Analysis
-
max time kernel
120s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64 arch:x86 image:win7-20241010-en locale:en-us os:windows7-x64 system -
submitted
17/10/2024, 15:06
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
5140774ff6af843e00954ed8c2d6e8523f62149d6f8d169f56bd599d0556eb26N.exe
Resource
win7-20241010-en
6 signatures
120 seconds
General
-
Target
5140774ff6af843e00954ed8c2d6e8523f62149d6f8d169f56bd599d0556eb26N.exe
-
Size
66KB
-
MD5
cd9ec96e409ba3bdf77823f1c1f0ffe0
-
SHA1
3c7c7da4c8b7d7aad15a2217df465b4c1cc37947
-
SHA256
5140774ff6af843e00954ed8c2d6e8523f62149d6f8d169f56bd599d0556eb26
-
SHA512
57ccf0d3885ffc34bb7cff6f2e8f044b0f4c5c5a14ac769c362291b6d8fd5146a2b731ceef88b39aae4381ac55eab49be03a7f5e3a837e5a4a7d42dd1b71d46a
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxND0yU+kbxeQ:ymb3NkkiQ3mdBjF0y7kbUQ
Malware Config
Signatures
-
Detect Blackmoon payload 23 IoCs
resource yara_rule behavioral1/memory/2844-10-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/1628-16-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/1984-34-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/804-40-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2784-62-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/1920-52-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/804-47-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2316-72-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2656-83-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2656-81-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2564-110-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2540-119-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2556-101-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/1648-137-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2864-147-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2260-155-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2744-173-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2256-183-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/828-191-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2956-227-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2120-254-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon 
behavioral1/memory/876-281-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/1872-290-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1628 bbbthn.exe 1984 82624.exe 804 rrfxrfl.exe 1920 xrrffrf.exe 2784 224084.exe 2316 vpjdj.exe 2656 ffxffrx.exe 2556 c246268.exe 2564 3dvpv.exe 2540 66024.exe 3068 4806280.exe 1648 o206468.exe 2864 6028402.exe 2260 vjvjp.exe 1456 llllflx.exe 2744 0840808.exe 2256 8644664.exe 828 hnhhnn.exe 2944 464628.exe 1960 88266.exe 1948 600624.exe 2956 482800.exe 276 084682.exe 1076 422488.exe 2120 tnhbnn.exe 2292 g4662.exe 2400 vpjjp.exe 876 48628.exe 1872 2442882.exe 2360 888088.exe 352 0428444.exe 1524 60246.exe 2840 ththth.exe 2464 6466228.exe 2436 thtntn.exe 1224 8888620.exe 2804 4246262.exe 2788 5htbhh.exe 2676 5nbhhh.exe 1952 dpdvv.exe 2640 e02848.exe 2952 7pvvd.exe 1008 42846.exe 2596 26260.exe 2540 046468.exe 2532 ttbhbh.exe 1788 s2440.exe 1648 1btthh.exe 1912 nbnnbh.exe 2180 frflxff.exe 1472 08064.exe 2760 5bbbbh.exe 2744 rlrfxxl.exe 1188 4800668.exe 2900 hthhbt.exe 2880 48022.exe 768 084440.exe 332 00888.exe 1848 24662.exe 2884 q06026.exe 604 202286.exe 1928 g8006.exe 2612 m2880.exe 2120 e46628.exe -
resource yara_rule behavioral1/memory/2844-3-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2844-10-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1628-16-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1628-14-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1984-26-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1984-25-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1984-24-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1984-34-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/804-40-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/804-38-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2784-62-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1920-52-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/804-47-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/804-37-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2316-72-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2656-83-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2656-81-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2564-110-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2540-119-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2556-101-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2556-93-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2556-92-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2556-91-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1648-137-0x0000000000400000-0x0000000000429000-memory.dmp upx 
behavioral1/memory/2864-147-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2260-155-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2744-173-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2256-183-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/828-191-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2956-227-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2120-254-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/876-281-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1872-290-0x0000000000400000-0x0000000000429000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1rlffrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language m2002.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a8028.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1btthh.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjvjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7tnbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2662402.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 20000.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process 
not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6268028.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btnnnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 828066.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3pvdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2844 wrote to memory of 1628 2844 5140774ff6af843e00954ed8c2d6e8523f62149d6f8d169f56bd599d0556eb26N.exe 28 PID 2844 wrote to memory of 1628 2844 5140774ff6af843e00954ed8c2d6e8523f62149d6f8d169f56bd599d0556eb26N.exe 28 PID 2844 wrote to memory of 1628 2844 5140774ff6af843e00954ed8c2d6e8523f62149d6f8d169f56bd599d0556eb26N.exe 28 PID 2844 wrote to memory of 1628 2844 5140774ff6af843e00954ed8c2d6e8523f62149d6f8d169f56bd599d0556eb26N.exe 28 PID 1628 wrote to memory of 1984 1628 bbbthn.exe 29 PID 1628 wrote to memory of 1984 1628 bbbthn.exe 29 PID 1628 wrote to memory of 1984 1628 bbbthn.exe 29 PID 1628 wrote to memory of 1984 1628 bbbthn.exe 29 PID 1984 wrote to memory of 804 1984 82624.exe 30 PID 1984 wrote to memory of 804 1984 82624.exe 30 PID 1984 wrote to memory of 804 1984 82624.exe 30 PID 1984 wrote to memory of 804 1984 82624.exe 30 PID 804 wrote to memory of 1920 804 rrfxrfl.exe 31 PID 804 wrote to memory of 1920 804 rrfxrfl.exe 31 PID 804 wrote to memory of 1920 804 rrfxrfl.exe 31 PID 804 wrote to memory of 1920 804 rrfxrfl.exe 31 PID 1920 wrote to memory of 2784 1920 xrrffrf.exe 32 PID 1920 wrote to memory of 2784 1920 xrrffrf.exe 32 PID 1920 wrote to memory of 2784 1920 xrrffrf.exe 32 PID 1920 wrote to memory of 2784 1920 xrrffrf.exe 32 PID 2784 wrote to memory of 2316 2784 224084.exe 33 PID 2784 wrote to memory of 2316 2784 224084.exe 33 PID 2784 wrote to memory of 2316 2784 224084.exe 33 PID 2784 wrote to memory of 2316 2784 224084.exe 33 PID 2316 wrote to memory of 2656 2316 vpjdj.exe 34 PID 2316 wrote to memory of 2656 2316 vpjdj.exe 34 PID 2316 wrote to memory of 2656 2316 vpjdj.exe 34 PID 2316 wrote to memory of 2656 2316 vpjdj.exe 34 PID 2656 wrote to memory of 2556 2656 ffxffrx.exe 35 PID 2656 wrote to memory of 2556 2656 ffxffrx.exe 35 PID 2656 wrote to memory of 2556 2656 ffxffrx.exe 35 PID 2656 wrote to memory of 2556 2656 ffxffrx.exe 35 PID 2556 wrote to memory of 2564 2556 c246268.exe 36 PID 2556 wrote 
to memory of 2564 2556 c246268.exe 36 PID 2556 wrote to memory of 2564 2556 c246268.exe 36 PID 2556 wrote to memory of 2564 2556 c246268.exe 36 PID 2564 wrote to memory of 2540 2564 3dvpv.exe 37 PID 2564 wrote to memory of 2540 2564 3dvpv.exe 37 PID 2564 wrote to memory of 2540 2564 3dvpv.exe 37 PID 2564 wrote to memory of 2540 2564 3dvpv.exe 37 PID 2540 wrote to memory of 3068 2540 66024.exe 38 PID 2540 wrote to memory of 3068 2540 66024.exe 38 PID 2540 wrote to memory of 3068 2540 66024.exe 38 PID 2540 wrote to memory of 3068 2540 66024.exe 38 PID 3068 wrote to memory of 1648 3068 4806280.exe 39 PID 3068 wrote to memory of 1648 3068 4806280.exe 39 PID 3068 wrote to memory of 1648 3068 4806280.exe 39 PID 3068 wrote to memory of 1648 3068 4806280.exe 39 PID 1648 wrote to memory of 2864 1648 o206468.exe 40 PID 1648 wrote to memory of 2864 1648 o206468.exe 40 PID 1648 wrote to memory of 2864 1648 o206468.exe 40 PID 1648 wrote to memory of 2864 1648 o206468.exe 40 PID 2864 wrote to memory of 2260 2864 6028402.exe 41 PID 2864 wrote to memory of 2260 2864 6028402.exe 41 PID 2864 wrote to memory of 2260 2864 6028402.exe 41 PID 2864 wrote to memory of 2260 2864 6028402.exe 41 PID 2260 wrote to memory of 1456 2260 vjvjp.exe 42 PID 2260 wrote to memory of 1456 2260 vjvjp.exe 42 PID 2260 wrote to memory of 1456 2260 vjvjp.exe 42 PID 2260 wrote to memory of 1456 2260 vjvjp.exe 42 PID 1456 wrote to memory of 2744 1456 llllflx.exe 43 PID 1456 wrote to memory of 2744 1456 llllflx.exe 43 PID 1456 wrote to memory of 2744 1456 llllflx.exe 43 PID 1456 wrote to memory of 2744 1456 llllflx.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\5140774ff6af843e00954ed8c2d6e8523f62149d6f8d169f56bd599d0556eb26N.exe"C:\Users\Admin\AppData\Local\Temp\5140774ff6af843e00954ed8c2d6e8523f62149d6f8d169f56bd599d0556eb26N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2844 -
\??\c:\bbbthn.exec:\bbbthn.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1628 -
\??\c:\82624.exec:\82624.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1984 -
\??\c:\rrfxrfl.exec:\rrfxrfl.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:804 -
\??\c:\xrrffrf.exec:\xrrffrf.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1920 -
\??\c:\224084.exec:\224084.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2784 -
\??\c:\vpjdj.exec:\vpjdj.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2316 -
\??\c:\ffxffrx.exec:\ffxffrx.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2656 -
\??\c:\c246268.exec:\c246268.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2556 -
\??\c:\3dvpv.exec:\3dvpv.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2564 -
\??\c:\66024.exec:\66024.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2540 -
\??\c:\4806280.exec:\4806280.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3068 -
\??\c:\o206468.exec:\o206468.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1648 -
\??\c:\6028402.exec:\6028402.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2864 -
\??\c:\vjvjp.exec:\vjvjp.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2260 -
\??\c:\llllflx.exec:\llllflx.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1456 -
\??\c:\0840808.exec:\0840808.exe17⤵
- Executes dropped EXE
PID:2744 -
\??\c:\8644664.exec:\8644664.exe18⤵
- Executes dropped EXE
PID:2256 -
\??\c:\hnhhnn.exec:\hnhhnn.exe19⤵
- Executes dropped EXE
PID:828 -
\??\c:\464628.exec:\464628.exe20⤵
- Executes dropped EXE
PID:2944 -
\??\c:\88266.exec:\88266.exe21⤵
- Executes dropped EXE
PID:1960 -
\??\c:\600624.exec:\600624.exe22⤵
- Executes dropped EXE
PID:1948 -
\??\c:\482800.exec:\482800.exe23⤵
- Executes dropped EXE
PID:2956 -
\??\c:\084682.exec:\084682.exe24⤵
- Executes dropped EXE
PID:276 -
\??\c:\422488.exec:\422488.exe25⤵
- Executes dropped EXE
PID:1076 -
\??\c:\tnhbnn.exec:\tnhbnn.exe26⤵
- Executes dropped EXE
PID:2120 -
\??\c:\g4662.exec:\g4662.exe27⤵
- Executes dropped EXE
PID:2292 -
\??\c:\vpjjp.exec:\vpjjp.exe28⤵
- Executes dropped EXE
PID:2400 -
\??\c:\48628.exec:\48628.exe29⤵
- Executes dropped EXE
PID:876 -
\??\c:\2442882.exec:\2442882.exe30⤵
- Executes dropped EXE
PID:1872 -
\??\c:\888088.exec:\888088.exe31⤵
- Executes dropped EXE
PID:2360 -
\??\c:\0428444.exec:\0428444.exe32⤵
- Executes dropped EXE
PID:352 -
\??\c:\60246.exec:\60246.exe33⤵
- Executes dropped EXE
PID:1524 -
\??\c:\ththth.exec:\ththth.exe34⤵
- Executes dropped EXE
PID:2840 -
\??\c:\6466228.exec:\6466228.exe35⤵
- Executes dropped EXE
PID:2464 -
\??\c:\thtntn.exec:\thtntn.exe36⤵
- Executes dropped EXE
PID:2436 -
\??\c:\8888620.exec:\8888620.exe37⤵
- Executes dropped EXE
PID:1224 -
\??\c:\4246262.exec:\4246262.exe38⤵
- Executes dropped EXE
PID:2804 -
\??\c:\5htbhh.exec:\5htbhh.exe39⤵
- Executes dropped EXE
PID:2788 -
\??\c:\5nbhhh.exec:\5nbhhh.exe40⤵
- Executes dropped EXE
PID:2676 -
\??\c:\dpdvv.exec:\dpdvv.exe41⤵
- Executes dropped EXE
PID:1952 -
\??\c:\e02848.exec:\e02848.exe42⤵
- Executes dropped EXE
PID:2640 -
\??\c:\7pvvd.exec:\7pvvd.exe43⤵
- Executes dropped EXE
PID:2952 -
\??\c:\42846.exec:\42846.exe44⤵
- Executes dropped EXE
PID:1008 -
\??\c:\26260.exec:\26260.exe45⤵
- Executes dropped EXE
PID:2596 -
\??\c:\046468.exec:\046468.exe46⤵
- Executes dropped EXE
PID:2540 -
\??\c:\ttbhbh.exec:\ttbhbh.exe47⤵
- Executes dropped EXE
PID:2532 -
\??\c:\s2440.exec:\s2440.exe48⤵
- Executes dropped EXE
PID:1788 -
\??\c:\1btthh.exec:\1btthh.exe49⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1648 -
\??\c:\nbnnbh.exec:\nbnnbh.exe50⤵
- Executes dropped EXE
PID:1912 -
\??\c:\frflxff.exec:\frflxff.exe51⤵
- Executes dropped EXE
PID:2180 -
\??\c:\08064.exec:\08064.exe52⤵
- Executes dropped EXE
PID:1472 -
\??\c:\5bbbbh.exec:\5bbbbh.exe53⤵
- Executes dropped EXE
PID:2760 -
\??\c:\rlrfxxl.exec:\rlrfxxl.exe54⤵
- Executes dropped EXE
PID:2744 -
\??\c:\4800668.exec:\4800668.exe55⤵
- Executes dropped EXE
PID:1188 -
\??\c:\hthhbt.exec:\hthhbt.exe56⤵
- Executes dropped EXE
PID:2900 -
\??\c:\48022.exec:\48022.exe57⤵
- Executes dropped EXE
PID:2880 -
\??\c:\084440.exec:\084440.exe58⤵
- Executes dropped EXE
PID:768 -
\??\c:\00888.exec:\00888.exe59⤵
- Executes dropped EXE
PID:332 -
\??\c:\24662.exec:\24662.exe60⤵
- Executes dropped EXE
PID:1848 -
\??\c:\q06026.exec:\q06026.exe61⤵
- Executes dropped EXE
PID:2884 -
\??\c:\202286.exec:\202286.exe62⤵
- Executes dropped EXE
PID:604 -
\??\c:\g8006.exec:\g8006.exe63⤵
- Executes dropped EXE
PID:1928 -
\??\c:\m2880.exec:\m2880.exe64⤵
- Executes dropped EXE
PID:2612 -
\??\c:\e46628.exec:\e46628.exe65⤵
- Executes dropped EXE
PID:2120 -
\??\c:\5nbhhb.exec:\5nbhhb.exe66⤵PID:2052
-
\??\c:\2268264.exec:\2268264.exe67⤵PID:748
-
\??\c:\ffxfrxl.exec:\ffxfrxl.exe68⤵PID:1548
-
\??\c:\42402.exec:\42402.exe69⤵PID:2604
-
\??\c:\7ffrllx.exec:\7ffrllx.exe70⤵PID:2388
-
\??\c:\pjvdd.exec:\pjvdd.exe71⤵PID:2376
-
\??\c:\5rffllr.exec:\5rffllr.exe72⤵PID:2448
-
\??\c:\8206228.exec:\8206228.exe73⤵PID:352
-
\??\c:\886080.exec:\886080.exe74⤵PID:1924
-
\??\c:\xlrxfff.exec:\xlrxfff.exe75⤵PID:792
-
\??\c:\fxfxffr.exec:\fxfxffr.exe76⤵PID:2464
-
\??\c:\rlfrxxl.exec:\rlfrxxl.exe77⤵PID:2240
-
\??\c:\48042.exec:\48042.exe78⤵PID:1544
-
\??\c:\btbbhh.exec:\btbbhh.exe79⤵PID:2632
-
\??\c:\646682.exec:\646682.exe80⤵PID:2808
-
\??\c:\20228.exec:\20228.exe81⤵PID:2628
-
\??\c:\thhbhh.exec:\thhbhh.exe82⤵PID:2316
-
\??\c:\886266.exec:\886266.exe83⤵PID:2724
-
\??\c:\20260.exec:\20260.exe84⤵PID:2740
-
\??\c:\rlxfllx.exec:\rlxfllx.exe85⤵PID:2584
-
\??\c:\24462.exec:\24462.exe86⤵PID:2568
-
\??\c:\o248828.exec:\o248828.exe87⤵PID:988
-
\??\c:\m0220.exec:\m0220.exe88⤵PID:3068
-
\??\c:\9jvdj.exec:\9jvdj.exe89⤵PID:356
-
\??\c:\2426600.exec:\2426600.exe90⤵PID:2752
-
\??\c:\202840.exec:\202840.exe91⤵PID:2260
-
\??\c:\0840006.exec:\0840006.exe92⤵PID:2180
-
\??\c:\64688.exec:\64688.exe93⤵PID:536
-
\??\c:\42840.exec:\42840.exe94⤵PID:1672
-
\??\c:\028444.exec:\028444.exe95⤵PID:1184
-
\??\c:\nnnttb.exec:\nnnttb.exe96⤵PID:1168
-
\??\c:\lxrrrlx.exec:\lxrrrlx.exe97⤵PID:2876
-
\??\c:\222226.exec:\222226.exe98⤵PID:484
-
\??\c:\bbnnnn.exec:\bbnnnn.exe99⤵PID:2396
-
\??\c:\046800.exec:\046800.exe100⤵PID:1948
-
\??\c:\868844.exec:\868844.exe101⤵PID:2956
-
\??\c:\7xlxxfx.exec:\7xlxxfx.exe102⤵PID:1112
-
\??\c:\tnbhht.exec:\tnbhht.exe103⤵PID:2264
-
\??\c:\00284.exec:\00284.exe104⤵PID:324
-
\??\c:\7llflrf.exec:\7llflrf.exe105⤵PID:1244
-
\??\c:\88664.exec:\88664.exe106⤵PID:1904
-
\??\c:\3thtnt.exec:\3thtnt.exe107⤵PID:1032
-
\??\c:\btbbtb.exec:\btbbtb.exe108⤵PID:748
-
\??\c:\q02688.exec:\q02688.exe109⤵PID:1436
-
\??\c:\pjvjd.exec:\pjvjd.exe110⤵PID:1464
-
\??\c:\xlxxlll.exec:\xlxxlll.exe111⤵PID:2428
-
\??\c:\nhnthh.exec:\nhnthh.exe112⤵PID:1628
-
\??\c:\flxrrxl.exec:\flxrrxl.exe113⤵PID:3024
-
\??\c:\3jvvd.exec:\3jvvd.exe114⤵PID:2032
-
\??\c:\s4628.exec:\s4628.exe115⤵PID:1620
-
\??\c:\xrffrrl.exec:\xrffrrl.exe116⤵PID:1744
-
\??\c:\480028.exec:\480028.exe117⤵PID:2464
-
\??\c:\4224262.exec:\4224262.exe118⤵PID:2812
-
\??\c:\g0428.exec:\g0428.exe119⤵PID:2012
-
\??\c:\48202.exec:\48202.exe120⤵PID:1884
-
\??\c:\vpjpd.exec:\vpjpd.exe121⤵PID:2648
-
\??\c:\u262220.exec:\u262220.exe122⤵PID:2548
-