Analysis
-
max time kernel
150s -
max time network
18s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64 arch:x86 image:win7-20241010-en locale:en-us os:windows7-x64 system -
submitted
08/01/2025, 07:28
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
bcc750e6cfaf700bd204fa9bfe1d025a5990c214e951b2039a69f2a14f0ed866.exe
Resource
win7-20241010-en
7 signatures
150 seconds
General
-
Target
bcc750e6cfaf700bd204fa9bfe1d025a5990c214e951b2039a69f2a14f0ed866.exe
-
Size
454KB
-
MD5
5b5e55e9109ef0c766a32ea8d1070723
-
SHA1
55149d7e7fe851a0eada703f46a0ae265a4dfa2e
-
SHA256
bcc750e6cfaf700bd204fa9bfe1d025a5990c214e951b2039a69f2a14f0ed866
-
SHA512
c21648d477d3a0b9e20b178259f1070e4770d6375cf487c9e3f722b2f0b9c7964bd75d96ee4008dc05e7f624011999a5900dfc5d68e2c6a6f87a40affe099799
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe5:q7Tc2NYHUrAwfMp3CD5
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 47 IoCs
resource yara_rule behavioral1/memory/2104-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1480-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1472-28-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2940-53-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/644-64-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2680-67-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1656-84-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2796-87-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1632-103-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2080-107-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2272-123-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2140-145-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2140-147-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/1944-160-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2248-178-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2264-182-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/904-201-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2520-197-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1500-221-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2028-219-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2600-247-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/1500-257-0x0000000000250000-0x000000000027A000-memory.dmp family_blackmoon behavioral1/memory/940-265-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2252-274-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/236-284-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1736-302-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1236-309-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1236-312-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2300-341-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2444-340-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2996-373-0x0000000000430000-0x000000000045A000-memory.dmp family_blackmoon behavioral1/memory/2348-385-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2604-401-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/3040-414-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2812-429-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1040-428-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2812-435-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1564-512-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1564-511-0x0000000000430000-0x000000000045A000-memory.dmp family_blackmoon behavioral1/memory/1972-547-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/2504-553-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1236-603-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon 
behavioral1/memory/2616-636-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2860-663-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2836-670-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2344-685-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2344-684-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1480 ljfdfx.exe 1472 fhvfj.exe 2068 hvlxxnl.exe 668 hljjp.exe 2940 dxjpjxb.exe 644 tbnfbh.exe 2680 tbhtxhp.exe 1656 brxlt.exe 2796 rvlfj.exe 1632 hnnpppr.exe 2080 fbvlr.exe 2272 nphlpdv.exe 2812 blndd.exe 1584 dlvpj.exe 2140 fpdbt.exe 1944 npbbp.exe 848 tlnpvtv.exe 2248 pvnhbb.exe 2264 htrfdlt.exe 2520 xfdblf.exe 904 ptltjhd.exe 2028 drfdf.exe 1500 ljlvb.exe 2412 prflb.exe 2600 bvrtb.exe 1004 ddvdtn.exe 940 ffbht.exe 2252 tvpth.exe 236 rlthlhd.exe 2384 brppn.exe 1736 rdlpbl.exe 1236 lptdljt.exe 2300 bdhlv.exe 2804 hprxj.exe 3012 vhhhh.exe 2444 vpdjb.exe 2868 njhjhxx.exe 2996 bxflj.exe 2136 hblrdh.exe 2972 bltbb.exe 2760 pvttlb.exe 2772 pxnttp.exe 2348 fbhntrh.exe 2388 pthjhf.exe 2604 vrddt.exe 1632 ldxljlh.exe 3040 bfhrhpt.exe 2968 tlvdt.exe 1040 hdvfrj.exe 2812 tvbthv.exe 1576 fxpprfv.exe 2340 vnllv.exe 1676 pfhxdv.exe 320 fddfr.exe 760 tvtvthp.exe 2148 ntdnvv.exe 2372 ljlbht.exe 2496 bbxdb.exe 2512 hpprjnf.exe 600 bvhdx.exe 1564 rhhtjp.exe 2028 vtjrf.exe 1972 pptbhnb.exe 1280 rllfj.exe -
resource yara_rule behavioral1/memory/2104-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1480-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1472-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2940-45-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2940-53-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/644-64-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2680-67-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1656-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2796-87-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1632-103-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2080-107-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2272-114-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2272-123-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2140-145-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1944-160-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2248-178-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2264-182-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/904-201-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1500-221-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2028-219-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2600-247-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/940-265-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2252-274-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/236-284-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/1736-302-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2300-313-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1236-312-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2444-340-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2388-388-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2604-401-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/3040-414-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2812-429-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1040-428-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2372-474-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1564-512-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2504-553-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2204-591-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1236-603-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2980-649-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2860-663-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2836-670-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2344-685-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1784-686-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1884-699-0x0000000000320000-0x000000000034A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tfjtfth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htrjxj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xflrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vllbv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ntphxn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlpdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rpbpbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvlfbdl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rjdvhvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lpxvtb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ptltjhd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnddvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language drtjb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rdxrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tpbfvx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frpvl.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bljpvtd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hpprjnf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbjlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxvbbhf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jrdvrp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xvpjvjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lpjdpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lttldhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jfnbrhp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fbvlr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rflxdx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language trjpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hvlxxnl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language drtftl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxbjrb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ptpxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bdhlv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xnpjrn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hxtrpx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language njddvfh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdxrfvt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bpdfv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htrtxj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhtvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2104 wrote to memory of 1480 2104 bcc750e6cfaf700bd204fa9bfe1d025a5990c214e951b2039a69f2a14f0ed866.exe 30 PID 2104 wrote to memory of 1480 2104 bcc750e6cfaf700bd204fa9bfe1d025a5990c214e951b2039a69f2a14f0ed866.exe 30 PID 2104 wrote to memory of 1480 2104 bcc750e6cfaf700bd204fa9bfe1d025a5990c214e951b2039a69f2a14f0ed866.exe 30 PID 2104 wrote to memory of 1480 2104 bcc750e6cfaf700bd204fa9bfe1d025a5990c214e951b2039a69f2a14f0ed866.exe 30 PID 1480 wrote to memory of 1472 1480 ljfdfx.exe 31 PID 1480 wrote to memory of 1472 1480 ljfdfx.exe 31 PID 1480 wrote to memory of 1472 1480 ljfdfx.exe 31 PID 1480 wrote to memory of 1472 1480 ljfdfx.exe 31 PID 1472 wrote to memory of 2068 1472 fhvfj.exe 32 PID 1472 wrote to memory of 2068 1472 fhvfj.exe 32 PID 1472 wrote to memory of 2068 1472 fhvfj.exe 32 PID 1472 wrote to memory of 2068 1472 fhvfj.exe 32 PID 2068 wrote to memory of 668 2068 hvlxxnl.exe 33 PID 2068 wrote to memory of 668 2068 hvlxxnl.exe 33 PID 2068 wrote to memory of 668 2068 hvlxxnl.exe 33 PID 2068 wrote to memory of 668 2068 hvlxxnl.exe 33 PID 668 wrote to memory of 2940 668 hljjp.exe 34 PID 668 wrote to memory of 2940 668 hljjp.exe 34 PID 668 wrote to memory of 2940 668 hljjp.exe 34 PID 668 wrote to memory of 2940 668 hljjp.exe 34 PID 2940 wrote to memory of 644 2940 dxjpjxb.exe 35 PID 2940 wrote to memory of 644 2940 dxjpjxb.exe 35 PID 2940 wrote to memory of 644 2940 dxjpjxb.exe 35 PID 2940 wrote to memory of 644 2940 dxjpjxb.exe 35 PID 644 wrote to memory of 2680 644 tbnfbh.exe 36 PID 644 wrote to memory of 2680 644 tbnfbh.exe 36 PID 644 wrote to memory of 2680 644 tbnfbh.exe 36 PID 644 wrote to memory of 2680 644 tbnfbh.exe 36 PID 2680 wrote to memory of 1656 2680 tbhtxhp.exe 37 PID 2680 wrote to memory of 1656 2680 tbhtxhp.exe 37 PID 2680 wrote to memory of 1656 2680 tbhtxhp.exe 37 PID 2680 wrote to memory of 1656 2680 tbhtxhp.exe 37 PID 1656 wrote to memory of 2796 1656 brxlt.exe 38 PID 1656 wrote to memory of 2796 
1656 brxlt.exe 38 PID 1656 wrote to memory of 2796 1656 brxlt.exe 38 PID 1656 wrote to memory of 2796 1656 brxlt.exe 38 PID 2796 wrote to memory of 1632 2796 rvlfj.exe 39 PID 2796 wrote to memory of 1632 2796 rvlfj.exe 39 PID 2796 wrote to memory of 1632 2796 rvlfj.exe 39 PID 2796 wrote to memory of 1632 2796 rvlfj.exe 39 PID 1632 wrote to memory of 2080 1632 hnnpppr.exe 40 PID 1632 wrote to memory of 2080 1632 hnnpppr.exe 40 PID 1632 wrote to memory of 2080 1632 hnnpppr.exe 40 PID 1632 wrote to memory of 2080 1632 hnnpppr.exe 40 PID 2080 wrote to memory of 2272 2080 fbvlr.exe 41 PID 2080 wrote to memory of 2272 2080 fbvlr.exe 41 PID 2080 wrote to memory of 2272 2080 fbvlr.exe 41 PID 2080 wrote to memory of 2272 2080 fbvlr.exe 41 PID 2272 wrote to memory of 2812 2272 nphlpdv.exe 42 PID 2272 wrote to memory of 2812 2272 nphlpdv.exe 42 PID 2272 wrote to memory of 2812 2272 nphlpdv.exe 42 PID 2272 wrote to memory of 2812 2272 nphlpdv.exe 42 PID 2812 wrote to memory of 1584 2812 blndd.exe 43 PID 2812 wrote to memory of 1584 2812 blndd.exe 43 PID 2812 wrote to memory of 1584 2812 blndd.exe 43 PID 2812 wrote to memory of 1584 2812 blndd.exe 43 PID 1584 wrote to memory of 2140 1584 dlvpj.exe 44 PID 1584 wrote to memory of 2140 1584 dlvpj.exe 44 PID 1584 wrote to memory of 2140 1584 dlvpj.exe 44 PID 1584 wrote to memory of 2140 1584 dlvpj.exe 44 PID 2140 wrote to memory of 1944 2140 fpdbt.exe 45 PID 2140 wrote to memory of 1944 2140 fpdbt.exe 45 PID 2140 wrote to memory of 1944 2140 fpdbt.exe 45 PID 2140 wrote to memory of 1944 2140 fpdbt.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\bcc750e6cfaf700bd204fa9bfe1d025a5990c214e951b2039a69f2a14f0ed866.exe"C:\Users\Admin\AppData\Local\Temp\bcc750e6cfaf700bd204fa9bfe1d025a5990c214e951b2039a69f2a14f0ed866.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2104 -
\??\c:\ljfdfx.exec:\ljfdfx.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1480 -
\??\c:\fhvfj.exec:\fhvfj.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1472 -
\??\c:\hvlxxnl.exec:\hvlxxnl.exe4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2068 -
\??\c:\hljjp.exec:\hljjp.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:668 -
\??\c:\dxjpjxb.exec:\dxjpjxb.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2940 -
\??\c:\tbnfbh.exec:\tbnfbh.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:644 -
\??\c:\tbhtxhp.exec:\tbhtxhp.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2680 -
\??\c:\brxlt.exec:\brxlt.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1656 -
\??\c:\rvlfj.exec:\rvlfj.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2796 -
\??\c:\hnnpppr.exec:\hnnpppr.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1632 -
\??\c:\fbvlr.exec:\fbvlr.exe12⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2080 -
\??\c:\nphlpdv.exec:\nphlpdv.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2272 -
\??\c:\blndd.exec:\blndd.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2812 -
\??\c:\dlvpj.exec:\dlvpj.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1584 -
\??\c:\fpdbt.exec:\fpdbt.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2140 -
\??\c:\npbbp.exec:\npbbp.exe17⤵
- Executes dropped EXE
PID:1944 -
\??\c:\tlnpvtv.exec:\tlnpvtv.exe18⤵
- Executes dropped EXE
PID:848 -
\??\c:\pvnhbb.exec:\pvnhbb.exe19⤵
- Executes dropped EXE
PID:2248 -
\??\c:\htrfdlt.exec:\htrfdlt.exe20⤵
- Executes dropped EXE
PID:2264 -
\??\c:\xfdblf.exec:\xfdblf.exe21⤵
- Executes dropped EXE
PID:2520 -
\??\c:\ptltjhd.exec:\ptltjhd.exe22⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:904 -
\??\c:\drfdf.exec:\drfdf.exe23⤵
- Executes dropped EXE
PID:2028 -
\??\c:\ljlvb.exec:\ljlvb.exe24⤵
- Executes dropped EXE
PID:1500 -
\??\c:\prflb.exec:\prflb.exe25⤵
- Executes dropped EXE
PID:2412 -
\??\c:\bvrtb.exec:\bvrtb.exe26⤵
- Executes dropped EXE
PID:2600 -
\??\c:\ddvdtn.exec:\ddvdtn.exe27⤵
- Executes dropped EXE
PID:1004 -
\??\c:\ffbht.exec:\ffbht.exe28⤵
- Executes dropped EXE
PID:940 -
\??\c:\tvpth.exec:\tvpth.exe29⤵
- Executes dropped EXE
PID:2252 -
\??\c:\rlthlhd.exec:\rlthlhd.exe30⤵
- Executes dropped EXE
PID:236 -
\??\c:\brppn.exec:\brppn.exe31⤵
- Executes dropped EXE
PID:2384 -
\??\c:\rdlpbl.exec:\rdlpbl.exe32⤵
- Executes dropped EXE
PID:1736 -
\??\c:\lptdljt.exec:\lptdljt.exe33⤵
- Executes dropped EXE
PID:1236 -
\??\c:\bdhlv.exec:\bdhlv.exe34⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2300 -
\??\c:\hprxj.exec:\hprxj.exe35⤵
- Executes dropped EXE
PID:2804 -
\??\c:\vhhhh.exec:\vhhhh.exe36⤵
- Executes dropped EXE
PID:3012 -
\??\c:\vpdjb.exec:\vpdjb.exe37⤵
- Executes dropped EXE
PID:2444 -
\??\c:\njhjhxx.exec:\njhjhxx.exe38⤵
- Executes dropped EXE
PID:2868 -
\??\c:\bxflj.exec:\bxflj.exe39⤵
- Executes dropped EXE
PID:2996 -
\??\c:\hblrdh.exec:\hblrdh.exe40⤵
- Executes dropped EXE
PID:2136 -
\??\c:\bltbb.exec:\bltbb.exe41⤵
- Executes dropped EXE
PID:2972 -
\??\c:\pvttlb.exec:\pvttlb.exe42⤵
- Executes dropped EXE
PID:2760 -
\??\c:\pxnttp.exec:\pxnttp.exe43⤵
- Executes dropped EXE
PID:2772 -
\??\c:\fbhntrh.exec:\fbhntrh.exe44⤵
- Executes dropped EXE
PID:2348 -
\??\c:\pthjhf.exec:\pthjhf.exe45⤵
- Executes dropped EXE
PID:2388 -
\??\c:\vrddt.exec:\vrddt.exe46⤵
- Executes dropped EXE
PID:2604 -
\??\c:\ldxljlh.exec:\ldxljlh.exe47⤵
- Executes dropped EXE
PID:1632 -
\??\c:\bfhrhpt.exec:\bfhrhpt.exe48⤵
- Executes dropped EXE
PID:3040 -
\??\c:\tlvdt.exec:\tlvdt.exe49⤵
- Executes dropped EXE
PID:2968 -
\??\c:\hdvfrj.exec:\hdvfrj.exe50⤵
- Executes dropped EXE
PID:1040 -
\??\c:\tvbthv.exec:\tvbthv.exe51⤵
- Executes dropped EXE
PID:2812 -
\??\c:\fxpprfv.exec:\fxpprfv.exe52⤵
- Executes dropped EXE
PID:1576 -
\??\c:\vnllv.exec:\vnllv.exe53⤵
- Executes dropped EXE
PID:2340 -
\??\c:\pfhxdv.exec:\pfhxdv.exe54⤵
- Executes dropped EXE
PID:1676 -
\??\c:\fddfr.exec:\fddfr.exe55⤵
- Executes dropped EXE
PID:320 -
\??\c:\tvtvthp.exec:\tvtvthp.exe56⤵
- Executes dropped EXE
PID:760 -
\??\c:\ntdnvv.exec:\ntdnvv.exe57⤵
- Executes dropped EXE
PID:2148 -
\??\c:\ljlbht.exec:\ljlbht.exe58⤵
- Executes dropped EXE
PID:2372 -
\??\c:\bbxdb.exec:\bbxdb.exe59⤵
- Executes dropped EXE
PID:2496 -
\??\c:\hpprjnf.exec:\hpprjnf.exe60⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2512 -
\??\c:\bvhdx.exec:\bvhdx.exe61⤵
- Executes dropped EXE
PID:600 -
\??\c:\rhhtjp.exec:\rhhtjp.exe62⤵
- Executes dropped EXE
PID:1564 -
\??\c:\vtjrf.exec:\vtjrf.exe63⤵
- Executes dropped EXE
PID:2028 -
\??\c:\pptbhnb.exec:\pptbhnb.exe64⤵
- Executes dropped EXE
PID:1972 -
\??\c:\rllfj.exec:\rllfj.exe65⤵
- Executes dropped EXE
PID:1280 -
\??\c:\dpvjl.exec:\dpvjl.exe66⤵PID:472
-
\??\c:\lbfnb.exec:\lbfnb.exe67⤵PID:2600
-
\??\c:\hdxnf.exec:\hdxnf.exe68⤵PID:1724
-
\??\c:\hjptnn.exec:\hjptnn.exe69⤵PID:2504
-
\??\c:\bpdfv.exec:\bpdfv.exe70⤵
- System Location Discovery: System Language Discovery
PID:2620 -
\??\c:\thtrff.exec:\thtrff.exe71⤵PID:2032
-
\??\c:\nprjd.exec:\nprjd.exe72⤵PID:2672
-
\??\c:\tnvtdv.exec:\tnvtdv.exe73⤵PID:1036
-
\??\c:\xrhdn.exec:\xrhdn.exe74⤵PID:1544
-
\??\c:\hnnjfd.exec:\hnnjfd.exe75⤵PID:2204
-
\??\c:\lnpxl.exec:\lnpxl.exe76⤵PID:1236
-
\??\c:\dhjfjrb.exec:\dhjfjrb.exe77⤵PID:2396
-
\??\c:\dltpvfh.exec:\dltpvfh.exe78⤵PID:1020
-
\??\c:\xxftfp.exec:\xxftfp.exe79⤵PID:2624
-
\??\c:\hdtnltn.exec:\hdtnltn.exe80⤵PID:2852
-
\??\c:\fttxdfl.exec:\fttxdfl.exe81⤵PID:2616
-
\??\c:\xpdvt.exec:\xpdvt.exe82⤵PID:2940
-
\??\c:\tjtpvr.exec:\tjtpvr.exe83⤵PID:2840
-
\??\c:\xpjrdpf.exec:\xpjrdpf.exe84⤵PID:2980
-
\??\c:\xtbtlv.exec:\xtbtlv.exe85⤵PID:2860
-
\??\c:\jvjrp.exec:\jvjrp.exe86⤵PID:2836
-
\??\c:\dpxnbj.exec:\dpxnbj.exe87⤵PID:2332
-
\??\c:\ptdvrhl.exec:\ptdvrhl.exe88⤵PID:2344
-
\??\c:\rrtjj.exec:\rrtjj.exe89⤵PID:1784
-
\??\c:\xprnvhf.exec:\xprnvhf.exe90⤵PID:1884
-
\??\c:\xrvnp.exec:\xrvnp.exe91⤵PID:2420
-
\??\c:\njblhh.exec:\njblhh.exe92⤵PID:924
-
\??\c:\pxjjptn.exec:\pxjjptn.exe93⤵PID:3044
-
\??\c:\rntvrtt.exec:\rntvrtt.exe94⤵PID:2548
-
\??\c:\hjxfj.exec:\hjxfj.exe95⤵PID:1584
-
\??\c:\jhdxtbx.exec:\jhdxtbx.exe96⤵PID:2140
-
\??\c:\fbhfxrf.exec:\fbhfxrf.exe97⤵PID:1496
-
\??\c:\dlfdlv.exec:\dlfdlv.exe98⤵PID:1592
-
\??\c:\xptbjr.exec:\xptbjr.exe99⤵PID:848
-
\??\c:\ddtnv.exec:\ddtnv.exe100⤵PID:1612
-
\??\c:\lxndlt.exec:\lxndlt.exe101⤵PID:2056
-
\??\c:\nvlfl.exec:\nvlfl.exe102⤵PID:2232
-
\??\c:\nllnd.exec:\nllnd.exe103⤵PID:744
-
\??\c:\ljhjh.exec:\ljhjh.exe104⤵PID:856
-
\??\c:\rnxbtj.exec:\rnxbtj.exe105⤵PID:1144
-
\??\c:\vbbnt.exec:\vbbnt.exe106⤵PID:2128
-
\??\c:\plbxb.exec:\plbxb.exe107⤵PID:2596
-
\??\c:\bjffvld.exec:\bjffvld.exe108⤵PID:2584
-
\??\c:\tfvftxb.exec:\tfvftxb.exe109⤵PID:1704
-
\??\c:\jtppjf.exec:\jtppjf.exe110⤵PID:796
-
\??\c:\hrtxnx.exec:\hrtxnx.exe111⤵PID:2036
-
\??\c:\ttdpb.exec:\ttdpb.exe112⤵PID:1608
-
\??\c:\lvffbb.exec:\lvffbb.exe113⤵PID:2392
-
\??\c:\ltrdrrp.exec:\ltrdrrp.exe114⤵PID:2252
-
\??\c:\pxjldhr.exec:\pxjldhr.exe115⤵PID:2464
-
\??\c:\xdbpljv.exec:\xdbpljv.exe116⤵PID:2672
-
\??\c:\ttvpph.exec:\ttvpph.exe117⤵PID:2176
-
\??\c:\bdldlh.exec:\bdldlh.exe118⤵PID:1736
-
\??\c:\lbtbht.exec:\lbtbht.exe119⤵PID:1532
-
\??\c:\ndrvhd.exec:\ndrvhd.exe120⤵PID:2560
-
\??\c:\nrjnrdj.exec:\nrjnrdj.exe121⤵PID:3008
-
\??\c:\ntpftdv.exec:\ntpftdv.exe122⤵PID:1212