Analysis
-
max time kernel
120s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
18/10/2024, 20:07
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
93148fbc09b4f0113fbce0c0b229f9bc287487fe25bd3760a43a5abf9eaec1c9N.exe
Resource
win7-20240903-en
6 signatures
120 seconds
General
-
Target
93148fbc09b4f0113fbce0c0b229f9bc287487fe25bd3760a43a5abf9eaec1c9N.exe
-
Size
80KB
-
MD5
5e53a307d9279384ffed6086ed77e4f0
-
SHA1
e8ec49e3c3817f374bdb22e37333e3c339e6cdd8
-
SHA256
93148fbc09b4f0113fbce0c0b229f9bc287487fe25bd3760a43a5abf9eaec1c9
-
SHA512
814d330c33729fd048cc3e61c6a3e9bef0cc120b373ed53a3780928dbac648a258f5cde096dd3b84dff5758e1876e1c68f5acd2ab665747265da25e00691942e
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDoLU1gxmcK8kZOt:ymb3NkkiQ3mdBjFoLkmW8ky
Malware Config
Signatures
-
Detect Blackmoon payload 24 IoCs
resource yara_rule behavioral1/memory/2640-3-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2812-24-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2696-19-0x0000000000401000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2696-18-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2108-41-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2108-40-0x0000000000401000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2736-54-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2544-64-0x0000000000401000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2544-65-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2720-78-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/1528-83-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/1868-100-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2240-108-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2832-118-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/652-126-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2440-136-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/1120-180-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2424-190-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2400-199-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2232-208-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/1612-226-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon 
behavioral1/memory/2944-261-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2084-279-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2176-288-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2696 pvddv.exe 2812 flfxxfx.exe 2108 bbtnht.exe 2736 9djpd.exe 2544 nnhbbh.exe 2720 pdvjp.exe 1528 5tthth.exe 1868 dddpj.exe 2240 1fxfrrx.exe 2832 xrxxrfl.exe 652 ttthht.exe 2440 djjdd.exe 2752 xxrxrfr.exe 2840 fxlrxll.exe 852 3bthbn.exe 2524 nnhntb.exe 1120 pppjp.exe 2424 flxfffl.exe 2400 hntnbt.exe 2232 nhnntb.exe 2956 7vpdp.exe 1612 frrxfll.exe 1268 hhtbbb.exe 568 hnntnb.exe 2732 vpjjp.exe 2944 5xxfxfr.exe 564 rlxrlrl.exe 2084 hhhbbb.exe 2176 vddpj.exe 548 rrfrrff.exe 2796 tttnbh.exe 2684 bhtnnb.exe 2712 vpdjd.exe 2760 rrrfffr.exe 1688 lrxxlxx.exe 2572 bbtbnn.exe 2884 bthtnb.exe 2672 jjjdj.exe 2624 xrffxfx.exe 3020 xrxllxl.exe 2872 5bhntb.exe 1080 jdjdj.exe 2288 1jvvj.exe 2408 rlxrlrf.exe 1308 xxxrlrl.exe 1564 nhbhhb.exe 1704 jjjpd.exe 2440 jjdjv.exe 1760 lllxrxl.exe 592 ffxrxfr.exe 2844 nhbhnt.exe 2044 hbtbhn.exe 2524 vpdpv.exe 2404 5rrxlrf.exe 2392 xrlxfrf.exe 2220 hbthnb.exe 1820 bbbntb.exe 700 jjvpv.exe 1880 9lrfxlf.exe 236 llrlrff.exe 2284 tnnbbn.exe 1400 bbnbbn.exe 1048 pppjj.exe 1216 xrflxfx.exe -
resource yara_rule behavioral1/memory/2640-3-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2812-24-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2696-18-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2108-41-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2736-45-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2736-44-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2736-54-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2544-65-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2720-69-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2720-68-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2720-78-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1528-83-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1868-91-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1868-90-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1868-100-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2240-108-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2832-118-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/652-126-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2440-136-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1120-180-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2424-190-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2400-199-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2232-208-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1612-226-0x0000000000400000-0x0000000000429000-memory.dmp upx 
behavioral1/memory/2944-261-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2084-279-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2176-288-0x0000000000400000-0x0000000000429000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
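Attempts to gather information about the system language of a victim in order to infer the geographical location of that host. On its own this registry read is a weak signal, since benign programs commonly open the same NLS\Language key during locale initialisation; weigh it together with the other signatures in this report.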
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbhthh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpjjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppjjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hntnbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjdjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjvdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5pvpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1nbbnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnnbhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddvdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tntntn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7ttbbh.exe Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjvdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxxrlll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lffrlrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xffxxrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9vpjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5ntnth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2640 wrote to memory of 2696 2640 93148fbc09b4f0113fbce0c0b229f9bc287487fe25bd3760a43a5abf9eaec1c9N.exe 31 PID 2640 wrote to memory of 2696 2640 93148fbc09b4f0113fbce0c0b229f9bc287487fe25bd3760a43a5abf9eaec1c9N.exe 31 PID 2640 wrote to memory of 2696 2640 93148fbc09b4f0113fbce0c0b229f9bc287487fe25bd3760a43a5abf9eaec1c9N.exe 31 PID 2640 wrote to memory of 2696 2640 93148fbc09b4f0113fbce0c0b229f9bc287487fe25bd3760a43a5abf9eaec1c9N.exe 31 PID 2696 wrote to memory of 2812 2696 pvddv.exe 32 PID 2696 wrote to memory of 2812 2696 pvddv.exe 32 PID 2696 wrote to memory of 2812 2696 pvddv.exe 32 PID 2696 wrote to memory of 2812 2696 pvddv.exe 32 PID 2812 wrote to memory of 2108 2812 flfxxfx.exe 33 PID 2812 wrote to memory of 2108 2812 flfxxfx.exe 33 PID 2812 wrote to memory of 2108 2812 flfxxfx.exe 33 PID 2812 wrote to memory of 2108 2812 flfxxfx.exe 33 PID 2108 wrote to memory of 2736 2108 bbtnht.exe 34 PID 2108 wrote to memory of 2736 2108 bbtnht.exe 34 PID 2108 wrote to memory of 2736 2108 bbtnht.exe 34 PID 2108 wrote to memory of 2736 2108 bbtnht.exe 34 PID 2736 wrote to memory of 2544 2736 9djpd.exe 35 PID 2736 wrote to memory of 2544 2736 9djpd.exe 35 PID 2736 wrote to memory of 2544 2736 9djpd.exe 35 PID 2736 wrote to memory of 2544 2736 9djpd.exe 35 PID 2544 wrote to memory of 2720 2544 nnhbbh.exe 36 PID 2544 wrote to memory of 2720 2544 nnhbbh.exe 36 PID 2544 wrote to memory of 2720 2544 nnhbbh.exe 36 PID 2544 wrote to memory of 2720 2544 nnhbbh.exe 36 PID 2720 wrote to memory of 1528 2720 pdvjp.exe 37 PID 2720 wrote to memory of 1528 2720 pdvjp.exe 37 PID 2720 wrote to memory of 1528 2720 pdvjp.exe 37 PID 2720 wrote to memory of 1528 2720 pdvjp.exe 37 PID 1528 wrote to memory of 1868 1528 5tthth.exe 38 PID 1528 wrote to memory of 1868 1528 5tthth.exe 38 PID 1528 wrote to memory of 1868 1528 5tthth.exe 38 PID 1528 wrote to memory of 1868 1528 5tthth.exe 38 PID 1868 wrote to memory of 2240 1868 dddpj.exe 39 PID 1868 wrote to 
memory of 2240 1868 dddpj.exe 39 PID 1868 wrote to memory of 2240 1868 dddpj.exe 39 PID 1868 wrote to memory of 2240 1868 dddpj.exe 39 PID 2240 wrote to memory of 2832 2240 1fxfrrx.exe 40 PID 2240 wrote to memory of 2832 2240 1fxfrrx.exe 40 PID 2240 wrote to memory of 2832 2240 1fxfrrx.exe 40 PID 2240 wrote to memory of 2832 2240 1fxfrrx.exe 40 PID 2832 wrote to memory of 652 2832 xrxxrfl.exe 41 PID 2832 wrote to memory of 652 2832 xrxxrfl.exe 41 PID 2832 wrote to memory of 652 2832 xrxxrfl.exe 41 PID 2832 wrote to memory of 652 2832 xrxxrfl.exe 41 PID 652 wrote to memory of 2440 652 ttthht.exe 42 PID 652 wrote to memory of 2440 652 ttthht.exe 42 PID 652 wrote to memory of 2440 652 ttthht.exe 42 PID 652 wrote to memory of 2440 652 ttthht.exe 42 PID 2440 wrote to memory of 2752 2440 djjdd.exe 43 PID 2440 wrote to memory of 2752 2440 djjdd.exe 43 PID 2440 wrote to memory of 2752 2440 djjdd.exe 43 PID 2440 wrote to memory of 2752 2440 djjdd.exe 43 PID 2752 wrote to memory of 2840 2752 xxrxrfr.exe 44 PID 2752 wrote to memory of 2840 2752 xxrxrfr.exe 44 PID 2752 wrote to memory of 2840 2752 xxrxrfr.exe 44 PID 2752 wrote to memory of 2840 2752 xxrxrfr.exe 44 PID 2840 wrote to memory of 852 2840 fxlrxll.exe 45 PID 2840 wrote to memory of 852 2840 fxlrxll.exe 45 PID 2840 wrote to memory of 852 2840 fxlrxll.exe 45 PID 2840 wrote to memory of 852 2840 fxlrxll.exe 45 PID 852 wrote to memory of 2524 852 3bthbn.exe 46 PID 852 wrote to memory of 2524 852 3bthbn.exe 46 PID 852 wrote to memory of 2524 852 3bthbn.exe 46 PID 852 wrote to memory of 2524 852 3bthbn.exe 46
Processes
-
C:\Users\Admin\AppData\Local\Temp\93148fbc09b4f0113fbce0c0b229f9bc287487fe25bd3760a43a5abf9eaec1c9N.exe"C:\Users\Admin\AppData\Local\Temp\93148fbc09b4f0113fbce0c0b229f9bc287487fe25bd3760a43a5abf9eaec1c9N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2640 -
\??\c:\pvddv.exec:\pvddv.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2696 -
\??\c:\flfxxfx.exec:\flfxxfx.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2812 -
\??\c:\bbtnht.exec:\bbtnht.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2108 -
\??\c:\9djpd.exec:\9djpd.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2736 -
\??\c:\nnhbbh.exec:\nnhbbh.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2544 -
\??\c:\pdvjp.exec:\pdvjp.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2720 -
\??\c:\5tthth.exec:\5tthth.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1528 -
\??\c:\dddpj.exec:\dddpj.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1868 -
\??\c:\1fxfrrx.exec:\1fxfrrx.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2240 -
\??\c:\xrxxrfl.exec:\xrxxrfl.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2832 -
\??\c:\ttthht.exec:\ttthht.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:652 -
\??\c:\djjdd.exec:\djjdd.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2440 -
\??\c:\xxrxrfr.exec:\xxrxrfr.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2752 -
\??\c:\fxlrxll.exec:\fxlrxll.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2840 -
\??\c:\3bthbn.exec:\3bthbn.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:852 -
\??\c:\nnhntb.exec:\nnhntb.exe17⤵
- Executes dropped EXE
PID:2524 -
\??\c:\pppjp.exec:\pppjp.exe18⤵
- Executes dropped EXE
PID:1120 -
\??\c:\flxfffl.exec:\flxfffl.exe19⤵
- Executes dropped EXE
PID:2424 -
\??\c:\hntnbt.exec:\hntnbt.exe20⤵
- Executes dropped EXE
PID:2400 -
\??\c:\nhnntb.exec:\nhnntb.exe21⤵
- Executes dropped EXE
PID:2232 -
\??\c:\7vpdp.exec:\7vpdp.exe22⤵
- Executes dropped EXE
PID:2956 -
\??\c:\frrxfll.exec:\frrxfll.exe23⤵
- Executes dropped EXE
PID:1612 -
\??\c:\hhtbbb.exec:\hhtbbb.exe24⤵
- Executes dropped EXE
PID:1268 -
\??\c:\hnntnb.exec:\hnntnb.exe25⤵
- Executes dropped EXE
PID:568 -
\??\c:\vpjjp.exec:\vpjjp.exe26⤵
- Executes dropped EXE
PID:2732 -
\??\c:\5xxfxfr.exec:\5xxfxfr.exe27⤵
- Executes dropped EXE
PID:2944 -
\??\c:\rlxrlrl.exec:\rlxrlrl.exe28⤵
- Executes dropped EXE
PID:564 -
\??\c:\hhhbbb.exec:\hhhbbb.exe29⤵
- Executes dropped EXE
PID:2084 -
\??\c:\vddpj.exec:\vddpj.exe30⤵
- Executes dropped EXE
PID:2176 -
\??\c:\rrfrrff.exec:\rrfrrff.exe31⤵
- Executes dropped EXE
PID:548 -
\??\c:\tttnbh.exec:\tttnbh.exe32⤵
- Executes dropped EXE
PID:2796 -
\??\c:\bhtnnb.exec:\bhtnnb.exe33⤵
- Executes dropped EXE
PID:2684 -
\??\c:\vpdjd.exec:\vpdjd.exe34⤵
- Executes dropped EXE
PID:2712 -
\??\c:\rrrfffr.exec:\rrrfffr.exe35⤵
- Executes dropped EXE
PID:2760 -
\??\c:\lrxxlxx.exec:\lrxxlxx.exe36⤵
- Executes dropped EXE
PID:1688 -
\??\c:\bbtbnn.exec:\bbtbnn.exe37⤵
- Executes dropped EXE
PID:2572 -
\??\c:\bthtnb.exec:\bthtnb.exe38⤵
- Executes dropped EXE
PID:2884 -
\??\c:\jjjdj.exec:\jjjdj.exe39⤵
- Executes dropped EXE
PID:2672 -
\??\c:\xrffxfx.exec:\xrffxfx.exe40⤵
- Executes dropped EXE
PID:2624 -
\??\c:\xrxllxl.exec:\xrxllxl.exe41⤵
- Executes dropped EXE
PID:3020 -
\??\c:\5bhntb.exec:\5bhntb.exe42⤵
- Executes dropped EXE
PID:2872 -
\??\c:\jdjdj.exec:\jdjdj.exe43⤵
- Executes dropped EXE
PID:1080 -
\??\c:\1jvvj.exec:\1jvvj.exe44⤵
- Executes dropped EXE
PID:2288 -
\??\c:\rlxrlrf.exec:\rlxrlrf.exe45⤵
- Executes dropped EXE
PID:2408 -
\??\c:\xxxrlrl.exec:\xxxrlrl.exe46⤵
- Executes dropped EXE
PID:1308 -
\??\c:\nhbhhb.exec:\nhbhhb.exe47⤵
- Executes dropped EXE
PID:1564 -
\??\c:\jjjpd.exec:\jjjpd.exe48⤵
- Executes dropped EXE
PID:1704 -
\??\c:\jjdjv.exec:\jjdjv.exe49⤵
- Executes dropped EXE
PID:2440 -
\??\c:\lllxrxl.exec:\lllxrxl.exe50⤵
- Executes dropped EXE
PID:1760 -
\??\c:\ffxrxfr.exec:\ffxrxfr.exe51⤵
- Executes dropped EXE
PID:592 -
\??\c:\nhbhnt.exec:\nhbhnt.exe52⤵
- Executes dropped EXE
PID:2844 -
\??\c:\hbtbhn.exec:\hbtbhn.exe53⤵
- Executes dropped EXE
PID:2044 -
\??\c:\vpdpv.exec:\vpdpv.exe54⤵
- Executes dropped EXE
PID:2524 -
\??\c:\5rrxlrf.exec:\5rrxlrf.exe55⤵
- Executes dropped EXE
PID:2404 -
\??\c:\xrlxfrf.exec:\xrlxfrf.exe56⤵
- Executes dropped EXE
PID:2392 -
\??\c:\hbthnb.exec:\hbthnb.exe57⤵
- Executes dropped EXE
PID:2220 -
\??\c:\bbbntb.exec:\bbbntb.exe58⤵
- Executes dropped EXE
PID:1820 -
\??\c:\jjvpv.exec:\jjvpv.exe59⤵
- Executes dropped EXE
PID:700 -
\??\c:\9lrfxlf.exec:\9lrfxlf.exe60⤵
- Executes dropped EXE
PID:1880 -
\??\c:\llrlrff.exec:\llrlrff.exe61⤵
- Executes dropped EXE
PID:236 -
\??\c:\tnnbbn.exec:\tnnbbn.exe62⤵
- Executes dropped EXE
PID:2284 -
\??\c:\bbnbbn.exec:\bbnbbn.exe63⤵
- Executes dropped EXE
PID:1400 -
\??\c:\pppjj.exec:\pppjj.exe64⤵
- Executes dropped EXE
PID:1048 -
\??\c:\xrflxfx.exec:\xrflxfx.exe65⤵
- Executes dropped EXE
PID:1216 -
\??\c:\rlxfrxf.exec:\rlxfrxf.exe66⤵PID:3024
-
\??\c:\7nbbtb.exec:\7nbbtb.exe67⤵PID:2448
-
\??\c:\ththnt.exec:\ththnt.exe68⤵PID:672
-
\??\c:\jpvpp.exec:\jpvpp.exe69⤵PID:2388
-
\??\c:\1ppvv.exec:\1ppvv.exe70⤵PID:1860
-
\??\c:\xrrfxlx.exec:\xrrfxlx.exe71⤵PID:776
-
\??\c:\7lxrlff.exec:\7lxrlff.exe72⤵PID:2112
-
\??\c:\tnhthn.exec:\tnhthn.exe73⤵PID:2668
-
\??\c:\jjvjd.exec:\jjvjd.exe74⤵PID:1336
-
\??\c:\dvddp.exec:\dvddp.exe75⤵PID:1584
-
\??\c:\frxlffr.exec:\frxlffr.exe76⤵PID:2716
-
\??\c:\bbbhbn.exec:\bbbhbn.exe77⤵PID:2664
-
\??\c:\bbhhnh.exec:\bbhhnh.exe78⤵PID:2588
-
\??\c:\ddpvv.exec:\ddpvv.exe79⤵PID:2604
-
\??\c:\djvjd.exec:\djvjd.exe80⤵PID:1640
-
\??\c:\7frxrlf.exec:\7frxrlf.exe81⤵PID:2560
-
\??\c:\7ttbbb.exec:\7ttbbb.exe82⤵PID:2584
-
\??\c:\3nthth.exec:\3nthth.exe83⤵PID:2152
-
\??\c:\djjpp.exec:\djjpp.exe84⤵PID:2644
-
\??\c:\rlfxfxx.exec:\rlfxfxx.exe85⤵PID:2532
-
\??\c:\ntbthh.exec:\ntbthh.exe86⤵PID:912
-
\??\c:\1hbnbt.exec:\1hbnbt.exe87⤵PID:1500
-
\??\c:\dpppd.exec:\dpppd.exe88⤵PID:1680
-
\??\c:\fxxllxf.exec:\fxxllxf.exe89⤵PID:2752
-
\??\c:\rxrfrrl.exec:\rxrfrrl.exe90⤵PID:2852
-
\??\c:\nnthtb.exec:\nnthtb.exe91⤵PID:1072
-
\??\c:\hbntnt.exec:\hbntnt.exe92⤵PID:2756
-
\??\c:\jdjvj.exec:\jdjvj.exe93⤵PID:2196
-
\??\c:\llxllff.exec:\llxllff.exe94⤵PID:1040
-
\??\c:\lxlxfrx.exec:\lxlxfrx.exe95⤵PID:2052
-
\??\c:\7nthbn.exec:\7nthbn.exe96⤵PID:2424
-
\??\c:\dvvjd.exec:\dvvjd.exe97⤵PID:2968
-
\??\c:\1vpdp.exec:\1vpdp.exe98⤵PID:1708
-
\??\c:\ffrlxrr.exec:\ffrlxrr.exe99⤵PID:1140
-
\??\c:\ttnbnn.exec:\ttnbnn.exe100⤵PID:1296
-
\??\c:\thtthh.exec:\thtthh.exe101⤵PID:1612
-
\??\c:\vjdvv.exec:\vjdvv.exe102⤵PID:2432
-
\??\c:\vpdjd.exec:\vpdjd.exe103⤵PID:568
-
\??\c:\rlfrlfr.exec:\rlfrlfr.exe104⤵PID:2732
-
\??\c:\llrfrxf.exec:\llrfrxf.exe105⤵PID:556
-
\??\c:\nnntnt.exec:\nnntnt.exe106⤵PID:564
-
\??\c:\9djdv.exec:\9djdv.exe107⤵PID:1016
-
\??\c:\jjddj.exec:\jjddj.exe108⤵PID:2436
-
\??\c:\rllllrf.exec:\rllllrf.exe109⤵PID:2176
-
\??\c:\5rllflx.exec:\5rllflx.exe110⤵PID:2412
-
\??\c:\tnbbhn.exec:\tnbbhn.exe111⤵PID:2656
-
\??\c:\bnnhnn.exec:\bnnhnn.exe112⤵PID:2796
-
\??\c:\pjdpd.exec:\pjdpd.exe113⤵PID:2684
-
\??\c:\lfrrffr.exec:\lfrrffr.exe114⤵PID:2108
-
\??\c:\xxffrfr.exec:\xxffrfr.exe115⤵PID:2876
-
\??\c:\9nhhtt.exec:\9nhhtt.exe116⤵PID:1688
-
\??\c:\1bbnhn.exec:\1bbnhn.exe117⤵PID:2768
-
\??\c:\jjpdp.exec:\jjpdp.exe118⤵PID:2884
-
\??\c:\pvppp.exec:\pvppp.exe119⤵PID:1516
-
\??\c:\1xrfrxf.exec:\1xrfrxf.exe120⤵PID:2012
-
\??\c:\pvvpd.exec:\pvvpd.exe121⤵PID:2976
-
\??\c:\jppjv.exec:\jppjv.exe122⤵PID:2872
-