Analysis
max time kernel: 150s
max time network: 126s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 06-06-2024 06:44
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
d4959a9f623d5022735f4f240629bf3c00600cdfb9f92ae3624a0fbb0fa3a784.exe
Resource
win7-20240508-en
6 signatures
150 seconds
General
Target: d4959a9f623d5022735f4f240629bf3c00600cdfb9f92ae3624a0fbb0fa3a784.exe
Size: 87KB
MD5: d0e85d775c0fbf08d58cdaf9cc9b7e77
SHA1: 874f00737e6b42ed5dd43873c4a1cfa2fa40589c
SHA256: d4959a9f623d5022735f4f240629bf3c00600cdfb9f92ae3624a0fbb0fa3a784
SHA512: 0f3e28d008e59c1a6dad318c13ffb8ae0dda22a800dd8d9373eb691b9fd8ca53f00cdcaef8bc3dcb569e24b78df1022b66fbacff9e00af03f7c13e8529f7a781
SSDEEP: 1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxND+3T4+C2wV3jaCJ5jH3eHb:ymb3NkkiQ3mdBjF+3TU2K3bJZXA
Malware Config
Signatures
-
Detect Blackmoon payload 21 IoCs
UPX dump on OEP (original entry point) 31 IoCs
Executes dropped EXE 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\d4959a9f623d5022735f4f240629bf3c00600cdfb9f92ae3624a0fbb0fa3a784.exe"C:\Users\Admin\AppData\Local\Temp\d4959a9f623d5022735f4f240629bf3c00600cdfb9f92ae3624a0fbb0fa3a784.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1944 -
\??\c:\1nntbh.exec:\1nntbh.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2472 -
\??\c:\pdpjj.exec:\pdpjj.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2364 -
\??\c:\5hbhbn.exec:\5hbhbn.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2728 -
\??\c:\lrfrfrf.exec:\lrfrfrf.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2792 -
\??\c:\ppdjp.exec:\ppdjp.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2896 -
\??\c:\vvpjv.exec:\vvpjv.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:300 -
\??\c:\tbthhh.exec:\tbthhh.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2576 -
\??\c:\ddjpv.exec:\ddjpv.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2368 -
\??\c:\llfxlrl.exec:\llfxlrl.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2768 -
\??\c:\bttnnh.exec:\bttnnh.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2840 -
\??\c:\vvpvj.exec:\vvpvj.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2908 -
\??\c:\3xlxrrx.exec:\3xlxrrx.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1992 -
\??\c:\hbthtt.exec:\hbthtt.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1536 -
\??\c:\pjvjd.exec:\pjvjd.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:392 -
\??\c:\7frxfrf.exec:\7frxfrf.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:756 -
\??\c:\bhbtbb.exec:\bhbtbb.exe17⤵
- Executes dropped EXE
PID:2572 -
\??\c:\dvvdj.exec:\dvvdj.exe18⤵
- Executes dropped EXE
PID:1704 -
\??\c:\vpppd.exec:\vpppd.exe19⤵
- Executes dropped EXE
PID:1656 -
\??\c:\bnbtnh.exec:\bnbtnh.exe20⤵
- Executes dropped EXE
PID:1116 -
\??\c:\nhhhbh.exec:\nhhhbh.exe21⤵
- Executes dropped EXE
PID:2084 -
\??\c:\1dpvd.exec:\1dpvd.exe22⤵
- Executes dropped EXE
PID:836 -
\??\c:\1xrxllf.exec:\1xrxllf.exe23⤵
- Executes dropped EXE
PID:2328 -
\??\c:\nbbhbb.exec:\nbbhbb.exe24⤵
- Executes dropped EXE
PID:580 -
\??\c:\xfxfxrr.exec:\xfxfxrr.exe25⤵
- Executes dropped EXE
PID:804 -
\??\c:\fxlflxr.exec:\fxlflxr.exe26⤵
- Executes dropped EXE
PID:404 -
\??\c:\bbnhnn.exec:\bbnhnn.exe27⤵
- Executes dropped EXE
PID:940 -
\??\c:\jddpd.exec:\jddpd.exe28⤵
- Executes dropped EXE
PID:752 -
\??\c:\fxfxllr.exec:\fxfxllr.exe29⤵
- Executes dropped EXE
PID:1504 -
\??\c:\rxrfrfx.exec:\rxrfrfx.exe30⤵
- Executes dropped EXE
PID:556 -
\??\c:\hbtntt.exec:\hbtntt.exe31⤵
- Executes dropped EXE
PID:1764 -
\??\c:\bthtth.exec:\bthtth.exe32⤵
- Executes dropped EXE
PID:2948 -
\??\c:\rrfrrff.exec:\rrfrrff.exe33⤵
- Executes dropped EXE
PID:1624 -
\??\c:\bbnnnb.exec:\bbnnnb.exe34⤵
- Executes dropped EXE
PID:1796 -
\??\c:\thbhbn.exec:\thbhbn.exe35⤵
- Executes dropped EXE
PID:2652 -
\??\c:\pdpjd.exec:\pdpjd.exe36⤵
- Executes dropped EXE
PID:2620 -
\??\c:\9pvdp.exec:\9pvdp.exe37⤵
- Executes dropped EXE
PID:2364 -
\??\c:\lllrlrx.exec:\lllrlrx.exe38⤵
- Executes dropped EXE
PID:2660 -
\??\c:\hthbnh.exec:\hthbnh.exe39⤵
- Executes dropped EXE
PID:2940 -
\??\c:\3vjdj.exec:\3vjdj.exe40⤵
- Executes dropped EXE
PID:2696 -
\??\c:\rxxfrrl.exec:\rxxfrrl.exe41⤵
- Executes dropped EXE
PID:2896 -
\??\c:\ntthbn.exec:\ntthbn.exe42⤵
- Executes dropped EXE
PID:2556 -
\??\c:\jjvjp.exec:\jjvjp.exe43⤵
- Executes dropped EXE
PID:300 -
\??\c:\lfxffrf.exec:\lfxffrf.exe44⤵
- Executes dropped EXE
PID:2680 -
\??\c:\7lrlxlx.exec:\7lrlxlx.exe45⤵
- Executes dropped EXE
PID:2016 -
\??\c:\nhbhtt.exec:\nhbhtt.exe46⤵
- Executes dropped EXE
PID:2772 -
\??\c:\pjdjv.exec:\pjdjv.exe47⤵
- Executes dropped EXE
PID:2904 -
\??\c:\9dppd.exec:\9dppd.exe48⤵
- Executes dropped EXE
PID:2880 -
\??\c:\xrlrllx.exec:\xrlrllx.exe49⤵
- Executes dropped EXE
PID:2484 -
\??\c:\hhbthn.exec:\hhbthn.exe50⤵
- Executes dropped EXE
PID:2036 -
\??\c:\bbbbbn.exec:\bbbbbn.exe51⤵
- Executes dropped EXE
PID:1688 -
\??\c:\jjdjv.exec:\jjdjv.exe52⤵
- Executes dropped EXE
PID:800 -
\??\c:\7flfrfx.exec:\7flfrfx.exe53⤵
- Executes dropped EXE
PID:392 -
\??\c:\lxfrxrl.exec:\lxfrxrl.exe54⤵
- Executes dropped EXE
PID:672 -
\??\c:\nhttht.exec:\nhttht.exe55⤵
- Executes dropped EXE
PID:1748 -
\??\c:\jjjvj.exec:\jjjvj.exe56⤵
- Executes dropped EXE
PID:316 -
\??\c:\9fxfxfr.exec:\9fxfxfr.exe57⤵
- Executes dropped EXE
PID:1760 -
\??\c:\ffxlxrr.exec:\ffxlxrr.exe58⤵
- Executes dropped EXE
PID:2608 -
\??\c:\hbhthb.exec:\hbhthb.exe59⤵
- Executes dropped EXE
PID:1156 -
\??\c:\7dpvd.exec:\7dpvd.exe60⤵
- Executes dropped EXE
PID:1284 -
\??\c:\jjvdj.exec:\jjvdj.exe61⤵
- Executes dropped EXE
PID:1244 -
\??\c:\llflxxf.exec:\llflxxf.exe62⤵
- Executes dropped EXE
PID:2068 -
\??\c:\5btthh.exec:\5btthh.exe63⤵
- Executes dropped EXE
PID:2052 -
\??\c:\nthtbt.exec:\nthtbt.exe64⤵
- Executes dropped EXE
PID:1092 -
\??\c:\djvvp.exec:\djvvp.exe65⤵
- Executes dropped EXE
PID:1588 -
\??\c:\rrlfrxl.exec:\rrlfrxl.exe66⤵PID:404
-
\??\c:\xrxlrfl.exec:\xrxlrfl.exe67⤵PID:692
-
\??\c:\bnthhn.exec:\bnthhn.exe68⤵PID:3064
-
\??\c:\dddpd.exec:\dddpd.exe69⤵PID:1596
-
\??\c:\1fxllfl.exec:\1fxllfl.exe70⤵PID:2448
-
\??\c:\xlxxlfl.exec:\xlxxlfl.exe71⤵PID:1800
-
\??\c:\htnntb.exec:\htnntb.exe72⤵PID:1616
-
\??\c:\hnbtbb.exec:\hnbtbb.exe73⤵PID:1676
-
\??\c:\pjdjv.exec:\pjdjv.exe74⤵PID:2700
-
\??\c:\jvvvj.exec:\jvvvj.exe75⤵PID:1684
-
\??\c:\frxlffl.exec:\frxlffl.exe76⤵PID:2804
-
\??\c:\tbtnnt.exec:\tbtnnt.exe77⤵PID:2280
-
\??\c:\bhhbbt.exec:\bhhbbt.exe78⤵PID:2668
-
\??\c:\djjvj.exec:\djjvj.exe79⤵PID:2644
-
\??\c:\7vjdv.exec:\7vjdv.exe80⤵PID:2628
-
\??\c:\djdpj.exec:\djdpj.exe81⤵PID:2812
-
\??\c:\rxfxxfr.exec:\rxfxxfr.exe82⤵PID:2684
-
\??\c:\xlfffxr.exec:\xlfffxr.exe83⤵PID:2528
-
\??\c:\bbthtt.exec:\bbthtt.exe84⤵PID:2624
-
\??\c:\bbbnbh.exec:\bbbnbh.exe85⤵PID:2564
-
\??\c:\bhhnnb.exec:\bhhnnb.exe86⤵PID:2680
-
\??\c:\1vpjd.exec:\1vpjd.exe87⤵PID:2844
-
\??\c:\vdddd.exec:\vdddd.exe88⤵PID:2920
-
\??\c:\llffrfl.exec:\llffrfl.exe89⤵PID:1224
-
\??\c:\xfxxxrl.exec:\xfxxxrl.exe90⤵PID:2908
-
\??\c:\rlrxxxr.exec:\rlrxxxr.exe91⤵PID:1600
-
\??\c:\bthntb.exec:\bthntb.exe92⤵PID:1776
-
\??\c:\hbbhnh.exec:\hbbhnh.exe93⤵PID:1048
-
\??\c:\nnthtt.exec:\nnthtt.exe94⤵PID:796
-
\??\c:\dvjdj.exec:\dvjdj.exe95⤵PID:756
-
\??\c:\pvvpj.exec:\pvvpj.exe96⤵PID:1672
-
\??\c:\dvjpv.exec:\dvjpv.exe97⤵PID:376
-
\??\c:\lfllrrf.exec:\lfllrrf.exe98⤵PID:1648
-
\??\c:\llxfrxl.exec:\llxfrxl.exe99⤵PID:2352
-
\??\c:\5nnbtt.exec:\5nnbtt.exe100⤵PID:2372
-
\??\c:\thtbth.exec:\thtbth.exe101⤵PID:2440
-
\??\c:\tbhhhb.exec:\tbhhhb.exe102⤵PID:1872
-
\??\c:\vvjjv.exec:\vvjjv.exe103⤵PID:2972
-
\??\c:\ppjjv.exec:\ppjjv.exe104⤵PID:1864
-
\??\c:\jjdjv.exec:\jjdjv.exe105⤵PID:1908
-
\??\c:\7xxfrrf.exec:\7xxfrrf.exe106⤵PID:1092
-
\??\c:\ffrfllx.exec:\ffrfllx.exe107⤵PID:2456
-
\??\c:\3bbnhh.exec:\3bbnhh.exe108⤵PID:404
-
\??\c:\bntbhb.exec:\bntbhb.exe109⤵PID:752
-
\??\c:\bhnhhb.exec:\bhnhhb.exe110⤵PID:3008
-
\??\c:\vvpdp.exec:\vvpdp.exe111⤵PID:2596
-
\??\c:\7lrrfrx.exec:\7lrrfrx.exe112⤵PID:892
-
\??\c:\3flxrff.exec:\3flxrff.exe113⤵PID:2264
-
\??\c:\tthtth.exec:\tthtth.exe114⤵PID:984
-
\??\c:\5tntnh.exec:\5tntnh.exe115⤵PID:2160
-
\??\c:\1bbnnb.exec:\1bbnnb.exe116⤵PID:1944
-
\??\c:\pjvjp.exec:\pjvjp.exe117⤵PID:2640
-
\??\c:\vvjjp.exec:\vvjjp.exe118⤵PID:2804
-
\??\c:\xlrlxrl.exec:\xlrlxrl.exe119⤵PID:2712
-
\??\c:\xxrxxxl.exec:\xxrxxxl.exe120⤵PID:2364
-
\??\c:\xxfrlfx.exec:\xxfrlfx.exe121⤵PID:2660
-
\??\c:\btnnbb.exec:\btnnbb.exe122⤵PID:2940