memory/2388-139-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon
behavioral2/memory/1996-133-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon
behavioral2/memory/3484-127-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon
behavioral2/memory/4360-115-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon
behavioral2/memory/5088-103-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon
behavioral2/memory/1432-81-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon
behavioral2/memory/3736-74-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon
behavioral2/memory/4828-67-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon
behavioral2/memory/1616-60-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon
behavioral2/memory/1616-59-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon
behavioral2/memory/4132-42-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon
behavioral2/memory/4132-41-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon
behavioral2/memory/1624-35-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon
behavioral2/memory/4908-28-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon
behavioral2/memory/412-10-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon
behavioral2/memory/264-4-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon
-
UPX dump on OEP (original entry point) 32 IoCs
Processes:
resource yara_rule behavioral2/memory/4308-25-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/1992-109-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/3236-211-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/3668-205-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/3192-199-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/4476-193-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/5008-175-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/4812-172-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/4432-151-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/2888-148-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/2388-139-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/1996-133-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/3484-127-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/4360-115-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/5088-103-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/1432-81-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/3736-74-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/4828-67-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/1616-60-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/1616-59-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/1616-58-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/3092-51-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/3092-50-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/3092-49-0x0000000000400000-0x0000000000429000-memory.dmp UPX 
behavioral2/memory/4132-42-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/4132-41-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/1624-35-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/4908-28-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/4308-19-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/4308-18-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/412-10-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/264-4-0x0000000000400000-0x0000000000429000-memory.dmp UPX -
Executes dropped EXE 64 IoCs
Processes:
ttnhhh.exe 1jvpj.exe dvdvv.exe rrrrxxx.exe rxffxxx.exe 3nnbtt.exe nhthtt.exe dpddv.exe xxlfxxf.exe 3xlxrxr.exe htttnn.exe thhbbb.exe 5jjdv.exe rllfxrr.exe lxffxxx.exe btbbbh.exe vddvv.exe jddvp.exe rxxrllf.exe lfrlfxx.exe tttttn.exe vpdvd.exe pjpdv.exe 5xxlxrr.exe bhbbbb.exe dpvpj.exe lxxlfxl.exe rrfxlfl.exe thttht.exe 1vvpj.exe xrlffxx.exe 7bnnbn.exe pjdjd.exe ppdvp.exe 7rxrlrl.exe nthhhn.exe hbbbtb.exe jdjdv.exe 1pvjj.exe rxfrlff.exe rrrrrll.exe tttttb.exe ntbtnn.exe 9ddvp.exe vppjj.exe xrxrlrl.exe 9xrrrfx.exe nbttnn.exe tnhbbh.exe dpjjj.exe jvvvv.exe 3xfxxxf.exe xffxfff.exe nnnhbb.exe bhhbnh.exe dvvpp.exe llffxxx.exe 3ffxllf.exe htbbtn.exe tnnhnn.exe ppddv.exe dpjvp.exe 7rfrllr.exe rlfrxfl.exe
pid process
412 ttnhhh.exe
4308 1jvpj.exe
4908 dvdvv.exe
1624 rrrrxxx.exe
4132 rxffxxx.exe
3092 3nnbtt.exe
1616 nhthtt.exe
4828 dpddv.exe
3736 xxlfxxf.exe
1432 3xlxrxr.exe
2716 htttnn.exe
1152 thhbbb.exe
5088 5jjdv.exe
1992 rllfxrr.exe
4360 lxffxxx.exe
3248 btbbbh.exe
3484 vddvv.exe
1996 jddvp.exe
2388 rxxrllf.exe
2888 lfrlfxx.exe
4432 tttttn.exe
2812 vpdvd.exe
3680 pjpdv.exe
4812 5xxlxrr.exe
5008 bhbbbb.exe
3860 dpvpj.exe
1600 lxxlfxl.exe
4476 rrfxlfl.exe
3192 thttht.exe
3668 1vvpj.exe
3236 xrlffxx.exe
4336 7bnnbn.exe
4640 pjdjd.exe
4704 ppdvp.exe
4192 7rxrlrl.exe
2364 nthhhn.exe
3188 hbbbtb.exe
1076 jdjdv.exe
2988 1pvjj.exe
2680 rxfrlff.exe
2984 rrrrrll.exe
4736 tttttb.exe
3516 ntbtnn.exe
880 9ddvp.exe
2636 vppjj.exe
5116 xrxrlrl.exe
2252 9xrrrfx.exe
1840 nbttnn.exe
4624 tnhbbh.exe
2556 dpjjj.exe
644 jvvvv.exe
4960 3xfxxxf.exe
4404 xffxfff.exe
1092 nnnhbb.exe
4016 bhhbnh.exe
4416 dvvpp.exe
2196 llffxxx.exe
3552 3ffxllf.exe
3408 htbbtn.exe
3964 tnnhnn.exe
1828 ppddv.exe
4568 dpjvp.exe
2512 7rfrllr.exe
556 rlfrxfl.exe
-
Processes:
resource yara_rule behavioral2/memory/4308-25-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1992-109-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3236-211-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3668-205-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3192-199-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4476-193-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/5008-175-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4812-172-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4432-151-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2888-148-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2388-139-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1996-133-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3484-127-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4360-115-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/5088-103-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1432-81-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3736-74-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4828-67-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1616-60-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1616-59-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1616-58-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3092-51-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3092-50-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3092-49-0x0000000000400000-0x0000000000429000-memory.dmp upx 
behavioral2/memory/4132-42-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4132-41-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1624-35-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4908-28-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4308-19-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4308-18-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/412-10-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/264-4-0x0000000000400000-0x0000000000429000-memory.dmp upx -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
e8e140d9bea877a35db267f04cc5272e35f5b628b21c7f3cdd2b64c4b52f1382.exettnhhh.exe1jvpj.exedvdvv.exerrrrxxx.exerxffxxx.exe3nnbtt.exenhthtt.exedpddv.exexxlfxxf.exe3xlxrxr.exehtttnn.exethhbbb.exe5jjdv.exerllfxrr.exelxffxxx.exebtbbbh.exevddvv.exejddvp.exerxxrllf.exelfrlfxx.exetttttn.exedescription pid process target process PID 264 wrote to memory of 412 264 e8e140d9bea877a35db267f04cc5272e35f5b628b21c7f3cdd2b64c4b52f1382.exe ttnhhh.exe PID 264 wrote to memory of 412 264 e8e140d9bea877a35db267f04cc5272e35f5b628b21c7f3cdd2b64c4b52f1382.exe ttnhhh.exe PID 264 wrote to memory of 412 264 e8e140d9bea877a35db267f04cc5272e35f5b628b21c7f3cdd2b64c4b52f1382.exe ttnhhh.exe PID 412 wrote to memory of 4308 412 ttnhhh.exe 1jvpj.exe PID 412 wrote to memory of 4308 412 ttnhhh.exe 1jvpj.exe PID 412 wrote to memory of 4308 412 ttnhhh.exe 1jvpj.exe PID 4308 wrote to memory of 4908 4308 1jvpj.exe dvdvv.exe PID 4308 wrote to memory of 4908 4308 1jvpj.exe dvdvv.exe PID 4308 wrote to memory of 4908 4308 1jvpj.exe dvdvv.exe PID 4908 wrote to memory of 1624 4908 dvdvv.exe rrrrxxx.exe PID 4908 wrote to memory of 1624 4908 dvdvv.exe rrrrxxx.exe PID 4908 wrote to memory of 1624 4908 dvdvv.exe rrrrxxx.exe PID 1624 wrote to memory of 4132 1624 rrrrxxx.exe rxffxxx.exe PID 1624 wrote to memory of 4132 1624 rrrrxxx.exe rxffxxx.exe PID 1624 wrote to memory of 4132 1624 rrrrxxx.exe rxffxxx.exe PID 4132 wrote to memory of 3092 4132 rxffxxx.exe 3nnbtt.exe PID 4132 wrote to memory of 3092 4132 rxffxxx.exe 3nnbtt.exe PID 4132 wrote to memory of 3092 4132 rxffxxx.exe 3nnbtt.exe PID 3092 wrote to memory of 1616 3092 3nnbtt.exe nhthtt.exe PID 3092 wrote to memory of 1616 3092 3nnbtt.exe nhthtt.exe PID 3092 wrote to memory of 1616 3092 3nnbtt.exe nhthtt.exe PID 1616 wrote to memory of 4828 1616 nhthtt.exe dpddv.exe PID 1616 wrote to memory of 4828 1616 nhthtt.exe dpddv.exe PID 1616 wrote to memory of 4828 1616 nhthtt.exe dpddv.exe PID 4828 wrote to memory of 3736 4828 dpddv.exe xxlfxxf.exe PID 4828 wrote to memory 
of 3736 4828 dpddv.exe xxlfxxf.exe PID 4828 wrote to memory of 3736 4828 dpddv.exe xxlfxxf.exe PID 3736 wrote to memory of 1432 3736 xxlfxxf.exe 3xlxrxr.exe PID 3736 wrote to memory of 1432 3736 xxlfxxf.exe 3xlxrxr.exe PID 3736 wrote to memory of 1432 3736 xxlfxxf.exe 3xlxrxr.exe PID 1432 wrote to memory of 2716 1432 3xlxrxr.exe htttnn.exe PID 1432 wrote to memory of 2716 1432 3xlxrxr.exe htttnn.exe PID 1432 wrote to memory of 2716 1432 3xlxrxr.exe htttnn.exe PID 2716 wrote to memory of 1152 2716 htttnn.exe thhbbb.exe PID 2716 wrote to memory of 1152 2716 htttnn.exe thhbbb.exe PID 2716 wrote to memory of 1152 2716 htttnn.exe thhbbb.exe PID 1152 wrote to memory of 5088 1152 thhbbb.exe 5jjdv.exe PID 1152 wrote to memory of 5088 1152 thhbbb.exe 5jjdv.exe PID 1152 wrote to memory of 5088 1152 thhbbb.exe 5jjdv.exe PID 5088 wrote to memory of 1992 5088 5jjdv.exe rllfxrr.exe PID 5088 wrote to memory of 1992 5088 5jjdv.exe rllfxrr.exe PID 5088 wrote to memory of 1992 5088 5jjdv.exe rllfxrr.exe PID 1992 wrote to memory of 4360 1992 rllfxrr.exe lxffxxx.exe PID 1992 wrote to memory of 4360 1992 rllfxrr.exe lxffxxx.exe PID 1992 wrote to memory of 4360 1992 rllfxrr.exe lxffxxx.exe PID 4360 wrote to memory of 3248 4360 lxffxxx.exe btbbbh.exe PID 4360 wrote to memory of 3248 4360 lxffxxx.exe btbbbh.exe PID 4360 wrote to memory of 3248 4360 lxffxxx.exe btbbbh.exe PID 3248 wrote to memory of 3484 3248 btbbbh.exe vddvv.exe PID 3248 wrote to memory of 3484 3248 btbbbh.exe vddvv.exe PID 3248 wrote to memory of 3484 3248 btbbbh.exe vddvv.exe PID 3484 wrote to memory of 1996 3484 vddvv.exe jddvp.exe PID 3484 wrote to memory of 1996 3484 vddvv.exe jddvp.exe PID 3484 wrote to memory of 1996 3484 vddvv.exe jddvp.exe PID 1996 wrote to memory of 2388 1996 jddvp.exe rxxrllf.exe PID 1996 wrote to memory of 2388 1996 jddvp.exe rxxrllf.exe PID 1996 wrote to memory of 2388 1996 jddvp.exe rxxrllf.exe PID 2388 wrote to memory of 2888 2388 rxxrllf.exe lfrlfxx.exe PID 2388 wrote to memory of 2888 
2388 rxxrllf.exe lfrlfxx.exe PID 2388 wrote to memory of 2888 2388 rxxrllf.exe lfrlfxx.exe PID 2888 wrote to memory of 4432 2888 lfrlfxx.exe thbthh.exe PID 2888 wrote to memory of 4432 2888 lfrlfxx.exe thbthh.exe PID 2888 wrote to memory of 4432 2888 lfrlfxx.exe thbthh.exe PID 4432 wrote to memory of 2812 4432 tttttn.exe vpdvd.exe
Processes
-
C:\Windows\system32\MusNotification.exeC:\Windows\system32\MusNotification.exe1⤵PID:1840
-
C:\Users\Admin\AppData\Local\Temp\e8e140d9bea877a35db267f04cc5272e35f5b628b21c7f3cdd2b64c4b52f1382.exe"C:\Users\Admin\AppData\Local\Temp\e8e140d9bea877a35db267f04cc5272e35f5b628b21c7f3cdd2b64c4b52f1382.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:264 -
\??\c:\ttnhhh.exec:\ttnhhh.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:412 -
\??\c:\1jvpj.exec:\1jvpj.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4308 -
\??\c:\dvdvv.exec:\dvdvv.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4908 -
\??\c:\rrrrxxx.exec:\rrrrxxx.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1624 -
\??\c:\rxffxxx.exec:\rxffxxx.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4132 -
\??\c:\3nnbtt.exec:\3nnbtt.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3092 -
\??\c:\nhthtt.exec:\nhthtt.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1616 -
\??\c:\dpddv.exec:\dpddv.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4828 -
\??\c:\xxlfxxf.exec:\xxlfxxf.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3736 -
\??\c:\3xlxrxr.exec:\3xlxrxr.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1432 -
\??\c:\htttnn.exec:\htttnn.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2716 -
\??\c:\thhbbb.exec:\thhbbb.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1152 -
\??\c:\5jjdv.exec:\5jjdv.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5088 -
\??\c:\rllfxrr.exec:\rllfxrr.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1992 -
\??\c:\lxffxxx.exec:\lxffxxx.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4360 -
\??\c:\btbbbh.exec:\btbbbh.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3248 -
\??\c:\vddvv.exec:\vddvv.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3484 -
\??\c:\jddvp.exec:\jddvp.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1996 -
\??\c:\rxxrllf.exec:\rxxrllf.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2388 -
\??\c:\lfrlfxx.exec:\lfrlfxx.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2888 -
\??\c:\tttttn.exec:\tttttn.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4432 -
\??\c:\vpdvd.exec:\vpdvd.exe23⤵
- Executes dropped EXE
PID:2812 -
\??\c:\pjpdv.exec:\pjpdv.exe24⤵
- Executes dropped EXE
PID:3680 -
\??\c:\5xxlxrr.exec:\5xxlxrr.exe25⤵
- Executes dropped EXE
PID:4812 -
\??\c:\bhbbbb.exec:\bhbbbb.exe26⤵
- Executes dropped EXE
PID:5008 -
\??\c:\dpvpj.exec:\dpvpj.exe27⤵
- Executes dropped EXE
PID:3860 -
\??\c:\lxxlfxl.exec:\lxxlfxl.exe28⤵
- Executes dropped EXE
PID:1600 -
\??\c:\rrfxlfl.exec:\rrfxlfl.exe29⤵
- Executes dropped EXE
PID:4476 -
\??\c:\thttht.exec:\thttht.exe30⤵
- Executes dropped EXE
PID:3192 -
\??\c:\1vvpj.exec:\1vvpj.exe31⤵
- Executes dropped EXE
PID:3668 -
\??\c:\xrlffxx.exec:\xrlffxx.exe32⤵
- Executes dropped EXE
PID:3236 -
\??\c:\7bnnbn.exec:\7bnnbn.exe33⤵
- Executes dropped EXE
PID:4336 -
\??\c:\pjdjd.exec:\pjdjd.exe34⤵
- Executes dropped EXE
PID:4640 -
\??\c:\ppdvp.exec:\ppdvp.exe35⤵
- Executes dropped EXE
PID:4704 -
\??\c:\xrxlxxr.exec:\xrxlxxr.exe36⤵PID:4428
-
\??\c:\7rxrlrl.exec:\7rxrlrl.exe37⤵
- Executes dropped EXE
PID:4192 -
\??\c:\nthhhn.exec:\nthhhn.exe38⤵
- Executes dropped EXE
PID:2364 -
\??\c:\hbbbtb.exec:\hbbbtb.exe39⤵
- Executes dropped EXE
PID:3188 -
\??\c:\jdjdv.exec:\jdjdv.exe40⤵
- Executes dropped EXE
PID:1076 -
\??\c:\1pvjj.exec:\1pvjj.exe41⤵
- Executes dropped EXE
PID:2988 -
\??\c:\rxfrlff.exec:\rxfrlff.exe42⤵
- Executes dropped EXE
PID:2680 -
\??\c:\rrrrrll.exec:\rrrrrll.exe43⤵
- Executes dropped EXE
PID:2984 -
\??\c:\tttttb.exec:\tttttb.exe44⤵
- Executes dropped EXE
PID:4736 -
\??\c:\ntbtnn.exec:\ntbtnn.exe45⤵
- Executes dropped EXE
PID:3516 -
\??\c:\9ddvp.exec:\9ddvp.exe46⤵
- Executes dropped EXE
PID:880 -
\??\c:\vppjj.exec:\vppjj.exe47⤵
- Executes dropped EXE
PID:2636 -
\??\c:\xrxrlrl.exec:\xrxrlrl.exe48⤵
- Executes dropped EXE
PID:5116 -
\??\c:\9xrrrfx.exec:\9xrrrfx.exe49⤵
- Executes dropped EXE
PID:2252 -
\??\c:\nbttnn.exec:\nbttnn.exe50⤵
- Executes dropped EXE
PID:1840 -
\??\c:\tnhbbh.exec:\tnhbbh.exe51⤵
- Executes dropped EXE
PID:4624 -
\??\c:\dpjjj.exec:\dpjjj.exe52⤵
- Executes dropped EXE
PID:2556 -
\??\c:\jvvvv.exec:\jvvvv.exe53⤵
- Executes dropped EXE
PID:644 -
\??\c:\3xfxxxf.exec:\3xfxxxf.exe54⤵
- Executes dropped EXE
PID:4960 -
\??\c:\xffxfff.exec:\xffxfff.exe55⤵
- Executes dropped EXE
PID:4404 -
\??\c:\nnnhbb.exec:\nnnhbb.exe56⤵
- Executes dropped EXE
PID:1092 -
\??\c:\bhhbnh.exec:\bhhbnh.exe57⤵
- Executes dropped EXE
PID:4016 -
\??\c:\dvvpp.exec:\dvvpp.exe58⤵
- Executes dropped EXE
PID:4416 -
\??\c:\llffxxx.exec:\llffxxx.exe59⤵
- Executes dropped EXE
PID:2196 -
\??\c:\3ffxllf.exec:\3ffxllf.exe60⤵
- Executes dropped EXE
PID:3552 -
\??\c:\htbbtn.exec:\htbbtn.exe61⤵
- Executes dropped EXE
PID:3408 -
\??\c:\tnnhnn.exec:\tnnhnn.exe62⤵
- Executes dropped EXE
PID:3964 -
\??\c:\ppddv.exec:\ppddv.exe63⤵
- Executes dropped EXE
PID:1828 -
\??\c:\dpjvp.exec:\dpjvp.exe64⤵
- Executes dropped EXE
PID:4568 -
\??\c:\7rfrllr.exec:\7rfrllr.exe65⤵
- Executes dropped EXE
PID:2512 -
\??\c:\rlfrxfl.exec:\rlfrxfl.exe66⤵
- Executes dropped EXE
PID:556 -
\??\c:\tttnnh.exec:\tttnnh.exe67⤵PID:3156
-
\??\c:\nbhttb.exec:\nbhttb.exe68⤵PID:3604
-
\??\c:\dvjdv.exec:\dvjdv.exe69⤵PID:1588
-
\??\c:\fxfffff.exec:\fxfffff.exe70⤵PID:2308
-
\??\c:\ffrfllf.exec:\ffrfllf.exe71⤵PID:1400
-
\??\c:\btnhth.exec:\btnhth.exe72⤵PID:4292
-
\??\c:\tbbttt.exec:\tbbttt.exe73⤵PID:264
-
\??\c:\vppjd.exec:\vppjd.exe74⤵PID:4564
-
\??\c:\vdjdv.exec:\vdjdv.exe75⤵PID:464
-
\??\c:\frffxxx.exec:\frffxxx.exe76⤵PID:4200
-
\??\c:\htbbbt.exec:\htbbbt.exe77⤵PID:2500
-
\??\c:\hnnbtb.exec:\hnnbtb.exe78⤵PID:4796
-
\??\c:\dvdjj.exec:\dvdjj.exe79⤵PID:5012
-
\??\c:\fxxrffx.exec:\fxxrffx.exe80⤵PID:1876
-
\??\c:\3fllrxx.exec:\3fllrxx.exe81⤵PID:3756
-
\??\c:\3tnhbt.exec:\3tnhbt.exe82⤵PID:5016
-
\??\c:\hntttb.exec:\hntttb.exe83⤵PID:1628
-
\??\c:\3pvvp.exec:\3pvvp.exe84⤵PID:5064
-
\??\c:\dvjdd.exec:\dvjdd.exe85⤵PID:1340
-
\??\c:\7rrrfll.exec:\7rrrfll.exe86⤵PID:3616
-
\??\c:\5xlfrxr.exec:\5xlfrxr.exe87⤵PID:400
-
\??\c:\fxfffff.exec:\fxfffff.exe88⤵PID:4780
-
\??\c:\hhhnnb.exec:\hhhnnb.exe89⤵PID:4552
-
\??\c:\btbbtt.exec:\btbbtt.exe90⤵PID:4400
-
\??\c:\djjvp.exec:\djjvp.exe91⤵PID:2504
-
\??\c:\vpvpj.exec:\vpvpj.exe92⤵PID:408
-
\??\c:\bnnbht.exec:\bnnbht.exe93⤵PID:4432
-
\??\c:\ddvpd.exec:\ddvpd.exe94⤵PID:2812
-
\??\c:\pppjj.exec:\pppjj.exe95⤵PID:3680
-
\??\c:\frlxfll.exec:\frlxfll.exe96⤵PID:1492
-
\??\c:\3xxrlll.exec:\3xxrlll.exe97⤵PID:1052
-
\??\c:\nhnhbh.exec:\nhnhbh.exe98⤵PID:3964
-
\??\c:\ntbttt.exec:\ntbttt.exe99⤵PID:2624
-
\??\c:\pdjdv.exec:\pdjdv.exe100⤵PID:4568
-
\??\c:\jvpjv.exec:\jvpjv.exe101⤵PID:2512
-
\??\c:\lflfrrr.exec:\lflfrrr.exe102⤵PID:436
-
\??\c:\xrllfxx.exec:\xrllfxx.exe103⤵PID:3236
-
\??\c:\5nbbhn.exec:\5nbbhn.exe104⤵PID:2968
-
\??\c:\nhnhbt.exec:\nhnhbt.exe105⤵PID:4640
-
\??\c:\jddvj.exec:\jddvj.exe106⤵PID:2800
-
\??\c:\jvpjd.exec:\jvpjd.exe107⤵PID:228
-
\??\c:\xrrlxrr.exec:\xrrlxrr.exe108⤵PID:4408
-
\??\c:\3lfxrlf.exec:\3lfxrlf.exe109⤵PID:1900
-
\??\c:\7bhbtn.exec:\7bhbtn.exe110⤵PID:4348
-
\??\c:\nhbtnb.exec:\nhbtnb.exe111⤵PID:1644
-
\??\c:\vvvjv.exec:\vvvjv.exe112⤵PID:4996
-
\??\c:\jdvvd.exec:\jdvvd.exe113⤵PID:3648
-
\??\c:\lxfrffr.exec:\lxfrffr.exe114⤵PID:3224
-
\??\c:\xrlfxrr.exec:\xrlfxrr.exe115⤵PID:928
-
\??\c:\httntt.exec:\httntt.exe116⤵PID:1316
-
\??\c:\nthbnh.exec:\nthbnh.exe117⤵PID:4900
-
\??\c:\vvpvd.exec:\vvpvd.exe118⤵PID:452
-
\??\c:\pjppj.exec:\pjppj.exe119⤵PID:2340
-
\??\c:\xrrlffr.exec:\xrrlffr.exe120⤵PID:1652
-
\??\c:\xllfxxl.exec:\xllfxxl.exe121⤵PID:1840
-
\??\c:\3tthbt.exec:\3tthbt.exe122⤵PID:4624
-