Analysis
-
max time kernel
120s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
18/10/2024, 14:29
Static task
static1
Behavioral task
behavioral1
Sample
ed6103c4db892df3dfe7362c7cb939db4e498414b35b98057e45d71a855babbdN.exe
Resource
win7-20240903-en
General
-
Target
ed6103c4db892df3dfe7362c7cb939db4e498414b35b98057e45d71a855babbdN.exe
-
Size
72KB
-
MD5
48a14a56008816ab2cba9121afc68b50
-
SHA1
88f815e444766d3f93175995c86504fd05a67838
-
SHA256
ed6103c4db892df3dfe7362c7cb939db4e498414b35b98057e45d71a855babbd
-
SHA512
ffb91efd11ad5d472c2909b0b2e17bf5f8d584a31293e8c6aa81a9b91c34c578eac6f37a886ffa57d3f62d247fbc328608771d881da3cb557c7edf4e9908fcea
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDIFdJUDbAIdiW65x:ymb3NkkiQ3mdBjFIFdJ8bViW67
Malware Config
Signatures
-
Detect Blackmoon payload 23 IoCs
resource yara_rule behavioral1/memory/2536-4-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2552-14-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2528-24-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2060-34-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/1868-50-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/1868-49-0x0000000000401000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2900-55-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2888-65-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2816-87-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2648-102-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/484-112-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2036-121-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2604-129-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/1976-139-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2436-148-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2008-165-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2228-193-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2208-202-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2968-211-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/556-219-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2544-255-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon 
behavioral1/memory/1964-264-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/1868-2238-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2552 rlflrxr.exe 2528 hbnntb.exe 2060 jdjpd.exe 1868 fxlrfrr.exe 2900 7rlfllr.exe 2888 1jdvd.exe 2736 dddpj.exe 2816 lrxrrxx.exe 2648 thntbb.exe 484 jdjjp.exe 2036 9dvpd.exe 2604 lxrrrrx.exe 1976 nbnbhn.exe 2436 5pjpj.exe 1064 9jpdv.exe 2008 fxrrxxf.exe 376 llflrff.exe 2952 hhnhbt.exe 2228 ddpvj.exe 2208 xrlflxf.exe 2968 7rlxxfx.exe 556 tnttth.exe 872 jjdpd.exe 2480 rlxxfff.exe 1732 7fxlxfl.exe 2544 5hhbhh.exe 1964 ppdpd.exe 1052 3fxxfrr.exe 2400 fxllxrr.exe 3000 3bnbnh.exe 2072 3jdjd.exe 1688 ddddj.exe 2592 lxxrfxr.exe 2392 5httnh.exe 2500 5tbhhb.exe 2724 ddvpd.exe 604 pjdvd.exe 2908 1xlllrl.exe 2624 rlfrfxx.exe 2792 tbtbhn.exe 2732 pvjjp.exe 2668 vvjpj.exe 2620 rlxrflx.exe 2456 7xrfflx.exe 484 tntbnt.exe 1296 hthnhh.exe 2604 pjppj.exe 2000 1jjvd.exe 796 xllxrfr.exe 2796 nhthbh.exe 1064 bttnnb.exe 2852 dvppv.exe 2956 jdvpp.exe 2864 frxxffx.exe 2656 jvjpv.exe 2228 pjvpv.exe 444 1rllflr.exe 1036 btbbbb.exe 828 tnhhbb.exe 1996 pvjvd.exe 1384 jddjv.exe 572 fxrfrxl.exe 2256 5lxfrxr.exe 1788 tbnbnb.exe -
resource yara_rule behavioral1/memory/2536-4-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2552-14-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2528-24-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2060-34-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1868-50-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2900-55-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2888-65-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2888-64-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2736-75-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2736-74-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2816-87-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2816-86-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2648-102-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/484-112-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2036-121-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2604-129-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1976-139-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2436-148-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2008-165-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2228-193-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2208-202-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2968-211-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/556-219-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2544-255-0x0000000000400000-0x0000000000429000-memory.dmp upx 
behavioral1/memory/1964-264-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1868-2238-0x0000000000400000-0x0000000000429000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppdpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrllxfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxxlfrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhhnnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvjpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlfxllr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjvpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxrxllx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5pppd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3lxxflr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process 
not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvjvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7flxrxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvjvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjdvj.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2536 wrote to memory of 2552 2536 ed6103c4db892df3dfe7362c7cb939db4e498414b35b98057e45d71a855babbdN.exe 31 PID 2536 wrote to memory of 2552 2536 ed6103c4db892df3dfe7362c7cb939db4e498414b35b98057e45d71a855babbdN.exe 31 PID 2536 wrote to memory of 2552 2536 ed6103c4db892df3dfe7362c7cb939db4e498414b35b98057e45d71a855babbdN.exe 31 PID 2536 wrote to memory of 2552 2536 ed6103c4db892df3dfe7362c7cb939db4e498414b35b98057e45d71a855babbdN.exe 31 PID 2552 wrote to memory of 2528 2552 rlflrxr.exe 32 PID 2552 wrote to memory of 2528 2552 rlflrxr.exe 32 PID 2552 wrote to memory of 2528 2552 rlflrxr.exe 32 PID 2552 wrote to memory of 2528 2552 rlflrxr.exe 32 PID 2528 wrote to memory of 2060 2528 hbnntb.exe 33 PID 2528 wrote to memory of 2060 2528 hbnntb.exe 33 PID 2528 wrote to memory of 2060 2528 hbnntb.exe 33 PID 2528 wrote to memory of 2060 2528 hbnntb.exe 33 PID 2060 wrote to memory of 1868 2060 jdjpd.exe 34 PID 2060 wrote to memory of 1868 2060 jdjpd.exe 34 PID 2060 wrote to memory of 1868 2060 jdjpd.exe 34 PID 2060 wrote to memory of 1868 2060 jdjpd.exe 34 PID 1868 wrote to memory of 2900 1868 fxlrfrr.exe 35 PID 1868 wrote to memory of 2900 1868 fxlrfrr.exe 35 PID 1868 wrote to memory of 2900 1868 fxlrfrr.exe 35 PID 1868 wrote to memory of 2900 1868 fxlrfrr.exe 35 PID 2900 wrote to memory of 2888 2900 7rlfllr.exe 36 PID 2900 wrote to memory of 2888 2900 7rlfllr.exe 36 PID 2900 wrote to memory of 2888 2900 7rlfllr.exe 36 PID 2900 wrote to memory of 2888 2900 7rlfllr.exe 36 PID 2888 wrote to memory of 2736 2888 1jdvd.exe 37 PID 2888 wrote to memory of 2736 2888 1jdvd.exe 37 PID 2888 wrote to memory of 2736 2888 1jdvd.exe 37 PID 2888 wrote to memory of 2736 2888 1jdvd.exe 37 PID 2736 wrote to memory of 2816 2736 dddpj.exe 38 PID 2736 wrote to memory of 2816 2736 dddpj.exe 38 PID 2736 wrote to memory of 2816 2736 dddpj.exe 38 PID 2736 wrote to memory of 2816 2736 dddpj.exe 38 PID 2816 wrote to memory of 2648 2816 lrxrrxx.exe 39 PID 2816 
wrote to memory of 2648 2816 lrxrrxx.exe 39 PID 2816 wrote to memory of 2648 2816 lrxrrxx.exe 39 PID 2816 wrote to memory of 2648 2816 lrxrrxx.exe 39 PID 2648 wrote to memory of 484 2648 thntbb.exe 40 PID 2648 wrote to memory of 484 2648 thntbb.exe 40 PID 2648 wrote to memory of 484 2648 thntbb.exe 40 PID 2648 wrote to memory of 484 2648 thntbb.exe 40 PID 484 wrote to memory of 2036 484 jdjjp.exe 41 PID 484 wrote to memory of 2036 484 jdjjp.exe 41 PID 484 wrote to memory of 2036 484 jdjjp.exe 41 PID 484 wrote to memory of 2036 484 jdjjp.exe 41 PID 2036 wrote to memory of 2604 2036 9dvpd.exe 42 PID 2036 wrote to memory of 2604 2036 9dvpd.exe 42 PID 2036 wrote to memory of 2604 2036 9dvpd.exe 42 PID 2036 wrote to memory of 2604 2036 9dvpd.exe 42 PID 2604 wrote to memory of 1976 2604 lxrrrrx.exe 43 PID 2604 wrote to memory of 1976 2604 lxrrrrx.exe 43 PID 2604 wrote to memory of 1976 2604 lxrrrrx.exe 43 PID 2604 wrote to memory of 1976 2604 lxrrrrx.exe 43 PID 1976 wrote to memory of 2436 1976 nbnbhn.exe 44 PID 1976 wrote to memory of 2436 1976 nbnbhn.exe 44 PID 1976 wrote to memory of 2436 1976 nbnbhn.exe 44 PID 1976 wrote to memory of 2436 1976 nbnbhn.exe 44 PID 2436 wrote to memory of 1064 2436 5pjpj.exe 45 PID 2436 wrote to memory of 1064 2436 5pjpj.exe 45 PID 2436 wrote to memory of 1064 2436 5pjpj.exe 45 PID 2436 wrote to memory of 1064 2436 5pjpj.exe 45 PID 1064 wrote to memory of 2008 1064 9jpdv.exe 46 PID 1064 wrote to memory of 2008 1064 9jpdv.exe 46 PID 1064 wrote to memory of 2008 1064 9jpdv.exe 46 PID 1064 wrote to memory of 2008 1064 9jpdv.exe 46
Processes
-
C:\Users\Admin\AppData\Local\Temp\ed6103c4db892df3dfe7362c7cb939db4e498414b35b98057e45d71a855babbdN.exe"C:\Users\Admin\AppData\Local\Temp\ed6103c4db892df3dfe7362c7cb939db4e498414b35b98057e45d71a855babbdN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2536 -
\??\c:\rlflrxr.exec:\rlflrxr.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2552 -
\??\c:\hbnntb.exec:\hbnntb.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2528 -
\??\c:\jdjpd.exec:\jdjpd.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2060 -
\??\c:\fxlrfrr.exec:\fxlrfrr.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1868 -
\??\c:\7rlfllr.exec:\7rlfllr.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2900 -
\??\c:\1jdvd.exec:\1jdvd.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2888 -
\??\c:\dddpj.exec:\dddpj.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2736 -
\??\c:\lrxrrxx.exec:\lrxrrxx.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2816 -
\??\c:\thntbb.exec:\thntbb.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2648 -
\??\c:\jdjjp.exec:\jdjjp.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:484 -
\??\c:\9dvpd.exec:\9dvpd.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2036 -
\??\c:\lxrrrrx.exec:\lxrrrrx.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2604 -
\??\c:\nbnbhn.exec:\nbnbhn.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1976 -
\??\c:\5pjpj.exec:\5pjpj.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2436 -
\??\c:\9jpdv.exec:\9jpdv.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1064 -
\??\c:\fxrrxxf.exec:\fxrrxxf.exe17⤵
- Executes dropped EXE
PID:2008 -
\??\c:\llflrff.exec:\llflrff.exe18⤵
- Executes dropped EXE
PID:376 -
\??\c:\hhnhbt.exec:\hhnhbt.exe19⤵
- Executes dropped EXE
PID:2952 -
\??\c:\ddpvj.exec:\ddpvj.exe20⤵
- Executes dropped EXE
PID:2228 -
\??\c:\xrlflxf.exec:\xrlflxf.exe21⤵
- Executes dropped EXE
PID:2208 -
\??\c:\7rlxxfx.exec:\7rlxxfx.exe22⤵
- Executes dropped EXE
PID:2968 -
\??\c:\tnttth.exec:\tnttth.exe23⤵
- Executes dropped EXE
PID:556 -
\??\c:\jjdpd.exec:\jjdpd.exe24⤵
- Executes dropped EXE
PID:872 -
\??\c:\rlxxfff.exec:\rlxxfff.exe25⤵
- Executes dropped EXE
PID:2480 -
\??\c:\7fxlxfl.exec:\7fxlxfl.exe26⤵
- Executes dropped EXE
PID:1732 -
\??\c:\5hhbhh.exec:\5hhbhh.exe27⤵
- Executes dropped EXE
PID:2544 -
\??\c:\ppdpd.exec:\ppdpd.exe28⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1964 -
\??\c:\3fxxfrr.exec:\3fxxfrr.exe29⤵
- Executes dropped EXE
PID:1052 -
\??\c:\fxllxrr.exec:\fxllxrr.exe30⤵
- Executes dropped EXE
PID:2400 -
\??\c:\3bnbnh.exec:\3bnbnh.exe31⤵
- Executes dropped EXE
PID:3000 -
\??\c:\3jdjd.exec:\3jdjd.exe32⤵
- Executes dropped EXE
PID:2072 -
\??\c:\ddddj.exec:\ddddj.exe33⤵
- Executes dropped EXE
PID:1688 -
\??\c:\lxxrfxr.exec:\lxxrfxr.exe34⤵
- Executes dropped EXE
PID:2592 -
\??\c:\5httnh.exec:\5httnh.exe35⤵
- Executes dropped EXE
PID:2392 -
\??\c:\5tbhhb.exec:\5tbhhb.exe36⤵
- Executes dropped EXE
PID:2500 -
\??\c:\ddvpd.exec:\ddvpd.exe37⤵
- Executes dropped EXE
PID:2724 -
\??\c:\pjdvd.exec:\pjdvd.exe38⤵
- Executes dropped EXE
PID:604 -
\??\c:\1xlllrl.exec:\1xlllrl.exe39⤵
- Executes dropped EXE
PID:2908 -
\??\c:\rlfrfxx.exec:\rlfrfxx.exe40⤵
- Executes dropped EXE
PID:2624 -
\??\c:\tbtbhn.exec:\tbtbhn.exe41⤵
- Executes dropped EXE
PID:2792 -
\??\c:\pvjjp.exec:\pvjjp.exe42⤵
- Executes dropped EXE
PID:2732 -
\??\c:\vvjpj.exec:\vvjpj.exe43⤵
- Executes dropped EXE
PID:2668 -
\??\c:\rlxrflx.exec:\rlxrflx.exe44⤵
- Executes dropped EXE
PID:2620 -
\??\c:\7xrfflx.exec:\7xrfflx.exe45⤵
- Executes dropped EXE
PID:2456 -
\??\c:\tntbnt.exec:\tntbnt.exe46⤵
- Executes dropped EXE
PID:484 -
\??\c:\hthnhh.exec:\hthnhh.exe47⤵
- Executes dropped EXE
PID:1296 -
\??\c:\pjppj.exec:\pjppj.exe48⤵
- Executes dropped EXE
PID:2604 -
\??\c:\1jjvd.exec:\1jjvd.exe49⤵
- Executes dropped EXE
PID:2000 -
\??\c:\xllxrfr.exec:\xllxrfr.exe50⤵
- Executes dropped EXE
PID:796 -
\??\c:\nhthbh.exec:\nhthbh.exe51⤵
- Executes dropped EXE
PID:2796 -
\??\c:\bttnnb.exec:\bttnnb.exe52⤵
- Executes dropped EXE
PID:1064 -
\??\c:\dvppv.exec:\dvppv.exe53⤵
- Executes dropped EXE
PID:2852 -
\??\c:\jdvpp.exec:\jdvpp.exe54⤵
- Executes dropped EXE
PID:2956 -
\??\c:\frxxffx.exec:\frxxffx.exe55⤵
- Executes dropped EXE
PID:2864 -
\??\c:\jvjpv.exec:\jvjpv.exe56⤵
- Executes dropped EXE
PID:2656 -
\??\c:\pjvpv.exec:\pjvpv.exe57⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2228 -
\??\c:\1rllflr.exec:\1rllflr.exe58⤵
- Executes dropped EXE
PID:444 -
\??\c:\btbbbb.exec:\btbbbb.exe59⤵
- Executes dropped EXE
PID:1036 -
\??\c:\tnhhbb.exec:\tnhhbb.exe60⤵
- Executes dropped EXE
PID:828 -
\??\c:\pvjvd.exec:\pvjvd.exe61⤵
- Executes dropped EXE
PID:1996 -
\??\c:\jddjv.exec:\jddjv.exe62⤵
- Executes dropped EXE
PID:1384 -
\??\c:\fxrfrxl.exec:\fxrfrxl.exe63⤵
- Executes dropped EXE
PID:572 -
\??\c:\5lxfrxr.exec:\5lxfrxr.exe64⤵
- Executes dropped EXE
PID:2256 -
\??\c:\tbnbnb.exec:\tbnbnb.exe65⤵
- Executes dropped EXE
PID:1788 -
\??\c:\nhhhbb.exec:\nhhhbb.exe66⤵PID:584
-
\??\c:\jdddd.exec:\jdddd.exe67⤵PID:3056
-
\??\c:\ffrrxff.exec:\ffrrxff.exe68⤵PID:1000
-
\??\c:\7llflfx.exec:\7llflfx.exe69⤵PID:2264
-
\??\c:\1btbnt.exec:\1btbnt.exe70⤵PID:2532
-
\??\c:\vppvd.exec:\vppvd.exe71⤵PID:1572
-
\??\c:\1pjjj.exec:\1pjjj.exe72⤵PID:1944
-
\??\c:\xrlxrfx.exec:\xrlxrfx.exe73⤵PID:1688
-
\??\c:\fxrxlxr.exec:\fxrxlxr.exe74⤵PID:2152
-
\??\c:\9bbhbn.exec:\9bbhbn.exe75⤵PID:2064
-
\??\c:\ttbhtn.exec:\ttbhtn.exe76⤵PID:2804
-
\??\c:\1pvpp.exec:\1pvpp.exe77⤵PID:2892
-
\??\c:\ddvpd.exec:\ddvpd.exe78⤵PID:2800
-
\??\c:\fxlxxlf.exec:\fxlxxlf.exe79⤵PID:2900
-
\??\c:\tnnthh.exec:\tnnthh.exe80⤵PID:2492
-
\??\c:\tnbhth.exec:\tnbhth.exe81⤵PID:2756
-
\??\c:\dvjvp.exec:\dvjvp.exe82⤵
- System Location Discovery: System Language Discovery
PID:2692 -
\??\c:\ddjdp.exec:\ddjdp.exe83⤵PID:2180
-
\??\c:\xrffrxf.exec:\xrffrxf.exe84⤵PID:2632
-
\??\c:\xfxrxxr.exec:\xfxrxxr.exe85⤵PID:1744
-
\??\c:\tnntbh.exec:\tnntbh.exe86⤵PID:2036
-
\??\c:\1nthnb.exec:\1nthnb.exe87⤵PID:1092
-
\??\c:\ppjpv.exec:\ppjpv.exe88⤵PID:2144
-
\??\c:\7rrrlrx.exec:\7rrrlrx.exe89⤵PID:844
-
\??\c:\fxxrlrr.exec:\fxxrlrr.exe90⤵PID:1612
-
\??\c:\ttnbtb.exec:\ttnbtb.exe91⤵PID:1908
-
\??\c:\3bbhtn.exec:\3bbhtn.exe92⤵PID:1160
-
\??\c:\jppjj.exec:\jppjj.exe93⤵PID:2980
-
\??\c:\dvvjp.exec:\dvvjp.exe94⤵PID:2956
-
\??\c:\fflfxrl.exec:\fflfxrl.exe95⤵PID:2864
-
\??\c:\xxxrrfx.exec:\xxxrrfx.exe96⤵PID:2200
-
\??\c:\tnhhnt.exec:\tnhhnt.exe97⤵PID:2208
-
\??\c:\htbtnh.exec:\htbtnh.exe98⤵PID:1748
-
\??\c:\vvpvj.exec:\vvpvj.exe99⤵PID:1132
-
\??\c:\jdvjd.exec:\jdvjd.exe100⤵PID:1864
-
\??\c:\llfrflf.exec:\llfrflf.exe101⤵PID:688
-
\??\c:\rrlrflr.exec:\rrlrflr.exe102⤵PID:316
-
\??\c:\nnnbhn.exec:\nnnbhn.exe103⤵PID:1780
-
\??\c:\btnhnb.exec:\btnhnb.exe104⤵PID:1444
-
\??\c:\5ppvj.exec:\5ppvj.exe105⤵PID:1924
-
\??\c:\ddpdp.exec:\ddpdp.exe106⤵PID:2128
-
\??\c:\rllrrfr.exec:\rllrrfr.exe107⤵PID:868
-
\??\c:\xxlxlrx.exec:\xxlxlrx.exe108⤵PID:1784
-
\??\c:\hbtnnt.exec:\hbtnnt.exe109⤵PID:1756
-
\??\c:\tthhth.exec:\tthhth.exe110⤵PID:2080
-
\??\c:\ppddv.exec:\ppddv.exe111⤵PID:2552
-
\??\c:\7dppp.exec:\7dppp.exe112⤵PID:352
-
\??\c:\3fflxlr.exec:\3fflxlr.exe113⤵PID:2592
-
\??\c:\ththbt.exec:\ththbt.exe114⤵PID:832
-
\??\c:\bthnbh.exec:\bthnbh.exe115⤵PID:2112
-
\??\c:\pjjpp.exec:\pjjpp.exe116⤵PID:2768
-
\??\c:\jjjvp.exec:\jjjvp.exe117⤵PID:604
-
\??\c:\5rlrrxf.exec:\5rlrrxf.exe118⤵PID:2936
-
\??\c:\fflrxll.exec:\fflrxll.exe119⤵PID:2624
-
\??\c:\nhbhbh.exec:\nhbhbh.exe120⤵PID:2880
-
\??\c:\1bhnbb.exec:\1bhnbb.exe121⤵PID:2464
-
\??\c:\jjddp.exec:\jjddp.exe122⤵PID:2668
-