Analysis
-
max time kernel
120s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
18/10/2024, 17:55
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
bd98292b03e32d2823900b389158a95409a42cbeb6a67703a156bcc7a6e0b19aN.exe
Resource
win7-20240903-en
6 signatures
120 seconds
General
-
Target
bd98292b03e32d2823900b389158a95409a42cbeb6a67703a156bcc7a6e0b19aN.exe
-
Size
59KB
-
MD5
47cbe180e3f031c5f995da25249841d0
-
SHA1
e8f3d6d8a4d5f952cdc0acacd62bfc75cbd09187
-
SHA256
bd98292b03e32d2823900b389158a95409a42cbeb6a67703a156bcc7a6e0b19a
-
SHA512
9f227e6e9ba7262d3012a0acfb78f5b81098ea9e47e8e29c8313b6a73743aac60d0eb8afdadb3c11b82701af849a6a823282432f8663e5a63dfb20b3c795f277
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDIFgw:ymb3NkkiQ3mdBjFIF7
Malware Config
Signatures
-
Detect Blackmoon payload 22 IoCs
resource yara_rule behavioral1/memory/3004-10-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/1728-15-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2296-35-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2376-29-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2376-30-0x0000000000401000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2732-54-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2792-58-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2216-76-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2864-81-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2596-99-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/1720-117-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/1036-125-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2116-135-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/1620-143-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/1556-171-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/1004-189-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2328-197-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2156-207-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/1068-233-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/1292-243-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2176-291-0x00000000772F0000-0x00000000773EA000-memory.dmp family_blackmoon 
behavioral1/memory/2176-290-0x00000000773F0000-0x000000007750F000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1728 pjdjd.exe 2376 rxxlxfx.exe 2296 nhbthn.exe 2732 hbbbnb.exe 2792 rrxxlrf.exe 2216 bhntnn.exe 2864 dddvp.exe 2596 1pppv.exe 3032 7tnthb.exe 1720 bbtntb.exe 1036 dpppd.exe 2116 xrrlflf.exe 1620 7xrfrrf.exe 732 tnhntb.exe 2076 jjvjd.exe 1556 ddvdv.exe 2420 llxlflf.exe 1004 ffxxlfr.exe 2328 hhtbhh.exe 2156 9ddpd.exe 1764 7pvdj.exe 444 llxrlxl.exe 1068 ttbnbb.exe 1292 bbbtnt.exe 1936 vvvpj.exe 2948 jjvjj.exe 676 xrlrffr.exe 1288 tnbnbn.exe 2960 hhthtb.exe 2176 9vvdv.exe 2192 lfxlllx.exe 2940 ddvjv.exe 2780 vppdj.exe 2784 ffxflrf.exe 2424 9fxflrx.exe 2716 bhbbnb.exe 2744 hhbnhh.exe 2124 9dpdp.exe 2920 7vjpv.exe 2272 3xxfflx.exe 2656 rrlfrrx.exe 2168 ttbhth.exe 3032 bbhnbh.exe 576 vvvpd.exe 1724 vvdjv.exe 2652 xxflffr.exe 1780 frfrlrf.exe 236 tbtbtb.exe 976 hbnhnt.exe 1908 hhthth.exe 1572 1jjdj.exe 2480 7rxrrfr.exe 1564 llxrfrf.exe 1004 nnhttb.exe 2144 bthbbh.exe 1392 ppvjv.exe 600 ddpjj.exe 2484 rrlxlrf.exe 1888 xrfxrxl.exe 1224 1nnbhh.exe 2280 hbhnhn.exe 2432 jdppp.exe 2292 vpdjv.exe 2148 ffxxxfr.exe -
resource yara_rule behavioral1/memory/3004-3-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/3004-10-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1728-15-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2296-35-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2376-29-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2732-45-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2732-44-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2732-54-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2792-58-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2216-68-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2216-67-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2216-76-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2864-81-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2596-91-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2596-90-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2596-99-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1720-117-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1036-125-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2116-135-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1620-143-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1556-171-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1004-189-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2328-197-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2156-207-0x0000000000400000-0x0000000000429000-memory.dmp upx 
behavioral1/memory/1068-233-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1292-243-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2176-290-0x00000000773F0000-0x000000007750F000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbthbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnbthn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddvpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5nhbnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnbtbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5ffxllr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvjvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found 
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrfrflx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxlfrfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3004 wrote to memory of 1728 3004 bd98292b03e32d2823900b389158a95409a42cbeb6a67703a156bcc7a6e0b19aN.exe 30 PID 3004 wrote to memory of 1728 3004 bd98292b03e32d2823900b389158a95409a42cbeb6a67703a156bcc7a6e0b19aN.exe 30 PID 3004 wrote to memory of 1728 3004 bd98292b03e32d2823900b389158a95409a42cbeb6a67703a156bcc7a6e0b19aN.exe 30 PID 3004 wrote to memory of 1728 3004 bd98292b03e32d2823900b389158a95409a42cbeb6a67703a156bcc7a6e0b19aN.exe 30 PID 1728 wrote to memory of 2376 1728 pjdjd.exe 31 PID 1728 wrote to memory of 2376 1728 pjdjd.exe 31 PID 1728 wrote to memory of 2376 1728 pjdjd.exe 31 PID 1728 wrote to memory of 2376 1728 pjdjd.exe 31 PID 2376 wrote to memory of 2296 2376 rxxlxfx.exe 32 PID 2376 wrote to memory of 2296 2376 rxxlxfx.exe 32 PID 2376 wrote to memory of 2296 2376 rxxlxfx.exe 32 PID 2376 wrote to memory of 2296 2376 rxxlxfx.exe 32 PID 2296 wrote to memory of 2732 2296 nhbthn.exe 33 PID 2296 wrote to memory of 2732 2296 nhbthn.exe 33 PID 2296 wrote to memory of 2732 2296 nhbthn.exe 33 PID 2296 wrote to memory of 2732 2296 nhbthn.exe 33 PID 2732 wrote to memory of 2792 2732 hbbbnb.exe 34 PID 2732 wrote to memory of 2792 2732 hbbbnb.exe 34 PID 2732 wrote to memory of 2792 2732 hbbbnb.exe 34 PID 2732 wrote to memory of 2792 2732 hbbbnb.exe 34 PID 2792 wrote to memory of 2216 2792 rrxxlrf.exe 35 PID 2792 wrote to memory of 2216 2792 rrxxlrf.exe 35 PID 2792 wrote to memory of 2216 2792 rrxxlrf.exe 35 PID 2792 wrote to memory of 2216 2792 rrxxlrf.exe 35 PID 2216 wrote to memory of 2864 2216 bhntnn.exe 36 PID 2216 wrote to memory of 2864 2216 bhntnn.exe 36 PID 2216 wrote to memory of 2864 2216 bhntnn.exe 36 PID 2216 wrote to memory of 2864 2216 bhntnn.exe 36 PID 2864 wrote to memory of 2596 2864 dddvp.exe 37 PID 2864 wrote to memory of 2596 2864 dddvp.exe 37 PID 2864 wrote to memory of 2596 2864 dddvp.exe 37 PID 2864 wrote to memory of 2596 2864 dddvp.exe 37 PID 2596 wrote to memory of 3032 2596 1pppv.exe 38 PID 2596 
wrote to memory of 3032 2596 1pppv.exe 38 PID 2596 wrote to memory of 3032 2596 1pppv.exe 38 PID 2596 wrote to memory of 3032 2596 1pppv.exe 38 PID 3032 wrote to memory of 1720 3032 7tnthb.exe 39 PID 3032 wrote to memory of 1720 3032 7tnthb.exe 39 PID 3032 wrote to memory of 1720 3032 7tnthb.exe 39 PID 3032 wrote to memory of 1720 3032 7tnthb.exe 39 PID 1720 wrote to memory of 1036 1720 bbtntb.exe 40 PID 1720 wrote to memory of 1036 1720 bbtntb.exe 40 PID 1720 wrote to memory of 1036 1720 bbtntb.exe 40 PID 1720 wrote to memory of 1036 1720 bbtntb.exe 40 PID 1036 wrote to memory of 2116 1036 dpppd.exe 41 PID 1036 wrote to memory of 2116 1036 dpppd.exe 41 PID 1036 wrote to memory of 2116 1036 dpppd.exe 41 PID 1036 wrote to memory of 2116 1036 dpppd.exe 41 PID 2116 wrote to memory of 1620 2116 xrrlflf.exe 42 PID 2116 wrote to memory of 1620 2116 xrrlflf.exe 42 PID 2116 wrote to memory of 1620 2116 xrrlflf.exe 42 PID 2116 wrote to memory of 1620 2116 xrrlflf.exe 42 PID 1620 wrote to memory of 732 1620 7xrfrrf.exe 43 PID 1620 wrote to memory of 732 1620 7xrfrrf.exe 43 PID 1620 wrote to memory of 732 1620 7xrfrrf.exe 43 PID 1620 wrote to memory of 732 1620 7xrfrrf.exe 43 PID 732 wrote to memory of 2076 732 tnhntb.exe 44 PID 732 wrote to memory of 2076 732 tnhntb.exe 44 PID 732 wrote to memory of 2076 732 tnhntb.exe 44 PID 732 wrote to memory of 2076 732 tnhntb.exe 44 PID 2076 wrote to memory of 1556 2076 jjvjd.exe 45 PID 2076 wrote to memory of 1556 2076 jjvjd.exe 45 PID 2076 wrote to memory of 1556 2076 jjvjd.exe 45 PID 2076 wrote to memory of 1556 2076 jjvjd.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\bd98292b03e32d2823900b389158a95409a42cbeb6a67703a156bcc7a6e0b19aN.exe"C:\Users\Admin\AppData\Local\Temp\bd98292b03e32d2823900b389158a95409a42cbeb6a67703a156bcc7a6e0b19aN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3004 -
\??\c:\pjdjd.exec:\pjdjd.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1728 -
\??\c:\rxxlxfx.exec:\rxxlxfx.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2376 -
\??\c:\nhbthn.exec:\nhbthn.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2296 -
\??\c:\hbbbnb.exec:\hbbbnb.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2732 -
\??\c:\rrxxlrf.exec:\rrxxlrf.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2792 -
\??\c:\bhntnn.exec:\bhntnn.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2216 -
\??\c:\dddvp.exec:\dddvp.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2864 -
\??\c:\1pppv.exec:\1pppv.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2596 -
\??\c:\7tnthb.exec:\7tnthb.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3032 -
\??\c:\bbtntb.exec:\bbtntb.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1720 -
\??\c:\dpppd.exec:\dpppd.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1036 -
\??\c:\xrrlflf.exec:\xrrlflf.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2116 -
\??\c:\7xrfrrf.exec:\7xrfrrf.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1620 -
\??\c:\tnhntb.exec:\tnhntb.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:732 -
\??\c:\jjvjd.exec:\jjvjd.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2076 -
\??\c:\ddvdv.exec:\ddvdv.exe17⤵
- Executes dropped EXE
PID:1556 -
\??\c:\llxlflf.exec:\llxlflf.exe18⤵
- Executes dropped EXE
PID:2420 -
\??\c:\ffxxlfr.exec:\ffxxlfr.exe19⤵
- Executes dropped EXE
PID:1004 -
\??\c:\hhtbhh.exec:\hhtbhh.exe20⤵
- Executes dropped EXE
PID:2328 -
\??\c:\9ddpd.exec:\9ddpd.exe21⤵
- Executes dropped EXE
PID:2156 -
\??\c:\7pvdj.exec:\7pvdj.exe22⤵
- Executes dropped EXE
PID:1764 -
\??\c:\llxrlxl.exec:\llxrlxl.exe23⤵
- Executes dropped EXE
PID:444 -
\??\c:\ttbnbb.exec:\ttbnbb.exe24⤵
- Executes dropped EXE
PID:1068 -
\??\c:\bbbtnt.exec:\bbbtnt.exe25⤵
- Executes dropped EXE
PID:1292 -
\??\c:\vvvpj.exec:\vvvpj.exe26⤵
- Executes dropped EXE
PID:1936 -
\??\c:\jjvjj.exec:\jjvjj.exe27⤵
- Executes dropped EXE
PID:2948 -
\??\c:\xrlrffr.exec:\xrlrffr.exe28⤵
- Executes dropped EXE
PID:676 -
\??\c:\tnbnbn.exec:\tnbnbn.exe29⤵
- Executes dropped EXE
PID:1288 -
\??\c:\hhthtb.exec:\hhthtb.exe30⤵
- Executes dropped EXE
PID:2960 -
\??\c:\9vvdv.exec:\9vvdv.exe31⤵
- Executes dropped EXE
PID:2176 -
\??\c:\jjjdj.exec:\jjjdj.exe32⤵PID:3060
-
\??\c:\lfxlllx.exec:\lfxlllx.exe33⤵
- Executes dropped EXE
PID:2192 -
\??\c:\ddvjv.exec:\ddvjv.exe34⤵
- Executes dropped EXE
PID:2940 -
\??\c:\vppdj.exec:\vppdj.exe35⤵
- Executes dropped EXE
PID:2780 -
\??\c:\ffxflrf.exec:\ffxflrf.exe36⤵
- Executes dropped EXE
PID:2784 -
\??\c:\9fxflrx.exec:\9fxflrx.exe37⤵
- Executes dropped EXE
PID:2424 -
\??\c:\bhbbnb.exec:\bhbbnb.exe38⤵
- Executes dropped EXE
PID:2716 -
\??\c:\hhbnhh.exec:\hhbnhh.exe39⤵
- Executes dropped EXE
PID:2744 -
\??\c:\9dpdp.exec:\9dpdp.exe40⤵
- Executes dropped EXE
PID:2124 -
\??\c:\7vjpv.exec:\7vjpv.exe41⤵
- Executes dropped EXE
PID:2920 -
\??\c:\3xxfflx.exec:\3xxfflx.exe42⤵
- Executes dropped EXE
PID:2272 -
\??\c:\rrlfrrx.exec:\rrlfrrx.exe43⤵
- Executes dropped EXE
PID:2656 -
\??\c:\ttbhth.exec:\ttbhth.exe44⤵
- Executes dropped EXE
PID:2168 -
\??\c:\bbhnbh.exec:\bbhnbh.exe45⤵
- Executes dropped EXE
PID:3032 -
\??\c:\vvvpd.exec:\vvvpd.exe46⤵
- Executes dropped EXE
PID:576 -
\??\c:\vvdjv.exec:\vvdjv.exe47⤵
- Executes dropped EXE
PID:1724 -
\??\c:\xxflffr.exec:\xxflffr.exe48⤵
- Executes dropped EXE
PID:2652 -
\??\c:\frfrlrf.exec:\frfrlrf.exe49⤵
- Executes dropped EXE
PID:1780 -
\??\c:\tbtbtb.exec:\tbtbtb.exe50⤵
- Executes dropped EXE
PID:236 -
\??\c:\hbnhnt.exec:\hbnhnt.exe51⤵
- Executes dropped EXE
PID:976 -
\??\c:\hhthth.exec:\hhthth.exe52⤵
- Executes dropped EXE
PID:1908 -
\??\c:\1jjdj.exec:\1jjdj.exe53⤵
- Executes dropped EXE
PID:1572 -
\??\c:\7rxrrfr.exec:\7rxrrfr.exe54⤵
- Executes dropped EXE
PID:2480 -
\??\c:\llxrfrf.exec:\llxrfrf.exe55⤵
- Executes dropped EXE
PID:1564 -
\??\c:\nnhttb.exec:\nnhttb.exe56⤵
- Executes dropped EXE
PID:1004 -
\??\c:\bthbbh.exec:\bthbbh.exe57⤵
- Executes dropped EXE
PID:2144 -
\??\c:\ppvjv.exec:\ppvjv.exe58⤵
- Executes dropped EXE
PID:1392 -
\??\c:\ddpjj.exec:\ddpjj.exe59⤵
- Executes dropped EXE
PID:600 -
\??\c:\rrlxlrf.exec:\rrlxlrf.exe60⤵
- Executes dropped EXE
PID:2484 -
\??\c:\xrfxrxl.exec:\xrfxrxl.exe61⤵
- Executes dropped EXE
PID:1888 -
\??\c:\1nnbhh.exec:\1nnbhh.exe62⤵
- Executes dropped EXE
PID:1224 -
\??\c:\hbhnhn.exec:\hbhnhn.exe63⤵
- Executes dropped EXE
PID:2280 -
\??\c:\jdppp.exec:\jdppp.exe64⤵
- Executes dropped EXE
PID:2432 -
\??\c:\vpdjv.exec:\vpdjv.exe65⤵
- Executes dropped EXE
PID:2292 -
\??\c:\ffxxxfr.exec:\ffxxxfr.exe66⤵
- Executes dropped EXE
PID:2148 -
\??\c:\9rllrxl.exec:\9rllrxl.exe67⤵PID:1560
-
\??\c:\tnhtbh.exec:\tnhtbh.exe68⤵PID:872
-
\??\c:\3ttnbh.exec:\3ttnbh.exe69⤵PID:940
-
\??\c:\jjvdd.exec:\jjvdd.exe70⤵PID:2536
-
\??\c:\pjpvv.exec:\pjpvv.exe71⤵PID:3020
-
\??\c:\lllxffr.exec:\lllxffr.exe72⤵PID:2376
-
\??\c:\1rfxrxr.exec:\1rfxrxr.exe73⤵PID:2192
-
\??\c:\tnbtbn.exec:\tnbtbn.exe74⤵
- System Location Discovery: System Language Discovery
PID:2684 -
\??\c:\ttttnb.exec:\ttttnb.exe75⤵PID:2780
-
\??\c:\3dddj.exec:\3dddj.exe76⤵PID:2784
-
\??\c:\pjpvp.exec:\pjpvp.exe77⤵PID:2828
-
\??\c:\lfrxxfx.exec:\lfrxxfx.exe78⤵PID:2716
-
\??\c:\llrfxlx.exec:\llrfxlx.exe79⤵PID:2792
-
\??\c:\xrrrrfr.exec:\xrrrrfr.exe80⤵PID:2124
-
\??\c:\ttbnbt.exec:\ttbnbt.exe81⤵PID:2604
-
\??\c:\dvvdp.exec:\dvvdp.exe82⤵PID:2864
-
\??\c:\dvjjj.exec:\dvjjj.exe83⤵PID:3040
-
\??\c:\llllxlr.exec:\llllxlr.exe84⤵PID:2712
-
\??\c:\rrlrxxr.exec:\rrlrxxr.exe85⤵PID:2580
-
\??\c:\1ttbhb.exec:\1ttbhb.exe86⤵PID:576
-
\??\c:\hhttnt.exec:\hhttnt.exe87⤵PID:1044
-
\??\c:\jjpdp.exec:\jjpdp.exe88⤵PID:2116
-
\??\c:\dvvdv.exec:\dvvdv.exe89⤵PID:2016
-
\??\c:\flrflrx.exec:\flrflrx.exe90⤵PID:792
-
\??\c:\rlffllf.exec:\rlffllf.exe91⤵PID:732
-
\??\c:\ntbttb.exec:\ntbttb.exe92⤵PID:1908
-
\??\c:\3hthnt.exec:\3hthnt.exe93⤵PID:2924
-
\??\c:\pvddv.exec:\pvddv.exe94⤵PID:2480
-
\??\c:\vvvvj.exec:\vvvvj.exe95⤵PID:2876
-
\??\c:\9lrxxlx.exec:\9lrxxlx.exe96⤵PID:1004
-
\??\c:\1nnhbh.exec:\1nnhbh.exe97⤵PID:2196
-
\??\c:\7nhbbh.exec:\7nhbbh.exe98⤵PID:1392
-
\??\c:\nnttth.exec:\nnttth.exe99⤵PID:404
-
\??\c:\vpjpd.exec:\vpjpd.exe100⤵PID:848
-
\??\c:\rrrrxlx.exec:\rrrrxlx.exe101⤵PID:2972
-
\??\c:\xxxlfll.exec:\xxxlfll.exe102⤵PID:1224
-
\??\c:\nntthh.exec:\nntthh.exe103⤵PID:1784
-
\??\c:\nnhnbb.exec:\nnhnbb.exe104⤵PID:2432
-
\??\c:\jjvvd.exec:\jjvvd.exe105⤵PID:2224
-
\??\c:\1pjpd.exec:\1pjpd.exe106⤵PID:1568
-
\??\c:\7jvjj.exec:\7jvjj.exe107⤵PID:1984
-
\??\c:\rxffxxf.exec:\rxffxxf.exe108⤵PID:872
-
\??\c:\flrfrxl.exec:\flrfrxl.exe109⤵PID:2096
-
\??\c:\nnntht.exec:\nnntht.exe110⤵PID:2524
-
\??\c:\nnhthn.exec:\nnhthn.exe111⤵PID:3064
-
\??\c:\pjpjv.exec:\pjpjv.exe112⤵PID:2376
-
\??\c:\rrllflx.exec:\rrllflx.exe113⤵PID:2740
-
\??\c:\5ffxllr.exec:\5ffxllr.exe114⤵
- System Location Discovery: System Language Discovery
PID:2684 -
\??\c:\tnhbhh.exec:\tnhbhh.exe115⤵PID:2308
-
\??\c:\5nttbh.exec:\5nttbh.exe116⤵PID:2784
-
\??\c:\dvjpp.exec:\dvjpp.exe117⤵PID:2832
-
\??\c:\3vvdv.exec:\3vvdv.exe118⤵PID:2716
-
\??\c:\3xxxfrx.exec:\3xxxfrx.exe119⤵PID:2744
-
\??\c:\rllxfrx.exec:\rllxfrx.exe120⤵PID:2124
-
\??\c:\hhhbnb.exec:\hhhbnb.exe121⤵PID:2920
-
\??\c:\3hhnnt.exec:\3hhnnt.exe122⤵PID:2864
-