Analysis
-
max time kernel
120s -
max time network
19s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64 arch:x86 image:win7-20241010-en locale:en-us os:windows7-x64 system -
submitted
08/01/2025, 07:15
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
5076638e9aa543e55ba71018aebe900aaffa71a6e3dd55ebac3454d9ef445704.exe
Resource
win7-20241010-en
7 signatures
120 seconds
General
-
Target
5076638e9aa543e55ba71018aebe900aaffa71a6e3dd55ebac3454d9ef445704.exe
-
Size
454KB
-
MD5
f586ee83258bf58dc0e8a2dddfd24ed8
-
SHA1
a11cdfa5c58e6c97220c228d9d3cb5ca5f612baf
-
SHA256
5076638e9aa543e55ba71018aebe900aaffa71a6e3dd55ebac3454d9ef445704
-
SHA512
860cfce80fd989ad8318d7c31e64bf32feec7ac1916941233441dc90452980308a438a7730abf7eb33938d7da45c89760ccb7cebc17380f64693d90ac055e86f
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeET:q7Tc2NYHUrAwfMp3CD6
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 40 IoCs
resource yara_rule behavioral1/memory/2056-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2820-16-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2856-27-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2332-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2912-49-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2912-51-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2720-64-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2848-74-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2572-84-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1300-93-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2824-102-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2660-111-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3068-120-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1340-138-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1036-147-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2376-157-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1140-160-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2188-183-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1536-202-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1028-231-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1752-255-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/816-300-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/652-340-0x00000000005C0000-0x00000000005EA000-memory.dmp family_blackmoon behavioral1/memory/2748-342-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2740-364-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2740-365-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/760-372-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2776-373-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2704-386-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/968-398-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2676-485-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2480-492-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/928-567-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2884-623-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2592-658-0x0000000000280000-0x00000000002AA000-memory.dmp family_blackmoon behavioral1/memory/2072-677-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1036-741-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/916-780-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/1804-808-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1984-866-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2820 rpbxx.exe 2856 hlfnxnj.exe 2332 bnlxxdt.exe 2980 bxlxtlj.exe 2912 bhnfnfp.exe 2720 lddvrv.exe 2848 fvvrfb.exe 2572 jjfrff.exe 1300 trpjxdv.exe 2824 bnhxptn.exe 2660 rlvvn.exe 3068 pnppnbb.exe 2584 tdlph.exe 1340 lnlhrff.exe 1036 fjjhvvj.exe 2376 jvxvt.exe 1140 nfxrb.exe 2124 pnpxdjl.exe 2188 pvrthf.exe 2088 ftrnpb.exe 1536 nthjx.exe 1564 pddljb.exe 1284 hflhpt.exe 1028 rnxvtx.exe 1304 jxtvtt.exe 1532 bbttrf.exe 1752 fbllltb.exe 1776 jhjfv.exe 1744 pvfvdv.exe 804 hptlpnn.exe 2456 dbthtnd.exe 816 jbvrlvf.exe 2264 ljpvtj.exe 2140 jlpnvf.exe 652 tvrlhpl.exe 2960 fdbvnt.exe 2880 bbdrxj.exe 2116 pdrll.exe 2748 nbjbxn.exe 2920 fndbb.exe 2740 bnfrhx.exe 760 hnvtjn.exe 2776 npxfvrv.exe 2704 frhxbld.exe 2388 pnnrnt.exe 968 hfnpt.exe 1352 nvjnxdr.exe 2536 dfnlbr.exe 2304 dlrnv.exe 2160 jtxxvrt.exe 2668 njvvt.exe 2360 xxvrvv.exe 2636 nrddbj.exe 1012 pddvrbd.exe 844 rvvvvtx.exe 1824 jjfhvtr.exe 1280 xndjb.exe 2124 xflxrb.exe 2676 bptfff.exe 2524 rljprl.exe 2480 rtjflv.exe 616 rlrjxt.exe 1560 htvbnr.exe 948 jfpbpxf.exe -
resource yara_rule behavioral1/memory/2056-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2820-16-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2856-27-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2332-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2912-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2848-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2720-64-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2848-74-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2572-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1300-93-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2824-102-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2660-111-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3068-120-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1340-138-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1036-147-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2376-157-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1140-160-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2188-183-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1536-193-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1536-202-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1028-231-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1752-255-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/816-300-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2140-307-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/652-314-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2880-328-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2748-342-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2920-349-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2740-357-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2740-364-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2776-373-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2704-386-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/968-398-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1012-443-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1824-457-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1280-464-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2676-478-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2676-485-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2480-492-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1560-506-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1252-545-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/928-567-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2512-604-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2884-623-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2760-631-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2592-651-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2668-715-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2344-750-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/1804-808-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1704-819-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jlllhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhjjh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rvxpdf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxrfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lhhdlb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppnnrdb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxrvptv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpxvlhd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dbjdbhv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nvnxfft.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vbtvbtl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language phhvnpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pnnrnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlrjxt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hvlxp.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bphpdb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tvpbf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djllx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tdjvnhp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxfphbf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dnfntvf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rbbdlj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djvrthr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vfppvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjvxvnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vrntbvf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jltxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bjndxn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pthnvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tvtlrff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dfhhfv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjxtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process 
not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dbbln.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nfxrb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxhnff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fdprx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xfvrn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jxvhnvb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttltlbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dljnhlb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nvjnxdr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvhhx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxvnhd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nvpbr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hxfvx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rljprl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rpdjntt.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2056 wrote to memory of 2820 2056 5076638e9aa543e55ba71018aebe900aaffa71a6e3dd55ebac3454d9ef445704.exe 29 PID 2056 wrote to memory of 2820 2056 5076638e9aa543e55ba71018aebe900aaffa71a6e3dd55ebac3454d9ef445704.exe 29 PID 2056 wrote to memory of 2820 2056 5076638e9aa543e55ba71018aebe900aaffa71a6e3dd55ebac3454d9ef445704.exe 29 PID 2056 wrote to memory of 2820 2056 5076638e9aa543e55ba71018aebe900aaffa71a6e3dd55ebac3454d9ef445704.exe 29 PID 2820 wrote to memory of 2856 2820 rpbxx.exe 30 PID 2820 wrote to memory of 2856 2820 rpbxx.exe 30 PID 2820 wrote to memory of 2856 2820 rpbxx.exe 30 PID 2820 wrote to memory of 2856 2820 rpbxx.exe 30 PID 2856 wrote to memory of 2332 2856 hlfnxnj.exe 31 PID 2856 wrote to memory of 2332 2856 hlfnxnj.exe 31 PID 2856 wrote to memory of 2332 2856 hlfnxnj.exe 31 PID 2856 wrote to memory of 2332 2856 hlfnxnj.exe 31 PID 2332 wrote to memory of 2980 2332 bnlxxdt.exe 32 PID 2332 wrote to memory of 2980 2332 bnlxxdt.exe 32 PID 2332 wrote to memory of 2980 2332 bnlxxdt.exe 32 PID 2332 wrote to memory of 2980 2332 bnlxxdt.exe 32 PID 2980 wrote to memory of 2912 2980 bxlxtlj.exe 33 PID 2980 wrote to memory of 2912 2980 bxlxtlj.exe 33 PID 2980 wrote to memory of 2912 2980 bxlxtlj.exe 33 PID 2980 wrote to memory of 2912 2980 bxlxtlj.exe 33 PID 2912 wrote to memory of 2720 2912 bhnfnfp.exe 34 PID 2912 wrote to memory of 2720 2912 bhnfnfp.exe 34 PID 2912 wrote to memory of 2720 2912 bhnfnfp.exe 34 PID 2912 wrote to memory of 2720 2912 bhnfnfp.exe 34 PID 2720 wrote to memory of 2848 2720 lddvrv.exe 35 PID 2720 wrote to memory of 2848 2720 lddvrv.exe 35 PID 2720 wrote to memory of 2848 2720 lddvrv.exe 35 PID 2720 wrote to memory of 2848 2720 lddvrv.exe 35 PID 2848 wrote to memory of 2572 2848 fvvrfb.exe 36 PID 2848 wrote to memory of 2572 2848 fvvrfb.exe 36 PID 2848 wrote to memory of 2572 2848 fvvrfb.exe 36 PID 2848 wrote to memory of 2572 2848 fvvrfb.exe 36 PID 2572 wrote to memory of 1300 2572 jjfrff.exe 37 
PID 2572 wrote to memory of 1300 2572 jjfrff.exe 37 PID 2572 wrote to memory of 1300 2572 jjfrff.exe 37 PID 2572 wrote to memory of 1300 2572 jjfrff.exe 37 PID 1300 wrote to memory of 2824 1300 trpjxdv.exe 38 PID 1300 wrote to memory of 2824 1300 trpjxdv.exe 38 PID 1300 wrote to memory of 2824 1300 trpjxdv.exe 38 PID 1300 wrote to memory of 2824 1300 trpjxdv.exe 38 PID 2824 wrote to memory of 2660 2824 bnhxptn.exe 39 PID 2824 wrote to memory of 2660 2824 bnhxptn.exe 39 PID 2824 wrote to memory of 2660 2824 bnhxptn.exe 39 PID 2824 wrote to memory of 2660 2824 bnhxptn.exe 39 PID 2660 wrote to memory of 3068 2660 rlvvn.exe 40 PID 2660 wrote to memory of 3068 2660 rlvvn.exe 40 PID 2660 wrote to memory of 3068 2660 rlvvn.exe 40 PID 2660 wrote to memory of 3068 2660 rlvvn.exe 40 PID 3068 wrote to memory of 2584 3068 pnppnbb.exe 41 PID 3068 wrote to memory of 2584 3068 pnppnbb.exe 41 PID 3068 wrote to memory of 2584 3068 pnppnbb.exe 41 PID 3068 wrote to memory of 2584 3068 pnppnbb.exe 41 PID 2584 wrote to memory of 1340 2584 tdlph.exe 42 PID 2584 wrote to memory of 1340 2584 tdlph.exe 42 PID 2584 wrote to memory of 1340 2584 tdlph.exe 42 PID 2584 wrote to memory of 1340 2584 tdlph.exe 42 PID 1340 wrote to memory of 1036 1340 lnlhrff.exe 43 PID 1340 wrote to memory of 1036 1340 lnlhrff.exe 43 PID 1340 wrote to memory of 1036 1340 lnlhrff.exe 43 PID 1340 wrote to memory of 1036 1340 lnlhrff.exe 43 PID 1036 wrote to memory of 2376 1036 fjjhvvj.exe 44 PID 1036 wrote to memory of 2376 1036 fjjhvvj.exe 44 PID 1036 wrote to memory of 2376 1036 fjjhvvj.exe 44 PID 1036 wrote to memory of 2376 1036 fjjhvvj.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\5076638e9aa543e55ba71018aebe900aaffa71a6e3dd55ebac3454d9ef445704.exe"C:\Users\Admin\AppData\Local\Temp\5076638e9aa543e55ba71018aebe900aaffa71a6e3dd55ebac3454d9ef445704.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2056 -
\??\c:\rpbxx.exec:\rpbxx.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2820 -
\??\c:\hlfnxnj.exec:\hlfnxnj.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2856 -
\??\c:\bnlxxdt.exec:\bnlxxdt.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2332 -
\??\c:\bxlxtlj.exec:\bxlxtlj.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2980 -
\??\c:\bhnfnfp.exec:\bhnfnfp.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2912 -
\??\c:\lddvrv.exec:\lddvrv.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2720 -
\??\c:\fvvrfb.exec:\fvvrfb.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2848 -
\??\c:\jjfrff.exec:\jjfrff.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2572 -
\??\c:\trpjxdv.exec:\trpjxdv.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1300 -
\??\c:\bnhxptn.exec:\bnhxptn.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2824 -
\??\c:\rlvvn.exec:\rlvvn.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2660 -
\??\c:\pnppnbb.exec:\pnppnbb.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3068 -
\??\c:\tdlph.exec:\tdlph.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2584 -
\??\c:\lnlhrff.exec:\lnlhrff.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1340 -
\??\c:\fjjhvvj.exec:\fjjhvvj.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1036 -
\??\c:\jvxvt.exec:\jvxvt.exe17⤵
- Executes dropped EXE
PID:2376 -
\??\c:\nfxrb.exec:\nfxrb.exe18⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1140 -
\??\c:\pnpxdjl.exec:\pnpxdjl.exe19⤵
- Executes dropped EXE
PID:2124 -
\??\c:\pvrthf.exec:\pvrthf.exe20⤵
- Executes dropped EXE
PID:2188 -
\??\c:\ftrnpb.exec:\ftrnpb.exe21⤵
- Executes dropped EXE
PID:2088 -
\??\c:\nthjx.exec:\nthjx.exe22⤵
- Executes dropped EXE
PID:1536 -
\??\c:\pddljb.exec:\pddljb.exe23⤵
- Executes dropped EXE
PID:1564 -
\??\c:\hflhpt.exec:\hflhpt.exe24⤵
- Executes dropped EXE
PID:1284 -
\??\c:\rnxvtx.exec:\rnxvtx.exe25⤵
- Executes dropped EXE
PID:1028 -
\??\c:\jxtvtt.exec:\jxtvtt.exe26⤵
- Executes dropped EXE
PID:1304 -
\??\c:\bbttrf.exec:\bbttrf.exe27⤵
- Executes dropped EXE
PID:1532 -
\??\c:\fbllltb.exec:\fbllltb.exe28⤵
- Executes dropped EXE
PID:1752 -
\??\c:\jhjfv.exec:\jhjfv.exe29⤵
- Executes dropped EXE
PID:1776 -
\??\c:\pvfvdv.exec:\pvfvdv.exe30⤵
- Executes dropped EXE
PID:1744 -
\??\c:\hptlpnn.exec:\hptlpnn.exe31⤵
- Executes dropped EXE
PID:804 -
\??\c:\dbthtnd.exec:\dbthtnd.exe32⤵
- Executes dropped EXE
PID:2456 -
\??\c:\jbvrlvf.exec:\jbvrlvf.exe33⤵
- Executes dropped EXE
PID:816 -
\??\c:\ljpvtj.exec:\ljpvtj.exe34⤵
- Executes dropped EXE
PID:2264 -
\??\c:\jlpnvf.exec:\jlpnvf.exe35⤵
- Executes dropped EXE
PID:2140 -
\??\c:\tvrlhpl.exec:\tvrlhpl.exe36⤵
- Executes dropped EXE
PID:652 -
\??\c:\fdbvnt.exec:\fdbvnt.exe37⤵
- Executes dropped EXE
PID:2960 -
\??\c:\bbdrxj.exec:\bbdrxj.exe38⤵
- Executes dropped EXE
PID:2880 -
\??\c:\pdrll.exec:\pdrll.exe39⤵
- Executes dropped EXE
PID:2116 -
\??\c:\nbjbxn.exec:\nbjbxn.exe40⤵
- Executes dropped EXE
PID:2748 -
\??\c:\fndbb.exec:\fndbb.exe41⤵
- Executes dropped EXE
PID:2920 -
\??\c:\bnfrhx.exec:\bnfrhx.exe42⤵
- Executes dropped EXE
PID:2740 -
\??\c:\hnvtjn.exec:\hnvtjn.exe43⤵
- Executes dropped EXE
PID:760 -
\??\c:\npxfvrv.exec:\npxfvrv.exe44⤵
- Executes dropped EXE
PID:2776 -
\??\c:\frhxbld.exec:\frhxbld.exe45⤵
- Executes dropped EXE
PID:2704 -
\??\c:\pnnrnt.exec:\pnnrnt.exe46⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2388 -
\??\c:\hfnpt.exec:\hfnpt.exe47⤵
- Executes dropped EXE
PID:968 -
\??\c:\nvjnxdr.exec:\nvjnxdr.exe48⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1352 -
\??\c:\dfnlbr.exec:\dfnlbr.exe49⤵
- Executes dropped EXE
PID:2536 -
\??\c:\dlrnv.exec:\dlrnv.exe50⤵
- Executes dropped EXE
PID:2304 -
\??\c:\jtxxvrt.exec:\jtxxvrt.exe51⤵
- Executes dropped EXE
PID:2160 -
\??\c:\njvvt.exec:\njvvt.exe52⤵
- Executes dropped EXE
PID:2668 -
\??\c:\xxvrvv.exec:\xxvrvv.exe53⤵
- Executes dropped EXE
PID:2360 -
\??\c:\nrddbj.exec:\nrddbj.exe54⤵
- Executes dropped EXE
PID:2636 -
\??\c:\pddvrbd.exec:\pddvrbd.exe55⤵
- Executes dropped EXE
PID:1012 -
\??\c:\rvvvvtx.exec:\rvvvvtx.exe56⤵
- Executes dropped EXE
PID:844 -
\??\c:\jjfhvtr.exec:\jjfhvtr.exe57⤵
- Executes dropped EXE
PID:1824 -
\??\c:\xndjb.exec:\xndjb.exe58⤵
- Executes dropped EXE
PID:1280 -
\??\c:\xflxrb.exec:\xflxrb.exe59⤵
- Executes dropped EXE
PID:2124 -
\??\c:\bptfff.exec:\bptfff.exe60⤵
- Executes dropped EXE
PID:2676 -
\??\c:\rljprl.exec:\rljprl.exe61⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2524 -
\??\c:\rtjflv.exec:\rtjflv.exe62⤵
- Executes dropped EXE
PID:2480 -
\??\c:\rlrjxt.exec:\rlrjxt.exe63⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:616 -
\??\c:\htvbnr.exec:\htvbnr.exe64⤵
- Executes dropped EXE
PID:1560 -
\??\c:\jfpbpxf.exec:\jfpbpxf.exe65⤵
- Executes dropped EXE
PID:948 -
\??\c:\vdfbtbr.exec:\vdfbtbr.exe66⤵PID:2296
-
\??\c:\nhdtd.exec:\nhdtd.exe67⤵PID:1688
-
\??\c:\njjpt.exec:\njjpt.exe68⤵PID:1556
-
\??\c:\rxtvf.exec:\rxtvf.exe69⤵PID:1532
-
\??\c:\jxlnhv.exec:\jxlnhv.exe70⤵PID:1252
-
\??\c:\tlpnlpn.exec:\tlpnlpn.exe71⤵PID:1964
-
\??\c:\vxfxb.exec:\vxfxb.exe72⤵PID:928
-
\??\c:\fvljv.exec:\fvljv.exe73⤵PID:1984
-
\??\c:\tvvvh.exec:\tvvvh.exe74⤵PID:2796
-
\??\c:\bjxjjfx.exec:\bjxjjfx.exe75⤵PID:1516
-
\??\c:\nrtpx.exec:\nrtpx.exe76⤵PID:2288
-
\??\c:\xnjvhxh.exec:\xnjvhxh.exe77⤵PID:2056
-
\??\c:\rjxxr.exec:\rjxxr.exe78⤵PID:1612
-
\??\c:\vvvxr.exec:\vvvxr.exe79⤵PID:2512
-
\??\c:\nbflp.exec:\nbflp.exe80⤵PID:2972
-
\??\c:\rjjhtn.exec:\rjjhtn.exe81⤵PID:2884
-
\??\c:\bvfrx.exec:\bvfrx.exe82⤵PID:2948
-
\??\c:\pvntpfx.exec:\pvntpfx.exe83⤵PID:2760
-
\??\c:\ljrdl.exec:\ljrdl.exe84⤵PID:2936
-
\??\c:\dndjlvb.exec:\dndjlvb.exe85⤵PID:2728
-
\??\c:\fjttp.exec:\fjttp.exe86⤵PID:2592
-
\??\c:\ldbvdbt.exec:\ldbvdbt.exe87⤵PID:2788
-
\??\c:\rvnxrn.exec:\rvnxrn.exe88⤵PID:1988
-
\??\c:\thvprj.exec:\thvprj.exe89⤵PID:2072
-
\??\c:\dddtfdp.exec:\dddtfdp.exe90⤵PID:2228
-
\??\c:\vvhhx.exec:\vvhhx.exe91⤵
- System Location Discovery: System Language Discovery
PID:1620 -
\??\c:\nxnbxht.exec:\nxnbxht.exe92⤵PID:2824
-
\??\c:\ndhbh.exec:\ndhbh.exe93⤵PID:1264
-
\??\c:\nxvdl.exec:\nxvdl.exe94⤵PID:2132
-
\??\c:\fbrbvx.exec:\fbrbvx.exe95⤵PID:2604
-
\??\c:\bvrjhn.exec:\bvrjhn.exe96⤵PID:2668
-
\??\c:\rpxxv.exec:\rpxxv.exe97⤵PID:2336
-
\??\c:\rxhjxt.exec:\rxhjxt.exe98⤵PID:2344
-
\??\c:\txrnpfr.exec:\txrnpfr.exe99⤵PID:1036
-
\??\c:\jjjhvnf.exec:\jjjhvnf.exe100⤵PID:1920
-
\??\c:\tlrplfr.exec:\tlrplfr.exe101⤵PID:2144
-
\??\c:\jhftj.exec:\jhftj.exe102⤵PID:2204
-
\??\c:\dlhtl.exec:\dlhtl.exe103⤵PID:2104
-
\??\c:\ddnrjrx.exec:\ddnrjrx.exe104⤵PID:2176
-
\??\c:\bdhxrd.exec:\bdhxrd.exe105⤵PID:916
-
\??\c:\lfxtp.exec:\lfxtp.exe106⤵PID:2292
-
\??\c:\thpvl.exec:\thpvl.exe107⤵PID:1004
-
\??\c:\hdrdvbj.exec:\hdrdvbj.exe108⤵PID:2476
-
\??\c:\lfxxxx.exec:\lfxxxx.exe109⤵PID:1804
-
\??\c:\xxhnff.exec:\xxhnff.exe110⤵
- System Location Discovery: System Language Discovery
PID:2932 -
\??\c:\fdprx.exec:\fdprx.exe111⤵
- System Location Discovery: System Language Discovery
PID:896 -
\??\c:\ljdvl.exec:\ljdvl.exe112⤵PID:1704
-
\??\c:\bfbpn.exec:\bfbpn.exe113⤵PID:820
-
\??\c:\jjnpbp.exec:\jjnpbp.exe114⤵PID:304
-
\??\c:\ndnbh.exec:\ndnbh.exe115⤵PID:956
-
\??\c:\pdfht.exec:\pdfht.exe116⤵PID:944
-
\??\c:\jpbrfl.exec:\jpbrfl.exe117⤵PID:2712
-
\??\c:\tllrjbj.exec:\tllrjbj.exe118⤵PID:1984
-
\??\c:\jbfhrxf.exec:\jbfhrxf.exe119⤵PID:2796
-
\??\c:\lnfhdfv.exec:\lnfhdfv.exe120⤵PID:2916
-
\??\c:\dfdjdt.exec:\dfdjdt.exe121⤵PID:2288
-
\??\c:\jlphff.exec:\jlphff.exe122⤵PID:2140
-