Analysis
-
max time kernel
150s -
max time network
20s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64 arch:x86 image:win7-20241010-en locale:en-us os:windows7-x64 system -
submitted
17/10/2024, 16:52
Behavioral task
behavioral1
Sample
f9df999443c64ed9d148c8f3cb21403a375373f0bbc8e9162f9213031d1775deN.exe
Resource
win7-20241010-en
6 signatures
150 seconds
General
-
Target
f9df999443c64ed9d148c8f3cb21403a375373f0bbc8e9162f9213031d1775deN.exe
-
Size
445KB
-
MD5
fba138788d8671443ac9b7899da1c6d0
-
SHA1
e774d7e5364759a563b819ab7d3f4dc06f3f0451
-
SHA256
f9df999443c64ed9d148c8f3cb21403a375373f0bbc8e9162f9213031d1775de
-
SHA512
f74774acfee06e09bdac9e3a13fdaf8d69c9c1df7be17743ac5447cd3e7836d0739bf9d72b8279368808df3bfd2cb31c97c1f1f76173e29d8d6f2ed7bef81bca
-
SSDEEP
12288:w4wFHoS9KxbNnidEhjEJd1kNpeUgI95yRoZHVaoJMOxFXnRV4PiGO0hUmH5CJ:kKxbNndhjEJd1kNpeUgI95yRoZHgoJMi
Malware Config
Signatures
-
Detect Blackmoon payload 47 IoCs
resource yara_rule behavioral1/memory/2476-7-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral1/memory/2792-9-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral1/memory/2792-17-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral1/memory/2892-29-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral1/memory/2884-39-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral1/memory/2784-65-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral1/memory/2660-56-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral1/memory/2968-77-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral1/memory/2300-100-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral1/memory/2204-110-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral1/memory/2916-129-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral1/memory/2312-148-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral1/memory/564-165-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral1/memory/2564-174-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral1/memory/672-201-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral1/memory/692-230-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral1/memory/860-256-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral1/memory/2036-266-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral1/memory/1456-298-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral1/memory/3052-305-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral1/memory/2668-325-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon 
behavioral1/memory/2668-324-0x0000000001C80000-0x0000000001CB4000-memory.dmp family_blackmoon behavioral1/memory/2144-345-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral1/memory/1672-390-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral1/memory/1696-403-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral1/memory/2984-410-0x0000000000440000-0x0000000000474000-memory.dmp family_blackmoon behavioral1/memory/1992-454-0x0000000000220000-0x0000000000254000-memory.dmp family_blackmoon behavioral1/memory/2488-460-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral1/memory/628-512-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral1/memory/628-511-0x0000000000220000-0x0000000000254000-memory.dmp family_blackmoon behavioral1/memory/2560-551-0x0000000000220000-0x0000000000254000-memory.dmp family_blackmoon behavioral1/memory/2052-571-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral1/memory/1812-479-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral1/memory/1768-209-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral1/memory/2908-593-0x00000000003C0000-0x00000000003F4000-memory.dmp family_blackmoon behavioral1/memory/2356-156-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral1/memory/2876-606-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral1/memory/2664-638-0x0000000000440000-0x0000000000474000-memory.dmp family_blackmoon behavioral1/memory/1912-714-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral1/memory/588-727-0x0000000000220000-0x0000000000254000-memory.dmp family_blackmoon behavioral1/memory/700-735-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral1/memory/700-736-0x0000000000220000-0x0000000000254000-memory.dmp family_blackmoon 
behavioral1/memory/2792-874-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral1/memory/1492-904-0x0000000001CA0000-0x0000000001CD4000-memory.dmp family_blackmoon behavioral1/memory/2976-967-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral1/memory/2168-974-0x0000000000220000-0x0000000000254000-memory.dmp family_blackmoon behavioral1/memory/2700-982-0x0000000000320000-0x0000000000354000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2792 phnhvdl.exe 2892 txjpdhj.exe 2884 xbdvxl.exe 2848 hlxbbhb.exe 2660 nlvrfrv.exe 2784 rjrjfb.exe 392 xbrpv.exe 2968 fbxbx.exe 1676 nttbx.exe 2300 jpppxlj.exe 2204 rdvff.exe 2976 jffhrhr.exe 2916 jflhlff.exe 1900 xhrpj.exe 2312 rbnjbfb.exe 2356 hjjpdlv.exe 564 jppfd.exe 2564 lpplvl.exe 1948 rjlptn.exe 2244 blvrt.exe 672 dnvrfld.exe 1768 ftbdfdj.exe 956 xxrlvx.exe 1076 xlbndxn.exe 692 hrvrr.exe 1376 phpdjnv.exe 860 jftxl.exe 2036 fjnbn.exe 568 jtjxjp.exe 1908 txbfdnt.exe 2128 tnxxvb.exe 1456 jdbtlbt.exe 3052 pbtjtb.exe 2476 nlxxntn.exe 1700 ptlpnrr.exe 2668 rdnpvp.exe 2892 dnrbbd.exe 3060 bpxhfvn.exe 2144 vfphjpn.exe 2252 nvnpbn.exe 2852 xjvrdnr.exe 2724 lpfrd.exe 2192 vtlbbx.exe 2264 fhpnv.exe 2308 vfhrxfb.exe 1672 ptnjr.exe 2276 nhfpvj.exe 1696 rrbbrh.exe 2984 rxhptrf.exe 2176 fppdn.exe 1176 nrjjrjt.exe 2760 pfjhnx.exe 2332 rrxbj.exe 588 vlpvjxr.exe 700 bpldx.exe 1992 nhnlf.exe 2488 hpbjp.exe 2512 fnbfbb.exe 2992 hrjrdr.exe 1812 btfhnd.exe 2516 bfvfrr.exe 1228 tnnlfhh.exe 904 nvrhj.exe 1944 vdnpj.exe -
resource yara_rule behavioral1/memory/2476-0-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral1/files/0x000c000000012266-5.dat upx behavioral1/memory/2476-7-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral1/memory/2792-9-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral1/files/0x002b0000000195bb-18.dat upx behavioral1/memory/2892-21-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral1/memory/2792-17-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral1/files/0x00080000000195c6-30.dat upx behavioral1/memory/2892-29-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral1/memory/2892-27-0x0000000000540000-0x0000000000574000-memory.dmp upx behavioral1/memory/2884-39-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral1/files/0x000600000001960c-40.dat upx behavioral1/files/0x0006000000019643-48.dat upx behavioral1/files/0x000600000001975a-58.dat upx behavioral1/files/0x00080000000197fd-67.dat upx behavioral1/memory/2784-65-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral1/memory/2660-56-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral1/memory/2968-77-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral1/files/0x002a0000000195bd-76.dat upx behavioral1/files/0x000500000001a480-84.dat upx behavioral1/files/0x000500000001a482-93.dat upx behavioral1/files/0x000500000001a484-104.dat upx behavioral1/memory/2204-103-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral1/memory/2300-100-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral1/memory/2204-110-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral1/files/0x000500000001a486-112.dat upx behavioral1/memory/2916-121-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral1/files/0x000500000001a488-122.dat upx behavioral1/files/0x000500000001a48a-131.dat upx behavioral1/files/0x000500000001a48d-139.dat upx 
behavioral1/memory/2916-129-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral1/files/0x000500000001a48f-147.dat upx behavioral1/memory/2312-148-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral1/files/0x000500000001a491-157.dat upx behavioral1/files/0x000500000001a493-166.dat upx behavioral1/memory/564-165-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral1/files/0x000500000001a499-176.dat upx behavioral1/memory/2564-174-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral1/files/0x000500000001a49a-183.dat upx behavioral1/files/0x000500000001a49e-192.dat upx behavioral1/files/0x000500000001a49f-202.dat upx behavioral1/memory/672-201-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral1/files/0x000500000001a4a1-210.dat upx behavioral1/files/0x000500000001a4a2-219.dat upx behavioral1/memory/692-230-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral1/files/0x000500000001a4ab-237.dat upx behavioral1/memory/860-256-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral1/files/0x000500000001a4b4-264.dat upx behavioral1/memory/2036-266-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral1/files/0x000500000001a4ad-257.dat upx behavioral1/files/0x000500000001a4ba-275.dat upx behavioral1/files/0x000500000001a4bf-282.dat upx behavioral1/files/0x000500000001a4ff-290.dat upx behavioral1/memory/1456-298-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral1/memory/3052-305-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral1/files/0x000500000001a4ac-247.dat upx behavioral1/memory/860-246-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral1/files/0x000500000001a4a9-229.dat upx behavioral1/memory/2668-325-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral1/memory/2144-345-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral1/memory/1672-390-0x0000000000400000-0x0000000000434000-memory.dmp upx 
behavioral1/memory/1696-403-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral1/memory/2488-460-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral1/memory/628-512-0x0000000000400000-0x0000000000434000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language prpfdjx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vxtrlh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvfjfht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pnhdxbx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vddpnj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thpjlfb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xhrpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pxthh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hjlblf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbrlxd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhdnl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dnflnnx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdvjn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bvrrhvt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jfnhh.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language trxxd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lbhvfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddlpdh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rjpplp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djtlfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnnlfhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nlxxntn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dflvhjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dtnvvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tffvh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lffrnxh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pthlv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nppjbt.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language njtnf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vtdxptn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jxnrb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnnnrv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lnjfj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tfjbxbr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rvprnf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2476 wrote to memory of 2792 2476 f9df999443c64ed9d148c8f3cb21403a375373f0bbc8e9162f9213031d1775deN.exe 30 PID 2476 wrote to memory of 2792 2476 f9df999443c64ed9d148c8f3cb21403a375373f0bbc8e9162f9213031d1775deN.exe 30 PID 2476 wrote to memory of 2792 2476 f9df999443c64ed9d148c8f3cb21403a375373f0bbc8e9162f9213031d1775deN.exe 30 PID 2476 wrote to memory of 2792 2476 f9df999443c64ed9d148c8f3cb21403a375373f0bbc8e9162f9213031d1775deN.exe 30 PID 2792 wrote to memory of 2892 2792 phnhvdl.exe 66 PID 2792 wrote to memory of 2892 2792 phnhvdl.exe 66 PID 2792 wrote to memory of 2892 2792 phnhvdl.exe 66 PID 2792 wrote to memory of 2892 2792 phnhvdl.exe 66 PID 2892 wrote to memory of 2884 2892 txjpdhj.exe 32 PID 2892 wrote to memory of 2884 2892 txjpdhj.exe 32 PID 2892 wrote to memory of 2884 2892 txjpdhj.exe 32 PID 2892 wrote to memory of 2884 2892 txjpdhj.exe 32 PID 2884 wrote to memory of 2848 2884 xbdvxl.exe 33 PID 2884 wrote to memory of 2848 2884 xbdvxl.exe 33 PID 2884 wrote to memory of 2848 2884 xbdvxl.exe 33 PID 2884 wrote to memory of 2848 2884 xbdvxl.exe 33 PID 2848 wrote to memory of 2660 2848 hlxbbhb.exe 34 PID 2848 wrote to memory of 2660 2848 hlxbbhb.exe 34 PID 2848 wrote to memory of 2660 2848 hlxbbhb.exe 34 PID 2848 wrote to memory of 2660 2848 hlxbbhb.exe 34 PID 2660 wrote to memory of 2784 2660 nlvrfrv.exe 35 PID 2660 wrote to memory of 2784 2660 nlvrfrv.exe 35 PID 2660 wrote to memory of 2784 2660 nlvrfrv.exe 35 PID 2660 wrote to memory of 2784 2660 nlvrfrv.exe 35 PID 2784 wrote to memory of 392 2784 rjrjfb.exe 36 PID 2784 wrote to memory of 392 2784 rjrjfb.exe 36 PID 2784 wrote to memory of 392 2784 rjrjfb.exe 36 PID 2784 wrote to memory of 392 2784 rjrjfb.exe 36 PID 392 wrote to memory of 2968 392 xbrpv.exe 37 PID 392 wrote to memory of 2968 392 xbrpv.exe 37 PID 392 wrote to memory of 2968 392 xbrpv.exe 37 PID 392 wrote to memory of 2968 392 xbrpv.exe 37 PID 2968 wrote to memory of 1676 2968 fbxbx.exe 38 PID 2968 
wrote to memory of 1676 2968 fbxbx.exe 38 PID 2968 wrote to memory of 1676 2968 fbxbx.exe 38 PID 2968 wrote to memory of 1676 2968 fbxbx.exe 38 PID 1676 wrote to memory of 2300 1676 nttbx.exe 39 PID 1676 wrote to memory of 2300 1676 nttbx.exe 39 PID 1676 wrote to memory of 2300 1676 nttbx.exe 39 PID 1676 wrote to memory of 2300 1676 nttbx.exe 39 PID 2300 wrote to memory of 2204 2300 jpppxlj.exe 40 PID 2300 wrote to memory of 2204 2300 jpppxlj.exe 40 PID 2300 wrote to memory of 2204 2300 jpppxlj.exe 40 PID 2300 wrote to memory of 2204 2300 jpppxlj.exe 40 PID 2204 wrote to memory of 2976 2204 rdvff.exe 41 PID 2204 wrote to memory of 2976 2204 rdvff.exe 41 PID 2204 wrote to memory of 2976 2204 rdvff.exe 41 PID 2204 wrote to memory of 2976 2204 rdvff.exe 41 PID 2976 wrote to memory of 2916 2976 jffhrhr.exe 42 PID 2976 wrote to memory of 2916 2976 jffhrhr.exe 42 PID 2976 wrote to memory of 2916 2976 jffhrhr.exe 42 PID 2976 wrote to memory of 2916 2976 jffhrhr.exe 42 PID 2916 wrote to memory of 1900 2916 jflhlff.exe 43 PID 2916 wrote to memory of 1900 2916 jflhlff.exe 43 PID 2916 wrote to memory of 1900 2916 jflhlff.exe 43 PID 2916 wrote to memory of 1900 2916 jflhlff.exe 43 PID 1900 wrote to memory of 2312 1900 xhrpj.exe 44 PID 1900 wrote to memory of 2312 1900 xhrpj.exe 44 PID 1900 wrote to memory of 2312 1900 xhrpj.exe 44 PID 1900 wrote to memory of 2312 1900 xhrpj.exe 44 PID 2312 wrote to memory of 2356 2312 rbnjbfb.exe 45 PID 2312 wrote to memory of 2356 2312 rbnjbfb.exe 45 PID 2312 wrote to memory of 2356 2312 rbnjbfb.exe 45 PID 2312 wrote to memory of 2356 2312 rbnjbfb.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\f9df999443c64ed9d148c8f3cb21403a375373f0bbc8e9162f9213031d1775deN.exe"C:\Users\Admin\AppData\Local\Temp\f9df999443c64ed9d148c8f3cb21403a375373f0bbc8e9162f9213031d1775deN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2476 -
\??\c:\phnhvdl.exec:\phnhvdl.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2792 -
\??\c:\txjpdhj.exec:\txjpdhj.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2892 -
\??\c:\xbdvxl.exec:\xbdvxl.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2884 -
\??\c:\hlxbbhb.exec:\hlxbbhb.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2848 -
\??\c:\nlvrfrv.exec:\nlvrfrv.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2660 -
\??\c:\rjrjfb.exec:\rjrjfb.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2784 -
\??\c:\xbrpv.exec:\xbrpv.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:392 -
\??\c:\fbxbx.exec:\fbxbx.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2968 -
\??\c:\nttbx.exec:\nttbx.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1676 -
\??\c:\jpppxlj.exec:\jpppxlj.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2300 -
\??\c:\rdvff.exec:\rdvff.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2204 -
\??\c:\jffhrhr.exec:\jffhrhr.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2976 -
\??\c:\jflhlff.exec:\jflhlff.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2916 -
\??\c:\xhrpj.exec:\xhrpj.exe15⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1900 -
\??\c:\rbnjbfb.exec:\rbnjbfb.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2312 -
\??\c:\hjjpdlv.exec:\hjjpdlv.exe17⤵
- Executes dropped EXE
PID:2356 -
\??\c:\jppfd.exec:\jppfd.exe18⤵
- Executes dropped EXE
PID:564 -
\??\c:\lpplvl.exec:\lpplvl.exe19⤵
- Executes dropped EXE
PID:2564 -
\??\c:\rjlptn.exec:\rjlptn.exe20⤵
- Executes dropped EXE
PID:1948 -
\??\c:\blvrt.exec:\blvrt.exe21⤵
- Executes dropped EXE
PID:2244 -
\??\c:\dnvrfld.exec:\dnvrfld.exe22⤵
- Executes dropped EXE
PID:672 -
\??\c:\ftbdfdj.exec:\ftbdfdj.exe23⤵
- Executes dropped EXE
PID:1768 -
\??\c:\xxrlvx.exec:\xxrlvx.exe24⤵
- Executes dropped EXE
PID:956 -
\??\c:\xlbndxn.exec:\xlbndxn.exe25⤵
- Executes dropped EXE
PID:1076 -
\??\c:\hrvrr.exec:\hrvrr.exe26⤵
- Executes dropped EXE
PID:692 -
\??\c:\phpdjnv.exec:\phpdjnv.exe27⤵
- Executes dropped EXE
PID:1376 -
\??\c:\jftxl.exec:\jftxl.exe28⤵
- Executes dropped EXE
PID:860 -
\??\c:\fjnbn.exec:\fjnbn.exe29⤵
- Executes dropped EXE
PID:2036 -
\??\c:\jtjxjp.exec:\jtjxjp.exe30⤵
- Executes dropped EXE
PID:568 -
\??\c:\txbfdnt.exec:\txbfdnt.exe31⤵
- Executes dropped EXE
PID:1908 -
\??\c:\tnxxvb.exec:\tnxxvb.exe32⤵
- Executes dropped EXE
PID:2128 -
\??\c:\jdbtlbt.exec:\jdbtlbt.exe33⤵
- Executes dropped EXE
PID:1456 -
\??\c:\pbtjtb.exec:\pbtjtb.exe34⤵
- Executes dropped EXE
PID:3052 -
\??\c:\nlxxntn.exec:\nlxxntn.exe35⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2476 -
\??\c:\ptlpnrr.exec:\ptlpnrr.exe36⤵
- Executes dropped EXE
PID:1700 -
\??\c:\rdnpvp.exec:\rdnpvp.exe37⤵
- Executes dropped EXE
PID:2668 -
\??\c:\dnrbbd.exec:\dnrbbd.exe38⤵
- Executes dropped EXE
PID:2892 -
\??\c:\bpxhfvn.exec:\bpxhfvn.exe39⤵
- Executes dropped EXE
PID:3060 -
\??\c:\vfphjpn.exec:\vfphjpn.exe40⤵
- Executes dropped EXE
PID:2144 -
\??\c:\nvnpbn.exec:\nvnpbn.exe41⤵
- Executes dropped EXE
PID:2252 -
\??\c:\xjvrdnr.exec:\xjvrdnr.exe42⤵
- Executes dropped EXE
PID:2852 -
\??\c:\lpfrd.exec:\lpfrd.exe43⤵
- Executes dropped EXE
PID:2724 -
\??\c:\vtlbbx.exec:\vtlbbx.exe44⤵
- Executes dropped EXE
PID:2192 -
\??\c:\fhpnv.exec:\fhpnv.exe45⤵
- Executes dropped EXE
PID:2264 -
\??\c:\vfhrxfb.exec:\vfhrxfb.exe46⤵
- Executes dropped EXE
PID:2308 -
\??\c:\ptnjr.exec:\ptnjr.exe47⤵
- Executes dropped EXE
PID:1672 -
\??\c:\nhfpvj.exec:\nhfpvj.exe48⤵
- Executes dropped EXE
PID:2276 -
\??\c:\rrbbrh.exec:\rrbbrh.exe49⤵
- Executes dropped EXE
PID:1696 -
\??\c:\rxhptrf.exec:\rxhptrf.exe50⤵
- Executes dropped EXE
PID:2984 -
\??\c:\fppdn.exec:\fppdn.exe51⤵
- Executes dropped EXE
PID:2176 -
\??\c:\nrjjrjt.exec:\nrjjrjt.exe52⤵
- Executes dropped EXE
PID:1176 -
\??\c:\pfjhnx.exec:\pfjhnx.exe53⤵
- Executes dropped EXE
PID:2760 -
\??\c:\rrxbj.exec:\rrxbj.exe54⤵
- Executes dropped EXE
PID:2332 -
\??\c:\vlpvjxr.exec:\vlpvjxr.exe55⤵
- Executes dropped EXE
PID:588 -
\??\c:\bpldx.exec:\bpldx.exe56⤵
- Executes dropped EXE
PID:700 -
\??\c:\nhnlf.exec:\nhnlf.exe57⤵
- Executes dropped EXE
PID:1992 -
\??\c:\hpbjp.exec:\hpbjp.exe58⤵
- Executes dropped EXE
PID:2488 -
\??\c:\fnbfbb.exec:\fnbfbb.exe59⤵
- Executes dropped EXE
PID:2512 -
\??\c:\hrjrdr.exec:\hrjrdr.exe60⤵
- Executes dropped EXE
PID:2992 -
\??\c:\btfhnd.exec:\btfhnd.exe61⤵
- Executes dropped EXE
PID:1812 -
\??\c:\bfvfrr.exec:\bfvfrr.exe62⤵
- Executes dropped EXE
PID:2516 -
\??\c:\tnnlfhh.exec:\tnnlfhh.exe63⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1228 -
\??\c:\nvrhj.exec:\nvrhj.exe64⤵
- Executes dropped EXE
PID:904 -
\??\c:\vdnpj.exec:\vdnpj.exe65⤵
- Executes dropped EXE
PID:1944 -
\??\c:\vtntlx.exec:\vtntlx.exe66⤵PID:628
-
\??\c:\pxnxx.exec:\pxnxx.exe67⤵PID:2456
-
\??\c:\tvvtn.exec:\tvvtn.exe68⤵PID:1348
-
\??\c:\xrvppv.exec:\xrvppv.exe69⤵PID:2560
-
\??\c:\jfnhh.exec:\jfnhh.exe70⤵
- System Location Discovery: System Language Discovery
PID:2240 -
\??\c:\tvrpdd.exec:\tvrpdd.exe71⤵PID:2028
-
\??\c:\rbfnr.exec:\rbfnr.exe72⤵PID:2272
-
\??\c:\jvtlntn.exec:\jvtlntn.exe73⤵PID:2068
-
\??\c:\vpffplj.exec:\vpffplj.exe74⤵PID:1144
-
\??\c:\hddbf.exec:\hddbf.exe75⤵PID:884
-
\??\c:\vhprpt.exec:\vhprpt.exe76⤵PID:2052
-
\??\c:\rlhrpl.exec:\rlhrpl.exe77⤵PID:3052
-
\??\c:\jnjpfbr.exec:\jnjpfbr.exe78⤵PID:108
-
\??\c:\lrjtl.exec:\lrjtl.exe79⤵PID:2908
-
\??\c:\xdbdnx.exec:\xdbdnx.exe80⤵PID:2220
-
\??\c:\ppjhf.exec:\ppjhf.exe81⤵PID:2936
-
\??\c:\lfbjb.exec:\lfbjb.exe82⤵PID:2876
-
\??\c:\rjvjf.exec:\rjvjf.exe83⤵PID:2684
-
\??\c:\xnfhj.exec:\xnfhj.exe84⤵PID:1896
-
\??\c:\hvdphnr.exec:\hvdphnr.exe85⤵PID:2776
-
\??\c:\vlxbx.exec:\vlxbx.exe86⤵PID:2664
-
\??\c:\vhrvtb.exec:\vhrvtb.exe87⤵PID:1680
-
\??\c:\nrtvfdn.exec:\nrtvfdn.exe88⤵PID:3012
-
\??\c:\tvbxfrf.exec:\tvbxfrf.exe89⤵PID:1056
-
\??\c:\djdpjlh.exec:\djdpjlh.exe90⤵PID:2208
-
\??\c:\njrthdj.exec:\njrthdj.exe91⤵PID:2172
-
\??\c:\jrxhlbn.exec:\jrxhlbn.exe92⤵PID:1976
-
\??\c:\pbtpx.exec:\pbtpx.exe93⤵PID:2720
-
\??\c:\xjrxhb.exec:\xjrxhb.exe94⤵PID:2988
-
\??\c:\ntbrlx.exec:\ntbrlx.exe95⤵PID:2984
-
\??\c:\fxnbxbn.exec:\fxnbxbn.exe96⤵PID:2996
-
\??\c:\pbdlbtb.exec:\pbdlbtb.exe97⤵PID:1872
-
\??\c:\nnnlfvn.exec:\nnnlfvn.exe98⤵PID:1912
-
\??\c:\pxdhftn.exec:\pxdhftn.exe99⤵PID:2312
-
\??\c:\fltdx.exec:\fltdx.exe100⤵PID:588
-
\??\c:\dpjtb.exec:\dpjtb.exe101⤵PID:700
-
\??\c:\nnhlnfn.exec:\nnhlnfn.exe102⤵PID:1992
-
\??\c:\dttfbh.exec:\dttfbh.exe103⤵PID:2236
-
\??\c:\nbbtbr.exec:\nbbtbr.exe104⤵PID:2324
-
\??\c:\nprfntj.exec:\nprfntj.exe105⤵PID:1248
-
\??\c:\rphpbhh.exec:\rphpbhh.exe106⤵PID:2404
-
\??\c:\prphtj.exec:\prphtj.exe107⤵PID:960
-
\??\c:\nrnxvn.exec:\nrnxvn.exe108⤵PID:1388
-
\??\c:\lfxthnf.exec:\lfxthnf.exe109⤵PID:2224
-
\??\c:\lffrnxh.exec:\lffrnxh.exe110⤵
- System Location Discovery: System Language Discovery
PID:2508 -
\??\c:\xvjllf.exec:\xvjllf.exe111⤵PID:2584
-
\??\c:\xjhxr.exec:\xjhxr.exe112⤵PID:2580
-
\??\c:\htrjldv.exec:\htrjldv.exe113⤵PID:1724
-
\??\c:\xvhpr.exec:\xvhpr.exe114⤵PID:1924
-
\??\c:\pnbdj.exec:\pnbdj.exe115⤵PID:1508
-
\??\c:\rrxrbr.exec:\rrxrbr.exe116⤵PID:2656
-
\??\c:\bxrfhff.exec:\bxrfhff.exe117⤵PID:1436
-
\??\c:\phtttn.exec:\phtttn.exe118⤵PID:616
-
\??\c:\rdfjh.exec:\rdfjh.exe119⤵PID:1884
-
\??\c:\jjppx.exec:\jjppx.exe120⤵PID:2772
-
\??\c:\bjfnjnn.exec:\bjfnjnn.exe121⤵PID:1092
-
\??\c:\nvnppbx.exec:\nvnppbx.exe122⤵PID:2792