Analysis
-
max time kernel
120s -
max time network
17s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64 arch:x86 image:win7-20241010-en locale:en-us os:windows7-x64 system -
submitted
18/10/2024, 15:00
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
bb9e93860450ddea4a9f4faaa5f496fbe1e90715cbf89cfe28fff58224c79d56N.exe
Resource
win7-20241010-en
6 signatures
120 seconds
General
-
Target
bb9e93860450ddea4a9f4faaa5f496fbe1e90715cbf89cfe28fff58224c79d56N.exe
-
Size
70KB
-
MD5
55c088b8535eeac9767154da189a5340
-
SHA1
0f78de3e71fe34b48258d7a9c005b8bfa42ae744
-
SHA256
bb9e93860450ddea4a9f4faaa5f496fbe1e90715cbf89cfe28fff58224c79d56
-
SHA512
f30def3da564fe4208b2d8c594d93d89ce97f898bb51a478972f8e3302507854067b339b267218610e3add13550d4e86f32a3e8f6d01c319032728103af431a5
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxND0yUPqrDZ5Rxfu:ymb3NkkiQ3mdBjF0yUmrfu
Malware Config
Signatures
-
Detect Blackmoon payload 22 IoCs
resource yara_rule behavioral1/memory/2352-15-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/1712-11-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2360-25-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2376-42-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2376-41-0x0000000000401000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2304-59-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2844-55-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2800-82-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2656-78-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2672-92-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2204-106-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/920-116-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/1872-124-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2992-134-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/1512-143-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/376-170-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/1224-205-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/1028-215-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2088-224-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2356-277-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/1680-286-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon 
behavioral1/memory/272-295-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2352 llfxrlf.exe 2360 6602026.exe 2376 rxrxrrr.exe 2844 6084286.exe 2304 1nnnbb.exe 2656 2842048.exe 2800 5pjjd.exe 2672 hbhthn.exe 2204 068840.exe 920 24042.exe 1872 3pddj.exe 2992 bbnbht.exe 1512 xlxfffr.exe 3048 2822628.exe 2872 4402048.exe 376 s8808.exe 1572 2066206.exe 2444 ntttth.exe 1944 vjddp.exe 1224 rrlffrf.exe 1028 222446.exe 2088 flllflf.exe 976 60082.exe 1468 dvvpv.exe 924 hnnhnb.exe 2012 9lllfrf.exe 2064 240802.exe 2356 20622.exe 1680 ttnnbb.exe 272 k86062.exe 864 g8628.exe 2364 rxlffrl.exe 1644 o486022.exe 2288 xrfffrl.exe 2916 7bbbnb.exe 2788 028462.exe 2840 xrxrfrf.exe 2652 llxlflx.exe 1556 rllrfxr.exe 2684 g6402.exe 2640 5nhnbb.exe 1796 rlrxffx.exe 2036 66280.exe 3008 864606.exe 1068 s8006.exe 1736 s4624.exe 2884 vpjpv.exe 2888 ppdpd.exe 904 djddd.exe 2968 djjvv.exe 3036 hhtbbn.exe 2028 nhnbbn.exe 2456 jdddj.exe 1956 400408.exe 2296 i240620.exe 1944 w66488.exe 280 20846.exe 1692 04628.exe 1772 9nnnbt.exe 2604 k68466.exe 2192 jdvpv.exe 1592 q40026.exe 1940 jddpv.exe 2324 0648848.exe -
resource yara_rule behavioral1/memory/1712-3-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2352-15-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1712-11-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2360-25-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2376-42-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2844-46-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2844-45-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2656-70-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2656-68-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2656-67-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2304-59-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2844-55-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2800-82-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2656-78-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2672-92-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2204-106-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/920-116-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1872-124-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2992-134-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1512-143-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/376-170-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1224-205-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1028-215-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2088-224-0x0000000000400000-0x0000000000429000-memory.dmp upx 
behavioral1/memory/2356-277-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1680-286-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/272-295-0x0000000000400000-0x0000000000429000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0804602.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3vpvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 48060.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnhntb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 888480.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddvdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddpjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9pdjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language u460084.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 828680.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 666428.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1712 wrote to memory of 2352 1712 bb9e93860450ddea4a9f4faaa5f496fbe1e90715cbf89cfe28fff58224c79d56N.exe 31 PID 1712 wrote to memory of 2352 1712 bb9e93860450ddea4a9f4faaa5f496fbe1e90715cbf89cfe28fff58224c79d56N.exe 31 PID 1712 wrote to memory of 2352 1712 bb9e93860450ddea4a9f4faaa5f496fbe1e90715cbf89cfe28fff58224c79d56N.exe 31 PID 1712 wrote to memory of 2352 1712 bb9e93860450ddea4a9f4faaa5f496fbe1e90715cbf89cfe28fff58224c79d56N.exe 31 PID 2352 wrote to memory of 2360 2352 llfxrlf.exe 32 PID 2352 wrote to memory of 2360 2352 llfxrlf.exe 32 PID 2352 wrote to memory of 2360 2352 llfxrlf.exe 32 PID 2352 wrote to memory of 2360 2352 llfxrlf.exe 32 PID 2360 wrote to memory of 2376 2360 6602026.exe 33 PID 2360 wrote to memory of 2376 2360 6602026.exe 33 PID 2360 wrote to memory of 2376 2360 6602026.exe 33 PID 2360 wrote to memory of 2376 2360 6602026.exe 33 PID 2376 wrote to memory of 2844 2376 rxrxrrr.exe 34 PID 2376 wrote to memory of 2844 2376 rxrxrrr.exe 34 PID 2376 wrote to memory of 2844 2376 rxrxrrr.exe 34 PID 2376 wrote to memory of 2844 2376 rxrxrrr.exe 34 PID 2844 wrote to memory of 2304 2844 6084286.exe 35 PID 2844 wrote to memory of 2304 2844 6084286.exe 35 PID 2844 wrote to memory of 2304 2844 6084286.exe 35 PID 2844 wrote to memory of 2304 2844 6084286.exe 35 PID 2304 wrote to memory of 2656 2304 1nnnbb.exe 36 PID 2304 wrote to memory of 2656 2304 1nnnbb.exe 36 PID 2304 wrote to memory of 2656 2304 1nnnbb.exe 36 PID 2304 wrote to memory of 2656 2304 1nnnbb.exe 36 PID 2656 wrote to memory of 2800 2656 2842048.exe 37 PID 2656 wrote to memory of 2800 2656 2842048.exe 37 PID 2656 wrote to memory of 2800 2656 2842048.exe 37 PID 2656 wrote to memory of 2800 2656 2842048.exe 37 PID 2800 wrote to memory of 2672 2800 5pjjd.exe 38 PID 2800 wrote to memory of 2672 2800 5pjjd.exe 38 PID 2800 wrote to memory of 2672 2800 5pjjd.exe 38 PID 2800 wrote to memory of 2672 2800 5pjjd.exe 38 PID 2672 wrote to memory of 2204 2672 
hbhthn.exe 39 PID 2672 wrote to memory of 2204 2672 hbhthn.exe 39 PID 2672 wrote to memory of 2204 2672 hbhthn.exe 39 PID 2672 wrote to memory of 2204 2672 hbhthn.exe 39 PID 2204 wrote to memory of 920 2204 068840.exe 40 PID 2204 wrote to memory of 920 2204 068840.exe 40 PID 2204 wrote to memory of 920 2204 068840.exe 40 PID 2204 wrote to memory of 920 2204 068840.exe 40 PID 920 wrote to memory of 1872 920 24042.exe 41 PID 920 wrote to memory of 1872 920 24042.exe 41 PID 920 wrote to memory of 1872 920 24042.exe 41 PID 920 wrote to memory of 1872 920 24042.exe 41 PID 1872 wrote to memory of 2992 1872 3pddj.exe 42 PID 1872 wrote to memory of 2992 1872 3pddj.exe 42 PID 1872 wrote to memory of 2992 1872 3pddj.exe 42 PID 1872 wrote to memory of 2992 1872 3pddj.exe 42 PID 2992 wrote to memory of 1512 2992 bbnbht.exe 43 PID 2992 wrote to memory of 1512 2992 bbnbht.exe 43 PID 2992 wrote to memory of 1512 2992 bbnbht.exe 43 PID 2992 wrote to memory of 1512 2992 bbnbht.exe 43 PID 1512 wrote to memory of 3048 1512 xlxfffr.exe 44 PID 1512 wrote to memory of 3048 1512 xlxfffr.exe 44 PID 1512 wrote to memory of 3048 1512 xlxfffr.exe 44 PID 1512 wrote to memory of 3048 1512 xlxfffr.exe 44 PID 3048 wrote to memory of 2872 3048 2822628.exe 45 PID 3048 wrote to memory of 2872 3048 2822628.exe 45 PID 3048 wrote to memory of 2872 3048 2822628.exe 45 PID 3048 wrote to memory of 2872 3048 2822628.exe 45 PID 2872 wrote to memory of 376 2872 4402048.exe 46 PID 2872 wrote to memory of 376 2872 4402048.exe 46 PID 2872 wrote to memory of 376 2872 4402048.exe 46 PID 2872 wrote to memory of 376 2872 4402048.exe 46
Processes
-
C:\Users\Admin\AppData\Local\Temp\bb9e93860450ddea4a9f4faaa5f496fbe1e90715cbf89cfe28fff58224c79d56N.exe"C:\Users\Admin\AppData\Local\Temp\bb9e93860450ddea4a9f4faaa5f496fbe1e90715cbf89cfe28fff58224c79d56N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1712 -
\??\c:\llfxrlf.exec:\llfxrlf.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2352 -
\??\c:\6602026.exec:\6602026.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2360 -
\??\c:\rxrxrrr.exec:\rxrxrrr.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2376 -
\??\c:\6084286.exec:\6084286.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2844 -
\??\c:\1nnnbb.exec:\1nnnbb.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2304 -
\??\c:\2842048.exec:\2842048.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2656 -
\??\c:\5pjjd.exec:\5pjjd.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2800 -
\??\c:\hbhthn.exec:\hbhthn.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2672 -
\??\c:\068840.exec:\068840.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2204 -
\??\c:\24042.exec:\24042.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:920 -
\??\c:\3pddj.exec:\3pddj.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1872 -
\??\c:\bbnbht.exec:\bbnbht.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2992 -
\??\c:\xlxfffr.exec:\xlxfffr.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1512 -
\??\c:\2822628.exec:\2822628.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3048 -
\??\c:\4402048.exec:\4402048.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2872 -
\??\c:\s8808.exec:\s8808.exe17⤵
- Executes dropped EXE
PID:376 -
\??\c:\2066206.exec:\2066206.exe18⤵
- Executes dropped EXE
PID:1572 -
\??\c:\ntttth.exec:\ntttth.exe19⤵
- Executes dropped EXE
PID:2444 -
\??\c:\vjddp.exec:\vjddp.exe20⤵
- Executes dropped EXE
PID:1944 -
\??\c:\rrlffrf.exec:\rrlffrf.exe21⤵
- Executes dropped EXE
PID:1224 -
\??\c:\222446.exec:\222446.exe22⤵
- Executes dropped EXE
PID:1028 -
\??\c:\flllflf.exec:\flllflf.exe23⤵
- Executes dropped EXE
PID:2088 -
\??\c:\60082.exec:\60082.exe24⤵
- Executes dropped EXE
PID:976 -
\??\c:\dvvpv.exec:\dvvpv.exe25⤵
- Executes dropped EXE
PID:1468 -
\??\c:\hnnhnb.exec:\hnnhnb.exe26⤵
- Executes dropped EXE
PID:924 -
\??\c:\9lllfrf.exec:\9lllfrf.exe27⤵
- Executes dropped EXE
PID:2012 -
\??\c:\240802.exec:\240802.exe28⤵
- Executes dropped EXE
PID:2064 -
\??\c:\20622.exec:\20622.exe29⤵
- Executes dropped EXE
PID:2356 -
\??\c:\ttnnbb.exec:\ttnnbb.exe30⤵
- Executes dropped EXE
PID:1680 -
\??\c:\k86062.exec:\k86062.exe31⤵
- Executes dropped EXE
PID:272 -
\??\c:\g8628.exec:\g8628.exe32⤵
- Executes dropped EXE
PID:864 -
\??\c:\rxlffrl.exec:\rxlffrl.exe33⤵
- Executes dropped EXE
PID:2364 -
\??\c:\o486022.exec:\o486022.exe34⤵
- Executes dropped EXE
PID:1644 -
\??\c:\xrfffrl.exec:\xrfffrl.exe35⤵
- Executes dropped EXE
PID:2288 -
\??\c:\7bbbnb.exec:\7bbbnb.exe36⤵
- Executes dropped EXE
PID:2916 -
\??\c:\028462.exec:\028462.exe37⤵
- Executes dropped EXE
PID:2788 -
\??\c:\xrxrfrf.exec:\xrxrfrf.exe38⤵
- Executes dropped EXE
PID:2840 -
\??\c:\llxlflx.exec:\llxlflx.exe39⤵
- Executes dropped EXE
PID:2652 -
\??\c:\rllrfxr.exec:\rllrfxr.exe40⤵
- Executes dropped EXE
PID:1556 -
\??\c:\g6402.exec:\g6402.exe41⤵
- Executes dropped EXE
PID:2684 -
\??\c:\5nhnbb.exec:\5nhnbb.exe42⤵
- Executes dropped EXE
PID:2640 -
\??\c:\rlrxffx.exec:\rlrxffx.exe43⤵
- Executes dropped EXE
PID:1796 -
\??\c:\66280.exec:\66280.exe44⤵
- Executes dropped EXE
PID:2036 -
\??\c:\864606.exec:\864606.exe45⤵
- Executes dropped EXE
PID:3008 -
\??\c:\s8006.exec:\s8006.exe46⤵
- Executes dropped EXE
PID:1068 -
\??\c:\s4624.exec:\s4624.exe47⤵
- Executes dropped EXE
PID:1736 -
\??\c:\vpjpv.exec:\vpjpv.exe48⤵
- Executes dropped EXE
PID:2884 -
\??\c:\ppdpd.exec:\ppdpd.exe49⤵
- Executes dropped EXE
PID:2888 -
\??\c:\djddd.exec:\djddd.exe50⤵
- Executes dropped EXE
PID:904 -
\??\c:\djjvv.exec:\djjvv.exe51⤵
- Executes dropped EXE
PID:2968 -
\??\c:\hhtbbn.exec:\hhtbbn.exe52⤵
- Executes dropped EXE
PID:3036 -
\??\c:\nhnbbn.exec:\nhnbbn.exe53⤵
- Executes dropped EXE
PID:2028 -
\??\c:\jdddj.exec:\jdddj.exe54⤵
- Executes dropped EXE
PID:2456 -
\??\c:\400408.exec:\400408.exe55⤵
- Executes dropped EXE
PID:1956 -
\??\c:\i240620.exec:\i240620.exe56⤵
- Executes dropped EXE
PID:2296 -
\??\c:\w66488.exec:\w66488.exe57⤵
- Executes dropped EXE
PID:1944 -
\??\c:\20846.exec:\20846.exe58⤵
- Executes dropped EXE
PID:280 -
\??\c:\04628.exec:\04628.exe59⤵
- Executes dropped EXE
PID:1692 -
\??\c:\9nnnbt.exec:\9nnnbt.exe60⤵
- Executes dropped EXE
PID:1772 -
\??\c:\k68466.exec:\k68466.exe61⤵
- Executes dropped EXE
PID:2604 -
\??\c:\jdvpv.exec:\jdvpv.exe62⤵
- Executes dropped EXE
PID:2192 -
\??\c:\q40026.exec:\q40026.exe63⤵
- Executes dropped EXE
PID:1592 -
\??\c:\jddpv.exec:\jddpv.exe64⤵
- Executes dropped EXE
PID:1940 -
\??\c:\0648848.exec:\0648848.exe65⤵
- Executes dropped EXE
PID:2324 -
\??\c:\hbnntt.exec:\hbnntt.exe66⤵PID:1660
-
\??\c:\1llxxll.exec:\1llxxll.exe67⤵PID:2064
-
\??\c:\g0226.exec:\g0226.exe68⤵PID:2188
-
\??\c:\lfrlrrf.exec:\lfrlrrf.exe69⤵PID:2316
-
\??\c:\026442.exec:\026442.exe70⤵PID:2328
-
\??\c:\8846026.exec:\8846026.exe71⤵PID:2568
-
\??\c:\c862440.exec:\c862440.exe72⤵PID:864
-
\??\c:\ffxlxll.exec:\ffxlxll.exe73⤵PID:1176
-
\??\c:\2280868.exec:\2280868.exe74⤵PID:2580
-
\??\c:\btbhtb.exec:\btbhtb.exe75⤵PID:2940
-
\??\c:\40426.exec:\40426.exe76⤵PID:2936
-
\??\c:\nhtnbb.exec:\nhtnbb.exe77⤵PID:2764
-
\??\c:\48884.exec:\48884.exe78⤵PID:3056
-
\??\c:\9ffflrx.exec:\9ffflrx.exe79⤵PID:2912
-
\??\c:\44860.exec:\44860.exe80⤵PID:2688
-
\??\c:\068428.exec:\068428.exe81⤵PID:2704
-
\??\c:\m4464.exec:\m4464.exe82⤵PID:2680
-
\??\c:\24846.exec:\24846.exe83⤵PID:1104
-
\??\c:\tbnbbt.exec:\tbnbbt.exe84⤵PID:1540
-
\??\c:\lxxfflr.exec:\lxxfflr.exe85⤵PID:2848
-
\??\c:\8224268.exec:\8224268.exe86⤵PID:2988
-
\??\c:\xrlrllr.exec:\xrlrllr.exe87⤵PID:1480
-
\??\c:\2602680.exec:\2602680.exe88⤵PID:2964
-
\??\c:\0668406.exec:\0668406.exe89⤵PID:2856
-
\??\c:\w60644.exec:\w60644.exe90⤵PID:316
-
\??\c:\26626.exec:\26626.exe91⤵PID:2024
-
\??\c:\6040048.exec:\6040048.exe92⤵PID:1700
-
\??\c:\860442.exec:\860442.exe93⤵PID:2472
-
\??\c:\68282.exec:\68282.exe94⤵PID:1892
-
\??\c:\vppjv.exec:\vppjv.exe95⤵PID:2244
-
\??\c:\tnbbbn.exec:\tnbbbn.exe96⤵PID:2560
-
\??\c:\7xrxffx.exec:\7xrxffx.exe97⤵PID:2572
-
\??\c:\pvvvd.exec:\pvvvd.exe98⤵PID:2484
-
\??\c:\w86684.exec:\w86684.exe99⤵PID:2512
-
\??\c:\2268846.exec:\2268846.exe100⤵PID:1248
-
\??\c:\ppvdd.exec:\ppvdd.exe101⤵PID:2228
-
\??\c:\60242.exec:\60242.exe102⤵PID:1448
-
\??\c:\s4202.exec:\s4202.exe103⤵PID:284
-
\??\c:\06244.exec:\06244.exe104⤵PID:2164
-
\??\c:\48800.exec:\48800.exe105⤵PID:2404
-
\??\c:\2080842.exec:\2080842.exe106⤵PID:1984
-
\??\c:\684824.exec:\684824.exe107⤵PID:2432
-
\??\c:\thnnhh.exec:\thnnhh.exe108⤵PID:912
-
\??\c:\lxxxfxr.exec:\lxxxfxr.exe109⤵PID:1712
-
\??\c:\666484.exec:\666484.exe110⤵PID:2436
-
\??\c:\82280.exec:\82280.exe111⤵PID:1528
-
\??\c:\vjjdp.exec:\vjjdp.exe112⤵PID:1900
-
\??\c:\q46248.exec:\q46248.exe113⤵PID:2724
-
\??\c:\jjjjp.exec:\jjjjp.exe114⤵PID:2376
-
\??\c:\rrflxxl.exec:\rrflxxl.exe115⤵PID:2180
-
\??\c:\260202.exec:\260202.exe116⤵PID:2944
-
\??\c:\480066.exec:\480066.exe117⤵PID:2840
-
\??\c:\826462.exec:\826462.exe118⤵PID:2652
-
\??\c:\04068.exec:\04068.exe119⤵PID:1556
-
\??\c:\046628.exec:\046628.exe120⤵PID:2684
-
\??\c:\02068.exec:\02068.exe121⤵PID:2640
-
\??\c:\thnbtb.exec:\thnbtb.exe122⤵PID:2524
-