Analysis
-
max time kernel
120s -
max time network
18s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system -
submitted
25-12-2024 23:22
Behavioral task
behavioral1
Sample
afaaf40174dfca51c8b8934447b5e45e92fde311da37b7e2dbfa2833bbb6dcd0N.exe
Resource
win7-20241010-en
windows7-x64
7 signatures
120 seconds
General
-
Target
afaaf40174dfca51c8b8934447b5e45e92fde311da37b7e2dbfa2833bbb6dcd0N.exe
-
Size
331KB
-
MD5
96031a5075425b53c9d1415d84b814f0
-
SHA1
76493bceccac7ac815d45fc06725abf36b47e276
-
SHA256
afaaf40174dfca51c8b8934447b5e45e92fde311da37b7e2dbfa2833bbb6dcd0
-
SHA512
b4d0e84e624bc054d3763aa18f622e973aae9edaf77700e02e0b1cb0fa484fe862f6e421f2ef11ed1d0134f431713e5c8e37a5f030a1502de4bdf1695cfffab7
-
SSDEEP
6144:Lcm4FmowdHoSHt251UriZFwfsDX2UznsaFVNJCMKAbeU:R4wFHoSHYHUrAwfMp3CDU
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 44 IoCs (yara rule family_blackmoon matched on process memory dumps, not on the file on disk; note that the same 0x400000-0x427000 image regions are also flagged as UPX-packed in the section below, so the family match is on the unpacked in-memory image)
resource yara_rule behavioral1/memory/2244-6-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2448-16-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2960-27-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2960-26-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2756-38-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2904-36-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2784-51-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2744-60-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2620-69-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/868-79-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1744-78-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2080-89-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1140-95-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2092-103-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2444-125-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2696-141-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/840-156-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2220-164-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2264-173-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2264-172-0x00000000001B0000-0x00000000001D7000-memory.dmp family_blackmoon behavioral1/memory/2228-182-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral1/memory/1076-198-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2428-213-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1052-221-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2668-259-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/1664-272-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2664-293-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2584-306-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1704-305-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/944-362-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2128-401-0x00000000002A0000-0x00000000002C7000-memory.dmp family_blackmoon behavioral1/memory/2128-400-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2444-412-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2128-420-0x00000000002A0000-0x00000000002C7000-memory.dmp family_blackmoon behavioral1/memory/2696-429-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2452-467-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/780-496-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2724-502-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2892-579-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2496-686-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1828-770-0x00000000001B0000-0x00000000001D7000-memory.dmp family_blackmoon behavioral1/memory/1096-779-0x00000000003A0000-0x00000000003C7000-memory.dmp family_blackmoon 
behavioral1/memory/1380-788-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/1780-1381-0x00000000770D0000-0x00000000771EF000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2448 tvnvf.exe 2960 bxjtldd.exe 2904 prfnnb.exe 2756 jlhnpnb.exe 2784 dxlhdft.exe 2744 hlnbnht.exe 2620 thnvd.exe 1744 ntrddp.exe 868 rxrvp.exe 2080 rnvnr.exe 1140 xbdtdp.exe 2092 rdjhb.exe 3056 bhrnbnt.exe 2444 lhjbfh.exe 2808 lxdnlxn.exe 2696 plhtpx.exe 2420 hdrnj.exe 840 njdrj.exe 2220 frdbbb.exe 2264 hvjtblp.exe 2228 vxhnpn.exe 2272 vhhbh.exe 1076 jxhtvvf.exe 1900 jhrvvt.exe 2428 vbbhhjd.exe 1052 vddtn.exe 792 tthvnxj.exe 1500 fvhjnbb.exe 1372 xbbnvtt.exe 1768 lhlhlvj.exe 2668 nhhxfv.exe 2364 xvrppxj.exe 1664 hdppxdx.exe 2684 vbfrlj.exe 1928 njjptxr.exe 2032 flhppbn.exe 2664 bndddt.exe 2224 vtvdtdl.exe 1704 lpttlx.exe 2584 vfnhdf.exe 2948 dffxr.exe 2856 tbrbdrl.exe 2944 rtlrb.exe 2756 fxlxx.exe 3040 jnbfr.exe 932 ftrxx.exe 2920 xnppdx.exe 2812 prhfnjx.exe 2824 fhdffd.exe 944 rvxfrl.exe 1744 jnxbpbr.exe 1660 ttrbdr.exe 2068 jlnrttr.exe 2080 ljppftl.exe 1736 dlfvvtd.exe 896 vxfxdhx.exe 2128 npbtbft.exe 2496 fvtvd.exe 2444 rhpdlrr.exe 1444 xvlffr.exe 2808 dxlxdp.exe 2696 hrvflbd.exe 836 pddtpnr.exe 1548 jxrtp.exe -
resource yara_rule behavioral1/memory/2244-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2244-6-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00070000000120fc-7.dat upx behavioral1/memory/2448-8-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2448-12-0x0000000000230000-0x0000000000257000-memory.dmp upx behavioral1/memory/2960-18-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0008000000019394-17.dat upx behavioral1/memory/2448-16-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00070000000193b8-28.dat upx behavioral1/memory/2960-26-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2756-38-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0007000000019470-37.dat upx behavioral1/memory/2904-36-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0006000000019489-44.dat upx behavioral1/files/0x000600000001948c-52.dat upx behavioral1/memory/2784-51-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0006000000019490-59.dat upx behavioral1/memory/2744-60-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0031000000018bbf-68.dat upx behavioral1/memory/2620-69-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/868-79-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/1744-78-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00080000000194eb-77.dat upx behavioral1/files/0x00070000000195bb-85.dat upx behavioral1/files/0x000500000001a309-93.dat upx behavioral1/memory/2080-89-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/1140-95-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2092-103-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001a3ab-102.dat upx behavioral1/files/0x000500000001a3f6-109.dat 
upx behavioral1/files/0x000500000001a3f8-117.dat upx behavioral1/memory/2444-125-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001a3fd-126.dat upx behavioral1/memory/2808-128-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001a400-134.dat upx behavioral1/memory/2696-141-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001a404-142.dat upx behavioral1/files/0x000500000001a438-149.dat upx behavioral1/memory/840-156-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001a44d-157.dat upx behavioral1/files/0x000500000001a44f-165.dat upx behavioral1/memory/2220-164-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001a457-175.dat upx behavioral1/memory/2264-173-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2228-182-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001a459-183.dat upx behavioral1/files/0x000500000001a463-191.dat upx behavioral1/files/0x000500000001a469-199.dat upx behavioral1/memory/1076-198-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001a46b-206.dat upx behavioral1/memory/2428-213-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001a46d-214.dat upx behavioral1/files/0x000500000001a46f-222.dat upx behavioral1/memory/1052-221-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/1500-230-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001a471-231.dat upx behavioral1/files/0x000500000001a473-237.dat upx behavioral1/files/0x000500000001a475-245.dat upx behavioral1/files/0x000500000001a477-252.dat upx behavioral1/files/0x000500000001a479-260.dat upx behavioral1/memory/1664-272-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2664-293-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral1/memory/2584-306-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/944-362-0x0000000000400000-0x0000000000427000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host. Caveat for triage: the NLS\Language key is also read by ordinary locale lookups in benign software, so this signature is a weak indicator on its own and is only notable here in combination with the dropped-EXE chain; entries listed as "Process not Found" are ones the sandbox could not attribute to a named process (likely short-lived processes that had already exited).
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbtxrj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fvtff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dnrhrh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjbttjh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pxnfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pnrjbr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xnhndxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vttxv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tdxfdlr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vblbxdt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbvflnx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rbthx.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language drrbl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hrjhpr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llxjdjl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dbtbd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jxxfh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xfptvb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vddtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fbnfxvl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppnjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language prlvxt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nrnlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frrbjlh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxlnxjf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbjjplv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fntrt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frptvl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jxttjn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbfthx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xbbhv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bdjbf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjfhndn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pbrbbj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hfljx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vbbhhjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fpftvhj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thhhlxj.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2244 wrote to memory of 2448 2244 afaaf40174dfca51c8b8934447b5e45e92fde311da37b7e2dbfa2833bbb6dcd0N.exe 30 PID 2244 wrote to memory of 2448 2244 afaaf40174dfca51c8b8934447b5e45e92fde311da37b7e2dbfa2833bbb6dcd0N.exe 30 PID 2244 wrote to memory of 2448 2244 afaaf40174dfca51c8b8934447b5e45e92fde311da37b7e2dbfa2833bbb6dcd0N.exe 30 PID 2244 wrote to memory of 2448 2244 afaaf40174dfca51c8b8934447b5e45e92fde311da37b7e2dbfa2833bbb6dcd0N.exe 30 PID 2448 wrote to memory of 2960 2448 tvnvf.exe 31 PID 2448 wrote to memory of 2960 2448 tvnvf.exe 31 PID 2448 wrote to memory of 2960 2448 tvnvf.exe 31 PID 2448 wrote to memory of 2960 2448 tvnvf.exe 31 PID 2960 wrote to memory of 2904 2960 bxjtldd.exe 32 PID 2960 wrote to memory of 2904 2960 bxjtldd.exe 32 PID 2960 wrote to memory of 2904 2960 bxjtldd.exe 32 PID 2960 wrote to memory of 2904 2960 bxjtldd.exe 32 PID 2904 wrote to memory of 2756 2904 prfnnb.exe 33 PID 2904 wrote to memory of 2756 2904 prfnnb.exe 33 PID 2904 wrote to memory of 2756 2904 prfnnb.exe 33 PID 2904 wrote to memory of 2756 2904 prfnnb.exe 33 PID 2756 wrote to memory of 2784 2756 jlhnpnb.exe 34 PID 2756 wrote to memory of 2784 2756 jlhnpnb.exe 34 PID 2756 wrote to memory of 2784 2756 jlhnpnb.exe 34 PID 2756 wrote to memory of 2784 2756 jlhnpnb.exe 34 PID 2784 wrote to memory of 2744 2784 dxlhdft.exe 35 PID 2784 wrote to memory of 2744 2784 dxlhdft.exe 35 PID 2784 wrote to memory of 2744 2784 dxlhdft.exe 35 PID 2784 wrote to memory of 2744 2784 dxlhdft.exe 35 PID 2744 wrote to memory of 2620 2744 hlnbnht.exe 36 PID 2744 wrote to memory of 2620 2744 hlnbnht.exe 36 PID 2744 wrote to memory of 2620 2744 hlnbnht.exe 36 PID 2744 wrote to memory of 2620 2744 hlnbnht.exe 36 PID 2620 wrote to memory of 1744 2620 thnvd.exe 37 PID 2620 wrote to memory of 1744 2620 thnvd.exe 37 PID 2620 wrote to memory of 1744 2620 thnvd.exe 37 PID 2620 wrote to memory of 1744 2620 thnvd.exe 37 PID 1744 wrote to memory of 868 1744 ntrddp.exe 38 
PID 1744 wrote to memory of 868 1744 ntrddp.exe 38 PID 1744 wrote to memory of 868 1744 ntrddp.exe 38 PID 1744 wrote to memory of 868 1744 ntrddp.exe 38 PID 868 wrote to memory of 2080 868 rxrvp.exe 39 PID 868 wrote to memory of 2080 868 rxrvp.exe 39 PID 868 wrote to memory of 2080 868 rxrvp.exe 39 PID 868 wrote to memory of 2080 868 rxrvp.exe 39 PID 2080 wrote to memory of 1140 2080 rnvnr.exe 40 PID 2080 wrote to memory of 1140 2080 rnvnr.exe 40 PID 2080 wrote to memory of 1140 2080 rnvnr.exe 40 PID 2080 wrote to memory of 1140 2080 rnvnr.exe 40 PID 1140 wrote to memory of 2092 1140 xbdtdp.exe 41 PID 1140 wrote to memory of 2092 1140 xbdtdp.exe 41 PID 1140 wrote to memory of 2092 1140 xbdtdp.exe 41 PID 1140 wrote to memory of 2092 1140 xbdtdp.exe 41 PID 2092 wrote to memory of 3056 2092 rdjhb.exe 42 PID 2092 wrote to memory of 3056 2092 rdjhb.exe 42 PID 2092 wrote to memory of 3056 2092 rdjhb.exe 42 PID 2092 wrote to memory of 3056 2092 rdjhb.exe 42 PID 3056 wrote to memory of 2444 3056 bhrnbnt.exe 43 PID 3056 wrote to memory of 2444 3056 bhrnbnt.exe 43 PID 3056 wrote to memory of 2444 3056 bhrnbnt.exe 43 PID 3056 wrote to memory of 2444 3056 bhrnbnt.exe 43 PID 2444 wrote to memory of 2808 2444 lhjbfh.exe 44 PID 2444 wrote to memory of 2808 2444 lhjbfh.exe 44 PID 2444 wrote to memory of 2808 2444 lhjbfh.exe 44 PID 2444 wrote to memory of 2808 2444 lhjbfh.exe 44 PID 2808 wrote to memory of 2696 2808 lxdnlxn.exe 45 PID 2808 wrote to memory of 2696 2808 lxdnlxn.exe 45 PID 2808 wrote to memory of 2696 2808 lxdnlxn.exe 45 PID 2808 wrote to memory of 2696 2808 lxdnlxn.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\afaaf40174dfca51c8b8934447b5e45e92fde311da37b7e2dbfa2833bbb6dcd0N.exe"C:\Users\Admin\AppData\Local\Temp\afaaf40174dfca51c8b8934447b5e45e92fde311da37b7e2dbfa2833bbb6dcd0N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2244 -
\??\c:\tvnvf.exec:\tvnvf.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2448 -
\??\c:\bxjtldd.exec:\bxjtldd.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2960 -
\??\c:\prfnnb.exec:\prfnnb.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2904 -
\??\c:\jlhnpnb.exec:\jlhnpnb.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2756 -
\??\c:\dxlhdft.exec:\dxlhdft.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2784 -
\??\c:\hlnbnht.exec:\hlnbnht.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2744 -
\??\c:\thnvd.exec:\thnvd.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2620 -
\??\c:\ntrddp.exec:\ntrddp.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1744 -
\??\c:\rxrvp.exec:\rxrvp.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:868 -
\??\c:\rnvnr.exec:\rnvnr.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2080 -
\??\c:\xbdtdp.exec:\xbdtdp.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1140 -
\??\c:\rdjhb.exec:\rdjhb.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2092 -
\??\c:\bhrnbnt.exec:\bhrnbnt.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3056 -
\??\c:\lhjbfh.exec:\lhjbfh.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2444 -
\??\c:\lxdnlxn.exec:\lxdnlxn.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2808 -
\??\c:\plhtpx.exec:\plhtpx.exe17⤵
- Executes dropped EXE
PID:2696 -
\??\c:\hdrnj.exec:\hdrnj.exe18⤵
- Executes dropped EXE
PID:2420 -
\??\c:\njdrj.exec:\njdrj.exe19⤵
- Executes dropped EXE
PID:840 -
\??\c:\frdbbb.exec:\frdbbb.exe20⤵
- Executes dropped EXE
PID:2220 -
\??\c:\hvjtblp.exec:\hvjtblp.exe21⤵
- Executes dropped EXE
PID:2264 -
\??\c:\vxhnpn.exec:\vxhnpn.exe22⤵
- Executes dropped EXE
PID:2228 -
\??\c:\vhhbh.exec:\vhhbh.exe23⤵
- Executes dropped EXE
PID:2272 -
\??\c:\jxhtvvf.exec:\jxhtvvf.exe24⤵
- Executes dropped EXE
PID:1076 -
\??\c:\jhrvvt.exec:\jhrvvt.exe25⤵
- Executes dropped EXE
PID:1900 -
\??\c:\vbbhhjd.exec:\vbbhhjd.exe26⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2428 -
\??\c:\vddtn.exec:\vddtn.exe27⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1052 -
\??\c:\tthvnxj.exec:\tthvnxj.exe28⤵
- Executes dropped EXE
PID:792 -
\??\c:\fvhjnbb.exec:\fvhjnbb.exe29⤵
- Executes dropped EXE
PID:1500 -
\??\c:\xbbnvtt.exec:\xbbnvtt.exe30⤵
- Executes dropped EXE
PID:1372 -
\??\c:\lhlhlvj.exec:\lhlhlvj.exe31⤵
- Executes dropped EXE
PID:1768 -
\??\c:\nhhxfv.exec:\nhhxfv.exe32⤵
- Executes dropped EXE
PID:2668 -
\??\c:\xvrppxj.exec:\xvrppxj.exe33⤵
- Executes dropped EXE
PID:2364 -
\??\c:\hdppxdx.exec:\hdppxdx.exe34⤵
- Executes dropped EXE
PID:1664 -
\??\c:\vbfrlj.exec:\vbfrlj.exe35⤵
- Executes dropped EXE
PID:2684 -
\??\c:\njjptxr.exec:\njjptxr.exe36⤵
- Executes dropped EXE
PID:1928 -
\??\c:\flhppbn.exec:\flhppbn.exe37⤵
- Executes dropped EXE
PID:2032 -
\??\c:\bndddt.exec:\bndddt.exe38⤵
- Executes dropped EXE
PID:2664 -
\??\c:\vtvdtdl.exec:\vtvdtdl.exe39⤵
- Executes dropped EXE
PID:2224 -
\??\c:\lpttlx.exec:\lpttlx.exe40⤵
- Executes dropped EXE
PID:1704 -
\??\c:\vfnhdf.exec:\vfnhdf.exe41⤵
- Executes dropped EXE
PID:2584 -
\??\c:\dffxr.exec:\dffxr.exe42⤵
- Executes dropped EXE
PID:2948 -
\??\c:\tbrbdrl.exec:\tbrbdrl.exe43⤵
- Executes dropped EXE
PID:2856 -
\??\c:\rtlrb.exec:\rtlrb.exe44⤵
- Executes dropped EXE
PID:2944 -
\??\c:\fxlxx.exec:\fxlxx.exe45⤵
- Executes dropped EXE
PID:2756 -
\??\c:\jnbfr.exec:\jnbfr.exe46⤵
- Executes dropped EXE
PID:3040 -
\??\c:\ftrxx.exec:\ftrxx.exe47⤵
- Executes dropped EXE
PID:932 -
\??\c:\xnppdx.exec:\xnppdx.exe48⤵
- Executes dropped EXE
PID:2920 -
\??\c:\prhfnjx.exec:\prhfnjx.exe49⤵
- Executes dropped EXE
PID:2812 -
\??\c:\fhdffd.exec:\fhdffd.exe50⤵
- Executes dropped EXE
PID:2824 -
\??\c:\rvxfrl.exec:\rvxfrl.exe51⤵
- Executes dropped EXE
PID:944 -
\??\c:\jnxbpbr.exec:\jnxbpbr.exe52⤵
- Executes dropped EXE
PID:1744 -
\??\c:\ttrbdr.exec:\ttrbdr.exe53⤵
- Executes dropped EXE
PID:1660 -
\??\c:\jlnrttr.exec:\jlnrttr.exe54⤵
- Executes dropped EXE
PID:2068 -
\??\c:\ljppftl.exec:\ljppftl.exe55⤵
- Executes dropped EXE
PID:2080 -
\??\c:\dlfvvtd.exec:\dlfvvtd.exe56⤵
- Executes dropped EXE
PID:1736 -
\??\c:\vxfxdhx.exec:\vxfxdhx.exe57⤵
- Executes dropped EXE
PID:896 -
\??\c:\npbtbft.exec:\npbtbft.exe58⤵
- Executes dropped EXE
PID:2128 -
\??\c:\fvtvd.exec:\fvtvd.exe59⤵
- Executes dropped EXE
PID:2496 -
\??\c:\rhpdlrr.exec:\rhpdlrr.exe60⤵
- Executes dropped EXE
PID:2444 -
\??\c:\xvlffr.exec:\xvlffr.exe61⤵
- Executes dropped EXE
PID:1444 -
\??\c:\dxlxdp.exec:\dxlxdp.exe62⤵
- Executes dropped EXE
PID:2808 -
\??\c:\hrvflbd.exec:\hrvflbd.exe63⤵
- Executes dropped EXE
PID:2696 -
\??\c:\pddtpnr.exec:\pddtpnr.exe64⤵
- Executes dropped EXE
PID:836 -
\??\c:\jxrtp.exec:\jxrtp.exe65⤵
- Executes dropped EXE
PID:1548 -
\??\c:\fvfjtr.exec:\fvfjtr.exe66⤵PID:2116
-
\??\c:\rbpvh.exec:\rbpvh.exe67⤵PID:2220
-
\??\c:\ddlprdj.exec:\ddlprdj.exe68⤵PID:2264
-
\??\c:\jbnblbv.exec:\jbnblbv.exe69⤵PID:2524
-
\??\c:\rnbdx.exec:\rnbdx.exe70⤵PID:2452
-
\??\c:\tbfthx.exec:\tbfthx.exe71⤵
- System Location Discovery: System Language Discovery
PID:2272 -
\??\c:\pjflb.exec:\pjflb.exe72⤵PID:2312
-
\??\c:\rjjpt.exec:\rjjpt.exe73⤵PID:1388
-
\??\c:\dlbfj.exec:\dlbfj.exe74⤵PID:760
-
\??\c:\brxvbfr.exec:\brxvbfr.exe75⤵PID:780
-
\??\c:\jtntbxd.exec:\jtntbxd.exe76⤵PID:1052
-
\??\c:\frprlr.exec:\frprlr.exe77⤵PID:2724
-
\??\c:\fvtnp.exec:\fvtnp.exe78⤵PID:1504
-
\??\c:\jfxvrd.exec:\jfxvrd.exe79⤵PID:676
-
\??\c:\rvtbf.exec:\rvtbf.exe80⤵PID:776
-
\??\c:\rvjtrtv.exec:\rvjtrtv.exe81⤵PID:1768
-
\??\c:\dnxhdfb.exec:\dnxhdfb.exe82⤵PID:2600
-
\??\c:\ldvjv.exec:\ldvjv.exe83⤵PID:2676
-
\??\c:\xprtpbn.exec:\xprtpbn.exe84⤵PID:2268
-
\??\c:\tnnvdl.exec:\tnnvdl.exe85⤵PID:2132
-
\??\c:\jfxbxjb.exec:\jfxbxjb.exe86⤵PID:1804
-
\??\c:\bhhlb.exec:\bhhlb.exe87⤵PID:2392
-
\??\c:\dtrdp.exec:\dtrdp.exe88⤵PID:1720
-
\??\c:\rdtnp.exec:\rdtnp.exe89⤵PID:2896
-
\??\c:\vdfxf.exec:\vdfxf.exe90⤵PID:2472
-
\??\c:\rdphlhb.exec:\rdphlhb.exe91⤵PID:2892
-
\??\c:\bbrxn.exec:\bbrxn.exe92⤵PID:2584
-
\??\c:\xpdxlx.exec:\xpdxlx.exe93⤵PID:2976
-
\??\c:\tlnlvb.exec:\tlnlvb.exe94⤵PID:3020
-
\??\c:\pplvn.exec:\pplvn.exe95⤵PID:2864
-
\??\c:\ntxnbxj.exec:\ntxnbxj.exe96⤵PID:2372
-
\??\c:\dhnxr.exec:\dhnxr.exe97⤵PID:2792
-
\??\c:\prpjrf.exec:\prpjrf.exe98⤵PID:932
-
\??\c:\hhrntt.exec:\hhrntt.exe99⤵PID:2784
-
\??\c:\jrnrt.exec:\jrnrt.exe100⤵PID:2256
-
\??\c:\dhlnfv.exec:\dhlnfv.exe101⤵PID:2596
-
\??\c:\pdhjnhb.exec:\pdhjnhb.exe102⤵PID:592
-
\??\c:\fhnhd.exec:\fhnhd.exe103⤵PID:1744
-
\??\c:\trjfdl.exec:\trjfdl.exe104⤵PID:2952
-
\??\c:\dvrvpdf.exec:\dvrvpdf.exe105⤵PID:1532
-
\??\c:\nrhrh.exec:\nrhrh.exe106⤵PID:3044
-
\??\c:\fbnfxvl.exec:\fbnfxvl.exe107⤵
- System Location Discovery: System Language Discovery
PID:3028 -
\??\c:\xfxtr.exec:\xfxtr.exe108⤵PID:316
-
\??\c:\nvdxrpn.exec:\nvdxrpn.exe109⤵PID:2128
-
\??\c:\fjhphd.exec:\fjhphd.exe110⤵PID:2496
-
\??\c:\llnpnb.exec:\llnpnb.exe111⤵PID:2444
-
\??\c:\nlbnxp.exec:\nlbnxp.exe112⤵PID:2528
-
\??\c:\hnptt.exec:\hnptt.exe113⤵PID:2808
-
\??\c:\dlplb.exec:\dlplb.exe114⤵PID:2932
-
\??\c:\ltddxx.exec:\ltddxx.exe115⤵PID:2308
-
\??\c:\fjpvp.exec:\fjpvp.exe116⤵PID:2252
-
\??\c:\fphbfvd.exec:\fphbfvd.exe117⤵PID:1760
-
\??\c:\lrfjhdh.exec:\lrfjhdh.exe118⤵PID:2284
-
\??\c:\dtdtrfv.exec:\dtdtrfv.exe119⤵PID:2564
-
\??\c:\hrrjdbd.exec:\hrrjdbd.exe120⤵PID:1844
-
\??\c:\ffdtjhp.exec:\ffdtjhp.exe121⤵PID:560
-
\??\c:\ddhvd.exec:\ddhvd.exe122⤵PID:980