Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240611-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240611-en locale:en-us os:windows10-2004-x64 system -
submitted
21-06-2024 05:10
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
ef85ee945c0c4713ee502e597c4b11f02d51d0b2f04112ff699662093349c798.exe
Resource
win7-20231129-en
6 signatures
150 seconds
General
-
Target
ef85ee945c0c4713ee502e597c4b11f02d51d0b2f04112ff699662093349c798.exe
-
Size
394KB
-
MD5
7d7be8aae6008ed64716476b06c1d783
-
SHA1
19306cb4773938f1998c5732f8472a8e132e6606
-
SHA256
ef85ee945c0c4713ee502e597c4b11f02d51d0b2f04112ff699662093349c798
-
SHA512
e87cd8336060f02f2ccfc59747a8e476740494d5097a1daa47f0c6fe6bd8d3d9a0196141fc179b9aaf75911240236eccd93f66415fde22cd813341400faa994d
-
SSDEEP
6144:n3C9BRIG0asYFm71mPfkVB8dKwaO5CVwOlz:n3C9uYA7okVqdKwaO5CVz
Malware Config
Signatures
-
Detect Blackmoon payload 25 IoCs
UPX dump on OEP (original entry point) 28 IoCs
Executes dropped EXE 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\ef85ee945c0c4713ee502e597c4b11f02d51d0b2f04112ff699662093349c798.exe"C:\Users\Admin\AppData\Local\Temp\ef85ee945c0c4713ee502e597c4b11f02d51d0b2f04112ff699662093349c798.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2860 -
\??\c:\jdjdd.exec:\jdjdd.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4576 -
\??\c:\bbnnhh.exec:\bbnnhh.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1724 -
\??\c:\5dpjd.exec:\5dpjd.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2292 -
\??\c:\1rxxrxr.exec:\1rxxrxr.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1228 -
\??\c:\vpddv.exec:\vpddv.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2708 -
\??\c:\xllxrff.exec:\xllxrff.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3720 -
\??\c:\pjpjj.exec:\pjpjj.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4532 -
\??\c:\xxfflll.exec:\xxfflll.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3952 -
\??\c:\ppjjj.exec:\ppjjj.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5104 -
\??\c:\rxxxxlf.exec:\rxxxxlf.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1804 -
\??\c:\thnnnn.exec:\thnnnn.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3584 -
\??\c:\ddvpp.exec:\ddvpp.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1440 -
\??\c:\hnnhbb.exec:\hnnhbb.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3068 -
\??\c:\vvvvv.exec:\vvvvv.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3192 -
\??\c:\rlrrlll.exec:\rlrrlll.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5000 -
\??\c:\ddjvv.exec:\ddjvv.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1424 -
\??\c:\lrlllrr.exec:\lrlllrr.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:432 -
\??\c:\vjvvp.exec:\vjvvp.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1960 -
\??\c:\3xlfxxr.exec:\3xlfxxr.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3568 -
\??\c:\7hnnhh.exec:\7hnnhh.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3928 -
\??\c:\9djdd.exec:\9djdd.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3280 -
\??\c:\5nnhbt.exec:\5nnhbt.exe23⤵
- Executes dropped EXE
PID:3276 -
\??\c:\jvvpp.exec:\jvvpp.exe24⤵
- Executes dropped EXE
PID:496 -
\??\c:\7xxxrxx.exec:\7xxxrxx.exe25⤵
- Executes dropped EXE
PID:2080 -
\??\c:\nhtnhn.exec:\nhtnhn.exe26⤵
- Executes dropped EXE
PID:4164 -
\??\c:\9ddvj.exec:\9ddvj.exe27⤵
- Executes dropped EXE
PID:4052 -
\??\c:\3fxrrrl.exec:\3fxrrrl.exe28⤵
- Executes dropped EXE
PID:4124 -
\??\c:\jdddd.exec:\jdddd.exe29⤵
- Executes dropped EXE
PID:4448 -
\??\c:\lxxrrll.exec:\lxxrrll.exe30⤵
- Executes dropped EXE
PID:3088 -
\??\c:\5xrrlll.exec:\5xrrlll.exe31⤵
- Executes dropped EXE
PID:2520 -
\??\c:\hthbbb.exec:\hthbbb.exe32⤵
- Executes dropped EXE
PID:2300 -
\??\c:\vdjpd.exec:\vdjpd.exe33⤵
- Executes dropped EXE
PID:4720 -
\??\c:\1nhbnn.exec:\1nhbnn.exe34⤵
- Executes dropped EXE
PID:4396 -
\??\c:\1bnhnn.exec:\1bnhnn.exe35⤵
- Executes dropped EXE
PID:4024 -
\??\c:\pjddv.exec:\pjddv.exe36⤵
- Executes dropped EXE
PID:4308 -
\??\c:\lrfrrll.exec:\lrfrrll.exe37⤵
- Executes dropped EXE
PID:5112 -
\??\c:\lffxrrx.exec:\lffxrrx.exe38⤵
- Executes dropped EXE
PID:1508 -
\??\c:\bbtnnn.exec:\bbtnnn.exe39⤵
- Executes dropped EXE
PID:3988 -
\??\c:\vvpjj.exec:\vvpjj.exe40⤵
- Executes dropped EXE
PID:1708 -
\??\c:\pdjjj.exec:\pdjjj.exe41⤵
- Executes dropped EXE
PID:2424 -
\??\c:\3llxxrr.exec:\3llxxrr.exe42⤵
- Executes dropped EXE
PID:560 -
\??\c:\tttnnn.exec:\tttnnn.exe43⤵
- Executes dropped EXE
PID:4364 -
\??\c:\nntttb.exec:\nntttb.exe44⤵
- Executes dropped EXE
PID:2132 -
\??\c:\3jddd.exec:\3jddd.exe45⤵
- Executes dropped EXE
PID:4916 -
\??\c:\fxllrrx.exec:\fxllrrx.exe46⤵
- Executes dropped EXE
PID:1944 -
\??\c:\frxrllr.exec:\frxrllr.exe47⤵
- Executes dropped EXE
PID:4064 -
\??\c:\bbttbh.exec:\bbttbh.exe48⤵
- Executes dropped EXE
PID:3204 -
\??\c:\vvjpp.exec:\vvjpp.exe49⤵
- Executes dropped EXE
PID:5028 -
\??\c:\nhhbtt.exec:\nhhbtt.exe50⤵
- Executes dropped EXE
PID:5016 -
\??\c:\dpvvp.exec:\dpvvp.exe51⤵
- Executes dropped EXE
PID:3684 -
\??\c:\fflfrrl.exec:\fflfrrl.exe52⤵
- Executes dropped EXE
PID:3552 -
\??\c:\rxlxlrl.exec:\rxlxlrl.exe53⤵
- Executes dropped EXE
PID:5000 -
\??\c:\btbtnh.exec:\btbtnh.exe54⤵
- Executes dropped EXE
PID:3420 -
\??\c:\7pvvp.exec:\7pvvp.exe55⤵
- Executes dropped EXE
PID:4076 -
\??\c:\vvvvp.exec:\vvvvp.exe56⤵
- Executes dropped EXE
PID:4264 -
\??\c:\rrfffxx.exec:\rrfffxx.exe57⤵
- Executes dropped EXE
PID:3864 -
\??\c:\bhbbhh.exec:\bhbbhh.exe58⤵
- Executes dropped EXE
PID:1992 -
\??\c:\pvppv.exec:\pvppv.exe59⤵
- Executes dropped EXE
PID:5040 -
\??\c:\3ppjd.exec:\3ppjd.exe60⤵
- Executes dropped EXE
PID:3016 -
\??\c:\3rlfrlx.exec:\3rlfrlx.exe61⤵
- Executes dropped EXE
PID:1728 -
\??\c:\hhtttt.exec:\hhtttt.exe62⤵
- Executes dropped EXE
PID:1624 -
\??\c:\vjpjv.exec:\vjpjv.exe63⤵
- Executes dropped EXE
PID:3432 -
\??\c:\5fxxxff.exec:\5fxxxff.exe64⤵
- Executes dropped EXE
PID:496 -
\??\c:\9xffxxx.exec:\9xffxxx.exe65⤵
- Executes dropped EXE
PID:4844 -
\??\c:\hhhttb.exec:\hhhttb.exe66⤵PID:1912
-
\??\c:\vvvvp.exec:\vvvvp.exe67⤵PID:1416
-
\??\c:\ddvpj.exec:\ddvpj.exe68⤵PID:2188
-
\??\c:\flxrllf.exec:\flxrllf.exe69⤵PID:4124
-
\??\c:\nbnhbb.exec:\nbnhbb.exe70⤵PID:1248
-
\??\c:\jdjpj.exec:\jdjpj.exe71⤵PID:1368
-
\??\c:\djppj.exec:\djppj.exe72⤵PID:232
-
\??\c:\7fxrxxf.exec:\7fxrxxf.exe73⤵PID:3556
-
\??\c:\ntnhhh.exec:\ntnhhh.exe74⤵PID:1600
-
\??\c:\pvddd.exec:\pvddd.exe75⤵PID:4372
-
\??\c:\jjppj.exec:\jjppj.exe76⤵PID:2736
-
\??\c:\llfxrxr.exec:\llfxrxr.exe77⤵PID:4396
-
\??\c:\nbhbtb.exec:\nbhbtb.exe78⤵PID:4408
-
\??\c:\ntnnhh.exec:\ntnnhh.exe79⤵PID:1724
-
\??\c:\dvdvp.exec:\dvdvp.exe80⤵PID:1020
-
\??\c:\lllllrf.exec:\lllllrf.exe81⤵PID:3744
-
\??\c:\xrfffff.exec:\xrfffff.exe82⤵PID:1708
-
\??\c:\bhhtnn.exec:\bhhtnn.exe83⤵PID:2424
-
\??\c:\dvdvj.exec:\dvdvj.exe84⤵PID:1936
-
\??\c:\lrfxrrr.exec:\lrfxrrr.exe85⤵PID:4364
-
\??\c:\rlfxrrf.exec:\rlfxrrf.exe86⤵PID:2132
-
\??\c:\hbbtnn.exec:\hbbtnn.exe87⤵PID:4636
-
\??\c:\hthbbt.exec:\hthbbt.exe88⤵PID:2120
-
\??\c:\5jdvp.exec:\5jdvp.exe89⤵PID:1804
-
\??\c:\rxrlfll.exec:\rxrlfll.exe90⤵PID:776
-
\??\c:\hnnntt.exec:\hnnntt.exe91⤵PID:2032
-
\??\c:\bthbbt.exec:\bthbbt.exe92⤵PID:4436
-
\??\c:\vpjjp.exec:\vpjjp.exe93⤵PID:5016
-
\??\c:\9flfxxr.exec:\9flfxxr.exe94⤵PID:1528
-
\??\c:\xxflfff.exec:\xxflfff.exe95⤵PID:4068
-
\??\c:\htnhhb.exec:\htnhhb.exe96⤵PID:1272
-
\??\c:\5thhhh.exec:\5thhhh.exe97⤵PID:5116
-
\??\c:\pdvvv.exec:\pdvvv.exe98⤵PID:980
-
\??\c:\lffxrrr.exec:\lffxrrr.exe99⤵PID:4076
-
\??\c:\1xfxxfx.exec:\1xfxxfx.exe100⤵PID:4780
-
\??\c:\tnnnhh.exec:\tnnnhh.exe101⤵PID:4992
-
\??\c:\vvvvv.exec:\vvvvv.exe102⤵PID:2948
-
\??\c:\3jvvp.exec:\3jvvp.exe103⤵PID:2752
-
\??\c:\fxrlllx.exec:\fxrlllx.exe104⤵PID:4392
-
\??\c:\rfrrllf.exec:\rfrrllf.exe105⤵PID:2340
-
\??\c:\hhbbbb.exec:\hhbbbb.exe106⤵PID:4428
-
\??\c:\jvvpj.exec:\jvvpj.exe107⤵PID:3816
-
\??\c:\vdvpj.exec:\vdvpj.exe108⤵PID:4460
-
\??\c:\fllxxfl.exec:\fllxxfl.exe109⤵PID:3380
-
\??\c:\flffxrl.exec:\flffxrl.exe110⤵PID:220
-
\??\c:\5bbbbh.exec:\5bbbbh.exe111⤵PID:4560
-
\??\c:\vvpdv.exec:\vvpdv.exe112⤵PID:3220
-
\??\c:\djppv.exec:\djppv.exe113⤵PID:3200
-
\??\c:\fxxxfff.exec:\fxxxfff.exe114⤵PID:4456
-
\??\c:\5fxffff.exec:\5fxffff.exe115⤵PID:232
-
\??\c:\hhbttt.exec:\hhbttt.exe116⤵PID:3392
-
\??\c:\pdjdv.exec:\pdjdv.exe117⤵PID:2860
-
\??\c:\lfllxff.exec:\lfllxff.exe118⤵PID:2736
-
\??\c:\rllllfx.exec:\rllllfx.exe119⤵PID:1884
-
\??\c:\9hhbtt.exec:\9hhbtt.exe120⤵PID:904
-
\??\c:\tnhhtb.exec:\tnhhtb.exe121⤵PID:2296
-
\??\c:\ddpjd.exec:\ddpjd.exe122⤵PID:1928