Analysis
-
max time kernel
120s -
max time network
125s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
17/10/2024, 16:54
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
99b5d2f3e5e39dd087dd218827cf4a2d0f7299400b7ba55d0c54940b9a734be4N.exe
Resource
win7-20240903-en
6 signatures
120 seconds
General
-
Target
99b5d2f3e5e39dd087dd218827cf4a2d0f7299400b7ba55d0c54940b9a734be4N.exe
-
Size
231KB
-
MD5
80881c1aa22234077a6289bbcff436c0
-
SHA1
704719568aa1693eba7ce8ed484d7d1dfc34702c
-
SHA256
99b5d2f3e5e39dd087dd218827cf4a2d0f7299400b7ba55d0c54940b9a734be4
-
SHA512
3861469de08e5528a824c36993646719f5b511babe5546f0f9ddbde09fee3cb2bf6eca8d441b8c435651f29f51376b640451c8b1bb15bf355c29738152b7aae0
-
SSDEEP
3072:ymb3NkkiQ3mdBjFo73PYP1lri3KoSV31x4xLjBeG+LV:n3C9BRo7MlrWKo+lxKk
Malware Config
Signatures
-
Detect Blackmoon payload 21 IoCs
resource yara_rule behavioral1/memory/2332-15-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2480-10-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/3024-25-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2152-35-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2652-45-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2856-63-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2708-77-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2156-89-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2596-110-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2512-120-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2748-129-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/1056-138-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/1032-146-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2792-156-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/1948-164-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2368-192-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/676-200-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/1964-246-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/1640-254-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2396-272-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2332-299-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2332 xrxlllx.exe 3024 tntnbb.exe 2152 1vvdj.exe 2652 htnhnh.exe 2856 pdvdp.exe 2708 rrlrfxf.exe 2156 5bttnn.exe 2560 5flffxx.exe 2596 1ttbbb.exe 2512 pjjvp.exe 2748 3fxfrrx.exe 1056 3thhnn.exe 1032 ppjjd.exe 2792 xlrlrrx.exe 1948 bnbntb.exe 1300 dvpjp.exe 2584 rxfxxlx.exe 2368 bnhntt.exe 676 7pvvv.exe 1652 vvppv.exe 3036 5flfllr.exe 1832 3nhhtn.exe 1088 9vjjp.exe 1964 lfxllfr.exe 1640 hbbhtn.exe 2172 1dpjp.exe 2396 rrfxxrf.exe 1752 pjvdj.exe 2480 flflrrx.exe 2332 thtttb.exe 1688 vpddj.exe 2640 fxlrfxf.exe 2192 btbhhn.exe 2176 vpjvd.exe 2964 vjjpp.exe 2552 1lxrrrx.exe 1860 9bthtt.exe 2708 htbbhh.exe 2828 jjdpd.exe 2624 jvddv.exe 2416 llxfrxr.exe 1716 lfrxxxl.exe 1732 nbttbh.exe 2512 bbtbhn.exe 336 vpvdp.exe 2364 frfrflr.exe 2768 fxxlxfr.exe 2752 nbnbnn.exe 1240 hhtbbt.exe 1772 9vvpj.exe 2260 dvpdv.exe 2076 7fxxrfr.exe 1280 1lxrxxf.exe 1788 bbbnhh.exe 2924 jjddj.exe 2940 jjjpd.exe 696 9xrxrxx.exe 1952 llfxlll.exe 920 tthtnt.exe 644 nnnbtt.exe 1480 pjjvd.exe 376 vvpdv.exe 2444 xrflxfr.exe 396 ttnttt.exe -
resource yara_rule behavioral1/memory/2332-15-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2480-10-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/3024-25-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2480-3-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2152-35-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2652-45-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2856-54-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2856-55-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2856-63-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2708-67-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2708-68-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2708-77-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2156-81-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2156-80-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2156-89-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2560-93-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2560-94-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2596-110-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2512-120-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2748-129-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1056-138-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1032-146-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2792-156-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1948-164-0x0000000000400000-0x0000000000429000-memory.dmp upx 
behavioral1/memory/2368-192-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/676-200-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1964-246-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1640-254-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2396-272-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2332-299-0x0000000000400000-0x0000000000429000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3vpvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llflxfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttnbnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7nhhnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1hnbbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhnttt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnthbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3bhhtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhhhtb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfrrxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7ffflrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bthnbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjjpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnthnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btthnn.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvpdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlxflrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frfflrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxllxxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfrxflr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjvvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2480 wrote to memory of 2332 2480 99b5d2f3e5e39dd087dd218827cf4a2d0f7299400b7ba55d0c54940b9a734be4N.exe 31 PID 2480 wrote to memory of 2332 2480 99b5d2f3e5e39dd087dd218827cf4a2d0f7299400b7ba55d0c54940b9a734be4N.exe 31 PID 2480 wrote to memory of 2332 2480 99b5d2f3e5e39dd087dd218827cf4a2d0f7299400b7ba55d0c54940b9a734be4N.exe 31 PID 2480 wrote to memory of 2332 2480 99b5d2f3e5e39dd087dd218827cf4a2d0f7299400b7ba55d0c54940b9a734be4N.exe 31 PID 2332 wrote to memory of 3024 2332 xrxlllx.exe 32 PID 2332 wrote to memory of 3024 2332 xrxlllx.exe 32 PID 2332 wrote to memory of 3024 2332 xrxlllx.exe 32 PID 2332 wrote to memory of 3024 2332 xrxlllx.exe 32 PID 3024 wrote to memory of 2152 3024 tntnbb.exe 33 PID 3024 wrote to memory of 2152 3024 tntnbb.exe 33 PID 3024 wrote to memory of 2152 3024 tntnbb.exe 33 PID 3024 wrote to memory of 2152 3024 tntnbb.exe 33 PID 2152 wrote to memory of 2652 2152 1vvdj.exe 34 PID 2152 wrote to memory of 2652 2152 1vvdj.exe 34 PID 2152 wrote to memory of 2652 2152 1vvdj.exe 34 PID 2152 wrote to memory of 2652 2152 1vvdj.exe 34 PID 2652 wrote to memory of 2856 2652 htnhnh.exe 35 PID 2652 wrote to memory of 2856 2652 htnhnh.exe 35 PID 2652 wrote to memory of 2856 2652 htnhnh.exe 35 PID 2652 wrote to memory of 2856 2652 htnhnh.exe 35 PID 2856 wrote to memory of 2708 2856 pdvdp.exe 36 PID 2856 wrote to memory of 2708 2856 pdvdp.exe 36 PID 2856 wrote to memory of 2708 2856 pdvdp.exe 36 PID 2856 wrote to memory of 2708 2856 pdvdp.exe 36 PID 2708 wrote to memory of 2156 2708 rrlrfxf.exe 37 PID 2708 wrote to memory of 2156 2708 rrlrfxf.exe 37 PID 2708 wrote to memory of 2156 2708 rrlrfxf.exe 37 PID 2708 wrote to memory of 2156 2708 rrlrfxf.exe 37 PID 2156 wrote to memory of 2560 2156 5bttnn.exe 38 PID 2156 wrote to memory of 2560 2156 5bttnn.exe 38 PID 2156 wrote to memory of 2560 2156 5bttnn.exe 38 PID 2156 wrote to memory of 2560 2156 5bttnn.exe 38 PID 2560 wrote to memory of 2596 2560 5flffxx.exe 39 PID 2560 
wrote to memory of 2596 2560 5flffxx.exe 39 PID 2560 wrote to memory of 2596 2560 5flffxx.exe 39 PID 2560 wrote to memory of 2596 2560 5flffxx.exe 39 PID 2596 wrote to memory of 2512 2596 1ttbbb.exe 40 PID 2596 wrote to memory of 2512 2596 1ttbbb.exe 40 PID 2596 wrote to memory of 2512 2596 1ttbbb.exe 40 PID 2596 wrote to memory of 2512 2596 1ttbbb.exe 40 PID 2512 wrote to memory of 2748 2512 pjjvp.exe 41 PID 2512 wrote to memory of 2748 2512 pjjvp.exe 41 PID 2512 wrote to memory of 2748 2512 pjjvp.exe 41 PID 2512 wrote to memory of 2748 2512 pjjvp.exe 41 PID 2748 wrote to memory of 1056 2748 3fxfrrx.exe 42 PID 2748 wrote to memory of 1056 2748 3fxfrrx.exe 42 PID 2748 wrote to memory of 1056 2748 3fxfrrx.exe 42 PID 2748 wrote to memory of 1056 2748 3fxfrrx.exe 42 PID 1056 wrote to memory of 1032 1056 3thhnn.exe 43 PID 1056 wrote to memory of 1032 1056 3thhnn.exe 43 PID 1056 wrote to memory of 1032 1056 3thhnn.exe 43 PID 1056 wrote to memory of 1032 1056 3thhnn.exe 43 PID 1032 wrote to memory of 2792 1032 ppjjd.exe 44 PID 1032 wrote to memory of 2792 1032 ppjjd.exe 44 PID 1032 wrote to memory of 2792 1032 ppjjd.exe 44 PID 1032 wrote to memory of 2792 1032 ppjjd.exe 44 PID 2792 wrote to memory of 1948 2792 xlrlrrx.exe 45 PID 2792 wrote to memory of 1948 2792 xlrlrrx.exe 45 PID 2792 wrote to memory of 1948 2792 xlrlrrx.exe 45 PID 2792 wrote to memory of 1948 2792 xlrlrrx.exe 45 PID 1948 wrote to memory of 1300 1948 bnbntb.exe 46 PID 1948 wrote to memory of 1300 1948 bnbntb.exe 46 PID 1948 wrote to memory of 1300 1948 bnbntb.exe 46 PID 1948 wrote to memory of 1300 1948 bnbntb.exe 46
Processes
-
C:\Users\Admin\AppData\Local\Temp\99b5d2f3e5e39dd087dd218827cf4a2d0f7299400b7ba55d0c54940b9a734be4N.exe"C:\Users\Admin\AppData\Local\Temp\99b5d2f3e5e39dd087dd218827cf4a2d0f7299400b7ba55d0c54940b9a734be4N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2480 -
\??\c:\xrxlllx.exec:\xrxlllx.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2332 -
\??\c:\tntnbb.exec:\tntnbb.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3024 -
\??\c:\1vvdj.exec:\1vvdj.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2152 -
\??\c:\htnhnh.exec:\htnhnh.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2652 -
\??\c:\pdvdp.exec:\pdvdp.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2856 -
\??\c:\rrlrfxf.exec:\rrlrfxf.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2708 -
\??\c:\5bttnn.exec:\5bttnn.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2156 -
\??\c:\5flffxx.exec:\5flffxx.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2560 -
\??\c:\1ttbbb.exec:\1ttbbb.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2596 -
\??\c:\pjjvp.exec:\pjjvp.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2512 -
\??\c:\3fxfrrx.exec:\3fxfrrx.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2748 -
\??\c:\3thhnn.exec:\3thhnn.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1056 -
\??\c:\ppjjd.exec:\ppjjd.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1032 -
\??\c:\xlrlrrx.exec:\xlrlrrx.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2792 -
\??\c:\bnbntb.exec:\bnbntb.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1948 -
\??\c:\dvpjp.exec:\dvpjp.exe17⤵
- Executes dropped EXE
PID:1300 -
\??\c:\rxfxxlx.exec:\rxfxxlx.exe18⤵
- Executes dropped EXE
PID:2584 -
\??\c:\bnhntt.exec:\bnhntt.exe19⤵
- Executes dropped EXE
PID:2368 -
\??\c:\7pvvv.exec:\7pvvv.exe20⤵
- Executes dropped EXE
PID:676 -
\??\c:\vvppv.exec:\vvppv.exe21⤵
- Executes dropped EXE
PID:1652 -
\??\c:\5flfllr.exec:\5flfllr.exe22⤵
- Executes dropped EXE
PID:3036 -
\??\c:\3nhhtn.exec:\3nhhtn.exe23⤵
- Executes dropped EXE
PID:1832 -
\??\c:\9vjjp.exec:\9vjjp.exe24⤵
- Executes dropped EXE
PID:1088 -
\??\c:\lfxllfr.exec:\lfxllfr.exe25⤵
- Executes dropped EXE
PID:1964 -
\??\c:\hbbhtn.exec:\hbbhtn.exe26⤵
- Executes dropped EXE
PID:1640 -
\??\c:\1dpjp.exec:\1dpjp.exe27⤵
- Executes dropped EXE
PID:2172 -
\??\c:\rrfxxrf.exec:\rrfxxrf.exe28⤵
- Executes dropped EXE
PID:2396 -
\??\c:\pjvdj.exec:\pjvdj.exe29⤵
- Executes dropped EXE
PID:1752 -
\??\c:\flflrrx.exec:\flflrrx.exe30⤵
- Executes dropped EXE
PID:2480 -
\??\c:\thtttb.exec:\thtttb.exe31⤵
- Executes dropped EXE
PID:2332 -
\??\c:\vpddj.exec:\vpddj.exe32⤵
- Executes dropped EXE
PID:1688 -
\??\c:\fxlrfxf.exec:\fxlrfxf.exe33⤵
- Executes dropped EXE
PID:2640 -
\??\c:\btbhhn.exec:\btbhhn.exe34⤵
- Executes dropped EXE
PID:2192 -
\??\c:\vpjvd.exec:\vpjvd.exe35⤵
- Executes dropped EXE
PID:2176 -
\??\c:\vjjpp.exec:\vjjpp.exe36⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2964 -
\??\c:\1lxrrrx.exec:\1lxrrrx.exe37⤵
- Executes dropped EXE
PID:2552 -
\??\c:\9bthtt.exec:\9bthtt.exe38⤵
- Executes dropped EXE
PID:1860 -
\??\c:\htbbhh.exec:\htbbhh.exe39⤵
- Executes dropped EXE
PID:2708 -
\??\c:\jjdpd.exec:\jjdpd.exe40⤵
- Executes dropped EXE
PID:2828 -
\??\c:\jvddv.exec:\jvddv.exe41⤵
- Executes dropped EXE
PID:2624 -
\??\c:\llxfrxr.exec:\llxfrxr.exe42⤵
- Executes dropped EXE
PID:2416 -
\??\c:\lfrxxxl.exec:\lfrxxxl.exe43⤵
- Executes dropped EXE
PID:1716 -
\??\c:\nbttbh.exec:\nbttbh.exe44⤵
- Executes dropped EXE
PID:1732 -
\??\c:\bbtbhn.exec:\bbtbhn.exe45⤵
- Executes dropped EXE
PID:2512 -
\??\c:\vpvdp.exec:\vpvdp.exe46⤵
- Executes dropped EXE
PID:336 -
\??\c:\frfrflr.exec:\frfrflr.exe47⤵
- Executes dropped EXE
PID:2364 -
\??\c:\fxxlxfr.exec:\fxxlxfr.exe48⤵
- Executes dropped EXE
PID:2768 -
\??\c:\nbnbnn.exec:\nbnbnn.exe49⤵
- Executes dropped EXE
PID:2752 -
\??\c:\hhtbbt.exec:\hhtbbt.exe50⤵
- Executes dropped EXE
PID:1240 -
\??\c:\9vvpj.exec:\9vvpj.exe51⤵
- Executes dropped EXE
PID:1772 -
\??\c:\dvpdv.exec:\dvpdv.exe52⤵
- Executes dropped EXE
PID:2260 -
\??\c:\7fxxrfr.exec:\7fxxrfr.exe53⤵
- Executes dropped EXE
PID:2076 -
\??\c:\1lxrxxf.exec:\1lxrxxf.exe54⤵
- Executes dropped EXE
PID:1280 -
\??\c:\bbbnhh.exec:\bbbnhh.exe55⤵
- Executes dropped EXE
PID:1788 -
\??\c:\jjddj.exec:\jjddj.exe56⤵
- Executes dropped EXE
PID:2924 -
\??\c:\jjjpd.exec:\jjjpd.exe57⤵
- Executes dropped EXE
PID:2940 -
\??\c:\9xrxrxx.exec:\9xrxrxx.exe58⤵
- Executes dropped EXE
PID:696 -
\??\c:\llfxlll.exec:\llfxlll.exe59⤵
- Executes dropped EXE
PID:1952 -
\??\c:\tthtnt.exec:\tthtnt.exe60⤵
- Executes dropped EXE
PID:920 -
\??\c:\nnnbtt.exec:\nnnbtt.exe61⤵
- Executes dropped EXE
PID:644 -
\??\c:\pjjvd.exec:\pjjvd.exe62⤵
- Executes dropped EXE
PID:1480 -
\??\c:\vvpdv.exec:\vvpdv.exe63⤵
- Executes dropped EXE
PID:376 -
\??\c:\xrflxfr.exec:\xrflxfr.exe64⤵
- Executes dropped EXE
PID:2444 -
\??\c:\ttnttt.exec:\ttnttt.exe65⤵
- Executes dropped EXE
PID:396 -
\??\c:\nhbtnn.exec:\nhbtnn.exe66⤵PID:2396
-
\??\c:\9vjvj.exec:\9vjvj.exe67⤵PID:1680
-
\??\c:\vppvv.exec:\vppvv.exe68⤵PID:536
-
\??\c:\ffrflxl.exec:\ffrflxl.exe69⤵PID:1564
-
\??\c:\xxrxflf.exec:\xxrxflf.exe70⤵PID:2468
-
\??\c:\hbhtnn.exec:\hbhtnn.exe71⤵PID:3016
-
\??\c:\dvpdj.exec:\dvpdj.exe72⤵PID:2640
-
\??\c:\vpppd.exec:\vpppd.exe73⤵PID:2876
-
\??\c:\9rlfffx.exec:\9rlfffx.exe74⤵PID:2704
-
\??\c:\7fflxfr.exec:\7fflxfr.exe75⤵PID:856
-
\??\c:\hbnbnh.exec:\hbnbnh.exe76⤵PID:2960
-
\??\c:\ddpvd.exec:\ddpvd.exe77⤵PID:2672
-
\??\c:\7jjvd.exec:\7jjvd.exe78⤵PID:2556
-
\??\c:\5rlrxxf.exec:\5rlrxxf.exe79⤵PID:2660
-
\??\c:\fxfllrr.exec:\fxfllrr.exe80⤵PID:2668
-
\??\c:\7nbnbn.exec:\7nbnbn.exe81⤵PID:2416
-
\??\c:\vpjvp.exec:\vpjvp.exe82⤵PID:2776
-
\??\c:\jdjpp.exec:\jdjpp.exe83⤵PID:1492
-
\??\c:\rllxxlx.exec:\rllxxlx.exe84⤵PID:596
-
\??\c:\llrxfll.exec:\llrxfll.exe85⤵PID:532
-
\??\c:\3tnhtb.exec:\3tnhtb.exe86⤵PID:2784
-
\??\c:\7pvpv.exec:\7pvpv.exe87⤵PID:2916
-
\??\c:\pjpvd.exec:\pjpvd.exe88⤵PID:2108
-
\??\c:\frflrrl.exec:\frflrrl.exe89⤵PID:2040
-
\??\c:\rrfxlrf.exec:\rrfxlrf.exe90⤵PID:824
-
\??\c:\nnthtt.exec:\nnthtt.exe91⤵PID:2136
-
\??\c:\1jdjv.exec:\1jdjv.exe92⤵PID:2476
-
\??\c:\9dpvp.exec:\9dpvp.exe93⤵PID:1816
-
\??\c:\xrffrxl.exec:\xrffrxl.exe94⤵PID:1624
-
\??\c:\rlllllx.exec:\rlllllx.exe95⤵PID:2948
-
\??\c:\3bthtt.exec:\3bthtt.exe96⤵PID:2932
-
\??\c:\htbttn.exec:\htbttn.exe97⤵PID:960
-
\??\c:\jdddd.exec:\jdddd.exe98⤵PID:2500
-
\??\c:\llxlxlf.exec:\llxlxlf.exe99⤵PID:1868
-
\??\c:\xxllffr.exec:\xxllffr.exe100⤵PID:1380
-
\??\c:\bthbhn.exec:\bthbhn.exe101⤵PID:1704
-
\??\c:\dvjvj.exec:\dvjvj.exe102⤵PID:2344
-
\??\c:\dvdjp.exec:\dvdjp.exe103⤵PID:2308
-
\??\c:\lfxfxfl.exec:\lfxfxfl.exe104⤵PID:2996
-
\??\c:\lfflfrx.exec:\lfflfrx.exe105⤵PID:1752
-
\??\c:\7bnbtt.exec:\7bnbtt.exe106⤵PID:2460
-
\??\c:\1jdjv.exec:\1jdjv.exe107⤵PID:1580
-
\??\c:\3jdjd.exec:\3jdjd.exe108⤵PID:1052
-
\??\c:\fxllflx.exec:\fxllflx.exe109⤵PID:2432
-
\??\c:\lfxfflx.exec:\lfxfflx.exe110⤵PID:2228
-
\??\c:\tbttbb.exec:\tbttbb.exe111⤵PID:2736
-
\??\c:\dpdjd.exec:\dpdjd.exe112⤵PID:2176
-
\??\c:\xxlxrrf.exec:\xxlxrrf.exe113⤵PID:2964
-
\??\c:\fxxfrrl.exec:\fxxfrrl.exe114⤵PID:2552
-
\??\c:\bbbhtt.exec:\bbbhtt.exe115⤵PID:2664
-
\??\c:\ttnbhn.exec:\ttnbhn.exe116⤵PID:2708
-
\??\c:\pjjvp.exec:\pjjvp.exe117⤵PID:1312
-
\??\c:\ffxfllr.exec:\ffxfllr.exe118⤵PID:2828
-
\??\c:\1lfflrf.exec:\1lfflrf.exe119⤵PID:2392
-
\??\c:\tnhtbb.exec:\tnhtbb.exe120⤵PID:1716
-
\??\c:\3dvdd.exec:\3dvdd.exe121⤵PID:1764
-
\??\c:\dvpdv.exec:\dvpdv.exe122⤵PID:2512
-