Analysis
-
max time kernel
150s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
arch:x64 arch:x86 image:win7-20231129-en locale:en-us os:windows7-x64 system -
submitted
06-06-2024 05:20
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
b855a5bb12da066d7a0baf4945fbe39b950e314f47e5183fb8915c2e0ebe8f16.exe
Resource
win7-20231129-en
6 signatures
150 seconds
General
-
Target
b855a5bb12da066d7a0baf4945fbe39b950e314f47e5183fb8915c2e0ebe8f16.exe
-
Size
87KB
-
MD5
2d4f260a06e38b013381ac37bf11d783
-
SHA1
be452d9c551e438cb936f2b3267a07cccc764de6
-
SHA256
b855a5bb12da066d7a0baf4945fbe39b950e314f47e5183fb8915c2e0ebe8f16
-
SHA512
77c238645c858f430f2b2b35837b02fa47944911036c1ad96ebcc91807afd25b235cd8192cf66ee50aaba19aa4ab84c2a1c68e1baed3dabe85e79d68e8c40fcb
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxND+3T4+C2wV3jaCJ5jH3eH5:ymb3NkkiQ3mdBjF+3TU2K3bJZXC
Malware Config
Signatures
-
Detect Blackmoon payload 20 IoCs
UPX dump on OEP (original entry point) 24 IoCs
Executes dropped EXE 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\b855a5bb12da066d7a0baf4945fbe39b950e314f47e5183fb8915c2e0ebe8f16.exe"C:\Users\Admin\AppData\Local\Temp\b855a5bb12da066d7a0baf4945fbe39b950e314f47e5183fb8915c2e0ebe8f16.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2328 -
\??\c:\fxlflfx.exec:\fxlflfx.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1028 -
\??\c:\5bnnhh.exec:\5bnnhh.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2852 -
\??\c:\7vppj.exec:\7vppj.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2304 -
\??\c:\flfllfl.exec:\flfllfl.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2616 -
\??\c:\hhbtht.exec:\hhbtht.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2580 -
\??\c:\jjpjv.exec:\jjpjv.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2640 -
\??\c:\llfrlxr.exec:\llfrlxr.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1600 -
\??\c:\llflxfl.exec:\llflxfl.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2424 -
\??\c:\tnbhhn.exec:\tnbhhn.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1660 -
\??\c:\dvjpd.exec:\dvjpd.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1820 -
\??\c:\3dpdv.exec:\3dpdv.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1504 -
\??\c:\rrflxlx.exec:\rrflxlx.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2760 -
\??\c:\rlxfllf.exec:\rlxfllf.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1628 -
\??\c:\9tthtb.exec:\9tthtb.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:928 -
\??\c:\vdjpj.exec:\vdjpj.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1512 -
\??\c:\ddjpp.exec:\ddjpp.exe17⤵
- Executes dropped EXE
PID:2712 -
\??\c:\xrlxflf.exec:\xrlxflf.exe18⤵
- Executes dropped EXE
PID:1180 -
\??\c:\nbbnbn.exec:\nbbnbn.exe19⤵
- Executes dropped EXE
PID:848 -
\??\c:\vvvjv.exec:\vvvjv.exe20⤵
- Executes dropped EXE
PID:3064 -
\??\c:\1pjjv.exec:\1pjjv.exe21⤵
- Executes dropped EXE
PID:2100 -
\??\c:\fffrlrl.exec:\fffrlrl.exe22⤵
- Executes dropped EXE
PID:1972 -
\??\c:\nhbhtb.exec:\nhbhtb.exe23⤵
- Executes dropped EXE
PID:768 -
\??\c:\htnbnt.exec:\htnbnt.exe24⤵
- Executes dropped EXE
PID:1412 -
\??\c:\vpvjd.exec:\vpvjd.exe25⤵
- Executes dropped EXE
PID:1868 -
\??\c:\xrllxrr.exec:\xrllxrr.exe26⤵
- Executes dropped EXE
PID:2356 -
\??\c:\xllxlfr.exec:\xllxlfr.exe27⤵
- Executes dropped EXE
PID:376 -
\??\c:\hbtbht.exec:\hbtbht.exe28⤵
- Executes dropped EXE
PID:1880 -
\??\c:\5vdvv.exec:\5vdvv.exe29⤵
- Executes dropped EXE
PID:340 -
\??\c:\rlfxrlx.exec:\rlfxrlx.exe30⤵
- Executes dropped EXE
PID:2952 -
\??\c:\fxrlxlf.exec:\fxrlxlf.exe31⤵
- Executes dropped EXE
PID:2956 -
\??\c:\nhbnhn.exec:\nhbnhn.exe32⤵
- Executes dropped EXE
PID:1732 -
\??\c:\dpjpv.exec:\dpjpv.exe33⤵
- Executes dropped EXE
PID:1680 -
\??\c:\9vjdv.exec:\9vjdv.exe34⤵
- Executes dropped EXE
PID:1592 -
\??\c:\xrffffl.exec:\xrffffl.exe35⤵
- Executes dropped EXE
PID:2896 -
\??\c:\frlfllr.exec:\frlfllr.exe36⤵
- Executes dropped EXE
PID:2320 -
\??\c:\9tnbnt.exec:\9tnbnt.exe37⤵
- Executes dropped EXE
PID:2516 -
\??\c:\vvjpd.exec:\vvjpd.exe38⤵
- Executes dropped EXE
PID:2528 -
\??\c:\ffffllf.exec:\ffffllf.exe39⤵
- Executes dropped EXE
PID:2572 -
\??\c:\9lrffxr.exec:\9lrffxr.exe40⤵
- Executes dropped EXE
PID:2620 -
\??\c:\3hntbh.exec:\3hntbh.exe41⤵
- Executes dropped EXE
PID:2688 -
\??\c:\hbthnh.exec:\hbthnh.exe42⤵
- Executes dropped EXE
PID:2444 -
\??\c:\pjdjv.exec:\pjdjv.exe43⤵
- Executes dropped EXE
PID:2940 -
\??\c:\jvjjp.exec:\jvjjp.exe44⤵
- Executes dropped EXE
PID:2464 -
\??\c:\9rrxfll.exec:\9rrxfll.exe45⤵
- Executes dropped EXE
PID:2376 -
\??\c:\lxlflrr.exec:\lxlflrr.exe46⤵
- Executes dropped EXE
PID:2748 -
\??\c:\nbnhnh.exec:\nbnhnh.exe47⤵
- Executes dropped EXE
PID:2868 -
\??\c:\pjjpj.exec:\pjjpj.exe48⤵
- Executes dropped EXE
PID:1272 -
\??\c:\jvjjj.exec:\jvjjj.exe49⤵
- Executes dropped EXE
PID:1320 -
\??\c:\rlffffr.exec:\rlffffr.exe50⤵
- Executes dropped EXE
PID:2760 -
\??\c:\fxllllr.exec:\fxllllr.exe51⤵
- Executes dropped EXE
PID:884 -
\??\c:\nhhntt.exec:\nhhntt.exe52⤵
- Executes dropped EXE
PID:1968 -
\??\c:\pjdpv.exec:\pjdpv.exe53⤵
- Executes dropped EXE
PID:1776 -
\??\c:\vvvvj.exec:\vvvvj.exe54⤵
- Executes dropped EXE
PID:1508 -
\??\c:\xrflrrx.exec:\xrflrrx.exe55⤵
- Executes dropped EXE
PID:620 -
\??\c:\3rrrlrr.exec:\3rrrlrr.exe56⤵
- Executes dropped EXE
PID:1160 -
\??\c:\hbnthh.exec:\hbnthh.exe57⤵
- Executes dropped EXE
PID:2092 -
\??\c:\thtnnt.exec:\thtnnt.exe58⤵
- Executes dropped EXE
PID:2208 -
\??\c:\vpdpv.exec:\vpdpv.exe59⤵
- Executes dropped EXE
PID:2292 -
\??\c:\dvdpp.exec:\dvdpp.exe60⤵
- Executes dropped EXE
PID:2360 -
\??\c:\xlxxffl.exec:\xlxxffl.exe61⤵
- Executes dropped EXE
PID:2008 -
\??\c:\xxrffrr.exec:\xxrffrr.exe62⤵
- Executes dropped EXE
PID:1188 -
\??\c:\thbtbb.exec:\thbtbb.exe63⤵
- Executes dropped EXE
PID:1872 -
\??\c:\hhnnnn.exec:\hhnnnn.exe64⤵
- Executes dropped EXE
PID:1952 -
\??\c:\5pjjj.exec:\5pjjj.exe65⤵
- Executes dropped EXE
PID:332 -
\??\c:\jddpv.exec:\jddpv.exe66⤵PID:1764
-
\??\c:\rlflrrx.exec:\rlflrrx.exe67⤵PID:1404
-
\??\c:\bthtnn.exec:\bthtnn.exe68⤵PID:1420
-
\??\c:\nhhhht.exec:\nhhhht.exe69⤵PID:3068
-
\??\c:\pdjjv.exec:\pdjjv.exe70⤵PID:3000
-
\??\c:\jvdvj.exec:\jvdvj.exe71⤵PID:3004
-
\??\c:\xfrlxxx.exec:\xfrlxxx.exe72⤵PID:2956
-
\??\c:\bhnhtb.exec:\bhnhtb.exe73⤵PID:1676
-
\??\c:\hhnbth.exec:\hhnbth.exe74⤵PID:1664
-
\??\c:\pjvvp.exec:\pjvvp.exe75⤵PID:1708
-
\??\c:\jdjpj.exec:\jdjpj.exe76⤵PID:1592
-
\??\c:\1fxrlff.exec:\1fxrlff.exe77⤵PID:2916
-
\??\c:\flrlrll.exec:\flrlrll.exe78⤵PID:2532
-
\??\c:\ntntnb.exec:\ntntnb.exe79⤵PID:2648
-
\??\c:\bnbhhn.exec:\bnbhhn.exe80⤵PID:2528
-
\??\c:\jvpvp.exec:\jvpvp.exe81⤵PID:2260
-
\??\c:\pvvvj.exec:\pvvvj.exe82⤵PID:2684
-
\??\c:\1xrxllr.exec:\1xrxllr.exe83⤵PID:2672
-
\??\c:\xrfxllx.exec:\xrfxllx.exe84⤵PID:2440
-
\??\c:\3bnbhh.exec:\3bnbhh.exe85⤵PID:2496
-
\??\c:\hnhnhb.exec:\hnhnhb.exe86⤵PID:2936
-
\??\c:\3hhnhh.exec:\3hhnhh.exe87⤵PID:2436
-
\??\c:\dpjpv.exec:\dpjpv.exe88⤵PID:1820
-
\??\c:\pjdjv.exec:\pjdjv.exe89⤵PID:2136
-
\??\c:\9rrrxrx.exec:\9rrrxrx.exe90⤵PID:1612
-
\??\c:\rlfxfxf.exec:\rlfxfxf.exe91⤵PID:1352
-
\??\c:\bhnbhn.exec:\bhnbhn.exe92⤵PID:1684
-
\??\c:\tnhtth.exec:\tnhtth.exe93⤵PID:932
-
\??\c:\3btbbh.exec:\3btbbh.exe94⤵PID:1512
-
\??\c:\1dpjj.exec:\1dpjj.exe95⤵PID:1668
-
\??\c:\jvjpp.exec:\jvjpp.exe96⤵PID:1296
-
\??\c:\7fxflrx.exec:\7fxflrx.exe97⤵PID:1444
-
\??\c:\lfffxfl.exec:\lfffxfl.exe98⤵PID:848
-
\??\c:\1tnbnn.exec:\1tnbnn.exe99⤵PID:1984
-
\??\c:\hbnttt.exec:\hbnttt.exe100⤵PID:2056
-
\??\c:\1pppv.exec:\1pppv.exe101⤵PID:748
-
\??\c:\pjjpp.exec:\pjjpp.exe102⤵PID:692
-
\??\c:\frfxfff.exec:\frfxfff.exe103⤵PID:1424
-
\??\c:\lfrffrf.exec:\lfrffrf.exe104⤵PID:1988
-
\??\c:\9nhntt.exec:\9nhntt.exe105⤵PID:1216
-
\??\c:\nhbttn.exec:\nhbttn.exe106⤵PID:1784
-
\??\c:\1htttn.exec:\1htttn.exe107⤵PID:936
-
\??\c:\vpjjp.exec:\vpjjp.exe108⤵PID:3036
-
\??\c:\9vpvv.exec:\9vpvv.exe109⤵PID:2280
-
\??\c:\xflxrxx.exec:\xflxrxx.exe110⤵PID:340
-
\??\c:\lxfrlrx.exec:\lxfrlrx.exe111⤵PID:3028
-
\??\c:\bthnnt.exec:\bthnnt.exe112⤵PID:3060
-
\??\c:\bthttt.exec:\bthttt.exe113⤵PID:1104
-
\??\c:\jdvjp.exec:\jdvjp.exe114⤵PID:2328
-
\??\c:\dvdpj.exec:\dvdpj.exe115⤵PID:1676
-
\??\c:\lfllxxf.exec:\lfllxxf.exe116⤵PID:2332
-
\??\c:\1xlrxxx.exec:\1xlrxxx.exe117⤵PID:2904
-
\??\c:\nnbhbb.exec:\nnbhbb.exe118⤵PID:1840
-
\??\c:\bthhnb.exec:\bthhnb.exe119⤵PID:2776
-
\??\c:\vvjvj.exec:\vvjvj.exe120⤵PID:2656
-
\??\c:\pjdpp.exec:\pjdpp.exe121⤵PID:2668
-
\??\c:\7lrrxrf.exec:\7lrrxrf.exe122⤵PID:2788
-