Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
11-10-2024 21:11
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
451e330c80f7784cb9c980c089252bf454e97bf29432caf7419971cefc44d38a.exe
Resource
win7-20240903-en
windows7-x64
6 signatures
150 seconds
General
-
Target
451e330c80f7784cb9c980c089252bf454e97bf29432caf7419971cefc44d38a.exe
-
Size
71KB
-
MD5
6d4c6b2b189aa2bae17b60322901f153
-
SHA1
6978b0f8f3630a6ffa21c075f280086d0286d356
-
SHA256
451e330c80f7784cb9c980c089252bf454e97bf29432caf7419971cefc44d38a
-
SHA512
c5182059b9e8e21a61058775f70e752e3444fe87abac9c77ef1668b91ded616cf74f34c3a2ad2b35a7c1c2ae4ecbd926d8310e0bad94365f5b1b87264f5388be
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDIb0z6MTSqfjF:ymb3NkkiQ3mdBjFI4VV
Malware Config
Signatures
-
Detect Blackmoon payload 23 IoCs
resource yara_rule behavioral2/memory/3868-4-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3868-7-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3968-13-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1036-20-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4668-27-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4204-34-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2864-41-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2484-49-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1836-76-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2804-67-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/60-62-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3088-86-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4532-90-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1300-97-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1724-103-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2628-109-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/5040-128-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3472-135-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4920-142-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/216-157-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4748-163-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon 
behavioral2/memory/2728-181-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2940-187-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 3968 286606.exe 1036 5lxffrl.exe 4668 rrxrrrr.exe 4204 824402.exe 2864 8248800.exe 2484 0404882.exe 2212 4260044.exe 60 pjppv.exe 2804 824826.exe 1836 8426688.exe 3088 nnnbnb.exe 4532 frxxxrx.exe 1300 7nhbbb.exe 1724 68266.exe 2628 vvpvv.exe 2368 hbthbb.exe 3780 208008.exe 5040 xxxxrff.exe 3472 w22260.exe 4920 q46600.exe 3620 0644282.exe 4348 680000.exe 216 3lllxxx.exe 4748 nnbtbb.exe 2080 3ddvp.exe 1832 hbhbnn.exe 2728 frrxffr.exe 2940 0866004.exe 3428 040044.exe 4304 5fxlxff.exe 4396 1xxxxrr.exe 1112 fflllxx.exe 4616 062266.exe 4996 u626000.exe 4544 8066222.exe 4132 68060.exe 1136 xfrlffx.exe 4276 vpvjd.exe 1796 dpjpj.exe 3968 66080.exe 552 g8882.exe 4024 0040666.exe 900 e84448.exe 3476 s0600.exe 1316 88064.exe 432 thttnt.exe 2356 frfxxff.exe 4884 6008282.exe 3988 nbhnhh.exe 2288 xxxxrrf.exe 2224 284040.exe 3128 6022666.exe 4264 3djjj.exe 2616 djdpd.exe 3088 5lxxxfx.exe 2412 rlllfff.exe 700 40864.exe 2072 8484042.exe 4372 406248.exe 4272 bnttht.exe 2512 m8484.exe 916 rxxxlll.exe 2424 bthnhh.exe 1692 nhhhbb.exe -
resource yara_rule behavioral2/memory/3868-4-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3868-7-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3968-13-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3968-12-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3968-10-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1036-20-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4668-27-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4204-34-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2864-41-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4204-33-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2484-49-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1836-76-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2804-67-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/60-62-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3088-86-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4532-90-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1300-97-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1724-103-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2628-109-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/5040-128-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3472-135-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4920-142-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/216-157-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4748-163-0x0000000000400000-0x0000000000429000-memory.dmp upx 
behavioral2/memory/2728-181-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2940-187-0x0000000000400000-0x0000000000429000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language k84260.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpjdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbbtnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdvvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 82266.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhhhhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fffffff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nntntn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language w00084.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1llxrlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found 
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8660260.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrrlxlr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxllxrr.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 68266.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 44226.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 204644.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrxxxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxllllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3868 wrote to memory of 3968 3868 451e330c80f7784cb9c980c089252bf454e97bf29432caf7419971cefc44d38a.exe 83 PID 3868 wrote to memory of 3968 3868 451e330c80f7784cb9c980c089252bf454e97bf29432caf7419971cefc44d38a.exe 83 PID 3868 wrote to memory of 3968 3868 451e330c80f7784cb9c980c089252bf454e97bf29432caf7419971cefc44d38a.exe 83 PID 3968 wrote to memory of 1036 3968 286606.exe 85 PID 3968 wrote to memory of 1036 3968 286606.exe 85 PID 3968 wrote to memory of 1036 3968 286606.exe 85 PID 1036 wrote to memory of 4668 1036 5lxffrl.exe 87 PID 1036 wrote to memory of 4668 1036 5lxffrl.exe 87 PID 1036 wrote to memory of 4668 1036 5lxffrl.exe 87 PID 4668 wrote to memory of 4204 4668 rrxrrrr.exe 88 PID 4668 wrote to memory of 4204 4668 rrxrrrr.exe 88 PID 4668 wrote to memory of 4204 4668 rrxrrrr.exe 88 PID 4204 wrote to memory of 2864 4204 824402.exe 89 PID 4204 wrote to memory of 2864 4204 824402.exe 89 PID 4204 wrote to memory of 2864 4204 824402.exe 89 PID 2864 wrote to memory of 2484 2864 8248800.exe 90 PID 2864 wrote to memory of 2484 2864 8248800.exe 90 PID 2864 wrote to memory of 2484 2864 8248800.exe 90 PID 2484 wrote to memory of 2212 2484 0404882.exe 91 PID 2484 wrote to memory of 2212 2484 0404882.exe 91 PID 2484 wrote to memory of 2212 2484 0404882.exe 91 PID 2212 wrote to memory of 60 2212 4260044.exe 93 PID 2212 wrote to memory of 60 2212 4260044.exe 93 PID 2212 wrote to memory of 60 2212 4260044.exe 93 PID 60 wrote to memory of 2804 60 pjppv.exe 94 PID 60 wrote to memory of 2804 60 pjppv.exe 94 PID 60 wrote to memory of 2804 60 pjppv.exe 94 PID 2804 wrote to memory of 1836 2804 824826.exe 95 PID 2804 wrote to memory of 1836 2804 824826.exe 95 PID 2804 wrote to memory of 1836 2804 824826.exe 95 PID 1836 wrote to memory of 3088 1836 8426688.exe 96 PID 1836 wrote to memory of 3088 1836 8426688.exe 96 PID 1836 wrote to memory of 3088 1836 8426688.exe 96 PID 3088 wrote to memory of 4532 3088 nnnbnb.exe 97 PID 3088 wrote to 
memory of 4532 3088 nnnbnb.exe 97 PID 3088 wrote to memory of 4532 3088 nnnbnb.exe 97 PID 4532 wrote to memory of 1300 4532 frxxxrx.exe 98 PID 4532 wrote to memory of 1300 4532 frxxxrx.exe 98 PID 4532 wrote to memory of 1300 4532 frxxxrx.exe 98 PID 1300 wrote to memory of 1724 1300 7nhbbb.exe 99 PID 1300 wrote to memory of 1724 1300 7nhbbb.exe 99 PID 1300 wrote to memory of 1724 1300 7nhbbb.exe 99 PID 1724 wrote to memory of 2628 1724 68266.exe 100 PID 1724 wrote to memory of 2628 1724 68266.exe 100 PID 1724 wrote to memory of 2628 1724 68266.exe 100 PID 2628 wrote to memory of 2368 2628 vvpvv.exe 101 PID 2628 wrote to memory of 2368 2628 vvpvv.exe 101 PID 2628 wrote to memory of 2368 2628 vvpvv.exe 101 PID 2368 wrote to memory of 3780 2368 hbthbb.exe 102 PID 2368 wrote to memory of 3780 2368 hbthbb.exe 102 PID 2368 wrote to memory of 3780 2368 hbthbb.exe 102 PID 3780 wrote to memory of 5040 3780 208008.exe 103 PID 3780 wrote to memory of 5040 3780 208008.exe 103 PID 3780 wrote to memory of 5040 3780 208008.exe 103 PID 5040 wrote to memory of 3472 5040 xxxxrff.exe 104 PID 5040 wrote to memory of 3472 5040 xxxxrff.exe 104 PID 5040 wrote to memory of 3472 5040 xxxxrff.exe 104 PID 3472 wrote to memory of 4920 3472 w22260.exe 105 PID 3472 wrote to memory of 4920 3472 w22260.exe 105 PID 3472 wrote to memory of 4920 3472 w22260.exe 105 PID 4920 wrote to memory of 3620 4920 q46600.exe 106 PID 4920 wrote to memory of 3620 4920 q46600.exe 106 PID 4920 wrote to memory of 3620 4920 q46600.exe 106 PID 3620 wrote to memory of 4348 3620 0644282.exe 107
Processes
-
C:\Users\Admin\AppData\Local\Temp\451e330c80f7784cb9c980c089252bf454e97bf29432caf7419971cefc44d38a.exe"C:\Users\Admin\AppData\Local\Temp\451e330c80f7784cb9c980c089252bf454e97bf29432caf7419971cefc44d38a.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3868 -
\??\c:\286606.exec:\286606.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3968 -
\??\c:\5lxffrl.exec:\5lxffrl.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1036 -
\??\c:\rrxrrrr.exec:\rrxrrrr.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4668 -
\??\c:\824402.exec:\824402.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4204 -
\??\c:\8248800.exec:\8248800.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2864 -
\??\c:\0404882.exec:\0404882.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2484 -
\??\c:\4260044.exec:\4260044.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2212 -
\??\c:\pjppv.exec:\pjppv.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:60 -
\??\c:\824826.exec:\824826.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2804 -
\??\c:\8426688.exec:\8426688.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1836 -
\??\c:\nnnbnb.exec:\nnnbnb.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3088 -
\??\c:\frxxxrx.exec:\frxxxrx.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4532 -
\??\c:\7nhbbb.exec:\7nhbbb.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1300 -
\??\c:\68266.exec:\68266.exe15⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1724 -
\??\c:\vvpvv.exec:\vvpvv.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2628 -
\??\c:\hbthbb.exec:\hbthbb.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2368 -
\??\c:\208008.exec:\208008.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3780 -
\??\c:\xxxxrff.exec:\xxxxrff.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5040 -
\??\c:\w22260.exec:\w22260.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3472 -
\??\c:\q46600.exec:\q46600.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4920 -
\??\c:\0644282.exec:\0644282.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3620 -
\??\c:\680000.exec:\680000.exe23⤵
- Executes dropped EXE
PID:4348 -
\??\c:\3lllxxx.exec:\3lllxxx.exe24⤵
- Executes dropped EXE
PID:216 -
\??\c:\nnbtbb.exec:\nnbtbb.exe25⤵
- Executes dropped EXE
PID:4748 -
\??\c:\3ddvp.exec:\3ddvp.exe26⤵
- Executes dropped EXE
PID:2080 -
\??\c:\hbhbnn.exec:\hbhbnn.exe27⤵
- Executes dropped EXE
PID:1832 -
\??\c:\frrxffr.exec:\frrxffr.exe28⤵
- Executes dropped EXE
PID:2728 -
\??\c:\0866004.exec:\0866004.exe29⤵
- Executes dropped EXE
PID:2940 -
\??\c:\040044.exec:\040044.exe30⤵
- Executes dropped EXE
PID:3428 -
\??\c:\5fxlxff.exec:\5fxlxff.exe31⤵
- Executes dropped EXE
PID:4304 -
\??\c:\1xxxxrr.exec:\1xxxxrr.exe32⤵
- Executes dropped EXE
PID:4396 -
\??\c:\fflllxx.exec:\fflllxx.exe33⤵
- Executes dropped EXE
PID:1112 -
\??\c:\062266.exec:\062266.exe34⤵
- Executes dropped EXE
PID:4616 -
\??\c:\u626000.exec:\u626000.exe35⤵
- Executes dropped EXE
PID:4996 -
\??\c:\8066222.exec:\8066222.exe36⤵
- Executes dropped EXE
PID:4544 -
\??\c:\68060.exec:\68060.exe37⤵
- Executes dropped EXE
PID:4132 -
\??\c:\xfrlffx.exec:\xfrlffx.exe38⤵
- Executes dropped EXE
PID:1136 -
\??\c:\vpvjd.exec:\vpvjd.exe39⤵
- Executes dropped EXE
PID:4276 -
\??\c:\dpjpj.exec:\dpjpj.exe40⤵
- Executes dropped EXE
PID:1796 -
\??\c:\66080.exec:\66080.exe41⤵
- Executes dropped EXE
PID:3968 -
\??\c:\g8882.exec:\g8882.exe42⤵
- Executes dropped EXE
PID:552 -
\??\c:\0040666.exec:\0040666.exe43⤵
- Executes dropped EXE
PID:4024 -
\??\c:\e84448.exec:\e84448.exe44⤵
- Executes dropped EXE
PID:900 -
\??\c:\s0600.exec:\s0600.exe45⤵
- Executes dropped EXE
PID:3476 -
\??\c:\88064.exec:\88064.exe46⤵
- Executes dropped EXE
PID:1316 -
\??\c:\thttnt.exec:\thttnt.exe47⤵
- Executes dropped EXE
PID:432 -
\??\c:\frfxxff.exec:\frfxxff.exe48⤵
- Executes dropped EXE
PID:2356 -
\??\c:\6008282.exec:\6008282.exe49⤵
- Executes dropped EXE
PID:4884 -
\??\c:\nbhnhh.exec:\nbhnhh.exe50⤵
- Executes dropped EXE
PID:3988 -
\??\c:\xxxxrrf.exec:\xxxxrrf.exe51⤵
- Executes dropped EXE
PID:2288 -
\??\c:\284040.exec:\284040.exe52⤵
- Executes dropped EXE
PID:2224 -
\??\c:\6022666.exec:\6022666.exe53⤵
- Executes dropped EXE
PID:3128 -
\??\c:\3djjj.exec:\3djjj.exe54⤵
- Executes dropped EXE
PID:4264 -
\??\c:\djdpd.exec:\djdpd.exe55⤵
- Executes dropped EXE
PID:2616 -
\??\c:\5lxxxfx.exec:\5lxxxfx.exe56⤵
- Executes dropped EXE
PID:3088 -
\??\c:\rlllfff.exec:\rlllfff.exe57⤵
- Executes dropped EXE
PID:2412 -
\??\c:\40864.exec:\40864.exe58⤵
- Executes dropped EXE
PID:700 -
\??\c:\8484042.exec:\8484042.exe59⤵
- Executes dropped EXE
PID:2072 -
\??\c:\406248.exec:\406248.exe60⤵
- Executes dropped EXE
PID:4372 -
\??\c:\bnttht.exec:\bnttht.exe61⤵
- Executes dropped EXE
PID:4272 -
\??\c:\m8484.exec:\m8484.exe62⤵
- Executes dropped EXE
PID:2512 -
\??\c:\rxxxlll.exec:\rxxxlll.exe63⤵
- Executes dropped EXE
PID:916 -
\??\c:\bthnhh.exec:\bthnhh.exe64⤵
- Executes dropped EXE
PID:2424 -
\??\c:\nhhhbb.exec:\nhhhbb.exe65⤵
- Executes dropped EXE
PID:1692 -
\??\c:\xrlxrrr.exec:\xrlxrrr.exe66⤵PID:2960
-
\??\c:\nhhbbh.exec:\nhhbbh.exe67⤵PID:5100
-
\??\c:\1flxrfx.exec:\1flxrfx.exe68⤵PID:208
-
\??\c:\ppppp.exec:\ppppp.exe69⤵PID:2164
-
\??\c:\e00826.exec:\e00826.exe70⤵PID:1388
-
\??\c:\646260.exec:\646260.exe71⤵PID:3056
-
\??\c:\bhtbht.exec:\bhtbht.exe72⤵PID:3980
-
\??\c:\6200662.exec:\6200662.exe73⤵PID:2084
-
\??\c:\dvvjd.exec:\dvvjd.exe74⤵PID:2428
-
\??\c:\lxxrxrx.exec:\lxxrxrx.exe75⤵PID:2408
-
\??\c:\402002.exec:\402002.exe76⤵PID:2940
-
\??\c:\dppjj.exec:\dppjj.exe77⤵PID:516
-
\??\c:\frrfrlf.exec:\frrfrlf.exe78⤵PID:468
-
\??\c:\flrfxrl.exec:\flrfxrl.exe79⤵PID:4304
-
\??\c:\3vpdv.exec:\3vpdv.exe80⤵PID:640
-
\??\c:\e28206.exec:\e28206.exe81⤵PID:4508
-
\??\c:\dpjdj.exec:\dpjdj.exe82⤵PID:4452
-
\??\c:\4408604.exec:\4408604.exe83⤵PID:3624
-
\??\c:\s2264.exec:\s2264.exe84⤵PID:4876
-
\??\c:\206426.exec:\206426.exe85⤵PID:4356
-
\??\c:\7xxlxxr.exec:\7xxlxxr.exe86⤵PID:3976
-
\??\c:\lllrxfl.exec:\lllrxfl.exe87⤵PID:4276
-
\??\c:\thhhhn.exec:\thhhhn.exe88⤵PID:1980
-
\??\c:\nntntn.exec:\nntntn.exe89⤵
- System Location Discovery: System Language Discovery
PID:3968 -
\??\c:\xllxffx.exec:\xllxffx.exe90⤵PID:552
-
\??\c:\tnhbnh.exec:\tnhbnh.exe91⤵PID:3136
-
\??\c:\7bbthh.exec:\7bbthh.exe92⤵PID:900
-
\??\c:\tbhbnh.exec:\tbhbnh.exe93⤵PID:3568
-
\??\c:\llffxxx.exec:\llffxxx.exe94⤵PID:1316
-
\??\c:\lfxrrll.exec:\lfxrrll.exe95⤵PID:1224
-
\??\c:\64666.exec:\64666.exe96⤵PID:3636
-
\??\c:\pvppp.exec:\pvppp.exe97⤵PID:4252
-
\??\c:\jvpjv.exec:\jvpjv.exe98⤵PID:2036
-
\??\c:\5lrrxxx.exec:\5lrrxxx.exe99⤵PID:4780
-
\??\c:\844004.exec:\844004.exe100⤵PID:2224
-
\??\c:\2246202.exec:\2246202.exe101⤵PID:2968
-
\??\c:\648260.exec:\648260.exe102⤵PID:4264
-
\??\c:\8226482.exec:\8226482.exe103⤵PID:3580
-
\??\c:\jppjp.exec:\jppjp.exe104⤵PID:3644
-
\??\c:\nbtnhb.exec:\nbtnhb.exe105⤵PID:3628
-
\??\c:\xflfxff.exec:\xflfxff.exe106⤵PID:2936
-
\??\c:\84042.exec:\84042.exe107⤵PID:2896
-
\??\c:\jjpdp.exec:\jjpdp.exe108⤵PID:4372
-
\??\c:\844844.exec:\844844.exe109⤵PID:5020
-
\??\c:\btnhhn.exec:\btnhhn.exe110⤵PID:1720
-
\??\c:\82688.exec:\82688.exe111⤵PID:4016
-
\??\c:\pjdvj.exec:\pjdvj.exe112⤵PID:2740
-
\??\c:\5tbthb.exec:\5tbthb.exe113⤵PID:2268
-
\??\c:\rlrlffl.exec:\rlrlffl.exe114⤵PID:2380
-
\??\c:\02200.exec:\02200.exe115⤵PID:3620
-
\??\c:\886220.exec:\886220.exe116⤵PID:220
-
\??\c:\8800486.exec:\8800486.exe117⤵PID:4808
-
\??\c:\08484.exec:\08484.exe118⤵PID:372
-
\??\c:\5rrlxxr.exec:\5rrlxxr.exe119⤵PID:4748
-
\??\c:\2622682.exec:\2622682.exe120⤵PID:1000
-
\??\c:\460062.exec:\460062.exe121⤵PID:3388
-
\??\c:\1xrlffx.exec:\1xrlffx.exe122⤵PID:1084
-