Analysis
-
max time kernel
150s -
max time network
126s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64 arch:x86 image:win7-20241010-en locale:en-us os:windows7-x64 system -
submitted
24-12-2024 19:43
Behavioral task
behavioral1
Sample
105b3cd7c45a69eba8b2b2509059e303bd969cb279d5eecfc3cba8449dc40f87.exe
Resource
win7-20241010-en
windows7-x64
7 signatures
150 seconds
General
-
Target
105b3cd7c45a69eba8b2b2509059e303bd969cb279d5eecfc3cba8449dc40f87.exe
-
Size
332KB
-
MD5
718282396c93a1b834a49a61ec1caeac
-
SHA1
6c5a47a597ecf7d48d3244e2fe5a22387231fe21
-
SHA256
105b3cd7c45a69eba8b2b2509059e303bd969cb279d5eecfc3cba8449dc40f87
-
SHA512
6b76f7361a43683237ea7d052a45266ab2c6dc246246db230563b4dc9d9e2560a245b99c137a222909291042512d33fa844b68c05963e7d2fc846535d4aee91d
-
SSDEEP
6144:Lcm4FmowdHoSHt251UriZFwfsDX2UznsaFVNJCMKAbel:R4wFHoSHYHUrAwfMp3CDl
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 41 IoCs
resource yara_rule behavioral1/memory/2260-6-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1116-16-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2000-24-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2760-41-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2900-49-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2912-66-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2576-90-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1936-102-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2680-99-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/832-114-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/800-131-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1920-142-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/924-149-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2572-152-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/800-161-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/1728-172-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1628-170-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2020-185-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1156-188-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1736-224-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1724-232-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral1/memory/1528-267-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2452-275-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1408-284-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2452-295-0x00000000002A0000-0x00000000002C7000-memory.dmp family_blackmoon behavioral1/memory/2604-370-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2972-400-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/1504-447-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2988-451-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2176-477-0x0000000000430000-0x0000000000457000-memory.dmp family_blackmoon behavioral1/memory/1148-483-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2424-490-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1724-507-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2948-529-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2180-535-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/856-553-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/1408-559-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2208-575-0x00000000002A0000-0x00000000002C7000-memory.dmp family_blackmoon behavioral1/memory/1904-614-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1364-7687-0x0000000077170000-0x000000007726A000-memory.dmp family_blackmoon behavioral1/memory/1364-10953-0x0000000077050000-0x000000007716F000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1116 pvlhtjn.exe 2000 tthvvnd.exe 2388 bbfxdr.exe 2760 fflpv.exe 2900 xpljp.exe 2752 lhfrv.exe 2912 bxpbjt.exe 2644 hlrtpd.exe 320 tpntp.exe 2576 fxjnn.exe 2680 rxjtbnn.exe 1936 xxxpn.exe 832 bbtnlj.exe 2852 pdrdxp.exe 800 nhftjl.exe 1920 jxndv.exe 924 xbhxt.exe 2572 lfjlfp.exe 1628 nxjjlx.exe 1728 vlxrrh.exe 2020 xvbjxhb.exe 1156 bnpplj.exe 3068 hhvdbbr.exe 1164 hpplb.exe 1184 ldxvfr.exe 1736 prrpx.exe 1724 nvvldbx.exe 1688 phnrrn.exe 1540 rjxhjb.exe 2416 tljxd.exe 1528 dbxddh.exe 2452 vfptfhf.exe 880 nljlt.exe 1408 xnhntv.exe 2340 fdxbptb.exe 2112 rlvhnr.exe 2188 rhnfh.exe 2964 jhrndt.exe 2812 jntvrrl.exe 2728 vlnvrh.exe 2748 hnfppxx.exe 2892 vrffdtn.exe 2900 bvvhjv.exe 2628 dflntt.exe 2824 hfdvb.exe 2756 jpffj.exe 2788 ptdxfxv.exe 2464 fxxdtjx.exe 2604 rbrxd.exe 2576 rffxpf.exe 2832 dhnlx.exe 1936 lvbxdl.exe 2976 tvjtn.exe 2972 vtxxx.exe 1948 vjrhfxf.exe 2980 dtvvldv.exe 2944 xfvvfxh.exe 1928 jnppd.exe 2100 fppdrrv.exe 2988 rrnvjj.exe 2168 dndln.exe 1504 bjbvbb.exe 1332 bvjnb.exe 2176 ldbht.exe -
resource yara_rule behavioral1/memory/2260-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2260-6-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000a000000012262-8.dat upx behavioral1/memory/2000-17-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/1116-16-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0008000000016c23-15.dat upx behavioral1/files/0x0007000000016cab-25.dat upx behavioral1/memory/2000-24-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0007000000016ccc-34.dat upx behavioral1/memory/2900-42-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2760-41-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0007000000016cd8-40.dat upx behavioral1/memory/2900-49-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0008000000016ce0-50.dat upx behavioral1/files/0x0008000000016ce9-58.dat upx behavioral1/memory/2644-67-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0009000000016ace-68.dat upx behavioral1/memory/2912-66-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/320-75-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00050000000194a3-74.dat upx behavioral1/files/0x00050000000194eb-83.dat upx behavioral1/memory/2576-90-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00050000000194ef-91.dat upx behavioral1/files/0x000500000001950f-98.dat upx behavioral1/memory/1936-102-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2680-99-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0005000000019515-107.dat upx behavioral1/files/0x0005000000019547-115.dat upx behavioral1/memory/832-114-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001957c-124.dat upx behavioral1/files/0x00050000000195a7-134.dat upx 
behavioral1/memory/800-131-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/1920-142-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00050000000195a9-141.dat upx behavioral1/memory/924-149-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2572-152-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00050000000195ab-151.dat upx behavioral1/memory/1628-162-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00050000000195ad-160.dat upx behavioral1/files/0x00050000000195af-169.dat upx behavioral1/memory/1728-172-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/1628-170-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00050000000195b1-178.dat upx behavioral1/memory/2020-185-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00050000000195b3-186.dat upx behavioral1/memory/1156-188-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00050000000195b5-194.dat upx behavioral1/files/0x00050000000195b7-201.dat upx behavioral1/files/0x00050000000195bb-209.dat upx behavioral1/files/0x00050000000195bd-218.dat upx behavioral1/files/0x00050000000195c1-225.dat upx behavioral1/memory/1736-224-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/1724-232-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00050000000195c3-233.dat upx behavioral1/files/0x00050000000195c5-241.dat upx behavioral1/files/0x00050000000195c6-251.dat upx behavioral1/files/0x00050000000195c7-260.dat upx behavioral1/files/0x000500000001960c-269.dat upx behavioral1/memory/1528-267-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2452-275-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/880-277-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/1408-284-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral1/memory/2604-370-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2944-412-0x0000000000400000-0x0000000000427000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host (here by opening the NLS\Language registry key) in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xtdhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vrffdtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llxbnv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jtvtdb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thfbl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfvtlnp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xdjvhpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ptpfp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fflffh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hxjxpxp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnpxdff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bttnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpdhdbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fnvbx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppvxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rnlprjf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrvrjbp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bjfxv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rjbpnj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rjhrdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrljj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language phdffbd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tjhbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language njblht.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vhhjfxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bdnrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbrhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xppfvh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thdht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jfthpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jttht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dnprr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fnhdj.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2260 wrote to memory of 1116 2260 105b3cd7c45a69eba8b2b2509059e303bd969cb279d5eecfc3cba8449dc40f87.exe 31 PID 2260 wrote to memory of 1116 2260 105b3cd7c45a69eba8b2b2509059e303bd969cb279d5eecfc3cba8449dc40f87.exe 31 PID 2260 wrote to memory of 1116 2260 105b3cd7c45a69eba8b2b2509059e303bd969cb279d5eecfc3cba8449dc40f87.exe 31 PID 2260 wrote to memory of 1116 2260 105b3cd7c45a69eba8b2b2509059e303bd969cb279d5eecfc3cba8449dc40f87.exe 31 PID 1116 wrote to memory of 2000 1116 pvlhtjn.exe 32 PID 1116 wrote to memory of 2000 1116 pvlhtjn.exe 32 PID 1116 wrote to memory of 2000 1116 pvlhtjn.exe 32 PID 1116 wrote to memory of 2000 1116 pvlhtjn.exe 32 PID 2000 wrote to memory of 2388 2000 tthvvnd.exe 33 PID 2000 wrote to memory of 2388 2000 tthvvnd.exe 33 PID 2000 wrote to memory of 2388 2000 tthvvnd.exe 33 PID 2000 wrote to memory of 2388 2000 tthvvnd.exe 33 PID 2388 wrote to memory of 2760 2388 bbfxdr.exe 34 PID 2388 wrote to memory of 2760 2388 bbfxdr.exe 34 PID 2388 wrote to memory of 2760 2388 bbfxdr.exe 34 PID 2388 wrote to memory of 2760 2388 bbfxdr.exe 34 PID 2760 wrote to memory of 2900 2760 fflpv.exe 35 PID 2760 wrote to memory of 2900 2760 fflpv.exe 35 PID 2760 wrote to memory of 2900 2760 fflpv.exe 35 PID 2760 wrote to memory of 2900 2760 fflpv.exe 35 PID 2900 wrote to memory of 2752 2900 xpljp.exe 36 PID 2900 wrote to memory of 2752 2900 xpljp.exe 36 PID 2900 wrote to memory of 2752 2900 xpljp.exe 36 PID 2900 wrote to memory of 2752 2900 xpljp.exe 36 PID 2752 wrote to memory of 2912 2752 lhfrv.exe 37 PID 2752 wrote to memory of 2912 2752 lhfrv.exe 37 PID 2752 wrote to memory of 2912 2752 lhfrv.exe 37 PID 2752 wrote to memory of 2912 2752 lhfrv.exe 37 PID 2912 wrote to memory of 2644 2912 bxpbjt.exe 38 PID 2912 wrote to memory of 2644 2912 bxpbjt.exe 38 PID 2912 wrote to memory of 2644 2912 bxpbjt.exe 38 PID 2912 wrote to memory of 2644 2912 bxpbjt.exe 38 PID 2644 wrote to memory of 320 2644 hlrtpd.exe 39 PID 2644 wrote to 
memory of 320 2644 hlrtpd.exe 39 PID 2644 wrote to memory of 320 2644 hlrtpd.exe 39 PID 2644 wrote to memory of 320 2644 hlrtpd.exe 39 PID 320 wrote to memory of 2576 320 tpntp.exe 40 PID 320 wrote to memory of 2576 320 tpntp.exe 40 PID 320 wrote to memory of 2576 320 tpntp.exe 40 PID 320 wrote to memory of 2576 320 tpntp.exe 40 PID 2576 wrote to memory of 2680 2576 fxjnn.exe 41 PID 2576 wrote to memory of 2680 2576 fxjnn.exe 41 PID 2576 wrote to memory of 2680 2576 fxjnn.exe 41 PID 2576 wrote to memory of 2680 2576 fxjnn.exe 41 PID 2680 wrote to memory of 1936 2680 rxjtbnn.exe 42 PID 2680 wrote to memory of 1936 2680 rxjtbnn.exe 42 PID 2680 wrote to memory of 1936 2680 rxjtbnn.exe 42 PID 2680 wrote to memory of 1936 2680 rxjtbnn.exe 42 PID 1936 wrote to memory of 832 1936 xxxpn.exe 43 PID 1936 wrote to memory of 832 1936 xxxpn.exe 43 PID 1936 wrote to memory of 832 1936 xxxpn.exe 43 PID 1936 wrote to memory of 832 1936 xxxpn.exe 43 PID 832 wrote to memory of 2852 832 bbtnlj.exe 44 PID 832 wrote to memory of 2852 832 bbtnlj.exe 44 PID 832 wrote to memory of 2852 832 bbtnlj.exe 44 PID 832 wrote to memory of 2852 832 bbtnlj.exe 44 PID 2852 wrote to memory of 800 2852 pdrdxp.exe 45 PID 2852 wrote to memory of 800 2852 pdrdxp.exe 45 PID 2852 wrote to memory of 800 2852 pdrdxp.exe 45 PID 2852 wrote to memory of 800 2852 pdrdxp.exe 45 PID 800 wrote to memory of 1920 800 nhftjl.exe 46 PID 800 wrote to memory of 1920 800 nhftjl.exe 46 PID 800 wrote to memory of 1920 800 nhftjl.exe 46 PID 800 wrote to memory of 1920 800 nhftjl.exe 46
Processes
-
C:\Users\Admin\AppData\Local\Temp\105b3cd7c45a69eba8b2b2509059e303bd969cb279d5eecfc3cba8449dc40f87.exe"C:\Users\Admin\AppData\Local\Temp\105b3cd7c45a69eba8b2b2509059e303bd969cb279d5eecfc3cba8449dc40f87.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2260 -
\??\c:\pvlhtjn.exec:\pvlhtjn.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1116 -
\??\c:\tthvvnd.exec:\tthvvnd.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2000 -
\??\c:\bbfxdr.exec:\bbfxdr.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2388 -
\??\c:\fflpv.exec:\fflpv.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2760 -
\??\c:\xpljp.exec:\xpljp.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2900 -
\??\c:\lhfrv.exec:\lhfrv.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2752 -
\??\c:\bxpbjt.exec:\bxpbjt.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2912 -
\??\c:\hlrtpd.exec:\hlrtpd.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2644 -
\??\c:\tpntp.exec:\tpntp.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:320 -
\??\c:\fxjnn.exec:\fxjnn.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2576 -
\??\c:\rxjtbnn.exec:\rxjtbnn.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2680 -
\??\c:\xxxpn.exec:\xxxpn.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1936 -
\??\c:\bbtnlj.exec:\bbtnlj.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:832 -
\??\c:\pdrdxp.exec:\pdrdxp.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2852 -
\??\c:\nhftjl.exec:\nhftjl.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:800 -
\??\c:\jxndv.exec:\jxndv.exe17⤵
- Executes dropped EXE
PID:1920 -
\??\c:\xbhxt.exec:\xbhxt.exe18⤵
- Executes dropped EXE
PID:924 -
\??\c:\lfjlfp.exec:\lfjlfp.exe19⤵
- Executes dropped EXE
PID:2572 -
\??\c:\nxjjlx.exec:\nxjjlx.exe20⤵
- Executes dropped EXE
PID:1628 -
\??\c:\vlxrrh.exec:\vlxrrh.exe21⤵
- Executes dropped EXE
PID:1728 -
\??\c:\xvbjxhb.exec:\xvbjxhb.exe22⤵
- Executes dropped EXE
PID:2020 -
\??\c:\bnpplj.exec:\bnpplj.exe23⤵
- Executes dropped EXE
PID:1156 -
\??\c:\hhvdbbr.exec:\hhvdbbr.exe24⤵
- Executes dropped EXE
PID:3068 -
\??\c:\hpplb.exec:\hpplb.exe25⤵
- Executes dropped EXE
PID:1164 -
\??\c:\ldxvfr.exec:\ldxvfr.exe26⤵
- Executes dropped EXE
PID:1184 -
\??\c:\prrpx.exec:\prrpx.exe27⤵
- Executes dropped EXE
PID:1736 -
\??\c:\nvvldbx.exec:\nvvldbx.exe28⤵
- Executes dropped EXE
PID:1724 -
\??\c:\phnrrn.exec:\phnrrn.exe29⤵
- Executes dropped EXE
PID:1688 -
\??\c:\rjxhjb.exec:\rjxhjb.exe30⤵
- Executes dropped EXE
PID:1540 -
\??\c:\tljxd.exec:\tljxd.exe31⤵
- Executes dropped EXE
PID:2416 -
\??\c:\dbxddh.exec:\dbxddh.exe32⤵
- Executes dropped EXE
PID:1528 -
\??\c:\vfptfhf.exec:\vfptfhf.exe33⤵
- Executes dropped EXE
PID:2452 -
\??\c:\nljlt.exec:\nljlt.exe34⤵
- Executes dropped EXE
PID:880 -
\??\c:\xnhntv.exec:\xnhntv.exe35⤵
- Executes dropped EXE
PID:1408 -
\??\c:\fdxbptb.exec:\fdxbptb.exe36⤵
- Executes dropped EXE
PID:2340 -
\??\c:\rlvhnr.exec:\rlvhnr.exe37⤵
- Executes dropped EXE
PID:2112 -
\??\c:\rhnfh.exec:\rhnfh.exe38⤵
- Executes dropped EXE
PID:2188 -
\??\c:\jhrndt.exec:\jhrndt.exe39⤵
- Executes dropped EXE
PID:2964 -
\??\c:\jntvrrl.exec:\jntvrrl.exe40⤵
- Executes dropped EXE
PID:2812 -
\??\c:\vlnvrh.exec:\vlnvrh.exe41⤵
- Executes dropped EXE
PID:2728 -
\??\c:\hnfppxx.exec:\hnfppxx.exe42⤵
- Executes dropped EXE
PID:2748 -
\??\c:\vrffdtn.exec:\vrffdtn.exe43⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2892 -
\??\c:\bvvhjv.exec:\bvvhjv.exe44⤵
- Executes dropped EXE
PID:2900 -
\??\c:\dflntt.exec:\dflntt.exe45⤵
- Executes dropped EXE
PID:2628 -
\??\c:\hfdvb.exec:\hfdvb.exe46⤵
- Executes dropped EXE
PID:2824 -
\??\c:\jpffj.exec:\jpffj.exe47⤵
- Executes dropped EXE
PID:2756 -
\??\c:\ptdxfxv.exec:\ptdxfxv.exe48⤵
- Executes dropped EXE
PID:2788 -
\??\c:\fxxdtjx.exec:\fxxdtjx.exe49⤵
- Executes dropped EXE
PID:2464 -
\??\c:\rbrxd.exec:\rbrxd.exe50⤵
- Executes dropped EXE
PID:2604 -
\??\c:\rffxpf.exec:\rffxpf.exe51⤵
- Executes dropped EXE
PID:2576 -
\??\c:\dhnlx.exec:\dhnlx.exe52⤵
- Executes dropped EXE
PID:2832 -
\??\c:\lvbxdl.exec:\lvbxdl.exe53⤵
- Executes dropped EXE
PID:1936 -
\??\c:\tvjtn.exec:\tvjtn.exe54⤵
- Executes dropped EXE
PID:2976 -
\??\c:\vtxxx.exec:\vtxxx.exe55⤵
- Executes dropped EXE
PID:2972 -
\??\c:\vjrhfxf.exec:\vjrhfxf.exe56⤵
- Executes dropped EXE
PID:1948 -
\??\c:\dtvvldv.exec:\dtvvldv.exe57⤵
- Executes dropped EXE
PID:2980 -
\??\c:\xfvvfxh.exec:\xfvvfxh.exe58⤵
- Executes dropped EXE
PID:2944 -
\??\c:\jnppd.exec:\jnppd.exe59⤵
- Executes dropped EXE
PID:1928 -
\??\c:\fppdrrv.exec:\fppdrrv.exe60⤵
- Executes dropped EXE
PID:2100 -
\??\c:\rrnvjj.exec:\rrnvjj.exe61⤵
- Executes dropped EXE
PID:2988 -
\??\c:\dndln.exec:\dndln.exe62⤵
- Executes dropped EXE
PID:2168 -
\??\c:\bjbvbb.exec:\bjbvbb.exe63⤵
- Executes dropped EXE
PID:1504 -
\??\c:\bvjnb.exec:\bvjnb.exe64⤵
- Executes dropped EXE
PID:1332 -
\??\c:\ldbht.exec:\ldbht.exe65⤵
- Executes dropped EXE
PID:2176 -
\??\c:\tfnjtfb.exec:\tfnjtfb.exe66⤵PID:1064
-
\??\c:\ndnfj.exec:\ndnfj.exe67⤵PID:1268
-
\??\c:\dbflhrt.exec:\dbflhrt.exe68⤵PID:1800
-
\??\c:\frlrd.exec:\frlrd.exe69⤵PID:1148
-
\??\c:\dndfhx.exec:\dndfhx.exe70⤵PID:2424
-
\??\c:\dbtnxb.exec:\dbtnxb.exe71⤵PID:1780
-
\??\c:\htrpxpd.exec:\htrpxpd.exe72⤵PID:2004
-
\??\c:\nhvdb.exec:\nhvdb.exe73⤵PID:1724
-
\??\c:\xrhnpf.exec:\xrhnpf.exe74⤵PID:1688
-
\??\c:\vjjdjt.exec:\vjjdjt.exe75⤵PID:1828
-
\??\c:\vdjlp.exec:\vdjlp.exe76⤵PID:2372
-
\??\c:\fbdpfvb.exec:\fbdpfvb.exe77⤵PID:2948
-
\??\c:\djpjfxr.exec:\djpjfxr.exe78⤵PID:2180
-
\??\c:\xddrj.exec:\xddrj.exe79⤵PID:568
-
\??\c:\rpxtdnr.exec:\rpxtdnr.exe80⤵PID:872
-
\??\c:\jrbvrxb.exec:\jrbvrxb.exe81⤵PID:856
-
\??\c:\nrpbjpn.exec:\nrpbjpn.exe82⤵PID:1408
-
\??\c:\bhfpnj.exec:\bhfpnj.exe83⤵PID:1600
-
\??\c:\hhjjdlf.exec:\hhjjdlf.exe84⤵PID:2008
-
\??\c:\jntfdnp.exec:\jntfdnp.exe85⤵PID:2208
-
\??\c:\dldrtb.exec:\dldrtb.exe86⤵PID:2440
-
\??\c:\jlphxjj.exec:\jlphxjj.exe87⤵PID:2448
-
\??\c:\npfdbl.exec:\npfdbl.exe88⤵PID:2728
-
\??\c:\dxndfhb.exec:\dxndfhb.exe89⤵PID:3044
-
\??\c:\vpxbxrt.exec:\vpxbxrt.exe90⤵PID:2892
-
\??\c:\dhhbv.exec:\dhhbv.exe91⤵PID:2900
-
\??\c:\rrxbr.exec:\rrxbr.exe92⤵PID:2628
-
\??\c:\xfprl.exec:\xfprl.exe93⤵PID:1904
-
\??\c:\ptjrx.exec:\ptjrx.exe94⤵PID:2756
-
\??\c:\tvlxdv.exec:\tvlxdv.exe95⤵PID:2788
-
\??\c:\nrbpbv.exec:\nrbpbv.exe96⤵PID:2464
-
\??\c:\xvphbn.exec:\xvphbn.exe97⤵PID:2604
-
\??\c:\rvhdvx.exec:\rvhdvx.exe98⤵PID:2296
-
\??\c:\dpnnnn.exec:\dpnnnn.exe99⤵PID:1868
-
\??\c:\dpnxbx.exec:\dpnxbx.exe100⤵PID:2836
-
\??\c:\bhlbbtx.exec:\bhlbbtx.exe101⤵PID:2976
-
\??\c:\ptxnnh.exec:\ptxnnh.exe102⤵PID:2972
-
\??\c:\fpnhjdv.exec:\fpnhjdv.exe103⤵PID:2860
-
\??\c:\pfrxj.exec:\pfrxj.exe104⤵PID:2300
-
\??\c:\jrljfn.exec:\jrljfn.exe105⤵PID:2944
-
\??\c:\lpxpdv.exec:\lpxpdv.exe106⤵PID:2660
-
\??\c:\ndfxn.exec:\ndfxn.exe107⤵PID:2476
-
\??\c:\dbfbp.exec:\dbfbp.exe108⤵PID:2808
-
\??\c:\xvprh.exec:\xvprh.exe109⤵PID:2716
-
\??\c:\bnxnnpl.exec:\bnxnnpl.exe110⤵PID:2544
-
\??\c:\vvhbp.exec:\vvhbp.exe111⤵PID:1812
-
\??\c:\xxdbjjb.exec:\xxdbjjb.exe112⤵PID:2020
-
\??\c:\llxpvv.exec:\llxpvv.exe113⤵PID:928
-
\??\c:\ptpfp.exec:\ptpfp.exe114⤵
- System Location Discovery: System Language Discovery
PID:2816 -
\??\c:\jfjnfb.exec:\jfjnfb.exe115⤵PID:1480
-
\??\c:\fdrpbb.exec:\fdrpbb.exe116⤵PID:968
-
\??\c:\bvvxdl.exec:\bvvxdl.exe117⤵PID:2420
-
\??\c:\hhtjrfj.exec:\hhtjrfj.exe118⤵PID:612
-
\??\c:\rvhtl.exec:\rvhtl.exe119⤵PID:1060
-
\??\c:\bpnjr.exec:\bpnjr.exe120⤵PID:2004
-
\??\c:\rjhrdv.exec:\rjhrdv.exe121⤵
- System Location Discovery: System Language Discovery
PID:2044 -
\??\c:\htrnphp.exec:\htrnphp.exe122⤵PID:1412