Analysis
-
max time kernel
120s -
max time network
17s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64 arch:x86 image:win7-20240708-en locale:en-us os:windows7-x64 system -
submitted
17/10/2024, 13:34
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
96b5c77bc349fe0f1ca0c21736a52518cd9dcc70db2031fb601f6f101cd195deN.exe
Resource
win7-20240708-en
6 signatures
120 seconds
General
-
Target
96b5c77bc349fe0f1ca0c21736a52518cd9dcc70db2031fb601f6f101cd195deN.exe
-
Size
66KB
-
MD5
5794f03936c353d89fafe0a0274c6e10
-
SHA1
84d00b43452b5cd12f9dfcbccb532b9640110e77
-
SHA256
96b5c77bc349fe0f1ca0c21736a52518cd9dcc70db2031fb601f6f101cd195de
-
SHA512
87a3e1f27258c37f316aefb6d9c6cf38e9b72ffded8f4333cd80742e4762aa1908eba2cf0a69ca1f416553575c86a1e3c57f744ec67532b8222501479931e595
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDI9L27BqflM:ymb3NkkiQ3mdBjFI9cqfa
Malware Config
Signatures
-
Detect Blackmoon payload 23 IoCs
resource yara_rule behavioral1/memory/2572-4-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/1948-25-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2156-14-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2156-20-0x0000000000401000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/3012-34-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/532-53-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2856-57-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2804-69-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2296-89-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2780-101-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2676-111-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2212-119-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2444-129-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/1764-137-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/1612-147-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/1604-173-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2908-183-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2196-201-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/1784-209-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/1368-237-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/1572-254-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon 
behavioral1/memory/344-263-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2156-2092-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2156 bbnbhh.exe 1948 hbnnbb.exe 3012 jjjvp.exe 532 flxxlrf.exe 2856 nnbnbb.exe 2804 ppjdj.exe 2296 rrrflxf.exe 2780 tnbhnt.exe 2676 tbttbh.exe 2212 jdpvj.exe 2444 frxllxf.exe 1764 9lflxfx.exe 1612 tnbhtt.exe 1788 9dpvd.exe 1800 jdppp.exe 1604 ffxflxl.exe 2908 1rrxffr.exe 2164 httntt.exe 2196 dvjjp.exe 1784 jdpvd.exe 1648 xllfrfl.exe 2712 1xlrxfr.exe 1368 5tbhnn.exe 1944 pddpd.exe 1572 vvpvj.exe 344 ffxfrxl.exe 1304 lffrllr.exe 572 bbntbh.exe 2504 vpdpd.exe 1956 5vvpd.exe 2148 rlxxffl.exe 2796 7xlrxlx.exe 2244 bnbhnt.exe 2924 hbntth.exe 2720 djvvd.exe 2740 7jvpv.exe 3020 vjdjp.exe 2944 fxlxllx.exe 2636 9lfrfrl.exe 2624 tnbntb.exe 2688 xlffrfx.exe 2020 xrflxlf.exe 1712 htbnnt.exe 1928 tnhhth.exe 2428 vpdvp.exe 1668 jjdpv.exe 1144 rrfrrrx.exe 1992 3lrfxlx.exe 1596 9tntbb.exe 792 htbtbn.exe 2892 jdjjv.exe 2912 5dpvd.exe 2208 rlflrrf.exe 2964 9lllrrf.exe 352 7btbht.exe 1072 nhbhnt.exe 1020 vvpvd.exe 2216 pjdjj.exe 1216 1ffrxfr.exe 1280 xxlxfrx.exe 1532 rrlxfxl.exe 2476 tnbnbh.exe 2484 hbnttt.exe 2544 ddvpd.exe -
resource yara_rule behavioral1/memory/2572-4-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1948-25-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2156-14-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/3012-34-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/532-45-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/532-44-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/532-53-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2856-57-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2804-69-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2804-68-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2296-78-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2296-80-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2296-79-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2780-93-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2780-92-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2780-91-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2296-89-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2780-101-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2676-111-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2212-119-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2444-129-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1764-137-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1612-147-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1604-173-0x0000000000400000-0x0000000000429000-memory.dmp upx 
behavioral1/memory/2908-183-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2196-201-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1784-209-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1368-237-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1572-254-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/344-263-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2156-2092-0x0000000000400000-0x0000000000429000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxlffff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxrlrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hthhhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3jvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdjdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpdpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffrfrrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdjdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpddp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2572 wrote to memory of 2156 2572 96b5c77bc349fe0f1ca0c21736a52518cd9dcc70db2031fb601f6f101cd195deN.exe 30 PID 2572 wrote to memory of 2156 2572 96b5c77bc349fe0f1ca0c21736a52518cd9dcc70db2031fb601f6f101cd195deN.exe 30 PID 2572 wrote to memory of 2156 2572 96b5c77bc349fe0f1ca0c21736a52518cd9dcc70db2031fb601f6f101cd195deN.exe 30 PID 2572 wrote to memory of 2156 2572 96b5c77bc349fe0f1ca0c21736a52518cd9dcc70db2031fb601f6f101cd195deN.exe 30 PID 2156 wrote to memory of 1948 2156 bbnbhh.exe 31 PID 2156 wrote to memory of 1948 2156 bbnbhh.exe 31 PID 2156 wrote to memory of 1948 2156 bbnbhh.exe 31 PID 2156 wrote to memory of 1948 2156 bbnbhh.exe 31 PID 1948 wrote to memory of 3012 1948 hbnnbb.exe 32 PID 1948 wrote to memory of 3012 1948 hbnnbb.exe 32 PID 1948 wrote to memory of 3012 1948 hbnnbb.exe 32 PID 1948 wrote to memory of 3012 1948 hbnnbb.exe 32 PID 3012 wrote to memory of 532 3012 jjjvp.exe 33 PID 3012 wrote to memory of 532 3012 jjjvp.exe 33 PID 3012 wrote to memory of 532 3012 jjjvp.exe 33 PID 3012 wrote to memory of 532 3012 jjjvp.exe 33 PID 532 wrote to memory of 2856 532 flxxlrf.exe 34 PID 532 wrote to memory of 2856 532 flxxlrf.exe 34 PID 532 wrote to memory of 2856 532 flxxlrf.exe 34 PID 532 wrote to memory of 2856 532 flxxlrf.exe 34 PID 2856 wrote to memory of 2804 2856 nnbnbb.exe 35 PID 2856 wrote to memory of 2804 2856 nnbnbb.exe 35 PID 2856 wrote to memory of 2804 2856 nnbnbb.exe 35 PID 2856 wrote to memory of 2804 2856 nnbnbb.exe 35 PID 2804 wrote to memory of 2296 2804 ppjdj.exe 36 PID 2804 wrote to memory of 2296 2804 ppjdj.exe 36 PID 2804 wrote to memory of 2296 2804 ppjdj.exe 36 PID 2804 wrote to memory of 2296 2804 ppjdj.exe 36 PID 2296 wrote to memory of 2780 2296 rrrflxf.exe 37 PID 2296 wrote to memory of 2780 2296 rrrflxf.exe 37 PID 2296 wrote to memory of 2780 2296 rrrflxf.exe 37 PID 2296 wrote to memory of 2780 2296 rrrflxf.exe 37 PID 2780 wrote to memory of 2676 2780 tnbhnt.exe 38 PID 2780 wrote to 
memory of 2676 2780 tnbhnt.exe 38 PID 2780 wrote to memory of 2676 2780 tnbhnt.exe 38 PID 2780 wrote to memory of 2676 2780 tnbhnt.exe 38 PID 2676 wrote to memory of 2212 2676 tbttbh.exe 39 PID 2676 wrote to memory of 2212 2676 tbttbh.exe 39 PID 2676 wrote to memory of 2212 2676 tbttbh.exe 39 PID 2676 wrote to memory of 2212 2676 tbttbh.exe 39 PID 2212 wrote to memory of 2444 2212 jdpvj.exe 40 PID 2212 wrote to memory of 2444 2212 jdpvj.exe 40 PID 2212 wrote to memory of 2444 2212 jdpvj.exe 40 PID 2212 wrote to memory of 2444 2212 jdpvj.exe 40 PID 2444 wrote to memory of 1764 2444 frxllxf.exe 41 PID 2444 wrote to memory of 1764 2444 frxllxf.exe 41 PID 2444 wrote to memory of 1764 2444 frxllxf.exe 41 PID 2444 wrote to memory of 1764 2444 frxllxf.exe 41 PID 1764 wrote to memory of 1612 1764 9lflxfx.exe 42 PID 1764 wrote to memory of 1612 1764 9lflxfx.exe 42 PID 1764 wrote to memory of 1612 1764 9lflxfx.exe 42 PID 1764 wrote to memory of 1612 1764 9lflxfx.exe 42 PID 1612 wrote to memory of 1788 1612 tnbhtt.exe 43 PID 1612 wrote to memory of 1788 1612 tnbhtt.exe 43 PID 1612 wrote to memory of 1788 1612 tnbhtt.exe 43 PID 1612 wrote to memory of 1788 1612 tnbhtt.exe 43 PID 1788 wrote to memory of 1800 1788 9dpvd.exe 44 PID 1788 wrote to memory of 1800 1788 9dpvd.exe 44 PID 1788 wrote to memory of 1800 1788 9dpvd.exe 44 PID 1788 wrote to memory of 1800 1788 9dpvd.exe 44 PID 1800 wrote to memory of 1604 1800 jdppp.exe 45 PID 1800 wrote to memory of 1604 1800 jdppp.exe 45 PID 1800 wrote to memory of 1604 1800 jdppp.exe 45 PID 1800 wrote to memory of 1604 1800 jdppp.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\96b5c77bc349fe0f1ca0c21736a52518cd9dcc70db2031fb601f6f101cd195deN.exe"C:\Users\Admin\AppData\Local\Temp\96b5c77bc349fe0f1ca0c21736a52518cd9dcc70db2031fb601f6f101cd195deN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2572 -
\??\c:\bbnbhh.exec:\bbnbhh.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2156 -
\??\c:\hbnnbb.exec:\hbnnbb.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1948 -
\??\c:\jjjvp.exec:\jjjvp.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3012 -
\??\c:\flxxlrf.exec:\flxxlrf.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:532 -
\??\c:\nnbnbb.exec:\nnbnbb.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2856 -
\??\c:\ppjdj.exec:\ppjdj.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2804 -
\??\c:\rrrflxf.exec:\rrrflxf.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2296 -
\??\c:\tnbhnt.exec:\tnbhnt.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2780 -
\??\c:\tbttbh.exec:\tbttbh.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2676 -
\??\c:\jdpvj.exec:\jdpvj.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2212 -
\??\c:\frxllxf.exec:\frxllxf.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2444 -
\??\c:\9lflxfx.exec:\9lflxfx.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1764 -
\??\c:\tnbhtt.exec:\tnbhtt.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1612 -
\??\c:\9dpvd.exec:\9dpvd.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1788 -
\??\c:\jdppp.exec:\jdppp.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1800 -
\??\c:\ffxflxl.exec:\ffxflxl.exe17⤵
- Executes dropped EXE
PID:1604 -
\??\c:\1rrxffr.exec:\1rrxffr.exe18⤵
- Executes dropped EXE
PID:2908 -
\??\c:\httntt.exec:\httntt.exe19⤵
- Executes dropped EXE
PID:2164 -
\??\c:\dvjjp.exec:\dvjjp.exe20⤵
- Executes dropped EXE
PID:2196 -
\??\c:\jdpvd.exec:\jdpvd.exe21⤵
- Executes dropped EXE
PID:1784 -
\??\c:\xllfrfl.exec:\xllfrfl.exe22⤵
- Executes dropped EXE
PID:1648 -
\??\c:\1xlrxfr.exec:\1xlrxfr.exe23⤵
- Executes dropped EXE
PID:2712 -
\??\c:\5tbhnn.exec:\5tbhnn.exe24⤵
- Executes dropped EXE
PID:1368 -
\??\c:\pddpd.exec:\pddpd.exe25⤵
- Executes dropped EXE
PID:1944 -
\??\c:\vvpvj.exec:\vvpvj.exe26⤵
- Executes dropped EXE
PID:1572 -
\??\c:\ffxfrxl.exec:\ffxfrxl.exe27⤵
- Executes dropped EXE
PID:344 -
\??\c:\lffrllr.exec:\lffrllr.exe28⤵
- Executes dropped EXE
PID:1304 -
\??\c:\bbntbh.exec:\bbntbh.exe29⤵
- Executes dropped EXE
PID:572 -
\??\c:\vpdpd.exec:\vpdpd.exe30⤵
- Executes dropped EXE
PID:2504 -
\??\c:\5vvpd.exec:\5vvpd.exe31⤵
- Executes dropped EXE
PID:1956 -
\??\c:\rlxxffl.exec:\rlxxffl.exe32⤵
- Executes dropped EXE
PID:2148 -
\??\c:\7xlrxlx.exec:\7xlrxlx.exe33⤵
- Executes dropped EXE
PID:2796 -
\??\c:\bnbhnt.exec:\bnbhnt.exe34⤵
- Executes dropped EXE
PID:2244 -
\??\c:\hbntth.exec:\hbntth.exe35⤵
- Executes dropped EXE
PID:2924 -
\??\c:\djvvd.exec:\djvvd.exe36⤵
- Executes dropped EXE
PID:2720 -
\??\c:\7jvpv.exec:\7jvpv.exe37⤵
- Executes dropped EXE
PID:2740 -
\??\c:\vjdjp.exec:\vjdjp.exe38⤵
- Executes dropped EXE
PID:3020 -
\??\c:\fxlxllx.exec:\fxlxllx.exe39⤵
- Executes dropped EXE
PID:2944 -
\??\c:\9lfrfrl.exec:\9lfrfrl.exe40⤵
- Executes dropped EXE
PID:2636 -
\??\c:\tnbntb.exec:\tnbntb.exe41⤵
- Executes dropped EXE
PID:2624 -
\??\c:\xlffrfx.exec:\xlffrfx.exe42⤵
- Executes dropped EXE
PID:2688 -
\??\c:\xrflxlf.exec:\xrflxlf.exe43⤵
- Executes dropped EXE
PID:2020 -
\??\c:\htbnnt.exec:\htbnnt.exe44⤵
- Executes dropped EXE
PID:1712 -
\??\c:\tnhhth.exec:\tnhhth.exe45⤵
- Executes dropped EXE
PID:1928 -
\??\c:\vpdvp.exec:\vpdvp.exe46⤵
- Executes dropped EXE
PID:2428 -
\??\c:\jjdpv.exec:\jjdpv.exe47⤵
- Executes dropped EXE
PID:1668 -
\??\c:\rrfrrrx.exec:\rrfrrrx.exe48⤵
- Executes dropped EXE
PID:1144 -
\??\c:\3lrfxlx.exec:\3lrfxlx.exe49⤵
- Executes dropped EXE
PID:1992 -
\??\c:\9tntbb.exec:\9tntbb.exe50⤵
- Executes dropped EXE
PID:1596 -
\??\c:\htbtbn.exec:\htbtbn.exe51⤵
- Executes dropped EXE
PID:792 -
\??\c:\jdjjv.exec:\jdjjv.exe52⤵
- Executes dropped EXE
PID:2892 -
\??\c:\5dpvd.exec:\5dpvd.exe53⤵
- Executes dropped EXE
PID:2912 -
\??\c:\rlflrrf.exec:\rlflrrf.exe54⤵
- Executes dropped EXE
PID:2208 -
\??\c:\9lllrrf.exec:\9lllrrf.exe55⤵
- Executes dropped EXE
PID:2964 -
\??\c:\7btbht.exec:\7btbht.exe56⤵
- Executes dropped EXE
PID:352 -
\??\c:\nhbhnt.exec:\nhbhnt.exe57⤵
- Executes dropped EXE
PID:1072 -
\??\c:\vvpvd.exec:\vvpvd.exe58⤵
- Executes dropped EXE
PID:1020 -
\??\c:\pjdjj.exec:\pjdjj.exe59⤵
- Executes dropped EXE
PID:2216 -
\??\c:\1ffrxfr.exec:\1ffrxfr.exe60⤵
- Executes dropped EXE
PID:1216 -
\??\c:\xxlxfrx.exec:\xxlxfrx.exe61⤵
- Executes dropped EXE
PID:1280 -
\??\c:\rrlxfxl.exec:\rrlxfxl.exe62⤵
- Executes dropped EXE
PID:1532 -
\??\c:\tnbnbh.exec:\tnbnbh.exe63⤵
- Executes dropped EXE
PID:2476 -
\??\c:\hbnttt.exec:\hbnttt.exe64⤵
- Executes dropped EXE
PID:2484 -
\??\c:\ddvpd.exec:\ddvpd.exe65⤵
- Executes dropped EXE
PID:2544 -
\??\c:\jdpdd.exec:\jdpdd.exe66⤵PID:2204
-
\??\c:\3lffflx.exec:\3lffflx.exe67⤵PID:2176
-
\??\c:\rlflrrx.exec:\rlflrrx.exe68⤵PID:2416
-
\??\c:\bntnnb.exec:\bntnnb.exe69⤵PID:1592
-
\??\c:\ttbbnb.exec:\ttbbnb.exe70⤵PID:2396
-
\??\c:\5vdjp.exec:\5vdjp.exe71⤵PID:2440
-
\??\c:\vpjdj.exec:\vpjdj.exe72⤵PID:2240
-
\??\c:\7dpdd.exec:\7dpdd.exe73⤵PID:2244
-
\??\c:\7frflrf.exec:\7frflrf.exe74⤵PID:2772
-
\??\c:\3rllxfl.exec:\3rllxfl.exe75⤵PID:2844
-
\??\c:\tnnbth.exec:\tnnbth.exe76⤵PID:2776
-
\??\c:\3bbnbh.exec:\3bbnbh.exe77⤵PID:3020
-
\??\c:\3hhhnn.exec:\3hhhnn.exe78⤵PID:2648
-
\??\c:\vpddp.exec:\vpddp.exe79⤵PID:2636
-
\??\c:\9ddjp.exec:\9ddjp.exe80⤵PID:1976
-
\??\c:\xrlrflr.exec:\xrlrflr.exe81⤵PID:2688
-
\??\c:\llxfxxl.exec:\llxfxxl.exe82⤵PID:1512
-
\??\c:\ttnnhn.exec:\ttnnhn.exe83⤵PID:1712
-
\??\c:\hhhbnh.exec:\hhhbnh.exe84⤵PID:1616
-
\??\c:\1jvvj.exec:\1jvvj.exe85⤵PID:2428
-
\??\c:\9vjdj.exec:\9vjdj.exe86⤵PID:1528
-
\??\c:\xlffxfr.exec:\xlffxfr.exe87⤵PID:1144
-
\??\c:\1ffflrf.exec:\1ffflrf.exe88⤵PID:2680
-
\??\c:\ntnthh.exec:\ntnthh.exe89⤵PID:1596
-
\??\c:\htbnnb.exec:\htbnnb.exe90⤵PID:792
-
\??\c:\5pjvv.exec:\5pjvv.exe91⤵PID:2892
-
\??\c:\pppdj.exec:\pppdj.exe92⤵PID:2292
-
\??\c:\xflxflx.exec:\xflxflx.exe93⤵PID:2208
-
\??\c:\fxxxrrf.exec:\fxxxrrf.exe94⤵PID:1676
-
\??\c:\lxrxllx.exec:\lxrxllx.exe95⤵PID:1460
-
\??\c:\9bhbhh.exec:\9bhbhh.exe96⤵PID:1072
-
\??\c:\9ttbnt.exec:\9ttbnt.exe97⤵PID:324
-
\??\c:\9jjvj.exec:\9jjvj.exe98⤵PID:1704
-
\??\c:\vpdjv.exec:\vpdjv.exe99⤵PID:2652
-
\??\c:\7xxlxfr.exec:\7xxlxfr.exe100⤵PID:1280
-
\??\c:\5xflxlf.exec:\5xflxlf.exe101⤵PID:1532
-
\??\c:\bnhnhh.exec:\bnhnhh.exe102⤵PID:1032
-
\??\c:\hbnntb.exec:\hbnntb.exe103⤵PID:2484
-
\??\c:\tbttth.exec:\tbttth.exe104⤵PID:2280
-
\??\c:\3jvdj.exec:\3jvdj.exe105⤵PID:2308
-
\??\c:\lfxfffr.exec:\lfxfffr.exe106⤵PID:2376
-
\??\c:\lflrxxl.exec:\lflrxxl.exe107⤵PID:1932
-
\??\c:\9xlflff.exec:\9xlflff.exe108⤵PID:2516
-
\??\c:\nbtbbb.exec:\nbtbbb.exe109⤵PID:1628
-
\??\c:\nbhnnn.exec:\nbhnnn.exe110⤵PID:2760
-
\??\c:\jvpvd.exec:\jvpvd.exe111⤵PID:2840
-
\??\c:\7dpdj.exec:\7dpdj.exe112⤵PID:2860
-
\??\c:\9lxlrxl.exec:\9lxlrxl.exe113⤵PID:2620
-
\??\c:\xlrrffx.exec:\xlrrffx.exe114⤵PID:2700
-
\??\c:\lfffflx.exec:\lfffflx.exe115⤵PID:2784
-
\??\c:\htnnth.exec:\htnnth.exe116⤵PID:2612
-
\??\c:\nhtntb.exec:\nhtntb.exe117⤵PID:2632
-
\??\c:\dvvvv.exec:\dvvvv.exe118⤵PID:2940
-
\??\c:\lfxfrrx.exec:\lfxfrrx.exe119⤵PID:2028
-
\??\c:\thbbhb.exec:\thbbhb.exe120⤵PID:1988
-
\??\c:\bnbtht.exec:\bnbtht.exe121⤵PID:1828
-
\??\c:\jvjvv.exec:\jvjvv.exe122⤵PID:1836
-