Analysis
-
max time kernel
150s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64 arch:x86 image:win7-20241010-en locale:en-us os:windows7-x64 system -
submitted
08/01/2025, 07:09
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
19b1190642f60f0370b5a3d5dd9132d63754dc57f050f1541fa8ebedb0e4285f.exe
Resource
win7-20241010-en
7 signatures
150 seconds
General
-
Target
19b1190642f60f0370b5a3d5dd9132d63754dc57f050f1541fa8ebedb0e4285f.exe
-
Size
454KB
-
MD5
b78f3f3a60cf3e45c91adbb2e0e32899
-
SHA1
1ca46fda3d2ba5d270fe4fd6083cf29e553599d2
-
SHA256
19b1190642f60f0370b5a3d5dd9132d63754dc57f050f1541fa8ebedb0e4285f
-
SHA512
d79a955ae0c34b0e0700d33588a7d4afa6e8401dd7884b6c5536ffc4793d5a554deb79b7bd4753fdcc6e716eb6d799b8951326eea6ddc34a6bba2d3b2491975d
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbez:q7Tc2NYHUrAwfMp3CDz
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 40 IoCs
resource yara_rule behavioral1/memory/2052-1-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1628-22-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2356-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1628-24-0x00000000003D0000-0x00000000003FA000-memory.dmp family_blackmoon behavioral1/memory/2928-58-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2884-54-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3016-74-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/3016-75-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2680-79-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2396-98-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2696-95-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2924-133-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1924-131-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2924-140-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1388-154-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2808-150-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2120-171-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1056-189-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2496-199-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1088-208-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2916-212-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon 
behavioral1/memory/1704-245-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/876-294-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2304-303-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2016-322-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2780-337-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2928-364-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2868-365-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2868-372-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1612-392-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2396-399-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2280-407-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1640-448-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1944-475-0x00000000001C0000-0x00000000001EA000-memory.dmp family_blackmoon behavioral1/memory/264-557-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2756-654-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1416-686-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2088-747-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/2716-819-0x00000000005C0000-0x00000000005EA000-memory.dmp family_blackmoon behavioral1/memory/264-843-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2356 vpfptt.exe 1628 tlvjf.exe 2816 rbnjh.exe 1576 xdflh.exe 2884 vxjbbfb.exe 2928 tpfdjp.exe 3016 bpvhxp.exe 2680 tjtptrj.exe 2696 xdtdd.exe 2396 ptnrxx.exe 1572 dnrrppf.exe 2964 ljvblt.exe 1924 dlfthnp.exe 2924 hpplpx.exe 2808 bjnjfxx.exe 1388 rbrjn.exe 2120 dnbdfl.exe 2916 bhllrrj.exe 1056 hhbdd.exe 2496 btdptr.exe 1088 xjpjrbd.exe 2004 jdxrjdr.exe 976 xvlpft.exe 1084 tbvrpl.exe 1704 hhtnr.exe 1528 vfdtj.exe 560 xdtbb.exe 2464 vvjhx.exe 1592 vxjnph.exe 376 pjlxlp.exe 876 vbdlxnh.exe 2304 ddxnnfl.exe 2560 ppbhtfr.exe 1696 jftnr.exe 2016 llblp.exe 2760 ldjfpt.exe 2780 jfthhr.exe 1576 nddnhhn.exe 2756 nttjljp.exe 2232 lxtdrh.exe 2928 nprpt.exe 2868 rjfrtdf.exe 2644 pjlrb.exe 2280 dlnbjtn.exe 1612 tvhhdll.exe 2396 dbpnvf.exe 1104 dnnpx.exe 1908 ptblh.exe 2076 tldxdtv.exe 1924 rvrdfvt.exe 1556 jdplr.exe 948 htrtx.exe 1640 dpbhflf.exe 1880 tptlr.exe 3008 fnndd.exe 2388 pxdrfp.exe 1944 jpvprv.exe 2080 dfphll.exe 2408 dpjfxdx.exe 2176 flftf.exe 916 jfxxlpf.exe 908 rdppjp.exe 1684 pthfp.exe 2608 ltnvhp.exe -
resource yara_rule behavioral1/memory/2052-1-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1628-22-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2356-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2928-58-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2884-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3016-75-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2680-79-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2696-87-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2396-98-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2696-95-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2924-133-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1924-131-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1388-154-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2808-150-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2120-171-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1056-189-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2496-199-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1088-203-0x00000000001B0000-0x00000000001DA000-memory.dmp upx behavioral1/memory/1088-208-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1704-245-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/876-294-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2304-303-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2016-322-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2780-337-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2232-351-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2928-364-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2868-365-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1612-392-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1640-448-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/916-496-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/264-557-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2772-603-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2904-622-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2756-654-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1416-686-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2716-819-0x00000000005C0000-0x00000000005EA000-memory.dmp upx behavioral1/memory/264-843-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jbjhbbr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nddffvx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpbhflf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlnvf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tdjxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hvrdrd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dxjbj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ltblf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rjfrtdf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jxfphnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not 
Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nttjljp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbxvprn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxptnj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jtrrnr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vrjnv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language plrjhl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llpbv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vftnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llrphpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fbtlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vhtxrxd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lddlln.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vrrtd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlvbl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vxnhdrj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjdlnx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dlvxjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttjbfnj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vphhhdt.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2052 wrote to memory of 2356 2052 19b1190642f60f0370b5a3d5dd9132d63754dc57f050f1541fa8ebedb0e4285f.exe 31 PID 2052 wrote to memory of 2356 2052 19b1190642f60f0370b5a3d5dd9132d63754dc57f050f1541fa8ebedb0e4285f.exe 31 PID 2052 wrote to memory of 2356 2052 19b1190642f60f0370b5a3d5dd9132d63754dc57f050f1541fa8ebedb0e4285f.exe 31 PID 2052 wrote to memory of 2356 2052 19b1190642f60f0370b5a3d5dd9132d63754dc57f050f1541fa8ebedb0e4285f.exe 31 PID 2356 wrote to memory of 1628 2356 vpfptt.exe 32 PID 2356 wrote to memory of 1628 2356 vpfptt.exe 32 PID 2356 wrote to memory of 1628 2356 vpfptt.exe 32 PID 2356 wrote to memory of 1628 2356 vpfptt.exe 32 PID 1628 wrote to memory of 2816 1628 tlvjf.exe 33 PID 1628 wrote to memory of 2816 1628 tlvjf.exe 33 PID 1628 wrote to memory of 2816 1628 tlvjf.exe 33 PID 1628 wrote to memory of 2816 1628 tlvjf.exe 33 PID 2816 wrote to memory of 1576 2816 rbnjh.exe 34 PID 2816 wrote to memory of 1576 2816 rbnjh.exe 34 PID 2816 wrote to memory of 1576 2816 rbnjh.exe 34 PID 2816 wrote to memory of 1576 2816 rbnjh.exe 34 PID 1576 wrote to memory of 2884 1576 xdflh.exe 35 PID 1576 wrote to memory of 2884 1576 xdflh.exe 35 PID 1576 wrote to memory of 2884 1576 xdflh.exe 35 PID 1576 wrote to memory of 2884 1576 xdflh.exe 35 PID 2884 wrote to memory of 2928 2884 vxjbbfb.exe 36 PID 2884 wrote to memory of 2928 2884 vxjbbfb.exe 36 PID 2884 wrote to memory of 2928 2884 vxjbbfb.exe 36 PID 2884 wrote to memory of 2928 2884 vxjbbfb.exe 36 PID 2928 wrote to memory of 3016 2928 tpfdjp.exe 37 PID 2928 wrote to memory of 3016 2928 tpfdjp.exe 37 PID 2928 wrote to memory of 3016 2928 tpfdjp.exe 37 PID 2928 wrote to memory of 3016 2928 tpfdjp.exe 37 PID 3016 wrote to memory of 2680 3016 bpvhxp.exe 38 PID 3016 wrote to memory of 2680 3016 bpvhxp.exe 38 PID 3016 wrote to memory of 2680 3016 bpvhxp.exe 38 PID 3016 wrote to memory of 2680 3016 bpvhxp.exe 38 PID 2680 wrote to memory of 2696 2680 tjtptrj.exe 39 PID 2680 wrote to 
memory of 2696 2680 tjtptrj.exe 39 PID 2680 wrote to memory of 2696 2680 tjtptrj.exe 39 PID 2680 wrote to memory of 2696 2680 tjtptrj.exe 39 PID 2696 wrote to memory of 2396 2696 xdtdd.exe 40 PID 2696 wrote to memory of 2396 2696 xdtdd.exe 40 PID 2696 wrote to memory of 2396 2696 xdtdd.exe 40 PID 2696 wrote to memory of 2396 2696 xdtdd.exe 40 PID 2396 wrote to memory of 1572 2396 ptnrxx.exe 41 PID 2396 wrote to memory of 1572 2396 ptnrxx.exe 41 PID 2396 wrote to memory of 1572 2396 ptnrxx.exe 41 PID 2396 wrote to memory of 1572 2396 ptnrxx.exe 41 PID 1572 wrote to memory of 2964 1572 dnrrppf.exe 42 PID 1572 wrote to memory of 2964 1572 dnrrppf.exe 42 PID 1572 wrote to memory of 2964 1572 dnrrppf.exe 42 PID 1572 wrote to memory of 2964 1572 dnrrppf.exe 42 PID 2964 wrote to memory of 1924 2964 ljvblt.exe 43 PID 2964 wrote to memory of 1924 2964 ljvblt.exe 43 PID 2964 wrote to memory of 1924 2964 ljvblt.exe 43 PID 2964 wrote to memory of 1924 2964 ljvblt.exe 43 PID 1924 wrote to memory of 2924 1924 dlfthnp.exe 44 PID 1924 wrote to memory of 2924 1924 dlfthnp.exe 44 PID 1924 wrote to memory of 2924 1924 dlfthnp.exe 44 PID 1924 wrote to memory of 2924 1924 dlfthnp.exe 44 PID 2924 wrote to memory of 2808 2924 hpplpx.exe 45 PID 2924 wrote to memory of 2808 2924 hpplpx.exe 45 PID 2924 wrote to memory of 2808 2924 hpplpx.exe 45 PID 2924 wrote to memory of 2808 2924 hpplpx.exe 45 PID 2808 wrote to memory of 1388 2808 bjnjfxx.exe 46 PID 2808 wrote to memory of 1388 2808 bjnjfxx.exe 46 PID 2808 wrote to memory of 1388 2808 bjnjfxx.exe 46 PID 2808 wrote to memory of 1388 2808 bjnjfxx.exe 46
Processes
-
C:\Users\Admin\AppData\Local\Temp\19b1190642f60f0370b5a3d5dd9132d63754dc57f050f1541fa8ebedb0e4285f.exe"C:\Users\Admin\AppData\Local\Temp\19b1190642f60f0370b5a3d5dd9132d63754dc57f050f1541fa8ebedb0e4285f.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2052 -
\??\c:\vpfptt.exec:\vpfptt.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2356 -
\??\c:\tlvjf.exec:\tlvjf.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1628 -
\??\c:\rbnjh.exec:\rbnjh.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2816 -
\??\c:\xdflh.exec:\xdflh.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1576 -
\??\c:\vxjbbfb.exec:\vxjbbfb.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2884 -
\??\c:\tpfdjp.exec:\tpfdjp.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2928 -
\??\c:\bpvhxp.exec:\bpvhxp.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3016 -
\??\c:\tjtptrj.exec:\tjtptrj.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2680 -
\??\c:\xdtdd.exec:\xdtdd.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2696 -
\??\c:\ptnrxx.exec:\ptnrxx.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2396 -
\??\c:\dnrrppf.exec:\dnrrppf.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1572 -
\??\c:\ljvblt.exec:\ljvblt.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2964 -
\??\c:\dlfthnp.exec:\dlfthnp.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1924 -
\??\c:\hpplpx.exec:\hpplpx.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2924 -
\??\c:\bjnjfxx.exec:\bjnjfxx.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2808 -
\??\c:\rbrjn.exec:\rbrjn.exe17⤵
- Executes dropped EXE
PID:1388 -
\??\c:\dnbdfl.exec:\dnbdfl.exe18⤵
- Executes dropped EXE
PID:2120 -
\??\c:\bhllrrj.exec:\bhllrrj.exe19⤵
- Executes dropped EXE
PID:2916 -
\??\c:\hhbdd.exec:\hhbdd.exe20⤵
- Executes dropped EXE
PID:1056 -
\??\c:\btdptr.exec:\btdptr.exe21⤵
- Executes dropped EXE
PID:2496 -
\??\c:\xjpjrbd.exec:\xjpjrbd.exe22⤵
- Executes dropped EXE
PID:1088 -
\??\c:\jdxrjdr.exec:\jdxrjdr.exe23⤵
- Executes dropped EXE
PID:2004 -
\??\c:\xvlpft.exec:\xvlpft.exe24⤵
- Executes dropped EXE
PID:976 -
\??\c:\tbvrpl.exec:\tbvrpl.exe25⤵
- Executes dropped EXE
PID:1084 -
\??\c:\hhtnr.exec:\hhtnr.exe26⤵
- Executes dropped EXE
PID:1704 -
\??\c:\vfdtj.exec:\vfdtj.exe27⤵
- Executes dropped EXE
PID:1528 -
\??\c:\xdtbb.exec:\xdtbb.exe28⤵
- Executes dropped EXE
PID:560 -
\??\c:\vvjhx.exec:\vvjhx.exe29⤵
- Executes dropped EXE
PID:2464 -
\??\c:\vxjnph.exec:\vxjnph.exe30⤵
- Executes dropped EXE
PID:1592 -
\??\c:\pjlxlp.exec:\pjlxlp.exe31⤵
- Executes dropped EXE
PID:376 -
\??\c:\vbdlxnh.exec:\vbdlxnh.exe32⤵
- Executes dropped EXE
PID:876 -
\??\c:\ddxnnfl.exec:\ddxnnfl.exe33⤵
- Executes dropped EXE
PID:2304 -
\??\c:\ppbhtfr.exec:\ppbhtfr.exe34⤵
- Executes dropped EXE
PID:2560 -
\??\c:\jftnr.exec:\jftnr.exe35⤵
- Executes dropped EXE
PID:1696 -
\??\c:\llblp.exec:\llblp.exe36⤵
- Executes dropped EXE
PID:2016 -
\??\c:\ldjfpt.exec:\ldjfpt.exe37⤵
- Executes dropped EXE
PID:2760 -
\??\c:\jfthhr.exec:\jfthhr.exe38⤵
- Executes dropped EXE
PID:2780 -
\??\c:\nddnhhn.exec:\nddnhhn.exe39⤵
- Executes dropped EXE
PID:1576 -
\??\c:\nttjljp.exec:\nttjljp.exe40⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2756 -
\??\c:\lxtdrh.exec:\lxtdrh.exe41⤵
- Executes dropped EXE
PID:2232 -
\??\c:\nprpt.exec:\nprpt.exe42⤵
- Executes dropped EXE
PID:2928 -
\??\c:\rjfrtdf.exec:\rjfrtdf.exe43⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2868 -
\??\c:\pjlrb.exec:\pjlrb.exe44⤵
- Executes dropped EXE
PID:2644 -
\??\c:\dlnbjtn.exec:\dlnbjtn.exe45⤵
- Executes dropped EXE
PID:2280 -
\??\c:\tvhhdll.exec:\tvhhdll.exe46⤵
- Executes dropped EXE
PID:1612 -
\??\c:\dbpnvf.exec:\dbpnvf.exe47⤵
- Executes dropped EXE
PID:2396 -
\??\c:\dnnpx.exec:\dnnpx.exe48⤵
- Executes dropped EXE
PID:1104 -
\??\c:\ptblh.exec:\ptblh.exe49⤵
- Executes dropped EXE
PID:1908 -
\??\c:\tldxdtv.exec:\tldxdtv.exe50⤵
- Executes dropped EXE
PID:2076 -
\??\c:\rvrdfvt.exec:\rvrdfvt.exe51⤵
- Executes dropped EXE
PID:1924 -
\??\c:\jdplr.exec:\jdplr.exe52⤵
- Executes dropped EXE
PID:1556 -
\??\c:\htrtx.exec:\htrtx.exe53⤵
- Executes dropped EXE
PID:948 -
\??\c:\dpbhflf.exec:\dpbhflf.exe54⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1640 -
\??\c:\tptlr.exec:\tptlr.exe55⤵
- Executes dropped EXE
PID:1880 -
\??\c:\fnndd.exec:\fnndd.exe56⤵
- Executes dropped EXE
PID:3008 -
\??\c:\pxdrfp.exec:\pxdrfp.exe57⤵
- Executes dropped EXE
PID:2388 -
\??\c:\jpvprv.exec:\jpvprv.exe58⤵
- Executes dropped EXE
PID:1944 -
\??\c:\dfphll.exec:\dfphll.exe59⤵
- Executes dropped EXE
PID:2080 -
\??\c:\dpjfxdx.exec:\dpjfxdx.exe60⤵
- Executes dropped EXE
PID:2408 -
\??\c:\flftf.exec:\flftf.exe61⤵
- Executes dropped EXE
PID:2176 -
\??\c:\jfxxlpf.exec:\jfxxlpf.exe62⤵
- Executes dropped EXE
PID:916 -
\??\c:\rdppjp.exec:\rdppjp.exe63⤵
- Executes dropped EXE
PID:908 -
\??\c:\pthfp.exec:\pthfp.exe64⤵
- Executes dropped EXE
PID:1684 -
\??\c:\ltnvhp.exec:\ltnvhp.exe65⤵
- Executes dropped EXE
PID:2608 -
\??\c:\hnphhr.exec:\hnphhr.exe66⤵PID:336
-
\??\c:\htnrjp.exec:\htnrjp.exe67⤵PID:1328
-
\??\c:\dpdbhv.exec:\dpdbhv.exe68⤵PID:568
-
\??\c:\vfjjrdf.exec:\vfjjrdf.exe69⤵PID:560
-
\??\c:\pbppxfl.exec:\pbppxfl.exe70⤵PID:584
-
\??\c:\tldxpr.exec:\tldxpr.exe71⤵PID:264
-
\??\c:\vtbpjpj.exec:\vtbpjpj.exe72⤵PID:2444
-
\??\c:\njlnvr.exec:\njlnvr.exe73⤵PID:2564
-
\??\c:\flbntp.exec:\flbntp.exe74⤵PID:2344
-
\??\c:\dxhnbdn.exec:\dxhnbdn.exe75⤵PID:1532
-
\??\c:\pbvpndj.exec:\pbvpndj.exe76⤵PID:2932
-
\??\c:\jhlrpfx.exec:\jhlrpfx.exe77⤵PID:1628
-
\??\c:\dpptrl.exec:\dpptrl.exe78⤵PID:2772
-
\??\c:\tbrxxrv.exec:\tbrxxrv.exe79⤵PID:2844
-
\??\c:\fpddhhf.exec:\fpddhhf.exe80⤵PID:3052
-
\??\c:\rnlhrt.exec:\rnlhrt.exe81⤵PID:2904
-
\??\c:\ftpddh.exec:\ftpddh.exe82⤵PID:2756
-
\??\c:\bbhvt.exec:\bbhvt.exe83⤵PID:2232
-
\??\c:\lltjx.exec:\lltjx.exe84⤵PID:2628
-
\??\c:\nnrxrtf.exec:\nnrxrtf.exe85⤵PID:2800
-
\??\c:\nxfnf.exec:\nxfnf.exe86⤵PID:2688
-
\??\c:\xfntbp.exec:\xfntbp.exe87⤵PID:2696
-
\??\c:\vdnxdp.exec:\vdnxdp.exe88⤵PID:1612
-
\??\c:\jbrffjt.exec:\jbrffjt.exe89⤵PID:2396
-
\??\c:\pbfjfd.exec:\pbfjfd.exe90⤵PID:2524
-
\??\c:\jbfdbrp.exec:\jbfdbrp.exe91⤵PID:1416
-
\??\c:\ndfblb.exec:\ndfblb.exe92⤵PID:1100
-
\??\c:\fvpdl.exec:\fvpdl.exe93⤵PID:1904
-
\??\c:\nfjfbn.exec:\nfjfbn.exe94⤵PID:2988
-
\??\c:\xrtbp.exec:\xrtbp.exe95⤵PID:2732
-
\??\c:\jrrlhtp.exec:\jrrlhtp.exe96⤵PID:2428
-
\??\c:\fdpxnhf.exec:\fdpxnhf.exe97⤵PID:3000
-
\??\c:\pfpjpvl.exec:\pfpjpvl.exe98⤵PID:2400
-
\??\c:\xvbvfhd.exec:\xvbvfhd.exe99⤵PID:2088
-
\??\c:\pntpfpd.exec:\pntpfpd.exe100⤵PID:1660
-
\??\c:\dlpxff.exec:\dlpxff.exe101⤵PID:2496
-
\??\c:\lfndrb.exec:\lfndrb.exe102⤵PID:2072
-
\??\c:\bjfftj.exec:\bjfftj.exe103⤵PID:1644
-
\??\c:\lrvtdjh.exec:\lrvtdjh.exe104⤵PID:972
-
\??\c:\bljhff.exec:\bljhff.exe105⤵PID:1356
-
\??\c:\vhppnb.exec:\vhppnb.exe106⤵PID:2460
-
\??\c:\pnnjrl.exec:\pnnjrl.exe107⤵PID:1292
-
\??\c:\lplld.exec:\lplld.exe108⤵PID:1072
-
\??\c:\vfplhbb.exec:\vfplhbb.exe109⤵PID:1528
-
\??\c:\rvrllr.exec:\rvrllr.exe110⤵PID:2520
-
\??\c:\lxtjpv.exec:\lxtjpv.exe111⤵PID:2716
-
\??\c:\tfvpxxd.exec:\tfvpxxd.exe112⤵PID:560
-
\??\c:\vrfph.exec:\vrfph.exe113⤵PID:584
-
\??\c:\rtvrv.exec:\rtvrv.exe114⤵PID:264
-
\??\c:\httvp.exec:\httvp.exe115⤵PID:2364
-
\??\c:\bnlpf.exec:\bnlpf.exe116⤵PID:1668
-
\??\c:\jdvtj.exec:\jdvtj.exe117⤵PID:1608
-
\??\c:\vtjbl.exec:\vtjbl.exe118⤵PID:1532
-
\??\c:\txrpd.exec:\txrpd.exe119⤵PID:2932
-
\??\c:\ntxnl.exec:\ntxnl.exe120⤵PID:1628
-
\??\c:\vhpfdbr.exec:\vhpfdbr.exe121⤵PID:1376
-
\??\c:\hfdrrd.exec:\hfdrrd.exe122⤵PID:2844
-