Analysis
-
max time kernel
150s -
max time network
126s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64 arch:x86 image:win7-20241010-en locale:en-us os:windows7-x64 system -
submitted
27/01/2025, 20:51
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
2bca218ae202b0310a43e6f1f4d30d4509da3d5322cd813cd3a6e2c316e8811e.exe
Resource
win7-20241010-en
7 signatures
150 seconds
General
-
Target
2bca218ae202b0310a43e6f1f4d30d4509da3d5322cd813cd3a6e2c316e8811e.exe
-
Size
454KB
-
MD5
373891f5042c85942afacca7707213c9
-
SHA1
4ba9967071b9eec00b3e3123758d67aea33a4826
-
SHA256
2bca218ae202b0310a43e6f1f4d30d4509da3d5322cd813cd3a6e2c316e8811e
-
SHA512
8b45c6760d551f21d58068771c6e9d96db36e7f22e7b028780124a348890ed4612ebf9c5e6a9708029e7f6749f6aa710548d9f1f8a59332faf4e3a3d6eada456
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeA:q7Tc2NYHUrAwfMp3CDA
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 48 IoCs
resource yara_rule behavioral1/memory/1104-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1888-25-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2488-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2532-16-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2808-44-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2808-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2720-55-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2832-64-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2820-70-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2820-75-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2572-95-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2836-114-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2984-134-0x0000000000330000-0x000000000035A000-memory.dmp family_blackmoon behavioral1/memory/520-129-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2984-140-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1640-148-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1920-167-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2500-191-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1196-203-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3016-201-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/904-229-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2444-261-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2284-275-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1948-315-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2872-328-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2120-355-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1928-400-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/2992-399-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1672-432-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/904-512-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/764-519-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/700-539-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2328-553-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/884-580-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/884-579-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2872-612-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2936-699-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2280-728-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1608-745-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/452-786-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2132-812-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2132-807-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon 
behavioral1/memory/2116-850-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2116-849-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2604-925-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2696-963-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/2008-1007-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2148-1124-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2532 lppvxd.exe 1888 pblvxd.exe 2488 dhnjxv.exe 2808 rfjbtf.exe 2720 vbrxj.exe 2832 phxdxhp.exe 2820 prpnbj.exe 2668 trtprdb.exe 2360 fvtxlvx.exe 2572 tpvnjd.exe 2900 pvbvrv.exe 2836 rrrphj.exe 520 xtvln.exe 2984 nnvdvx.exe 1640 ltfvx.exe 1760 jpbtppd.exe 828 nthdht.exe 1920 jppvvff.exe 2000 fxbfxb.exe 2500 nplxvl.exe 3016 lflbxv.exe 1196 dbpjnf.exe 1612 vhbfblb.exe 904 nnrdlh.exe 872 hhbpv.exe 1548 bxbhbjd.exe 2400 nxhhfx.exe 2444 fpbpfl.exe 2284 rbpnp.exe 2148 bpbftrr.exe 884 bhbvjhb.exe 2528 hfnhx.exe 1888 rhlpf.exe 1948 fljdbf.exe 1696 lbbfrpb.exe 2872 vppvph.exe 2812 jfxnvb.exe 2796 jtlndxl.exe 2436 hdtdbb.exe 2120 bxltlfn.exe 2616 djpdvfp.exe 2608 vjjjj.exe 2820 hvnhpp.exe 1928 jtxrbxb.exe 2188 npxrrfd.exe 2840 hvfdbjt.exe 2992 bvjxr.exe 2784 hdhfdx.exe 2960 dxvhpbb.exe 2924 dtlxl.exe 2948 pbptpl.exe 1672 vdpph.exe 1676 trvfrxl.exe 1908 fpnhxtx.exe 2692 prvvvbh.exe 2556 bnthhr.exe 1920 bdhrp.exe 1056 hvbfpf.exe 3004 brhfvx.exe 1308 tdltl.exe 1796 xnflp.exe 996 xlbhf.exe 988 rdtrt.exe 904 fnvbpr.exe -
resource yara_rule behavioral1/memory/1104-0-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1104-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1888-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2488-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2532-16-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2808-44-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2808-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2720-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2832-64-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2820-75-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2572-95-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2836-114-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/520-129-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2984-140-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1640-148-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1920-167-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2500-191-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1196-203-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3016-201-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/904-229-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/904-220-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2444-257-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2284-267-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2148-277-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2284-275-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2528-295-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1948-315-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2796-335-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2120-355-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2188-380-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1928-400-0x00000000003A0000-0x00000000003CA000-memory.dmp upx behavioral1/memory/2992-399-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1672-425-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1672-432-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/988-498-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/904-512-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/764-513-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/764-519-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/700-539-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2328-546-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2328-553-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2316-560-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/884-579-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2268-599-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2872-612-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2588-637-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2592-644-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2936-699-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2020-713-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/844-759-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/452-786-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2116-850-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2884-863-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2696-963-0x0000000000320000-0x000000000034A000-memory.dmp upx behavioral1/memory/2020-994-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2008-1007-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1324-1075-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2148-1124-0x0000000000220000-0x000000000024A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hphrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hjrflb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vtfpvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djhxp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nxpvlt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btflb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language plvrdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dnxnpxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbjtfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language trfvrn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rffnvjl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language txftrj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nfhtvhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jnlhhx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jbrvnl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vnlrtll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhjntvb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlfpndp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ljbfjjt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jthxp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pfxbp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lbnvjbv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tpxfjf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bfdjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tfdxvtf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrthx.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hrhdvr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjfrjvr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrprh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nvhnbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fdbxxn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pbvfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pnnllft.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fpdxjh.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1104 wrote to memory of 2532 1104 2bca218ae202b0310a43e6f1f4d30d4509da3d5322cd813cd3a6e2c316e8811e.exe 31 PID 1104 wrote to memory of 2532 1104 2bca218ae202b0310a43e6f1f4d30d4509da3d5322cd813cd3a6e2c316e8811e.exe 31 PID 1104 wrote to memory of 2532 1104 2bca218ae202b0310a43e6f1f4d30d4509da3d5322cd813cd3a6e2c316e8811e.exe 31 PID 1104 wrote to memory of 2532 1104 2bca218ae202b0310a43e6f1f4d30d4509da3d5322cd813cd3a6e2c316e8811e.exe 31 PID 2532 wrote to memory of 1888 2532 lppvxd.exe 32 PID 2532 wrote to memory of 1888 2532 lppvxd.exe 32 PID 2532 wrote to memory of 1888 2532 lppvxd.exe 32 PID 2532 wrote to memory of 1888 2532 lppvxd.exe 32 PID 1888 wrote to memory of 2488 1888 pblvxd.exe 33 PID 1888 wrote to memory of 2488 1888 pblvxd.exe 33 PID 1888 wrote to memory of 2488 1888 pblvxd.exe 33 PID 1888 wrote to memory of 2488 1888 pblvxd.exe 33 PID 2488 wrote to memory of 2808 2488 dhnjxv.exe 34 PID 2488 wrote to memory of 2808 2488 dhnjxv.exe 34 PID 2488 wrote to memory of 2808 2488 dhnjxv.exe 34 PID 2488 wrote to memory of 2808 2488 dhnjxv.exe 34 PID 2808 wrote to memory of 2720 2808 rfjbtf.exe 35 PID 2808 wrote to memory of 2720 2808 rfjbtf.exe 35 PID 2808 wrote to memory of 2720 2808 rfjbtf.exe 35 PID 2808 wrote to memory of 2720 2808 rfjbtf.exe 35 PID 2720 wrote to memory of 2832 2720 vbrxj.exe 36 PID 2720 wrote to memory of 2832 2720 vbrxj.exe 36 PID 2720 wrote to memory of 2832 2720 vbrxj.exe 36 PID 2720 wrote to memory of 2832 2720 vbrxj.exe 36 PID 2832 wrote to memory of 2820 2832 phxdxhp.exe 37 PID 2832 wrote to memory of 2820 2832 phxdxhp.exe 37 PID 2832 wrote to memory of 2820 2832 phxdxhp.exe 37 PID 2832 wrote to memory of 2820 2832 phxdxhp.exe 37 PID 2820 wrote to memory of 2668 2820 prpnbj.exe 38 PID 2820 wrote to memory of 2668 2820 prpnbj.exe 38 PID 2820 wrote to memory of 2668 2820 prpnbj.exe 38 PID 2820 wrote to memory of 2668 2820 prpnbj.exe 38 PID 2668 wrote to memory of 2360 2668 trtprdb.exe 39 PID 2668 
wrote to memory of 2360 2668 trtprdb.exe 39 PID 2668 wrote to memory of 2360 2668 trtprdb.exe 39 PID 2668 wrote to memory of 2360 2668 trtprdb.exe 39 PID 2360 wrote to memory of 2572 2360 fvtxlvx.exe 40 PID 2360 wrote to memory of 2572 2360 fvtxlvx.exe 40 PID 2360 wrote to memory of 2572 2360 fvtxlvx.exe 40 PID 2360 wrote to memory of 2572 2360 fvtxlvx.exe 40 PID 2572 wrote to memory of 2900 2572 tpvnjd.exe 41 PID 2572 wrote to memory of 2900 2572 tpvnjd.exe 41 PID 2572 wrote to memory of 2900 2572 tpvnjd.exe 41 PID 2572 wrote to memory of 2900 2572 tpvnjd.exe 41 PID 2900 wrote to memory of 2836 2900 pvbvrv.exe 42 PID 2900 wrote to memory of 2836 2900 pvbvrv.exe 42 PID 2900 wrote to memory of 2836 2900 pvbvrv.exe 42 PID 2900 wrote to memory of 2836 2900 pvbvrv.exe 42 PID 2836 wrote to memory of 520 2836 rrrphj.exe 43 PID 2836 wrote to memory of 520 2836 rrrphj.exe 43 PID 2836 wrote to memory of 520 2836 rrrphj.exe 43 PID 2836 wrote to memory of 520 2836 rrrphj.exe 43 PID 520 wrote to memory of 2984 520 xtvln.exe 44 PID 520 wrote to memory of 2984 520 xtvln.exe 44 PID 520 wrote to memory of 2984 520 xtvln.exe 44 PID 520 wrote to memory of 2984 520 xtvln.exe 44 PID 2984 wrote to memory of 1640 2984 nnvdvx.exe 45 PID 2984 wrote to memory of 1640 2984 nnvdvx.exe 45 PID 2984 wrote to memory of 1640 2984 nnvdvx.exe 45 PID 2984 wrote to memory of 1640 2984 nnvdvx.exe 45 PID 1640 wrote to memory of 1760 1640 ltfvx.exe 46 PID 1640 wrote to memory of 1760 1640 ltfvx.exe 46 PID 1640 wrote to memory of 1760 1640 ltfvx.exe 46 PID 1640 wrote to memory of 1760 1640 ltfvx.exe 46
Processes
-
C:\Users\Admin\AppData\Local\Temp\2bca218ae202b0310a43e6f1f4d30d4509da3d5322cd813cd3a6e2c316e8811e.exe"C:\Users\Admin\AppData\Local\Temp\2bca218ae202b0310a43e6f1f4d30d4509da3d5322cd813cd3a6e2c316e8811e.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1104 -
\??\c:\lppvxd.exec:\lppvxd.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2532 -
\??\c:\pblvxd.exec:\pblvxd.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1888 -
\??\c:\dhnjxv.exec:\dhnjxv.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2488 -
\??\c:\rfjbtf.exec:\rfjbtf.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2808 -
\??\c:\vbrxj.exec:\vbrxj.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2720 -
\??\c:\phxdxhp.exec:\phxdxhp.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2832 -
\??\c:\prpnbj.exec:\prpnbj.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2820 -
\??\c:\trtprdb.exec:\trtprdb.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2668 -
\??\c:\fvtxlvx.exec:\fvtxlvx.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2360 -
\??\c:\tpvnjd.exec:\tpvnjd.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2572 -
\??\c:\pvbvrv.exec:\pvbvrv.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2900 -
\??\c:\rrrphj.exec:\rrrphj.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2836 -
\??\c:\xtvln.exec:\xtvln.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:520 -
\??\c:\nnvdvx.exec:\nnvdvx.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2984 -
\??\c:\ltfvx.exec:\ltfvx.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1640 -
\??\c:\jpbtppd.exec:\jpbtppd.exe17⤵
- Executes dropped EXE
PID:1760 -
\??\c:\nthdht.exec:\nthdht.exe18⤵
- Executes dropped EXE
PID:828 -
\??\c:\jppvvff.exec:\jppvvff.exe19⤵
- Executes dropped EXE
PID:1920 -
\??\c:\fxbfxb.exec:\fxbfxb.exe20⤵
- Executes dropped EXE
PID:2000 -
\??\c:\nplxvl.exec:\nplxvl.exe21⤵
- Executes dropped EXE
PID:2500 -
\??\c:\lflbxv.exec:\lflbxv.exe22⤵
- Executes dropped EXE
PID:3016 -
\??\c:\dbpjnf.exec:\dbpjnf.exe23⤵
- Executes dropped EXE
PID:1196 -
\??\c:\vhbfblb.exec:\vhbfblb.exe24⤵
- Executes dropped EXE
PID:1612 -
\??\c:\nnrdlh.exec:\nnrdlh.exe25⤵
- Executes dropped EXE
PID:904 -
\??\c:\hhbpv.exec:\hhbpv.exe26⤵
- Executes dropped EXE
PID:872 -
\??\c:\bxbhbjd.exec:\bxbhbjd.exe27⤵
- Executes dropped EXE
PID:1548 -
\??\c:\nxhhfx.exec:\nxhhfx.exe28⤵
- Executes dropped EXE
PID:2400 -
\??\c:\fpbpfl.exec:\fpbpfl.exe29⤵
- Executes dropped EXE
PID:2444 -
\??\c:\rbpnp.exec:\rbpnp.exe30⤵
- Executes dropped EXE
PID:2284 -
\??\c:\bpbftrr.exec:\bpbftrr.exe31⤵
- Executes dropped EXE
PID:2148 -
\??\c:\bhbvjhb.exec:\bhbvjhb.exe32⤵
- Executes dropped EXE
PID:884 -
\??\c:\hfnhx.exec:\hfnhx.exe33⤵
- Executes dropped EXE
PID:2528 -
\??\c:\rhlpf.exec:\rhlpf.exe34⤵
- Executes dropped EXE
PID:1888 -
\??\c:\fljdbf.exec:\fljdbf.exe35⤵
- Executes dropped EXE
PID:1948 -
\??\c:\lbbfrpb.exec:\lbbfrpb.exe36⤵
- Executes dropped EXE
PID:1696 -
\??\c:\vppvph.exec:\vppvph.exe37⤵
- Executes dropped EXE
PID:2872 -
\??\c:\jfxnvb.exec:\jfxnvb.exe38⤵
- Executes dropped EXE
PID:2812 -
\??\c:\jtlndxl.exec:\jtlndxl.exe39⤵
- Executes dropped EXE
PID:2796 -
\??\c:\hdtdbb.exec:\hdtdbb.exe40⤵
- Executes dropped EXE
PID:2436 -
\??\c:\bxltlfn.exec:\bxltlfn.exe41⤵
- Executes dropped EXE
PID:2120 -
\??\c:\djpdvfp.exec:\djpdvfp.exe42⤵
- Executes dropped EXE
PID:2616 -
\??\c:\vjjjj.exec:\vjjjj.exe43⤵
- Executes dropped EXE
PID:2608 -
\??\c:\hvnhpp.exec:\hvnhpp.exe44⤵
- Executes dropped EXE
PID:2820 -
\??\c:\jtxrbxb.exec:\jtxrbxb.exe45⤵
- Executes dropped EXE
PID:1928 -
\??\c:\npxrrfd.exec:\npxrrfd.exe46⤵
- Executes dropped EXE
PID:2188 -
\??\c:\hvfdbjt.exec:\hvfdbjt.exe47⤵
- Executes dropped EXE
PID:2840 -
\??\c:\bvjxr.exec:\bvjxr.exe48⤵
- Executes dropped EXE
PID:2992 -
\??\c:\hdhfdx.exec:\hdhfdx.exe49⤵
- Executes dropped EXE
PID:2784 -
\??\c:\dxvhpbb.exec:\dxvhpbb.exe50⤵
- Executes dropped EXE
PID:2960 -
\??\c:\dtlxl.exec:\dtlxl.exe51⤵
- Executes dropped EXE
PID:2924 -
\??\c:\pbptpl.exec:\pbptpl.exe52⤵
- Executes dropped EXE
PID:2948 -
\??\c:\vdpph.exec:\vdpph.exe53⤵
- Executes dropped EXE
PID:1672 -
\??\c:\trvfrxl.exec:\trvfrxl.exe54⤵
- Executes dropped EXE
PID:1676 -
\??\c:\fpnhxtx.exec:\fpnhxtx.exe55⤵
- Executes dropped EXE
PID:1908 -
\??\c:\prvvvbh.exec:\prvvvbh.exe56⤵
- Executes dropped EXE
PID:2692 -
\??\c:\bnthhr.exec:\bnthhr.exe57⤵
- Executes dropped EXE
PID:2556 -
\??\c:\bdhrp.exec:\bdhrp.exe58⤵
- Executes dropped EXE
PID:1920 -
\??\c:\hvbfpf.exec:\hvbfpf.exe59⤵
- Executes dropped EXE
PID:1056 -
\??\c:\brhfvx.exec:\brhfvx.exe60⤵
- Executes dropped EXE
PID:3004 -
\??\c:\tdltl.exec:\tdltl.exe61⤵
- Executes dropped EXE
PID:1308 -
\??\c:\xnflp.exec:\xnflp.exe62⤵
- Executes dropped EXE
PID:1796 -
\??\c:\xlbhf.exec:\xlbhf.exe63⤵
- Executes dropped EXE
PID:996 -
\??\c:\rdtrt.exec:\rdtrt.exe64⤵
- Executes dropped EXE
PID:988 -
\??\c:\fnvbpr.exec:\fnvbpr.exe65⤵
- Executes dropped EXE
PID:904 -
\??\c:\tvndjj.exec:\tvndjj.exe66⤵PID:764
-
\??\c:\jnxrxl.exec:\jnxrxl.exe67⤵PID:872
-
\??\c:\txxhb.exec:\txxhb.exe68⤵PID:1092
-
\??\c:\nfnfnx.exec:\nfnfnx.exe69⤵PID:700
-
\??\c:\hllrfr.exec:\hllrfr.exe70⤵PID:564
-
\??\c:\djlbdx.exec:\djlbdx.exe71⤵PID:2328
-
\??\c:\hfvndjd.exec:\hfvndjd.exe72⤵PID:1656
-
\??\c:\vfrdpd.exec:\vfrdpd.exe73⤵PID:2316
-
\??\c:\lrlffhh.exec:\lrlffhh.exe74⤵PID:2172
-
\??\c:\hhrfb.exec:\hhrfb.exe75⤵PID:884
-
\??\c:\xvjhbv.exec:\xvjhbv.exe76⤵PID:2884
-
\??\c:\xfprx.exec:\xfprx.exe77⤵PID:2780
-
\??\c:\bnblhxv.exec:\bnblhxv.exe78⤵PID:2368
-
\??\c:\jjbpf.exec:\jjbpf.exe79⤵PID:2268
-
\??\c:\vfhbjnf.exec:\vfhbjnf.exe80⤵PID:2872
-
\??\c:\xdnpjxb.exec:\xdnpjxb.exe81⤵PID:2736
-
\??\c:\vnllbn.exec:\vnllbn.exe82⤵PID:2808
-
\??\c:\dhdrrbt.exec:\dhdrrbt.exe83⤵PID:2720
-
\??\c:\vnxxl.exec:\vnxxl.exe84⤵PID:2728
-
\??\c:\ffnvfd.exec:\ffnvfd.exe85⤵PID:2588
-
\??\c:\dbffx.exec:\dbffx.exe86⤵PID:2592
-
\??\c:\tptvtbt.exec:\tptvtbt.exe87⤵PID:1536
-
\??\c:\hjfvfdv.exec:\hjfvfdv.exe88⤵PID:2256
-
\??\c:\lbvrv.exec:\lbvrv.exe89⤵PID:2188
-
\??\c:\fjxdv.exec:\fjxdv.exe90⤵PID:2652
-
\??\c:\vxfjhdr.exec:\vxfjhdr.exe91⤵PID:2888
-
\??\c:\vnpfjnh.exec:\vnpfjnh.exe92⤵PID:2784
-
\??\c:\nhpvn.exec:\nhpvn.exe93⤵PID:944
-
\??\c:\ljrftpd.exec:\ljrftpd.exe94⤵PID:2936
-
\??\c:\fbfjvr.exec:\fbfjvr.exe95⤵PID:2164
-
\??\c:\bnjlnlx.exec:\bnjlnlx.exe96⤵PID:1124
-
\??\c:\thdhljn.exec:\thdhljn.exe97⤵PID:2020
-
\??\c:\ppbthbb.exec:\ppbthbb.exe98⤵PID:2404
-
\??\c:\jdhhl.exec:\jdhhl.exe99⤵PID:2280
-
\??\c:\pdfxln.exec:\pdfxln.exe100⤵PID:2060
-
\??\c:\pnjhdd.exec:\pnjhdd.exe101⤵PID:1608
-
\??\c:\jdbbx.exec:\jdbbx.exe102⤵PID:2000
-
\??\c:\bnbdth.exec:\bnbdth.exe103⤵PID:1200
-
\??\c:\hbbnfxt.exec:\hbbnfxt.exe104⤵PID:844
-
\??\c:\jjfth.exec:\jjfth.exe105⤵PID:644
-
\??\c:\hppfjr.exec:\hppfjr.exe106⤵PID:996
-
\??\c:\tnvlp.exec:\tnvlp.exe107⤵PID:452
-
\??\c:\dhxpfnr.exec:\dhxpfnr.exe108⤵PID:1484
-
\??\c:\vtfpvp.exec:\vtfpvp.exe109⤵
- System Location Discovery: System Language Discovery
PID:1528 -
\??\c:\dlhvfnd.exec:\dlhvfnd.exe110⤵PID:1932
-
\??\c:\rvfhl.exec:\rvfhl.exe111⤵PID:2132
-
\??\c:\nnpvvv.exec:\nnpvvv.exe112⤵PID:836
-
\??\c:\thrjtvf.exec:\thrjtvf.exe113⤵PID:1700
-
\??\c:\dljhl.exec:\dljhl.exe114⤵PID:2344
-
\??\c:\fxlbrn.exec:\fxlbrn.exe115⤵PID:1464
-
\??\c:\djhxp.exec:\djhxp.exe116⤵
- System Location Discovery: System Language Discovery
PID:1656 -
\??\c:\lrnbp.exec:\lrnbp.exe117⤵PID:2116
-
\??\c:\hpnjvx.exec:\hpnjvx.exe118⤵PID:2172
-
\??\c:\xlvhhht.exec:\xlvhhht.exe119⤵PID:2688
-
\??\c:\hjljp.exec:\hjljp.exe120⤵PID:2884
-
\??\c:\prxnnf.exec:\prxnnf.exe121⤵PID:2824
-
\??\c:\xxxvpv.exec:\xxxvpv.exe122⤵PID:2368