Analysis
max time kernel: 150s
max time network: 120s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64 arch:x86 image:win7-20240508-en locale:en-us os:windows7-x64 system
submitted: 18/05/2024, 01:32
Static task: static1
1 signatures
Behavioral task: behavioral1
Sample: a6f7a974b8c7e768f3ede273528526aca3141b4c23af1ffff65a31583aa678a3.exe
Resource: win7-20240508-en
6 signatures
150 seconds
General
Target: a6f7a974b8c7e768f3ede273528526aca3141b4c23af1ffff65a31583aa678a3.exe
Size: 62KB
MD5: 16a4e1d8555b3ac9e82b143235df4805
SHA1: 7edc99943c989105ca2c32357e082549d6b8ae2d
SHA256: a6f7a974b8c7e768f3ede273528526aca3141b4c23af1ffff65a31583aa678a3
SHA512: ca41b53ea4bdd0fa9d026fdf119ca95b5e5f21a52080e7e9fc1583865f0f0209730ec37e955f2179d1947e514b0a882f40387860474dae141c55e731b7b81de8
SSDEEP: 1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDIFdJULh1214aK:ymb3NkkiQ3mdBjFIFdJmdaK
Malware Config
Signatures
-
Detect Blackmoon payload 23 IoCs
UPX dump on OEP (original entry point) 27 IoCs
Executes dropped EXE 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\a6f7a974b8c7e768f3ede273528526aca3141b4c23af1ffff65a31583aa678a3.exe"C:\Users\Admin\AppData\Local\Temp\a6f7a974b8c7e768f3ede273528526aca3141b4c23af1ffff65a31583aa678a3.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1720 -
\??\c:\rlxxffl.exec:\rlxxffl.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1232 -
\??\c:\hhhhth.exec:\hhhhth.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2080 -
\??\c:\dvjdj.exec:\dvjdj.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2712 -
\??\c:\xlxxlxx.exec:\xlxxlxx.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2704 -
\??\c:\fflfrxl.exec:\fflfrxl.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2700 -
\??\c:\5nhtnn.exec:\5nhtnn.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2596 -
\??\c:\dpvvp.exec:\dpvvp.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2424 -
\??\c:\hbntnn.exec:\hbntnn.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2892 -
\??\c:\vpjdj.exec:\vpjdj.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2316 -
\??\c:\rlrrlrf.exec:\rlrrlrf.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1832 -
\??\c:\lffrxfx.exec:\lffrxfx.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2520 -
\??\c:\hbbntb.exec:\hbbntb.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1868 -
\??\c:\bnbttt.exec:\bnbttt.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1632 -
\??\c:\vdjvp.exec:\vdjvp.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1532 -
\??\c:\fxrxfrf.exec:\fxrxfrf.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:784 -
\??\c:\hbnnbh.exec:\hbnnbh.exe17⤵
- Executes dropped EXE
PID:264 -
\??\c:\9nhhhh.exec:\9nhhhh.exe18⤵
- Executes dropped EXE
PID:572 -
\??\c:\vjdjd.exec:\vjdjd.exe19⤵
- Executes dropped EXE
PID:1256 -
\??\c:\pjpjj.exec:\pjpjj.exe20⤵
- Executes dropped EXE
PID:832 -
\??\c:\lllrflx.exec:\lllrflx.exe21⤵
- Executes dropped EXE
PID:2656 -
\??\c:\7ttbhb.exec:\7ttbhb.exe22⤵
- Executes dropped EXE
PID:2196 -
\??\c:\tnbntb.exec:\tnbntb.exe23⤵
- Executes dropped EXE
PID:2220 -
\??\c:\dvddj.exec:\dvddj.exe24⤵
- Executes dropped EXE
PID:1768 -
\??\c:\ffrfrxf.exec:\ffrfrxf.exe25⤵
- Executes dropped EXE
PID:2388 -
\??\c:\rlrrrfr.exec:\rlrrrfr.exe26⤵
- Executes dropped EXE
PID:3040 -
\??\c:\1hhnhb.exec:\1hhnhb.exe27⤵
- Executes dropped EXE
PID:2336 -
\??\c:\7pppd.exec:\7pppd.exe28⤵
- Executes dropped EXE
PID:352 -
\??\c:\vpjvj.exec:\vpjvj.exe29⤵
- Executes dropped EXE
PID:1512 -
\??\c:\xrffrlf.exec:\xrffrlf.exe30⤵
- Executes dropped EXE
PID:1844 -
\??\c:\nhbnth.exec:\nhbnth.exe31⤵
- Executes dropped EXE
PID:2024 -
\??\c:\tnbhhb.exec:\tnbhhb.exe32⤵
- Executes dropped EXE
PID:868 -
\??\c:\9pjvj.exec:\9pjvj.exe33⤵
- Executes dropped EXE
PID:1720 -
\??\c:\dvjpj.exec:\dvjpj.exe34⤵
- Executes dropped EXE
PID:2524 -
\??\c:\xrxrxxx.exec:\xrxrxxx.exe35⤵
- Executes dropped EXE
PID:1252 -
\??\c:\rfrrxxx.exec:\rfrrxxx.exe36⤵
- Executes dropped EXE
PID:2536 -
\??\c:\httbbb.exec:\httbbb.exe37⤵
- Executes dropped EXE
PID:2588 -
\??\c:\vpddp.exec:\vpddp.exe38⤵
- Executes dropped EXE
PID:2704 -
\??\c:\9jjjj.exec:\9jjjj.exe39⤵
- Executes dropped EXE
PID:1524 -
\??\c:\vpvvj.exec:\vpvvj.exe40⤵
- Executes dropped EXE
PID:2464 -
\??\c:\xrxlxlx.exec:\xrxlxlx.exe41⤵
- Executes dropped EXE
PID:2452 -
\??\c:\rflrxfx.exec:\rflrxfx.exe42⤵
- Executes dropped EXE
PID:2716 -
\??\c:\nhtbnn.exec:\nhtbnn.exe43⤵
- Executes dropped EXE
PID:2480 -
\??\c:\dvppv.exec:\dvppv.exe44⤵
- Executes dropped EXE
PID:2440 -
\??\c:\1djpp.exec:\1djpp.exe45⤵
- Executes dropped EXE
PID:2148 -
\??\c:\rlfxxll.exec:\rlfxxll.exe46⤵
- Executes dropped EXE
PID:1556 -
\??\c:\xrflxlx.exec:\xrflxlx.exe47⤵
- Executes dropped EXE
PID:2316 -
\??\c:\rxllxxr.exec:\rxllxxr.exe48⤵
- Executes dropped EXE
PID:1688 -
\??\c:\htbhhn.exec:\htbhhn.exe49⤵
- Executes dropped EXE
PID:1708 -
\??\c:\thnttt.exec:\thnttt.exe50⤵
- Executes dropped EXE
PID:1864 -
\??\c:\jpvdd.exec:\jpvdd.exe51⤵
- Executes dropped EXE
PID:1660 -
\??\c:\pjpvd.exec:\pjpvd.exe52⤵
- Executes dropped EXE
PID:1560 -
\??\c:\xrlrrrx.exec:\xrlrrrx.exe53⤵
- Executes dropped EXE
PID:1572 -
\??\c:\fxllxfl.exec:\fxllxfl.exe54⤵
- Executes dropped EXE
PID:664 -
\??\c:\9tbthh.exec:\9tbthh.exe55⤵
- Executes dropped EXE
PID:1400 -
\??\c:\bthtnn.exec:\bthtnn.exe56⤵
- Executes dropped EXE
PID:1196 -
\??\c:\5vpjp.exec:\5vpjp.exe57⤵
- Executes dropped EXE
PID:2744 -
\??\c:\1jdpp.exec:\1jdpp.exe58⤵
- Executes dropped EXE
PID:1564 -
\??\c:\rlrxxlr.exec:\rlrxxlr.exe59⤵
- Executes dropped EXE
PID:2780 -
\??\c:\9rllrrx.exec:\9rllrrx.exe60⤵
- Executes dropped EXE
PID:2200 -
\??\c:\9hhbnh.exec:\9hhbnh.exe61⤵
- Executes dropped EXE
PID:2008 -
\??\c:\5vjpj.exec:\5vjpj.exe62⤵
- Executes dropped EXE
PID:2232 -
\??\c:\dvppj.exec:\dvppj.exe63⤵
- Executes dropped EXE
PID:1796 -
\??\c:\ffxxffr.exec:\ffxxffr.exe64⤵
- Executes dropped EXE
PID:1680 -
\??\c:\nhtbhh.exec:\nhtbhh.exe65⤵
- Executes dropped EXE
PID:2064 -
\??\c:\btnbtt.exec:\btnbtt.exe66⤵PID:2332
-
\??\c:\dvvjj.exec:\dvvjj.exe67⤵PID:300
-
\??\c:\djvdj.exec:\djvdj.exe68⤵PID:2832
-
\??\c:\rlrrxfl.exec:\rlrrxfl.exe69⤵PID:2992
-
\??\c:\7llrfrl.exec:\7llrfrl.exe70⤵PID:2164
-
\??\c:\tthnbb.exec:\tthnbb.exe71⤵PID:2912
-
\??\c:\nnbbhn.exec:\nnbbhn.exe72⤵PID:1112
-
\??\c:\bbnbhn.exec:\bbnbhn.exe73⤵PID:2000
-
\??\c:\pdjdp.exec:\pdjdp.exe74⤵PID:2360
-
\??\c:\vpjvd.exec:\vpjvd.exe75⤵PID:2736
-
\??\c:\lfrxfrf.exec:\lfrxfrf.exe76⤵PID:2572
-
\??\c:\9fxlrfl.exec:\9fxlrfl.exe77⤵PID:2080
-
\??\c:\thtnnn.exec:\thtnnn.exe78⤵PID:2584
-
\??\c:\nntbhn.exec:\nntbhn.exe79⤵PID:2564
-
\??\c:\dpjdj.exec:\dpjdj.exe80⤵PID:1520
-
\??\c:\vpdjp.exec:\vpdjp.exe81⤵PID:2540
-
\??\c:\3vjjp.exec:\3vjjp.exe82⤵PID:2568
-
\??\c:\rrllxrx.exec:\rrllxrx.exe83⤵PID:2544
-
\??\c:\3lflxfr.exec:\3lflxfr.exe84⤵PID:2504
-
\??\c:\7tttbb.exec:\7tttbb.exe85⤵PID:2888
-
\??\c:\bnnnhb.exec:\bnnnhb.exe86⤵PID:792
-
\??\c:\vvddj.exec:\vvddj.exe87⤵PID:1540
-
\??\c:\jjvvj.exec:\jjvvj.exe88⤵PID:1596
-
\??\c:\vpddj.exec:\vpddj.exe89⤵PID:2532
-
\??\c:\rllrxxf.exec:\rllrxxf.exe90⤵PID:748
-
\??\c:\xxrfrrf.exec:\xxrfrrf.exe91⤵PID:1888
-
\??\c:\9thttt.exec:\9thttt.exe92⤵PID:1860
-
\??\c:\nnhbhh.exec:\nnhbhh.exe93⤵PID:1632
-
\??\c:\bbtnth.exec:\bbtnth.exe94⤵PID:1616
-
\??\c:\pvpdv.exec:\pvpdv.exe95⤵PID:532
-
\??\c:\vpdjv.exec:\vpdjv.exe96⤵PID:652
-
\??\c:\1xfxlxl.exec:\1xfxlxl.exe97⤵PID:2396
-
\??\c:\rlflxlx.exec:\rlflxlx.exe98⤵PID:1428
-
\??\c:\nbttbh.exec:\nbttbh.exe99⤵PID:1248
-
\??\c:\nhbnhn.exec:\nhbnhn.exe100⤵PID:2784
-
\??\c:\vpdjd.exec:\vpdjd.exe101⤵PID:2392
-
\??\c:\5jdjp.exec:\5jdjp.exe102⤵PID:828
-
\??\c:\1rrlrrl.exec:\1rrlrrl.exe103⤵PID:1384
-
\??\c:\9xxflrx.exec:\9xxflrx.exe104⤵PID:1712
-
\??\c:\hbbbnn.exec:\hbbbnn.exe105⤵PID:604
-
\??\c:\ttntth.exec:\ttntth.exe106⤵PID:2388
-
\??\c:\ppdjd.exec:\ppdjd.exe107⤵PID:1088
-
\??\c:\ppvjd.exec:\ppvjd.exe108⤵PID:1900
-
\??\c:\rlrlrlr.exec:\rlrlrlr.exe109⤵PID:628
-
\??\c:\rrllrfl.exec:\rrllrfl.exe110⤵PID:3036
-
\??\c:\llxffff.exec:\llxffff.exe111⤵PID:1948
-
\??\c:\nnbhbb.exec:\nnbhbb.exe112⤵PID:2908
-
\??\c:\nnhntn.exec:\nnhntn.exe113⤵PID:2860
-
\??\c:\pvvpd.exec:\pvvpd.exe114⤵PID:864
-
\??\c:\jvpjp.exec:\jvpjp.exe115⤵PID:2032
-
\??\c:\lxlrrfl.exec:\lxlrrfl.exe116⤵PID:3052
-
\??\c:\lfrrxff.exec:\lfrrxff.exe117⤵PID:3056
-
\??\c:\tnnthb.exec:\tnnthb.exe118⤵PID:3028
-
\??\c:\htnnbt.exec:\htnnbt.exe119⤵PID:2712
-
\??\c:\7hbtnh.exec:\7hbtnh.exe120⤵PID:2960
-
\??\c:\dvddp.exec:\dvddp.exe121⤵PID:1192
-
\??\c:\7pjpp.exec:\7pjpp.exe122⤵PID:2812