Analysis
max time kernel: 12s
max time network: 19s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 01-11-2024 09:30
Static task: static1
Behavioral task: behavioral1
Sample: 665e2c1ba6da46930f6751a2c984dac5a83082e54efe5bd9f24fae53d082da48N.exe
Resource: win7-20241010-en

General
Target: 665e2c1ba6da46930f6751a2c984dac5a83082e54efe5bd9f24fae53d082da48N.exe
Size: 75KB
MD5: b7f69c53be6094db14af1ff834a1ae70
SHA1: e1ca6b42d31e6cbba701b12cc48ba599ce86246c
SHA256: 665e2c1ba6da46930f6751a2c984dac5a83082e54efe5bd9f24fae53d082da48
SHA512: f2287ca08dcc70f7396a5665b09bd1a0ac78e5608a01d1ceb0ff349c4386e7f5f17f5b78ca534321041bf9016092f0283192a67054541658e0c61b70ea17aade
SSDEEP: 1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDIvuzk358nLA89OGvrFVHmPi:ymb3NkkiQ3mdBjFIvl358nLA89OMFVHD
Malware Config
Signatures

Blackmoon family

Detect Blackmoon payload (21 IoCs)
resource | yara_rule
behavioral1/memory/1272-15-0x0000000000400000-0x0000000000429000-memory.dmp | family_blackmoon
behavioral1/memory/2896-48-0x0000000000400000-0x0000000000429000-memory.dmp | family_blackmoon
behavioral1/memory/2964-61-0x0000000000400000-0x0000000000429000-memory.dmp | family_blackmoon
behavioral1/memory/2800-75-0x0000000000400000-0x0000000000429000-memory.dmp | family_blackmoon
behavioral1/memory/2744-104-0x0000000000400000-0x0000000000429000-memory.dmp | family_blackmoon
behavioral1/memory/1016-176-0x0000000000400000-0x0000000000429000-memory.dmp | family_blackmoon
behavioral1/memory/1804-239-0x0000000000400000-0x0000000000429000-memory.dmp | family_blackmoon
behavioral1/memory/704-284-0x0000000000400000-0x0000000000429000-memory.dmp | family_blackmoon
behavioral1/memory/2396-301-0x0000000000400000-0x0000000000429000-memory.dmp | family_blackmoon
behavioral1/memory/1764-274-0x0000000000400000-0x0000000000429000-memory.dmp | family_blackmoon
behavioral1/memory/1208-248-0x0000000000400000-0x0000000000429000-memory.dmp | family_blackmoon
behavioral1/memory/2128-230-0x0000000000400000-0x0000000000429000-memory.dmp | family_blackmoon
behavioral1/memory/2068-220-0x0000000000400000-0x0000000000429000-memory.dmp | family_blackmoon
behavioral1/memory/2380-185-0x0000000000400000-0x0000000000429000-memory.dmp | family_blackmoon
behavioral1/memory/1948-131-0x0000000000400000-0x0000000000429000-memory.dmp | family_blackmoon
behavioral1/memory/1856-122-0x0000000000400000-0x0000000000429000-memory.dmp | family_blackmoon
behavioral1/memory/1044-113-0x0000000000400000-0x0000000000429000-memory.dmp | family_blackmoon
behavioral1/memory/2540-85-0x0000000000400000-0x0000000000429000-memory.dmp | family_blackmoon
behavioral1/memory/2884-64-0x0000000000400000-0x0000000000429000-memory.dmp | family_blackmoon
behavioral1/memory/2928-35-0x0000000000400000-0x0000000000429000-memory.dmp | family_blackmoon
behavioral1/memory/2528-4-0x0000000000400000-0x0000000000429000-memory.dmp | family_blackmoon
Executes dropped EXE (64 IoCs)
pid | Process
1272 | lfjtr.exe
2928 | vrtfjx.exe
2896 | bvfrxbl.exe
2964 | brfld.exe
2884 | dhxxp.exe
2800 | xjtdjfn.exe
2540 | tpbln.exe
2744 | rnddt.exe
1044 | hftbf.exe
1856 | pdhbrj.exe
1948 | dxdfvth.exe
1828 | ldbjntd.exe
3004 | jflfnt.exe
2480 | trlthvr.exe
2448 | rbtpjvp.exe
1016 | vnfhbbf.exe
2380 | thrhx.exe
2412 | ltpddj.exe
1204 | xxhfd.exe
2232 | vlhntbn.exe
2068 | tfxhdl.exe
2128 | frddvhr.exe
1804 | rlnvlfn.exe
1208 | ptfvrf.exe
1492 | fxjnjvj.exe
2296 | xddhlxd.exe
1764 | xphnhln.exe
704 | nddrdfp.exe
2612 | vtphvt.exe
2396 | bbtjpx.exe
1708 | dvrxv.exe
2904 | xlrvvh.exe
3060 | dvljjx.exe
2992 | fflff.exe
2780 | ttdtr.exe
2288 | ftjpt.exe
2508 | vjpjbx.exe
2540 | xnfhn.exe
2740 | lrxdx.exe
2940 | jtnndjb.exe
2424 | xtrdl.exe
1836 | dddbbtn.exe
1948 | hrhpp.exe
1828 | fxnfvt.exe
1412 | rdbddlr.exe
2336 | rtxvnvr.exe
1800 | xtddb.exe
548 | bnxtl.exe
2420 | njxlthv.exe
2152 | bvjpr.exe
1872 | dlhhl.exe
2312 | dhtnld.exe
2196 | dtnfjvt.exe
892 | tjljv.exe
2692 | hpjdblr.exe
2016 | jrthpbn.exe
1384 | brftjdt.exe
2228 | xddtj.exe
1868 | fdjbtrb.exe
2296 | hppljbj.exe
2580 | nnbtvbj.exe
1764 | jjttpdj.exe
1752 | rdlpxr.exe
2620 | hnvtdj.exe
resource | yara_rule
behavioral1/memory/1272-15-0x0000000000400000-0x0000000000429000-memory.dmp | upx
behavioral1/memory/2896-39-0x0000000000400000-0x0000000000429000-memory.dmp | upx
behavioral1/memory/2896-48-0x0000000000400000-0x0000000000429000-memory.dmp | upx
behavioral1/memory/2964-61-0x0000000000400000-0x0000000000429000-memory.dmp | upx
behavioral1/memory/2800-75-0x0000000000400000-0x0000000000429000-memory.dmp | upx
behavioral1/memory/2744-95-0x0000000000400000-0x0000000000429000-memory.dmp | upx
behavioral1/memory/2744-104-0x0000000000400000-0x0000000000429000-memory.dmp | upx
behavioral1/memory/1016-176-0x0000000000400000-0x0000000000429000-memory.dmp | upx
behavioral1/memory/1804-239-0x0000000000400000-0x0000000000429000-memory.dmp | upx
behavioral1/memory/704-284-0x0000000000400000-0x0000000000429000-memory.dmp | upx
behavioral1/memory/2396-301-0x0000000000400000-0x0000000000429000-memory.dmp | upx
behavioral1/memory/1764-274-0x0000000000400000-0x0000000000429000-memory.dmp | upx
behavioral1/memory/1208-248-0x0000000000400000-0x0000000000429000-memory.dmp | upx
behavioral1/memory/2128-230-0x0000000000400000-0x0000000000429000-memory.dmp | upx
behavioral1/memory/2068-220-0x0000000000400000-0x0000000000429000-memory.dmp | upx
behavioral1/memory/2380-185-0x0000000000400000-0x0000000000429000-memory.dmp | upx
behavioral1/memory/1948-131-0x0000000000400000-0x0000000000429000-memory.dmp | upx
behavioral1/memory/1856-122-0x0000000000400000-0x0000000000429000-memory.dmp | upx
behavioral1/memory/1044-113-0x0000000000400000-0x0000000000429000-memory.dmp | upx
behavioral1/memory/2744-94-0x0000000000400000-0x0000000000429000-memory.dmp | upx
behavioral1/memory/2540-85-0x0000000000400000-0x0000000000429000-memory.dmp | upx
behavioral1/memory/2540-84-0x0000000000400000-0x0000000000429000-memory.dmp | upx
behavioral1/memory/2884-64-0x0000000000400000-0x0000000000429000-memory.dmp | upx
behavioral1/memory/2964-51-0x0000000000400000-0x0000000000429000-memory.dmp | upx
behavioral1/memory/2964-53-0x0000000000400000-0x0000000000429000-memory.dmp | upx
behavioral1/memory/2896-38-0x0000000000400000-0x0000000000429000-memory.dmp | upx
behavioral1/memory/2896-37-0x0000000000400000-0x0000000000429000-memory.dmp | upx
behavioral1/memory/2928-35-0x0000000000400000-0x0000000000429000-memory.dmp | upx
behavioral1/memory/2928-26-0x0000000000400000-0x0000000000429000-memory.dmp | upx
behavioral1/memory/2928-25-0x0000000000400000-0x0000000000429000-memory.dmp | upx
behavioral1/memory/1272-14-0x0000000000400000-0x0000000000429000-memory.dmp | upx
behavioral1/memory/1272-12-0x0000000000400000-0x0000000000429000-memory.dmp | upx
behavioral1/memory/2528-4-0x0000000000400000-0x0000000000429000-memory.dmp | upx
System Location Discovery: System Language Discovery (1 TTPs, 64 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | drfbdjj.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | dvrxv.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | fflff.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vlrdj.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | nnfjjx.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | xtrdl.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ptbll.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | fltpbll.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | fndnn.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | trddrv.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ndxnfb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ttdtr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | fdjbtrb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | fbbtb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vdbrplh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | dtnfjvt.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vnpxd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tdrvr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | xvxfj.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | bfxtxft.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | hftbf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | brftjdt.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | jvntdlt.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | lxllrt.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | lljdp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | fftnhhr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | fxtft.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | hvdjnl.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | dddbbtn.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | fjtnbv.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | pvrhf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | lxlvdhv.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | dnpbbvn.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rtxldn.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | hrhhxdj.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | jxhjrln.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | dljhh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | dddrt.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | djfdd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | hppljbj.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | jjlvn.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tnnfbd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tjftp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | hnfrl.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ttbxdvd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ppvrdhl.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | nxvxrhj.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vtphvt.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | fxnfvt.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | dxhtvt.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | llfpnj.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rvjbpn.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vlrnxhp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | bvfrxbl.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | jflfnt.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | thrhx.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | pfnbrvt.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | fjdjhnn.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | jlvfb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | pdxbph.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | dvljjx.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rtxvnvr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | nbxpr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | nddrdfp.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 2528 wrote to memory of 1272 | 2528 | 665e2c1ba6da46930f6751a2c984dac5a83082e54efe5bd9f24fae53d082da48N.exe | 129
PID 2528 wrote to memory of 1272 | 2528 | 665e2c1ba6da46930f6751a2c984dac5a83082e54efe5bd9f24fae53d082da48N.exe | 129
PID 2528 wrote to memory of 1272 | 2528 | 665e2c1ba6da46930f6751a2c984dac5a83082e54efe5bd9f24fae53d082da48N.exe | 129
PID 2528 wrote to memory of 1272 | 2528 | 665e2c1ba6da46930f6751a2c984dac5a83082e54efe5bd9f24fae53d082da48N.exe | 129
PID 1272 wrote to memory of 2928 | 1272 | lfjtr.exe | 31
PID 1272 wrote to memory of 2928 | 1272 | lfjtr.exe | 31
PID 1272 wrote to memory of 2928 | 1272 | lfjtr.exe | 31
PID 1272 wrote to memory of 2928 | 1272 | lfjtr.exe | 31
PID 2928 wrote to memory of 2896 | 2928 | vrtfjx.exe | 32
PID 2928 wrote to memory of 2896 | 2928 | vrtfjx.exe | 32
PID 2928 wrote to memory of 2896 | 2928 | vrtfjx.exe | 32
PID 2928 wrote to memory of 2896 | 2928 | vrtfjx.exe | 32
PID 2896 wrote to memory of 2964 | 2896 | bvfrxbl.exe | 33
PID 2896 wrote to memory of 2964 | 2896 | bvfrxbl.exe | 33
PID 2896 wrote to memory of 2964 | 2896 | bvfrxbl.exe | 33
PID 2896 wrote to memory of 2964 | 2896 | bvfrxbl.exe | 33
PID 2964 wrote to memory of 2884 | 2964 | brfld.exe | 34
PID 2964 wrote to memory of 2884 | 2964 | brfld.exe | 34
PID 2964 wrote to memory of 2884 | 2964 | brfld.exe | 34
PID 2964 wrote to memory of 2884 | 2964 | brfld.exe | 34
PID 2884 wrote to memory of 2800 | 2884 | dhxxp.exe | 35
PID 2884 wrote to memory of 2800 | 2884 | dhxxp.exe | 35
PID 2884 wrote to memory of 2800 | 2884 | dhxxp.exe | 35
PID 2884 wrote to memory of 2800 | 2884 | dhxxp.exe | 35
PID 2800 wrote to memory of 2540 | 2800 | xjtdjfn.exe | 36
PID 2800 wrote to memory of 2540 | 2800 | xjtdjfn.exe | 36
PID 2800 wrote to memory of 2540 | 2800 | xjtdjfn.exe | 36
PID 2800 wrote to memory of 2540 | 2800 | xjtdjfn.exe | 36
PID 2540 wrote to memory of 2744 | 2540 | tpbln.exe | 37
PID 2540 wrote to memory of 2744 | 2540 | tpbln.exe | 37
PID 2540 wrote to memory of 2744 | 2540 | tpbln.exe | 37
PID 2540 wrote to memory of 2744 | 2540 | tpbln.exe | 37
PID 2744 wrote to memory of 1044 | 2744 | rnddt.exe | 38
PID 2744 wrote to memory of 1044 | 2744 | rnddt.exe | 38
PID 2744 wrote to memory of 1044 | 2744 | rnddt.exe | 38
PID 2744 wrote to memory of 1044 | 2744 | rnddt.exe | 38
PID 1044 wrote to memory of 1856 | 1044 | hftbf.exe | 39
PID 1044 wrote to memory of 1856 | 1044 | hftbf.exe | 39
PID 1044 wrote to memory of 1856 | 1044 | hftbf.exe | 39
PID 1044 wrote to memory of 1856 | 1044 | hftbf.exe | 39
PID 1856 wrote to memory of 1948 | 1856 | pdhbrj.exe | 40
PID 1856 wrote to memory of 1948 | 1856 | pdhbrj.exe | 40
PID 1856 wrote to memory of 1948 | 1856 | pdhbrj.exe | 40
PID 1856 wrote to memory of 1948 | 1856 | pdhbrj.exe | 40
PID 1948 wrote to memory of 1828 | 1948 | dxdfvth.exe | 41
PID 1948 wrote to memory of 1828 | 1948 | dxdfvth.exe | 41
PID 1948 wrote to memory of 1828 | 1948 | dxdfvth.exe | 41
PID 1948 wrote to memory of 1828 | 1948 | dxdfvth.exe | 41
PID 1828 wrote to memory of 3004 | 1828 | ldbjntd.exe | 1799
PID 1828 wrote to memory of 3004 | 1828 | ldbjntd.exe | 1799
PID 1828 wrote to memory of 3004 | 1828 | ldbjntd.exe | 1799
PID 1828 wrote to memory of 3004 | 1828 | ldbjntd.exe | 1799
PID 3004 wrote to memory of 2480 | 3004 | jflfnt.exe | 43
PID 3004 wrote to memory of 2480 | 3004 | jflfnt.exe | 43
PID 3004 wrote to memory of 2480 | 3004 | jflfnt.exe | 43
PID 3004 wrote to memory of 2480 | 3004 | jflfnt.exe | 43
PID 2480 wrote to memory of 2448 | 2480 | trlthvr.exe | 44
PID 2480 wrote to memory of 2448 | 2480 | trlthvr.exe | 44
PID 2480 wrote to memory of 2448 | 2480 | trlthvr.exe | 44
PID 2480 wrote to memory of 2448 | 2480 | trlthvr.exe | 44
PID 2448 wrote to memory of 1016 | 2448 | rbtpjvp.exe | 45
PID 2448 wrote to memory of 1016 | 2448 | rbtpjvp.exe | 45
PID 2448 wrote to memory of 1016 | 2448 | rbtpjvp.exe | 45
PID 2448 wrote to memory of 1016 | 2448 | rbtpjvp.exe | 45
Processes

1. C:\Users\Admin\AppData\Local\Temp\665e2c1ba6da46930f6751a2c984dac5a83082e54efe5bd9f24fae53d082da48N.exe  "C:\Users\Admin\AppData\Local\Temp\665e2c1ba6da46930f6751a2c984dac5a83082e54efe5bd9f24fae53d082da48N.exe"
   - Suspicious use of WriteProcessMemory
   PID: 2528

2. \??\c:\lfjtr.exe  c:\lfjtr.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
   PID: 1272

3. \??\c:\vrtfjx.exe  c:\vrtfjx.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
   PID: 2928

4. \??\c:\bvfrxbl.exe  c:\bvfrxbl.exe
   - Executes dropped EXE
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   PID: 2896

5. \??\c:\brfld.exe  c:\brfld.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
   PID: 2964

6. \??\c:\dhxxp.exe  c:\dhxxp.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
   PID: 2884

7. \??\c:\xjtdjfn.exe  c:\xjtdjfn.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
   PID: 2800

8. \??\c:\tpbln.exe  c:\tpbln.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
   PID: 2540

9. \??\c:\rnddt.exe  c:\rnddt.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
   PID: 2744

10. \??\c:\hftbf.exe  c:\hftbf.exe
   - Executes dropped EXE
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   PID: 1044

11. \??\c:\pdhbrj.exe  c:\pdhbrj.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
   PID: 1856

12. \??\c:\dxdfvth.exe  c:\dxdfvth.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
   PID: 1948

13. \??\c:\ldbjntd.exe  c:\ldbjntd.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
   PID: 1828

14. \??\c:\jflfnt.exe  c:\jflfnt.exe
   - Executes dropped EXE
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   PID: 3004

15. \??\c:\trlthvr.exe  c:\trlthvr.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
   PID: 2480

16. \??\c:\rbtpjvp.exe  c:\rbtpjvp.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
   PID: 2448

17. \??\c:\vnfhbbf.exe  c:\vnfhbbf.exe
   - Executes dropped EXE
   PID: 1016

18. \??\c:\thrhx.exe  c:\thrhx.exe
   - Executes dropped EXE
   - System Location Discovery: System Language Discovery
   PID: 2380

19. \??\c:\ltpddj.exe  c:\ltpddj.exe
   - Executes dropped EXE
   PID: 2412

20. \??\c:\xxhfd.exe  c:\xxhfd.exe
   - Executes dropped EXE
   PID: 1204

21. \??\c:\vlhntbn.exe  c:\vlhntbn.exe
   - Executes dropped EXE
   PID: 2232

22. \??\c:\tfxhdl.exe  c:\tfxhdl.exe
   - Executes dropped EXE
   PID: 2068

23. \??\c:\frddvhr.exe  c:\frddvhr.exe
   - Executes dropped EXE
   PID: 2128

24. \??\c:\rlnvlfn.exe  c:\rlnvlfn.exe
   - Executes dropped EXE
   PID: 1804

25. \??\c:\ptfvrf.exe  c:\ptfvrf.exe
   - Executes dropped EXE
   PID: 1208

26. \??\c:\fxjnjvj.exe  c:\fxjnjvj.exe
   - Executes dropped EXE
   PID: 1492

27. \??\c:\xddhlxd.exe  c:\xddhlxd.exe
   - Executes dropped EXE
   PID: 2296

28. \??\c:\xphnhln.exe  c:\xphnhln.exe
   - Executes dropped EXE
   PID: 1764

29. \??\c:\nddrdfp.exe  c:\nddrdfp.exe
   - Executes dropped EXE
   - System Location Discovery: System Language Discovery
   PID: 704

30. \??\c:\vtphvt.exe  c:\vtphvt.exe
   - Executes dropped EXE
   - System Location Discovery: System Language Discovery
   PID: 2612

31. \??\c:\bbtjpx.exe  c:\bbtjpx.exe
   - Executes dropped EXE
   PID: 2396

32. \??\c:\dvrxv.exe  c:\dvrxv.exe
   - Executes dropped EXE
   - System Location Discovery: System Language Discovery
   PID: 1708

33. \??\c:\xlrvvh.exe  c:\xlrvvh.exe
   - Executes dropped EXE
   PID: 2904

34. \??\c:\dvljjx.exe  c:\dvljjx.exe
   - Executes dropped EXE
   - System Location Discovery: System Language Discovery
   PID: 3060

35. \??\c:\fflff.exe  c:\fflff.exe
   - Executes dropped EXE
   - System Location Discovery: System Language Discovery
   PID: 2992

36. \??\c:\ttdtr.exe  c:\ttdtr.exe
   - Executes dropped EXE
   - System Location Discovery: System Language Discovery
   PID: 2780

37. \??\c:\ftjpt.exe  c:\ftjpt.exe
   - Executes dropped EXE
   PID: 2288

38. \??\c:\vjpjbx.exe  c:\vjpjbx.exe
   - Executes dropped EXE
   PID: 2508

39. \??\c:\xnfhn.exe  c:\xnfhn.exe
   - Executes dropped EXE
   PID: 2540

40. \??\c:\lrxdx.exe  c:\lrxdx.exe
   - Executes dropped EXE
   PID: 2740

41. \??\c:\jtnndjb.exe  c:\jtnndjb.exe
   - Executes dropped EXE
   PID: 2940

42. \??\c:\xtrdl.exe  c:\xtrdl.exe
   - Executes dropped EXE
   - System Location Discovery: System Language Discovery
   PID: 2424

43. \??\c:\dddbbtn.exe  c:\dddbbtn.exe
   - Executes dropped EXE
   - System Location Discovery: System Language Discovery
   PID: 1836

44. \??\c:\hrhpp.exe  c:\hrhpp.exe
   - Executes dropped EXE
   PID: 1948

45. \??\c:\fxnfvt.exe  c:\fxnfvt.exe
   - Executes dropped EXE
   - System Location Discovery: System Language Discovery
   PID: 1828

46. \??\c:\rdbddlr.exe  c:\rdbddlr.exe
   - Executes dropped EXE
   PID: 1412

47. \??\c:\rtxvnvr.exe  c:\rtxvnvr.exe
   - Executes dropped EXE
   - System Location Discovery: System Language Discovery
   PID: 2336

48. \??\c:\xtddb.exe  c:\xtddb.exe
   - Executes dropped EXE
   PID: 1800

49. \??\c:\bnxtl.exe  c:\bnxtl.exe
   - Executes dropped EXE
   PID: 548

50. \??\c:\njxlthv.exe  c:\njxlthv.exe
   - Executes dropped EXE
   PID: 2420

51. \??\c:\bvjpr.exe  c:\bvjpr.exe
   - Executes dropped EXE
   PID: 2152

52. \??\c:\dlhhl.exe  c:\dlhhl.exe
   - Executes dropped EXE
   PID: 1872

53. \??\c:\dhtnld.exe  c:\dhtnld.exe
   - Executes dropped EXE
   PID: 2312

54. \??\c:\dtnfjvt.exe  c:\dtnfjvt.exe
   - Executes dropped EXE
   - System Location Discovery: System Language Discovery
   PID: 2196

55. \??\c:\tjljv.exe  c:\tjljv.exe
   - Executes dropped EXE
   PID: 892

56. \??\c:\hpjdblr.exe  c:\hpjdblr.exe
   - Executes dropped EXE
   PID: 2692

57. \??\c:\jrthpbn.exe  c:\jrthpbn.exe
   - Executes dropped EXE
   PID: 2016

58. \??\c:\brftjdt.exe  c:\brftjdt.exe
   - Executes dropped EXE
   - System Location Discovery: System Language Discovery
   PID: 1384

59. \??\c:\xddtj.exe  c:\xddtj.exe
   - Executes dropped EXE
   PID: 2228

60. \??\c:\fdjbtrb.exe  c:\fdjbtrb.exe
   - Executes dropped EXE
   - System Location Discovery: System Language Discovery
   PID: 1868

61. \??\c:\hppljbj.exe  c:\hppljbj.exe
   - Executes dropped EXE
   - System Location Discovery: System Language Discovery
   PID: 2296

62. \??\c:\nnbtvbj.exe  c:\nnbtvbj.exe
   - Executes dropped EXE
   PID: 2580

63. \??\c:\jjttpdj.exe  c:\jjttpdj.exe
   - Executes dropped EXE
   PID: 1764

64. \??\c:\rdlpxr.exe  c:\rdlpxr.exe
   - Executes dropped EXE
   PID: 1752

65. \??\c:\hnvtdj.exe  c:\hnvtdj.exe
   - Executes dropped EXE
   PID: 2620

66. \??\c:\nhlpf.exe  c:\nhlpf.exe
   PID: 2008

67. \??\c:\jjlvn.exe  c:\jjlvn.exe
   - System Location Discovery: System Language Discovery
   PID: 2976

68. \??\c:\rtxldn.exe  c:\rtxldn.exe
   - System Location Discovery: System Language Discovery
   PID: 2776

69. \??\c:\xnblb.exe  c:\xnblb.exe
   PID: 2904

70. \??\c:\tphftdd.exe  c:\tphftdd.exe
   PID: 2804

71. \??\c:\fjtnbv.exe  c:\fjtnbv.exe
   - System Location Discovery: System Language Discovery
   PID: 3032

72. \??\c:\hrhhxdj.exe  c:\hrhhxdj.exe
   - System Location Discovery: System Language Discovery
   PID: 2892

73. \??\c:\bfhdbl.exe  c:\bfhdbl.exe
   PID: 1944

74. \??\c:\ppxjh.exe  c:\ppxjh.exe
   PID: 3040

75. \??\c:\rxfnp.exe  c:\rxfnp.exe
   PID: 2144

76. \??\c:\vlrdj.exe  c:\vlrdj.exe
   - System Location Discovery: System Language Discovery
   PID: 1920

77. \??\c:\jbbnphd.exe  c:\jbbnphd.exe
   PID: 2280

78. \??\c:\jjxnjhn.exe  c:\jjxnjhn.exe
   PID: 2304

79. \??\c:\hrxjb.exe  c:\hrxjb.exe
   PID: 2472

80. \??\c:\nxhdv.exe  c:\nxhdv.exe
   PID: 1984

81. \??\c:\llrhfhb.exe  c:\llrhfhb.exe
   PID: 2276

82. \??\c:\vnpxd.exe  c:\vnpxd.exe
   - System Location Discovery: System Language Discovery
   PID: 1828

83. \??\c:\htbjvll.exe  c:\htbjvll.exe
   PID: 1412

84. \??\c:\rfpnpbr.exe  c:\rfpnpbr.exe
   PID: 2348

85. \??\c:\rvbxl.exe  c:\rvbxl.exe
   PID: 2036

86. \??\c:\phnvnl.exe  c:\phnvnl.exe
   PID: 2300

87. \??\c:\xhllv.exe  c:\xhllv.exe
   PID: 2356

88. \??\c:\jxhjrln.exe  c:\jxhjrln.exe
   - System Location Discovery: System Language Discovery
   PID: 2176

89. \??\c:\jbthl.exe  c:\jbthl.exe
   PID: 2500

90. \??\c:\fflrpjp.exe  c:\fflrpjp.exe
   PID: 2468

91. \??\c:\jbpbr.exe  c:\jbpbr.exe
   PID: 1972

92. \??\c:\ffvvb.exe  c:\ffvvb.exe
   PID: 1636

93. \??\c:\txljn.exe  c:\txljn.exe
   PID: 2128

94. \??\c:\tdrvr.exe  c:\tdrvr.exe
   - System Location Discovery: System Language Discovery
   PID: 1804

95. \??\c:\pfnbrvt.exe  c:\pfnbrvt.exe
   - System Location Discovery: System Language Discovery
   PID: 2132

96. \??\c:\fjdjhnn.exe  c:\fjdjhnn.exe
   - System Location Discovery: System Language Discovery
   PID: 1676

97. \??\c:\ddbftbx.exe  c:\ddbftbx.exe
   PID: 1020

98. \??\c:\lljdp.exe  c:\lljdp.exe
   - System Location Discovery: System Language Discovery
   PID: 2064

99. \??\c:\ptbll.exe  c:\ptbll.exe
   - System Location Discovery: System Language Discovery
   PID: 1680

100. \??\c:\xdlhpn.exe  c:\xdlhpn.exe
   PID: 2012

101. \??\c:\rtrrtb.exe  c:\rtrrtb.exe
   PID: 1272

102. \??\c:\fftnhhr.exe  c:\fftnhhr.exe
   - System Location Discovery: System Language Discovery
   PID: 1332

103. \??\c:\dnjbbpj.exe  c:\dnjbbpj.exe
   PID: 2876

104. \??\c:\hnfrl.exe  c:\hnfrl.exe
   - System Location Discovery: System Language Discovery
   PID: 2864

105. \??\c:\tnnfbd.exe  c:\tnnfbd.exe
   - System Location Discovery: System Language Discovery
   PID: 636

106. \??\c:\jdpph.exe  c:\jdpph.exe
   PID: 1288

107. \??\c:\xvlhv.exe  c:\xvlhv.exe
   PID: 2804

108. \??\c:\rhjbnrx.exe  c:\rhjbnrx.exe
   PID: 2780

109. \??\c:\rrjfr.exe  c:\rrjfr.exe
   PID: 2552

110. \??\c:\djrxdj.exe  c:\djrxdj.exe
   PID: 1996

111. \??\c:\fltpbll.exe  c:\fltpbll.exe
   - System Location Discovery: System Language Discovery
   PID: 2456

112. \??\c:\fhbbp.exe  c:\fhbbp.exe
   PID: 1652

113. \??\c:\fxtft.exe  c:\fxtft.exe
   - System Location Discovery: System Language Discovery
   PID: 572

114. \??\c:\rvhdp.exe  c:\rvhdp.exe
   PID: 436

115. \??\c:\bhrlhx.exe  c:\bhrlhx.exe
   PID: 1656

116. \??\c:\btbndbd.exe  c:\btbndbd.exe
   PID: 2136

117. \??\c:\hvttlft.exe  c:\hvttlft.exe
   PID: 980

118. \??\c:\drxtvt.exe  c:\drxtvt.exe
   PID: 2276

119. \??\c:\pnftt.exe  c:\pnftt.exe
   PID: 1828

120. \??\c:\lprxb.exe  c:\lprxb.exe
   PID: 1412

121. \??\c:\hlhdd.exe  c:\hlhdd.exe
   PID: 2348

122. \??\c:\dxhtvt.exe  c:\dxhtvt.exe
   - System Location Discovery: System Language Discovery
   PID: 2036