Analysis
-
max time kernel
120s -
max time network
17s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64 arch:x86 image:win7-20240729-en locale:en-us os:windows7-x64 system -
submitted
18/10/2024, 17:30
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
ac585616fb131218e8ddad860db6c8bf254bb3f93c477f52d87de74c7d5728bdN.exe
Resource
win7-20240729-en
6 signatures
120 seconds
General
-
Target
ac585616fb131218e8ddad860db6c8bf254bb3f93c477f52d87de74c7d5728bdN.exe
-
Size
64KB
-
MD5
4ac73c8d389f30c9b1792afe3a6819d0
-
SHA1
72358171ca7bbd162b65cec2ed83426bc81c853f
-
SHA256
ac585616fb131218e8ddad860db6c8bf254bb3f93c477f52d87de74c7d5728bd
-
SHA512
59b4410d4defed00985baeb788f223583768928d888ee39d58975235e3114e2e738bf2cd5ffde48a52364afc694c83ae389d3880cda1d94d788dc9f08a754370
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxND0yU+kbxi5Cx:ymb3NkkiQ3mdBjF0y7kbqCx
Malware Config
Signatures
-
Detect Blackmoon payload 22 IoCs
resource yara_rule behavioral1/memory/2640-4-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2328-14-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2804-25-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2664-37-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2804-32-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2636-47-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2768-66-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/1856-69-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/1208-93-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/892-89-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2968-109-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2356-127-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2824-135-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2884-145-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/700-181-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/1028-207-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/900-235-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2320-243-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2936-252-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2516-261-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2508-279-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon 
behavioral1/memory/1048-288-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2328 tbtnnt.exe 2804 ppjdd.exe 2664 xfxrffl.exe 2636 tbbnht.exe 2768 7dvdj.exe 1856 hbthth.exe 892 tbnbbt.exe 1208 bhnhnt.exe 2968 jjdvj.exe 1808 1flffxx.exe 2356 tnhbtt.exe 2824 7htnnh.exe 2884 vjjvj.exe 2172 flfrrfr.exe 2012 nhhbbn.exe 1136 jpvpd.exe 700 pdjdj.exe 2092 3ffrflr.exe 688 nbbhtb.exe 1028 5thttn.exe 3004 ppddj.exe 2000 1xlxlff.exe 900 9rllflr.exe 2320 nthttn.exe 2936 jdpvj.exe 2516 rffrxrl.exe 1660 hbhbbt.exe 2508 3pjdv.exe 1048 xrllxlr.exe 2672 7hbbnt.exe 2236 dvddj.exe 2704 fflfrfx.exe 2700 5xxllrf.exe 2800 bhnbnt.exe 2064 nthbtb.exe 2552 3vppj.exe 2580 ddppj.exe 2768 rlxfrxl.exe 556 tnbttb.exe 1796 hnnbbn.exe 448 vpdjj.exe 2972 flxlfrx.exe 1504 xrlrfrx.exe 1952 tbnnbb.exe 1808 hnhtbb.exe 1824 5vdjd.exe 2856 7xffrxx.exe 2644 ffxxlrr.exe 2208 7bhnht.exe 2172 pdpjv.exe 1148 ppjvv.exe 292 xrrxfxf.exe 2344 5hnttt.exe 1964 vpddv.exe 1256 5dpvp.exe 688 rrxrxlx.exe 2120 lrxrrxl.exe 468 tnhbhb.exe 1076 vpdjp.exe 1940 5vvjd.exe 1816 1lrxrrl.exe 1752 htbbnt.exe 544 jdvvp.exe 2472 7jpvj.exe -
resource yara_rule behavioral1/memory/2640-4-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2328-14-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2804-25-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2664-37-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2804-32-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2804-23-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2804-22-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2636-47-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2768-57-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2768-56-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2768-66-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1856-69-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/892-80-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/892-79-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1208-93-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1208-92-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/892-89-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2968-109-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2356-127-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2824-135-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2884-145-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/700-181-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1028-207-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/900-235-0x0000000000400000-0x0000000000429000-memory.dmp upx 
behavioral1/memory/2320-243-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2936-252-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2516-261-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2508-279-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1048-288-0x0000000000400000-0x0000000000429000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppdpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbtthb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5lxxlll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffxfxxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxrflfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frrrxxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frrffrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppjvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrfflrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlxfflx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flxlrlr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process 
not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9xfrlrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2640 wrote to memory of 2328 2640 ac585616fb131218e8ddad860db6c8bf254bb3f93c477f52d87de74c7d5728bdN.exe 30 PID 2640 wrote to memory of 2328 2640 ac585616fb131218e8ddad860db6c8bf254bb3f93c477f52d87de74c7d5728bdN.exe 30 PID 2640 wrote to memory of 2328 2640 ac585616fb131218e8ddad860db6c8bf254bb3f93c477f52d87de74c7d5728bdN.exe 30 PID 2640 wrote to memory of 2328 2640 ac585616fb131218e8ddad860db6c8bf254bb3f93c477f52d87de74c7d5728bdN.exe 30 PID 2328 wrote to memory of 2804 2328 tbtnnt.exe 31 PID 2328 wrote to memory of 2804 2328 tbtnnt.exe 31 PID 2328 wrote to memory of 2804 2328 tbtnnt.exe 31 PID 2328 wrote to memory of 2804 2328 tbtnnt.exe 31 PID 2804 wrote to memory of 2664 2804 ppjdd.exe 32 PID 2804 wrote to memory of 2664 2804 ppjdd.exe 32 PID 2804 wrote to memory of 2664 2804 ppjdd.exe 32 PID 2804 wrote to memory of 2664 2804 ppjdd.exe 32 PID 2664 wrote to memory of 2636 2664 xfxrffl.exe 33 PID 2664 wrote to memory of 2636 2664 xfxrffl.exe 33 PID 2664 wrote to memory of 2636 2664 xfxrffl.exe 33 PID 2664 wrote to memory of 2636 2664 xfxrffl.exe 33 PID 2636 wrote to memory of 2768 2636 tbbnht.exe 34 PID 2636 wrote to memory of 2768 2636 tbbnht.exe 34 PID 2636 wrote to memory of 2768 2636 tbbnht.exe 34 PID 2636 wrote to memory of 2768 2636 tbbnht.exe 34 PID 2768 wrote to memory of 1856 2768 7dvdj.exe 35 PID 2768 wrote to memory of 1856 2768 7dvdj.exe 35 PID 2768 wrote to memory of 1856 2768 7dvdj.exe 35 PID 2768 wrote to memory of 1856 2768 7dvdj.exe 35 PID 1856 wrote to memory of 892 1856 hbthth.exe 36 PID 1856 wrote to memory of 892 1856 hbthth.exe 36 PID 1856 wrote to memory of 892 1856 hbthth.exe 36 PID 1856 wrote to memory of 892 1856 hbthth.exe 36 PID 892 wrote to memory of 1208 892 tbnbbt.exe 37 PID 892 wrote to memory of 1208 892 tbnbbt.exe 37 PID 892 wrote to memory of 1208 892 tbnbbt.exe 37 PID 892 wrote to memory of 1208 892 tbnbbt.exe 37 PID 1208 wrote to memory of 2968 1208 bhnhnt.exe 38 PID 1208 wrote to memory 
of 2968 1208 bhnhnt.exe 38 PID 1208 wrote to memory of 2968 1208 bhnhnt.exe 38 PID 1208 wrote to memory of 2968 1208 bhnhnt.exe 38 PID 2968 wrote to memory of 1808 2968 jjdvj.exe 39 PID 2968 wrote to memory of 1808 2968 jjdvj.exe 39 PID 2968 wrote to memory of 1808 2968 jjdvj.exe 39 PID 2968 wrote to memory of 1808 2968 jjdvj.exe 39 PID 1808 wrote to memory of 2356 1808 1flffxx.exe 40 PID 1808 wrote to memory of 2356 1808 1flffxx.exe 40 PID 1808 wrote to memory of 2356 1808 1flffxx.exe 40 PID 1808 wrote to memory of 2356 1808 1flffxx.exe 40 PID 2356 wrote to memory of 2824 2356 tnhbtt.exe 41 PID 2356 wrote to memory of 2824 2356 tnhbtt.exe 41 PID 2356 wrote to memory of 2824 2356 tnhbtt.exe 41 PID 2356 wrote to memory of 2824 2356 tnhbtt.exe 41 PID 2824 wrote to memory of 2884 2824 7htnnh.exe 42 PID 2824 wrote to memory of 2884 2824 7htnnh.exe 42 PID 2824 wrote to memory of 2884 2824 7htnnh.exe 42 PID 2824 wrote to memory of 2884 2824 7htnnh.exe 42 PID 2884 wrote to memory of 2172 2884 vjjvj.exe 43 PID 2884 wrote to memory of 2172 2884 vjjvj.exe 43 PID 2884 wrote to memory of 2172 2884 vjjvj.exe 43 PID 2884 wrote to memory of 2172 2884 vjjvj.exe 43 PID 2172 wrote to memory of 2012 2172 flfrrfr.exe 44 PID 2172 wrote to memory of 2012 2172 flfrrfr.exe 44 PID 2172 wrote to memory of 2012 2172 flfrrfr.exe 44 PID 2172 wrote to memory of 2012 2172 flfrrfr.exe 44 PID 2012 wrote to memory of 1136 2012 nhhbbn.exe 45 PID 2012 wrote to memory of 1136 2012 nhhbbn.exe 45 PID 2012 wrote to memory of 1136 2012 nhhbbn.exe 45 PID 2012 wrote to memory of 1136 2012 nhhbbn.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\ac585616fb131218e8ddad860db6c8bf254bb3f93c477f52d87de74c7d5728bdN.exe"C:\Users\Admin\AppData\Local\Temp\ac585616fb131218e8ddad860db6c8bf254bb3f93c477f52d87de74c7d5728bdN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2640 -
\??\c:\tbtnnt.exec:\tbtnnt.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2328 -
\??\c:\ppjdd.exec:\ppjdd.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2804 -
\??\c:\xfxrffl.exec:\xfxrffl.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2664 -
\??\c:\tbbnht.exec:\tbbnht.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2636 -
\??\c:\7dvdj.exec:\7dvdj.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2768 -
\??\c:\hbthth.exec:\hbthth.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1856 -
\??\c:\tbnbbt.exec:\tbnbbt.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:892 -
\??\c:\bhnhnt.exec:\bhnhnt.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1208 -
\??\c:\jjdvj.exec:\jjdvj.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2968 -
\??\c:\1flffxx.exec:\1flffxx.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1808 -
\??\c:\tnhbtt.exec:\tnhbtt.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2356 -
\??\c:\7htnnh.exec:\7htnnh.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2824 -
\??\c:\vjjvj.exec:\vjjvj.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2884 -
\??\c:\flfrrfr.exec:\flfrrfr.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2172 -
\??\c:\nhhbbn.exec:\nhhbbn.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2012 -
\??\c:\jpvpd.exec:\jpvpd.exe17⤵
- Executes dropped EXE
PID:1136 -
\??\c:\pdjdj.exec:\pdjdj.exe18⤵
- Executes dropped EXE
PID:700 -
\??\c:\3ffrflr.exec:\3ffrflr.exe19⤵
- Executes dropped EXE
PID:2092 -
\??\c:\nbbhtb.exec:\nbbhtb.exe20⤵
- Executes dropped EXE
PID:688 -
\??\c:\5thttn.exec:\5thttn.exe21⤵
- Executes dropped EXE
PID:1028 -
\??\c:\ppddj.exec:\ppddj.exe22⤵
- Executes dropped EXE
PID:3004 -
\??\c:\1xlxlff.exec:\1xlxlff.exe23⤵
- Executes dropped EXE
PID:2000 -
\??\c:\9rllflr.exec:\9rllflr.exe24⤵
- Executes dropped EXE
PID:900 -
\??\c:\nthttn.exec:\nthttn.exe25⤵
- Executes dropped EXE
PID:2320 -
\??\c:\jdpvj.exec:\jdpvj.exe26⤵
- Executes dropped EXE
PID:2936 -
\??\c:\rffrxrl.exec:\rffrxrl.exe27⤵
- Executes dropped EXE
PID:2516 -
\??\c:\hbhbbt.exec:\hbhbbt.exe28⤵
- Executes dropped EXE
PID:1660 -
\??\c:\3pjdv.exec:\3pjdv.exe29⤵
- Executes dropped EXE
PID:2508 -
\??\c:\xrllxlr.exec:\xrllxlr.exe30⤵
- Executes dropped EXE
PID:1048 -
\??\c:\7hbbnt.exec:\7hbbnt.exe31⤵
- Executes dropped EXE
PID:2672 -
\??\c:\dvddj.exec:\dvddj.exe32⤵
- Executes dropped EXE
PID:2236 -
\??\c:\fflfrfx.exec:\fflfrfx.exe33⤵
- Executes dropped EXE
PID:2704 -
\??\c:\5xxllrf.exec:\5xxllrf.exe34⤵
- Executes dropped EXE
PID:2700 -
\??\c:\bhnbnt.exec:\bhnbnt.exe35⤵
- Executes dropped EXE
PID:2800 -
\??\c:\nthbtb.exec:\nthbtb.exe36⤵
- Executes dropped EXE
PID:2064 -
\??\c:\3vppj.exec:\3vppj.exe37⤵
- Executes dropped EXE
PID:2552 -
\??\c:\ddppj.exec:\ddppj.exe38⤵
- Executes dropped EXE
PID:2580 -
\??\c:\rlxfrxl.exec:\rlxfrxl.exe39⤵
- Executes dropped EXE
PID:2768 -
\??\c:\tnbttb.exec:\tnbttb.exe40⤵
- Executes dropped EXE
PID:556 -
\??\c:\hnnbbn.exec:\hnnbbn.exe41⤵
- Executes dropped EXE
PID:1796 -
\??\c:\vpdjj.exec:\vpdjj.exe42⤵
- Executes dropped EXE
PID:448 -
\??\c:\flxlfrx.exec:\flxlfrx.exe43⤵
- Executes dropped EXE
PID:2972 -
\??\c:\xrlrfrx.exec:\xrlrfrx.exe44⤵
- Executes dropped EXE
PID:1504 -
\??\c:\tbnnbb.exec:\tbnnbb.exe45⤵
- Executes dropped EXE
PID:1952 -
\??\c:\hnhtbb.exec:\hnhtbb.exe46⤵
- Executes dropped EXE
PID:1808 -
\??\c:\5vdjd.exec:\5vdjd.exe47⤵
- Executes dropped EXE
PID:1824 -
\??\c:\7xffrxx.exec:\7xffrxx.exe48⤵
- Executes dropped EXE
PID:2856 -
\??\c:\ffxxlrr.exec:\ffxxlrr.exe49⤵
- Executes dropped EXE
PID:2644 -
\??\c:\7bhnht.exec:\7bhnht.exe50⤵
- Executes dropped EXE
PID:2208 -
\??\c:\pdpjv.exec:\pdpjv.exe51⤵
- Executes dropped EXE
PID:2172 -
\??\c:\ppjvv.exec:\ppjvv.exe52⤵
- Executes dropped EXE
PID:1148 -
\??\c:\xrrxfxf.exec:\xrrxfxf.exe53⤵
- Executes dropped EXE
PID:292 -
\??\c:\5hnttt.exec:\5hnttt.exe54⤵
- Executes dropped EXE
PID:2344 -
\??\c:\vpddv.exec:\vpddv.exe55⤵
- Executes dropped EXE
PID:1964 -
\??\c:\5dpvp.exec:\5dpvp.exe56⤵
- Executes dropped EXE
PID:1256 -
\??\c:\rrxrxlx.exec:\rrxrxlx.exe57⤵
- Executes dropped EXE
PID:688 -
\??\c:\lrxrrxl.exec:\lrxrrxl.exe58⤵
- Executes dropped EXE
PID:2120 -
\??\c:\tnhbhb.exec:\tnhbhb.exe59⤵
- Executes dropped EXE
PID:468 -
\??\c:\vpdjp.exec:\vpdjp.exe60⤵
- Executes dropped EXE
PID:1076 -
\??\c:\5vvjd.exec:\5vvjd.exe61⤵
- Executes dropped EXE
PID:1940 -
\??\c:\1lrxrrl.exec:\1lrxrrl.exe62⤵
- Executes dropped EXE
PID:1816 -
\??\c:\htbbnt.exec:\htbbnt.exe63⤵
- Executes dropped EXE
PID:1752 -
\??\c:\jdvvp.exec:\jdvvp.exe64⤵
- Executes dropped EXE
PID:544 -
\??\c:\7jpvj.exec:\7jpvj.exe65⤵
- Executes dropped EXE
PID:2472 -
\??\c:\7fxfllx.exec:\7fxfllx.exe66⤵PID:1764
-
\??\c:\nnhthn.exec:\nnhthn.exe67⤵PID:1492
-
\??\c:\pvpvd.exec:\pvpvd.exe68⤵PID:1044
-
\??\c:\7ppvv.exec:\7ppvv.exe69⤵PID:2084
-
\??\c:\ffrflxf.exec:\ffrflxf.exe70⤵PID:2748
-
\??\c:\7lflxlr.exec:\7lflxlr.exe71⤵PID:2752
-
\??\c:\hbntnb.exec:\hbntnb.exe72⤵PID:1592
-
\??\c:\vdpjp.exec:\vdpjp.exe73⤵PID:2704
-
\??\c:\3xlfrrf.exec:\3xlfrrf.exe74⤵PID:2584
-
\??\c:\fxfxrxl.exec:\fxfxrxl.exe75⤵PID:2944
-
\??\c:\tnnhhn.exec:\tnnhhn.exe76⤵PID:2636
-
\??\c:\tnttbn.exec:\tnttbn.exe77⤵PID:2572
-
\??\c:\ddpvj.exec:\ddpvj.exe78⤵PID:2784
-
\??\c:\lrrrxff.exec:\lrrrxff.exe79⤵PID:3024
-
\??\c:\lrffrff.exec:\lrffrff.exe80⤵PID:3016
-
\??\c:\ntthbt.exec:\ntthbt.exe81⤵PID:1320
-
\??\c:\dpvdj.exec:\dpvdj.exe82⤵PID:2528
-
\??\c:\jdjvd.exec:\jdjvd.exe83⤵PID:2180
-
\??\c:\rlrxfrx.exec:\rlrxfrx.exe84⤵PID:2220
-
\??\c:\lxllrxx.exec:\lxllrxx.exe85⤵PID:2096
-
\??\c:\htbtbn.exec:\htbtbn.exe86⤵PID:1652
-
\??\c:\vdppv.exec:\vdppv.exe87⤵PID:2616
-
\??\c:\jjjjv.exec:\jjjjv.exe88⤵PID:1520
-
\??\c:\xlxrxxf.exec:\xlxrxxf.exe89⤵PID:2376
-
\??\c:\5xlfxlx.exec:\5xlfxlx.exe90⤵PID:2904
-
\??\c:\3tbhhh.exec:\3tbhhh.exe91⤵PID:2012
-
\??\c:\3pvjp.exec:\3pvjp.exe92⤵PID:580
-
\??\c:\ddpvj.exec:\ddpvj.exe93⤵PID:2040
-
\??\c:\xxrxxxr.exec:\xxrxxxr.exe94⤵PID:1836
-
\??\c:\flxxrrl.exec:\flxxrrl.exe95⤵PID:2160
-
\??\c:\ntbtnb.exec:\ntbtnb.exe96⤵PID:2632
-
\??\c:\dvddj.exec:\dvddj.exe97⤵PID:3048
-
\??\c:\pjjpd.exec:\pjjpd.exe98⤵PID:2164
-
\??\c:\rllflrx.exec:\rllflrx.exe99⤵PID:2068
-
\??\c:\lxllrxr.exec:\lxllrxr.exe100⤵PID:2060
-
\??\c:\tbtbnt.exec:\tbtbnt.exe101⤵PID:1488
-
\??\c:\bthnbn.exec:\bthnbn.exe102⤵PID:1776
-
\??\c:\jjpdd.exec:\jjpdd.exe103⤵PID:2936
-
\??\c:\9rrrxrf.exec:\9rrrxrf.exe104⤵PID:560
-
\??\c:\5lrxllr.exec:\5lrxllr.exe105⤵PID:2052
-
\??\c:\ttbhbh.exec:\ttbhbh.exe106⤵PID:1660
-
\??\c:\hnbntn.exec:\hnbntn.exe107⤵PID:1828
-
\??\c:\vvpdj.exec:\vvpdj.exe108⤵PID:1792
-
\??\c:\7lxrfrl.exec:\7lxrfrl.exe109⤵PID:2100
-
\??\c:\xrrxlxl.exec:\xrrxlxl.exe110⤵PID:2756
-
\??\c:\tnhtbn.exec:\tnhtbn.exe111⤵PID:2236
-
\??\c:\dvvdd.exec:\dvvdd.exe112⤵PID:2688
-
\??\c:\1jvvd.exec:\1jvvd.exe113⤵PID:1564
-
\??\c:\xfrlxxl.exec:\xfrlxxl.exe114⤵PID:2896
-
\??\c:\ffxlfrl.exec:\ffxlfrl.exe115⤵PID:2576
-
\??\c:\htnnhh.exec:\htnnhh.exe116⤵PID:2908
-
\??\c:\pjdjd.exec:\pjdjd.exe117⤵PID:2600
-
\??\c:\djjvd.exec:\djjvd.exe118⤵PID:2592
-
\??\c:\xxfrfrl.exec:\xxfrfrl.exe119⤵PID:2780
-
\??\c:\1rfxfxf.exec:\1rfxfxf.exe120⤵PID:892
-
\??\c:\7tthtb.exec:\7tthtb.exe121⤵PID:1912
-
\??\c:\nbhbtt.exec:\nbhbtt.exe122⤵PID:316