Analysis
-
max time kernel
150s -
max time network
135s -
platform
windows10-2004_x64 -
resource
win10v2004-20240611-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240611-en locale:en-us os:windows10-2004-x64 system -
submitted
21-06-2024 01:26
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
9acee2f9f0707bb64d96822025e0d953857d98dc35f544858fd2b9751e870d71.exe
Resource
win7-20240508-en
6 signatures
150 seconds
General
-
Target
9acee2f9f0707bb64d96822025e0d953857d98dc35f544858fd2b9751e870d71.exe
-
Size
345KB
-
MD5
13da0427b6343b55b5ac929f3da93d09
-
SHA1
4236eac7a17ca15a9b3f43b67160a49939365480
-
SHA256
9acee2f9f0707bb64d96822025e0d953857d98dc35f544858fd2b9751e870d71
-
SHA512
0a8157345658d111de9a764009c854f394a866f15ab2097e7c692aa241b754a54af0fa37f43871878971fea4d494002513570fb437e7e1c52cb0c183289fb390
-
SSDEEP
6144:n3C9BRo/AIX2MUXownfWQkyCpxwJz9e0pQowLh3EhToK9cT085mnFhXjmnwJQyIX:n3C9uDnUXoSWlnwJv90aKToFqwfIBd
Malware Config
Signatures
-
Detect Blackmoon payload 27 IoCs
UPX dump on OEP (original entry point) 27 IoCs
Executes dropped EXE 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\9acee2f9f0707bb64d96822025e0d953857d98dc35f544858fd2b9751e870d71.exe"C:\Users\Admin\AppData\Local\Temp\9acee2f9f0707bb64d96822025e0d953857d98dc35f544858fd2b9751e870d71.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:384 -
\??\c:\nhhbbb.exec:\nhhbbb.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4972 -
\??\c:\dddpj.exec:\dddpj.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3644 -
\??\c:\vdvvp.exec:\vdvvp.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2116 -
\??\c:\fxfxxxr.exec:\fxfxxxr.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3420 -
\??\c:\jddvd.exec:\jddvd.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4908 -
\??\c:\fxllffx.exec:\fxllffx.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4512 -
\??\c:\thbhth.exec:\thbhth.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3928 -
\??\c:\3lrrxxf.exec:\3lrrxxf.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4432 -
\??\c:\xrlflfl.exec:\xrlflfl.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3424 -
\??\c:\bnbbbb.exec:\bnbbbb.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2036 -
\??\c:\jvdvp.exec:\jvdvp.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4480 -
\??\c:\flrlllf.exec:\flrlllf.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3384 -
\??\c:\tnhhtn.exec:\tnhhtn.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3144 -
\??\c:\xrrlfxx.exec:\xrrlfxx.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1332 -
\??\c:\nbbtnh.exec:\nbbtnh.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2172 -
\??\c:\vpvdv.exec:\vpvdv.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2624 -
\??\c:\lxxrllf.exec:\lxxrllf.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5036 -
\??\c:\tttnnh.exec:\tttnnh.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1780 -
\??\c:\pddjd.exec:\pddjd.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2212 -
\??\c:\nnbnnn.exec:\nnbnnn.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:400 -
\??\c:\ppdvp.exec:\ppdvp.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4944 -
\??\c:\xxfxlxr.exec:\xxfxlxr.exe23⤵
- Executes dropped EXE
PID:1296 -
\??\c:\hhnhbb.exec:\hhnhbb.exe24⤵
- Executes dropped EXE
PID:1280 -
\??\c:\7vddv.exec:\7vddv.exe25⤵
- Executes dropped EXE
PID:4428 -
\??\c:\btbthh.exec:\btbthh.exe26⤵
- Executes dropped EXE
PID:3052 -
\??\c:\pjdpj.exec:\pjdpj.exe27⤵
- Executes dropped EXE
PID:1104 -
\??\c:\vpvpp.exec:\vpvpp.exe28⤵
- Executes dropped EXE
PID:628 -
\??\c:\fxlllfx.exec:\fxlllfx.exe29⤵
- Executes dropped EXE
PID:1272 -
\??\c:\nnbnnb.exec:\nnbnnb.exe30⤵
- Executes dropped EXE
PID:1564 -
\??\c:\jpdvp.exec:\jpdvp.exe31⤵
- Executes dropped EXE
PID:2692 -
\??\c:\nbhhnn.exec:\nbhhnn.exe32⤵
- Executes dropped EXE
PID:1848 -
\??\c:\nhtntb.exec:\nhtntb.exe33⤵
- Executes dropped EXE
PID:2116 -
\??\c:\ppjjd.exec:\ppjjd.exe34⤵
- Executes dropped EXE
PID:516 -
\??\c:\bbbhnt.exec:\bbbhnt.exe35⤵
- Executes dropped EXE
PID:2040 -
\??\c:\jvvpd.exec:\jvvpd.exe36⤵
- Executes dropped EXE
PID:3764 -
\??\c:\bnhtnt.exec:\bnhtnt.exe37⤵
- Executes dropped EXE
PID:4360 -
\??\c:\dppvp.exec:\dppvp.exe38⤵
- Executes dropped EXE
PID:1136 -
\??\c:\jvddj.exec:\jvddj.exe39⤵
- Executes dropped EXE
PID:4192 -
\??\c:\rfrfffl.exec:\rfrfffl.exe40⤵
- Executes dropped EXE
PID:3840 -
\??\c:\hbhbhb.exec:\hbhbhb.exe41⤵
- Executes dropped EXE
PID:1828 -
\??\c:\1llfllf.exec:\1llfllf.exe42⤵
- Executes dropped EXE
PID:3992 -
\??\c:\hnnthb.exec:\hnnthb.exe43⤵
- Executes dropped EXE
PID:1468 -
\??\c:\5ffxlfx.exec:\5ffxlfx.exe44⤵
- Executes dropped EXE
PID:2964 -
\??\c:\nbthbt.exec:\nbthbt.exe45⤵
- Executes dropped EXE
PID:804 -
\??\c:\vpdvj.exec:\vpdvj.exe46⤵
- Executes dropped EXE
PID:3900 -
\??\c:\rffrfxl.exec:\rffrfxl.exe47⤵
- Executes dropped EXE
PID:1204 -
\??\c:\3xxlffx.exec:\3xxlffx.exe48⤵
- Executes dropped EXE
PID:3384 -
\??\c:\bhtbbb.exec:\bhtbbb.exe49⤵
- Executes dropped EXE
PID:2912 -
\??\c:\7pdpd.exec:\7pdpd.exe50⤵
- Executes dropped EXE
PID:1472 -
\??\c:\7ddpv.exec:\7ddpv.exe51⤵
- Executes dropped EXE
PID:2092 -
\??\c:\xlfxlfr.exec:\xlfxlfr.exe52⤵
- Executes dropped EXE
PID:3436 -
\??\c:\tbbhth.exec:\tbbhth.exe53⤵
- Executes dropped EXE
PID:736 -
\??\c:\5bbbnh.exec:\5bbbnh.exe54⤵
- Executes dropped EXE
PID:4956 -
\??\c:\jpvjj.exec:\jpvjj.exe55⤵
- Executes dropped EXE
PID:4000 -
\??\c:\xxfxlfx.exec:\xxfxlfx.exe56⤵
- Executes dropped EXE
PID:2960 -
\??\c:\fxrrlfx.exec:\fxrrlfx.exe57⤵
- Executes dropped EXE
PID:1188 -
\??\c:\9nbtnn.exec:\9nbtnn.exe58⤵
- Executes dropped EXE
PID:3576 -
\??\c:\9tthtb.exec:\9tthtb.exe59⤵
- Executes dropped EXE
PID:1924 -
\??\c:\jpvdj.exec:\jpvdj.exe60⤵
- Executes dropped EXE
PID:3416 -
\??\c:\xfxrfrf.exec:\xfxrfrf.exe61⤵
- Executes dropped EXE
PID:800 -
\??\c:\lxxlrlx.exec:\lxxlrlx.exe62⤵
- Executes dropped EXE
PID:1404 -
\??\c:\tntnbt.exec:\tntnbt.exe63⤵
- Executes dropped EXE
PID:828 -
\??\c:\dvpdv.exec:\dvpdv.exe64⤵
- Executes dropped EXE
PID:4936 -
\??\c:\jpjvp.exec:\jpjvp.exe65⤵
- Executes dropped EXE
PID:1736 -
\??\c:\1rlxllf.exec:\1rlxllf.exe66⤵PID:4544
-
\??\c:\nhhbtn.exec:\nhhbtn.exe67⤵PID:4108
-
\??\c:\dddpv.exec:\dddpv.exe68⤵PID:3124
-
\??\c:\3pppj.exec:\3pppj.exe69⤵PID:412
-
\??\c:\xfrxrff.exec:\xfrxrff.exe70⤵PID:4392
-
\??\c:\1tnhhh.exec:\1tnhhh.exe71⤵PID:1564
-
\??\c:\vjdvp.exec:\vjdvp.exe72⤵PID:1852
-
\??\c:\9jvjv.exec:\9jvjv.exe73⤵PID:2672
-
\??\c:\3fxlfrl.exec:\3fxlfrl.exe74⤵PID:3696
-
\??\c:\ttnbtn.exec:\ttnbtn.exe75⤵PID:4712
-
\??\c:\htbhbt.exec:\htbhbt.exe76⤵PID:2984
-
\??\c:\jvvpj.exec:\jvvpj.exe77⤵PID:2040
-
\??\c:\vjjvj.exec:\vjjvj.exe78⤵PID:1796
-
\??\c:\frxlxlx.exec:\frxlxlx.exe79⤵PID:4360
-
\??\c:\nhhbtn.exec:\nhhbtn.exe80⤵PID:4724
-
\??\c:\btbnnh.exec:\btbnnh.exe81⤵PID:4764
-
\??\c:\3jvpj.exec:\3jvpj.exe82⤵PID:3424
-
\??\c:\3flxxrl.exec:\3flxxrl.exe83⤵PID:2276
-
\??\c:\7xrlxxl.exec:\7xrlxxl.exe84⤵PID:464
-
\??\c:\1htnbb.exec:\1htnbb.exe85⤵PID:3148
-
\??\c:\3tthbt.exec:\3tthbt.exe86⤵PID:804
-
\??\c:\vjdjv.exec:\vjdjv.exe87⤵PID:1348
-
\??\c:\lllxlfr.exec:\lllxlfr.exe88⤵PID:3748
-
\??\c:\xxfrlfx.exec:\xxfrlfx.exe89⤵PID:5116
-
\??\c:\1hhbtn.exec:\1hhbtn.exe90⤵PID:4436
-
\??\c:\jdpjv.exec:\jdpjv.exe91⤵PID:2172
-
\??\c:\ddvdj.exec:\ddvdj.exe92⤵PID:2756
-
\??\c:\xllxlxl.exec:\xllxlxl.exe93⤵PID:5076
-
\??\c:\5nttnt.exec:\5nttnt.exe94⤵PID:2624
-
\??\c:\nhhthh.exec:\nhhthh.exe95⤵PID:1836
-
\??\c:\dpjdp.exec:\dpjdp.exe96⤵PID:4000
-
\??\c:\lxxlfxr.exec:\lxxlfxr.exe97⤵PID:4740
-
\??\c:\9rlxllx.exec:\9rlxllx.exe98⤵PID:1188
-
\??\c:\hnbhbb.exec:\hnbhbb.exe99⤵PID:3576
-
\??\c:\nbbthb.exec:\nbbthb.exe100⤵PID:948
-
\??\c:\pjjdd.exec:\pjjdd.exe101⤵PID:2356
-
\??\c:\vvdvj.exec:\vvdvj.exe102⤵PID:800
-
\??\c:\9rlxlfr.exec:\9rlxlfr.exe103⤵PID:3140
-
\??\c:\ttnnnh.exec:\ttnnnh.exe104⤵PID:1184
-
\??\c:\vppdd.exec:\vppdd.exe105⤵PID:4936
-
\??\c:\9jjvp.exec:\9jjvp.exe106⤵PID:2032
-
\??\c:\xxxrlfx.exec:\xxxrlfx.exe107⤵PID:1700
-
\??\c:\htbnhb.exec:\htbnhb.exe108⤵PID:4220
-
\??\c:\bbhnhb.exec:\bbhnhb.exe109⤵PID:2976
-
\??\c:\dppjv.exec:\dppjv.exe110⤵PID:5072
-
\??\c:\dvjvp.exec:\dvjvp.exe111⤵PID:4980
-
\??\c:\rxxlxrf.exec:\rxxlxrf.exe112⤵PID:4712
-
\??\c:\ntnbtn.exec:\ntnbtn.exe113⤵PID:8
-
\??\c:\hbntnh.exec:\hbntnh.exe114⤵PID:864
-
\??\c:\dvdpd.exec:\dvdpd.exe115⤵PID:1400
-
\??\c:\rrfxlfr.exec:\rrfxlfr.exe116⤵PID:3116
-
\??\c:\tbbthb.exec:\tbbthb.exe117⤵PID:3848
-
\??\c:\hhttnb.exec:\hhttnb.exe118⤵PID:1580
-
\??\c:\pvvjv.exec:\pvvjv.exe119⤵PID:3096
-
\??\c:\pdpdv.exec:\pdpdv.exe120⤵PID:4904
-
\??\c:\lrrlrlf.exec:\lrrlrlf.exe121⤵PID:532
-
\??\c:\bthbth.exec:\bthbth.exe122⤵PID:3300