Analysis
-
max time kernel
150s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system -
submitted
21-06-2024 05:39
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
fa86f0aa9203eb626eaede966c5ba14b67adbaec1bc6962b7daa7414e0db9709.exe
Resource
win7-20240508-en
6 signatures
150 seconds
General
-
Target
fa86f0aa9203eb626eaede966c5ba14b67adbaec1bc6962b7daa7414e0db9709.exe
-
Size
228KB
-
MD5
d28ec3ee6f43290613106abec5a95b26
-
SHA1
16fd5aef00e2e612903d50d8e06cc07831a11e6d
-
SHA256
fa86f0aa9203eb626eaede966c5ba14b67adbaec1bc6962b7daa7414e0db9709
-
SHA512
4beab6a2e6e60fbcc35424044eac9d3c698b284754cc5e02bdb23c04366c23d5693fcdcba22694cd9507e86b7febc1050f4f12d630261a820708a630cf58e5ca
-
SSDEEP
3072:ymb3NkkiQ3mdBjFo73PYP1lri3KoSV31x4xLn/c1J:n3C9BRo7MlrWKo+lxKk1J
Malware Config
Signatures
-
Detect Blackmoon payload 19 IoCs
UPX dump on OEP (original entry point) 26 IoCs
Executes dropped EXE 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\fa86f0aa9203eb626eaede966c5ba14b67adbaec1bc6962b7daa7414e0db9709.exe"C:\Users\Admin\AppData\Local\Temp\fa86f0aa9203eb626eaede966c5ba14b67adbaec1bc6962b7daa7414e0db9709.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1444 -
\??\c:\hthnnn.exec:\hthnnn.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1964 -
\??\c:\5lfllrf.exec:\5lfllrf.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2112 -
\??\c:\bbnnbh.exec:\bbnnbh.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2336 -
\??\c:\5ddvj.exec:\5ddvj.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2744 -
\??\c:\9fflffl.exec:\9fflffl.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3036 -
\??\c:\htbttn.exec:\htbttn.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2840 -
\??\c:\rfrrffl.exec:\rfrrffl.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2448 -
\??\c:\hhhtht.exec:\hhhtht.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2584 -
\??\c:\pjjpv.exec:\pjjpv.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2972 -
\??\c:\xrxxxxl.exec:\xrxxxxl.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1820 -
\??\c:\9bbthh.exec:\9bbthh.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2808 -
\??\c:\thbtnn.exec:\thbtnn.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1644 -
\??\c:\5lrrrrx.exec:\5lrrrrx.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:308 -
\??\c:\xrrxflr.exec:\xrrxflr.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1932 -
\??\c:\1vjvd.exec:\1vjvd.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1616 -
\??\c:\1dvdp.exec:\1dvdp.exe17⤵
- Executes dropped EXE
PID:1660 -
\??\c:\hhbhnn.exec:\hhbhnn.exe18⤵
- Executes dropped EXE
PID:592 -
\??\c:\btnnhb.exec:\btnnhb.exe19⤵
- Executes dropped EXE
PID:1504 -
\??\c:\jdpvd.exec:\jdpvd.exe20⤵
- Executes dropped EXE
PID:856 -
\??\c:\rrffxfr.exec:\rrffxfr.exe21⤵
- Executes dropped EXE
PID:2492 -
\??\c:\dvpvd.exec:\dvpvd.exe22⤵
- Executes dropped EXE
PID:1104 -
\??\c:\vpjvd.exec:\vpjvd.exe23⤵
- Executes dropped EXE
PID:2940 -
\??\c:\rrlrflx.exec:\rrlrflx.exe24⤵
- Executes dropped EXE
PID:1480 -
\??\c:\9bnnbb.exec:\9bnnbb.exe25⤵
- Executes dropped EXE
PID:844 -
\??\c:\dvvdv.exec:\dvvdv.exe26⤵
- Executes dropped EXE
PID:1656 -
\??\c:\vppdj.exec:\vppdj.exe27⤵
- Executes dropped EXE
PID:764 -
\??\c:\5htthn.exec:\5htthn.exe28⤵
- Executes dropped EXE
PID:1052 -
\??\c:\9htnhh.exec:\9htnhh.exe29⤵
- Executes dropped EXE
PID:2904 -
\??\c:\jjdvp.exec:\jjdvp.exe30⤵
- Executes dropped EXE
PID:2068 -
\??\c:\3fxrxrx.exec:\3fxrxrx.exe31⤵
- Executes dropped EXE
PID:2768 -
\??\c:\hbtbnb.exec:\hbtbnb.exe32⤵
- Executes dropped EXE
PID:1756 -
\??\c:\vpdjp.exec:\vpdjp.exe33⤵
- Executes dropped EXE
PID:1940 -
\??\c:\lxxfrxl.exec:\lxxfrxl.exe34⤵
- Executes dropped EXE
PID:2188 -
\??\c:\hbtbtb.exec:\hbtbtb.exe35⤵
- Executes dropped EXE
PID:2988 -
\??\c:\nnhnbb.exec:\nnhnbb.exe36⤵
- Executes dropped EXE
PID:1720 -
\??\c:\pjddp.exec:\pjddp.exe37⤵
- Executes dropped EXE
PID:1252 -
\??\c:\9pjjp.exec:\9pjjp.exe38⤵
- Executes dropped EXE
PID:2716 -
\??\c:\fxlxllr.exec:\fxlxllr.exe39⤵
- Executes dropped EXE
PID:2668 -
\??\c:\rlxfrrf.exec:\rlxfrrf.exe40⤵
- Executes dropped EXE
PID:2748 -
\??\c:\nhthnt.exec:\nhthnt.exe41⤵
- Executes dropped EXE
PID:2776 -
\??\c:\pdppv.exec:\pdppv.exe42⤵
- Executes dropped EXE
PID:2796 -
\??\c:\ddpvd.exec:\ddpvd.exe43⤵
- Executes dropped EXE
PID:2820 -
\??\c:\frflrrl.exec:\frflrrl.exe44⤵
- Executes dropped EXE
PID:3032 -
\??\c:\ffxfllx.exec:\ffxfllx.exe45⤵
- Executes dropped EXE
PID:2556 -
\??\c:\hbhhtb.exec:\hbhhtb.exe46⤵
- Executes dropped EXE
PID:2584 -
\??\c:\jdddv.exec:\jdddv.exe47⤵
- Executes dropped EXE
PID:2572 -
\??\c:\ddjpj.exec:\ddjpj.exe48⤵
- Executes dropped EXE
PID:2816 -
\??\c:\lfrxlfr.exec:\lfrxlfr.exe49⤵
- Executes dropped EXE
PID:2612 -
\??\c:\lfxxxfl.exec:\lfxxxfl.exe50⤵
- Executes dropped EXE
PID:2844 -
\??\c:\nbttbb.exec:\nbttbb.exe51⤵
- Executes dropped EXE
PID:548 -
\??\c:\btthtt.exec:\btthtt.exe52⤵
- Executes dropped EXE
PID:2020 -
\??\c:\jjvdp.exec:\jjvdp.exe53⤵
- Executes dropped EXE
PID:1944 -
\??\c:\3rllffl.exec:\3rllffl.exe54⤵
- Executes dropped EXE
PID:2220 -
\??\c:\flfrrlx.exec:\flfrrlx.exe55⤵
- Executes dropped EXE
PID:2212 -
\??\c:\5tnthn.exec:\5tnthn.exe56⤵
- Executes dropped EXE
PID:768 -
\??\c:\vpdjj.exec:\vpdjj.exe57⤵
- Executes dropped EXE
PID:1512 -
\??\c:\5jddp.exec:\5jddp.exe58⤵
- Executes dropped EXE
PID:1292 -
\??\c:\1lffrrf.exec:\1lffrrf.exe59⤵
- Executes dropped EXE
PID:1452 -
\??\c:\ffrxffx.exec:\ffrxffx.exe60⤵
- Executes dropped EXE
PID:2260 -
\??\c:\nnhnhh.exec:\nnhnhh.exe61⤵
- Executes dropped EXE
PID:1816 -
\??\c:\7btbhh.exec:\7btbhh.exe62⤵
- Executes dropped EXE
PID:632 -
\??\c:\ddvjv.exec:\ddvjv.exe63⤵
- Executes dropped EXE
PID:1568 -
\??\c:\pjppj.exec:\pjppj.exe64⤵
- Executes dropped EXE
PID:1232 -
\??\c:\rlxffrx.exec:\rlxffrx.exe65⤵
- Executes dropped EXE
PID:2352 -
\??\c:\hnnbbt.exec:\hnnbbt.exe66⤵PID:1988
-
\??\c:\hthnbb.exec:\hthnbb.exe67⤵PID:2460
-
\??\c:\vpdjj.exec:\vpdjj.exe68⤵PID:952
-
\??\c:\vpvvd.exec:\vpvvd.exe69⤵PID:2436
-
\??\c:\xrxxffl.exec:\xrxxffl.exe70⤵PID:876
-
\??\c:\1lfrffl.exec:\1lfrffl.exe71⤵PID:1748
-
\??\c:\hnhntb.exec:\hnhntb.exe72⤵PID:992
-
\??\c:\pdvvv.exec:\pdvvv.exe73⤵PID:2324
-
\??\c:\5vvdp.exec:\5vvdp.exe74⤵PID:2284
-
\??\c:\lfxxlrf.exec:\lfxxlrf.exe75⤵PID:1692
-
\??\c:\xrlrflr.exec:\xrlrflr.exe76⤵PID:2032
-
\??\c:\bttbhh.exec:\bttbhh.exe77⤵PID:1092
-
\??\c:\5bbhnn.exec:\5bbhnn.exe78⤵PID:2152
-
\??\c:\pjddp.exec:\pjddp.exe79⤵PID:3024
-
\??\c:\fxfxffl.exec:\fxfxffl.exe80⤵PID:2664
-
\??\c:\rrfrrxl.exec:\rrfrrxl.exe81⤵PID:2736
-
\??\c:\bnttbh.exec:\bnttbh.exe82⤵PID:2792
-
\??\c:\jjddv.exec:\jjddv.exe83⤵PID:3036
-
\??\c:\pjppv.exec:\pjppv.exe84⤵PID:2784
-
\??\c:\lfrrxfl.exec:\lfrrxfl.exe85⤵PID:2524
-
\??\c:\lfxfrfr.exec:\lfxfrfr.exe86⤵PID:2680
-
\??\c:\3htnbh.exec:\3htnbh.exe87⤵PID:2564
-
\??\c:\7nhntt.exec:\7nhntt.exe88⤵PID:1596
-
\??\c:\1pjvd.exec:\1pjvd.exe89⤵PID:1604
-
\??\c:\fxllxlx.exec:\fxllxlx.exe90⤵PID:1820
-
\??\c:\5xxlxfl.exec:\5xxlxfl.exe91⤵PID:756
-
\??\c:\3hhbhn.exec:\3hhbhn.exe92⤵PID:1808
-
\??\c:\3jvpp.exec:\3jvpp.exe93⤵PID:1636
-
\??\c:\vpddj.exec:\vpddj.exe94⤵PID:788
-
\??\c:\fxfxfxf.exec:\fxfxfxf.exe95⤵PID:1952
-
\??\c:\xrffrrx.exec:\xrffrrx.exe96⤵PID:372
-
\??\c:\hbhttb.exec:\hbhttb.exe97⤵PID:320
-
\??\c:\5jvjp.exec:\5jvjp.exe98⤵PID:556
-
\??\c:\1jjjv.exec:\1jjjv.exe99⤵PID:1580
-
\??\c:\jddjj.exec:\jddjj.exe100⤵PID:2608
-
\??\c:\xlrrllr.exec:\xlrrllr.exe101⤵PID:1192
-
\??\c:\nhttbb.exec:\nhttbb.exe102⤵PID:2724
-
\??\c:\bnhtbh.exec:\bnhtbh.exe103⤵PID:1728
-
\??\c:\jddjv.exec:\jddjv.exe104⤵PID:1380
-
\??\c:\jdvdp.exec:\jdvdp.exe105⤵PID:2400
-
\??\c:\rlxflrx.exec:\rlxflrx.exe106⤵PID:1480
-
\??\c:\rrfflrx.exec:\rrfflrx.exe107⤵PID:844
-
\??\c:\nnhthb.exec:\nnhthb.exe108⤵PID:1600
-
\??\c:\hthhnn.exec:\hthhnn.exe109⤵PID:948
-
\??\c:\jdpvj.exec:\jdpvj.exe110⤵PID:900
-
\??\c:\3dvdv.exec:\3dvdv.exe111⤵PID:1788
-
\??\c:\5xffffl.exec:\5xffffl.exe112⤵PID:776
-
\??\c:\thtntt.exec:\thtntt.exe113⤵PID:2068
-
\??\c:\btbbhb.exec:\btbbhb.exe114⤵PID:2880
-
\??\c:\7pdjv.exec:\7pdjv.exe115⤵PID:2156
-
\??\c:\1jjpv.exec:\1jjpv.exe116⤵PID:2452
-
\??\c:\lflrffl.exec:\lflrffl.exe117⤵PID:1564
-
\??\c:\7thnbb.exec:\7thnbb.exe118⤵PID:1280
-
\??\c:\bthhtt.exec:\bthhtt.exe119⤵PID:2968
-
\??\c:\vpdvj.exec:\vpdvj.exe120⤵PID:1720
-
\??\c:\fxrrxfl.exec:\fxrrxfl.exe121⤵PID:2620
-
\??\c:\rlllrll.exec:\rlllrll.exe122⤵PID:2716
-