Analysis
-
max time kernel
120s -
max time network
19s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64 arch:x86 image:win7-20241010-en locale:en-us os:windows7-x64 system -
submitted
22-11-2024 07:44
Behavioral task
behavioral1
Sample
3a0d3d05378db2dd4094ab8db2c263eb08ed485263ea5bf1fcf1256412294c3e.exe
Resource
win7-20241010-en
7 signatures
120 seconds
General
-
Target
3a0d3d05378db2dd4094ab8db2c263eb08ed485263ea5bf1fcf1256412294c3e.exe
-
Size
335KB
-
MD5
5c607a1bc09df2b598835688cd4bef86
-
SHA1
059ec216e2d5e557570179b623107a8fe7ef5b23
-
SHA256
3a0d3d05378db2dd4094ab8db2c263eb08ed485263ea5bf1fcf1256412294c3e
-
SHA512
44074d20040f262c4f3ebbac6cffd1374042fdbc74570cb6e7c1897351b31c75de67d5951dcde6df2796bab46111af4b5a08c62d8812a0019314d6a3e217f3ae
-
SSDEEP
6144:Lcm4FmowdHoSHt251UriZFwfsDX2UznsaFVNJCMKAbeRp:R4wFHoSHYHUrAwfMp3CDRp
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 40 IoCs
resource yara_rule behavioral1/memory/1820-8-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2916-15-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2836-22-0x00000000002C0000-0x00000000002E7000-memory.dmp family_blackmoon behavioral1/memory/2836-26-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2956-35-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2860-43-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/3024-60-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2784-68-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2544-75-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/964-84-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1724-93-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2228-103-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1620-111-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2168-126-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2192-134-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2664-145-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/3028-160-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1848-167-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2064-179-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2364-191-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2076-201-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral1/memory/1804-227-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2244-240-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2520-242-0x00000000003A0000-0x00000000003C7000-memory.dmp family_blackmoon behavioral1/memory/1912-249-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2024-258-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2024-257-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2976-341-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2380-379-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1660-389-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2356-401-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2576-407-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2344-437-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2344-462-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/1284-503-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1744-547-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/1488-565-0x00000000001B0000-0x00000000001D7000-memory.dmp family_blackmoon behavioral1/memory/2720-625-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2980-631-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2804-642-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2916 pnlllpr.exe 2836 fnhtjb.exe 2956 ppttb.exe 2860 ntbpn.exe 2904 xpxjh.exe 3024 xfhdr.exe 2784 fbnnprt.exe 2544 vdljx.exe 964 jnnxxnp.exe 1724 hxbtb.exe 2228 tvnlfd.exe 1620 jvtplx.exe 3068 rxrnj.exe 2168 fjltnb.exe 2192 fxbjt.exe 3048 lhvfbn.exe 2664 lxhfdxn.exe 3028 hvpdbl.exe 1848 njvbp.exe 2368 dftlht.exe 2064 ptpdvd.exe 2364 nxrlfvj.exe 2076 dphpf.exe 516 txthfpb.exe 2520 tdhjt.exe 1792 vrdjx.exe 1804 brtfjd.exe 2244 fvtjlht.exe 1912 jhvvj.exe 2024 ltvbvhx.exe 1656 tfndj.exe 908 bhprf.exe 1728 hbfxrpp.exe 1924 nlxthpb.exe 2148 rhphbdh.exe 1712 ltvjvbx.exe 2288 tdlvth.exe 2868 bbxnnf.exe 2140 pflnp.exe 2504 rjdhrx.exe 2976 ljhplph.exe 2332 tffrb.exe 2972 ptndlxt.exe 2844 brhlpl.exe 2912 jbbrvh.exe 1084 xpbrtr.exe 2744 vrvfbt.exe 2756 fhpjrr.exe 2224 ddlhxp.exe 2544 xpddtnl.exe 2380 jflbt.exe 1660 nxdfhhj.exe 2348 pfdvd.exe 2356 bfndp.exe 2576 bbptnr.exe 2084 fvdrpnn.exe 2668 thbnx.exe 2816 vlpxxld.exe 1012 rxhtd.exe 2300 njvxp.exe 2344 bpxdb.exe 1032 lhpfb.exe 2044 plptrpr.exe 2184 rnhpdr.exe -
resource yara_rule behavioral1/memory/1820-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/1820-8-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0009000000012255-7.dat upx behavioral1/files/0x00080000000170f8-16.dat upx behavioral1/memory/2916-15-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000700000001756b-25.dat upx behavioral1/memory/2836-26-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000700000001756e-34.dat upx behavioral1/memory/2860-36-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2956-35-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2860-43-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0002000000018334-46.dat upx behavioral1/memory/2904-45-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00080000000186b7-52.dat upx behavioral1/files/0x0009000000016d69-59.dat upx behavioral1/memory/3024-60-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2544-69-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2784-68-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0008000000018f85-67.dat upx behavioral1/files/0x00050000000195bb-77.dat upx behavioral1/memory/964-84-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00050000000195bd-85.dat upx behavioral1/files/0x00050000000195c1-94.dat upx behavioral1/memory/1724-93-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2228-103-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00050000000195c3-104.dat upx behavioral1/memory/1620-111-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00050000000195c5-112.dat upx behavioral1/files/0x00050000000195c6-119.dat upx behavioral1/memory/2168-126-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral1/files/0x00050000000195c7-127.dat upx behavioral1/memory/2192-134-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001960c-135.dat upx behavioral1/files/0x0005000000019643-143.dat upx behavioral1/memory/2664-145-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001975a-151.dat upx behavioral1/files/0x0005000000019761-158.dat upx behavioral1/memory/3028-160-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00050000000197fd-169.dat upx behavioral1/memory/1848-167-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0005000000019820-176.dat upx behavioral1/memory/2064-179-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001998d-184.dat upx behavioral1/memory/2364-191-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0005000000019bf5-192.dat upx behavioral1/memory/2076-193-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2076-201-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0005000000019bf6-200.dat upx behavioral1/files/0x0005000000019bf9-208.dat upx behavioral1/files/0x0005000000019c3c-216.dat upx behavioral1/files/0x0005000000019d61-224.dat upx behavioral1/memory/1804-227-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0005000000019d62-232.dat upx behavioral1/memory/2244-240-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0005000000019d6d-241.dat upx behavioral1/memory/1912-249-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0005000000019e92-250.dat upx behavioral1/memory/2024-258-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0005000000019fd4-259.dat upx behavioral1/files/0x0005000000019fdd-266.dat upx behavioral1/memory/1924-278-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral1/memory/2148-284-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/1712-291-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/1084-347-0x0000000000400000-0x0000000000427000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrlpfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnfdflv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hjbpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbflp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xpfvrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ntlvln.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnbllfj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvnjx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language prxbj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rftpjt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxlrvxb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffxdv.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nprdt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ptjtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbfvdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlbpnpt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rhjjn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbxvhjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jrhttvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vnttlh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jrbvb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thfpf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ldhtf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vplbx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bdftbrb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrdjltt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dhnhlht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htdljtv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jttvrv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pxtxxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found 
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thbnx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnhnv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnvxdvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddrxtd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dftnfdb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bpdjx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhbftl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rtxfvlx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjhvbnj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nttnrfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrbpn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language httjnhr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ftlnt.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1820 wrote to memory of 2916 1820 3a0d3d05378db2dd4094ab8db2c263eb08ed485263ea5bf1fcf1256412294c3e.exe 29 PID 1820 wrote to memory of 2916 1820 3a0d3d05378db2dd4094ab8db2c263eb08ed485263ea5bf1fcf1256412294c3e.exe 29 PID 1820 wrote to memory of 2916 1820 3a0d3d05378db2dd4094ab8db2c263eb08ed485263ea5bf1fcf1256412294c3e.exe 29 PID 1820 wrote to memory of 2916 1820 3a0d3d05378db2dd4094ab8db2c263eb08ed485263ea5bf1fcf1256412294c3e.exe 29 PID 2916 wrote to memory of 2836 2916 pnlllpr.exe 30 PID 2916 wrote to memory of 2836 2916 pnlllpr.exe 30 PID 2916 wrote to memory of 2836 2916 pnlllpr.exe 30 PID 2916 wrote to memory of 2836 2916 pnlllpr.exe 30 PID 2836 wrote to memory of 2956 2836 fnhtjb.exe 31 PID 2836 wrote to memory of 2956 2836 fnhtjb.exe 31 PID 2836 wrote to memory of 2956 2836 fnhtjb.exe 31 PID 2836 wrote to memory of 2956 2836 fnhtjb.exe 31 PID 2956 wrote to memory of 2860 2956 ppttb.exe 32 PID 2956 wrote to memory of 2860 2956 ppttb.exe 32 PID 2956 wrote to memory of 2860 2956 ppttb.exe 32 PID 2956 wrote to memory of 2860 2956 ppttb.exe 32 PID 2860 wrote to memory of 2904 2860 ntbpn.exe 33 PID 2860 wrote to memory of 2904 2860 ntbpn.exe 33 PID 2860 wrote to memory of 2904 2860 ntbpn.exe 33 PID 2860 wrote to memory of 2904 2860 ntbpn.exe 33 PID 2904 wrote to memory of 3024 2904 xpxjh.exe 34 PID 2904 wrote to memory of 3024 2904 xpxjh.exe 34 PID 2904 wrote to memory of 3024 2904 xpxjh.exe 34 PID 2904 wrote to memory of 3024 2904 xpxjh.exe 34 PID 3024 wrote to memory of 2784 3024 xfhdr.exe 35 PID 3024 wrote to memory of 2784 3024 xfhdr.exe 35 PID 3024 wrote to memory of 2784 3024 xfhdr.exe 35 PID 3024 wrote to memory of 2784 3024 xfhdr.exe 35 PID 2784 wrote to memory of 2544 2784 fbnnprt.exe 36 PID 2784 wrote to memory of 2544 2784 fbnnprt.exe 36 PID 2784 wrote to memory of 2544 2784 fbnnprt.exe 36 PID 2784 wrote to memory of 2544 2784 fbnnprt.exe 36 PID 2544 wrote to memory of 964 2544 vdljx.exe 37 PID 2544 wrote to 
memory of 964 2544 vdljx.exe 37 PID 2544 wrote to memory of 964 2544 vdljx.exe 37 PID 2544 wrote to memory of 964 2544 vdljx.exe 37 PID 964 wrote to memory of 1724 964 jnnxxnp.exe 38 PID 964 wrote to memory of 1724 964 jnnxxnp.exe 38 PID 964 wrote to memory of 1724 964 jnnxxnp.exe 38 PID 964 wrote to memory of 1724 964 jnnxxnp.exe 38 PID 1724 wrote to memory of 2228 1724 hxbtb.exe 39 PID 1724 wrote to memory of 2228 1724 hxbtb.exe 39 PID 1724 wrote to memory of 2228 1724 hxbtb.exe 39 PID 1724 wrote to memory of 2228 1724 hxbtb.exe 39 PID 2228 wrote to memory of 1620 2228 tvnlfd.exe 40 PID 2228 wrote to memory of 1620 2228 tvnlfd.exe 40 PID 2228 wrote to memory of 1620 2228 tvnlfd.exe 40 PID 2228 wrote to memory of 1620 2228 tvnlfd.exe 40 PID 1620 wrote to memory of 3068 1620 jvtplx.exe 41 PID 1620 wrote to memory of 3068 1620 jvtplx.exe 41 PID 1620 wrote to memory of 3068 1620 jvtplx.exe 41 PID 1620 wrote to memory of 3068 1620 jvtplx.exe 41 PID 3068 wrote to memory of 2168 3068 rxrnj.exe 42 PID 3068 wrote to memory of 2168 3068 rxrnj.exe 42 PID 3068 wrote to memory of 2168 3068 rxrnj.exe 42 PID 3068 wrote to memory of 2168 3068 rxrnj.exe 42 PID 2168 wrote to memory of 2192 2168 fjltnb.exe 43 PID 2168 wrote to memory of 2192 2168 fjltnb.exe 43 PID 2168 wrote to memory of 2192 2168 fjltnb.exe 43 PID 2168 wrote to memory of 2192 2168 fjltnb.exe 43 PID 2192 wrote to memory of 3048 2192 fxbjt.exe 44 PID 2192 wrote to memory of 3048 2192 fxbjt.exe 44 PID 2192 wrote to memory of 3048 2192 fxbjt.exe 44 PID 2192 wrote to memory of 3048 2192 fxbjt.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\3a0d3d05378db2dd4094ab8db2c263eb08ed485263ea5bf1fcf1256412294c3e.exe"C:\Users\Admin\AppData\Local\Temp\3a0d3d05378db2dd4094ab8db2c263eb08ed485263ea5bf1fcf1256412294c3e.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1820 -
\??\c:\pnlllpr.exec:\pnlllpr.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2916 -
\??\c:\fnhtjb.exec:\fnhtjb.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2836 -
\??\c:\ppttb.exec:\ppttb.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2956 -
\??\c:\ntbpn.exec:\ntbpn.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2860 -
\??\c:\xpxjh.exec:\xpxjh.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2904 -
\??\c:\xfhdr.exec:\xfhdr.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3024 -
\??\c:\fbnnprt.exec:\fbnnprt.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2784 -
\??\c:\vdljx.exec:\vdljx.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2544 -
\??\c:\jnnxxnp.exec:\jnnxxnp.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:964 -
\??\c:\hxbtb.exec:\hxbtb.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1724 -
\??\c:\tvnlfd.exec:\tvnlfd.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2228 -
\??\c:\jvtplx.exec:\jvtplx.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1620 -
\??\c:\rxrnj.exec:\rxrnj.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3068 -
\??\c:\fjltnb.exec:\fjltnb.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2168 -
\??\c:\fxbjt.exec:\fxbjt.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2192 -
\??\c:\lhvfbn.exec:\lhvfbn.exe17⤵
- Executes dropped EXE
PID:3048 -
\??\c:\lxhfdxn.exec:\lxhfdxn.exe18⤵
- Executes dropped EXE
PID:2664 -
\??\c:\hvpdbl.exec:\hvpdbl.exe19⤵
- Executes dropped EXE
PID:3028 -
\??\c:\njvbp.exec:\njvbp.exe20⤵
- Executes dropped EXE
PID:1848 -
\??\c:\dftlht.exec:\dftlht.exe21⤵
- Executes dropped EXE
PID:2368 -
\??\c:\ptpdvd.exec:\ptpdvd.exe22⤵
- Executes dropped EXE
PID:2064 -
\??\c:\nxrlfvj.exec:\nxrlfvj.exe23⤵
- Executes dropped EXE
PID:2364 -
\??\c:\dphpf.exec:\dphpf.exe24⤵
- Executes dropped EXE
PID:2076 -
\??\c:\txthfpb.exec:\txthfpb.exe25⤵
- Executes dropped EXE
PID:516 -
\??\c:\tdhjt.exec:\tdhjt.exe26⤵
- Executes dropped EXE
PID:2520 -
\??\c:\vrdjx.exec:\vrdjx.exe27⤵
- Executes dropped EXE
PID:1792 -
\??\c:\brtfjd.exec:\brtfjd.exe28⤵
- Executes dropped EXE
PID:1804 -
\??\c:\fvtjlht.exec:\fvtjlht.exe29⤵
- Executes dropped EXE
PID:2244 -
\??\c:\jhvvj.exec:\jhvvj.exe30⤵
- Executes dropped EXE
PID:1912 -
\??\c:\ltvbvhx.exec:\ltvbvhx.exe31⤵
- Executes dropped EXE
PID:2024 -
\??\c:\tfndj.exec:\tfndj.exe32⤵
- Executes dropped EXE
PID:1656 -
\??\c:\bhprf.exec:\bhprf.exe33⤵
- Executes dropped EXE
PID:908 -
\??\c:\hbfxrpp.exec:\hbfxrpp.exe34⤵
- Executes dropped EXE
PID:1728 -
\??\c:\nlxthpb.exec:\nlxthpb.exe35⤵
- Executes dropped EXE
PID:1924 -
\??\c:\rhphbdh.exec:\rhphbdh.exe36⤵
- Executes dropped EXE
PID:2148 -
\??\c:\ltvjvbx.exec:\ltvjvbx.exe37⤵
- Executes dropped EXE
PID:1712 -
\??\c:\tdlvth.exec:\tdlvth.exe38⤵
- Executes dropped EXE
PID:2288 -
\??\c:\bbxnnf.exec:\bbxnnf.exe39⤵
- Executes dropped EXE
PID:2868 -
\??\c:\pflnp.exec:\pflnp.exe40⤵
- Executes dropped EXE
PID:2140 -
\??\c:\rjdhrx.exec:\rjdhrx.exe41⤵
- Executes dropped EXE
PID:2504 -
\??\c:\ljhplph.exec:\ljhplph.exe42⤵
- Executes dropped EXE
PID:2976 -
\??\c:\tffrb.exec:\tffrb.exe43⤵
- Executes dropped EXE
PID:2332 -
\??\c:\ptndlxt.exec:\ptndlxt.exe44⤵
- Executes dropped EXE
PID:2972 -
\??\c:\brhlpl.exec:\brhlpl.exe45⤵
- Executes dropped EXE
PID:2844 -
\??\c:\jbbrvh.exec:\jbbrvh.exe46⤵
- Executes dropped EXE
PID:2912 -
\??\c:\xpbrtr.exec:\xpbrtr.exe47⤵
- Executes dropped EXE
PID:1084 -
\??\c:\vrvfbt.exec:\vrvfbt.exe48⤵
- Executes dropped EXE
PID:2744 -
\??\c:\fhpjrr.exec:\fhpjrr.exe49⤵
- Executes dropped EXE
PID:2756 -
\??\c:\ddlhxp.exec:\ddlhxp.exe50⤵
- Executes dropped EXE
PID:2224 -
\??\c:\xpddtnl.exec:\xpddtnl.exe51⤵
- Executes dropped EXE
PID:2544 -
\??\c:\jflbt.exec:\jflbt.exe52⤵
- Executes dropped EXE
PID:2380 -
\??\c:\nxdfhhj.exec:\nxdfhhj.exe53⤵
- Executes dropped EXE
PID:1660 -
\??\c:\pfdvd.exec:\pfdvd.exe54⤵
- Executes dropped EXE
PID:2348 -
\??\c:\bfndp.exec:\bfndp.exe55⤵
- Executes dropped EXE
PID:2356 -
\??\c:\bbptnr.exec:\bbptnr.exe56⤵
- Executes dropped EXE
PID:2576 -
\??\c:\fvdrpnn.exec:\fvdrpnn.exe57⤵
- Executes dropped EXE
PID:2084 -
\??\c:\thbnx.exec:\thbnx.exe58⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2668 -
\??\c:\vlpxxld.exec:\vlpxxld.exe59⤵
- Executes dropped EXE
PID:2816 -
\??\c:\rxhtd.exec:\rxhtd.exe60⤵
- Executes dropped EXE
PID:1012 -
\??\c:\njvxp.exec:\njvxp.exe61⤵
- Executes dropped EXE
PID:2300 -
\??\c:\bpxdb.exec:\bpxdb.exe62⤵
- Executes dropped EXE
PID:2344 -
\??\c:\lhpfb.exec:\lhpfb.exe63⤵
- Executes dropped EXE
PID:1032 -
\??\c:\plptrpr.exec:\plptrpr.exe64⤵
- Executes dropped EXE
PID:2044 -
\??\c:\rnhpdr.exec:\rnhpdr.exe65⤵
- Executes dropped EXE
PID:2184 -
\??\c:\bvrjhv.exec:\bvrjhv.exe66⤵PID:2144
-
\??\c:\bxxtfl.exec:\bxxtfl.exe67⤵PID:2088
-
\??\c:\dtpvxp.exec:\dtpvxp.exe68⤵PID:2164
-
\??\c:\vlpjbxv.exec:\vlpjbxv.exe69⤵PID:2684
-
\??\c:\nlfpjjx.exec:\nlfpjjx.exe70⤵PID:2524
-
\??\c:\ddhrbh.exec:\ddhrbh.exe71⤵PID:1056
-
\??\c:\hpvthn.exec:\hpvthn.exe72⤵PID:1284
-
\??\c:\xlbpnpt.exec:\xlbpnpt.exe73⤵
- System Location Discovery: System Language Discovery
PID:2988 -
\??\c:\vhdnb.exec:\vhdnb.exe74⤵PID:896
-
\??\c:\rrtxn.exec:\rrtxn.exe75⤵PID:1360
-
\??\c:\fhvxl.exec:\fhvxl.exe76⤵PID:756
-
\??\c:\rjlndbh.exec:\rjlndbh.exe77⤵PID:2196
-
\??\c:\vbtxr.exec:\vbtxr.exe78⤵PID:1912
-
\??\c:\lrbnjdv.exec:\lrbnjdv.exe79⤵PID:304
-
\??\c:\rhjjn.exec:\rhjjn.exe80⤵
- System Location Discovery: System Language Discovery
PID:1744 -
\??\c:\dvntvj.exec:\dvntvj.exe81⤵PID:432
-
\??\c:\vvnjx.exec:\vvnjx.exe82⤵
- System Location Discovery: System Language Discovery
PID:2528 -
\??\c:\xvdrj.exec:\xvdrj.exe83⤵PID:1488
-
\??\c:\ltvxl.exec:\ltvxl.exe84⤵PID:1512
-
\??\c:\nxfhfb.exec:\nxfhfb.exe85⤵PID:2264
-
\??\c:\hjjhb.exec:\hjjhb.exe86⤵PID:1820
-
\??\c:\vvnbdfd.exec:\vvnbdfd.exe87⤵PID:2820
-
\??\c:\pbrtxph.exec:\pbrtxph.exe88⤵PID:1580
-
\??\c:\tbdptvl.exec:\tbdptvl.exe89⤵PID:2952
-
\??\c:\nlnxvfr.exec:\nlnxvfr.exe90⤵PID:2948
-
\??\c:\jbbdbl.exec:\jbbdbl.exe91⤵PID:2852
-
\??\c:\xplhvb.exec:\xplhvb.exe92⤵PID:2980
-
\??\c:\pdnnlbh.exec:\pdnnlbh.exe93⤵PID:2136
-
\??\c:\tvndv.exec:\tvndv.exe94⤵PID:2900
-
\??\c:\fhblvhh.exec:\fhblvhh.exe95⤵PID:2720
-
\??\c:\jbpvpjv.exec:\jbpvpjv.exe96⤵PID:2968
-
\??\c:\dhnhlht.exec:\dhnhlht.exe97⤵
- System Location Discovery: System Language Discovery
PID:2804 -
\??\c:\nfvdlt.exec:\nfvdlt.exe98⤵PID:2092
-
\??\c:\vxtrjhr.exec:\vxtrjhr.exe99⤵PID:2224
-
\??\c:\pfplxd.exec:\pfplxd.exe100⤵PID:2544
-
\??\c:\ljbnb.exec:\ljbnb.exe101⤵PID:2408
-
\??\c:\lrtxbn.exec:\lrtxbn.exe102⤵PID:1660
-
\??\c:\bnnfbjj.exec:\bnnfbjj.exe103⤵PID:2536
-
\??\c:\dvtnrtf.exec:\dvtnrtf.exe104⤵PID:2172
-
\??\c:\tvdnxbp.exec:\tvdnxbp.exe105⤵PID:3052
-
\??\c:\jtjnl.exec:\jtjnl.exe106⤵PID:2584
-
\??\c:\pjpbjlp.exec:\pjpbjlp.exe107⤵PID:2336
-
\??\c:\prtxhb.exec:\prtxhb.exe108⤵PID:2372
-
\??\c:\hrfpph.exec:\hrfpph.exe109⤵PID:2376
-
\??\c:\dlvntj.exec:\dlvntj.exe110⤵PID:2648
-
\??\c:\vjprpn.exec:\vjprpn.exe111⤵PID:852
-
\??\c:\bxvhv.exec:\bxvhv.exe112⤵PID:1824
-
\??\c:\dphlh.exec:\dphlh.exe113⤵PID:2352
-
\??\c:\jlbpjl.exec:\jlbpjl.exe114⤵PID:1864
-
\??\c:\jtrhd.exec:\jtrhd.exe115⤵PID:2404
-
\??\c:\jbnhl.exec:\jbnhl.exe116⤵PID:2180
-
\??\c:\bvphbt.exec:\bvphbt.exe117⤵PID:916
-
\??\c:\nfrjph.exec:\nfrjph.exe118⤵PID:824
-
\??\c:\hpdrd.exec:\hpdrd.exe119⤵PID:524
-
\??\c:\xxdblhb.exec:\xxdblhb.exe120⤵PID:2680
-
\??\c:\jldvjrd.exec:\jldvjrd.exe121⤵PID:1868
-
\??\c:\ljjphd.exec:\ljjphd.exe122⤵PID:400