Analysis
max time kernel: 150s
max time network: 121s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 21-06-2024 05:10
Static task: static1 (1 signatures)
Behavioral task: behavioral1
Sample: ef85ee945c0c4713ee502e597c4b11f02d51d0b2f04112ff699662093349c798.exe
Resource: win7-20231129-en
6 signatures, 150 seconds
General
Target: ef85ee945c0c4713ee502e597c4b11f02d51d0b2f04112ff699662093349c798.exe
Size: 394KB
MD5: 7d7be8aae6008ed64716476b06c1d783
SHA1: 19306cb4773938f1998c5732f8472a8e132e6606
SHA256: ef85ee945c0c4713ee502e597c4b11f02d51d0b2f04112ff699662093349c798
SHA512: e87cd8336060f02f2ccfc59747a8e476740494d5097a1daa47f0c6fe6bd8d3d9a0196141fc179b9aaf75911240236eccd93f66415fde22cd813341400faa994d
SSDEEP: 6144:n3C9BRIG0asYFm71mPfkVB8dKwaO5CVwOlz:n3C9uYA7okVqdKwaO5CVz
Malware Config
Signatures
Detect Blackmoon payload 17 IoCs
UPX dump on OEP (original entry point) 17 IoCs
Executes dropped EXE 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes