Analysis
-
max time kernel
120s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
18/10/2024, 17:35
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
198cf36859ff38a88963f37737c8748f5a3aabd9d7a6b0b3c94e12e49ac2d311N.exe
Resource
win7-20240903-en
5 signatures
120 seconds
General
-
Target
198cf36859ff38a88963f37737c8748f5a3aabd9d7a6b0b3c94e12e49ac2d311N.exe
-
Size
51KB
-
MD5
5b8bf7213d1e02668211437da3532190
-
SHA1
71148a1485f39bebd3c9bee7fd42a17ead74fb8b
-
SHA256
198cf36859ff38a88963f37737c8748f5a3aabd9d7a6b0b3c94e12e49ac2d311
-
SHA512
5fd74d6fbc7e04bcb4aaff01a6a10b37293b71d779ff51a0823364816bdf553637b3cb770b39f6dca0c6a8dac9f273a930818353be52ca70b1ac17c66577c95e
-
SSDEEP
1536:mAocdpeVoBDulhzHMb7xNAa04Mcg5IKvXC:0cdpeeBSHHMHLf9RyIKC
Malware Config
Signatures
-
Detect Blackmoon payload 50 IoCs
resource yara_rule behavioral1/memory/2260-7-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2676-18-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2688-27-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2540-32-0x0000000000220000-0x0000000000249000-memory.dmp family_blackmoon behavioral1/memory/2540-38-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2560-47-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2260-46-0x0000000000220000-0x0000000000249000-memory.dmp family_blackmoon behavioral1/memory/2564-60-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2700-58-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2564-67-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2144-75-0x0000000000220000-0x0000000000249000-memory.dmp family_blackmoon behavioral1/memory/2144-78-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/648-86-0x00000000002C0000-0x00000000002E9000-memory.dmp family_blackmoon behavioral1/memory/648-87-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2096-103-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2572-100-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/1684-120-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/648-127-0x00000000002C0000-0x00000000002E9000-memory.dmp family_blackmoon behavioral1/memory/2776-153-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2336-188-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2488-196-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon 
behavioral1/memory/1160-206-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2052-233-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2052-232-0x0000000000220000-0x0000000000249000-memory.dmp family_blackmoon behavioral1/memory/1632-250-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/696-260-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2616-285-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/1352-315-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2780-321-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/1584-335-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2544-342-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2596-349-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2140-357-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2128-377-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2108-385-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2168-443-0x00000000003C0000-0x00000000003E9000-memory.dmp family_blackmoon behavioral1/memory/1904-445-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2060-461-0x00000000001B0000-0x00000000001D9000-memory.dmp family_blackmoon behavioral1/memory/1240-555-0x0000000000220000-0x0000000000249000-memory.dmp family_blackmoon behavioral1/memory/2536-615-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2932-635-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/484-669-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon 
behavioral1/memory/1000-681-0x00000000001B0000-0x00000000001D9000-memory.dmp family_blackmoon behavioral1/memory/2236-708-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/592-936-0x0000000000220000-0x0000000000249000-memory.dmp family_blackmoon behavioral1/memory/1856-1034-0x0000000000220000-0x0000000000249000-memory.dmp family_blackmoon behavioral1/memory/2960-1083-0x0000000000220000-0x0000000000249000-memory.dmp family_blackmoon behavioral1/memory/2796-1096-0x0000000000220000-0x0000000000249000-memory.dmp family_blackmoon behavioral1/memory/2748-1109-0x00000000002C0000-0x00000000002E9000-memory.dmp family_blackmoon behavioral1/memory/2796-1116-0x0000000000220000-0x0000000000249000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2676 xfxlrll.exe 2688 ddpvv.exe 2540 djdjp.exe 2560 3rlllxr.exe 2700 hhtbhn.exe 2564 ddvjp.exe 2144 xflflxx.exe 648 nnhnbh.exe 2572 pdvvd.exe 2096 5xrrflr.exe 2232 9rlllrr.exe 1684 hbhntn.exe 1000 bbnhhn.exe 808 vvddd.exe 2776 xxllllx.exe 292 hhtthn.exe 1904 hhtbhh.exe 1780 3jpvj.exe 2336 xrllrrx.exe 2488 lfrrxlx.exe 1160 nththh.exe 916 9pjpd.exe 1628 pjjvv.exe 2052 xxrlrxl.exe 1712 bththb.exe 1632 nhtttt.exe 696 vpddd.exe 1396 ttnhbn.exe 2960 3hnnnt.exe 2616 1vpjv.exe 2744 pvjpd.exe 2804 ffrffrx.exe 2788 nnnnbb.exe 1352 bbnbhn.exe 2780 djdvj.exe 2872 djdpp.exe 1584 lrlxrfx.exe 2544 tttbnn.exe 2596 7tbbbh.exe 2140 jdpdj.exe 2920 ffflxlr.exe 2160 fflfxlx.exe 2128 bbnbht.exe 2108 ttbhnb.exe 864 pppjv.exe 2012 7xlrrff.exe 1052 llflrrx.exe 1900 thttbb.exe 2900 htbnbh.exe 2740 jdjjv.exe 1072 frxxffr.exe 1332 rxrxlxl.exe 2168 hnbtht.exe 1904 9bnbht.exe 2360 jvvvd.exe 2060 dvvdp.exe 1908 xfrfffl.exe 2176 5thtnh.exe 1384 nbttbb.exe 1748 dvpjd.exe 924 jjpvv.exe 1648 3fxlrxf.exe 2028 9lxflrx.exe 1644 tnhtbb.exe -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9jdvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrlrflx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdpvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfxrffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffffrlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdvdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process 
not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxllrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5djjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1dvdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnhtnt.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2260 wrote to memory of 2676 2260 198cf36859ff38a88963f37737c8748f5a3aabd9d7a6b0b3c94e12e49ac2d311N.exe 30 PID 2260 wrote to memory of 2676 2260 198cf36859ff38a88963f37737c8748f5a3aabd9d7a6b0b3c94e12e49ac2d311N.exe 30 PID 2260 wrote to memory of 2676 2260 198cf36859ff38a88963f37737c8748f5a3aabd9d7a6b0b3c94e12e49ac2d311N.exe 30 PID 2260 wrote to memory of 2676 2260 198cf36859ff38a88963f37737c8748f5a3aabd9d7a6b0b3c94e12e49ac2d311N.exe 30 PID 2676 wrote to memory of 2688 2676 xfxlrll.exe 31 PID 2676 wrote to memory of 2688 2676 xfxlrll.exe 31 PID 2676 wrote to memory of 2688 2676 xfxlrll.exe 31 PID 2676 wrote to memory of 2688 2676 xfxlrll.exe 31 PID 2688 wrote to memory of 2540 2688 ddpvv.exe 32 PID 2688 wrote to memory of 2540 2688 ddpvv.exe 32 PID 2688 wrote to memory of 2540 2688 ddpvv.exe 32 PID 2688 wrote to memory of 2540 2688 ddpvv.exe 32 PID 2540 wrote to memory of 2560 2540 djdjp.exe 33 PID 2540 wrote to memory of 2560 2540 djdjp.exe 33 PID 2540 wrote to memory of 2560 2540 djdjp.exe 33 PID 2540 wrote to memory of 2560 2540 djdjp.exe 33 PID 2560 wrote to memory of 2700 2560 3rlllxr.exe 34 PID 2560 wrote to memory of 2700 2560 3rlllxr.exe 34 PID 2560 wrote to memory of 2700 2560 3rlllxr.exe 34 PID 2560 wrote to memory of 2700 2560 3rlllxr.exe 34 PID 2700 wrote to memory of 2564 2700 hhtbhn.exe 35 PID 2700 wrote to memory of 2564 2700 hhtbhn.exe 35 PID 2700 wrote to memory of 2564 2700 hhtbhn.exe 35 PID 2700 wrote to memory of 2564 2700 hhtbhn.exe 35 PID 2564 wrote to memory of 2144 2564 ddvjp.exe 36 PID 2564 wrote to memory of 2144 2564 ddvjp.exe 36 PID 2564 wrote to memory of 2144 2564 ddvjp.exe 36 PID 2564 wrote to memory of 2144 2564 ddvjp.exe 36 PID 2144 wrote to memory of 648 2144 xflflxx.exe 37 PID 2144 wrote to memory of 648 2144 xflflxx.exe 37 PID 2144 wrote to memory of 648 2144 xflflxx.exe 37 PID 2144 wrote to memory of 648 2144 xflflxx.exe 37 PID 648 wrote to memory of 2572 648 nnhnbh.exe 38 PID 648 wrote 
to memory of 2572 648 nnhnbh.exe 38 PID 648 wrote to memory of 2572 648 nnhnbh.exe 38 PID 648 wrote to memory of 2572 648 nnhnbh.exe 38 PID 2572 wrote to memory of 2096 2572 pdvvd.exe 39 PID 2572 wrote to memory of 2096 2572 pdvvd.exe 39 PID 2572 wrote to memory of 2096 2572 pdvvd.exe 39 PID 2572 wrote to memory of 2096 2572 pdvvd.exe 39 PID 2096 wrote to memory of 2232 2096 5xrrflr.exe 40 PID 2096 wrote to memory of 2232 2096 5xrrflr.exe 40 PID 2096 wrote to memory of 2232 2096 5xrrflr.exe 40 PID 2096 wrote to memory of 2232 2096 5xrrflr.exe 40 PID 2232 wrote to memory of 1684 2232 9rlllrr.exe 41 PID 2232 wrote to memory of 1684 2232 9rlllrr.exe 41 PID 2232 wrote to memory of 1684 2232 9rlllrr.exe 41 PID 2232 wrote to memory of 1684 2232 9rlllrr.exe 41 PID 1684 wrote to memory of 1000 1684 hbhntn.exe 42 PID 1684 wrote to memory of 1000 1684 hbhntn.exe 42 PID 1684 wrote to memory of 1000 1684 hbhntn.exe 42 PID 1684 wrote to memory of 1000 1684 hbhntn.exe 42 PID 1000 wrote to memory of 808 1000 bbnhhn.exe 43 PID 1000 wrote to memory of 808 1000 bbnhhn.exe 43 PID 1000 wrote to memory of 808 1000 bbnhhn.exe 43 PID 1000 wrote to memory of 808 1000 bbnhhn.exe 43 PID 808 wrote to memory of 2776 808 vvddd.exe 44 PID 808 wrote to memory of 2776 808 vvddd.exe 44 PID 808 wrote to memory of 2776 808 vvddd.exe 44 PID 808 wrote to memory of 2776 808 vvddd.exe 44 PID 2776 wrote to memory of 292 2776 xxllllx.exe 45 PID 2776 wrote to memory of 292 2776 xxllllx.exe 45 PID 2776 wrote to memory of 292 2776 xxllllx.exe 45 PID 2776 wrote to memory of 292 2776 xxllllx.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\198cf36859ff38a88963f37737c8748f5a3aabd9d7a6b0b3c94e12e49ac2d311N.exe"C:\Users\Admin\AppData\Local\Temp\198cf36859ff38a88963f37737c8748f5a3aabd9d7a6b0b3c94e12e49ac2d311N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2260 -
\??\c:\xfxlrll.exec:\xfxlrll.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2676 -
\??\c:\ddpvv.exec:\ddpvv.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2688 -
\??\c:\djdjp.exec:\djdjp.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2540 -
\??\c:\3rlllxr.exec:\3rlllxr.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2560 -
\??\c:\hhtbhn.exec:\hhtbhn.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2700 -
\??\c:\ddvjp.exec:\ddvjp.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2564 -
\??\c:\xflflxx.exec:\xflflxx.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2144 -
\??\c:\nnhnbh.exec:\nnhnbh.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:648 -
\??\c:\pdvvd.exec:\pdvvd.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2572 -
\??\c:\5xrrflr.exec:\5xrrflr.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2096 -
\??\c:\9rlllrr.exec:\9rlllrr.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2232 -
\??\c:\hbhntn.exec:\hbhntn.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1684 -
\??\c:\bbnhhn.exec:\bbnhhn.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1000 -
\??\c:\vvddd.exec:\vvddd.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:808 -
\??\c:\xxllllx.exec:\xxllllx.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2776 -
\??\c:\hhtthn.exec:\hhtthn.exe17⤵
- Executes dropped EXE
PID:292 -
\??\c:\hhtbhh.exec:\hhtbhh.exe18⤵
- Executes dropped EXE
PID:1904 -
\??\c:\3jpvj.exec:\3jpvj.exe19⤵
- Executes dropped EXE
PID:1780 -
\??\c:\xrllrrx.exec:\xrllrrx.exe20⤵
- Executes dropped EXE
PID:2336 -
\??\c:\lfrrxlx.exec:\lfrrxlx.exe21⤵
- Executes dropped EXE
PID:2488 -
\??\c:\nththh.exec:\nththh.exe22⤵
- Executes dropped EXE
PID:1160 -
\??\c:\9pjpd.exec:\9pjpd.exe23⤵
- Executes dropped EXE
PID:916 -
\??\c:\pjjvv.exec:\pjjvv.exe24⤵
- Executes dropped EXE
PID:1628 -
\??\c:\xxrlrxl.exec:\xxrlrxl.exe25⤵
- Executes dropped EXE
PID:2052 -
\??\c:\bththb.exec:\bththb.exe26⤵
- Executes dropped EXE
PID:1712 -
\??\c:\nhtttt.exec:\nhtttt.exe27⤵
- Executes dropped EXE
PID:1632 -
\??\c:\vpddd.exec:\vpddd.exe28⤵
- Executes dropped EXE
PID:696 -
\??\c:\ttnhbn.exec:\ttnhbn.exe29⤵
- Executes dropped EXE
PID:1396 -
\??\c:\3hnnnt.exec:\3hnnnt.exe30⤵
- Executes dropped EXE
PID:2960 -
\??\c:\1vpjv.exec:\1vpjv.exe31⤵
- Executes dropped EXE
PID:2616 -
\??\c:\pvjpd.exec:\pvjpd.exe32⤵
- Executes dropped EXE
PID:2744 -
\??\c:\ffrffrx.exec:\ffrffrx.exe33⤵
- Executes dropped EXE
PID:2804 -
\??\c:\nnnnbb.exec:\nnnnbb.exe34⤵
- Executes dropped EXE
PID:2788 -
\??\c:\bbnbhn.exec:\bbnbhn.exe35⤵
- Executes dropped EXE
PID:1352 -
\??\c:\djdvj.exec:\djdvj.exe36⤵
- Executes dropped EXE
PID:2780 -
\??\c:\djdpp.exec:\djdpp.exe37⤵
- Executes dropped EXE
PID:2872 -
\??\c:\lrlxrfx.exec:\lrlxrfx.exe38⤵
- Executes dropped EXE
PID:1584 -
\??\c:\tttbnn.exec:\tttbnn.exe39⤵
- Executes dropped EXE
PID:2544 -
\??\c:\7tbbbh.exec:\7tbbbh.exe40⤵
- Executes dropped EXE
PID:2596 -
\??\c:\jdpdj.exec:\jdpdj.exe41⤵
- Executes dropped EXE
PID:2140 -
\??\c:\ffflxlr.exec:\ffflxlr.exe42⤵
- Executes dropped EXE
PID:2920 -
\??\c:\fflfxlx.exec:\fflfxlx.exe43⤵
- Executes dropped EXE
PID:2160 -
\??\c:\bbnbht.exec:\bbnbht.exe44⤵
- Executes dropped EXE
PID:2128 -
\??\c:\ttbhnb.exec:\ttbhnb.exe45⤵
- Executes dropped EXE
PID:2108 -
\??\c:\pppjv.exec:\pppjv.exe46⤵
- Executes dropped EXE
PID:864 -
\??\c:\7xlrrff.exec:\7xlrrff.exe47⤵
- Executes dropped EXE
PID:2012 -
\??\c:\llflrrx.exec:\llflrrx.exe48⤵
- Executes dropped EXE
PID:1052 -
\??\c:\thttbb.exec:\thttbb.exe49⤵
- Executes dropped EXE
PID:1900 -
\??\c:\htbnbh.exec:\htbnbh.exe50⤵
- Executes dropped EXE
PID:2900 -
\??\c:\jdjjv.exec:\jdjjv.exe51⤵
- Executes dropped EXE
PID:2740 -
\??\c:\frxxffr.exec:\frxxffr.exe52⤵
- Executes dropped EXE
PID:1072 -
\??\c:\rxrxlxl.exec:\rxrxlxl.exe53⤵
- Executes dropped EXE
PID:1332 -
\??\c:\hnbtht.exec:\hnbtht.exe54⤵
- Executes dropped EXE
PID:2168 -
\??\c:\9bnbht.exec:\9bnbht.exe55⤵
- Executes dropped EXE
PID:1904 -
\??\c:\jvvvd.exec:\jvvvd.exe56⤵
- Executes dropped EXE
PID:2360 -
\??\c:\dvvdp.exec:\dvvdp.exe57⤵
- Executes dropped EXE
PID:2060 -
\??\c:\xfrfffl.exec:\xfrfffl.exe58⤵
- Executes dropped EXE
PID:1908 -
\??\c:\5thtnh.exec:\5thtnh.exe59⤵
- Executes dropped EXE
PID:2176 -
\??\c:\nbttbb.exec:\nbttbb.exe60⤵
- Executes dropped EXE
PID:1384 -
\??\c:\dvpjd.exec:\dvpjd.exe61⤵
- Executes dropped EXE
PID:1748 -
\??\c:\jjpvv.exec:\jjpvv.exe62⤵
- Executes dropped EXE
PID:924 -
\??\c:\3fxlrxf.exec:\3fxlrxf.exe63⤵
- Executes dropped EXE
PID:1648 -
\??\c:\9lxflrx.exec:\9lxflrx.exe64⤵
- Executes dropped EXE
PID:2028 -
\??\c:\tnhtbb.exec:\tnhtbb.exe65⤵
- Executes dropped EXE
PID:1644 -
\??\c:\vdvdj.exec:\vdvdj.exe66⤵
- System Location Discovery: System Language Discovery
PID:3000 -
\??\c:\7vvdd.exec:\7vvdd.exe67⤵PID:1240
-
\??\c:\9rlrxfr.exec:\9rlrxfr.exe68⤵PID:1504
-
\??\c:\5bhnhh.exec:\5bhnhh.exe69⤵PID:2076
-
\??\c:\hhnnbn.exec:\hhnnbn.exe70⤵PID:2480
-
\??\c:\jppvv.exec:\jppvv.exe71⤵PID:1592
-
\??\c:\pjddv.exec:\pjddv.exe72⤵PID:2744
-
\??\c:\7rffllr.exec:\7rffllr.exe73⤵PID:1604
-
\??\c:\xlflxfl.exec:\xlflxfl.exe74⤵PID:2640
-
\??\c:\nhbbnn.exec:\nhbbnn.exe75⤵PID:2784
-
\??\c:\dvjjp.exec:\dvjjp.exe76⤵PID:2840
-
\??\c:\9pjvv.exec:\9pjvv.exe77⤵PID:2692
-
\??\c:\rlxlfrl.exec:\rlxlfrl.exe78⤵PID:2800
-
\??\c:\xfxfxxl.exec:\xfxfxxl.exe79⤵PID:1584
-
\??\c:\btnnbh.exec:\btnnbh.exe80⤵PID:2536
-
\??\c:\hhhbhh.exec:\hhhbhh.exe81⤵PID:2576
-
\??\c:\xxrfflf.exec:\xxrfflf.exe82⤵PID:2140
-
\??\c:\5nbbhn.exec:\5nbbhn.exe83⤵PID:2932
-
\??\c:\hhtbhn.exec:\hhtbhn.exe84⤵PID:2572
-
\??\c:\5jdpd.exec:\5jdpd.exe85⤵PID:2096
-
\??\c:\jdddp.exec:\jdddp.exe86⤵PID:2108
-
\??\c:\xrlfrxf.exec:\xrlfrxf.exe87⤵PID:444
-
\??\c:\lrflrrf.exec:\lrflrrf.exe88⤵PID:2888
-
\??\c:\hnbtht.exec:\hnbtht.exe89⤵PID:484
-
\??\c:\nnbhnt.exec:\nnbhnt.exe90⤵PID:1000
-
\??\c:\7pvdd.exec:\7pvdd.exe91⤵PID:2600
-
\??\c:\xxlrxxr.exec:\xxlrxxr.exe92⤵PID:2520
-
\??\c:\llrrxfx.exec:\llrrxfx.exe93⤵PID:292
-
\??\c:\1tnbtb.exec:\1tnbtb.exe94⤵PID:2236
-
\??\c:\bbtthh.exec:\bbtthh.exe95⤵PID:1936
-
\??\c:\7tnnth.exec:\7tnnth.exe96⤵PID:1904
-
\??\c:\7ppdd.exec:\7ppdd.exe97⤵PID:1780
-
\??\c:\rrfrfrx.exec:\rrfrfrx.exe98⤵PID:1292
-
\??\c:\3xlllrx.exec:\3xlllrx.exe99⤵PID:1284
-
\??\c:\bhnbhn.exec:\bhnbhn.exe100⤵PID:2064
-
\??\c:\nnthth.exec:\nnthth.exe101⤵PID:1736
-
\??\c:\ddvjp.exec:\ddvjp.exe102⤵PID:912
-
\??\c:\pjvjd.exec:\pjvjd.exe103⤵PID:928
-
\??\c:\frlrxrx.exec:\frlrxrx.exe104⤵PID:924
-
\??\c:\fxlrrxl.exec:\fxlrrxl.exe105⤵PID:276
-
\??\c:\tbbtht.exec:\tbbtht.exe106⤵PID:2816
-
\??\c:\htnnht.exec:\htnnht.exe107⤵PID:796
-
\??\c:\7vjdp.exec:\7vjdp.exe108⤵PID:1012
-
\??\c:\1pvjv.exec:\1pvjv.exe109⤵PID:1540
-
\??\c:\lrfflxl.exec:\lrfflxl.exe110⤵PID:2448
-
\??\c:\xxlrllx.exec:\xxlrllx.exe111⤵PID:904
-
\??\c:\7hbbhn.exec:\7hbbhn.exe112⤵PID:2636
-
\??\c:\nnnnnb.exec:\nnnnnb.exe113⤵PID:2496
-
\??\c:\vjvjj.exec:\vjvjj.exe114⤵PID:1608
-
\??\c:\ppvdp.exec:\ppvdp.exe115⤵PID:2296
-
\??\c:\xrlrxxl.exec:\xrlrxxl.exe116⤵PID:1604
-
\??\c:\xxlfrrx.exec:\xxlfrrx.exe117⤵PID:2640
-
\??\c:\tbttbh.exec:\tbttbh.exe118⤵PID:2416
-
\??\c:\djpvv.exec:\djpvv.exe119⤵PID:2072
-
\??\c:\dvjvp.exec:\dvjvp.exe120⤵PID:2604
-
\??\c:\rxxxlrl.exec:\rxxxlrl.exe121⤵PID:1360
-
\??\c:\xxlrxfx.exec:\xxlrxfx.exe122⤵PID:1584
-