Analysis
  max time kernel: 150s
  max time network: 18s
  platform: windows7_x64
  resource: win7-20241010-en
  resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  submitted: 05-11-2024 01:11

Behavioral task: behavioral1
  Sample: 92dfab4ba0ef30567bf74ddaa3df9aa1dbf3ce27a6749fb68e27563eeb2f46bb.exe
  Resource: win7-20241010-en
  9 signatures
  150 seconds
General
  Target: 92dfab4ba0ef30567bf74ddaa3df9aa1dbf3ce27a6749fb68e27563eeb2f46bb.exe
  Size: 3.7MB
  MD5: e0eff6d0a82d2c91cf69f8a93ea44fc7
  SHA1: 3d11aaae04000028fca1c554871e92013fc28049
  SHA256: 92dfab4ba0ef30567bf74ddaa3df9aa1dbf3ce27a6749fb68e27563eeb2f46bb
  SHA512: d7505b7cd77fd559965cf78fc313e1433698087dc7231a3c983508efbdd028871b5df7bef22b3efe4d204a40b586f9f639d0cbcaee38997e332bb37bbf13ff00
  SSDEEP: 49152:gCOfN6X5tLLQTg20ITS/PPs/1kS4eKRL/SRsj0Zuur1T75YqVUrmNF98l:U6XLq/qPPslzKx/dJg1ErmNc
Malware Config
Signatures
Blackmoon family
Detect Blackmoon payload 50 IoCs
Njrat family
Executes dropped EXE 64 IoCs
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Suspicious use of WriteProcessMemory 64 IoCs
Processes
Each entry is a child of the entry directly above it (the depth number increases by one per spawn). The command line follows the image path, and the signatures triggered by that process are given in brackets.

depth  PID   image path / command line [signatures]
1      2820  C:\Users\Admin\AppData\Local\Temp\92dfab4ba0ef30567bf74ddaa3df9aa1dbf3ce27a6749fb68e27563eeb2f46bb.exe / "C:\Users\Admin\AppData\Local\Temp\92dfab4ba0ef30567bf74ddaa3df9aa1dbf3ce27a6749fb68e27563eeb2f46bb.exe" [System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory]
2      2988  \??\c:\nxhrt.exe / c:\nxhrt.exe [Executes dropped EXE; Suspicious use of WriteProcessMemory]
3      2220  \??\c:\tbfxj.exe / c:\tbfxj.exe [Executes dropped EXE; Suspicious use of WriteProcessMemory]
4      2968  \??\c:\bdtxn.exe / c:\bdtxn.exe [Executes dropped EXE; Suspicious use of WriteProcessMemory]
5      2948  \??\c:\hhfdpt.exe / c:\hhfdpt.exe [Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory]
6      3020  \??\c:\ndfnxhx.exe / c:\ndfnxhx.exe [Executes dropped EXE; Suspicious use of WriteProcessMemory]
7      2908  \??\c:\vvrpjvf.exe / c:\vvrpjvf.exe [Executes dropped EXE; Suspicious use of WriteProcessMemory]
8      2756  \??\c:\xpdtrvj.exe / c:\xpdtrvj.exe [Executes dropped EXE; Suspicious use of WriteProcessMemory]
9      2620  \??\c:\jnrjvpd.exe / c:\jnrjvpd.exe [Executes dropped EXE; Suspicious use of WriteProcessMemory]
10     1168  \??\c:\dpvhtl.exe / c:\dpvhtl.exe [Executes dropped EXE; Suspicious use of WriteProcessMemory]
11     2268  \??\c:\npplbnn.exe / c:\npplbnn.exe [Executes dropped EXE; Suspicious use of WriteProcessMemory]
12     2652  \??\c:\tvdvhbf.exe / c:\tvdvhbf.exe [Executes dropped EXE; Suspicious use of WriteProcessMemory]
13     3060  \??\c:\tvjfffl.exe / c:\tvjfffl.exe [Executes dropped EXE; Suspicious use of WriteProcessMemory]
14     1472  \??\c:\phjrln.exe / c:\phjrln.exe [Executes dropped EXE; Suspicious use of WriteProcessMemory]
15     2176  \??\c:\dnxtvlf.exe / c:\dnxtvlf.exe [Executes dropped EXE; Suspicious use of WriteProcessMemory]
16     1872  \??\c:\hvlfnl.exe / c:\hvlfnl.exe [Executes dropped EXE; Suspicious use of WriteProcessMemory]
17     2484  \??\c:\lvbjfnr.exe / c:\lvbjfnr.exe [Executes dropped EXE]
18     1248  \??\c:\vrxhxl.exe / c:\vrxhxl.exe [Executes dropped EXE]
19     2472  \??\c:\xldjdv.exe / c:\xldjdv.exe [Executes dropped EXE]
20     2084  \??\c:\jhvfxb.exe / c:\jhvfxb.exe [Executes dropped EXE; System Location Discovery: System Language Discovery]
21     2512  \??\c:\dtnrpvr.exe / c:\dtnrpvr.exe [Executes dropped EXE]
22     2436  \??\c:\hvlllrx.exe / c:\hvlllrx.exe [Executes dropped EXE]
23     2064  \??\c:\ptrhldd.exe / c:\ptrhldd.exe [Executes dropped EXE; System Location Discovery: System Language Discovery]
24     2116  \??\c:\xjbnrn.exe / c:\xjbnrn.exe [Executes dropped EXE]
25     1040  \??\c:\pxjjd.exe / c:\pxjjd.exe [Executes dropped EXE]
26     1464  \??\c:\drrtfnx.exe / c:\drrtfnx.exe [Executes dropped EXE]
27     2104  \??\c:\hhxpj.exe / c:\hhxpj.exe [Executes dropped EXE]
28     2188  \??\c:\fxnpjvj.exe / c:\fxnpjvj.exe [Executes dropped EXE]
29     108   \??\c:\lvjpfx.exe / c:\lvjpfx.exe [Executes dropped EXE]
30     2676  \??\c:\xnnthd.exe / c:\xnnthd.exe [Executes dropped EXE]
31     2464  \??\c:\ftvpdh.exe / c:\ftvpdh.exe [Executes dropped EXE]
32     2716  \??\c:\hbtlllp.exe / c:\hbtlllp.exe [Executes dropped EXE]
33     2664  \??\c:\ptbfj.exe / c:\ptbfj.exe [Executes dropped EXE]
34     1592  \??\c:\bnbdrb.exe / c:\bnbdrb.exe [Executes dropped EXE]
35     2832  \??\c:\jnjjd.exe / c:\jnjjd.exe [Executes dropped EXE; System Location Discovery: System Language Discovery]
36     2956  \??\c:\pvxrl.exe / c:\pvxrl.exe [Executes dropped EXE]
37     2996  \??\c:\jvxxddn.exe / c:\jvxxddn.exe [Executes dropped EXE]
38     2900  \??\c:\btphpnb.exe / c:\btphpnb.exe [Executes dropped EXE]
39     2168  \??\c:\fnxdjp.exe / c:\fnxdjp.exe [Executes dropped EXE]
40     3020  \??\c:\tptxb.exe / c:\tptxb.exe [Executes dropped EXE]
41     2772  \??\c:\vjxxrv.exe / c:\vjxxrv.exe [Executes dropped EXE]
42     2964  \??\c:\dbvplp.exe / c:\dbvplp.exe [Executes dropped EXE]
43     2596  \??\c:\hffvhl.exe / c:\hffvhl.exe [Executes dropped EXE]
44     1784  \??\c:\vnbdllh.exe / c:\vnbdllh.exe [Executes dropped EXE]
45     2904  \??\c:\lddnnt.exe / c:\lddnnt.exe [Executes dropped EXE]
46     1756  \??\c:\vhlbrnl.exe / c:\vhlbrnl.exe [Executes dropped EXE]
47     2744  \??\c:\hpdfd.exe / c:\hpdfd.exe [Executes dropped EXE]
48     3016  \??\c:\hpvhnh.exe / c:\hpvhnh.exe [Executes dropped EXE]
49     3048  \??\c:\lnvhdh.exe / c:\lnvhdh.exe [Executes dropped EXE]
50     2096  \??\c:\vbndxl.exe / c:\vbndxl.exe [Executes dropped EXE]
51     1976  \??\c:\pftpnfx.exe / c:\pftpnfx.exe [Executes dropped EXE]
52     3032  \??\c:\hfvdxx.exe / c:\hfvdxx.exe [Executes dropped EXE]
53     1736  \??\c:\vfjtdj.exe / c:\vfjtdj.exe [Executes dropped EXE]
54     1332  \??\c:\jtlffh.exe / c:\jtlffh.exe [Executes dropped EXE]
55     2432  \??\c:\fflhl.exe / c:\fflhl.exe [Executes dropped EXE]
56     2244  \??\c:\nffdlx.exe / c:\nffdlx.exe [Executes dropped EXE]
57     1124  \??\c:\ttrfj.exe / c:\ttrfj.exe [Executes dropped EXE]
58     2200  \??\c:\hdjrhx.exe / c:\hdjrhx.exe [Executes dropped EXE]
59     2524  \??\c:\bhxvfd.exe / c:\bhxvfd.exe [Executes dropped EXE]
60     836   \??\c:\xbxxl.exe / c:\xbxxl.exe [Executes dropped EXE]
61     1136  \??\c:\dlhxp.exe / c:\dlhxp.exe [Executes dropped EXE]
62     1060  \??\c:\ddptp.exe / c:\ddptp.exe [Executes dropped EXE]
63     2064  \??\c:\lbrfnr.exe / c:\lbrfnr.exe [Executes dropped EXE]
64     2012  \??\c:\lbllj.exe / c:\lbllj.exe [Executes dropped EXE]
65     692   \??\c:\bvlfl.exe / c:\bvlfl.exe [Executes dropped EXE]
66     2052  \??\c:\hxlltvp.exe / c:\hxlltvp.exe
67     1464  \??\c:\vxfjv.exe / c:\vxfjv.exe
68     932   \??\c:\vhrdnjt.exe / c:\vhrdnjt.exe
69     1780  \??\c:\txnjvxh.exe / c:\txnjvxh.exe
70     760   \??\c:\fpbvtvn.exe / c:\fpbvtvn.exe
71     948   \??\c:\ttxlrv.exe / c:\ttxlrv.exe
72     800   \??\c:\hppvj.exe / c:\hppvj.exe
73     1748  \??\c:\rfvlrn.exe / c:\rfvlrn.exe
74     892   \??\c:\vrffh.exe / c:\vrffh.exe
75     1672  \??\c:\pbbjbjj.exe / c:\pbbjbjj.exe
76     2932  \??\c:\vlddbjb.exe / c:\vlddbjb.exe
77     1964  \??\c:\bbldftb.exe / c:\bbldftb.exe
78     3064  \??\c:\bjvtlv.exe / c:\bjvtlv.exe
79     2980  \??\c:\pnxbndn.exe / c:\pnxbndn.exe
80     2940  \??\c:\xhtntrn.exe / c:\xhtntrn.exe
81     2996  \??\c:\hlxlxt.exe / c:\hlxlxt.exe
82     2900  \??\c:\ftlpjn.exe / c:\ftlpjn.exe
83     2156  \??\c:\bfnvx.exe / c:\bfnvx.exe
84     3020  \??\c:\pjxnfvj.exe / c:\pjxnfvj.exe
85     2344  \??\c:\fjvndhx.exe / c:\fjvndhx.exe
86     2552  \??\c:\nhvtll.exe / c:\nhvtll.exe
87     3052  \??\c:\vltnrrp.exe / c:\vltnrrp.exe [System Location Discovery: System Language Discovery]
88     1168  \??\c:\xtblf.exe / c:\xtblf.exe
89     2404  \??\c:\bxxhv.exe / c:\bxxhv.exe
90     2876  \??\c:\fxhvvhf.exe / c:\fxhvvhf.exe [System Location Discovery: System Language Discovery]
91     2648  \??\c:\jbrpp.exe / c:\jbrpp.exe
92     3044  \??\c:\rhbjvdb.exe / c:\rhbjvdb.exe
93     752   \??\c:\bdhtx.exe / c:\bdhtx.exe
94     1808  \??\c:\dhdvlpn.exe / c:\dhdvlpn.exe
95     3024  \??\c:\dndft.exe / c:\dndft.exe
96     2028  \??\c:\pxxthdh.exe / c:\pxxthdh.exe
97     2800  \??\c:\djntnrx.exe / c:\djntnrx.exe
98     1736  \??\c:\vlvppfp.exe / c:\vlvppfp.exe
99     1332  \??\c:\ffjpft.exe / c:\ffjpft.exe
100    2432  \??\c:\bpthpx.exe / c:\bpthpx.exe
101    2472  \??\c:\vftljt.exe / c:\vftljt.exe
102    2492  \??\c:\jdnrlxr.exe / c:\jdnrlxr.exe [System Location Discovery: System Language Discovery]
103    2200  \??\c:\hpphhht.exe / c:\hpphhht.exe
104    2524  \??\c:\rftrt.exe / c:\rftrt.exe
105    764   \??\c:\hpjvfpj.exe / c:\hpjvfpj.exe
106    1136  \??\c:\bdrrvtp.exe / c:\bdrrvtp.exe
107    1064  \??\c:\rhrph.exe / c:\rhrph.exe
108    872   \??\c:\fvxpp.exe / c:\fvxpp.exe
109    1480  \??\c:\hvrnfv.exe / c:\hvrnfv.exe
110    1520  \??\c:\jbbbblj.exe / c:\jbbbblj.exe
111    1084  \??\c:\frdnh.exe / c:\frdnh.exe
112    2388  \??\c:\lhrvfxj.exe / c:\lhrvfxj.exe
113    612   \??\c:\fprllt.exe / c:\fprllt.exe
114    2188  \??\c:\dhdrhn.exe / c:\dhdrhn.exe
115    812   \??\c:\xhfpnht.exe / c:\xhfpnht.exe
116    1288  \??\c:\rrftltl.exe / c:\rrftltl.exe
117    1884  \??\c:\vbftxp.exe / c:\vbftxp.exe
118    2004  \??\c:\nfnppdh.exe / c:\nfnppdh.exe
119    1720  \??\c:\lvjfd.exe / c:\lvjfd.exe
120    2108  \??\c:\hrtbxbv.exe / c:\hrtbxbv.exe
121    2424  \??\c:\phpnxpd.exe / c:\phpnxpd.exe [System Location Discovery: System Language Discovery]
122    2460  \??\c:\pjhrvxj.exe / c:\pjhrvxj.exe