Analysis
-
max time kernel
150s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system -
submitted
06-06-2024 05:09
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
b6c1f031abd7bdcd88d4e5726b36aab6878b6ca1076856103e09776ac81035e7.exe
Resource
win7-20240221-en
6 signatures
150 seconds
General
-
Target
b6c1f031abd7bdcd88d4e5726b36aab6878b6ca1076856103e09776ac81035e7.exe
-
Size
88KB
-
MD5
e28712d9295e1d03c0ef5639f96acafa
-
SHA1
b5753af638056f649006ecd2e21fb90a23bb5fb5
-
SHA256
b6c1f031abd7bdcd88d4e5726b36aab6878b6ca1076856103e09776ac81035e7
-
SHA512
bc479b2d0286a2def27ca182924503d8ead16fcbc69c1f92b84f818954d7e8da513d7665772337dec804476938a2f176e7a98f9c42eda6ce7c003150123949c2
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxND+3T4+C2iJvRirE0DmmdL2jqWkBY:ymb3NkkiQ3mdBjF+3TU2iBRioSumWS1i
Malware Config
Signatures
-
Detect Blackmoon payload 22 IoCs
-
UPX dump on OEP (original entry point) 26 IoCs
-
Executes dropped EXE 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\b6c1f031abd7bdcd88d4e5726b36aab6878b6ca1076856103e09776ac81035e7.exe"C:\Users\Admin\AppData\Local\Temp\b6c1f031abd7bdcd88d4e5726b36aab6878b6ca1076856103e09776ac81035e7.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2872 -
\??\c:\nphvdvh.exec:\nphvdvh.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3040 -
\??\c:\rndpl.exec:\rndpl.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2920 -
\??\c:\jnbrxj.exec:\jnbrxj.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2604 -
\??\c:\vpvbxb.exec:\vpvbxb.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2520 -
\??\c:\hthnjpp.exec:\hthnjpp.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2592 -
\??\c:\fdjxx.exec:\fdjxx.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2472 -
\??\c:\tpvpxhl.exec:\tpvpxhl.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2384 -
\??\c:\jndlvrp.exec:\jndlvrp.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2788 -
\??\c:\xjbdx.exec:\xjbdx.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:588 -
\??\c:\lfbvpx.exec:\lfbvpx.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2204 -
\??\c:\npvxbth.exec:\npvxbth.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1796 -
\??\c:\rpfjtn.exec:\rpfjtn.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2692 -
\??\c:\lpxhtp.exec:\lpxhtp.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1228 -
\??\c:\pjpxnh.exec:\pjpxnh.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1936 -
\??\c:\llxprl.exec:\llxprl.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1748 -
\??\c:\hpfdv.exec:\hpfdv.exe17⤵
- Executes dropped EXE
PID:2100 -
\??\c:\vxtfrbb.exec:\vxtfrbb.exe18⤵
- Executes dropped EXE
PID:1580 -
\??\c:\pjtrdp.exec:\pjtrdp.exe19⤵
- Executes dropped EXE
PID:1520 -
\??\c:\xljth.exec:\xljth.exe20⤵
- Executes dropped EXE
PID:1808 -
\??\c:\htntrhv.exec:\htntrhv.exe21⤵
- Executes dropped EXE
PID:2468 -
\??\c:\ptvjx.exec:\ptvjx.exe22⤵
- Executes dropped EXE
PID:2732 -
\??\c:\tlnhjhn.exec:\tlnhjhn.exe23⤵
- Executes dropped EXE
PID:3000 -
\??\c:\pfrtx.exec:\pfrtx.exe24⤵
- Executes dropped EXE
PID:1060 -
\??\c:\jldvxh.exec:\jldvxh.exe25⤵
- Executes dropped EXE
PID:2980 -
\??\c:\xbvvhp.exec:\xbvvhp.exe26⤵
- Executes dropped EXE
PID:1844 -
\??\c:\rhrhrj.exec:\rhrhrj.exe27⤵
- Executes dropped EXE
PID:972 -
\??\c:\xbtvtb.exec:\xbtvtb.exe28⤵
- Executes dropped EXE
PID:1712 -
\??\c:\vxlhddn.exec:\vxlhddn.exe29⤵
- Executes dropped EXE
PID:1096 -
\??\c:\pjnndf.exec:\pjnndf.exe30⤵
- Executes dropped EXE
PID:2996 -
\??\c:\dtrnn.exec:\dtrnn.exe31⤵
- Executes dropped EXE
PID:2004 -
\??\c:\bplnlpl.exec:\bplnlpl.exe32⤵
- Executes dropped EXE
PID:2244 -
\??\c:\dljpl.exec:\dljpl.exe33⤵
- Executes dropped EXE
PID:748 -
\??\c:\hphhv.exec:\hphhv.exe34⤵
- Executes dropped EXE
PID:1292 -
\??\c:\hvfblvx.exec:\hvfblvx.exe35⤵
- Executes dropped EXE
PID:2876 -
\??\c:\jdlfv.exec:\jdlfv.exe36⤵
- Executes dropped EXE
PID:2892 -
\??\c:\tnxlrp.exec:\tnxlrp.exe37⤵
- Executes dropped EXE
PID:2856 -
\??\c:\bvbhh.exec:\bvbhh.exe38⤵
- Executes dropped EXE
PID:2464 -
\??\c:\hlpnxh.exec:\hlpnxh.exe39⤵
- Executes dropped EXE
PID:2580 -
\??\c:\prxnth.exec:\prxnth.exe40⤵
- Executes dropped EXE
PID:2716 -
\??\c:\fvdrbb.exec:\fvdrbb.exe41⤵
- Executes dropped EXE
PID:2560 -
\??\c:\xpjbrp.exec:\xpjbrp.exe42⤵
- Executes dropped EXE
PID:3048 -
\??\c:\nblhvrd.exec:\nblhvrd.exe43⤵
- Executes dropped EXE
PID:2712 -
\??\c:\lllbjt.exec:\lllbjt.exe44⤵
- Executes dropped EXE
PID:2540 -
\??\c:\bbthhjb.exec:\bbthhjb.exe45⤵
- Executes dropped EXE
PID:2436 -
\??\c:\rxvvld.exec:\rxvvld.exe46⤵
- Executes dropped EXE
PID:2556 -
\??\c:\jvvpvb.exec:\jvvpvb.exe47⤵
- Executes dropped EXE
PID:572 -
\??\c:\vbdvr.exec:\vbdvr.exe48⤵
- Executes dropped EXE
PID:2352 -
\??\c:\pjnrbl.exec:\pjnrbl.exe49⤵
- Executes dropped EXE
PID:588 -
\??\c:\tpxprj.exec:\tpxprj.exe50⤵
- Executes dropped EXE
PID:2204 -
\??\c:\ttllrjt.exec:\ttllrjt.exe51⤵
- Executes dropped EXE
PID:2680 -
\??\c:\vrbbnr.exec:\vrbbnr.exe52⤵
- Executes dropped EXE
PID:1948 -
\??\c:\vlbdfbx.exec:\vlbdfbx.exe53⤵
- Executes dropped EXE
PID:3020 -
\??\c:\jxdflj.exec:\jxdflj.exe54⤵
- Executes dropped EXE
PID:1228 -
\??\c:\hxxrhfp.exec:\hxxrhfp.exe55⤵
- Executes dropped EXE
PID:1848 -
\??\c:\bfblth.exec:\bfblth.exe56⤵
- Executes dropped EXE
PID:1656 -
\??\c:\hbrpr.exec:\hbrpr.exe57⤵
- Executes dropped EXE
PID:2896 -
\??\c:\nbrhf.exec:\nbrhf.exe58⤵
- Executes dropped EXE
PID:1252 -
\??\c:\rfrll.exec:\rfrll.exe59⤵
- Executes dropped EXE
PID:1524 -
\??\c:\vlxtlph.exec:\vlxtlph.exe60⤵
- Executes dropped EXE
PID:852 -
\??\c:\jxdpv.exec:\jxdpv.exe61⤵
- Executes dropped EXE
PID:2056 -
\??\c:\bjptnn.exec:\bjptnn.exe62⤵
- Executes dropped EXE
PID:2468 -
\??\c:\ffjtj.exec:\ffjtj.exe63⤵
- Executes dropped EXE
PID:2748 -
\??\c:\thlxv.exec:\thlxv.exe64⤵
- Executes dropped EXE
PID:1436 -
\??\c:\hdvpbv.exec:\hdvpbv.exe65⤵
- Executes dropped EXE
PID:2112 -
\??\c:\rftbfx.exec:\rftbfx.exe66⤵PID:2968
-
\??\c:\hxfxvx.exec:\hxfxvx.exe67⤵PID:1672
-
\??\c:\nfpfjff.exec:\nfpfjff.exe68⤵PID:1008
-
\??\c:\rnphljx.exec:\rnphljx.exe69⤵PID:1740
-
\??\c:\ltfdhr.exec:\ltfdhr.exe70⤵PID:2264
-
\??\c:\rbrtrr.exec:\rbrtrr.exe71⤵PID:320
-
\??\c:\hntfn.exec:\hntfn.exe72⤵PID:2908
-
\??\c:\nnpbfrf.exec:\nnpbfrf.exe73⤵PID:1344
-
\??\c:\lfbvrb.exec:\lfbvrb.exe74⤵PID:2272
-
\??\c:\bjnpxt.exec:\bjnpxt.exe75⤵PID:1616
-
\??\c:\tbxrd.exec:\tbxrd.exe76⤵PID:876
-
\??\c:\hdbjhjb.exec:\hdbjhjb.exe77⤵PID:1164
-
\??\c:\rbxbd.exec:\rbxbd.exe78⤵PID:2152
-
\??\c:\hflpbb.exec:\hflpbb.exe79⤵PID:1596
-
\??\c:\xnxbp.exec:\xnxbp.exe80⤵PID:2892
-
\??\c:\vtldrr.exec:\vtldrr.exe81⤵PID:2856
-
\??\c:\djnjl.exec:\djnjl.exe82⤵PID:2464
-
\??\c:\tbblfpp.exec:\tbblfpp.exe83⤵PID:2576
-
\??\c:\hbjdn.exec:\hbjdn.exe84⤵PID:2536
-
\??\c:\rjpff.exec:\rjpff.exe85⤵PID:2548
-
\??\c:\bnjtx.exec:\bnjtx.exe86⤵PID:2476
-
\??\c:\xtpvlr.exec:\xtpvlr.exe87⤵PID:2428
-
\??\c:\trtvfvt.exec:\trtvfvt.exe88⤵PID:772
-
\??\c:\bfjflp.exec:\bfjflp.exe89⤵PID:2436
-
\??\c:\njpbtlb.exec:\njpbtlb.exe90⤵PID:2568
-
\??\c:\ppplln.exec:\ppplln.exe91⤵PID:1472
-
\??\c:\rrprrdr.exec:\rrprrdr.exe92⤵PID:1588
-
\??\c:\rjvbf.exec:\rjvbf.exe93⤵PID:2432
-
\??\c:\ddbrvjl.exec:\ddbrvjl.exe94⤵PID:2808
-
\??\c:\rnnfpl.exec:\rnnfpl.exe95⤵PID:2136
-
\??\c:\fpbjpnh.exec:\fpbjpnh.exe96⤵PID:1804
-
\??\c:\tddxxt.exec:\tddxxt.exe97⤵PID:1972
-
\??\c:\bbtlp.exec:\bbtlp.exe98⤵PID:1748
-
\??\c:\hbjjpt.exec:\hbjjpt.exe99⤵PID:1636
-
\??\c:\nhvxnt.exec:\nhvxnt.exe100⤵PID:1248
-
\??\c:\rpjthfj.exec:\rpjthfj.exe101⤵PID:2208
-
\??\c:\nrvlxp.exec:\nrvlxp.exe102⤵PID:1508
-
\??\c:\hhlljfr.exec:\hhlljfr.exe103⤵PID:2236
-
\??\c:\xthvl.exec:\xthvl.exe104⤵PID:1792
-
\??\c:\fxrbrj.exec:\fxrbrj.exe105⤵PID:2984
-
\??\c:\jpjbpj.exec:\jpjbpj.exe106⤵PID:2928
-
\??\c:\btnprb.exec:\btnprb.exe107⤵PID:2748
-
\??\c:\nnbjff.exec:\nnbjff.exe108⤵PID:2008
-
\??\c:\nfbhxt.exec:\nfbhxt.exe109⤵PID:3052
-
\??\c:\xpjrv.exec:\xpjrv.exe110⤵PID:1988
-
\??\c:\nbrfjx.exec:\nbrfjx.exe111⤵PID:1544
-
\??\c:\jxftthv.exec:\jxftthv.exe112⤵PID:1528
-
\??\c:\hprhnfh.exec:\hprhnfh.exe113⤵PID:1868
-
\??\c:\ttvjxh.exec:\ttvjxh.exe114⤵PID:1088
-
\??\c:\bprrvtx.exec:\bprrvtx.exe115⤵PID:1156
-
\??\c:\ltndxj.exec:\ltndxj.exe116⤵PID:1736
-
\??\c:\ptjph.exec:\ptjph.exe117⤵PID:2996
-
\??\c:\lxvlpjh.exec:\lxvlpjh.exe118⤵PID:2192
-
\??\c:\fnbndj.exec:\fnbndj.exe119⤵PID:2740
-
\??\c:\jvxhpxn.exec:\jvxhpxn.exe120⤵PID:748
-
\??\c:\pltbjvh.exec:\pltbjvh.exe121⤵PID:2068
-
\??\c:\drvfpd.exec:\drvfpd.exe122⤵PID:3032