Analysis
-
max time kernel
150s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
17/10/2024, 15:09
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
5140774ff6af843e00954ed8c2d6e8523f62149d6f8d169f56bd599d0556eb26N.exe
Resource
win7-20240903-en
6 signatures
150 seconds
General
-
Target
5140774ff6af843e00954ed8c2d6e8523f62149d6f8d169f56bd599d0556eb26N.exe
-
Size
66KB
-
MD5
cd9ec96e409ba3bdf77823f1c1f0ffe0
-
SHA1
3c7c7da4c8b7d7aad15a2217df465b4c1cc37947
-
SHA256
5140774ff6af843e00954ed8c2d6e8523f62149d6f8d169f56bd599d0556eb26
-
SHA512
57ccf0d3885ffc34bb7cff6f2e8f044b0f4c5c5a14ac769c362291b6d8fd5146a2b731ceef88b39aae4381ac55eab49be03a7f5e3a837e5a4a7d42dd1b71d46a
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxND0yU+kbxeQ:ymb3NkkiQ3mdBjF0y7kbUQ
Malware Config
Signatures
-
Detect Blackmoon payload 18 IoCs
resource yara_rule behavioral1/memory/1392-10-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2592-15-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2656-34-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2804-57-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2800-61-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2516-78-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2128-90-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/1168-110-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/1648-120-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/3020-138-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2760-146-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/1976-174-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/808-192-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/1964-200-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2172-228-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2284-236-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/1536-264-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2960-290-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2592 thnttb.exe 2656 dpvvd.exe 2920 tntbnt.exe 2804 tnbbhh.exe 2800 rffxrlr.exe 2516 lrlfrrf.exe 2128 nnthth.exe 380 vjdjj.exe 1168 rfxrrlr.exe 1648 fxrlxxf.exe 2864 htbhnn.exe 3020 nnbbbb.exe 2760 vjppv.exe 1740 xlrrxxl.exe 1224 5xlxxxx.exe 1976 hhtbtb.exe 2588 hhnbth.exe 808 jdvvd.exe 1964 9jvvv.exe 2156 rflxfrx.exe 2208 hhtbth.exe 2172 5nhhnn.exe 2284 dvdvv.exe 640 pjddj.exe 2080 5llfffx.exe 1536 bnbnhh.exe 2448 nbhbhh.exe 1928 nhnbnt.exe 2960 pdvpv.exe 1164 lfxlflx.exe 3056 hbnnbt.exe 1392 5btbbb.exe 1616 dddjv.exe 2720 9jdvv.exe 2820 xfrrrlr.exe 2508 rlxflxl.exe 2788 7bttbb.exe 3068 bthnnn.exe 2776 vvpvp.exe 2504 7jdjj.exe 2668 1frxxxx.exe 2516 frfrflx.exe 2128 7rllxxf.exe 108 7bnhnt.exe 1480 7nnbtt.exe 1864 1pddp.exe 944 pvjjv.exe 3012 3xlrxxf.exe 2540 3llllfr.exe 1432 tntbhn.exe 2332 hbbbbb.exe 1740 jvjpv.exe 1132 dvvvd.exe 2740 9lrlxfl.exe 2264 rflllrr.exe 2008 thnnbb.exe 1396 7tnbnn.exe 2112 tntbnn.exe 2244 dpdjp.exe 2164 5jdvj.exe 2932 3xrrxfl.exe 2172 rlxfrxf.exe 1696 9ttbhh.exe 2076 tnhnhh.exe -
resource yara_rule behavioral1/memory/1392-3-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1392-10-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2592-15-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2656-24-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2656-25-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2656-34-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2920-37-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2804-48-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2804-47-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2804-57-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2800-61-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2516-69-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2516-70-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2516-78-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2128-80-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2128-82-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2128-81-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2128-90-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/380-93-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/380-94-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1168-110-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1648-120-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/3020-138-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2760-146-0x0000000000400000-0x0000000000429000-memory.dmp upx 
behavioral1/memory/1976-174-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/808-192-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1964-200-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2172-228-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2284-236-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1536-264-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2960-290-0x0000000000400000-0x0000000000429000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7xllrrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnnnbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbtbnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1392 wrote to memory of 2592 1392 5140774ff6af843e00954ed8c2d6e8523f62149d6f8d169f56bd599d0556eb26N.exe 28 PID 1392 wrote to memory of 2592 1392 5140774ff6af843e00954ed8c2d6e8523f62149d6f8d169f56bd599d0556eb26N.exe 28 PID 1392 wrote to memory of 2592 1392 5140774ff6af843e00954ed8c2d6e8523f62149d6f8d169f56bd599d0556eb26N.exe 28 PID 1392 wrote to memory of 2592 1392 5140774ff6af843e00954ed8c2d6e8523f62149d6f8d169f56bd599d0556eb26N.exe 28 PID 2592 wrote to memory of 2656 2592 thnttb.exe 29 PID 2592 wrote to memory of 2656 2592 thnttb.exe 29 PID 2592 wrote to memory of 2656 2592 thnttb.exe 29 PID 2592 wrote to memory of 2656 2592 thnttb.exe 29 PID 2656 wrote to memory of 2920 2656 dpvvd.exe 30 PID 2656 wrote to memory of 2920 2656 dpvvd.exe 30 PID 2656 wrote to memory of 2920 2656 dpvvd.exe 30 PID 2656 wrote to memory of 2920 2656 dpvvd.exe 30 PID 2920 wrote to memory of 2804 2920 tntbnt.exe 31 PID 2920 wrote to memory of 2804 2920 tntbnt.exe 31 PID 2920 wrote to memory of 2804 2920 tntbnt.exe 31 PID 2920 wrote to memory of 2804 2920 tntbnt.exe 31 PID 2804 wrote to memory of 2800 2804 tnbbhh.exe 32 PID 2804 wrote to memory of 2800 2804 tnbbhh.exe 32 PID 2804 wrote to memory of 2800 2804 tnbbhh.exe 32 PID 2804 wrote to memory of 2800 2804 tnbbhh.exe 32 PID 2800 wrote to memory of 2516 2800 rffxrlr.exe 33 PID 2800 wrote to memory of 2516 2800 rffxrlr.exe 33 PID 2800 wrote to memory of 2516 2800 rffxrlr.exe 33 PID 2800 wrote to memory of 2516 2800 rffxrlr.exe 33 PID 2516 wrote to memory of 2128 2516 lrlfrrf.exe 34 PID 2516 wrote to memory of 2128 2516 lrlfrrf.exe 34 PID 2516 wrote to memory of 2128 2516 lrlfrrf.exe 34 PID 2516 wrote to memory of 2128 2516 lrlfrrf.exe 34 PID 2128 wrote to memory of 380 2128 nnthth.exe 35 PID 2128 wrote to memory of 380 2128 nnthth.exe 35 PID 2128 wrote to memory of 380 2128 nnthth.exe 35 PID 2128 wrote to memory of 380 2128 nnthth.exe 35 PID 380 wrote to memory of 1168 380 vjdjj.exe 36 PID 380 
wrote to memory of 1168 380 vjdjj.exe 36 PID 380 wrote to memory of 1168 380 vjdjj.exe 36 PID 380 wrote to memory of 1168 380 vjdjj.exe 36 PID 1168 wrote to memory of 1648 1168 rfxrrlr.exe 37 PID 1168 wrote to memory of 1648 1168 rfxrrlr.exe 37 PID 1168 wrote to memory of 1648 1168 rfxrrlr.exe 37 PID 1168 wrote to memory of 1648 1168 rfxrrlr.exe 37 PID 1648 wrote to memory of 2864 1648 fxrlxxf.exe 38 PID 1648 wrote to memory of 2864 1648 fxrlxxf.exe 38 PID 1648 wrote to memory of 2864 1648 fxrlxxf.exe 38 PID 1648 wrote to memory of 2864 1648 fxrlxxf.exe 38 PID 2864 wrote to memory of 3020 2864 htbhnn.exe 39 PID 2864 wrote to memory of 3020 2864 htbhnn.exe 39 PID 2864 wrote to memory of 3020 2864 htbhnn.exe 39 PID 2864 wrote to memory of 3020 2864 htbhnn.exe 39 PID 3020 wrote to memory of 2760 3020 nnbbbb.exe 40 PID 3020 wrote to memory of 2760 3020 nnbbbb.exe 40 PID 3020 wrote to memory of 2760 3020 nnbbbb.exe 40 PID 3020 wrote to memory of 2760 3020 nnbbbb.exe 40 PID 2760 wrote to memory of 1740 2760 vjppv.exe 41 PID 2760 wrote to memory of 1740 2760 vjppv.exe 41 PID 2760 wrote to memory of 1740 2760 vjppv.exe 41 PID 2760 wrote to memory of 1740 2760 vjppv.exe 41 PID 1740 wrote to memory of 1224 1740 xlrrxxl.exe 42 PID 1740 wrote to memory of 1224 1740 xlrrxxl.exe 42 PID 1740 wrote to memory of 1224 1740 xlrrxxl.exe 42 PID 1740 wrote to memory of 1224 1740 xlrrxxl.exe 42 PID 1224 wrote to memory of 1976 1224 5xlxxxx.exe 43 PID 1224 wrote to memory of 1976 1224 5xlxxxx.exe 43 PID 1224 wrote to memory of 1976 1224 5xlxxxx.exe 43 PID 1224 wrote to memory of 1976 1224 5xlxxxx.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\5140774ff6af843e00954ed8c2d6e8523f62149d6f8d169f56bd599d0556eb26N.exe"C:\Users\Admin\AppData\Local\Temp\5140774ff6af843e00954ed8c2d6e8523f62149d6f8d169f56bd599d0556eb26N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1392 -
\??\c:\thnttb.exec:\thnttb.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2592 -
\??\c:\dpvvd.exec:\dpvvd.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2656 -
\??\c:\tntbnt.exec:\tntbnt.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2920 -
\??\c:\tnbbhh.exec:\tnbbhh.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2804 -
\??\c:\rffxrlr.exec:\rffxrlr.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2800 -
\??\c:\lrlfrrf.exec:\lrlfrrf.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2516 -
\??\c:\nnthth.exec:\nnthth.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2128 -
\??\c:\vjdjj.exec:\vjdjj.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:380 -
\??\c:\rfxrrlr.exec:\rfxrrlr.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1168 -
\??\c:\fxrlxxf.exec:\fxrlxxf.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1648 -
\??\c:\htbhnn.exec:\htbhnn.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2864 -
\??\c:\nnbbbb.exec:\nnbbbb.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3020 -
\??\c:\vjppv.exec:\vjppv.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2760 -
\??\c:\xlrrxxl.exec:\xlrrxxl.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1740 -
\??\c:\5xlxxxx.exec:\5xlxxxx.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1224 -
\??\c:\hhtbtb.exec:\hhtbtb.exe17⤵
- Executes dropped EXE
PID:1976 -
\??\c:\hhnbth.exec:\hhnbth.exe18⤵
- Executes dropped EXE
PID:2588 -
\??\c:\jdvvd.exec:\jdvvd.exe19⤵
- Executes dropped EXE
PID:808 -
\??\c:\9jvvv.exec:\9jvvv.exe20⤵
- Executes dropped EXE
PID:1964 -
\??\c:\rflxfrx.exec:\rflxfrx.exe21⤵
- Executes dropped EXE
PID:2156 -
\??\c:\hhtbth.exec:\hhtbth.exe22⤵
- Executes dropped EXE
PID:2208 -
\??\c:\5nhhnn.exec:\5nhhnn.exe23⤵
- Executes dropped EXE
PID:2172 -
\??\c:\dvdvv.exec:\dvdvv.exe24⤵
- Executes dropped EXE
PID:2284 -
\??\c:\pjddj.exec:\pjddj.exe25⤵
- Executes dropped EXE
PID:640 -
\??\c:\5llfffx.exec:\5llfffx.exe26⤵
- Executes dropped EXE
PID:2080 -
\??\c:\bnbnhh.exec:\bnbnhh.exe27⤵
- Executes dropped EXE
PID:1536 -
\??\c:\nbhbhh.exec:\nbhbhh.exe28⤵
- Executes dropped EXE
PID:2448 -
\??\c:\nhnbnt.exec:\nhnbnt.exe29⤵
- Executes dropped EXE
PID:1928 -
\??\c:\pdvpv.exec:\pdvpv.exe30⤵
- Executes dropped EXE
PID:2960 -
\??\c:\lfxlflx.exec:\lfxlflx.exe31⤵
- Executes dropped EXE
PID:1164 -
\??\c:\hbnnbt.exec:\hbnnbt.exe32⤵
- Executes dropped EXE
PID:3056 -
\??\c:\5btbbb.exec:\5btbbb.exe33⤵
- Executes dropped EXE
PID:1392 -
\??\c:\dddjv.exec:\dddjv.exe34⤵
- Executes dropped EXE
PID:1616 -
\??\c:\9jdvv.exec:\9jdvv.exe35⤵
- Executes dropped EXE
PID:2720 -
\??\c:\xfrrrlr.exec:\xfrrrlr.exe36⤵
- Executes dropped EXE
PID:2820 -
\??\c:\rlxflxl.exec:\rlxflxl.exe37⤵
- Executes dropped EXE
PID:2508 -
\??\c:\7bttbb.exec:\7bttbb.exe38⤵
- Executes dropped EXE
PID:2788 -
\??\c:\bthnnn.exec:\bthnnn.exe39⤵
- Executes dropped EXE
PID:3068 -
\??\c:\vvpvp.exec:\vvpvp.exe40⤵
- Executes dropped EXE
PID:2776 -
\??\c:\7jdjj.exec:\7jdjj.exe41⤵
- Executes dropped EXE
PID:2504 -
\??\c:\1frxxxx.exec:\1frxxxx.exe42⤵
- Executes dropped EXE
PID:2668 -
\??\c:\frfrflx.exec:\frfrflx.exe43⤵
- Executes dropped EXE
PID:2516 -
\??\c:\7rllxxf.exec:\7rllxxf.exe44⤵
- Executes dropped EXE
PID:2128 -
\??\c:\7bnhnt.exec:\7bnhnt.exe45⤵
- Executes dropped EXE
PID:108 -
\??\c:\7nnbtt.exec:\7nnbtt.exe46⤵
- Executes dropped EXE
PID:1480 -
\??\c:\1pddp.exec:\1pddp.exe47⤵
- Executes dropped EXE
PID:1864 -
\??\c:\pvjjv.exec:\pvjjv.exe48⤵
- Executes dropped EXE
PID:944 -
\??\c:\3xlrxxf.exec:\3xlrxxf.exe49⤵
- Executes dropped EXE
PID:3012 -
\??\c:\3llllfr.exec:\3llllfr.exe50⤵
- Executes dropped EXE
PID:2540 -
\??\c:\tntbhn.exec:\tntbhn.exe51⤵
- Executes dropped EXE
PID:1432 -
\??\c:\hbbbbb.exec:\hbbbbb.exe52⤵
- Executes dropped EXE
PID:2332 -
\??\c:\jvjpv.exec:\jvjpv.exe53⤵
- Executes dropped EXE
PID:1740 -
\??\c:\dvvvd.exec:\dvvvd.exe54⤵
- Executes dropped EXE
PID:1132 -
\??\c:\9lrlxfl.exec:\9lrlxfl.exe55⤵
- Executes dropped EXE
PID:2740 -
\??\c:\rflllrr.exec:\rflllrr.exe56⤵
- Executes dropped EXE
PID:2264 -
\??\c:\thnnbb.exec:\thnnbb.exe57⤵
- Executes dropped EXE
PID:2008 -
\??\c:\7tnbnn.exec:\7tnbnn.exe58⤵
- Executes dropped EXE
PID:1396 -
\??\c:\tntbnn.exec:\tntbnn.exe59⤵
- Executes dropped EXE
PID:2112 -
\??\c:\dpdjp.exec:\dpdjp.exe60⤵
- Executes dropped EXE
PID:2244 -
\??\c:\5jdvj.exec:\5jdvj.exe61⤵
- Executes dropped EXE
PID:2164 -
\??\c:\3xrrxfl.exec:\3xrrxfl.exe62⤵
- Executes dropped EXE
PID:2932 -
\??\c:\rlxfrxf.exec:\rlxfrxf.exe63⤵
- Executes dropped EXE
PID:2172 -
\??\c:\9ttbhh.exec:\9ttbhh.exe64⤵
- Executes dropped EXE
PID:1696 -
\??\c:\tnhnhh.exec:\tnhnhh.exe65⤵
- Executes dropped EXE
PID:2076 -
\??\c:\pjpvd.exec:\pjpvd.exe66⤵PID:2004
-
\??\c:\vpppv.exec:\vpppv.exe67⤵PID:620
-
\??\c:\3rlrrxx.exec:\3rlrrxx.exe68⤵PID:2300
-
\??\c:\rrrrrrr.exec:\rrrrrrr.exe69⤵PID:796
-
\??\c:\5hthnn.exec:\5hthnn.exe70⤵PID:2344
-
\??\c:\hbhnnt.exec:\hbhnnt.exe71⤵PID:2212
-
\??\c:\vdpjd.exec:\vdpjd.exe72⤵PID:1512
-
\??\c:\jjjdd.exec:\jjjdd.exe73⤵PID:2184
-
\??\c:\thhhnh.exec:\thhhnh.exe74⤵PID:2608
-
\??\c:\7ddjv.exec:\7ddjv.exe75⤵PID:1716
-
\??\c:\jvddp.exec:\jvddp.exe76⤵PID:2188
-
\??\c:\rlrrlll.exec:\rlrrlll.exe77⤵PID:2652
-
\??\c:\7rlrffr.exec:\7rlrffr.exe78⤵PID:2704
-
\??\c:\hbbhbb.exec:\hbbhbb.exe79⤵PID:2528
-
\??\c:\3htnnt.exec:\3htnnt.exe80⤵PID:2772
-
\??\c:\vdjjj.exec:\vdjjj.exe81⤵PID:2780
-
\??\c:\vddvp.exec:\vddvp.exe82⤵PID:1532
-
\??\c:\xfrlfrx.exec:\xfrlfrx.exe83⤵PID:2996
-
\??\c:\9lxflxf.exec:\9lxflxf.exe84⤵PID:2988
-
\??\c:\5hntnt.exec:\5hntnt.exe85⤵PID:604
-
\??\c:\bhthbn.exec:\bhthbn.exe86⤵PID:696
-
\??\c:\jjvdp.exec:\jjvdp.exe87⤵PID:588
-
\??\c:\5pdjp.exec:\5pdjp.exe88⤵PID:844
-
\??\c:\7xxfxxl.exec:\7xxfxxl.exe89⤵PID:2884
-
\??\c:\5xllllx.exec:\5xllllx.exe90⤵PID:2864
-
\??\c:\1tbbbb.exec:\1tbbbb.exe91⤵PID:2024
-
\??\c:\hbhbhb.exec:\hbhbhb.exe92⤵PID:1640
-
\??\c:\vpvdp.exec:\vpvdp.exe93⤵PID:1808
-
\??\c:\pjdjj.exec:\pjdjj.exe94⤵PID:2568
-
\??\c:\llxrffr.exec:\llxrffr.exe95⤵PID:2272
-
\??\c:\thnbbb.exec:\thnbbb.exe96⤵PID:1132
-
\??\c:\nbtbnb.exec:\nbtbnb.exe97⤵PID:1992
-
\??\c:\bnhbht.exec:\bnhbht.exe98⤵PID:1428
-
\??\c:\dpjjv.exec:\dpjjv.exe99⤵PID:2152
-
\??\c:\ppdpv.exec:\ppdpv.exe100⤵PID:1396
-
\??\c:\lfxxrxx.exec:\lfxxrxx.exe101⤵PID:2364
-
\??\c:\7lxxlrx.exec:\7lxxlrx.exe102⤵PID:2204
-
\??\c:\htnhbh.exec:\htnhbh.exe103⤵PID:2120
-
\??\c:\bthnnn.exec:\bthnnn.exe104⤵PID:1540
-
\??\c:\9hbnbb.exec:\9hbnbb.exe105⤵PID:2292
-
\??\c:\5jvjj.exec:\5jvjj.exe106⤵PID:1144
-
\??\c:\lxlrxlr.exec:\lxlrxlr.exe107⤵PID:2380
-
\??\c:\xxllrxl.exec:\xxllrxl.exe108⤵PID:2248
-
\??\c:\bthnhh.exec:\bthnhh.exe109⤵PID:2304
-
\??\c:\tnbnnt.exec:\tnbnnt.exe110⤵PID:1956
-
\??\c:\tntntn.exec:\tntntn.exe111⤵PID:1928
-
\??\c:\pddpv.exec:\pddpv.exe112⤵PID:896
-
\??\c:\xlrlxxr.exec:\xlrlxxr.exe113⤵PID:3064
-
\??\c:\lfrxlll.exec:\lfrxlll.exe114⤵PID:2308
-
\??\c:\hbttbb.exec:\hbttbb.exe115⤵PID:1936
-
\??\c:\bbnntb.exec:\bbnntb.exe116⤵PID:1392
-
\??\c:\dvjvd.exec:\dvjvd.exe117⤵PID:1660
-
\??\c:\dpdjp.exec:\dpdjp.exe118⤵PID:1616
-
\??\c:\7lflrxf.exec:\7lflrxf.exe119⤵PID:2616
-
\??\c:\3xrfxxf.exec:\3xrfxxf.exe120⤵PID:2704
-
\??\c:\ntnntb.exec:\ntnntb.exe121⤵PID:2788
-
\??\c:\3tbbth.exec:\3tbbth.exe122⤵PID:3068
-