Analysis
-
max time kernel
120s -
max time network
18s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64 arch:x86 image:win7-20241010-en locale:en-us os:windows7-x64 system -
submitted
08/01/2025, 07:38
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
6bcc05e6fed972f2aaed83abe12fba4f9986f6e8ba979758bcf3074776ab9157N.exe
Resource
win7-20241010-en
7 signatures
120 seconds
General
-
Target
6bcc05e6fed972f2aaed83abe12fba4f9986f6e8ba979758bcf3074776ab9157N.exe
-
Size
455KB
-
MD5
dc0da22179df1a8de55c36c1449a4290
-
SHA1
0899d882b6d5e95197a552ec4e2f46a669e3aa67
-
SHA256
6bcc05e6fed972f2aaed83abe12fba4f9986f6e8ba979758bcf3074776ab9157
-
SHA512
7a1dde82ab034a2ab0a4130e93d9136dddbe663e4a34b7fc16a43c683061afee75906a95155284e4985ed8ea5f50831852c917e1b7fb78a676dcee9b3027374d
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeq:q7Tc2NYHUrAwfMp3CDq
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 40 IoCs
resource yara_rule behavioral1/memory/2312-8-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2716-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2872-27-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2928-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2932-45-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2128-54-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/2812-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2128-56-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2916-74-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2616-83-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2760-92-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1260-112-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2968-109-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1484-121-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2752-156-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2192-173-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1940-208-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2232-252-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2748-278-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2384-291-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2384-287-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon 
behavioral1/memory/2312-300-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2156-320-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2212-327-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2924-335-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2164-363-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2204-383-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1676-460-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2404-484-0x0000000000330000-0x000000000035A000-memory.dmp family_blackmoon behavioral1/memory/2028-494-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1672-493-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1800-507-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/272-522-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2080-529-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2072-563-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2656-603-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2812-642-0x0000000000350000-0x000000000037A000-memory.dmp family_blackmoon behavioral1/memory/2460-808-0x0000000000250000-0x000000000027A000-memory.dmp family_blackmoon behavioral1/memory/2072-863-0x00000000003D0000-0x00000000003FA000-memory.dmp family_blackmoon behavioral1/memory/2464-870-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2716 lrdxv.exe 2872 dfhjrr.exe 2928 vppht.exe 2932 ffjnl.exe 2128 ljbhn.exe 2812 ndxtp.exe 2916 xtjfj.exe 2616 rvtjt.exe 2760 pbpljt.exe 1636 txvbxjt.exe 2968 nfjxl.exe 1260 jrlnl.exe 1484 hjfllvf.exe 2684 hhpdv.exe 1832 dbbvn.exe 2752 jjblnp.exe 660 pdfnbbj.exe 2192 pjhbl.exe 1976 nrfrrd.exe 2432 hnjrtft.exe 2416 pvvlj.exe 1940 xjnrxp.exe 1008 bvbfv.exe 596 hvxlrnf.exe 1496 dfbndhx.exe 2460 fhnlvrx.exe 2232 xvfdbrh.exe 1756 vdxtfd.exe 1604 pjxfd.exe 2748 jtdbvll.exe 2384 lvxtl.exe 472 rjfpvhp.exe 2312 rbljpr.exe 2724 ntdvlv.exe 2156 vtjbrb.exe 2212 xbtbv.exe 2924 htftfj.exe 2280 trlnhxb.exe 2992 ljndp.exe 3068 bpbjtl.exe 2164 fhtxh.exe 3052 nrrttp.exe 2916 fjvdbrp.exe 2204 rlbtd.exe 1160 tftvfvf.exe 1788 jptbt.exe 1444 tdjhn.exe 1692 xfhpvtf.exe 1260 lxnrl.exe 2040 bndldj.exe 2876 lfrbbhp.exe 2692 nxhtfln.exe 1264 xnnrtjb.exe 1724 txbvhpp.exe 1168 ldxbb.exe 1676 bfnphhr.exe 2208 jtvnnbf.exe 2216 hbhptbh.exe 2580 lbdhjtn.exe 2404 lnrddj.exe 1672 rrftffl.exe 2028 jvlbxd.exe 1800 prprd.exe 2516 vfhdvv.exe -
resource yara_rule behavioral1/memory/2716-10-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2312-8-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2716-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2872-27-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2928-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2932-45-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2812-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2128-56-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2916-74-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2616-83-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2760-92-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1260-112-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2968-109-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1484-121-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2684-129-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1832-138-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2752-147-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/660-157-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2752-156-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2192-173-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1940-200-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1940-208-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2232-252-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2384-280-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2748-278-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2384-291-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2312-300-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2724-307-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2156-320-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2212-327-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2924-335-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3068-349-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2164-363-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2204-383-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2692-428-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1676-460-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2028-494-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1672-493-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1800-507-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/272-522-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2080-529-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2232-536-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2364-564-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2072-563-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2980-590-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2656-603-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2964-624-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1640-746-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2136-827-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhrjdx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vddnrd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ljpvthf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrvvn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jnbtdr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jbhjddt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xnblh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xpbxp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dlxjb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dfbndhx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vtxfpn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ptdrxn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vhpvr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlfhhjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xphrh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ltvtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ndxtp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ntxnd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fffph.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rtvdrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnplr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language txddlb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xphffrj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rljxbxv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tndflx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vrrxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language blhxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvltjtj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rtffvb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rtvpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ldjfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bxbtpb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process 
not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fplrj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xdndr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bdvjjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhxlrdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vfxrt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhldphh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xfhprdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbhdrh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dntnnr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnvjxrl.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2312 wrote to memory of 2716 2312 6bcc05e6fed972f2aaed83abe12fba4f9986f6e8ba979758bcf3074776ab9157N.exe 30 PID 2312 wrote to memory of 2716 2312 6bcc05e6fed972f2aaed83abe12fba4f9986f6e8ba979758bcf3074776ab9157N.exe 30 PID 2312 wrote to memory of 2716 2312 6bcc05e6fed972f2aaed83abe12fba4f9986f6e8ba979758bcf3074776ab9157N.exe 30 PID 2312 wrote to memory of 2716 2312 6bcc05e6fed972f2aaed83abe12fba4f9986f6e8ba979758bcf3074776ab9157N.exe 30 PID 2716 wrote to memory of 2872 2716 lrdxv.exe 31 PID 2716 wrote to memory of 2872 2716 lrdxv.exe 31 PID 2716 wrote to memory of 2872 2716 lrdxv.exe 31 PID 2716 wrote to memory of 2872 2716 lrdxv.exe 31 PID 2872 wrote to memory of 2928 2872 dfhjrr.exe 32 PID 2872 wrote to memory of 2928 2872 dfhjrr.exe 32 PID 2872 wrote to memory of 2928 2872 dfhjrr.exe 32 PID 2872 wrote to memory of 2928 2872 dfhjrr.exe 32 PID 2928 wrote to memory of 2932 2928 vppht.exe 33 PID 2928 wrote to memory of 2932 2928 vppht.exe 33 PID 2928 wrote to memory of 2932 2928 vppht.exe 33 PID 2928 wrote to memory of 2932 2928 vppht.exe 33 PID 2932 wrote to memory of 2128 2932 ffjnl.exe 34 PID 2932 wrote to memory of 2128 2932 ffjnl.exe 34 PID 2932 wrote to memory of 2128 2932 ffjnl.exe 34 PID 2932 wrote to memory of 2128 2932 ffjnl.exe 34 PID 2128 wrote to memory of 2812 2128 ljbhn.exe 35 PID 2128 wrote to memory of 2812 2128 ljbhn.exe 35 PID 2128 wrote to memory of 2812 2128 ljbhn.exe 35 PID 2128 wrote to memory of 2812 2128 ljbhn.exe 35 PID 2812 wrote to memory of 2916 2812 ndxtp.exe 36 PID 2812 wrote to memory of 2916 2812 ndxtp.exe 36 PID 2812 wrote to memory of 2916 2812 ndxtp.exe 36 PID 2812 wrote to memory of 2916 2812 ndxtp.exe 36 PID 2916 wrote to memory of 2616 2916 xtjfj.exe 37 PID 2916 wrote to memory of 2616 2916 xtjfj.exe 37 PID 2916 wrote to memory of 2616 2916 xtjfj.exe 37 PID 2916 wrote to memory of 2616 2916 xtjfj.exe 37 PID 2616 wrote to memory of 2760 2616 rvtjt.exe 38 PID 2616 wrote to memory of 2760 
2616 rvtjt.exe 38 PID 2616 wrote to memory of 2760 2616 rvtjt.exe 38 PID 2616 wrote to memory of 2760 2616 rvtjt.exe 38 PID 2760 wrote to memory of 1636 2760 pbpljt.exe 39 PID 2760 wrote to memory of 1636 2760 pbpljt.exe 39 PID 2760 wrote to memory of 1636 2760 pbpljt.exe 39 PID 2760 wrote to memory of 1636 2760 pbpljt.exe 39 PID 1636 wrote to memory of 2968 1636 txvbxjt.exe 40 PID 1636 wrote to memory of 2968 1636 txvbxjt.exe 40 PID 1636 wrote to memory of 2968 1636 txvbxjt.exe 40 PID 1636 wrote to memory of 2968 1636 txvbxjt.exe 40 PID 2968 wrote to memory of 1260 2968 nfjxl.exe 41 PID 2968 wrote to memory of 1260 2968 nfjxl.exe 41 PID 2968 wrote to memory of 1260 2968 nfjxl.exe 41 PID 2968 wrote to memory of 1260 2968 nfjxl.exe 41 PID 1260 wrote to memory of 1484 1260 jrlnl.exe 42 PID 1260 wrote to memory of 1484 1260 jrlnl.exe 42 PID 1260 wrote to memory of 1484 1260 jrlnl.exe 42 PID 1260 wrote to memory of 1484 1260 jrlnl.exe 42 PID 1484 wrote to memory of 2684 1484 hjfllvf.exe 43 PID 1484 wrote to memory of 2684 1484 hjfllvf.exe 43 PID 1484 wrote to memory of 2684 1484 hjfllvf.exe 43 PID 1484 wrote to memory of 2684 1484 hjfllvf.exe 43 PID 2684 wrote to memory of 1832 2684 hhpdv.exe 44 PID 2684 wrote to memory of 1832 2684 hhpdv.exe 44 PID 2684 wrote to memory of 1832 2684 hhpdv.exe 44 PID 2684 wrote to memory of 1832 2684 hhpdv.exe 44 PID 1832 wrote to memory of 2752 1832 dbbvn.exe 45 PID 1832 wrote to memory of 2752 1832 dbbvn.exe 45 PID 1832 wrote to memory of 2752 1832 dbbvn.exe 45 PID 1832 wrote to memory of 2752 1832 dbbvn.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\6bcc05e6fed972f2aaed83abe12fba4f9986f6e8ba979758bcf3074776ab9157N.exe"C:\Users\Admin\AppData\Local\Temp\6bcc05e6fed972f2aaed83abe12fba4f9986f6e8ba979758bcf3074776ab9157N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2312 -
\??\c:\lrdxv.exec:\lrdxv.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2716 -
\??\c:\dfhjrr.exec:\dfhjrr.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2872 -
\??\c:\vppht.exec:\vppht.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2928 -
\??\c:\ffjnl.exec:\ffjnl.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2932 -
\??\c:\ljbhn.exec:\ljbhn.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2128 -
\??\c:\ndxtp.exec:\ndxtp.exe7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2812 -
\??\c:\xtjfj.exec:\xtjfj.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2916 -
\??\c:\rvtjt.exec:\rvtjt.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2616 -
\??\c:\pbpljt.exec:\pbpljt.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2760 -
\??\c:\txvbxjt.exec:\txvbxjt.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1636 -
\??\c:\nfjxl.exec:\nfjxl.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2968 -
\??\c:\jrlnl.exec:\jrlnl.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1260 -
\??\c:\hjfllvf.exec:\hjfllvf.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1484 -
\??\c:\hhpdv.exec:\hhpdv.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2684 -
\??\c:\dbbvn.exec:\dbbvn.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1832 -
\??\c:\jjblnp.exec:\jjblnp.exe17⤵
- Executes dropped EXE
PID:2752 -
\??\c:\pdfnbbj.exec:\pdfnbbj.exe18⤵
- Executes dropped EXE
PID:660 -
\??\c:\pjhbl.exec:\pjhbl.exe19⤵
- Executes dropped EXE
PID:2192 -
\??\c:\nrfrrd.exec:\nrfrrd.exe20⤵
- Executes dropped EXE
PID:1976 -
\??\c:\hnjrtft.exec:\hnjrtft.exe21⤵
- Executes dropped EXE
PID:2432 -
\??\c:\pvvlj.exec:\pvvlj.exe22⤵
- Executes dropped EXE
PID:2416 -
\??\c:\xjnrxp.exec:\xjnrxp.exe23⤵
- Executes dropped EXE
PID:1940 -
\??\c:\bvbfv.exec:\bvbfv.exe24⤵
- Executes dropped EXE
PID:1008 -
\??\c:\hvxlrnf.exec:\hvxlrnf.exe25⤵
- Executes dropped EXE
PID:596 -
\??\c:\dfbndhx.exec:\dfbndhx.exe26⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1496 -
\??\c:\fhnlvrx.exec:\fhnlvrx.exe27⤵
- Executes dropped EXE
PID:2460 -
\??\c:\xvfdbrh.exec:\xvfdbrh.exe28⤵
- Executes dropped EXE
PID:2232 -
\??\c:\vdxtfd.exec:\vdxtfd.exe29⤵
- Executes dropped EXE
PID:1756 -
\??\c:\pjxfd.exec:\pjxfd.exe30⤵
- Executes dropped EXE
PID:1604 -
\??\c:\jtdbvll.exec:\jtdbvll.exe31⤵
- Executes dropped EXE
PID:2748 -
\??\c:\lvxtl.exec:\lvxtl.exe32⤵
- Executes dropped EXE
PID:2384 -
\??\c:\rjfpvhp.exec:\rjfpvhp.exe33⤵
- Executes dropped EXE
PID:472 -
\??\c:\rbljpr.exec:\rbljpr.exe34⤵
- Executes dropped EXE
PID:2312 -
\??\c:\ntdvlv.exec:\ntdvlv.exe35⤵
- Executes dropped EXE
PID:2724 -
\??\c:\vtjbrb.exec:\vtjbrb.exe36⤵
- Executes dropped EXE
PID:2156 -
\??\c:\xbtbv.exec:\xbtbv.exe37⤵
- Executes dropped EXE
PID:2212 -
\??\c:\htftfj.exec:\htftfj.exe38⤵
- Executes dropped EXE
PID:2924 -
\??\c:\trlnhxb.exec:\trlnhxb.exe39⤵
- Executes dropped EXE
PID:2280 -
\??\c:\ljndp.exec:\ljndp.exe40⤵
- Executes dropped EXE
PID:2992 -
\??\c:\bpbjtl.exec:\bpbjtl.exe41⤵
- Executes dropped EXE
PID:3068 -
\??\c:\fhtxh.exec:\fhtxh.exe42⤵
- Executes dropped EXE
PID:2164 -
\??\c:\nrrttp.exec:\nrrttp.exe43⤵
- Executes dropped EXE
PID:3052 -
\??\c:\fjvdbrp.exec:\fjvdbrp.exe44⤵
- Executes dropped EXE
PID:2916 -
\??\c:\rlbtd.exec:\rlbtd.exe45⤵
- Executes dropped EXE
PID:2204 -
\??\c:\tftvfvf.exec:\tftvfvf.exe46⤵
- Executes dropped EXE
PID:1160 -
\??\c:\jptbt.exec:\jptbt.exe47⤵
- Executes dropped EXE
PID:1788 -
\??\c:\tdjhn.exec:\tdjhn.exe48⤵
- Executes dropped EXE
PID:1444 -
\??\c:\xfhpvtf.exec:\xfhpvtf.exe49⤵
- Executes dropped EXE
PID:1692 -
\??\c:\lxnrl.exec:\lxnrl.exe50⤵
- Executes dropped EXE
PID:1260 -
\??\c:\bndldj.exec:\bndldj.exe51⤵
- Executes dropped EXE
PID:2040 -
\??\c:\lfrbbhp.exec:\lfrbbhp.exe52⤵
- Executes dropped EXE
PID:2876 -
\??\c:\nxhtfln.exec:\nxhtfln.exe53⤵
- Executes dropped EXE
PID:2692 -
\??\c:\xnnrtjb.exec:\xnnrtjb.exe54⤵
- Executes dropped EXE
PID:1264 -
\??\c:\txbvhpp.exec:\txbvhpp.exe55⤵
- Executes dropped EXE
PID:1724 -
\??\c:\ldxbb.exec:\ldxbb.exe56⤵
- Executes dropped EXE
PID:1168 -
\??\c:\bfnphhr.exec:\bfnphhr.exe57⤵
- Executes dropped EXE
PID:1676 -
\??\c:\jtvnnbf.exec:\jtvnnbf.exe58⤵
- Executes dropped EXE
PID:2208 -
\??\c:\hbhptbh.exec:\hbhptbh.exe59⤵
- Executes dropped EXE
PID:2216 -
\??\c:\lbdhjtn.exec:\lbdhjtn.exe60⤵
- Executes dropped EXE
PID:2580 -
\??\c:\lnrddj.exec:\lnrddj.exe61⤵
- Executes dropped EXE
PID:2404 -
\??\c:\rrftffl.exec:\rrftffl.exe62⤵
- Executes dropped EXE
PID:1672 -
\??\c:\jvlbxd.exec:\jvlbxd.exe63⤵
- Executes dropped EXE
PID:2028 -
\??\c:\prprd.exec:\prprd.exe64⤵
- Executes dropped EXE
PID:1800 -
\??\c:\vfhdvv.exec:\vfhdvv.exe65⤵
- Executes dropped EXE
PID:2516 -
\??\c:\vbfjvn.exec:\vbfjvn.exe66⤵PID:272
-
\??\c:\jdjtnd.exec:\jdjtnd.exe67⤵PID:2080
-
\??\c:\rlhfdx.exec:\rlhfdx.exe68⤵PID:1656
-
\??\c:\rtttvfv.exec:\rtttvfv.exe69⤵PID:2232
-
\??\c:\jlftfnd.exec:\jlftfnd.exe70⤵PID:2344
-
\??\c:\lfxvh.exec:\lfxvh.exe71⤵PID:1756
-
\??\c:\lflflv.exec:\lflflv.exe72⤵PID:2072
-
\??\c:\dtldppb.exec:\dtldppb.exe73⤵PID:2364
-
\??\c:\vftjd.exec:\vftjd.exe74⤵PID:2384
-
\??\c:\pbrnjl.exec:\pbrnjl.exe75⤵PID:2728
-
\??\c:\ntbxnvd.exec:\ntbxnvd.exe76⤵PID:1644
-
\??\c:\hllbvx.exec:\hllbvx.exe77⤵PID:2980
-
\??\c:\vdfthd.exec:\vdfthd.exe78⤵PID:2656
-
\??\c:\rndvxd.exec:\rndvxd.exe79⤵PID:3012
-
\??\c:\hhldphh.exec:\hhldphh.exe80⤵
- System Location Discovery: System Language Discovery
PID:3024 -
\??\c:\btxrvl.exec:\btxrvl.exe81⤵PID:1452
-
\??\c:\ntrtn.exec:\ntrtn.exe82⤵PID:2964
-
\??\c:\jfplx.exec:\jfplx.exe83⤵PID:3032
-
\??\c:\xljtd.exec:\xljtd.exe84⤵PID:2812
-
\??\c:\rnxlnjh.exec:\rnxlnjh.exe85⤵PID:2816
-
\??\c:\xthdj.exec:\xthdj.exe86⤵PID:3052
-
\??\c:\jbjpdv.exec:\jbjpdv.exe87⤵PID:2776
-
\??\c:\fxthfp.exec:\fxthfp.exe88⤵PID:2756
-
\??\c:\fplrj.exec:\fplrj.exe89⤵
- System Location Discovery: System Language Discovery
PID:1160 -
\??\c:\xvvlfv.exec:\xvvlfv.exe90⤵PID:1788
-
\??\c:\vddnrd.exec:\vddnrd.exe91⤵
- System Location Discovery: System Language Discovery
PID:1044 -
\??\c:\lrrplj.exec:\lrrplj.exe92⤵PID:2180
-
\??\c:\tfrtdvh.exec:\tfrtdvh.exe93⤵PID:2088
-
\??\c:\lnrftt.exec:\lnrftt.exe94⤵PID:3048
-
\??\c:\jtxvhhd.exec:\jtxvhhd.exe95⤵PID:2880
-
\??\c:\nlbvrn.exec:\nlbvrn.exe96⤵PID:1996
-
\??\c:\lfptnrb.exec:\lfptnrb.exe97⤵PID:624
-
\??\c:\njfjtt.exec:\njfjtt.exe98⤵PID:1132
-
\??\c:\blhxx.exec:\blhxx.exe99⤵
- System Location Discovery: System Language Discovery
PID:1600 -
\??\c:\rdxhht.exec:\rdxhht.exe100⤵PID:2224
-
\??\c:\rbjdjbb.exec:\rbjdjbb.exe101⤵PID:1640
-
\??\c:\lflhjp.exec:\lflhjp.exe102⤵PID:2432
-
\??\c:\jdrphrn.exec:\jdrphrn.exe103⤵PID:2096
-
\??\c:\rfrnh.exec:\rfrnh.exe104⤵PID:1128
-
\??\c:\lrpvtv.exec:\lrpvtv.exe105⤵PID:2676
-
\??\c:\ffrbfn.exec:\ffrbfn.exe106⤵PID:672
-
\??\c:\njhhllb.exec:\njhhllb.exe107⤵PID:1460
-
\??\c:\vnrvrd.exec:\vnrvrd.exe108⤵PID:2516
-
\??\c:\fnnlll.exec:\fnnlll.exe109⤵PID:2460
-
\??\c:\lphthh.exec:\lphthh.exe110⤵PID:2332
-
\??\c:\ddfhnj.exec:\ddfhnj.exe111⤵PID:844
-
\??\c:\fltlxxv.exec:\fltlxxv.exe112⤵PID:2232
-
\??\c:\dnjtth.exec:\dnjtth.exe113⤵PID:2136
-
\??\c:\pvldd.exec:\pvldd.exe114⤵PID:1756
-
\??\c:\hxvjfjd.exec:\hxvjfjd.exe115⤵PID:2072
-
\??\c:\vtxfpn.exec:\vtxfpn.exe116⤵
- System Location Discovery: System Language Discovery
PID:876 -
\??\c:\bhphjdj.exec:\bhphjdj.exe117⤵PID:872
-
\??\c:\ldhdbh.exec:\ldhdbh.exe118⤵PID:2296
-
\??\c:\bhlrp.exec:\bhlrp.exe119⤵PID:2464
-
\??\c:\bnbnjnj.exec:\bnbnjnj.exe120⤵PID:2652
-
\??\c:\nbpbdtd.exec:\nbpbdtd.exe121⤵PID:3016
-
\??\c:\frfntrx.exec:\frfntrx.exe122⤵PID:3012