Analysis
-
max time kernel
120s -
max time network
19s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system -
submitted
08/01/2025, 04:58
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
436605d7b0720c8161f9fc4a8714e329f3b9eff08e4f84f943a682f165190a41.exe
Resource
win7-20241010-en
7 signatures
120 seconds
General
-
Target
436605d7b0720c8161f9fc4a8714e329f3b9eff08e4f84f943a682f165190a41.exe
-
Size
455KB
-
MD5
4f58c898a8af55ec26dcd816bc81c8ad
-
SHA1
64b0ddb224d0635c85e80adf64c78042eab0897f
-
SHA256
436605d7b0720c8161f9fc4a8714e329f3b9eff08e4f84f943a682f165190a41
-
SHA512
896d0075c4cde61d2dea296d6a4a099b6f03c0c884519f57442d1477f75469c4c6b39714535ec07d57fc5870ac068809b07dac9e45c4cea65f1d6a3abac2ea47
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeTy:q7Tc2NYHUrAwfMp3CDW
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 44 IoCs (memory dumps are keyed as PID-offset-range; several PIDs, e.g. 2280, 1932 and 2420, are reused by later processes in the same run, so match on the address range as well as the PID) -
resource yara_rule behavioral1/memory/2280-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2028-10-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/844-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2512-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2916-39-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2280-45-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/2960-55-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2972-67-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2688-84-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1152-102-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3024-112-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3008-121-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1492-132-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2996-141-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1740-166-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2536-178-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2268-194-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2244-223-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2244-230-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1728-240-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2932-260-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/972-269-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2632-277-0x00000000005C0000-0x00000000005EA000-memory.dmp family_blackmoon behavioral1/memory/2772-322-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2968-336-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/2956-343-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3048-365-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2176-385-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2176-384-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3060-392-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2092-400-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2312-407-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1920-446-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2192-459-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1168-517-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1084-540-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1028-539-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2000-581-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1244-595-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2816-620-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/2936-640-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2684-646-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon 
behavioral1/memory/3024-677-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/1208-694-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs (display capped at 64; the process tree below shows the chain continuing well past 64 dropped executables) -
pid Process 2028 hxjvvdx.exe 844 jfrvtl.exe 2512 jndxtjp.exe 2916 hxfvbdb.exe 2960 xpbxvbr.exe 2972 vvrdb.exe 2712 xpppx.exe 2688 bnvxpdp.exe 2744 bvfbn.exe 1152 lpnxn.exe 3024 rrlvrr.exe 3008 rtjht.exe 1492 rttfjj.exe 2996 jdrdvld.exe 580 prnnblf.exe 1976 hvjrr.exe 1740 xxddl.exe 2452 njfxpbv.exe 2536 tvrdn.exe 2268 pxdprr.exe 1932 btldtdf.exe 2420 ndhllvt.exe 1144 dbbff.exe 2244 dtdbdf.exe 1728 rjdnnhh.exe 2616 lphjh.exe 2932 hhjrb.exe 972 tpxlxlv.exe 2632 pbxvt.exe 2572 hjrnrfp.exe 1676 bdntnp.exe 2280 btxjrtf.exe 1244 dlvrnr.exe 2172 xbljdj.exe 2772 fdvllt.exe 2408 nhnpljp.exe 2968 vxdxnvt.exe 2956 hhntfx.exe 2560 xblvtf.exe 2936 ptfthj.exe 3048 hvhfrht.exe 2748 vxtppb.exe 2736 dhxtfph.exe 2176 thxbrp.exe 3060 hfnxp.exe 2092 jrvnx.exe 2312 drndb.exe 1928 bvhtll.exe 1464 xhdxx.exe 3020 tljdb.exe 1628 xbprpb.exe 652 rrxhdt.exe 1920 hjvvnbp.exe 756 dtrdlpj.exe 2192 vvhrp.exe 2248 xjrjd.exe 2252 nhtbxfh.exe 2788 htdbn.exe 1468 ntrhpl.exe 1932 njnllv.exe 2420 lxxxhrr.exe 2272 jxvhfn.exe 1948 hpfrxvd.exe 1168 dbrtv.exe -
resource yara_rule behavioral1/memory/2280-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2028-10-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/844-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2512-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2916-39-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2972-56-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2960-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2972-67-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2688-76-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2688-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1152-94-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1152-102-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3024-112-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3008-121-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2996-133-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1492-132-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2996-141-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1740-166-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2452-168-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2536-178-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2268-186-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2268-194-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2244-223-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2244-230-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2616-243-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2932-260-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/972-269-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2408-323-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2772-322-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2956-343-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2936-351-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3048-365-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2176-384-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2092-400-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2312-407-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1628-427-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1920-446-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2192-459-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2252-467-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1168-517-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1768-518-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1084-540-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1028-539-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2000-581-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1244-595-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2008-621-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2768-654-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1208-694-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/980-703-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host (MITRE ATT&CK T1614.001). The observed action is a read of HKLM\SYSTEM\ControlSet001\Control\NLS\Language; this lookup is also common in benign software, so treat it as supporting context rather than a standalone indicator.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbvjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language httxj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjftd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hxrdfdl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dlbbbnj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thrxrhr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hpjjlt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jhnrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hjpljb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rdtbph.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language prdxfp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tblbtjb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjbjfjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rjnjx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fpjlbv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fldrbh.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hxjvvdx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjtbj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ldnbj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tddxdn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pnvlh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 436605d7b0720c8161f9fc4a8714e329f3b9eff08e4f84f943a682f165190a41.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jtfhl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fbntvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rthhjjb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fttfpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xjlxb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
jvptl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbxlr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fdxff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffrpxjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flrdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hjdjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrpxxv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bfvttdh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jbbrfhf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dflhtpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbjfh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hprpd.exe -
Suspicious use of WriteProcessMemory 64 IoCs (display capped at 64; every entry listed is a parent writing into the child it has just spawned, matching the process tree below — no writes into unrelated pre-existing processes appear in the shown entries) -
description pid Process procid_target PID 2280 wrote to memory of 2028 2280 436605d7b0720c8161f9fc4a8714e329f3b9eff08e4f84f943a682f165190a41.exe 29 PID 2280 wrote to memory of 2028 2280 436605d7b0720c8161f9fc4a8714e329f3b9eff08e4f84f943a682f165190a41.exe 29 PID 2280 wrote to memory of 2028 2280 436605d7b0720c8161f9fc4a8714e329f3b9eff08e4f84f943a682f165190a41.exe 29 PID 2280 wrote to memory of 2028 2280 436605d7b0720c8161f9fc4a8714e329f3b9eff08e4f84f943a682f165190a41.exe 29 PID 2028 wrote to memory of 844 2028 hxjvvdx.exe 30 PID 2028 wrote to memory of 844 2028 hxjvvdx.exe 30 PID 2028 wrote to memory of 844 2028 hxjvvdx.exe 30 PID 2028 wrote to memory of 844 2028 hxjvvdx.exe 30 PID 844 wrote to memory of 2512 844 jfrvtl.exe 31 PID 844 wrote to memory of 2512 844 jfrvtl.exe 31 PID 844 wrote to memory of 2512 844 jfrvtl.exe 31 PID 844 wrote to memory of 2512 844 jfrvtl.exe 31 PID 2512 wrote to memory of 2916 2512 jndxtjp.exe 32 PID 2512 wrote to memory of 2916 2512 jndxtjp.exe 32 PID 2512 wrote to memory of 2916 2512 jndxtjp.exe 32 PID 2512 wrote to memory of 2916 2512 jndxtjp.exe 32 PID 2916 wrote to memory of 2960 2916 hxfvbdb.exe 33 PID 2916 wrote to memory of 2960 2916 hxfvbdb.exe 33 PID 2916 wrote to memory of 2960 2916 hxfvbdb.exe 33 PID 2916 wrote to memory of 2960 2916 hxfvbdb.exe 33 PID 2960 wrote to memory of 2972 2960 xpbxvbr.exe 34 PID 2960 wrote to memory of 2972 2960 xpbxvbr.exe 34 PID 2960 wrote to memory of 2972 2960 xpbxvbr.exe 34 PID 2960 wrote to memory of 2972 2960 xpbxvbr.exe 34 PID 2972 wrote to memory of 2712 2972 vvrdb.exe 35 PID 2972 wrote to memory of 2712 2972 vvrdb.exe 35 PID 2972 wrote to memory of 2712 2972 vvrdb.exe 35 PID 2972 wrote to memory of 2712 2972 vvrdb.exe 35 PID 2712 wrote to memory of 2688 2712 xpppx.exe 36 PID 2712 wrote to memory of 2688 2712 xpppx.exe 36 PID 2712 wrote to memory of 2688 2712 xpppx.exe 36 PID 2712 wrote to memory of 2688 2712 xpppx.exe 36 PID 2688 wrote to memory of 2744 2688 bnvxpdp.exe 37 PID 2688 wrote 
to memory of 2744 2688 bnvxpdp.exe 37 PID 2688 wrote to memory of 2744 2688 bnvxpdp.exe 37 PID 2688 wrote to memory of 2744 2688 bnvxpdp.exe 37 PID 2744 wrote to memory of 1152 2744 bvfbn.exe 38 PID 2744 wrote to memory of 1152 2744 bvfbn.exe 38 PID 2744 wrote to memory of 1152 2744 bvfbn.exe 38 PID 2744 wrote to memory of 1152 2744 bvfbn.exe 38 PID 1152 wrote to memory of 3024 1152 lpnxn.exe 39 PID 1152 wrote to memory of 3024 1152 lpnxn.exe 39 PID 1152 wrote to memory of 3024 1152 lpnxn.exe 39 PID 1152 wrote to memory of 3024 1152 lpnxn.exe 39 PID 3024 wrote to memory of 3008 3024 rrlvrr.exe 40 PID 3024 wrote to memory of 3008 3024 rrlvrr.exe 40 PID 3024 wrote to memory of 3008 3024 rrlvrr.exe 40 PID 3024 wrote to memory of 3008 3024 rrlvrr.exe 40 PID 3008 wrote to memory of 1492 3008 rtjht.exe 41 PID 3008 wrote to memory of 1492 3008 rtjht.exe 41 PID 3008 wrote to memory of 1492 3008 rtjht.exe 41 PID 3008 wrote to memory of 1492 3008 rtjht.exe 41 PID 1492 wrote to memory of 2996 1492 rttfjj.exe 42 PID 1492 wrote to memory of 2996 1492 rttfjj.exe 42 PID 1492 wrote to memory of 2996 1492 rttfjj.exe 42 PID 1492 wrote to memory of 2996 1492 rttfjj.exe 42 PID 2996 wrote to memory of 580 2996 jdrdvld.exe 43 PID 2996 wrote to memory of 580 2996 jdrdvld.exe 43 PID 2996 wrote to memory of 580 2996 jdrdvld.exe 43 PID 2996 wrote to memory of 580 2996 jdrdvld.exe 43 PID 580 wrote to memory of 1976 580 prnnblf.exe 44 PID 580 wrote to memory of 1976 580 prnnblf.exe 44 PID 580 wrote to memory of 1976 580 prnnblf.exe 44 PID 580 wrote to memory of 1976 580 prnnblf.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\436605d7b0720c8161f9fc4a8714e329f3b9eff08e4f84f943a682f165190a41.exe"C:\Users\Admin\AppData\Local\Temp\436605d7b0720c8161f9fc4a8714e329f3b9eff08e4f84f943a682f165190a41.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2280 -
\??\c:\hxjvvdx.exec:\hxjvvdx.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2028 -
\??\c:\jfrvtl.exec:\jfrvtl.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:844 -
\??\c:\jndxtjp.exec:\jndxtjp.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2512 -
\??\c:\hxfvbdb.exec:\hxfvbdb.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2916 -
\??\c:\xpbxvbr.exec:\xpbxvbr.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2960 -
\??\c:\vvrdb.exec:\vvrdb.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2972 -
\??\c:\xpppx.exec:\xpppx.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2712 -
\??\c:\bnvxpdp.exec:\bnvxpdp.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2688 -
\??\c:\bvfbn.exec:\bvfbn.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2744 -
\??\c:\lpnxn.exec:\lpnxn.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1152 -
\??\c:\rrlvrr.exec:\rrlvrr.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3024 -
\??\c:\rtjht.exec:\rtjht.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3008 -
\??\c:\rttfjj.exec:\rttfjj.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1492 -
\??\c:\jdrdvld.exec:\jdrdvld.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2996 -
\??\c:\prnnblf.exec:\prnnblf.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:580 -
\??\c:\hvjrr.exec:\hvjrr.exe17⤵
- Executes dropped EXE
PID:1976 -
\??\c:\xxddl.exec:\xxddl.exe18⤵
- Executes dropped EXE
PID:1740 -
\??\c:\njfxpbv.exec:\njfxpbv.exe19⤵
- Executes dropped EXE
PID:2452 -
\??\c:\tvrdn.exec:\tvrdn.exe20⤵
- Executes dropped EXE
PID:2536 -
\??\c:\pxdprr.exec:\pxdprr.exe21⤵
- Executes dropped EXE
PID:2268 -
\??\c:\btldtdf.exec:\btldtdf.exe22⤵
- Executes dropped EXE
PID:1932 -
\??\c:\ndhllvt.exec:\ndhllvt.exe23⤵
- Executes dropped EXE
PID:2420 -
\??\c:\dbbff.exec:\dbbff.exe24⤵
- Executes dropped EXE
PID:1144 -
\??\c:\dtdbdf.exec:\dtdbdf.exe25⤵
- Executes dropped EXE
PID:2244 -
\??\c:\rjdnnhh.exec:\rjdnnhh.exe26⤵
- Executes dropped EXE
PID:1728 -
\??\c:\lphjh.exec:\lphjh.exe27⤵
- Executes dropped EXE
PID:2616 -
\??\c:\hhjrb.exec:\hhjrb.exe28⤵
- Executes dropped EXE
PID:2932 -
\??\c:\tpxlxlv.exec:\tpxlxlv.exe29⤵
- Executes dropped EXE
PID:972 -
\??\c:\pbxvt.exec:\pbxvt.exe30⤵
- Executes dropped EXE
PID:2632 -
\??\c:\hjrnrfp.exec:\hjrnrfp.exe31⤵
- Executes dropped EXE
PID:2572 -
\??\c:\bdntnp.exec:\bdntnp.exe32⤵
- Executes dropped EXE
PID:1676 -
\??\c:\btxjrtf.exec:\btxjrtf.exe33⤵
- Executes dropped EXE
PID:2280 -
\??\c:\dlvrnr.exec:\dlvrnr.exe34⤵
- Executes dropped EXE
PID:1244 -
\??\c:\xbljdj.exec:\xbljdj.exe35⤵
- Executes dropped EXE
PID:2172 -
\??\c:\fdvllt.exec:\fdvllt.exe36⤵
- Executes dropped EXE
PID:2772 -
\??\c:\nhnpljp.exec:\nhnpljp.exe37⤵
- Executes dropped EXE
PID:2408 -
\??\c:\vxdxnvt.exec:\vxdxnvt.exe38⤵
- Executes dropped EXE
PID:2968 -
\??\c:\hhntfx.exec:\hhntfx.exe39⤵
- Executes dropped EXE
PID:2956 -
\??\c:\xblvtf.exec:\xblvtf.exe40⤵
- Executes dropped EXE
PID:2560 -
\??\c:\ptfthj.exec:\ptfthj.exe41⤵
- Executes dropped EXE
PID:2936 -
\??\c:\hvhfrht.exec:\hvhfrht.exe42⤵
- Executes dropped EXE
PID:3048 -
\??\c:\vxtppb.exec:\vxtppb.exe43⤵
- Executes dropped EXE
PID:2748 -
\??\c:\dhxtfph.exec:\dhxtfph.exe44⤵
- Executes dropped EXE
PID:2736 -
\??\c:\thxbrp.exec:\thxbrp.exe45⤵
- Executes dropped EXE
PID:2176 -
\??\c:\hfnxp.exec:\hfnxp.exe46⤵
- Executes dropped EXE
PID:3060 -
\??\c:\jrvnx.exec:\jrvnx.exe47⤵
- Executes dropped EXE
PID:2092 -
\??\c:\drndb.exec:\drndb.exe48⤵
- Executes dropped EXE
PID:2312 -
\??\c:\bvhtll.exec:\bvhtll.exe49⤵
- Executes dropped EXE
PID:1928 -
\??\c:\xhdxx.exec:\xhdxx.exe50⤵
- Executes dropped EXE
PID:1464 -
\??\c:\tljdb.exec:\tljdb.exe51⤵
- Executes dropped EXE
PID:3020 -
\??\c:\xbprpb.exec:\xbprpb.exe52⤵
- Executes dropped EXE
PID:1628 -
\??\c:\rrxhdt.exec:\rrxhdt.exe53⤵
- Executes dropped EXE
PID:652 -
\??\c:\hjvvnbp.exec:\hjvvnbp.exe54⤵
- Executes dropped EXE
PID:1920 -
\??\c:\dtrdlpj.exec:\dtrdlpj.exe55⤵
- Executes dropped EXE
PID:756 -
\??\c:\vvhrp.exec:\vvhrp.exe56⤵
- Executes dropped EXE
PID:2192 -
\??\c:\xjrjd.exec:\xjrjd.exe57⤵
- Executes dropped EXE
PID:2248 -
\??\c:\nhtbxfh.exec:\nhtbxfh.exe58⤵
- Executes dropped EXE
PID:2252 -
\??\c:\htdbn.exec:\htdbn.exe59⤵
- Executes dropped EXE
PID:2788 -
\??\c:\ntrhpl.exec:\ntrhpl.exe60⤵
- Executes dropped EXE
PID:1468 -
\??\c:\njnllv.exec:\njnllv.exe61⤵
- Executes dropped EXE
PID:1932 -
\??\c:\lxxxhrr.exec:\lxxxhrr.exe62⤵
- Executes dropped EXE
PID:2420 -
\??\c:\jxvhfn.exec:\jxvhfn.exe63⤵
- Executes dropped EXE
PID:2272 -
\??\c:\hpfrxvd.exec:\hpfrxvd.exe64⤵
- Executes dropped EXE
PID:1948 -
\??\c:\dbrtv.exec:\dbrtv.exe65⤵
- Executes dropped EXE
PID:1168 -
\??\c:\hlnlh.exec:\hlnlh.exe66⤵PID:1768
-
\??\c:\fdlhd.exec:\fdlhd.exe67⤵PID:2616
-
\??\c:\frttlvd.exec:\frttlvd.exe68⤵PID:1028
-
\??\c:\hpjjlt.exec:\hpjjlt.exe69⤵
- System Location Discovery: System Language Discovery
PID:1084 -
\??\c:\prvnth.exec:\prvnth.exe70⤵PID:2576
-
\??\c:\nbfrhtd.exec:\nbfrhtd.exe71⤵PID:1108
-
\??\c:\rfxfr.exec:\rfxfr.exe72⤵PID:2608
-
\??\c:\flblrdb.exec:\flblrdb.exe73⤵PID:2352
-
\??\c:\drtnxlf.exec:\drtnxlf.exe74⤵PID:2000
-
\??\c:\lltdbr.exec:\lltdbr.exe75⤵PID:1260
-
\??\c:\tfpxb.exec:\tfpxb.exe76⤵PID:1244
-
\??\c:\vxlnxx.exec:\vxlnxx.exe77⤵PID:2832
-
\??\c:\tlldr.exec:\tlldr.exe78⤵PID:2440
-
\??\c:\rjjfn.exec:\rjjfn.exe79⤵PID:2912
-
\??\c:\plndxb.exec:\plndxb.exe80⤵PID:2816
-
\??\c:\vxjdjl.exec:\vxjdjl.exe81⤵PID:2008
-
\??\c:\ddtdb.exec:\ddtdb.exe82⤵PID:2716
-
\??\c:\hhjln.exec:\hhjln.exe83⤵PID:2936
-
\??\c:\rtxxr.exec:\rtxxr.exe84⤵PID:2684
-
\??\c:\nbrvnjn.exec:\nbrvnjn.exe85⤵PID:2688
-
\??\c:\vffrrbt.exec:\vffrrbt.exe86⤵PID:2768
-
\??\c:\nttjvn.exec:\nttjvn.exe87⤵PID:3016
-
\??\c:\fpxbj.exec:\fpxbj.exe88⤵PID:2760
-
\??\c:\xdfjb.exec:\xdfjb.exe89⤵PID:3024
-
\??\c:\rhrfn.exec:\rhrfn.exe90⤵PID:1120
-
\??\c:\xvvnff.exec:\xvvnff.exe91⤵PID:1476
-
\??\c:\tlrxj.exec:\tlrxj.exe92⤵PID:1208
-
\??\c:\dfbjhx.exec:\dfbjhx.exe93⤵PID:980
-
\??\c:\ldbjj.exec:\ldbjj.exe94⤵PID:1628
-
\??\c:\xffpf.exec:\xffpf.exe95⤵PID:1816
-
\??\c:\fprbhnn.exec:\fprbhnn.exe96⤵PID:1920
-
\??\c:\jbhhdpn.exec:\jbhhdpn.exe97⤵PID:756
-
\??\c:\prxrx.exec:\prxrx.exe98⤵PID:1224
-
\??\c:\nlpnj.exec:\nlpnj.exe99⤵PID:2260
-
\??\c:\xxvxvdt.exec:\xxvxvdt.exe100⤵PID:2252
-
\??\c:\bfvttdh.exec:\bfvttdh.exe101⤵
- System Location Discovery: System Language Discovery
PID:2492 -
\??\c:\ldvbnx.exec:\ldvbnx.exe102⤵PID:2600
-
\??\c:\hnlrrh.exec:\hnlrrh.exe103⤵PID:1060
-
\??\c:\lhvbjvx.exec:\lhvbjvx.exe104⤵PID:2272
-
\??\c:\nhhbndb.exec:\nhhbndb.exe105⤵PID:1664
-
\??\c:\xbbfr.exec:\xbbfr.exe106⤵PID:1168
-
\??\c:\lxlnp.exec:\lxlnp.exe107⤵PID:1460
-
\??\c:\xhjlbd.exec:\xhjlbd.exe108⤵PID:1696
-
\??\c:\lrttp.exec:\lrttp.exe109⤵PID:932
-
\??\c:\frvjt.exec:\frvjt.exe110⤵PID:2932
-
\??\c:\xptbbbf.exec:\xptbbbf.exe111⤵PID:972
-
\??\c:\tdpdv.exec:\tdpdv.exe112⤵PID:2576
-
\??\c:\rdldlx.exec:\rdldlx.exe113⤵PID:2460
-
\??\c:\dfxfr.exec:\dfxfr.exe114⤵PID:2368
-
\??\c:\hndnvjj.exec:\hndnvjj.exe115⤵PID:1568
-
\??\c:\ldpdxx.exec:\ldpdxx.exe116⤵PID:2000
-
\??\c:\fldffr.exec:\fldffr.exe117⤵PID:3064
-
\??\c:\dthfd.exec:\dthfd.exe118⤵PID:2188
-
\??\c:\bldxdfr.exec:\bldxdfr.exe119⤵PID:2800
-
\??\c:\vblhhld.exec:\vblhhld.exe120⤵PID:2440
-
\??\c:\ntjhld.exec:\ntjhld.exe121⤵PID:2892
-
\??\c:\dhdlxx.exec:\dhdlxx.exe122⤵PID:2844