Analysis
-
max time kernel
150s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240215-en -
resource tags
arch:x64 arch:x86 image:win7-20240215-en locale:en-us os:windows7-x64 system -
submitted
18/05/2024, 01:32
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
a70e244ea9703caeb621ddef77109359c9cbdec303b1c42e7b33d9d7db056ba1.exe
Resource
win7-20240215-en
6 signatures
150 seconds
General
-
Target
a70e244ea9703caeb621ddef77109359c9cbdec303b1c42e7b33d9d7db056ba1.exe
-
Size
77KB
-
MD5
799c046913d5cbd2ac311204e9aa689f
-
SHA1
c633407f3d6cc12838e30aaedd10e469f25a1c4d
-
SHA256
a70e244ea9703caeb621ddef77109359c9cbdec303b1c42e7b33d9d7db056ba1
-
SHA512
e63a0cb629a7fc0555c7cd8bd41fea821019276e7ab4584ff4a995cb5795677e7108833af09cfe8e8a7119722c26681fb08a6c1e89b112910742307812ddd7b4
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDo73tgygQwKjiawEmBgU:ymb3NkkiQ3mdBjFo73thgQ/wEkt
Malware Config
Signatures
-
Detect Blackmoon payload 24 IoCs
UPX dump on OEP (original entry point) 26 IoCs
Executes dropped EXE 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\a70e244ea9703caeb621ddef77109359c9cbdec303b1c42e7b33d9d7db056ba1.exe"C:\Users\Admin\AppData\Local\Temp\a70e244ea9703caeb621ddef77109359c9cbdec303b1c42e7b33d9d7db056ba1.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1256 -
\??\c:\dvjpd.exec:\dvjpd.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2132 -
\??\c:\lrrfxxx.exec:\lrrfxxx.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2124 -
\??\c:\lxfxxxf.exec:\lxfxxxf.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2632 -
\??\c:\hthnnt.exec:\hthnnt.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2580 -
\??\c:\rxlllfr.exec:\rxlllfr.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2624 -
\??\c:\bntbbb.exec:\bntbbb.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2724 -
\??\c:\htbbbt.exec:\htbbbt.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2456 -
\??\c:\vjdpd.exec:\vjdpd.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2980 -
\??\c:\rlxflrf.exec:\rlxflrf.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2320 -
\??\c:\xrllxxf.exec:\xrllxxf.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2796 -
\??\c:\hhbhtt.exec:\hhbhtt.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2964 -
\??\c:\tthhtn.exec:\tthhtn.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1896 -
\??\c:\dvjpd.exec:\dvjpd.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1628 -
\??\c:\jvddj.exec:\jvddj.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2416 -
\??\c:\fxrxrxf.exec:\fxrxrxf.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1856 -
\??\c:\bthntb.exec:\bthntb.exe17⤵
- Executes dropped EXE
PID:320 -
\??\c:\pjpvj.exec:\pjpvj.exe18⤵
- Executes dropped EXE
PID:2776 -
\??\c:\9vjdj.exec:\9vjdj.exe19⤵
- Executes dropped EXE
PID:1556 -
\??\c:\llxxllr.exec:\llxxllr.exe20⤵
- Executes dropped EXE
PID:2116 -
\??\c:\xlxfrrl.exec:\xlxfrrl.exe21⤵
- Executes dropped EXE
PID:2260 -
\??\c:\7btbnb.exec:\7btbnb.exe22⤵
- Executes dropped EXE
PID:1228 -
\??\c:\hthbht.exec:\hthbht.exe23⤵
- Executes dropped EXE
PID:2044 -
\??\c:\dppdj.exec:\dppdj.exe24⤵
- Executes dropped EXE
PID:956 -
\??\c:\lfxlxrf.exec:\lfxlxrf.exe25⤵
- Executes dropped EXE
PID:2180 -
\??\c:\bnbbhh.exec:\bnbbhh.exe26⤵
- Executes dropped EXE
PID:876 -
\??\c:\jddjv.exec:\jddjv.exe27⤵
- Executes dropped EXE
PID:1364 -
\??\c:\ffxfxlf.exec:\ffxfxlf.exe28⤵
- Executes dropped EXE
PID:1716 -
\??\c:\nnnhtb.exec:\nnnhtb.exe29⤵
- Executes dropped EXE
PID:944 -
\??\c:\vvvpd.exec:\vvvpd.exe30⤵
- Executes dropped EXE
PID:1796 -
\??\c:\jdvdd.exec:\jdvdd.exe31⤵
- Executes dropped EXE
PID:2520 -
\??\c:\7lflfrl.exec:\7lflfrl.exe32⤵
- Executes dropped EXE
PID:2084 -
\??\c:\nbhhbh.exec:\nbhhbh.exe33⤵
- Executes dropped EXE
PID:776 -
\??\c:\nbnbhh.exec:\nbnbhh.exe34⤵
- Executes dropped EXE
PID:2148 -
\??\c:\7vjjj.exec:\7vjjj.exe35⤵
- Executes dropped EXE
PID:2036 -
\??\c:\frxfrxf.exec:\frxfrxf.exe36⤵
- Executes dropped EXE
PID:2544 -
\??\c:\lfflrrf.exec:\lfflrrf.exe37⤵
- Executes dropped EXE
PID:2256 -
\??\c:\btbhnt.exec:\btbhnt.exe38⤵
- Executes dropped EXE
PID:2652 -
\??\c:\nhntnn.exec:\nhntnn.exe39⤵
- Executes dropped EXE
PID:2448 -
\??\c:\pvpvj.exec:\pvpvj.exe40⤵
- Executes dropped EXE
PID:2636 -
\??\c:\pjvpv.exec:\pjvpv.exe41⤵
- Executes dropped EXE
PID:2468 -
\??\c:\fxlrrxl.exec:\fxlrrxl.exe42⤵
- Executes dropped EXE
PID:2608 -
\??\c:\xrflrxf.exec:\xrflrxf.exe43⤵
- Executes dropped EXE
PID:2404 -
\??\c:\nttttn.exec:\nttttn.exe44⤵
- Executes dropped EXE
PID:2724 -
\??\c:\jvppv.exec:\jvppv.exe45⤵
- Executes dropped EXE
PID:2460 -
\??\c:\vpjdd.exec:\vpjdd.exe46⤵
- Executes dropped EXE
PID:3068 -
\??\c:\xlrlrfl.exec:\xlrlrfl.exe47⤵
- Executes dropped EXE
PID:1268 -
\??\c:\btnnht.exec:\btnnht.exe48⤵
- Executes dropped EXE
PID:2836 -
\??\c:\tbbtbb.exec:\tbbtbb.exe49⤵
- Executes dropped EXE
PID:2844 -
\??\c:\dvdjv.exec:\dvdjv.exe50⤵
- Executes dropped EXE
PID:2964 -
\??\c:\xlxrxxf.exec:\xlxrxxf.exe51⤵
- Executes dropped EXE
PID:1896 -
\??\c:\1nhhhh.exec:\1nhhhh.exe52⤵
- Executes dropped EXE
PID:1628 -
\??\c:\tnbbhh.exec:\tnbbhh.exe53⤵
- Executes dropped EXE
PID:2720 -
\??\c:\pdjdp.exec:\pdjdp.exe54⤵
- Executes dropped EXE
PID:2788 -
\??\c:\7vpvp.exec:\7vpvp.exe55⤵
- Executes dropped EXE
PID:2540 -
\??\c:\rlrrxxl.exec:\rlrrxxl.exe56⤵
- Executes dropped EXE
PID:1528 -
\??\c:\rlrfffl.exec:\rlrfffl.exe57⤵
- Executes dropped EXE
PID:1448 -
\??\c:\hhbtbb.exec:\hhbtbb.exe58⤵
- Executes dropped EXE
PID:1556 -
\??\c:\hnbntn.exec:\hnbntn.exe59⤵
- Executes dropped EXE
PID:2236 -
\??\c:\jdpdp.exec:\jdpdp.exe60⤵
- Executes dropped EXE
PID:560 -
\??\c:\vjvvp.exec:\vjvvp.exe61⤵
- Executes dropped EXE
PID:2424 -
\??\c:\fxrrxlx.exec:\fxrrxlx.exe62⤵
- Executes dropped EXE
PID:596 -
\??\c:\lfrxrrx.exec:\lfrxrrx.exe63⤵
- Executes dropped EXE
PID:1500 -
\??\c:\thnnnh.exec:\thnnnh.exe64⤵
- Executes dropped EXE
PID:956 -
\??\c:\jdddp.exec:\jdddp.exe65⤵
- Executes dropped EXE
PID:3020 -
\??\c:\5jvjj.exec:\5jvjj.exe66⤵PID:1008
-
\??\c:\rlllrxf.exec:\rlllrxf.exe67⤵PID:292
-
\??\c:\ffrxffl.exec:\ffrxffl.exe68⤵PID:1364
-
\??\c:\9bnttt.exec:\9bnttt.exe69⤵PID:1716
-
\??\c:\hbtbht.exec:\hbtbht.exe70⤵PID:1296
-
\??\c:\9jddj.exec:\9jddj.exe71⤵PID:1668
-
\??\c:\3vdjj.exec:\3vdjj.exe72⤵PID:404
-
\??\c:\fxllllr.exec:\fxllllr.exe73⤵PID:1512
-
\??\c:\3lxfflr.exec:\3lxfflr.exe74⤵PID:2348
-
\??\c:\bbnthh.exec:\bbnthh.exe75⤵PID:1712
-
\??\c:\pjvpp.exec:\pjvpp.exe76⤵PID:1804
-
\??\c:\jjpjv.exec:\jjpjv.exe77⤵PID:1272
-
\??\c:\fflfrfr.exec:\fflfrfr.exe78⤵PID:1608
-
\??\c:\lfffffl.exec:\lfffffl.exe79⤵PID:2248
-
\??\c:\nbntnn.exec:\nbntnn.exe80⤵PID:2568
-
\??\c:\bttthn.exec:\bttthn.exe81⤵PID:2744
-
\??\c:\9jvdv.exec:\9jvdv.exe82⤵PID:2736
-
\??\c:\vdvpd.exec:\vdvpd.exe83⤵PID:2556
-
\??\c:\rlxxlrf.exec:\rlxxlrf.exe84⤵PID:2624
-
\??\c:\rlfrflf.exec:\rlfrflf.exe85⤵PID:2676
-
\??\c:\bbhnbn.exec:\bbhnbn.exe86⤵PID:2436
-
\??\c:\9nnbnt.exec:\9nnbnt.exe87⤵PID:2560
-
\??\c:\vjddd.exec:\vjddd.exe88⤵PID:2792
-
\??\c:\pjddp.exec:\pjddp.exe89⤵PID:1988
-
\??\c:\5fxrxrx.exec:\5fxrxrx.exe90⤵PID:2940
-
\??\c:\lxrxlxl.exec:\lxrxlxl.exe91⤵PID:2428
-
\??\c:\thbttt.exec:\thbttt.exe92⤵PID:1788
-
\??\c:\9nnnbb.exec:\9nnnbb.exe93⤵PID:1708
-
\??\c:\3vpjv.exec:\3vpjv.exe94⤵PID:1684
-
\??\c:\pdpjj.exec:\pdpjj.exe95⤵PID:2160
-
\??\c:\pvjjj.exec:\pvjjj.exe96⤵PID:2684
-
\??\c:\5xlrxfx.exec:\5xlrxfx.exe97⤵PID:1664
-
\??\c:\frfllrf.exec:\frfllrf.exe98⤵PID:2776
-
\??\c:\1hthbh.exec:\1hthbh.exe99⤵PID:1536
-
\??\c:\nhbbbh.exec:\nhbbbh.exe100⤵PID:3032
-
\??\c:\dvjjv.exec:\dvjjv.exe101⤵PID:2232
-
\??\c:\3jvvp.exec:\3jvvp.exe102⤵PID:2260
-
\??\c:\9vvvj.exec:\9vvvj.exe103⤵PID:324
-
\??\c:\frxfllx.exec:\frxfllx.exe104⤵PID:2916
-
\??\c:\xfrrfrl.exec:\xfrrfrl.exe105⤵PID:1244
-
\??\c:\bthhnh.exec:\bthhnh.exe106⤵PID:652
-
\??\c:\htthhh.exec:\htthhh.exe107⤵PID:1564
-
\??\c:\jdddd.exec:\jdddd.exe108⤵PID:1100
-
\??\c:\1pjpv.exec:\1pjpv.exe109⤵PID:2176
-
\??\c:\xxxrlfl.exec:\xxxrlfl.exe110⤵PID:600
-
\??\c:\xrlfrrf.exec:\xrlfrrf.exe111⤵PID:1052
-
\??\c:\nhthhh.exec:\nhthhh.exe112⤵PID:944
-
\??\c:\hbtttb.exec:\hbtttb.exe113⤵PID:1796
-
\??\c:\hbhbnn.exec:\hbhbnn.exe114⤵PID:572
-
\??\c:\jddjp.exec:\jddjp.exe115⤵PID:2084
-
\??\c:\ppjvd.exec:\ppjvd.exe116⤵PID:1980
-
\??\c:\xrlrflr.exec:\xrlrflr.exe117⤵PID:2012
-
\??\c:\5ffxrfx.exec:\5ffxrfx.exe118⤵PID:2148
-
\??\c:\thhbtb.exec:\thhbtb.exe119⤵PID:2036
-
\??\c:\ttntnb.exec:\ttntnb.exe120⤵PID:2120
-
\??\c:\dvjjp.exec:\dvjjp.exe121⤵PID:1724
-
\??\c:\jvjpj.exec:\jvjpj.exe122⤵PID:2572
-