Analysis
max time kernel: 150s
max time network: 120s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 02-09-2024 02:55
Static task: static1
Behavioral task: behavioral1
Sample: b631c5c66bef2e77934162d152b05ae5576830fc4cf3f3e25bbb2903663a9916.exe
Resource: win7-20240708-en
General
Target: b631c5c66bef2e77934162d152b05ae5576830fc4cf3f3e25bbb2903663a9916.exe
Size: 79KB
MD5: 5bf3d85491ed0bb928281b5d7381a0af
SHA1: c0b66e5d9d4cd6ecfb090f15417da0ce710512f0
SHA256: b631c5c66bef2e77934162d152b05ae5576830fc4cf3f3e25bbb2903663a9916
SHA512: fbe1757fd1d78341d9250bb771efaeca74e36e8880e1e462588e5e5b0e8e59ee4eed3be0c8ee4ceb7bbc3036c028949f2c7922495c1f6ad13bcc7b0a6b03d9b9
SSDEEP: 1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDIsIpWCz+FR4RzWqC5rINFE4yeq:ymb3NkkiQ3mdBjFIsIpZ+R4RzWqCu4n
Malware Config
Signatures
Detect Blackmoon payload 19 IoCs
Executes dropped EXE 64 IoCs
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\b631c5c66bef2e77934162d152b05ae5576830fc4cf3f3e25bbb2903663a9916.exe
"C:\Users\Admin\AppData\Local\Temp\b631c5c66bef2e77934162d152b05ae5576830fc4cf3f3e25bbb2903663a9916.exe"
- Suspicious use of WriteProcessMemory
PID:2280