Analysis
-
max time kernel
150s -
max time network
124s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
arch:x64 arch:x86 image:win7-20240508-en locale:en-us os:windows7-x64 system -
submitted
18/05/2024, 01:22
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
a38e099c3e8f0227566f9aecc9453cc4992f3dc77e008e3a038b732e04b753fd.exe
Resource
win7-20240508-en
6 signatures
150 seconds
General
-
Target
a38e099c3e8f0227566f9aecc9453cc4992f3dc77e008e3a038b732e04b753fd.exe
-
Size
78KB
-
MD5
6b929fe3b72c06b0b38e4a10180bd77c
-
SHA1
c878b7eadc3ca7cea0bad6703203a951fa4ed87b
-
SHA256
a38e099c3e8f0227566f9aecc9453cc4992f3dc77e008e3a038b732e04b753fd
-
SHA512
cc0ae527a0f1f47ac687caa925b0963f60de610c886c8e285e9bc75fa88bc226224111131183376126e24a9cb5f4fb5530805cc43928814c299a54392f6f7950
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDIYgC/KSLJEd2aQ:ymb3NkkiQ3mdBjFI3eFC/Q
Malware Config
Signatures
-
Detect Blackmoon payload 24 IoCs
UPX dump on OEP (original entry point) 30 IoCs
Executes dropped EXE 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\a38e099c3e8f0227566f9aecc9453cc4992f3dc77e008e3a038b732e04b753fd.exe"C:\Users\Admin\AppData\Local\Temp\a38e099c3e8f0227566f9aecc9453cc4992f3dc77e008e3a038b732e04b753fd.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2180 -
\??\c:\5xxlrfl.exec:\5xxlrfl.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2968 -
\??\c:\nhtbnt.exec:\nhtbnt.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2892 -
\??\c:\hbnnbb.exec:\hbnnbb.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2664 -
\??\c:\5fxflfr.exec:\5fxflfr.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2668 -
\??\c:\pdpjp.exec:\pdpjp.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2784 -
\??\c:\7xlfxlx.exec:\7xlfxlx.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2692 -
\??\c:\bbhbtt.exec:\bbhbtt.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:796 -
\??\c:\hhbnhn.exec:\hhbnhn.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2072 -
\??\c:\ddddj.exec:\ddddj.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1728 -
\??\c:\lxrxxfr.exec:\lxrxxfr.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2884 -
\??\c:\1rlflrx.exec:\1rlflrx.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2980 -
\??\c:\nhhthn.exec:\nhhthn.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1736 -
\??\c:\pppjp.exec:\pppjp.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2236 -
\??\c:\3vvpv.exec:\3vvpv.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1252 -
\??\c:\ffxfxxl.exec:\ffxfxxl.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1584 -
\??\c:\9bbbnb.exec:\9bbbnb.exe17⤵
- Executes dropped EXE
PID:2836 -
\??\c:\dvpdv.exec:\dvpdv.exe18⤵
- Executes dropped EXE
PID:1304 -
\??\c:\ddvjp.exec:\ddvjp.exe19⤵
- Executes dropped EXE
PID:1220 -
\??\c:\xffxxfx.exec:\xffxxfx.exe20⤵
- Executes dropped EXE
PID:2724 -
\??\c:\thhbtn.exec:\thhbtn.exe21⤵
- Executes dropped EXE
PID:2104 -
\??\c:\5jpjj.exec:\5jpjj.exe22⤵
- Executes dropped EXE
PID:2092 -
\??\c:\7djvd.exec:\7djvd.exe23⤵
- Executes dropped EXE
PID:476 -
\??\c:\fffxrrf.exec:\fffxrrf.exe24⤵
- Executes dropped EXE
PID:1484 -
\??\c:\bbttnt.exec:\bbttnt.exe25⤵
- Executes dropped EXE
PID:1132 -
\??\c:\pjvvp.exec:\pjvvp.exe26⤵
- Executes dropped EXE
PID:1776 -
\??\c:\ddpvj.exec:\ddpvj.exe27⤵
- Executes dropped EXE
PID:468 -
\??\c:\bbtnbn.exec:\bbtnbn.exe28⤵
- Executes dropped EXE
PID:1820 -
\??\c:\hhhtnt.exec:\hhhtnt.exe29⤵
- Executes dropped EXE
PID:864 -
\??\c:\1vpvp.exec:\1vpvp.exe30⤵
- Executes dropped EXE
PID:2060 -
\??\c:\ffflxfx.exec:\ffflxfx.exe31⤵
- Executes dropped EXE
PID:2348 -
\??\c:\3nnbnt.exec:\3nnbnt.exe32⤵
- Executes dropped EXE
PID:1496 -
\??\c:\vppvp.exec:\vppvp.exe33⤵
- Executes dropped EXE
PID:1732 -
\??\c:\xrlrllf.exec:\xrlrllf.exe34⤵
- Executes dropped EXE
PID:848 -
\??\c:\xxlxlxr.exec:\xxlxlxr.exe35⤵
- Executes dropped EXE
PID:1800 -
\??\c:\hnbhbh.exec:\hnbhbh.exe36⤵
- Executes dropped EXE
PID:2972 -
\??\c:\vjjjd.exec:\vjjjd.exe37⤵
- Executes dropped EXE
PID:3060 -
\??\c:\9vdjj.exec:\9vdjj.exe38⤵
- Executes dropped EXE
PID:2756 -
\??\c:\rfxxrrx.exec:\rfxxrrx.exe39⤵
- Executes dropped EXE
PID:2780 -
\??\c:\nnhtth.exec:\nnhtth.exe40⤵
- Executes dropped EXE
PID:2664 -
\??\c:\bnhnbh.exec:\bnhnbh.exe41⤵
- Executes dropped EXE
PID:2552 -
\??\c:\5jjpd.exec:\5jjpd.exe42⤵
- Executes dropped EXE
PID:2544 -
\??\c:\ffxrflr.exec:\ffxrflr.exe43⤵
- Executes dropped EXE
PID:2572 -
\??\c:\ffrxflf.exec:\ffrxflf.exe44⤵
- Executes dropped EXE
PID:2512 -
\??\c:\nnnnnt.exec:\nnnnnt.exe45⤵
- Executes dropped EXE
PID:2688 -
\??\c:\jjvdp.exec:\jjvdp.exe46⤵
- Executes dropped EXE
PID:2472 -
\??\c:\jjdpp.exec:\jjdpp.exe47⤵
- Executes dropped EXE
PID:1616 -
\??\c:\9lrllll.exec:\9lrllll.exe48⤵
- Executes dropped EXE
PID:1728 -
\??\c:\7lxfffl.exec:\7lxfffl.exe49⤵
- Executes dropped EXE
PID:2964 -
\??\c:\btntbn.exec:\btntbn.exe50⤵
- Executes dropped EXE
PID:548 -
\??\c:\nhnbbh.exec:\nhnbbh.exe51⤵
- Executes dropped EXE
PID:2280 -
\??\c:\djvvv.exec:\djvvv.exe52⤵
- Executes dropped EXE
PID:2576 -
\??\c:\5ppjj.exec:\5ppjj.exe53⤵
- Executes dropped EXE
PID:2236 -
\??\c:\xrllffr.exec:\xrllffr.exe54⤵
- Executes dropped EXE
PID:1668 -
\??\c:\9xflrff.exec:\9xflrff.exe55⤵
- Executes dropped EXE
PID:2356 -
\??\c:\tnttbh.exec:\tnttbh.exe56⤵
- Executes dropped EXE
PID:2024 -
\??\c:\pjpdj.exec:\pjpdj.exe57⤵
- Executes dropped EXE
PID:1388 -
\??\c:\xrxllll.exec:\xrxllll.exe58⤵
- Executes dropped EXE
PID:2096 -
\??\c:\llrfffr.exec:\llrfffr.exe59⤵
- Executes dropped EXE
PID:2052 -
\??\c:\nhnbtb.exec:\nhnbtb.exe60⤵
- Executes dropped EXE
PID:1308 -
\??\c:\tthnnt.exec:\tthnnt.exe61⤵
- Executes dropped EXE
PID:2936 -
\??\c:\dvpdj.exec:\dvpdj.exe62⤵
- Executes dropped EXE
PID:320 -
\??\c:\jppdd.exec:\jppdd.exe63⤵
- Executes dropped EXE
PID:2084 -
\??\c:\fxrlrxf.exec:\fxrlrxf.exe64⤵
- Executes dropped EXE
PID:692 -
\??\c:\rxlflll.exec:\rxlflll.exe65⤵
- Executes dropped EXE
PID:1812 -
\??\c:\btbhbt.exec:\btbhbt.exe66⤵PID:2484
-
\??\c:\jdjvd.exec:\jdjvd.exe67⤵PID:1136
-
\??\c:\dvppp.exec:\dvppp.exe68⤵PID:1384
-
\??\c:\xrrflrl.exec:\xrrflrl.exe69⤵PID:684
-
\??\c:\lfrxllx.exec:\lfrxllx.exe70⤵PID:900
-
\??\c:\bbtnth.exec:\bbtnth.exe71⤵PID:2324
-
\??\c:\dvdpd.exec:\dvdpd.exe72⤵PID:1704
-
\??\c:\1pjvp.exec:\1pjvp.exe73⤵PID:1900
-
\??\c:\rfrxxrl.exec:\rfrxxrl.exe74⤵PID:2152
-
\??\c:\xrxfllr.exec:\xrxfllr.exe75⤵PID:1292
-
\??\c:\bbhnhn.exec:\bbhnhn.exe76⤵PID:1980
-
\??\c:\ttbttt.exec:\ttbttt.exe77⤵PID:2960
-
\??\c:\pjddj.exec:\pjddj.exe78⤵PID:3056
-
\??\c:\5dpjj.exec:\5dpjj.exe79⤵PID:1800
-
\??\c:\rlrlxfl.exec:\rlrlxfl.exe80⤵PID:2628
-
\??\c:\llfrxll.exec:\llfrxll.exe81⤵PID:2660
-
\??\c:\bntbnt.exec:\bntbnt.exe82⤵PID:2676
-
\??\c:\3nhbbb.exec:\3nhbbb.exe83⤵PID:2040
-
\??\c:\dvddd.exec:\dvddd.exe84⤵PID:2828
-
\??\c:\rlffllr.exec:\rlffllr.exe85⤵PID:2408
-
\??\c:\xxllxfl.exec:\xxllxfl.exe86⤵PID:2800
-
\??\c:\htnttt.exec:\htnttt.exe87⤵PID:2572
-
\??\c:\5bnnnt.exec:\5bnnnt.exe88⤵PID:2528
-
\??\c:\9vjvd.exec:\9vjvd.exe89⤵PID:2532
-
\??\c:\llxffll.exec:\llxffll.exe90⤵PID:2604
-
\??\c:\lfflrrx.exec:\lfflrrx.exe91⤵PID:2888
-
\??\c:\fxxfxxf.exec:\fxxfxxf.exe92⤵PID:2880
-
\??\c:\bbtbht.exec:\bbtbht.exe93⤵PID:3032
-
\??\c:\pjdjj.exec:\pjdjj.exe94⤵PID:1716
-
\??\c:\ddvvj.exec:\ddvvj.exe95⤵PID:2280
-
\??\c:\ffxfxlr.exec:\ffxfxlr.exe96⤵PID:2172
-
\??\c:\rlrlrxr.exec:\rlrlrxr.exe97⤵PID:2320
-
\??\c:\bnhbhn.exec:\bnhbhn.exe98⤵PID:2504
-
\??\c:\1thhhn.exec:\1thhhn.exe99⤵PID:620
-
\??\c:\ddppv.exec:\ddppv.exe100⤵PID:836
-
\??\c:\jdvpd.exec:\jdvpd.exe101⤵PID:1184
-
\??\c:\xrrflrx.exec:\xrrflrx.exe102⤵PID:1492
-
\??\c:\lffrfrr.exec:\lffrfrr.exe103⤵PID:2696
-
\??\c:\5thntb.exec:\5thntb.exe104⤵PID:2932
-
\??\c:\1bbhtt.exec:\1bbhtt.exe105⤵PID:532
-
\??\c:\3pjvj.exec:\3pjvj.exe106⤵PID:584
-
\??\c:\vdpjj.exec:\vdpjj.exe107⤵PID:1632
-
\??\c:\nhnthn.exec:\nhnthn.exe108⤵PID:1856
-
\??\c:\thhtht.exec:\thhtht.exe109⤵PID:708
-
\??\c:\pjvjj.exec:\pjvjj.exe110⤵PID:1776
-
\??\c:\vdppj.exec:\vdppj.exe111⤵PID:1864
-
\??\c:\rfxlrxr.exec:\rfxlrxr.exe112⤵PID:1384
-
\??\c:\llxrflr.exec:\llxrflr.exe113⤵PID:400
-
\??\c:\bthhbh.exec:\bthhbh.exe114⤵PID:1028
-
\??\c:\hhnhtb.exec:\hhnhtb.exe115⤵PID:272
-
\??\c:\vpjvv.exec:\vpjvv.exe116⤵PID:2156
-
\??\c:\rxrxfxx.exec:\rxrxfxx.exe117⤵PID:1652
-
\??\c:\3frlrll.exec:\3frlrll.exe118⤵PID:2432
-
\??\c:\tbtthn.exec:\tbtthn.exe119⤵PID:2956
-
\??\c:\tbbnnb.exec:\tbbnnb.exe120⤵PID:1600
-
\??\c:\vpvjp.exec:\vpvjp.exe121⤵PID:2444
-
\??\c:\xrxffrl.exec:\xrxffrl.exe122⤵PID:2896