Analysis
-
max time kernel
150s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
arch:x64 arch:x86 image:win7-20240508-en locale:en-us os:windows7-x64 system -
submitted
21-06-2024 03:10
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
c28162411f8eea3c0cdf6d4839412305525bd926232b4f1317f11e1379109739.exe
Resource
win7-20240508-en
6 signatures
150 seconds
General
-
Target
c28162411f8eea3c0cdf6d4839412305525bd926232b4f1317f11e1379109739.exe
-
Size
394KB
-
MD5
b6fabc596ea06ba33fa135ec85cbd66e
-
SHA1
64b66f663545457c966b642a66f34d3578d83ae4
-
SHA256
c28162411f8eea3c0cdf6d4839412305525bd926232b4f1317f11e1379109739
-
SHA512
5c18c60179711b1d3cf695b55249999349f26b103ebdb177c2940cd643dceebe45d38dc7092ef6528c3eebbf8c018bc46b8f2d9a6a669f043386b7a461bcc214
-
SSDEEP
6144:n3C9BRIG0asYFm71mPfkVB8dKwaO5CVwOlf:n3C9uYA7okVqdKwaO5CVf
Malware Config
Signatures
-
Detect Blackmoon payload 21 IoCs
UPX dump on OEP (original entry point) 26 IoCs
Executes dropped EXE 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\c28162411f8eea3c0cdf6d4839412305525bd926232b4f1317f11e1379109739.exe"C:\Users\Admin\AppData\Local\Temp\c28162411f8eea3c0cdf6d4839412305525bd926232b4f1317f11e1379109739.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1740 -
\??\c:\jjvdj.exec:\jjvdj.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1968 -
\??\c:\bbhhtt.exec:\bbhhtt.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2088 -
\??\c:\jdpvd.exec:\jdpvd.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3028 -
\??\c:\xrlxxxl.exec:\xrlxxxl.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2756 -
\??\c:\9lxxflr.exec:\9lxxflr.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2508 -
\??\c:\bthhtt.exec:\bthhtt.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2604 -
\??\c:\7dvdj.exec:\7dvdj.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2676 -
\??\c:\rlffrxl.exec:\rlffrxl.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2516 -
\??\c:\tnbhtb.exec:\tnbhtb.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2936 -
\??\c:\pdpvj.exec:\pdpvj.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1808 -
\??\c:\tnntnt.exec:\tnntnt.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1372 -
\??\c:\5jjpd.exec:\5jjpd.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2728 -
\??\c:\9lrlrxf.exec:\9lrlrxf.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2920 -
\??\c:\5btbht.exec:\5btbht.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1900 -
\??\c:\flrrxrx.exec:\flrrxrx.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2160 -
\??\c:\nhhhbb.exec:\nhhhbb.exe17⤵
- Executes dropped EXE
PID:1944 -
\??\c:\1pjpp.exec:\1pjpp.exe18⤵
- Executes dropped EXE
PID:1888 -
\??\c:\bnbbtn.exec:\bnbbtn.exe19⤵
- Executes dropped EXE
PID:1100 -
\??\c:\9pjjp.exec:\9pjjp.exe20⤵
- Executes dropped EXE
PID:2432 -
\??\c:\lxffxxx.exec:\lxffxxx.exe21⤵
- Executes dropped EXE
PID:2952 -
\??\c:\bnbbhb.exec:\bnbbhb.exe22⤵
- Executes dropped EXE
PID:2304 -
\??\c:\3vpvj.exec:\3vpvj.exe23⤵
- Executes dropped EXE
PID:2268 -
\??\c:\nhbntb.exec:\nhbntb.exe24⤵
- Executes dropped EXE
PID:2864 -
\??\c:\5htnnt.exec:\5htnnt.exe25⤵
- Executes dropped EXE
PID:2464 -
\??\c:\fxffrfx.exec:\fxffrfx.exe26⤵
- Executes dropped EXE
PID:1548 -
\??\c:\htbntt.exec:\htbntt.exe27⤵
- Executes dropped EXE
PID:372 -
\??\c:\vjvdd.exec:\vjvdd.exe28⤵
- Executes dropped EXE
PID:832 -
\??\c:\frllxxf.exec:\frllxxf.exe29⤵
- Executes dropped EXE
PID:756 -
\??\c:\ppdpd.exec:\ppdpd.exe30⤵
- Executes dropped EXE
PID:2280 -
\??\c:\xxxxffr.exec:\xxxxffr.exe31⤵
- Executes dropped EXE
PID:580 -
\??\c:\ddvjv.exec:\ddvjv.exe32⤵
- Executes dropped EXE
PID:2416 -
\??\c:\fxlrllx.exec:\fxlrllx.exe33⤵
- Executes dropped EXE
PID:2056 -
\??\c:\3tnnbb.exec:\3tnnbb.exe34⤵
- Executes dropped EXE
PID:1580 -
\??\c:\pjvjp.exec:\pjvjp.exe35⤵
- Executes dropped EXE
PID:2956 -
\??\c:\7xrrxxf.exec:\7xrrxxf.exe36⤵
- Executes dropped EXE
PID:2836 -
\??\c:\lxllxxl.exec:\lxllxxl.exe37⤵
- Executes dropped EXE
PID:2088 -
\??\c:\1bhhnt.exec:\1bhhnt.exe38⤵
- Executes dropped EXE
PID:2760 -
\??\c:\dpjdd.exec:\dpjdd.exe39⤵
- Executes dropped EXE
PID:2652 -
\??\c:\3xxxlrx.exec:\3xxxlrx.exe40⤵
- Executes dropped EXE
PID:2620 -
\??\c:\bnbbbb.exec:\bnbbbb.exe41⤵
- Executes dropped EXE
PID:2528 -
\??\c:\ddppj.exec:\ddppj.exe42⤵
- Executes dropped EXE
PID:2784 -
\??\c:\7djpd.exec:\7djpd.exe43⤵
- Executes dropped EXE
PID:2668 -
\??\c:\xrxxxxr.exec:\xrxxxxr.exe44⤵
- Executes dropped EXE
PID:2564 -
\??\c:\5tthnh.exec:\5tthnh.exe45⤵
- Executes dropped EXE
PID:1644 -
\??\c:\1dpjj.exec:\1dpjj.exe46⤵
- Executes dropped EXE
PID:2548 -
\??\c:\vpjpd.exec:\vpjpd.exe47⤵
- Executes dropped EXE
PID:1752 -
\??\c:\xrllxxl.exec:\xrllxxl.exe48⤵
- Executes dropped EXE
PID:1808 -
\??\c:\hbhhtt.exec:\hbhhtt.exe49⤵
- Executes dropped EXE
PID:2712 -
\??\c:\5vvvd.exec:\5vvvd.exe50⤵
- Executes dropped EXE
PID:2832 -
\??\c:\djjvj.exec:\djjvj.exe51⤵
- Executes dropped EXE
PID:1416 -
\??\c:\lxrrxfl.exec:\lxrrxfl.exe52⤵
- Executes dropped EXE
PID:1584 -
\??\c:\tnbbhb.exec:\tnbbhb.exe53⤵
- Executes dropped EXE
PID:1628 -
\??\c:\vpddj.exec:\vpddj.exe54⤵
- Executes dropped EXE
PID:2224 -
\??\c:\xxrxlfr.exec:\xxrxlfr.exe55⤵
- Executes dropped EXE
PID:2060 -
\??\c:\1lrrlfx.exec:\1lrrlfx.exe56⤵
- Executes dropped EXE
PID:1564 -
\??\c:\7hhntb.exec:\7hhntb.exe57⤵
- Executes dropped EXE
PID:1168 -
\??\c:\pdppv.exec:\pdppv.exe58⤵
- Executes dropped EXE
PID:1280 -
\??\c:\rfrflrf.exec:\rfrflrf.exe59⤵
- Executes dropped EXE
PID:860 -
\??\c:\rfrlrlr.exec:\rfrlrlr.exe60⤵
- Executes dropped EXE
PID:2092 -
\??\c:\7thhnn.exec:\7thhnn.exe61⤵
- Executes dropped EXE
PID:2288 -
\??\c:\1pdvv.exec:\1pdvv.exe62⤵
- Executes dropped EXE
PID:2380 -
\??\c:\djddv.exec:\djddv.exe63⤵
- Executes dropped EXE
PID:2268 -
\??\c:\lfxllxx.exec:\lfxllxx.exe64⤵
- Executes dropped EXE
PID:2692 -
\??\c:\7httnt.exec:\7httnt.exe65⤵
- Executes dropped EXE
PID:1672 -
\??\c:\hhttbb.exec:\hhttbb.exe66⤵PID:1812
-
\??\c:\dvddj.exec:\dvddj.exe67⤵PID:768
-
\??\c:\xfllllr.exec:\xfllllr.exe68⤵PID:2008
-
\??\c:\rlxxllx.exec:\rlxxllx.exe69⤵PID:2308
-
\??\c:\nhbnbh.exec:\nhbnbh.exe70⤵PID:1876
-
\??\c:\djdjp.exec:\djdjp.exe71⤵PID:2376
-
\??\c:\lfrlrlr.exec:\lfrlrlr.exe72⤵PID:2040
-
\??\c:\rrflxxl.exec:\rrflxxl.exe73⤵PID:880
-
\??\c:\nnbhhn.exec:\nnbhhn.exe74⤵PID:2012
-
\??\c:\dpddd.exec:\dpddd.exe75⤵PID:1740
-
\??\c:\ppddj.exec:\ppddj.exe76⤵PID:1984
-
\??\c:\lxlrrlr.exec:\lxlrrlr.exe77⤵PID:2924
-
\??\c:\nhtbnn.exec:\nhtbnn.exe78⤵PID:2840
-
\??\c:\djvjj.exec:\djvjj.exe79⤵PID:3028
-
\??\c:\pjjjp.exec:\pjjjp.exe80⤵PID:3068
-
\??\c:\frlrxfr.exec:\frlrxfr.exe81⤵PID:2756
-
\??\c:\btnthn.exec:\btnthn.exe82⤵PID:2752
-
\??\c:\7thttb.exec:\7thttb.exe83⤵PID:2696
-
\??\c:\vvpjp.exec:\vvpjp.exe84⤵PID:2640
-
\??\c:\5fxfrxl.exec:\5fxfrxl.exe85⤵PID:2580
-
\??\c:\7flllrx.exec:\7flllrx.exe86⤵PID:2576
-
\??\c:\1httbh.exec:\1httbh.exe87⤵PID:2552
-
\??\c:\pjjdp.exec:\pjjdp.exe88⤵PID:1376
-
\??\c:\ppppp.exec:\ppppp.exe89⤵PID:2572
-
\??\c:\7rlrrxf.exec:\7rlrrxf.exe90⤵PID:2488
-
\??\c:\nhthnt.exec:\nhthnt.exe91⤵PID:316
-
\??\c:\hhtnnn.exec:\hhtnnn.exe92⤵PID:1736
-
\??\c:\5dddp.exec:\5dddp.exe93⤵PID:1792
-
\??\c:\lllllfr.exec:\lllllfr.exe94⤵PID:1064
-
\??\c:\rlrflrx.exec:\rlrflrx.exe95⤵PID:684
-
\??\c:\5bthnb.exec:\5bthnb.exe96⤵PID:2160
-
\??\c:\pjvpv.exec:\pjvpv.exe97⤵PID:1888
-
\??\c:\1vddj.exec:\1vddj.exe98⤵PID:2392
-
\??\c:\xrlxfxl.exec:\xrlxfxl.exe99⤵PID:1356
-
\??\c:\1flrfll.exec:\1flrfll.exe100⤵PID:656
-
\??\c:\ttnttb.exec:\ttnttb.exe101⤵PID:1212
-
\??\c:\nnnttt.exec:\nnnttt.exe102⤵PID:2284
-
\??\c:\dvvdp.exec:\dvvdp.exe103⤵PID:2336
-
\??\c:\9xllrxf.exec:\9xllrxf.exe104⤵PID:1992
-
\??\c:\xlfxflr.exec:\xlfxflr.exe105⤵PID:824
-
\??\c:\9btttb.exec:\9btttb.exe106⤵PID:548
-
\??\c:\dvpdp.exec:\dvpdp.exe107⤵PID:348
-
\??\c:\1dvvv.exec:\1dvvv.exe108⤵PID:2984
-
\??\c:\5xfxfrf.exec:\5xfxfrf.exe109⤵PID:2356
-
\??\c:\bnbbnt.exec:\bnbbnt.exe110⤵PID:712
-
\??\c:\tnhntt.exec:\tnhntt.exe111⤵PID:2988
-
\??\c:\pjddj.exec:\pjddj.exe112⤵PID:2112
-
\??\c:\vpvdj.exec:\vpvdj.exe113⤵PID:2404
-
\??\c:\lfrrxfl.exec:\lfrrxfl.exe114⤵PID:2044
-
\??\c:\tbtttt.exec:\tbtttt.exe115⤵PID:1604
-
\??\c:\hbbbnn.exec:\hbbbnn.exe116⤵PID:1600
-
\??\c:\jdvjv.exec:\jdvjv.exe117⤵PID:1724
-
\??\c:\rllxxfx.exec:\rllxxfx.exe118⤵PID:1580
-
\??\c:\lxrxllx.exec:\lxrxllx.exe119⤵PID:3000
-
\??\c:\tnbhtb.exec:\tnbhtb.exe120⤵PID:2836
-
\??\c:\vpjdv.exec:\vpjdv.exe121⤵PID:2860
-
\??\c:\dvpjp.exec:\dvpjp.exe122⤵PID:2652
-