Analysis
-
max time kernel
133s -
max time network
128s -
platform
windows7_x64 -
resource
win7-20240419-en -
resource tags
arch:x64 arch:x86 image:win7-20240419-en locale:en-us os:windows7-x64 system -
submitted
06-06-2024 04:21
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
aa010b29bc667e0bbffdc072f1fa545e97027afc8d98b60557112272b2df09c4.exe
Resource
win7-20240419-en
6 signatures
150 seconds
General
-
Target
aa010b29bc667e0bbffdc072f1fa545e97027afc8d98b60557112272b2df09c4.exe
-
Size
69KB
-
MD5
45b4c434f15ba9d4423286486fe914ec
-
SHA1
300a301eee790f39f2170f9c85a46f1f5de81ed8
-
SHA256
aa010b29bc667e0bbffdc072f1fa545e97027afc8d98b60557112272b2df09c4
-
SHA512
c715b5920cc82cbec75ea34b78821deb0cc67d860a1d995d2ebab53e35c03ba85d4cbe833caf194eb7fb79f097ff3958aeea12365083caa29a5b82a3831fbab3
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxND0yUwcsbY/Y:ymb3NkkiQ3mdBjF0yjcsMg
Malware Config
Signatures
-
Detect Blackmoon payload 25 IoCs
UPX dump on OEP (original entry point) 34 IoCs
Executes dropped EXE 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\aa010b29bc667e0bbffdc072f1fa545e97027afc8d98b60557112272b2df09c4.exe"C:\Users\Admin\AppData\Local\Temp\aa010b29bc667e0bbffdc072f1fa545e97027afc8d98b60557112272b2df09c4.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1028 -
\??\c:\1vppd.exec:\1vppd.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1508 -
\??\c:\rrrlfrr.exec:\rrrlfrr.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2612 -
\??\c:\1nbnbt.exec:\1nbnbt.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2796 -
\??\c:\pvvpv.exec:\pvvpv.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2964 -
\??\c:\xxfrxfx.exec:\xxfrxfx.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2776 -
\??\c:\xllflfl.exec:\xllflfl.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2568 -
\??\c:\hhbhnn.exec:\hhbhnn.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2584 -
\??\c:\vjpdv.exec:\vjpdv.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2824 -
\??\c:\9djjp.exec:\9djjp.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2724 -
\??\c:\llfxxxx.exec:\llfxxxx.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2924 -
\??\c:\3hthth.exec:\3hthth.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3048 -
\??\c:\hnntnb.exec:\hnntnb.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1128 -
\??\c:\ppvvp.exec:\ppvvp.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2720 -
\??\c:\vvjjd.exec:\vvjjd.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2496 -
\??\c:\3rrrrff.exec:\3rrrrff.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2912 -
\??\c:\xxrxllf.exec:\xxrxllf.exe17⤵
- Executes dropped EXE
PID:656 -
\??\c:\tntnht.exec:\tntnht.exe18⤵
- Executes dropped EXE
PID:1724 -
\??\c:\ttthtn.exec:\ttthtn.exe19⤵
- Executes dropped EXE
PID:884 -
\??\c:\3jvpp.exec:\3jvpp.exe20⤵
- Executes dropped EXE
PID:2500 -
\??\c:\fxxrrrx.exec:\fxxrrrx.exe21⤵
- Executes dropped EXE
PID:2972 -
\??\c:\frflfxl.exec:\frflfxl.exe22⤵
- Executes dropped EXE
PID:668 -
\??\c:\tnbtbb.exec:\tnbtbb.exe23⤵
- Executes dropped EXE
PID:1256 -
\??\c:\tnnnbb.exec:\tnnnbb.exe24⤵
- Executes dropped EXE
PID:1676 -
\??\c:\pjvpd.exec:\pjvpd.exe25⤵
- Executes dropped EXE
PID:808 -
\??\c:\ppvvd.exec:\ppvvd.exe26⤵
- Executes dropped EXE
PID:700 -
\??\c:\flrllfr.exec:\flrllfr.exe27⤵
- Executes dropped EXE
PID:1812 -
\??\c:\bnnhhb.exec:\bnnhhb.exe28⤵
- Executes dropped EXE
PID:916 -
\??\c:\dvpjp.exec:\dvpjp.exe29⤵
- Executes dropped EXE
PID:1164 -
\??\c:\djpdj.exec:\djpdj.exe30⤵
- Executes dropped EXE
PID:2136 -
\??\c:\lxflrxx.exec:\lxflrxx.exe31⤵
- Executes dropped EXE
PID:2400 -
\??\c:\flxfffx.exec:\flxfffx.exe32⤵
- Executes dropped EXE
PID:1772 -
\??\c:\bhnnhh.exec:\bhnnhh.exe33⤵
- Executes dropped EXE
PID:1028 -
\??\c:\3jvvj.exec:\3jvvj.exe34⤵
- Executes dropped EXE
PID:2420 -
\??\c:\vdjpp.exec:\vdjpp.exe35⤵
- Executes dropped EXE
PID:2360 -
\??\c:\rrrffff.exec:\rrrffff.exe36⤵
- Executes dropped EXE
PID:2832 -
\??\c:\xlllrlx.exec:\xlllrlx.exe37⤵
- Executes dropped EXE
PID:2392 -
\??\c:\7nbbhh.exec:\7nbbhh.exe38⤵
- Executes dropped EXE
PID:2964 -
\??\c:\hbntbh.exec:\hbntbh.exe39⤵
- Executes dropped EXE
PID:2576 -
\??\c:\ddddv.exec:\ddddv.exe40⤵
- Executes dropped EXE
PID:2644 -
\??\c:\3jvjd.exec:\3jvjd.exe41⤵
- Executes dropped EXE
PID:2372 -
\??\c:\5rfflfl.exec:\5rfflfl.exe42⤵
- Executes dropped EXE
PID:2260 -
\??\c:\rlrxlfl.exec:\rlrxlfl.exe43⤵
- Executes dropped EXE
PID:2892 -
\??\c:\7bnhnt.exec:\7bnhnt.exe44⤵
- Executes dropped EXE
PID:3036 -
\??\c:\pjdpd.exec:\pjdpd.exe45⤵
- Executes dropped EXE
PID:1264 -
\??\c:\jddjp.exec:\jddjp.exe46⤵
- Executes dropped EXE
PID:1628 -
\??\c:\flxxrfr.exec:\flxxrfr.exe47⤵
- Executes dropped EXE
PID:912 -
\??\c:\flfrrrf.exec:\flfrrrf.exe48⤵
- Executes dropped EXE
PID:2060 -
\??\c:\bhthnn.exec:\bhthnn.exe49⤵
- Executes dropped EXE
PID:2904 -
\??\c:\1tnbhh.exec:\1tnbhh.exe50⤵
- Executes dropped EXE
PID:280 -
\??\c:\vddvd.exec:\vddvd.exe51⤵
- Executes dropped EXE
PID:1660 -
\??\c:\1rrrllf.exec:\1rrrllf.exe52⤵
- Executes dropped EXE
PID:1324 -
\??\c:\bthbtt.exec:\bthbtt.exe53⤵
- Executes dropped EXE
PID:2448 -
\??\c:\vvpvv.exec:\vvpvv.exe54⤵
- Executes dropped EXE
PID:2000 -
\??\c:\vdddd.exec:\vdddd.exe55⤵
- Executes dropped EXE
PID:2456 -
\??\c:\rxxxffr.exec:\rxxxffr.exe56⤵
- Executes dropped EXE
PID:540 -
\??\c:\7rllflx.exec:\7rllflx.exe57⤵
- Executes dropped EXE
PID:668 -
\??\c:\1btnhn.exec:\1btnhn.exe58⤵
- Executes dropped EXE
PID:1316 -
\??\c:\dppjj.exec:\dppjj.exe59⤵
- Executes dropped EXE
PID:348 -
\??\c:\lfrrxfl.exec:\lfrrxfl.exe60⤵
- Executes dropped EXE
PID:2128 -
\??\c:\fxxfxxl.exec:\fxxfxxl.exe61⤵
- Executes dropped EXE
PID:1312 -
\??\c:\nbthhn.exec:\nbthhn.exe62⤵
- Executes dropped EXE
PID:2620 -
\??\c:\nhbnhh.exec:\nhbnhh.exe63⤵
- Executes dropped EXE
PID:1812 -
\??\c:\dvjjj.exec:\dvjjj.exe64⤵
- Executes dropped EXE
PID:468 -
\??\c:\vvddp.exec:\vvddp.exe65⤵
- Executes dropped EXE
PID:1104 -
\??\c:\llxxlrf.exec:\llxxlrf.exe66⤵PID:2152
-
\??\c:\rrxllfx.exec:\rrxllfx.exe67⤵PID:2056
-
\??\c:\tbhhht.exec:\tbhhht.exe68⤵PID:2400
-
\??\c:\1hhbhh.exec:\1hhbhh.exe69⤵PID:2032
-
\??\c:\nnbnnn.exec:\nnbnnn.exe70⤵PID:2012
-
\??\c:\pvdvv.exec:\pvdvv.exe71⤵PID:2256
-
\??\c:\pjpvp.exec:\pjpvp.exe72⤵PID:2828
-
\??\c:\xffxfxf.exec:\xffxfxf.exe73⤵PID:2788
-
\??\c:\lrfxfrr.exec:\lrfxfrr.exe74⤵PID:2556
-
\??\c:\fxllffr.exec:\fxllffr.exe75⤵PID:2688
-
\??\c:\bbtnbn.exec:\bbtnbn.exe76⤵PID:2964
-
\??\c:\9htbbb.exec:\9htbbb.exe77⤵PID:2844
-
\??\c:\pjdvd.exec:\pjdvd.exe78⤵PID:3068
-
\??\c:\9vppp.exec:\9vppp.exe79⤵PID:2564
-
\??\c:\ppddj.exec:\ppddj.exe80⤵PID:2868
-
\??\c:\xrlxllf.exec:\xrlxllf.exe81⤵PID:2948
-
\??\c:\lrxfrrr.exec:\lrxfrrr.exe82⤵PID:2892
-
\??\c:\hthhtb.exec:\hthhtb.exe83⤵PID:624
-
\??\c:\hbttbb.exec:\hbttbb.exe84⤵PID:2508
-
\??\c:\djvvv.exec:\djvvv.exe85⤵PID:2540
-
\??\c:\pdpvj.exec:\pdpvj.exe86⤵PID:912
-
\??\c:\lflxlrf.exec:\lflxlrf.exe87⤵PID:1464
-
\??\c:\flxxxrf.exec:\flxxxrf.exe88⤵PID:1836
-
\??\c:\ttbhtb.exec:\ttbhtb.exe89⤵PID:896
-
\??\c:\tnhtbh.exec:\tnhtbh.exe90⤵PID:1972
-
\??\c:\7dvpv.exec:\7dvpv.exe91⤵PID:3032
-
\??\c:\vvpvp.exec:\vvpvp.exe92⤵PID:852
-
\??\c:\jdddp.exec:\jdddp.exe93⤵PID:2888
-
\??\c:\fxxflxr.exec:\fxxflxr.exe94⤵PID:768
-
\??\c:\5rlfrxl.exec:\5rlfrxl.exe95⤵PID:2920
-
\??\c:\ffxxllr.exec:\ffxxllr.exe96⤵PID:960
-
\??\c:\tnbhnn.exec:\tnbhnn.exe97⤵PID:1040
-
\??\c:\tbbtbb.exec:\tbbtbb.exe98⤵PID:2572
-
\??\c:\vvppd.exec:\vvppd.exe99⤵PID:1012
-
\??\c:\vdvdp.exec:\vdvdp.exe100⤵PID:808
-
\??\c:\1ddvj.exec:\1ddvj.exe101⤵PID:1976
-
\??\c:\rlfxfxl.exec:\rlfxfxl.exe102⤵PID:1796
-
\??\c:\xxxlrlf.exec:\xxxlrlf.exe103⤵PID:856
-
\??\c:\tbbhnb.exec:\tbbhnb.exe104⤵PID:2604
-
\??\c:\ntbhnt.exec:\ntbhnt.exe105⤵PID:2120
-
\??\c:\dvvdj.exec:\dvvdj.exe106⤵PID:3024
-
\??\c:\dpdvd.exec:\dpdvd.exe107⤵PID:2300
-
\??\c:\frxrxxl.exec:\frxrxxl.exe108⤵PID:1884
-
\??\c:\lxfxrxx.exec:\lxfxrxx.exe109⤵PID:2444
-
\??\c:\xxlflfl.exec:\xxlflfl.exe110⤵PID:2224
-
\??\c:\ttnhnt.exec:\ttnhnt.exe111⤵PID:2816
-
\??\c:\tbttth.exec:\tbttth.exe112⤵PID:2648
-
\??\c:\dppvv.exec:\dppvv.exe113⤵PID:1944
-
\??\c:\jppjd.exec:\jppjd.exe114⤵PID:2784
-
\??\c:\dvddj.exec:\dvddj.exe115⤵PID:2776
-
\??\c:\lrxlfxr.exec:\lrxlfxr.exe116⤵PID:2552
-
\??\c:\ffflrll.exec:\ffflrll.exe117⤵PID:2576
-
\??\c:\thhhnn.exec:\thhhnn.exe118⤵PID:2584
-
\??\c:\ntthnh.exec:\ntthnh.exe119⤵PID:2976
-
\??\c:\jvjvv.exec:\jvjvv.exe120⤵PID:2732
-
\??\c:\dppjd.exec:\dppjd.exe121⤵PID:3040
-
\??\c:\5pddj.exec:\5pddj.exe122⤵PID:2948
-