Analysis
-
max time kernel
150s -
max time network
51s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system -
submitted
21-06-2024 05:39
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
fa86f0aa9203eb626eaede966c5ba14b67adbaec1bc6962b7daa7414e0db9709.exe
Resource
win7-20240508-en
6 signatures
150 seconds
General
-
Target
fa86f0aa9203eb626eaede966c5ba14b67adbaec1bc6962b7daa7414e0db9709.exe
-
Size
228KB
-
MD5
d28ec3ee6f43290613106abec5a95b26
-
SHA1
16fd5aef00e2e612903d50d8e06cc07831a11e6d
-
SHA256
fa86f0aa9203eb626eaede966c5ba14b67adbaec1bc6962b7daa7414e0db9709
-
SHA512
4beab6a2e6e60fbcc35424044eac9d3c698b284754cc5e02bdb23c04366c23d5693fcdcba22694cd9507e86b7febc1050f4f12d630261a820708a630cf58e5ca
-
SSDEEP
3072:ymb3NkkiQ3mdBjFo73PYP1lri3KoSV31x4xLn/c1J:n3C9BRo7MlrWKo+lxKk1J
Malware Config
Signatures
-
Detect Blackmoon payload 25 IoCs
Processes:
resource | yara_rule
behavioral2/memory/4280-4-0x0000000000400000-0x0000000000429000-memory.dmp | family_blackmoon
behavioral2/memory/2924-23-0x0000000000400000-0x0000000000429000-memory.dmp | family_blackmoon
behavioral2/memory/1064-30-0x0000000000400000-0x0000000000429000-memory.dmp | family_blackmoon
behavioral2/memory/3980-18-0x0000000000400000-0x0000000000429000-memory.dmp | family_blackmoon
behavioral2/memory/4320-11-0x0000000000400000-0x0000000000429000-memory.dmp | family_blackmoon
behavioral2/memory/1056-57-0x0000000000400000-0x0000000000429000-memory.dmp | family_blackmoon
behavioral2/memory/1732-67-0x0000000000400000-0x0000000000429000-memory.dmp | family_blackmoon
behavioral2/memory/4876-82-0x0000000000400000-0x0000000000429000-memory.dmp | family_blackmoon
behavioral2/memory/2668-88-0x0000000000400000-0x0000000000429000-memory.dmp | family_blackmoon
behavioral2/memory/4652-106-0x0000000000400000-0x0000000000429000-memory.dmp | family_blackmoon
behavioral2/memory/1176-112-0x0000000000400000-0x0000000000429000-memory.dmp | family_blackmoon
behavioral2/memory/4456-117-0x0000000000400000-0x0000000000429000-memory.dmp | family_blackmoon
behavioral2/memory/556-125-0x0000000000400000-0x0000000000429000-memory.dmp | family_blackmoon
behavioral2/memory/4484-154-0x0000000000400000-0x0000000000429000-memory.dmp | family_blackmoon
behavioral2/memory/3452-172-0x0000000000400000-0x0000000000429000-memory.dmp | family_blackmoon
behavioral2/memory/2928-208-0x0000000000400000-0x0000000000429000-memory.dmp | family_blackmoon
behavioral2/memory/4176-202-0x0000000000400000-0x0000000000429000-memory.dmp | family_blackmoon
behavioral2/memory/1324-192-0x0000000000400000-0x0000000000429000-memory.dmp | family_blackmoon
behavioral2/memory/788-184-0x0000000000400000-0x0000000000429000-memory.dmp | family_blackmoon
behavioral2/memory/4688-167-0x0000000000400000-0x0000000000429000-memory.dmp | family_blackmoon
behavioral2/memory/612-161-0x0000000000400000-0x0000000000429000-memory.dmp | family_blackmoon
behavioral2/memory/3176-151-0x0000000000400000-0x0000000000429000-memory.dmp | family_blackmoon
behavioral2/memory/4048-142-0x0000000000400000-0x0000000000429000-memory.dmp | family_blackmoon
behavioral2/memory/4016-137-0x0000000000400000-0x0000000000429000-memory.dmp | family_blackmoon
behavioral2/memory/4480-133-0x0000000000400000-0x0000000000429000-memory.dmp | family_blackmoon
-
UPX dump on OEP (original entry point) 32 IoCs
Processes:
resource | yara_rule
behavioral2/memory/4280-4-0x0000000000400000-0x0000000000429000-memory.dmp | UPX
behavioral2/memory/2924-23-0x0000000000400000-0x0000000000429000-memory.dmp | UPX
behavioral2/memory/1064-30-0x0000000000400000-0x0000000000429000-memory.dmp | UPX
behavioral2/memory/3980-18-0x0000000000400000-0x0000000000429000-memory.dmp | UPX
behavioral2/memory/4320-11-0x0000000000400000-0x0000000000429000-memory.dmp | UPX
behavioral2/memory/1056-52-0x0000000000400000-0x0000000000429000-memory.dmp | UPX
behavioral2/memory/1056-51-0x0000000000400000-0x0000000000429000-memory.dmp | UPX
behavioral2/memory/1056-57-0x0000000000400000-0x0000000000429000-memory.dmp | UPX
behavioral2/memory/1732-61-0x0000000000400000-0x0000000000429000-memory.dmp | UPX
behavioral2/memory/1732-60-0x0000000000400000-0x0000000000429000-memory.dmp | UPX
behavioral2/memory/1732-67-0x0000000000400000-0x0000000000429000-memory.dmp | UPX
behavioral2/memory/4876-82-0x0000000000400000-0x0000000000429000-memory.dmp | UPX
behavioral2/memory/4876-77-0x0000000000400000-0x0000000000429000-memory.dmp | UPX
behavioral2/memory/4876-76-0x0000000000400000-0x0000000000429000-memory.dmp | UPX
behavioral2/memory/4876-75-0x0000000000400000-0x0000000000429000-memory.dmp | UPX
behavioral2/memory/2668-88-0x0000000000400000-0x0000000000429000-memory.dmp | UPX
behavioral2/memory/4652-106-0x0000000000400000-0x0000000000429000-memory.dmp | UPX
behavioral2/memory/1176-112-0x0000000000400000-0x0000000000429000-memory.dmp | UPX
behavioral2/memory/4456-117-0x0000000000400000-0x0000000000429000-memory.dmp | UPX
behavioral2/memory/556-125-0x0000000000400000-0x0000000000429000-memory.dmp | UPX
behavioral2/memory/4484-154-0x0000000000400000-0x0000000000429000-memory.dmp | UPX
behavioral2/memory/3452-172-0x0000000000400000-0x0000000000429000-memory.dmp | UPX
behavioral2/memory/2928-208-0x0000000000400000-0x0000000000429000-memory.dmp | UPX
behavioral2/memory/4176-202-0x0000000000400000-0x0000000000429000-memory.dmp | UPX
behavioral2/memory/1324-192-0x0000000000400000-0x0000000000429000-memory.dmp | UPX
behavioral2/memory/788-184-0x0000000000400000-0x0000000000429000-memory.dmp | UPX
behavioral2/memory/4688-167-0x0000000000400000-0x0000000000429000-memory.dmp | UPX
behavioral2/memory/612-161-0x0000000000400000-0x0000000000429000-memory.dmp | UPX
behavioral2/memory/3176-151-0x0000000000400000-0x0000000000429000-memory.dmp | UPX
behavioral2/memory/4048-142-0x0000000000400000-0x0000000000429000-memory.dmp | UPX
behavioral2/memory/4016-137-0x0000000000400000-0x0000000000429000-memory.dmp | UPX
behavioral2/memory/4480-133-0x0000000000400000-0x0000000000429000-memory.dmp | UPX
-
Executes dropped EXE 64 IoCs
Processes:
xflrlfl.exe, nhhbtn.exe, 9pjdd.exe, rrrrrrr.exe, xrfxxxx.exe, pjjdv.exe, 7xllffl.exe, 9frlflx.exe, jpppj.exe, xxxxxff.exe, frfffff.exe, nbtttt.exe, jdppv.exe, rrflflf.exe, hbhnhn.exe, 9jvvv.exe, dvddd.exe, rlrlflf.exe, bbtbbh.exe, vjpvd.exe, 3jvvp.exe, 9rrllll.exe, hbnhbb.exe, 3bhttb.exe, vpddp.exe, 5xrlllf.exe, nhbbtt.exe, pvddp.exe, rlrrlll.exe, fxflfxx.exe, tbnnnt.exe, 1jddd.exe, vjppd.exe, rlfffrr.exe, 9lrllrr.exe, bbhbnh.exe, tbnnnh.exe, vdjjj.exe, ffxxxxx.exe, ffrrxff.exe, 7hbbbn.exe, ppjvv.exe, ddppp.exe, lxllrff.exe, xlfrxxx.exe, nhhhnn.exe, 9hbhth.exe, 7vvvd.exe, pvvvv.exe, xxlflll.exe, flrlrrr.exe, bbbbbh.exe, jdjjd.exe, 7ffxfff.exe, rlxrrrx.exe, bbnhhh.exe, ppjjd.exe, 9jppp.exe, 9xfrrrl.exe, tbbbth.exe, jjppj.exe, 9ppjj.exe, xfxlrrr.exe, tbbbtt.exe
pid | process
4320 | xflrlfl.exe
3980 | nhhbtn.exe
2924 | 9pjdd.exe
1064 | rrrrrrr.exe
2464 | xrfxxxx.exe
1728 | pjjdv.exe
1056 | 7xllffl.exe
1732 | 9frlflx.exe
2304 | jpppj.exe
4876 | xxxxxff.exe
2668 | frfffff.exe
8 | nbtttt.exe
2400 | jdppv.exe
4652 | rrflflf.exe
1176 | hbhnhn.exe
4456 | 9jvvv.exe
556 | dvddd.exe
4480 | rlrlflf.exe
4016 | bbtbbh.exe
4048 | vjpvd.exe
3176 | 3jvvp.exe
4484 | 9rrllll.exe
612 | hbnhbb.exe
4688 | 3bhttb.exe
3452 | vpddp.exe
1680 | 5xrlllf.exe
788 | nhbbtt.exe
1324 | pvddp.exe
780 | rlrrlll.exe
4176 | fxflfxx.exe
2928 | tbnnnt.exe
4332 | 1jddd.exe
3928 | vjppd.exe
2100 | rlfffrr.exe
4388 | 9lrllrr.exe
3104 | bbhbnh.exe
4432 | tbnnnh.exe
1900 | vdjjj.exe
1724 | ffxxxxx.exe
3612 | ffrrxff.exe
1360 | 7hbbbn.exe
1712 | ppjvv.exe
1120 | ddppp.exe
1304 | lxllrff.exe
1132 | xlfrxxx.exe
2876 | nhhhnn.exe
1584 | 9hbhth.exe
2488 | 7vvvd.exe
1540 | pvvvv.exe
1436 | xxlflll.exe
4968 | flrlrrr.exe
4180 | bbbbbh.exe
2212 | jdjjd.exe
2912 | 7ffxfff.exe
4876 | rlxrrrx.exe
2744 | bbnhhh.exe
1836 | ppjjd.exe
3828 | 9jppp.exe
8 | 9xfrrrl.exe
4356 | tbbbth.exe
1864 | jjppj.exe
4928 | 9ppjj.exe
2328 | xfxlrrr.exe
2344 | tbbbtt.exe
-
Processes:
resource | yara_rule
behavioral2/memory/4280-4-0x0000000000400000-0x0000000000429000-memory.dmp | upx
behavioral2/memory/2924-23-0x0000000000400000-0x0000000000429000-memory.dmp | upx
behavioral2/memory/1064-30-0x0000000000400000-0x0000000000429000-memory.dmp | upx
behavioral2/memory/3980-18-0x0000000000400000-0x0000000000429000-memory.dmp | upx
behavioral2/memory/4320-11-0x0000000000400000-0x0000000000429000-memory.dmp | upx
behavioral2/memory/1056-52-0x0000000000400000-0x0000000000429000-memory.dmp | upx
behavioral2/memory/1056-51-0x0000000000400000-0x0000000000429000-memory.dmp | upx
behavioral2/memory/1056-57-0x0000000000400000-0x0000000000429000-memory.dmp | upx
behavioral2/memory/1732-61-0x0000000000400000-0x0000000000429000-memory.dmp | upx
behavioral2/memory/1732-60-0x0000000000400000-0x0000000000429000-memory.dmp | upx
behavioral2/memory/1732-67-0x0000000000400000-0x0000000000429000-memory.dmp | upx
behavioral2/memory/4876-82-0x0000000000400000-0x0000000000429000-memory.dmp | upx
behavioral2/memory/4876-77-0x0000000000400000-0x0000000000429000-memory.dmp | upx
behavioral2/memory/4876-76-0x0000000000400000-0x0000000000429000-memory.dmp | upx
behavioral2/memory/4876-75-0x0000000000400000-0x0000000000429000-memory.dmp | upx
behavioral2/memory/2668-88-0x0000000000400000-0x0000000000429000-memory.dmp | upx
behavioral2/memory/4652-106-0x0000000000400000-0x0000000000429000-memory.dmp | upx
behavioral2/memory/1176-112-0x0000000000400000-0x0000000000429000-memory.dmp | upx
behavioral2/memory/4456-117-0x0000000000400000-0x0000000000429000-memory.dmp | upx
behavioral2/memory/556-125-0x0000000000400000-0x0000000000429000-memory.dmp | upx
behavioral2/memory/4484-154-0x0000000000400000-0x0000000000429000-memory.dmp | upx
behavioral2/memory/3452-172-0x0000000000400000-0x0000000000429000-memory.dmp | upx
behavioral2/memory/2928-208-0x0000000000400000-0x0000000000429000-memory.dmp | upx
behavioral2/memory/4176-202-0x0000000000400000-0x0000000000429000-memory.dmp | upx
behavioral2/memory/1324-192-0x0000000000400000-0x0000000000429000-memory.dmp | upx
behavioral2/memory/788-184-0x0000000000400000-0x0000000000429000-memory.dmp | upx
behavioral2/memory/4688-167-0x0000000000400000-0x0000000000429000-memory.dmp | upx
behavioral2/memory/612-161-0x0000000000400000-0x0000000000429000-memory.dmp | upx
behavioral2/memory/3176-151-0x0000000000400000-0x0000000000429000-memory.dmp | upx
behavioral2/memory/4048-142-0x0000000000400000-0x0000000000429000-memory.dmp | upx
behavioral2/memory/4016-137-0x0000000000400000-0x0000000000429000-memory.dmp | upx
behavioral2/memory/4480-133-0x0000000000400000-0x0000000000429000-memory.dmp | upx
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
fa86f0aa9203eb626eaede966c5ba14b67adbaec1bc6962b7daa7414e0db9709.exe, xflrlfl.exe, nhhbtn.exe, 9pjdd.exe, rrrrrrr.exe, xrfxxxx.exe, pjjdv.exe, 7xllffl.exe, 9frlflx.exe, jpppj.exe, xxxxxff.exe, frfffff.exe, nbtttt.exe, jdppv.exe, rrflflf.exe, hbhnhn.exe, 9jvvv.exe, dvddd.exe, rlrlflf.exe, bbtbbh.exe, vjpvd.exe, 3jvvp.exe
description | pid | process | target process
PID 4280 wrote to memory of 4320 | 4280 | fa86f0aa9203eb626eaede966c5ba14b67adbaec1bc6962b7daa7414e0db9709.exe | xflrlfl.exe
PID 4280 wrote to memory of 4320 | 4280 | fa86f0aa9203eb626eaede966c5ba14b67adbaec1bc6962b7daa7414e0db9709.exe | xflrlfl.exe
PID 4280 wrote to memory of 4320 | 4280 | fa86f0aa9203eb626eaede966c5ba14b67adbaec1bc6962b7daa7414e0db9709.exe | xflrlfl.exe
PID 4320 wrote to memory of 3980 | 4320 | xflrlfl.exe | nhhbtn.exe
PID 4320 wrote to memory of 3980 | 4320 | xflrlfl.exe | nhhbtn.exe
PID 4320 wrote to memory of 3980 | 4320 | xflrlfl.exe | nhhbtn.exe
PID 3980 wrote to memory of 2924 | 3980 | nhhbtn.exe | 9pjdd.exe
PID 3980 wrote to memory of 2924 | 3980 | nhhbtn.exe | 9pjdd.exe
PID 3980 wrote to memory of 2924 | 3980 | nhhbtn.exe | 9pjdd.exe
PID 2924 wrote to memory of 1064 | 2924 | 9pjdd.exe | rrrrrrr.exe
PID 2924 wrote to memory of 1064 | 2924 | 9pjdd.exe | rrrrrrr.exe
PID 2924 wrote to memory of 1064 | 2924 | 9pjdd.exe | rrrrrrr.exe
PID 1064 wrote to memory of 2464 | 1064 | rrrrrrr.exe | xrfxxxx.exe
PID 1064 wrote to memory of 2464 | 1064 | rrrrrrr.exe | xrfxxxx.exe
PID 1064 wrote to memory of 2464 | 1064 | rrrrrrr.exe | xrfxxxx.exe
PID 2464 wrote to memory of 1728 | 2464 | xrfxxxx.exe | pjjdv.exe
PID 2464 wrote to memory of 1728 | 2464 | xrfxxxx.exe | pjjdv.exe
PID 2464 wrote to memory of 1728 | 2464 | xrfxxxx.exe | pjjdv.exe
PID 1728 wrote to memory of 1056 | 1728 | pjjdv.exe | 7xllffl.exe
PID 1728 wrote to memory of 1056 | 1728 | pjjdv.exe | 7xllffl.exe
PID 1728 wrote to memory of 1056 | 1728 | pjjdv.exe | 7xllffl.exe
PID 1056 wrote to memory of 1732 | 1056 | 7xllffl.exe | 9frlflx.exe
PID 1056 wrote to memory of 1732 | 1056 | 7xllffl.exe | 9frlflx.exe
PID 1056 wrote to memory of 1732 | 1056 | 7xllffl.exe | 9frlflx.exe
PID 1732 wrote to memory of 2304 | 1732 | 9frlflx.exe | jpppj.exe
PID 1732 wrote to memory of 2304 | 1732 | 9frlflx.exe | jpppj.exe
PID 1732 wrote to memory of 2304 | 1732 | 9frlflx.exe | jpppj.exe
PID 2304 wrote to memory of 4876 | 2304 | jpppj.exe | rlxrrrx.exe
PID 2304 wrote to memory of 4876 | 2304 | jpppj.exe | rlxrrrx.exe
PID 2304 wrote to memory of 4876 | 2304 | jpppj.exe | rlxrrrx.exe
PID 4876 wrote to memory of 2668 | 4876 | xxxxxff.exe | frfffff.exe
PID 4876 wrote to memory of 2668 | 4876 | xxxxxff.exe | frfffff.exe
PID 4876 wrote to memory of 2668 | 4876 | xxxxxff.exe | frfffff.exe
PID 2668 wrote to memory of 8 | 2668 | frfffff.exe | 9xfrrrl.exe
PID 2668 wrote to memory of 8 | 2668 | frfffff.exe | 9xfrrrl.exe
PID 2668 wrote to memory of 8 | 2668 | frfffff.exe | 9xfrrrl.exe
PID 8 wrote to memory of 2400 | 8 | nbtttt.exe | jdppv.exe
PID 8 wrote to memory of 2400 | 8 | nbtttt.exe | jdppv.exe
PID 8 wrote to memory of 2400 | 8 | nbtttt.exe | jdppv.exe
PID 2400 wrote to memory of 4652 | 2400 | jdppv.exe | rrflflf.exe
PID 2400 wrote to memory of 4652 | 2400 | jdppv.exe | rrflflf.exe
PID 2400 wrote to memory of 4652 | 2400 | jdppv.exe | rrflflf.exe
PID 4652 wrote to memory of 1176 | 4652 | rrflflf.exe | hbhnhn.exe
PID 4652 wrote to memory of 1176 | 4652 | rrflflf.exe | hbhnhn.exe
PID 4652 wrote to memory of 1176 | 4652 | rrflflf.exe | hbhnhn.exe
PID 1176 wrote to memory of 4456 | 1176 | hbhnhn.exe | 9jvvv.exe
PID 1176 wrote to memory of 4456 | 1176 | hbhnhn.exe | 9jvvv.exe
PID 1176 wrote to memory of 4456 | 1176 | hbhnhn.exe | 9jvvv.exe
PID 4456 wrote to memory of 556 | 4456 | 9jvvv.exe | dvddd.exe
PID 4456 wrote to memory of 556 | 4456 | 9jvvv.exe | dvddd.exe
PID 4456 wrote to memory of 556 | 4456 | 9jvvv.exe | dvddd.exe
PID 556 wrote to memory of 4480 | 556 | dvddd.exe | rlrlflf.exe
PID 556 wrote to memory of 4480 | 556 | dvddd.exe | rlrlflf.exe
PID 556 wrote to memory of 4480 | 556 | dvddd.exe | rlrlflf.exe
PID 4480 wrote to memory of 4016 | 4480 | rlrlflf.exe | bbtbbh.exe
PID 4480 wrote to memory of 4016 | 4480 | rlrlflf.exe | bbtbbh.exe
PID 4480 wrote to memory of 4016 | 4480 | rlrlflf.exe | bbtbbh.exe
PID 4016 wrote to memory of 4048 | 4016 | bbtbbh.exe | flrrrrr.exe
PID 4016 wrote to memory of 4048 | 4016 | bbtbbh.exe | flrrrrr.exe
PID 4016 wrote to memory of 4048 | 4016 | bbtbbh.exe | flrrrrr.exe
PID 4048 wrote to memory of 3176 | 4048 | vjpvd.exe | 3jvvp.exe
PID 4048 wrote to memory of 3176 | 4048 | vjpvd.exe | 3jvvp.exe
PID 4048 wrote to memory of 3176 | 4048 | vjpvd.exe | 3jvvp.exe
PID 3176 wrote to memory of 4484 | 3176 | 3jvvp.exe | hbnttb.exe
Note: PIDs 4876, 8, 4048 and 4484 each appear twice in this run (see the process tree below). In the rows that target them, the target-process column shows the later image name (rlxrrrx.exe, 9xfrrrl.exe, flrrrrr.exe, hbnttb.exe) rather than the process at that depth of the chain (xxxxxff.exe, nbtttt.exe, vjpvd.exe, 9rrllll.exe). When correlating these events, key on the PID together with its position in the chain, not on the image name alone.
Processes
-
C:\Users\Admin\AppData\Local\Temp\fa86f0aa9203eb626eaede966c5ba14b67adbaec1bc6962b7daa7414e0db9709.exe"C:\Users\Admin\AppData\Local\Temp\fa86f0aa9203eb626eaede966c5ba14b67adbaec1bc6962b7daa7414e0db9709.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4280 -
\??\c:\xflrlfl.exec:\xflrlfl.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4320 -
\??\c:\nhhbtn.exec:\nhhbtn.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3980 -
\??\c:\9pjdd.exec:\9pjdd.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2924 -
\??\c:\rrrrrrr.exec:\rrrrrrr.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1064 -
\??\c:\xrfxxxx.exec:\xrfxxxx.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2464 -
\??\c:\pjjdv.exec:\pjjdv.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1728 -
\??\c:\7xllffl.exec:\7xllffl.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1056 -
\??\c:\9frlflx.exec:\9frlflx.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1732 -
\??\c:\jpppj.exec:\jpppj.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2304 -
\??\c:\xxxxxff.exec:\xxxxxff.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4876 -
\??\c:\frfffff.exec:\frfffff.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2668 -
\??\c:\nbtttt.exec:\nbtttt.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:8 -
\??\c:\jdppv.exec:\jdppv.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2400 -
\??\c:\rrflflf.exec:\rrflflf.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4652 -
\??\c:\hbhnhn.exec:\hbhnhn.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1176 -
\??\c:\9jvvv.exec:\9jvvv.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4456 -
\??\c:\dvddd.exec:\dvddd.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:556 -
\??\c:\rlrlflf.exec:\rlrlflf.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4480 -
\??\c:\bbtbbh.exec:\bbtbbh.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4016 -
\??\c:\vjpvd.exec:\vjpvd.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4048 -
\??\c:\3jvvp.exec:\3jvvp.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3176 -
\??\c:\9rrllll.exec:\9rrllll.exe23⤵
- Executes dropped EXE
PID:4484 -
\??\c:\hbnhbb.exec:\hbnhbb.exe24⤵
- Executes dropped EXE
PID:612 -
\??\c:\3bhttb.exec:\3bhttb.exe25⤵
- Executes dropped EXE
PID:4688 -
\??\c:\vpddp.exec:\vpddp.exe26⤵
- Executes dropped EXE
PID:3452 -
\??\c:\5xrlllf.exec:\5xrlllf.exe27⤵
- Executes dropped EXE
PID:1680 -
\??\c:\nhbbtt.exec:\nhbbtt.exe28⤵
- Executes dropped EXE
PID:788 -
\??\c:\pvddp.exec:\pvddp.exe29⤵
- Executes dropped EXE
PID:1324 -
\??\c:\rlrrlll.exec:\rlrrlll.exe30⤵
- Executes dropped EXE
PID:780 -
\??\c:\fxflfxx.exec:\fxflfxx.exe31⤵
- Executes dropped EXE
PID:4176 -
\??\c:\tbnnnt.exec:\tbnnnt.exe32⤵
- Executes dropped EXE
PID:2928 -
\??\c:\1jddd.exec:\1jddd.exe33⤵
- Executes dropped EXE
PID:4332 -
\??\c:\vjppd.exec:\vjppd.exe34⤵
- Executes dropped EXE
PID:3928 -
\??\c:\rlfffrr.exec:\rlfffrr.exe35⤵
- Executes dropped EXE
PID:2100 -
\??\c:\9lrllrr.exec:\9lrllrr.exe36⤵
- Executes dropped EXE
PID:4388 -
\??\c:\bbhbnh.exec:\bbhbnh.exe37⤵
- Executes dropped EXE
PID:3104 -
\??\c:\tbnnnh.exec:\tbnnnh.exe38⤵
- Executes dropped EXE
PID:4432 -
\??\c:\vdjjj.exec:\vdjjj.exe39⤵
- Executes dropped EXE
PID:1900 -
\??\c:\ffxxxxx.exec:\ffxxxxx.exe40⤵
- Executes dropped EXE
PID:1724 -
\??\c:\ffrrxff.exec:\ffrrxff.exe41⤵
- Executes dropped EXE
PID:3612 -
\??\c:\bhhhhh.exec:\bhhhhh.exe42⤵PID:4488
-
\??\c:\7hbbbn.exec:\7hbbbn.exe43⤵
- Executes dropped EXE
PID:1360 -
\??\c:\ppjvv.exec:\ppjvv.exe44⤵
- Executes dropped EXE
PID:1712 -
\??\c:\ddppp.exec:\ddppp.exe45⤵
- Executes dropped EXE
PID:1120 -
\??\c:\lxllrff.exec:\lxllrff.exe46⤵
- Executes dropped EXE
PID:1304 -
\??\c:\xlfrxxx.exec:\xlfrxxx.exe47⤵
- Executes dropped EXE
PID:1132 -
\??\c:\nhhhnn.exec:\nhhhnn.exe48⤵
- Executes dropped EXE
PID:2876 -
\??\c:\9hbhth.exec:\9hbhth.exe49⤵
- Executes dropped EXE
PID:1584 -
\??\c:\7vvvd.exec:\7vvvd.exe50⤵
- Executes dropped EXE
PID:2488 -
\??\c:\pvvvv.exec:\pvvvv.exe51⤵
- Executes dropped EXE
PID:1540 -
\??\c:\xxlflll.exec:\xxlflll.exe52⤵
- Executes dropped EXE
PID:1436 -
\??\c:\flrlrrr.exec:\flrlrrr.exe53⤵
- Executes dropped EXE
PID:4968 -
\??\c:\bbbbbh.exec:\bbbbbh.exe54⤵
- Executes dropped EXE
PID:4180 -
\??\c:\jdjjd.exec:\jdjjd.exe55⤵
- Executes dropped EXE
PID:2212 -
\??\c:\7ffxfff.exec:\7ffxfff.exe56⤵
- Executes dropped EXE
PID:2912 -
\??\c:\rlxrrrx.exec:\rlxrrrx.exe57⤵
- Executes dropped EXE
PID:4876 -
\??\c:\bbnhhh.exec:\bbnhhh.exe58⤵
- Executes dropped EXE
PID:2744 -
\??\c:\ppjjd.exec:\ppjjd.exe59⤵
- Executes dropped EXE
PID:1836 -
\??\c:\9jppp.exec:\9jppp.exe60⤵
- Executes dropped EXE
PID:3828 -
\??\c:\9xfrrrl.exec:\9xfrrrl.exe61⤵
- Executes dropped EXE
PID:8 -
\??\c:\tbbbth.exec:\tbbbth.exe62⤵
- Executes dropped EXE
PID:4356 -
\??\c:\jjppj.exec:\jjppj.exe63⤵
- Executes dropped EXE
PID:1864 -
\??\c:\9ppjj.exec:\9ppjj.exe64⤵
- Executes dropped EXE
PID:4928 -
\??\c:\xfxlrrr.exec:\xfxlrrr.exe65⤵
- Executes dropped EXE
PID:2328 -
\??\c:\tbbbtt.exec:\tbbbtt.exe66⤵
- Executes dropped EXE
PID:2344 -
\??\c:\9ddvj.exec:\9ddvj.exe67⤵PID:3096
-
\??\c:\pdddj.exec:\pdddj.exe68⤵PID:4692
-
\??\c:\flrrxfx.exec:\flrrxfx.exe69⤵PID:4336
-
\??\c:\flrrrrr.exec:\flrrrrr.exe70⤵PID:4048
-
\??\c:\tntnnn.exec:\tntnnn.exe71⤵PID:892
-
\??\c:\hbnttb.exec:\hbnttb.exe72⤵PID:4484
-
\??\c:\ppppp.exec:\ppppp.exe73⤵PID:4544
-
\??\c:\rflflfl.exec:\rflflfl.exe74⤵PID:3068
-
\??\c:\lrxrrrr.exec:\lrxrrrr.exe75⤵PID:4980
-
\??\c:\3btttb.exec:\3btttb.exe76⤵PID:3412
-
\??\c:\bhnntb.exec:\bhnntb.exe77⤵PID:2684
-
\??\c:\vpvvv.exec:\vpvvv.exe78⤵PID:3388
-
\??\c:\pdjjj.exec:\pdjjj.exe79⤵PID:2616
-
\??\c:\9llllrr.exec:\9llllrr.exe80⤵PID:4176
-
\??\c:\xffxlrx.exec:\xffxlrx.exe81⤵PID:2300
-
\??\c:\nhbhnb.exec:\nhbhnb.exe82⤵PID:2392
-
\??\c:\hhnhbn.exec:\hhnhbn.exe83⤵PID:4168
-
\??\c:\pjvvp.exec:\pjvvp.exe84⤵PID:820
-
\??\c:\rlrlfff.exec:\rlrlfff.exe85⤵PID:2592
-
\??\c:\lflfffx.exec:\lflfffx.exe86⤵PID:2656
-
\??\c:\hnttbb.exec:\hnttbb.exe87⤵PID:1496
-
\??\c:\jpjdv.exec:\jpjdv.exe88⤵PID:4432
-
\??\c:\rlrllxf.exec:\rlrllxf.exe89⤵PID:2348
-
\??\c:\hhhhhh.exec:\hhhhhh.exe90⤵PID:4436
-
\??\c:\bthbhh.exec:\bthbhh.exe91⤵PID:4424
-
\??\c:\jvddv.exec:\jvddv.exe92⤵PID:1368
-
\??\c:\llrlfrr.exec:\llrlfrr.exe93⤵PID:2800
-
\??\c:\tbttnn.exec:\tbttnn.exe94⤵PID:3236
-
\??\c:\fxlffxr.exec:\fxlffxr.exe95⤵PID:3172
-
\??\c:\pvddv.exec:\pvddv.exe96⤵PID:4640
-
\??\c:\nhttnb.exec:\nhttnb.exe97⤵PID:1064
-
\??\c:\7pvvv.exec:\7pvvv.exe98⤵PID:1572
-
\??\c:\5ffxrrr.exec:\5ffxrrr.exe99⤵PID:3044
-
\??\c:\bnttnn.exec:\bnttnn.exe100⤵PID:3892
-
\??\c:\llxrlfr.exec:\llxrlfr.exe101⤵PID:4532
-
\??\c:\7ttnnh.exec:\7ttnnh.exe102⤵PID:3024
-
\??\c:\fxfxrlf.exec:\fxfxrlf.exe103⤵PID:3196
-
\??\c:\1thhnt.exec:\1thhnt.exe104⤵PID:2004
-
\??\c:\vpvpj.exec:\vpvpj.exe105⤵PID:4528
-
\??\c:\flrrllr.exec:\flrrllr.exe106⤵PID:1488
-
\??\c:\rrrrrxr.exec:\rrrrrxr.exe107⤵PID:3692
-
\??\c:\ppvjd.exec:\ppvjd.exe108⤵PID:2472
-
\??\c:\1lxxrxx.exec:\1lxxrxx.exe109⤵PID:1028
-
\??\c:\tthbtt.exec:\tthbtt.exe110⤵PID:5080
-
\??\c:\pvvdv.exec:\pvvdv.exe111⤵PID:3916
-
\??\c:\3bhntt.exec:\3bhntt.exe112⤵PID:1196
-
\??\c:\lllfffx.exec:\lllfffx.exe113⤵PID:4652
-
\??\c:\9jjvp.exec:\9jjvp.exe114⤵PID:4080
-
\??\c:\3nhhtt.exec:\3nhhtt.exe115⤵PID:4828
-
\??\c:\xxlfxxr.exec:\xxlfxxr.exe116⤵PID:2396
-
\??\c:\hbbthh.exec:\hbbthh.exe117⤵PID:2536
-
\??\c:\jdvpj.exec:\jdvpj.exe118⤵PID:4456
-
\??\c:\jdppd.exec:\jdppd.exe119⤵PID:4016
-
\??\c:\xxrrrrr.exec:\xxrrrrr.exe120⤵PID:3056
-
\??\c:\btthbt.exec:\btthbt.exe121⤵PID:4880
-
\??\c:\ttnbtb.exec:\ttnbtb.exe122⤵PID:3684
-