Analysis
-
max time kernel
150s -
max time network
124s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64 arch:x86 image:win7-20241010-en locale:en-us os:windows7-x64 system -
submitted
27/01/2025, 20:50
Behavioral task
behavioral1
Sample
27b18a80d30e05cdb4af40d402b77147c4356c22293429bb5d107a9e64abab65.exe
Resource
win7-20241010-en
7 signatures
150 seconds
General
-
Target
27b18a80d30e05cdb4af40d402b77147c4356c22293429bb5d107a9e64abab65.exe
-
Size
335KB
-
MD5
2f47f107a2a7722bbc816168694ad283
-
SHA1
795376aba2adb8c335753ae62064d02408862024
-
SHA256
27b18a80d30e05cdb4af40d402b77147c4356c22293429bb5d107a9e64abab65
-
SHA512
4682ec2838ef227bc0eb323cbfa1bfa203bde5b60af5a56fb18cfebba278a2cb9e9dbc243efd6e7c011f33b06a3856384c58bd31a315dc6c98b280ed8cedd847
-
SSDEEP
6144:Lcm4FmowdHoSHt251UriZFwfsDX2UznsaFVNJCMKAbeHB:R4wFHoSHYHUrAwfMp3CDh
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 51 IoCs
resource yara_rule behavioral1/memory/2408-11-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2188-6-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1104-26-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2108-33-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/368-41-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2808-45-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/3068-54-0x00000000002A0000-0x00000000002C7000-memory.dmp family_blackmoon behavioral1/memory/3068-58-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1264-74-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1904-89-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2120-103-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2116-113-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1880-129-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1152-137-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1208-145-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2024-155-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2000-163-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2252-187-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1796-211-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/3032-219-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/744-227-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon 
behavioral1/memory/988-232-0x00000000002C0000-0x00000000002E7000-memory.dmp family_blackmoon behavioral1/memory/1732-244-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/772-267-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1896-285-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2336-292-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2408-313-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1760-319-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2964-331-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2788-348-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2724-382-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2288-447-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2236-469-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1344-475-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/396-486-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/1184-512-0x0000000000230000-0x0000000000257000-memory.dmp family_blackmoon behavioral1/memory/1884-520-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2540-534-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2400-540-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2632-589-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2456-588-0x00000000002B0000-0x00000000002D7000-memory.dmp family_blackmoon behavioral1/memory/2196-590-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral1/memory/2764-624-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2680-663-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2120-662-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/1460-674-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/1788-763-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1724-830-0x0000000000230000-0x0000000000257000-memory.dmp family_blackmoon behavioral1/memory/288-839-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2452-1093-0x0000000077580000-0x000000007769F000-memory.dmp family_blackmoon behavioral1/memory/2452-8643-0x0000000077580000-0x000000007769F000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2408 jnxxvxd.exe 1104 jdjhv.exe 2108 rjfrt.exe 368 rpppbh.exe 2808 hhrdh.exe 3068 prlvht.exe 2812 nbtvpr.exe 1264 prhplrx.exe 2700 fttphrr.exe 1904 tptfptx.exe 2692 bxvvvxl.exe 2120 hjhnd.exe 2116 ljdpx.exe 2664 nlbtbxb.exe 1880 bhfxr.exe 1152 phfnr.exe 1208 rxbppr.exe 2024 nfjpbr.exe 2000 vfhtxfn.exe 2916 bdrrvhh.exe 3004 ffftdb.exe 2252 rnfjrf.exe 2348 hjnrttv.exe 2424 xvttp.exe 1796 jvrlr.exe 3032 rjhldf.exe 744 vdplhp.exe 988 bnfld.exe 1732 xjhtd.exe 1192 lvxfxr.exe 640 bjvjl.exe 772 hjnbr.exe 2312 djhffp.exe 552 jxvhxh.exe 1896 vhlhpjn.exe 2336 xtxvnj.exe 2456 hnxlffh.exe 1604 xnhdpnd.exe 2408 tfpvfff.exe 1760 bbbnj.exe 1384 tpxltp.exe 2964 xlllj.exe 2872 bfxxf.exe 2892 tnnbb.exe 2920 xpnrvnj.exe 2788 pvdbhnf.exe 2812 bxndlp.exe 3000 vvltdd.exe 2928 thbdj.exe 2852 llfhh.exe 2724 lldnxdx.exe 2696 tnlxb.exe 1960 xtdrr.exe 1200 rpvfx.exe 2736 vjbxfh.exe 2028 txtxv.exe 1032 jjdfttj.exe 1888 njvvbt.exe 1640 hlffdpx.exe 1208 fdtnvvb.exe 1660 phfvtx.exe 1984 dhfrhtb.exe 2288 bpbvlt.exe 2940 bxbht.exe -
resource yara_rule behavioral1/memory/2188-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000e000000012267-8.dat upx behavioral1/memory/2408-11-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2188-6-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/1104-17-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000a000000016d64-16.dat upx behavioral1/files/0x0008000000016d69-25.dat upx behavioral1/memory/1104-26-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0007000000016fc9-34.dat upx behavioral1/memory/2108-33-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/368-41-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0007000000016fe5-42.dat upx behavioral1/memory/2808-45-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00070000000170f8-50.dat upx behavioral1/memory/3068-58-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0009000000016d3f-59.dat upx behavioral1/files/0x000800000001756e-66.dat upx behavioral1/files/0x00050000000195b3-73.dat upx behavioral1/memory/1264-74-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00050000000195b5-82.dat upx behavioral1/files/0x00050000000195b7-88.dat upx behavioral1/memory/1904-89-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00050000000195bb-96.dat upx behavioral1/files/0x00050000000195bd-105.dat upx behavioral1/memory/2120-103-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00050000000195c1-114.dat upx behavioral1/memory/2116-113-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00050000000195c3-122.dat upx behavioral1/memory/1880-129-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00050000000195c5-130.dat upx behavioral1/memory/1152-137-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral1/files/0x00050000000195c6-138.dat upx behavioral1/files/0x00050000000195c7-146.dat upx behavioral1/memory/1208-145-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2024-155-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2000-156-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001960c-154.dat upx behavioral1/files/0x0005000000019643-164.dat upx behavioral1/memory/2000-163-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001975a-171.dat upx behavioral1/memory/2252-180-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0005000000019761-179.dat upx behavioral1/memory/2252-187-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00050000000197fd-188.dat upx behavioral1/files/0x0005000000019820-195.dat upx behavioral1/memory/2424-200-0x0000000000220000-0x0000000000247000-memory.dmp upx behavioral1/files/0x000500000001998d-203.dat upx behavioral1/files/0x0005000000019bf5-212.dat upx behavioral1/memory/3032-219-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0005000000019bf6-220.dat upx behavioral1/memory/744-227-0x0000000000220000-0x0000000000247000-memory.dmp upx behavioral1/files/0x0005000000019bf9-228.dat upx behavioral1/memory/988-232-0x00000000002C0000-0x00000000002E7000-memory.dmp upx behavioral1/files/0x0005000000019c3c-237.dat upx behavioral1/memory/1732-244-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0005000000019d61-245.dat upx behavioral1/memory/1192-249-0x0000000000220000-0x0000000000247000-memory.dmp upx behavioral1/files/0x0005000000019d62-254.dat upx behavioral1/files/0x0005000000019d6d-260.dat upx behavioral1/memory/772-267-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/1896-278-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/1896-285-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral1/memory/2336-292-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2408-311-0x00000000003A0000-0x00000000003C7000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fbtrnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xpvfbpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bvvjxvb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nrxpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rjhldf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdlrhnd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnplpvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xplfn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pnvhrlv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rdxfnp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdnlj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdffxv.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jbrrvl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ljfjlr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language brljhj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdjhv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrnrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xnttd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nprhd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rdthbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vtlxrv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjntppd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ntdjdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rnxjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pnnvfh.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jxrvtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xjfbj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nrblnj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dxbbpxb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lttbht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thbdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dlvll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lhjljdd.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2188 wrote to memory of 2408 2188 27b18a80d30e05cdb4af40d402b77147c4356c22293429bb5d107a9e64abab65.exe 30 PID 2188 wrote to memory of 2408 2188 27b18a80d30e05cdb4af40d402b77147c4356c22293429bb5d107a9e64abab65.exe 30 PID 2188 wrote to memory of 2408 2188 27b18a80d30e05cdb4af40d402b77147c4356c22293429bb5d107a9e64abab65.exe 30 PID 2188 wrote to memory of 2408 2188 27b18a80d30e05cdb4af40d402b77147c4356c22293429bb5d107a9e64abab65.exe 30 PID 2408 wrote to memory of 1104 2408 jnxxvxd.exe 31 PID 2408 wrote to memory of 1104 2408 jnxxvxd.exe 31 PID 2408 wrote to memory of 1104 2408 jnxxvxd.exe 31 PID 2408 wrote to memory of 1104 2408 jnxxvxd.exe 31 PID 1104 wrote to memory of 2108 1104 jdjhv.exe 32 PID 1104 wrote to memory of 2108 1104 jdjhv.exe 32 PID 1104 wrote to memory of 2108 1104 jdjhv.exe 32 PID 1104 wrote to memory of 2108 1104 jdjhv.exe 32 PID 2108 wrote to memory of 368 2108 rjfrt.exe 33 PID 2108 wrote to memory of 368 2108 rjfrt.exe 33 PID 2108 wrote to memory of 368 2108 rjfrt.exe 33 PID 2108 wrote to memory of 368 2108 rjfrt.exe 33 PID 368 wrote to memory of 2808 368 rpppbh.exe 34 PID 368 wrote to memory of 2808 368 rpppbh.exe 34 PID 368 wrote to memory of 2808 368 rpppbh.exe 34 PID 368 wrote to memory of 2808 368 rpppbh.exe 34 PID 2808 wrote to memory of 3068 2808 hhrdh.exe 35 PID 2808 wrote to memory of 3068 2808 hhrdh.exe 35 PID 2808 wrote to memory of 3068 2808 hhrdh.exe 35 PID 2808 wrote to memory of 3068 2808 hhrdh.exe 35 PID 3068 wrote to memory of 2812 3068 prlvht.exe 36 PID 3068 wrote to memory of 2812 3068 prlvht.exe 36 PID 3068 wrote to memory of 2812 3068 prlvht.exe 36 PID 3068 wrote to memory of 2812 3068 prlvht.exe 36 PID 2812 wrote to memory of 1264 2812 nbtvpr.exe 37 PID 2812 wrote to memory of 1264 2812 nbtvpr.exe 37 PID 2812 wrote to memory of 1264 2812 nbtvpr.exe 37 PID 2812 wrote to memory of 1264 2812 nbtvpr.exe 37 PID 1264 wrote to memory of 2700 1264 prhplrx.exe 38 PID 1264 wrote to memory of 2700 
1264 prhplrx.exe 38 PID 1264 wrote to memory of 2700 1264 prhplrx.exe 38 PID 1264 wrote to memory of 2700 1264 prhplrx.exe 38 PID 2700 wrote to memory of 1904 2700 fttphrr.exe 39 PID 2700 wrote to memory of 1904 2700 fttphrr.exe 39 PID 2700 wrote to memory of 1904 2700 fttphrr.exe 39 PID 2700 wrote to memory of 1904 2700 fttphrr.exe 39 PID 1904 wrote to memory of 2692 1904 tptfptx.exe 40 PID 1904 wrote to memory of 2692 1904 tptfptx.exe 40 PID 1904 wrote to memory of 2692 1904 tptfptx.exe 40 PID 1904 wrote to memory of 2692 1904 tptfptx.exe 40 PID 2692 wrote to memory of 2120 2692 bxvvvxl.exe 41 PID 2692 wrote to memory of 2120 2692 bxvvvxl.exe 41 PID 2692 wrote to memory of 2120 2692 bxvvvxl.exe 41 PID 2692 wrote to memory of 2120 2692 bxvvvxl.exe 41 PID 2120 wrote to memory of 2116 2120 hjhnd.exe 42 PID 2120 wrote to memory of 2116 2120 hjhnd.exe 42 PID 2120 wrote to memory of 2116 2120 hjhnd.exe 42 PID 2120 wrote to memory of 2116 2120 hjhnd.exe 42 PID 2116 wrote to memory of 2664 2116 ljdpx.exe 43 PID 2116 wrote to memory of 2664 2116 ljdpx.exe 43 PID 2116 wrote to memory of 2664 2116 ljdpx.exe 43 PID 2116 wrote to memory of 2664 2116 ljdpx.exe 43 PID 2664 wrote to memory of 1880 2664 nlbtbxb.exe 44 PID 2664 wrote to memory of 1880 2664 nlbtbxb.exe 44 PID 2664 wrote to memory of 1880 2664 nlbtbxb.exe 44 PID 2664 wrote to memory of 1880 2664 nlbtbxb.exe 44 PID 1880 wrote to memory of 1152 1880 bhfxr.exe 45 PID 1880 wrote to memory of 1152 1880 bhfxr.exe 45 PID 1880 wrote to memory of 1152 1880 bhfxr.exe 45 PID 1880 wrote to memory of 1152 1880 bhfxr.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\27b18a80d30e05cdb4af40d402b77147c4356c22293429bb5d107a9e64abab65.exe"C:\Users\Admin\AppData\Local\Temp\27b18a80d30e05cdb4af40d402b77147c4356c22293429bb5d107a9e64abab65.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2188 -
\??\c:\jnxxvxd.exec:\jnxxvxd.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2408 -
\??\c:\jdjhv.exec:\jdjhv.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1104 -
\??\c:\rjfrt.exec:\rjfrt.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2108 -
\??\c:\rpppbh.exec:\rpppbh.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:368 -
\??\c:\hhrdh.exec:\hhrdh.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2808 -
\??\c:\prlvht.exec:\prlvht.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3068 -
\??\c:\nbtvpr.exec:\nbtvpr.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2812 -
\??\c:\prhplrx.exec:\prhplrx.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1264 -
\??\c:\fttphrr.exec:\fttphrr.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2700 -
\??\c:\tptfptx.exec:\tptfptx.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1904 -
\??\c:\bxvvvxl.exec:\bxvvvxl.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2692 -
\??\c:\hjhnd.exec:\hjhnd.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2120 -
\??\c:\ljdpx.exec:\ljdpx.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2116 -
\??\c:\nlbtbxb.exec:\nlbtbxb.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2664 -
\??\c:\bhfxr.exec:\bhfxr.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1880 -
\??\c:\phfnr.exec:\phfnr.exe17⤵
- Executes dropped EXE
PID:1152 -
\??\c:\rxbppr.exec:\rxbppr.exe18⤵
- Executes dropped EXE
PID:1208 -
\??\c:\nfjpbr.exec:\nfjpbr.exe19⤵
- Executes dropped EXE
PID:2024 -
\??\c:\vfhtxfn.exec:\vfhtxfn.exe20⤵
- Executes dropped EXE
PID:2000 -
\??\c:\bdrrvhh.exec:\bdrrvhh.exe21⤵
- Executes dropped EXE
PID:2916 -
\??\c:\ffftdb.exec:\ffftdb.exe22⤵
- Executes dropped EXE
PID:3004 -
\??\c:\rnfjrf.exec:\rnfjrf.exe23⤵
- Executes dropped EXE
PID:2252 -
\??\c:\hjnrttv.exec:\hjnrttv.exe24⤵
- Executes dropped EXE
PID:2348 -
\??\c:\xvttp.exec:\xvttp.exe25⤵
- Executes dropped EXE
PID:2424 -
\??\c:\jvrlr.exec:\jvrlr.exe26⤵
- Executes dropped EXE
PID:1796 -
\??\c:\rjhldf.exec:\rjhldf.exe27⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3032 -
\??\c:\vdplhp.exec:\vdplhp.exe28⤵
- Executes dropped EXE
PID:744 -
\??\c:\bnfld.exec:\bnfld.exe29⤵
- Executes dropped EXE
PID:988 -
\??\c:\xjhtd.exec:\xjhtd.exe30⤵
- Executes dropped EXE
PID:1732 -
\??\c:\lvxfxr.exec:\lvxfxr.exe31⤵
- Executes dropped EXE
PID:1192 -
\??\c:\bjvjl.exec:\bjvjl.exe32⤵
- Executes dropped EXE
PID:640 -
\??\c:\hjnbr.exec:\hjnbr.exe33⤵
- Executes dropped EXE
PID:772 -
\??\c:\djhffp.exec:\djhffp.exe34⤵
- Executes dropped EXE
PID:2312 -
\??\c:\jxvhxh.exec:\jxvhxh.exe35⤵
- Executes dropped EXE
PID:552 -
\??\c:\vhlhpjn.exec:\vhlhpjn.exe36⤵
- Executes dropped EXE
PID:1896 -
\??\c:\xtxvnj.exec:\xtxvnj.exe37⤵
- Executes dropped EXE
PID:2336 -
\??\c:\hnxlffh.exec:\hnxlffh.exe38⤵
- Executes dropped EXE
PID:2456 -
\??\c:\xnhdpnd.exec:\xnhdpnd.exe39⤵
- Executes dropped EXE
PID:1604 -
\??\c:\tfpvfff.exec:\tfpvfff.exe40⤵
- Executes dropped EXE
PID:2408 -
\??\c:\bbbnj.exec:\bbbnj.exe41⤵
- Executes dropped EXE
PID:1760 -
\??\c:\tpxltp.exec:\tpxltp.exe42⤵
- Executes dropped EXE
PID:1384 -
\??\c:\xlllj.exec:\xlllj.exe43⤵
- Executes dropped EXE
PID:2964 -
\??\c:\bfxxf.exec:\bfxxf.exe44⤵
- Executes dropped EXE
PID:2872 -
\??\c:\tnnbb.exec:\tnnbb.exe45⤵
- Executes dropped EXE
PID:2892 -
\??\c:\xpnrvnj.exec:\xpnrvnj.exe46⤵
- Executes dropped EXE
PID:2920 -
\??\c:\pvdbhnf.exec:\pvdbhnf.exe47⤵
- Executes dropped EXE
PID:2788 -
\??\c:\bxndlp.exec:\bxndlp.exe48⤵
- Executes dropped EXE
PID:2812 -
\??\c:\vvltdd.exec:\vvltdd.exe49⤵
- Executes dropped EXE
PID:3000 -
\??\c:\thbdj.exec:\thbdj.exe50⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2928 -
\??\c:\llfhh.exec:\llfhh.exe51⤵
- Executes dropped EXE
PID:2852 -
\??\c:\lldnxdx.exec:\lldnxdx.exe52⤵
- Executes dropped EXE
PID:2724 -
\??\c:\tnlxb.exec:\tnlxb.exe53⤵
- Executes dropped EXE
PID:2696 -
\??\c:\xtdrr.exec:\xtdrr.exe54⤵
- Executes dropped EXE
PID:1960 -
\??\c:\rpvfx.exec:\rpvfx.exe55⤵
- Executes dropped EXE
PID:1200 -
\??\c:\vjbxfh.exec:\vjbxfh.exe56⤵
- Executes dropped EXE
PID:2736 -
\??\c:\txtxv.exec:\txtxv.exe57⤵
- Executes dropped EXE
PID:2028 -
\??\c:\jjdfttj.exec:\jjdfttj.exe58⤵
- Executes dropped EXE
PID:1032 -
\??\c:\njvvbt.exec:\njvvbt.exe59⤵
- Executes dropped EXE
PID:1888 -
\??\c:\hlffdpx.exec:\hlffdpx.exe60⤵
- Executes dropped EXE
PID:1640 -
\??\c:\fdtnvvb.exec:\fdtnvvb.exe61⤵
- Executes dropped EXE
PID:1208 -
\??\c:\phfvtx.exec:\phfvtx.exe62⤵
- Executes dropped EXE
PID:1660 -
\??\c:\dhfrhtb.exec:\dhfrhtb.exe63⤵
- Executes dropped EXE
PID:1984 -
\??\c:\bpbvlt.exec:\bpbvlt.exe64⤵
- Executes dropped EXE
PID:2288 -
\??\c:\bxbht.exec:\bxbht.exe65⤵
- Executes dropped EXE
PID:2940 -
\??\c:\brntbpl.exec:\brntbpl.exe66⤵PID:2636
-
\??\c:\rldln.exec:\rldln.exe67⤵PID:3004
-
\??\c:\hpfljh.exec:\hpfljh.exe68⤵PID:2236
-
\??\c:\hdljb.exec:\hdljb.exe69⤵PID:1344
-
\??\c:\jtrvnl.exec:\jtrvnl.exe70⤵PID:880
-
\??\c:\vtlxrv.exec:\vtlxrv.exe71⤵
- System Location Discovery: System Language Discovery
PID:396 -
\??\c:\xdjbx.exec:\xdjbx.exe72⤵PID:1796
-
\??\c:\vvpxnbn.exec:\vvpxnbn.exe73⤵PID:1788
-
\??\c:\ddvdhn.exec:\ddvdhn.exe74⤵PID:1284
-
\??\c:\fhjrb.exec:\fhjrb.exe75⤵PID:2652
-
\??\c:\jtpph.exec:\jtpph.exe76⤵PID:1184
-
\??\c:\fbtrnt.exec:\fbtrnt.exe77⤵
- System Location Discovery: System Language Discovery
PID:1028 -
\??\c:\nfhdr.exec:\nfhdr.exe78⤵PID:1884
-
\??\c:\hrnflth.exec:\hrnflth.exe79⤵PID:580
-
\??\c:\ltrjpb.exec:\ltrjpb.exe80⤵PID:2540
-
\??\c:\fvxbfxt.exec:\fvxbfxt.exe81⤵PID:2400
-
\??\c:\jjvtnx.exec:\jjvtnx.exe82⤵PID:1768
-
\??\c:\pxhptl.exec:\pxhptl.exe83⤵PID:264
-
\??\c:\fjfjfb.exec:\fjfjfb.exe84⤵PID:1620
-
\??\c:\pftlxbf.exec:\pftlxbf.exe85⤵PID:1720
-
\??\c:\nrhhhdb.exec:\nrhhhdb.exe86⤵PID:288
-
\??\c:\vpvnlr.exec:\vpvnlr.exe87⤵PID:2456
-
\??\c:\vvnlj.exec:\vvnlj.exe88⤵PID:2384
-
\??\c:\ljnxb.exec:\ljnxb.exe89⤵PID:2076
-
\??\c:\lpddfn.exec:\lpddfn.exe90⤵PID:2632
-
\??\c:\vddlldf.exec:\vddlldf.exe91⤵PID:2196
-
\??\c:\flpfppf.exec:\flpfppf.exe92⤵PID:2820
-
\??\c:\xjdppvd.exec:\xjdppvd.exe93⤵PID:516
-
\??\c:\hpjnpl.exec:\hpjnpl.exe94⤵PID:2824
-
\??\c:\nrbvtjd.exec:\nrbvtjd.exe95⤵PID:3056
-
\??\c:\plvrlvb.exec:\plvrlvb.exe96⤵PID:2952
-
\??\c:\jdlnjx.exec:\jdlnjx.exe97⤵PID:2764
-
\??\c:\hfpfpjt.exec:\hfpfpjt.exe98⤵PID:1264
-
\??\c:\ffvlp.exec:\ffvlp.exe99⤵PID:2792
-
\??\c:\pfpdj.exec:\pfpdj.exe100⤵PID:2680
-
\??\c:\frpfvx.exec:\frpfvx.exe101⤵PID:2748
-
\??\c:\fjvvtd.exec:\fjvvtd.exe102⤵PID:524
-
\??\c:\nvdvn.exec:\nvdvn.exe103⤵PID:2120
-
\??\c:\rxbtpn.exec:\rxbtpn.exe104⤵PID:3016
-
\??\c:\hrblfbp.exec:\hrblfbp.exe105⤵PID:1460
-
\??\c:\fjtfjff.exec:\fjtfjff.exe106⤵PID:692
-
\??\c:\dntvbtp.exec:\dntvbtp.exe107⤵PID:1656
-
\??\c:\vhlhnlj.exec:\vhlhnlj.exe108⤵PID:2364
-
\??\c:\xdpbfhj.exec:\xdpbfhj.exe109⤵PID:2576
-
\??\c:\jplvd.exec:\jplvd.exe110⤵PID:1924
-
\??\c:\vfhrd.exec:\vfhrd.exe111⤵PID:2024
-
\??\c:\lvhlhj.exec:\lvhlhj.exe112⤵PID:1992
-
\??\c:\xflfdb.exec:\xflfdb.exe113⤵PID:1764
-
\??\c:\xfxpbx.exec:\xfxpbx.exe114⤵PID:3020
-
\??\c:\dhbbtrp.exec:\dhbbtrp.exe115⤵PID:2276
-
\??\c:\dftbfd.exec:\dftbfd.exe116⤵PID:1696
-
\??\c:\fdjlndb.exec:\fdjlndb.exe117⤵PID:2100
-
\??\c:\rnvjrhv.exec:\rnvjrhv.exe118⤵PID:1928
-
\??\c:\ttvtppb.exec:\ttvtppb.exe119⤵PID:1808
-
\??\c:\rfrfxld.exec:\rfrfxld.exe120⤵PID:2772
-
\??\c:\nxpvplj.exec:\nxpvplj.exe121⤵PID:2588
-
\??\c:\jrxth.exec:\jrxth.exe122⤵PID:1752