Analysis
-
max time kernel
120s -
max time network
19s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
11-09-2024 21:48
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
bfaba925143fe5b888b4fcccbe66a800N.exe
Resource
win7-20240903-en
windows7-x64
6 signatures
120 seconds
General
-
Target
bfaba925143fe5b888b4fcccbe66a800N.exe
-
Size
68KB
-
MD5
bfaba925143fe5b888b4fcccbe66a800
-
SHA1
05f82d1d603cf7adaabd62e7c5f8e39c0c42679e
-
SHA256
5dc23cf3f9e28d6923d50d11bb0dacb191a24d240a1a36a28781ca145b1ef958
-
SHA512
6955e220af497b33e7cbb3911ff2008871f8ac3f8874c4fd3ec28db70ef3506a6d92fd6b342ddf9030e097da432df9b015673805921913a59700d19c8d0c5b1c
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDIsIoAcb:ymb3NkkiQ3mdBjFIsIVcb
Malware Config
Signatures
-
Detect Blackmoon payload 20 IoCs
resource yara_rule behavioral1/memory/1568-10-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2208-28-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2948-23-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2384-37-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2740-56-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2656-61-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2656-67-0x0000000000401000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2568-79-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2660-92-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2124-106-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2932-115-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2356-124-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/1740-142-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/1484-151-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2912-170-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2980-205-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2044-214-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/1988-277-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/1176-286-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2656-329-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2948 vfbbt.exe 2208 hfddtr.exe 2384 jbnjj.exe 2740 phjtnp.exe 2656 nvrjp.exe 2568 djtplp.exe 2544 ftjjv.exe 2660 fvjdjjb.exe 2124 pvffr.exe 2932 lxphh.exe 2356 pjtbft.exe 2460 dlvdr.exe 1740 fnhfbp.exe 1484 xdrnjbt.exe 940 ntpbfn.exe 2912 txfjbp.exe 2328 xblnvv.exe 852 vtvvhjd.exe 1812 lvjxx.exe 2980 nhvjtpv.exe 2044 bpdnrxd.exe 1296 fvvjtrj.exe 1500 jvrfv.exe 1540 jfdbn.exe 976 xhhhjl.exe 2416 tbvjvr.exe 1676 blxhrld.exe 1988 txtdvf.exe 1176 trjvft.exe 308 hvxdfjh.exe 1692 nhrtdtj.exe 2252 tnvfxrn.exe 696 bvvtjvf.exe 2216 bdhlb.exe 3064 xjlnb.exe 2820 tntbp.exe 2684 vbtblnr.exe 2620 llnndbd.exe 2768 jjpfl.exe 2808 dddvflv.exe 2700 bfjnr.exe 2868 lrxnd.exe 2560 ptfffj.exe 3036 jfxjlhf.exe 3048 fnhljx.exe 2520 pdjhj.exe 3028 ldbnpdr.exe 1288 ttfxdrn.exe 2356 rnnjt.exe 1428 rbntfp.exe 2156 fvlfj.exe 1788 fdtrlx.exe 2528 lxvnhp.exe 940 rtbdp.exe 2840 xjhrt.exe 1108 vvbrp.exe 1624 ttphtt.exe 1820 xdnhnp.exe 2976 bjfjf.exe 2176 vbntf.exe 2344 plnrtv.exe 2128 pdvhbn.exe 2864 ndlfffp.exe 2000 nlnbdbn.exe -
resource yara_rule behavioral1/memory/1568-3-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1568-10-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2948-15-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2948-14-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2948-13-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2208-28-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2948-23-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2384-37-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2740-48-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2740-47-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2740-56-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2656-61-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2568-70-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2568-71-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2568-79-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2660-92-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2124-106-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2932-115-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2356-124-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1740-142-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1484-151-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2912-170-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2980-205-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2044-214-0x0000000000400000-0x0000000000429000-memory.dmp upx 
behavioral1/memory/1988-277-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1176-286-0x0000000000400000-0x0000000000429000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jbnjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jbxvlrt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xhxvx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xfdxpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nlhxpbx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xfldthb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hxndj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tvpjt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rhbrvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jfbfnpr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thpft.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnrfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvhfnr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xtrvjh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjhrlb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fjhndjb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhvjtpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pxbnf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jnpvxv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bxldvr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bjvnnl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tllxffh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jbpfdvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbfjpf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dftjtrt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hjxnjh.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ptfffj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vxxxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frdrvvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dxbnxh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language brthlxn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lhndbd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnjbln.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhtlxv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvbtf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bvlxtl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnxff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htxfjvv.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1568 wrote to memory of 2948 1568 bfaba925143fe5b888b4fcccbe66a800N.exe 29 PID 1568 wrote to memory of 2948 1568 bfaba925143fe5b888b4fcccbe66a800N.exe 29 PID 1568 wrote to memory of 2948 1568 bfaba925143fe5b888b4fcccbe66a800N.exe 29 PID 1568 wrote to memory of 2948 1568 bfaba925143fe5b888b4fcccbe66a800N.exe 29 PID 2948 wrote to memory of 2208 2948 vfbbt.exe 30 PID 2948 wrote to memory of 2208 2948 vfbbt.exe 30 PID 2948 wrote to memory of 2208 2948 vfbbt.exe 30 PID 2948 wrote to memory of 2208 2948 vfbbt.exe 30 PID 2208 wrote to memory of 2384 2208 hfddtr.exe 31 PID 2208 wrote to memory of 2384 2208 hfddtr.exe 31 PID 2208 wrote to memory of 2384 2208 hfddtr.exe 31 PID 2208 wrote to memory of 2384 2208 hfddtr.exe 31 PID 2384 wrote to memory of 2740 2384 jbnjj.exe 32 PID 2384 wrote to memory of 2740 2384 jbnjj.exe 32 PID 2384 wrote to memory of 2740 2384 jbnjj.exe 32 PID 2384 wrote to memory of 2740 2384 jbnjj.exe 32 PID 2740 wrote to memory of 2656 2740 phjtnp.exe 33 PID 2740 wrote to memory of 2656 2740 phjtnp.exe 33 PID 2740 wrote to memory of 2656 2740 phjtnp.exe 33 PID 2740 wrote to memory of 2656 2740 phjtnp.exe 33 PID 2656 wrote to memory of 2568 2656 nvrjp.exe 34 PID 2656 wrote to memory of 2568 2656 nvrjp.exe 34 PID 2656 wrote to memory of 2568 2656 nvrjp.exe 34 PID 2656 wrote to memory of 2568 2656 nvrjp.exe 34 PID 2568 wrote to memory of 2544 2568 djtplp.exe 35 PID 2568 wrote to memory of 2544 2568 djtplp.exe 35 PID 2568 wrote to memory of 2544 2568 djtplp.exe 35 PID 2568 wrote to memory of 2544 2568 djtplp.exe 35 PID 2544 wrote to memory of 2660 2544 ftjjv.exe 36 PID 2544 wrote to memory of 2660 2544 ftjjv.exe 36 PID 2544 wrote to memory of 2660 2544 ftjjv.exe 36 PID 2544 wrote to memory of 2660 2544 ftjjv.exe 36 PID 2660 wrote to memory of 2124 2660 fvjdjjb.exe 37 PID 2660 wrote to memory of 2124 2660 fvjdjjb.exe 37 PID 2660 wrote to memory of 2124 2660 fvjdjjb.exe 37 PID 2660 wrote to memory of 2124 2660 
fvjdjjb.exe 37 PID 2124 wrote to memory of 2932 2124 pvffr.exe 38 PID 2124 wrote to memory of 2932 2124 pvffr.exe 38 PID 2124 wrote to memory of 2932 2124 pvffr.exe 38 PID 2124 wrote to memory of 2932 2124 pvffr.exe 38 PID 2932 wrote to memory of 2356 2932 lxphh.exe 39 PID 2932 wrote to memory of 2356 2932 lxphh.exe 39 PID 2932 wrote to memory of 2356 2932 lxphh.exe 39 PID 2932 wrote to memory of 2356 2932 lxphh.exe 39 PID 2356 wrote to memory of 2460 2356 pjtbft.exe 40 PID 2356 wrote to memory of 2460 2356 pjtbft.exe 40 PID 2356 wrote to memory of 2460 2356 pjtbft.exe 40 PID 2356 wrote to memory of 2460 2356 pjtbft.exe 40 PID 2460 wrote to memory of 1740 2460 dlvdr.exe 41 PID 2460 wrote to memory of 1740 2460 dlvdr.exe 41 PID 2460 wrote to memory of 1740 2460 dlvdr.exe 41 PID 2460 wrote to memory of 1740 2460 dlvdr.exe 41 PID 1740 wrote to memory of 1484 1740 fnhfbp.exe 42 PID 1740 wrote to memory of 1484 1740 fnhfbp.exe 42 PID 1740 wrote to memory of 1484 1740 fnhfbp.exe 42 PID 1740 wrote to memory of 1484 1740 fnhfbp.exe 42 PID 1484 wrote to memory of 940 1484 xdrnjbt.exe 43 PID 1484 wrote to memory of 940 1484 xdrnjbt.exe 43 PID 1484 wrote to memory of 940 1484 xdrnjbt.exe 43 PID 1484 wrote to memory of 940 1484 xdrnjbt.exe 43 PID 940 wrote to memory of 2912 940 ntpbfn.exe 44 PID 940 wrote to memory of 2912 940 ntpbfn.exe 44 PID 940 wrote to memory of 2912 940 ntpbfn.exe 44 PID 940 wrote to memory of 2912 940 ntpbfn.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\bfaba925143fe5b888b4fcccbe66a800N.exe"C:\Users\Admin\AppData\Local\Temp\bfaba925143fe5b888b4fcccbe66a800N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1568 -
\??\c:\vfbbt.exec:\vfbbt.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2948 -
\??\c:\hfddtr.exec:\hfddtr.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2208 -
\??\c:\jbnjj.exec:\jbnjj.exe4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2384 -
\??\c:\phjtnp.exec:\phjtnp.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2740 -
\??\c:\nvrjp.exec:\nvrjp.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2656 -
\??\c:\djtplp.exec:\djtplp.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2568 -
\??\c:\ftjjv.exec:\ftjjv.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2544 -
\??\c:\fvjdjjb.exec:\fvjdjjb.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2660 -
\??\c:\pvffr.exec:\pvffr.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2124 -
\??\c:\lxphh.exec:\lxphh.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2932 -
\??\c:\pjtbft.exec:\pjtbft.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2356 -
\??\c:\dlvdr.exec:\dlvdr.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2460 -
\??\c:\fnhfbp.exec:\fnhfbp.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1740 -
\??\c:\xdrnjbt.exec:\xdrnjbt.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1484 -
\??\c:\ntpbfn.exec:\ntpbfn.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:940 -
\??\c:\txfjbp.exec:\txfjbp.exe17⤵
- Executes dropped EXE
PID:2912 -
\??\c:\xblnvv.exec:\xblnvv.exe18⤵
- Executes dropped EXE
PID:2328 -
\??\c:\vtvvhjd.exec:\vtvvhjd.exe19⤵
- Executes dropped EXE
PID:852 -
\??\c:\lvjxx.exec:\lvjxx.exe20⤵
- Executes dropped EXE
PID:1812 -
\??\c:\nhvjtpv.exec:\nhvjtpv.exe21⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2980 -
\??\c:\bpdnrxd.exec:\bpdnrxd.exe22⤵
- Executes dropped EXE
PID:2044 -
\??\c:\fvvjtrj.exec:\fvvjtrj.exe23⤵
- Executes dropped EXE
PID:1296 -
\??\c:\jvrfv.exec:\jvrfv.exe24⤵
- Executes dropped EXE
PID:1500 -
\??\c:\jfdbn.exec:\jfdbn.exe25⤵
- Executes dropped EXE
PID:1540 -
\??\c:\xhhhjl.exec:\xhhhjl.exe26⤵
- Executes dropped EXE
PID:976 -
\??\c:\tbvjvr.exec:\tbvjvr.exe27⤵
- Executes dropped EXE
PID:2416 -
\??\c:\blxhrld.exec:\blxhrld.exe28⤵
- Executes dropped EXE
PID:1676 -
\??\c:\txtdvf.exec:\txtdvf.exe29⤵
- Executes dropped EXE
PID:1988 -
\??\c:\trjvft.exec:\trjvft.exe30⤵
- Executes dropped EXE
PID:1176 -
\??\c:\hvxdfjh.exec:\hvxdfjh.exe31⤵
- Executes dropped EXE
PID:308 -
\??\c:\nhrtdtj.exec:\nhrtdtj.exe32⤵
- Executes dropped EXE
PID:1692 -
\??\c:\tnvfxrn.exec:\tnvfxrn.exe33⤵
- Executes dropped EXE
PID:2252 -
\??\c:\bvvtjvf.exec:\bvvtjvf.exe34⤵
- Executes dropped EXE
PID:696 -
\??\c:\bdhlb.exec:\bdhlb.exe35⤵
- Executes dropped EXE
PID:2216 -
\??\c:\xjlnb.exec:\xjlnb.exe36⤵
- Executes dropped EXE
PID:3064 -
\??\c:\tntbp.exec:\tntbp.exe37⤵
- Executes dropped EXE
PID:2820 -
\??\c:\vbtblnr.exec:\vbtblnr.exe38⤵
- Executes dropped EXE
PID:2684 -
\??\c:\llnndbd.exec:\llnndbd.exe39⤵
- Executes dropped EXE
PID:2620 -
\??\c:\jjpfl.exec:\jjpfl.exe40⤵
- Executes dropped EXE
PID:2768 -
\??\c:\dddvflv.exec:\dddvflv.exe41⤵
- Executes dropped EXE
PID:2808 -
\??\c:\bfjnr.exec:\bfjnr.exe42⤵
- Executes dropped EXE
PID:2700 -
\??\c:\lrxnd.exec:\lrxnd.exe43⤵
- Executes dropped EXE
PID:2868 -
\??\c:\ptfffj.exec:\ptfffj.exe44⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2560 -
\??\c:\jfxjlhf.exec:\jfxjlhf.exe45⤵
- Executes dropped EXE
PID:3036 -
\??\c:\fnhljx.exec:\fnhljx.exe46⤵
- Executes dropped EXE
PID:3048 -
\??\c:\pdjhj.exec:\pdjhj.exe47⤵
- Executes dropped EXE
PID:2520 -
\??\c:\ldbnpdr.exec:\ldbnpdr.exe48⤵
- Executes dropped EXE
PID:3028 -
\??\c:\ttfxdrn.exec:\ttfxdrn.exe49⤵
- Executes dropped EXE
PID:1288 -
\??\c:\rnnjt.exec:\rnnjt.exe50⤵
- Executes dropped EXE
PID:2356 -
\??\c:\rbntfp.exec:\rbntfp.exe51⤵
- Executes dropped EXE
PID:1428 -
\??\c:\fvlfj.exec:\fvlfj.exe52⤵
- Executes dropped EXE
PID:2156 -
\??\c:\fdtrlx.exec:\fdtrlx.exe53⤵
- Executes dropped EXE
PID:1788 -
\??\c:\lxvnhp.exec:\lxvnhp.exe54⤵
- Executes dropped EXE
PID:2528 -
\??\c:\rtbdp.exec:\rtbdp.exe55⤵
- Executes dropped EXE
PID:940 -
\??\c:\xjhrt.exec:\xjhrt.exe56⤵
- Executes dropped EXE
PID:2840 -
\??\c:\vvbrp.exec:\vvbrp.exe57⤵
- Executes dropped EXE
PID:1108 -
\??\c:\ttphtt.exec:\ttphtt.exe58⤵
- Executes dropped EXE
PID:1624 -
\??\c:\xdnhnp.exec:\xdnhnp.exe59⤵
- Executes dropped EXE
PID:1820 -
\??\c:\bjfjf.exec:\bjfjf.exe60⤵
- Executes dropped EXE
PID:2976 -
\??\c:\vbntf.exec:\vbntf.exe61⤵
- Executes dropped EXE
PID:2176 -
\??\c:\plnrtv.exec:\plnrtv.exe62⤵
- Executes dropped EXE
PID:2344 -
\??\c:\pdvhbn.exec:\pdvhbn.exe63⤵
- Executes dropped EXE
PID:2128 -
\??\c:\ndlfffp.exec:\ndlfffp.exe64⤵
- Executes dropped EXE
PID:2864 -
\??\c:\nlnbdbn.exec:\nlnbdbn.exe65⤵
- Executes dropped EXE
PID:2000 -
\??\c:\jlrfp.exec:\jlrfp.exe66⤵PID:1060
-
\??\c:\lhjflb.exec:\lhjflb.exe67⤵PID:1724
-
\??\c:\nhfrhj.exec:\nhfrhj.exe68⤵PID:2148
-
\??\c:\vlhhd.exec:\vlhhd.exe69⤵PID:2396
-
\??\c:\xntfbhp.exec:\xntfbhp.exe70⤵PID:1676
-
\??\c:\jnjnj.exec:\jnjnj.exe71⤵PID:1076
-
\??\c:\tjfjnxv.exec:\tjfjnxv.exe72⤵PID:2300
-
\??\c:\fhndv.exec:\fhndv.exe73⤵PID:1656
-
\??\c:\bbdnb.exec:\bbdnb.exe74⤵PID:1536
-
\??\c:\ddhntrf.exec:\ddhntrf.exe75⤵PID:876
-
\??\c:\jrplbj.exec:\jrplbj.exe76⤵PID:1104
-
\??\c:\xlnvfl.exec:\xlnvfl.exe77⤵PID:2096
-
\??\c:\bhllnl.exec:\bhllnl.exe78⤵PID:2268
-
\??\c:\rhphtj.exec:\rhphtj.exe79⤵PID:3064
-
\??\c:\xthprbj.exec:\xthprbj.exe80⤵PID:2032
-
\??\c:\bfnrn.exec:\bfnrn.exe81⤵PID:2744
-
\??\c:\dxdpxfn.exec:\dxdpxfn.exe82⤵PID:2692
-
\??\c:\xndxvv.exec:\xndxvv.exe83⤵PID:2740
-
\??\c:\hlvfhpr.exec:\hlvfhpr.exe84⤵PID:2900
-
\??\c:\dnvjhnx.exec:\dnvjhnx.exe85⤵PID:2588
-
\??\c:\dltvjll.exec:\dltvjll.exe86⤵PID:3068
-
\??\c:\nrdxff.exec:\nrdxff.exe87⤵PID:1992
-
\??\c:\dttxxhb.exec:\dttxxhb.exe88⤵PID:3048
-
\??\c:\phlhrb.exec:\phlhrb.exe89⤵PID:2520
-
\??\c:\lprjllj.exec:\lprjllj.exe90⤵PID:1868
-
\??\c:\lntjj.exec:\lntjj.exe91⤵PID:3028
-
\??\c:\nvbpv.exec:\nvbpv.exe92⤵PID:2828
-
\??\c:\nnpxdf.exec:\nnpxdf.exe93⤵PID:956
-
\??\c:\bfbhtbv.exec:\bfbhtbv.exe94⤵PID:2052
-
\??\c:\vtnjbpv.exec:\vtnjbpv.exe95⤵PID:1772
-
\??\c:\htlbtf.exec:\htlbtf.exe96⤵PID:1384
-
\??\c:\nlhvfjd.exec:\nlhvfjd.exe97⤵PID:2856
-
\??\c:\vtxffv.exec:\vtxffv.exe98⤵PID:2824
-
\??\c:\rlvtbvv.exec:\rlvtbvv.exe99⤵PID:692
-
\??\c:\xprhf.exec:\xprhf.exe100⤵PID:1056
-
\??\c:\hpjvv.exec:\hpjvv.exe101⤵PID:1120
-
\??\c:\lpxfr.exec:\lpxfr.exe102⤵PID:2224
-
\??\c:\jhtbdj.exec:\jhtbdj.exe103⤵PID:2036
-
\??\c:\ffjph.exec:\ffjph.exe104⤵PID:2164
-
\??\c:\xxrblj.exec:\xxrblj.exe105⤵PID:2344
-
\??\c:\fptdp.exec:\fptdp.exe106⤵PID:832
-
\??\c:\ptrttv.exec:\ptrttv.exe107⤵PID:2492
-
\??\c:\bdlnr.exec:\bdlnr.exe108⤵PID:928
-
\??\c:\vfddnj.exec:\vfddnj.exe109⤵PID:1572
-
\??\c:\tprpvfd.exec:\tprpvfd.exe110⤵PID:1744
-
\??\c:\nrnhdlf.exec:\nrnhdlf.exe111⤵PID:1976
-
\??\c:\jthxnb.exec:\jthxnb.exe112⤵PID:1256
-
\??\c:\bvfpdrn.exec:\bvfpdrn.exe113⤵PID:1676
-
\??\c:\xvxfbtp.exec:\xvxfbtp.exe114⤵PID:1732
-
\??\c:\txtnj.exec:\txtnj.exe115⤵PID:2836
-
\??\c:\pxfln.exec:\pxfln.exe116⤵PID:888
-
\??\c:\nlppvf.exec:\nlppvf.exe117⤵PID:1568
-
\??\c:\dppnh.exec:\dppnh.exe118⤵PID:536
-
\??\c:\jjrhtxr.exec:\jjrhtxr.exe119⤵PID:2064
-
\??\c:\lrlthv.exec:\lrlthv.exe120⤵PID:2016
-
\??\c:\fnbjfd.exec:\fnbjfd.exe121⤵PID:936
-
\??\c:\nbfhlxf.exec:\nbfhlxf.exe122⤵PID:1716
-