Analysis
-
max time kernel
120s -
max time network
110s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
17/10/2024, 14:46
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
08e3c566fb4c8df5e470eba9f5e97c92429e46251b632e7db544afa0f29c963cN.exe
Resource
win7-20240708-en
6 signatures
120 seconds
General
-
Target
08e3c566fb4c8df5e470eba9f5e97c92429e46251b632e7db544afa0f29c963cN.exe
-
Size
65KB
-
MD5
f859945ee111dbf2258f6722fc6555c0
-
SHA1
06e5c4319a815b98dae52f216b58d3923de9df63
-
SHA256
08e3c566fb4c8df5e470eba9f5e97c92429e46251b632e7db544afa0f29c963c
-
SHA512
ea0d755e1b4c350f2b6e9869d1a16f1c4f52a2ea12bfe5792526051995b2266040977f8d3b257b6b15ca64956907a0220189bf51f911c22c1a890c7b89b22ab5
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDI9L27Q:ymb3NkkiQ3mdBjFI99
Malware Config
Signatures
-
Detect Blackmoon payload 23 IoCs
resource yara_rule behavioral2/memory/3500-4-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3500-8-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/744-12-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4004-18-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1976-26-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/736-33-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4528-40-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4524-45-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4244-63-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2960-70-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/220-76-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4372-86-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4224-92-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3844-105-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3820-116-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3904-128-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1120-139-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1492-145-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4756-153-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4000-157-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1464-163-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon 
behavioral2/memory/4416-176-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4920-181-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 744 dvdvv.exe 4004 7pvpj.exe 1976 frxlrlr.exe 736 hnnnbb.exe 4528 hbtttn.exe 4524 pvdvj.exe 2788 dvpjj.exe 4244 rxxrrll.exe 2960 3hnhbh.exe 220 pvppj.exe 4372 xrlffff.exe 4224 rxxllll.exe 3076 tbnttt.exe 3844 dpjdp.exe 1716 dppjd.exe 3820 fxxrfxr.exe 972 xrxxrrl.exe 3904 tbnhbt.exe 1836 vppjj.exe 1120 1ppjd.exe 1492 xfrlfxl.exe 4756 hbnhhb.exe 4000 3vvpj.exe 1464 vjppd.exe 4428 xrfxxfl.exe 4416 tnhhbt.exe 4920 hhhbtt.exe 3648 djjdv.exe 3124 xlrlxxr.exe 1560 5hnhhh.exe 4548 vpjvd.exe 3592 rllfffx.exe 3256 5fxrllf.exe 1856 bttbtb.exe 2416 1hnnbb.exe 3996 jddpd.exe 2432 3dvpd.exe 3624 rlfxlll.exe 2932 xxxrlrl.exe 552 tntnhh.exe 2988 5tttth.exe 4168 jpjvj.exe 1800 1dvjd.exe 4244 5llxlrf.exe 848 hhbbbt.exe 412 nhnhbn.exe 2644 pjjvv.exe 4372 ppjvj.exe 4224 9xrrlll.exe 1960 5ffxfxr.exe 1700 ntthtn.exe 2500 nbthnh.exe 852 3vvpv.exe 2676 3djvv.exe 3384 rfrfrfr.exe 928 hbhbbt.exe 2320 nnhbnb.exe 2908 tbbnbt.exe 4688 ppjvp.exe 2684 lxxlxxx.exe 4780 htbnbt.exe 5116 nhhbnh.exe 904 7dvjv.exe 4900 1jjvd.exe -
resource yara_rule behavioral2/memory/3500-4-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3500-8-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/744-12-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4004-18-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1976-26-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/736-33-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4528-40-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4524-45-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2788-54-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2788-55-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4244-63-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2960-70-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/220-76-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4372-86-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4224-92-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3844-105-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3820-116-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3904-128-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1120-139-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1492-145-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4756-153-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4000-157-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1464-163-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4416-176-0x0000000000400000-0x0000000000429000-memory.dmp upx 
behavioral2/memory/4920-181-0x0000000000400000-0x0000000000429000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host. The evidence recorded below is each listed process opening the NLS\Language registry key.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3djvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbhbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvvjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlxrxxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5nnnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hthbnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5tthhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbnhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bntttt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjppd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhbthb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxxxrll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpjjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffrxffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7bhhhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pddvv.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3500 wrote to memory of 744 3500 08e3c566fb4c8df5e470eba9f5e97c92429e46251b632e7db544afa0f29c963cN.exe 84 PID 3500 wrote to memory of 744 3500 08e3c566fb4c8df5e470eba9f5e97c92429e46251b632e7db544afa0f29c963cN.exe 84 PID 3500 wrote to memory of 744 3500 08e3c566fb4c8df5e470eba9f5e97c92429e46251b632e7db544afa0f29c963cN.exe 84 PID 744 wrote to memory of 4004 744 dvdvv.exe 85 PID 744 wrote to memory of 4004 744 dvdvv.exe 85 PID 744 wrote to memory of 4004 744 dvdvv.exe 85 PID 4004 wrote to memory of 1976 4004 7pvpj.exe 86 PID 4004 wrote to memory of 1976 4004 7pvpj.exe 86 PID 4004 wrote to memory of 1976 4004 7pvpj.exe 86 PID 1976 wrote to memory of 736 1976 frxlrlr.exe 87 PID 1976 wrote to memory of 736 1976 frxlrlr.exe 87 PID 1976 wrote to memory of 736 1976 frxlrlr.exe 87 PID 736 wrote to memory of 4528 736 hnnnbb.exe 88 PID 736 wrote to memory of 4528 736 hnnnbb.exe 88 PID 736 wrote to memory of 4528 736 hnnnbb.exe 88 PID 4528 wrote to memory of 4524 4528 hbtttn.exe 89 PID 4528 wrote to memory of 4524 4528 hbtttn.exe 89 PID 4528 wrote to memory of 4524 4528 hbtttn.exe 89 PID 4524 wrote to memory of 2788 4524 pvdvj.exe 90 PID 4524 wrote to memory of 2788 4524 pvdvj.exe 90 PID 4524 wrote to memory of 2788 4524 pvdvj.exe 90 PID 2788 wrote to memory of 4244 2788 dvpjj.exe 91 PID 2788 wrote to memory of 4244 2788 dvpjj.exe 91 PID 2788 wrote to memory of 4244 2788 dvpjj.exe 91 PID 4244 wrote to memory of 2960 4244 rxxrrll.exe 92 PID 4244 wrote to memory of 2960 4244 rxxrrll.exe 92 PID 4244 wrote to memory of 2960 4244 rxxrrll.exe 92 PID 2960 wrote to memory of 220 2960 3hnhbh.exe 93 PID 2960 wrote to memory of 220 2960 3hnhbh.exe 93 PID 2960 wrote to memory of 220 2960 3hnhbh.exe 93 PID 220 wrote to memory of 4372 220 pvppj.exe 94 PID 220 wrote to memory of 4372 220 pvppj.exe 94 PID 220 wrote to memory of 4372 220 pvppj.exe 94 PID 4372 wrote to memory of 4224 4372 xrlffff.exe 95 PID 4372 wrote to memory of 4224 4372 xrlffff.exe 
95 PID 4372 wrote to memory of 4224 4372 xrlffff.exe 95 PID 4224 wrote to memory of 3076 4224 rxxllll.exe 96 PID 4224 wrote to memory of 3076 4224 rxxllll.exe 96 PID 4224 wrote to memory of 3076 4224 rxxllll.exe 96 PID 3076 wrote to memory of 3844 3076 tbnttt.exe 97 PID 3076 wrote to memory of 3844 3076 tbnttt.exe 97 PID 3076 wrote to memory of 3844 3076 tbnttt.exe 97 PID 3844 wrote to memory of 1716 3844 dpjdp.exe 98 PID 3844 wrote to memory of 1716 3844 dpjdp.exe 98 PID 3844 wrote to memory of 1716 3844 dpjdp.exe 98 PID 1716 wrote to memory of 3820 1716 dppjd.exe 99 PID 1716 wrote to memory of 3820 1716 dppjd.exe 99 PID 1716 wrote to memory of 3820 1716 dppjd.exe 99 PID 3820 wrote to memory of 972 3820 fxxrfxr.exe 100 PID 3820 wrote to memory of 972 3820 fxxrfxr.exe 100 PID 3820 wrote to memory of 972 3820 fxxrfxr.exe 100 PID 972 wrote to memory of 3904 972 xrxxrrl.exe 101 PID 972 wrote to memory of 3904 972 xrxxrrl.exe 101 PID 972 wrote to memory of 3904 972 xrxxrrl.exe 101 PID 3904 wrote to memory of 1836 3904 tbnhbt.exe 102 PID 3904 wrote to memory of 1836 3904 tbnhbt.exe 102 PID 3904 wrote to memory of 1836 3904 tbnhbt.exe 102 PID 1836 wrote to memory of 1120 1836 vppjj.exe 103 PID 1836 wrote to memory of 1120 1836 vppjj.exe 103 PID 1836 wrote to memory of 1120 1836 vppjj.exe 103 PID 1120 wrote to memory of 1492 1120 1ppjd.exe 104 PID 1120 wrote to memory of 1492 1120 1ppjd.exe 104 PID 1120 wrote to memory of 1492 1120 1ppjd.exe 104 PID 1492 wrote to memory of 4756 1492 xfrlfxl.exe 106
Processes
-
C:\Users\Admin\AppData\Local\Temp\08e3c566fb4c8df5e470eba9f5e97c92429e46251b632e7db544afa0f29c963cN.exe"C:\Users\Admin\AppData\Local\Temp\08e3c566fb4c8df5e470eba9f5e97c92429e46251b632e7db544afa0f29c963cN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3500 -
\??\c:\dvdvv.exec:\dvdvv.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:744 -
\??\c:\7pvpj.exec:\7pvpj.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4004 -
\??\c:\frxlrlr.exec:\frxlrlr.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1976 -
\??\c:\hnnnbb.exec:\hnnnbb.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:736 -
\??\c:\hbtttn.exec:\hbtttn.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4528 -
\??\c:\pvdvj.exec:\pvdvj.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4524 -
\??\c:\dvpjj.exec:\dvpjj.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2788 -
\??\c:\rxxrrll.exec:\rxxrrll.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4244 -
\??\c:\3hnhbh.exec:\3hnhbh.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2960 -
\??\c:\pvppj.exec:\pvppj.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:220 -
\??\c:\xrlffff.exec:\xrlffff.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4372 -
\??\c:\rxxllll.exec:\rxxllll.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4224 -
\??\c:\tbnttt.exec:\tbnttt.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3076 -
\??\c:\dpjdp.exec:\dpjdp.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3844 -
\??\c:\dppjd.exec:\dppjd.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1716 -
\??\c:\fxxrfxr.exec:\fxxrfxr.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3820 -
\??\c:\xrxxrrl.exec:\xrxxrrl.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:972 -
\??\c:\tbnhbt.exec:\tbnhbt.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3904 -
\??\c:\vppjj.exec:\vppjj.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1836 -
\??\c:\1ppjd.exec:\1ppjd.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1120 -
\??\c:\xfrlfxl.exec:\xfrlfxl.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1492 -
\??\c:\hbnhhb.exec:\hbnhhb.exe23⤵
- Executes dropped EXE
PID:4756 -
\??\c:\3vvpj.exec:\3vvpj.exe24⤵
- Executes dropped EXE
PID:4000 -
\??\c:\vjppd.exec:\vjppd.exe25⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1464 -
\??\c:\xrfxxfl.exec:\xrfxxfl.exe26⤵
- Executes dropped EXE
PID:4428 -
\??\c:\tnhhbt.exec:\tnhhbt.exe27⤵
- Executes dropped EXE
PID:4416 -
\??\c:\hhhbtt.exec:\hhhbtt.exe28⤵
- Executes dropped EXE
PID:4920 -
\??\c:\djjdv.exec:\djjdv.exe29⤵
- Executes dropped EXE
PID:3648 -
\??\c:\xlrlxxr.exec:\xlrlxxr.exe30⤵
- Executes dropped EXE
PID:3124 -
\??\c:\5hnhhh.exec:\5hnhhh.exe31⤵
- Executes dropped EXE
PID:1560 -
\??\c:\vpjvd.exec:\vpjvd.exe32⤵
- Executes dropped EXE
PID:4548 -
\??\c:\rllfffx.exec:\rllfffx.exe33⤵
- Executes dropped EXE
PID:3592 -
\??\c:\5fxrllf.exec:\5fxrllf.exe34⤵
- Executes dropped EXE
PID:3256 -
\??\c:\bttbtb.exec:\bttbtb.exe35⤵
- Executes dropped EXE
PID:1856 -
\??\c:\1hnnbb.exec:\1hnnbb.exe36⤵
- Executes dropped EXE
PID:2416 -
\??\c:\jddpd.exec:\jddpd.exe37⤵
- Executes dropped EXE
PID:3996 -
\??\c:\3dvpd.exec:\3dvpd.exe38⤵
- Executes dropped EXE
PID:2432 -
\??\c:\rlfxlll.exec:\rlfxlll.exe39⤵
- Executes dropped EXE
PID:3624 -
\??\c:\xxxrlrl.exec:\xxxrlrl.exe40⤵
- Executes dropped EXE
PID:2932 -
\??\c:\tntnhh.exec:\tntnhh.exe41⤵
- Executes dropped EXE
PID:552 -
\??\c:\5tttth.exec:\5tttth.exe42⤵
- Executes dropped EXE
PID:2988 -
\??\c:\jpjvj.exec:\jpjvj.exe43⤵
- Executes dropped EXE
PID:4168 -
\??\c:\1dvjd.exec:\1dvjd.exe44⤵
- Executes dropped EXE
PID:1800 -
\??\c:\5llxlrf.exec:\5llxlrf.exe45⤵
- Executes dropped EXE
PID:4244 -
\??\c:\hhbbbt.exec:\hhbbbt.exe46⤵
- Executes dropped EXE
PID:848 -
\??\c:\nhnhbn.exec:\nhnhbn.exe47⤵
- Executes dropped EXE
PID:412 -
\??\c:\pjjvv.exec:\pjjvv.exe48⤵
- Executes dropped EXE
PID:2644 -
\??\c:\ppjvj.exec:\ppjvj.exe49⤵
- Executes dropped EXE
PID:4372 -
\??\c:\9xrrlll.exec:\9xrrlll.exe50⤵
- Executes dropped EXE
PID:4224 -
\??\c:\5ffxfxr.exec:\5ffxfxr.exe51⤵
- Executes dropped EXE
PID:1960 -
\??\c:\ntthtn.exec:\ntthtn.exe52⤵
- Executes dropped EXE
PID:1700 -
\??\c:\nbthnh.exec:\nbthnh.exe53⤵
- Executes dropped EXE
PID:2500 -
\??\c:\3vvpv.exec:\3vvpv.exe54⤵
- Executes dropped EXE
PID:852 -
\??\c:\3djvv.exec:\3djvv.exe55⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2676 -
\??\c:\rfrfrfr.exec:\rfrfrfr.exe56⤵
- Executes dropped EXE
PID:3384 -
\??\c:\hbhbbt.exec:\hbhbbt.exe57⤵
- Executes dropped EXE
PID:928 -
\??\c:\nnhbnb.exec:\nnhbnb.exe58⤵
- Executes dropped EXE
PID:2320 -
\??\c:\tbbnbt.exec:\tbbnbt.exe59⤵
- Executes dropped EXE
PID:2908 -
\??\c:\ppjvp.exec:\ppjvp.exe60⤵
- Executes dropped EXE
PID:4688 -
\??\c:\lxxlxxx.exec:\lxxlxxx.exe61⤵
- Executes dropped EXE
PID:2684 -
\??\c:\htbnbt.exec:\htbnbt.exe62⤵
- Executes dropped EXE
PID:4780 -
\??\c:\nhhbnh.exec:\nhhbnh.exe63⤵
- Executes dropped EXE
PID:5116 -
\??\c:\7dvjv.exec:\7dvjv.exe64⤵
- Executes dropped EXE
PID:904 -
\??\c:\1jjvd.exec:\1jjvd.exe65⤵
- Executes dropped EXE
PID:4900 -
\??\c:\rffrffx.exec:\rffrffx.exe66⤵PID:1900
-
\??\c:\rffxrfx.exec:\rffxrfx.exe67⤵PID:4920
-
\??\c:\btttht.exec:\btttht.exe68⤵PID:3260
-
\??\c:\1vdvv.exec:\1vdvv.exe69⤵PID:3648
-
\??\c:\9ddjp.exec:\9ddjp.exe70⤵PID:3268
-
\??\c:\rffrlfx.exec:\rffrlfx.exe71⤵PID:1472
-
\??\c:\xflfffx.exec:\xflfffx.exe72⤵PID:4276
-
\??\c:\7rxrlfl.exec:\7rxrlfl.exe73⤵PID:4296
-
\??\c:\bthbnh.exec:\bthbnh.exe74⤵PID:1428
-
\??\c:\dddpj.exec:\dddpj.exe75⤵PID:1936
-
\??\c:\3djjv.exec:\3djjv.exe76⤵PID:2724
-
\??\c:\lxxfrrf.exec:\lxxfrrf.exe77⤵PID:3916
-
\??\c:\rrrfxrf.exec:\rrrfxrf.exe78⤵PID:2416
-
\??\c:\9ttnnh.exec:\9ttnnh.exe79⤵PID:3996
-
\??\c:\7nthnh.exec:\7nthnh.exe80⤵PID:3080
-
\??\c:\vdjvp.exec:\vdjvp.exe81⤵PID:3112
-
\??\c:\vvdjv.exec:\vvdjv.exe82⤵PID:2328
-
\??\c:\7ffrfrl.exec:\7ffrfrl.exe83⤵PID:1432
-
\??\c:\xrlxlfx.exec:\xrlxlfx.exe84⤵PID:4432
-
\??\c:\tbthtt.exec:\tbthtt.exe85⤵PID:2804
-
\??\c:\jjpjv.exec:\jjpjv.exe86⤵PID:3456
-
\??\c:\pvpjv.exec:\pvpjv.exe87⤵PID:3188
-
\??\c:\fxrlrlx.exec:\fxrlrlx.exe88⤵PID:2364
-
\??\c:\pvpdp.exec:\pvpdp.exe89⤵PID:2344
-
\??\c:\rrlxfxl.exec:\rrlxfxl.exe90⤵PID:2568
-
\??\c:\rxrfxlx.exec:\rxrfxlx.exe91⤵PID:4352
-
\??\c:\bnbtnh.exec:\bnbtnh.exe92⤵PID:2136
-
\??\c:\xffrxrl.exec:\xffrxrl.exe93⤵PID:1960
-
\??\c:\hbhnbt.exec:\hbhnbt.exe94⤵PID:1716
-
\??\c:\7tnnbb.exec:\7tnnbb.exe95⤵PID:2172
-
\??\c:\5tnthb.exec:\5tnthb.exe96⤵PID:2040
-
\??\c:\pjdpv.exec:\pjdpv.exe97⤵PID:972
-
\??\c:\xlfrxrr.exec:\xlfrxrr.exe98⤵PID:4848
-
\??\c:\hnhbnh.exec:\hnhbnh.exe99⤵PID:5100
-
\??\c:\nbnbnb.exec:\nbnbnb.exe100⤵PID:3716
-
\??\c:\jdpjp.exec:\jdpjp.exe101⤵PID:408
-
\??\c:\xlfxfxr.exec:\xlfxfxr.exe102⤵PID:4520
-
\??\c:\lxfrfrl.exec:\lxfrfrl.exe103⤵PID:2828
-
\??\c:\nnhbtn.exec:\nnhbtn.exe104⤵PID:5088
-
\??\c:\hnbntb.exec:\hnbntb.exe105⤵PID:3780
-
\??\c:\jjpdp.exec:\jjpdp.exe106⤵PID:904
-
\??\c:\3llxlxr.exec:\3llxlxr.exe107⤵PID:5084
-
\??\c:\7llflxl.exec:\7llflxl.exe108⤵PID:4880
-
\??\c:\bthbnn.exec:\bthbnn.exe109⤵PID:2072
-
\??\c:\ntnhnn.exec:\ntnhnn.exe110⤵PID:3900
-
\??\c:\jdjvj.exec:\jdjvj.exe111⤵PID:4392
-
\??\c:\jjdpd.exec:\jjdpd.exe112⤵PID:3772
-
\??\c:\rlxrxlx.exec:\rlxrxlx.exe113⤵PID:2572
-
\??\c:\hnhhbn.exec:\hnhhbn.exe114⤵PID:4484
-
\??\c:\nbhbnb.exec:\nbhbnb.exe115⤵PID:4548
-
\??\c:\dppdj.exec:\dppdj.exe116⤵PID:3908
-
\??\c:\7pjvd.exec:\7pjvd.exe117⤵PID:1936
-
\??\c:\7pdpv.exec:\7pdpv.exe118⤵PID:4004
-
\??\c:\xlxxxll.exec:\xlxxxll.exe119⤵PID:1996
-
\??\c:\bbbhhn.exec:\bbbhhn.exe120⤵PID:1232
-
\??\c:\tbbbhb.exec:\tbbbhb.exe121⤵PID:1004
-
\??\c:\dpjvj.exec:\dpjvj.exe122⤵PID:456
-