Analysis
-
max time kernel
150s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
arch:x64 arch:x86 image:win7-20231129-en locale:en-us os:windows7-x64 system -
submitted
06-06-2024 06:27
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
cdc4abe407610ab8d5c1aa44f219293da0b63a4155aceb09c48bce6ec4c55a30.exe
Resource
win7-20231129-en
6 signatures
150 seconds
General
-
Target
cdc4abe407610ab8d5c1aa44f219293da0b63a4155aceb09c48bce6ec4c55a30.exe
-
Size
83KB
-
MD5
f9d9ea898558d780190e26db3713a318
-
SHA1
1e73ce7f7318a5b36243b3f3a7e5e0c1552f9c20
-
SHA256
cdc4abe407610ab8d5c1aa44f219293da0b63a4155aceb09c48bce6ec4c55a30
-
SHA512
0c1219381966ccd0243f19b52d49e734e5cecbb556855c9ea9f543f4b56cd9dca14e4163f1d5ae4f4460220e401ebb1aa256107d49ec0ebad68f6130efd1e6d7
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDInWeNCYGyA2R7JkZPsv7w:ymb3NkkiQ3mdBjFIWeFGyA9Pz
Malware Config
Signatures
-
Detect Blackmoon payload 24 IoCs
UPX dump on OEP (original entry point) 31 IoCs
Executes dropped EXE 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\cdc4abe407610ab8d5c1aa44f219293da0b63a4155aceb09c48bce6ec4c55a30.exe"C:\Users\Admin\AppData\Local\Temp\cdc4abe407610ab8d5c1aa44f219293da0b63a4155aceb09c48bce6ec4c55a30.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2060 -
\??\c:\bththh.exec:\bththh.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2728 -
\??\c:\pjdpd.exec:\pjdpd.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3060 -
\??\c:\3pvdp.exec:\3pvdp.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2788 -
\??\c:\lllxllf.exec:\lllxllf.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2720 -
\??\c:\lfrxlrl.exec:\lfrxlrl.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3040 -
\??\c:\5xxfxfl.exec:\5xxfxfl.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2468 -
\??\c:\nnbnnn.exec:\nnbnnn.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2500 -
\??\c:\tnntnt.exec:\tnntnt.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1524 -
\??\c:\vvpvv.exec:\vvpvv.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1340 -
\??\c:\jjdjd.exec:\jjdjd.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:948 -
\??\c:\jjdvj.exec:\jjdvj.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2316 -
\??\c:\fllllrf.exec:\fllllrf.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:636 -
\??\c:\bnnnnb.exec:\bnnnnb.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1812 -
\??\c:\htbhhn.exec:\htbhhn.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1068 -
\??\c:\ppjpv.exec:\ppjpv.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2812 -
\??\c:\1jvjv.exec:\1jvjv.exe17⤵
- Executes dropped EXE
PID:1192 -
\??\c:\fflxlrf.exec:\fflxlrf.exe18⤵
- Executes dropped EXE
PID:2372 -
\??\c:\lfflxfr.exec:\lfflxfr.exe19⤵
- Executes dropped EXE
PID:2852 -
\??\c:\hhthtt.exec:\hhthtt.exe20⤵
- Executes dropped EXE
PID:1928 -
\??\c:\3hbntb.exec:\3hbntb.exe21⤵
- Executes dropped EXE
PID:1656 -
\??\c:\vpppv.exec:\vpppv.exe22⤵
- Executes dropped EXE
PID:488 -
\??\c:\pjdpj.exec:\pjdpj.exe23⤵
- Executes dropped EXE
PID:1368 -
\??\c:\lllxflf.exec:\lllxflf.exe24⤵
- Executes dropped EXE
PID:2544 -
\??\c:\rlllffl.exec:\rlllffl.exe25⤵
- Executes dropped EXE
PID:448 -
\??\c:\ttnnhn.exec:\ttnnhn.exe26⤵
- Executes dropped EXE
PID:2292 -
\??\c:\hbnthn.exec:\hbnthn.exe27⤵
- Executes dropped EXE
PID:952 -
\??\c:\ddvjd.exec:\ddvjd.exe28⤵
- Executes dropped EXE
PID:2360 -
\??\c:\vppjd.exec:\vppjd.exe29⤵
- Executes dropped EXE
PID:864 -
\??\c:\5rfrrxf.exec:\5rfrrxf.exe30⤵
- Executes dropped EXE
PID:620 -
\??\c:\ffxrlxr.exec:\ffxrlxr.exe31⤵
- Executes dropped EXE
PID:908 -
\??\c:\bttttt.exec:\bttttt.exe32⤵
- Executes dropped EXE
PID:2236 -
\??\c:\nhnthh.exec:\nhnthh.exe33⤵
- Executes dropped EXE
PID:2728 -
\??\c:\vvpvv.exec:\vvpvv.exe34⤵
- Executes dropped EXE
PID:2860 -
\??\c:\jjddj.exec:\jjddj.exe35⤵
- Executes dropped EXE
PID:2576 -
\??\c:\rxxlxfl.exec:\rxxlxfl.exe36⤵
- Executes dropped EXE
PID:2552 -
\??\c:\5ffxflx.exec:\5ffxflx.exe37⤵
- Executes dropped EXE
PID:2640 -
\??\c:\hbhnbn.exec:\hbhnbn.exe38⤵
- Executes dropped EXE
PID:2820 -
\??\c:\bthntb.exec:\bthntb.exe39⤵
- Executes dropped EXE
PID:2444 -
\??\c:\1ttbbh.exec:\1ttbbh.exe40⤵
- Executes dropped EXE
PID:2848 -
\??\c:\jvjvj.exec:\jvjvj.exe41⤵
- Executes dropped EXE
PID:3004 -
\??\c:\pdvvv.exec:\pdvvv.exe42⤵
- Executes dropped EXE
PID:1996 -
\??\c:\fxflrrx.exec:\fxflrrx.exe43⤵
- Executes dropped EXE
PID:944 -
\??\c:\rfrrfxf.exec:\rfrrfxf.exe44⤵
- Executes dropped EXE
PID:2516 -
\??\c:\hhtthh.exec:\hhtthh.exe45⤵
- Executes dropped EXE
PID:1620 -
\??\c:\5nnbbt.exec:\5nnbbt.exe46⤵
- Executes dropped EXE
PID:2044 -
\??\c:\9jddj.exec:\9jddj.exe47⤵
- Executes dropped EXE
PID:2680 -
\??\c:\dvpvv.exec:\dvpvv.exe48⤵
- Executes dropped EXE
PID:2620 -
\??\c:\pdjjj.exec:\pdjjj.exe49⤵
- Executes dropped EXE
PID:2664 -
\??\c:\5jvdd.exec:\5jvdd.exe50⤵
- Executes dropped EXE
PID:856 -
\??\c:\frfxrrf.exec:\frfxrrf.exe51⤵
- Executes dropped EXE
PID:2536 -
\??\c:\fxlxflf.exec:\fxlxflf.exe52⤵
- Executes dropped EXE
PID:1100 -
\??\c:\rrfflrx.exec:\rrfflrx.exe53⤵
- Executes dropped EXE
PID:2764 -
\??\c:\nnbntt.exec:\nnbntt.exe54⤵
- Executes dropped EXE
PID:1740 -
\??\c:\1bntnh.exec:\1bntnh.exe55⤵
- Executes dropped EXE
PID:1648 -
\??\c:\pjvvv.exec:\pjvvv.exe56⤵
- Executes dropped EXE
PID:540 -
\??\c:\pjvdp.exec:\pjvdp.exe57⤵
- Executes dropped EXE
PID:240 -
\??\c:\lxxllff.exec:\lxxllff.exe58⤵
- Executes dropped EXE
PID:1120 -
\??\c:\5xlllll.exec:\5xlllll.exe59⤵
- Executes dropped EXE
PID:2752 -
\??\c:\rlrlfll.exec:\rlrlfll.exe60⤵
- Executes dropped EXE
PID:1368 -
\??\c:\lfrxffl.exec:\lfrxffl.exe61⤵
- Executes dropped EXE
PID:860 -
\??\c:\nbbhnn.exec:\nbbhnn.exe62⤵
- Executes dropped EXE
PID:1904 -
\??\c:\thttbh.exec:\thttbh.exe63⤵
- Executes dropped EXE
PID:2940 -
\??\c:\9bnntt.exec:\9bnntt.exe64⤵
- Executes dropped EXE
PID:968 -
\??\c:\3dvjj.exec:\3dvjj.exe65⤵
- Executes dropped EXE
PID:2008 -
\??\c:\3pvvp.exec:\3pvvp.exe66⤵PID:2360
-
\??\c:\pdjjv.exec:\pdjjv.exe67⤵PID:2836
-
\??\c:\1fxlrrr.exec:\1fxlrrr.exe68⤵PID:2328
-
\??\c:\rxffxrx.exec:\rxffxrx.exe69⤵PID:2532
-
\??\c:\lrxrrlf.exec:\lrxrrlf.exe70⤵PID:908
-
\??\c:\1nbhnn.exec:\1nbhnn.exe71⤵PID:2236
-
\??\c:\bttbnh.exec:\bttbnh.exe72⤵PID:2728
-
\??\c:\9ttntt.exec:\9ttntt.exe73⤵PID:2108
-
\??\c:\vjvpp.exec:\vjvpp.exe74⤵PID:2652
-
\??\c:\jvjdd.exec:\jvjdd.exe75⤵PID:2704
-
\??\c:\3pjjv.exec:\3pjjv.exe76⤵PID:2552
-
\??\c:\pdpjp.exec:\pdpjp.exe77⤵PID:2116
-
\??\c:\7llxlrl.exec:\7llxlrl.exe78⤵PID:2052
-
\??\c:\llfrlrx.exec:\llfrlrx.exe79⤵PID:2820
-
\??\c:\lfrxxfr.exec:\lfrxxfr.exe80⤵PID:2444
-
\??\c:\1ttnbn.exec:\1ttnbn.exe81⤵PID:2364
-
\??\c:\nnbbnh.exec:\nnbbnh.exe82⤵PID:2972
-
\??\c:\dpdvv.exec:\dpdvv.exe83⤵PID:1268
-
\??\c:\pvjjp.exec:\pvjjp.exe84⤵PID:2168
-
\??\c:\dppjj.exec:\dppjj.exe85⤵PID:1468
-
\??\c:\xrxxllx.exec:\xrxxllx.exe86⤵PID:2756
-
\??\c:\9lllrlr.exec:\9lllrlr.exe87⤵PID:1448
-
\??\c:\fxfllfl.exec:\fxfllfl.exe88⤵PID:1756
-
\??\c:\5hthth.exec:\5hthth.exe89⤵PID:2460
-
\??\c:\bntbtt.exec:\bntbtt.exe90⤵PID:1680
-
\??\c:\htbhnn.exec:\htbhnn.exe91⤵PID:2508
-
\??\c:\pjdpd.exec:\pjdpd.exe92⤵PID:1768
-
\??\c:\dpdpd.exec:\dpdpd.exe93⤵PID:2856
-
\??\c:\ttnnhh.exec:\ttnnhh.exe94⤵PID:1964
-
\??\c:\nhthnn.exec:\nhthnn.exe95⤵PID:2248
-
\??\c:\nhtbbt.exec:\nhtbbt.exe96⤵PID:1888
-
\??\c:\bnhhnn.exec:\bnhhnn.exe97⤵PID:596
-
\??\c:\dvjvv.exec:\dvjvv.exe98⤵PID:1160
-
\??\c:\dpvjd.exec:\dpvjd.exe99⤵PID:2424
-
\??\c:\djpjj.exec:\djpjj.exe100⤵PID:1120
-
\??\c:\frxlxxf.exec:\frxlxxf.exe101⤵PID:2100
-
\??\c:\lfrxffl.exec:\lfrxffl.exe102⤵PID:2544
-
\??\c:\5xxffff.exec:\5xxffff.exe103⤵PID:448
-
\??\c:\ffrrlfx.exec:\ffrrlfx.exe104⤵PID:1904
-
\??\c:\3bnnbt.exec:\3bnnbt.exe105⤵PID:2868
-
\??\c:\tnhbtn.exec:\tnhbtn.exe106⤵PID:588
-
\??\c:\nbtbtb.exec:\nbtbtb.exe107⤵PID:2408
-
\??\c:\1thnth.exec:\1thnth.exe108⤵PID:3068
-
\??\c:\dpppd.exec:\dpppd.exe109⤵PID:2672
-
\??\c:\pvdpv.exec:\pvdpv.exe110⤵PID:2252
-
\??\c:\pdjdp.exec:\pdjdp.exe111⤵PID:1128
-
\??\c:\fxffxxf.exec:\fxffxxf.exe112⤵PID:908
-
\??\c:\lfxfxfx.exec:\lfxfxfx.exe113⤵PID:2144
-
\??\c:\rlxflfx.exec:\rlxflfx.exe114⤵PID:1240
-
\??\c:\5bthhb.exec:\5bthhb.exe115⤵PID:2576
-
\??\c:\htbbtt.exec:\htbbtt.exe116⤵PID:2716
-
\??\c:\bhtbtt.exec:\bhtbtt.exe117⤵PID:2480
-
\??\c:\pjpdv.exec:\pjpdv.exe118⤵PID:3040
-
\??\c:\vpddj.exec:\vpddj.exe119⤵PID:2116
-
\??\c:\pjvvd.exec:\pjvvd.exe120⤵PID:2512
-
\??\c:\9fxrxxf.exec:\9fxrxxf.exe121⤵PID:2952
-
\??\c:\lfxflff.exec:\lfxflff.exe122⤵PID:2956