Analysis
-
max time kernel
120s -
max time network
17s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64 arch:x86 image:win7-20241010-en locale:en-us os:windows7-x64 system -
submitted
17/10/2024, 13:57
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
fe487cd825fe6d56a0ef72f202dc44412256761583b241f2b91f474b42d8078bN.exe
Resource
win7-20241010-en
6 signatures
120 seconds
General
-
Target
fe487cd825fe6d56a0ef72f202dc44412256761583b241f2b91f474b42d8078bN.exe
-
Size
67KB
-
MD5
08cae242750fa005584264f241312370
-
SHA1
5f10bdd9878ebfd9b0f35ba972f2105d1677b79b
-
SHA256
fe487cd825fe6d56a0ef72f202dc44412256761583b241f2b91f474b42d8078b
-
SHA512
4b9508a0497deaab496bc5a6a8d9784c9142165653c6cbce9d9656772d2d66f0dc68452f2810a2ef1c5b07be81f9aa53cd713aad8fa33dfb1a640cb2af891e34
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDI9L27Bqf7:ymb3NkkiQ3mdBjFI9cqf7
Malware Config
Signatures
-
Detect Blackmoon payload 22 IoCs
resource yara_rule behavioral1/memory/2648-10-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/1968-24-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/1220-37-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/1692-40-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2408-60-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2880-64-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2808-81-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/1528-95-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2540-120-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/1764-128-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2860-138-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2924-146-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/3036-156-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/980-164-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/580-174-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2524-192-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2536-228-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/1912-236-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/1700-245-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2432-272-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/1800-281-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon 
behavioral1/memory/1712-308-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1968 xfllfrl.exe 1220 8266408.exe 1692 jdjjp.exe 2408 202684.exe 2880 26880.exe 2808 vjjvd.exe 2124 dvpdv.exe 1528 rlxxfxl.exe 2688 u802846.exe 2540 rlllxxl.exe 1764 9rrfllf.exe 2860 c646068.exe 2924 9bnhtb.exe 3036 c684224.exe 980 thnbnt.exe 580 frlfxxf.exe 1300 86406.exe 2524 c040628.exe 2104 4844066.exe 2584 3bntnt.exe 1560 jvjjv.exe 2536 dddjp.exe 1912 5lxflrx.exe 1700 vjvvj.exe 1676 dvpvj.exe 1756 4862224.exe 2432 lffrfrf.exe 1800 48428.exe 292 0846808.exe 2600 4862284.exe 1712 48246.exe 2372 4286284.exe 1036 20802.exe 1256 btbhhn.exe 1976 088460.exe 2092 pvdjd.exe 2804 2406062.exe 2408 jpdvv.exe 2828 2462464.exe 2792 3htbnh.exe 3052 82488.exe 2904 8026222.exe 2676 jpdjj.exe 2752 lxfrxff.exe 2980 jddvd.exe 2484 5djdj.exe 1764 604002.exe 2744 206626.exe 3020 1xfxfxf.exe 572 68800.exe 3036 xlfrlxf.exe 1184 5lflxff.exe 1296 dpvjj.exe 1928 466222.exe 2496 42000.exe 2116 64228.exe 2136 46222.exe 276 602682.exe 1852 820424.exe 2232 1fxxxrx.exe 2660 862240.exe 2276 lfxrrrl.exe 2652 frrlrrr.exe 1704 m0402.exe -
resource yara_rule behavioral1/memory/2648-10-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2648-3-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1968-16-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1968-14-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1968-13-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1968-24-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1220-28-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1220-27-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1220-37-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1692-40-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2408-51-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2408-50-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2408-60-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2880-64-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2808-72-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2808-81-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1528-92-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1528-95-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1528-94-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2540-120-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1764-128-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2860-138-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2924-146-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/3036-156-0x0000000000400000-0x0000000000429000-memory.dmp upx 
behavioral1/memory/980-164-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/580-174-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2524-192-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2536-228-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1912-236-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1700-245-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2432-272-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1800-281-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1712-308-0x0000000000400000-0x0000000000429000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0862002.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxlxrfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3xrxffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 080404.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbntbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frllxxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 042848.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nttthh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rllrlxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c828686.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not 
Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4286284.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language g2048.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnntbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language s6046.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2648 wrote to memory of 1968 2648 fe487cd825fe6d56a0ef72f202dc44412256761583b241f2b91f474b42d8078bN.exe 30 PID 2648 wrote to memory of 1968 2648 fe487cd825fe6d56a0ef72f202dc44412256761583b241f2b91f474b42d8078bN.exe 30 PID 2648 wrote to memory of 1968 2648 fe487cd825fe6d56a0ef72f202dc44412256761583b241f2b91f474b42d8078bN.exe 30 PID 2648 wrote to memory of 1968 2648 fe487cd825fe6d56a0ef72f202dc44412256761583b241f2b91f474b42d8078bN.exe 30 PID 1968 wrote to memory of 1220 1968 xfllfrl.exe 31 PID 1968 wrote to memory of 1220 1968 xfllfrl.exe 31 PID 1968 wrote to memory of 1220 1968 xfllfrl.exe 31 PID 1968 wrote to memory of 1220 1968 xfllfrl.exe 31 PID 1220 wrote to memory of 1692 1220 8266408.exe 32 PID 1220 wrote to memory of 1692 1220 8266408.exe 32 PID 1220 wrote to memory of 1692 1220 8266408.exe 32 PID 1220 wrote to memory of 1692 1220 8266408.exe 32 PID 1692 wrote to memory of 2408 1692 jdjjp.exe 33 PID 1692 wrote to memory of 2408 1692 jdjjp.exe 33 PID 1692 wrote to memory of 2408 1692 jdjjp.exe 33 PID 1692 wrote to memory of 2408 1692 jdjjp.exe 33 PID 2408 wrote to memory of 2880 2408 202684.exe 34 PID 2408 wrote to memory of 2880 2408 202684.exe 34 PID 2408 wrote to memory of 2880 2408 202684.exe 34 PID 2408 wrote to memory of 2880 2408 202684.exe 34 PID 2880 wrote to memory of 2808 2880 26880.exe 35 PID 2880 wrote to memory of 2808 2880 26880.exe 35 PID 2880 wrote to memory of 2808 2880 26880.exe 35 PID 2880 wrote to memory of 2808 2880 26880.exe 35 PID 2808 wrote to memory of 2124 2808 vjjvd.exe 36 PID 2808 wrote to memory of 2124 2808 vjjvd.exe 36 PID 2808 wrote to memory of 2124 2808 vjjvd.exe 36 PID 2808 wrote to memory of 2124 2808 vjjvd.exe 36 PID 2124 wrote to memory of 1528 2124 dvpdv.exe 37 PID 2124 wrote to memory of 1528 2124 dvpdv.exe 37 PID 2124 wrote to memory of 1528 2124 dvpdv.exe 37 PID 2124 wrote to memory of 1528 2124 dvpdv.exe 37 PID 1528 wrote to memory of 2688 1528 rlxxfxl.exe 38 PID 1528 wrote 
to memory of 2688 1528 rlxxfxl.exe 38 PID 1528 wrote to memory of 2688 1528 rlxxfxl.exe 38 PID 1528 wrote to memory of 2688 1528 rlxxfxl.exe 38 PID 2688 wrote to memory of 2540 2688 u802846.exe 39 PID 2688 wrote to memory of 2540 2688 u802846.exe 39 PID 2688 wrote to memory of 2540 2688 u802846.exe 39 PID 2688 wrote to memory of 2540 2688 u802846.exe 39 PID 2540 wrote to memory of 1764 2540 rlllxxl.exe 40 PID 2540 wrote to memory of 1764 2540 rlllxxl.exe 40 PID 2540 wrote to memory of 1764 2540 rlllxxl.exe 40 PID 2540 wrote to memory of 1764 2540 rlllxxl.exe 40 PID 1764 wrote to memory of 2860 1764 9rrfllf.exe 41 PID 1764 wrote to memory of 2860 1764 9rrfllf.exe 41 PID 1764 wrote to memory of 2860 1764 9rrfllf.exe 41 PID 1764 wrote to memory of 2860 1764 9rrfllf.exe 41 PID 2860 wrote to memory of 2924 2860 c646068.exe 42 PID 2860 wrote to memory of 2924 2860 c646068.exe 42 PID 2860 wrote to memory of 2924 2860 c646068.exe 42 PID 2860 wrote to memory of 2924 2860 c646068.exe 42 PID 2924 wrote to memory of 3036 2924 9bnhtb.exe 43 PID 2924 wrote to memory of 3036 2924 9bnhtb.exe 43 PID 2924 wrote to memory of 3036 2924 9bnhtb.exe 43 PID 2924 wrote to memory of 3036 2924 9bnhtb.exe 43 PID 3036 wrote to memory of 980 3036 c684224.exe 44 PID 3036 wrote to memory of 980 3036 c684224.exe 44 PID 3036 wrote to memory of 980 3036 c684224.exe 44 PID 3036 wrote to memory of 980 3036 c684224.exe 44 PID 980 wrote to memory of 580 980 thnbnt.exe 45 PID 980 wrote to memory of 580 980 thnbnt.exe 45 PID 980 wrote to memory of 580 980 thnbnt.exe 45 PID 980 wrote to memory of 580 980 thnbnt.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\fe487cd825fe6d56a0ef72f202dc44412256761583b241f2b91f474b42d8078bN.exe"C:\Users\Admin\AppData\Local\Temp\fe487cd825fe6d56a0ef72f202dc44412256761583b241f2b91f474b42d8078bN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2648 -
\??\c:\xfllfrl.exec:\xfllfrl.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1968 -
\??\c:\8266408.exec:\8266408.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1220 -
\??\c:\jdjjp.exec:\jdjjp.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1692 -
\??\c:\202684.exec:\202684.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2408 -
\??\c:\26880.exec:\26880.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2880 -
\??\c:\vjjvd.exec:\vjjvd.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2808 -
\??\c:\dvpdv.exec:\dvpdv.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2124 -
\??\c:\rlxxfxl.exec:\rlxxfxl.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1528 -
\??\c:\u802846.exec:\u802846.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2688 -
\??\c:\rlllxxl.exec:\rlllxxl.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2540 -
\??\c:\9rrfllf.exec:\9rrfllf.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1764 -
\??\c:\c646068.exec:\c646068.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2860 -
\??\c:\9bnhtb.exec:\9bnhtb.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2924 -
\??\c:\c684224.exec:\c684224.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3036 -
\??\c:\thnbnt.exec:\thnbnt.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:980 -
\??\c:\frlfxxf.exec:\frlfxxf.exe17⤵
- Executes dropped EXE
PID:580 -
\??\c:\86406.exec:\86406.exe18⤵
- Executes dropped EXE
PID:1300 -
\??\c:\c040628.exec:\c040628.exe19⤵
- Executes dropped EXE
PID:2524 -
\??\c:\4844066.exec:\4844066.exe20⤵
- Executes dropped EXE
PID:2104 -
\??\c:\3bntnt.exec:\3bntnt.exe21⤵
- Executes dropped EXE
PID:2584 -
\??\c:\jvjjv.exec:\jvjjv.exe22⤵
- Executes dropped EXE
PID:1560 -
\??\c:\dddjp.exec:\dddjp.exe23⤵
- Executes dropped EXE
PID:2536 -
\??\c:\5lxflrx.exec:\5lxflrx.exe24⤵
- Executes dropped EXE
PID:1912 -
\??\c:\vjvvj.exec:\vjvvj.exe25⤵
- Executes dropped EXE
PID:1700 -
\??\c:\dvpvj.exec:\dvpvj.exe26⤵
- Executes dropped EXE
PID:1676 -
\??\c:\4862224.exec:\4862224.exe27⤵
- Executes dropped EXE
PID:1756 -
\??\c:\lffrfrf.exec:\lffrfrf.exe28⤵
- Executes dropped EXE
PID:2432 -
\??\c:\48428.exec:\48428.exe29⤵
- Executes dropped EXE
PID:1800 -
\??\c:\0846808.exec:\0846808.exe30⤵
- Executes dropped EXE
PID:292 -
\??\c:\4862284.exec:\4862284.exe31⤵
- Executes dropped EXE
PID:2600 -
\??\c:\48246.exec:\48246.exe32⤵
- Executes dropped EXE
PID:1712 -
\??\c:\4286284.exec:\4286284.exe33⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2372 -
\??\c:\20802.exec:\20802.exe34⤵
- Executes dropped EXE
PID:1036 -
\??\c:\btbhhn.exec:\btbhhn.exe35⤵
- Executes dropped EXE
PID:1256 -
\??\c:\088460.exec:\088460.exe36⤵
- Executes dropped EXE
PID:1976 -
\??\c:\pvdjd.exec:\pvdjd.exe37⤵
- Executes dropped EXE
PID:2092 -
\??\c:\2406062.exec:\2406062.exe38⤵
- Executes dropped EXE
PID:2804 -
\??\c:\jpdvv.exec:\jpdvv.exe39⤵
- Executes dropped EXE
PID:2408 -
\??\c:\2462464.exec:\2462464.exe40⤵
- Executes dropped EXE
PID:2828 -
\??\c:\3htbnh.exec:\3htbnh.exe41⤵
- Executes dropped EXE
PID:2792 -
\??\c:\82488.exec:\82488.exe42⤵
- Executes dropped EXE
PID:3052 -
\??\c:\8026222.exec:\8026222.exe43⤵
- Executes dropped EXE
PID:2904 -
\??\c:\jpdjj.exec:\jpdjj.exe44⤵
- Executes dropped EXE
PID:2676 -
\??\c:\lxfrxff.exec:\lxfrxff.exe45⤵
- Executes dropped EXE
PID:2752 -
\??\c:\jddvd.exec:\jddvd.exe46⤵
- Executes dropped EXE
PID:2980 -
\??\c:\5djdj.exec:\5djdj.exe47⤵
- Executes dropped EXE
PID:2484 -
\??\c:\604002.exec:\604002.exe48⤵
- Executes dropped EXE
PID:1764 -
\??\c:\206626.exec:\206626.exe49⤵
- Executes dropped EXE
PID:2744 -
\??\c:\1xfxfxf.exec:\1xfxfxf.exe50⤵
- Executes dropped EXE
PID:3020 -
\??\c:\68800.exec:\68800.exe51⤵
- Executes dropped EXE
PID:572 -
\??\c:\xlfrlxf.exec:\xlfrlxf.exe52⤵
- Executes dropped EXE
PID:3036 -
\??\c:\5lflxff.exec:\5lflxff.exe53⤵
- Executes dropped EXE
PID:1184 -
\??\c:\dpvjj.exec:\dpvjj.exe54⤵
- Executes dropped EXE
PID:1296 -
\??\c:\466222.exec:\466222.exe55⤵
- Executes dropped EXE
PID:1928 -
\??\c:\42000.exec:\42000.exe56⤵
- Executes dropped EXE
PID:2496 -
\??\c:\64228.exec:\64228.exe57⤵
- Executes dropped EXE
PID:2116 -
\??\c:\46222.exec:\46222.exe58⤵
- Executes dropped EXE
PID:2136 -
\??\c:\602682.exec:\602682.exe59⤵
- Executes dropped EXE
PID:276 -
\??\c:\820424.exec:\820424.exe60⤵
- Executes dropped EXE
PID:1852 -
\??\c:\1fxxxrx.exec:\1fxxxrx.exe61⤵
- Executes dropped EXE
PID:2232 -
\??\c:\862240.exec:\862240.exe62⤵
- Executes dropped EXE
PID:2660 -
\??\c:\lfxrrrl.exec:\lfxrrrl.exe63⤵
- Executes dropped EXE
PID:2276 -
\??\c:\frrlrrr.exec:\frrlrrr.exe64⤵
- Executes dropped EXE
PID:2652 -
\??\c:\m0402.exec:\m0402.exe65⤵
- Executes dropped EXE
PID:1704 -
\??\c:\2022884.exec:\2022884.exe66⤵PID:2248
-
\??\c:\264026.exec:\264026.exe67⤵PID:288
-
\??\c:\pddjj.exec:\pddjj.exe68⤵PID:2452
-
\??\c:\vvvdp.exec:\vvvdp.exe69⤵PID:1608
-
\??\c:\c240600.exec:\c240600.exe70⤵PID:2128
-
\??\c:\7xfxlll.exec:\7xfxlll.exe71⤵PID:1964
-
\??\c:\rflrxfl.exec:\rflrxfl.exe72⤵PID:1680
-
\??\c:\82822.exec:\82822.exe73⤵PID:824
-
\??\c:\flrrlrx.exec:\flrrlrx.exe74⤵PID:2356
-
\??\c:\424022.exec:\424022.exe75⤵PID:1844
-
\??\c:\84842.exec:\84842.exe76⤵PID:2352
-
\??\c:\46662.exec:\46662.exe77⤵PID:2448
-
\??\c:\bthnnt.exec:\bthnnt.exe78⤵PID:2396
-
\??\c:\0840600.exec:\0840600.exe79⤵PID:2780
-
\??\c:\u800600.exec:\u800600.exe80⤵PID:2832
-
\??\c:\9vjjp.exec:\9vjjp.exe81⤵PID:2836
-
\??\c:\8600222.exec:\8600222.exe82⤵PID:2936
-
\??\c:\5rlrxfr.exec:\5rlrxfr.exe83⤵PID:2712
-
\??\c:\rfrrxll.exec:\rfrrxll.exe84⤵PID:2672
-
\??\c:\088808.exec:\088808.exe85⤵PID:2796
-
\??\c:\rffrxlr.exec:\rffrxlr.exe86⤵PID:2552
-
\??\c:\084066.exec:\084066.exe87⤵PID:2852
-
\??\c:\2006266.exec:\2006266.exe88⤵PID:2296
-
\??\c:\nnnntt.exec:\nnnntt.exe89⤵PID:956
-
\??\c:\5xrrxfr.exec:\5xrrxfr.exe90⤵PID:2920
-
\??\c:\llllxfr.exec:\llllxfr.exe91⤵PID:356
-
\??\c:\ddvjd.exec:\ddvjd.exe92⤵PID:2240
-
\??\c:\pdjjp.exec:\pdjjp.exe93⤵PID:3040
-
\??\c:\nbtbhn.exec:\nbtbhn.exe94⤵PID:1424
-
\??\c:\4868006.exec:\4868006.exe95⤵PID:2500
-
\??\c:\646280.exec:\646280.exe96⤵PID:2480
-
\??\c:\o088062.exec:\o088062.exe97⤵PID:2088
-
\??\c:\1hthnt.exec:\1hthnt.exe98⤵PID:2112
-
\??\c:\nhtnbb.exec:\nhtnbb.exe99⤵PID:1992
-
\??\c:\vvjpp.exec:\vvjpp.exe100⤵PID:1472
-
\??\c:\nbtbhn.exec:\nbtbhn.exe101⤵PID:448
-
\??\c:\ttntbh.exec:\ttntbh.exe102⤵PID:2320
-
\??\c:\64662.exec:\64662.exe103⤵PID:1364
-
\??\c:\m2848.exec:\m2848.exe104⤵PID:976
-
\??\c:\0866266.exec:\0866266.exe105⤵PID:2492
-
\??\c:\tntnnn.exec:\tntnnn.exe106⤵PID:2264
-
\??\c:\xrxfrxl.exec:\xrxfrxl.exe107⤵PID:1936
-
\??\c:\9thhbh.exec:\9thhbh.exe108⤵PID:2200
-
\??\c:\1thnnn.exec:\1thnnn.exe109⤵PID:1800
-
\??\c:\8284062.exec:\8284062.exe110⤵PID:868
-
\??\c:\hbhttt.exec:\hbhttt.exe111⤵PID:2128
-
\??\c:\frllxxl.exec:\frllxxl.exe112⤵
- System Location Discovery: System Language Discovery
PID:1568 -
\??\c:\5hbbnt.exec:\5hbbnt.exe113⤵PID:2080
-
\??\c:\nbntbh.exec:\nbntbh.exe114⤵PID:1940
-
\??\c:\i240600.exec:\i240600.exe115⤵PID:1672
-
\??\c:\68404.exec:\68404.exe116⤵PID:2368
-
\??\c:\6400862.exec:\6400862.exe117⤵PID:2856
-
\??\c:\nbhnnn.exec:\nbhnnn.exe118⤵PID:2224
-
\??\c:\nntttt.exec:\nntttt.exe119⤵PID:2164
-
\??\c:\bhttbb.exec:\bhttbb.exe120⤵PID:2804
-
\??\c:\ddppj.exec:\ddppj.exe121⤵PID:2900
-
\??\c:\jvvvd.exec:\jvvvd.exe122⤵PID:2152
-