Analysis
max time kernel: 120s
max time network: 118s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 24/11/2024, 14:12

Static task: static1 (1 signature)
Behavioral task: behavioral1
  Sample: 297b6597f301075930743fb0b780d6d6b27880d27979fdb18292b1ed61d5c88eN.exe
  Resource: win7-20240903-en
  7 signatures, 120 seconds
General
Target: 297b6597f301075930743fb0b780d6d6b27880d27979fdb18292b1ed61d5c88eN.exe
Size: 72KB
MD5: df190e37b21597ba70e584c0ce2a80e0
SHA1: 8ef6725ea15d326f582efb4f6785d4eff26e5a74
SHA256: 297b6597f301075930743fb0b780d6d6b27880d27979fdb18292b1ed61d5c88e
SHA512: 229a765c2599aee039effa70f8d721b0c628cdbc82a1ab61fde32cae9c147a77f5913d128fb5c229014dd7fecfea8dddf5c94498a371d643e55256b93cf4b975
SSDEEP: 1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDIb0z6MTSqfjF:ymb3NkkiQ3mdBjFI4VV
Malware Config
Signatures
Blackmoon family

Detect Blackmoon payload (23 IoCs)
resource                                                                    yara_rule
behavioral1/memory/1800-4-0x0000000000400000-0x0000000000429000-memory.dmp   family_blackmoon
behavioral1/memory/2356-14-0x0000000000400000-0x0000000000429000-memory.dmp  family_blackmoon
behavioral1/memory/2340-33-0x0000000000400000-0x0000000000429000-memory.dmp  family_blackmoon
behavioral1/memory/2408-43-0x0000000000400000-0x0000000000429000-memory.dmp  family_blackmoon
behavioral1/memory/2408-42-0x0000000000400000-0x0000000000429000-memory.dmp  family_blackmoon
behavioral1/memory/2744-66-0x0000000000400000-0x0000000000429000-memory.dmp  family_blackmoon
behavioral1/memory/2744-65-0x0000000000400000-0x0000000000429000-memory.dmp  family_blackmoon
behavioral1/memory/2912-77-0x0000000000400000-0x0000000000429000-memory.dmp  family_blackmoon
behavioral1/memory/2660-87-0x0000000000400000-0x0000000000429000-memory.dmp  family_blackmoon
behavioral1/memory/2660-86-0x0000000000400000-0x0000000000429000-memory.dmp  family_blackmoon
behavioral1/memory/2644-103-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon
behavioral1/memory/2664-111-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon
behavioral1/memory/492-129-0x0000000000400000-0x0000000000429000-memory.dmp  family_blackmoon
behavioral1/memory/1488-147-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon
behavioral1/memory/784-157-0x0000000000400000-0x0000000000429000-memory.dmp  family_blackmoon
behavioral1/memory/2364-166-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon
behavioral1/memory/2476-183-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon
behavioral1/memory/1428-193-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon
behavioral1/memory/2116-201-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon
behavioral1/memory/2228-211-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon
behavioral1/memory/1912-246-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon
behavioral1/memory/1824-291-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon
behavioral1/memory/1140-300-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon

All 23 hits are in the same region of each process, 0x00400000-0x00429000, i.e. the mapped image at the default image base. That region is 0x29000 bytes (164 KB) against 72 KB on disk, which is how a UPX-packed PE looks once its compressed section has been unpacked into memory at run time. Note that the family rule is listed only against memory dumps, not against the file on disk, so a static scan of the 72 KB sample alone is not expected to reproduce this verdict.
Executes dropped EXE (64 IoCs)
pid   Process
2356  fxllrxr.exe
3068  hbthhb.exe
2340  htttbh.exe
2408  lfflrrr.exe
2876  nnhbhh.exe
2744  pjvvj.exe
2912  jdpvj.exe
2660  xrllflx.exe
2644  bnbhtt.exe
2664  5vjpd.exe
560   7pppv.exe
492   xrxlffr.exe
604   btnnbb.exe
1488  hhbnnt.exe
784   dvvvd.exe
2364  1xrfrlf.exe
1828  xrxxflx.exe
2476  nhbbtb.exe
1428  7pdvv.exe
2116  jvjdj.exe
2228  9lfxxxf.exe
1632  bththn.exe
600   hbhnnn.exe
628   3jdjp.exe
1912  ddvvj.exe
2248  xfxlfxl.exe
2532  lxllxxf.exe
2492  vppvd.exe
2000  pdppv.exe
1824  3ppvv.exe
1140  1ffrrff.exe
2148  btbbhn.exe
2540  7tttth.exe
2800  dvpdv.exe
2720  vjppd.exe
2892  lxfxlll.exe
2764  xrrrllx.exe
2336  nhbnnn.exe
2772  9nnthn.exe
2920  1vjjv.exe
2900  jddjp.exe
2632  frxrxfx.exe
2908  5xrfrlx.exe
524   nhhthn.exe
1972  tttbht.exe
2680  dppdj.exe
268   dvppp.exe
2600  xrlrfxr.exe
1656  bbthbn.exe
2820  vjdjd.exe
2972  vppvj.exe
1368  llflrrf.exe
2196  rrxxlxl.exe
2112  ttnbhh.exe
1640  htnnth.exe
2272  pppvd.exe
1356  vpdvv.exe
2228  xrlxxfr.exe
2596  rrlrfrl.exe
1756  hhtbnh.exe
1392  7pjjj.exe
1092  djjdv.exe
1660  fxxfflr.exe
1872  lfxfrlx.exe
upx (25 IoCs)
resource                                                                    yara_rule
behavioral1/memory/1800-4-0x0000000000400000-0x0000000000429000-memory.dmp   upx
behavioral1/memory/2356-14-0x0000000000400000-0x0000000000429000-memory.dmp  upx
behavioral1/memory/2340-33-0x0000000000400000-0x0000000000429000-memory.dmp  upx
behavioral1/memory/2408-43-0x0000000000400000-0x0000000000429000-memory.dmp  upx
behavioral1/memory/2408-42-0x0000000000400000-0x0000000000429000-memory.dmp  upx
behavioral1/memory/2876-54-0x0000000000400000-0x0000000000429000-memory.dmp  upx
behavioral1/memory/2876-53-0x0000000000400000-0x0000000000429000-memory.dmp  upx
behavioral1/memory/2744-66-0x0000000000400000-0x0000000000429000-memory.dmp  upx
behavioral1/memory/2744-65-0x0000000000400000-0x0000000000429000-memory.dmp  upx
behavioral1/memory/2912-77-0x0000000000400000-0x0000000000429000-memory.dmp  upx
behavioral1/memory/2660-87-0x0000000000400000-0x0000000000429000-memory.dmp  upx
behavioral1/memory/2660-86-0x0000000000400000-0x0000000000429000-memory.dmp  upx
behavioral1/memory/2644-103-0x0000000000400000-0x0000000000429000-memory.dmp upx
behavioral1/memory/2664-111-0x0000000000400000-0x0000000000429000-memory.dmp upx
behavioral1/memory/492-129-0x0000000000400000-0x0000000000429000-memory.dmp  upx
behavioral1/memory/1488-147-0x0000000000400000-0x0000000000429000-memory.dmp upx
behavioral1/memory/784-157-0x0000000000400000-0x0000000000429000-memory.dmp  upx
behavioral1/memory/2364-166-0x0000000000400000-0x0000000000429000-memory.dmp upx
behavioral1/memory/2476-183-0x0000000000400000-0x0000000000429000-memory.dmp upx
behavioral1/memory/1428-193-0x0000000000400000-0x0000000000429000-memory.dmp upx
behavioral1/memory/2116-201-0x0000000000400000-0x0000000000429000-memory.dmp upx
behavioral1/memory/2228-211-0x0000000000400000-0x0000000000429000-memory.dmp upx
behavioral1/memory/1912-246-0x0000000000400000-0x0000000000429000-memory.dmp upx
behavioral1/memory/1824-291-0x0000000000400000-0x0000000000429000-memory.dmp upx
behavioral1/memory/1140-300-0x0000000000400000-0x0000000000429000-memory.dmp upx

The upx rule matches the same 0x00400000-0x00429000 region in every dump the Blackmoon rule matched, plus two dumps of PID 2876 (nnhbhh.exe, 2876-53 and 2876-54) that carry the packer hit but no family_blackmoon hit. A UPX hit on its own identifies the packer, not the family; for PID 2876 the family attribution rests on its position in the chain (it is the sixth stage, started by lfflrrr.exe and starting pjvvj.exe), not on a YARA match.
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description   ioc                                                         Process
All 64 rows are the same event, "Key opened" on \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language. 14 rows are attributed to a named process, in report order: vjjdd.exe, rrxfrlx.exe, btttth.exe, nnhhnt.exe, 3hbhtt.exe, nhtbtt.exe, nnbbnn.exe, 1vvdp.exe, 5jjdd.exe, hbbhth.exe, xrffflr.exe, llflxfr.exe, djdjj.exe, rrfflfl.exe. The remaining 50 rows read "Process not Found", meaning the sandbox could not resolve the PID to a running process when the event was attributed, which is consistent with each stage exiting as soon as it has started the next. Only 3hbhtt.exe (PID 3012), 5jjdd.exe (PID 2808) and xrffflr.exe (PID 2176) appear in the process tree below; the other named processes belong to stages past the point where the tree listing is cut off, so the chain ran deeper than the 122 levels shown.
Suspicious use of WriteProcessMemory (64 IoCs)
description                        pid   Process                                                                 procid_target
PID 1800 wrote to memory of 2356   1800  297b6597f301075930743fb0b780d6d6b27880d27979fdb18292b1ed61d5c88eN.exe  30
PID 2356 wrote to memory of 3068   2356  fxllrxr.exe                                                             31
PID 3068 wrote to memory of 2340   3068  hbthhb.exe                                                              32
PID 2340 wrote to memory of 2408   2340  htttbh.exe                                                              33
PID 2408 wrote to memory of 2876   2408  lfflrrr.exe                                                             34
PID 2876 wrote to memory of 2744   2876  nnhbhh.exe                                                              35
PID 2744 wrote to memory of 2912   2744  pjvvj.exe                                                               36
PID 2912 wrote to memory of 2660   2912  jdpvj.exe                                                               37
PID 2660 wrote to memory of 2644   2660  xrllflx.exe                                                             38
PID 2644 wrote to memory of 2664   2644  bnbhtt.exe                                                              39
PID 2664 wrote to memory of 560    2664  5vjpd.exe                                                               40
PID 560 wrote to memory of 492     560   7pppv.exe                                                               41
PID 492 wrote to memory of 604     492   xrxlffr.exe                                                             42
PID 604 wrote to memory of 1488    604   btnnbb.exe                                                              43
PID 1488 wrote to memory of 784    1488  hhbnnt.exe                                                              44
PID 784 wrote to memory of 2364    784   dvvvd.exe                                                               45

Each row above is logged four times in the raw report (16 distinct parent-to-child pairs, 64 IoCs). Every writer targets only its own direct child, and the pairs line up one-to-one with the first 16 levels of the process tree; that is the pattern a sandbox records for ordinary process creation, not evidence of injection into an unrelated process. procid_target is the sandbox's internal process index, not a Windows PID.
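As an added worked example (editor's code, not part of the sandbox report and not code from Triage or from the Blackmoon sample), the following Python parses excerpts of the report's own YARA hits, WriteProcessMemory rows and dropped-EXE list to recover the checks an analyst does by hand on a report like this one: that every hit is the same mapped image at 0x400000, which PIDs carry a UPX hit without a family hit, that the deduplicated WriteProcessMemory edges form one linear parent-to-child chain with no writes into foreign processes, and that the dropped filenames fit a restricted alphabet. The sample rows are copied from the sections above; the filename pattern `DROPPED_NAME_RE` is a heuristic read off this single report and is labelled as such, not a vetted detection signature.

```python
import re
from collections import defaultdict

# Excerpts of the report above. Memory-dump IDs are <PID>-<seq>-<start>-<end>.
YARA_HITS = """\
behavioral1/memory/1800-4-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon
behavioral1/memory/2356-14-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon
behavioral1/memory/2340-33-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon
behavioral1/memory/1800-4-0x0000000000400000-0x0000000000429000-memory.dmp upx
behavioral1/memory/2356-14-0x0000000000400000-0x0000000000429000-memory.dmp upx
behavioral1/memory/2340-33-0x0000000000400000-0x0000000000429000-memory.dmp upx
behavioral1/memory/2876-54-0x0000000000400000-0x0000000000429000-memory.dmp upx
behavioral1/memory/2876-53-0x0000000000400000-0x0000000000429000-memory.dmp upx
"""

# Excerpt of the WriteProcessMemory rows. The sandbox logs each parent->child
# write more than once, so the parser deduplicates.
WPM_ROWS = """\
PID 1800 wrote to memory of 2356 1800 297b6597f301075930743fb0b780d6d6b27880d27979fdb18292b1ed61d5c88eN.exe 30
PID 1800 wrote to memory of 2356 1800 297b6597f301075930743fb0b780d6d6b27880d27979fdb18292b1ed61d5c88eN.exe 30
PID 2356 wrote to memory of 3068 2356 fxllrxr.exe 31
PID 2356 wrote to memory of 3068 2356 fxllrxr.exe 31
PID 3068 wrote to memory of 2340 3068 hbthhb.exe 32
PID 2340 wrote to memory of 2408 2340 htttbh.exe 33
PID 2408 wrote to memory of 2876 2408 lfflrrr.exe 34
"""

# Excerpt of the "Executes dropped EXE" pid/process pairs.
DROPPED_EXE = "2356 fxllrxr.exe 3068 hbthhb.exe 2340 htttbh.exe 2408 lfflrrr.exe 2876 nnhbhh.exe"

YARA_RE = re.compile(
    r"memory/(\d+)-(\d+)-0x([0-9a-fA-F]+)-0x([0-9a-fA-F]+)-memory\.dmp\s+(\S+)")
WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) \d+")
# Heuristic read off this report only (not a vetted signature): an optional digit
# followed by 4-7 letters drawn from {b,d,f,h,j,l,n,p,r,t,v,x}, dropped in c:\ root.
DROPPED_NAME_RE = re.compile(r"^[0-9]?[bdfhjlnprtvx]{4,7}\.exe$")


def parse_yara(text):
    """One dict per hit: pid, region bounds (ints) and the matching rule name."""
    return [{"pid": int(m[1]), "start": int(m[3], 16),
             "end": int(m[4], 16), "rule": m[5]} for m in YARA_RE.finditer(text)]


def rules_by_pid(hits):
    """PID -> set of rule names, to spot PIDs with a UPX hit but no family hit."""
    out = defaultdict(set)
    for h in hits:
        out[h["pid"]].add(h["rule"])
    return dict(out)


def region_shapes(hits):
    """Distinct (base, size) pairs across all hits; one pair means one mapped image."""
    return sorted({(h["start"], h["end"] - h["start"]) for h in hits})


def parse_wpm(text):
    """Deduplicated (parent_pid, child_pid, parent_image) edges, in report order."""
    edges = []
    for m in WPM_RE.finditer(text):
        edge = (int(m[1]), int(m[2]), m[3])
        if edge not in edges:
            edges.append(edge)
    return edges


def children_map(edges):
    kids = defaultdict(list)
    for parent, child, _ in edges:
        kids[parent].append(child)
    return kids


def process_chain(edges, root):
    """Follow parent->child edges from root while the chain stays linear and acyclic."""
    kids = children_map(edges)
    chain, pid, seen = [root], root, {root}
    while len(kids[pid]) == 1 and kids[pid][0] not in seen:
        pid = kids[pid][0]
        seen.add(pid)
        chain.append(pid)
    return chain


def writes_only_to_own_child(edges):
    """True when every writer touched exactly one target: creation, not foreign injection."""
    return all(len(v) == 1 for v in children_map(edges).values())


def parse_dropped(text):
    """'pid name pid name ...' -> {pid: name}."""
    toks = text.split()
    return {int(toks[i]): toks[i + 1] for i in range(0, len(toks) - 1, 2)}


def names_matching_pattern(pid_to_name):
    """Subset of dropped files whose names fit the restricted-alphabet heuristic."""
    return {p: n for p, n in pid_to_name.items() if DROPPED_NAME_RE.match(n)}


if __name__ == "__main__":
    hits = parse_yara(YARA_HITS)
    print("regions:", [(hex(b), hex(s)) for b, s in region_shapes(hits)])
    print("rules by pid:", rules_by_pid(hits))
    edges = parse_wpm(WPM_ROWS)
    print("chain:", process_chain(edges, 1800))
    print("writes only to own child:", writes_only_to_own_child(edges))
    print("pattern hits:", names_matching_pattern(parse_dropped(DROPPED_EXE)))
```

Run as-is it reports a single (0x400000, 0x29000) region, shows PID 2876 with only the upx rule, rebuilds the chain 1800 -> 2356 -> 3068 -> 2340 -> 2408 -> 2876, and confirms that no parent wrote into anything but its own child. To apply it to the full report, paste the complete section bodies into the three constants; the parsers do not depend on the excerpt length.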
Processes
Each entry is one level of the process tree: depth, PID, image, signatures. The chain is strictly linear, every stage starts exactly one child and then exits. PIDs are reused further down the chain (for example 2228 at depths 22 and 59, 1972 at 46 and 86, 1632 at 23 and 99, 2596 at 60 and 100, 628 at 25 and 101, 2532 at 28 and 105, 2148 at 33 and 111, 2892 at 37 and 115, 2772 at 40 and 118, 2624 at 81 and 120), so a stage should be keyed by depth, not by PID alone. The "Executes dropped EXE" and "Suspicious use of WriteProcessMemory" signatures are capped at 64 IoCs each, so their absence after depths 65 and 16 respectively reflects the cap, not a change in behaviour. The listing ends at depth 122, but processes named in the language-discovery rows (vjjdd.exe, rrxfrlx.exe, btttth.exe and others) do not appear in it, so the chain kept going for the rest of the 120 s run.

  1  PID 1800  C:\Users\Admin\AppData\Local\Temp\297b6597f301075930743fb0b780d6d6b27880d27979fdb18292b1ed61d5c88eN.exe  [Suspicious use of WriteProcessMemory]
  2  PID 2356  \??\c:\fxllrxr.exe  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
  3  PID 3068  \??\c:\hbthhb.exe  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
  4  PID 2340  \??\c:\htttbh.exe  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
  5  PID 2408  \??\c:\lfflrrr.exe  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
  6  PID 2876  \??\c:\nnhbhh.exe  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
  7  PID 2744  \??\c:\pjvvj.exe  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
  8  PID 2912  \??\c:\jdpvj.exe  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
  9  PID 2660  \??\c:\xrllflx.exe  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
 10  PID 2644  \??\c:\bnbhtt.exe  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
 11  PID 2664  \??\c:\5vjpd.exe  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
 12  PID 560   \??\c:\7pppv.exe  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
 13  PID 492   \??\c:\xrxlffr.exe  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
 14  PID 604   \??\c:\btnnbb.exe  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
 15  PID 1488  \??\c:\hhbnnt.exe  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
 16  PID 784   \??\c:\dvvvd.exe  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
 17  PID 2364  \??\c:\1xrfrlf.exe  [Executes dropped EXE]
 18  PID 1828  \??\c:\xrxxflx.exe  [Executes dropped EXE]
 19  PID 2476  \??\c:\nhbbtb.exe  [Executes dropped EXE]
 20  PID 1428  \??\c:\7pdvv.exe  [Executes dropped EXE]
 21  PID 2116  \??\c:\jvjdj.exe  [Executes dropped EXE]
 22  PID 2228  \??\c:\9lfxxxf.exe  [Executes dropped EXE]
 23  PID 1632  \??\c:\bththn.exe  [Executes dropped EXE]
 24  PID 600   \??\c:\hbhnnn.exe  [Executes dropped EXE]
 25  PID 628   \??\c:\3jdjp.exe  [Executes dropped EXE]
 26  PID 1912  \??\c:\ddvvj.exe  [Executes dropped EXE]
 27  PID 2248  \??\c:\xfxlfxl.exe  [Executes dropped EXE]
 28  PID 2532  \??\c:\lxllxxf.exe  [Executes dropped EXE]
 29  PID 2492  \??\c:\vppvd.exe  [Executes dropped EXE]
 30  PID 2000  \??\c:\pdppv.exe  [Executes dropped EXE]
 31  PID 1824  \??\c:\3ppvv.exe  [Executes dropped EXE]
 32  PID 1140  \??\c:\1ffrrff.exe  [Executes dropped EXE]
 33  PID 2148  \??\c:\btbbhn.exe  [Executes dropped EXE]
 34  PID 2540  \??\c:\7tttth.exe  [Executes dropped EXE]
 35  PID 2800  \??\c:\dvpdv.exe  [Executes dropped EXE]
 36  PID 2720  \??\c:\vjppd.exe  [Executes dropped EXE]
 37  PID 2892  \??\c:\lxfxlll.exe  [Executes dropped EXE]
 38  PID 2764  \??\c:\xrrrllx.exe  [Executes dropped EXE]
 39  PID 2336  \??\c:\nhbnnn.exe  [Executes dropped EXE]
 40  PID 2772  \??\c:\9nnthn.exe  [Executes dropped EXE]
 41  PID 2920  \??\c:\1vjjv.exe  [Executes dropped EXE]
 42  PID 2900  \??\c:\jddjp.exe  [Executes dropped EXE]
 43  PID 2632  \??\c:\frxrxfx.exe  [Executes dropped EXE]
 44  PID 2908  \??\c:\5xrfrlx.exe  [Executes dropped EXE]
 45  PID 524   \??\c:\nhhthn.exe  [Executes dropped EXE]
 46  PID 1972  \??\c:\tttbht.exe  [Executes dropped EXE]
 47  PID 2680  \??\c:\dppdj.exe  [Executes dropped EXE]
 48  PID 268   \??\c:\dvppp.exe  [Executes dropped EXE]
 49  PID 2600  \??\c:\xrlrfxr.exe  [Executes dropped EXE]
 50  PID 1656  \??\c:\bbthbn.exe  [Executes dropped EXE]
 51  PID 2820  \??\c:\vjdjd.exe  [Executes dropped EXE]
 52  PID 2972  \??\c:\vppvj.exe  [Executes dropped EXE]
 53  PID 1368  \??\c:\llflrrf.exe  [Executes dropped EXE]
 54  PID 2196  \??\c:\rrxxlxl.exe  [Executes dropped EXE]
 55  PID 2112  \??\c:\ttnbhh.exe  [Executes dropped EXE]
 56  PID 1640  \??\c:\htnnth.exe  [Executes dropped EXE]
 57  PID 2272  \??\c:\pppvd.exe  [Executes dropped EXE]
 58  PID 1356  \??\c:\vpdvv.exe  [Executes dropped EXE]
 59  PID 2228  \??\c:\xrlxxfr.exe  [Executes dropped EXE]
 60  PID 2596  \??\c:\rrlrfrl.exe  [Executes dropped EXE]
 61  PID 1756  \??\c:\hhtbnh.exe  [Executes dropped EXE]
 62  PID 1392  \??\c:\7pjjj.exe  [Executes dropped EXE]
 63  PID 1092  \??\c:\djjdv.exe  [Executes dropped EXE]
 64  PID 1660  \??\c:\fxxfflr.exe  [Executes dropped EXE]
 65  PID 1872  \??\c:\lfxfrlx.exe  [Executes dropped EXE]
 66  PID 2576  \??\c:\hhnnbb.exe
 67  PID 1228  \??\c:\vvddd.exe
 68  PID 756   \??\c:\pjppd.exe
 69  PID 1732  \??\c:\fxxfxlx.exe
 70  PID 2128  \??\c:\3lrlfxf.exe
 71  PID 2348  \??\c:\bhhtht.exe
 72  PID 1616  \??\c:\9tthbb.exe
 73  PID 2064  \??\c:\vppvp.exe
 74  PID 2480  \??\c:\dvpjp.exe
 75  PID 2484  \??\c:\7frfxrx.exe
 76  PID 3012  \??\c:\3hbhtt.exe  [System Location Discovery: System Language Discovery]
 77  PID 3004  \??\c:\ttnbth.exe
 78  PID 2648  \??\c:\vpjvd.exe
 79  PID 2636  \??\c:\pdvvd.exe
 80  PID 2896  \??\c:\xrrrflx.exe
 81  PID 2624  \??\c:\lfxxflx.exe
 82  PID 2444  \??\c:\rlllrrx.exe
 83  PID 2780  \??\c:\5tnhbb.exe
 84  PID 664   \??\c:\vvjvd.exe
 85  PID 2808  \??\c:\5jjdd.exe  [System Location Discovery: System Language Discovery]
 86  PID 1972  \??\c:\lfllxfx.exe
 87  PID 936   \??\c:\9rrlrfr.exe
 88  PID 2824  \??\c:\nnnhnn.exe
 89  PID 1200  \??\c:\tnhnbn.exe
 90  PID 1760  \??\c:\jvjdp.exe
 91  PID 1220  \??\c:\jdppv.exe
 92  PID 3056  \??\c:\xrffllx.exe
 93  PID 2024  \??\c:\frlrxlr.exe
 94  PID 2176  \??\c:\xrffflr.exe  [System Location Discovery: System Language Discovery]
 95  PID 2068  \??\c:\7tnbbn.exe
 96  PID 1980  \??\c:\thnntt.exe
 97  PID 984   \??\c:\dvddj.exe
 98  PID 3020  \??\c:\jvjvv.exe
 99  PID 1632  \??\c:\lfrxflr.exe
100  PID 2596  \??\c:\fxxxflr.exe
101  PID 628   \??\c:\bbhbtn.exe
102  PID 2496  \??\c:\5nhhnn.exe
103  PID 344   \??\c:\dvjvp.exe
104  PID 2524  \??\c:\pjjpd.exe
105  PID 2532  \??\c:\rlrxlxr.exe
106  PID 872   \??\c:\xxxrxfl.exe
107  PID 1308  \??\c:\lfrrffx.exe
108  PID 3044  \??\c:\hnbhhn.exe
109  PID 1432  \??\c:\tnhnnt.exe
110  PID 2384  \??\c:\1pvpp.exe
111  PID 2148  \??\c:\pjvvj.exe
112  PID 2352  \??\c:\xrxxrrr.exe
113  PID 2264  \??\c:\rrllxlf.exe
114  PID 2932  \??\c:\5bbnbb.exe
115  PID 2892  \??\c:\bthhnn.exe
116  PID 2728  \??\c:\3vjjv.exe
117  PID 3000  \??\c:\9jddp.exe
118  PID 2772  \??\c:\lfffrrx.exe
119  PID 2860  \??\c:\lfxrlxr.exe
120  PID 2624  \??\c:\nbntbb.exe
121  PID 2608  \??\c:\hhtbbh.exe
122  PID 2324  \??\c:\dvjpd.exe