Analysis
-
max time kernel
120s -
max time network
111s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
17/10/2024, 15:06
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
5140774ff6af843e00954ed8c2d6e8523f62149d6f8d169f56bd599d0556eb26N.exe
Resource
win7-20241010-en
6 signatures
120 seconds
General
-
Target
5140774ff6af843e00954ed8c2d6e8523f62149d6f8d169f56bd599d0556eb26N.exe
-
Size
66KB
-
MD5
cd9ec96e409ba3bdf77823f1c1f0ffe0
-
SHA1
3c7c7da4c8b7d7aad15a2217df465b4c1cc37947
-
SHA256
5140774ff6af843e00954ed8c2d6e8523f62149d6f8d169f56bd599d0556eb26
-
SHA512
57ccf0d3885ffc34bb7cff6f2e8f044b0f4c5c5a14ac769c362291b6d8fd5146a2b731ceef88b39aae4381ac55eab49be03a7f5e3a837e5a4a7d42dd1b71d46a
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxND0yU+kbxeQ:ymb3NkkiQ3mdBjF0y7kbUQ
Malware Config
Signatures
-
Detect Blackmoon payload 23 IoCs
resource yara_rule behavioral2/memory/4872-4-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4872-9-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2788-12-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4852-19-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2492-26-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4296-35-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3076-42-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2852-49-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1156-56-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/524-68-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3060-82-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2960-88-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3560-94-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1916-100-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2532-107-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/4004-112-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/1220-118-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3768-129-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3200-155-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3004-172-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/3920-183-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon 
behavioral2/memory/2444-196-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral2/memory/2688-204-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2788 o808620.exe 4852 pdjvp.exe 2492 6288226.exe 4296 5btnhb.exe 3076 0202086.exe 2852 0448264.exe 1156 42264.exe 1592 9lflflf.exe 524 ntnhtb.exe 3060 9hnhbt.exe 2960 26600.exe 3560 jjvjv.exe 1916 82062.exe 2532 424204.exe 4004 e40426.exe 1220 4022060.exe 4412 tntttt.exe 3768 624488.exe 4800 m4482.exe 4672 m6820.exe 1828 066600.exe 3200 46448.exe 2180 a4482.exe 3048 llrllll.exe 3004 6040668.exe 440 242222.exe 3920 9btnhh.exe 3940 3lrlxxx.exe 2444 jdddd.exe 2688 pdddp.exe 2552 lxxlflf.exe 5092 jpddv.exe 1816 nhbbhh.exe 5112 088826.exe 4544 68044.exe 1400 u404226.exe 620 bbnnbb.exe 1176 c844848.exe 3700 vjpjd.exe 4796 2040460.exe 436 djpdd.exe 4464 8222660.exe 4148 8204440.exe 2720 u200444.exe 3100 002666.exe 2920 flrxxfr.exe 536 6048602.exe 2124 2288200.exe 3232 468222.exe 4948 djjdp.exe 464 pjjjp.exe 512 86048.exe 4832 6044460.exe 3900 pjjpd.exe 4104 tntnnn.exe 3740 htnnhh.exe 4088 60044.exe 2880 60468.exe 1916 4402666.exe 2532 46848.exe 3208 60282.exe 3960 nnnbth.exe 5104 nnhbhh.exe 4384 6824840.exe -
resource yara_rule behavioral2/memory/4872-4-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4872-9-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2788-12-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4852-19-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2492-26-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4296-33-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4296-35-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4296-32-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3076-42-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2852-49-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1156-56-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/524-68-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3060-77-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3060-76-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3060-75-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3060-82-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2960-88-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3560-94-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1916-100-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2532-107-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/4004-112-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/1220-118-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3768-129-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3200-155-0x0000000000400000-0x0000000000429000-memory.dmp upx 
behavioral2/memory/3004-172-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/3920-183-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2444-196-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral2/memory/2688-204-0x0000000000400000-0x0000000000429000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fllfffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 266606.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhnthn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 48066.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 040444.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8026484.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlfxrlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnnhbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
6064222.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9vvvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvdvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttbhth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7nhhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrxrflx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxrlflf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0860646.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language i404488.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6080460.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxflffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 064488.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4872 wrote to memory of 2788 4872 5140774ff6af843e00954ed8c2d6e8523f62149d6f8d169f56bd599d0556eb26N.exe 84 PID 4872 wrote to memory of 2788 4872 5140774ff6af843e00954ed8c2d6e8523f62149d6f8d169f56bd599d0556eb26N.exe 84 PID 4872 wrote to memory of 2788 4872 5140774ff6af843e00954ed8c2d6e8523f62149d6f8d169f56bd599d0556eb26N.exe 84 PID 2788 wrote to memory of 4852 2788 o808620.exe 85 PID 2788 wrote to memory of 4852 2788 o808620.exe 85 PID 2788 wrote to memory of 4852 2788 o808620.exe 85 PID 4852 wrote to memory of 2492 4852 pdjvp.exe 86 PID 4852 wrote to memory of 2492 4852 pdjvp.exe 86 PID 4852 wrote to memory of 2492 4852 pdjvp.exe 86 PID 2492 wrote to memory of 4296 2492 6288226.exe 87 PID 2492 wrote to memory of 4296 2492 6288226.exe 87 PID 2492 wrote to memory of 4296 2492 6288226.exe 87 PID 4296 wrote to memory of 3076 4296 5btnhb.exe 88 PID 4296 wrote to memory of 3076 4296 5btnhb.exe 88 PID 4296 wrote to memory of 3076 4296 5btnhb.exe 88 PID 3076 wrote to memory of 2852 3076 0202086.exe 89 PID 3076 wrote to memory of 2852 3076 0202086.exe 89 PID 3076 wrote to memory of 2852 3076 0202086.exe 89 PID 2852 wrote to memory of 1156 2852 0448264.exe 90 PID 2852 wrote to memory of 1156 2852 0448264.exe 90 PID 2852 wrote to memory of 1156 2852 0448264.exe 90 PID 1156 wrote to memory of 1592 1156 42264.exe 91 PID 1156 wrote to memory of 1592 1156 42264.exe 91 PID 1156 wrote to memory of 1592 1156 42264.exe 91 PID 1592 wrote to memory of 524 1592 9lflflf.exe 92 PID 1592 wrote to memory of 524 1592 9lflflf.exe 92 PID 1592 wrote to memory of 524 1592 9lflflf.exe 92 PID 524 wrote to memory of 3060 524 ntnhtb.exe 93 PID 524 wrote to memory of 3060 524 ntnhtb.exe 93 PID 524 wrote to memory of 3060 524 ntnhtb.exe 93 PID 3060 wrote to memory of 2960 3060 9hnhbt.exe 94 PID 3060 wrote to memory of 2960 3060 9hnhbt.exe 94 PID 3060 wrote to memory of 2960 3060 9hnhbt.exe 94 PID 2960 wrote to memory of 3560 2960 26600.exe 95 PID 2960 wrote to 
memory of 3560 2960 26600.exe 95 PID 2960 wrote to memory of 3560 2960 26600.exe 95 PID 3560 wrote to memory of 1916 3560 jjvjv.exe 96 PID 3560 wrote to memory of 1916 3560 jjvjv.exe 96 PID 3560 wrote to memory of 1916 3560 jjvjv.exe 96 PID 1916 wrote to memory of 2532 1916 82062.exe 97 PID 1916 wrote to memory of 2532 1916 82062.exe 97 PID 1916 wrote to memory of 2532 1916 82062.exe 97 PID 2532 wrote to memory of 4004 2532 424204.exe 98 PID 2532 wrote to memory of 4004 2532 424204.exe 98 PID 2532 wrote to memory of 4004 2532 424204.exe 98 PID 4004 wrote to memory of 1220 4004 e40426.exe 99 PID 4004 wrote to memory of 1220 4004 e40426.exe 99 PID 4004 wrote to memory of 1220 4004 e40426.exe 99 PID 1220 wrote to memory of 4412 1220 4022060.exe 100 PID 1220 wrote to memory of 4412 1220 4022060.exe 100 PID 1220 wrote to memory of 4412 1220 4022060.exe 100 PID 4412 wrote to memory of 3768 4412 tntttt.exe 101 PID 4412 wrote to memory of 3768 4412 tntttt.exe 101 PID 4412 wrote to memory of 3768 4412 tntttt.exe 101 PID 3768 wrote to memory of 4800 3768 624488.exe 102 PID 3768 wrote to memory of 4800 3768 624488.exe 102 PID 3768 wrote to memory of 4800 3768 624488.exe 102 PID 4800 wrote to memory of 4672 4800 m4482.exe 103 PID 4800 wrote to memory of 4672 4800 m4482.exe 103 PID 4800 wrote to memory of 4672 4800 m4482.exe 103 PID 4672 wrote to memory of 1828 4672 m6820.exe 104 PID 4672 wrote to memory of 1828 4672 m6820.exe 104 PID 4672 wrote to memory of 1828 4672 m6820.exe 104 PID 1828 wrote to memory of 3200 1828 066600.exe 106
Processes
-
C:\Users\Admin\AppData\Local\Temp\5140774ff6af843e00954ed8c2d6e8523f62149d6f8d169f56bd599d0556eb26N.exe"C:\Users\Admin\AppData\Local\Temp\5140774ff6af843e00954ed8c2d6e8523f62149d6f8d169f56bd599d0556eb26N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4872 -
\??\c:\o808620.exec:\o808620.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2788 -
\??\c:\pdjvp.exec:\pdjvp.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4852 -
\??\c:\6288226.exec:\6288226.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2492 -
\??\c:\5btnhb.exec:\5btnhb.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4296 -
\??\c:\0202086.exec:\0202086.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3076 -
\??\c:\0448264.exec:\0448264.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2852 -
\??\c:\42264.exec:\42264.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1156 -
\??\c:\9lflflf.exec:\9lflflf.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1592 -
\??\c:\ntnhtb.exec:\ntnhtb.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:524 -
\??\c:\9hnhbt.exec:\9hnhbt.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3060 -
\??\c:\26600.exec:\26600.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2960 -
\??\c:\jjvjv.exec:\jjvjv.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3560 -
\??\c:\82062.exec:\82062.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1916 -
\??\c:\424204.exec:\424204.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2532 -
\??\c:\e40426.exec:\e40426.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4004 -
\??\c:\4022060.exec:\4022060.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1220 -
\??\c:\tntttt.exec:\tntttt.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4412 -
\??\c:\624488.exec:\624488.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3768 -
\??\c:\m4482.exec:\m4482.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4800 -
\??\c:\m6820.exec:\m6820.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4672 -
\??\c:\066600.exec:\066600.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1828 -
\??\c:\46448.exec:\46448.exe23⤵
- Executes dropped EXE
PID:3200 -
\??\c:\a4482.exec:\a4482.exe24⤵
- Executes dropped EXE
PID:2180 -
\??\c:\llrllll.exec:\llrllll.exe25⤵
- Executes dropped EXE
PID:3048 -
\??\c:\6040668.exec:\6040668.exe26⤵
- Executes dropped EXE
PID:3004 -
\??\c:\242222.exec:\242222.exe27⤵
- Executes dropped EXE
PID:440 -
\??\c:\9btnhh.exec:\9btnhh.exe28⤵
- Executes dropped EXE
PID:3920 -
\??\c:\3lrlxxx.exec:\3lrlxxx.exe29⤵
- Executes dropped EXE
PID:3940 -
\??\c:\jdddd.exec:\jdddd.exe30⤵
- Executes dropped EXE
PID:2444 -
\??\c:\pdddp.exec:\pdddp.exe31⤵
- Executes dropped EXE
PID:2688 -
\??\c:\lxxlflf.exec:\lxxlflf.exe32⤵
- Executes dropped EXE
PID:2552 -
\??\c:\jpddv.exec:\jpddv.exe33⤵
- Executes dropped EXE
PID:5092 -
\??\c:\nhbbhh.exec:\nhbbhh.exe34⤵
- Executes dropped EXE
PID:1816 -
\??\c:\088826.exec:\088826.exe35⤵
- Executes dropped EXE
PID:5112 -
\??\c:\68044.exec:\68044.exe36⤵
- Executes dropped EXE
PID:4544 -
\??\c:\u404226.exec:\u404226.exe37⤵
- Executes dropped EXE
PID:1400 -
\??\c:\bbnnbb.exec:\bbnnbb.exe38⤵
- Executes dropped EXE
PID:620 -
\??\c:\c844848.exec:\c844848.exe39⤵
- Executes dropped EXE
PID:1176 -
\??\c:\vjpjd.exec:\vjpjd.exe40⤵
- Executes dropped EXE
PID:3700 -
\??\c:\2040460.exec:\2040460.exe41⤵
- Executes dropped EXE
PID:4796 -
\??\c:\djpdd.exec:\djpdd.exe42⤵
- Executes dropped EXE
PID:436 -
\??\c:\8222660.exec:\8222660.exe43⤵
- Executes dropped EXE
PID:4464 -
\??\c:\8204440.exec:\8204440.exe44⤵
- Executes dropped EXE
PID:4148 -
\??\c:\u200444.exec:\u200444.exe45⤵
- Executes dropped EXE
PID:2720 -
\??\c:\002666.exec:\002666.exe46⤵
- Executes dropped EXE
PID:3100 -
\??\c:\flrxxfr.exec:\flrxxfr.exe47⤵
- Executes dropped EXE
PID:2920 -
\??\c:\6048602.exec:\6048602.exe48⤵
- Executes dropped EXE
PID:536 -
\??\c:\2288200.exec:\2288200.exe49⤵
- Executes dropped EXE
PID:2124 -
\??\c:\468222.exec:\468222.exe50⤵
- Executes dropped EXE
PID:3232 -
\??\c:\djjdp.exec:\djjdp.exe51⤵
- Executes dropped EXE
PID:4948 -
\??\c:\pjjjp.exec:\pjjjp.exe52⤵
- Executes dropped EXE
PID:464 -
\??\c:\86048.exec:\86048.exe53⤵
- Executes dropped EXE
PID:512 -
\??\c:\6044460.exec:\6044460.exe54⤵
- Executes dropped EXE
PID:4832 -
\??\c:\pjjpd.exec:\pjjpd.exe55⤵
- Executes dropped EXE
PID:3900 -
\??\c:\tntnnn.exec:\tntnnn.exe56⤵
- Executes dropped EXE
PID:4104 -
\??\c:\htnnhh.exec:\htnnhh.exe57⤵
- Executes dropped EXE
PID:3740 -
\??\c:\60044.exec:\60044.exe58⤵
- Executes dropped EXE
PID:4088 -
\??\c:\60468.exec:\60468.exe59⤵
- Executes dropped EXE
PID:2880 -
\??\c:\4402666.exec:\4402666.exe60⤵
- Executes dropped EXE
PID:1916 -
\??\c:\46848.exec:\46848.exe61⤵
- Executes dropped EXE
PID:2532 -
\??\c:\60282.exec:\60282.exe62⤵
- Executes dropped EXE
PID:3208 -
\??\c:\nnnbth.exec:\nnnbth.exe63⤵
- Executes dropped EXE
PID:3960 -
\??\c:\nnhbhh.exec:\nnhbhh.exe64⤵
- Executes dropped EXE
PID:5104 -
\??\c:\6824840.exec:\6824840.exe65⤵
- Executes dropped EXE
PID:4384 -
\??\c:\3vjjv.exec:\3vjjv.exe66⤵PID:3156
-
\??\c:\268002.exec:\268002.exe67⤵PID:372
-
\??\c:\xxrfxxr.exec:\xxrfxxr.exe68⤵PID:1148
-
\??\c:\62026.exec:\62026.exe69⤵PID:3132
-
\??\c:\bbhbtt.exec:\bbhbtt.exe70⤵PID:4248
-
\??\c:\htbttt.exec:\htbttt.exe71⤵PID:4052
-
\??\c:\xlfxlxx.exec:\xlfxlxx.exe72⤵PID:1320
-
\??\c:\xxffrxx.exec:\xxffrxx.exe73⤵PID:2916
-
\??\c:\hbttnn.exec:\hbttnn.exe74⤵PID:3124
-
\??\c:\jjjdv.exec:\jjjdv.exe75⤵PID:2936
-
\??\c:\4422880.exec:\4422880.exe76⤵PID:4112
-
\??\c:\5hbttb.exec:\5hbttb.exe77⤵PID:1660
-
\??\c:\1xrfxlr.exec:\1xrfxlr.exe78⤵PID:1196
-
\??\c:\4204684.exec:\4204684.exe79⤵PID:4492
-
\??\c:\c862822.exec:\c862822.exe80⤵PID:2348
-
\??\c:\jjppj.exec:\jjppj.exe81⤵PID:3420
-
\??\c:\2684622.exec:\2684622.exe82⤵PID:3896
-
\??\c:\4804448.exec:\4804448.exe83⤵PID:1200
-
\??\c:\26660.exec:\26660.exe84⤵PID:2644
-
\??\c:\rrrrrrr.exec:\rrrrrrr.exe85⤵PID:4532
-
\??\c:\lxffxff.exec:\lxffxff.exe86⤵PID:4544
-
\??\c:\80288.exec:\80288.exe87⤵PID:2664
-
\??\c:\1vvvp.exec:\1vvvp.exe88⤵PID:1684
-
\??\c:\xxrfrrr.exec:\xxrfrrr.exe89⤵PID:4500
-
\??\c:\a6826.exec:\a6826.exe90⤵PID:2548
-
\??\c:\7pvpj.exec:\7pvpj.exe91⤵PID:4196
-
\??\c:\tbnnhn.exec:\tbnnhn.exe92⤵PID:4444
-
\??\c:\4404862.exec:\4404862.exe93⤵PID:4464
-
\??\c:\26448.exec:\26448.exe94⤵PID:4148
-
\??\c:\fffxffx.exec:\fffxffx.exe95⤵PID:4872
-
\??\c:\jpvdd.exec:\jpvdd.exe96⤵PID:1072
-
\??\c:\jjpjv.exec:\jjpjv.exe97⤵PID:3516
-
\??\c:\2028666.exec:\2028666.exe98⤵PID:4264
-
\??\c:\bnntbn.exec:\bnntbn.exe99⤵PID:3708
-
\??\c:\bbntht.exec:\bbntht.exe100⤵PID:2776
-
\??\c:\4622222.exec:\4622222.exe101⤵PID:4180
-
\??\c:\dvpdd.exec:\dvpdd.exe102⤵PID:5044
-
\??\c:\28482.exec:\28482.exe103⤵PID:4668
-
\??\c:\2688222.exec:\2688222.exe104⤵PID:1932
-
\??\c:\ttbbnh.exec:\ttbbnh.exe105⤵PID:3560
-
\??\c:\6244882.exec:\6244882.exe106⤵PID:4268
-
\??\c:\806262.exec:\806262.exe107⤵PID:3944
-
\??\c:\422260.exec:\422260.exe108⤵PID:700
-
\??\c:\a6260.exec:\a6260.exe109⤵PID:1412
-
\??\c:\fllfffx.exec:\fllfffx.exe110⤵
- System Location Discovery: System Language Discovery
PID:4808 -
\??\c:\406044.exec:\406044.exe111⤵PID:3844
-
\??\c:\8288446.exec:\8288446.exe112⤵PID:2044
-
\??\c:\xfrxxxf.exec:\xfrxxxf.exe113⤵PID:4612
-
\??\c:\u244006.exec:\u244006.exe114⤵PID:2384
-
\??\c:\822600.exec:\822600.exe115⤵PID:1852
-
\??\c:\xlrrllr.exec:\xlrrllr.exe116⤵PID:796
-
\??\c:\086600.exec:\086600.exe117⤵PID:2876
-
\??\c:\lflflll.exec:\lflflll.exe118⤵PID:3484
-
\??\c:\48880.exec:\48880.exe119⤵PID:1664
-
\??\c:\40220.exec:\40220.exe120⤵PID:3580
-
\??\c:\28004.exec:\28004.exe121⤵PID:4480
-
\??\c:\680666.exec:\680666.exe122⤵PID:440
-