Analysis
max time kernel: 150s
max time network: 118s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 21-06-2024 04:54
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
e94755e57e3a7bb156665a02c3d31aa8b54260120ab6feeecd804579696d4b95.exe
Resource
win7-20240508-en
6 signatures
150 seconds
General
Target: e94755e57e3a7bb156665a02c3d31aa8b54260120ab6feeecd804579696d4b95.exe
Size: 307KB
MD5: b295f77a09287a47c4e99001615ba867
SHA1: 091ebd70a4a514093a3460a1fa7cff574bcb01f3
SHA256: e94755e57e3a7bb156665a02c3d31aa8b54260120ab6feeecd804579696d4b95
SHA512: 84308dd2cd585c5a2a2ee89a3fd0ea14958f45c439bf20e899453d2f8e1fc520e28b13bf72de44ee5f2454642951d2d11bf6958ea7d9124a8deaa0583d82afe9
SSDEEP: 6144:n3C9BRo/AIuuOthLmH403Pyr6UWO6jUl7sPgvwN9:n3C9uDVOXLmHBKWyn+Pgvu9
Malware Config
Signatures
-
Detect Blackmoon payload 23 IoCs
UPX dump on OEP (original entry point) 29 IoCs
Executes dropped EXE 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\e94755e57e3a7bb156665a02c3d31aa8b54260120ab6feeecd804579696d4b95.exe"C:\Users\Admin\AppData\Local\Temp\e94755e57e3a7bb156665a02c3d31aa8b54260120ab6feeecd804579696d4b95.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2220 -
\??\c:\1xlllrx.exec:\1xlllrx.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1920 -
\??\c:\5thhnt.exec:\5thhnt.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1632 -
\??\c:\5vjjj.exec:\5vjjj.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2620 -
\??\c:\nhbbbb.exec:\nhbbbb.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2720 -
\??\c:\9dppp.exec:\9dppp.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2672 -
\??\c:\lxrlxrx.exec:\lxrlxrx.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2532 -
\??\c:\bhbhnt.exec:\bhbhnt.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2684 -
\??\c:\jdpvd.exec:\jdpvd.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2580 -
\??\c:\xfrxxxf.exec:\xfrxxxf.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1948 -
\??\c:\1vvpv.exec:\1vvpv.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2964 -
\??\c:\9fxffff.exec:\9fxffff.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2976 -
\??\c:\xllrxxr.exec:\xllrxxr.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2740 -
\??\c:\dvvdj.exec:\dvvdj.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2160 -
\??\c:\3rfffxf.exec:\3rfffxf.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1332 -
\??\c:\hbbhnb.exec:\hbbhnb.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2760 -
\??\c:\dvjjj.exec:\dvjjj.exe17⤵
- Executes dropped EXE
PID:2868 -
\??\c:\3frxlxf.exec:\3frxlxf.exe18⤵
- Executes dropped EXE
PID:272 -
\??\c:\nbhhhh.exec:\nbhhhh.exe19⤵
- Executes dropped EXE
PID:1912 -
\??\c:\1lxffrx.exec:\1lxffrx.exe20⤵
- Executes dropped EXE
PID:1688 -
\??\c:\5nthhn.exec:\5nthhn.exe21⤵
- Executes dropped EXE
PID:768 -
\??\c:\1dpvj.exec:\1dpvj.exe22⤵
- Executes dropped EXE
PID:580 -
\??\c:\fxrrfxx.exec:\fxrrfxx.exe23⤵
- Executes dropped EXE
PID:1744 -
\??\c:\thtbhh.exec:\thtbhh.exe24⤵
- Executes dropped EXE
PID:1544 -
\??\c:\jvjdp.exec:\jvjdp.exe25⤵
- Executes dropped EXE
PID:1516 -
\??\c:\lxlflll.exec:\lxlflll.exe26⤵
- Executes dropped EXE
PID:2364 -
\??\c:\nbbbbb.exec:\nbbbbb.exe27⤵
- Executes dropped EXE
PID:316 -
\??\c:\vpdpp.exec:\vpdpp.exe28⤵
- Executes dropped EXE
PID:944 -
\??\c:\9fxflrx.exec:\9fxflrx.exe29⤵
- Executes dropped EXE
PID:1960 -
\??\c:\jjdjp.exec:\jjdjp.exe30⤵
- Executes dropped EXE
PID:2012 -
\??\c:\pjdpp.exec:\pjdpp.exe31⤵
- Executes dropped EXE
PID:904 -
\??\c:\tnbnbh.exec:\tnbnbh.exe32⤵
- Executes dropped EXE
PID:2180 -
\??\c:\bnhhtt.exec:\bnhhtt.exe33⤵
- Executes dropped EXE
PID:2416 -
\??\c:\llxlrxf.exec:\llxlrxf.exe34⤵
- Executes dropped EXE
PID:2172 -
\??\c:\3xxfllx.exec:\3xxfllx.exe35⤵
- Executes dropped EXE
PID:1612 -
\??\c:\tnbnbn.exec:\tnbnbn.exe36⤵
- Executes dropped EXE
PID:2408 -
\??\c:\1jdjv.exec:\1jdjv.exe37⤵
- Executes dropped EXE
PID:2248 -
\??\c:\jpjjv.exec:\jpjjv.exe38⤵
- Executes dropped EXE
PID:2644 -
\??\c:\frffrxf.exec:\frffrxf.exe39⤵
- Executes dropped EXE
PID:2376 -
\??\c:\9thnnh.exec:\9thnnh.exe40⤵
- Executes dropped EXE
PID:3008 -
\??\c:\hhthnt.exec:\hhthnt.exe41⤵
- Executes dropped EXE
PID:2664 -
\??\c:\vdpvd.exec:\vdpvd.exe42⤵
- Executes dropped EXE
PID:2076 -
\??\c:\3xllxfr.exec:\3xllxfr.exe43⤵
- Executes dropped EXE
PID:2800 -
\??\c:\hhbnbh.exec:\hhbnbh.exe44⤵
- Executes dropped EXE
PID:2532 -
\??\c:\dvvjd.exec:\dvvjd.exe45⤵
- Executes dropped EXE
PID:2508 -
\??\c:\5pvjd.exec:\5pvjd.exe46⤵
- Executes dropped EXE
PID:2552 -
\??\c:\lllxrrl.exec:\lllxrrl.exe47⤵
- Executes dropped EXE
PID:2168 -
\??\c:\hhhhtt.exec:\hhhhtt.exe48⤵
- Executes dropped EXE
PID:2896 -
\??\c:\9nbntb.exec:\9nbntb.exe49⤵
- Executes dropped EXE
PID:3064 -
\??\c:\jdvdj.exec:\jdvdj.exe50⤵
- Executes dropped EXE
PID:2960 -
\??\c:\3xrfllx.exec:\3xrfllx.exe51⤵
- Executes dropped EXE
PID:1400 -
\??\c:\btnbnt.exec:\btnbnt.exe52⤵
- Executes dropped EXE
PID:1272 -
\??\c:\pddpv.exec:\pddpv.exe53⤵
- Executes dropped EXE
PID:2312 -
\??\c:\1vvjj.exec:\1vvjj.exe54⤵
- Executes dropped EXE
PID:2764 -
\??\c:\5rlllrl.exec:\5rlllrl.exe55⤵
- Executes dropped EXE
PID:2892 -
\??\c:\rrrxlxr.exec:\rrrxlxr.exe56⤵
- Executes dropped EXE
PID:2140 -
\??\c:\7nnnnt.exec:\7nnnnt.exe57⤵
- Executes dropped EXE
PID:2144 -
\??\c:\5pjvj.exec:\5pjvj.exe58⤵
- Executes dropped EXE
PID:372 -
\??\c:\xrxxflr.exec:\xrxxflr.exe59⤵
- Executes dropped EXE
PID:3024 -
\??\c:\1xxfllx.exec:\1xxfllx.exe60⤵
- Executes dropped EXE
PID:660 -
\??\c:\hbhnbh.exec:\hbhnbh.exe61⤵
- Executes dropped EXE
PID:1724 -
\??\c:\dddpd.exec:\dddpd.exe62⤵
- Executes dropped EXE
PID:1652 -
\??\c:\jdddp.exec:\jdddp.exe63⤵
- Executes dropped EXE
PID:2008 -
\??\c:\lfrxrrl.exec:\lfrxrrl.exe64⤵
- Executes dropped EXE
PID:2124 -
\??\c:\bnbhbb.exec:\bnbhbb.exe65⤵
- Executes dropped EXE
PID:2480 -
\??\c:\pdvvd.exec:\pdvvd.exe66⤵PID:548
-
\??\c:\pjdpp.exec:\pjdpp.exe67⤵PID:1560
-
\??\c:\lffflxl.exec:\lffflxl.exe68⤵PID:1336
-
\??\c:\xxlrxfr.exec:\xxlrxfr.exe69⤵PID:2356
-
\??\c:\nhntbb.exec:\nhntbb.exe70⤵PID:1956
-
\??\c:\1pppd.exec:\1pppd.exe71⤵PID:2096
-
\??\c:\vpjvv.exec:\vpjvv.exe72⤵PID:3000
-
\??\c:\fxllrlr.exec:\fxllrlr.exe73⤵PID:2012
-
\??\c:\1frxxll.exec:\1frxxll.exe74⤵PID:2252
-
\??\c:\bnhnnt.exec:\bnhnnt.exe75⤵PID:828
-
\??\c:\ddvjp.exec:\ddvjp.exe76⤵PID:2016
-
\??\c:\jjvpd.exec:\jjvpd.exe77⤵PID:2220
-
\??\c:\ffrxlxf.exec:\ffrxlxf.exe78⤵PID:2420
-
\??\c:\ttnhbn.exec:\ttnhbn.exe79⤵PID:2372
-
\??\c:\9bthtt.exec:\9bthtt.exe80⤵PID:2828
-
\??\c:\jdvjj.exec:\jdvjj.exe81⤵PID:1196
-
\??\c:\jjvjv.exec:\jjvjv.exe82⤵PID:2704
-
\??\c:\1xlrxxf.exec:\1xlrxxf.exe83⤵PID:2636
-
\??\c:\9tnbtt.exec:\9tnbtt.exe84⤵PID:2796
-
\??\c:\tnhhbb.exec:\tnhhbb.exe85⤵PID:2812
-
\??\c:\pvjpd.exec:\pvjpd.exe86⤵PID:2564
-
\??\c:\5vjdj.exec:\5vjdj.exe87⤵PID:2540
-
\??\c:\rrflrxf.exec:\rrflrxf.exe88⤵PID:2240
-
\??\c:\tnthtb.exec:\tnthtb.exe89⤵PID:2100
-
\??\c:\9pdjj.exec:\9pdjj.exe90⤵PID:2948
-
\??\c:\vpdvd.exec:\vpdvd.exe91⤵PID:2780
-
\??\c:\7xrfllr.exec:\7xrfllr.exe92⤵PID:1256
-
\??\c:\xrxxffl.exec:\xrxxffl.exe93⤵PID:2136
-
\??\c:\thtbbn.exec:\thtbbn.exe94⤵PID:1308
-
\??\c:\pdppv.exec:\pdppv.exe95⤵PID:1448
-
\??\c:\ppjjv.exec:\ppjjv.exe96⤵PID:1292
-
\??\c:\fxrrxxf.exec:\fxrrxxf.exe97⤵PID:2792
-
\??\c:\nbtbhn.exec:\nbtbhn.exe98⤵PID:2888
-
\??\c:\3bhnth.exec:\3bhnth.exe99⤵PID:796
-
\??\c:\pjdjp.exec:\pjdjp.exe100⤵PID:1752
-
\??\c:\lfrxlll.exec:\lfrxlll.exe101⤵PID:3016
-
\??\c:\fxrfllr.exec:\fxrfllr.exe102⤵PID:2032
-
\??\c:\tnbnbn.exec:\tnbnbn.exe103⤵PID:624
-
\??\c:\jdpvd.exec:\jdpvd.exe104⤵PID:1100
-
\??\c:\3pjpv.exec:\3pjpv.exe105⤵PID:1484
-
\??\c:\rrlllrx.exec:\rrlllrx.exe106⤵PID:1856
-
\??\c:\fflflrx.exec:\fflflrx.exe107⤵PID:2056
-
\??\c:\nnbhbb.exec:\nnbhbb.exe108⤵PID:412
-
\??\c:\jjjjv.exec:\jjjjv.exe109⤵PID:292
-
\??\c:\3ppvj.exec:\3ppvj.exe110⤵PID:1968
-
\??\c:\lfxxllx.exec:\lfxxllx.exe111⤵PID:1676
-
\??\c:\rfrrxxf.exec:\rfrrxxf.exe112⤵PID:1980
-
\??\c:\5hbhnb.exec:\5hbhnb.exe113⤵PID:944
-
\??\c:\3vddd.exec:\3vddd.exe114⤵PID:2388
-
\??\c:\dpjpj.exec:\dpjpj.exe115⤵PID:2320
-
\??\c:\fflxffl.exec:\fflxffl.exe116⤵PID:1396
-
\??\c:\fxllfxl.exec:\fxllfxl.exe117⤵PID:1792
-
\??\c:\nbbhtt.exec:\nbbhtt.exe118⤵PID:3048
-
\??\c:\nhbthh.exec:\nhbthh.exe119⤵PID:1044
-
\??\c:\jvvpv.exec:\jvvpv.exe120⤵PID:2172
-
\??\c:\ffrrlxf.exec:\ffrrlxf.exe121⤵PID:2824
-
\??\c:\llxfffl.exec:\llxfffl.exe122⤵PID:2408
-