Analysis
-
max time kernel
120s -
max time network
19s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64 arch:x86 image:win7-20241010-en locale:en-us os:windows7-x64 system -
submitted
25-12-2024 22:42
Behavioral task
behavioral1
Sample
4acfeb374e7c5eb088b72402be1fd5153fa0a0ea9bf2f33978dd66c4df787761N.exe
Resource
win7-20241010-en
windows7-x64
7 signatures
120 seconds
General
-
Target
4acfeb374e7c5eb088b72402be1fd5153fa0a0ea9bf2f33978dd66c4df787761N.exe
-
Size
345KB
-
MD5
c8d9b8efb236e3e4afcb4bb4e9d55f80
-
SHA1
8b0f6bb9486add6a3ff825a67ea3960bc8523d06
-
SHA256
4acfeb374e7c5eb088b72402be1fd5153fa0a0ea9bf2f33978dd66c4df787761
-
SHA512
0237d50c7039818367b89640793fa1af7c8382d534395bfaaa7fbb4622c8821d6d3dcc52092fcfc206791944cbb38423d203e9aad5ec8762037986597d27361a
-
SSDEEP
6144:Lcm4FmowdHoSEYW5fNZWB5hFfci3Add4kGYAo:R4wFHoS3WXZshJX2VGdo
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 49 IoCs
resource yara_rule behavioral1/memory/2592-6-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2448-14-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2876-25-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2876-23-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/640-34-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/3020-43-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2448-49-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/1476-54-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2824-69-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2256-76-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2380-87-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1144-109-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/3048-108-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2360-119-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2444-126-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/3024-134-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1972-144-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2932-154-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2116-168-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1900-207-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1052-222-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral1/memory/2056-231-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1128-254-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1544-262-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2384-270-0x0000000000430000-0x0000000000457000-memory.dmp family_blackmoon behavioral1/memory/2580-287-0x00000000001B0000-0x00000000001D7000-memory.dmp family_blackmoon behavioral1/memory/1612-303-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2984-311-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/1612-321-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2976-319-0x00000000001B0000-0x00000000001D7000-memory.dmp family_blackmoon behavioral1/memory/2880-328-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2752-346-0x00000000001B0000-0x00000000001D7000-memory.dmp family_blackmoon behavioral1/memory/2928-366-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2068-377-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2380-383-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/588-389-0x0000000000250000-0x0000000000277000-memory.dmp family_blackmoon behavioral1/memory/2192-407-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2836-418-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2192-424-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2836-437-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2232-473-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/676-524-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral1/memory/1748-530-0x00000000003C0000-0x00000000003E7000-memory.dmp family_blackmoon behavioral1/memory/2148-573-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2800-623-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2800-641-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/1684-663-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1972-703-0x00000000001B0000-0x00000000001D7000-memory.dmp family_blackmoon behavioral1/memory/2932-714-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2448 tndflbp.exe 2876 rnbxbpf.exe 640 jhprjp.exe 3020 ttffvp.exe 1476 rltrv.exe 1376 jhrbrff.exe 2824 bvhtxhl.exe 2256 btxpbjr.exe 3048 rvfrp.exe 2380 drpxnr.exe 1116 pfdtbhv.exe 1144 vrfjn.exe 2360 xbthv.exe 2444 rltth.exe 3024 bplbx.exe 1972 dtxxvfv.exe 2932 xxxnltj.exe 1932 ljljxd.exe 2116 nxfvjff.exe 2112 lnhvrh.exe 2280 lbhxd.exe 2276 tfvrb.exe 1072 hpprp.exe 1900 flbntnb.exe 1992 ttdpx.exe 1052 fbxvd.exe 2056 bnttf.exe 1504 flvrnl.exe 776 bpdtdbp.exe 1128 nbdpthd.exe 1544 jbvxp.exe 2384 jnjxvh.exe 2036 fdfnjb.exe 1168 fvxrl.exe 2580 xnnlpfv.exe 2148 hjjbd.exe 1604 xhhrtjj.exe 1612 btdbv.exe 1480 drtdpfn.exe 2984 jrttp.exe 2976 dnbdhfj.exe 2880 hxjdd.exe 2864 ljrjl.exe 2792 tpldv.exe 2752 xjfpld.exe 2748 bnjbn.exe 2648 jfbrrht.exe 2824 ddldn.exe 2928 dpldpfv.exe 944 nxrjx.exe 2068 fblblx.exe 2380 jnlvpr.exe 588 pbnddfp.exe 2348 nxbpv.exe 2156 vjvrd.exe 2192 jbrjtnp.exe 2104 rhrvtl.exe 2836 nlbvrp.exe 2736 lrrtrdp.exe 856 fvxxb.exe 1956 xrvtl.exe 612 tpdnbt.exe 1776 rbnld.exe 2708 jjrnljb.exe -
resource yara_rule behavioral1/memory/2592-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00070000000120fc-7.dat upx behavioral1/memory/2592-6-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0008000000019394-16.dat upx behavioral1/memory/2448-14-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00070000000193b8-24.dat upx behavioral1/memory/640-26-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2876-25-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0007000000019470-35.dat upx behavioral1/memory/640-34-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/1476-45-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/3020-43-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0006000000019489-42.dat upx behavioral1/files/0x000600000001948c-53.dat upx behavioral1/memory/1476-54-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0006000000019490-61.dat upx behavioral1/files/0x0031000000018bbf-70.dat upx behavioral1/memory/2824-69-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00080000000194eb-77.dat upx behavioral1/memory/2256-76-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00070000000195bb-85.dat upx behavioral1/memory/2380-87-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001a309-93.dat upx behavioral1/files/0x000500000001a3ab-102.dat upx behavioral1/files/0x000500000001a3f6-111.dat upx behavioral1/memory/1144-109-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/3048-108-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001a3f8-120.dat upx behavioral1/memory/2360-119-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001a3fd-127.dat upx 
behavioral1/memory/2444-126-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/3024-134-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001a400-135.dat upx behavioral1/memory/1972-136-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001a404-145.dat upx behavioral1/memory/2932-146-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/1972-144-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001a438-153.dat upx behavioral1/memory/2932-154-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001a44d-161.dat upx behavioral1/memory/2116-168-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001a44f-169.dat upx behavioral1/files/0x000500000001a457-176.dat upx behavioral1/memory/2280-177-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001a459-186.dat upx behavioral1/memory/2276-185-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001a463-192.dat upx behavioral1/files/0x000500000001a469-198.dat upx behavioral1/files/0x000500000001a46b-206.dat upx behavioral1/memory/1900-207-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001a46d-214.dat upx behavioral1/memory/1052-222-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001a46f-223.dat upx behavioral1/memory/2056-224-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001a471-232.dat upx behavioral1/memory/2056-231-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001a473-239.dat upx behavioral1/files/0x000500000001a475-247.dat upx behavioral1/files/0x000500000001a477-255.dat upx behavioral1/memory/1128-254-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001a479-263.dat upx 
behavioral1/memory/1544-262-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2036-271-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2880-328-0x0000000000400000-0x0000000000427000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim machine in order to infer the geographical location of that host. Note that reading the NLS\Language key is also common in benign software, so this signature is a weak indicator on its own and is only meaningful here in combination with the Blackmoon and dropped-EXE findings above.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfxhffv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ltrxvb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxjbvrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rdxxrdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dhnhnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vxvpvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dnbdhfj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language brvprd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhrxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rvfhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nlnvlvn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rvlhjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fjrrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rhfbv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pxbdx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language drnhjtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xbbhpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nntfvdb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vnvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpvtjht.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lvnbnlv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hlbfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pnrfn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dhbptj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rhllx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hrdbj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhljjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhbnpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhfht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dbxjbpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nxbpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2592 wrote to memory of 2448 2592 4acfeb374e7c5eb088b72402be1fd5153fa0a0ea9bf2f33978dd66c4df787761N.exe 30 PID 2592 wrote to memory of 2448 2592 4acfeb374e7c5eb088b72402be1fd5153fa0a0ea9bf2f33978dd66c4df787761N.exe 30 PID 2592 wrote to memory of 2448 2592 4acfeb374e7c5eb088b72402be1fd5153fa0a0ea9bf2f33978dd66c4df787761N.exe 30 PID 2592 wrote to memory of 2448 2592 4acfeb374e7c5eb088b72402be1fd5153fa0a0ea9bf2f33978dd66c4df787761N.exe 30 PID 2448 wrote to memory of 2876 2448 tndflbp.exe 31 PID 2448 wrote to memory of 2876 2448 tndflbp.exe 31 PID 2448 wrote to memory of 2876 2448 tndflbp.exe 31 PID 2448 wrote to memory of 2876 2448 tndflbp.exe 31 PID 2876 wrote to memory of 640 2876 rnbxbpf.exe 32 PID 2876 wrote to memory of 640 2876 rnbxbpf.exe 32 PID 2876 wrote to memory of 640 2876 rnbxbpf.exe 32 PID 2876 wrote to memory of 640 2876 rnbxbpf.exe 32 PID 640 wrote to memory of 3020 640 jhprjp.exe 33 PID 640 wrote to memory of 3020 640 jhprjp.exe 33 PID 640 wrote to memory of 3020 640 jhprjp.exe 33 PID 640 wrote to memory of 3020 640 jhprjp.exe 33 PID 3020 wrote to memory of 1476 3020 ttffvp.exe 34 PID 3020 wrote to memory of 1476 3020 ttffvp.exe 34 PID 3020 wrote to memory of 1476 3020 ttffvp.exe 34 PID 3020 wrote to memory of 1476 3020 ttffvp.exe 34 PID 1476 wrote to memory of 1376 1476 rltrv.exe 35 PID 1476 wrote to memory of 1376 1476 rltrv.exe 35 PID 1476 wrote to memory of 1376 1476 rltrv.exe 35 PID 1476 wrote to memory of 1376 1476 rltrv.exe 35 PID 1376 wrote to memory of 2824 1376 jhrbrff.exe 36 PID 1376 wrote to memory of 2824 1376 jhrbrff.exe 36 PID 1376 wrote to memory of 2824 1376 jhrbrff.exe 36 PID 1376 wrote to memory of 2824 1376 jhrbrff.exe 36 PID 2824 wrote to memory of 2256 2824 bvhtxhl.exe 37 PID 2824 wrote to memory of 2256 2824 bvhtxhl.exe 37 PID 2824 wrote to memory of 2256 2824 bvhtxhl.exe 37 PID 2824 wrote to memory of 2256 2824 bvhtxhl.exe 37 PID 2256 wrote to memory of 3048 2256 btxpbjr.exe 38 PID 2256 
wrote to memory of 3048 2256 btxpbjr.exe 38 PID 2256 wrote to memory of 3048 2256 btxpbjr.exe 38 PID 2256 wrote to memory of 3048 2256 btxpbjr.exe 38 PID 3048 wrote to memory of 2380 3048 rvfrp.exe 39 PID 3048 wrote to memory of 2380 3048 rvfrp.exe 39 PID 3048 wrote to memory of 2380 3048 rvfrp.exe 39 PID 3048 wrote to memory of 2380 3048 rvfrp.exe 39 PID 2380 wrote to memory of 1116 2380 drpxnr.exe 40 PID 2380 wrote to memory of 1116 2380 drpxnr.exe 40 PID 2380 wrote to memory of 1116 2380 drpxnr.exe 40 PID 2380 wrote to memory of 1116 2380 drpxnr.exe 40 PID 1116 wrote to memory of 1144 1116 pfdtbhv.exe 41 PID 1116 wrote to memory of 1144 1116 pfdtbhv.exe 41 PID 1116 wrote to memory of 1144 1116 pfdtbhv.exe 41 PID 1116 wrote to memory of 1144 1116 pfdtbhv.exe 41 PID 1144 wrote to memory of 2360 1144 vrfjn.exe 42 PID 1144 wrote to memory of 2360 1144 vrfjn.exe 42 PID 1144 wrote to memory of 2360 1144 vrfjn.exe 42 PID 1144 wrote to memory of 2360 1144 vrfjn.exe 42 PID 2360 wrote to memory of 2444 2360 xbthv.exe 43 PID 2360 wrote to memory of 2444 2360 xbthv.exe 43 PID 2360 wrote to memory of 2444 2360 xbthv.exe 43 PID 2360 wrote to memory of 2444 2360 xbthv.exe 43 PID 2444 wrote to memory of 3024 2444 rltth.exe 44 PID 2444 wrote to memory of 3024 2444 rltth.exe 44 PID 2444 wrote to memory of 3024 2444 rltth.exe 44 PID 2444 wrote to memory of 3024 2444 rltth.exe 44 PID 3024 wrote to memory of 1972 3024 bplbx.exe 45 PID 3024 wrote to memory of 1972 3024 bplbx.exe 45 PID 3024 wrote to memory of 1972 3024 bplbx.exe 45 PID 3024 wrote to memory of 1972 3024 bplbx.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\4acfeb374e7c5eb088b72402be1fd5153fa0a0ea9bf2f33978dd66c4df787761N.exe"C:\Users\Admin\AppData\Local\Temp\4acfeb374e7c5eb088b72402be1fd5153fa0a0ea9bf2f33978dd66c4df787761N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2592 -
\??\c:\tndflbp.exec:\tndflbp.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2448 -
\??\c:\rnbxbpf.exec:\rnbxbpf.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2876 -
\??\c:\jhprjp.exec:\jhprjp.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:640 -
\??\c:\ttffvp.exec:\ttffvp.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3020 -
\??\c:\rltrv.exec:\rltrv.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1476 -
\??\c:\jhrbrff.exec:\jhrbrff.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1376 -
\??\c:\bvhtxhl.exec:\bvhtxhl.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2824 -
\??\c:\btxpbjr.exec:\btxpbjr.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2256 -
\??\c:\rvfrp.exec:\rvfrp.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3048 -
\??\c:\drpxnr.exec:\drpxnr.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2380 -
\??\c:\pfdtbhv.exec:\pfdtbhv.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1116 -
\??\c:\vrfjn.exec:\vrfjn.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1144 -
\??\c:\xbthv.exec:\xbthv.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2360 -
\??\c:\rltth.exec:\rltth.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2444 -
\??\c:\bplbx.exec:\bplbx.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3024 -
\??\c:\dtxxvfv.exec:\dtxxvfv.exe17⤵
- Executes dropped EXE
PID:1972 -
\??\c:\xxxnltj.exec:\xxxnltj.exe18⤵
- Executes dropped EXE
PID:2932 -
\??\c:\ljljxd.exec:\ljljxd.exe19⤵
- Executes dropped EXE
PID:1932 -
\??\c:\nxfvjff.exec:\nxfvjff.exe20⤵
- Executes dropped EXE
PID:2116 -
\??\c:\lnhvrh.exec:\lnhvrh.exe21⤵
- Executes dropped EXE
PID:2112 -
\??\c:\lbhxd.exec:\lbhxd.exe22⤵
- Executes dropped EXE
PID:2280 -
\??\c:\tfvrb.exec:\tfvrb.exe23⤵
- Executes dropped EXE
PID:2276 -
\??\c:\hpprp.exec:\hpprp.exe24⤵
- Executes dropped EXE
PID:1072 -
\??\c:\flbntnb.exec:\flbntnb.exe25⤵
- Executes dropped EXE
PID:1900 -
\??\c:\ttdpx.exec:\ttdpx.exe26⤵
- Executes dropped EXE
PID:1992 -
\??\c:\fbxvd.exec:\fbxvd.exe27⤵
- Executes dropped EXE
PID:1052 -
\??\c:\bnttf.exec:\bnttf.exe28⤵
- Executes dropped EXE
PID:2056 -
\??\c:\flvrnl.exec:\flvrnl.exe29⤵
- Executes dropped EXE
PID:1504 -
\??\c:\bpdtdbp.exec:\bpdtdbp.exe30⤵
- Executes dropped EXE
PID:776 -
\??\c:\nbdpthd.exec:\nbdpthd.exe31⤵
- Executes dropped EXE
PID:1128 -
\??\c:\jbvxp.exec:\jbvxp.exe32⤵
- Executes dropped EXE
PID:1544 -
\??\c:\jnjxvh.exec:\jnjxvh.exe33⤵
- Executes dropped EXE
PID:2384 -
\??\c:\fdfnjb.exec:\fdfnjb.exe34⤵
- Executes dropped EXE
PID:2036 -
\??\c:\fvxrl.exec:\fvxrl.exe35⤵
- Executes dropped EXE
PID:1168 -
\??\c:\xnnlpfv.exec:\xnnlpfv.exe36⤵
- Executes dropped EXE
PID:2580 -
\??\c:\hjjbd.exec:\hjjbd.exe37⤵
- Executes dropped EXE
PID:2148 -
\??\c:\xhhrtjj.exec:\xhhrtjj.exe38⤵
- Executes dropped EXE
PID:1604 -
\??\c:\btdbv.exec:\btdbv.exe39⤵
- Executes dropped EXE
PID:1612 -
\??\c:\drtdpfn.exec:\drtdpfn.exe40⤵
- Executes dropped EXE
PID:1480 -
\??\c:\jrttp.exec:\jrttp.exe41⤵
- Executes dropped EXE
PID:2984 -
\??\c:\dnbdhfj.exec:\dnbdhfj.exe42⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2976 -
\??\c:\hxjdd.exec:\hxjdd.exe43⤵
- Executes dropped EXE
PID:2880 -
\??\c:\ljrjl.exec:\ljrjl.exe44⤵
- Executes dropped EXE
PID:2864 -
\??\c:\tpldv.exec:\tpldv.exe45⤵
- Executes dropped EXE
PID:2792 -
\??\c:\xjfpld.exec:\xjfpld.exe46⤵
- Executes dropped EXE
PID:2752 -
\??\c:\bnjbn.exec:\bnjbn.exe47⤵
- Executes dropped EXE
PID:2748 -
\??\c:\jfbrrht.exec:\jfbrrht.exe48⤵
- Executes dropped EXE
PID:2648 -
\??\c:\ddldn.exec:\ddldn.exe49⤵
- Executes dropped EXE
PID:2824 -
\??\c:\dpldpfv.exec:\dpldpfv.exe50⤵
- Executes dropped EXE
PID:2928 -
\??\c:\nxrjx.exec:\nxrjx.exe51⤵
- Executes dropped EXE
PID:944 -
\??\c:\fblblx.exec:\fblblx.exe52⤵
- Executes dropped EXE
PID:2068 -
\??\c:\jnlvpr.exec:\jnlvpr.exe53⤵
- Executes dropped EXE
PID:2380 -
\??\c:\pbnddfp.exec:\pbnddfp.exe54⤵
- Executes dropped EXE
PID:588 -
\??\c:\nxbpv.exec:\nxbpv.exe55⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2348 -
\??\c:\vjvrd.exec:\vjvrd.exe56⤵
- Executes dropped EXE
PID:2156 -
\??\c:\jbrjtnp.exec:\jbrjtnp.exe57⤵
- Executes dropped EXE
PID:2192 -
\??\c:\rhrvtl.exec:\rhrvtl.exe58⤵
- Executes dropped EXE
PID:2104 -
\??\c:\nlbvrp.exec:\nlbvrp.exe59⤵
- Executes dropped EXE
PID:2836 -
\??\c:\lrrtrdp.exec:\lrrtrdp.exe60⤵
- Executes dropped EXE
PID:2736 -
\??\c:\fvxxb.exec:\fvxxb.exe61⤵
- Executes dropped EXE
PID:856 -
\??\c:\xrvtl.exec:\xrvtl.exe62⤵
- Executes dropped EXE
PID:1956 -
\??\c:\tpdnbt.exec:\tpdnbt.exe63⤵
- Executes dropped EXE
PID:612 -
\??\c:\rbnld.exec:\rbnld.exe64⤵
- Executes dropped EXE
PID:1776 -
\??\c:\jjrnljb.exec:\jjrnljb.exe65⤵
- Executes dropped EXE
PID:2708 -
\??\c:\xdnfpv.exec:\xdnfpv.exe66⤵PID:2576
-
\??\c:\jhvxj.exec:\jhvxj.exe67⤵PID:2452
-
\??\c:\xfrnrjp.exec:\xfrnrjp.exe68⤵PID:2232
-
\??\c:\fbnjvvb.exec:\fbnjvvb.exe69⤵PID:2276
-
\??\c:\vbvpvrf.exec:\vbvpvrf.exe70⤵PID:980
-
\??\c:\bbrnxvr.exec:\bbrnxvr.exe71⤵PID:1896
-
\??\c:\jffhht.exec:\jffhht.exe72⤵PID:1556
-
\??\c:\jrfttxj.exec:\jrfttxj.exe73⤵PID:2428
-
\??\c:\vfbxp.exec:\vfbxp.exe74⤵PID:1052
-
\??\c:\xrtrhn.exec:\xrtrhn.exe75⤵PID:1748
-
\??\c:\ftftf.exec:\ftftf.exe76⤵PID:1836
-
\??\c:\btllhp.exec:\btllhp.exe77⤵PID:676
-
\??\c:\nlbbln.exec:\nlbbln.exe78⤵PID:1192
-
\??\c:\hdhll.exec:\hdhll.exe79⤵PID:1088
-
\??\c:\jhrln.exec:\jhrln.exe80⤵PID:2600
-
\??\c:\npbrxp.exec:\npbrxp.exe81⤵PID:332
-
\??\c:\xptfhxx.exec:\xptfhxx.exe82⤵PID:2412
-
\??\c:\ddlff.exec:\ddlff.exe83⤵PID:2036
-
\??\c:\njbldbv.exec:\njbldbv.exe84⤵PID:1168
-
\??\c:\bprjd.exec:\bprjd.exe85⤵PID:2580
-
\??\c:\pxphhbr.exec:\pxphhbr.exe86⤵PID:2148
-
\??\c:\jpbbdrd.exec:\jpbbdrd.exe87⤵PID:1584
-
\??\c:\xtpnjhp.exec:\xtpnjhp.exe88⤵PID:1612
-
\??\c:\xlpxjvd.exec:\xlpxjvd.exe89⤵PID:2236
-
\??\c:\hblpf.exec:\hblpf.exe90⤵PID:2852
-
\??\c:\xjpjnl.exec:\xjpjnl.exe91⤵PID:2976
-
\??\c:\flpxn.exec:\flpxn.exe92⤵PID:2908
-
\??\c:\tnpdjn.exec:\tnpdjn.exe93⤵PID:2784
-
\??\c:\xffbp.exec:\xffbp.exe94⤵PID:1476
-
\??\c:\bfrpfvx.exec:\bfrpfvx.exe95⤵PID:2800
-
\??\c:\ndhtpd.exec:\ndhtpd.exe96⤵PID:2624
-
\??\c:\nbxhd.exec:\nbxhd.exe97⤵PID:2812
-
\??\c:\xdxtxhd.exec:\xdxtxhd.exe98⤵PID:2732
-
\??\c:\jdnfxb.exec:\jdnfxb.exe99⤵PID:2928
-
\??\c:\vjjvlf.exec:\vjjvlf.exe100⤵PID:2020
-
\??\c:\rhdtp.exec:\rhdtp.exe101⤵PID:984
-
\??\c:\ppdnn.exec:\ppdnn.exe102⤵PID:1684
-
\??\c:\ftfxxjh.exec:\ftfxxjh.exe103⤵PID:1532
-
\??\c:\hhpjhn.exec:\hhpjhn.exe104⤵PID:2348
-
\??\c:\jvfltj.exec:\jvfltj.exe105⤵PID:2788
-
\??\c:\hlxfppr.exec:\hlxfppr.exe106⤵PID:2192
-
\??\c:\bfdhh.exec:\bfdhh.exe107⤵PID:3060
-
\??\c:\rvpnnjx.exec:\rvpnnjx.exe108⤵PID:2296
-
\??\c:\pfvfh.exec:\pfvfh.exe109⤵PID:1972
-
\??\c:\bvjdtr.exec:\bvjdtr.exe110⤵PID:1176
-
\??\c:\jrhxpht.exec:\jrhxpht.exe111⤵PID:2932
-
\??\c:\nblnhn.exec:\nblnhn.exe112⤵PID:1108
-
\??\c:\ddhxh.exec:\ddhxh.exe113⤵PID:2264
-
\??\c:\tftvd.exec:\tftvd.exe114⤵PID:2484
-
\??\c:\rtvxtnh.exec:\rtvxtnh.exe115⤵PID:2564
-
\??\c:\lnxtt.exec:\lnxtt.exe116⤵PID:2280
-
\??\c:\jpnptb.exec:\jpnptb.exe117⤵PID:1960
-
\??\c:\ljjdxxd.exec:\ljjdxxd.exe118⤵PID:1844
-
\??\c:\lphnvtd.exec:\lphnvtd.exe119⤵PID:1072
-
\??\c:\bjpnx.exec:\bjpnx.exe120⤵PID:2636
-
\??\c:\vdldvl.exec:\vdldvl.exe121⤵PID:2208
-
\??\c:\vjbnpf.exec:\vjbnpf.exe122⤵PID:2480