Analysis
-
max time kernel
150s -
max time network
127s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64 arch:x86 image:win7-20241010-en locale:en-us os:windows7-x64 system -
submitted
01-11-2024 12:32
Static task
static1
1 signature
Behavioral task
behavioral1
Sample
824010abf68bd802490d8720428a49a6a4a24260bfb9f54a47d5644add0183b7.exe
Resource
win7-20241010-en
windows7-x64
7 signatures
150 seconds
General
-
Target
824010abf68bd802490d8720428a49a6a4a24260bfb9f54a47d5644add0183b7.exe
-
Size
454KB
-
MD5
7ba5cf9ccf91971156e89587a374d2ef
-
SHA1
59df94ed6115acbb131c06be2da06ae8c96367d8
-
SHA256
824010abf68bd802490d8720428a49a6a4a24260bfb9f54a47d5644add0183b7
-
SHA512
a261d1bcb548a05ba2906b4738aeff1b39e032ee2a441eb1ba6bb4d923598302aaaa9ea313818e139a56b9d6f190e7fb9efc4a0895c99c21d2592f574419f503
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeRJ:q7Tc2NYHUrAwfMp3CDRJ
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 42 IoCs
resource yara_rule behavioral1/memory/3044-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1660-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2760-41-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2836-38-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2648-50-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2660-68-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1940-86-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1476-95-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1240-104-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1148-115-0x00000000005C0000-0x00000000005EA000-memory.dmp family_blackmoon behavioral1/memory/1148-114-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1480-124-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1160-134-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/636-143-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/956-215-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2156-233-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2156-232-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1372-243-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2312-269-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2904-315-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2832-335-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2908-368-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2632-375-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2596-395-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1100-402-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2000-417-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3016-465-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/780-473-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/2248-481-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/912-504-0x0000000000350000-0x000000000037A000-memory.dmp family_blackmoon behavioral1/memory/2588-515-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1044-522-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1356-528-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1356-531-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1572-546-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1964-553-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2824-615-0x0000000000330000-0x000000000035A000-memory.dmp family_blackmoon behavioral1/memory/2616-659-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/2664-675-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1652-688-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2664-696-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1492-717-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs (only the first 64 are listed; the process tree below runs to depth 122, so the real number of dropped executables is higher)
pid Process 1660 vfpfl.exe 2200 jlhddlx.exe 2836 nnjxtvn.exe 2760 fjtdfht.exe 2648 fnrlj.exe 2660 bfnhv.exe 2644 bdxjthd.exe 1940 jthbnt.exe 1476 bhhlt.exe 1240 trjvn.exe 1148 rfnjr.exe 1480 fvbtrl.exe 1160 tvxxx.exe 636 fdtlb.exe 940 bjrbnv.exe 584 tbnrpvl.exe 2792 vlbxt.exe 2344 tlbld.exe 2492 hnrhjh.exe 2140 nptfp.exe 2004 bprjtnn.exe 956 jhnjf.exe 1044 dlppt.exe 2156 bfrdf.exe 1372 pxtjdl.exe 2940 hnxvbvl.exe 1060 vrrnff.exe 2312 pjjjxl.exe 2284 pfdxnx.exe 2044 bxdvfll.exe 2260 lrrxhl.exe 696 tfdxdvj.exe 1792 nhfpd.exe 2904 ntrhb.exe 2388 nfvrf.exe 2980 fvdfjv.exe 2832 hjptr.exe 2880 xjnxhd.exe 2992 hdpphb.exe 2896 phlnbt.exe 2728 pnbdttn.exe 2908 fvjrhbn.exe 2632 bnvdjlp.exe 2228 hxddbv.exe 1300 vndpdvp.exe 2596 jtblhh.exe 1100 bvxjxxv.exe 1240 rttrpxx.exe 2036 rtnvr.exe 2000 frhnp.exe 2584 dhrdvfd.exe 2788 nxtjdln.exe 636 tbxvphj.exe 780 vhlfl.exe 692 drjtxd.exe 3016 jnpjxxr.exe 2440 ttjljbp.exe 2248 fbnptv.exe 2292 xffjltt.exe 2588 ndbnpb.exe 1020 lrvndxh.exe 912 phblxhv.exe 2376 rrnpntv.exe 1044 hrxtvx.exe -
resource yara_rule behavioral1/memory/3044-0-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3044-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1660-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2200-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2760-41-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2836-38-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2648-50-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2660-68-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1940-86-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1476-95-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1240-104-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1148-114-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1160-126-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1480-124-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1160-134-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/636-143-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2140-187-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1044-216-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/956-215-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1372-235-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2156-233-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1372-243-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2312-269-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2904-315-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2832-335-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2908-368-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2632-369-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2632-375-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1300-382-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2596-395-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1100-402-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2000-417-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2440-466-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2248-481-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2292-482-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/912-504-0x0000000000350000-0x000000000037A000-memory.dmp upx behavioral1/memory/1044-522-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1356-531-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2556-532-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1572-546-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1236-585-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1824-599-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2824-612-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2828-625-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2972-646-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2624-660-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1652-688-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1492-717-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vbvbfvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btdhr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfnpnfv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fpfvdf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nfthtrj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nlfhx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pnfnvx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnttthp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dhffb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvrtr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bvjnrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjjjxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xpjjlvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffbnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rjdljhp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jbjxjn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fbxjn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hdflhx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dptdfh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ftjfr.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xjdjnpr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vxbpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhjxrjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xfjnllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bljnv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rffrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language phnbxdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs (64 entries = 16 parent→child spawns, PID 3044 through 940, × 4 writes each; the listing appears capped at 64, so later processes in the tree that carry no WriteProcessMemory tag still spawned the next child — e.g. tbnrpvl.exe (584) starts vlbxt.exe (2792))
description pid Process procid_target PID 3044 wrote to memory of 1660 3044 824010abf68bd802490d8720428a49a6a4a24260bfb9f54a47d5644add0183b7.exe 30 PID 3044 wrote to memory of 1660 3044 824010abf68bd802490d8720428a49a6a4a24260bfb9f54a47d5644add0183b7.exe 30 PID 3044 wrote to memory of 1660 3044 824010abf68bd802490d8720428a49a6a4a24260bfb9f54a47d5644add0183b7.exe 30 PID 3044 wrote to memory of 1660 3044 824010abf68bd802490d8720428a49a6a4a24260bfb9f54a47d5644add0183b7.exe 30 PID 1660 wrote to memory of 2200 1660 vfpfl.exe 31 PID 1660 wrote to memory of 2200 1660 vfpfl.exe 31 PID 1660 wrote to memory of 2200 1660 vfpfl.exe 31 PID 1660 wrote to memory of 2200 1660 vfpfl.exe 31 PID 2200 wrote to memory of 2836 2200 jlhddlx.exe 32 PID 2200 wrote to memory of 2836 2200 jlhddlx.exe 32 PID 2200 wrote to memory of 2836 2200 jlhddlx.exe 32 PID 2200 wrote to memory of 2836 2200 jlhddlx.exe 32 PID 2836 wrote to memory of 2760 2836 nnjxtvn.exe 33 PID 2836 wrote to memory of 2760 2836 nnjxtvn.exe 33 PID 2836 wrote to memory of 2760 2836 nnjxtvn.exe 33 PID 2836 wrote to memory of 2760 2836 nnjxtvn.exe 33 PID 2760 wrote to memory of 2648 2760 fjtdfht.exe 34 PID 2760 wrote to memory of 2648 2760 fjtdfht.exe 34 PID 2760 wrote to memory of 2648 2760 fjtdfht.exe 34 PID 2760 wrote to memory of 2648 2760 fjtdfht.exe 34 PID 2648 wrote to memory of 2660 2648 fnrlj.exe 35 PID 2648 wrote to memory of 2660 2648 fnrlj.exe 35 PID 2648 wrote to memory of 2660 2648 fnrlj.exe 35 PID 2648 wrote to memory of 2660 2648 fnrlj.exe 35 PID 2660 wrote to memory of 2644 2660 bfnhv.exe 36 PID 2660 wrote to memory of 2644 2660 bfnhv.exe 36 PID 2660 wrote to memory of 2644 2660 bfnhv.exe 36 PID 2660 wrote to memory of 2644 2660 bfnhv.exe 36 PID 2644 wrote to memory of 1940 2644 bdxjthd.exe 37 PID 2644 wrote to memory of 1940 2644 bdxjthd.exe 37 PID 2644 wrote to memory of 1940 2644 bdxjthd.exe 37 PID 2644 wrote to memory of 1940 2644 bdxjthd.exe 37 PID 1940 wrote to memory of 1476 1940 jthbnt.exe 38 PID 1940 
wrote to memory of 1476 1940 jthbnt.exe 38 PID 1940 wrote to memory of 1476 1940 jthbnt.exe 38 PID 1940 wrote to memory of 1476 1940 jthbnt.exe 38 PID 1476 wrote to memory of 1240 1476 bhhlt.exe 39 PID 1476 wrote to memory of 1240 1476 bhhlt.exe 39 PID 1476 wrote to memory of 1240 1476 bhhlt.exe 39 PID 1476 wrote to memory of 1240 1476 bhhlt.exe 39 PID 1240 wrote to memory of 1148 1240 trjvn.exe 40 PID 1240 wrote to memory of 1148 1240 trjvn.exe 40 PID 1240 wrote to memory of 1148 1240 trjvn.exe 40 PID 1240 wrote to memory of 1148 1240 trjvn.exe 40 PID 1148 wrote to memory of 1480 1148 rfnjr.exe 41 PID 1148 wrote to memory of 1480 1148 rfnjr.exe 41 PID 1148 wrote to memory of 1480 1148 rfnjr.exe 41 PID 1148 wrote to memory of 1480 1148 rfnjr.exe 41 PID 1480 wrote to memory of 1160 1480 fvbtrl.exe 42 PID 1480 wrote to memory of 1160 1480 fvbtrl.exe 42 PID 1480 wrote to memory of 1160 1480 fvbtrl.exe 42 PID 1480 wrote to memory of 1160 1480 fvbtrl.exe 42 PID 1160 wrote to memory of 636 1160 tvxxx.exe 43 PID 1160 wrote to memory of 636 1160 tvxxx.exe 43 PID 1160 wrote to memory of 636 1160 tvxxx.exe 43 PID 1160 wrote to memory of 636 1160 tvxxx.exe 43 PID 636 wrote to memory of 940 636 fdtlb.exe 44 PID 636 wrote to memory of 940 636 fdtlb.exe 44 PID 636 wrote to memory of 940 636 fdtlb.exe 44 PID 636 wrote to memory of 940 636 fdtlb.exe 44 PID 940 wrote to memory of 584 940 bjrbnv.exe 45 PID 940 wrote to memory of 584 940 bjrbnv.exe 45 PID 940 wrote to memory of 584 940 bjrbnv.exe 45 PID 940 wrote to memory of 584 940 bjrbnv.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\824010abf68bd802490d8720428a49a6a4a24260bfb9f54a47d5644add0183b7.exe "C:\Users\Admin\AppData\Local\Temp\824010abf68bd802490d8720428a49a6a4a24260bfb9f54a47d5644add0183b7.exe" 1⤵
- Suspicious use of WriteProcessMemory
PID:3044 -
\??\c:\vfpfl.exec:\vfpfl.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1660 -
\??\c:\jlhddlx.exec:\jlhddlx.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2200 -
\??\c:\nnjxtvn.exec:\nnjxtvn.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2836 -
\??\c:\fjtdfht.exec:\fjtdfht.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2760 -
\??\c:\fnrlj.exec:\fnrlj.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2648 -
\??\c:\bfnhv.exec:\bfnhv.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2660 -
\??\c:\bdxjthd.exec:\bdxjthd.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2644 -
\??\c:\jthbnt.exec:\jthbnt.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1940 -
\??\c:\bhhlt.exec:\bhhlt.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1476 -
\??\c:\trjvn.exec:\trjvn.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1240 -
\??\c:\rfnjr.exec:\rfnjr.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1148 -
\??\c:\fvbtrl.exec:\fvbtrl.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1480 -
\??\c:\tvxxx.exec:\tvxxx.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1160 -
\??\c:\fdtlb.exec:\fdtlb.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:636 -
\??\c:\bjrbnv.exec:\bjrbnv.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:940 -
\??\c:\tbnrpvl.exec:\tbnrpvl.exe17⤵
- Executes dropped EXE
PID:584 -
\??\c:\vlbxt.exec:\vlbxt.exe18⤵
- Executes dropped EXE
PID:2792 -
\??\c:\tlbld.exec:\tlbld.exe19⤵
- Executes dropped EXE
PID:2344 -
\??\c:\hnrhjh.exec:\hnrhjh.exe20⤵
- Executes dropped EXE
PID:2492 -
\??\c:\nptfp.exec:\nptfp.exe21⤵
- Executes dropped EXE
PID:2140 -
\??\c:\bprjtnn.exec:\bprjtnn.exe22⤵
- Executes dropped EXE
PID:2004 -
\??\c:\jhnjf.exec:\jhnjf.exe23⤵
- Executes dropped EXE
PID:956 -
\??\c:\dlppt.exec:\dlppt.exe24⤵
- Executes dropped EXE
PID:1044 -
\??\c:\bfrdf.exec:\bfrdf.exe25⤵
- Executes dropped EXE
PID:2156 -
\??\c:\pxtjdl.exec:\pxtjdl.exe26⤵
- Executes dropped EXE
PID:1372 -
\??\c:\hnxvbvl.exec:\hnxvbvl.exe27⤵
- Executes dropped EXE
PID:2940 -
\??\c:\vrrnff.exec:\vrrnff.exe28⤵
- Executes dropped EXE
PID:1060 -
\??\c:\pjjjxl.exec:\pjjjxl.exe29⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2312 -
\??\c:\pfdxnx.exec:\pfdxnx.exe30⤵
- Executes dropped EXE
PID:2284 -
\??\c:\bxdvfll.exec:\bxdvfll.exe31⤵
- Executes dropped EXE
PID:2044 -
\??\c:\lrrxhl.exec:\lrrxhl.exe32⤵
- Executes dropped EXE
PID:2260 -
\??\c:\tfdxdvj.exec:\tfdxdvj.exe33⤵
- Executes dropped EXE
PID:696 -
\??\c:\nhfpd.exec:\nhfpd.exe34⤵
- Executes dropped EXE
PID:1792 -
\??\c:\ntrhb.exec:\ntrhb.exe35⤵
- Executes dropped EXE
PID:2904 -
\??\c:\nfvrf.exec:\nfvrf.exe36⤵
- Executes dropped EXE
PID:2388 -
\??\c:\fvdfjv.exec:\fvdfjv.exe37⤵
- Executes dropped EXE
PID:2980 -
\??\c:\hjptr.exec:\hjptr.exe38⤵
- Executes dropped EXE
PID:2832 -
\??\c:\xjnxhd.exec:\xjnxhd.exe39⤵
- Executes dropped EXE
PID:2880 -
\??\c:\hdpphb.exec:\hdpphb.exe40⤵
- Executes dropped EXE
PID:2992 -
\??\c:\phlnbt.exec:\phlnbt.exe41⤵
- Executes dropped EXE
PID:2896 -
\??\c:\pnbdttn.exec:\pnbdttn.exe42⤵
- Executes dropped EXE
PID:2728 -
\??\c:\fvjrhbn.exec:\fvjrhbn.exe43⤵
- Executes dropped EXE
PID:2908 -
\??\c:\bnvdjlp.exec:\bnvdjlp.exe44⤵
- Executes dropped EXE
PID:2632 -
\??\c:\hxddbv.exec:\hxddbv.exe45⤵
- Executes dropped EXE
PID:2228 -
\??\c:\vndpdvp.exec:\vndpdvp.exe46⤵
- Executes dropped EXE
PID:1300 -
\??\c:\jtblhh.exec:\jtblhh.exe47⤵
- Executes dropped EXE
PID:2596 -
\??\c:\bvxjxxv.exec:\bvxjxxv.exe48⤵
- Executes dropped EXE
PID:1100 -
\??\c:\rttrpxx.exec:\rttrpxx.exe49⤵
- Executes dropped EXE
PID:1240 -
\??\c:\rtnvr.exec:\rtnvr.exe50⤵
- Executes dropped EXE
PID:2036 -
\??\c:\frhnp.exec:\frhnp.exe51⤵
- Executes dropped EXE
PID:2000 -
\??\c:\dhrdvfd.exec:\dhrdvfd.exe52⤵
- Executes dropped EXE
PID:2584 -
\??\c:\nxtjdln.exec:\nxtjdln.exe53⤵
- Executes dropped EXE
PID:2788 -
\??\c:\tbxvphj.exec:\tbxvphj.exe54⤵
- Executes dropped EXE
PID:636 -
\??\c:\vhlfl.exec:\vhlfl.exe55⤵
- Executes dropped EXE
PID:780 -
\??\c:\drjtxd.exec:\drjtxd.exe56⤵
- Executes dropped EXE
PID:692 -
\??\c:\jnpjxxr.exec:\jnpjxxr.exe57⤵
- Executes dropped EXE
PID:3016 -
\??\c:\ttjljbp.exec:\ttjljbp.exe58⤵
- Executes dropped EXE
PID:2440 -
\??\c:\fbnptv.exec:\fbnptv.exe59⤵
- Executes dropped EXE
PID:2248 -
\??\c:\xffjltt.exec:\xffjltt.exe60⤵
- Executes dropped EXE
PID:2292 -
\??\c:\ndbnpb.exec:\ndbnpb.exe61⤵
- Executes dropped EXE
PID:2588 -
\??\c:\lrvndxh.exec:\lrvndxh.exe62⤵
- Executes dropped EXE
PID:1020 -
\??\c:\phblxhv.exec:\phblxhv.exe63⤵
- Executes dropped EXE
PID:912 -
\??\c:\rrnpntv.exec:\rrnpntv.exe64⤵
- Executes dropped EXE
PID:2376 -
\??\c:\hrxtvx.exec:\hrxtvx.exe65⤵
- Executes dropped EXE
PID:1044 -
\??\c:\rffjth.exec:\rffjth.exe66⤵PID:1356
-
\??\c:\pbrhvp.exec:\pbrhvp.exe67⤵PID:2556
-
\??\c:\fplrb.exec:\fplrb.exe68⤵PID:1572
-
\??\c:\bfrpltt.exec:\bfrpltt.exe69⤵PID:1964
-
\??\c:\rdfpr.exec:\rdfpr.exe70⤵PID:1528
-
\??\c:\xvtffrp.exec:\xvtffrp.exe71⤵PID:2324
-
\??\c:\ppjtx.exec:\ppjtx.exe72⤵PID:108
-
\??\c:\nvnfxbl.exec:\nvnfxbl.exe73⤵PID:548
-
\??\c:\bnjxp.exec:\bnjxp.exe74⤵PID:1336
-
\??\c:\bfbvlr.exec:\bfbvlr.exe75⤵PID:1236
-
\??\c:\frtdbbx.exec:\frtdbbx.exe76⤵PID:1636
-
\??\c:\hblbjj.exec:\hblbjj.exe77⤵PID:1824
-
\??\c:\xlfbb.exec:\xlfbb.exe78⤵PID:2016
-
\??\c:\rtljxfv.exec:\rtljxfv.exe79⤵PID:2824
-
\??\c:\xpvnptf.exec:\xpvnptf.exe80⤵PID:1608
-
\??\c:\dxdxhth.exec:\dxdxhth.exe81⤵PID:2828
-
\??\c:\hhfjnj.exec:\hhfjnj.exe82⤵PID:2772
-
\??\c:\nrpvlnr.exec:\nrpvlnr.exe83⤵PID:2764
-
\??\c:\rbxbbb.exec:\rbxbbb.exe84⤵PID:2972
-
\??\c:\xtbrn.exec:\xtbrn.exe85⤵PID:2616
-
\??\c:\ftjfr.exec:\ftjfr.exe86⤵
- System Location Discovery: System Language Discovery
PID:2624 -
\??\c:\xbjtddj.exec:\xbjtddj.exe87⤵PID:2664
-
\??\c:\tpjtrrh.exec:\tpjtrrh.exe88⤵PID:2592
-
\??\c:\tntldrd.exec:\tntldrd.exe89⤵PID:1652
-
\??\c:\dhjbl.exec:\dhjbl.exe90⤵PID:2368
-
\??\c:\xhxbb.exec:\xhxbb.exe91⤵PID:2008
-
\??\c:\dnlpt.exec:\dnlpt.exe92⤵PID:2516
-
\??\c:\ltxhj.exec:\ltxhj.exe93⤵PID:1492
-
\??\c:\fdtpfv.exec:\fdtpfv.exe94⤵PID:1912
-
\??\c:\fdxln.exec:\fdxln.exe95⤵PID:1936
-
\??\c:\xvtntb.exec:\xvtntb.exe96⤵PID:2680
-
\??\c:\ndxjftd.exec:\ndxjftd.exe97⤵PID:780
-
\??\c:\fndbvht.exec:\fndbvht.exe98⤵PID:1844
-
\??\c:\jnbrfj.exec:\jnbrfj.exe99⤵PID:2792
-
\??\c:\vxbpv.exec:\vxbpv.exe100⤵
- System Location Discovery: System Language Discovery
PID:2344 -
\??\c:\hljjdtf.exec:\hljjdtf.exe101⤵PID:2148
-
\??\c:\dllrprr.exec:\dllrprr.exe102⤵PID:856
-
\??\c:\nvjpnvr.exec:\nvjpnvr.exe103⤵PID:2096
-
\??\c:\prlhvf.exec:\prlhvf.exe104⤵PID:1168
-
\??\c:\pxdjv.exec:\pxdjv.exe105⤵PID:1620
-
\??\c:\fxrdtt.exec:\fxrdtt.exe106⤵PID:1616
-
\??\c:\vblfhj.exec:\vblfhj.exe107⤵PID:2408
-
\??\c:\hnvbrr.exec:\hnvbrr.exe108⤵PID:2156
-
\??\c:\vtnprnt.exec:\vtnprnt.exe109⤵PID:2488
-
\??\c:\lnddbtn.exec:\lnddbtn.exe110⤵PID:932
-
\??\c:\drjxp.exec:\drjxp.exe111⤵PID:1800
-
\??\c:\blnhv.exec:\blnhv.exe112⤵PID:2176
-
\??\c:\pjhtlx.exec:\pjhtlx.exe113⤵PID:1528
-
\??\c:\drffj.exec:\drffj.exe114⤵PID:2324
-
\??\c:\fdjrjlv.exec:\fdjrjlv.exe115⤵PID:2512
-
\??\c:\dnhddr.exec:\dnhddr.exe116⤵PID:1808
-
\??\c:\vtltrhv.exec:\vtltrhv.exe117⤵PID:1248
-
\??\c:\vpptph.exec:\vpptph.exe118⤵PID:1236
-
\??\c:\pfndvl.exec:\pfndvl.exe119⤵PID:2528
-
\??\c:\bhllxnl.exec:\bhllxnl.exe120⤵PID:2564
-
\??\c:\fdxtlhx.exec:\fdxtlhx.exe121⤵PID:2200
-
\??\c:\ptnrtv.exec:\ptnrtv.exe122⤵PID:1580