Analysis
-
max time kernel
150s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
arch:x64 arch:x86 image:win7-20240508-en locale:en-us os:windows7-x64 system -
submitted
21-06-2024 02:10
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
ab3cf9e9df728872a687646dc593ebfa5756f19c4adffe0dc100a48870bdafd0.exe
Resource
win7-20240508-en
6 signatures
150 seconds
General
-
Target
ab3cf9e9df728872a687646dc593ebfa5756f19c4adffe0dc100a48870bdafd0.exe
-
Size
722KB
-
MD5
fbdb7cc5708b9a4d61d75eb6d9de98e5
-
SHA1
d0afc046dcbeacad30667cebf96f195dc005f72d
-
SHA256
ab3cf9e9df728872a687646dc593ebfa5756f19c4adffe0dc100a48870bdafd0
-
SHA512
78bbd892f0c31a9dfe36213c58bb9ca49382e2dc3898d3b95bf0fec78a74fc21c7b962ea5fbee62062d928767062375841dc8ef9fd1388fcbc421e9e81dc0e95
-
SSDEEP
12288:n3C9yMo+S0L9xRnoq7H9xqYLzKoq73lRa2dBDZn:SgD4bhoqLDqYLzKoqTPn
Malware Config
Signatures
-
Detect Blackmoon payload 23 IoCs
UPX dump on OEP (original entry point) 24 IoCs
Executes dropped EXE 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\ab3cf9e9df728872a687646dc593ebfa5756f19c4adffe0dc100a48870bdafd0.exe"C:\Users\Admin\AppData\Local\Temp\ab3cf9e9df728872a687646dc593ebfa5756f19c4adffe0dc100a48870bdafd0.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2420 -
\??\c:\rlflxxf.exec:\rlflxxf.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2928 -
\??\c:\bbbhth.exec:\bbbhth.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1908 -
\??\c:\jjdjv.exec:\jjdjv.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2184 -
\??\c:\xrlrflr.exec:\xrlrflr.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2008 -
\??\c:\tnbhth.exec:\tnbhth.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2700 -
\??\c:\rfxxllf.exec:\rfxxllf.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2764 -
\??\c:\1vvdp.exec:\1vvdp.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2760 -
\??\c:\1hnhhb.exec:\1hnhhb.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2632 -
\??\c:\7tbntt.exec:\7tbntt.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2484 -
\??\c:\5pddp.exec:\5pddp.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2960 -
\??\c:\7thtth.exec:\7thtth.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1740 -
\??\c:\ppjjp.exec:\ppjjp.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2272 -
\??\c:\ntbbnt.exec:\ntbbnt.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1616 -
\??\c:\vpvdj.exec:\vpvdj.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1828 -
\??\c:\1bbhnt.exec:\1bbhnt.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:548 -
\??\c:\jjjvj.exec:\jjjvj.exe17⤵
- Executes dropped EXE
PID:1176 -
\??\c:\frlxfrx.exec:\frlxfrx.exe18⤵
- Executes dropped EXE
PID:860 -
\??\c:\bbhhhn.exec:\bbhhhn.exe19⤵
- Executes dropped EXE
PID:2644 -
\??\c:\pjddp.exec:\pjddp.exe20⤵
- Executes dropped EXE
PID:2816 -
\??\c:\jdppd.exec:\jdppd.exe21⤵
- Executes dropped EXE
PID:872 -
\??\c:\bbnnbn.exec:\bbnnbn.exe22⤵
- Executes dropped EXE
PID:2412 -
\??\c:\fxfrfxf.exec:\fxfrfxf.exe23⤵
- Executes dropped EXE
PID:2020 -
\??\c:\3jpvd.exec:\3jpvd.exe24⤵
- Executes dropped EXE
PID:3040 -
\??\c:\lxrxflr.exec:\lxrxflr.exe25⤵
- Executes dropped EXE
PID:1956 -
\??\c:\5pddv.exec:\5pddv.exe26⤵
- Executes dropped EXE
PID:772 -
\??\c:\1rfxxfr.exec:\1rfxxfr.exe27⤵
- Executes dropped EXE
PID:952 -
\??\c:\jjpvv.exec:\jjpvv.exe28⤵
- Executes dropped EXE
PID:2004 -
\??\c:\jjvdj.exec:\jjvdj.exe29⤵
- Executes dropped EXE
PID:948 -
\??\c:\3nthtt.exec:\3nthtt.exe30⤵
- Executes dropped EXE
PID:2344 -
\??\c:\7pdjj.exec:\7pdjj.exe31⤵
- Executes dropped EXE
PID:2188 -
\??\c:\7nbhhn.exec:\7nbhhn.exe32⤵
- Executes dropped EXE
PID:568 -
\??\c:\dvddj.exec:\dvddj.exe33⤵
- Executes dropped EXE
PID:292 -
\??\c:\tntbtb.exec:\tntbtb.exe34⤵
- Executes dropped EXE
PID:1004 -
\??\c:\vpjdj.exec:\vpjdj.exe35⤵
- Executes dropped EXE
PID:1532 -
\??\c:\1rfllxx.exec:\1rfllxx.exe36⤵
- Executes dropped EXE
PID:1732 -
\??\c:\bbtntt.exec:\bbtntt.exe37⤵
- Executes dropped EXE
PID:2928 -
\??\c:\7nbtbb.exec:\7nbtbb.exe38⤵
- Executes dropped EXE
PID:1648 -
\??\c:\pdppd.exec:\pdppd.exe39⤵
- Executes dropped EXE
PID:3000 -
\??\c:\fxfrxfl.exec:\fxfrxfl.exe40⤵
- Executes dropped EXE
PID:2596 -
\??\c:\rlxrflf.exec:\rlxrflf.exe41⤵
- Executes dropped EXE
PID:2620 -
\??\c:\hntnnn.exec:\hntnnn.exe42⤵
- Executes dropped EXE
PID:2888 -
\??\c:\pvddd.exec:\pvddd.exe43⤵
- Executes dropped EXE
PID:2592 -
\??\c:\xrlxlxl.exec:\xrlxlxl.exe44⤵
- Executes dropped EXE
PID:2848 -
\??\c:\nnnhbn.exec:\nnnhbn.exe45⤵
- Executes dropped EXE
PID:2512 -
\??\c:\jpdpd.exec:\jpdpd.exe46⤵
- Executes dropped EXE
PID:2464 -
\??\c:\xfflfxr.exec:\xfflfxr.exe47⤵
- Executes dropped EXE
PID:2540 -
\??\c:\vpvvj.exec:\vpvvj.exe48⤵
- Executes dropped EXE
PID:2964 -
\??\c:\5frxfrf.exec:\5frxfrf.exe49⤵
- Executes dropped EXE
PID:3012 -
\??\c:\9fflrxf.exec:\9fflrxf.exe50⤵
- Executes dropped EXE
PID:808 -
\??\c:\ntnttb.exec:\ntnttb.exe51⤵
- Executes dropped EXE
PID:2148 -
\??\c:\flllxlf.exec:\flllxlf.exe52⤵
- Executes dropped EXE
PID:2104 -
\??\c:\tnbnnn.exec:\tnbnnn.exe53⤵
- Executes dropped EXE
PID:1824 -
\??\c:\pppvv.exec:\pppvv.exe54⤵
- Executes dropped EXE
PID:1368 -
\??\c:\lrrxrlx.exec:\lrrxrlx.exe55⤵
- Executes dropped EXE
PID:2128 -
\??\c:\9frllff.exec:\9frllff.exe56⤵
- Executes dropped EXE
PID:844 -
\??\c:\nhhbbb.exec:\nhhbbb.exe57⤵
- Executes dropped EXE
PID:1684 -
\??\c:\vpjjv.exec:\vpjjv.exe58⤵
- Executes dropped EXE
PID:2656 -
\??\c:\xlxfffx.exec:\xlxfffx.exe59⤵
- Executes dropped EXE
PID:688 -
\??\c:\9tnbnt.exec:\9tnbnt.exe60⤵
- Executes dropped EXE
PID:1244 -
\??\c:\jddjv.exec:\jddjv.exe61⤵
- Executes dropped EXE
PID:1400 -
\??\c:\5lxxflr.exec:\5lxxflr.exe62⤵
- Executes dropped EXE
PID:1112 -
\??\c:\1tbbbb.exec:\1tbbbb.exe63⤵
- Executes dropped EXE
PID:2100 -
\??\c:\tththh.exec:\tththh.exe64⤵
- Executes dropped EXE
PID:1040 -
\??\c:\ppdjv.exec:\ppdjv.exe65⤵
- Executes dropped EXE
PID:2024 -
\??\c:\rlxfrfl.exec:\rlxfrfl.exe66⤵PID:1956
-
\??\c:\bhhttb.exec:\bhhttb.exe67⤵PID:772
-
\??\c:\dvvdp.exec:\dvvdp.exe68⤵PID:1980
-
\??\c:\xrfllxl.exec:\xrfllxl.exe69⤵PID:764
-
\??\c:\xfrlxfl.exec:\xfrlxfl.exe70⤵PID:2348
-
\??\c:\nththb.exec:\nththb.exe71⤵PID:3016
-
\??\c:\pjpvp.exec:\pjpvp.exe72⤵PID:2084
-
\??\c:\lfxlrrf.exec:\lfxlrrf.exe73⤵PID:1808
-
\??\c:\5htthh.exec:\5htthh.exe74⤵PID:2276
-
\??\c:\1pdvd.exec:\1pdvd.exe75⤵PID:2168
-
\??\c:\pjvvj.exec:\pjvvj.exe76⤵PID:1528
-
\??\c:\rfflxxf.exec:\rfflxxf.exe77⤵PID:1928
-
\??\c:\hbnnnn.exec:\hbnnnn.exe78⤵PID:2988
-
\??\c:\jjdjp.exec:\jjdjp.exe79⤵PID:3004
-
\??\c:\7rllrrx.exec:\7rllrrx.exe80⤵PID:1908
-
\??\c:\3ttbht.exec:\3ttbht.exe81⤵PID:2872
-
\??\c:\tnhhbn.exec:\tnhhbn.exe82⤵PID:2560
-
\??\c:\jvdjp.exec:\jvdjp.exe83⤵PID:2616
-
\??\c:\rrllxlx.exec:\rrllxlx.exe84⤵PID:2752
-
\??\c:\hhtthn.exec:\hhtthn.exe85⤵PID:2884
-
\??\c:\jjdpd.exec:\jjdpd.exe86⤵PID:2584
-
\??\c:\9xffllr.exec:\9xffllr.exe87⤵PID:2848
-
\??\c:\rlxlxxl.exec:\rlxlxxl.exe88⤵PID:2508
-
\??\c:\tnbhnb.exec:\tnbhnb.exe89⤵PID:2464
-
\??\c:\5jvvd.exec:\5jvvd.exe90⤵PID:2956
-
\??\c:\rlrflxf.exec:\rlrflxf.exe91⤵PID:2964
-
\??\c:\xrlxrrx.exec:\xrlxrrx.exe92⤵PID:1712
-
\??\c:\hbttbb.exec:\hbttbb.exe93⤵PID:808
-
\??\c:\pjvvj.exec:\pjvvj.exe94⤵PID:1356
-
\??\c:\ffrxfrf.exec:\ffrxfrf.exe95⤵PID:2104
-
\??\c:\nhntnt.exec:\nhntnt.exe96⤵PID:2144
-
\??\c:\dpvpj.exec:\dpvpj.exe97⤵PID:1452
-
\??\c:\rxrfrfl.exec:\rxrfrfl.exe98⤵PID:1176
-
\??\c:\ntnnbh.exec:\ntnnbh.exe99⤵PID:1552
-
\??\c:\rrxxlrf.exec:\rrxxlrf.exe100⤵PID:2724
-
\??\c:\hbbbnh.exec:\hbbbnh.exe101⤵PID:2536
-
\??\c:\jvjpv.exec:\jvjpv.exe102⤵PID:332
-
\??\c:\rlxlrfr.exec:\rlxlrfr.exe103⤵PID:1244
-
\??\c:\bthnnh.exec:\bthnnh.exe104⤵PID:836
-
\??\c:\5pdvj.exec:\5pdvj.exe105⤵PID:1112
-
\??\c:\jjvdj.exec:\jjvdj.exe106⤵PID:3048
-
\??\c:\lflrfll.exec:\lflrfll.exe107⤵PID:444
-
\??\c:\btnhth.exec:\btnhth.exe108⤵PID:1992
-
\??\c:\dpvdj.exec:\dpvdj.exe109⤵PID:1956
-
\??\c:\rrlxfrf.exec:\rrlxfrf.exe110⤵PID:356
-
\??\c:\hthbhb.exec:\hthbhb.exe111⤵PID:1980
-
\??\c:\1pvdj.exec:\1pvdj.exe112⤵PID:2004
-
\??\c:\jjpvd.exec:\jjpvd.exe113⤵PID:2348
-
\??\c:\lffrflr.exec:\lffrflr.exe114⤵PID:2208
-
\??\c:\tththh.exec:\tththh.exe115⤵PID:2084
-
\??\c:\jdpjd.exec:\jdpjd.exe116⤵PID:1808
-
\??\c:\fflrrlr.exec:\fflrrlr.exe117⤵PID:2276
-
\??\c:\fxllxrx.exec:\fxllxrx.exe118⤵PID:1204
-
\??\c:\btnhtn.exec:\btnhtn.exe119⤵PID:1644
-
\??\c:\3dddd.exec:\3dddd.exe120⤵PID:1660
-
\??\c:\9frrlxf.exec:\9frrlxf.exe121⤵PID:2988
-
\??\c:\tbbnth.exec:\tbbnth.exe122⤵PID:1732