Analysis
-
max time kernel
120s -
max time network
19s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64 arch:x86 image:win7-20241010-en locale:en-us os:windows7-x64 system -
submitted
08/01/2025, 07:38
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
408f54866e566425a15be3b04820f2dad150746a64a6175c2a98063b4ce203aa.exe
Resource
win7-20241010-en
7 signatures
120 seconds
General
-
Target
408f54866e566425a15be3b04820f2dad150746a64a6175c2a98063b4ce203aa.exe
-
Size
454KB
-
MD5
ff66c05c67cbc07b66df48078073eee2
-
SHA1
daf4e9ee6e5c1500715b45ed593534b138cbc251
-
SHA256
408f54866e566425a15be3b04820f2dad150746a64a6175c2a98063b4ce203aa
-
SHA512
9f1685cd01388d93a3b7f7f9d975bb8cba664dcc31691108b6f1133e74465beb65e9d2d621db2b7be5383ea1b142d0f818950d804b667fff5470cf6d9959c574
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeV:q7Tc2NYHUrAwfMp3CDV
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 46 IoCs
resource yara_rule behavioral1/memory/2340-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2572-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1148-25-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2444-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2444-35-0x00000000005C0000-0x00000000005EA000-memory.dmp family_blackmoon behavioral1/memory/2984-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2984-46-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2412-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2736-83-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/112-92-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/3040-113-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1496-111-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2148-128-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1788-138-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2044-156-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2424-173-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2700-190-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/320-208-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/236-225-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1880-233-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/1880-236-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/1556-248-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1696-275-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/884-302-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1588-315-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1704-323-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2444-345-0x0000000000330000-0x000000000035A000-memory.dmp family_blackmoon behavioral1/memory/2444-344-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3016-353-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2580-364-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2580-368-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2832-413-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3040-420-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2844-427-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1320-459-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2388-478-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/964-486-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/964-513-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/772-533-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1556-540-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/596-567-0x00000000001C0000-0x00000000001EA000-memory.dmp family_blackmoon behavioral1/memory/1148-612-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2876-647-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2436-704-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1184-753-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1184-752-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2572 jldfp.exe 1148 tdfpd.exe 2444 nrnlv.exe 2984 djdvb.exe 2972 pltppn.exe 2412 pbdht.exe 1740 flhln.exe 2736 tffhtlj.exe 112 lttxph.exe 2356 rdjjx.exe 1496 hdjfrtp.exe 3040 bxblt.exe 2148 pnjdtt.exe 1788 dpfnvv.exe 2560 xhvhjh.exe 2044 rrtxbp.exe 1760 tdxdlnf.exe 2424 jpxlnj.exe 2256 vfdft.exe 2700 dbvjhd.exe 1756 fxvxh.exe 320 vdbbrb.exe 2696 pjtxtt.exe 236 hnnppbx.exe 1880 hjtjdln.exe 1556 bpxpx.exe 2500 pbpbdrj.exe 1504 nfhbx.exe 1696 pvfnb.exe 2252 lrvdpv.exe 2072 jpldtr.exe 884 rfjtvb.exe 2384 xnxxrd.exe 1588 xhjxl.exe 1704 xljtr.exe 2932 dbpjvl.exe 2268 llpbjlv.exe 2444 vlflrr.exe 3016 nflhlp.exe 332 rvlxvjr.exe 2580 rpvpt.exe 2796 pbdvt.exe 2576 dvtntn.exe 2644 flpttn.exe 940 hxbtxhn.exe 2228 btrhbh.exe 1500 drdjnt.exe 2832 vjhjhpn.exe 3040 hflnf.exe 2844 hvbxxph.exe 2840 npntlvl.exe 1040 ttbvf.exe 1900 thfpd.exe 2044 nbrrpn.exe 1320 ddxfbx.exe 2672 xndbdx.exe 2456 rtpbtl.exe 2388 thvhlr.exe 2532 vtfnr.exe 964 xpvdjl.exe 612 hnvvtl.exe 2536 ltnbf.exe 1532 rlxxtfx.exe 2152 lvvrj.exe -
resource yara_rule behavioral1/memory/2340-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2572-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1148-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2984-38-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2444-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2984-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2412-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2736-83-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3040-113-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1496-111-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2148-128-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1788-138-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2044-156-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2424-173-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/320-208-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/236-225-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1556-238-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1880-236-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1556-248-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1696-275-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/884-302-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1588-315-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2444-344-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3016-346-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/3016-353-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2580-368-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2832-413-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3040-420-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1320-459-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2388-478-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2532-479-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/964-486-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/772-533-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1556-540-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1148-612-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/572-614-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2960-633-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2760-656-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2436-704-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2844-711-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1692-732-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language prndfrh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbvjdhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xljfj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jxdvrvt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vlbphxh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hljhd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hrrrxfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxlphlt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ldhfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vnjlhr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djdvb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nrpdvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language phpxllj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhddr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xljtr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlxxtfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jnhpx.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnthdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tjrrvlp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nfvvn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xfvnll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tfvlvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ljvvb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tvjxnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjrvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flpxb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrtddl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fhfvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvhpdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhfnv.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tvvvrt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hjjvndh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hdndpth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbnxjvt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnplr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ljjlptn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language njrnjh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tjtbthr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhtpdpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llldj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hjtjdln.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rnlltb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dfjpxj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vxtptlp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2340 wrote to memory of 2572 2340 408f54866e566425a15be3b04820f2dad150746a64a6175c2a98063b4ce203aa.exe 29 PID 2340 wrote to memory of 2572 2340 408f54866e566425a15be3b04820f2dad150746a64a6175c2a98063b4ce203aa.exe 29 PID 2340 wrote to memory of 2572 2340 408f54866e566425a15be3b04820f2dad150746a64a6175c2a98063b4ce203aa.exe 29 PID 2340 wrote to memory of 2572 2340 408f54866e566425a15be3b04820f2dad150746a64a6175c2a98063b4ce203aa.exe 29 PID 2572 wrote to memory of 1148 2572 jldfp.exe 30 PID 2572 wrote to memory of 1148 2572 jldfp.exe 30 PID 2572 wrote to memory of 1148 2572 jldfp.exe 30 PID 2572 wrote to memory of 1148 2572 jldfp.exe 30 PID 1148 wrote to memory of 2444 1148 tdfpd.exe 31 PID 1148 wrote to memory of 2444 1148 tdfpd.exe 31 PID 1148 wrote to memory of 2444 1148 tdfpd.exe 31 PID 1148 wrote to memory of 2444 1148 tdfpd.exe 31 PID 2444 wrote to memory of 2984 2444 nrnlv.exe 32 PID 2444 wrote to memory of 2984 2444 nrnlv.exe 32 PID 2444 wrote to memory of 2984 2444 nrnlv.exe 32 PID 2444 wrote to memory of 2984 2444 nrnlv.exe 32 PID 2984 wrote to memory of 2972 2984 djdvb.exe 33 PID 2984 wrote to memory of 2972 2984 djdvb.exe 33 PID 2984 wrote to memory of 2972 2984 djdvb.exe 33 PID 2984 wrote to memory of 2972 2984 djdvb.exe 33 PID 2972 wrote to memory of 2412 2972 pltppn.exe 34 PID 2972 wrote to memory of 2412 2972 pltppn.exe 34 PID 2972 wrote to memory of 2412 2972 pltppn.exe 34 PID 2972 wrote to memory of 2412 2972 pltppn.exe 34 PID 2412 wrote to memory of 1740 2412 pbdht.exe 35 PID 2412 wrote to memory of 1740 2412 pbdht.exe 35 PID 2412 wrote to memory of 1740 2412 pbdht.exe 35 PID 2412 wrote to memory of 1740 2412 pbdht.exe 35 PID 1740 wrote to memory of 2736 1740 flhln.exe 36 PID 1740 wrote to memory of 2736 1740 flhln.exe 36 PID 1740 wrote to memory of 2736 1740 flhln.exe 36 PID 1740 wrote to memory of 2736 1740 flhln.exe 36 PID 2736 wrote to memory of 112 2736 tffhtlj.exe 37 PID 2736 wrote to memory of 112 2736 
tffhtlj.exe 37 PID 2736 wrote to memory of 112 2736 tffhtlj.exe 37 PID 2736 wrote to memory of 112 2736 tffhtlj.exe 37 PID 112 wrote to memory of 2356 112 lttxph.exe 38 PID 112 wrote to memory of 2356 112 lttxph.exe 38 PID 112 wrote to memory of 2356 112 lttxph.exe 38 PID 112 wrote to memory of 2356 112 lttxph.exe 38 PID 2356 wrote to memory of 1496 2356 rdjjx.exe 39 PID 2356 wrote to memory of 1496 2356 rdjjx.exe 39 PID 2356 wrote to memory of 1496 2356 rdjjx.exe 39 PID 2356 wrote to memory of 1496 2356 rdjjx.exe 39 PID 1496 wrote to memory of 3040 1496 hdjfrtp.exe 40 PID 1496 wrote to memory of 3040 1496 hdjfrtp.exe 40 PID 1496 wrote to memory of 3040 1496 hdjfrtp.exe 40 PID 1496 wrote to memory of 3040 1496 hdjfrtp.exe 40 PID 3040 wrote to memory of 2148 3040 bxblt.exe 41 PID 3040 wrote to memory of 2148 3040 bxblt.exe 41 PID 3040 wrote to memory of 2148 3040 bxblt.exe 41 PID 3040 wrote to memory of 2148 3040 bxblt.exe 41 PID 2148 wrote to memory of 1788 2148 pnjdtt.exe 42 PID 2148 wrote to memory of 1788 2148 pnjdtt.exe 42 PID 2148 wrote to memory of 1788 2148 pnjdtt.exe 42 PID 2148 wrote to memory of 1788 2148 pnjdtt.exe 42 PID 1788 wrote to memory of 2560 1788 dpfnvv.exe 43 PID 1788 wrote to memory of 2560 1788 dpfnvv.exe 43 PID 1788 wrote to memory of 2560 1788 dpfnvv.exe 43 PID 1788 wrote to memory of 2560 1788 dpfnvv.exe 43 PID 2560 wrote to memory of 2044 2560 xhvhjh.exe 44 PID 2560 wrote to memory of 2044 2560 xhvhjh.exe 44 PID 2560 wrote to memory of 2044 2560 xhvhjh.exe 44 PID 2560 wrote to memory of 2044 2560 xhvhjh.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\408f54866e566425a15be3b04820f2dad150746a64a6175c2a98063b4ce203aa.exe"C:\Users\Admin\AppData\Local\Temp\408f54866e566425a15be3b04820f2dad150746a64a6175c2a98063b4ce203aa.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2340 -
\??\c:\jldfp.exec:\jldfp.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2572 -
\??\c:\tdfpd.exec:\tdfpd.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1148 -
\??\c:\nrnlv.exec:\nrnlv.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2444 -
\??\c:\djdvb.exec:\djdvb.exe5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2984 -
\??\c:\pltppn.exec:\pltppn.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2972 -
\??\c:\pbdht.exec:\pbdht.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2412 -
\??\c:\flhln.exec:\flhln.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1740 -
\??\c:\tffhtlj.exec:\tffhtlj.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2736 -
\??\c:\lttxph.exec:\lttxph.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:112 -
\??\c:\rdjjx.exec:\rdjjx.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2356 -
\??\c:\hdjfrtp.exec:\hdjfrtp.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1496 -
\??\c:\bxblt.exec:\bxblt.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3040 -
\??\c:\pnjdtt.exec:\pnjdtt.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2148 -
\??\c:\dpfnvv.exec:\dpfnvv.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1788 -
\??\c:\xhvhjh.exec:\xhvhjh.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2560 -
\??\c:\rrtxbp.exec:\rrtxbp.exe17⤵
- Executes dropped EXE
PID:2044 -
\??\c:\tdxdlnf.exec:\tdxdlnf.exe18⤵
- Executes dropped EXE
PID:1760 -
\??\c:\jpxlnj.exec:\jpxlnj.exe19⤵
- Executes dropped EXE
PID:2424 -
\??\c:\vfdft.exec:\vfdft.exe20⤵
- Executes dropped EXE
PID:2256 -
\??\c:\dbvjhd.exec:\dbvjhd.exe21⤵
- Executes dropped EXE
PID:2700 -
\??\c:\fxvxh.exec:\fxvxh.exe22⤵
- Executes dropped EXE
PID:1756 -
\??\c:\vdbbrb.exec:\vdbbrb.exe23⤵
- Executes dropped EXE
PID:320 -
\??\c:\pjtxtt.exec:\pjtxtt.exe24⤵
- Executes dropped EXE
PID:2696 -
\??\c:\hnnppbx.exec:\hnnppbx.exe25⤵
- Executes dropped EXE
PID:236 -
\??\c:\hjtjdln.exec:\hjtjdln.exe26⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1880 -
\??\c:\bpxpx.exec:\bpxpx.exe27⤵
- Executes dropped EXE
PID:1556 -
\??\c:\pbpbdrj.exec:\pbpbdrj.exe28⤵
- Executes dropped EXE
PID:2500 -
\??\c:\nfhbx.exec:\nfhbx.exe29⤵
- Executes dropped EXE
PID:1504 -
\??\c:\pvfnb.exec:\pvfnb.exe30⤵
- Executes dropped EXE
PID:1696 -
\??\c:\lrvdpv.exec:\lrvdpv.exe31⤵
- Executes dropped EXE
PID:2252 -
\??\c:\jpldtr.exec:\jpldtr.exe32⤵
- Executes dropped EXE
PID:2072 -
\??\c:\rfjtvb.exec:\rfjtvb.exe33⤵
- Executes dropped EXE
PID:884 -
\??\c:\xnxxrd.exec:\xnxxrd.exe34⤵
- Executes dropped EXE
PID:2384 -
\??\c:\xhjxl.exec:\xhjxl.exe35⤵
- Executes dropped EXE
PID:1588 -
\??\c:\xljtr.exec:\xljtr.exe36⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1704 -
\??\c:\dbpjvl.exec:\dbpjvl.exe37⤵
- Executes dropped EXE
PID:2932 -
\??\c:\llpbjlv.exec:\llpbjlv.exe38⤵
- Executes dropped EXE
PID:2268 -
\??\c:\vlflrr.exec:\vlflrr.exe39⤵
- Executes dropped EXE
PID:2444 -
\??\c:\nflhlp.exec:\nflhlp.exe40⤵
- Executes dropped EXE
PID:3016 -
\??\c:\rvlxvjr.exec:\rvlxvjr.exe41⤵
- Executes dropped EXE
PID:332 -
\??\c:\rpvpt.exec:\rpvpt.exe42⤵
- Executes dropped EXE
PID:2580 -
\??\c:\pbdvt.exec:\pbdvt.exe43⤵
- Executes dropped EXE
PID:2796 -
\??\c:\dvtntn.exec:\dvtntn.exe44⤵
- Executes dropped EXE
PID:2576 -
\??\c:\flpttn.exec:\flpttn.exe45⤵
- Executes dropped EXE
PID:2644 -
\??\c:\hxbtxhn.exec:\hxbtxhn.exe46⤵
- Executes dropped EXE
PID:940 -
\??\c:\btrhbh.exec:\btrhbh.exe47⤵
- Executes dropped EXE
PID:2228 -
\??\c:\drdjnt.exec:\drdjnt.exe48⤵
- Executes dropped EXE
PID:1500 -
\??\c:\vjhjhpn.exec:\vjhjhpn.exe49⤵
- Executes dropped EXE
PID:2832 -
\??\c:\hflnf.exec:\hflnf.exe50⤵
- Executes dropped EXE
PID:3040 -
\??\c:\hvbxxph.exec:\hvbxxph.exe51⤵
- Executes dropped EXE
PID:2844 -
\??\c:\npntlvl.exec:\npntlvl.exe52⤵
- Executes dropped EXE
PID:2840 -
\??\c:\ttbvf.exec:\ttbvf.exe53⤵
- Executes dropped EXE
PID:1040 -
\??\c:\thfpd.exec:\thfpd.exe54⤵
- Executes dropped EXE
PID:1900 -
\??\c:\nbrrpn.exec:\nbrrpn.exe55⤵
- Executes dropped EXE
PID:2044 -
\??\c:\ddxfbx.exec:\ddxfbx.exe56⤵
- Executes dropped EXE
PID:1320 -
\??\c:\xndbdx.exec:\xndbdx.exe57⤵
- Executes dropped EXE
PID:2672 -
\??\c:\rtpbtl.exec:\rtpbtl.exe58⤵
- Executes dropped EXE
PID:2456 -
\??\c:\thvhlr.exec:\thvhlr.exe59⤵
- Executes dropped EXE
PID:2388 -
\??\c:\vtfnr.exec:\vtfnr.exe60⤵
- Executes dropped EXE
PID:2532 -
\??\c:\xpvdjl.exec:\xpvdjl.exe61⤵
- Executes dropped EXE
PID:964 -
\??\c:\hnvvtl.exec:\hnvvtl.exe62⤵
- Executes dropped EXE
PID:612 -
\??\c:\ltnbf.exec:\ltnbf.exe63⤵
- Executes dropped EXE
PID:2536 -
\??\c:\rlxxtfx.exec:\rlxxtfx.exe64⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1532 -
\??\c:\lvvrj.exec:\lvvrj.exe65⤵
- Executes dropped EXE
PID:2152 -
\??\c:\nrpdvd.exec:\nrpdvd.exe66⤵
- System Location Discovery: System Language Discovery
PID:1600 -
\??\c:\lddhtpn.exec:\lddhtpn.exe67⤵PID:772
-
\??\c:\xlhpf.exec:\xlhpf.exe68⤵PID:1556
-
\??\c:\btrbt.exec:\btrbt.exe69⤵PID:596
-
\??\c:\htrrvnt.exec:\htrrvnt.exe70⤵PID:1172
-
\??\c:\ffnnl.exec:\ffnnl.exe71⤵PID:1676
-
\??\c:\hvvxrx.exec:\hvvxrx.exe72⤵PID:932
-
\??\c:\blllh.exec:\blllh.exe73⤵PID:2220
-
\??\c:\xvtdhbj.exec:\xvtdhbj.exe74⤵PID:1520
-
\??\c:\jlhrnvb.exec:\jlhrnvb.exe75⤵PID:2076
-
\??\c:\tjjfb.exec:\tjjfb.exe76⤵PID:884
-
\??\c:\pttdl.exec:\pttdl.exe77⤵PID:2340
-
\??\c:\hrrjf.exec:\hrrjf.exe78⤵PID:1624
-
\??\c:\npxfldp.exec:\npxfldp.exe79⤵PID:1148
-
\??\c:\txbjnhb.exec:\txbjnhb.exe80⤵PID:572
-
\??\c:\ldnvhfx.exec:\ldnvhfx.exe81⤵PID:2204
-
\??\c:\jvhltbp.exec:\jvhltbp.exe82⤵PID:2444
-
\??\c:\xfpxfrh.exec:\xfpxfrh.exe83⤵PID:2960
-
\??\c:\lhtvlnx.exec:\lhtvlnx.exe84⤵PID:2876
-
\??\c:\nvvnll.exec:\nvvnll.exe85⤵PID:2776
-
\??\c:\vpdfpj.exec:\vpdfpj.exe86⤵PID:2760
-
\??\c:\xttff.exec:\xttff.exe87⤵PID:2012
-
\??\c:\rvhpj.exec:\rvhpj.exe88⤵PID:2816
-
\??\c:\vjjbth.exec:\vjjbth.exe89⤵PID:2232
-
\??\c:\rhdnlj.exec:\rhdnlj.exe90⤵PID:2228
-
\??\c:\fxrdrh.exec:\fxrdrh.exe91⤵PID:1068
-
\??\c:\ljphp.exec:\ljphp.exe92⤵PID:2832
-
\??\c:\rrvnltv.exec:\rrvnltv.exe93⤵PID:2436
-
\??\c:\xrrbtr.exec:\xrrbtr.exe94⤵PID:2844
-
\??\c:\nhnvn.exec:\nhnvn.exe95⤵PID:2396
-
\??\c:\txvnndv.exec:\txvnndv.exe96⤵PID:892
-
\??\c:\xrxxdbf.exec:\xrxxdbf.exe97⤵PID:1692
-
\??\c:\hxlnx.exec:\hxlnx.exe98⤵PID:2120
-
\??\c:\hnvpf.exec:\hnvpf.exe99⤵PID:1184
-
\??\c:\dxfvd.exec:\dxfvd.exe100⤵PID:2672
-
\??\c:\flprh.exec:\flprh.exe101⤵PID:2416
-
\??\c:\tthhxh.exec:\tthhxh.exe102⤵PID:1784
-
\??\c:\nxdnp.exec:\nxdnp.exe103⤵PID:600
-
\??\c:\xjpjh.exec:\xjpjh.exe104⤵PID:1672
-
\??\c:\lrvtn.exec:\lrvtn.exe105⤵PID:700
-
\??\c:\bbfnvf.exec:\bbfnvf.exe106⤵PID:2696
-
\??\c:\frpxpv.exec:\frpxpv.exe107⤵PID:1340
-
\??\c:\fxfnjxn.exec:\fxfnjxn.exe108⤵PID:2152
-
\??\c:\plvpj.exec:\plvpj.exe109⤵PID:848
-
\??\c:\rrjhpt.exec:\rrjhpt.exe110⤵PID:812
-
\??\c:\lpvplp.exec:\lpvplp.exe111⤵PID:1556
-
\??\c:\dtfjjp.exec:\dtfjjp.exe112⤵PID:776
-
\??\c:\rnbvr.exec:\rnbvr.exe113⤵PID:2008
-
\??\c:\flpxb.exec:\flpxb.exe114⤵
- System Location Discovery: System Language Discovery
PID:972 -
\??\c:\jlprjtx.exec:\jlprjtx.exe115⤵PID:932
-
\??\c:\xntlhn.exec:\xntlhn.exe116⤵PID:2620
-
\??\c:\rnxhf.exec:\rnxhf.exe117⤵PID:1520
-
\??\c:\pxxfv.exec:\pxxfv.exe118⤵PID:1824
-
\??\c:\vbrhj.exec:\vbrhj.exe119⤵PID:884
-
\??\c:\bnbfpl.exec:\bnbfpl.exe120⤵PID:2636
-
\??\c:\tdjjb.exec:\tdjjb.exe121⤵PID:2476
-
\??\c:\rlflhr.exec:\rlflhr.exe122⤵PID:3008