Analysis
-
max time kernel
150s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240215-en -
resource tags
arch:x64 arch:x86 image:win7-20240215-en locale:en-us os:windows7-x64 system -
submitted
06-06-2024 03:59
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
a2d2a0c93849f45babfdb746dbf63be0b61d2e33e545c4595c8439cb5f7cac42.exe
Resource
win7-20240215-en
6 signatures
150 seconds
General
-
Target
a2d2a0c93849f45babfdb746dbf63be0b61d2e33e545c4595c8439cb5f7cac42.exe
-
Size
247KB
-
MD5
4a9f67752e64749cc880f344800891f3
-
SHA1
35b58495fbeb410b2ef2a3f415ea0137665d736d
-
SHA256
a2d2a0c93849f45babfdb746dbf63be0b61d2e33e545c4595c8439cb5f7cac42
-
SHA512
355038103828515c692130a244f79c05b049ca2211ae09bc293a3dc3f887572d0d442911c952e9e04371998f69441b3a6fdfb36df2eefb027671e44112c326ad
-
SSDEEP
6144:n3C9BRo/AIX27NHWpU00VIxas1oa3YiFRV6E:n3C9uD6AUDCa4NYmRh
Malware Config
Signatures
-
Detect Blackmoon payload 20 IoCs
UPX dump on OEP (original entry point) 23 IoCs
Executes dropped EXE 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵PID:2332
-
C:\Users\Admin\AppData\Local\Temp\a2d2a0c93849f45babfdb746dbf63be0b61d2e33e545c4595c8439cb5f7cac42.exe"C:\Users\Admin\AppData\Local\Temp\a2d2a0c93849f45babfdb746dbf63be0b61d2e33e545c4595c8439cb5f7cac42.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2952 -
\??\c:\tnbthh.exec:\tnbthh.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3056 -
\??\c:\vvppj.exec:\vvppj.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1288 -
\??\c:\ddvjv.exec:\ddvjv.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2588 -
\??\c:\lflxffr.exec:\lflxffr.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2592 -
\??\c:\btnbhn.exec:\btnbhn.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2756 -
\??\c:\nntnhh.exec:\nntnhh.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2460 -
\??\c:\5vpvd.exec:\5vpvd.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2432 -
\??\c:\3dppd.exec:\3dppd.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2608 -
\??\c:\rrlrlrf.exec:\rrlrlrf.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2172 -
\??\c:\tthnhn.exec:\tthnhn.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2892 -
\??\c:\1vdjj.exec:\1vdjj.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2104 -
\??\c:\jjjdp.exec:\jjjdp.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2040 -
\??\c:\xlffffl.exec:\xlffffl.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1688 -
\??\c:\1hbhht.exec:\1hbhht.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2524 -
\??\c:\thttbh.exec:\thttbh.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2536 -
\??\c:\jvpdv.exec:\jvpdv.exe17⤵
- Executes dropped EXE
PID:2676 -
\??\c:\vdppd.exec:\vdppd.exe18⤵
- Executes dropped EXE
PID:1792 -
\??\c:\lfrlxxl.exec:\lfrlxxl.exe19⤵
- Executes dropped EXE
PID:1548 -
\??\c:\btbnhb.exec:\btbnhb.exe20⤵
- Executes dropped EXE
PID:1944 -
\??\c:\9htbhn.exec:\9htbhn.exe21⤵
- Executes dropped EXE
PID:2416 -
\??\c:\9ddpj.exec:\9ddpj.exe22⤵
- Executes dropped EXE
PID:2924 -
\??\c:\3jpdp.exec:\3jpdp.exe23⤵
- Executes dropped EXE
PID:600 -
\??\c:\lxrxflx.exec:\lxrxflx.exe24⤵
- Executes dropped EXE
PID:1096 -
\??\c:\5hbntb.exec:\5hbntb.exe25⤵
- Executes dropped EXE
PID:2140 -
\??\c:\thbtnn.exec:\thbtnn.exe26⤵
- Executes dropped EXE
PID:2404 -
\??\c:\5dvjp.exec:\5dvjp.exe27⤵
- Executes dropped EXE
PID:780 -
\??\c:\rfxllxr.exec:\rfxllxr.exe28⤵
- Executes dropped EXE
PID:2372 -
\??\c:\xrllxxf.exec:\xrllxxf.exe29⤵
- Executes dropped EXE
PID:712 -
\??\c:\bththh.exec:\bththh.exe30⤵
- Executes dropped EXE
PID:2516 -
\??\c:\ddpjp.exec:\ddpjp.exe31⤵
- Executes dropped EXE
PID:2344 -
\??\c:\xxrfflr.exec:\xxrfflr.exe32⤵
- Executes dropped EXE
PID:888 -
\??\c:\9fxxffl.exec:\9fxxffl.exe33⤵
- Executes dropped EXE
PID:1308 -
\??\c:\7nnnnn.exec:\7nnnnn.exe34⤵
- Executes dropped EXE
PID:1616 -
\??\c:\jddpj.exec:\jddpj.exe35⤵
- Executes dropped EXE
PID:2528 -
\??\c:\ddpvj.exec:\ddpvj.exe36⤵
- Executes dropped EXE
PID:2544 -
\??\c:\fxrrllf.exec:\fxrrllf.exe37⤵
- Executes dropped EXE
PID:2628 -
\??\c:\rllrfrx.exec:\rllrfrx.exe38⤵
- Executes dropped EXE
PID:1284 -
\??\c:\vpdjp.exec:\vpdjp.exe39⤵
- Executes dropped EXE
PID:2464 -
\??\c:\xxflrxl.exec:\xxflrxl.exe40⤵
- Executes dropped EXE
PID:2552 -
\??\c:\xxxfrxf.exec:\xxxfrxf.exe41⤵
- Executes dropped EXE
PID:2468 -
\??\c:\rrlxllf.exec:\rrlxllf.exe42⤵
- Executes dropped EXE
PID:1340 -
\??\c:\bthnbb.exec:\bthnbb.exe43⤵
- Executes dropped EXE
PID:2740 -
\??\c:\vjdpp.exec:\vjdpp.exe44⤵
- Executes dropped EXE
PID:2992 -
\??\c:\lfflfxr.exec:\lfflfxr.exe45⤵
- Executes dropped EXE
PID:2284 -
\??\c:\xrrrffx.exec:\xrrrffx.exe46⤵
- Executes dropped EXE
PID:2816 -
\??\c:\5tthhh.exec:\5tthhh.exe47⤵
- Executes dropped EXE
PID:1748 -
\??\c:\tthhhn.exec:\tthhhn.exe48⤵
- Executes dropped EXE
PID:2612 -
\??\c:\ddppj.exec:\ddppj.exe49⤵
- Executes dropped EXE
PID:2704 -
\??\c:\fxrrllr.exec:\fxrrllr.exe50⤵
- Executes dropped EXE
PID:2524 -
\??\c:\xfxfxlx.exec:\xfxfxlx.exe51⤵
- Executes dropped EXE
PID:2872 -
\??\c:\9ttbnt.exec:\9ttbnt.exe52⤵
- Executes dropped EXE
PID:1604 -
\??\c:\nnbthh.exec:\nnbthh.exe53⤵
- Executes dropped EXE
PID:644 -
\??\c:\jpjpv.exec:\jpjpv.exe54⤵
- Executes dropped EXE
PID:1808 -
\??\c:\pjddp.exec:\pjddp.exe55⤵
- Executes dropped EXE
PID:2932 -
\??\c:\frfflfr.exec:\frfflfr.exe56⤵
- Executes dropped EXE
PID:2248 -
\??\c:\flfxffr.exec:\flfxffr.exe57⤵
- Executes dropped EXE
PID:2416 -
\??\c:\hbntnb.exec:\hbntnb.exe58⤵
- Executes dropped EXE
PID:684 -
\??\c:\jddpj.exec:\jddpj.exe59⤵
- Executes dropped EXE
PID:592 -
\??\c:\vvvjv.exec:\vvvjv.exe60⤵
- Executes dropped EXE
PID:860 -
\??\c:\xxxxllr.exec:\xxxxllr.exe61⤵
- Executes dropped EXE
PID:1572 -
\??\c:\rfflrxl.exec:\rfflrxl.exe62⤵
- Executes dropped EXE
PID:1996 -
\??\c:\hbbtnt.exec:\hbbtnt.exe63⤵
- Executes dropped EXE
PID:1660 -
\??\c:\bbnbhn.exec:\bbnbhn.exe64⤵
- Executes dropped EXE
PID:964 -
\??\c:\djdpp.exec:\djdpp.exe65⤵
- Executes dropped EXE
PID:2220 -
\??\c:\jdppv.exec:\jdppv.exe66⤵PID:328
-
\??\c:\rrfrxfr.exec:\rrfrxfr.exe67⤵PID:768
-
\??\c:\xlxxrxl.exec:\xlxxrxl.exe68⤵PID:928
-
\??\c:\ttbnth.exec:\ttbnth.exe69⤵PID:1104
-
\??\c:\nhhnhn.exec:\nhhnhn.exe70⤵PID:2944
-
\??\c:\dvjpd.exec:\dvjpd.exe71⤵PID:1308
-
\??\c:\vvppv.exec:\vvppv.exe72⤵PID:2764
-
\??\c:\xrflxfx.exec:\xrflxfx.exe73⤵PID:2060
-
\??\c:\rflxrll.exec:\rflxrll.exe74⤵PID:2636
-
\??\c:\tthbtt.exec:\tthbtt.exe75⤵PID:2588
-
\??\c:\nthntn.exec:\nthntn.exe76⤵PID:2748
-
\??\c:\dpdvp.exec:\dpdvp.exe77⤵PID:2336
-
\??\c:\jjvjd.exec:\jjvjd.exe78⤵PID:2716
-
\??\c:\flfrfrx.exec:\flfrfrx.exe79⤵PID:2456
-
\??\c:\nnhtnb.exec:\nnhtnb.exe80⤵PID:2552
-
\??\c:\7tntbt.exec:\7tntbt.exe81⤵PID:3012
-
\??\c:\jdppd.exec:\jdppd.exe82⤵PID:2860
-
\??\c:\vvpjv.exec:\vvpjv.exe83⤵PID:2964
-
\??\c:\1lxxllr.exec:\1lxxllr.exe84⤵PID:2984
-
\??\c:\rrfxxxf.exec:\rrfxxxf.exe85⤵PID:2668
-
\??\c:\bbthnt.exec:\bbthnt.exe86⤵PID:2816
-
\??\c:\hthhbb.exec:\hthhbb.exe87⤵PID:2504
-
\??\c:\jjdjv.exec:\jjdjv.exe88⤵PID:2696
-
\??\c:\7jvdp.exec:\7jvdp.exe89⤵PID:2804
-
\??\c:\vjvjj.exec:\vjvjj.exe90⤵PID:2484
-
\??\c:\llxxflx.exec:\llxxflx.exe91⤵PID:2880
-
\??\c:\lfrxflr.exec:\lfrxflr.exe92⤵PID:848
-
\??\c:\hbtthn.exec:\hbtthn.exe93⤵PID:1640
-
\??\c:\nhtnbb.exec:\nhtnbb.exe94⤵PID:2056
-
\??\c:\5vvjj.exec:\5vvjj.exe95⤵PID:1208
-
\??\c:\fffllrr.exec:\fffllrr.exe96⤵PID:2684
-
\??\c:\llxlxfr.exec:\llxlxfr.exe97⤵PID:2288
-
\??\c:\bhtntt.exec:\bhtntt.exe98⤵PID:2248
-
\??\c:\7hnnnn.exec:\7hnnnn.exe99⤵PID:828
-
\??\c:\jpjvj.exec:\jpjvj.exe100⤵PID:584
-
\??\c:\jdvvp.exec:\jdvvp.exe101⤵PID:560
-
\??\c:\5vppp.exec:\5vppp.exe102⤵PID:1668
-
\??\c:\ffrrffr.exec:\ffrrffr.exe103⤵PID:1572
-
\??\c:\3frrrxx.exec:\3frrrxx.exe104⤵PID:1996
-
\??\c:\1bnnbn.exec:\1bnnbn.exe105⤵PID:1660
-
\??\c:\5thhnt.exec:\5thhnt.exe106⤵PID:964
-
\??\c:\jjvdj.exec:\jjvdj.exe107⤵PID:2220
-
\??\c:\jjvjv.exec:\jjvjv.exe108⤵PID:328
-
\??\c:\5jjjv.exec:\5jjjv.exe109⤵PID:900
-
\??\c:\xxrllxx.exec:\xxrllxx.exe110⤵PID:1000
-
\??\c:\xrllffr.exec:\xrllffr.exe111⤵PID:2340
-
\??\c:\tnhnbh.exec:\tnhnbh.exe112⤵PID:764
-
\??\c:\nnhnbh.exec:\nnhnbh.exe113⤵PID:1724
-
\??\c:\jdppv.exec:\jdppv.exe114⤵PID:2388
-
\??\c:\rrrxflr.exec:\rrrxflr.exe115⤵PID:1964
-
\??\c:\xxrrxlx.exec:\xxrrxlx.exe116⤵PID:2912
-
\??\c:\7nthnn.exec:\7nthnn.exe117⤵PID:2736
-
\??\c:\hbnthn.exec:\hbnthn.exe118⤵PID:2168
-
\??\c:\9jpvv.exec:\9jpvv.exe119⤵PID:2960
-
\??\c:\ddpvj.exec:\ddpvj.exe120⤵PID:2480
-
\??\c:\5dvvv.exec:\5dvvv.exe121⤵PID:3004
-
\??\c:\frfflrl.exec:\frfflrl.exe122⤵PID:1692