Analysis
- max time kernel: 150s
- max time network: 128s
- platform: windows7_x64
- resource: win7-20241010-en
- resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
- submitted: 18-12-2024 02:10
Behavioral task: behavioral1
- Sample: 95a537854b0be1c3645a102df893e693de29fc0bc028cf9e9634fe8f5d3e3e5a.exe
- Resource: win7-20241010-en (windows7-x64)
- 9 signatures
- 150 seconds
General
- Target: 95a537854b0be1c3645a102df893e693de29fc0bc028cf9e9634fe8f5d3e3e5a.exe
- Size: 3.7MB
- MD5: abe04a5143418c4bf41fba56344e507d
- SHA1: 3db0daea625c1dcdf860ce7ce079dac7014f954d
- SHA256: 95a537854b0be1c3645a102df893e693de29fc0bc028cf9e9634fe8f5d3e3e5a
- SHA512: d1762e470038fd9b919ed0b817206a10215348f49767db40e5ffb9ba420ba0d7c58ca7ab495bc65ae0d6304362a2f1f05abd69ebfbc06325ab7b4d7f7adb174f
- SSDEEP: 49152:gCOfN6X5tLLQTg20ITS/PPs/1kS4eKRL/SRsj0Zuur1T75YqVUrmNF98q:U6XLq/qPPslzKx/dJg1ErmN3
Malware Config
Signatures
- Blackmoon family
- Detect Blackmoon payload (46 IoCs)
resource (yara_rule is family_blackmoon for every entry)
behavioral1/memory/1064-9-0x0000000000400000-0x0000000000427000-memory.dmp
behavioral1/memory/2316-19-0x0000000000400000-0x0000000000427000-memory.dmp
behavioral1/memory/2740-29-0x0000000000400000-0x0000000000427000-memory.dmp
behavioral1/memory/2744-37-0x0000000000400000-0x0000000000427000-memory.dmp
behavioral1/memory/2896-47-0x0000000000400000-0x0000000000427000-memory.dmp
behavioral1/memory/2764-50-0x0000000000400000-0x0000000000427000-memory.dmp
behavioral1/memory/2896-42-0x0000000000220000-0x0000000000247000-memory.dmp
behavioral1/memory/2612-65-0x0000000000400000-0x0000000000427000-memory.dmp
behavioral1/memory/3052-68-0x0000000000400000-0x0000000000427000-memory.dmp
behavioral1/memory/1200-83-0x0000000000400000-0x0000000000427000-memory.dmp
behavioral1/memory/2924-100-0x0000000000400000-0x0000000000427000-memory.dmp
behavioral1/memory/2912-117-0x0000000000400000-0x0000000000427000-memory.dmp
behavioral1/memory/1992-120-0x0000000000400000-0x0000000000427000-memory.dmp
behavioral1/memory/2116-181-0x0000000000400000-0x0000000000427000-memory.dmp
behavioral1/memory/2428-171-0x0000000000400000-0x0000000000427000-memory.dmp
behavioral1/memory/2400-190-0x0000000000400000-0x0000000000427000-memory.dmp
behavioral1/memory/2476-210-0x0000000000400000-0x0000000000427000-memory.dmp
behavioral1/memory/236-217-0x0000000000220000-0x0000000000247000-memory.dmp
behavioral1/memory/2324-230-0x0000000000400000-0x0000000000427000-memory.dmp
behavioral1/memory/280-227-0x0000000000400000-0x0000000000427000-memory.dmp
behavioral1/memory/1512-248-0x0000000000400000-0x0000000000427000-memory.dmp
behavioral1/memory/1008-267-0x0000000000400000-0x0000000000427000-memory.dmp
behavioral1/memory/2040-265-0x0000000000400000-0x0000000000427000-memory.dmp
behavioral1/memory/1188-282-0x0000000000400000-0x0000000000427000-memory.dmp
behavioral1/memory/1744-312-0x0000000000400000-0x0000000000427000-memory.dmp
behavioral1/memory/2812-326-0x0000000000400000-0x0000000000427000-memory.dmp
behavioral1/memory/2616-333-0x0000000000400000-0x0000000000427000-memory.dmp
behavioral1/memory/2828-347-0x0000000000400000-0x0000000000427000-memory.dmp
behavioral1/memory/2468-444-0x0000000000400000-0x0000000000427000-memory.dmp
behavioral1/memory/2432-457-0x0000000000400000-0x0000000000427000-memory.dmp
behavioral1/memory/1516-472-0x0000000000220000-0x0000000000247000-memory.dmp
behavioral1/memory/904-496-0x00000000003A0000-0x00000000003C7000-memory.dmp
behavioral1/memory/2084-511-0x0000000000400000-0x0000000000427000-memory.dmp
behavioral1/memory/620-562-0x0000000000400000-0x0000000000427000-memory.dmp
behavioral1/memory/2564-575-0x0000000000400000-0x0000000000427000-memory.dmp
behavioral1/memory/1312-587-0x0000000000220000-0x0000000000247000-memory.dmp
behavioral1/memory/1780-627-0x0000000000400000-0x0000000000427000-memory.dmp
behavioral1/memory/2908-666-0x0000000000400000-0x0000000000427000-memory.dmp
behavioral1/memory/2176-767-0x0000000000400000-0x0000000000427000-memory.dmp
behavioral1/memory/3040-864-0x0000000000220000-0x0000000000247000-memory.dmp
behavioral1/memory/2780-1015-0x00000000001B0000-0x00000000001D7000-memory.dmp
behavioral1/memory/2116-1039-0x00000000002C0000-0x00000000002E7000-memory.dmp
behavioral1/memory/2508-1153-0x00000000001B0000-0x00000000001D7000-memory.dmp
behavioral1/memory/2508-1172-0x00000000001B0000-0x00000000001D7000-memory.dmp
behavioral1/memory/2732-1197-0x00000000002C0000-0x00000000002E7000-memory.dmp
behavioral1/memory/2764-1211-0x00000000001B0000-0x00000000001D7000-memory.dmp
- Njrat family
- Executes dropped EXE (64 IoCs)
pid  Process
2316  pbnvh.exe
2740  drdhtr.exe
2744  hfbfnh.exe
2896  hvdjj.exe
2764  bnxbtfn.exe
2612  lvbjn.exe
3052  fxbhh.exe
1200  bhhhl.exe
2168  pldvvn.exe
2924  fjfnpt.exe
2228  fnhdtxj.exe
2912  fvlbbvf.exe
1992  hbbtb.exe
1924  ttpdlf.exe
2240  xdbxh.exe
2304  nrrrfr.exe
548  dvhvtvf.exe
2428  jhtlf.exe
2116  vnbdh.exe
2400  pfdfdx.exe
2424  nljjnx.exe
2476  xvxxlrn.exe
236  rjvnl.exe
280  dxfxfhr.exe
2324  hxhxd.exe
1528  llxjdtx.exe
1512  rntdp.exe
2040  xlvth.exe
1008  bpvdxf.exe
1188  ppbfnf.exe
108  xfnxd.exe
1788  hfnxjf.exe
2264  jfrjt.exe
2448  nvrjl.exe
2812  bxfnp.exe
2732  xfppj.exe
2616  jblvn.exe
2828  xdnxrvl.exe
2756  xxntprd.exe
3056  vlhxnl.exe
2736  xtfxrn.exe
576  nxxdxvn.exe
1672  djhphl.exe
2892  ndrjlj.exe
2888  hppfjl.exe
552  rrxlr.exe
1020  rbbbbdd.exe
2560  bdrhlnr.exe
340  rbhtx.exe
2632  jxtvhtt.exe
2240  tblbt.exe
2136  pjlvr.exe
2336  ltpdldt.exe
2468  dvllxr.exe
2432  hrrpbb.exe
2116  rtftbh.exe
2420  hpfhpvj.exe
1516  pljlrnv.exe
1808  jndfxht.exe
776  rvxpvxr.exe
904  xhxnhjp.exe
964  hpxfvb.exe
2084  hprdnbd.exe
2552  tpjpljp.exe
- (signature name not present on the page; yara_rule is upx for every entry)
resource
behavioral1/memory/1064-0-0x0000000000400000-0x0000000000427000-memory.dmp
behavioral1/files/0x0003000000018334-5.dat
behavioral1/memory/1064-9-0x0000000000400000-0x0000000000427000-memory.dmp
behavioral1/memory/2740-20-0x0000000000400000-0x0000000000427000-memory.dmp
behavioral1/memory/2316-19-0x0000000000400000-0x0000000000427000-memory.dmp
behavioral1/files/0x0008000000019515-17.dat
behavioral1/memory/2316-16-0x00000000005C0000-0x00000000005E7000-memory.dmp
behavioral1/files/0x00080000000195a9-27.dat
behavioral1/memory/2740-29-0x0000000000400000-0x0000000000427000-memory.dmp
behavioral1/files/0x00070000000195af-38.dat
behavioral1/memory/2744-37-0x0000000000400000-0x0000000000427000-memory.dmp
behavioral1/files/0x0007000000019547-49.dat
behavioral1/memory/2896-47-0x0000000000400000-0x0000000000427000-memory.dmp
behavioral1/memory/2764-50-0x0000000000400000-0x0000000000427000-memory.dmp
behavioral1/memory/2896-42-0x0000000000220000-0x0000000000247000-memory.dmp
behavioral1/files/0x00060000000195b5-58.dat
behavioral1/files/0x00060000000195b7-66.dat
behavioral1/memory/2612-65-0x0000000000400000-0x0000000000427000-memory.dmp
behavioral1/memory/3052-68-0x0000000000400000-0x0000000000427000-memory.dmp
behavioral1/files/0x00080000000195bb-75.dat
behavioral1/files/0x00070000000195bd-85.dat
behavioral1/memory/1200-83-0x0000000000400000-0x0000000000427000-memory.dmp
behavioral1/files/0x000500000001a46f-92.dat
behavioral1/files/0x000500000001a471-102.dat
behavioral1/memory/2924-100-0x0000000000400000-0x0000000000427000-memory.dmp
behavioral1/files/0x000500000001a473-110.dat
behavioral1/memory/2912-117-0x0000000000400000-0x0000000000427000-memory.dmp
behavioral1/memory/1992-120-0x0000000000400000-0x0000000000427000-memory.dmp
behavioral1/files/0x000500000001a475-119.dat
behavioral1/files/0x000500000001a477-128.dat
behavioral1/files/0x000500000001a479-138.dat
behavioral1/files/0x000500000001a47b-145.dat
behavioral1/files/0x000500000001a47d-154.dat
behavioral1/files/0x000500000001a480-162.dat
behavioral1/files/0x000500000001a482-172.dat
behavioral1/memory/2116-173-0x0000000000400000-0x0000000000427000-memory.dmp
behavioral1/files/0x000500000001a484-183.dat
behavioral1/memory/2116-181-0x0000000000400000-0x0000000000427000-memory.dmp
behavioral1/memory/2428-171-0x0000000000400000-0x0000000000427000-memory.dmp
behavioral1/files/0x000500000001a486-192.dat
behavioral1/memory/2400-190-0x0000000000400000-0x0000000000427000-memory.dmp
behavioral1/files/0x000500000001a488-199.dat
behavioral1/memory/2476-210-0x0000000000400000-0x0000000000427000-memory.dmp
behavioral1/files/0x000500000001a48a-209.dat
behavioral1/files/0x000500000001a48d-220.dat
behavioral1/files/0x000500000001a48f-228.dat
behavioral1/memory/2324-230-0x0000000000400000-0x0000000000427000-memory.dmp
behavioral1/memory/280-227-0x0000000000400000-0x0000000000427000-memory.dmp
behavioral1/files/0x000500000001a491-238.dat
behavioral1/files/0x000500000001a493-247.dat
behavioral1/memory/1512-248-0x0000000000400000-0x0000000000427000-memory.dmp
behavioral1/files/0x000500000001a499-253.dat
behavioral1/files/0x000500000001a49a-263.dat
behavioral1/memory/1008-267-0x0000000000400000-0x0000000000427000-memory.dmp
behavioral1/memory/2040-265-0x0000000000400000-0x0000000000427000-memory.dmp
behavioral1/files/0x000500000001a49e-275.dat
behavioral1/files/0x000500000001a49f-284.dat
behavioral1/memory/1188-282-0x0000000000400000-0x0000000000427000-memory.dmp
behavioral1/files/0x000500000001a4a1-294.dat
behavioral1/memory/1744-312-0x0000000000400000-0x0000000000427000-memory.dmp
behavioral1/memory/2812-326-0x0000000000400000-0x0000000000427000-memory.dmp
behavioral1/memory/2616-333-0x0000000000400000-0x0000000000427000-memory.dmp
behavioral1/memory/2828-340-0x0000000000400000-0x0000000000427000-memory.dmp
behavioral1/memory/2828-347-0x0000000000400000-0x0000000000427000-memory.dmp
- System Location Discovery: System Language Discovery (1 TTPs, 64 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description: Key opened; ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (the same key for every entry)
Process: xfbhnh.exe, rtrnbt.exe, xtpbvrh.exe, bvjvxlf.exe, nxpbf.exe, hnvfrxd.exe, fxllrnj.exe, xpdnvdh.exe, pbbrf.exe, fptxllf.exe, xxxbpxx.exe, vjdhf.exe, xdnxrvl.exe, pftlnrl.exe, pvlffjx.exe, fllnvb.exe, ffdnvf.exe, vfxvbtv.exe, fnrtp.exe, fhtvfdp.exe, jrhjbh.exe, lvbjn.exe, nddfp.exe, rfljxbp.exe, ttpdlf.exe, txddbdj.exe, xphph.exe, rrnlpl.exe, rttrx.exe, pjrtrhj.exe, npdprxx.exe, rndlvr.exe, vfbnpdf.exe, xtfxrn.exe, jbtvtnh.exe, vpldfj.exe, rrnnhff.exe, hppfjl.exe, hptxnfh.exe, xxjdnrj.exe, dlxnfbp.exe, fhvlrd.exe, dvltxlp.exe, nnrvnxd.exe, ffhfbrb.exe, ndxvlf.exe, tpfnpd.exe, vtrpn.exe, xrftvn.exe, nnfldnh.exe, htxtx.exe, xfnxd.exe, djhphl.exe, pbnjhd.exe, tbfbxhv.exe, lpjfbhp.exe, nrbhh.exe, hjtrjp.exe, bbvddn.exe, fljxll.exe, xvpfnn.exe, pbnvh.exe, dblrjj.exe, xljrvv.exe
- Suspicious use of WriteProcessMemory (64 IoCs; each row below appears four times in the report)
description  pid  Process  procid_target
PID 1064 wrote to memory of 2316  1064  95a537854b0be1c3645a102df893e693de29fc0bc028cf9e9634fe8f5d3e3e5a.exe  30
PID 2316 wrote to memory of 2740  2316  pbnvh.exe  31
PID 2740 wrote to memory of 2744  2740  drdhtr.exe  32
PID 2744 wrote to memory of 2896  2744  hfbfnh.exe  33
PID 2896 wrote to memory of 2764  2896  hvdjj.exe  34
PID 2764 wrote to memory of 2612  2764  bnxbtfn.exe  35
PID 2612 wrote to memory of 3052  2612  lvbjn.exe  36
PID 3052 wrote to memory of 1200  3052  fxbhh.exe  37
PID 1200 wrote to memory of 2168  1200  bhhhl.exe  38
PID 2168 wrote to memory of 2924  2168  pldvvn.exe  39
PID 2924 wrote to memory of 2228  2924  fjfnpt.exe  40
PID 2228 wrote to memory of 2912  2228  fnhdtxj.exe  41
PID 2912 wrote to memory of 1992  2912  fvlbbvf.exe  42
PID 1992 wrote to memory of 1924  1992  hbbtb.exe  43
PID 1924 wrote to memory of 2240  1924  ttpdlf.exe  81
PID 2240 wrote to memory of 2304  2240  xdbxh.exe  45
Processes
level  image path  command line  PID  signatures
1  C:\Users\Admin\AppData\Local\Temp\95a537854b0be1c3645a102df893e693de29fc0bc028cf9e9634fe8f5d3e3e5a.exe  "C:\Users\Admin\AppData\Local\Temp\95a537854b0be1c3645a102df893e693de29fc0bc028cf9e9634fe8f5d3e3e5a.exe"  PID 1064  Suspicious use of WriteProcessMemory
2  \??\c:\pbnvh.exe  c:\pbnvh.exe  PID 2316  Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
3  \??\c:\drdhtr.exe  c:\drdhtr.exe  PID 2740  Executes dropped EXE; Suspicious use of WriteProcessMemory
4  \??\c:\hfbfnh.exe  c:\hfbfnh.exe  PID 2744  Executes dropped EXE; Suspicious use of WriteProcessMemory
5  \??\c:\hvdjj.exe  c:\hvdjj.exe  PID 2896  Executes dropped EXE; Suspicious use of WriteProcessMemory
6  \??\c:\bnxbtfn.exe  c:\bnxbtfn.exe  PID 2764  Executes dropped EXE; Suspicious use of WriteProcessMemory
7  \??\c:\lvbjn.exe  c:\lvbjn.exe  PID 2612  Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
8  \??\c:\fxbhh.exe  c:\fxbhh.exe  PID 3052  Executes dropped EXE; Suspicious use of WriteProcessMemory
9  \??\c:\bhhhl.exe  c:\bhhhl.exe  PID 1200  Executes dropped EXE; Suspicious use of WriteProcessMemory
10  \??\c:\pldvvn.exe  c:\pldvvn.exe  PID 2168  Executes dropped EXE; Suspicious use of WriteProcessMemory
11  \??\c:\fjfnpt.exe  c:\fjfnpt.exe  PID 2924  Executes dropped EXE; Suspicious use of WriteProcessMemory
12  \??\c:\fnhdtxj.exe  c:\fnhdtxj.exe  PID 2228  Executes dropped EXE; Suspicious use of WriteProcessMemory
13  \??\c:\fvlbbvf.exe  c:\fvlbbvf.exe  PID 2912  Executes dropped EXE; Suspicious use of WriteProcessMemory
14  \??\c:\hbbtb.exe  c:\hbbtb.exe  PID 1992  Executes dropped EXE; Suspicious use of WriteProcessMemory
15  \??\c:\ttpdlf.exe  c:\ttpdlf.exe  PID 1924  Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
16  \??\c:\xdbxh.exe  c:\xdbxh.exe  PID 2240  Executes dropped EXE; Suspicious use of WriteProcessMemory
17  \??\c:\nrrrfr.exe  c:\nrrrfr.exe  PID 2304  Executes dropped EXE
18  \??\c:\dvhvtvf.exe  c:\dvhvtvf.exe  PID 548  Executes dropped EXE
19  \??\c:\jhtlf.exe  c:\jhtlf.exe  PID 2428  Executes dropped EXE
20  \??\c:\vnbdh.exe  c:\vnbdh.exe  PID 2116  Executes dropped EXE
21  \??\c:\pfdfdx.exe  c:\pfdfdx.exe  PID 2400  Executes dropped EXE
22  \??\c:\nljjnx.exe  c:\nljjnx.exe  PID 2424  Executes dropped EXE
23  \??\c:\xvxxlrn.exe  c:\xvxxlrn.exe  PID 2476  Executes dropped EXE
24  \??\c:\rjvnl.exe  c:\rjvnl.exe  PID 236  Executes dropped EXE
25  \??\c:\dxfxfhr.exe  c:\dxfxfhr.exe  PID 280  Executes dropped EXE
26  \??\c:\hxhxd.exe  c:\hxhxd.exe  PID 2324  Executes dropped EXE
27  \??\c:\llxjdtx.exe  c:\llxjdtx.exe  PID 1528  Executes dropped EXE
28  \??\c:\rntdp.exe  c:\rntdp.exe  PID 1512  Executes dropped EXE
29  \??\c:\xlvth.exe  c:\xlvth.exe  PID 2040  Executes dropped EXE
30  \??\c:\bpvdxf.exe  c:\bpvdxf.exe  PID 1008  Executes dropped EXE
31  \??\c:\ppbfnf.exe  c:\ppbfnf.exe  PID 1188  Executes dropped EXE
32  \??\c:\xfnxd.exe  c:\xfnxd.exe  PID 108  Executes dropped EXE; System Location Discovery: System Language Discovery
33  \??\c:\hfnxjf.exe  c:\hfnxjf.exe  PID 1788  Executes dropped EXE
34  \??\c:\jfrjt.exe  c:\jfrjt.exe  PID 2264  Executes dropped EXE
35  \??\c:\hvvfxvn.exe  c:\hvvfxvn.exe  PID 1744
36  \??\c:\nvrjl.exe  c:\nvrjl.exe  PID 2448  Executes dropped EXE
37  \??\c:\bxfnp.exe  c:\bxfnp.exe  PID 2812  Executes dropped EXE
38  \??\c:\xfppj.exe  c:\xfppj.exe  PID 2732  Executes dropped EXE
39  \??\c:\jblvn.exe  c:\jblvn.exe  PID 2616  Executes dropped EXE
40  \??\c:\xdnxrvl.exe  c:\xdnxrvl.exe  PID 2828  Executes dropped EXE; System Location Discovery: System Language Discovery
41  \??\c:\xxntprd.exe  c:\xxntprd.exe  PID 2756  Executes dropped EXE
42  \??\c:\vlhxnl.exe  c:\vlhxnl.exe  PID 3056  Executes dropped EXE
43  \??\c:\xtfxrn.exe  c:\xtfxrn.exe  PID 2736  Executes dropped EXE; System Location Discovery: System Language Discovery
44  \??\c:\nxxdxvn.exe  c:\nxxdxvn.exe  PID 576  Executes dropped EXE
45  \??\c:\djhphl.exe  c:\djhphl.exe  PID 1672  Executes dropped EXE; System Location Discovery: System Language Discovery
46  \??\c:\ndrjlj.exe  c:\ndrjlj.exe  PID 2892  Executes dropped EXE
47  \??\c:\hppfjl.exe  c:\hppfjl.exe  PID 2888  Executes dropped EXE; System Location Discovery: System Language Discovery
48  \??\c:\rrxlr.exe  c:\rrxlr.exe  PID 552  Executes dropped EXE
49  \??\c:\rbbbbdd.exe  c:\rbbbbdd.exe  PID 1020  Executes dropped EXE
50  \??\c:\bdrhlnr.exe  c:\bdrhlnr.exe  PID 2560  Executes dropped EXE
51  \??\c:\rbhtx.exe  c:\rbhtx.exe  PID 340  Executes dropped EXE
52  \??\c:\jxtvhtt.exe  c:\jxtvhtt.exe  PID 2632  Executes dropped EXE
53  \??\c:\tblbt.exe  c:\tblbt.exe  PID 2240  Executes dropped EXE
54  \??\c:\pjlvr.exe  c:\pjlvr.exe  PID 2136  Executes dropped EXE
55  \??\c:\ltpdldt.exe  c:\ltpdldt.exe  PID 2336  Executes dropped EXE
56  \??\c:\dvllxr.exe  c:\dvllxr.exe  PID 2468  Executes dropped EXE
57  \??\c:\hrrpbb.exe  c:\hrrpbb.exe  PID 2432  Executes dropped EXE
58  \??\c:\rtftbh.exe  c:\rtftbh.exe  PID 2116  Executes dropped EXE
59  \??\c:\hpfhpvj.exe  c:\hpfhpvj.exe  PID 2420  Executes dropped EXE
60  \??\c:\pljlrnv.exe  c:\pljlrnv.exe  PID 1516  Executes dropped EXE
61  \??\c:\jndfxht.exe  c:\jndfxht.exe  PID 1808  Executes dropped EXE
62  \??\c:\rvxpvxr.exe  c:\rvxpvxr.exe  PID 776  Executes dropped EXE
63  \??\c:\xhxnhjp.exe  c:\xhxnhjp.exe  PID 904  Executes dropped EXE
64  \??\c:\hpxfvb.exe  c:\hpxfvb.exe  PID 964  Executes dropped EXE
65  \??\c:\hprdnbd.exe  c:\hprdnbd.exe  PID 2084  Executes dropped EXE
66  \??\c:\tpjpljp.exe  c:\tpjpljp.exe  PID 2552  Executes dropped EXE
67  \??\c:\rjfhhfx.exe  c:\rjfhhfx.exe  PID 1148
68  \??\c:\tfpxh.exe  c:\tfpxh.exe  PID 1228
69  \??\c:\xbblbh.exe  c:\xbblbh.exe  PID 2524
70  \??\c:\vpnrxnh.exe  c:\vpnrxnh.exe  PID 1616
71  \??\c:\jjrpp.exe  c:\jjrpp.exe  PID 2968
72  \??\c:\rjbrxlr.exe  c:\rjbrxlr.exe  PID 2504
73  \??\c:\lbfxf.exe  c:\lbfxf.exe  PID 2368
74  \??\c:\rvbfxjp.exe  c:\rvbfxjp.exe  PID 620
75  \??\c:\thrlhpb.exe  c:\thrlhpb.exe  PID 108
76  \??\c:\tdjnvt.exe  c:\tdjnvt.exe  PID 2564
77  \??\c:\pblphpt.exe  c:\pblphpt.exe  PID 1312
78  \??\c:\hnnhfb.exe  c:\hnnhfb.exe  PID 848
79  \??\c:\rlvvxb.exe  c:\rlvvxb.exe  PID 2684
80  \??\c:\nvppvl.exe  c:\nvppvl.exe  PID 2748
81  \??\c:\jlbhv.exe  c:\jlbhv.exe  PID 2860
82  \??\c:\frrhvb.exe  c:\frrhvb.exe  PID 2732
83  \??\c:\jhpfr.exe  c:\jhpfr.exe  PID 1332
84  \??\c:\plrdp.exe  c:\plrdp.exe  PID 1780
85  \??\c:\tpfnpd.exe  c:\tpfnpd.exe  PID 2656  System Location Discovery: System Language Discovery
86  \??\c:\llvhdx.exe  c:\llvhdx.exe  PID 2624
87  \??\c:\fljhxv.exe  c:\fljhxv.exe  PID 2992
88  \??\c:\lnvhd.exe  c:\lnvhd.exe  PID 3060
89  \??\c:\hddtj.exe  c:\hddtj.exe  PID 396
90  \??\c:\lblhv.exe  c:\lblhv.exe  PID 2908
91  \??\c:\lxvrd.exe  c:\lxvrd.exe  PID 772
92  \??\c:\dfnhbl.exe  c:\dfnhbl.exe  PID 2944
93  \??\c:\lxnfx.exe  c:\lxnfx.exe  PID 2760
94  \??\c:\xrbjbx.exe  c:\xrbjbx.exe  PID 2044
95  \??\c:\btnxh.exe  c:\btnxh.exe  PID 1020
96  \??\c:\pjvvxp.exe  c:\pjvvxp.exe  PID 1796
97  \??\c:\blddljh.exe  c:\blddljh.exe  PID 2956
98  \??\c:\tfrpjd.exe  c:\tfrpjd.exe  PID 1572
99  \??\c:\jbtvtnh.exe  c:\jbtvtnh.exe  PID 2212  System Location Discovery: System Language Discovery
100  \??\c:\hptxnfh.exe  c:\hptxnfh.exe  PID 548  System Location Discovery: System Language Discovery
101  \??\c:\xpntjd.exe  c:\xpntjd.exe  PID 1764
102  \??\c:\vpbfd.exe  c:\vpbfd.exe  PID 2404
103  \??\c:\ntjhdx.exe  c:\ntjhdx.exe  PID 1360
104  \??\c:\fxllrnj.exe  c:\fxllrnj.exe  PID 2440  System Location Discovery: System Language Discovery
105  \??\c:\dblrjj.exe  c:\dblrjj.exe  PID 2176  System Location Discovery: System Language Discovery
106  \??\c:\xpdnvdh.exe  c:\xpdnvdh.exe  PID 1288  System Location Discovery: System Language Discovery
107  \??\c:\dxhljb.exe  c:\dxhljb.exe  PID 2492
108  \??\c:\xffpb.exe  c:\xffpb.exe  PID 2156
109  \??\c:\lxlfnl.exe  c:\lxlfnl.exe  PID 2004
110  \??\c:\tbjxf.exe  c:\tbjxf.exe  PID 1496
111  \??\c:\pftlnrl.exe  c:\pftlnrl.exe  PID 2084  System Location Discovery: System Language Discovery
112  \??\c:\xpprtd.exe  c:\xpprtd.exe  PID 1508
113  \??\c:\xfdfhrj.exe  c:\xfdfhrj.exe  PID 1528
114  \??\c:\hhrndlj.exe  c:\hhrndlj.exe  PID 1804
115  \??\c:\lxhnx.exe  c:\lxhnx.exe  PID 2524
116  \??\c:\pfrxvj.exe  c:\pfrxvj.exe  PID 708
117  \??\c:\hjtjrth.exe  c:\hjtjrth.exe  PID 2968
118  \??\c:\xxjdnrj.exe  c:\xxjdnrj.exe  PID 828  System Location Discovery: System Language Discovery
119  \??\c:\xbvvxv.exe  c:\xbvvxv.exe  PID 1008
120  \??\c:\hhpnjx.exe  c:\hhpnjx.exe  PID 2528
121  \??\c:\flfrtjh.exe  c:\flfrtjh.exe  PID 3040
122  \??\c:\rdpdfdp.exe  c:\rdpdfdp.exe  PID 1604