Analysis
- max time kernel: 150s
- max time network: 125s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 06-06-2024 05:22

Behavioral task: behavioral1
- Sample: b949ecc27ed821f4cde077e6d667fc2a489dd66b8d5ac981dfc92ad4852f2a47.exe
- Resource: win7-20240221-en
- 6 signatures
- 150 seconds
General
- Target: b949ecc27ed821f4cde077e6d667fc2a489dd66b8d5ac981dfc92ad4852f2a47.exe
- Size: 328KB
- MD5: e3f92e0a47a3073006269a7e42e77f12
- SHA1: 9c75aee026fed5ab8e7048faa97ac4dad3796846
- SHA256: b949ecc27ed821f4cde077e6d667fc2a489dd66b8d5ac981dfc92ad4852f2a47
- SHA512: be4685b3e57a05c9b73727696de82ac8aa6ce2bc54c796456d108ec76e9282b9e8b27723433b7c9dc21fa9407a86b97996f1090a596af304fd55925cde65759c
- SSDEEP: 6144:9cm4FmowdHoS4BftapTs8Hoo+6MjTVhRD4:/4wFHoS4d0G8HoljTVhRD4
Malware Config
Signatures
Detect Blackmoon payload (47 IoCs)
Processes (resource / yara_rule: family_blackmoon):
- behavioral1/memory/2804-1-0x0000000000400000-0x0000000000427000-memory.dmp
- behavioral1/memory/2204-27-0x0000000000400000-0x0000000000427000-memory.dmp
- behavioral1/memory/3016-37-0x0000000000400000-0x0000000000427000-memory.dmp
- behavioral1/memory/3064-47-0x0000000000400000-0x0000000000427000-memory.dmp
- behavioral1/memory/2700-56-0x0000000000400000-0x0000000000427000-memory.dmp
- behavioral1/memory/2340-63-0x0000000000400000-0x0000000000427000-memory.dmp
- behavioral1/memory/2348-80-0x0000000000400000-0x0000000000427000-memory.dmp
- behavioral1/memory/1092-108-0x0000000000400000-0x0000000000427000-memory.dmp
- behavioral1/memory/1308-117-0x0000000000400000-0x0000000000427000-memory.dmp
- behavioral1/memory/1428-126-0x0000000000400000-0x0000000000427000-memory.dmp
- behavioral1/memory/1920-136-0x0000000000400000-0x0000000000427000-memory.dmp
- behavioral1/memory/2288-146-0x0000000000400000-0x0000000000427000-memory.dmp
- behavioral1/memory/1656-157-0x0000000000400000-0x0000000000427000-memory.dmp
- behavioral1/memory/764-181-0x0000000000400000-0x0000000000427000-memory.dmp
- behavioral1/memory/2320-199-0x0000000000400000-0x0000000000427000-memory.dmp
- behavioral1/memory/2120-226-0x0000000000400000-0x0000000000427000-memory.dmp
- behavioral1/memory/2960-207-0x0000000000400000-0x0000000000427000-memory.dmp
- behavioral1/memory/1816-246-0x0000000000400000-0x0000000000427000-memory.dmp
- behavioral1/memory/436-281-0x0000000000220000-0x0000000000247000-memory.dmp
- behavioral1/memory/368-280-0x0000000000400000-0x0000000000427000-memory.dmp
- behavioral1/memory/3008-291-0x0000000000400000-0x0000000000427000-memory.dmp
- behavioral1/memory/2784-99-0x0000000000220000-0x0000000000247000-memory.dmp
- behavioral1/memory/2784-97-0x0000000000220000-0x0000000000247000-memory.dmp
- behavioral1/memory/2940-17-0x0000000000400000-0x0000000000427000-memory.dmp
- behavioral1/memory/1900-317-0x0000000000220000-0x0000000000247000-memory.dmp
- behavioral1/memory/1692-327-0x0000000000400000-0x0000000000427000-memory.dmp
- behavioral1/memory/2148-341-0x0000000000400000-0x0000000000427000-memory.dmp
- behavioral1/memory/2148-340-0x00000000003C0000-0x00000000003E7000-memory.dmp
- behavioral1/memory/2424-354-0x0000000000400000-0x0000000000427000-memory.dmp
- behavioral1/memory/2868-361-0x0000000000400000-0x0000000000427000-memory.dmp
- behavioral1/memory/1056-400-0x0000000000400000-0x0000000000427000-memory.dmp
- behavioral1/memory/680-407-0x0000000000250000-0x0000000000277000-memory.dmp
- behavioral1/memory/372-413-0x0000000000220000-0x0000000000247000-memory.dmp
- behavioral1/memory/1488-451-0x0000000000220000-0x0000000000247000-memory.dmp
- behavioral1/memory/1152-460-0x0000000000400000-0x0000000000427000-memory.dmp
- behavioral1/memory/1916-472-0x00000000001B0000-0x00000000001D7000-memory.dmp
- behavioral1/memory/1916-477-0x0000000000400000-0x0000000000427000-memory.dmp
- behavioral1/memory/1276-520-0x0000000000400000-0x0000000000427000-memory.dmp
- behavioral1/memory/2576-524-0x00000000001C0000-0x00000000001E7000-memory.dmp
- behavioral1/memory/908-571-0x0000000000400000-0x0000000000427000-memory.dmp
- behavioral1/memory/1088-597-0x0000000000400000-0x0000000000427000-memory.dmp
- behavioral1/memory/2932-635-0x0000000000400000-0x0000000000427000-memory.dmp
- behavioral1/memory/2192-764-0x00000000003C0000-0x00000000003E7000-memory.dmp
- behavioral1/memory/1832-768-0x0000000000220000-0x0000000000247000-memory.dmp
- behavioral1/memory/1160-845-0x0000000000400000-0x0000000000427000-memory.dmp
- behavioral1/memory/2208-872-0x00000000002C0000-0x00000000002E7000-memory.dmp
- behavioral1/memory/2092-924-0x00000000002B0000-0x00000000002D7000-memory.dmp
UPX dump on OEP (original entry point) (64 IoCs)
Processes (resource / yara_rule: UPX):
- behavioral1/memory/2804-1-0x0000000000400000-0x0000000000427000-memory.dmp
- behavioral1/memory/2804-3-0x0000000000220000-0x0000000000247000-memory.dmp
- C:\rtlhp.exe
- \??\c:\jfdjrpr.exe
- behavioral1/memory/2204-18-0x0000000000400000-0x0000000000427000-memory.dmp
- \??\c:\hltlnp.exe
- behavioral1/memory/3016-28-0x0000000000400000-0x0000000000427000-memory.dmp
- behavioral1/memory/2204-27-0x0000000000400000-0x0000000000427000-memory.dmp
- behavioral1/memory/3064-38-0x0000000000400000-0x0000000000427000-memory.dmp
- behavioral1/memory/3016-37-0x0000000000400000-0x0000000000427000-memory.dmp
- \??\c:\lfftl.exe
- C:\vfbdvt.exe
- behavioral1/memory/3064-47-0x0000000000400000-0x0000000000427000-memory.dmp
- \??\c:\rxfvvbf.exe
- behavioral1/memory/2700-56-0x0000000000400000-0x0000000000427000-memory.dmp
- C:\jjxnfn.exe
- behavioral1/memory/2340-63-0x0000000000400000-0x0000000000427000-memory.dmp
- \??\c:\hdnpd.exe
- C:\hhtdxh.exe
- behavioral1/memory/2348-80-0x0000000000400000-0x0000000000427000-memory.dmp
- C:\nbrvrhv.exe
- C:\jlvfx.exe
- behavioral1/memory/2340-103-0x0000000000400000-0x0000000000427000-memory.dmp
- C:\phdjldl.exe
- behavioral1/memory/1092-108-0x0000000000400000-0x0000000000427000-memory.dmp
- behavioral1/memory/1428-118-0x0000000000400000-0x0000000000427000-memory.dmp
- \??\c:\nhxllhd.exe
- behavioral1/memory/1308-117-0x0000000000400000-0x0000000000427000-memory.dmp
- \??\c:\thtxb.exe
- behavioral1/memory/1428-126-0x0000000000400000-0x0000000000427000-memory.dmp
- \??\c:\xblvfnn.exe
- behavioral1/memory/1920-136-0x0000000000400000-0x0000000000427000-memory.dmp
- \??\c:\fppvh.exe
- behavioral1/memory/2288-146-0x0000000000400000-0x0000000000427000-memory.dmp
- C:\dvlhl.exe
- behavioral1/memory/1656-157-0x0000000000400000-0x0000000000427000-memory.dmp
- C:\vdpvxr.exe
- \??\c:\fjnvp.exe
- C:\fdhlv.exe
- behavioral1/memory/764-181-0x0000000000400000-0x0000000000427000-memory.dmp
- \??\c:\tblxvpp.exe
- behavioral1/memory/2320-199-0x0000000000400000-0x0000000000427000-memory.dmp
- C:\tdfhvtn.exe
- \??\c:\bvjtl.exe
- C:\tlljltl.exe
- C:\jtlbnp.exe
- behavioral1/memory/2120-226-0x0000000000400000-0x0000000000427000-memory.dmp
- behavioral1/memory/2960-207-0x0000000000400000-0x0000000000427000-memory.dmp
- \??\c:\fjjvddx.exe
- behavioral1/memory/1816-237-0x0000000000400000-0x0000000000427000-memory.dmp
- C:\jvfffpv.exe
- behavioral1/memory/1816-246-0x0000000000400000-0x0000000000427000-memory.dmp
- \??\c:\xbvftlf.exe
- C:\rvtpxh.exe
- behavioral1/memory/368-271-0x0000000000400000-0x0000000000427000-memory.dmp
- \??\c:\lpjtbl.exe
- behavioral1/memory/3008-282-0x0000000000400000-0x0000000000427000-memory.dmp
- \??\c:\dnfdn.exe
- behavioral1/memory/368-280-0x0000000000400000-0x0000000000427000-memory.dmp
- \??\c:\vxhnfl.exe
- behavioral1/memory/3008-291-0x0000000000400000-0x0000000000427000-memory.dmp
- behavioral1/memory/2940-17-0x0000000000400000-0x0000000000427000-memory.dmp
- behavioral1/memory/1692-327-0x0000000000400000-0x0000000000427000-memory.dmp
- behavioral1/memory/2148-341-0x0000000000400000-0x0000000000427000-memory.dmp
Executes dropped EXE (64 IoCs)
Processes (pid / process):
- 2940 rtlhp.exe
- 2204 jfdjrpr.exe
- 3016 hltlnp.exe
- 3064 lfftl.exe
- 2700 vfbdvt.exe
- 2340 rxfvvbf.exe
- 2548 jjxnfn.exe
- 2348 hdnpd.exe
- 2764 hhtdxh.exe
- 2784 nbrvrhv.exe
- 1092 jlvfx.exe
- 1308 phdjldl.exe
- 1428 nhxllhd.exe
- 1920 thtxb.exe
- 2288 xblvfnn.exe
- 1832 fppvh.exe
- 1656 dvlhl.exe
- 2280 vdpvxr.exe
- 764 fjnvp.exe
- 1592 fdhlv.exe
- 2320 tblxvpp.exe
- 2960 tdfhvtn.exe
- 2420 bvjtl.exe
- 2120 tlljltl.exe
- 436 jtlbnp.exe
- 1816 fjjvddx.exe
- 1988 jvfffpv.exe
- 2512 xbvftlf.exe
- 2984 rvtpxh.exe
- 368 lpjtbl.exe
- 3008 dnfdn.exe
- 1752 vxhnfl.exe
- 2824 xvxpb.exe
- 1732 bjbbrxr.exe
- 1900 jfhfhn.exe
- 2992 rnnnrh.exe
- 1692 nvnnj.exe
- 2148 vhdjvxl.exe
- 2816 jprbj.exe
- 2424 lfxnddl.exe
- 2868 ftpfr.exe
- 2560 trhpxpx.exe
- 2492 bjxpnbb.exe
- 1556 fxxldp.exe
- 2620 rttxnt.exe
- 1540 vpbnf.exe
- 1056 nlxtxd.exe
- 680 trltv.exe
- 372 fnvpjlt.exe
- 112 tdlhhjv.exe
- 1424 djbftrx.exe
- 1096 rlldnj.exe
- 2144 jnrvlrn.exe
- 1920 jxdtpj.exe
- 1488 hdhfvrx.exe
- 1152 rltdvll.exe
- 1936 blvxxnh.exe
- 1916 lfddd.exe
- 2044 pdrvb.exe
- 1756 vrdlpf.exe
- 1780 dtljbd.exe
- 2384 xtbtxj.exe
- 2400 hpxfpn.exe
- 2244 prfnhp.exe
Processes (resource / yara_rule: upx):
- behavioral1/memory/2804-1-0x0000000000400000-0x0000000000427000-memory.dmp
- behavioral1/memory/2804-3-0x0000000000220000-0x0000000000247000-memory.dmp
- C:\rtlhp.exe
- \??\c:\jfdjrpr.exe
- behavioral1/memory/2204-18-0x0000000000400000-0x0000000000427000-memory.dmp
- \??\c:\hltlnp.exe
- behavioral1/memory/3016-28-0x0000000000400000-0x0000000000427000-memory.dmp
- behavioral1/memory/2204-27-0x0000000000400000-0x0000000000427000-memory.dmp
- behavioral1/memory/3064-38-0x0000000000400000-0x0000000000427000-memory.dmp
- behavioral1/memory/3016-37-0x0000000000400000-0x0000000000427000-memory.dmp
- \??\c:\lfftl.exe
- C:\vfbdvt.exe
- behavioral1/memory/3064-47-0x0000000000400000-0x0000000000427000-memory.dmp
- \??\c:\rxfvvbf.exe
- behavioral1/memory/2700-56-0x0000000000400000-0x0000000000427000-memory.dmp
- C:\jjxnfn.exe
- behavioral1/memory/2340-63-0x0000000000400000-0x0000000000427000-memory.dmp
- \??\c:\hdnpd.exe
- C:\hhtdxh.exe
- behavioral1/memory/2348-80-0x0000000000400000-0x0000000000427000-memory.dmp
- C:\nbrvrhv.exe
- C:\jlvfx.exe
- behavioral1/memory/2340-103-0x0000000000400000-0x0000000000427000-memory.dmp
- C:\phdjldl.exe
- behavioral1/memory/1092-108-0x0000000000400000-0x0000000000427000-memory.dmp
- behavioral1/memory/1428-118-0x0000000000400000-0x0000000000427000-memory.dmp
- \??\c:\nhxllhd.exe
- behavioral1/memory/1308-117-0x0000000000400000-0x0000000000427000-memory.dmp
- \??\c:\thtxb.exe
- behavioral1/memory/1428-126-0x0000000000400000-0x0000000000427000-memory.dmp
- \??\c:\xblvfnn.exe
- behavioral1/memory/1920-136-0x0000000000400000-0x0000000000427000-memory.dmp
- \??\c:\fppvh.exe
- behavioral1/memory/2288-146-0x0000000000400000-0x0000000000427000-memory.dmp
- C:\dvlhl.exe
- behavioral1/memory/1656-157-0x0000000000400000-0x0000000000427000-memory.dmp
- C:\vdpvxr.exe
- \??\c:\fjnvp.exe
- C:\fdhlv.exe
- behavioral1/memory/764-181-0x0000000000400000-0x0000000000427000-memory.dmp
- \??\c:\tblxvpp.exe
- behavioral1/memory/2320-199-0x0000000000400000-0x0000000000427000-memory.dmp
- C:\tdfhvtn.exe
- \??\c:\bvjtl.exe
- C:\tlljltl.exe
- C:\jtlbnp.exe
- behavioral1/memory/2120-226-0x0000000000400000-0x0000000000427000-memory.dmp
- behavioral1/memory/2960-207-0x0000000000400000-0x0000000000427000-memory.dmp
- \??\c:\fjjvddx.exe
- behavioral1/memory/1816-237-0x0000000000400000-0x0000000000427000-memory.dmp
- C:\jvfffpv.exe
- behavioral1/memory/1816-246-0x0000000000400000-0x0000000000427000-memory.dmp
- \??\c:\xbvftlf.exe
- C:\rvtpxh.exe
- behavioral1/memory/368-271-0x0000000000400000-0x0000000000427000-memory.dmp
- \??\c:\lpjtbl.exe
- behavioral1/memory/3008-282-0x0000000000400000-0x0000000000427000-memory.dmp
- \??\c:\dnfdn.exe
- behavioral1/memory/368-280-0x0000000000400000-0x0000000000427000-memory.dmp
- \??\c:\vxhnfl.exe
- behavioral1/memory/3008-291-0x0000000000400000-0x0000000000427000-memory.dmp
- behavioral1/memory/2940-17-0x0000000000400000-0x0000000000427000-memory.dmp
- behavioral1/memory/1692-327-0x0000000000400000-0x0000000000427000-memory.dmp
- behavioral1/memory/2148-341-0x0000000000400000-0x0000000000427000-memory.dmp
Suspicious use of WriteProcessMemory (64 IoCs)
Processes: b949ecc27ed821f4cde077e6d667fc2a489dd66b8d5ac981dfc92ad4852f2a47.exe, rtlhp.exe, jfdjrpr.exe, hltlnp.exe, lfftl.exe, vfbdvt.exe, rxfvvbf.exe, jjxnfn.exe, hdnpd.exe, hhtdxh.exe, nbrvrhv.exe, jlvfx.exe, phdjldl.exe, nhxllhd.exe, thtxb.exe, xblvfnn.exe
Events (description / pid / process / target process); the report records each parent-to-child pair four times:
- PID 2804 wrote to memory of 2940: b949ecc27ed821f4cde077e6d667fc2a489dd66b8d5ac981dfc92ad4852f2a47.exe -> rtlhp.exe (4 events)
- PID 2940 wrote to memory of 2204: rtlhp.exe -> jfdjrpr.exe (4 events)
- PID 2204 wrote to memory of 3016: jfdjrpr.exe -> hltlnp.exe (4 events)
- PID 3016 wrote to memory of 3064: hltlnp.exe -> lfftl.exe (4 events)
- PID 3064 wrote to memory of 2700: lfftl.exe -> vfbdvt.exe (4 events)
- PID 2700 wrote to memory of 2340: vfbdvt.exe -> rxfvvbf.exe (4 events)
- PID 2340 wrote to memory of 2548: rxfvvbf.exe -> jjxnfn.exe (4 events)
- PID 2548 wrote to memory of 2348: jjxnfn.exe -> hdnpd.exe (4 events)
- PID 2348 wrote to memory of 2764: hdnpd.exe -> hhtdxh.exe (4 events)
- PID 2764 wrote to memory of 2784: hhtdxh.exe -> nbrvrhv.exe (4 events)
- PID 2784 wrote to memory of 1092: nbrvrhv.exe -> jlvfx.exe (4 events)
- PID 1092 wrote to memory of 1308: jlvfx.exe -> phdjldl.exe (4 events)
- PID 1308 wrote to memory of 1428: phdjldl.exe -> nhxllhd.exe (4 events)
- PID 1428 wrote to memory of 1920: nhxllhd.exe -> thtxb.exe (4 events)
- PID 1920 wrote to memory of 2288: thtxb.exe -> xblvfnn.exe (4 events)
- PID 2288 wrote to memory of 1832: xblvfnn.exe -> fppvh.exe (4 events)
Processes
Each entry: depth: image (command line) PID [signatures matched]
- 1: C:\Users\Admin\AppData\Local\Temp\b949ecc27ed821f4cde077e6d667fc2a489dd66b8d5ac981dfc92ad4852f2a47.exe ("C:\Users\Admin\AppData\Local\Temp\b949ecc27ed821f4cde077e6d667fc2a489dd66b8d5ac981dfc92ad4852f2a47.exe") PID:2804 [Suspicious use of WriteProcessMemory]
- 2: \??\c:\rtlhp.exe (c:\rtlhp.exe) PID:2940 [Executes dropped EXE; Suspicious use of WriteProcessMemory]
- 3: \??\c:\jfdjrpr.exe (c:\jfdjrpr.exe) PID:2204 [Executes dropped EXE; Suspicious use of WriteProcessMemory]
- 4: \??\c:\hltlnp.exe (c:\hltlnp.exe) PID:3016 [Executes dropped EXE; Suspicious use of WriteProcessMemory]
- 5: \??\c:\lfftl.exe (c:\lfftl.exe) PID:3064 [Executes dropped EXE; Suspicious use of WriteProcessMemory]
- 6: \??\c:\vfbdvt.exe (c:\vfbdvt.exe) PID:2700 [Executes dropped EXE; Suspicious use of WriteProcessMemory]
- 7: \??\c:\rxfvvbf.exe (c:\rxfvvbf.exe) PID:2340 [Executes dropped EXE; Suspicious use of WriteProcessMemory]
- 8: \??\c:\jjxnfn.exe (c:\jjxnfn.exe) PID:2548 [Executes dropped EXE; Suspicious use of WriteProcessMemory]
- 9: \??\c:\hdnpd.exe (c:\hdnpd.exe) PID:2348 [Executes dropped EXE; Suspicious use of WriteProcessMemory]
- 10: \??\c:\hhtdxh.exe (c:\hhtdxh.exe) PID:2764 [Executes dropped EXE; Suspicious use of WriteProcessMemory]
- 11: \??\c:\nbrvrhv.exe (c:\nbrvrhv.exe) PID:2784 [Executes dropped EXE; Suspicious use of WriteProcessMemory]
- 12: \??\c:\jlvfx.exe (c:\jlvfx.exe) PID:1092 [Executes dropped EXE; Suspicious use of WriteProcessMemory]
- 13: \??\c:\phdjldl.exe (c:\phdjldl.exe) PID:1308 [Executes dropped EXE; Suspicious use of WriteProcessMemory]
- 14: \??\c:\nhxllhd.exe (c:\nhxllhd.exe) PID:1428 [Executes dropped EXE; Suspicious use of WriteProcessMemory]
- 15: \??\c:\thtxb.exe (c:\thtxb.exe) PID:1920 [Executes dropped EXE; Suspicious use of WriteProcessMemory]
- 16: \??\c:\xblvfnn.exe (c:\xblvfnn.exe) PID:2288 [Executes dropped EXE; Suspicious use of WriteProcessMemory]
- 17: \??\c:\fppvh.exe (c:\fppvh.exe) PID:1832 [Executes dropped EXE]
- 18: \??\c:\dvlhl.exe (c:\dvlhl.exe) PID:1656 [Executes dropped EXE]
- 19: \??\c:\vdpvxr.exe (c:\vdpvxr.exe) PID:2280 [Executes dropped EXE]
- 20: \??\c:\fjnvp.exe (c:\fjnvp.exe) PID:764 [Executes dropped EXE]
- 21: \??\c:\fdhlv.exe (c:\fdhlv.exe) PID:1592 [Executes dropped EXE]
- 22: \??\c:\tblxvpp.exe (c:\tblxvpp.exe) PID:2320 [Executes dropped EXE]
- 23: \??\c:\tdfhvtn.exe (c:\tdfhvtn.exe) PID:2960 [Executes dropped EXE]
- 24: \??\c:\bvjtl.exe (c:\bvjtl.exe) PID:2420 [Executes dropped EXE]
- 25: \??\c:\tlljltl.exe (c:\tlljltl.exe) PID:2120 [Executes dropped EXE]
- 26: \??\c:\jtlbnp.exe (c:\jtlbnp.exe) PID:436 [Executes dropped EXE]
- 27: \??\c:\fjjvddx.exe (c:\fjjvddx.exe) PID:1816 [Executes dropped EXE]
- 28: \??\c:\jvfffpv.exe (c:\jvfffpv.exe) PID:1988 [Executes dropped EXE]
- 29: \??\c:\xbvftlf.exe (c:\xbvftlf.exe) PID:2512 [Executes dropped EXE]
- 30: \??\c:\rvtpxh.exe (c:\rvtpxh.exe) PID:2984 [Executes dropped EXE]
- 31: \??\c:\lpjtbl.exe (c:\lpjtbl.exe) PID:368 [Executes dropped EXE]
- 32: \??\c:\dnfdn.exe (c:\dnfdn.exe) PID:3008 [Executes dropped EXE]
- 33: \??\c:\vxhnfl.exe (c:\vxhnfl.exe) PID:1752 [Executes dropped EXE]
- 34: \??\c:\xvxpb.exe (c:\xvxpb.exe) PID:2824 [Executes dropped EXE]
- 35: \??\c:\bjbbrxr.exe (c:\bjbbrxr.exe) PID:1732 [Executes dropped EXE]
- 36: \??\c:\jfhfhn.exe (c:\jfhfhn.exe) PID:1900 [Executes dropped EXE]
- 37: \??\c:\rnnnrh.exe (c:\rnnnrh.exe) PID:2992 [Executes dropped EXE]
- 38: \??\c:\nvnnj.exe (c:\nvnnj.exe) PID:1692 [Executes dropped EXE]
- 39: \??\c:\vhdjvxl.exe (c:\vhdjvxl.exe) PID:2148 [Executes dropped EXE]
- 40: \??\c:\jprbj.exe (c:\jprbj.exe) PID:2816 [Executes dropped EXE]
- 41: \??\c:\lfxnddl.exe (c:\lfxnddl.exe) PID:2424 [Executes dropped EXE]
- 42: \??\c:\ftpfr.exe (c:\ftpfr.exe) PID:2868 [Executes dropped EXE]
- 43: \??\c:\trhpxpx.exe (c:\trhpxpx.exe) PID:2560 [Executes dropped EXE]
- 44: \??\c:\bjxpnbb.exe (c:\bjxpnbb.exe) PID:2492 [Executes dropped EXE]
- 45: \??\c:\fxxldp.exe (c:\fxxldp.exe) PID:1556 [Executes dropped EXE]
- 46: \??\c:\rttxnt.exe (c:\rttxnt.exe) PID:2620 [Executes dropped EXE]
- 47: \??\c:\vpbnf.exe (c:\vpbnf.exe) PID:1540 [Executes dropped EXE]
- 48: \??\c:\nlxtxd.exe (c:\nlxtxd.exe) PID:1056 [Executes dropped EXE]
- 49: \??\c:\trltv.exe (c:\trltv.exe) PID:680 [Executes dropped EXE]
- 50: \??\c:\fnvpjlt.exe (c:\fnvpjlt.exe) PID:372 [Executes dropped EXE]
- 51: \??\c:\tdlhhjv.exe (c:\tdlhhjv.exe) PID:112 [Executes dropped EXE]
- 52: \??\c:\djbftrx.exe (c:\djbftrx.exe) PID:1424 [Executes dropped EXE]
- 53: \??\c:\rlldnj.exe (c:\rlldnj.exe) PID:1096 [Executes dropped EXE]
- 54: \??\c:\jnrvlrn.exe (c:\jnrvlrn.exe) PID:2144 [Executes dropped EXE]
- 55: \??\c:\jxdtpj.exe (c:\jxdtpj.exe) PID:1920 [Executes dropped EXE]
- 56: \??\c:\hdhfvrx.exe (c:\hdhfvrx.exe) PID:1488 [Executes dropped EXE]
- 57: \??\c:\rltdvll.exe (c:\rltdvll.exe) PID:1152 [Executes dropped EXE]
- 58: \??\c:\blvxxnh.exe (c:\blvxxnh.exe) PID:1936 [Executes dropped EXE]
- 59: \??\c:\lfddd.exe (c:\lfddd.exe) PID:1916 [Executes dropped EXE]
- 60: \??\c:\pdrvb.exe (c:\pdrvb.exe) PID:2044 [Executes dropped EXE]
- 61: \??\c:\vrdlpf.exe (c:\vrdlpf.exe) PID:1756 [Executes dropped EXE]
- 62: \??\c:\dtljbd.exe (c:\dtljbd.exe) PID:1780 [Executes dropped EXE]
- 63: \??\c:\xtbtxj.exe (c:\xtbtxj.exe) PID:2384 [Executes dropped EXE]
- 64: \??\c:\hpxfpn.exe (c:\hpxfpn.exe) PID:2400 [Executes dropped EXE]
- 65: \??\c:\prfnhp.exe (c:\prfnhp.exe) PID:2244 [Executes dropped EXE]
- 66: \??\c:\hjjtffh.exe (c:\hjjtffh.exe) PID:1276
- 67: \??\c:\nbrlj.exe (c:\nbrlj.exe) PID:2576
- 68: \??\c:\xffllfv.exe (c:\xffllfv.exe) PID:2028
- 69: \??\c:\ddfdpbn.exe (c:\ddfdpbn.exe) PID:1048
- 70: \??\c:\rjtrt.exe (c:\rjtrt.exe) PID:1844
- 71: \??\c:\tttbfh.exe (c:\tttbfh.exe) PID:1208
- 72: \??\c:\drxllrb.exe (c:\drxllrb.exe) PID:1988
- 73: \??\c:\nhxxnxd.exe (c:\nhxxnxd.exe) PID:1620
- 74: \??\c:\tvdbtrd.exe (c:\tvdbtrd.exe) PID:908
- 75: \??\c:\prhjv.exe (c:\prhjv.exe) PID:2060
- 76: \??\c:\ljllnlb.exe (c:\ljllnlb.exe) PID:3000
- 77: \??\c:\ljjhj.exe (c:\ljjhj.exe) PID:2852
- 78: \??\c:\tftll.exe (c:\tftll.exe) PID:1088
- 79: \??\c:\tdbhf.exe (c:\tdbhf.exe) PID:240
- 80: \??\c:\llvld.exe (c:\llvld.exe) PID:2824
- 81: \??\c:\vxxjb.exe (c:\vxxjb.exe) PID:2092
- 82: \??\c:\vbxdxj.exe (c:\vbxdxj.exe) PID:2236
- 83: \??\c:\fbnhjj.exe (c:\fbnhjj.exe) PID:2216
- 84: \??\c:\rvpbjx.exe (c:\rvpbjx.exe) PID:1392
- 85: \??\c:\dnrlbb.exe (c:\dnrlbb.exe) PID:2932
- 86: \??\c:\ttdrddf.exe (c:\ttdrddf.exe) PID:2520
- 87: \??\c:\jdnhf.exe (c:\jdnhf.exe) PID:3016
- 88: \??\c:\bnjrnx.exe (c:\bnjrnx.exe) PID:2460
- 89: \??\c:\ftbff.exe (c:\ftbff.exe) PID:2472
- 90: \??\c:\vvfljlr.exe (c:\vvfljlr.exe) PID:2640
- 91: \??\c:\prjdbr.exe (c:\prjdbr.exe) PID:1748
- 92: \??\c:\vxflh.exe (c:\vxflh.exe) PID:2552
- 93: \??\c:\tjddr.exe (c:\tjddr.exe) PID:2408
- 94: \??\c:\bnlxvvv.exe (c:\bnlxvvv.exe) PID:2348
- 95: \??\c:\jbhnln.exe (c:\jbhnln.exe) PID:2764
- 96: \??\c:\xtjptvh.exe (c:\xtjptvh.exe) PID:2780
- 97: \??\c:\thltj.exe (c:\thltj.exe) PID:576
- 98: \??\c:\fblvpp.exe (c:\fblvpp.exe) PID:812
- 99: \??\c:\prnhx.exe (c:\prnhx.exe) PID:2316
- 100: \??\c:\ntvtxt.exe (c:\ntvtxt.exe) PID:1312
- 101: \??\c:\hdllr.exe (c:\hdllr.exe) PID:2184
- 102: \??\c:\hdnfrvf.exe (c:\hdnfrvf.exe) PID:1476
- 103: \??\c:\dhndr.exe (c:\dhndr.exe) PID:2008
- 104: \??\c:\trpfdr.exe (c:\trpfdr.exe) PID:2192
- 105: \??\c:\vrtpnrt.exe (c:\vrtpnrt.exe) PID:1832
- 106: \??\c:\tdjlvjr.exe (c:\tdjlvjr.exe) PID:2000
- 107: \??\c:\tjpdpbf.exe (c:\tjpdpbf.exe) PID:952
- 108: \??\c:\vtrjl.exe (c:\vtrjl.exe) PID:1596
- 109: \??\c:\ntvvftb.exe (c:\ntvvftb.exe) PID:2160
- 110: \??\c:\jrlpt.exe (c:\jrlpt.exe) PID:1956
- 111: \??\c:\nbldbvt.exe (c:\nbldbvt.exe) PID:1944
- 112: \??\c:\hxbnnll.exe (c:\hxbnnll.exe) PID:2320
- 113: \??\c:\npljjxp.exe (c:\npljjxp.exe) PID:2664
- 114: \??\c:\vhtbfr.exe (c:\vhtbfr.exe) PID:2644
- 115: \??\c:\lbvbbd.exe (c:\lbvbbd.exe) PID:2576
- 116: \??\c:\dbxlxrp.exe (c:\dbxlxrp.exe) PID:2668
- 117: \??\c:\bvlvpl.exe (c:\bvlvpl.exe) PID:632
- 118: \??\c:\nnrrd.exe (c:\nnrrd.exe) PID:1160
- 119: \??\c:\nhrflhd.exe (c:\nhrflhd.exe) PID:832
- 120: \??\c:\bdfdt.exe (c:\bdfdt.exe) PID:976
- 121: \??\c:\vnldtr.exe (c:\vnldtr.exe) PID:2208
- 122: \??\c:\tlprd.exe (c:\tlprd.exe) PID:908
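The WriteProcessMemory events and the process tree above record one chain: the sample starts rtlhp.exe in the drive root, rtlhp.exe starts jfdjrpr.exe, and so on, 121 levels deep, every link a short lowercase name dropped into C:\. As an added example (not code from this report or from the sandbox that produced it), the Python below parses the events in the form this report prints them, collapses the repeated records, rebuilds the parent-to-child chain and flags it when every spawned image fits a short-lowercase-name heuristic. Processes are keyed on (PID, image) rather than PID alone because the tree reuses PIDs within the run (1920 is thtxb.exe at depth 15 and jxdtpj.exe at depth 55; 908, 1988, 2576 and 3016 also recur). The sample lines are copied from the report's first sixteen unique events with the repeats trimmed to one; the name pattern (4 to 8 lowercase letters) and the minimum depth of 5 are assumptions chosen for the example, not something the report states.

```python
import re
from collections import defaultdict

# One record per WriteProcessMemory event as printed in this report:
#   PID <ppid> wrote to memory of <cpid> <ppid> <parent image> <child image>
EVENT_RE = re.compile(
    r"PID (?P<ppid>\d+) wrote to memory of (?P<cpid>\d+) (?P=ppid) "
    r"(?P<parent>\S+) (?P<child>\S+)"
)

# Heuristic for the dropped names in this report (rtlhp.exe, jfdjrpr.exe, ...):
# 4-8 lowercase letters.  The bounds are an assumption for this example.
DROPPER_NAME_RE = re.compile(r"[a-z]{4,8}\.exe")

# Copied from the report's event list; the first line is repeated once to
# show de-duplication (the report lists every pair four times).
SAMPLE_EVENTS = """\
PID 2804 wrote to memory of 2940 2804 b949ecc27ed821f4cde077e6d667fc2a489dd66b8d5ac981dfc92ad4852f2a47.exe rtlhp.exe
PID 2804 wrote to memory of 2940 2804 b949ecc27ed821f4cde077e6d667fc2a489dd66b8d5ac981dfc92ad4852f2a47.exe rtlhp.exe
PID 2940 wrote to memory of 2204 2940 rtlhp.exe jfdjrpr.exe
PID 2204 wrote to memory of 3016 2204 jfdjrpr.exe hltlnp.exe
PID 3016 wrote to memory of 3064 3016 hltlnp.exe lfftl.exe
PID 3064 wrote to memory of 2700 3064 lfftl.exe vfbdvt.exe
PID 2700 wrote to memory of 2340 2700 vfbdvt.exe rxfvvbf.exe
PID 2340 wrote to memory of 2548 2340 rxfvvbf.exe jjxnfn.exe
PID 2548 wrote to memory of 2348 2548 jjxnfn.exe hdnpd.exe
PID 2348 wrote to memory of 2764 2348 hdnpd.exe hhtdxh.exe
PID 2764 wrote to memory of 2784 2764 hhtdxh.exe nbrvrhv.exe
PID 2784 wrote to memory of 1092 2784 nbrvrhv.exe jlvfx.exe
PID 1092 wrote to memory of 1308 1092 jlvfx.exe phdjldl.exe
PID 1308 wrote to memory of 1428 1308 phdjldl.exe nhxllhd.exe
PID 1428 wrote to memory of 1920 1428 nhxllhd.exe thtxb.exe
PID 1920 wrote to memory of 2288 1920 thtxb.exe xblvfnn.exe
PID 2288 wrote to memory of 1832 2288 xblvfnn.exe fppvh.exe
"""


def parse_events(text):
    """Return ordered, de-duplicated (parent, child) edges.

    A process is keyed by (pid, image), not pid alone: the report's tree
    reuses PIDs (1920, 908, 1988, 2576, 3016 each appear twice), so a
    pid-only key would merge unrelated processes into one node.
    """
    edges, seen = [], set()
    for line in text.splitlines():
        m = EVENT_RE.search(line)
        if not m:
            continue
        edge = ((int(m["ppid"]), m["parent"]), (int(m["cpid"]), m["child"]))
        if edge not in seen:
            seen.add(edge)
            edges.append(edge)
    return edges


def longest_chain(edges):
    """Follow parent->child edges from every root; return the longest path."""
    children = defaultdict(list)
    has_parent = set()
    for parent, child in edges:
        children[parent].append(child)
        has_parent.add(child)
    roots = [p for p in children if p not in has_parent]

    best = []
    for root in roots:
        stack = [[root]]            # iterative DFS: no recursion limit
        while stack:
            path = stack.pop()
            if len(path) > len(best):
                best = path
            for c in children.get(path[-1], []):
                if c not in path:   # guard against cyclic input
                    stack.append(path + [c])
    return best


def dropper_chain(edges, min_depth=5):
    """Return the chain when it is at least min_depth spawns deep and every
    spawned image matches DROPPER_NAME_RE; otherwise None."""
    chain = longest_chain(edges)
    if len(chain) - 1 < min_depth:
        return None
    if all(DROPPER_NAME_RE.fullmatch(image) for _pid, image in chain[1:]):
        return chain
    return None


if __name__ == "__main__":
    chain = dropper_chain(parse_events(SAMPLE_EVENTS))
    print(f"dropper chain, depth {len(chain) - 1}:")
    for pid, image in chain:
        print(f"  {pid:>5}  {image}")
```

On the sixteen sample events the script reports a chain of depth 16 from the submitted sample down to fppvh.exe; fed the full event list it would reconstruct the whole 121-deep tree, and the (PID, image) key is what keeps thtxb.exe and jxdtpj.exe apart even though both ran as PID 1920.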