Analysis
-
max time kernel
120s -
max time network
17s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
25/11/2024, 21:28
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
a44d75b276c38affb0ccb0edce2a11284731484b3c9cf2c732291b4b670046e3.exe
Resource
win7-20240903-en
7 signatures
120 seconds
General
-
Target
a44d75b276c38affb0ccb0edce2a11284731484b3c9cf2c732291b4b670046e3.exe
-
Size
120KB
-
MD5
b320df553dda4158c19fab252d462f02
-
SHA1
7913a626fb7f7a72ad664a61cae7646885c1eaba
-
SHA256
a44d75b276c38affb0ccb0edce2a11284731484b3c9cf2c732291b4b670046e3
-
SHA512
e90b2737b70cbefc6a79037c3fc00474c62453f37b67d4b802b16cb5119273252c1a5b294943f5e2ee7a87d4ef8baeb58787b745cd7547ccaa5ce5f6cd330b13
-
SSDEEP
3072:ymb3NkkiQ3mdBjFWXkj7afoHvmQ+EZMYX8XFE:n3C9BRW0j/uVEZFN
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 24 IoCs
resource yara_rule behavioral1/memory/2104-4-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2096-14-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/3028-24-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/3028-30-0x0000000000401000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2228-35-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2308-45-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2804-64-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2384-92-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2248-88-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2660-108-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/1256-126-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/1852-144-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2524-152-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2140-162-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/1028-170-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/1684-188-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/1272-180-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/696-234-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2016-251-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/1616-260-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/904-278-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon 
behavioral1/memory/1532-269-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2068-296-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/3028-2121-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2096 vpjjj.exe 3028 llfrfrf.exe 2228 xllrflx.exe 2308 nnnbtt.exe 2804 5dpdj.exe 2864 rfxxlxr.exe 2248 hbtbht.exe 2384 ddvdd.exe 2660 ffxlxxl.exe 292 ttnnbh.exe 1256 bhtthn.exe 1936 7dvdj.exe 1852 rlllrfx.exe 2524 lffrlrr.exe 2140 nbttnn.exe 1028 dvvjv.exe 1272 fxfrxxr.exe 1684 3rrrxxf.exe 2440 btnbnt.exe 2664 vvjvp.exe 880 ppdjp.exe 2580 ffxlxfr.exe 696 bbbhtt.exe 1348 hbnntb.exe 2016 jjddj.exe 1616 7djdd.exe 1532 ffflfrl.exe 904 tntbnt.exe 2164 hbnbnt.exe 2068 pjjjv.exe 2988 rrlffll.exe 3040 ffllrlf.exe 2108 thbtbt.exe 2700 1bbhtt.exe 2816 jdvdp.exe 2204 ddjpd.exe 2748 frflrxf.exe 2788 xrlrxfl.exe 2932 lxfllff.exe 2732 9hbhtt.exe 2644 nthhhb.exe 2276 vpddd.exe 3024 rfllrlx.exe 3020 xxlfxfr.exe 1712 3tbtth.exe 1996 hbttbb.exe 2520 htbthb.exe 1992 jdvpd.exe 1504 jddjv.exe 2500 5xxlxfr.exe 760 llrxlll.exe 1184 3bnttt.exe 1748 thhhhb.exe 2584 9jdjj.exe 1312 xxxlfll.exe 2480 thnhnn.exe 880 5bhnnh.exe 300 5tbbtt.exe 1848 7vddd.exe 2464 jjjpj.exe 2960 xrffrxf.exe 272 9fxrfxf.exe 872 thtthn.exe 1492 9thhhb.exe -
resource yara_rule behavioral1/memory/2104-4-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2096-14-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/3028-24-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2228-35-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2308-45-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2804-56-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2804-54-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2864-68-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2864-66-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2804-64-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2248-79-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2248-78-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2248-77-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2384-92-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2384-91-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2248-88-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2660-108-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1256-126-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1852-144-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2524-152-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2140-162-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1028-170-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1684-188-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1272-180-0x0000000000400000-0x0000000000429000-memory.dmp upx 
behavioral1/memory/696-234-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2016-251-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1616-260-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/904-278-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1532-269-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2068-296-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/3028-2121-0x0000000000400000-0x0000000000429000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjvpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddpdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9bntnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9ntthb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppjpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfxxlxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppjpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ntbbbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9pjdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfrxflr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1jjvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjpjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrffllx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvjdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2104 wrote to memory of 2096 2104 a44d75b276c38affb0ccb0edce2a11284731484b3c9cf2c732291b4b670046e3.exe 30 PID 2104 wrote to memory of 2096 2104 a44d75b276c38affb0ccb0edce2a11284731484b3c9cf2c732291b4b670046e3.exe 30 PID 2104 wrote to memory of 2096 2104 a44d75b276c38affb0ccb0edce2a11284731484b3c9cf2c732291b4b670046e3.exe 30 PID 2104 wrote to memory of 2096 2104 a44d75b276c38affb0ccb0edce2a11284731484b3c9cf2c732291b4b670046e3.exe 30 PID 2096 wrote to memory of 3028 2096 vpjjj.exe 31 PID 2096 wrote to memory of 3028 2096 vpjjj.exe 31 PID 2096 wrote to memory of 3028 2096 vpjjj.exe 31 PID 2096 wrote to memory of 3028 2096 vpjjj.exe 31 PID 3028 wrote to memory of 2228 3028 llfrfrf.exe 32 PID 3028 wrote to memory of 2228 3028 llfrfrf.exe 32 PID 3028 wrote to memory of 2228 3028 llfrfrf.exe 32 PID 3028 wrote to memory of 2228 3028 llfrfrf.exe 32 PID 2228 wrote to memory of 2308 2228 xllrflx.exe 33 PID 2228 wrote to memory of 2308 2228 xllrflx.exe 33 PID 2228 wrote to memory of 2308 2228 xllrflx.exe 33 PID 2228 wrote to memory of 2308 2228 xllrflx.exe 33 PID 2308 wrote to memory of 2804 2308 nnnbtt.exe 34 PID 2308 wrote to memory of 2804 2308 nnnbtt.exe 34 PID 2308 wrote to memory of 2804 2308 nnnbtt.exe 34 PID 2308 wrote to memory of 2804 2308 nnnbtt.exe 34 PID 2804 wrote to memory of 2864 2804 5dpdj.exe 35 PID 2804 wrote to memory of 2864 2804 5dpdj.exe 35 PID 2804 wrote to memory of 2864 2804 5dpdj.exe 35 PID 2804 wrote to memory of 2864 2804 5dpdj.exe 35 PID 2864 wrote to memory of 2248 2864 rfxxlxr.exe 36 PID 2864 wrote to memory of 2248 2864 rfxxlxr.exe 36 PID 2864 wrote to memory of 2248 2864 rfxxlxr.exe 36 PID 2864 wrote to memory of 2248 2864 rfxxlxr.exe 36 PID 2248 wrote to memory of 2384 2248 hbtbht.exe 37 PID 2248 wrote to memory of 2384 2248 hbtbht.exe 37 PID 2248 wrote to memory of 2384 2248 hbtbht.exe 37 PID 2248 wrote to memory of 2384 2248 hbtbht.exe 37 PID 2384 wrote to memory of 2660 2384 ddvdd.exe 38 PID 2384 
wrote to memory of 2660 2384 ddvdd.exe 38 PID 2384 wrote to memory of 2660 2384 ddvdd.exe 38 PID 2384 wrote to memory of 2660 2384 ddvdd.exe 38 PID 2660 wrote to memory of 292 2660 ffxlxxl.exe 39 PID 2660 wrote to memory of 292 2660 ffxlxxl.exe 39 PID 2660 wrote to memory of 292 2660 ffxlxxl.exe 39 PID 2660 wrote to memory of 292 2660 ffxlxxl.exe 39 PID 292 wrote to memory of 1256 292 ttnnbh.exe 40 PID 292 wrote to memory of 1256 292 ttnnbh.exe 40 PID 292 wrote to memory of 1256 292 ttnnbh.exe 40 PID 292 wrote to memory of 1256 292 ttnnbh.exe 40 PID 1256 wrote to memory of 1936 1256 bhtthn.exe 41 PID 1256 wrote to memory of 1936 1256 bhtthn.exe 41 PID 1256 wrote to memory of 1936 1256 bhtthn.exe 41 PID 1256 wrote to memory of 1936 1256 bhtthn.exe 41 PID 1936 wrote to memory of 1852 1936 7dvdj.exe 42 PID 1936 wrote to memory of 1852 1936 7dvdj.exe 42 PID 1936 wrote to memory of 1852 1936 7dvdj.exe 42 PID 1936 wrote to memory of 1852 1936 7dvdj.exe 42 PID 1852 wrote to memory of 2524 1852 rlllrfx.exe 43 PID 1852 wrote to memory of 2524 1852 rlllrfx.exe 43 PID 1852 wrote to memory of 2524 1852 rlllrfx.exe 43 PID 1852 wrote to memory of 2524 1852 rlllrfx.exe 43 PID 2524 wrote to memory of 2140 2524 lffrlrr.exe 44 PID 2524 wrote to memory of 2140 2524 lffrlrr.exe 44 PID 2524 wrote to memory of 2140 2524 lffrlrr.exe 44 PID 2524 wrote to memory of 2140 2524 lffrlrr.exe 44 PID 2140 wrote to memory of 1028 2140 nbttnn.exe 45 PID 2140 wrote to memory of 1028 2140 nbttnn.exe 45 PID 2140 wrote to memory of 1028 2140 nbttnn.exe 45 PID 2140 wrote to memory of 1028 2140 nbttnn.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\a44d75b276c38affb0ccb0edce2a11284731484b3c9cf2c732291b4b670046e3.exe"C:\Users\Admin\AppData\Local\Temp\a44d75b276c38affb0ccb0edce2a11284731484b3c9cf2c732291b4b670046e3.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2104 -
\??\c:\vpjjj.exec:\vpjjj.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2096 -
\??\c:\llfrfrf.exec:\llfrfrf.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3028 -
\??\c:\xllrflx.exec:\xllrflx.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2228 -
\??\c:\nnnbtt.exec:\nnnbtt.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2308 -
\??\c:\5dpdj.exec:\5dpdj.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2804 -
\??\c:\rfxxlxr.exec:\rfxxlxr.exe7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2864 -
\??\c:\hbtbht.exec:\hbtbht.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2248 -
\??\c:\ddvdd.exec:\ddvdd.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2384 -
\??\c:\ffxlxxl.exec:\ffxlxxl.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2660 -
\??\c:\ttnnbh.exec:\ttnnbh.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:292 -
\??\c:\bhtthn.exec:\bhtthn.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1256 -
\??\c:\7dvdj.exec:\7dvdj.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1936 -
\??\c:\rlllrfx.exec:\rlllrfx.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1852 -
\??\c:\lffrlrr.exec:\lffrlrr.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2524 -
\??\c:\nbttnn.exec:\nbttnn.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2140 -
\??\c:\dvvjv.exec:\dvvjv.exe17⤵
- Executes dropped EXE
PID:1028 -
\??\c:\fxfrxxr.exec:\fxfrxxr.exe18⤵
- Executes dropped EXE
PID:1272 -
\??\c:\3rrrxxf.exec:\3rrrxxf.exe19⤵
- Executes dropped EXE
PID:1684 -
\??\c:\btnbnt.exec:\btnbnt.exe20⤵
- Executes dropped EXE
PID:2440 -
\??\c:\vvjvp.exec:\vvjvp.exe21⤵
- Executes dropped EXE
PID:2664 -
\??\c:\ppdjp.exec:\ppdjp.exe22⤵
- Executes dropped EXE
PID:880 -
\??\c:\ffxlxfr.exec:\ffxlxfr.exe23⤵
- Executes dropped EXE
PID:2580 -
\??\c:\bbbhtt.exec:\bbbhtt.exe24⤵
- Executes dropped EXE
PID:696 -
\??\c:\hbnntb.exec:\hbnntb.exe25⤵
- Executes dropped EXE
PID:1348 -
\??\c:\jjddj.exec:\jjddj.exe26⤵
- Executes dropped EXE
PID:2016 -
\??\c:\7djdd.exec:\7djdd.exe27⤵
- Executes dropped EXE
PID:1616 -
\??\c:\ffflfrl.exec:\ffflfrl.exe28⤵
- Executes dropped EXE
PID:1532 -
\??\c:\tntbnt.exec:\tntbnt.exe29⤵
- Executes dropped EXE
PID:904 -
\??\c:\hbnbnt.exec:\hbnbnt.exe30⤵
- Executes dropped EXE
PID:2164 -
\??\c:\pjjjv.exec:\pjjjv.exe31⤵
- Executes dropped EXE
PID:2068 -
\??\c:\rrlffll.exec:\rrlffll.exe32⤵
- Executes dropped EXE
PID:2988 -
\??\c:\ffllrlf.exec:\ffllrlf.exe33⤵
- Executes dropped EXE
PID:3040 -
\??\c:\thbtbt.exec:\thbtbt.exe34⤵
- Executes dropped EXE
PID:2108 -
\??\c:\1bbhtt.exec:\1bbhtt.exe35⤵
- Executes dropped EXE
PID:2700 -
\??\c:\jdvdp.exec:\jdvdp.exe36⤵
- Executes dropped EXE
PID:2816 -
\??\c:\ddjpd.exec:\ddjpd.exe37⤵
- Executes dropped EXE
PID:2204 -
\??\c:\frflrxf.exec:\frflrxf.exe38⤵
- Executes dropped EXE
PID:2748 -
\??\c:\xrlrxfl.exec:\xrlrxfl.exe39⤵
- Executes dropped EXE
PID:2788 -
\??\c:\lxfllff.exec:\lxfllff.exe40⤵
- Executes dropped EXE
PID:2932 -
\??\c:\9hbhtt.exec:\9hbhtt.exe41⤵
- Executes dropped EXE
PID:2732 -
\??\c:\nthhhb.exec:\nthhhb.exe42⤵
- Executes dropped EXE
PID:2644 -
\??\c:\vpddd.exec:\vpddd.exe43⤵
- Executes dropped EXE
PID:2276 -
\??\c:\rfllrlx.exec:\rfllrlx.exe44⤵
- Executes dropped EXE
PID:3024 -
\??\c:\xxlfxfr.exec:\xxlfxfr.exe45⤵
- Executes dropped EXE
PID:3020 -
\??\c:\3tbtth.exec:\3tbtth.exe46⤵
- Executes dropped EXE
PID:1712 -
\??\c:\hbttbb.exec:\hbttbb.exe47⤵
- Executes dropped EXE
PID:1996 -
\??\c:\htbthb.exec:\htbthb.exe48⤵
- Executes dropped EXE
PID:2520 -
\??\c:\jdvpd.exec:\jdvpd.exe49⤵
- Executes dropped EXE
PID:1992 -
\??\c:\jddjv.exec:\jddjv.exe50⤵
- Executes dropped EXE
PID:1504 -
\??\c:\5xxlxfr.exec:\5xxlxfr.exe51⤵
- Executes dropped EXE
PID:2500 -
\??\c:\llrxlll.exec:\llrxlll.exe52⤵
- Executes dropped EXE
PID:760 -
\??\c:\3bnttt.exec:\3bnttt.exe53⤵
- Executes dropped EXE
PID:1184 -
\??\c:\thhhhb.exec:\thhhhb.exe54⤵
- Executes dropped EXE
PID:1748 -
\??\c:\9jdjj.exec:\9jdjj.exe55⤵
- Executes dropped EXE
PID:2584 -
\??\c:\xxxlfll.exec:\xxxlfll.exe56⤵
- Executes dropped EXE
PID:1312 -
\??\c:\thnhnn.exec:\thnhnn.exe57⤵
- Executes dropped EXE
PID:2480 -
\??\c:\5bhnnh.exec:\5bhnnh.exe58⤵
- Executes dropped EXE
PID:880 -
\??\c:\5tbbtt.exec:\5tbbtt.exe59⤵
- Executes dropped EXE
PID:300 -
\??\c:\7vddd.exec:\7vddd.exe60⤵
- Executes dropped EXE
PID:1848 -
\??\c:\jjjpj.exec:\jjjpj.exe61⤵
- Executes dropped EXE
PID:2464 -
\??\c:\xrffrxf.exec:\xrffrxf.exe62⤵
- Executes dropped EXE
PID:2960 -
\??\c:\9fxrfxf.exec:\9fxrfxf.exe63⤵
- Executes dropped EXE
PID:272 -
\??\c:\thtthn.exec:\thtthn.exe64⤵
- Executes dropped EXE
PID:872 -
\??\c:\9thhhb.exec:\9thhhb.exe65⤵
- Executes dropped EXE
PID:1492 -
\??\c:\7ddvj.exec:\7ddvj.exe66⤵PID:2972
-
\??\c:\7jvvd.exec:\7jvvd.exe67⤵PID:1588
-
\??\c:\xrxrrlr.exec:\xrxrrlr.exe68⤵PID:1592
-
\??\c:\xrlxrlf.exec:\xrlxrlf.exe69⤵PID:2340
-
\??\c:\htbhhh.exec:\htbhhh.exe70⤵PID:2924
-
\??\c:\bhnbbt.exec:\bhnbbt.exe71⤵PID:2148
-
\??\c:\jdppp.exec:\jdppp.exe72⤵PID:1280
-
\??\c:\5vppp.exec:\5vppp.exe73⤵PID:2808
-
\??\c:\dvpvv.exec:\dvpvv.exe74⤵PID:2796
-
\??\c:\5lrrrff.exec:\5lrrrff.exe75⤵PID:2800
-
\??\c:\1xlfflr.exec:\1xlfflr.exe76⤵PID:2856
-
\??\c:\thttbh.exec:\thttbh.exe77⤵PID:2792
-
\??\c:\nhtbnn.exec:\nhtbnn.exe78⤵PID:2548
-
\??\c:\htbhbh.exec:\htbhbh.exe79⤵PID:2716
-
\??\c:\pjvpp.exec:\pjvpp.exe80⤵PID:2600
-
\??\c:\7pdjp.exec:\7pdjp.exe81⤵PID:1704
-
\??\c:\7xlrrlr.exec:\7xlrrlr.exe82⤵PID:1244
-
\??\c:\fxxxlrl.exec:\fxxxlrl.exe83⤵PID:1256
-
\??\c:\thnhtn.exec:\thnhtn.exe84⤵PID:1936
-
\??\c:\1thtbh.exec:\1thtbh.exe85⤵PID:1724
-
\??\c:\7pddj.exec:\7pddj.exe86⤵PID:908
-
\??\c:\pdppp.exec:\pdppp.exe87⤵PID:2128
-
\??\c:\vpdjp.exec:\vpdjp.exe88⤵PID:1520
-
\??\c:\3lxlrlr.exec:\3lxlrlr.exe89⤵PID:832
-
\??\c:\frflrrr.exec:\frflrrr.exe90⤵PID:2636
-
\??\c:\7nbnnt.exec:\7nbnnt.exe91⤵PID:2436
-
\??\c:\ntbbhh.exec:\ntbbhh.exe92⤵PID:1148
-
\??\c:\dpvpv.exec:\dpvpv.exe93⤵PID:1760
-
\??\c:\1rxxxxf.exec:\1rxxxxf.exe94⤵PID:2664
-
\??\c:\flxxfxx.exec:\flxxfxx.exe95⤵PID:2432
-
\??\c:\5rlffff.exec:\5rlffff.exe96⤵PID:1716
-
\??\c:\5thhnh.exec:\5thhnh.exe97⤵PID:696
-
\??\c:\9dvvp.exec:\9dvvp.exe98⤵PID:2144
-
\??\c:\vjjdd.exec:\vjjdd.exe99⤵PID:2012
-
\??\c:\dppvv.exec:\dppvv.exe100⤵PID:2016
-
\??\c:\xlllllr.exec:\xlllllr.exe101⤵PID:2572
-
\??\c:\1bttbh.exec:\1bttbh.exe102⤵PID:1376
-
\??\c:\nbbhbb.exec:\nbbhbb.exe103⤵PID:1496
-
\??\c:\pjpdj.exec:\pjpdj.exe104⤵PID:2448
-
\??\c:\3pdvd.exec:\3pdvd.exe105⤵PID:2928
-
\??\c:\xrffllr.exec:\xrffllr.exe106⤵PID:1784
-
\??\c:\7fxfrrx.exec:\7fxfrrx.exe107⤵PID:2976
-
\??\c:\ttnbnb.exec:\ttnbnb.exe108⤵PID:2780
-
\??\c:\nbbbhh.exec:\nbbbhh.exe109⤵PID:3032
-
\??\c:\djdvd.exec:\djdvd.exe110⤵PID:3060
-
\??\c:\flxfrxx.exec:\flxfrxx.exe111⤵PID:2744
-
\??\c:\xxrlrxr.exec:\xxrlrxr.exe112⤵PID:2604
-
\??\c:\1ntnnn.exec:\1ntnnn.exe113⤵PID:2864
-
\??\c:\5hbhbt.exec:\5hbhbt.exe114⤵PID:2888
-
\??\c:\vdvvv.exec:\vdvvv.exe115⤵PID:2248
-
\??\c:\jdvdj.exec:\jdvdj.exe116⤵PID:2932
-
\??\c:\rfrxrrr.exec:\rfrxrrr.exe117⤵PID:2868
-
\??\c:\9xrrxxf.exec:\9xrrxxf.exe118⤵PID:2660
-
\??\c:\nbthtn.exec:\nbthtn.exe119⤵PID:2344
-
\??\c:\9vvpv.exec:\9vvpv.exe120⤵PID:3020
-
\??\c:\9jvjd.exec:\9jvjd.exe121⤵PID:1772
-
\??\c:\9xlrxxl.exec:\9xlrxxl.exe122⤵PID:2120
-