Analysis
-
max time kernel
150s -
max time network
126s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system -
submitted
17/10/2024, 13:42
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
db165ebd56453dd365534af7bd38970ad903cf4851a7356bce9a3bd1671e9c87N.exe
Resource
win7-20241010-en
6 signatures
150 seconds
General
-
Target
db165ebd56453dd365534af7bd38970ad903cf4851a7356bce9a3bd1671e9c87N.exe
-
Size
66KB
-
MD5
1c92d3d625902c12c664fa6e4740d560
-
SHA1
da1f88e951cdacc56e3df95a3df4aea8c934170a
-
SHA256
db165ebd56453dd365534af7bd38970ad903cf4851a7356bce9a3bd1671e9c87
-
SHA512
61ba8905cbd610725ddd2c6007cae9f63690631464988f85e721ca23ba409a34865ff0288a11982ed89de652b50ba6ea1094fbff3551f4997e096e2a27d6445a
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxND0yU+kbxes:ymb3NkkiQ3mdBjF0y7kbUs
Malware Config
Signatures
-
Detect Blackmoon payload 21 IoCs
Note: every hit below is the same 0x00400000-0x00429000 region, one per dropped process, so the family rule is matching the in-memory image rather than any unique on-disk artifact. Those same regions also match the `upx` yara rule further down, so the on-disk file is presumably UPX-packed and the family attribution rests on the unpacked memory dump — confirm against the static task before relying on it.
resource yara_rule behavioral1/memory/1728-4-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2536-14-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2268-24-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2856-47-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2488-43-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/3036-68-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2708-86-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2636-98-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/1456-107-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2572-115-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/460-142-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2020-151-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/1908-161-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2520-187-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/3048-196-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/940-206-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/996-215-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2448-241-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/1156-277-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2460-286-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/1472-295-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2536 hrrbjpf.exe 2268 xpvpx.exe 2488 hnpfn.exe 2856 jhjdv.exe 2868 drdlbfp.exe 3036 fvrjbr.exe 2708 vnpxdp.exe 2636 jddjvx.exe 1456 hxxllxl.exe 2572 pvnpnht.exe 2900 vflfvdd.exe 2888 tpjxj.exe 460 xfjhxlf.exe 2020 plfrv.exe 1908 fxhfhxp.exe 2508 fjbdvl.exe 2084 xrflth.exe 2520 ffhxb.exe 3048 jxdrlbn.exe 940 lhlvhv.exe 996 vrflhxp.exe 1148 nftfpjl.exe 1956 pfdjv.exe 2448 fhxtrh.exe 3060 hrrbl.exe 700 blbrjvf.exe 2540 vdjjvpr.exe 1156 xhjll.exe 2460 ldprlh.exe 1472 jlllxv.exe 2532 dhbbpv.exe 2780 frxpxdb.exe 1596 vfnftrv.exe 1300 drrlxbt.exe 2368 rxjlxt.exe 1644 rbjtf.exe 1648 vrldx.exe 2136 vdnhdjn.exe 2876 vrfdvpl.exe 2592 jxrhbh.exe 2672 vjxlj.exe 2644 rfvfnrx.exe 2764 tbrjh.exe 2952 rfntd.exe 2652 httptn.exe 2684 rpblrn.exe 2960 fbbbttn.exe 2924 rbbjr.exe 1280 tfdxp.exe 2124 jxfpr.exe 828 hbhtxd.exe 2068 nplnrlt.exe 1116 pllnx.exe 2204 dptjtl.exe 3004 bbdhhft.exe 1308 dtlft.exe 3024 rrxptph.exe 600 bfbtr.exe 1200 jvdddj.exe 1148 ppnpxv.exe 644 phjlhr.exe 1548 ntddhd.exe 628 hbxxhh.exe 3060 tjtlvnt.exe -
resource yara_rule behavioral1/memory/1728-4-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2536-14-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2268-24-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2488-34-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2488-33-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2856-47-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2488-43-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2868-56-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2868-55-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/3036-68-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2708-77-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2708-76-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2708-86-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2636-89-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2636-88-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2636-98-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1456-107-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2572-115-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/460-142-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2020-151-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1908-161-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2520-187-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/3048-196-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/940-206-0x0000000000400000-0x0000000000429000-memory.dmp upx 
behavioral1/memory/996-215-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2448-241-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1156-277-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2460-286-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1472-295-0x0000000000400000-0x0000000000429000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
Note: all 64 entries are opens of the same key, \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by the dropped executables. Rows whose process reads "Process not Found" are events the sandbox could not map back to an image name (presumably because that process had already exited by the time the event was attributed); they should not be read as a separate, unidentified actor.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddhpnbv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fvrrrj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vrpxh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrvfj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjtxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ljxlhr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvhnblv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhbdn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xvpnvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfjvxfd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not 
Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ndhnjl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rnnht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrpldxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhnfxld.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tjtlvnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dndnfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language txrhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bpbppxt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nfnnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbhfjfb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nlrfx.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttrxprh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbxnrv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rjbvn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xfxbf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hvxxpjf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xjhpl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rnrrxlj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vbbhr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdbpfbd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
Note: every recorded write goes from a parent into the child it has just spawned (1728 → 2536 → 2268 → 2488 → …), four writes per pair and none into a pre-existing or unrelated process, so this looks like process-start writes along the drop chain rather than injection into a third-party process. The list is capped at 64 entries and stops at fxhfhxp.exe → fjbdvl.exe; the chain itself continues in the process tree below.
description pid Process procid_target PID 1728 wrote to memory of 2536 1728 db165ebd56453dd365534af7bd38970ad903cf4851a7356bce9a3bd1671e9c87N.exe 31 PID 1728 wrote to memory of 2536 1728 db165ebd56453dd365534af7bd38970ad903cf4851a7356bce9a3bd1671e9c87N.exe 31 PID 1728 wrote to memory of 2536 1728 db165ebd56453dd365534af7bd38970ad903cf4851a7356bce9a3bd1671e9c87N.exe 31 PID 1728 wrote to memory of 2536 1728 db165ebd56453dd365534af7bd38970ad903cf4851a7356bce9a3bd1671e9c87N.exe 31 PID 2536 wrote to memory of 2268 2536 hrrbjpf.exe 32 PID 2536 wrote to memory of 2268 2536 hrrbjpf.exe 32 PID 2536 wrote to memory of 2268 2536 hrrbjpf.exe 32 PID 2536 wrote to memory of 2268 2536 hrrbjpf.exe 32 PID 2268 wrote to memory of 2488 2268 xpvpx.exe 33 PID 2268 wrote to memory of 2488 2268 xpvpx.exe 33 PID 2268 wrote to memory of 2488 2268 xpvpx.exe 33 PID 2268 wrote to memory of 2488 2268 xpvpx.exe 33 PID 2488 wrote to memory of 2856 2488 hnpfn.exe 34 PID 2488 wrote to memory of 2856 2488 hnpfn.exe 34 PID 2488 wrote to memory of 2856 2488 hnpfn.exe 34 PID 2488 wrote to memory of 2856 2488 hnpfn.exe 34 PID 2856 wrote to memory of 2868 2856 jhjdv.exe 35 PID 2856 wrote to memory of 2868 2856 jhjdv.exe 35 PID 2856 wrote to memory of 2868 2856 jhjdv.exe 35 PID 2856 wrote to memory of 2868 2856 jhjdv.exe 35 PID 2868 wrote to memory of 3036 2868 drdlbfp.exe 36 PID 2868 wrote to memory of 3036 2868 drdlbfp.exe 36 PID 2868 wrote to memory of 3036 2868 drdlbfp.exe 36 PID 2868 wrote to memory of 3036 2868 drdlbfp.exe 36 PID 3036 wrote to memory of 2708 3036 fvrjbr.exe 37 PID 3036 wrote to memory of 2708 3036 fvrjbr.exe 37 PID 3036 wrote to memory of 2708 3036 fvrjbr.exe 37 PID 3036 wrote to memory of 2708 3036 fvrjbr.exe 37 PID 2708 wrote to memory of 2636 2708 vnpxdp.exe 38 PID 2708 wrote to memory of 2636 2708 vnpxdp.exe 38 PID 2708 wrote to memory of 2636 2708 vnpxdp.exe 38 PID 2708 wrote to memory of 2636 2708 vnpxdp.exe 38 PID 2636 wrote to memory of 1456 2636 jddjvx.exe 39 PID 2636 
wrote to memory of 1456 2636 jddjvx.exe 39 PID 2636 wrote to memory of 1456 2636 jddjvx.exe 39 PID 2636 wrote to memory of 1456 2636 jddjvx.exe 39 PID 1456 wrote to memory of 2572 1456 hxxllxl.exe 40 PID 1456 wrote to memory of 2572 1456 hxxllxl.exe 40 PID 1456 wrote to memory of 2572 1456 hxxllxl.exe 40 PID 1456 wrote to memory of 2572 1456 hxxllxl.exe 40 PID 2572 wrote to memory of 2900 2572 pvnpnht.exe 41 PID 2572 wrote to memory of 2900 2572 pvnpnht.exe 41 PID 2572 wrote to memory of 2900 2572 pvnpnht.exe 41 PID 2572 wrote to memory of 2900 2572 pvnpnht.exe 41 PID 2900 wrote to memory of 2888 2900 vflfvdd.exe 42 PID 2900 wrote to memory of 2888 2900 vflfvdd.exe 42 PID 2900 wrote to memory of 2888 2900 vflfvdd.exe 42 PID 2900 wrote to memory of 2888 2900 vflfvdd.exe 42 PID 2888 wrote to memory of 460 2888 tpjxj.exe 43 PID 2888 wrote to memory of 460 2888 tpjxj.exe 43 PID 2888 wrote to memory of 460 2888 tpjxj.exe 43 PID 2888 wrote to memory of 460 2888 tpjxj.exe 43 PID 460 wrote to memory of 2020 460 xfjhxlf.exe 44 PID 460 wrote to memory of 2020 460 xfjhxlf.exe 44 PID 460 wrote to memory of 2020 460 xfjhxlf.exe 44 PID 460 wrote to memory of 2020 460 xfjhxlf.exe 44 PID 2020 wrote to memory of 1908 2020 plfrv.exe 45 PID 2020 wrote to memory of 1908 2020 plfrv.exe 45 PID 2020 wrote to memory of 1908 2020 plfrv.exe 45 PID 2020 wrote to memory of 1908 2020 plfrv.exe 45 PID 1908 wrote to memory of 2508 1908 fxhfhxp.exe 46 PID 1908 wrote to memory of 2508 1908 fxhfhxp.exe 46 PID 1908 wrote to memory of 2508 1908 fxhfhxp.exe 46 PID 1908 wrote to memory of 2508 1908 fxhfhxp.exe 46
Processes
Note: each stage is written to the root of C:\ under a short random lowercase name (\??\c:\hrrbjpf.exe, \??\c:\xpvpx.exe, …) and runs the next stage as its child, giving a tree more than 120 levels deep within the 150 s run. Several PIDs recur (1148, 3060, 2636, 2572 and 1908 each appear twice), which indicates earlier stages had already exited and their PIDs were recycled — each stage is short-lived. Executables dropped directly into C:\ with names of this shape are a simple hunting indicator for this chain; none of the signatures shown here covers persistence or network activity, so neither is established by this report.
-
C:\Users\Admin\AppData\Local\Temp\db165ebd56453dd365534af7bd38970ad903cf4851a7356bce9a3bd1671e9c87N.exe"C:\Users\Admin\AppData\Local\Temp\db165ebd56453dd365534af7bd38970ad903cf4851a7356bce9a3bd1671e9c87N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1728 -
\??\c:\hrrbjpf.exec:\hrrbjpf.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2536 -
\??\c:\xpvpx.exec:\xpvpx.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2268 -
\??\c:\hnpfn.exec:\hnpfn.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2488 -
\??\c:\jhjdv.exec:\jhjdv.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2856 -
\??\c:\drdlbfp.exec:\drdlbfp.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2868 -
\??\c:\fvrjbr.exec:\fvrjbr.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3036 -
\??\c:\vnpxdp.exec:\vnpxdp.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2708 -
\??\c:\jddjvx.exec:\jddjvx.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2636 -
\??\c:\hxxllxl.exec:\hxxllxl.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1456 -
\??\c:\pvnpnht.exec:\pvnpnht.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2572 -
\??\c:\vflfvdd.exec:\vflfvdd.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2900 -
\??\c:\tpjxj.exec:\tpjxj.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2888 -
\??\c:\xfjhxlf.exec:\xfjhxlf.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:460 -
\??\c:\plfrv.exec:\plfrv.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2020 -
\??\c:\fxhfhxp.exec:\fxhfhxp.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1908 -
\??\c:\fjbdvl.exec:\fjbdvl.exe17⤵
- Executes dropped EXE
PID:2508 -
\??\c:\xrflth.exec:\xrflth.exe18⤵
- Executes dropped EXE
PID:2084 -
\??\c:\ffhxb.exec:\ffhxb.exe19⤵
- Executes dropped EXE
PID:2520 -
\??\c:\jxdrlbn.exec:\jxdrlbn.exe20⤵
- Executes dropped EXE
PID:3048 -
\??\c:\lhlvhv.exec:\lhlvhv.exe21⤵
- Executes dropped EXE
PID:940 -
\??\c:\vrflhxp.exec:\vrflhxp.exe22⤵
- Executes dropped EXE
PID:996 -
\??\c:\nftfpjl.exec:\nftfpjl.exe23⤵
- Executes dropped EXE
PID:1148 -
\??\c:\pfdjv.exec:\pfdjv.exe24⤵
- Executes dropped EXE
PID:1956 -
\??\c:\fhxtrh.exec:\fhxtrh.exe25⤵
- Executes dropped EXE
PID:2448 -
\??\c:\hrrbl.exec:\hrrbl.exe26⤵
- Executes dropped EXE
PID:3060 -
\??\c:\blbrjvf.exec:\blbrjvf.exe27⤵
- Executes dropped EXE
PID:700 -
\??\c:\vdjjvpr.exec:\vdjjvpr.exe28⤵
- Executes dropped EXE
PID:2540 -
\??\c:\xhjll.exec:\xhjll.exe29⤵
- Executes dropped EXE
PID:1156 -
\??\c:\ldprlh.exec:\ldprlh.exe30⤵
- Executes dropped EXE
PID:2460 -
\??\c:\jlllxv.exec:\jlllxv.exe31⤵
- Executes dropped EXE
PID:1472 -
\??\c:\dhbbpv.exec:\dhbbpv.exe32⤵
- Executes dropped EXE
PID:2532 -
\??\c:\frxpxdb.exec:\frxpxdb.exe33⤵
- Executes dropped EXE
PID:2780 -
\??\c:\vfnftrv.exec:\vfnftrv.exe34⤵
- Executes dropped EXE
PID:1596 -
\??\c:\drrlxbt.exec:\drrlxbt.exe35⤵
- Executes dropped EXE
PID:1300 -
\??\c:\rxjlxt.exec:\rxjlxt.exe36⤵
- Executes dropped EXE
PID:2368 -
\??\c:\rbjtf.exec:\rbjtf.exe37⤵
- Executes dropped EXE
PID:1644 -
\??\c:\vrldx.exec:\vrldx.exe38⤵
- Executes dropped EXE
PID:1648 -
\??\c:\vdnhdjn.exec:\vdnhdjn.exe39⤵
- Executes dropped EXE
PID:2136 -
\??\c:\vrfdvpl.exec:\vrfdvpl.exe40⤵
- Executes dropped EXE
PID:2876 -
\??\c:\jxrhbh.exec:\jxrhbh.exe41⤵
- Executes dropped EXE
PID:2592 -
\??\c:\vjxlj.exec:\vjxlj.exe42⤵
- Executes dropped EXE
PID:2672 -
\??\c:\rfvfnrx.exec:\rfvfnrx.exe43⤵
- Executes dropped EXE
PID:2644 -
\??\c:\tbrjh.exec:\tbrjh.exe44⤵
- Executes dropped EXE
PID:2764 -
\??\c:\rfntd.exec:\rfntd.exe45⤵
- Executes dropped EXE
PID:2952 -
\??\c:\httptn.exec:\httptn.exe46⤵
- Executes dropped EXE
PID:2652 -
\??\c:\rpblrn.exec:\rpblrn.exe47⤵
- Executes dropped EXE
PID:2684 -
\??\c:\fbbbttn.exec:\fbbbttn.exe48⤵
- Executes dropped EXE
PID:2960 -
\??\c:\rbbjr.exec:\rbbjr.exe49⤵
- Executes dropped EXE
PID:2924 -
\??\c:\tfdxp.exec:\tfdxp.exe50⤵
- Executes dropped EXE
PID:1280 -
\??\c:\jxfpr.exec:\jxfpr.exe51⤵
- Executes dropped EXE
PID:2124 -
\??\c:\hbhtxd.exec:\hbhtxd.exe52⤵
- Executes dropped EXE
PID:828 -
\??\c:\nplnrlt.exec:\nplnrlt.exe53⤵
- Executes dropped EXE
PID:2068 -
\??\c:\pllnx.exec:\pllnx.exe54⤵
- Executes dropped EXE
PID:1116 -
\??\c:\dptjtl.exec:\dptjtl.exe55⤵
- Executes dropped EXE
PID:2204 -
\??\c:\bbdhhft.exec:\bbdhhft.exe56⤵
- Executes dropped EXE
PID:3004 -
\??\c:\dtlft.exec:\dtlft.exe57⤵
- Executes dropped EXE
PID:1308 -
\??\c:\rrxptph.exec:\rrxptph.exe58⤵
- Executes dropped EXE
PID:3024 -
\??\c:\bfbtr.exec:\bfbtr.exe59⤵
- Executes dropped EXE
PID:600 -
\??\c:\jvdddj.exec:\jvdddj.exe60⤵
- Executes dropped EXE
PID:1200 -
\??\c:\ppnpxv.exec:\ppnpxv.exe61⤵
- Executes dropped EXE
PID:1148 -
\??\c:\phjlhr.exec:\phjlhr.exe62⤵
- Executes dropped EXE
PID:644 -
\??\c:\ntddhd.exec:\ntddhd.exe63⤵
- Executes dropped EXE
PID:1548 -
\??\c:\hbxxhh.exec:\hbxxhh.exe64⤵
- Executes dropped EXE
PID:628 -
\??\c:\tjtlvnt.exec:\tjtlvnt.exe65⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3060 -
\??\c:\nxxljl.exec:\nxxljl.exe66⤵PID:1792
-
\??\c:\tnlnppb.exec:\tnlnppb.exe67⤵PID:564
-
\??\c:\lbpfh.exec:\lbpfh.exe68⤵PID:2096
-
\??\c:\jtjffpx.exec:\jtjffpx.exe69⤵PID:2320
-
\??\c:\vpnpl.exec:\vpnpl.exe70⤵PID:2180
-
\??\c:\fnrxfp.exec:\fnrxfp.exe71⤵PID:556
-
\??\c:\hvllt.exec:\hvllt.exe72⤵PID:1408
-
\??\c:\prbtbx.exec:\prbtbx.exe73⤵PID:2056
-
\??\c:\brbhphr.exec:\brbhphr.exe74⤵PID:1888
-
\??\c:\bntrlbx.exec:\bntrlbx.exe75⤵PID:2740
-
\??\c:\vvvnxdv.exec:\vvvnxdv.exe76⤵PID:1820
-
\??\c:\xjjnxt.exec:\xjjnxt.exe77⤵PID:2804
-
\??\c:\fnprl.exec:\fnprl.exe78⤵PID:2860
-
\??\c:\tnjvj.exec:\tnjvj.exe79⤵PID:2436
-
\??\c:\fhtvpxr.exec:\fhtvpxr.exe80⤵PID:576
-
\??\c:\pjrxb.exec:\pjrxb.exe81⤵PID:2588
-
\??\c:\dhxxn.exec:\dhxxn.exe82⤵PID:2288
-
\??\c:\jpxff.exec:\jpxff.exe83⤵PID:2636
-
\??\c:\lvhfdj.exec:\lvhfdj.exe84⤵PID:2608
-
\??\c:\lrbrn.exec:\lrbrn.exe85⤵PID:2248
-
\??\c:\xtljr.exec:\xtljr.exe86⤵PID:2572
-
\??\c:\dxnnpt.exec:\dxnnpt.exe87⤵PID:2840
-
\??\c:\xnjfjxf.exec:\xnjfjxf.exe88⤵PID:2948
-
\??\c:\lvvxljf.exec:\lvvxljf.exe89⤵PID:792
-
\??\c:\vxjdnbb.exec:\vxjdnbb.exe90⤵PID:832
-
\??\c:\hxjdjpl.exec:\hxjdjpl.exe91⤵PID:2452
-
\??\c:\hvnpbl.exec:\hvnpbl.exe92⤵PID:1908
-
\??\c:\rtvnr.exec:\rtvnr.exe93⤵PID:1652
-
\??\c:\bfnntj.exec:\bfnntj.exe94⤵PID:2200
-
\??\c:\fprrl.exec:\fprrl.exe95⤵PID:2292
-
\??\c:\rvtjhr.exec:\rvtjhr.exe96⤵PID:1248
-
\??\c:\bbjprjj.exec:\bbjprjj.exe97⤵PID:936
-
\??\c:\hpptrdr.exec:\hpptrdr.exe98⤵PID:1180
-
\??\c:\rjlfdfb.exec:\rjlfdfb.exe99⤵PID:1168
-
\??\c:\vbbhr.exec:\vbbhr.exe100⤵
- System Location Discovery: System Language Discovery
PID:680 -
\??\c:\fljnb.exec:\fljnb.exe101⤵PID:872
-
\??\c:\pfrhn.exec:\pfrhn.exe102⤵PID:988
-
\??\c:\hhhfb.exec:\hhhfb.exe103⤵PID:1548
-
\??\c:\fjpdnbb.exec:\fjpdnbb.exe104⤵PID:1532
-
\??\c:\jjtxxx.exec:\jjtxxx.exe105⤵
- System Location Discovery: System Language Discovery
PID:836 -
\??\c:\rprplt.exec:\rprplt.exe106⤵PID:2328
-
\??\c:\btnjht.exec:\btnjht.exe107⤵PID:564
-
\??\c:\hjvlf.exec:\hjvlf.exe108⤵PID:1464
-
\??\c:\fntfdx.exec:\fntfdx.exe109⤵PID:2316
-
\??\c:\tdlvt.exec:\tdlvt.exe110⤵PID:876
-
\??\c:\bnhjlt.exec:\bnhjlt.exe111⤵PID:1560
-
\??\c:\jbxfh.exec:\jbxfh.exe112⤵PID:2296
-
\??\c:\ldlxdd.exec:\ldlxdd.exe113⤵PID:856
-
\??\c:\hrjjf.exec:\hrjjf.exe114⤵PID:2324
-
\??\c:\nntnpt.exec:\nntnpt.exe115⤵PID:2300
-
\??\c:\xjrrx.exec:\xjrrx.exe116⤵PID:2744
-
\??\c:\lvrlr.exec:\lvrlr.exe117⤵PID:2720
-
\??\c:\hrrjfrx.exec:\hrrjfrx.exe118⤵PID:2712
-
\??\c:\vdldbpj.exec:\vdldbpj.exe119⤵PID:2436
-
\??\c:\xljlxln.exec:\xljlxln.exe120⤵PID:2648
-
\??\c:\fvthvhd.exec:\fvthvhd.exe121⤵PID:2588
-
\??\c:\hfldtj.exec:\hfldtj.exe122⤵PID:2672