Analysis
-
max time kernel
120s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
17/10/2024, 13:37
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
db165ebd56453dd365534af7bd38970ad903cf4851a7356bce9a3bd1671e9c87N.exe
Resource
win7-20240903-en
6 signatures
120 seconds
General
-
Target
db165ebd56453dd365534af7bd38970ad903cf4851a7356bce9a3bd1671e9c87N.exe
-
Size
66KB
-
MD5
1c92d3d625902c12c664fa6e4740d560
-
SHA1
da1f88e951cdacc56e3df95a3df4aea8c934170a
-
SHA256
db165ebd56453dd365534af7bd38970ad903cf4851a7356bce9a3bd1671e9c87
-
SHA512
61ba8905cbd610725ddd2c6007cae9f63690631464988f85e721ca23ba409a34865ff0288a11982ed89de652b50ba6ea1094fbff3551f4997e096e2a27d6445a
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxND0yU+kbxes:ymb3NkkiQ3mdBjF0y7kbUs
Malware Config
Signatures
-
Detect Blackmoon payload 21 IoCs
Executes dropped EXE 64 IoCs
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\db165ebd56453dd365534af7bd38970ad903cf4851a7356bce9a3bd1671e9c87N.exe"C:\Users\Admin\AppData\Local\Temp\db165ebd56453dd365534af7bd38970ad903cf4851a7356bce9a3bd1671e9c87N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2772 -
\??\c:\vpvvv.exec:\vpvvv.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2820 -
\??\c:\7rxlxlx.exec:\7rxlxlx.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2408 -
\??\c:\lfrfxxl.exec:\lfrfxxl.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2576 -
\??\c:\bnbhnn.exec:\bnbhnn.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2804 -
\??\c:\1ppdv.exec:\1ppdv.exe6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2620 -
\??\c:\pjdjd.exec:\pjdjd.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1840 -
\??\c:\fxxrflx.exec:\fxxrflx.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1668 -
\??\c:\rlxflrx.exec:\rlxflrx.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2636 -
\??\c:\3vpvd.exec:\3vpvd.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2392 -
\??\c:\lfrxffr.exec:\lfrxffr.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2384 -
\??\c:\xrxrfrx.exec:\xrxrfrx.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2052 -
\??\c:\tnbtbh.exec:\tnbtbh.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:828 -
\??\c:\1jpdv.exec:\1jpdv.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1408 -
\??\c:\jdpvd.exec:\jdpvd.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2608 -
\??\c:\1rfrflr.exec:\1rfrflr.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:832 -
\??\c:\btbbnn.exec:\btbbnn.exe17⤵
- Executes dropped EXE
PID:2956 -
\??\c:\9ttbhh.exec:\9ttbhh.exe18⤵
- Executes dropped EXE
PID:2220 -
\??\c:\jdvpv.exec:\jdvpv.exe19⤵
- Executes dropped EXE
PID:2140 -
\??\c:\7xxlxlf.exec:\7xxlxlf.exe20⤵
- Executes dropped EXE
PID:2252 -
\??\c:\1bhhnt.exec:\1bhhnt.exe21⤵
- Executes dropped EXE
PID:448 -
\??\c:\hbnbhh.exec:\hbnbhh.exe22⤵
- Executes dropped EXE
PID:1584 -
\??\c:\jvppd.exec:\jvppd.exe23⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1580 -
\??\c:\dvjvd.exec:\dvjvd.exe24⤵
- Executes dropped EXE
PID:2492 -
\??\c:\lfxlrrf.exec:\lfxlrrf.exe25⤵
- Executes dropped EXE
PID:948 -
\??\c:\xrrxffx.exec:\xrrxffx.exe26⤵
- Executes dropped EXE
PID:2152 -
\??\c:\tnbhnh.exec:\tnbhnh.exe27⤵
- Executes dropped EXE
PID:2328 -
\??\c:\vpjjp.exec:\vpjjp.exe28⤵
- Executes dropped EXE
PID:1432 -
\??\c:\5jjpp.exec:\5jjpp.exe29⤵
- Executes dropped EXE
PID:2272 -
\??\c:\lxllrrr.exec:\lxllrrr.exe30⤵
- Executes dropped EXE
PID:892 -
\??\c:\rrlrlrx.exec:\rrlrlrx.exe31⤵
- Executes dropped EXE
PID:2104 -
\??\c:\tnhhhh.exec:\tnhhhh.exe32⤵
- Executes dropped EXE
PID:2676 -
\??\c:\bnnnbt.exec:\bnnnbt.exe33⤵
- Executes dropped EXE
PID:2932 -
\??\c:\jvjjp.exec:\jvjjp.exe34⤵
- Executes dropped EXE
PID:2764 -
\??\c:\dvdjp.exec:\dvdjp.exe35⤵
- Executes dropped EXE
PID:3036 -
\??\c:\5frflrx.exec:\5frflrx.exe36⤵
- Executes dropped EXE
PID:1516 -
\??\c:\1rlrxxf.exec:\1rlrxxf.exe37⤵
- Executes dropped EXE
PID:2568 -
\??\c:\nnbhbt.exec:\nnbhbt.exe38⤵
- Executes dropped EXE
PID:2716 -
\??\c:\hhbhtt.exec:\hhbhtt.exe39⤵
- Executes dropped EXE
PID:2336 -
\??\c:\jdpjd.exec:\jdpjd.exe40⤵
- Executes dropped EXE
PID:2344 -
\??\c:\vpdjj.exec:\vpdjj.exe41⤵
- Executes dropped EXE
PID:2884 -
\??\c:\vvppj.exec:\vvppj.exe42⤵
- Executes dropped EXE
PID:1876 -
\??\c:\xxlrlxl.exec:\xxlrlxl.exe43⤵
- Executes dropped EXE
PID:2868 -
\??\c:\1fffllx.exec:\1fffllx.exe44⤵
- Executes dropped EXE
PID:536 -
\??\c:\nhtnhh.exec:\nhtnhh.exe45⤵
- Executes dropped EXE
PID:2392 -
\??\c:\vppjv.exec:\vppjv.exe46⤵
- Executes dropped EXE
PID:1004 -
\??\c:\pjdjp.exec:\pjdjp.exe47⤵
- Executes dropped EXE
PID:1040 -
\??\c:\5pjdj.exec:\5pjdj.exe48⤵
- Executes dropped EXE
PID:1208 -
\??\c:\xxrflrf.exec:\xxrflrf.exe49⤵
- Executes dropped EXE
PID:664 -
\??\c:\7flllxx.exec:\7flllxx.exe50⤵
- Executes dropped EXE
PID:1408 -
\??\c:\hbbhbh.exec:\hbbhbh.exe51⤵
- Executes dropped EXE
PID:1824 -
\??\c:\nbbhtt.exec:\nbbhtt.exe52⤵
- Executes dropped EXE
PID:1924 -
\??\c:\3jdjv.exec:\3jdjv.exe53⤵
- Executes dropped EXE
PID:316 -
\??\c:\djvvd.exec:\djvvd.exe54⤵
- Executes dropped EXE
PID:2840 -
\??\c:\1ffxrfx.exec:\1ffxrfx.exe55⤵
- Executes dropped EXE
PID:568 -
\??\c:\7rllrrx.exec:\7rllrrx.exe56⤵
- Executes dropped EXE
PID:884 -
\??\c:\5tnbhn.exec:\5tnbhn.exe57⤵
- Executes dropped EXE
PID:1640 -
\??\c:\bntntt.exec:\bntntt.exe58⤵
- Executes dropped EXE
PID:2108 -
\??\c:\dvdpv.exec:\dvdpv.exe59⤵
- Executes dropped EXE
PID:1540 -
\??\c:\xlxllrr.exec:\xlxllrr.exe60⤵
- Executes dropped EXE
PID:1780 -
\??\c:\xrlrxxf.exec:\xrlrxxf.exe61⤵
- Executes dropped EXE
PID:1828 -
\??\c:\rxxfllf.exec:\rxxfllf.exe62⤵
- Executes dropped EXE
PID:980 -
\??\c:\3ttnbh.exec:\3ttnbh.exe63⤵
- Executes dropped EXE
PID:948 -
\??\c:\vdjvv.exec:\vdjvv.exe64⤵
- Executes dropped EXE
PID:1352 -
\??\c:\vpjpp.exec:\vpjpp.exe65⤵
- Executes dropped EXE
PID:2276 -
\??\c:\lfrfflx.exec:\lfrfflx.exe66⤵PID:1676
-
\??\c:\5xxllll.exec:\5xxllll.exe67⤵PID:1724
-
\??\c:\hnbhht.exec:\hnbhht.exe68⤵PID:1836
-
\??\c:\tnbntb.exec:\tnbntb.exe69⤵PID:2996
-
\??\c:\7jdvp.exec:\7jdvp.exe70⤵PID:3000
-
\??\c:\jdvjd.exec:\jdvjd.exe71⤵PID:2948
-
\??\c:\fxflrfl.exec:\fxflrfl.exe72⤵PID:2128
-
\??\c:\lfxrrrx.exec:\lfxrrrx.exe73⤵PID:2796
-
\??\c:\btntbh.exec:\btntbh.exe74⤵PID:2100
-
\??\c:\htnntb.exec:\htnntb.exe75⤵PID:2552
-
\??\c:\jvvpv.exec:\jvvpv.exe76⤵PID:2804
-
\??\c:\vpjjp.exec:\vpjjp.exe77⤵PID:2620
-
\??\c:\xlxfffl.exec:\xlxfffl.exe78⤵PID:1392
-
\??\c:\lxxfxfx.exec:\lxxfxfx.exe79⤵PID:1784
-
\??\c:\tthnnn.exec:\tthnnn.exe80⤵PID:1224
-
\??\c:\jddvj.exec:\jddvj.exe81⤵PID:2904
-
\??\c:\jdpdv.exec:\jdpdv.exe82⤵PID:2880
-
\??\c:\fxllxxr.exec:\fxllxxr.exe83⤵PID:544
-
\??\c:\ffrfrxf.exec:\ffrfrxf.exe84⤵PID:1932
-
\??\c:\btbbhn.exec:\btbbhn.exe85⤵PID:1188
-
\??\c:\pppdj.exec:\pppdj.exe86⤵PID:476
-
\??\c:\vpdvp.exec:\vpdvp.exe87⤵PID:1900
-
\??\c:\xrlrflr.exec:\xrlrflr.exe88⤵PID:2836
-
\??\c:\9bnhnb.exec:\9bnhnb.exe89⤵
- System Location Discovery: System Language Discovery
PID:1660 -
\??\c:\hbntbt.exec:\hbntbt.exe90⤵PID:2608
-
\??\c:\jdjpv.exec:\jdjpv.exe91⤵PID:2532
-
\??\c:\7dddd.exec:\7dddd.exe92⤵PID:2956
-
\??\c:\fxrxffr.exec:\fxrxffr.exe93⤵PID:2112
-
\??\c:\xlxffxf.exec:\xlxffxf.exe94⤵PID:2220
-
\??\c:\btthtb.exec:\btthtb.exe95⤵PID:2352
-
\??\c:\5nnnhh.exec:\5nnnhh.exe96⤵PID:1108
-
\??\c:\jvpdd.exec:\jvpdd.exe97⤵PID:1100
-
\??\c:\ppjvj.exec:\ppjvj.exe98⤵PID:1256
-
\??\c:\fxrrxfl.exec:\fxrrxfl.exe99⤵PID:668
-
\??\c:\3nnhnh.exec:\3nnhnh.exe100⤵PID:844
-
\??\c:\ttbhnn.exec:\ttbhnn.exe101⤵PID:932
-
\??\c:\vpppv.exec:\vpppv.exe102⤵PID:1700
-
\??\c:\vpvdv.exec:\vpvdv.exe103⤵PID:1476
-
\??\c:\dppdd.exec:\dppdd.exe104⤵PID:2968
-
\??\c:\rlflrxf.exec:\rlflrxf.exe105⤵PID:2156
-
\??\c:\5fxxxxx.exec:\5fxxxxx.exe106⤵PID:2272
-
\??\c:\3ttbnb.exec:\3ttbnb.exe107⤵PID:3052
-
\??\c:\3hthtt.exec:\3hthtt.exe108⤵PID:880
-
\??\c:\ppjvj.exec:\ppjvj.exe109⤵PID:2772
-
\??\c:\pdpdj.exec:\pdpdj.exe110⤵PID:2788
-
\??\c:\rlffxxf.exec:\rlffxxf.exe111⤵PID:2440
-
\??\c:\rlrxlrf.exec:\rlrxlrf.exe112⤵PID:2728
-
\??\c:\llffllr.exec:\llffllr.exe113⤵PID:2572
-
\??\c:\nbtbhn.exec:\nbtbhn.exe114⤵PID:2548
-
\??\c:\nhtttt.exec:\nhtttt.exe115⤵PID:1524
-
\??\c:\jdvvv.exec:\jdvvv.exe116⤵PID:2432
-
\??\c:\pjdjp.exec:\pjdjp.exe117⤵PID:3032
-
\??\c:\lxlllll.exec:\lxlllll.exe118⤵PID:2336
-
\??\c:\3fflrlr.exec:\3fflrlr.exe119⤵PID:2876
-
\??\c:\lxffrrx.exec:\lxffrrx.exe120⤵PID:2896
-
\??\c:\bthntb.exec:\bthntb.exe121⤵PID:2860
-
\??\c:\1btthb.exec:\1btthb.exe122⤵PID:2268