Analysis
-
max time kernel
150s -
max time network
17s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64 arch:x86 image:win7-20240729-en locale:en-us os:windows7-x64 system -
submitted
18/10/2024, 14:32
Static task
static1
Behavioral task
behavioral1
Sample
ed6103c4db892df3dfe7362c7cb939db4e498414b35b98057e45d71a855babbdN.exe
Resource
win7-20240729-en
General
-
Target
ed6103c4db892df3dfe7362c7cb939db4e498414b35b98057e45d71a855babbdN.exe
-
Size
72KB
-
MD5
48a14a56008816ab2cba9121afc68b50
-
SHA1
88f815e444766d3f93175995c86504fd05a67838
-
SHA256
ed6103c4db892df3dfe7362c7cb939db4e498414b35b98057e45d71a855babbd
-
SHA512
ffb91efd11ad5d472c2909b0b2e17bf5f8d584a31293e8c6aa81a9b91c34c578eac6f37a886ffa57d3f62d247fbc328608771d881da3cb557c7edf4e9908fcea
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDIFdJUDbAIdiW65x:ymb3NkkiQ3mdBjFIFdJ8bViW67
Malware Config
Signatures
-
Detect Blackmoon payload 20 IoCs
resource yara_rule behavioral1/memory/2420-4-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2584-15-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2584-22-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2940-46-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2984-41-0x0000000000401000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2984-40-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2828-78-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2312-308-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/976-281-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2316-272-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/560-219-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2100-209-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/1296-174-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/1112-147-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/1992-137-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/372-129-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2512-119-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/636-111-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/3060-102-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2532-65-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2584 3xxxxfr.exe 2804 tnbbbb.exe 2984 pvppj.exe 2940 fxrrllx.exe 2532 xlrxxfx.exe 2828 ddpvj.exe 2724 vdvjp.exe 3060 fxrfxxf.exe 636 frxxfll.exe 2512 htbttb.exe 372 7tbbtb.exe 1992 ppjdp.exe 1112 jdpdv.exe 1260 9jjpj.exe 1912 xlxxxfr.exe 1296 lfflffl.exe 1748 rflxxfl.exe 3000 9hbbhn.exe 2344 nhtthh.exe 2100 7jjpd.exe 560 1pdjv.exe 1084 lfffrrf.exe 2004 9xrrflr.exe 2180 xrxxflr.exe 1784 nhbhnn.exe 2340 5httbb.exe 2316 dvpjv.exe 976 jdppd.exe 1936 frllrlf.exe 2320 7xrlxxr.exe 2312 nhbbbh.exe 2892 bntnhh.exe 2812 7pdvj.exe 1528 dvppp.exe 1592 pjppd.exe 2760 rxfxrlx.exe 2852 xllllll.exe 2684 3fllrxl.exe 2780 3bhnbb.exe 3056 3ntnhh.exe 2728 nhtttt.exe 2156 9vjvv.exe 300 9jjvv.exe 2568 jdvjd.exe 2104 frffllr.exe 2148 xllxffl.exe 1600 5lxlrlr.exe 1476 5htthh.exe 2068 hbnbtn.exe 1572 tnbbbh.exe 2088 7pvjd.exe 2620 jdvjj.exe 2376 9rllrrx.exe 2360 rfrxxxl.exe 2244 7fxxfff.exe 280 tbtthb.exe 1324 tntbnn.exe 2692 9nhhnt.exe 1960 3pvjp.exe 2324 7pdjj.exe 1092 xrfrxfx.exe 1088 hhtbnt.exe 2340 bbtbnn.exe 2064 hhntbn.exe -
resource yara_rule behavioral1/memory/2420-4-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2584-15-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2584-13-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2584-22-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2940-46-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2984-40-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2532-56-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2532-55-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2828-78-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2312-308-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/976-281-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2316-272-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/560-219-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2100-209-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1296-174-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1112-147-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1992-137-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/372-129-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2512-119-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/636-111-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/3060-102-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/3060-93-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/3060-92-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2724-82-0x0000000000400000-0x0000000000429000-memory.dmp upx 
behavioral1/memory/2724-81-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2828-69-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2828-68-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2532-65-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2828-67-0x0000000000400000-0x0000000000429000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdjpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdvjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbhthn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvdjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpjpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1bthtn.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhttbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tntnnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbtbtb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5httbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2420 wrote to memory of 2584 2420 ed6103c4db892df3dfe7362c7cb939db4e498414b35b98057e45d71a855babbdN.exe 29 PID 2420 wrote to memory of 2584 2420 ed6103c4db892df3dfe7362c7cb939db4e498414b35b98057e45d71a855babbdN.exe 29 PID 2420 wrote to memory of 2584 2420 ed6103c4db892df3dfe7362c7cb939db4e498414b35b98057e45d71a855babbdN.exe 29 PID 2420 wrote to memory of 2584 2420 ed6103c4db892df3dfe7362c7cb939db4e498414b35b98057e45d71a855babbdN.exe 29 PID 2584 wrote to memory of 2804 2584 3xxxxfr.exe 30 PID 2584 wrote to memory of 2804 2584 3xxxxfr.exe 30 PID 2584 wrote to memory of 2804 2584 3xxxxfr.exe 30 PID 2584 wrote to memory of 2804 2584 3xxxxfr.exe 30 PID 2804 wrote to memory of 2984 2804 tnbbbb.exe 31 PID 2804 wrote to memory of 2984 2804 tnbbbb.exe 31 PID 2804 wrote to memory of 2984 2804 tnbbbb.exe 31 PID 2804 wrote to memory of 2984 2804 tnbbbb.exe 31 PID 2984 wrote to memory of 2940 2984 pvppj.exe 32 PID 2984 wrote to memory of 2940 2984 pvppj.exe 32 PID 2984 wrote to memory of 2940 2984 pvppj.exe 32 PID 2984 wrote to memory of 2940 2984 pvppj.exe 32 PID 2940 wrote to memory of 2532 2940 fxrrllx.exe 33 PID 2940 wrote to memory of 2532 2940 fxrrllx.exe 33 PID 2940 wrote to memory of 2532 2940 fxrrllx.exe 33 PID 2940 wrote to memory of 2532 2940 fxrrllx.exe 33 PID 2532 wrote to memory of 2828 2532 xlrxxfx.exe 34 PID 2532 wrote to memory of 2828 2532 xlrxxfx.exe 34 PID 2532 wrote to memory of 2828 2532 xlrxxfx.exe 34 PID 2532 wrote to memory of 2828 2532 xlrxxfx.exe 34 PID 2828 wrote to memory of 2724 2828 ddpvj.exe 35 PID 2828 wrote to memory of 2724 2828 ddpvj.exe 35 PID 2828 wrote to memory of 2724 2828 ddpvj.exe 35 PID 2828 wrote to memory of 2724 2828 ddpvj.exe 35 PID 2724 wrote to memory of 3060 2724 vdvjp.exe 36 PID 2724 wrote to memory of 3060 2724 vdvjp.exe 36 PID 2724 wrote to memory of 3060 2724 vdvjp.exe 36 PID 2724 wrote to memory of 3060 2724 vdvjp.exe 36 PID 3060 wrote to memory of 636 3060 fxrfxxf.exe 37 PID 3060 
wrote to memory of 636 3060 fxrfxxf.exe 37 PID 3060 wrote to memory of 636 3060 fxrfxxf.exe 37 PID 3060 wrote to memory of 636 3060 fxrfxxf.exe 37 PID 636 wrote to memory of 2512 636 frxxfll.exe 38 PID 636 wrote to memory of 2512 636 frxxfll.exe 38 PID 636 wrote to memory of 2512 636 frxxfll.exe 38 PID 636 wrote to memory of 2512 636 frxxfll.exe 38 PID 2512 wrote to memory of 372 2512 htbttb.exe 39 PID 2512 wrote to memory of 372 2512 htbttb.exe 39 PID 2512 wrote to memory of 372 2512 htbttb.exe 39 PID 2512 wrote to memory of 372 2512 htbttb.exe 39 PID 372 wrote to memory of 1992 372 7tbbtb.exe 40 PID 372 wrote to memory of 1992 372 7tbbtb.exe 40 PID 372 wrote to memory of 1992 372 7tbbtb.exe 40 PID 372 wrote to memory of 1992 372 7tbbtb.exe 40 PID 1992 wrote to memory of 1112 1992 ppjdp.exe 41 PID 1992 wrote to memory of 1112 1992 ppjdp.exe 41 PID 1992 wrote to memory of 1112 1992 ppjdp.exe 41 PID 1992 wrote to memory of 1112 1992 ppjdp.exe 41 PID 1112 wrote to memory of 1260 1112 jdpdv.exe 42 PID 1112 wrote to memory of 1260 1112 jdpdv.exe 42 PID 1112 wrote to memory of 1260 1112 jdpdv.exe 42 PID 1112 wrote to memory of 1260 1112 jdpdv.exe 42 PID 1260 wrote to memory of 1912 1260 9jjpj.exe 43 PID 1260 wrote to memory of 1912 1260 9jjpj.exe 43 PID 1260 wrote to memory of 1912 1260 9jjpj.exe 43 PID 1260 wrote to memory of 1912 1260 9jjpj.exe 43 PID 1912 wrote to memory of 1296 1912 xlxxxfr.exe 44 PID 1912 wrote to memory of 1296 1912 xlxxxfr.exe 44 PID 1912 wrote to memory of 1296 1912 xlxxxfr.exe 44 PID 1912 wrote to memory of 1296 1912 xlxxxfr.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\ed6103c4db892df3dfe7362c7cb939db4e498414b35b98057e45d71a855babbdN.exe"C:\Users\Admin\AppData\Local\Temp\ed6103c4db892df3dfe7362c7cb939db4e498414b35b98057e45d71a855babbdN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2420 -
\??\c:\3xxxxfr.exec:\3xxxxfr.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2584 -
\??\c:\tnbbbb.exec:\tnbbbb.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2804 -
\??\c:\pvppj.exec:\pvppj.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2984 -
\??\c:\fxrrllx.exec:\fxrrllx.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2940 -
\??\c:\xlrxxfx.exec:\xlrxxfx.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2532 -
\??\c:\ddpvj.exec:\ddpvj.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2828 -
\??\c:\vdvjp.exec:\vdvjp.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2724 -
\??\c:\fxrfxxf.exec:\fxrfxxf.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3060 -
\??\c:\frxxfll.exec:\frxxfll.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:636 -
\??\c:\htbttb.exec:\htbttb.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2512 -
\??\c:\7tbbtb.exec:\7tbbtb.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:372 -
\??\c:\ppjdp.exec:\ppjdp.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1992 -
\??\c:\jdpdv.exec:\jdpdv.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1112 -
\??\c:\9jjpj.exec:\9jjpj.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1260 -
\??\c:\xlxxxfr.exec:\xlxxxfr.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1912 -
\??\c:\lfflffl.exec:\lfflffl.exe17⤵
- Executes dropped EXE
PID:1296 -
\??\c:\rflxxfl.exec:\rflxxfl.exe18⤵
- Executes dropped EXE
PID:1748 -
\??\c:\9hbbhn.exec:\9hbbhn.exe19⤵
- Executes dropped EXE
PID:3000 -
\??\c:\nhtthh.exec:\nhtthh.exe20⤵
- Executes dropped EXE
PID:2344 -
\??\c:\7jjpd.exec:\7jjpd.exe21⤵
- Executes dropped EXE
PID:2100 -
\??\c:\1pdjv.exec:\1pdjv.exe22⤵
- Executes dropped EXE
PID:560 -
\??\c:\lfffrrf.exec:\lfffrrf.exe23⤵
- Executes dropped EXE
PID:1084 -
\??\c:\9xrrflr.exec:\9xrrflr.exe24⤵
- Executes dropped EXE
PID:2004 -
\??\c:\xrxxflr.exec:\xrxxflr.exe25⤵
- Executes dropped EXE
PID:2180 -
\??\c:\nhbhnn.exec:\nhbhnn.exe26⤵
- Executes dropped EXE
PID:1784 -
\??\c:\5httbb.exec:\5httbb.exe27⤵
- Executes dropped EXE
PID:2340 -
\??\c:\dvpjv.exec:\dvpjv.exe28⤵
- Executes dropped EXE
PID:2316 -
\??\c:\jdppd.exec:\jdppd.exe29⤵
- Executes dropped EXE
PID:976 -
\??\c:\frllrlf.exec:\frllrlf.exe30⤵
- Executes dropped EXE
PID:1936 -
\??\c:\7xrlxxr.exec:\7xrlxxr.exe31⤵
- Executes dropped EXE
PID:2320 -
\??\c:\nhbbbh.exec:\nhbbbh.exe32⤵
- Executes dropped EXE
PID:2312 -
\??\c:\bntnhh.exec:\bntnhh.exe33⤵
- Executes dropped EXE
PID:2892 -
\??\c:\7pdvj.exec:\7pdvj.exe34⤵
- Executes dropped EXE
PID:2812 -
\??\c:\dvppp.exec:\dvppp.exe35⤵
- Executes dropped EXE
PID:1528 -
\??\c:\pjppd.exec:\pjppd.exe36⤵
- Executes dropped EXE
PID:1592 -
\??\c:\rxfxrlx.exec:\rxfxrlx.exe37⤵
- Executes dropped EXE
PID:2760 -
\??\c:\xllllll.exec:\xllllll.exe38⤵
- Executes dropped EXE
PID:2852 -
\??\c:\3fllrxl.exec:\3fllrxl.exe39⤵
- Executes dropped EXE
PID:2684 -
\??\c:\3bhnbb.exec:\3bhnbb.exe40⤵
- Executes dropped EXE
PID:2780 -
\??\c:\3ntnhh.exec:\3ntnhh.exe41⤵
- Executes dropped EXE
PID:3056 -
\??\c:\nhtttt.exec:\nhtttt.exe42⤵
- Executes dropped EXE
PID:2728 -
\??\c:\9vjvv.exec:\9vjvv.exe43⤵
- Executes dropped EXE
PID:2156 -
\??\c:\9jjvv.exec:\9jjvv.exe44⤵
- Executes dropped EXE
PID:300 -
\??\c:\jdvjd.exec:\jdvjd.exe45⤵
- Executes dropped EXE
PID:2568 -
\??\c:\frffllr.exec:\frffllr.exe46⤵
- Executes dropped EXE
PID:2104 -
\??\c:\xllxffl.exec:\xllxffl.exe47⤵
- Executes dropped EXE
PID:2148 -
\??\c:\5lxlrlr.exec:\5lxlrlr.exe48⤵
- Executes dropped EXE
PID:1600 -
\??\c:\5htthh.exec:\5htthh.exe49⤵
- Executes dropped EXE
PID:1476 -
\??\c:\hbnbtn.exec:\hbnbtn.exe50⤵
- Executes dropped EXE
PID:2068 -
\??\c:\tnbbbh.exec:\tnbbbh.exe51⤵
- Executes dropped EXE
PID:1572 -
\??\c:\7pvjd.exec:\7pvjd.exe52⤵
- Executes dropped EXE
PID:2088 -
\??\c:\jdvjj.exec:\jdvjj.exe53⤵
- Executes dropped EXE
PID:2620 -
\??\c:\9rllrrx.exec:\9rllrrx.exe54⤵
- Executes dropped EXE
PID:2376 -
\??\c:\rfrxxxl.exec:\rfrxxxl.exe55⤵
- Executes dropped EXE
PID:2360 -
\??\c:\7fxxfff.exec:\7fxxfff.exe56⤵
- Executes dropped EXE
PID:2244 -
\??\c:\tbtthb.exec:\tbtthb.exe57⤵
- Executes dropped EXE
PID:280 -
\??\c:\tntbnn.exec:\tntbnn.exe58⤵
- Executes dropped EXE
PID:1324 -
\??\c:\9nhhnt.exec:\9nhhnt.exe59⤵
- Executes dropped EXE
PID:2692 -
\??\c:\3pvjp.exec:\3pvjp.exe60⤵
- Executes dropped EXE
PID:1960 -
\??\c:\7pdjj.exec:\7pdjj.exe61⤵
- Executes dropped EXE
PID:2324 -
\??\c:\xrfrxfx.exec:\xrfrxfx.exe62⤵
- Executes dropped EXE
PID:1092 -
\??\c:\hhtbnt.exec:\hhtbnt.exe63⤵
- Executes dropped EXE
PID:1088 -
\??\c:\bbtbnn.exec:\bbtbnn.exe64⤵
- Executes dropped EXE
PID:2340 -
\??\c:\hhntbn.exec:\hhntbn.exe65⤵
- Executes dropped EXE
PID:2064 -
\??\c:\jdjpd.exec:\jdjpd.exe66⤵PID:2364
-
\??\c:\7pppd.exec:\7pppd.exe67⤵PID:2200
-
\??\c:\1jjpv.exec:\1jjpv.exe68⤵PID:2616
-
\??\c:\7rrrfll.exec:\7rrrfll.exe69⤵PID:2140
-
\??\c:\bbhtnt.exec:\bbhtnt.exe70⤵PID:2544
-
\??\c:\thnntt.exec:\thnntt.exe71⤵PID:580
-
\??\c:\bbttnt.exec:\bbttnt.exe72⤵PID:2016
-
\??\c:\ddjpd.exec:\ddjpd.exe73⤵PID:1580
-
\??\c:\jjddp.exec:\jjddp.exe74⤵PID:2896
-
\??\c:\ppjjv.exec:\ppjjv.exe75⤵PID:2848
-
\??\c:\3jpvj.exec:\3jpvj.exe76⤵PID:2760
-
\??\c:\lrfxrrf.exec:\lrfxrrf.exe77⤵PID:2284
-
\??\c:\5xxfflx.exec:\5xxfflx.exe78⤵PID:2712
-
\??\c:\xrrfrxl.exec:\xrrfrxl.exe79⤵PID:2204
-
\??\c:\9nntnn.exec:\9nntnn.exe80⤵PID:2824
-
\??\c:\tnhthh.exec:\tnhthh.exe81⤵PID:2468
-
\??\c:\hbnbnt.exec:\hbnbnt.exe82⤵PID:2728
-
\??\c:\dpjpd.exec:\dpjpd.exe83⤵PID:2024
-
\??\c:\7vvdj.exec:\7vvdj.exe84⤵PID:372
-
\??\c:\jppjd.exec:\jppjd.exe85⤵PID:652
-
\??\c:\3fflxlf.exec:\3fflxlf.exe86⤵PID:2704
-
\??\c:\9llfrrf.exec:\9llfrrf.exe87⤵PID:1148
-
\??\c:\xrlxrxf.exec:\xrlxrxf.exe88⤵PID:768
-
\??\c:\tnhntb.exec:\tnhntb.exe89⤵PID:1156
-
\??\c:\7hntnb.exec:\7hntnb.exe90⤵PID:3032
-
\??\c:\hbntnn.exec:\hbntnn.exe91⤵PID:3004
-
\??\c:\dvpdp.exec:\dvpdp.exe92⤵PID:1656
-
\??\c:\3vpvv.exec:\3vpvv.exe93⤵PID:2236
-
\??\c:\vjvdj.exec:\vjvdj.exe94⤵PID:2396
-
\??\c:\xrffllx.exec:\xrffllx.exe95⤵PID:1604
-
\??\c:\xxxfrrx.exec:\xxxfrrx.exe96⤵PID:1996
-
\??\c:\rrlxfrr.exec:\rrlxfrr.exe97⤵PID:756
-
\??\c:\tthtbh.exec:\tthtbh.exe98⤵PID:1084
-
\??\c:\hbntht.exec:\hbntht.exe99⤵PID:2548
-
\??\c:\nbthhn.exec:\nbthhn.exe100⤵PID:1924
-
\??\c:\ddvjp.exec:\ddvjp.exe101⤵PID:2208
-
\??\c:\djpvp.exec:\djpvp.exe102⤵PID:2948
-
\??\c:\dvppv.exec:\dvppv.exe103⤵PID:2400
-
\??\c:\flrllrr.exec:\flrllrr.exe104⤵PID:1180
-
\??\c:\rrxflrl.exec:\rrxflrl.exe105⤵PID:2316
-
\??\c:\fxrlfll.exec:\fxrlfll.exe106⤵PID:2064
-
\??\c:\btbnhh.exec:\btbnhh.exe107⤵PID:3008
-
\??\c:\3tntnt.exec:\3tntnt.exe108⤵PID:2596
-
\??\c:\nhbnhn.exec:\nhbnhn.exe109⤵PID:2740
-
\??\c:\vpjvj.exec:\vpjvj.exe110⤵PID:2140
-
\??\c:\djdjj.exec:\djdjj.exe111⤵PID:2312
-
\??\c:\dvjdp.exec:\dvjdp.exe112⤵PID:2776
-
\??\c:\xrlrrxl.exec:\xrlrrxl.exe113⤵PID:2816
-
\??\c:\1frfrrf.exec:\1frfrrf.exe114⤵PID:1552
-
\??\c:\rrrflff.exec:\rrrflff.exe115⤵PID:1172
-
\??\c:\tnbnnb.exec:\tnbnnb.exe116⤵PID:2688
-
\??\c:\bbnntt.exec:\bbnntt.exe117⤵PID:2880
-
\??\c:\hhbntb.exec:\hhbntb.exe118⤵PID:2916
-
\??\c:\jdppv.exec:\jdppv.exe119⤵PID:2540
-
\??\c:\jdvjp.exec:\jdvjp.exe120⤵PID:2160
-
\??\c:\ddpvj.exec:\ddpvj.exe121⤵PID:448
-
\??\c:\rxxrxll.exec:\rxxrxll.exe122⤵PID:2220
-