Analysis
-
max time kernel
150s -
max time network
127s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64 arch:x86 image:win7-20241010-en locale:en-us os:windows7-x64 system -
submitted
02/11/2024, 22:30
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
4e30fefef127e9103a7c932f4bee7e68d73c7384bcd1ef4ead12e64d132430b3N.exe
Resource
win7-20241010-en
7 signatures
150 seconds
General
-
Target
4e30fefef127e9103a7c932f4bee7e68d73c7384bcd1ef4ead12e64d132430b3N.exe
-
Size
454KB
-
MD5
6c9da21d88244cb781408df9098bb230
-
SHA1
d531aacd9800e304df526c8e8dcad56f18acc9a1
-
SHA256
4e30fefef127e9103a7c932f4bee7e68d73c7384bcd1ef4ead12e64d132430b3
-
SHA512
167c74891a181137f60fd1ddc9e459fa9618baf7fb01f4cda50a5c727daf9c18325cdb1a6d1c64c42c88485ac1b74dffebde40653b203ab95f6e2ec1685655bf
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeRa:q7Tc2NYHUrAwfMp3CDRa
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 41 IoCs
resource yara_rule behavioral1/memory/2584-10-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2600-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1800-28-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2124-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2368-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2440-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2780-64-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2904-74-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2812-82-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2680-92-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1676-102-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1648-119-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1808-149-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2996-176-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1952-169-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1808-194-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/1816-202-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2172-207-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/2544-218-0x0000000000230000-0x000000000025A000-memory.dmp family_blackmoon behavioral1/memory/2544-222-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1556-256-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2236-265-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1620-274-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1044-276-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2268-300-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2620-323-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2620-322-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2920-354-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2632-407-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1152-413-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1488-435-0x00000000001E0000-0x000000000020A000-memory.dmp family_blackmoon behavioral1/memory/820-500-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1324-539-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2280-565-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2784-619-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2924-633-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1276-659-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1676-673-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1676-672-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2848-716-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1688-800-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2584 tlbnlhn.exe 2600 tdpbrdh.exe 1800 nfbplln.exe 2124 nxlbhh.exe 2440 xnflhln.exe 2780 lphlxx.exe 2904 pppfv.exe 2812 rrpblv.exe 2680 dvrvdvx.exe 1676 njnvv.exe 2632 rlbntn.exe 1648 btdff.exe 1296 xdtlvx.exe 1992 tnthfvp.exe 2640 rrnfll.exe 1808 drtxjx.exe 1952 tprtdll.exe 2996 vtxlbr.exe 2284 xbdxt.exe 2072 ppjhp.exe 1816 jjpnb.exe 2172 dhbfhbn.exe 2544 pjdxf.exe 1392 rjdhdd.exe 1756 njllp.exe 1044 rrjprnl.exe 1556 ddbdhj.exe 2236 dntdll.exe 1620 trxjd.exe 672 rlrpdd.exe 676 nfxbl.exe 2268 hlfnj.exe 1300 jfpjln.exe 2584 jbpjpd.exe 2620 vnftp.exe 2500 jbftrf.exe 1328 tpnrp.exe 2156 nvbjpp.exe 2784 hfrlhf.exe 2920 hxpdj.exe 2776 xvxlb.exe 1356 nvhrhn.exe 2876 rtnhllv.exe 1276 llpbx.exe 2676 lpfpl.exe 1676 jrdvr.exe 2096 jfjttj.exe 2632 djhdpn.exe 1152 hjdvdj.exe 2720 fxjxpld.exe 1996 lfrjdnp.exe 1488 lprft.exe 2640 xftdjj.exe 2880 vpxnlp.exe 2960 lnxjtt.exe 2864 bjbtbfp.exe 2432 phlbn.exe 2224 pvnxjfp.exe 2556 rrdldxh.exe 1476 vbphxx.exe 2184 tnxhlj.exe 820 hpdjlxr.exe 800 rrflfd.exe 1872 lrrbld.exe -
resource yara_rule behavioral1/memory/2584-10-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2600-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1800-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2124-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2368-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2440-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2780-64-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2904-74-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2680-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2812-82-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2680-92-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1676-102-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1648-119-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1808-149-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2996-176-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1952-169-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2996-167-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1816-202-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2544-222-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1556-256-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2236-265-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1620-274-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2268-300-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2620-323-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2920-354-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2876-369-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1276-376-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2632-407-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1152-413-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1488-428-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2640-436-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/820-500-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1324-532-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1324-539-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2280-565-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2368-566-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2348-586-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2744-600-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2784-619-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2924-626-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2924-633-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1548-674-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1676-673-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2340-688-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1196-701-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2848-716-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1688-800-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ltlnvll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ntljjb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tjlpvdr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dffdbhd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nxbxld.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnxldrn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fdrbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btxrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jnrpr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djhrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxbxxf.exe Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tflfff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fbdjntd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pnvdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ptvrtb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fndjt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xjhfpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vbtbpxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffjflf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btbbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jfpjln.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lvfjtdr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbvfrlp.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jbftrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xtdrdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bfrbjxb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jrlvl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tlltrv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nprll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hxbvjtr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxfpvrj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fnnxbr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xdtlvx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnthfvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2368 wrote to memory of 2584 2368 4e30fefef127e9103a7c932f4bee7e68d73c7384bcd1ef4ead12e64d132430b3N.exe 30 PID 2368 wrote to memory of 2584 2368 4e30fefef127e9103a7c932f4bee7e68d73c7384bcd1ef4ead12e64d132430b3N.exe 30 PID 2368 wrote to memory of 2584 2368 4e30fefef127e9103a7c932f4bee7e68d73c7384bcd1ef4ead12e64d132430b3N.exe 30 PID 2368 wrote to memory of 2584 2368 4e30fefef127e9103a7c932f4bee7e68d73c7384bcd1ef4ead12e64d132430b3N.exe 30 PID 2584 wrote to memory of 2600 2584 tlbnlhn.exe 31 PID 2584 wrote to memory of 2600 2584 tlbnlhn.exe 31 PID 2584 wrote to memory of 2600 2584 tlbnlhn.exe 31 PID 2584 wrote to memory of 2600 2584 tlbnlhn.exe 31 PID 2600 wrote to memory of 1800 2600 tdpbrdh.exe 32 PID 2600 wrote to memory of 1800 2600 tdpbrdh.exe 32 PID 2600 wrote to memory of 1800 2600 tdpbrdh.exe 32 PID 2600 wrote to memory of 1800 2600 tdpbrdh.exe 32 PID 1800 wrote to memory of 2124 1800 nfbplln.exe 33 PID 1800 wrote to memory of 2124 1800 nfbplln.exe 33 PID 1800 wrote to memory of 2124 1800 nfbplln.exe 33 PID 1800 wrote to memory of 2124 1800 nfbplln.exe 33 PID 2124 wrote to memory of 2440 2124 nxlbhh.exe 34 PID 2124 wrote to memory of 2440 2124 nxlbhh.exe 34 PID 2124 wrote to memory of 2440 2124 nxlbhh.exe 34 PID 2124 wrote to memory of 2440 2124 nxlbhh.exe 34 PID 2440 wrote to memory of 2780 2440 xnflhln.exe 35 PID 2440 wrote to memory of 2780 2440 xnflhln.exe 35 PID 2440 wrote to memory of 2780 2440 xnflhln.exe 35 PID 2440 wrote to memory of 2780 2440 xnflhln.exe 35 PID 2780 wrote to memory of 2904 2780 lphlxx.exe 36 PID 2780 wrote to memory of 2904 2780 lphlxx.exe 36 PID 2780 wrote to memory of 2904 2780 lphlxx.exe 36 PID 2780 wrote to memory of 2904 2780 lphlxx.exe 36 PID 2904 wrote to memory of 2812 2904 pppfv.exe 37 PID 2904 wrote to memory of 2812 2904 pppfv.exe 37 PID 2904 wrote to memory of 2812 2904 pppfv.exe 37 PID 2904 wrote to memory of 2812 2904 pppfv.exe 37 PID 2812 wrote to memory of 2680 2812 rrpblv.exe 
38 PID 2812 wrote to memory of 2680 2812 rrpblv.exe 38 PID 2812 wrote to memory of 2680 2812 rrpblv.exe 38 PID 2812 wrote to memory of 2680 2812 rrpblv.exe 38 PID 2680 wrote to memory of 1676 2680 dvrvdvx.exe 39 PID 2680 wrote to memory of 1676 2680 dvrvdvx.exe 39 PID 2680 wrote to memory of 1676 2680 dvrvdvx.exe 39 PID 2680 wrote to memory of 1676 2680 dvrvdvx.exe 39 PID 1676 wrote to memory of 2632 1676 njnvv.exe 40 PID 1676 wrote to memory of 2632 1676 njnvv.exe 40 PID 1676 wrote to memory of 2632 1676 njnvv.exe 40 PID 1676 wrote to memory of 2632 1676 njnvv.exe 40 PID 2632 wrote to memory of 1648 2632 rlbntn.exe 41 PID 2632 wrote to memory of 1648 2632 rlbntn.exe 41 PID 2632 wrote to memory of 1648 2632 rlbntn.exe 41 PID 2632 wrote to memory of 1648 2632 rlbntn.exe 41 PID 1648 wrote to memory of 1296 1648 btdff.exe 42 PID 1648 wrote to memory of 1296 1648 btdff.exe 42 PID 1648 wrote to memory of 1296 1648 btdff.exe 42 PID 1648 wrote to memory of 1296 1648 btdff.exe 42 PID 1296 wrote to memory of 1992 1296 xdtlvx.exe 43 PID 1296 wrote to memory of 1992 1296 xdtlvx.exe 43 PID 1296 wrote to memory of 1992 1296 xdtlvx.exe 43 PID 1296 wrote to memory of 1992 1296 xdtlvx.exe 43 PID 1992 wrote to memory of 2640 1992 tnthfvp.exe 44 PID 1992 wrote to memory of 2640 1992 tnthfvp.exe 44 PID 1992 wrote to memory of 2640 1992 tnthfvp.exe 44 PID 1992 wrote to memory of 2640 1992 tnthfvp.exe 44 PID 2640 wrote to memory of 1808 2640 rrnfll.exe 45 PID 2640 wrote to memory of 1808 2640 rrnfll.exe 45 PID 2640 wrote to memory of 1808 2640 rrnfll.exe 45 PID 2640 wrote to memory of 1808 2640 rrnfll.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\4e30fefef127e9103a7c932f4bee7e68d73c7384bcd1ef4ead12e64d132430b3N.exe"C:\Users\Admin\AppData\Local\Temp\4e30fefef127e9103a7c932f4bee7e68d73c7384bcd1ef4ead12e64d132430b3N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2368 -
\??\c:\tlbnlhn.exec:\tlbnlhn.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2584 -
\??\c:\tdpbrdh.exec:\tdpbrdh.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2600 -
\??\c:\nfbplln.exec:\nfbplln.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1800 -
\??\c:\nxlbhh.exec:\nxlbhh.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2124 -
\??\c:\xnflhln.exec:\xnflhln.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2440 -
\??\c:\lphlxx.exec:\lphlxx.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2780 -
\??\c:\pppfv.exec:\pppfv.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2904 -
\??\c:\rrpblv.exec:\rrpblv.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2812 -
\??\c:\dvrvdvx.exec:\dvrvdvx.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2680 -
\??\c:\njnvv.exec:\njnvv.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1676 -
\??\c:\rlbntn.exec:\rlbntn.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2632 -
\??\c:\btdff.exec:\btdff.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1648 -
\??\c:\xdtlvx.exec:\xdtlvx.exe14⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1296 -
\??\c:\tnthfvp.exec:\tnthfvp.exe15⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1992 -
\??\c:\rrnfll.exec:\rrnfll.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2640 -
\??\c:\drtxjx.exec:\drtxjx.exe17⤵
- Executes dropped EXE
PID:1808 -
\??\c:\tprtdll.exec:\tprtdll.exe18⤵
- Executes dropped EXE
PID:1952 -
\??\c:\vtxlbr.exec:\vtxlbr.exe19⤵
- Executes dropped EXE
PID:2996 -
\??\c:\xbdxt.exec:\xbdxt.exe20⤵
- Executes dropped EXE
PID:2284 -
\??\c:\ppjhp.exec:\ppjhp.exe21⤵
- Executes dropped EXE
PID:2072 -
\??\c:\jjpnb.exec:\jjpnb.exe22⤵
- Executes dropped EXE
PID:1816 -
\??\c:\dhbfhbn.exec:\dhbfhbn.exe23⤵
- Executes dropped EXE
PID:2172 -
\??\c:\pjdxf.exec:\pjdxf.exe24⤵
- Executes dropped EXE
PID:2544 -
\??\c:\rjdhdd.exec:\rjdhdd.exe25⤵
- Executes dropped EXE
PID:1392 -
\??\c:\njllp.exec:\njllp.exe26⤵
- Executes dropped EXE
PID:1756 -
\??\c:\rrjprnl.exec:\rrjprnl.exe27⤵
- Executes dropped EXE
PID:1044 -
\??\c:\ddbdhj.exec:\ddbdhj.exe28⤵
- Executes dropped EXE
PID:1556 -
\??\c:\dntdll.exec:\dntdll.exe29⤵
- Executes dropped EXE
PID:2236 -
\??\c:\trxjd.exec:\trxjd.exe30⤵
- Executes dropped EXE
PID:1620 -
\??\c:\rlrpdd.exec:\rlrpdd.exe31⤵
- Executes dropped EXE
PID:672 -
\??\c:\nfxbl.exec:\nfxbl.exe32⤵
- Executes dropped EXE
PID:676 -
\??\c:\hlfnj.exec:\hlfnj.exe33⤵
- Executes dropped EXE
PID:2268 -
\??\c:\jfpjln.exec:\jfpjln.exe34⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1300 -
\??\c:\jbpjpd.exec:\jbpjpd.exe35⤵
- Executes dropped EXE
PID:2584 -
\??\c:\vnftp.exec:\vnftp.exe36⤵
- Executes dropped EXE
PID:2620 -
\??\c:\jbftrf.exec:\jbftrf.exe37⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2500 -
\??\c:\tpnrp.exec:\tpnrp.exe38⤵
- Executes dropped EXE
PID:1328 -
\??\c:\nvbjpp.exec:\nvbjpp.exe39⤵
- Executes dropped EXE
PID:2156 -
\??\c:\hfrlhf.exec:\hfrlhf.exe40⤵
- Executes dropped EXE
PID:2784 -
\??\c:\hxpdj.exec:\hxpdj.exe41⤵
- Executes dropped EXE
PID:2920 -
\??\c:\xvxlb.exec:\xvxlb.exe42⤵
- Executes dropped EXE
PID:2776 -
\??\c:\nvhrhn.exec:\nvhrhn.exe43⤵
- Executes dropped EXE
PID:1356 -
\??\c:\rtnhllv.exec:\rtnhllv.exe44⤵
- Executes dropped EXE
PID:2876 -
\??\c:\llpbx.exec:\llpbx.exe45⤵
- Executes dropped EXE
PID:1276 -
\??\c:\lpfpl.exec:\lpfpl.exe46⤵
- Executes dropped EXE
PID:2676 -
\??\c:\jrdvr.exec:\jrdvr.exe47⤵
- Executes dropped EXE
PID:1676 -
\??\c:\jfjttj.exec:\jfjttj.exe48⤵
- Executes dropped EXE
PID:2096 -
\??\c:\djhdpn.exec:\djhdpn.exe49⤵
- Executes dropped EXE
PID:2632 -
\??\c:\hjdvdj.exec:\hjdvdj.exe50⤵
- Executes dropped EXE
PID:1152 -
\??\c:\fxjxpld.exec:\fxjxpld.exe51⤵
- Executes dropped EXE
PID:2720 -
\??\c:\lfrjdnp.exec:\lfrjdnp.exe52⤵
- Executes dropped EXE
PID:1996 -
\??\c:\lprft.exec:\lprft.exe53⤵
- Executes dropped EXE
PID:1488 -
\??\c:\xftdjj.exec:\xftdjj.exe54⤵
- Executes dropped EXE
PID:2640 -
\??\c:\vpxnlp.exec:\vpxnlp.exe55⤵
- Executes dropped EXE
PID:2880 -
\??\c:\lnxjtt.exec:\lnxjtt.exe56⤵
- Executes dropped EXE
PID:2960 -
\??\c:\bjbtbfp.exec:\bjbtbfp.exe57⤵
- Executes dropped EXE
PID:2864 -
\??\c:\phlbn.exec:\phlbn.exe58⤵
- Executes dropped EXE
PID:2432 -
\??\c:\pvnxjfp.exec:\pvnxjfp.exe59⤵
- Executes dropped EXE
PID:2224 -
\??\c:\rrdldxh.exec:\rrdldxh.exe60⤵
- Executes dropped EXE
PID:2556 -
\??\c:\vbphxx.exec:\vbphxx.exe61⤵
- Executes dropped EXE
PID:1476 -
\??\c:\tnxhlj.exec:\tnxhlj.exe62⤵
- Executes dropped EXE
PID:2184 -
\??\c:\hpdjlxr.exec:\hpdjlxr.exe63⤵
- Executes dropped EXE
PID:820 -
\??\c:\rrflfd.exec:\rrflfd.exe64⤵
- Executes dropped EXE
PID:800 -
\??\c:\lrrbld.exec:\lrrbld.exe65⤵
- Executes dropped EXE
PID:1872 -
\??\c:\hblnt.exec:\hblnt.exe66⤵PID:1164
-
\??\c:\vbbfxn.exec:\vbbfxn.exe67⤵PID:3012
-
\??\c:\xnpxrff.exec:\xnpxrff.exe68⤵PID:1364
-
\??\c:\dtjdrx.exec:\dtjdrx.exe69⤵PID:1324
-
\??\c:\xdlhp.exec:\xdlhp.exe70⤵PID:2504
-
\??\c:\lrvjvr.exec:\lrvjvr.exe71⤵PID:2524
-
\??\c:\ljxhbb.exec:\ljxhbb.exe72⤵PID:2252
-
\??\c:\lbrhl.exec:\lbrhl.exe73⤵PID:2280
-
\??\c:\plrvldj.exec:\plrvldj.exe74⤵PID:2368
-
\??\c:\jnbldr.exec:\jnbldr.exe75⤵PID:768
-
\??\c:\dldtl.exec:\dldtl.exe76⤵PID:1320
-
\??\c:\xtbrvj.exec:\xtbrvj.exe77⤵PID:2348
-
\??\c:\fvhjlv.exec:\fvhjlv.exe78⤵PID:3060
-
\??\c:\pvfhd.exec:\pvfhd.exe79⤵PID:2744
-
\??\c:\hlldrtb.exec:\hlldrtb.exe80⤵PID:1328
-
\??\c:\blbbdff.exec:\blbbdff.exe81⤵PID:2156
-
\??\c:\vdlpd.exec:\vdlpd.exe82⤵PID:2784
-
\??\c:\xdlfrv.exec:\xdlfrv.exe83⤵PID:2924
-
\??\c:\xrrldtx.exec:\xrrldtx.exe84⤵PID:2952
-
\??\c:\vrrhbr.exec:\vrrhbr.exe85⤵PID:2692
-
\??\c:\fvdrrr.exec:\fvdrrr.exe86⤵PID:2876
-
\??\c:\xxfxtdh.exec:\xxfxtdh.exe87⤵PID:1276
-
\??\c:\dlvpx.exec:\dlvpx.exe88⤵PID:884
-
\??\c:\dlxfhx.exec:\dlxfhx.exe89⤵PID:1676
-
\??\c:\tdlrnx.exec:\tdlrnx.exe90⤵PID:1548
-
\??\c:\dfdldfd.exec:\dfdldfd.exe91⤵PID:1256
-
\??\c:\jtvhh.exec:\jtvhh.exe92⤵PID:2340
-
\??\c:\jppxnp.exec:\jppxnp.exe93⤵PID:2080
-
\??\c:\dlnlvx.exec:\dlnlvx.exe94⤵PID:1196
-
\??\c:\xpdfl.exec:\xpdfl.exe95⤵PID:2848
-
\??\c:\tjvrnnx.exec:\tjvrnnx.exe96⤵PID:3004
-
\??\c:\dntrt.exec:\dntrt.exe97⤵PID:1952
-
\??\c:\vprlxd.exec:\vprlxd.exe98⤵PID:2144
-
\??\c:\trrjjbf.exec:\trrjjbf.exe99⤵PID:2516
-
\??\c:\btxbfjx.exec:\btxbfjx.exe100⤵PID:3036
-
\??\c:\jlxxhn.exec:\jlxxhn.exe101⤵PID:1708
-
\??\c:\dphpdl.exec:\dphpdl.exe102⤵PID:896
-
\??\c:\nxfdx.exec:\nxfdx.exe103⤵PID:584
-
\??\c:\nxtpxp.exec:\nxtpxp.exe104⤵PID:1252
-
\??\c:\xnjhh.exec:\xnjhh.exe105⤵PID:2544
-
\??\c:\lvxbn.exec:\lvxbn.exe106⤵PID:2008
-
\??\c:\lxllnh.exec:\lxllnh.exe107⤵PID:1692
-
\??\c:\ddvtxf.exec:\ddvtxf.exe108⤵PID:1688
-
\??\c:\xjbph.exec:\xjbph.exe109⤵PID:680
-
\??\c:\drxhdnl.exec:\drxhdnl.exe110⤵PID:1248
-
\??\c:\vxxlpx.exec:\vxxlpx.exe111⤵PID:1760
-
\??\c:\jlnfp.exec:\jlnfp.exe112⤵PID:276
-
\??\c:\nprll.exec:\nprll.exe113⤵
- System Location Discovery: System Language Discovery
PID:2264 -
\??\c:\trvxv.exec:\trvxv.exe114⤵PID:2628
-
\??\c:\thrlbrd.exec:\thrlbrd.exe115⤵PID:1564
-
\??\c:\pfrbhf.exec:\pfrbhf.exe116⤵PID:1660
-
\??\c:\dnbrffn.exec:\dnbrffn.exe117⤵PID:768
-
\??\c:\fnlpbxv.exec:\fnlpbxv.exe118⤵PID:1936
-
\??\c:\thvxxbn.exec:\thvxxbn.exe119⤵PID:2448
-
\??\c:\vdfvpx.exec:\vdfvpx.exe120⤵PID:2124
-
\??\c:\rtjvpl.exec:\rtjvpl.exe121⤵PID:2520
-
\??\c:\hnntp.exec:\hnntp.exe122⤵PID:2212