Analysis
-
max time kernel
150s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system -
submitted
17/10/2024, 18:21
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
082ab0bb8f7292b1e2b117d59875f952574c07f8853362625416c5220252b6db.exe
Resource
win7-20240903-en
6 signatures
150 seconds
General
-
Target
082ab0bb8f7292b1e2b117d59875f952574c07f8853362625416c5220252b6db.exe
-
Size
69KB
-
MD5
371a367028b140e10f0b6bde52fe4b21
-
SHA1
6137db7d50b45f5c6fb8a27e3bfb92dc9e202bdc
-
SHA256
082ab0bb8f7292b1e2b117d59875f952574c07f8853362625416c5220252b6db
-
SHA512
284fb1a1eb5c01e1bc49814f0fb035158ee61b5e355f683ea4df45fe9fb02cfead89aa91bdae9ac0e3e192528f484596f80ce452e6865fd284a44218904be022
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDIkpi+qjH4l:ymb3NkkiQ3mdBjFIj+qjH4l
Malware Config
Signatures
-
Detect Blackmoon payload — 21 IoCs. The YARA rule `family_blackmoon` matched on process memory dumps (image range 0x400000–0x429000 in each stage), not on the file at rest; the `upx` rule hits on the same regions further down suggest the binary is UPX-packed, so the family match relies on the unpacked in-memory image and a static scan of the 69KB file alone may not trigger it.
resource yara_rule behavioral1/memory/2668-4-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2980-14-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2712-29-0x0000000000401000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2712-28-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2836-34-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2844-45-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2572-56-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/3064-67-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2736-90-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/324-87-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2748-114-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2544-132-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2020-142-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2872-150-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/1676-168-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2376-178-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2212-186-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/1416-196-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/112-204-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2336-258-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2764-303-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon -
Executes dropped EXE — 64 IoCs (the list is capped at 64 entries; the process tree below shows the chain continuing well past that, to stage 122 and beyond).
pid Process 2980 lrrxrff.exe 2712 tnhnnt.exe 2836 5xfxfrl.exe 2844 7nbbhn.exe 2572 ttnhtt.exe 3064 jjjpp.exe 324 rlflrfr.exe 2736 tnhtnb.exe 2076 5vdjv.exe 2748 1nhntn.exe 1500 hbhnhh.exe 2544 vvpdv.exe 2020 1xfrffl.exe 2872 nbnnbb.exe 1580 pjjjp.exe 1676 xxlrxrf.exe 2376 3lllfrf.exe 2212 btttbh.exe 1416 tntbnh.exe 112 pvvdd.exe 2364 5fxllll.exe 972 tnnnbh.exe 2484 ttnhtb.exe 1732 ppvdv.exe 2308 9lflrxr.exe 2336 rrlxrrl.exe 3016 nhbntt.exe 1364 djdvd.exe 1512 5xlfrlr.exe 816 lllrfff.exe 2764 bbtnbt.exe 2260 5vjdj.exe 1592 pjdpd.exe 2688 rrxrrlx.exe 2724 bbnbnb.exe 2932 bbtbhn.exe 2604 jdpjv.exe 2612 xfxrlrr.exe 2068 xlrxlrf.exe 1484 bbttth.exe 1588 9hhbnb.exe 2940 5jdvp.exe 1800 jjpjv.exe 1640 3fflfxf.exe 2628 7rxlxlr.exe 1104 7nthhb.exe 1656 jdpdv.exe 264 xxxlxfx.exe 2028 xflfxlf.exe 2868 nnbhnt.exe 1584 htthbb.exe 2992 vpjjv.exe 2540 jdppp.exe 1072 xfxxlrf.exe 2208 xffrlrl.exe 1628 ttntbn.exe 1252 1tnntb.exe 1980 ppjvj.exe 1788 1vppp.exe 1316 flxllfx.exe 792 rrrfrrf.exe 2988 nntnnb.exe 1968 5btbnt.exe 1692 ddvdp.exe -
resource yara_rule behavioral1/memory/2668-4-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2980-14-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2712-28-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2836-34-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2844-45-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2844-44-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2844-42-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2572-56-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/324-78-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/324-77-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/3064-67-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/3064-66-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/3064-64-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2736-90-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/324-87-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2748-114-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2544-132-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2020-142-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2872-150-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1676-168-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2376-178-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2212-186-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1416-196-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/112-204-0x0000000000400000-0x0000000000429000-memory.dmp upx 
behavioral1/memory/2336-258-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2764-303-0x0000000000400000-0x0000000000429000-memory.dmp upx -
System Location Discovery: System Language Discovery (MITRE ATT&CK T1614.001) — 1 TTP, 64 IoCs (list capped).
Attempts to gather information about the system language of the victim host in order to infer its geographical location. Caveat: the only observed behaviour is opening HKLM\SYSTEM\ControlSet001\Control\NLS\Language, a key that common runtime and locale APIs also read, so on its own this is a weak indicator. Many entries below are attributed to "Process not Found", most likely because the short-lived stage had already exited when the event was recorded, so per-process attribution is only available for a subset.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddpvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjjvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlflrxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrlrxlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpvpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvpvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvpjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdpjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5lxflrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbtnbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxrllfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxxlrrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjvdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrlxflf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1tbhtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdppd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory — 64 IoCs (list capped). Every recorded write is from a stage into the child it has just spawned (e.g. 2668 → 2980 lrrxrff.exe, 2980 → 2712 tnhnnt.exe), i.e. writes into newly created own children along the replication chain rather than into unrelated running processes; each parent→child pair is logged four times.
description pid Process procid_target PID 2668 wrote to memory of 2980 2668 082ab0bb8f7292b1e2b117d59875f952574c07f8853362625416c5220252b6db.exe 31 PID 2668 wrote to memory of 2980 2668 082ab0bb8f7292b1e2b117d59875f952574c07f8853362625416c5220252b6db.exe 31 PID 2668 wrote to memory of 2980 2668 082ab0bb8f7292b1e2b117d59875f952574c07f8853362625416c5220252b6db.exe 31 PID 2668 wrote to memory of 2980 2668 082ab0bb8f7292b1e2b117d59875f952574c07f8853362625416c5220252b6db.exe 31 PID 2980 wrote to memory of 2712 2980 lrrxrff.exe 32 PID 2980 wrote to memory of 2712 2980 lrrxrff.exe 32 PID 2980 wrote to memory of 2712 2980 lrrxrff.exe 32 PID 2980 wrote to memory of 2712 2980 lrrxrff.exe 32 PID 2712 wrote to memory of 2836 2712 tnhnnt.exe 33 PID 2712 wrote to memory of 2836 2712 tnhnnt.exe 33 PID 2712 wrote to memory of 2836 2712 tnhnnt.exe 33 PID 2712 wrote to memory of 2836 2712 tnhnnt.exe 33 PID 2836 wrote to memory of 2844 2836 5xfxfrl.exe 34 PID 2836 wrote to memory of 2844 2836 5xfxfrl.exe 34 PID 2836 wrote to memory of 2844 2836 5xfxfrl.exe 34 PID 2836 wrote to memory of 2844 2836 5xfxfrl.exe 34 PID 2844 wrote to memory of 2572 2844 7nbbhn.exe 35 PID 2844 wrote to memory of 2572 2844 7nbbhn.exe 35 PID 2844 wrote to memory of 2572 2844 7nbbhn.exe 35 PID 2844 wrote to memory of 2572 2844 7nbbhn.exe 35 PID 2572 wrote to memory of 3064 2572 ttnhtt.exe 36 PID 2572 wrote to memory of 3064 2572 ttnhtt.exe 36 PID 2572 wrote to memory of 3064 2572 ttnhtt.exe 36 PID 2572 wrote to memory of 3064 2572 ttnhtt.exe 36 PID 3064 wrote to memory of 324 3064 jjjpp.exe 37 PID 3064 wrote to memory of 324 3064 jjjpp.exe 37 PID 3064 wrote to memory of 324 3064 jjjpp.exe 37 PID 3064 wrote to memory of 324 3064 jjjpp.exe 37 PID 324 wrote to memory of 2736 324 rlflrfr.exe 38 PID 324 wrote to memory of 2736 324 rlflrfr.exe 38 PID 324 wrote to memory of 2736 324 rlflrfr.exe 38 PID 324 wrote to memory of 2736 324 rlflrfr.exe 38 PID 2736 wrote to memory of 2076 2736 tnhtnb.exe 39 PID 2736 wrote to 
memory of 2076 2736 tnhtnb.exe 39 PID 2736 wrote to memory of 2076 2736 tnhtnb.exe 39 PID 2736 wrote to memory of 2076 2736 tnhtnb.exe 39 PID 2076 wrote to memory of 2748 2076 5vdjv.exe 40 PID 2076 wrote to memory of 2748 2076 5vdjv.exe 40 PID 2076 wrote to memory of 2748 2076 5vdjv.exe 40 PID 2076 wrote to memory of 2748 2076 5vdjv.exe 40 PID 2748 wrote to memory of 1500 2748 1nhntn.exe 41 PID 2748 wrote to memory of 1500 2748 1nhntn.exe 41 PID 2748 wrote to memory of 1500 2748 1nhntn.exe 41 PID 2748 wrote to memory of 1500 2748 1nhntn.exe 41 PID 1500 wrote to memory of 2544 1500 hbhnhh.exe 42 PID 1500 wrote to memory of 2544 1500 hbhnhh.exe 42 PID 1500 wrote to memory of 2544 1500 hbhnhh.exe 42 PID 1500 wrote to memory of 2544 1500 hbhnhh.exe 42 PID 2544 wrote to memory of 2020 2544 vvpdv.exe 43 PID 2544 wrote to memory of 2020 2544 vvpdv.exe 43 PID 2544 wrote to memory of 2020 2544 vvpdv.exe 43 PID 2544 wrote to memory of 2020 2544 vvpdv.exe 43 PID 2020 wrote to memory of 2872 2020 1xfrffl.exe 44 PID 2020 wrote to memory of 2872 2020 1xfrffl.exe 44 PID 2020 wrote to memory of 2872 2020 1xfrffl.exe 44 PID 2020 wrote to memory of 2872 2020 1xfrffl.exe 44 PID 2872 wrote to memory of 1580 2872 nbnnbb.exe 45 PID 2872 wrote to memory of 1580 2872 nbnnbb.exe 45 PID 2872 wrote to memory of 1580 2872 nbnnbb.exe 45 PID 2872 wrote to memory of 1580 2872 nbnnbb.exe 45 PID 1580 wrote to memory of 1676 1580 pjjjp.exe 46 PID 1580 wrote to memory of 1676 1580 pjjjp.exe 46 PID 1580 wrote to memory of 1676 1580 pjjjp.exe 46 PID 1580 wrote to memory of 1676 1580 pjjjp.exe 46
Processes — the tree below is a linear self-replication chain: each stage drops the next executable to the root of C:\ under a short lowercase name drawn from the letters b/d/f/h/j/l/n/p/r/t/v/x (sometimes digit-prefixed), spawns it and terminates. PID reuse within the tree (e.g. 2836 appears at stages 4, 76 and 117; 2712 at 3 and 115) shows earlier stages had already exited. The fixed name alphabet and the C:\-root drop location are practical hunting indicators for this sample.
-
C:\Users\Admin\AppData\Local\Temp\082ab0bb8f7292b1e2b117d59875f952574c07f8853362625416c5220252b6db.exe"C:\Users\Admin\AppData\Local\Temp\082ab0bb8f7292b1e2b117d59875f952574c07f8853362625416c5220252b6db.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2668 -
\??\c:\lrrxrff.exec:\lrrxrff.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2980 -
\??\c:\tnhnnt.exec:\tnhnnt.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2712 -
\??\c:\5xfxfrl.exec:\5xfxfrl.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2836 -
\??\c:\7nbbhn.exec:\7nbbhn.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2844 -
\??\c:\ttnhtt.exec:\ttnhtt.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2572 -
\??\c:\jjjpp.exec:\jjjpp.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3064 -
\??\c:\rlflrfr.exec:\rlflrfr.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:324 -
\??\c:\tnhtnb.exec:\tnhtnb.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2736 -
\??\c:\5vdjv.exec:\5vdjv.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2076 -
\??\c:\1nhntn.exec:\1nhntn.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2748 -
\??\c:\hbhnhh.exec:\hbhnhh.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1500 -
\??\c:\vvpdv.exec:\vvpdv.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2544 -
\??\c:\1xfrffl.exec:\1xfrffl.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2020 -
\??\c:\nbnnbb.exec:\nbnnbb.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2872 -
\??\c:\pjjjp.exec:\pjjjp.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1580 -
\??\c:\xxlrxrf.exec:\xxlrxrf.exe17⤵
- Executes dropped EXE
PID:1676 -
\??\c:\3lllfrf.exec:\3lllfrf.exe18⤵
- Executes dropped EXE
PID:2376 -
\??\c:\btttbh.exec:\btttbh.exe19⤵
- Executes dropped EXE
PID:2212 -
\??\c:\tntbnh.exec:\tntbnh.exe20⤵
- Executes dropped EXE
PID:1416 -
\??\c:\pvvdd.exec:\pvvdd.exe21⤵
- Executes dropped EXE
PID:112 -
\??\c:\5fxllll.exec:\5fxllll.exe22⤵
- Executes dropped EXE
PID:2364 -
\??\c:\tnnnbh.exec:\tnnnbh.exe23⤵
- Executes dropped EXE
PID:972 -
\??\c:\ttnhtb.exec:\ttnhtb.exe24⤵
- Executes dropped EXE
PID:2484 -
\??\c:\ppvdv.exec:\ppvdv.exe25⤵
- Executes dropped EXE
PID:1732 -
\??\c:\9lflrxr.exec:\9lflrxr.exe26⤵
- Executes dropped EXE
PID:2308 -
\??\c:\rrlxrrl.exec:\rrlxrrl.exe27⤵
- Executes dropped EXE
PID:2336 -
\??\c:\nhbntt.exec:\nhbntt.exe28⤵
- Executes dropped EXE
PID:3016 -
\??\c:\djdvd.exec:\djdvd.exe29⤵
- Executes dropped EXE
PID:1364 -
\??\c:\5xlfrlr.exec:\5xlfrlr.exe30⤵
- Executes dropped EXE
PID:1512 -
\??\c:\lllrfff.exec:\lllrfff.exe31⤵
- Executes dropped EXE
PID:816 -
\??\c:\bbtnbt.exec:\bbtnbt.exe32⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2764 -
\??\c:\5vjdj.exec:\5vjdj.exe33⤵
- Executes dropped EXE
PID:2260 -
\??\c:\pjdpd.exec:\pjdpd.exe34⤵
- Executes dropped EXE
PID:1592 -
\??\c:\rrxrrlx.exec:\rrxrrlx.exe35⤵
- Executes dropped EXE
PID:2688 -
\??\c:\bbnbnb.exec:\bbnbnb.exe36⤵
- Executes dropped EXE
PID:2724 -
\??\c:\bbtbhn.exec:\bbtbhn.exe37⤵
- Executes dropped EXE
PID:2932 -
\??\c:\jdpjv.exec:\jdpjv.exe38⤵
- Executes dropped EXE
PID:2604 -
\??\c:\xfxrlrr.exec:\xfxrlrr.exe39⤵
- Executes dropped EXE
PID:2612 -
\??\c:\xlrxlrf.exec:\xlrxlrf.exe40⤵
- Executes dropped EXE
PID:2068 -
\??\c:\bbttth.exec:\bbttth.exe41⤵
- Executes dropped EXE
PID:1484 -
\??\c:\9hhbnb.exec:\9hhbnb.exe42⤵
- Executes dropped EXE
PID:1588 -
\??\c:\5jdvp.exec:\5jdvp.exe43⤵
- Executes dropped EXE
PID:2940 -
\??\c:\jjpjv.exec:\jjpjv.exe44⤵
- Executes dropped EXE
PID:1800 -
\??\c:\3fflfxf.exec:\3fflfxf.exe45⤵
- Executes dropped EXE
PID:1640 -
\??\c:\7rxlxlr.exec:\7rxlxlr.exe46⤵
- Executes dropped EXE
PID:2628 -
\??\c:\7nthhb.exec:\7nthhb.exe47⤵
- Executes dropped EXE
PID:1104 -
\??\c:\jdpdv.exec:\jdpdv.exe48⤵
- Executes dropped EXE
PID:1656 -
\??\c:\xxxlxfx.exec:\xxxlxfx.exe49⤵
- Executes dropped EXE
PID:264 -
\??\c:\xflfxlf.exec:\xflfxlf.exe50⤵
- Executes dropped EXE
PID:2028 -
\??\c:\nnbhnt.exec:\nnbhnt.exe51⤵
- Executes dropped EXE
PID:2868 -
\??\c:\htthbb.exec:\htthbb.exe52⤵
- Executes dropped EXE
PID:1584 -
\??\c:\vpjjv.exec:\vpjjv.exe53⤵
- Executes dropped EXE
PID:2992 -
\??\c:\jdppp.exec:\jdppp.exe54⤵
- Executes dropped EXE
PID:2540 -
\??\c:\xfxxlrf.exec:\xfxxlrf.exe55⤵
- Executes dropped EXE
PID:1072 -
\??\c:\xffrlrl.exec:\xffrlrl.exe56⤵
- Executes dropped EXE
PID:2208 -
\??\c:\ttntbn.exec:\ttntbn.exe57⤵
- Executes dropped EXE
PID:1628 -
\??\c:\1tnntb.exec:\1tnntb.exe58⤵
- Executes dropped EXE
PID:1252 -
\??\c:\ppjvj.exec:\ppjvj.exe59⤵
- Executes dropped EXE
PID:1980 -
\??\c:\1vppp.exec:\1vppp.exe60⤵
- Executes dropped EXE
PID:1788 -
\??\c:\flxllfx.exec:\flxllfx.exe61⤵
- Executes dropped EXE
PID:1316 -
\??\c:\rrrfrrf.exec:\rrrfrrf.exe62⤵
- Executes dropped EXE
PID:792 -
\??\c:\nntnnb.exec:\nntnnb.exe63⤵
- Executes dropped EXE
PID:2988 -
\??\c:\5btbnt.exec:\5btbnt.exe64⤵
- Executes dropped EXE
PID:1968 -
\??\c:\ddvdp.exec:\ddvdp.exe65⤵
- Executes dropped EXE
PID:1692 -
\??\c:\jvjdp.exec:\jvjdp.exe66⤵PID:1796
-
\??\c:\fxllrrx.exec:\fxllrrx.exe67⤵PID:1768
-
\??\c:\ffflxfx.exec:\ffflxfx.exe68⤵PID:1204
-
\??\c:\9ntthh.exec:\9ntthh.exe69⤵PID:1000
-
\??\c:\ttbnhn.exec:\ttbnhn.exe70⤵PID:1520
-
\??\c:\dpjdd.exec:\dpjdd.exe71⤵PID:2768
-
\??\c:\vjpdj.exec:\vjpdj.exe72⤵PID:2984
-
\??\c:\lfxfffr.exec:\lfxfffr.exe73⤵PID:2788
-
\??\c:\bththh.exec:\bththh.exe74⤵PID:2652
-
\??\c:\bthhnt.exec:\bthhnt.exe75⤵PID:2864
-
\??\c:\3htnnn.exec:\3htnnn.exe76⤵PID:2836
-
\??\c:\dddjp.exec:\dddjp.exe77⤵PID:2580
-
\??\c:\ddvpd.exec:\ddvpd.exe78⤵PID:2632
-
\??\c:\1flrrxx.exec:\1flrrxx.exe79⤵PID:2560
-
\??\c:\fxrfxfr.exec:\fxrfxfr.exe80⤵PID:2556
-
\??\c:\thtthn.exec:\thtthn.exe81⤵PID:2936
-
\??\c:\5hhnbh.exec:\5hhnbh.exe82⤵PID:1716
-
\??\c:\ddpvj.exec:\ddpvj.exe83⤵PID:2736
-
\??\c:\1xxrlxf.exec:\1xxrlxf.exe84⤵PID:2236
-
\??\c:\rlrxlxf.exec:\rlrxlxf.exe85⤵PID:2912
-
\??\c:\nhtthh.exec:\nhtthh.exe86⤵PID:2412
-
\??\c:\nbnhnt.exec:\nbnhnt.exe87⤵PID:876
-
\??\c:\5vdjv.exec:\5vdjv.exe88⤵PID:2036
-
\??\c:\dpvpp.exec:\dpvpp.exe89⤵
- System Location Discovery: System Language Discovery
PID:588 -
\??\c:\rlfflxr.exec:\rlfflxr.exe90⤵PID:2816
-
\??\c:\fffrxfx.exec:\fffrxfx.exe91⤵PID:2176
-
\??\c:\btnthn.exec:\btnthn.exe92⤵PID:1760
-
\??\c:\ttbhnn.exec:\ttbhnn.exe93⤵PID:1584
-
\??\c:\pjdjv.exec:\pjdjv.exe94⤵PID:3000
-
\??\c:\flflxrf.exec:\flflxrf.exe95⤵PID:1296
-
\??\c:\fxxlrxx.exec:\fxxlrxx.exe96⤵PID:1856
-
\??\c:\nhbnht.exec:\nhbnht.exe97⤵PID:2140
-
\??\c:\ttbntb.exec:\ttbntb.exe98⤵PID:1916
-
\??\c:\vvjvv.exec:\vvjvv.exe99⤵PID:2496
-
\??\c:\ddvdp.exec:\ddvdp.exe100⤵PID:2532
-
\??\c:\ffrxllr.exec:\ffrxllr.exe101⤵PID:2364
-
\??\c:\btbntb.exec:\btbntb.exe102⤵PID:1516
-
\??\c:\nnthtb.exec:\nnthtb.exe103⤵PID:2180
-
\??\c:\vvpvp.exec:\vvpvp.exe104⤵PID:1560
-
\??\c:\1dvdj.exec:\1dvdj.exe105⤵PID:2320
-
\??\c:\llrxflf.exec:\llrxflf.exe106⤵PID:2148
-
\??\c:\xxlxflx.exec:\xxlxflx.exe107⤵PID:988
-
\??\c:\nnnbnt.exec:\nnnbnt.exe108⤵PID:1208
-
\??\c:\ttbbnt.exec:\ttbbnt.exe109⤵PID:1748
-
\??\c:\ppdvd.exec:\ppdvd.exe110⤵PID:2040
-
\??\c:\dvjjp.exec:\dvjjp.exe111⤵PID:2784
-
\??\c:\lxrrxxf.exec:\lxrrxxf.exe112⤵PID:2760
-
\??\c:\rxlllxr.exec:\rxlllxr.exe113⤵PID:2260
-
\??\c:\1hbnbn.exec:\1hbnbn.exe114⤵PID:2976
-
\??\c:\vvvjp.exec:\vvvjp.exe115⤵PID:2712
-
\??\c:\pdddj.exec:\pdddj.exe116⤵PID:2672
-
\??\c:\lfxxlrx.exec:\lfxxlrx.exe117⤵PID:2836
-
\??\c:\xxrxllr.exec:\xxrxllr.exe118⤵PID:1812
-
\??\c:\1tbhtt.exec:\1tbhtt.exe119⤵
- System Location Discovery: System Language Discovery
PID:2224 -
\??\c:\bnthtb.exec:\bnthtb.exe120⤵PID:864
-
\??\c:\vpjvj.exec:\vpjvj.exe121⤵PID:2660
-
\??\c:\ddjjd.exec:\ddjjd.exe122⤵PID:2924