Analysis
-
max time kernel
150s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
30-09-2024 02:25
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
c6690191a5890dcae91980931b6ca26385d88be6b25fd272454ab66acfbed6a8.exe
Resource
win7-20240903-en
windows7-x64
6 signatures
150 seconds
General
-
Target
c6690191a5890dcae91980931b6ca26385d88be6b25fd272454ab66acfbed6a8.exe
-
Size
70KB
-
MD5
583e8424ce92cc09d4f807e1c6dc8881
-
SHA1
7a3e72677111ee7720852771c150e27691b7fc46
-
SHA256
c6690191a5890dcae91980931b6ca26385d88be6b25fd272454ab66acfbed6a8
-
SHA512
a35586c393f0218192893b98ddad6de07e0d4b65a2cee16cee4ddbd670d2f9f85dab7936fbdbbb17898806ffb77d5a988babe32ff28aa250176de3651671e338
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDIb0z6MTSqfj2:ymb3NkkiQ3mdBjFI4Vm
Malware Config
Signatures
-
Detect Blackmoon payload 20 IoCs
Executes dropped EXE 64 IoCs
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\c6690191a5890dcae91980931b6ca26385d88be6b25fd272454ab66acfbed6a8.exe"C:\Users\Admin\AppData\Local\Temp\c6690191a5890dcae91980931b6ca26385d88be6b25fd272454ab66acfbed6a8.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1704 -
\??\c:\tbnnnt.exec:\tbnnnt.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2104 -
\??\c:\pjvvj.exec:\pjvvj.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1924 -
\??\c:\rrffflr.exec:\rrffflr.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2696 -
\??\c:\hnntbb.exec:\hnntbb.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2856 -
\??\c:\vpjpj.exec:\vpjpj.exe6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2756 -
\??\c:\rrlrffr.exec:\rrlrffr.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2912 -
\??\c:\hbbtnt.exec:\hbbtnt.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2908 -
\??\c:\jjvdv.exec:\jjvdv.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2600 -
\??\c:\xxxfrxr.exec:\xxxfrxr.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2172 -
\??\c:\hhbhth.exec:\hhbhth.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:572 -
\??\c:\tnbnhn.exec:\tnbnhn.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:660 -
\??\c:\vpdjp.exec:\vpdjp.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2932 -
\??\c:\rrlllxl.exec:\rrlllxl.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1900 -
\??\c:\3nhbtt.exec:\3nhbtt.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2796 -
\??\c:\pdvdj.exec:\pdvdj.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1268 -
\??\c:\1lllllr.exec:\1lllllr.exe17⤵
- Executes dropped EXE
PID:2964 -
\??\c:\frffrrx.exec:\frffrrx.exe18⤵
- Executes dropped EXE
PID:1432 -
\??\c:\9bntth.exec:\9bntth.exe19⤵
- Executes dropped EXE
PID:3052 -
\??\c:\dvvjv.exec:\dvvjv.exe20⤵
- Executes dropped EXE
PID:536 -
\??\c:\3rrxlrf.exec:\3rrxlrf.exe21⤵
- Executes dropped EXE
PID:584 -
\??\c:\5ttntn.exec:\5ttntn.exe22⤵
- Executes dropped EXE
PID:3020 -
\??\c:\nhhhbb.exec:\nhhhbb.exe23⤵
- Executes dropped EXE
PID:856 -
\??\c:\7vjvd.exec:\7vjvd.exe24⤵
- Executes dropped EXE
PID:3016 -
\??\c:\rlfflll.exec:\rlfflll.exe25⤵
- Executes dropped EXE
PID:960 -
\??\c:\fxfxfrr.exec:\fxfxfrr.exe26⤵
- Executes dropped EXE
PID:576 -
\??\c:\hbttbn.exec:\hbttbn.exe27⤵
- Executes dropped EXE
PID:2036 -
\??\c:\hhhtbb.exec:\hhhtbb.exe28⤵
- Executes dropped EXE
PID:3036 -
\??\c:\xlfllfr.exec:\xlfllfr.exe29⤵
- Executes dropped EXE
PID:1728 -
\??\c:\xfrfffl.exec:\xfrfffl.exe30⤵
- Executes dropped EXE
PID:352 -
\??\c:\thtttb.exec:\thtttb.exe31⤵
- Executes dropped EXE
PID:2148 -
\??\c:\3vppj.exec:\3vppj.exe32⤵
- Executes dropped EXE
PID:2108 -
\??\c:\fffrrrf.exec:\fffrrrf.exe33⤵
- Executes dropped EXE
PID:2540 -
\??\c:\fxrlflr.exec:\fxrlflr.exe34⤵
- Executes dropped EXE
PID:2056 -
\??\c:\hhbtbh.exec:\hhbtbh.exe35⤵
- Executes dropped EXE
PID:1708 -
\??\c:\jdvdd.exec:\jdvdd.exe36⤵
- Executes dropped EXE
PID:2316 -
\??\c:\jdpdv.exec:\jdpdv.exe37⤵
- Executes dropped EXE
PID:2864 -
\??\c:\fxrflrx.exec:\fxrflrx.exe38⤵
- Executes dropped EXE
PID:2204 -
\??\c:\lfrfffr.exec:\lfrfffr.exe39⤵
- Executes dropped EXE
PID:2312 -
\??\c:\hbthnb.exec:\hbthnb.exe40⤵
- Executes dropped EXE
PID:1980 -
\??\c:\9nhhhh.exec:\9nhhhh.exe41⤵
- Executes dropped EXE
PID:2816 -
\??\c:\dvvvp.exec:\dvvvp.exe42⤵
- Executes dropped EXE
PID:1776 -
\??\c:\frflrlr.exec:\frflrlr.exe43⤵
- Executes dropped EXE
PID:2908 -
\??\c:\xxxlfrl.exec:\xxxlfrl.exe44⤵
- Executes dropped EXE
PID:2436 -
\??\c:\bnbtbh.exec:\bnbtbh.exe45⤵
- Executes dropped EXE
PID:1964 -
\??\c:\bhnbbn.exec:\bhnbbn.exe46⤵
- Executes dropped EXE
PID:1912 -
\??\c:\pppdj.exec:\pppdj.exe47⤵
- Executes dropped EXE
PID:2564 -
\??\c:\5rxlflx.exec:\5rxlflx.exe48⤵
- Executes dropped EXE
PID:2840 -
\??\c:\fxfxlrx.exec:\fxfxlrx.exe49⤵
- Executes dropped EXE
PID:1232 -
\??\c:\9tbhth.exec:\9tbhth.exe50⤵
- Executes dropped EXE
PID:2000 -
\??\c:\vpppv.exec:\vpppv.exe51⤵
- Executes dropped EXE
PID:2796 -
\??\c:\pvddp.exec:\pvddp.exe52⤵
- Executes dropped EXE
PID:1816 -
\??\c:\7fxxlrx.exec:\7fxxlrx.exe53⤵
- Executes dropped EXE
PID:1268 -
\??\c:\xxrlrxr.exec:\xxrlrxr.exe54⤵
- Executes dropped EXE
PID:2188 -
\??\c:\5hbbtb.exec:\5hbbtb.exe55⤵
- Executes dropped EXE
PID:752 -
\??\c:\nnbnbh.exec:\nnbnbh.exe56⤵
- Executes dropped EXE
PID:3052 -
\??\c:\pjvvd.exec:\pjvvd.exe57⤵
- Executes dropped EXE
PID:1632 -
\??\c:\pjdvd.exec:\pjdvd.exe58⤵
- Executes dropped EXE
PID:1476 -
\??\c:\rfrrrxf.exec:\rfrrrxf.exe59⤵
- Executes dropped EXE
PID:552 -
\??\c:\xrrxlrf.exec:\xrrxlrf.exe60⤵
- Executes dropped EXE
PID:3020 -
\??\c:\tthnnn.exec:\tthnnn.exe61⤵
- Executes dropped EXE
PID:856 -
\??\c:\vpdpv.exec:\vpdpv.exe62⤵
- Executes dropped EXE
PID:1784 -
\??\c:\dpdjp.exec:\dpdjp.exe63⤵
- Executes dropped EXE
PID:2828 -
\??\c:\1fxlffr.exec:\1fxlffr.exe64⤵
- Executes dropped EXE
PID:576 -
\??\c:\5ffrlrf.exec:\5ffrlrf.exe65⤵
- Executes dropped EXE
PID:1028 -