Analysis
-
max time kernel
120s -
max time network
17s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
18/10/2024, 18:10
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
92bb4b882335da3f3e5ea0c35ac38ca02b95be5e4b36aaf41440eb7a37d5fd50N.exe
Resource
win7-20240903-en
6 signatures
120 seconds
General
-
Target
92bb4b882335da3f3e5ea0c35ac38ca02b95be5e4b36aaf41440eb7a37d5fd50N.exe
-
Size
78KB
-
MD5
b4aad9e9832c9777edb6794b946cdc80
-
SHA1
04b8f1b1e2c70b55088f0bd231477ddaba65d2f7
-
SHA256
92bb4b882335da3f3e5ea0c35ac38ca02b95be5e4b36aaf41440eb7a37d5fd50
-
SHA512
b2ebd91dbd872fddf2037c6cffd7ab036624118fab7c8fd757a195155a6703330470f8d72c5a79d2536261eaf9c7afa26d06c062b9ab4e9242f71561935f2af3
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDIb7GTi3ldD56u:ymb3NkkiQ3mdBjFIWYB56u
Malware Config
Signatures
-
Detect Blackmoon payload 22 IoCs
resource yara_rule behavioral1/memory/1708-7-0x0000000000401000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1708-6-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2956-20-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2244-25-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/1780-34-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2808-58-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2252-54-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/1276-77-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2552-101-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/1540-119-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/1984-129-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/1940-138-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2088-147-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/1928-155-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/484-165-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2972-183-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2572-191-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/3000-209-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/1084-219-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/1604-227-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2424-236-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon 
behavioral1/memory/1620-254-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2956 xlflxlx.exe 2244 pdjdj.exe 1780 dvdjp.exe 2252 xrffrrl.exe 2808 ddpvp.exe 2540 1frxffl.exe 1276 xrffrlx.exe 1268 nnnthn.exe 2552 ttbtbb.exe 2984 5dpjp.exe 1540 1fxxfxf.exe 1984 xlrlfll.exe 1940 5nhntt.exe 2088 jjvvj.exe 1928 lllrlfx.exe 484 rxlrrxr.exe 1908 1thhnt.exe 2972 vjppp.exe 2572 fxlffxx.exe 2428 9nbthn.exe 3000 hhnhhh.exe 1084 1dppv.exe 1604 5ffllxr.exe 2424 9xxrrll.exe 1652 hbbhtb.exe 1620 ppjvv.exe 2264 xrxxlfl.exe 1732 nhnbhn.exe 888 vvjpd.exe 1628 ffxrrll.exe 1552 9xxxffx.exe 2156 nhnntt.exe 2204 1pjdj.exe 1924 ppdjv.exe 1780 9lffxxx.exe 3056 7htbhn.exe 2792 htnntt.exe 2832 5dvjj.exe 2660 vpjpp.exe 2556 1lrrlrl.exe 2532 bbbhth.exe 2656 bbnbnh.exe 2552 nhnttb.exe 2980 9pvdp.exe 2996 lrfflrx.exe 2060 7rlrfll.exe 1680 5nthbn.exe 1940 hthtbt.exe 1796 jjjvp.exe 1928 xxlxfrf.exe 636 lfxflrf.exe 1064 5nnbht.exe 1908 nnnhnh.exe 2740 vvvjv.exe 2732 fxrxlrr.exe 2412 5xrlrlr.exe 2924 nttnht.exe 1656 1dddd.exe 1916 vjddj.exe 684 hbtthh.exe 1396 ddvdd.exe 1800 vjpvv.exe 2316 rlrxffl.exe 1768 lfrlxfr.exe -
resource yara_rule behavioral1/memory/2956-12-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1708-6-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2956-20-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2244-25-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1780-34-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2252-45-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2252-44-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2808-58-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2252-54-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1276-77-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1276-76-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2552-101-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1540-119-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1984-129-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1940-138-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2088-147-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1928-155-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/484-165-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2972-183-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2572-191-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/3000-209-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1084-219-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1604-227-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2424-236-0x0000000000400000-0x0000000000429000-memory.dmp upx 
behavioral1/memory/1620-254-0x0000000000400000-0x0000000000429000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrffrfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvjpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5xrlrlr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvdpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1pddp.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btbttt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrrrfff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxllrll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrxlxxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3flrxff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffffrrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flxllfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxfrllf.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nttnht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhtbnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdvdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1bbtth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1708 wrote to memory of 2956 1708 92bb4b882335da3f3e5ea0c35ac38ca02b95be5e4b36aaf41440eb7a37d5fd50N.exe 31 PID 1708 wrote to memory of 2956 1708 92bb4b882335da3f3e5ea0c35ac38ca02b95be5e4b36aaf41440eb7a37d5fd50N.exe 31 PID 1708 wrote to memory of 2956 1708 92bb4b882335da3f3e5ea0c35ac38ca02b95be5e4b36aaf41440eb7a37d5fd50N.exe 31 PID 1708 wrote to memory of 2956 1708 92bb4b882335da3f3e5ea0c35ac38ca02b95be5e4b36aaf41440eb7a37d5fd50N.exe 31 PID 2956 wrote to memory of 2244 2956 xlflxlx.exe 32 PID 2956 wrote to memory of 2244 2956 xlflxlx.exe 32 PID 2956 wrote to memory of 2244 2956 xlflxlx.exe 32 PID 2956 wrote to memory of 2244 2956 xlflxlx.exe 32 PID 2244 wrote to memory of 1780 2244 pdjdj.exe 33 PID 2244 wrote to memory of 1780 2244 pdjdj.exe 33 PID 2244 wrote to memory of 1780 2244 pdjdj.exe 33 PID 2244 wrote to memory of 1780 2244 pdjdj.exe 33 PID 1780 wrote to memory of 2252 1780 dvdjp.exe 34 PID 1780 wrote to memory of 2252 1780 dvdjp.exe 34 PID 1780 wrote to memory of 2252 1780 dvdjp.exe 34 PID 1780 wrote to memory of 2252 1780 dvdjp.exe 34 PID 2252 wrote to memory of 2808 2252 xrffrrl.exe 35 PID 2252 wrote to memory of 2808 2252 xrffrrl.exe 35 PID 2252 wrote to memory of 2808 2252 xrffrrl.exe 35 PID 2252 wrote to memory of 2808 2252 xrffrrl.exe 35 PID 2808 wrote to memory of 2540 2808 ddpvp.exe 36 PID 2808 wrote to memory of 2540 2808 ddpvp.exe 36 PID 2808 wrote to memory of 2540 2808 ddpvp.exe 36 PID 2808 wrote to memory of 2540 2808 ddpvp.exe 36 PID 2540 wrote to memory of 1276 2540 1frxffl.exe 37 PID 2540 wrote to memory of 1276 2540 1frxffl.exe 37 PID 2540 wrote to memory of 1276 2540 1frxffl.exe 37 PID 2540 wrote to memory of 1276 2540 1frxffl.exe 37 PID 1276 wrote to memory of 1268 1276 xrffrlx.exe 38 PID 1276 wrote to memory of 1268 1276 xrffrlx.exe 38 PID 1276 wrote to memory of 1268 1276 xrffrlx.exe 38 PID 1276 wrote to memory of 1268 1276 xrffrlx.exe 38 PID 1268 wrote to memory of 2552 1268 nnnthn.exe 39 PID 
1268 wrote to memory of 2552 1268 nnnthn.exe 39 PID 1268 wrote to memory of 2552 1268 nnnthn.exe 39 PID 1268 wrote to memory of 2552 1268 nnnthn.exe 39 PID 2552 wrote to memory of 2984 2552 ttbtbb.exe 40 PID 2552 wrote to memory of 2984 2552 ttbtbb.exe 40 PID 2552 wrote to memory of 2984 2552 ttbtbb.exe 40 PID 2552 wrote to memory of 2984 2552 ttbtbb.exe 40 PID 2984 wrote to memory of 1540 2984 5dpjp.exe 41 PID 2984 wrote to memory of 1540 2984 5dpjp.exe 41 PID 2984 wrote to memory of 1540 2984 5dpjp.exe 41 PID 2984 wrote to memory of 1540 2984 5dpjp.exe 41 PID 1540 wrote to memory of 1984 1540 1fxxfxf.exe 42 PID 1540 wrote to memory of 1984 1540 1fxxfxf.exe 42 PID 1540 wrote to memory of 1984 1540 1fxxfxf.exe 42 PID 1540 wrote to memory of 1984 1540 1fxxfxf.exe 42 PID 1984 wrote to memory of 1940 1984 xlrlfll.exe 43 PID 1984 wrote to memory of 1940 1984 xlrlfll.exe 43 PID 1984 wrote to memory of 1940 1984 xlrlfll.exe 43 PID 1984 wrote to memory of 1940 1984 xlrlfll.exe 43 PID 1940 wrote to memory of 2088 1940 5nhntt.exe 44 PID 1940 wrote to memory of 2088 1940 5nhntt.exe 44 PID 1940 wrote to memory of 2088 1940 5nhntt.exe 44 PID 1940 wrote to memory of 2088 1940 5nhntt.exe 44 PID 2088 wrote to memory of 1928 2088 jjvvj.exe 45 PID 2088 wrote to memory of 1928 2088 jjvvj.exe 45 PID 2088 wrote to memory of 1928 2088 jjvvj.exe 45 PID 2088 wrote to memory of 1928 2088 jjvvj.exe 45 PID 1928 wrote to memory of 484 1928 lllrlfx.exe 46 PID 1928 wrote to memory of 484 1928 lllrlfx.exe 46 PID 1928 wrote to memory of 484 1928 lllrlfx.exe 46 PID 1928 wrote to memory of 484 1928 lllrlfx.exe 46
Processes
-
C:\Users\Admin\AppData\Local\Temp\92bb4b882335da3f3e5ea0c35ac38ca02b95be5e4b36aaf41440eb7a37d5fd50N.exe"C:\Users\Admin\AppData\Local\Temp\92bb4b882335da3f3e5ea0c35ac38ca02b95be5e4b36aaf41440eb7a37d5fd50N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1708 -
\??\c:\xlflxlx.exec:\xlflxlx.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2956 -
\??\c:\pdjdj.exec:\pdjdj.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2244 -
\??\c:\dvdjp.exec:\dvdjp.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1780 -
\??\c:\xrffrrl.exec:\xrffrrl.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2252 -
\??\c:\ddpvp.exec:\ddpvp.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2808 -
\??\c:\1frxffl.exec:\1frxffl.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2540 -
\??\c:\xrffrlx.exec:\xrffrlx.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1276 -
\??\c:\nnnthn.exec:\nnnthn.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1268 -
\??\c:\ttbtbb.exec:\ttbtbb.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2552 -
\??\c:\5dpjp.exec:\5dpjp.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2984 -
\??\c:\1fxxfxf.exec:\1fxxfxf.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1540 -
\??\c:\xlrlfll.exec:\xlrlfll.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1984 -
\??\c:\5nhntt.exec:\5nhntt.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1940 -
\??\c:\jjvvj.exec:\jjvvj.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2088 -
\??\c:\lllrlfx.exec:\lllrlfx.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1928 -
\??\c:\rxlrrxr.exec:\rxlrrxr.exe17⤵
- Executes dropped EXE
PID:484 -
\??\c:\1thhnt.exec:\1thhnt.exe18⤵
- Executes dropped EXE
PID:1908 -
\??\c:\vjppp.exec:\vjppp.exe19⤵
- Executes dropped EXE
PID:2972 -
\??\c:\fxlffxx.exec:\fxlffxx.exe20⤵
- Executes dropped EXE
PID:2572 -
\??\c:\9nbthn.exec:\9nbthn.exe21⤵
- Executes dropped EXE
PID:2428 -
\??\c:\hhnhhh.exec:\hhnhhh.exe22⤵
- Executes dropped EXE
PID:3000 -
\??\c:\1dppv.exec:\1dppv.exe23⤵
- Executes dropped EXE
PID:1084 -
\??\c:\5ffllxr.exec:\5ffllxr.exe24⤵
- Executes dropped EXE
PID:1604 -
\??\c:\9xxrrll.exec:\9xxrrll.exe25⤵
- Executes dropped EXE
PID:2424 -
\??\c:\hbbhtb.exec:\hbbhtb.exe26⤵
- Executes dropped EXE
PID:1652 -
\??\c:\ppjvv.exec:\ppjvv.exe27⤵
- Executes dropped EXE
PID:1620 -
\??\c:\xrxxlfl.exec:\xrxxlfl.exe28⤵
- Executes dropped EXE
PID:2264 -
\??\c:\nhnbhn.exec:\nhnbhn.exe29⤵
- Executes dropped EXE
PID:1732 -
\??\c:\vvjpd.exec:\vvjpd.exe30⤵
- Executes dropped EXE
PID:888 -
\??\c:\ffxrrll.exec:\ffxrrll.exe31⤵
- Executes dropped EXE
PID:1628 -
\??\c:\9xxxffx.exec:\9xxxffx.exe32⤵
- Executes dropped EXE
PID:1552 -
\??\c:\nhnntt.exec:\nhnntt.exe33⤵
- Executes dropped EXE
PID:2156 -
\??\c:\1pjdj.exec:\1pjdj.exe34⤵
- Executes dropped EXE
PID:2204 -
\??\c:\ppdjv.exec:\ppdjv.exe35⤵
- Executes dropped EXE
PID:1924 -
\??\c:\9lffxxx.exec:\9lffxxx.exe36⤵
- Executes dropped EXE
PID:1780 -
\??\c:\7htbhn.exec:\7htbhn.exe37⤵
- Executes dropped EXE
PID:3056 -
\??\c:\htnntt.exec:\htnntt.exe38⤵
- Executes dropped EXE
PID:2792 -
\??\c:\5dvjj.exec:\5dvjj.exe39⤵
- Executes dropped EXE
PID:2832 -
\??\c:\vpjpp.exec:\vpjpp.exe40⤵
- Executes dropped EXE
PID:2660 -
\??\c:\1lrrlrl.exec:\1lrrlrl.exe41⤵
- Executes dropped EXE
PID:2556 -
\??\c:\bbbhth.exec:\bbbhth.exe42⤵
- Executes dropped EXE
PID:2532 -
\??\c:\bbnbnh.exec:\bbnbnh.exe43⤵
- Executes dropped EXE
PID:2656 -
\??\c:\nhnttb.exec:\nhnttb.exe44⤵
- Executes dropped EXE
PID:2552 -
\??\c:\9pvdp.exec:\9pvdp.exe45⤵
- Executes dropped EXE
PID:2980 -
\??\c:\lrfflrx.exec:\lrfflrx.exe46⤵
- Executes dropped EXE
PID:2996 -
\??\c:\7rlrfll.exec:\7rlrfll.exe47⤵
- Executes dropped EXE
PID:2060 -
\??\c:\5nthbn.exec:\5nthbn.exe48⤵
- Executes dropped EXE
PID:1680 -
\??\c:\hthtbt.exec:\hthtbt.exe49⤵
- Executes dropped EXE
PID:1940 -
\??\c:\jjjvp.exec:\jjjvp.exe50⤵
- Executes dropped EXE
PID:1796 -
\??\c:\xxlxfrf.exec:\xxlxfrf.exe51⤵
- Executes dropped EXE
PID:1928 -
\??\c:\lfxflrf.exec:\lfxflrf.exe52⤵
- Executes dropped EXE
PID:636 -
\??\c:\5nnbht.exec:\5nnbht.exe53⤵
- Executes dropped EXE
PID:1064 -
\??\c:\nnnhnh.exec:\nnnhnh.exe54⤵
- Executes dropped EXE
PID:1908 -
\??\c:\vvvjv.exec:\vvvjv.exe55⤵
- Executes dropped EXE
PID:2740 -
\??\c:\fxrxlrr.exec:\fxrxlrr.exe56⤵
- Executes dropped EXE
PID:2732 -
\??\c:\5xrlrlr.exec:\5xrlrlr.exe57⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2412 -
\??\c:\nttnht.exec:\nttnht.exe58⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2924 -
\??\c:\1dddd.exec:\1dddd.exe59⤵
- Executes dropped EXE
PID:1656 -
\??\c:\vjddj.exec:\vjddj.exe60⤵
- Executes dropped EXE
PID:1916 -
\??\c:\hbtthh.exec:\hbtthh.exe61⤵
- Executes dropped EXE
PID:684 -
\??\c:\ddvdd.exec:\ddvdd.exe62⤵
- Executes dropped EXE
PID:1396 -
\??\c:\vjpvv.exec:\vjpvv.exe63⤵
- Executes dropped EXE
PID:1800 -
\??\c:\rlrxffl.exec:\rlrxffl.exe64⤵
- Executes dropped EXE
PID:2316 -
\??\c:\lfrlxfr.exec:\lfrlxfr.exe65⤵
- Executes dropped EXE
PID:1768 -
\??\c:\hhnbnt.exec:\hhnbnt.exe66⤵PID:572
-
\??\c:\pjdpd.exec:\pjdpd.exe67⤵PID:2168
-
\??\c:\pjpvv.exec:\pjpvv.exe68⤵PID:1432
-
\??\c:\lxrrffl.exec:\lxrrffl.exe69⤵PID:1708
-
\??\c:\lxlrffr.exec:\lxlrffr.exe70⤵PID:1696
-
\??\c:\nnbtbt.exec:\nnbtbt.exe71⤵PID:3008
-
\??\c:\1tbttt.exec:\1tbttt.exe72⤵PID:2948
-
\??\c:\jdddd.exec:\jdddd.exe73⤵PID:2188
-
\??\c:\9rrxrxr.exec:\9rrxrxr.exe74⤵PID:3060
-
\??\c:\lflfffl.exec:\lflfffl.exe75⤵PID:2132
-
\??\c:\1ttbth.exec:\1ttbth.exe76⤵PID:2804
-
\??\c:\nhnntt.exec:\nhnntt.exe77⤵PID:2784
-
\??\c:\vpjpv.exec:\vpjpv.exe78⤵PID:2652
-
\??\c:\1dvvd.exec:\1dvvd.exe79⤵PID:2860
-
\??\c:\1rlxrrl.exec:\1rlxrrl.exe80⤵PID:3032
-
\??\c:\3ffrflr.exec:\3ffrflr.exe81⤵PID:2548
-
\??\c:\nhbhnn.exec:\nhbhnn.exe82⤵PID:2672
-
\??\c:\btbbbb.exec:\btbbbb.exe83⤵PID:2536
-
\??\c:\9pjjp.exec:\9pjjp.exe84⤵PID:1472
-
\??\c:\dvppj.exec:\dvppj.exe85⤵PID:1660
-
\??\c:\frxrrrx.exec:\frxrrrx.exe86⤵PID:2356
-
\??\c:\nbbhnh.exec:\nbbhnh.exe87⤵PID:788
-
\??\c:\ttnbtt.exec:\ttnbtt.exe88⤵PID:2744
-
\??\c:\dvvdp.exec:\dvvdp.exe89⤵PID:1940
-
\??\c:\vddvp.exec:\vddvp.exe90⤵PID:540
-
\??\c:\xllrxff.exec:\xllrxff.exe91⤵PID:1284
-
\??\c:\9fffllr.exec:\9fffllr.exe92⤵PID:1156
-
\??\c:\5bhntn.exec:\5bhntn.exe93⤵PID:1152
-
\??\c:\bthnbb.exec:\bthnbb.exe94⤵PID:2728
-
\??\c:\9pjdv.exec:\9pjdv.exe95⤵PID:2572
-
\??\c:\ddjdd.exec:\ddjdd.exe96⤵PID:2960
-
\??\c:\xfxllff.exec:\xfxllff.exe97⤵PID:2928
-
\??\c:\btbntt.exec:\btbntt.exe98⤵PID:2400
-
\??\c:\9bbhnn.exec:\9bbhnn.exe99⤵PID:1356
-
\??\c:\ddjjp.exec:\ddjjp.exe100⤵PID:396
-
\??\c:\vjddv.exec:\vjddv.exe101⤵PID:684
-
\??\c:\frrlrll.exec:\frrlrll.exe102⤵PID:1324
-
\??\c:\ttnttn.exec:\ttnttn.exe103⤵PID:1724
-
\??\c:\nbnntb.exec:\nbnntb.exe104⤵PID:1056
-
\??\c:\1pddd.exec:\1pddd.exe105⤵PID:872
-
\??\c:\jdpdp.exec:\jdpdp.exe106⤵PID:2484
-
\??\c:\lxllrll.exec:\lxllrll.exe107⤵
- System Location Discovery: System Language Discovery
PID:876 -
\??\c:\lfrllfl.exec:\lfrllfl.exe108⤵PID:2952
-
\??\c:\5tttbh.exec:\5tttbh.exe109⤵PID:2500
-
\??\c:\nnnhnh.exec:\nnnhnh.exe110⤵PID:2956
-
\??\c:\dvjpp.exec:\dvjpp.exe111⤵PID:2964
-
\??\c:\9rlffrx.exec:\9rlffrx.exe112⤵PID:2892
-
\??\c:\xrxflll.exec:\xrxflll.exe113⤵PID:2208
-
\??\c:\5nbhht.exec:\5nbhht.exe114⤵PID:1292
-
\??\c:\7thbbh.exec:\7thbbh.exe115⤵PID:2252
-
\??\c:\vpdpd.exec:\vpdpd.exe116⤵PID:2820
-
\??\c:\vpddp.exec:\vpddp.exe117⤵PID:2692
-
\??\c:\rrlllxf.exec:\rrlllxf.exe118⤵PID:2828
-
\??\c:\xlfxxfr.exec:\xlfxxfr.exe119⤵PID:2704
-
\??\c:\bhtbnt.exec:\bhtbnt.exe120⤵
- System Location Discovery: System Language Discovery
PID:2528 -
\??\c:\vvvjv.exec:\vvvjv.exe121⤵PID:2564
-
\??\c:\jjdjv.exec:\jjdjv.exe122⤵PID:3036
-