Analysis
max time kernel: 150s
max time network: 123s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 06-06-2024 03:43
Static task
static1: 1 signatures
Behavioral task
behavioral1: 6 signatures, 150 seconds
Sample: 9e3e753c3e0127b1627d1c5b350a393dc9713187ec06bc6257209f0c7546fbc0.exe
Resource: win7-20240508-en
General
Target: 9e3e753c3e0127b1627d1c5b350a393dc9713187ec06bc6257209f0c7546fbc0.exe
Size: 67KB
MD5: 53c2b642afd212fa7aeccaf9087e64b1
SHA1: fc70f1ebcf2d26b30437e4765808fe2e0bf5272a
SHA256: 9e3e753c3e0127b1627d1c5b350a393dc9713187ec06bc6257209f0c7546fbc0
SHA512: 9fe432f93981772589825ac480427a9a820c0ea5d7e73dd83bfb2abb73d4c04de413530655446efae07329b73984c982474f87561aa7d9d13b4e63ef851021b4
SSDEEP: 1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxND0yUuYp+5C8+LuvPrgpX6:ymb3NkkiQ3mdBjF0yMlwrj
Malware Config
Signatures
Detect Blackmoon payload 24 IoCs
UPX dump on OEP (original entry point) 25 IoCs
Executes dropped EXE 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes