Analysis

max time kernel: 150s
max time network: 128s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 08/01/2025, 07:16

Static task: static1 (1 signature)
Behavioral task: behavioral1
Sample: bc0441b80dcafa7918bd54404a8ec369371383e7360798f820df8c8aa61acf88.exe
Resource: win7-20241010-en
7 signatures, 150 seconds
General

Target: bc0441b80dcafa7918bd54404a8ec369371383e7360798f820df8c8aa61acf88.exe
Size: 454KB
MD5: ebe2600d634bfceb3ec7732c4edf9284
SHA1: e129af3e22fa0b3dcef775e74704026ee1c4d2e2
SHA256: bc0441b80dcafa7918bd54404a8ec369371383e7360798f820df8c8aa61acf88
SHA512: dc4bd3ee9c9629e67399859cfa4f938f03e38fe60ac19391ad5b559f48dedef0dd67bb90a89d5ae6efbcf38e0a6cebcce273c2d15161178183f03ab50f39318e
SSDEEP: 6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbez:q7Tc2NYHUrAwfMp3CDz
Malware Config
Signatures
Blackmoon family

Detect Blackmoon payload (44 IoCs)
resource  yara_rule
behavioral1/memory/2532-11-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/1116-7-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/2964-29-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/2728-39-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/2928-51-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/2936-49-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/2644-67-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/2668-70-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/2672-88-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/2148-96-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/2680-105-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/1740-118-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/1948-142-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/1464-150-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/1896-160-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/2404-169-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/1076-197-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/276-209-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/2224-206-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/1148-224-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/1724-237-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/1736-235-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/2308-246-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/1660-263-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/2064-316-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/2900-343-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/2684-375-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/2296-394-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/1624-445-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/1268-495-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/1824-508-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/1148-535-0x0000000000220000-0x000000000024A000-memory.dmp  family_blackmoon
behavioral1/memory/2040-542-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/1668-575-0x00000000003A0000-0x00000000003CA000-memory.dmp  family_blackmoon
behavioral1/memory/2904-615-0x0000000000220000-0x000000000024A000-memory.dmp  family_blackmoon
behavioral1/memory/2812-619-0x0000000000350000-0x000000000037A000-memory.dmp  family_blackmoon
behavioral1/memory/2288-751-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/1360-865-0x0000000000250000-0x000000000027A000-memory.dmp  family_blackmoon
behavioral1/memory/2064-877-0x0000000000220000-0x000000000024A000-memory.dmp  family_blackmoon
behavioral1/memory/1904-923-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/2976-956-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/2720-981-0x0000000000220000-0x000000000024A000-memory.dmp  family_blackmoon
behavioral1/memory/1484-1031-0x0000000000320000-0x000000000034A000-memory.dmp  family_blackmoon
behavioral1/memory/1016-1070-0x0000000000220000-0x000000000024A000-memory.dmp  family_blackmoon
Executes dropped EXE (64 IoCs)
pid  Process
2532  lfppl.exe
2964  nhrfdfd.exe
2728  bxbhtv.exe
2936  jrnrjlj.exe
2928  ppnpjd.exe
2644  jfxpp.exe
2668  nhlvr.exe
2672  bndtj.exe
2148  rrtnj.exe
2680  vhdntt.exe
1936  vvtbrj.exe
1740  hlttr.exe
2968  lffjr.exe
1948  hdpnlrf.exe
1464  rdllt.exe
1896  hdltfbn.exe
2404  dlvbtnb.exe
2168  lvxlnjx.exe
2544  lpxhvhp.exe
1076  lrbtj.exe
2224  tbfxn.exe
276  bdhpt.exe
1148  prxfxv.exe
1736  jlpppfl.exe
1724  plbrfd.exe
2308  fhrbt.exe
2580  lxtnx.exe
1660  njvbxtp.exe
1528  plfnxb.exe
2372  jbnnjr.exe
1976  nttxlvh.exe
536  vrdhrb.exe
2556  rvpxn.exe
2064  npbhfpr.exe
1708  jbbhhb.exe
2432  lhvldnf.exe
2872  nrlvn.exe
2900  bnjhnt.exe
2744  dxldh.exe
1552  tnnldv.exe
2780  tlhvlh.exe
2620  xrfllv.exe
2684  nlhxxl.exe
2740  ffbjbh.exe
1104  hphtft.exe
2296  njvrf.exe
2844  nfjpp.exe
2708  vtrbl.exe
2952  xfxlb.exe
1980  hnhddbj.exe
2860  dxljr.exe
2980  nfpxdv.exe
1288  xjbhbpr.exe
1624  xlbpn.exe
1892  fhpth.exe
2988  txpbll.exe
2404  rvxnhrj.exe
2056  dvhddxr.exe
2096  dfphr.exe
1352  blhbbjd.exe
3060  rtpxbp.exe
1268  lvbvv.exe
620  rhjrnr.exe
1824  lpjbr.exe
UPX-packed regions (49 IoCs)
resource  yara_rule
behavioral1/memory/2532-11-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/1116-7-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2964-19-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2964-29-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2728-30-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2728-39-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2928-51-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2936-49-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2644-67-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2668-70-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2672-79-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2672-88-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2148-96-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2680-105-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/1740-118-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/1948-142-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/1464-150-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/1896-160-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2404-169-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/1076-197-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/276-209-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2224-206-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/1148-224-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/1724-237-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/1736-235-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2308-246-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/1660-263-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2556-303-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2064-316-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2900-343-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2684-375-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2296-394-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2952-408-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/1624-445-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/1352-476-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/1268-495-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/1824-508-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2040-542-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2092-550-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/1600-586-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2904-615-0x0000000000220000-0x000000000024A000-memory.dmp  upx
behavioral1/memory/1900-719-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2288-751-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2044-806-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/1904-923-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2732-930-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2976-956-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/1348-1032-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/1148-1072-0x0000000000400000-0x000000000042A000-memory.dmp  upx
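The two YARA tables above encode the hit location in the dump name (behavioral1/memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp), and two things are only visible once that is parsed: every matched region, in both tables, is exactly 0x2A000 bytes, and the family rule also fires on regions that are not at the 0x400000 image base (0x220000, 0x3A0000, 0x350000, 0x250000, 0x320000), i.e. on a copy of the payload living outside the mapped image. The script below is an added example, not part of the sandbox report; it parses a constructed subset of the rows above in the report's own format and reports region size, rule overlap per region, and the off-image hits. The 0x400000 default image base is an assumption about a non-relocated 32-bit PE, not something the report states.

```python
"""Parse Triage-style in-memory YARA hits and summarise them per process.

Added example, not part of the sandbox report. SAMPLE is a constructed
subset of the report's rows, in the report's own layout:
    behavioral1/memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp <rule>
"""
import re
from collections import defaultdict

IOC_RE = re.compile(
    r"^(?P<resource>behavioral\d+)/memory/(?P<pid>\d+)-(?P<seq>\d+)-"
    r"0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp\s+(?P<rule>\S+)$"
)

# Assumed default image base of a non-relocated 32-bit PE. A hit elsewhere
# means the payload was also written into a separately allocated buffer.
DEFAULT_IMAGE_BASE = 0x400000

SAMPLE = """\
behavioral1/memory/2532-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon
behavioral1/memory/1116-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon
behavioral1/memory/1148-535-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon
behavioral1/memory/2532-11-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral1/memory/1116-7-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral1/memory/2904-615-0x0000000000220000-0x000000000024A000-memory.dmp upx
"""


def parse_hits(text):
    """One dict per row; raises on a line that does not follow the layout."""
    hits = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = IOC_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised IoC line: {line!r}")
        start, end = int(m["start"], 16), int(m["end"], 16)
        hits.append({
            "pid": int(m["pid"]), "seq": int(m["seq"]),
            "start": start, "end": end, "size": end - start,
            "rule": m["rule"], "in_image": start == DEFAULT_IMAGE_BASE,
        })
    return hits


def summarise(hits):
    """Group by (pid, start) so rules that fired on the same dump line up."""
    regions = defaultdict(lambda: {"rules": set(), "size": None, "in_image": None})
    for h in hits:
        r = regions[(h["pid"], h["start"])]
        r["rules"].add(h["rule"])
        r["size"] = h["size"]
        r["in_image"] = h["in_image"]
    return dict(regions)


def region_sizes(hits):
    """Distinct region lengths; a single value means one unpacked image everywhere."""
    return {h["size"] for h in hits}


def payload_outside_image(hits):
    """PIDs where the family rule matched a region not at the image base."""
    return sorted({h["pid"] for h in hits
                   if h["rule"] == "family_blackmoon" and not h["in_image"]})


if __name__ == "__main__":
    hits = parse_hits(SAMPLE)
    print("distinct region sizes:", [hex(s) for s in region_sizes(hits)])
    for (pid, start), r in sorted(summarise(hits).items()):
        print(f"pid {pid:>5} @ {start:#010x} size {r['size']:#x} rules={sorted(r['rules'])}")
    print("family hits outside image base:", payload_outside_image(hits))
```

Run against the full 93 rows the same parser gives one size, 0x2A000, and nine off-image family hits; the `summarise` view is the one to use when deciding which dump to pull for static analysis, since a region that matched both `upx` and `family_blackmoon` is the unpacked image rather than the packed stub.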
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description: Key opened
ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (identical for all 64 rows)
Process:
vrjrt.exe
Process not Found
Process not Found
dxjlpj.exe
jnndhj.exe
Process not Found
Process not Found
Process not Found
rrtnj.exe
hvrxfb.exe
tvfthb.exe
Process not Found
tdthvx.exe
xjfvbxl.exe
Process not Found
Process not Found
xnvjtl.exe
nvhnh.exe
Process not Found
Process not Found
Process not Found
Process not Found
Process not Found
Process not Found
Process not Found
plbrfd.exe
Process not Found
Process not Found
xnxbxl.exe
fpbrl.exe
btbbr.exe
rlhjbn.exe
Process not Found
Process not Found
Process not Found
Process not Found
Process not Found
Process not Found
jrdnddn.exe
rpjvtlj.exe
Process not Found
jlxrbx.exe
hdjdllv.exe
ddjvnn.exe
Process not Found
bxvpl.exe
bnjdt.exe
Process not Found
trpdnh.exe
pbdltbx.exe
njndv.exe
lpfnb.exe
Process not Found
hxpln.exe
bnhhdjf.exe
xlfnnh.exe
jrnrjlj.exe
nrlvn.exe
rhdjnvp.exe
jlppl.exe
vvrfdft.exe
tthjrfl.exe
pndtlx.exe
jtfltd.exe
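Two details of the table above matter when turning it into a detection: the key is recorded under its native path (\REGISTRY\MACHINE\SYSTEM\ControlSet001\...), which is what HKLM\SYSTEM\CurrentControlSet\... resolves to, so a rule keyed on one spelling misses the other; and more than half the rows are "Process not Found", meaning the sandbox saw the open but could no longer attribute it to an image, and a detection that drops unattributed events throws away most of the signal. The script below is an added example, not part of the report or of any vendor tooling; it canonicalises the key path and flags every open of the NLS\Language key, mapping it to ATT&CK T1614.001. The log lines are constructed in a simple key=value layout (the first one carries the key exactly as the report shows it; the CurrentControlSet spelling and the empty-image row are constructed variants).

```python
"""Flag registry opens that profile the system language (ATT&CK T1614.001).

Added example, not part of the sandbox report. SAMPLE_LOG is constructed:
a "key=value" layout with the NLS\Language key as the report records it,
plus variants that exercise path canonicalisation and an unattributed row.
"""
import re

# \REGISTRY\MACHINE is the native form of HKLM, and every ControlSet00N is
# reachable through the CurrentControlSet link, so rewrite both before
# matching; a sample that spells the path differently still fires.
_REWRITES = (
    (re.compile(r"^\\REGISTRY\\MACHINE\\", re.I), r"HKLM\\"),
    (re.compile(r"^HKEY_LOCAL_MACHINE\\", re.I), r"HKLM\\"),
    (re.compile(r"^HKLM\\SYSTEM\\ControlSet\d{3}\\", re.I), r"HKLM\\SYSTEM\\CurrentControlSet\\"),
)

LANGUAGE_KEY = r"HKLM\SYSTEM\CurrentControlSet\Control\NLS\Language"
TECHNIQUE = "T1614.001"  # System Location Discovery: System Language Discovery

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Constructed events. pid 1460 with an empty image stands in for the report's
# "Process not Found" rows, where the sandbox could not attribute the access.
SAMPLE_LOG = [
    r'pid=1172 image="c:\dxjlpj.exe" op=KeyOpened key="\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"',
    r'pid=2148 image="c:\rrtnj.exe" op=KeyOpened key="HKLM\SYSTEM\CurrentControlSet\Control\Nls\Language"',
    r'pid=2872 image="c:\nrlvn.exe" op=KeyOpened key="\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\CodePage"',
    r'pid=1460 image="" op=KeyOpened key="\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"',
    r'pid=884 image="C:\Windows\explorer.exe" op=KeyOpened key="HKCU\Software\Microsoft\Windows\CurrentVersion\Run"',
]


def normalise_key(key):
    """Canonical HKLM\SYSTEM\CurrentControlSet\... form of a registry path."""
    for pattern, replacement in _REWRITES:
        key = pattern.sub(replacement, key)
    return key


def parse_event(line):
    """key=value fields, quoted or bare, into a dict."""
    return {k: quoted if quoted else bare for k, quoted, bare in FIELD_RE.findall(line)}


def detect_language_discovery(lines):
    """One finding per open of the language key; unattributed opens are kept."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("op") != "KeyOpened":
            continue
        key = normalise_key(ev.get("key", ""))
        if key.lower() != LANGUAGE_KEY.lower():
            continue
        findings.append({
            "pid": int(ev["pid"]),
            "image": ev.get("image") or None,
            "key": key,
            "technique": TECHNIQUE,
            "attributed": bool(ev.get("image")),
        })
    return findings


if __name__ == "__main__":
    for f in detect_language_discovery(SAMPLE_LOG):
        print(f)
```

One open of this key by a single process is weak evidence on its own (installers and localised software read it too); what makes the report's rows worth alerting on is the count, sixty-four distinct short-lived images at the drive root each opening it once, so the findings list should feed a per-host aggregation rather than a per-event alert.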
Suspicious use of WriteProcessMemory (64 IoCs)
description  pid  Process  procid_target  (each event is recorded four times in the report)
PID 1116 wrote to memory of 2532  1116 bc0441b80dcafa7918bd54404a8ec369371383e7360798f820df8c8aa61acf88.exe  31  (x4)
PID 2532 wrote to memory of 2964  2532 lfppl.exe  32  (x4)
PID 2964 wrote to memory of 2728  2964 nhrfdfd.exe  33  (x4)
PID 2728 wrote to memory of 2936  2728 bxbhtv.exe  34  (x4)
PID 2936 wrote to memory of 2928  2936 jrnrjlj.exe  35  (x4)
PID 2928 wrote to memory of 2644  2928 ppnpjd.exe  36  (x4)
PID 2644 wrote to memory of 2668  2644 jfxpp.exe  37  (x4)
PID 2668 wrote to memory of 2672  2668 nhlvr.exe  38  (x4)
PID 2672 wrote to memory of 2148  2672 bndtj.exe  39  (x4)
PID 2148 wrote to memory of 2680  2148 rrtnj.exe  40  (x4)
PID 2680 wrote to memory of 1936  2680 vhdntt.exe  41  (x4)
PID 1936 wrote to memory of 1740  1936 vvtbrj.exe  42  (x4)
PID 1740 wrote to memory of 2968  1740 hlttr.exe  43  (x4)
PID 2968 wrote to memory of 1948  2968 lffjr.exe  44  (x4)
PID 1948 wrote to memory of 1464  1948 hdpnlrf.exe  45  (x4)
PID 1464 wrote to memory of 1896  1464 rdllt.exe  46  (x4)
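The WriteProcessMemory rows are a strict chain: every writer is the previous row's target, so each dropped stage launches exactly one successor, and the process tree below carries that chain to depth 122. Two facts in the report make a naive pid-to-name map wrong for this sample: pid 2404 is dlvbtnb.exe at depth 18 and rvxnhrj.exe at depth 58, and pid 1116, the original sample's pid, reappears as rhvvbv.exe at depth 121, because the earlier processes had exited and Windows reused their pids. Every dropped name in the Executes dropped EXE list is also 5 to 7 letters drawn from the twelve consonants b d f h j l n p r t v x, dropped at the drive root. The script below is an added example, not part of the report; it dedupes the four-fold events, checks the chain is linear, surfaces pid reuse by tracking names per pid in event order, and applies that name pattern. The first six edges are copied from the table; the four edges involving 2404 are constructed to mirror the reuse the process tree shows, with made-up procid_target values.

```python
"""Rebuild the spawn chain from Triage "wrote to memory of" events.

Added example, not part of the sandbox report. REPORT_EVENTS are rows from
the report (each real event appears four times there, so duplicates are
collapsed). CONSTRUCTED_EVENTS are made up to mirror the process tree, where
pid 2404 is first dlvbtnb.exe and later rvxnhrj.exe; their procid_target
values are invented.
"""
import re

EVENT_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P=src) "
    r"(?P<image>\S+) (?P<target_id>\d+)$"
)

# Every dropped name in the report is 5-7 letters from these twelve consonants.
DROPPED_NAME_RE = re.compile(r"^[bdfhjlnprtvx]{5,7}\.exe$")

REPORT_EVENTS = """\
PID 1116 wrote to memory of 2532 1116 bc0441b80dcafa7918bd54404a8ec369371383e7360798f820df8c8aa61acf88.exe 31
PID 1116 wrote to memory of 2532 1116 bc0441b80dcafa7918bd54404a8ec369371383e7360798f820df8c8aa61acf88.exe 31
PID 1116 wrote to memory of 2532 1116 bc0441b80dcafa7918bd54404a8ec369371383e7360798f820df8c8aa61acf88.exe 31
PID 1116 wrote to memory of 2532 1116 bc0441b80dcafa7918bd54404a8ec369371383e7360798f820df8c8aa61acf88.exe 31
PID 2532 wrote to memory of 2964 2532 lfppl.exe 32
PID 2964 wrote to memory of 2728 2964 nhrfdfd.exe 33
PID 2728 wrote to memory of 2936 2728 bxbhtv.exe 34
PID 2936 wrote to memory of 2928 2936 jrnrjlj.exe 35
PID 2928 wrote to memory of 2644 2928 ppnpjd.exe 36
"""

# Constructed: pid 2404 reused by two different stages.
CONSTRUCTED_EVENTS = """\
PID 2644 wrote to memory of 2404 2644 jfxpp.exe 90
PID 2404 wrote to memory of 2668 2404 dlvbtnb.exe 91
PID 2668 wrote to memory of 2404 2668 nhlvr.exe 92
PID 2404 wrote to memory of 2672 2404 rvxnhrj.exe 93
"""


def parse_events(text):
    """Unique (src_pid, src_image, dst_pid, target_id) tuples in first-seen order."""
    seen, events = set(), []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = EVENT_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised event line: {line!r}")
        ev = (int(m["src"]), m["image"], int(m["dst"]), int(m["target_id"]))
        if ev not in seen:
            seen.add(ev)
            events.append(ev)
    return events


def is_linear_chain(events):
    """True when every writer after the root is the previous event's target."""
    return all(cur[0] == prev[2] for prev, cur in zip(events, events[1:]))


def chain_depth(events):
    """Processes on the chain, root included, or None if it branches."""
    return len(events) + 1 if is_linear_chain(events) else None


def images_by_pid(events):
    """pid -> image names seen for it, in event order. More than one name
    means the OS reused the pid after the earlier stage exited; a plain
    pid->name dict would silently relabel the earlier stage."""
    names = {}
    for src, image, _, _ in events:
        names.setdefault(src, [])
        if image not in names[src]:
            names[src].append(image)
    return names


def reused_pids(events):
    return {pid: imgs for pid, imgs in images_by_pid(events).items() if len(imgs) > 1}


def dropped_stage_names(events):
    """Writer images that fit the report's dropped-name alphabet."""
    return sorted(img for imgs in images_by_pid(events).values()
                  for img in imgs if DROPPED_NAME_RE.match(img))


if __name__ == "__main__":
    events = parse_events(REPORT_EVENTS + CONSTRUCTED_EVENTS)
    print("unique events:", len(events), "linear:", is_linear_chain(events))
    print("chain depth:", chain_depth(events))
    print("reused pids:", reused_pids(events))
    print("dropped-stage names:", dropped_stage_names(events))
```

When correlating this with EDR telemetry, key each stage on (pid, creation time) or the process GUID rather than on pid alone; the depth-121 reappearance of pid 1116 would otherwise be attached to the original sample, and the two 2404 stages would collapse into one.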
Processes
depth 1: C:\Users\Admin\AppData\Local\Temp\bc0441b80dcafa7918bd54404a8ec369371383e7360798f820df8c8aa61acf88.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\bc0441b80dcafa7918bd54404a8ec369371383e7360798f820df8c8aa61acf88.exe"  PID:1116
- Suspicious use of WriteProcessMemory

depth 2: \??\c:\lfppl.exe  cmdline: c:\lfppl.exe  PID:2532
- Executes dropped EXE
- Suspicious use of WriteProcessMemory

depth 3: \??\c:\nhrfdfd.exe  cmdline: c:\nhrfdfd.exe  PID:2964
- Executes dropped EXE
- Suspicious use of WriteProcessMemory

depth 4: \??\c:\bxbhtv.exe  cmdline: c:\bxbhtv.exe  PID:2728
- Executes dropped EXE
- Suspicious use of WriteProcessMemory

depth 5: \??\c:\jrnrjlj.exe  cmdline: c:\jrnrjlj.exe  PID:2936
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory

depth 6: \??\c:\ppnpjd.exe  cmdline: c:\ppnpjd.exe  PID:2928
- Executes dropped EXE
- Suspicious use of WriteProcessMemory

depth 7: \??\c:\jfxpp.exe  cmdline: c:\jfxpp.exe  PID:2644
- Executes dropped EXE
- Suspicious use of WriteProcessMemory

depth 8: \??\c:\nhlvr.exe  cmdline: c:\nhlvr.exe  PID:2668
- Executes dropped EXE
- Suspicious use of WriteProcessMemory

depth 9: \??\c:\bndtj.exe  cmdline: c:\bndtj.exe  PID:2672
- Executes dropped EXE
- Suspicious use of WriteProcessMemory

depth 10: \??\c:\rrtnj.exe  cmdline: c:\rrtnj.exe  PID:2148
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory

depth 11: \??\c:\vhdntt.exe  cmdline: c:\vhdntt.exe  PID:2680
- Executes dropped EXE
- Suspicious use of WriteProcessMemory

depth 12: \??\c:\vvtbrj.exe  cmdline: c:\vvtbrj.exe  PID:1936
- Executes dropped EXE
- Suspicious use of WriteProcessMemory

depth 13: \??\c:\hlttr.exe  cmdline: c:\hlttr.exe  PID:1740
- Executes dropped EXE
- Suspicious use of WriteProcessMemory

depth 14: \??\c:\lffjr.exe  cmdline: c:\lffjr.exe  PID:2968
- Executes dropped EXE
- Suspicious use of WriteProcessMemory

depth 15: \??\c:\hdpnlrf.exe  cmdline: c:\hdpnlrf.exe  PID:1948
- Executes dropped EXE
- Suspicious use of WriteProcessMemory

depth 16: \??\c:\rdllt.exe  cmdline: c:\rdllt.exe  PID:1464
- Executes dropped EXE
- Suspicious use of WriteProcessMemory

depth 17: \??\c:\hdltfbn.exe  cmdline: c:\hdltfbn.exe  PID:1896
- Executes dropped EXE
depth 18: \??\c:\dlvbtnb.exe  cmdline: c:\dlvbtnb.exe  PID:2404
- Executes dropped EXE

depth 19: \??\c:\lvxlnjx.exe  cmdline: c:\lvxlnjx.exe  PID:2168
- Executes dropped EXE

depth 20: \??\c:\lpxhvhp.exe  cmdline: c:\lpxhvhp.exe  PID:2544
- Executes dropped EXE

depth 21: \??\c:\lrbtj.exe  cmdline: c:\lrbtj.exe  PID:1076
- Executes dropped EXE

depth 22: \??\c:\tbfxn.exe  cmdline: c:\tbfxn.exe  PID:2224
- Executes dropped EXE

depth 23: \??\c:\bdhpt.exe  cmdline: c:\bdhpt.exe  PID:276
- Executes dropped EXE

depth 24: \??\c:\prxfxv.exe  cmdline: c:\prxfxv.exe  PID:1148
- Executes dropped EXE

depth 25: \??\c:\jlpppfl.exe  cmdline: c:\jlpppfl.exe  PID:1736
- Executes dropped EXE

depth 26: \??\c:\plbrfd.exe  cmdline: c:\plbrfd.exe  PID:1724
- Executes dropped EXE
- System Location Discovery: System Language Discovery

depth 27: \??\c:\fhrbt.exe  cmdline: c:\fhrbt.exe  PID:2308
- Executes dropped EXE

depth 28: \??\c:\lxtnx.exe  cmdline: c:\lxtnx.exe  PID:2580
- Executes dropped EXE

depth 29: \??\c:\njvbxtp.exe  cmdline: c:\njvbxtp.exe  PID:1660
- Executes dropped EXE

depth 30: \??\c:\plfnxb.exe  cmdline: c:\plfnxb.exe  PID:1528
- Executes dropped EXE

depth 31: \??\c:\jbnnjr.exe  cmdline: c:\jbnnjr.exe  PID:2372
- Executes dropped EXE

depth 32: \??\c:\nttxlvh.exe  cmdline: c:\nttxlvh.exe  PID:1976
- Executes dropped EXE

depth 33: \??\c:\vrdhrb.exe  cmdline: c:\vrdhrb.exe  PID:536
- Executes dropped EXE

depth 34: \??\c:\rvpxn.exe  cmdline: c:\rvpxn.exe  PID:2556
- Executes dropped EXE

depth 35: \??\c:\npbhfpr.exe  cmdline: c:\npbhfpr.exe  PID:2064
- Executes dropped EXE

depth 36: \??\c:\jbbhhb.exe  cmdline: c:\jbbhhb.exe  PID:1708
- Executes dropped EXE

depth 37: \??\c:\lhvldnf.exe  cmdline: c:\lhvldnf.exe  PID:2432
- Executes dropped EXE

depth 38: \??\c:\nrlvn.exe  cmdline: c:\nrlvn.exe  PID:2872
- Executes dropped EXE
- System Location Discovery: System Language Discovery

depth 39: \??\c:\bnjhnt.exe  cmdline: c:\bnjhnt.exe  PID:2900
- Executes dropped EXE

depth 40: \??\c:\dxldh.exe  cmdline: c:\dxldh.exe  PID:2744
- Executes dropped EXE

depth 41: \??\c:\tnnldv.exe  cmdline: c:\tnnldv.exe  PID:1552
- Executes dropped EXE

depth 42: \??\c:\tlhvlh.exe  cmdline: c:\tlhvlh.exe  PID:2780
- Executes dropped EXE

depth 43: \??\c:\xrfllv.exe  cmdline: c:\xrfllv.exe  PID:2620
- Executes dropped EXE

depth 44: \??\c:\nlhxxl.exe  cmdline: c:\nlhxxl.exe  PID:2684
- Executes dropped EXE

depth 45: \??\c:\ffbjbh.exe  cmdline: c:\ffbjbh.exe  PID:2740
- Executes dropped EXE

depth 46: \??\c:\hphtft.exe  cmdline: c:\hphtft.exe  PID:1104
- Executes dropped EXE

depth 47: \??\c:\njvrf.exe  cmdline: c:\njvrf.exe  PID:2296
- Executes dropped EXE

depth 48: \??\c:\nfjpp.exe  cmdline: c:\nfjpp.exe  PID:2844
- Executes dropped EXE

depth 49: \??\c:\vtrbl.exe  cmdline: c:\vtrbl.exe  PID:2708
- Executes dropped EXE

depth 50: \??\c:\xfxlb.exe  cmdline: c:\xfxlb.exe  PID:2952
- Executes dropped EXE

depth 51: \??\c:\hnhddbj.exe  cmdline: c:\hnhddbj.exe  PID:1980
- Executes dropped EXE

depth 52: \??\c:\dxljr.exe  cmdline: c:\dxljr.exe  PID:2860
- Executes dropped EXE

depth 53: \??\c:\nfpxdv.exe  cmdline: c:\nfpxdv.exe  PID:2980
- Executes dropped EXE

depth 54: \??\c:\xjbhbpr.exe  cmdline: c:\xjbhbpr.exe  PID:1288
- Executes dropped EXE

depth 55: \??\c:\xlbpn.exe  cmdline: c:\xlbpn.exe  PID:1624
- Executes dropped EXE

depth 56: \??\c:\fhpth.exe  cmdline: c:\fhpth.exe  PID:1892
- Executes dropped EXE

depth 57: \??\c:\txpbll.exe  cmdline: c:\txpbll.exe  PID:2988
- Executes dropped EXE

depth 58: \??\c:\rvxnhrj.exe  cmdline: c:\rvxnhrj.exe  PID:2404
- Executes dropped EXE

depth 59: \??\c:\dvhddxr.exe  cmdline: c:\dvhddxr.exe  PID:2056
- Executes dropped EXE

depth 60: \??\c:\dfphr.exe  cmdline: c:\dfphr.exe  PID:2096
- Executes dropped EXE

depth 61: \??\c:\blhbbjd.exe  cmdline: c:\blhbbjd.exe  PID:1352
- Executes dropped EXE

depth 62: \??\c:\rtpxbp.exe  cmdline: c:\rtpxbp.exe  PID:3060
- Executes dropped EXE

depth 63: \??\c:\lvbvv.exe  cmdline: c:\lvbvv.exe  PID:1268
- Executes dropped EXE

depth 64: \??\c:\rhjrnr.exe  cmdline: c:\rhjrnr.exe  PID:620
- Executes dropped EXE

depth 65: \??\c:\lpjbr.exe  cmdline: c:\lpjbr.exe  PID:1824
- Executes dropped EXE
depth 66: \??\c:\lndbbv.exe  cmdline: c:\lndbbv.exe  PID:1148
depth 67: \??\c:\bfbvx.exe  cmdline: c:\bfbvx.exe  PID:1736
depth 68: \??\c:\bjptjl.exe  cmdline: c:\bjptjl.exe  PID:828
depth 69: \??\c:\dbtjp.exe  cmdline: c:\dbtjp.exe  PID:1472
depth 70: \??\c:\hnjjf.exe  cmdline: c:\hnjjf.exe  PID:2040

depth 71: \??\c:\trpdnh.exe  cmdline: c:\trpdnh.exe  PID:2480
- System Location Discovery: System Language Discovery

depth 72: \??\c:\fhrfn.exe  cmdline: c:\fhrfn.exe  PID:2092
depth 73: \??\c:\vlnxpld.exe  cmdline: c:\vlnxpld.exe  PID:2180
depth 74: \??\c:\lvlvr.exe  cmdline: c:\lvlvr.exe  PID:2960
depth 75: \??\c:\rnbvtf.exe  cmdline: c:\rnbvtf.exe  PID:1668
depth 76: \??\c:\thdhp.exe  cmdline: c:\thdhp.exe  PID:3028
depth 77: \??\c:\nhlbbd.exe  cmdline: c:\nhlbbd.exe  PID:2536
depth 78: \??\c:\jbrdp.exe  cmdline: c:\jbrdp.exe  PID:1600
depth 79: \??\c:\fhtddf.exe  cmdline: c:\fhtddf.exe  PID:2812
depth 80: \??\c:\tnvlvnr.exe  cmdline: c:\tnvlvnr.exe  PID:2456
depth 81: \??\c:\xrhtjvj.exe  cmdline: c:\xrhtjvj.exe  PID:2768
depth 82: \??\c:\fhnfnrl.exe  cmdline: c:\fhnfnrl.exe  PID:2904
depth 83: \??\c:\vhbtpvp.exe  cmdline: c:\vhbtpvp.exe  PID:2192
depth 84: \??\c:\ddxllt.exe  cmdline: c:\ddxllt.exe  PID:2360
depth 85: \??\c:\bnvlnp.exe  cmdline: c:\bnvlnp.exe  PID:2648
depth 86: \??\c:\jfptfxl.exe  cmdline: c:\jfptfxl.exe  PID:3024
depth 87: \??\c:\vtfxtlr.exe  cmdline: c:\vtfxtlr.exe  PID:2616
depth 88: \??\c:\nrnlb.exe  cmdline: c:\nrnlb.exe  PID:2636
depth 89: \??\c:\hrvhrhn.exe  cmdline: c:\hrvhrhn.exe  PID:2692
depth 90: \??\c:\flxdlxn.exe  cmdline: c:\flxdlxn.exe  PID:2088
depth 91: \??\c:\hndfv.exe  cmdline: c:\hndfv.exe  PID:656
depth 92: \??\c:\fxrtd.exe  cmdline: c:\fxrtd.exe  PID:2688
depth 93: \??\c:\rhldn.exe  cmdline: c:\rhldn.exe  PID:1916
depth 94: \??\c:\hpdfn.exe  cmdline: c:\hpdfn.exe  PID:2720
depth 95: \??\c:\rnrfbl.exe  cmdline: c:\rnrfbl.exe  PID:1712
depth 96: \??\c:\nfjlfr.exe  cmdline: c:\nfjlfr.exe  PID:1176
depth 97: \??\c:\jvfppv.exe  cmdline: c:\jvfppv.exe  PID:2300
depth 98: \??\c:\lttbn.exe  cmdline: c:\lttbn.exe  PID:924
depth 99: \??\c:\lxrjvjr.exe  cmdline: c:\lxrjvjr.exe  PID:1900
depth 100: \??\c:\ftbrh.exe  cmdline: c:\ftbrh.exe  PID:2076
depth 101: \??\c:\xbdjd.exe  cmdline: c:\xbdjd.exe  PID:1044
depth 102: \??\c:\jdptdrj.exe  cmdline: c:\jdptdrj.exe  PID:1484
depth 103: \??\c:\dhplvx.exe  cmdline: c:\dhplvx.exe  PID:2288
depth 104: \??\c:\pdnvdj.exe  cmdline: c:\pdnvdj.exe  PID:1156

depth 105: \??\c:\dxjlpj.exe  cmdline: c:\dxjlpj.exe  PID:1172
- System Location Discovery: System Language Discovery

depth 106: \??\c:\xpbvn.exe  cmdline: c:\xpbvn.exe  PID:1480
depth 107: \??\c:\tvphd.exe  cmdline: c:\tvphd.exe  PID:1164
depth 108: \??\c:\nvfprd.exe  cmdline: c:\nvfprd.exe  PID:1016
depth 109: \??\c:\trvxnvf.exe  cmdline: c:\trvxnvf.exe  PID:1716
depth 110: \??\c:\lndvbp.exe  cmdline: c:\lndvbp.exe  PID:2120
depth 111: \??\c:\nvhht.exe  cmdline: c:\nvhht.exe  PID:1780
depth 112: \??\c:\jrvhldj.exe  cmdline: c:\jrvhldj.exe  PID:2004
depth 113: \??\c:\thjprnf.exe  cmdline: c:\thjprnf.exe  PID:2044
depth 114: \??\c:\njjfph.exe  cmdline: c:\njjfph.exe  PID:1540
depth 115: \??\c:\vrlrr.exe  cmdline: c:\vrlrr.exe  PID:2040
depth 116: \??\c:\hrjllff.exe  cmdline: c:\hrjllff.exe  PID:236
depth 117: \??\c:\rrtdvfn.exe  cmdline: c:\rrtdvfn.exe  PID:2092
depth 118: \??\c:\llbpxtv.exe  cmdline: c:\llbpxtv.exe  PID:1360
depth 119: \??\c:\xrnhjlv.exe  cmdline: c:\xrnhjlv.exe  PID:1672
depth 120: \??\c:\ntxtrbh.exe  cmdline: c:\ntxtrbh.exe  PID:2552
depth 121: \??\c:\rhvvbv.exe  cmdline: c:\rhvvbv.exe  PID:1116
depth 122: \??\c:\djjvbn.exe  cmdline: c:\djjvbn.exe  PID:2536