Analysis
-
max time kernel
150s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
arch:x64 arch:x86 image:win7-20240508-en locale:en-us os:windows7-x64 system -
submitted
06-06-2024 06:49
Static task
static1
2 signatures
Behavioral task
behavioral1
Sample
d5fbe2d81bc8180a37a82f9a1ea87bc68b248009ec499c6bedf67a34ba82dd37.exe
Resource
win7-20240508-en
5 signatures
150 seconds
General
-
Target
d5fbe2d81bc8180a37a82f9a1ea87bc68b248009ec499c6bedf67a34ba82dd37.exe
-
Size
190KB
-
MD5
5dcea04ec05f619f7925ed1f6d32d275
-
SHA1
c680eb7d639c6c491542a6e1a81179b9a405f690
-
SHA256
d5fbe2d81bc8180a37a82f9a1ea87bc68b248009ec499c6bedf67a34ba82dd37
-
SHA512
79c95e8512838b725c5c40db98d8e3221c590eb310a27f50ab0410834b1cc2a62e020fc020f3f02f0edd99e70eb9de4e6769d227ca599f871bd31545c64d9470
-
SSDEEP
3072:YhOmTsF93UYfwC6GIoutLmxHxae5yLpcgDE4JBuItR8pTsgnKbQFe3+d:Ycm4FmowdHoSLEaTBftapTsyFeOd
Malware Config
Signatures
-
Detect Blackmoon payload 36 IoCs
Processes:
resource yara_rule
behavioral1/memory/1608-1-0x0000000000400000-0x0000000000430000-memory.dmp family_blackmoon
behavioral1/memory/3032-19-0x0000000000400000-0x0000000000430000-memory.dmp family_blackmoon
behavioral1/memory/1896-16-0x0000000000400000-0x0000000000430000-memory.dmp family_blackmoon
behavioral1/memory/2724-29-0x0000000000400000-0x0000000000430000-memory.dmp family_blackmoon
behavioral1/memory/2688-38-0x0000000000400000-0x0000000000430000-memory.dmp family_blackmoon
behavioral1/memory/2708-54-0x0000000000400000-0x0000000000430000-memory.dmp family_blackmoon
behavioral1/memory/2580-75-0x0000000000400000-0x0000000000430000-memory.dmp family_blackmoon
behavioral1/memory/2472-72-0x0000000000400000-0x0000000000430000-memory.dmp family_blackmoon
behavioral1/memory/2464-84-0x0000000000400000-0x0000000000430000-memory.dmp family_blackmoon
behavioral1/memory/304-92-0x0000000000400000-0x0000000000430000-memory.dmp family_blackmoon
behavioral1/memory/2768-109-0x0000000000400000-0x0000000000430000-memory.dmp family_blackmoon
behavioral1/memory/352-121-0x0000000000400000-0x0000000000430000-memory.dmp family_blackmoon
behavioral1/memory/1572-138-0x0000000000400000-0x0000000000430000-memory.dmp family_blackmoon
behavioral1/memory/1616-147-0x0000000000400000-0x0000000000430000-memory.dmp family_blackmoon
behavioral1/memory/1408-150-0x0000000000400000-0x0000000000430000-memory.dmp family_blackmoon
behavioral1/memory/332-166-0x0000000000400000-0x0000000000430000-memory.dmp family_blackmoon
behavioral1/memory/2964-184-0x0000000000400000-0x0000000000430000-memory.dmp family_blackmoon
behavioral1/memory/2252-202-0x0000000000400000-0x0000000000430000-memory.dmp family_blackmoon
behavioral1/memory/2840-234-0x0000000000400000-0x0000000000430000-memory.dmp family_blackmoon
behavioral1/memory/328-237-0x0000000000400000-0x0000000000430000-memory.dmp family_blackmoon
behavioral1/memory/848-253-0x0000000000400000-0x0000000000430000-memory.dmp family_blackmoon
behavioral1/memory/1604-276-0x0000000000400000-0x0000000000430000-memory.dmp family_blackmoon
behavioral1/memory/2212-300-0x0000000000400000-0x0000000000430000-memory.dmp family_blackmoon
behavioral1/memory/2676-326-0x0000000000400000-0x0000000000430000-memory.dmp family_blackmoon
behavioral1/memory/2716-339-0x0000000000400000-0x0000000000430000-memory.dmp family_blackmoon
behavioral1/memory/2348-373-0x0000000000400000-0x0000000000430000-memory.dmp family_blackmoon
behavioral1/memory/2156-453-0x0000000000400000-0x0000000000430000-memory.dmp family_blackmoon
behavioral1/memory/2972-468-0x0000000000400000-0x0000000000430000-memory.dmp family_blackmoon
behavioral1/memory/2960-660-0x0000000000400000-0x0000000000430000-memory.dmp family_blackmoon
behavioral1/memory/1560-706-0x0000000000400000-0x0000000000430000-memory.dmp family_blackmoon
behavioral1/memory/332-733-0x0000000000400000-0x0000000000430000-memory.dmp family_blackmoon
behavioral1/memory/2356-851-0x0000000000400000-0x0000000000430000-memory.dmp family_blackmoon
behavioral1/memory/2816-909-0x0000000000400000-0x0000000000430000-memory.dmp family_blackmoon
behavioral1/memory/2168-1010-0x0000000000220000-0x0000000000250000-memory.dmp family_blackmoon
behavioral1/memory/2168-1011-0x0000000000220000-0x0000000000250000-memory.dmp family_blackmoon
behavioral1/memory/1272-1222-0x00000000001B0000-0x00000000001E0000-memory.dmp family_blackmoon
-
UPX dump on OEP (original entry point) 64 IoCs
Processes:
resource yara_rule behavioral1/memory/1608-1-0x0000000000400000-0x0000000000430000-memory.dmp UPX C:\rlflrrx.exe UPX behavioral1/memory/1896-8-0x0000000000400000-0x0000000000430000-memory.dmp UPX behavioral1/memory/3032-19-0x0000000000400000-0x0000000000430000-memory.dmp UPX \??\c:\hbnnth.exe UPX behavioral1/memory/1896-16-0x0000000000400000-0x0000000000430000-memory.dmp UPX C:\vpppv.exe UPX behavioral1/memory/2724-29-0x0000000000400000-0x0000000000430000-memory.dmp UPX behavioral1/memory/2688-38-0x0000000000400000-0x0000000000430000-memory.dmp UPX \??\c:\lffrfrl.exe UPX behavioral1/memory/2708-45-0x0000000000400000-0x0000000000430000-memory.dmp UPX C:\llxflrl.exe UPX behavioral1/memory/2596-55-0x0000000000400000-0x0000000000430000-memory.dmp UPX \??\c:\pvvvv.exe UPX behavioral1/memory/2708-54-0x0000000000400000-0x0000000000430000-memory.dmp UPX C:\fxrfxfr.exe UPX C:\bbtthn.exe UPX behavioral1/memory/2580-75-0x0000000000400000-0x0000000000430000-memory.dmp UPX behavioral1/memory/2472-72-0x0000000000400000-0x0000000000430000-memory.dmp UPX \??\c:\7jpdv.exe UPX behavioral1/memory/2464-84-0x0000000000400000-0x0000000000430000-memory.dmp UPX C:\xrffrrf.exe UPX behavioral1/memory/304-92-0x0000000000400000-0x0000000000430000-memory.dmp UPX C:\1nbnbh.exe UPX behavioral1/memory/2768-100-0x0000000000400000-0x0000000000430000-memory.dmp UPX C:\djvvp.exe UPX behavioral1/memory/1580-111-0x0000000000400000-0x0000000000430000-memory.dmp UPX behavioral1/memory/2768-109-0x0000000000400000-0x0000000000430000-memory.dmp UPX behavioral1/memory/352-121-0x0000000000400000-0x0000000000430000-memory.dmp UPX \??\c:\3rlfxxx.exe UPX C:\1frrffl.exe UPX behavioral1/memory/1572-129-0x0000000000400000-0x0000000000430000-memory.dmp UPX behavioral1/memory/1572-138-0x0000000000400000-0x0000000000430000-memory.dmp UPX C:\nhthnt.exe UPX \??\c:\fxxlxlf.exe UPX behavioral1/memory/1616-147-0x0000000000400000-0x0000000000430000-memory.dmp UPX 
behavioral1/memory/1408-150-0x0000000000400000-0x0000000000430000-memory.dmp UPX C:\xrfxffr.exe UPX behavioral1/memory/332-157-0x0000000000400000-0x0000000000430000-memory.dmp UPX C:\9ddpj.exe UPX behavioral1/memory/332-166-0x0000000000400000-0x0000000000430000-memory.dmp UPX C:\5vpvj.exe UPX C:\5frlrxf.exe UPX behavioral1/memory/2964-184-0x0000000000400000-0x0000000000430000-memory.dmp UPX C:\htnbtb.exe UPX C:\1vvdv.exe UPX behavioral1/memory/2252-202-0x0000000000400000-0x0000000000430000-memory.dmp UPX C:\3djvj.exe UPX \??\c:\lrlrflx.exe UPX C:\tbtttt.exe UPX C:\jdddp.exe UPX behavioral1/memory/2840-234-0x0000000000400000-0x0000000000430000-memory.dmp UPX behavioral1/memory/328-237-0x0000000000400000-0x0000000000430000-memory.dmp UPX C:\lxlrflr.exe UPX C:\bbnnbh.exe UPX behavioral1/memory/848-253-0x0000000000400000-0x0000000000430000-memory.dmp UPX C:\nhhhhh.exe UPX \??\c:\djdpp.exe UPX C:\5fxfffl.exe UPX behavioral1/memory/1604-276-0x0000000000400000-0x0000000000430000-memory.dmp UPX C:\bbthtt.exe UPX behavioral1/memory/2212-300-0x0000000000400000-0x0000000000430000-memory.dmp UPX behavioral1/memory/2676-319-0x0000000000400000-0x0000000000430000-memory.dmp UPX behavioral1/memory/2676-326-0x0000000000400000-0x0000000000430000-memory.dmp UPX -
Executes dropped EXE 64 IoCs
Processes:
rlflrrx.exe hbnnth.exe vpppv.exe lffrfrl.exe llxflrl.exe pvvvv.exe fxrfxfr.exe bbtthn.exe 7jpdv.exe xrffrrf.exe 1nbnbh.exe djvvp.exe 3rlfxxx.exe 1frrffl.exe nhthnt.exe fxxlxlf.exe xrfxffr.exe 9ddpj.exe 5vpvj.exe 5frlrxf.exe htnbtb.exe 1vvdv.exe 3djvj.exe lrlrflx.exe tbtttt.exe jdddp.exe lxlrflr.exe bbnnbh.exe nhhhhh.exe djdpp.exe 5fxfffl.exe bbthtt.exe ththth.exe dpvvv.exe lfxfrxl.exe lfxfrxf.exe nbhnhn.exe dvjvd.exe vpvpv.exe rlllrrf.exe xrlxfrf.exe nbbhbh.exe nhthnn.exe dvpjj.exe rffllxf.exe xrrlxxr.exe bthbnn.exe pjdjj.exe dpddj.exe rfllxxf.exe frlxffl.exe nhnntb.exe 1jvvd.exe 3dvdj.exe rfrxxxf.exe xxlrxxl.exe 9htbhn.exe 1nttbh.exe dvpvj.exe 1rxfllr.exe 7rlfrrx.exe thbhtn.exe pjvdp.exe pjddj.exe
pid process
1896 rlflrrx.exe
3032 hbnnth.exe
2724 vpppv.exe
2688 lffrfrl.exe
2708 llxflrl.exe
2596 pvvvv.exe
2472 fxrfxfr.exe
2580 bbtthn.exe
2464 7jpdv.exe
304 xrffrrf.exe
2768 1nbnbh.exe
1580 djvvp.exe
352 3rlfxxx.exe
1572 1frrffl.exe
1616 nhthnt.exe
1408 fxxlxlf.exe
332 xrfxffr.exe
2828 9ddpj.exe
2024 5vpvj.exe
2964 5frlrxf.exe
1404 htnbtb.exe
2252 1vvdv.exe
1196 3djvj.exe
1732 lrlrflx.exe
2840 tbtttt.exe
328 jdddp.exe
1860 lxlrflr.exe
848 bbnnbh.exe
1468 nhhhhh.exe
1604 djdpp.exe
3008 5fxfffl.exe
880 bbthtt.exe
2212 ththth.exe
3036 dpvvv.exe
1628 lfxfrxl.exe
2604 lfxfrxf.exe
2676 nbhnhn.exe
2728 dvjvd.exe
2600 vpvpv.exe
2716 rlllrrf.exe
2624 xrlxfrf.exe
2120 nbbhbh.exe
2492 nhthnn.exe
2952 dvpjj.exe
2348 rffllxf.exe
1228 xrrlxxr.exe
2448 bthbnn.exe
2776 pjdjj.exe
2764 dpddj.exe
348 rfllxxf.exe
1548 frlxffl.exe
1476 nhnntb.exe
2184 1jvvd.exe
2352 3dvdj.exe
1764 rfrxxxf.exe
1656 xxlrxxl.exe
264 9htbhn.exe
2156 1nttbh.exe
2988 dvpvj.exe
2972 1rxfllr.exe
588 7rlfrrx.exe
976 thbhtn.exe
2556 pjvdp.exe
1564 pjddj.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
d5fbe2d81bc8180a37a82f9a1ea87bc68b248009ec499c6bedf67a34ba82dd37.exerlflrrx.exehbnnth.exevpppv.exelffrfrl.exellxflrl.exepvvvv.exefxrfxfr.exebbtthn.exe7jpdv.exexrffrrf.exe1nbnbh.exedjvvp.exe3rlfxxx.exe1frrffl.exenhthnt.exedescription pid process target process PID 1608 wrote to memory of 1896 1608 d5fbe2d81bc8180a37a82f9a1ea87bc68b248009ec499c6bedf67a34ba82dd37.exe rlflrrx.exe PID 1608 wrote to memory of 1896 1608 d5fbe2d81bc8180a37a82f9a1ea87bc68b248009ec499c6bedf67a34ba82dd37.exe rlflrrx.exe PID 1608 wrote to memory of 1896 1608 d5fbe2d81bc8180a37a82f9a1ea87bc68b248009ec499c6bedf67a34ba82dd37.exe rlflrrx.exe PID 1608 wrote to memory of 1896 1608 d5fbe2d81bc8180a37a82f9a1ea87bc68b248009ec499c6bedf67a34ba82dd37.exe rlflrrx.exe PID 1896 wrote to memory of 3032 1896 rlflrrx.exe hbnnth.exe PID 1896 wrote to memory of 3032 1896 rlflrrx.exe hbnnth.exe PID 1896 wrote to memory of 3032 1896 rlflrrx.exe hbnnth.exe PID 1896 wrote to memory of 3032 1896 rlflrrx.exe hbnnth.exe PID 3032 wrote to memory of 2724 3032 hbnnth.exe vpppv.exe PID 3032 wrote to memory of 2724 3032 hbnnth.exe vpppv.exe PID 3032 wrote to memory of 2724 3032 hbnnth.exe vpppv.exe PID 3032 wrote to memory of 2724 3032 hbnnth.exe vpppv.exe PID 2724 wrote to memory of 2688 2724 vpppv.exe lffrfrl.exe PID 2724 wrote to memory of 2688 2724 vpppv.exe lffrfrl.exe PID 2724 wrote to memory of 2688 2724 vpppv.exe lffrfrl.exe PID 2724 wrote to memory of 2688 2724 vpppv.exe lffrfrl.exe PID 2688 wrote to memory of 2708 2688 lffrfrl.exe llxflrl.exe PID 2688 wrote to memory of 2708 2688 lffrfrl.exe llxflrl.exe PID 2688 wrote to memory of 2708 2688 lffrfrl.exe llxflrl.exe PID 2688 wrote to memory of 2708 2688 lffrfrl.exe llxflrl.exe PID 2708 wrote to memory of 2596 2708 llxflrl.exe pvvvv.exe PID 2708 wrote to memory of 2596 2708 llxflrl.exe pvvvv.exe PID 2708 wrote to memory of 2596 2708 llxflrl.exe pvvvv.exe PID 2708 wrote to memory of 2596 2708 llxflrl.exe pvvvv.exe PID 2596 wrote to memory of 2472 2596 pvvvv.exe 
fxrfxfr.exe PID 2596 wrote to memory of 2472 2596 pvvvv.exe fxrfxfr.exe PID 2596 wrote to memory of 2472 2596 pvvvv.exe fxrfxfr.exe PID 2596 wrote to memory of 2472 2596 pvvvv.exe fxrfxfr.exe PID 2472 wrote to memory of 2580 2472 fxrfxfr.exe bbtthn.exe PID 2472 wrote to memory of 2580 2472 fxrfxfr.exe bbtthn.exe PID 2472 wrote to memory of 2580 2472 fxrfxfr.exe bbtthn.exe PID 2472 wrote to memory of 2580 2472 fxrfxfr.exe bbtthn.exe PID 2580 wrote to memory of 2464 2580 bbtthn.exe 7jpdv.exe PID 2580 wrote to memory of 2464 2580 bbtthn.exe 7jpdv.exe PID 2580 wrote to memory of 2464 2580 bbtthn.exe 7jpdv.exe PID 2580 wrote to memory of 2464 2580 bbtthn.exe 7jpdv.exe PID 2464 wrote to memory of 304 2464 7jpdv.exe xrffrrf.exe PID 2464 wrote to memory of 304 2464 7jpdv.exe xrffrrf.exe PID 2464 wrote to memory of 304 2464 7jpdv.exe xrffrrf.exe PID 2464 wrote to memory of 304 2464 7jpdv.exe xrffrrf.exe PID 304 wrote to memory of 2768 304 xrffrrf.exe 1nbnbh.exe PID 304 wrote to memory of 2768 304 xrffrrf.exe 1nbnbh.exe PID 304 wrote to memory of 2768 304 xrffrrf.exe 1nbnbh.exe PID 304 wrote to memory of 2768 304 xrffrrf.exe 1nbnbh.exe PID 2768 wrote to memory of 1580 2768 1nbnbh.exe djvvp.exe PID 2768 wrote to memory of 1580 2768 1nbnbh.exe djvvp.exe PID 2768 wrote to memory of 1580 2768 1nbnbh.exe djvvp.exe PID 2768 wrote to memory of 1580 2768 1nbnbh.exe djvvp.exe PID 1580 wrote to memory of 352 1580 djvvp.exe 3rlfxxx.exe PID 1580 wrote to memory of 352 1580 djvvp.exe 3rlfxxx.exe PID 1580 wrote to memory of 352 1580 djvvp.exe 3rlfxxx.exe PID 1580 wrote to memory of 352 1580 djvvp.exe 3rlfxxx.exe PID 352 wrote to memory of 1572 352 3rlfxxx.exe 1frrffl.exe PID 352 wrote to memory of 1572 352 3rlfxxx.exe 1frrffl.exe PID 352 wrote to memory of 1572 352 3rlfxxx.exe 1frrffl.exe PID 352 wrote to memory of 1572 352 3rlfxxx.exe 1frrffl.exe PID 1572 wrote to memory of 1616 1572 1frrffl.exe nhthnt.exe PID 1572 wrote to memory of 1616 1572 1frrffl.exe nhthnt.exe PID 1572 wrote to 
memory of 1616 1572 1frrffl.exe nhthnt.exe PID 1572 wrote to memory of 1616 1572 1frrffl.exe nhthnt.exe PID 1616 wrote to memory of 1408 1616 nhthnt.exe fxxlxlf.exe PID 1616 wrote to memory of 1408 1616 nhthnt.exe fxxlxlf.exe PID 1616 wrote to memory of 1408 1616 nhthnt.exe fxxlxlf.exe PID 1616 wrote to memory of 1408 1616 nhthnt.exe fxxlxlf.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\d5fbe2d81bc8180a37a82f9a1ea87bc68b248009ec499c6bedf67a34ba82dd37.exe "C:\Users\Admin\AppData\Local\Temp\d5fbe2d81bc8180a37a82f9a1ea87bc68b248009ec499c6bedf67a34ba82dd37.exe" 1⤵
- Suspicious use of WriteProcessMemory
PID:1608 -
\??\c:\rlflrrx.exec:\rlflrrx.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1896 -
\??\c:\hbnnth.exec:\hbnnth.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3032 -
\??\c:\vpppv.exec:\vpppv.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2724 -
\??\c:\lffrfrl.exec:\lffrfrl.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2688 -
\??\c:\llxflrl.exec:\llxflrl.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2708 -
\??\c:\pvvvv.exec:\pvvvv.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2596 -
\??\c:\fxrfxfr.exec:\fxrfxfr.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2472 -
\??\c:\bbtthn.exec:\bbtthn.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2580 -
\??\c:\7jpdv.exec:\7jpdv.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2464 -
\??\c:\xrffrrf.exec:\xrffrrf.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:304 -
\??\c:\1nbnbh.exec:\1nbnbh.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2768 -
\??\c:\djvvp.exec:\djvvp.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1580 -
\??\c:\3rlfxxx.exec:\3rlfxxx.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:352 -
\??\c:\1frrffl.exec:\1frrffl.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1572 -
\??\c:\nhthnt.exec:\nhthnt.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1616 -
\??\c:\fxxlxlf.exec:\fxxlxlf.exe17⤵
- Executes dropped EXE
PID:1408 -
\??\c:\xrfxffr.exec:\xrfxffr.exe18⤵
- Executes dropped EXE
PID:332 -
\??\c:\9ddpj.exec:\9ddpj.exe19⤵
- Executes dropped EXE
PID:2828 -
\??\c:\5vpvj.exec:\5vpvj.exe20⤵
- Executes dropped EXE
PID:2024 -
\??\c:\5frlrxf.exec:\5frlrxf.exe21⤵
- Executes dropped EXE
PID:2964 -
\??\c:\htnbtb.exec:\htnbtb.exe22⤵
- Executes dropped EXE
PID:1404 -
\??\c:\1vvdv.exec:\1vvdv.exe23⤵
- Executes dropped EXE
PID:2252 -
\??\c:\3djvj.exec:\3djvj.exe24⤵
- Executes dropped EXE
PID:1196 -
\??\c:\lrlrflx.exec:\lrlrflx.exe25⤵
- Executes dropped EXE
PID:1732 -
\??\c:\tbtttt.exec:\tbtttt.exe26⤵
- Executes dropped EXE
PID:2840 -
\??\c:\jdddp.exec:\jdddp.exe27⤵
- Executes dropped EXE
PID:328 -
\??\c:\lxlrflr.exec:\lxlrflr.exe28⤵
- Executes dropped EXE
PID:1860 -
\??\c:\bbnnbh.exec:\bbnnbh.exe29⤵
- Executes dropped EXE
PID:848 -
\??\c:\nhhhhh.exec:\nhhhhh.exe30⤵
- Executes dropped EXE
PID:1468 -
\??\c:\djdpp.exec:\djdpp.exe31⤵
- Executes dropped EXE
PID:1604 -
\??\c:\5fxfffl.exec:\5fxfffl.exe32⤵
- Executes dropped EXE
PID:3008 -
\??\c:\bbthtt.exec:\bbthtt.exe33⤵
- Executes dropped EXE
PID:880 -
\??\c:\ththth.exec:\ththth.exe34⤵
- Executes dropped EXE
PID:2212 -
\??\c:\dpvvv.exec:\dpvvv.exe35⤵
- Executes dropped EXE
PID:3036 -
\??\c:\lfxfrxl.exec:\lfxfrxl.exe36⤵
- Executes dropped EXE
PID:1628 -
\??\c:\lfxfrxf.exec:\lfxfrxf.exe37⤵
- Executes dropped EXE
PID:2604 -
\??\c:\nbhnhn.exec:\nbhnhn.exe38⤵
- Executes dropped EXE
PID:2676 -
\??\c:\dvjvd.exec:\dvjvd.exe39⤵
- Executes dropped EXE
PID:2728 -
\??\c:\vpvpv.exec:\vpvpv.exe40⤵
- Executes dropped EXE
PID:2600 -
\??\c:\rlllrrf.exec:\rlllrrf.exe41⤵
- Executes dropped EXE
PID:2716 -
\??\c:\xrlxfrf.exec:\xrlxfrf.exe42⤵
- Executes dropped EXE
PID:2624 -
\??\c:\nbbhbh.exec:\nbbhbh.exe43⤵
- Executes dropped EXE
PID:2120 -
\??\c:\nhthnn.exec:\nhthnn.exe44⤵
- Executes dropped EXE
PID:2492 -
\??\c:\dvpjj.exec:\dvpjj.exe45⤵
- Executes dropped EXE
PID:2952 -
\??\c:\rffllxf.exec:\rffllxf.exe46⤵
- Executes dropped EXE
PID:2348 -
\??\c:\xrrlxxr.exec:\xrrlxxr.exe47⤵
- Executes dropped EXE
PID:1228 -
\??\c:\bthbnn.exec:\bthbnn.exe48⤵
- Executes dropped EXE
PID:2448 -
\??\c:\pjdjj.exec:\pjdjj.exe49⤵
- Executes dropped EXE
PID:2776 -
\??\c:\dpddj.exec:\dpddj.exe50⤵
- Executes dropped EXE
PID:2764 -
\??\c:\rfllxxf.exec:\rfllxxf.exe51⤵
- Executes dropped EXE
PID:348 -
\??\c:\frlxffl.exec:\frlxffl.exe52⤵
- Executes dropped EXE
PID:1548 -
\??\c:\nhnntb.exec:\nhnntb.exe53⤵
- Executes dropped EXE
PID:1476 -
\??\c:\1jvvd.exec:\1jvvd.exe54⤵
- Executes dropped EXE
PID:2184 -
\??\c:\3dvdj.exec:\3dvdj.exe55⤵
- Executes dropped EXE
PID:2352 -
\??\c:\rfrxxxf.exec:\rfrxxxf.exe56⤵
- Executes dropped EXE
PID:1764 -
\??\c:\xxlrxxl.exec:\xxlrxxl.exe57⤵
- Executes dropped EXE
PID:1656 -
\??\c:\9htbhn.exec:\9htbhn.exe58⤵
- Executes dropped EXE
PID:264 -
\??\c:\1nttbh.exec:\1nttbh.exe59⤵
- Executes dropped EXE
PID:2156 -
\??\c:\dvpvj.exec:\dvpvj.exe60⤵
- Executes dropped EXE
PID:2988 -
\??\c:\1rxfllr.exec:\1rxfllr.exe61⤵
- Executes dropped EXE
PID:2972 -
\??\c:\7rlfrrx.exec:\7rlfrrx.exe62⤵
- Executes dropped EXE
PID:588 -
\??\c:\thbhtn.exec:\thbhtn.exe63⤵
- Executes dropped EXE
PID:976 -
\??\c:\pjvdp.exec:\pjvdp.exe64⤵
- Executes dropped EXE
PID:2556 -
\??\c:\pjddj.exec:\pjddj.exe65⤵
- Executes dropped EXE
PID:1564 -
\??\c:\5xlxflr.exec:\5xlxflr.exe66⤵PID:2084
-
\??\c:\fxrxflr.exec:\fxrxflr.exe67⤵PID:1740
-
\??\c:\hbhhnt.exec:\hbhhnt.exe68⤵PID:576
-
\??\c:\7pjjv.exec:\7pjjv.exe69⤵PID:2840
-
\??\c:\vppdj.exec:\vppdj.exe70⤵PID:324
-
\??\c:\7frrffl.exec:\7frrffl.exe71⤵PID:1016
-
\??\c:\1xllrxf.exec:\1xllrxf.exe72⤵PID:600
-
\??\c:\nbbtnt.exec:\nbbtnt.exe73⤵PID:1864
-
\??\c:\hhbnnt.exec:\hhbnnt.exe74⤵PID:1468
-
\??\c:\pdpdp.exec:\pdpdp.exe75⤵PID:2908
-
\??\c:\rffxxlr.exec:\rffxxlr.exe76⤵PID:2068
-
\??\c:\xrlrrlr.exec:\xrlrrlr.exe77⤵PID:2436
-
\??\c:\nnntbh.exec:\nnntbh.exe78⤵PID:1648
-
\??\c:\nhbbnh.exec:\nhbbnh.exe79⤵PID:1964
-
\??\c:\dpdjp.exec:\dpdjp.exe80⤵PID:1936
-
\??\c:\lxrrxxl.exec:\lxrrxxl.exe81⤵PID:1628
-
\??\c:\xfrrxrr.exec:\xfrrxrr.exe82⤵PID:2672
-
\??\c:\hhbbhh.exec:\hhbbhh.exe83⤵PID:2664
-
\??\c:\vjvvv.exec:\vjvvv.exe84⤵PID:2724
-
\??\c:\jvjjd.exec:\jvjjd.exe85⤵PID:2652
-
\??\c:\xrflrxr.exec:\xrflrxr.exe86⤵PID:2716
-
\??\c:\lfxffll.exec:\lfxffll.exe87⤵PID:2740
-
\??\c:\hbhntb.exec:\hbhntb.exe88⤵PID:2120
-
\??\c:\tbbtbb.exec:\tbbtbb.exe89⤵PID:2944
-
\??\c:\1pdjj.exec:\1pdjj.exe90⤵PID:2660
-
\??\c:\5lflxxl.exec:\5lflxxl.exe91⤵PID:1272
-
\??\c:\rfllrrr.exec:\rfllrrr.exe92⤵PID:2960
-
\??\c:\tnnhbh.exec:\tnnhbh.exe93⤵PID:2800
-
\??\c:\dpjdd.exec:\dpjdd.exe94⤵PID:1784
-
\??\c:\3jvvd.exec:\3jvvd.exe95⤵PID:1580
-
\??\c:\llffrxf.exec:\llffrxf.exe96⤵PID:1544
-
\??\c:\tnnbnn.exec:\tnnbnn.exe97⤵PID:748
-
\??\c:\3nhtnn.exec:\3nhtnn.exe98⤵PID:1476
-
\??\c:\pdvdj.exec:\pdvdj.exe99⤵PID:1560
-
\??\c:\vpjjp.exec:\vpjjp.exe100⤵PID:2200
-
\??\c:\xrlrffx.exec:\xrlrffx.exe101⤵PID:1764
-
\??\c:\nnhhtb.exec:\nnhhtb.exe102⤵PID:332
-
\??\c:\nhhnhh.exec:\nhhnhh.exe103⤵PID:1592
-
\??\c:\dvvpd.exec:\dvvpd.exe104⤵PID:2820
-
\??\c:\jjjdd.exec:\jjjdd.exe105⤵PID:2792
-
\??\c:\lxllrrx.exec:\lxllrrx.exe106⤵PID:2260
-
\??\c:\tnnbtt.exec:\tnnbtt.exe107⤵PID:2836
-
\??\c:\3hnntn.exec:\3hnntn.exe108⤵PID:2500
-
\??\c:\dvjpv.exec:\dvjpv.exe109⤵PID:2272
-
\??\c:\dvppd.exec:\dvppd.exe110⤵PID:772
-
\??\c:\lfxxffr.exec:\lfxxffr.exe111⤵PID:2416
-
\??\c:\7tnthn.exec:\7tnthn.exe112⤵PID:1296
-
\??\c:\bbtthh.exec:\bbtthh.exe113⤵PID:944
-
\??\c:\3pddj.exec:\3pddj.exe114⤵PID:884
-
\??\c:\7dpjv.exec:\7dpjv.exe115⤵PID:2112
-
\??\c:\3llrxfl.exec:\3llrxfl.exe116⤵PID:3016
-
\??\c:\htbbhn.exec:\htbbhn.exe117⤵PID:1472
-
\??\c:\btbhtt.exec:\btbhtt.exe118⤵PID:2928
-
\??\c:\pdpvp.exec:\pdpvp.exe119⤵PID:396
-
\??\c:\ppdjp.exec:\ppdjp.exe120⤵PID:2356
-
\??\c:\xlrrflr.exec:\xlrrflr.exe121⤵PID:1852
-
\??\c:\7fflrrx.exec:\7fflrrx.exe122⤵PID:1524
-