Analysis
max time kernel: 31s
max time network: 119s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64 arch:x86 image:win7-20231129-en locale:en-us os:windows7-x64 system
submitted: 06-06-2024 04:39
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
ad4ac567a8504503d7786105223942b3c99725b2c9cb87c2b361d7847c95d8db.exe
Resource
win7-20231129-en
6 signatures
150 seconds
General
Target: ad4ac567a8504503d7786105223942b3c99725b2c9cb87c2b361d7847c95d8db.exe
Size: 68KB
MD5: 6e1a0e2af53c0e36a7b136fa4d265688
SHA1: b1efffaa72e0ca58fb0e5e40a47cf0868dc0319e
SHA256: ad4ac567a8504503d7786105223942b3c99725b2c9cb87c2b361d7847c95d8db
SHA512: 26e79e3516ac2ca574b9997ac83bc6e737859b94c951cc92347a111512488324dd6f777c87b1330b0a19197e22893d2adf54328b4eb774b63caec9d13917b6f3
SSDEEP: 1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDIFdJUDbAIu:ymb3NkkiQ3mdBjFIFdJ8bG
Malware Config
Signatures
-
Detect Blackmoon payload 24 IoCs
UPX dump on OEP (original entry point) 24 IoCs
Executes dropped EXE 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\ad4ac567a8504503d7786105223942b3c99725b2c9cb87c2b361d7847c95d8db.exe"C:\Users\Admin\AppData\Local\Temp\ad4ac567a8504503d7786105223942b3c99725b2c9cb87c2b361d7847c95d8db.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2884 -
\??\c:\nbtntt.exec:\nbtntt.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1704 -
\??\c:\rrllllx.exec:\rrllllx.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3024 -
\??\c:\dpddv.exec:\dpddv.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2568 -
\??\c:\tnnhbt.exec:\tnnhbt.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2580 -
\??\c:\xrrxllf.exec:\xrrxllf.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2608 -
\??\c:\dvppv.exec:\dvppv.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2732 -
\??\c:\lrrrrfr.exec:\lrrrrfr.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2640 -
\??\c:\7dpdv.exec:\7dpdv.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2488 -
\??\c:\thhnbb.exec:\thhnbb.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2796 -
\??\c:\pjvvj.exec:\pjvvj.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1992 -
\??\c:\hhnhnn.exec:\hhnhnn.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2680 -
\??\c:\vpjpv.exec:\vpjpv.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1676 -
\??\c:\3hnhnn.exec:\3hnhnn.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1084 -
\??\c:\vppjj.exec:\vppjj.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1972 -
\??\c:\bththt.exec:\bththt.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2544 -
\??\c:\djppd.exec:\djppd.exe17⤵
- Executes dropped EXE
PID:1776 -
\??\c:\hhbnbt.exec:\hhbnbt.exe18⤵
- Executes dropped EXE
PID:1712 -
\??\c:\9pppv.exec:\9pppv.exe19⤵
- Executes dropped EXE
PID:2572 -
\??\c:\bhbntn.exec:\bhbntn.exe20⤵
- Executes dropped EXE
PID:2112 -
\??\c:\vjppp.exec:\vjppp.exe21⤵
- Executes dropped EXE
PID:1500 -
\??\c:\nnnntn.exec:\nnnntn.exe22⤵
- Executes dropped EXE
PID:1808 -
\??\c:\xrffxfr.exec:\xrffxfr.exe23⤵
- Executes dropped EXE
PID:1124 -
\??\c:\hnhtnh.exec:\hnhtnh.exe24⤵
- Executes dropped EXE
PID:1880 -
\??\c:\vvpvj.exec:\vvpvj.exe25⤵
- Executes dropped EXE
PID:2668 -
\??\c:\lrfxllf.exec:\lrfxllf.exe26⤵
- Executes dropped EXE
PID:616 -
\??\c:\ffrxlxf.exec:\ffrxlxf.exe27⤵
- Executes dropped EXE
PID:2020 -
\??\c:\jvpdp.exec:\jvpdp.exe28⤵
- Executes dropped EXE
PID:1872 -
\??\c:\pjppj.exec:\pjppj.exe29⤵
- Executes dropped EXE
PID:1580 -
\??\c:\fxxxffl.exec:\fxxxffl.exe30⤵
- Executes dropped EXE
PID:1008 -
\??\c:\dvjjp.exec:\dvjjp.exe31⤵
- Executes dropped EXE
PID:2064 -
\??\c:\lxrrflf.exec:\lxrrflf.exe32⤵
- Executes dropped EXE
PID:2200 -
\??\c:\dvpdj.exec:\dvpdj.exe33⤵
- Executes dropped EXE
PID:2896 -
\??\c:\lxlrflf.exec:\lxlrflf.exe34⤵
- Executes dropped EXE
PID:1704 -
\??\c:\thhhhb.exec:\thhhhb.exe35⤵
- Executes dropped EXE
PID:1724 -
\??\c:\7jdjp.exec:\7jdjp.exe36⤵
- Executes dropped EXE
PID:2160 -
\??\c:\rxlllfx.exec:\rxlllfx.exe37⤵
- Executes dropped EXE
PID:2692 -
\??\c:\bnbbnh.exec:\bnbbnh.exe38⤵
- Executes dropped EXE
PID:2088 -
\??\c:\vvpdv.exec:\vvpdv.exe39⤵
- Executes dropped EXE
PID:2600 -
\??\c:\ppppp.exec:\ppppp.exe40⤵
- Executes dropped EXE
PID:2636 -
\??\c:\fflxxlf.exec:\fflxxlf.exe41⤵
- Executes dropped EXE
PID:2500 -
\??\c:\bttbtt.exec:\bttbtt.exe42⤵
- Executes dropped EXE
PID:2728 -
\??\c:\nhtnnh.exec:\nhtnnh.exe43⤵
- Executes dropped EXE
PID:2516 -
\??\c:\pvvjd.exec:\pvvjd.exe44⤵
- Executes dropped EXE
PID:2596 -
\??\c:\lxllxrx.exec:\lxllxrx.exe45⤵
- Executes dropped EXE
PID:2488 -
\??\c:\bbtbnt.exec:\bbtbnt.exe46⤵
- Executes dropped EXE
PID:2532 -
\??\c:\nhtbtb.exec:\nhtbtb.exe47⤵
- Executes dropped EXE
PID:1928 -
\??\c:\jjvpp.exec:\jjvpp.exe48⤵
- Executes dropped EXE
PID:2804 -
\??\c:\rlflxxl.exec:\rlflxxl.exe49⤵
- Executes dropped EXE
PID:1088 -
\??\c:\bbttbb.exec:\bbttbb.exe50⤵
- Executes dropped EXE
PID:896 -
\??\c:\9ttbnn.exec:\9ttbnn.exe51⤵
- Executes dropped EXE
PID:1112 -
\??\c:\jjjjj.exec:\jjjjj.exe52⤵
- Executes dropped EXE
PID:2812 -
\??\c:\xfrxrxl.exec:\xfrxrxl.exe53⤵
- Executes dropped EXE
PID:2688 -
\??\c:\rxrxrlx.exec:\rxrxrlx.exe54⤵
- Executes dropped EXE
PID:2656 -
\??\c:\bhbthn.exec:\bhbthn.exe55⤵
- Executes dropped EXE
PID:1772 -
\??\c:\ppvvv.exec:\ppvvv.exe56⤵
- Executes dropped EXE
PID:2188 -
\??\c:\9jpjp.exec:\9jpjp.exe57⤵
- Executes dropped EXE
PID:2912 -
\??\c:\rlflxxf.exec:\rlflxxf.exe58⤵
- Executes dropped EXE
PID:2300 -
\??\c:\nnbttn.exec:\nnbttn.exe59⤵
- Executes dropped EXE
PID:2252 -
\??\c:\rflxxrl.exec:\rflxxrl.exe60⤵
- Executes dropped EXE
PID:680 -
\??\c:\1jvpp.exec:\1jvpp.exe61⤵
- Executes dropped EXE
PID:444 -
\??\c:\rllxllf.exec:\rllxllf.exe62⤵
- Executes dropped EXE
PID:2436 -
\??\c:\hbntbh.exec:\hbntbh.exe63⤵
- Executes dropped EXE
PID:1516 -
\??\c:\jvdjp.exec:\jvdjp.exe64⤵
- Executes dropped EXE
PID:972 -
\??\c:\rlllrxx.exec:\rlllrxx.exe65⤵
- Executes dropped EXE
PID:1976 -
\??\c:\9ttbtb.exec:\9ttbtb.exe66⤵PID:400
-
\??\c:\jjddp.exec:\jjddp.exe67⤵PID:952
-
\??\c:\llllxff.exec:\llllxff.exe68⤵PID:1872
-
\??\c:\nhttbb.exec:\nhttbb.exe69⤵PID:2852
-
\??\c:\vdjpd.exec:\vdjpd.exe70⤵PID:1324
-
\??\c:\thntbt.exec:\thntbt.exe71⤵PID:872
-
\??\c:\dpvjp.exec:\dpvjp.exe72⤵PID:1988
-
\??\c:\tntbnn.exec:\tntbnn.exe73⤵PID:2032
-
\??\c:\5jdvd.exec:\5jdvd.exe74⤵PID:2948
-
\??\c:\xrlrffl.exec:\xrlrffl.exe75⤵PID:3016
-
\??\c:\frllflr.exec:\frllflr.exe76⤵PID:1720
-
\??\c:\bntnth.exec:\bntnth.exe77⤵PID:2604
-
\??\c:\vjdjv.exec:\vjdjv.exe78⤵PID:2708
-
\??\c:\1lxrfxx.exec:\1lxrfxx.exe79⤵PID:2696
-
\??\c:\nhbhnt.exec:\nhbhnt.exe80⤵PID:2756
-
\??\c:\rfxxxrf.exec:\rfxxxrf.exe81⤵PID:2800
-
\??\c:\htttbb.exec:\htttbb.exe82⤵PID:1624
-
\??\c:\5dvjv.exec:\5dvjv.exe83⤵PID:2588
-
\??\c:\rxxxxxl.exec:\rxxxxxl.exe84⤵PID:2476
-
\??\c:\hntbhn.exec:\hntbhn.exe85⤵PID:2492
-
\??\c:\hhhnbn.exec:\hhhnbn.exe86⤵PID:2936
-
\??\c:\jvpjd.exec:\jvpjd.exe87⤵PID:1992
-
\??\c:\nbtbbb.exec:\nbtbbb.exe88⤵PID:800
-
\??\c:\fxflllx.exec:\fxflllx.exe89⤵PID:760
-
\??\c:\ntbbbn.exec:\ntbbbn.exe90⤵PID:1676
-
\??\c:\pjvvd.exec:\pjvvd.exe91⤵PID:1672
-
\??\c:\vdvdd.exec:\vdvdd.exe92⤵PID:2564
-
\??\c:\xfrxflf.exec:\xfrxflf.exe93⤵PID:2544
-
\??\c:\bhnttb.exec:\bhnttb.exe94⤵PID:2760
-
\??\c:\dvjdp.exec:\dvjdp.exe95⤵PID:2944
-
\??\c:\vjpdj.exec:\vjpdj.exe96⤵PID:2412
-
\??\c:\hnhttt.exec:\hnhttt.exe97⤵PID:2284
-
\??\c:\pvppv.exec:\pvppv.exe98⤵PID:572
-
\??\c:\rlffllf.exec:\rlffllf.exe99⤵PID:1916
-
\??\c:\vpjjd.exec:\vpjjd.exe100⤵PID:1056
-
\??\c:\nbtnbb.exec:\nbtnbb.exe101⤵PID:2444
-
\??\c:\pdvvd.exec:\pdvvd.exe102⤵PID:2080
-
\??\c:\rrxxlrf.exec:\rrxxlrf.exe103⤵PID:1852
-
\??\c:\hbbbnn.exec:\hbbbnn.exe104⤵PID:2668
-
\??\c:\3jppd.exec:\3jppd.exe105⤵PID:1152
-
\??\c:\1xrlllx.exec:\1xrlllx.exe106⤵PID:1664
-
\??\c:\btntbn.exec:\btntbn.exe107⤵PID:2264
-
\??\c:\1hhbhb.exec:\1hhbhb.exe108⤵PID:2360
-
\??\c:\vjddd.exec:\vjddd.exe109⤵PID:1840
-
\??\c:\frfxflr.exec:\frfxflr.exe110⤵PID:564
-
\??\c:\nbbbbh.exec:\nbbbbh.exe111⤵PID:1564
-
\??\c:\jjpvj.exec:\jjpvj.exe112⤵PID:1864
-
\??\c:\jjdpp.exec:\jjdpp.exe113⤵PID:2968
-
\??\c:\rfflrlr.exec:\rfflrlr.exe114⤵PID:2200
-
\??\c:\thhntn.exec:\thhntn.exe115⤵PID:2884
-
\??\c:\1dpjj.exec:\1dpjj.exe116⤵PID:1704
-
\??\c:\fllrlxx.exec:\fllrlxx.exe117⤵PID:1720
-
\??\c:\httbhh.exec:\httbhh.exe118⤵PID:2980
-
\??\c:\jvdjp.exec:\jvdjp.exe119⤵PID:2744
-
\??\c:\dvdvj.exec:\dvdvj.exe120⤵PID:2104
-
\??\c:\3lxxlrr.exec:\3lxxlrr.exe121⤵PID:2612
-
\??\c:\bnbbhh.exec:\bnbbhh.exe122⤵PID:2496