Analysis
-
max time kernel
150s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240508-en locale:en-us os:windows10-2004-x64 system -
submitted
06-06-2024 08:05
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
eecc4a2260d8f4d3303a297dfcd8424820d6bca6781290b87dbcc2317bff0d3b.exe
Resource
win7-20240508-en
6 signatures
150 seconds
General
-
Target
eecc4a2260d8f4d3303a297dfcd8424820d6bca6781290b87dbcc2317bff0d3b.exe
-
Size
306KB
-
MD5
fc9506f362f209ea129eecb0e1967458
-
SHA1
72ea93e299cfee69cb91c869c262e7578d5a8b4f
-
SHA256
eecc4a2260d8f4d3303a297dfcd8424820d6bca6781290b87dbcc2317bff0d3b
-
SHA512
989b8aa44b1cee6546bc4eca3a5b90dc29029a3b76601418fd317c6f28b4beb365300874f2493a0e2d5768399ba6e13da508c0230be321a4eed9640bc4619ca5
-
SSDEEP
6144:n3C9BRo/AIuuOthLmH403Pyr6UWO6jUl7sPgvwNA:n3C9uDVOXLmHBKWyn+PgvuA
Malware Config
Signatures
-
Detect Blackmoon payload 26 IoCs
Processes:
resource yara_rule behavioral2/memory/4632-3-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/436-11-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1648-36-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/912-43-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/5044-87-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2144-105-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1924-111-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1292-123-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1768-153-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/944-160-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3420-165-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1116-184-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1784-198-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/984-207-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/364-171-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2100-139-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2876-129-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/228-117-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3088-99-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3740-93-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3084-73-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon 
behavioral2/memory/1344-67-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4832-59-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4732-51-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4400-33-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3644-23-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon -
UPX dump on OEP (original entry point) 34 IoCs
Processes:
resource yara_rule behavioral2/memory/4632-3-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/3644-19-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/3644-18-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/436-11-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/4400-27-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/1648-36-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/912-43-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/4832-58-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/5044-87-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/2144-105-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/1924-111-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/1292-123-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/1768-153-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/944-160-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/3420-165-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/1116-184-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/1784-198-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/984-207-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/364-171-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/2100-139-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/2876-129-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/228-117-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/3088-99-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/3740-93-0x0000000000400000-0x0000000000429000-memory.dmp UPX 
behavioral2/memory/5044-82-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/5044-81-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/5044-80-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/3084-73-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/1344-67-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/4832-59-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/4732-51-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/4400-33-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/4400-28-0x0000000000400000-0x0000000000429000-memory.dmp UPX behavioral2/memory/3644-23-0x0000000000400000-0x0000000000429000-memory.dmp UPX -
Executes dropped EXE 64 IoCs
Processes:
3nbbbh.exejdjdd.exehbhhhh.exejdddv.exe3vjjp.exe9llfllx.exenhtnnn.exelrfxrxr.exehbnnnt.exenbtnnn.exejpdvp.exethntnn.exevvvvv.exe5vvvp.exexxrxlrf.exedvvdj.exefxxxxll.exe9lxxxll.exenbnnnn.exepjpjp.exebnbbhn.exevdpdd.exe9lxlxrf.exerllffll.exepvppd.exelxrxrrr.exehtbhht.exebnnnht.exejddpd.exexrlfxxr.exedpddv.exefxllrlr.exebhbnbt.exeppppp.exepvppv.exelrfxxxx.exetbnhth.exe7vppj.exepdppp.exellfllrx.exebbbbbb.exethhhbn.exefflfrfl.exenhhbtn.exejjppj.exe9rrlrrl.exexfxrrlr.exehttttb.exevjpjd.exexxfxrrr.exettbhnt.exevpjjp.exe3xflfll.exefxrrrrr.exe1djpv.exevdddd.exexllfxlf.exe5thbbn.exe3pdvp.exepdpjj.exefxfrxrx.exebtbnnb.exejpjjv.exeffxrffl.exepid process 436 3nbbbh.exe 3644 jdjdd.exe 4400 hbhhhh.exe 1648 jdddv.exe 912 3vjjp.exe 4732 9llfllx.exe 4832 nhtnnn.exe 1344 lrfxrxr.exe 3084 hbnnnt.exe 5044 nbtnnn.exe 3740 jpdvp.exe 3088 thntnn.exe 2144 vvvvv.exe 1924 5vvvp.exe 228 xxrxlrf.exe 1292 dvvdj.exe 2876 fxxxxll.exe 2100 9lxxxll.exe 704 nbnnnn.exe 544 pjpjp.exe 1768 bnbbhn.exe 944 vdpdd.exe 3420 9lxlxrf.exe 364 rllffll.exe 2324 pvppd.exe 1116 lxrxrrr.exe 3044 htbhht.exe 1784 bnnnht.exe 1916 jddpd.exe 984 xrlfxxr.exe 1848 dpddv.exe 4576 fxllrlr.exe 1164 bhbnbt.exe 5112 ppppp.exe 3836 pvppv.exe 836 lrfxxxx.exe 3448 tbnhth.exe 2064 7vppj.exe 1648 pdppp.exe 3064 llfllrx.exe 3584 bbbbbb.exe 3972 thhhbn.exe 3384 fflfrfl.exe 1944 nhhbtn.exe 4532 jjppj.exe 2248 9rrlrrl.exe 3904 xfxrrlr.exe 4056 httttb.exe 4988 vjpjd.exe 1968 xxfxrrr.exe 3164 ttbhnt.exe 1368 vpjjp.exe 2360 3xflfll.exe 2876 fxrrrrr.exe 2840 1djpv.exe 2480 vdddd.exe 2680 xllfxlf.exe 544 5thbbn.exe 3104 3pdvp.exe 944 pdpjj.exe 2116 fxfrxrx.exe 4152 btbnnb.exe 3520 jpjjv.exe 3920 ffxrffl.exe -
UPX packed file 34 IoCs
Processes:
resource yara_rule behavioral2/memory/4632-3-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3644-19-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3644-18-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/436-11-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4400-27-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1648-36-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/912-43-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4832-58-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/5044-87-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2144-105-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1924-111-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1292-123-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1768-153-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/944-160-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3420-165-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1116-184-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1784-198-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/984-207-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/364-171-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2100-139-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2876-129-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/228-117-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3088-99-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3740-93-0x0000000000400000-0x0000000000429000-memory.dmp upx 
behavioral2/memory/5044-82-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/5044-81-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/5044-80-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3084-73-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1344-67-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4832-59-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4732-51-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4400-33-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4400-28-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3644-23-0x0000000000400000-0x0000000000429000-memory.dmp upx -
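Suspicious use of WriteProcessMemory 64 IoCs
Note: PIDs 544 and 944 are each used by two different processes in this run (544 by pjpjp.exe and later 5thbbn.exe; 944 by vdpdd.exe and later pdpjj.exe), and the target-process names in the rows for those PIDs appear to be resolved to the later process. The process tree below shows nbnnnn.exe (PID 704) launching pjpjp.exe (PID 544) and bnbbhn.exe (PID 1768) launching vdpdd.exe (PID 944), so correlate these rows by position in the tree rather than by PID alone.
Processes: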
eecc4a2260d8f4d3303a297dfcd8424820d6bca6781290b87dbcc2317bff0d3b.exe3nbbbh.exejdjdd.exehbhhhh.exejdddv.exe3vjjp.exe9llfllx.exenhtnnn.exelrfxrxr.exehbnnnt.exenbtnnn.exejpdvp.exethntnn.exevvvvv.exe5vvvp.exexxrxlrf.exedvvdj.exefxxxxll.exe9lxxxll.exenbnnnn.exepjpjp.exebnbbhn.exedescription pid process target process PID 4632 wrote to memory of 436 4632 eecc4a2260d8f4d3303a297dfcd8424820d6bca6781290b87dbcc2317bff0d3b.exe 3nbbbh.exe PID 4632 wrote to memory of 436 4632 eecc4a2260d8f4d3303a297dfcd8424820d6bca6781290b87dbcc2317bff0d3b.exe 3nbbbh.exe PID 4632 wrote to memory of 436 4632 eecc4a2260d8f4d3303a297dfcd8424820d6bca6781290b87dbcc2317bff0d3b.exe 3nbbbh.exe PID 436 wrote to memory of 3644 436 3nbbbh.exe jdjdd.exe PID 436 wrote to memory of 3644 436 3nbbbh.exe jdjdd.exe PID 436 wrote to memory of 3644 436 3nbbbh.exe jdjdd.exe PID 3644 wrote to memory of 4400 3644 jdjdd.exe hbhhhh.exe PID 3644 wrote to memory of 4400 3644 jdjdd.exe hbhhhh.exe PID 3644 wrote to memory of 4400 3644 jdjdd.exe hbhhhh.exe PID 4400 wrote to memory of 1648 4400 hbhhhh.exe jdddv.exe PID 4400 wrote to memory of 1648 4400 hbhhhh.exe jdddv.exe PID 4400 wrote to memory of 1648 4400 hbhhhh.exe jdddv.exe PID 1648 wrote to memory of 912 1648 jdddv.exe 3vjjp.exe PID 1648 wrote to memory of 912 1648 jdddv.exe 3vjjp.exe PID 1648 wrote to memory of 912 1648 jdddv.exe 3vjjp.exe PID 912 wrote to memory of 4732 912 3vjjp.exe 9llfllx.exe PID 912 wrote to memory of 4732 912 3vjjp.exe 9llfllx.exe PID 912 wrote to memory of 4732 912 3vjjp.exe 9llfllx.exe PID 4732 wrote to memory of 4832 4732 9llfllx.exe nhtnnn.exe PID 4732 wrote to memory of 4832 4732 9llfllx.exe nhtnnn.exe PID 4732 wrote to memory of 4832 4732 9llfllx.exe nhtnnn.exe PID 4832 wrote to memory of 1344 4832 nhtnnn.exe lrfxrxr.exe PID 4832 wrote to memory of 1344 4832 nhtnnn.exe lrfxrxr.exe PID 4832 wrote to memory of 1344 4832 nhtnnn.exe lrfxrxr.exe PID 1344 wrote to memory of 3084 1344 lrfxrxr.exe hbnnnt.exe PID 1344 wrote to memory of 3084 1344 
lrfxrxr.exe hbnnnt.exe PID 1344 wrote to memory of 3084 1344 lrfxrxr.exe hbnnnt.exe PID 3084 wrote to memory of 5044 3084 hbnnnt.exe nbtnnn.exe PID 3084 wrote to memory of 5044 3084 hbnnnt.exe nbtnnn.exe PID 3084 wrote to memory of 5044 3084 hbnnnt.exe nbtnnn.exe PID 5044 wrote to memory of 3740 5044 nbtnnn.exe jpdvp.exe PID 5044 wrote to memory of 3740 5044 nbtnnn.exe jpdvp.exe PID 5044 wrote to memory of 3740 5044 nbtnnn.exe jpdvp.exe PID 3740 wrote to memory of 3088 3740 jpdvp.exe thntnn.exe PID 3740 wrote to memory of 3088 3740 jpdvp.exe thntnn.exe PID 3740 wrote to memory of 3088 3740 jpdvp.exe thntnn.exe PID 3088 wrote to memory of 2144 3088 thntnn.exe vvvvv.exe PID 3088 wrote to memory of 2144 3088 thntnn.exe vvvvv.exe PID 3088 wrote to memory of 2144 3088 thntnn.exe vvvvv.exe PID 2144 wrote to memory of 1924 2144 vvvvv.exe 5vvvp.exe PID 2144 wrote to memory of 1924 2144 vvvvv.exe 5vvvp.exe PID 2144 wrote to memory of 1924 2144 vvvvv.exe 5vvvp.exe PID 1924 wrote to memory of 228 1924 5vvvp.exe xxrxlrf.exe PID 1924 wrote to memory of 228 1924 5vvvp.exe xxrxlrf.exe PID 1924 wrote to memory of 228 1924 5vvvp.exe xxrxlrf.exe PID 228 wrote to memory of 1292 228 xxrxlrf.exe dvvdj.exe PID 228 wrote to memory of 1292 228 xxrxlrf.exe dvvdj.exe PID 228 wrote to memory of 1292 228 xxrxlrf.exe dvvdj.exe PID 1292 wrote to memory of 2876 1292 dvvdj.exe fxxxxll.exe PID 1292 wrote to memory of 2876 1292 dvvdj.exe fxxxxll.exe PID 1292 wrote to memory of 2876 1292 dvvdj.exe fxxxxll.exe PID 2876 wrote to memory of 2100 2876 fxxxxll.exe 9lxxxll.exe PID 2876 wrote to memory of 2100 2876 fxxxxll.exe 9lxxxll.exe PID 2876 wrote to memory of 2100 2876 fxxxxll.exe 9lxxxll.exe PID 2100 wrote to memory of 704 2100 9lxxxll.exe nbnnnn.exe PID 2100 wrote to memory of 704 2100 9lxxxll.exe nbnnnn.exe PID 2100 wrote to memory of 704 2100 9lxxxll.exe nbnnnn.exe PID 704 wrote to memory of 544 704 nbnnnn.exe 5thbbn.exe PID 704 wrote to memory of 544 704 nbnnnn.exe 5thbbn.exe PID 704 wrote to 
memory of 544 704 nbnnnn.exe 5thbbn.exe PID 544 wrote to memory of 1768 544 pjpjp.exe bnbbhn.exe PID 544 wrote to memory of 1768 544 pjpjp.exe bnbbhn.exe PID 544 wrote to memory of 1768 544 pjpjp.exe bnbbhn.exe PID 1768 wrote to memory of 944 1768 bnbbhn.exe pdpjj.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\eecc4a2260d8f4d3303a297dfcd8424820d6bca6781290b87dbcc2317bff0d3b.exe"C:\Users\Admin\AppData\Local\Temp\eecc4a2260d8f4d3303a297dfcd8424820d6bca6781290b87dbcc2317bff0d3b.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4632 -
\??\c:\3nbbbh.exec:\3nbbbh.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:436 -
\??\c:\jdjdd.exec:\jdjdd.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3644 -
\??\c:\hbhhhh.exec:\hbhhhh.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4400 -
\??\c:\jdddv.exec:\jdddv.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1648 -
\??\c:\3vjjp.exec:\3vjjp.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:912 -
\??\c:\9llfllx.exec:\9llfllx.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4732 -
\??\c:\nhtnnn.exec:\nhtnnn.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4832 -
\??\c:\lrfxrxr.exec:\lrfxrxr.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1344 -
\??\c:\hbnnnt.exec:\hbnnnt.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3084 -
\??\c:\nbtnnn.exec:\nbtnnn.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5044 -
\??\c:\jpdvp.exec:\jpdvp.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3740 -
\??\c:\thntnn.exec:\thntnn.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3088 -
\??\c:\vvvvv.exec:\vvvvv.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2144 -
\??\c:\5vvvp.exec:\5vvvp.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1924 -
\??\c:\xxrxlrf.exec:\xxrxlrf.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:228 -
\??\c:\dvvdj.exec:\dvvdj.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1292 -
\??\c:\fxxxxll.exec:\fxxxxll.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2876 -
\??\c:\9lxxxll.exec:\9lxxxll.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2100 -
\??\c:\nbnnnn.exec:\nbnnnn.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:704 -
\??\c:\pjpjp.exec:\pjpjp.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:544 -
\??\c:\bnbbhn.exec:\bnbbhn.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1768 -
\??\c:\vdpdd.exec:\vdpdd.exe23⤵
- Executes dropped EXE
PID:944 -
\??\c:\9lxlxrf.exec:\9lxlxrf.exe24⤵
- Executes dropped EXE
PID:3420 -
\??\c:\rllffll.exec:\rllffll.exe25⤵
- Executes dropped EXE
PID:364 -
\??\c:\pvppd.exec:\pvppd.exe26⤵
- Executes dropped EXE
PID:2324 -
\??\c:\lxrxrrr.exec:\lxrxrrr.exe27⤵
- Executes dropped EXE
PID:1116 -
\??\c:\htbhht.exec:\htbhht.exe28⤵
- Executes dropped EXE
PID:3044 -
\??\c:\bnnnht.exec:\bnnnht.exe29⤵
- Executes dropped EXE
PID:1784 -
\??\c:\jddpd.exec:\jddpd.exe30⤵
- Executes dropped EXE
PID:1916 -
\??\c:\xrlfxxr.exec:\xrlfxxr.exe31⤵
- Executes dropped EXE
PID:984 -
\??\c:\dpddv.exec:\dpddv.exe32⤵
- Executes dropped EXE
PID:1848 -
\??\c:\fxllrlr.exec:\fxllrlr.exe33⤵
- Executes dropped EXE
PID:4576 -
\??\c:\bhbnbt.exec:\bhbnbt.exe34⤵
- Executes dropped EXE
PID:1164 -
\??\c:\ppppp.exec:\ppppp.exe35⤵
- Executes dropped EXE
PID:5112 -
\??\c:\pvppv.exec:\pvppv.exe36⤵
- Executes dropped EXE
PID:3836 -
\??\c:\lrfxxxx.exec:\lrfxxxx.exe37⤵
- Executes dropped EXE
PID:836 -
\??\c:\tbnhth.exec:\tbnhth.exe38⤵
- Executes dropped EXE
PID:3448 -
\??\c:\7vppj.exec:\7vppj.exe39⤵
- Executes dropped EXE
PID:2064 -
\??\c:\pdppp.exec:\pdppp.exe40⤵
- Executes dropped EXE
PID:1648 -
\??\c:\llfllrx.exec:\llfllrx.exe41⤵
- Executes dropped EXE
PID:3064 -
\??\c:\bbbbbb.exec:\bbbbbb.exe42⤵
- Executes dropped EXE
PID:3584 -
\??\c:\thhhbn.exec:\thhhbn.exe43⤵
- Executes dropped EXE
PID:3972 -
\??\c:\fflfrfl.exec:\fflfrfl.exe44⤵
- Executes dropped EXE
PID:3384 -
\??\c:\nhhbtn.exec:\nhhbtn.exe45⤵
- Executes dropped EXE
PID:1944 -
\??\c:\jjppj.exec:\jjppj.exe46⤵
- Executes dropped EXE
PID:4532 -
\??\c:\9rrlrrl.exec:\9rrlrrl.exe47⤵
- Executes dropped EXE
PID:2248 -
\??\c:\xfxrrlr.exec:\xfxrrlr.exe48⤵
- Executes dropped EXE
PID:3904 -
\??\c:\httttb.exec:\httttb.exe49⤵
- Executes dropped EXE
PID:4056 -
\??\c:\vjpjd.exec:\vjpjd.exe50⤵
- Executes dropped EXE
PID:4988 -
\??\c:\xxfxrrr.exec:\xxfxrrr.exe51⤵
- Executes dropped EXE
PID:1968 -
\??\c:\ttbhnt.exec:\ttbhnt.exe52⤵
- Executes dropped EXE
PID:3164 -
\??\c:\vpjjp.exec:\vpjjp.exe53⤵
- Executes dropped EXE
PID:1368 -
\??\c:\3xflfll.exec:\3xflfll.exe54⤵
- Executes dropped EXE
PID:2360 -
\??\c:\fxrrrrr.exec:\fxrrrrr.exe55⤵
- Executes dropped EXE
PID:2876 -
\??\c:\1djpv.exec:\1djpv.exe56⤵
- Executes dropped EXE
PID:2840 -
\??\c:\vdddd.exec:\vdddd.exe57⤵
- Executes dropped EXE
PID:2480 -
\??\c:\xllfxlf.exec:\xllfxlf.exe58⤵
- Executes dropped EXE
PID:2680 -
\??\c:\5thbbn.exec:\5thbbn.exe59⤵
- Executes dropped EXE
PID:544 -
\??\c:\3pdvp.exec:\3pdvp.exe60⤵
- Executes dropped EXE
PID:3104 -
\??\c:\pdpjj.exec:\pdpjj.exe61⤵
- Executes dropped EXE
PID:944 -
\??\c:\fxfrxrx.exec:\fxfrxrx.exe62⤵
- Executes dropped EXE
PID:2116 -
\??\c:\btbnnb.exec:\btbnnb.exe63⤵
- Executes dropped EXE
PID:4152 -
\??\c:\jpjjv.exec:\jpjjv.exe64⤵
- Executes dropped EXE
PID:3520 -
\??\c:\ffxrffl.exec:\ffxrffl.exe65⤵
- Executes dropped EXE
PID:3920 -
\??\c:\dddjp.exec:\dddjp.exe66⤵PID:2312
-
\??\c:\frxxfff.exec:\frxxfff.exe67⤵PID:2776
-
\??\c:\hbhbht.exec:\hbhbht.exe68⤵PID:3984
-
\??\c:\9ppvv.exec:\9ppvv.exe69⤵PID:1700
-
\??\c:\fxlllxx.exec:\fxlllxx.exe70⤵PID:3040
-
\??\c:\nhnhhn.exec:\nhnhhn.exe71⤵PID:3692
-
\??\c:\vjvvj.exec:\vjvvj.exe72⤵PID:2004
-
\??\c:\fllfxxr.exec:\fllfxxr.exe73⤵PID:4380
-
\??\c:\tbbtnh.exec:\tbbtnh.exe74⤵PID:1236
-
\??\c:\7vddv.exec:\7vddv.exe75⤵PID:5112
-
\??\c:\fxxrllx.exec:\fxxrllx.exe76⤵PID:2636
-
\??\c:\hbnnnn.exec:\hbnnnn.exe77⤵PID:3392
-
\??\c:\bhhbnh.exec:\bhhbnh.exe78⤵PID:3624
-
\??\c:\3djdv.exec:\3djdv.exe79⤵PID:3448
-
\??\c:\lrrlfff.exec:\lrrlfff.exe80⤵PID:2064
-
\??\c:\thnhhh.exec:\thnhhh.exe81⤵PID:4708
-
\??\c:\jdddd.exec:\jdddd.exe82⤵PID:876
-
\??\c:\ddppv.exec:\ddppv.exe83⤵PID:5116
-
\??\c:\3xllfff.exec:\3xllfff.exe84⤵PID:3992
-
\??\c:\bhnnht.exec:\bhnnht.exe85⤵PID:3132
-
\??\c:\jjppp.exec:\jjppp.exe86⤵PID:4660
-
\??\c:\5xfxrxr.exec:\5xfxrxr.exe87⤵PID:412
-
\??\c:\tthbnn.exec:\tthbnn.exe88⤵PID:4004
-
\??\c:\ppdjv.exec:\ppdjv.exe89⤵PID:4472
-
\??\c:\lfrllrl.exec:\lfrllrl.exe90⤵PID:3904
-
\??\c:\tntnnn.exec:\tntnnn.exe91⤵PID:216
-
\??\c:\ttnhth.exec:\ttnhth.exe92⤵PID:4652
-
\??\c:\jjvvd.exec:\jjvvd.exe93⤵PID:3228
-
\??\c:\xrrlfff.exec:\xrrlfff.exe94⤵PID:1672
-
\??\c:\thttbh.exec:\thttbh.exe95⤵PID:1808
-
\??\c:\7btnhb.exec:\7btnhb.exe96⤵PID:464
-
\??\c:\ppddp.exec:\ppddp.exe97⤵PID:1976
-
\??\c:\9flfxxx.exec:\9flfxxx.exe98⤵PID:3880
-
\??\c:\fxfxfxx.exec:\fxfxfxx.exe99⤵PID:3996
-
\??\c:\tbtntn.exec:\tbtntn.exe100⤵PID:768
-
\??\c:\ddppd.exec:\ddppd.exe101⤵PID:4940
-
\??\c:\ddvvd.exec:\ddvvd.exe102⤵PID:2308
-
\??\c:\lllfxrr.exec:\lllfxrr.exe103⤵PID:3320
-
\??\c:\5btnhh.exec:\5btnhh.exe104⤵PID:4156
-
\??\c:\tbnthn.exec:\tbnthn.exe105⤵PID:1592
-
\??\c:\jdjjp.exec:\jdjjp.exe106⤵PID:1784
-
\??\c:\rrxfxxr.exec:\rrxfxxr.exe107⤵PID:3180
-
\??\c:\llflfll.exec:\llflfll.exe108⤵PID:3148
-
\??\c:\btnnnn.exec:\btnnnn.exe109⤵PID:1848
-
\??\c:\pjjdv.exec:\pjjdv.exe110⤵PID:1872
-
\??\c:\jvddv.exec:\jvddv.exe111⤵PID:4380
-
\??\c:\fxxrrrx.exec:\fxxrrrx.exe112⤵PID:3080
-
\??\c:\tbttnt.exec:\tbttnt.exe113⤵PID:1572
-
\??\c:\jdjdv.exec:\jdjdv.exe114⤵PID:4640
-
\??\c:\ffllrrl.exec:\ffllrrl.exe115⤵PID:3800
-
\??\c:\9ffflxr.exec:\9ffflxr.exe116⤵PID:2772
-
\??\c:\5ntnbb.exec:\5ntnbb.exe117⤵PID:2072
-
\??\c:\jpdvp.exec:\jpdvp.exe118⤵PID:4880
-
\??\c:\7ffxxxx.exec:\7ffxxxx.exe119⤵PID:2180
-
\??\c:\rllfxrl.exec:\rllfxrl.exe120⤵PID:5096
-
\??\c:\hhhbbb.exec:\hhhbbb.exe121⤵PID:1560
-
\??\c:\tnhbbb.exec:\tnhbbb.exe122⤵PID:404
-