Analysis
-
max time kernel
151s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64 arch:x86 image:win7-20241010-en locale:en-us os:windows7-x64 system -
submitted
17/10/2024, 14:00
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
fe487cd825fe6d56a0ef72f202dc44412256761583b241f2b91f474b42d8078bN.exe
Resource
win7-20241010-en
6 signatures
150 seconds
General
-
Target
fe487cd825fe6d56a0ef72f202dc44412256761583b241f2b91f474b42d8078bN.exe
-
Size
67KB
-
MD5
08cae242750fa005584264f241312370
-
SHA1
5f10bdd9878ebfd9b0f35ba972f2105d1677b79b
-
SHA256
fe487cd825fe6d56a0ef72f202dc44412256761583b241f2b91f474b42d8078b
-
SHA512
4b9508a0497deaab496bc5a6a8d9784c9142165653c6cbce9d9656772d2d66f0dc68452f2810a2ef1c5b07be81f9aa53cd713aad8fa33dfb1a640cb2af891e34
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDI9L27Bqf7:ymb3NkkiQ3mdBjFI9cqf7
Malware Config
Signatures
-
Detect Blackmoon payload 22 IoCs
Executes dropped EXE 64 IoCs
yara_rule upx matched on behavioral1 memory dumps -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language -
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\fe487cd825fe6d56a0ef72f202dc44412256761583b241f2b91f474b42d8078bN.exe"C:\Users\Admin\AppData\Local\Temp\fe487cd825fe6d56a0ef72f202dc44412256761583b241f2b91f474b42d8078bN.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2052 -
\??\c:\ptxdd.exec:\ptxdd.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2544 -
\??\c:\plbbjv.exec:\plbbjv.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2560 -
\??\c:\trdbj.exec:\trdbj.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1080 -
\??\c:\thplhd.exec:\thplhd.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2788 -
\??\c:\thrpv.exec:\thrpv.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2784 -
\??\c:\fjprpfj.exec:\fjprpfj.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2468 -
\??\c:\ltxvvxj.exec:\ltxvvxj.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2264 -
\??\c:\drvtljh.exec:\drvtljh.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2684 -
\??\c:\ddrvxdf.exec:\ddrvxdf.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2396 -
\??\c:\fdljbt.exec:\fdljbt.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:672 -
\??\c:\pvtlvl.exec:\pvtlvl.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2964 -
\??\c:\vpfdtv.exec:\vpfdtv.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1100 -
\??\c:\lbftfv.exec:\lbftfv.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2976 -
\??\c:\xbhxn.exec:\xbhxn.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2808 -
\??\c:\nxhth.exec:\nxhth.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1652 -
\??\c:\jfnjt.exec:\jfnjt.exe17⤵
- Executes dropped EXE
PID:1756 -
\??\c:\xfdtxb.exec:\xfdtxb.exe18⤵
- Executes dropped EXE
PID:2984 -
\??\c:\hfplv.exec:\hfplv.exe19⤵
- Executes dropped EXE
PID:2144 -
\??\c:\vjfjp.exec:\vjfjp.exe20⤵
- Executes dropped EXE
PID:2248 -
\??\c:\rlhdnrv.exec:\rlhdnrv.exe21⤵
- Executes dropped EXE
PID:1828 -
\??\c:\pjvdj.exec:\pjvdj.exe22⤵
- Executes dropped EXE
PID:2072 -
\??\c:\fxxhhl.exec:\fxxhhl.exe23⤵
- Executes dropped EXE
PID:1644 -
\??\c:\dftflr.exec:\dftflr.exe24⤵
- Executes dropped EXE
PID:972 -
\??\c:\pptbf.exec:\pptbf.exe25⤵
- Executes dropped EXE
PID:2460 -
\??\c:\rntvbr.exec:\rntvbr.exe26⤵
- Executes dropped EXE
PID:880 -
\??\c:\ddnpt.exec:\ddnpt.exe27⤵
- Executes dropped EXE
PID:1328 -
\??\c:\nllvdl.exec:\nllvdl.exe28⤵
- Executes dropped EXE
PID:3068 -
\??\c:\hlvfp.exec:\hlvfp.exe29⤵
- Executes dropped EXE
PID:2716 -
\??\c:\ndbxv.exec:\ndbxv.exe30⤵
- Executes dropped EXE
PID:2488 -
\??\c:\vdtndfh.exec:\vdtndfh.exe31⤵
- Executes dropped EXE
PID:2364 -
\??\c:\xjxtrh.exec:\xjxtrh.exe32⤵
- Executes dropped EXE
PID:2356 -
\??\c:\bxrhxf.exec:\bxrhxf.exe33⤵
- Executes dropped EXE
PID:2104 -
\??\c:\txvfvvl.exec:\txvfvvl.exe34⤵
- Executes dropped EXE
PID:2932 -
\??\c:\hfnlf.exec:\hfnlf.exe35⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2760 -
\??\c:\bljrp.exec:\bljrp.exe36⤵
- Executes dropped EXE
PID:2852 -
\??\c:\bfbjbx.exec:\bfbjbx.exe37⤵
- Executes dropped EXE
PID:1600 -
\??\c:\trtnj.exec:\trtnj.exe38⤵
- Executes dropped EXE
PID:2860 -
\??\c:\nnhrx.exec:\nnhrx.exe39⤵
- Executes dropped EXE
PID:2908 -
\??\c:\lbpjp.exec:\lbpjp.exe40⤵
- Executes dropped EXE
PID:2900 -
\??\c:\hnnljf.exec:\hnnljf.exe41⤵
- Executes dropped EXE
PID:3024 -
\??\c:\rplltl.exec:\rplltl.exe42⤵
- Executes dropped EXE
PID:2688 -
\??\c:\tdrjfvd.exec:\tdrjfvd.exe43⤵
- Executes dropped EXE
PID:2124 -
\??\c:\bhfbpnb.exec:\bhfbpnb.exe44⤵
- Executes dropped EXE
PID:2372 -
\??\c:\jfnnhl.exec:\jfnnhl.exe45⤵
- Executes dropped EXE
PID:692 -
\??\c:\ffxtbdb.exec:\ffxtbdb.exe46⤵
- Executes dropped EXE
PID:2952 -
\??\c:\fldpd.exec:\fldpd.exe47⤵
- Executes dropped EXE
PID:1908 -
\??\c:\xpxtbhp.exec:\xpxtbhp.exe48⤵
- Executes dropped EXE
PID:2300 -
\??\c:\xjbjxbx.exec:\xjbjxbx.exe49⤵
- Executes dropped EXE
PID:2924 -
\??\c:\hfhjdf.exec:\hfhjdf.exe50⤵
- Executes dropped EXE
PID:2096 -
\??\c:\txrjjf.exec:\txrjjf.exe51⤵
- Executes dropped EXE
PID:1296 -
\??\c:\dhfrrrj.exec:\dhfrrrj.exe52⤵
- Executes dropped EXE
PID:1176 -
\??\c:\hjrprdl.exec:\hjrprdl.exe53⤵
- Executes dropped EXE
PID:1652 -
\??\c:\dfjrvn.exec:\dfjrvn.exe54⤵
- Executes dropped EXE
PID:2184 -
\??\c:\hpdlbb.exec:\hpdlbb.exe55⤵
- Executes dropped EXE
PID:1240 -
\??\c:\rpdtxxn.exec:\rpdtxxn.exe56⤵
- Executes dropped EXE
PID:2388 -
\??\c:\vljdnl.exec:\vljdnl.exe57⤵
- Executes dropped EXE
PID:1252 -
\??\c:\dvvpx.exec:\dvvpx.exe58⤵
- Executes dropped EXE
PID:2504 -
\??\c:\fljvp.exec:\fljvp.exe59⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1064 -
\??\c:\nhvvl.exec:\nhvvl.exe60⤵
- Executes dropped EXE
PID:2152 -
\??\c:\npjjbv.exec:\npjjbv.exe61⤵
- Executes dropped EXE
PID:960 -
\??\c:\bjrtjxt.exec:\bjrtjxt.exe62⤵
- Executes dropped EXE
PID:2944 -
\??\c:\htbrx.exec:\htbrx.exe63⤵
- Executes dropped EXE
PID:1704 -
\??\c:\rbrvbbf.exec:\rbrvbbf.exe64⤵
- Executes dropped EXE
PID:1460 -
\??\c:\xpfrtjn.exec:\xpfrtjn.exe65⤵
- Executes dropped EXE
PID:1468 -
\??\c:\bntdh.exec:\bntdh.exe66⤵PID:1968
-
\??\c:\bpjvr.exec:\bpjvr.exe67⤵PID:1444
-
\??\c:\ljbpnr.exec:\ljbpnr.exe68⤵PID:264
-
\??\c:\nnfdjt.exec:\nnfdjt.exe69⤵PID:376
-
\??\c:\pjdfbh.exec:\pjdfbh.exe70⤵PID:1988
-
\??\c:\jfntt.exec:\jfntt.exe71⤵PID:2052
-
\??\c:\jtbxfb.exec:\jtbxfb.exe72⤵PID:1700
-
\??\c:\vvpvdn.exec:\vvpvdn.exe73⤵PID:596
-
\??\c:\dpxnfxv.exec:\dpxnfxv.exe74⤵PID:2560
-
\??\c:\phrfxxb.exec:\phrfxxb.exe75⤵PID:2500
-
\??\c:\ppjhbnp.exec:\ppjhbnp.exe76⤵PID:1568
-
\??\c:\rdvtx.exec:\rdvtx.exe77⤵PID:2844
-
\??\c:\lrblndv.exec:\lrblndv.exe78⤵PID:2228
-
\??\c:\txfbdht.exec:\txfbdht.exe79⤵PID:2928
-
\??\c:\bblpvd.exec:\bblpvd.exe80⤵PID:2828
-
\??\c:\dtlxll.exec:\dtlxll.exe81⤵PID:2868
-
\??\c:\tfnhrf.exec:\tfnhrf.exe82⤵PID:2704
-
\??\c:\rhlxpb.exec:\rhlxpb.exe83⤵
- System Location Discovery: System Language Discovery
PID:1144 -
\??\c:\trhphhn.exec:\trhphhn.exe84⤵PID:2472
-
\??\c:\nftxhd.exec:\nftxhd.exe85⤵PID:1300
-
\??\c:\bbbffx.exec:\bbbffx.exe86⤵PID:692
-
\??\c:\dxvlbjd.exec:\dxvlbjd.exe87⤵PID:752
-
\??\c:\nxthb.exec:\nxthb.exe88⤵PID:2968
-
\??\c:\ntfrjxl.exec:\ntfrjxl.exe89⤵PID:536
-
\??\c:\vldxt.exec:\vldxt.exe90⤵PID:2976
-
\??\c:\bxtlf.exec:\bxtlf.exe91⤵PID:1884
-
\??\c:\fxrxl.exec:\fxrxl.exe92⤵PID:1900
-
\??\c:\lxfvr.exec:\lxfvr.exe93⤵PID:3008
-
\??\c:\xvldjpd.exec:\xvldjpd.exe94⤵PID:2244
-
\??\c:\tjhnl.exec:\tjhnl.exe95⤵PID:2080
-
\??\c:\nlrpfjv.exec:\nlrpfjv.exe96⤵PID:2728
-
\??\c:\dntlt.exec:\dntlt.exe97⤵PID:2248
-
\??\c:\rdbxjt.exec:\rdbxjt.exe98⤵PID:1736
-
\??\c:\dtrlnfn.exec:\dtrlnfn.exe99⤵PID:1064
-
\??\c:\tpxrxjn.exec:\tpxrxjn.exe100⤵PID:916
-
\??\c:\fdhrl.exec:\fdhrl.exe101⤵PID:1620
-
\??\c:\jpnln.exec:\jpnln.exe102⤵PID:2948
-
\??\c:\djhjxd.exec:\djhjxd.exe103⤵PID:900
-
\??\c:\jlnjp.exec:\jlnjp.exe104⤵PID:1536
-
\??\c:\lpbvrdx.exec:\lpbvrdx.exe105⤵PID:1552
-
\??\c:\jxxhjv.exec:\jxxhjv.exe106⤵PID:2420
-
\??\c:\rdbdfdx.exec:\rdbdfdx.exe107⤵PID:1952
-
\??\c:\frhvjbb.exec:\frhvjbb.exe108⤵PID:3012
-
\??\c:\nlxjx.exec:\nlxjx.exe109⤵PID:884
-
\??\c:\bjntd.exec:\bjntd.exe110⤵PID:2316
-
\??\c:\bfjbxln.exec:\bfjbxln.exe111⤵PID:1832
-
\??\c:\lxhtdpp.exec:\lxhtdpp.exe112⤵PID:2216
-
\??\c:\ntrtx.exec:\ntrtx.exe113⤵PID:596
-
\??\c:\ndbnbb.exec:\ndbnbb.exe114⤵PID:588
-
\??\c:\lddvhbt.exec:\lddvhbt.exe115⤵PID:1376
-
\??\c:\jlnbvr.exec:\jlnbvr.exe116⤵PID:2852
-
\??\c:\jrtdd.exec:\jrtdd.exe117⤵PID:1576
-
\??\c:\vjlrnfb.exec:\vjlrnfb.exe118⤵PID:2860
-
\??\c:\ttpdtn.exec:\ttpdtn.exe119⤵PID:2876
-
\??\c:\hfxnl.exec:\hfxnl.exe120⤵PID:2900
-
\??\c:\prrvxlb.exec:\prrvxlb.exe121⤵PID:2676
-
\??\c:\rlnbnr.exec:\rlnbnr.exe122⤵PID:2896
-