Analysis
max time kernel: 150s
max time network: 120s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
submitted: 17/10/2024, 14:50
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
08e3c566fb4c8df5e470eba9f5e97c92429e46251b632e7db544afa0f29c963cN.exe
Resource
win7-20240903-en
6 signatures
150 seconds
General
-
Target
08e3c566fb4c8df5e470eba9f5e97c92429e46251b632e7db544afa0f29c963cN.exe
-
Size
65KB
-
MD5
f859945ee111dbf2258f6722fc6555c0
-
SHA1
06e5c4319a815b98dae52f216b58d3923de9df63
-
SHA256
08e3c566fb4c8df5e470eba9f5e97c92429e46251b632e7db544afa0f29c963c
-
SHA512
ea0d755e1b4c350f2b6e9869d1a16f1c4f52a2ea12bfe5792526051995b2266040977f8d3b257b6b15ca64956907a0220189bf51f911c22c1a890c7b89b22ab5
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDI9L27Q:ymb3NkkiQ3mdBjFI99
Malware Config
Signatures
-
Detect Blackmoon payload 21 IoCs
Executes dropped EXE 64 IoCs
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Suspicious use of WriteProcessMemory 64 IoCs
Processes