Analysis
-
max time kernel
120s -
max time network
19s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64 arch:x86 image:win7-20241010-en locale:en-us os:windows7-x64 system -
submitted
08/01/2025, 04:53
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
fb6462cbf2981353ecf854aaafa90971f7d8ac6fda3315d70eebd2f9587656aaN.exe
Resource
win7-20241010-en
7 signatures
120 seconds
General
-
Target
fb6462cbf2981353ecf854aaafa90971f7d8ac6fda3315d70eebd2f9587656aaN.exe
-
Size
454KB
-
MD5
93e7a04c0c38b78117ea6718d36de650
-
SHA1
ea92c0589c7c37b23be137cb96535bb4e6529d86
-
SHA256
fb6462cbf2981353ecf854aaafa90971f7d8ac6fda3315d70eebd2f9587656aa
-
SHA512
ad133aaaa031b2edd8a47b8b9f9152c785b64dd03ba2bddec981f04e14eea5fea7f3cbf4fc8770fe610fea21d36539468758cc56f0bb330ac15d32fd4725a8e3
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbejr:q7Tc2NYHUrAwfMp3CDv
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 52 IoCs
resource yara_rule behavioral1/memory/2332-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1968-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2324-24-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2324-28-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2416-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2808-46-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2808-47-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/2120-68-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2788-70-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2788-73-0x00000000005C0000-0x00000000005EA000-memory.dmp family_blackmoon behavioral1/memory/2656-80-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1928-89-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2580-104-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2996-112-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2836-123-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/460-131-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1760-157-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2404-167-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1920-177-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3056-198-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1140-208-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/680-216-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1152-225-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/680-246-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1008-245-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/572-271-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2116-296-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1888-319-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2876-356-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2864-365-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1688-379-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1716-388-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2360-387-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2360-386-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2916-419-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/2280-452-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2052-472-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2052-493-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/600-506-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2012-537-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/2284-550-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2012-557-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon 
behavioral1/memory/2444-560-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2284-571-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2536-587-0x00000000002B0000-0x00000000002DA000-memory.dmp family_blackmoon behavioral1/memory/1888-604-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2624-651-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1928-671-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1624-687-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2976-698-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1072-725-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/3004-756-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1968 dbnjj.exe 2324 vhjnxhr.exe 2416 tttfdhd.exe 2808 ntprj.exe 2736 jdxfb.exe 2120 bnttd.exe 2788 npdtdl.exe 2656 hnfpn.exe 1928 dlrhl.exe 2580 fpfphl.exe 2996 lvnbp.exe 2836 dvnbprf.exe 460 hxtxnh.exe 2772 bbxhp.exe 804 vltnjnr.exe 1760 rtnln.exe 2404 xvxrb.exe 1920 xvhpn.exe 1116 fltdj.exe 3056 bdltt.exe 1140 rxndxph.exe 680 bldjtd.exe 1152 nvpntxx.exe 628 dbhblp.exe 764 bdhdtdt.exe 1008 hfjxf.exe 1792 ndvvnpt.exe 2276 bjltbj.exe 572 xxlrnnt.exe 1740 npnltxr.exe 2116 fdfhbn.exe 2332 tfphpp.exe 2880 pjlbfp.exe 1888 vjpxjx.exe 2408 xbndv.exe 2700 phrdtfl.exe 2368 lnjnpdj.exe 2600 hpbpn.exe 2876 jfjfdtf.exe 1716 fbvft.exe 2864 fdvfb.exe 1688 bbtjlv.exe 2360 rvxbtlj.exe 2652 brbhjfd.exe 2900 pjnlb.exe 1624 dtjtjb.exe 2912 jdljf.exe 2916 rxbtrv.exe 2964 xhdvld.exe 792 bdxbbhv.exe 1360 thxxjhr.exe 804 dbdvrxv.exe 1924 ttdfbx.exe 2280 hlvbf.exe 2000 xlrfpp.exe 2052 flrnpnj.exe 2060 vxxjlrd.exe 1200 tthjntv.exe 1196 ddpntn.exe 1140 xxthx.exe 600 lvnlff.exe 288 bxpnn.exe 2228 hhbpvdj.exe 1904 btlhjlx.exe -
resource yara_rule behavioral1/memory/2332-0-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2332-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1968-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2324-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2416-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2416-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2808-46-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2120-59-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2120-68-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2788-70-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2656-80-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1928-89-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2580-104-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2996-112-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2836-123-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/460-131-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2772-133-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1760-157-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1920-168-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2404-167-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1920-177-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3056-188-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3056-198-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1140-208-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/680-216-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1152-225-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1008-245-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/572-271-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1740-280-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2116-296-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1888-319-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2408-320-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2700-328-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2368-335-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1716-357-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2876-356-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2864-365-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1688-379-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2360-386-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2964-420-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2280-452-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2000-459-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2052-472-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1200-479-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1196-486-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2012-557-0x00000000003B0000-0x00000000003DA000-memory.dmp upx behavioral1/memory/2444-560-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2536-587-0x00000000002B0000-0x00000000002DA000-memory.dmp upx 
behavioral1/memory/2724-605-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2712-627-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2624-651-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1624-684-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1072-718-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1988-726-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2044-733-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1072-746-0x00000000001B0000-0x00000000001DA000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ndvvnpt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpxdbrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrrxn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fbptnx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lbndb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rvvvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddpnhbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rpxvvl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pfrpt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htvnndh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vptxxb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fdhxj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vffblx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language plhnbf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dppht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language plblxd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxxfh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdbbph.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrfjn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vxxfhj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ljnxvvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jllxrd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xtljxnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnrpn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdhrvf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjhbvvh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvbxbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tlbvxrn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrdfxxp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbxhp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xhjhnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ljrdxn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhrtdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fvldbv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nrdbfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbvft.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbptxnd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdxbfxj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lnvrhff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fjnljtl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nndptp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language npdfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jbrrrv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rljltv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xbdfft.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2332 wrote to memory of 1968 2332 fb6462cbf2981353ecf854aaafa90971f7d8ac6fda3315d70eebd2f9587656aaN.exe 31 PID 2332 wrote to memory of 1968 2332 fb6462cbf2981353ecf854aaafa90971f7d8ac6fda3315d70eebd2f9587656aaN.exe 31 PID 2332 wrote to memory of 1968 2332 fb6462cbf2981353ecf854aaafa90971f7d8ac6fda3315d70eebd2f9587656aaN.exe 31 PID 2332 wrote to memory of 1968 2332 fb6462cbf2981353ecf854aaafa90971f7d8ac6fda3315d70eebd2f9587656aaN.exe 31 PID 1968 wrote to memory of 2324 1968 dbnjj.exe 32 PID 1968 wrote to memory of 2324 1968 dbnjj.exe 32 PID 1968 wrote to memory of 2324 1968 dbnjj.exe 32 PID 1968 wrote to memory of 2324 1968 dbnjj.exe 32 PID 2324 wrote to memory of 2416 2324 vhjnxhr.exe 33 PID 2324 wrote to memory of 2416 2324 vhjnxhr.exe 33 PID 2324 wrote to memory of 2416 2324 vhjnxhr.exe 33 PID 2324 wrote to memory of 2416 2324 vhjnxhr.exe 33 PID 2416 wrote to memory of 2808 2416 tttfdhd.exe 34 PID 2416 wrote to memory of 2808 2416 tttfdhd.exe 34 PID 2416 wrote to memory of 2808 2416 tttfdhd.exe 34 PID 2416 wrote to memory of 2808 2416 tttfdhd.exe 34 PID 2808 wrote to memory of 2736 2808 ntprj.exe 35 PID 2808 wrote to memory of 2736 2808 ntprj.exe 35 PID 2808 wrote to memory of 2736 2808 ntprj.exe 35 PID 2808 wrote to memory of 2736 2808 ntprj.exe 35 PID 2736 wrote to memory of 2120 2736 jdxfb.exe 36 PID 2736 wrote to memory of 2120 2736 jdxfb.exe 36 PID 2736 wrote to memory of 2120 2736 jdxfb.exe 36 PID 2736 wrote to memory of 2120 2736 jdxfb.exe 36 PID 2120 wrote to memory of 2788 2120 bnttd.exe 37 PID 2120 wrote to memory of 2788 2120 bnttd.exe 37 PID 2120 wrote to memory of 2788 2120 bnttd.exe 37 PID 2120 wrote to memory of 2788 2120 bnttd.exe 37 PID 2788 wrote to memory of 2656 2788 npdtdl.exe 38 PID 2788 wrote to memory of 2656 2788 npdtdl.exe 38 PID 2788 wrote to memory of 2656 2788 npdtdl.exe 38 PID 2788 wrote to memory of 2656 2788 npdtdl.exe 38 PID 2656 wrote to memory of 1928 2656 hnfpn.exe 39 PID 2656 wrote to 
memory of 1928 2656 hnfpn.exe 39 PID 2656 wrote to memory of 1928 2656 hnfpn.exe 39 PID 2656 wrote to memory of 1928 2656 hnfpn.exe 39 PID 1928 wrote to memory of 2580 1928 dlrhl.exe 40 PID 1928 wrote to memory of 2580 1928 dlrhl.exe 40 PID 1928 wrote to memory of 2580 1928 dlrhl.exe 40 PID 1928 wrote to memory of 2580 1928 dlrhl.exe 40 PID 2580 wrote to memory of 2996 2580 fpfphl.exe 41 PID 2580 wrote to memory of 2996 2580 fpfphl.exe 41 PID 2580 wrote to memory of 2996 2580 fpfphl.exe 41 PID 2580 wrote to memory of 2996 2580 fpfphl.exe 41 PID 2996 wrote to memory of 2836 2996 lvnbp.exe 42 PID 2996 wrote to memory of 2836 2996 lvnbp.exe 42 PID 2996 wrote to memory of 2836 2996 lvnbp.exe 42 PID 2996 wrote to memory of 2836 2996 lvnbp.exe 42 PID 2836 wrote to memory of 460 2836 dvnbprf.exe 43 PID 2836 wrote to memory of 460 2836 dvnbprf.exe 43 PID 2836 wrote to memory of 460 2836 dvnbprf.exe 43 PID 2836 wrote to memory of 460 2836 dvnbprf.exe 43 PID 460 wrote to memory of 2772 460 hxtxnh.exe 44 PID 460 wrote to memory of 2772 460 hxtxnh.exe 44 PID 460 wrote to memory of 2772 460 hxtxnh.exe 44 PID 460 wrote to memory of 2772 460 hxtxnh.exe 44 PID 2772 wrote to memory of 804 2772 bbxhp.exe 45 PID 2772 wrote to memory of 804 2772 bbxhp.exe 45 PID 2772 wrote to memory of 804 2772 bbxhp.exe 45 PID 2772 wrote to memory of 804 2772 bbxhp.exe 45 PID 804 wrote to memory of 1760 804 vltnjnr.exe 46 PID 804 wrote to memory of 1760 804 vltnjnr.exe 46 PID 804 wrote to memory of 1760 804 vltnjnr.exe 46 PID 804 wrote to memory of 1760 804 vltnjnr.exe 46
Processes
-
C:\Users\Admin\AppData\Local\Temp\fb6462cbf2981353ecf854aaafa90971f7d8ac6fda3315d70eebd2f9587656aaN.exe"C:\Users\Admin\AppData\Local\Temp\fb6462cbf2981353ecf854aaafa90971f7d8ac6fda3315d70eebd2f9587656aaN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2332 -
\??\c:\dbnjj.exec:\dbnjj.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1968 -
\??\c:\vhjnxhr.exec:\vhjnxhr.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2324 -
\??\c:\tttfdhd.exec:\tttfdhd.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2416 -
\??\c:\ntprj.exec:\ntprj.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2808 -
\??\c:\jdxfb.exec:\jdxfb.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2736 -
\??\c:\bnttd.exec:\bnttd.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2120 -
\??\c:\npdtdl.exec:\npdtdl.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2788 -
\??\c:\hnfpn.exec:\hnfpn.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2656 -
\??\c:\dlrhl.exec:\dlrhl.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1928 -
\??\c:\fpfphl.exec:\fpfphl.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2580 -
\??\c:\lvnbp.exec:\lvnbp.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2996 -
\??\c:\dvnbprf.exec:\dvnbprf.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2836 -
\??\c:\hxtxnh.exec:\hxtxnh.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:460 -
\??\c:\bbxhp.exec:\bbxhp.exe15⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2772 -
\??\c:\vltnjnr.exec:\vltnjnr.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:804 -
\??\c:\rtnln.exec:\rtnln.exe17⤵
- Executes dropped EXE
PID:1760 -
\??\c:\xvxrb.exec:\xvxrb.exe18⤵
- Executes dropped EXE
PID:2404 -
\??\c:\xvhpn.exec:\xvhpn.exe19⤵
- Executes dropped EXE
PID:1920 -
\??\c:\fltdj.exec:\fltdj.exe20⤵
- Executes dropped EXE
PID:1116 -
\??\c:\bdltt.exec:\bdltt.exe21⤵
- Executes dropped EXE
PID:3056 -
\??\c:\rxndxph.exec:\rxndxph.exe22⤵
- Executes dropped EXE
PID:1140 -
\??\c:\bldjtd.exec:\bldjtd.exe23⤵
- Executes dropped EXE
PID:680 -
\??\c:\nvpntxx.exec:\nvpntxx.exe24⤵
- Executes dropped EXE
PID:1152 -
\??\c:\dbhblp.exec:\dbhblp.exe25⤵
- Executes dropped EXE
PID:628 -
\??\c:\bdhdtdt.exec:\bdhdtdt.exe26⤵
- Executes dropped EXE
PID:764 -
\??\c:\hfjxf.exec:\hfjxf.exe27⤵
- Executes dropped EXE
PID:1008 -
\??\c:\ndvvnpt.exec:\ndvvnpt.exe28⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1792 -
\??\c:\bjltbj.exec:\bjltbj.exe29⤵
- Executes dropped EXE
PID:2276 -
\??\c:\xxlrnnt.exec:\xxlrnnt.exe30⤵
- Executes dropped EXE
PID:572 -
\??\c:\npnltxr.exec:\npnltxr.exe31⤵
- Executes dropped EXE
PID:1740 -
\??\c:\fdfhbn.exec:\fdfhbn.exe32⤵
- Executes dropped EXE
PID:2116 -
\??\c:\tfphpp.exec:\tfphpp.exe33⤵
- Executes dropped EXE
PID:2332 -
\??\c:\pjlbfp.exec:\pjlbfp.exe34⤵
- Executes dropped EXE
PID:2880 -
\??\c:\vjpxjx.exec:\vjpxjx.exe35⤵
- Executes dropped EXE
PID:1888 -
\??\c:\xbndv.exec:\xbndv.exe36⤵
- Executes dropped EXE
PID:2408 -
\??\c:\phrdtfl.exec:\phrdtfl.exe37⤵
- Executes dropped EXE
PID:2700 -
\??\c:\lnjnpdj.exec:\lnjnpdj.exe38⤵
- Executes dropped EXE
PID:2368 -
\??\c:\hpbpn.exec:\hpbpn.exe39⤵
- Executes dropped EXE
PID:2600 -
\??\c:\jfjfdtf.exec:\jfjfdtf.exe40⤵
- Executes dropped EXE
PID:2876 -
\??\c:\fbvft.exec:\fbvft.exe41⤵
- Executes dropped EXE
PID:1716 -
\??\c:\fdvfb.exec:\fdvfb.exe42⤵
- Executes dropped EXE
PID:2864 -
\??\c:\bbtjlv.exec:\bbtjlv.exe43⤵
- Executes dropped EXE
PID:1688 -
\??\c:\rvxbtlj.exec:\rvxbtlj.exe44⤵
- Executes dropped EXE
PID:2360 -
\??\c:\brbhjfd.exec:\brbhjfd.exe45⤵
- Executes dropped EXE
PID:2652 -
\??\c:\pjnlb.exec:\pjnlb.exe46⤵
- Executes dropped EXE
PID:2900 -
\??\c:\dtjtjb.exec:\dtjtjb.exe47⤵
- Executes dropped EXE
PID:1624 -
\??\c:\jdljf.exec:\jdljf.exe48⤵
- Executes dropped EXE
PID:2912 -
\??\c:\rxbtrv.exec:\rxbtrv.exe49⤵
- Executes dropped EXE
PID:2916 -
\??\c:\xhdvld.exec:\xhdvld.exe50⤵
- Executes dropped EXE
PID:2964 -
\??\c:\bdxbbhv.exec:\bdxbbhv.exe51⤵
- Executes dropped EXE
PID:792 -
\??\c:\thxxjhr.exec:\thxxjhr.exe52⤵
- Executes dropped EXE
PID:1360 -
\??\c:\dbdvrxv.exec:\dbdvrxv.exe53⤵
- Executes dropped EXE
PID:804 -
\??\c:\ttdfbx.exec:\ttdfbx.exe54⤵
- Executes dropped EXE
PID:1924 -
\??\c:\hlvbf.exec:\hlvbf.exe55⤵
- Executes dropped EXE
PID:2280 -
\??\c:\xlrfpp.exec:\xlrfpp.exe56⤵
- Executes dropped EXE
PID:2000 -
\??\c:\flrnpnj.exec:\flrnpnj.exe57⤵
- Executes dropped EXE
PID:2052 -
\??\c:\vxxjlrd.exec:\vxxjlrd.exe58⤵
- Executes dropped EXE
PID:2060 -
\??\c:\tthjntv.exec:\tthjntv.exe59⤵
- Executes dropped EXE
PID:1200 -
\??\c:\ddpntn.exec:\ddpntn.exe60⤵
- Executes dropped EXE
PID:1196 -
\??\c:\xxthx.exec:\xxthx.exe61⤵
- Executes dropped EXE
PID:1140 -
\??\c:\lvnlff.exec:\lvnlff.exe62⤵
- Executes dropped EXE
PID:600 -
\??\c:\bxpnn.exec:\bxpnn.exe63⤵
- Executes dropped EXE
PID:288 -
\??\c:\hhbpvdj.exec:\hhbpvdj.exe64⤵
- Executes dropped EXE
PID:2228 -
\??\c:\btlhjlx.exec:\btlhjlx.exe65⤵
- Executes dropped EXE
PID:1904 -
\??\c:\nhbhpfx.exec:\nhbhpfx.exe66⤵PID:1932
-
\??\c:\dbbfjp.exec:\dbbfjp.exe67⤵PID:2012
-
\??\c:\jxxxtl.exec:\jxxxtl.exe68⤵PID:2444
-
\??\c:\fxlbhf.exec:\fxlbhf.exe69⤵PID:2284
-
\??\c:\dpvvtn.exec:\dpvvtn.exe70⤵PID:2456
-
\??\c:\vbtrt.exec:\vbtrt.exe71⤵PID:2412
-
\??\c:\brlfnbd.exec:\brlfnbd.exe72⤵PID:884
-
\??\c:\tpndbxn.exec:\tpndbxn.exe73⤵PID:1952
-
\??\c:\pxlrtx.exec:\pxlrtx.exe74⤵PID:2524
-
\??\c:\jfhbhvp.exec:\jfhbhvp.exe75⤵PID:2536
-
\??\c:\rhnjln.exec:\rhnjln.exe76⤵PID:1696
-
\??\c:\xbdfft.exec:\xbdfft.exe77⤵
- System Location Discovery: System Language Discovery
PID:1888 -
\??\c:\ddphxfd.exec:\ddphxfd.exe78⤵PID:2724
-
\??\c:\tltjtn.exec:\tltjtn.exe79⤵PID:2744
-
\??\c:\dlxfnx.exec:\dlxfnx.exe80⤵PID:2808
-
\??\c:\vtbltvj.exec:\vtbltvj.exe81⤵PID:2712
-
\??\c:\vffblx.exec:\vffblx.exe82⤵
- System Location Discovery: System Language Discovery
PID:2628 -
\??\c:\fplvftt.exec:\fplvftt.exe83⤵PID:2616
-
\??\c:\dbhpxrv.exec:\dbhpxrv.exe84⤵PID:2624
-
\??\c:\jnbfxl.exec:\jnbfxl.exe85⤵PID:2256
-
\??\c:\nlbpjnn.exec:\nlbpjnn.exe86⤵PID:1244
-
\??\c:\xrxtvhh.exec:\xrxtvhh.exe87⤵PID:1928
-
\??\c:\ndhhtnt.exec:\ndhhtnt.exe88⤵PID:2652
-
\??\c:\pxvdnhp.exec:\pxvdnhp.exe89⤵PID:2920
-
\??\c:\nlhlrv.exec:\nlhlrv.exe90⤵PID:1624
-
\??\c:\xlnpnb.exec:\xlnpnb.exe91⤵PID:2976
-
\??\c:\fffdl.exec:\fffdl.exe92⤵PID:460
-
\??\c:\trdnrpv.exec:\trdnrpv.exe93⤵PID:896
-
\??\c:\bldjvhf.exec:\bldjvhf.exe94⤵PID:792
-
\??\c:\jphrlb.exec:\jphrlb.exe95⤵PID:1072
-
\??\c:\flbtd.exec:\flbtd.exe96⤵PID:1988
-
\??\c:\pvlrh.exec:\pvlrh.exe97⤵PID:2044
-
\??\c:\fvhvt.exec:\fvhvt.exe98⤵PID:2068
-
\??\c:\flrbjb.exec:\flrbjb.exe99⤵PID:2208
-
\??\c:\lntxtr.exec:\lntxtr.exe100⤵PID:3004
-
\??\c:\tlptd.exec:\tlptd.exe101⤵PID:3056
-
\??\c:\xvnvfj.exec:\xvnvfj.exe102⤵PID:1468
-
\??\c:\vrfnfh.exec:\vrfnfh.exe103⤵PID:1148
-
\??\c:\nljdl.exec:\nljdl.exe104⤵PID:904
-
\??\c:\jjldh.exec:\jjldh.exe105⤵PID:2108
-
\??\c:\nlrfbjn.exec:\nlrfbjn.exe106⤵PID:628
-
\??\c:\frhnhfd.exec:\frhnhfd.exe107⤵PID:2432
-
\??\c:\prdff.exec:\prdff.exe108⤵PID:1712
-
\??\c:\bvvff.exec:\bvvff.exe109⤵PID:548
-
\??\c:\hlxtt.exec:\hlxtt.exe110⤵PID:1532
-
\??\c:\bjhtf.exec:\bjhtf.exe111⤵PID:2276
-
\??\c:\nhdxd.exec:\nhdxd.exe112⤵PID:1464
-
\??\c:\flxxnjd.exec:\flxxnjd.exe113⤵PID:2336
-
\??\c:\vnlxfvj.exec:\vnlxfvj.exe114⤵PID:556
-
\??\c:\dhlxx.exec:\dhlxx.exe115⤵PID:2172
-
\??\c:\trbtpj.exec:\trbtpj.exe116⤵PID:1560
-
\??\c:\nxhjvv.exec:\nxhjvv.exe117⤵PID:1948
-
\??\c:\njblfr.exec:\njblfr.exe118⤵PID:1408
-
\??\c:\vltbxb.exec:\vltbxb.exe119⤵PID:2268
-
\??\c:\nhpvp.exec:\nhpvp.exe120⤵PID:2824
-
\??\c:\vxhbx.exec:\vxhbx.exe121⤵PID:2488
-
\??\c:\jjndvrt.exec:\jjndvrt.exe122⤵PID:2700
-