Analysis
-
max time kernel
150s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system -
submitted
06-06-2024 06:16
Static task
static1
2 signatures
Behavioral task
behavioral1
Sample
ca7a3a2e07a6f18fbca558b47237f8df732a4e6f041cde9461679d2bfec1bc3d.exe
Resource
win7-20240221-en
5 signatures
150 seconds
General
-
Target
ca7a3a2e07a6f18fbca558b47237f8df732a4e6f041cde9461679d2bfec1bc3d.exe
-
Size
189KB
-
MD5
299c386c9bdb7d042e553be7cfac2a1b
-
SHA1
f36ad1f24089d6ce3d924d689b00445545a9e8f5
-
SHA256
ca7a3a2e07a6f18fbca558b47237f8df732a4e6f041cde9461679d2bfec1bc3d
-
SHA512
9285742b255571e2b2bf4c3926193f197e433305cfb6f2fbe4a9e2fa01ac062432118b9ef753e7f0b21e437e0a62b828f8362f0d640be3f228d70dfb8381f448
-
SSDEEP
3072:YhOmTsF93UYfwC6GIoutLmxHxae5yLpcgDE4JBuItR8pTsgnKbQFe3+w:Ycm4FmowdHoSLEaTBftapTsyFeOw
Malware Config
Signatures
-
Detect Blackmoon payload 38 IoCs
Processes:
resource yara_rule behavioral1/memory/1768-123-0x0000000000400000-0x0000000000430000-memory.dmp family_blackmoon behavioral1/memory/2420-159-0x0000000000400000-0x0000000000430000-memory.dmp family_blackmoon behavioral1/memory/960-219-0x0000000000400000-0x0000000000430000-memory.dmp family_blackmoon behavioral1/memory/1304-255-0x0000000000400000-0x0000000000430000-memory.dmp family_blackmoon behavioral1/memory/1512-297-0x0000000000400000-0x0000000000430000-memory.dmp family_blackmoon behavioral1/memory/2256-407-0x0000000000400000-0x0000000000430000-memory.dmp family_blackmoon behavioral1/memory/1988-564-0x0000000000400000-0x0000000000430000-memory.dmp family_blackmoon behavioral1/memory/1612-793-0x0000000000400000-0x0000000000430000-memory.dmp family_blackmoon behavioral1/memory/3036-989-0x00000000002B0000-0x00000000002E0000-memory.dmp family_blackmoon behavioral1/memory/2292-941-0x0000000000400000-0x0000000000430000-memory.dmp family_blackmoon behavioral1/memory/2108-696-0x0000000000400000-0x0000000000430000-memory.dmp family_blackmoon behavioral1/memory/2280-690-0x0000000000400000-0x0000000000430000-memory.dmp family_blackmoon behavioral1/memory/2968-626-0x0000000000400000-0x0000000000430000-memory.dmp family_blackmoon behavioral1/memory/1788-478-0x0000000000220000-0x0000000000250000-memory.dmp family_blackmoon behavioral1/memory/2756-345-0x0000000000400000-0x0000000000430000-memory.dmp family_blackmoon behavioral1/memory/2796-331-0x0000000000400000-0x0000000000430000-memory.dmp family_blackmoon behavioral1/memory/1704-299-0x0000000000400000-0x0000000000430000-memory.dmp family_blackmoon behavioral1/memory/1512-290-0x0000000000400000-0x0000000000430000-memory.dmp family_blackmoon behavioral1/memory/920-270-0x0000000000400000-0x0000000000430000-memory.dmp family_blackmoon behavioral1/memory/1636-252-0x0000000000400000-0x0000000000430000-memory.dmp family_blackmoon behavioral1/memory/3052-237-0x0000000000400000-0x0000000000430000-memory.dmp family_blackmoon 
behavioral1/memory/1484-234-0x0000000000400000-0x0000000000430000-memory.dmp family_blackmoon behavioral1/memory/676-217-0x0000000000400000-0x0000000000430000-memory.dmp family_blackmoon behavioral1/memory/2840-208-0x0000000000400000-0x0000000000430000-memory.dmp family_blackmoon behavioral1/memory/2420-167-0x0000000000400000-0x0000000000430000-memory.dmp family_blackmoon behavioral1/memory/1940-151-0x0000000000400000-0x0000000000430000-memory.dmp family_blackmoon behavioral1/memory/1888-142-0x0000000000400000-0x0000000000430000-memory.dmp family_blackmoon behavioral1/memory/2792-121-0x0000000000400000-0x0000000000430000-memory.dmp family_blackmoon behavioral1/memory/2172-102-0x0000000000400000-0x0000000000430000-memory.dmp family_blackmoon behavioral1/memory/2896-85-0x0000000000400000-0x0000000000430000-memory.dmp family_blackmoon behavioral1/memory/2456-77-0x0000000000400000-0x0000000000430000-memory.dmp family_blackmoon behavioral1/memory/2584-69-0x0000000000220000-0x0000000000250000-memory.dmp family_blackmoon behavioral1/memory/2584-66-0x0000000000400000-0x0000000000430000-memory.dmp family_blackmoon behavioral1/memory/2628-64-0x0000000000400000-0x0000000000430000-memory.dmp family_blackmoon behavioral1/memory/2668-45-0x0000000000400000-0x0000000000430000-memory.dmp family_blackmoon behavioral1/memory/2592-29-0x0000000000400000-0x0000000000430000-memory.dmp family_blackmoon behavioral1/memory/2920-18-0x0000000000400000-0x0000000000430000-memory.dmp family_blackmoon behavioral1/memory/2876-7-0x0000000000400000-0x0000000000430000-memory.dmp family_blackmoon -
UPX dump on OEP (original entry point) 64 IoCs
Processes:
resource yara_rule \??\c:\xflxrxx.exe UPX \??\c:\pjvdj.exe UPX \??\c:\xrffxfl.exe UPX \??\c:\hhnhtb.exe UPX \??\c:\jdddv.exe UPX behavioral1/memory/1768-123-0x0000000000400000-0x0000000000430000-memory.dmp UPX C:\djpjp.exe UPX behavioral1/memory/2420-159-0x0000000000400000-0x0000000000430000-memory.dmp UPX C:\1jjjj.exe UPX \??\c:\xrxlrxl.exe UPX behavioral1/memory/960-219-0x0000000000400000-0x0000000000430000-memory.dmp UPX \??\c:\9rlfffr.exe UPX behavioral1/memory/1304-255-0x0000000000400000-0x0000000000430000-memory.dmp UPX C:\vpjpp.exe UPX behavioral1/memory/1512-297-0x0000000000400000-0x0000000000430000-memory.dmp UPX behavioral1/memory/2796-323-0x0000000000400000-0x0000000000430000-memory.dmp UPX behavioral1/memory/2756-338-0x0000000000400000-0x0000000000430000-memory.dmp UPX behavioral1/memory/2256-407-0x0000000000400000-0x0000000000430000-memory.dmp UPX behavioral1/memory/1372-485-0x0000000000400000-0x0000000000430000-memory.dmp UPX behavioral1/memory/1600-549-0x0000000000400000-0x0000000000430000-memory.dmp UPX behavioral1/memory/1988-564-0x0000000000400000-0x0000000000430000-memory.dmp UPX behavioral1/memory/3000-581-0x0000000000400000-0x0000000000430000-memory.dmp UPX behavioral1/memory/2320-682-0x0000000000400000-0x0000000000430000-memory.dmp UPX behavioral1/memory/2832-703-0x0000000000400000-0x0000000000430000-memory.dmp UPX behavioral1/memory/1636-742-0x0000000000400000-0x0000000000430000-memory.dmp UPX behavioral1/memory/1612-793-0x0000000000400000-0x0000000000430000-memory.dmp UPX behavioral1/memory/2656-813-0x0000000000400000-0x0000000000430000-memory.dmp UPX behavioral1/memory/2268-1211-0x0000000000400000-0x0000000000430000-memory.dmp UPX behavioral1/memory/804-1120-0x0000000000400000-0x0000000000430000-memory.dmp UPX behavioral1/memory/1052-1052-0x0000000000400000-0x0000000000430000-memory.dmp UPX behavioral1/memory/1000-1039-0x0000000000400000-0x0000000000430000-memory.dmp UPX 
behavioral1/memory/2380-952-0x0000000000400000-0x0000000000430000-memory.dmp UPX behavioral1/memory/2292-941-0x0000000000400000-0x0000000000430000-memory.dmp UPX behavioral1/memory/2228-908-0x0000000000400000-0x0000000000430000-memory.dmp UPX behavioral1/memory/2180-870-0x0000000000400000-0x0000000000430000-memory.dmp UPX behavioral1/memory/2540-806-0x0000000000400000-0x0000000000430000-memory.dmp UPX behavioral1/memory/1612-786-0x0000000000400000-0x0000000000430000-memory.dmp UPX behavioral1/memory/952-735-0x0000000000400000-0x0000000000430000-memory.dmp UPX behavioral1/memory/1648-722-0x0000000000400000-0x0000000000430000-memory.dmp UPX behavioral1/memory/2108-696-0x0000000000400000-0x0000000000430000-memory.dmp UPX behavioral1/memory/2280-690-0x0000000000400000-0x0000000000430000-memory.dmp UPX behavioral1/memory/2232-639-0x0000000000400000-0x0000000000430000-memory.dmp UPX behavioral1/memory/2968-626-0x0000000000400000-0x0000000000430000-memory.dmp UPX behavioral1/memory/2520-588-0x0000000000400000-0x0000000000430000-memory.dmp UPX behavioral1/memory/1188-548-0x0000000000400000-0x0000000000430000-memory.dmp UPX behavioral1/memory/2916-541-0x0000000000400000-0x0000000000430000-memory.dmp UPX behavioral1/memory/1980-522-0x0000000000400000-0x0000000000430000-memory.dmp UPX behavioral1/memory/1540-414-0x0000000000400000-0x0000000000430000-memory.dmp UPX behavioral1/memory/2284-364-0x0000000000400000-0x0000000000430000-memory.dmp UPX behavioral1/memory/2756-345-0x0000000000400000-0x0000000000430000-memory.dmp UPX behavioral1/memory/2796-331-0x0000000000400000-0x0000000000430000-memory.dmp UPX behavioral1/memory/1704-299-0x0000000000400000-0x0000000000430000-memory.dmp UPX behavioral1/memory/1512-290-0x0000000000400000-0x0000000000430000-memory.dmp UPX \??\c:\3fxxrfr.exe UPX \??\c:\rxllxfr.exe UPX behavioral1/memory/3024-280-0x0000000000400000-0x0000000000430000-memory.dmp UPX behavioral1/memory/920-270-0x0000000000400000-0x0000000000430000-memory.dmp UPX 
\??\c:\nnhbnb.exe UPX \??\c:\bthntt.exe UPX behavioral1/memory/1636-252-0x0000000000400000-0x0000000000430000-memory.dmp UPX \??\c:\lfxlflr.exe UPX behavioral1/memory/3052-237-0x0000000000400000-0x0000000000430000-memory.dmp UPX behavioral1/memory/1484-234-0x0000000000400000-0x0000000000430000-memory.dmp UPX \??\c:\jjdjv.exe UPX -
Executes dropped EXE 64 IoCs
Processes:
xflxrxx.exe llfrflx.exe nhtbtt.exe pjvdj.exe jdppv.exe xrffxfl.exe ffxlxfr.exe hhnhtb.exe pjdjv.exe jdddv.exe llfrflr.exe fflxrxl.exe 5nhhbh.exe 7dvvj.exe djpjp.exe 9rrxrxl.exe 9rlrffr.exe tttnth.exe 1jjjj.exe 7vjvj.exe xrxlrxl.exe rlfllrl.exe nhbbnn.exe bthnbb.exe jjdjv.exe 9rlfffr.exe lfxlflr.exe bthntt.exe nnhbnb.exe vpjpp.exe rxllxfr.exe 3fxxrfr.exe hnnhnh.exe tthbnn.exe vjppv.exe 7lrfrrr.exe lrfxfxx.exe 7hthtb.exe tntbhb.exe dvvjj.exe pjppv.exe llrflfl.exe nbtbhn.exe vpddp.exe fxxfffl.exe lxllrxf.exe btntnn.exe bbtbhn.exe pjdpp.exe ddpdp.exe rrfrxrf.exe hnbnhh.exe tbbhbh.exe vvjdj.exe 3pvdd.exe xrlrffl.exe 9xxllxx.exe 7hhntb.exe bbbtbh.exe vpvvj.exe 9vvdj.exe xrffrrl.exe rfrrxfl.exe hbbthn.exe
pid process
2920 xflxrxx.exe
2632 llfrflx.exe
2592 nhtbtt.exe
2668 pjvdj.exe
2580 jdppv.exe
2628 xrffxfl.exe
2584 ffxlxfr.exe
2456 hhnhtb.exe
2896 pjdjv.exe
2172 jdddv.exe
2684 llfrflr.exe
2792 fflxrxl.exe
1768 5nhhbh.exe
760 7dvvj.exe
1888 djpjp.exe
1940 9rrxrxl.exe
2420 9rlrffr.exe
1348 tttnth.exe
2040 1jjjj.exe
2096 7vjvj.exe
2316 xrxlrxl.exe
2840 rlfllrl.exe
676 nhbbnn.exe
960 bthnbb.exe
1484 jjdjv.exe
3052 9rlfffr.exe
1636 lfxlflr.exe
1304 bthntt.exe
920 nnhbnb.exe
2224 vpjpp.exe
3024 rxllxfr.exe
1512 3fxxrfr.exe
1704 hnnhnh.exe
2916 tthbnn.exe
2904 vjppv.exe
2368 7lrfrrr.exe
2796 lrfxfxx.exe
2604 7hthtb.exe
2756 tntbhb.exe
2908 dvvjj.exe
2440 pjppv.exe
2200 llrflfl.exe
2284 nbtbhn.exe
2516 vpddp.exe
2624 fxxfffl.exe
2900 lxllrxf.exe
2868 btntnn.exe
1224 bbtbhn.exe
1880 pjdpp.exe
2256 ddpdp.exe
1540 rrfrxrf.exe
2720 hnbnhh.exe
1332 tbbhbh.exe
2292 vvjdj.exe
2304 3pvdd.exe
2152 xrlrffl.exe
1792 9xxllxx.exe
2732 7hhntb.exe
676 bbbtbh.exe
1788 vpvvj.exe
1756 9vvdj.exe
1372 xrffrrl.exe
1836 rfrrxfl.exe
1984 hbbthn.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
ca7a3a2e07a6f18fbca558b47237f8df732a4e6f041cde9461679d2bfec1bc3d.exexflxrxx.exellfrflx.exenhtbtt.exepjvdj.exejdppv.exexrffxfl.exeffxlxfr.exehhnhtb.exepjdjv.exejdddv.exellfrflr.exefflxrxl.exe5nhhbh.exe7dvvj.exedjpjp.exedescription pid process target process PID 2876 wrote to memory of 2920 2876 ca7a3a2e07a6f18fbca558b47237f8df732a4e6f041cde9461679d2bfec1bc3d.exe xflxrxx.exe PID 2876 wrote to memory of 2920 2876 ca7a3a2e07a6f18fbca558b47237f8df732a4e6f041cde9461679d2bfec1bc3d.exe xflxrxx.exe PID 2876 wrote to memory of 2920 2876 ca7a3a2e07a6f18fbca558b47237f8df732a4e6f041cde9461679d2bfec1bc3d.exe xflxrxx.exe PID 2876 wrote to memory of 2920 2876 ca7a3a2e07a6f18fbca558b47237f8df732a4e6f041cde9461679d2bfec1bc3d.exe xflxrxx.exe PID 2920 wrote to memory of 2632 2920 xflxrxx.exe llfrflx.exe PID 2920 wrote to memory of 2632 2920 xflxrxx.exe llfrflx.exe PID 2920 wrote to memory of 2632 2920 xflxrxx.exe llfrflx.exe PID 2920 wrote to memory of 2632 2920 xflxrxx.exe llfrflx.exe PID 2632 wrote to memory of 2592 2632 llfrflx.exe pddjd.exe PID 2632 wrote to memory of 2592 2632 llfrflx.exe pddjd.exe PID 2632 wrote to memory of 2592 2632 llfrflx.exe pddjd.exe PID 2632 wrote to memory of 2592 2632 llfrflx.exe pddjd.exe PID 2592 wrote to memory of 2668 2592 nhtbtt.exe pjvdj.exe PID 2592 wrote to memory of 2668 2592 nhtbtt.exe pjvdj.exe PID 2592 wrote to memory of 2668 2592 nhtbtt.exe pjvdj.exe PID 2592 wrote to memory of 2668 2592 nhtbtt.exe pjvdj.exe PID 2668 wrote to memory of 2580 2668 pjvdj.exe jdppv.exe PID 2668 wrote to memory of 2580 2668 pjvdj.exe jdppv.exe PID 2668 wrote to memory of 2580 2668 pjvdj.exe jdppv.exe PID 2668 wrote to memory of 2580 2668 pjvdj.exe jdppv.exe PID 2580 wrote to memory of 2628 2580 jdppv.exe xrffxfl.exe PID 2580 wrote to memory of 2628 2580 jdppv.exe xrffxfl.exe PID 2580 wrote to memory of 2628 2580 jdppv.exe xrffxfl.exe PID 2580 wrote to memory of 2628 2580 jdppv.exe xrffxfl.exe PID 2628 wrote to memory of 2584 2628 xrffxfl.exe xxllxfx.exe PID 2628 
wrote to memory of 2584 2628 xrffxfl.exe xxllxfx.exe PID 2628 wrote to memory of 2584 2628 xrffxfl.exe xxllxfx.exe PID 2628 wrote to memory of 2584 2628 xrffxfl.exe xxllxfx.exe PID 2584 wrote to memory of 2456 2584 ffxlxfr.exe hhnhtb.exe PID 2584 wrote to memory of 2456 2584 ffxlxfr.exe hhnhtb.exe PID 2584 wrote to memory of 2456 2584 ffxlxfr.exe hhnhtb.exe PID 2584 wrote to memory of 2456 2584 ffxlxfr.exe hhnhtb.exe PID 2456 wrote to memory of 2896 2456 hhnhtb.exe pjdjv.exe PID 2456 wrote to memory of 2896 2456 hhnhtb.exe pjdjv.exe PID 2456 wrote to memory of 2896 2456 hhnhtb.exe pjdjv.exe PID 2456 wrote to memory of 2896 2456 hhnhtb.exe pjdjv.exe PID 2896 wrote to memory of 2172 2896 pjdjv.exe jdddv.exe PID 2896 wrote to memory of 2172 2896 pjdjv.exe jdddv.exe PID 2896 wrote to memory of 2172 2896 pjdjv.exe jdddv.exe PID 2896 wrote to memory of 2172 2896 pjdjv.exe jdddv.exe PID 2172 wrote to memory of 2684 2172 jdddv.exe llfrflr.exe PID 2172 wrote to memory of 2684 2172 jdddv.exe llfrflr.exe PID 2172 wrote to memory of 2684 2172 jdddv.exe llfrflr.exe PID 2172 wrote to memory of 2684 2172 jdddv.exe llfrflr.exe PID 2684 wrote to memory of 2792 2684 llfrflr.exe fflxrxl.exe PID 2684 wrote to memory of 2792 2684 llfrflr.exe fflxrxl.exe PID 2684 wrote to memory of 2792 2684 llfrflr.exe fflxrxl.exe PID 2684 wrote to memory of 2792 2684 llfrflr.exe fflxrxl.exe PID 2792 wrote to memory of 1768 2792 fflxrxl.exe 5nhhbh.exe PID 2792 wrote to memory of 1768 2792 fflxrxl.exe 5nhhbh.exe PID 2792 wrote to memory of 1768 2792 fflxrxl.exe 5nhhbh.exe PID 2792 wrote to memory of 1768 2792 fflxrxl.exe 5nhhbh.exe PID 1768 wrote to memory of 760 1768 5nhhbh.exe 7dvvj.exe PID 1768 wrote to memory of 760 1768 5nhhbh.exe 7dvvj.exe PID 1768 wrote to memory of 760 1768 5nhhbh.exe 7dvvj.exe PID 1768 wrote to memory of 760 1768 5nhhbh.exe 7dvvj.exe PID 760 wrote to memory of 1888 760 7dvvj.exe djpjp.exe PID 760 wrote to memory of 1888 760 7dvvj.exe djpjp.exe PID 760 wrote to memory of 1888 
760 7dvvj.exe djpjp.exe PID 760 wrote to memory of 1888 760 7dvvj.exe djpjp.exe PID 1888 wrote to memory of 1940 1888 djpjp.exe 9rrxrxl.exe PID 1888 wrote to memory of 1940 1888 djpjp.exe 9rrxrxl.exe PID 1888 wrote to memory of 1940 1888 djpjp.exe 9rrxrxl.exe PID 1888 wrote to memory of 1940 1888 djpjp.exe 9rrxrxl.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\ca7a3a2e07a6f18fbca558b47237f8df732a4e6f041cde9461679d2bfec1bc3d.exe"C:\Users\Admin\AppData\Local\Temp\ca7a3a2e07a6f18fbca558b47237f8df732a4e6f041cde9461679d2bfec1bc3d.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2876 -
\??\c:\xflxrxx.exec:\xflxrxx.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2920 -
\??\c:\llfrflx.exec:\llfrflx.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2632 -
\??\c:\nhtbtt.exec:\nhtbtt.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2592 -
\??\c:\pjvdj.exec:\pjvdj.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2668 -
\??\c:\jdppv.exec:\jdppv.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2580 -
\??\c:\xrffxfl.exec:\xrffxfl.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2628 -
\??\c:\ffxlxfr.exec:\ffxlxfr.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2584 -
\??\c:\hhnhtb.exec:\hhnhtb.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2456 -
\??\c:\pjdjv.exec:\pjdjv.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2896 -
\??\c:\jdddv.exec:\jdddv.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2172 -
\??\c:\llfrflr.exec:\llfrflr.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2684 -
\??\c:\fflxrxl.exec:\fflxrxl.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2792 -
\??\c:\5nhhbh.exec:\5nhhbh.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1768 -
\??\c:\7dvvj.exec:\7dvvj.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:760 -
\??\c:\djpjp.exec:\djpjp.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1888 -
\??\c:\9rrxrxl.exec:\9rrxrxl.exe17⤵
- Executes dropped EXE
PID:1940 -
\??\c:\9rlrffr.exec:\9rlrffr.exe18⤵
- Executes dropped EXE
PID:2420 -
\??\c:\tttnth.exec:\tttnth.exe19⤵
- Executes dropped EXE
PID:1348 -
\??\c:\1jjjj.exec:\1jjjj.exe20⤵
- Executes dropped EXE
PID:2040 -
\??\c:\7vjvj.exec:\7vjvj.exe21⤵
- Executes dropped EXE
PID:2096 -
\??\c:\xrxlrxl.exec:\xrxlrxl.exe22⤵
- Executes dropped EXE
PID:2316 -
\??\c:\rlfllrl.exec:\rlfllrl.exe23⤵
- Executes dropped EXE
PID:2840 -
\??\c:\nhbbnn.exec:\nhbbnn.exe24⤵
- Executes dropped EXE
PID:676 -
\??\c:\bthnbb.exec:\bthnbb.exe25⤵
- Executes dropped EXE
PID:960 -
\??\c:\jjdjv.exec:\jjdjv.exe26⤵
- Executes dropped EXE
PID:1484 -
\??\c:\9rlfffr.exec:\9rlfffr.exe27⤵
- Executes dropped EXE
PID:3052 -
\??\c:\lfxlflr.exec:\lfxlflr.exe28⤵
- Executes dropped EXE
PID:1636 -
\??\c:\bthntt.exec:\bthntt.exe29⤵
- Executes dropped EXE
PID:1304 -
\??\c:\nnhbnb.exec:\nnhbnb.exe30⤵
- Executes dropped EXE
PID:920 -
\??\c:\vpjpp.exec:\vpjpp.exe31⤵
- Executes dropped EXE
PID:2224 -
\??\c:\rxllxfr.exec:\rxllxfr.exe32⤵
- Executes dropped EXE
PID:3024 -
\??\c:\3fxxrfr.exec:\3fxxrfr.exe33⤵
- Executes dropped EXE
PID:1512 -
\??\c:\hnnhnh.exec:\hnnhnh.exe34⤵
- Executes dropped EXE
PID:1704 -
\??\c:\tthbnn.exec:\tthbnn.exe35⤵
- Executes dropped EXE
PID:2916 -
\??\c:\vjppv.exec:\vjppv.exe36⤵
- Executes dropped EXE
PID:2904 -
\??\c:\7lrfrrr.exec:\7lrfrrr.exe37⤵
- Executes dropped EXE
PID:2368 -
\??\c:\lrfxfxx.exec:\lrfxfxx.exe38⤵
- Executes dropped EXE
PID:2796 -
\??\c:\7hthtb.exec:\7hthtb.exe39⤵
- Executes dropped EXE
PID:2604 -
\??\c:\tntbhb.exec:\tntbhb.exe40⤵
- Executes dropped EXE
PID:2756 -
\??\c:\dvvjj.exec:\dvvjj.exe41⤵
- Executes dropped EXE
PID:2908 -
\??\c:\pjppv.exec:\pjppv.exe42⤵
- Executes dropped EXE
PID:2440 -
\??\c:\llrflfl.exec:\llrflfl.exe43⤵
- Executes dropped EXE
PID:2200 -
\??\c:\nbtbhn.exec:\nbtbhn.exe44⤵
- Executes dropped EXE
PID:2284 -
\??\c:\vpddp.exec:\vpddp.exe45⤵
- Executes dropped EXE
PID:2516 -
\??\c:\fxxfffl.exec:\fxxfffl.exe46⤵
- Executes dropped EXE
PID:2624 -
\??\c:\lxllrxf.exec:\lxllrxf.exe47⤵
- Executes dropped EXE
PID:2900 -
\??\c:\btntnn.exec:\btntnn.exe48⤵
- Executes dropped EXE
PID:2868 -
\??\c:\bbtbhn.exec:\bbtbhn.exe49⤵
- Executes dropped EXE
PID:1224 -
\??\c:\pjdpp.exec:\pjdpp.exe50⤵
- Executes dropped EXE
PID:1880 -
\??\c:\ddpdp.exec:\ddpdp.exe51⤵
- Executes dropped EXE
PID:2256 -
\??\c:\rrfrxrf.exec:\rrfrxrf.exe52⤵
- Executes dropped EXE
PID:1540 -
\??\c:\hnbnhh.exec:\hnbnhh.exe53⤵
- Executes dropped EXE
PID:2720 -
\??\c:\tbbhbh.exec:\tbbhbh.exe54⤵
- Executes dropped EXE
PID:1332 -
\??\c:\vvjdj.exec:\vvjdj.exe55⤵
- Executes dropped EXE
PID:2292 -
\??\c:\3pvdd.exec:\3pvdd.exe56⤵
- Executes dropped EXE
PID:2304 -
\??\c:\xrlrffl.exec:\xrlrffl.exe57⤵
- Executes dropped EXE
PID:2152 -
\??\c:\9xxllxx.exec:\9xxllxx.exe58⤵
- Executes dropped EXE
PID:1792 -
\??\c:\7hhntb.exec:\7hhntb.exe59⤵
- Executes dropped EXE
PID:2732 -
\??\c:\bbbtbh.exec:\bbbtbh.exe60⤵
- Executes dropped EXE
PID:676 -
\??\c:\vpvvj.exec:\vpvvj.exe61⤵
- Executes dropped EXE
PID:1788 -
\??\c:\9vvdj.exec:\9vvdj.exe62⤵
- Executes dropped EXE
PID:1756 -
\??\c:\xrffrrl.exec:\xrffrrl.exe63⤵
- Executes dropped EXE
PID:1372 -
\??\c:\rfrrxfl.exec:\rfrrxfl.exe64⤵
- Executes dropped EXE
PID:1836 -
\??\c:\hbbthn.exec:\hbbthn.exe65⤵
- Executes dropped EXE
PID:1984 -
\??\c:\hhthnn.exec:\hhthnn.exe66⤵PID:1188
-
\??\c:\vjppj.exec:\vjppj.exe67⤵PID:1040
-
\??\c:\dpvjp.exec:\dpvjp.exe68⤵PID:2080
-
\??\c:\jdvvj.exec:\jdvvj.exe69⤵PID:1980
-
\??\c:\xxxxlxl.exec:\xxxxlxl.exe70⤵PID:1708
-
\??\c:\rlxlrxf.exec:\rlxlrxf.exe71⤵PID:1704
-
\??\c:\bntntt.exec:\bntntt.exe72⤵PID:2916
-
\??\c:\nbbtbt.exec:\nbbtbt.exe73⤵PID:1600
-
\??\c:\7vjjj.exec:\7vjjj.exe74⤵PID:2656
-
\??\c:\pjpvj.exec:\pjpvj.exe75⤵PID:1988
-
\??\c:\rfffllx.exec:\rfffllx.exe76⤵PID:2808
-
\??\c:\xrflrxl.exec:\xrflrxl.exe77⤵PID:2760
-
\??\c:\9lxrrll.exec:\9lxrrll.exe78⤵PID:3000
-
\??\c:\hbbnbn.exec:\hbbnbn.exe79⤵PID:2520
-
\??\c:\tnhhbb.exec:\tnhhbb.exe80⤵PID:1168
-
\??\c:\ppjvj.exec:\ppjvj.exe81⤵PID:632
-
\??\c:\1xllxxx.exec:\1xllxxx.exe82⤵PID:1028
-
\??\c:\5lxrrlr.exec:\5lxrrlr.exe83⤵PID:2548
-
\??\c:\hbbhbh.exec:\hbbhbh.exe84⤵PID:2968
-
\??\c:\tnhtbn.exec:\tnhtbn.exe85⤵PID:2360
-
\??\c:\9jpvd.exec:\9jpvd.exe86⤵PID:2240
-
\??\c:\jdjjp.exec:\jdjjp.exe87⤵PID:2232
-
\??\c:\9xrrxfl.exec:\9xrrxfl.exe88⤵PID:1948
-
\??\c:\7rlrfrf.exec:\7rlrfrf.exe89⤵PID:2256
-
\??\c:\hhhnbn.exec:\hhhnbn.exe90⤵PID:2444
-
\??\c:\nhnnbh.exec:\nhnnbh.exe91⤵PID:2420
-
\??\c:\vpjpv.exec:\vpjpv.exe92⤵PID:2720
-
\??\c:\vpppv.exec:\vpppv.exe93⤵PID:2300
-
\??\c:\rfllrrx.exec:\rfllrrx.exe94⤵PID:2320
-
\??\c:\bhbtbn.exec:\bhbtbn.exe95⤵PID:2280
-
\??\c:\hthttn.exec:\hthttn.exe96⤵PID:2108
-
\??\c:\jppvp.exec:\jppvp.exe97⤵PID:2832
-
\??\c:\pdppp.exec:\pdppp.exe98⤵PID:688
-
\??\c:\9rrlffl.exec:\9rrlffl.exe99⤵PID:3016
-
\??\c:\5fxlxfr.exec:\5fxlxfr.exe100⤵PID:1648
-
\??\c:\bttbth.exec:\bttbth.exe101⤵PID:1568
-
\??\c:\vpjjp.exec:\vpjjp.exe102⤵PID:952
-
\??\c:\pjvpp.exec:\pjvpp.exe103⤵PID:1636
-
\??\c:\xrlfrxr.exec:\xrlfrxr.exe104⤵PID:2124
-
\??\c:\lfrxllr.exec:\lfrxllr.exe105⤵PID:1716
-
\??\c:\bbbhnb.exec:\bbbhnb.exe106⤵PID:2092
-
\??\c:\bbtbnb.exec:\bbtbnb.exe107⤵PID:2524
-
\??\c:\vpvdp.exec:\vpvdp.exe108⤵PID:2072
-
\??\c:\djpvd.exec:\djpvd.exe109⤵PID:3024
-
\??\c:\xrfrflf.exec:\xrfrflf.exe110⤵PID:1612
-
\??\c:\tnbhtb.exec:\tnbhtb.exe111⤵PID:956
-
\??\c:\ntnbhh.exec:\ntnbhh.exe112⤵PID:2960
-
\??\c:\dddpv.exec:\dddpv.exe113⤵PID:2540
-
\??\c:\vjppv.exec:\vjppv.exe114⤵PID:2656
-
\??\c:\ffrfxfl.exec:\ffrfxfl.exe115⤵PID:1988
-
\??\c:\fxxxxxf.exec:\fxxxxxf.exe116⤵PID:2628
-
\??\c:\bthbnn.exec:\bthbnn.exe117⤵PID:2760
-
\??\c:\btbbhh.exec:\btbbhh.exe118⤵PID:2464
-
\??\c:\5vvjp.exec:\5vvjp.exe119⤵PID:2520
-
\??\c:\7dpvv.exec:\7dpvv.exe120⤵PID:2120
-
\??\c:\7fflflx.exec:\7fflflx.exe121⤵PID:632
-
\??\c:\ffxxlrx.exec:\ffxxlrx.exe122⤵PID:1028
-