Analysis
-
max time kernel
120s -
max time network
17s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64 arch:x86 image:win7-20241010-en locale:en-us os:windows7-x64 system -
submitted
18/10/2024, 18:09
Static task
static1
Behavioral task
behavioral1
Sample
6e34bdcc30a64fc49728c4875548c39bf12b9c7e574b6988756d21ab1d6cb342N.exe
Resource
win7-20241010-en
General
-
Target
6e34bdcc30a64fc49728c4875548c39bf12b9c7e574b6988756d21ab1d6cb342N.exe
-
Size
94KB
-
MD5
5e62e687bff8b221a7bc9ce25c44af40
-
SHA1
782b3c99c29b1733532838e1a00c4fba6e1820da
-
SHA256
6e34bdcc30a64fc49728c4875548c39bf12b9c7e574b6988756d21ab1d6cb342
-
SHA512
9fedd851cc944e88a5caa8bbf7ff609569a2a4e17f2fc7142ce21593b8287070ef9c1b506e9b8f83e63459d1ab84606552eddb97e5216435db6543a94be364a8
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDo7xCkTsIwtOa2dY36i9XFhiKjVZ:ymb3NkkiQ3mdBjFo7LAIb+FbI+TN
Malware Config
Signatures
-
Detect Blackmoon payload 22 IoCs
resource yara_rule behavioral1/memory/1304-4-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2572-14-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/768-23-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2240-34-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/356-43-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2780-69-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2780-68-0x0000000000401000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2964-88-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2992-83-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2964-95-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2692-105-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2988-113-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/1644-131-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2736-141-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2884-149-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/856-186-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/1720-195-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/1792-230-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/1916-239-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2412-257-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2604-275-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon 
behavioral1/memory/2780-1223-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2572 hbhhnn.exe 768 jdvvd.exe 2240 9dvpv.exe 356 82002.exe 2928 08684.exe 2780 9djvj.exe 2992 frfxffr.exe 2964 9xrxrxl.exe 2692 60806.exe 2988 hthhhn.exe 584 hbtbhh.exe 1644 rlllxxf.exe 2736 rlrfrxl.exe 2884 5xflllr.exe 804 ddvdj.exe 1560 48044.exe 1932 42628.exe 856 thntbh.exe 1720 44808.exe 2392 86222.exe 2364 5btbtt.exe 1408 086460.exe 1792 9pddp.exe 1916 bbnhnn.exe 1860 1pdjp.exe 2412 s8686.exe 1316 6040002.exe 2604 042804.exe 236 204662.exe 872 rflfffr.exe 2384 264026.exe 1032 hbnhnt.exe 684 9ppdv.exe 316 2200880.exe 2500 vpjpv.exe 2244 42806.exe 2804 48224.exe 2324 xxlxllr.exe 2304 864440.exe 2976 q46886.exe 2700 60284.exe 2844 u484246.exe 2812 c022444.exe 2796 g8064.exe 2532 2624068.exe 1972 6644662.exe 3044 7vpjp.exe 3056 5jddd.exe 2776 2048406.exe 3064 08066.exe 1936 420062.exe 1356 tnhbbb.exe 1260 tnhhbt.exe 2716 1lrrffl.exe 2156 1thhnn.exe 1620 88668.exe 1720 bthbtn.exe 2084 080000.exe 2172 648400.exe 1120 42880.exe 1784 vpvdj.exe 1588 llfrrxf.exe 1916 u668044.exe 560 4600280.exe -
resource yara_rule behavioral1/memory/1304-4-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2572-14-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/768-23-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2240-34-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/356-43-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2780-69-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2992-74-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2992-73-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2964-88-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2964-86-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2964-85-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2992-83-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2964-95-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2692-105-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2988-113-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1644-131-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2736-141-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2884-149-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/856-186-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1720-195-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1792-230-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1916-239-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2412-257-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2604-275-0x0000000000400000-0x0000000000429000-memory.dmp upx 
behavioral1/memory/2780-1223-0x0000000000400000-0x0000000000429000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language s8046.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 860408.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 806626.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 404068.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxfrrll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1nbtnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language w46688.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flrxxxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language w20240.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language i026626.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not 
Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1rxxxrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4262828.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhhhhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frrxxxl.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1304 wrote to memory of 2572 1304 6e34bdcc30a64fc49728c4875548c39bf12b9c7e574b6988756d21ab1d6cb342N.exe 30 PID 1304 wrote to memory of 2572 1304 6e34bdcc30a64fc49728c4875548c39bf12b9c7e574b6988756d21ab1d6cb342N.exe 30 PID 1304 wrote to memory of 2572 1304 6e34bdcc30a64fc49728c4875548c39bf12b9c7e574b6988756d21ab1d6cb342N.exe 30 PID 1304 wrote to memory of 2572 1304 6e34bdcc30a64fc49728c4875548c39bf12b9c7e574b6988756d21ab1d6cb342N.exe 30 PID 2572 wrote to memory of 768 2572 hbhhnn.exe 31 PID 2572 wrote to memory of 768 2572 hbhhnn.exe 31 PID 2572 wrote to memory of 768 2572 hbhhnn.exe 31 PID 2572 wrote to memory of 768 2572 hbhhnn.exe 31 PID 768 wrote to memory of 2240 768 jdvvd.exe 32 PID 768 wrote to memory of 2240 768 jdvvd.exe 32 PID 768 wrote to memory of 2240 768 jdvvd.exe 32 PID 768 wrote to memory of 2240 768 jdvvd.exe 32 PID 2240 wrote to memory of 356 2240 9dvpv.exe 33 PID 2240 wrote to memory of 356 2240 9dvpv.exe 33 PID 2240 wrote to memory of 356 2240 9dvpv.exe 33 PID 2240 wrote to memory of 356 2240 9dvpv.exe 33 PID 356 wrote to memory of 2928 356 82002.exe 34 PID 356 wrote to memory of 2928 356 82002.exe 34 PID 356 wrote to memory of 2928 356 82002.exe 34 PID 356 wrote to memory of 2928 356 82002.exe 34 PID 2928 wrote to memory of 2780 2928 08684.exe 35 PID 2928 wrote to memory of 2780 2928 08684.exe 35 PID 2928 wrote to memory of 2780 2928 08684.exe 35 PID 2928 wrote to memory of 2780 2928 08684.exe 35 PID 2780 wrote to memory of 2992 2780 9djvj.exe 36 PID 2780 wrote to memory of 2992 2780 9djvj.exe 36 PID 2780 wrote to memory of 2992 2780 9djvj.exe 36 PID 2780 wrote to memory of 2992 2780 9djvj.exe 36 PID 2992 wrote to memory of 2964 2992 frfxffr.exe 37 PID 2992 wrote to memory of 2964 2992 frfxffr.exe 37 PID 2992 wrote to memory of 2964 2992 frfxffr.exe 37 PID 2992 wrote to memory of 2964 2992 frfxffr.exe 37 PID 2964 wrote to memory of 2692 2964 9xrxrxl.exe 38 PID 2964 wrote to memory of 2692 2964 
9xrxrxl.exe 38 PID 2964 wrote to memory of 2692 2964 9xrxrxl.exe 38 PID 2964 wrote to memory of 2692 2964 9xrxrxl.exe 38 PID 2692 wrote to memory of 2988 2692 60806.exe 39 PID 2692 wrote to memory of 2988 2692 60806.exe 39 PID 2692 wrote to memory of 2988 2692 60806.exe 39 PID 2692 wrote to memory of 2988 2692 60806.exe 39 PID 2988 wrote to memory of 584 2988 hthhhn.exe 40 PID 2988 wrote to memory of 584 2988 hthhhn.exe 40 PID 2988 wrote to memory of 584 2988 hthhhn.exe 40 PID 2988 wrote to memory of 584 2988 hthhhn.exe 40 PID 584 wrote to memory of 1644 584 hbtbhh.exe 41 PID 584 wrote to memory of 1644 584 hbtbhh.exe 41 PID 584 wrote to memory of 1644 584 hbtbhh.exe 41 PID 584 wrote to memory of 1644 584 hbtbhh.exe 41 PID 1644 wrote to memory of 2736 1644 rlllxxf.exe 42 PID 1644 wrote to memory of 2736 1644 rlllxxf.exe 42 PID 1644 wrote to memory of 2736 1644 rlllxxf.exe 42 PID 1644 wrote to memory of 2736 1644 rlllxxf.exe 42 PID 2736 wrote to memory of 2884 2736 rlrfrxl.exe 43 PID 2736 wrote to memory of 2884 2736 rlrfrxl.exe 43 PID 2736 wrote to memory of 2884 2736 rlrfrxl.exe 43 PID 2736 wrote to memory of 2884 2736 rlrfrxl.exe 43 PID 2884 wrote to memory of 804 2884 5xflllr.exe 44 PID 2884 wrote to memory of 804 2884 5xflllr.exe 44 PID 2884 wrote to memory of 804 2884 5xflllr.exe 44 PID 2884 wrote to memory of 804 2884 5xflllr.exe 44 PID 804 wrote to memory of 1560 804 ddvdj.exe 45 PID 804 wrote to memory of 1560 804 ddvdj.exe 45 PID 804 wrote to memory of 1560 804 ddvdj.exe 45 PID 804 wrote to memory of 1560 804 ddvdj.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\6e34bdcc30a64fc49728c4875548c39bf12b9c7e574b6988756d21ab1d6cb342N.exe"C:\Users\Admin\AppData\Local\Temp\6e34bdcc30a64fc49728c4875548c39bf12b9c7e574b6988756d21ab1d6cb342N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1304 -
\??\c:\hbhhnn.exec:\hbhhnn.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2572 -
\??\c:\jdvvd.exec:\jdvvd.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:768 -
\??\c:\9dvpv.exec:\9dvpv.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2240 -
\??\c:\82002.exec:\82002.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:356 -
\??\c:\08684.exec:\08684.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2928 -
\??\c:\9djvj.exec:\9djvj.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2780 -
\??\c:\frfxffr.exec:\frfxffr.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2992 -
\??\c:\9xrxrxl.exec:\9xrxrxl.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2964 -
\??\c:\60806.exec:\60806.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2692 -
\??\c:\hthhhn.exec:\hthhhn.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2988 -
\??\c:\hbtbhh.exec:\hbtbhh.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:584 -
\??\c:\rlllxxf.exec:\rlllxxf.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1644 -
\??\c:\rlrfrxl.exec:\rlrfrxl.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2736 -
\??\c:\5xflllr.exec:\5xflllr.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2884 -
\??\c:\ddvdj.exec:\ddvdj.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:804 -
\??\c:\48044.exec:\48044.exe17⤵
- Executes dropped EXE
PID:1560 -
\??\c:\42628.exec:\42628.exe18⤵
- Executes dropped EXE
PID:1932 -
\??\c:\thntbh.exec:\thntbh.exe19⤵
- Executes dropped EXE
PID:856 -
\??\c:\44808.exec:\44808.exe20⤵
- Executes dropped EXE
PID:1720 -
\??\c:\86222.exec:\86222.exe21⤵
- Executes dropped EXE
PID:2392 -
\??\c:\5btbtt.exec:\5btbtt.exe22⤵
- Executes dropped EXE
PID:2364 -
\??\c:\086460.exec:\086460.exe23⤵
- Executes dropped EXE
PID:1408 -
\??\c:\9pddp.exec:\9pddp.exe24⤵
- Executes dropped EXE
PID:1792 -
\??\c:\bbnhnn.exec:\bbnhnn.exe25⤵
- Executes dropped EXE
PID:1916 -
\??\c:\1pdjp.exec:\1pdjp.exe26⤵
- Executes dropped EXE
PID:1860 -
\??\c:\s8686.exec:\s8686.exe27⤵
- Executes dropped EXE
PID:2412 -
\??\c:\6040002.exec:\6040002.exe28⤵
- Executes dropped EXE
PID:1316 -
\??\c:\042804.exec:\042804.exe29⤵
- Executes dropped EXE
PID:2604 -
\??\c:\204662.exec:\204662.exe30⤵
- Executes dropped EXE
PID:236 -
\??\c:\rflfffr.exec:\rflfffr.exe31⤵
- Executes dropped EXE
PID:872 -
\??\c:\264026.exec:\264026.exe32⤵
- Executes dropped EXE
PID:2384 -
\??\c:\hbnhnt.exec:\hbnhnt.exe33⤵
- Executes dropped EXE
PID:1032 -
\??\c:\9ppdv.exec:\9ppdv.exe34⤵
- Executes dropped EXE
PID:684 -
\??\c:\2200880.exec:\2200880.exe35⤵
- Executes dropped EXE
PID:316 -
\??\c:\vpjpv.exec:\vpjpv.exe36⤵
- Executes dropped EXE
PID:2500 -
\??\c:\42806.exec:\42806.exe37⤵
- Executes dropped EXE
PID:2244 -
\??\c:\48224.exec:\48224.exe38⤵
- Executes dropped EXE
PID:2804 -
\??\c:\xxlxllr.exec:\xxlxllr.exe39⤵
- Executes dropped EXE
PID:2324 -
\??\c:\864440.exec:\864440.exe40⤵
- Executes dropped EXE
PID:2304 -
\??\c:\q46886.exec:\q46886.exe41⤵
- Executes dropped EXE
PID:2976 -
\??\c:\60284.exec:\60284.exe42⤵
- Executes dropped EXE
PID:2700 -
\??\c:\u484246.exec:\u484246.exe43⤵
- Executes dropped EXE
PID:2844 -
\??\c:\c022444.exec:\c022444.exe44⤵
- Executes dropped EXE
PID:2812 -
\??\c:\g8064.exec:\g8064.exe45⤵
- Executes dropped EXE
PID:2796 -
\??\c:\2624068.exec:\2624068.exe46⤵
- Executes dropped EXE
PID:2532 -
\??\c:\6644662.exec:\6644662.exe47⤵
- Executes dropped EXE
PID:1972 -
\??\c:\7vpjp.exec:\7vpjp.exe48⤵
- Executes dropped EXE
PID:3044 -
\??\c:\5jddd.exec:\5jddd.exe49⤵
- Executes dropped EXE
PID:3056 -
\??\c:\2048406.exec:\2048406.exe50⤵
- Executes dropped EXE
PID:2776 -
\??\c:\08066.exec:\08066.exe51⤵
- Executes dropped EXE
PID:3064 -
\??\c:\420062.exec:\420062.exe52⤵
- Executes dropped EXE
PID:1936 -
\??\c:\tnhbbb.exec:\tnhbbb.exe53⤵
- Executes dropped EXE
PID:1356 -
\??\c:\tnhhbt.exec:\tnhhbt.exe54⤵
- Executes dropped EXE
PID:1260 -
\??\c:\1lrrffl.exec:\1lrrffl.exe55⤵
- Executes dropped EXE
PID:2716 -
\??\c:\1thhnn.exec:\1thhnn.exe56⤵
- Executes dropped EXE
PID:2156 -
\??\c:\88668.exec:\88668.exe57⤵
- Executes dropped EXE
PID:1620 -
\??\c:\bthbtn.exec:\bthbtn.exe58⤵
- Executes dropped EXE
PID:1720 -
\??\c:\080000.exec:\080000.exe59⤵
- Executes dropped EXE
PID:2084 -
\??\c:\648400.exec:\648400.exe60⤵
- Executes dropped EXE
PID:2172 -
\??\c:\42880.exec:\42880.exe61⤵
- Executes dropped EXE
PID:1120 -
\??\c:\vpvdj.exec:\vpvdj.exe62⤵
- Executes dropped EXE
PID:1784 -
\??\c:\llfrrxf.exec:\llfrrxf.exe63⤵
- Executes dropped EXE
PID:1588 -
\??\c:\u668044.exec:\u668044.exe64⤵
- Executes dropped EXE
PID:1916 -
\??\c:\4600280.exec:\4600280.exe65⤵
- Executes dropped EXE
PID:560 -
\??\c:\m2066.exec:\m2066.exe66⤵PID:1804
-
\??\c:\rlxfllx.exec:\rlxfllx.exe67⤵PID:2060
-
\??\c:\pvpjp.exec:\pvpjp.exe68⤵PID:1316
-
\??\c:\bhnbhh.exec:\bhnbhh.exe69⤵PID:1672
-
\??\c:\vppjj.exec:\vppjj.exe70⤵PID:884
-
\??\c:\64228.exec:\64228.exe71⤵PID:752
-
\??\c:\pjpjj.exec:\pjpjj.exe72⤵PID:2596
-
\??\c:\dvpvd.exec:\dvpvd.exe73⤵PID:112
-
\??\c:\rlxfxxf.exec:\rlxfxxf.exe74⤵PID:1840
-
\??\c:\vddvv.exec:\vddvv.exe75⤵PID:684
-
\??\c:\nhnhhn.exec:\nhnhhn.exe76⤵PID:1680
-
\??\c:\5dvjj.exec:\5dvjj.exe77⤵PID:2500
-
\??\c:\btttht.exec:\btttht.exe78⤵PID:2944
-
\??\c:\thtnnt.exec:\thtnnt.exe79⤵PID:2804
-
\??\c:\6424068.exec:\6424068.exe80⤵PID:2324
-
\??\c:\2046462.exec:\2046462.exe81⤵PID:2304
-
\??\c:\bbnbnb.exec:\bbnbnb.exe82⤵PID:2976
-
\??\c:\rrfrlrl.exec:\rrfrlrl.exe83⤵PID:2700
-
\??\c:\rrlfrfx.exec:\rrlfrfx.exe84⤵PID:2844
-
\??\c:\60468.exec:\60468.exe85⤵PID:2964
-
\??\c:\hbhbhh.exec:\hbhbhh.exe86⤵PID:2556
-
\??\c:\bbtthn.exec:\bbtthn.exe87⤵PID:2108
-
\??\c:\a4684.exec:\a4684.exe88⤵PID:1972
-
\??\c:\484088.exec:\484088.exe89⤵PID:3044
-
\??\c:\pjvvj.exec:\pjvvj.exe90⤵PID:2876
-
\??\c:\rrllxxr.exec:\rrllxxr.exe91⤵PID:2776
-
\??\c:\tnhnnt.exec:\tnhnnt.exe92⤵PID:3024
-
\??\c:\m0402.exec:\m0402.exe93⤵PID:1936
-
\??\c:\266628.exec:\266628.exe94⤵PID:1356
-
\??\c:\226802.exec:\226802.exe95⤵PID:1260
-
\??\c:\jjvjv.exec:\jjvjv.exe96⤵PID:2716
-
\??\c:\i860624.exec:\i860624.exe97⤵PID:2132
-
\??\c:\9ffrlxl.exec:\9ffrlxl.exe98⤵PID:1852
-
\??\c:\tnbbhn.exec:\tnbbhn.exe99⤵PID:1720
-
\??\c:\88246.exec:\88246.exe100⤵PID:2468
-
\??\c:\pjjjp.exec:\pjjjp.exe101⤵PID:2032
-
\??\c:\484080.exec:\484080.exe102⤵PID:2656
-
\??\c:\7llllxf.exec:\7llllxf.exe103⤵PID:2360
-
\??\c:\6004022.exec:\6004022.exe104⤵PID:956
-
\??\c:\k86288.exec:\k86288.exe105⤵PID:1916
-
\??\c:\xrrlxlx.exec:\xrrlxlx.exe106⤵PID:560
-
\??\c:\44264.exec:\44264.exe107⤵PID:1804
-
\??\c:\flrxxxl.exec:\flrxxxl.exe108⤵
- System Location Discovery: System Language Discovery
PID:2060 -
\??\c:\640680.exec:\640680.exe109⤵PID:1316
-
\??\c:\9tbbbb.exec:\9tbbbb.exe110⤵PID:328
-
\??\c:\ntnhtb.exec:\ntnhtb.exe111⤵PID:884
-
\??\c:\608882.exec:\608882.exe112⤵PID:2760
-
\??\c:\420684.exec:\420684.exe113⤵PID:2596
-
\??\c:\jdpdv.exec:\jdpdv.exe114⤵PID:112
-
\??\c:\42064.exec:\42064.exe115⤵PID:1676
-
\??\c:\202060.exec:\202060.exe116⤵PID:1736
-
\??\c:\jjvpp.exec:\jjvpp.exe117⤵PID:2460
-
\??\c:\1nbtnh.exec:\1nbtnh.exe118⤵
- System Location Discovery: System Language Discovery
PID:2948 -
\??\c:\lfxrxxx.exec:\lfxrxxx.exe119⤵PID:2944
-
\??\c:\04664.exec:\04664.exe120⤵PID:2828
-
\??\c:\q04460.exec:\q04460.exe121⤵PID:2324
-
\??\c:\4282224.exec:\4282224.exe122⤵PID:2704
-