Analysis
-
max time kernel
120s -
max time network
18s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64 arch:x86 image:win7-20241010-en locale:en-us os:windows7-x64 system -
submitted
02/11/2024, 22:06
Static task
static1
Behavioral task
behavioral1
Sample
e71b6ab364935a10e6859d61d670da0213f72e361ffcd9ce7fca73b9b339a9a8N.exe
Resource
win7-20241010-en
General
-
Target
e71b6ab364935a10e6859d61d670da0213f72e361ffcd9ce7fca73b9b339a9a8N.exe
-
Size
119KB
-
MD5
ff9ff189eff875d53c2bc6878472fd50
-
SHA1
8d2cd948188fc8e1622fd1fbb6080821573a8d19
-
SHA256
e71b6ab364935a10e6859d61d670da0213f72e361ffcd9ce7fca73b9b339a9a8
-
SHA512
89ac4d2c81093a782c1bea0ccfc6381e97d7e25555ebcc7a989b62eabb059391009a22bed1775a9e6fb8f45c9626aaac5e774cfe05a878caa6a68af98ba320a0
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDo73oYUCD7R2F2UVbyy0zChFHOG:ymb3NkkiQ3mdBjFo73HUoMsAbrRFHH
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 24 IoCs
resource yara_rule behavioral1/memory/2484-3-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2484-10-0x0000000000401000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2828-15-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/3008-34-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2380-40-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2624-51-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2624-50-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2068-62-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/1852-73-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/1240-82-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/1240-91-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/3016-103-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2000-112-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/1700-121-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2928-148-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/1452-157-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/1572-167-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/1796-184-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/1396-202-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/1844-220-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/972-229-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon 
behavioral1/memory/1492-248-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2132-265-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/1636-292-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2828 lbdjfd.exe 3008 fvhxh.exe 2380 dddbxl.exe 2624 flflb.exe 2068 pxfxrv.exe 1852 nvnlx.exe 1240 dvtbvl.exe 3016 lfbnl.exe 2000 fdxvx.exe 1700 fprlx.exe 2708 ttdhnbv.exe 568 llrxl.exe 2928 rhbjnt.exe 1452 lpprld.exe 1572 dpfnv.exe 1744 fdnvd.exe 1796 rltvtf.exe 2348 xtnrpjf.exe 1396 bhhhtrd.exe 2496 tvflrtd.exe 1844 tdtfppt.exe 972 rrvdf.exe 2056 vdtflbn.exe 1492 vtrph.exe 1688 lnbxdfb.exe 2132 nbvdhv.exe 3040 njjxf.exe 2540 jftppt.exe 1636 btnxbjp.exe 304 dhvvp.exe 2248 tfbhl.exe 2824 pllrrv.exe 1540 dfhfp.exe 2820 fjlpx.exe 2812 lrrfvn.exe 3008 ntbvt.exe 2632 bnnjnn.exe 2652 drhvrr.exe 2888 vhrlb.exe 2604 rbnhl.exe 2600 jdnphj.exe 1988 blvdrlx.exe 3036 vdrxn.exe 2092 fjvhx.exe 2320 bdxltp.exe 2000 tdlpxr.exe 2972 phtxfh.exe 1304 hvrdt.exe 1696 jjxhjdf.exe 1308 xnlrjn.exe 1048 xjtdp.exe 876 fjjljp.exe 2108 bhlfpd.exe 1780 jjfxbrt.exe 2468 dlhjhrv.exe 2112 jrrjd.exe 2244 ltndfld.exe 1396 jtfrplh.exe 2156 xnfxvpd.exe 904 dxndvlj.exe 316 ndvxntx.exe 2460 jdrfrvx.exe 2056 lvnrx.exe 3056 ldbhtn.exe -
resource yara_rule behavioral1/memory/2484-3-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2828-15-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/3008-26-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/3008-24-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/3008-34-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2380-40-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2380-38-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2380-36-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2624-48-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2624-51-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2624-50-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2068-62-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1852-73-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1852-72-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1240-82-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1240-91-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/3016-94-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/3016-95-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/3016-103-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2000-112-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1700-121-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2928-148-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1452-157-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1572-167-0x0000000000400000-0x0000000000429000-memory.dmp upx 
behavioral1/memory/1796-184-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1396-202-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1844-220-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/972-229-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1492-248-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2132-265-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1636-292-0x0000000000400000-0x0000000000429000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rptrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppjhj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnnxdb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnvbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vlxxfhj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpnbrb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hvxtlhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdrpl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnlrrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xjpbxbd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jfnbd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vhlvh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rhlfb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rjbfpj.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jfvfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lpvfnf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nxdldpx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lbhjfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xfhhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rltvtf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpjvpx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlnbr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frtlpnr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjhhx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bltvrj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffrvr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrflpr.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bjddpvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxpfh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rbvrphl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhhpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffnrtx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dlxpjht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxpnvx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dldnlx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vrftlb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2484 wrote to memory of 2828 2484 e71b6ab364935a10e6859d61d670da0213f72e361ffcd9ce7fca73b9b339a9a8N.exe 30 PID 2484 wrote to memory of 2828 2484 e71b6ab364935a10e6859d61d670da0213f72e361ffcd9ce7fca73b9b339a9a8N.exe 30 PID 2484 wrote to memory of 2828 2484 e71b6ab364935a10e6859d61d670da0213f72e361ffcd9ce7fca73b9b339a9a8N.exe 30 PID 2484 wrote to memory of 2828 2484 e71b6ab364935a10e6859d61d670da0213f72e361ffcd9ce7fca73b9b339a9a8N.exe 30 PID 2828 wrote to memory of 3008 2828 lbdjfd.exe 31 PID 2828 wrote to memory of 3008 2828 lbdjfd.exe 31 PID 2828 wrote to memory of 3008 2828 lbdjfd.exe 31 PID 2828 wrote to memory of 3008 2828 lbdjfd.exe 31 PID 3008 wrote to memory of 2380 3008 fvhxh.exe 32 PID 3008 wrote to memory of 2380 3008 fvhxh.exe 32 PID 3008 wrote to memory of 2380 3008 fvhxh.exe 32 PID 3008 wrote to memory of 2380 3008 fvhxh.exe 32 PID 2380 wrote to memory of 2624 2380 dddbxl.exe 33 PID 2380 wrote to memory of 2624 2380 dddbxl.exe 33 PID 2380 wrote to memory of 2624 2380 dddbxl.exe 33 PID 2380 wrote to memory of 2624 2380 dddbxl.exe 33 PID 2624 wrote to memory of 2068 2624 flflb.exe 34 PID 2624 wrote to memory of 2068 2624 flflb.exe 34 PID 2624 wrote to memory of 2068 2624 flflb.exe 34 PID 2624 wrote to memory of 2068 2624 flflb.exe 34 PID 2068 wrote to memory of 1852 2068 pxfxrv.exe 35 PID 2068 wrote to memory of 1852 2068 pxfxrv.exe 35 PID 2068 wrote to memory of 1852 2068 pxfxrv.exe 35 PID 2068 wrote to memory of 1852 2068 pxfxrv.exe 35 PID 1852 wrote to memory of 1240 1852 nvnlx.exe 36 PID 1852 wrote to memory of 1240 1852 nvnlx.exe 36 PID 1852 wrote to memory of 1240 1852 nvnlx.exe 36 PID 1852 wrote to memory of 1240 1852 nvnlx.exe 36 PID 1240 wrote to memory of 3016 1240 dvtbvl.exe 37 PID 1240 wrote to memory of 3016 1240 dvtbvl.exe 37 PID 1240 wrote to memory of 3016 1240 dvtbvl.exe 37 PID 1240 wrote to memory of 3016 1240 dvtbvl.exe 37 PID 3016 wrote to memory of 2000 3016 lfbnl.exe 38 PID 3016 wrote to 
memory of 2000 3016 lfbnl.exe 38 PID 3016 wrote to memory of 2000 3016 lfbnl.exe 38 PID 3016 wrote to memory of 2000 3016 lfbnl.exe 38 PID 2000 wrote to memory of 1700 2000 fdxvx.exe 39 PID 2000 wrote to memory of 1700 2000 fdxvx.exe 39 PID 2000 wrote to memory of 1700 2000 fdxvx.exe 39 PID 2000 wrote to memory of 1700 2000 fdxvx.exe 39 PID 1700 wrote to memory of 2708 1700 fprlx.exe 40 PID 1700 wrote to memory of 2708 1700 fprlx.exe 40 PID 1700 wrote to memory of 2708 1700 fprlx.exe 40 PID 1700 wrote to memory of 2708 1700 fprlx.exe 40 PID 2708 wrote to memory of 568 2708 ttdhnbv.exe 41 PID 2708 wrote to memory of 568 2708 ttdhnbv.exe 41 PID 2708 wrote to memory of 568 2708 ttdhnbv.exe 41 PID 2708 wrote to memory of 568 2708 ttdhnbv.exe 41 PID 568 wrote to memory of 2928 568 llrxl.exe 42 PID 568 wrote to memory of 2928 568 llrxl.exe 42 PID 568 wrote to memory of 2928 568 llrxl.exe 42 PID 568 wrote to memory of 2928 568 llrxl.exe 42 PID 2928 wrote to memory of 1452 2928 rhbjnt.exe 43 PID 2928 wrote to memory of 1452 2928 rhbjnt.exe 43 PID 2928 wrote to memory of 1452 2928 rhbjnt.exe 43 PID 2928 wrote to memory of 1452 2928 rhbjnt.exe 43 PID 1452 wrote to memory of 1572 1452 lpprld.exe 44 PID 1452 wrote to memory of 1572 1452 lpprld.exe 44 PID 1452 wrote to memory of 1572 1452 lpprld.exe 44 PID 1452 wrote to memory of 1572 1452 lpprld.exe 44 PID 1572 wrote to memory of 1744 1572 dpfnv.exe 45 PID 1572 wrote to memory of 1744 1572 dpfnv.exe 45 PID 1572 wrote to memory of 1744 1572 dpfnv.exe 45 PID 1572 wrote to memory of 1744 1572 dpfnv.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\e71b6ab364935a10e6859d61d670da0213f72e361ffcd9ce7fca73b9b339a9a8N.exe"C:\Users\Admin\AppData\Local\Temp\e71b6ab364935a10e6859d61d670da0213f72e361ffcd9ce7fca73b9b339a9a8N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2484 -
\??\c:\lbdjfd.exec:\lbdjfd.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2828 -
\??\c:\fvhxh.exec:\fvhxh.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3008 -
\??\c:\dddbxl.exec:\dddbxl.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2380 -
\??\c:\flflb.exec:\flflb.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2624 -
\??\c:\pxfxrv.exec:\pxfxrv.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2068 -
\??\c:\nvnlx.exec:\nvnlx.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1852 -
\??\c:\dvtbvl.exec:\dvtbvl.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1240 -
\??\c:\lfbnl.exec:\lfbnl.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3016 -
\??\c:\fdxvx.exec:\fdxvx.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2000 -
\??\c:\fprlx.exec:\fprlx.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1700 -
\??\c:\ttdhnbv.exec:\ttdhnbv.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2708 -
\??\c:\llrxl.exec:\llrxl.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:568 -
\??\c:\rhbjnt.exec:\rhbjnt.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2928 -
\??\c:\lpprld.exec:\lpprld.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1452 -
\??\c:\dpfnv.exec:\dpfnv.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1572 -
\??\c:\fdnvd.exec:\fdnvd.exe17⤵
- Executes dropped EXE
PID:1744 -
\??\c:\rltvtf.exec:\rltvtf.exe18⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1796 -
\??\c:\xtnrpjf.exec:\xtnrpjf.exe19⤵
- Executes dropped EXE
PID:2348 -
\??\c:\bhhhtrd.exec:\bhhhtrd.exe20⤵
- Executes dropped EXE
PID:1396 -
\??\c:\tvflrtd.exec:\tvflrtd.exe21⤵
- Executes dropped EXE
PID:2496 -
\??\c:\tdtfppt.exec:\tdtfppt.exe22⤵
- Executes dropped EXE
PID:1844 -
\??\c:\rrvdf.exec:\rrvdf.exe23⤵
- Executes dropped EXE
PID:972 -
\??\c:\vdtflbn.exec:\vdtflbn.exe24⤵
- Executes dropped EXE
PID:2056 -
\??\c:\vtrph.exec:\vtrph.exe25⤵
- Executes dropped EXE
PID:1492 -
\??\c:\lnbxdfb.exec:\lnbxdfb.exe26⤵
- Executes dropped EXE
PID:1688 -
\??\c:\nbvdhv.exec:\nbvdhv.exe27⤵
- Executes dropped EXE
PID:2132 -
\??\c:\njjxf.exec:\njjxf.exe28⤵
- Executes dropped EXE
PID:3040 -
\??\c:\jftppt.exec:\jftppt.exe29⤵
- Executes dropped EXE
PID:2540 -
\??\c:\btnxbjp.exec:\btnxbjp.exe30⤵
- Executes dropped EXE
PID:1636 -
\??\c:\dhvvp.exec:\dhvvp.exe31⤵
- Executes dropped EXE
PID:304 -
\??\c:\tfbhl.exec:\tfbhl.exe32⤵
- Executes dropped EXE
PID:2248 -
\??\c:\pllrrv.exec:\pllrrv.exe33⤵
- Executes dropped EXE
PID:2824 -
\??\c:\dfhfp.exec:\dfhfp.exe34⤵
- Executes dropped EXE
PID:1540 -
\??\c:\fjlpx.exec:\fjlpx.exe35⤵
- Executes dropped EXE
PID:2820 -
\??\c:\lrrfvn.exec:\lrrfvn.exe36⤵
- Executes dropped EXE
PID:2812 -
\??\c:\ntbvt.exec:\ntbvt.exe37⤵
- Executes dropped EXE
PID:3008 -
\??\c:\bnnjnn.exec:\bnnjnn.exe38⤵
- Executes dropped EXE
PID:2632 -
\??\c:\drhvrr.exec:\drhvrr.exe39⤵
- Executes dropped EXE
PID:2652 -
\??\c:\vhrlb.exec:\vhrlb.exe40⤵
- Executes dropped EXE
PID:2888 -
\??\c:\rbnhl.exec:\rbnhl.exe41⤵
- Executes dropped EXE
PID:2604 -
\??\c:\jdnphj.exec:\jdnphj.exe42⤵
- Executes dropped EXE
PID:2600 -
\??\c:\blvdrlx.exec:\blvdrlx.exe43⤵
- Executes dropped EXE
PID:1988 -
\??\c:\vdrxn.exec:\vdrxn.exe44⤵
- Executes dropped EXE
PID:3036 -
\??\c:\fjvhx.exec:\fjvhx.exe45⤵
- Executes dropped EXE
PID:2092 -
\??\c:\bdxltp.exec:\bdxltp.exe46⤵
- Executes dropped EXE
PID:2320 -
\??\c:\tdlpxr.exec:\tdlpxr.exe47⤵
- Executes dropped EXE
PID:2000 -
\??\c:\phtxfh.exec:\phtxfh.exe48⤵
- Executes dropped EXE
PID:2972 -
\??\c:\hvrdt.exec:\hvrdt.exe49⤵
- Executes dropped EXE
PID:1304 -
\??\c:\jjxhjdf.exec:\jjxhjdf.exe50⤵
- Executes dropped EXE
PID:1696 -
\??\c:\xnlrjn.exec:\xnlrjn.exe51⤵
- Executes dropped EXE
PID:1308 -
\??\c:\xjtdp.exec:\xjtdp.exe52⤵
- Executes dropped EXE
PID:1048 -
\??\c:\fjjljp.exec:\fjjljp.exe53⤵
- Executes dropped EXE
PID:876 -
\??\c:\bhlfpd.exec:\bhlfpd.exe54⤵
- Executes dropped EXE
PID:2108 -
\??\c:\jjfxbrt.exec:\jjfxbrt.exe55⤵
- Executes dropped EXE
PID:1780 -
\??\c:\dlhjhrv.exec:\dlhjhrv.exe56⤵
- Executes dropped EXE
PID:2468 -
\??\c:\jrrjd.exec:\jrrjd.exe57⤵
- Executes dropped EXE
PID:2112 -
\??\c:\ltndfld.exec:\ltndfld.exe58⤵
- Executes dropped EXE
PID:2244 -
\??\c:\jtfrplh.exec:\jtfrplh.exe59⤵
- Executes dropped EXE
PID:1396 -
\??\c:\xnfxvpd.exec:\xnfxvpd.exe60⤵
- Executes dropped EXE
PID:2156 -
\??\c:\dxndvlj.exec:\dxndvlj.exe61⤵
- Executes dropped EXE
PID:904 -
\??\c:\ndvxntx.exec:\ndvxntx.exe62⤵
- Executes dropped EXE
PID:316 -
\??\c:\jdrfrvx.exec:\jdrfrvx.exe63⤵
- Executes dropped EXE
PID:2460 -
\??\c:\lvnrx.exec:\lvnrx.exe64⤵
- Executes dropped EXE
PID:2056 -
\??\c:\ldbhtn.exec:\ldbhtn.exe65⤵
- Executes dropped EXE
PID:3056 -
\??\c:\lrpnlh.exec:\lrpnlh.exe66⤵PID:360
-
\??\c:\bldpbhf.exec:\bldpbhf.exe67⤵PID:1276
-
\??\c:\lbnxd.exec:\lbnxd.exe68⤵PID:1496
-
\??\c:\frpvlbp.exec:\frpvlbp.exe69⤵PID:1976
-
\??\c:\ttpxh.exec:\ttpxh.exe70⤵PID:1560
-
\??\c:\xrnxxvb.exec:\xrnxxvb.exe71⤵PID:1592
-
\??\c:\xdjdp.exec:\xdjdp.exe72⤵PID:2280
-
\??\c:\hjftlnn.exec:\hjftlnn.exe73⤵PID:2292
-
\??\c:\lvlpvv.exec:\lvlpvv.exe74⤵PID:3020
-
\??\c:\dhrfdpf.exec:\dhrfdpf.exe75⤵PID:2764
-
\??\c:\nbfxhp.exec:\nbfxhp.exe76⤵PID:2884
-
\??\c:\ldvrxhf.exec:\ldvrxhf.exe77⤵PID:2820
-
\??\c:\xnnhdhv.exec:\xnnhdhv.exe78⤵PID:2960
-
\??\c:\lvfjxr.exec:\lvfjxr.exe79⤵PID:3008
-
\??\c:\hhfvfr.exec:\hhfvfr.exe80⤵PID:2616
-
\??\c:\rplpff.exec:\rplpff.exe81⤵PID:2652
-
\??\c:\bpjvj.exec:\bpjvj.exe82⤵PID:932
-
\??\c:\rhppj.exec:\rhppj.exe83⤵PID:2604
-
\??\c:\lfvnn.exec:\lfvnn.exe84⤵PID:2600
-
\??\c:\fdjrprb.exec:\fdjrprb.exe85⤵PID:1988
-
\??\c:\jnxfbl.exec:\jnxfbl.exe86⤵PID:2148
-
\??\c:\trbflft.exec:\trbflft.exe87⤵PID:2092
-
\??\c:\hvdlv.exec:\hvdlv.exe88⤵PID:2320
-
\??\c:\vhlvh.exec:\vhlvh.exe89⤵
- System Location Discovery: System Language Discovery
PID:2000 -
\??\c:\frtlpnr.exec:\frtlpnr.exe90⤵
- System Location Discovery: System Language Discovery
PID:664 -
\??\c:\lvvfbnt.exec:\lvvfbnt.exe91⤵PID:1304
-
\??\c:\rrjrrrr.exec:\rrjrrrr.exe92⤵PID:852
-
\??\c:\dphbx.exec:\dphbx.exe93⤵PID:1308
-
\??\c:\rbbpf.exec:\rbbpf.exe94⤵PID:1600
-
\??\c:\hdnnxfh.exec:\hdnnxfh.exe95⤵PID:876
-
\??\c:\hvrvb.exec:\hvrvb.exe96⤵PID:2108
-
\??\c:\xvtrjp.exec:\xvtrjp.exe97⤵PID:1780
-
\??\c:\jnhjb.exec:\jnhjb.exe98⤵PID:2260
-
\??\c:\nfjbhfb.exec:\nfjbhfb.exe99⤵PID:2112
-
\??\c:\xljpnbt.exec:\xljpnbt.exe100⤵PID:820
-
\??\c:\xjhbt.exec:\xjhbt.exe101⤵PID:1396
-
\??\c:\rfjpt.exec:\rfjpt.exe102⤵PID:2156
-
\??\c:\bvbpx.exec:\bvbpx.exe103⤵PID:904
-
\??\c:\djxjlnx.exec:\djxjlnx.exe104⤵PID:1952
-
\??\c:\dfxxtdr.exec:\dfxxtdr.exe105⤵PID:2460
-
\??\c:\bxhldrt.exec:\bxhldrt.exe106⤵PID:2056
-
\??\c:\hvnth.exec:\hvnth.exe107⤵PID:3056
-
\??\c:\xxjtd.exec:\xxjtd.exe108⤵PID:2052
-
\??\c:\vlfjb.exec:\vlfjb.exe109⤵PID:1276
-
\??\c:\jxprxht.exec:\jxprxht.exe110⤵PID:1496
-
\??\c:\rjbxvb.exec:\rjbxvb.exe111⤵PID:1976
-
\??\c:\nbplrfn.exec:\nbplrfn.exe112⤵PID:1040
-
\??\c:\dffnpbv.exec:\dffnpbv.exe113⤵PID:1592
-
\??\c:\fpvph.exec:\fpvph.exe114⤵PID:2252
-
\??\c:\tjfdf.exec:\tjfdf.exe115⤵PID:2292
-
\??\c:\vvvfrf.exec:\vvvfrf.exe116⤵PID:3020
-
\??\c:\vpvdr.exec:\vpvdr.exe117⤵PID:2764
-
\??\c:\lxhft.exec:\lxhft.exe118⤵PID:1504
-
\??\c:\jdtpb.exec:\jdtpb.exe119⤵PID:2820
-
\??\c:\tjhpjl.exec:\tjhpjl.exe120⤵PID:2636
-
\??\c:\btntj.exec:\btntj.exe121⤵PID:3008
-
\??\c:\vvjxjxr.exec:\vvjxjxr.exe122⤵PID:2616
-