Analysis
-
max time kernel
120s -
max time network
14s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64 arch:x86 image:win7-20240708-en locale:en-us os:windows7-x64 system -
submitted
17/10/2024, 14:46
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
08e3c566fb4c8df5e470eba9f5e97c92429e46251b632e7db544afa0f29c963cN.exe
Resource
win7-20240708-en
6 signatures
120 seconds
General
-
Target
08e3c566fb4c8df5e470eba9f5e97c92429e46251b632e7db544afa0f29c963cN.exe
-
Size
65KB
-
MD5
f859945ee111dbf2258f6722fc6555c0
-
SHA1
06e5c4319a815b98dae52f216b58d3923de9df63
-
SHA256
08e3c566fb4c8df5e470eba9f5e97c92429e46251b632e7db544afa0f29c963c
-
SHA512
ea0d755e1b4c350f2b6e9869d1a16f1c4f52a2ea12bfe5792526051995b2266040977f8d3b257b6b15ca64956907a0220189bf51f911c22c1a890c7b89b22ab5
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDI9L27Q:ymb3NkkiQ3mdBjFI99
Malware Config
Signatures
-
Detect Blackmoon payload 24 IoCs
resource yara_rule behavioral1/memory/2152-4-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2304-14-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2796-56-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2260-51-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2204-38-0x0000000000401000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2204-37-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2828-71-0x0000000000401000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2828-70-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/1312-85-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2076-90-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2076-89-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2452-114-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2928-124-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2648-142-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2920-151-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/776-159-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/1444-168-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2932-178-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2532-196-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2988-214-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/1592-231-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon 
behavioral1/memory/1864-276-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2144-286-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/536-303-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2304 5frfxxx.exe 1236 3bbhtt.exe 2204 3nbnhb.exe 2260 3dvdj.exe 2796 lrxfrrr.exe 2828 bnbtbb.exe 1312 htttnn.exe 2076 ffxllxr.exe 2652 xrlrfxf.exe 2452 7thtbb.exe 2928 jdjpp.exe 344 vvjjv.exe 2648 3rrxfrl.exe 2920 9rfrxff.exe 776 tntntb.exe 1444 thbbhh.exe 2932 pdppp.exe 2992 rlxlrxr.exe 2532 3lxrxxx.exe 2480 btbhnt.exe 2988 hbntbh.exe 444 vvjdd.exe 1592 9frfffl.exe 948 fxllflr.exe 1600 5ttbnt.exe 1680 htbhbb.exe 1892 jjvdv.exe 1864 xxrxrlx.exe 2144 5fxrlxf.exe 2244 nthhnn.exe 536 vvjvj.exe 2180 jdjpp.exe 2404 5rxxlxx.exe 2260 rfllxxl.exe 2712 5bnhtb.exe 2776 hbnttn.exe 2868 jddpp.exe 2788 djdjp.exe 3036 1lfrllr.exe 2756 5nhnbh.exe 2596 htbtht.exe 2116 jpjvj.exe 1740 rflfrxl.exe 320 tbnnbb.exe 2880 hbhntb.exe 2928 1hthhh.exe 344 vvddj.exe 2004 1vpjp.exe 1988 fxlflff.exe 268 rfxxllx.exe 1200 5bnnbb.exe 2940 htbbbh.exe 2980 vpdpp.exe 2212 7ddvd.exe 2156 lfrrxxl.exe 1964 1rlllrx.exe 1536 3hthnn.exe 1084 hthntb.exe 3060 dvvvj.exe 900 dvjvp.exe 640 lflrrrf.exe 1900 fxfllfl.exe 1012 ntnthb.exe 316 htnhnn.exe -
resource yara_rule behavioral1/memory/2152-4-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2304-14-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2796-56-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2260-51-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2260-45-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2260-42-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2260-41-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2204-37-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2828-70-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1312-76-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1312-75-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1312-85-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2076-90-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2076-89-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2076-87-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2452-114-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2928-124-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2648-142-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2920-151-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/776-159-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1444-168-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2932-178-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2532-196-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2988-214-0x0000000000400000-0x0000000000429000-memory.dmp upx 
behavioral1/memory/1592-231-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1864-276-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2144-286-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/536-303-0x0000000000400000-0x0000000000429000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhbhnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1ttbhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djppv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1rrlrxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvdvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxlflff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvvdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2152 wrote to memory of 2304 2152 08e3c566fb4c8df5e470eba9f5e97c92429e46251b632e7db544afa0f29c963cN.exe 30 PID 2152 wrote to memory of 2304 2152 08e3c566fb4c8df5e470eba9f5e97c92429e46251b632e7db544afa0f29c963cN.exe 30 PID 2152 wrote to memory of 2304 2152 08e3c566fb4c8df5e470eba9f5e97c92429e46251b632e7db544afa0f29c963cN.exe 30 PID 2152 wrote to memory of 2304 2152 08e3c566fb4c8df5e470eba9f5e97c92429e46251b632e7db544afa0f29c963cN.exe 30 PID 2304 wrote to memory of 1236 2304 5frfxxx.exe 31 PID 2304 wrote to memory of 1236 2304 5frfxxx.exe 31 PID 2304 wrote to memory of 1236 2304 5frfxxx.exe 31 PID 2304 wrote to memory of 1236 2304 5frfxxx.exe 31 PID 1236 wrote to memory of 2204 1236 3bbhtt.exe 32 PID 1236 wrote to memory of 2204 1236 3bbhtt.exe 32 PID 1236 wrote to memory of 2204 1236 3bbhtt.exe 32 PID 1236 wrote to memory of 2204 1236 3bbhtt.exe 32 PID 2204 wrote to memory of 2260 2204 3nbnhb.exe 33 PID 2204 wrote to memory of 2260 2204 3nbnhb.exe 33 PID 2204 wrote to memory of 2260 2204 3nbnhb.exe 33 PID 2204 wrote to memory of 2260 2204 3nbnhb.exe 33 PID 2260 wrote to memory of 2796 2260 3dvdj.exe 34 PID 2260 wrote to memory of 2796 2260 3dvdj.exe 34 PID 2260 wrote to memory of 2796 2260 3dvdj.exe 34 PID 2260 wrote to memory of 2796 2260 3dvdj.exe 34 PID 2796 wrote to memory of 2828 2796 lrxfrrr.exe 35 PID 2796 wrote to memory of 2828 2796 lrxfrrr.exe 35 PID 2796 wrote to memory of 2828 2796 lrxfrrr.exe 35 PID 2796 wrote to memory of 2828 2796 lrxfrrr.exe 35 PID 2828 wrote to memory of 1312 2828 bnbtbb.exe 36 PID 2828 wrote to memory of 1312 2828 bnbtbb.exe 36 PID 2828 wrote to memory of 1312 2828 bnbtbb.exe 36 PID 2828 wrote to memory of 1312 2828 bnbtbb.exe 36 PID 1312 wrote to memory of 2076 1312 htttnn.exe 37 PID 1312 wrote to memory of 2076 1312 htttnn.exe 37 PID 1312 wrote to memory of 2076 1312 htttnn.exe 37 PID 1312 wrote to memory of 2076 1312 htttnn.exe 37 PID 2076 wrote to memory of 2652 2076 ffxllxr.exe 38 PID 
2076 wrote to memory of 2652 2076 ffxllxr.exe 38 PID 2076 wrote to memory of 2652 2076 ffxllxr.exe 38 PID 2076 wrote to memory of 2652 2076 ffxllxr.exe 38 PID 2652 wrote to memory of 2452 2652 xrlrfxf.exe 39 PID 2652 wrote to memory of 2452 2652 xrlrfxf.exe 39 PID 2652 wrote to memory of 2452 2652 xrlrfxf.exe 39 PID 2652 wrote to memory of 2452 2652 xrlrfxf.exe 39 PID 2452 wrote to memory of 2928 2452 7thtbb.exe 40 PID 2452 wrote to memory of 2928 2452 7thtbb.exe 40 PID 2452 wrote to memory of 2928 2452 7thtbb.exe 40 PID 2452 wrote to memory of 2928 2452 7thtbb.exe 40 PID 2928 wrote to memory of 344 2928 jdjpp.exe 41 PID 2928 wrote to memory of 344 2928 jdjpp.exe 41 PID 2928 wrote to memory of 344 2928 jdjpp.exe 41 PID 2928 wrote to memory of 344 2928 jdjpp.exe 41 PID 344 wrote to memory of 2648 344 vvjjv.exe 42 PID 344 wrote to memory of 2648 344 vvjjv.exe 42 PID 344 wrote to memory of 2648 344 vvjjv.exe 42 PID 344 wrote to memory of 2648 344 vvjjv.exe 42 PID 2648 wrote to memory of 2920 2648 3rrxfrl.exe 43 PID 2648 wrote to memory of 2920 2648 3rrxfrl.exe 43 PID 2648 wrote to memory of 2920 2648 3rrxfrl.exe 43 PID 2648 wrote to memory of 2920 2648 3rrxfrl.exe 43 PID 2920 wrote to memory of 776 2920 9rfrxff.exe 44 PID 2920 wrote to memory of 776 2920 9rfrxff.exe 44 PID 2920 wrote to memory of 776 2920 9rfrxff.exe 44 PID 2920 wrote to memory of 776 2920 9rfrxff.exe 44 PID 776 wrote to memory of 1444 776 tntntb.exe 45 PID 776 wrote to memory of 1444 776 tntntb.exe 45 PID 776 wrote to memory of 1444 776 tntntb.exe 45 PID 776 wrote to memory of 1444 776 tntntb.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\08e3c566fb4c8df5e470eba9f5e97c92429e46251b632e7db544afa0f29c963cN.exe"C:\Users\Admin\AppData\Local\Temp\08e3c566fb4c8df5e470eba9f5e97c92429e46251b632e7db544afa0f29c963cN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2152 -
\??\c:\5frfxxx.exec:\5frfxxx.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2304 -
\??\c:\3bbhtt.exec:\3bbhtt.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1236 -
\??\c:\3nbnhb.exec:\3nbnhb.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2204 -
\??\c:\3dvdj.exec:\3dvdj.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2260 -
\??\c:\lrxfrrr.exec:\lrxfrrr.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2796 -
\??\c:\bnbtbb.exec:\bnbtbb.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2828 -
\??\c:\htttnn.exec:\htttnn.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1312 -
\??\c:\ffxllxr.exec:\ffxllxr.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2076 -
\??\c:\xrlrfxf.exec:\xrlrfxf.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2652 -
\??\c:\7thtbb.exec:\7thtbb.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2452 -
\??\c:\jdjpp.exec:\jdjpp.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2928 -
\??\c:\vvjjv.exec:\vvjjv.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:344 -
\??\c:\3rrxfrl.exec:\3rrxfrl.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2648 -
\??\c:\9rfrxff.exec:\9rfrxff.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2920 -
\??\c:\tntntb.exec:\tntntb.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:776 -
\??\c:\thbbhh.exec:\thbbhh.exe17⤵
- Executes dropped EXE
PID:1444 -
\??\c:\pdppp.exec:\pdppp.exe18⤵
- Executes dropped EXE
PID:2932 -
\??\c:\rlxlrxr.exec:\rlxlrxr.exe19⤵
- Executes dropped EXE
PID:2992 -
\??\c:\3lxrxxx.exec:\3lxrxxx.exe20⤵
- Executes dropped EXE
PID:2532 -
\??\c:\btbhnt.exec:\btbhnt.exe21⤵
- Executes dropped EXE
PID:2480 -
\??\c:\hbntbh.exec:\hbntbh.exe22⤵
- Executes dropped EXE
PID:2988 -
\??\c:\vvjdd.exec:\vvjdd.exe23⤵
- Executes dropped EXE
PID:444 -
\??\c:\9frfffl.exec:\9frfffl.exe24⤵
- Executes dropped EXE
PID:1592 -
\??\c:\fxllflr.exec:\fxllflr.exe25⤵
- Executes dropped EXE
PID:948 -
\??\c:\5ttbnt.exec:\5ttbnt.exe26⤵
- Executes dropped EXE
PID:1600 -
\??\c:\htbhbb.exec:\htbhbb.exe27⤵
- Executes dropped EXE
PID:1680 -
\??\c:\jjvdv.exec:\jjvdv.exe28⤵
- Executes dropped EXE
PID:1892 -
\??\c:\xxrxrlx.exec:\xxrxrlx.exe29⤵
- Executes dropped EXE
PID:1864 -
\??\c:\5fxrlxf.exec:\5fxrlxf.exe30⤵
- Executes dropped EXE
PID:2144 -
\??\c:\nthhnn.exec:\nthhnn.exe31⤵
- Executes dropped EXE
PID:2244 -
\??\c:\vvjvj.exec:\vvjvj.exe32⤵
- Executes dropped EXE
PID:536 -
\??\c:\jdjpp.exec:\jdjpp.exe33⤵
- Executes dropped EXE
PID:2180 -
\??\c:\5rxxlxx.exec:\5rxxlxx.exe34⤵
- Executes dropped EXE
PID:2404 -
\??\c:\rfllxxl.exec:\rfllxxl.exe35⤵
- Executes dropped EXE
PID:2260 -
\??\c:\5bnhtb.exec:\5bnhtb.exe36⤵
- Executes dropped EXE
PID:2712 -
\??\c:\hbnttn.exec:\hbnttn.exe37⤵
- Executes dropped EXE
PID:2776 -
\??\c:\jddpp.exec:\jddpp.exe38⤵
- Executes dropped EXE
PID:2868 -
\??\c:\djdjp.exec:\djdjp.exe39⤵
- Executes dropped EXE
PID:2788 -
\??\c:\1lfrllr.exec:\1lfrllr.exe40⤵
- Executes dropped EXE
PID:3036 -
\??\c:\5nhnbh.exec:\5nhnbh.exe41⤵
- Executes dropped EXE
PID:2756 -
\??\c:\htbtht.exec:\htbtht.exe42⤵
- Executes dropped EXE
PID:2596 -
\??\c:\jpjvj.exec:\jpjvj.exe43⤵
- Executes dropped EXE
PID:2116 -
\??\c:\rflfrxl.exec:\rflfrxl.exe44⤵
- Executes dropped EXE
PID:1740 -
\??\c:\tbnnbb.exec:\tbnnbb.exe45⤵
- Executes dropped EXE
PID:320 -
\??\c:\hbhntb.exec:\hbhntb.exe46⤵
- Executes dropped EXE
PID:2880 -
\??\c:\1hthhh.exec:\1hthhh.exe47⤵
- Executes dropped EXE
PID:2928 -
\??\c:\vvddj.exec:\vvddj.exe48⤵
- Executes dropped EXE
PID:344 -
\??\c:\1vpjp.exec:\1vpjp.exe49⤵
- Executes dropped EXE
PID:2004 -
\??\c:\fxlflff.exec:\fxlflff.exe50⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1988 -
\??\c:\rfxxllx.exec:\rfxxllx.exe51⤵
- Executes dropped EXE
PID:268 -
\??\c:\5bnnbb.exec:\5bnnbb.exe52⤵
- Executes dropped EXE
PID:1200 -
\??\c:\htbbbh.exec:\htbbbh.exe53⤵
- Executes dropped EXE
PID:2940 -
\??\c:\vpdpp.exec:\vpdpp.exe54⤵
- Executes dropped EXE
PID:2980 -
\??\c:\7ddvd.exec:\7ddvd.exe55⤵
- Executes dropped EXE
PID:2212 -
\??\c:\lfrrxxl.exec:\lfrrxxl.exe56⤵
- Executes dropped EXE
PID:2156 -
\??\c:\1rlllrx.exec:\1rlllrx.exe57⤵
- Executes dropped EXE
PID:1964 -
\??\c:\3hthnn.exec:\3hthnn.exe58⤵
- Executes dropped EXE
PID:1536 -
\??\c:\hthntb.exec:\hthntb.exe59⤵
- Executes dropped EXE
PID:1084 -
\??\c:\dvvvj.exec:\dvvvj.exe60⤵
- Executes dropped EXE
PID:3060 -
\??\c:\dvjvp.exec:\dvjvp.exe61⤵
- Executes dropped EXE
PID:900 -
\??\c:\lflrrrf.exec:\lflrrrf.exe62⤵
- Executes dropped EXE
PID:640 -
\??\c:\fxfllfl.exec:\fxfllfl.exe63⤵
- Executes dropped EXE
PID:1900 -
\??\c:\ntnthb.exec:\ntnthb.exe64⤵
- Executes dropped EXE
PID:1012 -
\??\c:\htnhnn.exec:\htnhnn.exe65⤵
- Executes dropped EXE
PID:316 -
\??\c:\vpppj.exec:\vpppj.exe66⤵PID:2536
-
\??\c:\pdppd.exec:\pdppd.exe67⤵PID:284
-
\??\c:\ffrxxrr.exec:\ffrxxrr.exe68⤵PID:2172
-
\??\c:\7lxxflf.exec:\7lxxflf.exe69⤵PID:2548
-
\??\c:\tnhnhh.exec:\tnhnhh.exe70⤵PID:2244
-
\??\c:\nnbhnb.exec:\nnbhnb.exe71⤵PID:1236
-
\??\c:\vjddd.exec:\vjddd.exe72⤵PID:2476
-
\??\c:\ddpdd.exec:\ddpdd.exe73⤵PID:2692
-
\??\c:\9ddpj.exec:\9ddpj.exe74⤵PID:1512
-
\??\c:\9frrxxf.exec:\9frrxxf.exe75⤵PID:2724
-
\??\c:\lfrxlrx.exec:\lfrxlrx.exe76⤵PID:2708
-
\??\c:\3hbtbh.exec:\3hbtbh.exe77⤵PID:2772
-
\??\c:\bntbtb.exec:\bntbtb.exe78⤵PID:2812
-
\??\c:\pjjpp.exec:\pjjpp.exe79⤵PID:2608
-
\??\c:\vjdjj.exec:\vjdjj.exe80⤵PID:2624
-
\??\c:\pjvvv.exec:\pjvvv.exe81⤵PID:2592
-
\??\c:\lflffxf.exec:\lflffxf.exe82⤵PID:2240
-
\??\c:\xxxlllx.exec:\xxxlllx.exe83⤵PID:1972
-
\??\c:\bbnbbh.exec:\bbnbbh.exe84⤵PID:2452
-
\??\c:\tnnntn.exec:\tnnntn.exe85⤵PID:1404
-
\??\c:\vvjjp.exec:\vvjjp.exe86⤵PID:2000
-
\??\c:\djppv.exec:\djppv.exe87⤵
- System Location Discovery: System Language Discovery
PID:2896 -
\??\c:\lfrrffl.exec:\lfrrffl.exe88⤵PID:2900
-
\??\c:\5lrxllr.exec:\5lrxllr.exe89⤵PID:996
-
\??\c:\rflrrrx.exec:\rflrrrx.exe90⤵PID:1616
-
\??\c:\5bnthb.exec:\5bnthb.exe91⤵PID:3008
-
\??\c:\pjvjd.exec:\pjvjd.exe92⤵PID:2964
-
\??\c:\3pjvj.exec:\3pjvj.exe93⤵PID:2108
-
\??\c:\fxrffll.exec:\fxrffll.exe94⤵PID:2212
-
\??\c:\frlrxxl.exec:\frlrxxl.exe95⤵PID:1496
-
\??\c:\3rlflrx.exec:\3rlflrx.exe96⤵PID:3004
-
\??\c:\hbtbhn.exec:\hbtbhn.exe97⤵PID:1452
-
\??\c:\htnntn.exec:\htnntn.exe98⤵PID:2560
-
\??\c:\vpdpd.exec:\vpdpd.exe99⤵PID:1148
-
\??\c:\dvvvj.exec:\dvvvj.exe100⤵PID:1080
-
\??\c:\rflrrlx.exec:\rflrrlx.exe101⤵PID:1288
-
\??\c:\frfrfll.exec:\frfrfll.exe102⤵PID:688
-
\??\c:\xlrxflr.exec:\xlrxflr.exe103⤵PID:2456
-
\??\c:\tnbhtt.exec:\tnbhtt.exe104⤵PID:1400
-
\??\c:\hbnnhb.exec:\hbnnhb.exe105⤵PID:2504
-
\??\c:\dpvvv.exec:\dpvvv.exe106⤵PID:1864
-
\??\c:\jvdvd.exec:\jvdvd.exe107⤵PID:2140
-
\??\c:\rfllrxf.exec:\rfllrxf.exe108⤵PID:980
-
\??\c:\fflffxf.exec:\fflffxf.exe109⤵PID:112
-
\??\c:\llfrffl.exec:\llfrffl.exe110⤵PID:596
-
\??\c:\tnntnt.exec:\tnntnt.exe111⤵PID:2356
-
\??\c:\bnttbb.exec:\bnttbb.exe112⤵PID:2404
-
\??\c:\vpdvv.exec:\vpdvv.exe113⤵PID:2848
-
\??\c:\vvjpv.exec:\vvjpv.exe114⤵PID:2736
-
\??\c:\llfrxxf.exec:\llfrxxf.exe115⤵PID:2128
-
\??\c:\fxlllxf.exec:\fxlllxf.exe116⤵PID:2708
-
\??\c:\bhhhbb.exec:\bhhhbb.exe117⤵PID:2324
-
\??\c:\hbhbnn.exec:\hbhbnn.exe118⤵PID:2716
-
\??\c:\thhbnt.exec:\thhbnt.exe119⤵PID:1996
-
\??\c:\7vjpv.exec:\7vjpv.exe120⤵PID:2584
-
\??\c:\pvjjj.exec:\pvjjj.exe121⤵PID:2116
-
\??\c:\lfxxxxl.exec:\lfxxxxl.exe122⤵PID:1740
-