Analysis
-
max time kernel
150s -
max time network
127s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64 arch:x86 image:win7-20241010-en locale:en-us os:windows7-x64 system -
submitted
23-12-2024 21:36
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
593531001023132100789e165af32776bdcc32377d6fc7f215756e4e8519c4d9.exe
Resource
win7-20241010-en
windows7-x64
7 signatures
150 seconds
General
-
Target
593531001023132100789e165af32776bdcc32377d6fc7f215756e4e8519c4d9.exe
-
Size
454KB
-
MD5
cb8b26870b10c039c882fc9f5ff98db9
-
SHA1
a3677c5a249272134da6b6b59be0fb24b9184344
-
SHA256
593531001023132100789e165af32776bdcc32377d6fc7f215756e4e8519c4d9
-
SHA512
81a6c3b0e9d436319461afdba47e4dfc3b5c1d9b25e18ef1d3c67f420f75398262fc02ccb89cc60fd4073f25d04cf5c69e97c59703ce3c1f0afd5afb8fd2837b
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbex:q7Tc2NYHUrAwfMp3CDx
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 39 IoCs
resource yara_rule behavioral1/memory/2544-209-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2180-200-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/916-198-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/852-180-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2880-162-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1256-123-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1040-120-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2816-94-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3056-85-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2076-76-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2936-67-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2188-58-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2188-53-0x00000000003D0000-0x00000000003FA000-memory.dmp family_blackmoon behavioral1/memory/2424-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2528-39-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1684-27-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1268-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1268-17-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2064-8-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/580-241-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/760-259-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/1824-279-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1236-296-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1660-306-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2448-319-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2220-360-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2696-388-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2664-395-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1952-444-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2516-466-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1496-486-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/916-485-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2428-521-0x0000000000430000-0x000000000045A000-memory.dmp family_blackmoon behavioral1/memory/1620-551-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/308-560-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2396-605-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2784-649-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/3056-744-0x00000000002C0000-0x00000000002EA000-memory.dmp family_blackmoon behavioral1/memory/2144-743-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1268 vblnx.exe 1684 vpplf.exe 2528 vlxfll.exe 2424 hnldrv.exe 2188 tnjpvdf.exe 2936 fljvdpr.exe 2076 tfjbpj.exe 3056 nbfnd.exe 2816 pbnnjhj.exe 2664 vhbll.exe 1700 jdjxx.exe 1040 vrpndn.exe 1256 pvhtbh.exe 1996 hrphp.exe 660 jvbln.exe 1484 hlfflbn.exe 2880 ppvjbxr.exe 2956 fxvtvt.exe 852 jxbjft.exe 2224 dnbrxbn.exe 916 ddltj.exe 2180 fhlflr.exe 2544 jhxfjn.exe 1392 hxbxv.exe 1736 jjfnlx.exe 580 vbvvpl.exe 1364 xnpdn.exe 760 dnphx.exe 2260 fvnjt.exe 1824 xbftjnd.exe 276 vhnhbl.exe 1236 tfjhj.exe 1660 bjjtjvt.exe 768 fhhpbv.exe 2448 bhvtpj.exe 2836 jhphdtd.exe 2528 pvbhbft.exe 2744 tffrjnr.exe 2520 jjvvflf.exe 2188 xnrdl.exe 2936 fjbtdlv.exe 2220 fdjllfh.exe 2952 jplrjrj.exe 1276 rdtpdj.exe 2696 frbhhh.exe 2664 xtxfphj.exe 2832 tjhfln.exe 1036 pjlxd.exe 1152 xbdvlp.exe 1716 nppvfj.exe 1656 tpdpf.exe 2752 hflxtd.exe 1952 pdhtnb.exe 2960 vjhpjl.exe 2420 vtjvxrv.exe 2516 pbdnndj.exe 3028 drnnhp.exe 772 bnhlt.exe 916 ldpnthx.exe 1496 jdvth.exe 1340 nrrbn.exe 1872 rdptl.exe 1752 ldhnr.exe 2428 nrtvjll.exe -
resource yara_rule behavioral1/memory/2544-209-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2180-200-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/916-198-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/852-180-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2880-162-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/660-139-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1256-123-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1040-120-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2816-94-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3056-85-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2076-76-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2936-67-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2188-58-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2188-53-0x00000000003D0000-0x00000000003FA000-memory.dmp upx behavioral1/memory/2424-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2528-39-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2424-40-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1684-27-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1268-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2064-8-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/580-233-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/580-241-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/760-259-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2260-262-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/1824-279-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1236-296-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1660-297-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1660-306-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2936-351-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2220-360-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1276-374-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2696-388-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2664-395-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1952-444-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2516-459-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1496-486-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/916-485-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/264-528-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1620-543-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1620-551-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/308-552-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2228-561-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/308-560-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2396-605-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2720-679-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1784-698-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3056-717-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2144-743-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/1368-789-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rltjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ldpnthx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language phbpbv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nrvtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dnlbpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnfpdr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vnjvf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jnxfdvb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ldlnv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvrlvr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rpppnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pttxbpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxhbf.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pbbpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ljvhhpx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dnpvl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hdvpfxh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbrntv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frdrh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfdxrn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ndhbjl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ntjhhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpfbfn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vrpbfrd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ndtlbl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fftdpbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxfnrp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btbxnv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxvtvt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ntbtpfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttlvnv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbjnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxhbxrp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fnjbxth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhfvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xjrnbvh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2064 wrote to memory of 1268 2064 593531001023132100789e165af32776bdcc32377d6fc7f215756e4e8519c4d9.exe 30 PID 2064 wrote to memory of 1268 2064 593531001023132100789e165af32776bdcc32377d6fc7f215756e4e8519c4d9.exe 30 PID 2064 wrote to memory of 1268 2064 593531001023132100789e165af32776bdcc32377d6fc7f215756e4e8519c4d9.exe 30 PID 2064 wrote to memory of 1268 2064 593531001023132100789e165af32776bdcc32377d6fc7f215756e4e8519c4d9.exe 30 PID 1268 wrote to memory of 1684 1268 vblnx.exe 31 PID 1268 wrote to memory of 1684 1268 vblnx.exe 31 PID 1268 wrote to memory of 1684 1268 vblnx.exe 31 PID 1268 wrote to memory of 1684 1268 vblnx.exe 31 PID 1684 wrote to memory of 2528 1684 vpplf.exe 32 PID 1684 wrote to memory of 2528 1684 vpplf.exe 32 PID 1684 wrote to memory of 2528 1684 vpplf.exe 32 PID 1684 wrote to memory of 2528 1684 vpplf.exe 32 PID 2528 wrote to memory of 2424 2528 vlxfll.exe 33 PID 2528 wrote to memory of 2424 2528 vlxfll.exe 33 PID 2528 wrote to memory of 2424 2528 vlxfll.exe 33 PID 2528 wrote to memory of 2424 2528 vlxfll.exe 33 PID 2424 wrote to memory of 2188 2424 hnldrv.exe 34 PID 2424 wrote to memory of 2188 2424 hnldrv.exe 34 PID 2424 wrote to memory of 2188 2424 hnldrv.exe 34 PID 2424 wrote to memory of 2188 2424 hnldrv.exe 34 PID 2188 wrote to memory of 2936 2188 tnjpvdf.exe 35 PID 2188 wrote to memory of 2936 2188 tnjpvdf.exe 35 PID 2188 wrote to memory of 2936 2188 tnjpvdf.exe 35 PID 2188 wrote to memory of 2936 2188 tnjpvdf.exe 35 PID 2936 wrote to memory of 2076 2936 fljvdpr.exe 36 PID 2936 wrote to memory of 2076 2936 fljvdpr.exe 36 PID 2936 wrote to memory of 2076 2936 fljvdpr.exe 36 PID 2936 wrote to memory of 2076 2936 fljvdpr.exe 36 PID 2076 wrote to memory of 3056 2076 tfjbpj.exe 37 PID 2076 wrote to memory of 3056 2076 tfjbpj.exe 37 PID 2076 wrote to memory of 3056 2076 tfjbpj.exe 37 PID 2076 wrote to memory of 3056 2076 tfjbpj.exe 37 PID 3056 wrote to memory of 2816 3056 nbfnd.exe 38 PID 3056 wrote 
to memory of 2816 3056 nbfnd.exe 38 PID 3056 wrote to memory of 2816 3056 nbfnd.exe 38 PID 3056 wrote to memory of 2816 3056 nbfnd.exe 38 PID 2816 wrote to memory of 2664 2816 pbnnjhj.exe 39 PID 2816 wrote to memory of 2664 2816 pbnnjhj.exe 39 PID 2816 wrote to memory of 2664 2816 pbnnjhj.exe 39 PID 2816 wrote to memory of 2664 2816 pbnnjhj.exe 39 PID 2664 wrote to memory of 1700 2664 vhbll.exe 40 PID 2664 wrote to memory of 1700 2664 vhbll.exe 40 PID 2664 wrote to memory of 1700 2664 vhbll.exe 40 PID 2664 wrote to memory of 1700 2664 vhbll.exe 40 PID 1700 wrote to memory of 1040 1700 jdjxx.exe 41 PID 1700 wrote to memory of 1040 1700 jdjxx.exe 41 PID 1700 wrote to memory of 1040 1700 jdjxx.exe 41 PID 1700 wrote to memory of 1040 1700 jdjxx.exe 41 PID 1040 wrote to memory of 1256 1040 vrpndn.exe 42 PID 1040 wrote to memory of 1256 1040 vrpndn.exe 42 PID 1040 wrote to memory of 1256 1040 vrpndn.exe 42 PID 1040 wrote to memory of 1256 1040 vrpndn.exe 42 PID 1256 wrote to memory of 1996 1256 pvhtbh.exe 43 PID 1256 wrote to memory of 1996 1256 pvhtbh.exe 43 PID 1256 wrote to memory of 1996 1256 pvhtbh.exe 43 PID 1256 wrote to memory of 1996 1256 pvhtbh.exe 43 PID 1996 wrote to memory of 660 1996 hrphp.exe 44 PID 1996 wrote to memory of 660 1996 hrphp.exe 44 PID 1996 wrote to memory of 660 1996 hrphp.exe 44 PID 1996 wrote to memory of 660 1996 hrphp.exe 44 PID 660 wrote to memory of 1484 660 jvbln.exe 45 PID 660 wrote to memory of 1484 660 jvbln.exe 45 PID 660 wrote to memory of 1484 660 jvbln.exe 45 PID 660 wrote to memory of 1484 660 jvbln.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\593531001023132100789e165af32776bdcc32377d6fc7f215756e4e8519c4d9.exe"C:\Users\Admin\AppData\Local\Temp\593531001023132100789e165af32776bdcc32377d6fc7f215756e4e8519c4d9.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2064 -
\??\c:\vblnx.exec:\vblnx.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1268 -
\??\c:\vpplf.exec:\vpplf.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1684 -
\??\c:\vlxfll.exec:\vlxfll.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2528 -
\??\c:\hnldrv.exec:\hnldrv.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2424 -
\??\c:\tnjpvdf.exec:\tnjpvdf.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2188 -
\??\c:\fljvdpr.exec:\fljvdpr.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2936 -
\??\c:\tfjbpj.exec:\tfjbpj.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2076 -
\??\c:\nbfnd.exec:\nbfnd.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3056 -
\??\c:\pbnnjhj.exec:\pbnnjhj.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2816 -
\??\c:\vhbll.exec:\vhbll.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2664 -
\??\c:\jdjxx.exec:\jdjxx.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1700 -
\??\c:\vrpndn.exec:\vrpndn.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1040 -
\??\c:\pvhtbh.exec:\pvhtbh.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1256 -
\??\c:\hrphp.exec:\hrphp.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1996 -
\??\c:\jvbln.exec:\jvbln.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:660 -
\??\c:\hlfflbn.exec:\hlfflbn.exe17⤵
- Executes dropped EXE
PID:1484 -
\??\c:\ppvjbxr.exec:\ppvjbxr.exe18⤵
- Executes dropped EXE
PID:2880 -
\??\c:\fxvtvt.exec:\fxvtvt.exe19⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2956 -
\??\c:\jxbjft.exec:\jxbjft.exe20⤵
- Executes dropped EXE
PID:852 -
\??\c:\dnbrxbn.exec:\dnbrxbn.exe21⤵
- Executes dropped EXE
PID:2224 -
\??\c:\ddltj.exec:\ddltj.exe22⤵
- Executes dropped EXE
PID:916 -
\??\c:\fhlflr.exec:\fhlflr.exe23⤵
- Executes dropped EXE
PID:2180 -
\??\c:\jhxfjn.exec:\jhxfjn.exe24⤵
- Executes dropped EXE
PID:2544 -
\??\c:\hxbxv.exec:\hxbxv.exe25⤵
- Executes dropped EXE
PID:1392 -
\??\c:\jjfnlx.exec:\jjfnlx.exe26⤵
- Executes dropped EXE
PID:1736 -
\??\c:\vbvvpl.exec:\vbvvpl.exe27⤵
- Executes dropped EXE
PID:580 -
\??\c:\xnpdn.exec:\xnpdn.exe28⤵
- Executes dropped EXE
PID:1364 -
\??\c:\dnphx.exec:\dnphx.exe29⤵
- Executes dropped EXE
PID:760 -
\??\c:\fvnjt.exec:\fvnjt.exe30⤵
- Executes dropped EXE
PID:2260 -
\??\c:\xbftjnd.exec:\xbftjnd.exe31⤵
- Executes dropped EXE
PID:1824 -
\??\c:\vhnhbl.exec:\vhnhbl.exe32⤵
- Executes dropped EXE
PID:276 -
\??\c:\tfjhj.exec:\tfjhj.exe33⤵
- Executes dropped EXE
PID:1236 -
\??\c:\bjjtjvt.exec:\bjjtjvt.exe34⤵
- Executes dropped EXE
PID:1660 -
\??\c:\fhhpbv.exec:\fhhpbv.exe35⤵
- Executes dropped EXE
PID:768 -
\??\c:\bhvtpj.exec:\bhvtpj.exe36⤵
- Executes dropped EXE
PID:2448 -
\??\c:\jhphdtd.exec:\jhphdtd.exe37⤵
- Executes dropped EXE
PID:2836 -
\??\c:\pvbhbft.exec:\pvbhbft.exe38⤵
- Executes dropped EXE
PID:2528 -
\??\c:\tffrjnr.exec:\tffrjnr.exe39⤵
- Executes dropped EXE
PID:2744 -
\??\c:\jjvvflf.exec:\jjvvflf.exe40⤵
- Executes dropped EXE
PID:2520 -
\??\c:\xnrdl.exec:\xnrdl.exe41⤵
- Executes dropped EXE
PID:2188 -
\??\c:\fjbtdlv.exec:\fjbtdlv.exe42⤵
- Executes dropped EXE
PID:2936 -
\??\c:\fdjllfh.exec:\fdjllfh.exe43⤵
- Executes dropped EXE
PID:2220 -
\??\c:\jplrjrj.exec:\jplrjrj.exe44⤵
- Executes dropped EXE
PID:2952 -
\??\c:\rdtpdj.exec:\rdtpdj.exe45⤵
- Executes dropped EXE
PID:1276 -
\??\c:\frbhhh.exec:\frbhhh.exe46⤵
- Executes dropped EXE
PID:2696 -
\??\c:\xtxfphj.exec:\xtxfphj.exe47⤵
- Executes dropped EXE
PID:2664 -
\??\c:\tjhfln.exec:\tjhfln.exe48⤵
- Executes dropped EXE
PID:2832 -
\??\c:\pjlxd.exec:\pjlxd.exe49⤵
- Executes dropped EXE
PID:1036 -
\??\c:\xbdvlp.exec:\xbdvlp.exe50⤵
- Executes dropped EXE
PID:1152 -
\??\c:\nppvfj.exec:\nppvfj.exe51⤵
- Executes dropped EXE
PID:1716 -
\??\c:\tpdpf.exec:\tpdpf.exe52⤵
- Executes dropped EXE
PID:1656 -
\??\c:\hflxtd.exec:\hflxtd.exe53⤵
- Executes dropped EXE
PID:2752 -
\??\c:\pdhtnb.exec:\pdhtnb.exe54⤵
- Executes dropped EXE
PID:1952 -
\??\c:\vjhpjl.exec:\vjhpjl.exe55⤵
- Executes dropped EXE
PID:2960 -
\??\c:\vtjvxrv.exec:\vtjvxrv.exe56⤵
- Executes dropped EXE
PID:2420 -
\??\c:\pbdnndj.exec:\pbdnndj.exe57⤵
- Executes dropped EXE
PID:2516 -
\??\c:\drnnhp.exec:\drnnhp.exe58⤵
- Executes dropped EXE
PID:3028 -
\??\c:\bnhlt.exec:\bnhlt.exe59⤵
- Executes dropped EXE
PID:772 -
\??\c:\ldpnthx.exec:\ldpnthx.exe60⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:916 -
\??\c:\jdvth.exec:\jdvth.exe61⤵
- Executes dropped EXE
PID:1496 -
\??\c:\nrrbn.exec:\nrrbn.exe62⤵
- Executes dropped EXE
PID:1340 -
\??\c:\rdptl.exec:\rdptl.exe63⤵
- Executes dropped EXE
PID:1872 -
\??\c:\ldhnr.exec:\ldhnr.exe64⤵
- Executes dropped EXE
PID:1752 -
\??\c:\nrtvjll.exec:\nrtvjll.exe65⤵
- Executes dropped EXE
PID:2428 -
\??\c:\pnntb.exec:\pnntb.exe66⤵PID:680
-
\??\c:\brfpjxf.exec:\brfpjxf.exe67⤵PID:264
-
\??\c:\hvhdx.exec:\hvhdx.exe68⤵PID:2300
-
\??\c:\vbtrdr.exec:\vbtrdr.exe69⤵PID:1620
-
\??\c:\jlldt.exec:\jlldt.exe70⤵PID:308
-
\??\c:\djhtr.exec:\djhtr.exe71⤵PID:2228
-
\??\c:\bdntlrb.exec:\bdntlrb.exe72⤵PID:276
-
\??\c:\pjvfhx.exec:\pjvfhx.exe73⤵PID:1572
-
\??\c:\vtlbl.exec:\vtlbl.exe74⤵PID:1568
-
\??\c:\vjlhlpl.exec:\vjlhlpl.exe75⤵PID:1268
-
\??\c:\lttnvb.exec:\lttnvb.exe76⤵PID:2016
-
\??\c:\vxdnltp.exec:\vxdnltp.exe77⤵PID:2396
-
\??\c:\njrnjd.exec:\njrnjd.exe78⤵PID:2156
-
\??\c:\pndjrlp.exec:\pndjrlp.exe79⤵PID:2900
-
\??\c:\xhrdpxr.exec:\xhrdpxr.exe80⤵PID:2784
-
\??\c:\lrbfbv.exec:\lrbfbv.exe81⤵PID:2928
-
\??\c:\pxtbt.exec:\pxtbt.exe82⤵PID:2904
-
\??\c:\pxxntt.exec:\pxxntt.exe83⤵PID:2740
-
\??\c:\plnrxlj.exec:\plnrxlj.exe84⤵PID:2708
-
\??\c:\jjbtblb.exec:\jjbtblb.exe85⤵PID:2944
-
\??\c:\hnpjjnp.exec:\hnpjjnp.exe86⤵PID:2652
-
\??\c:\nltnr.exec:\nltnr.exe87⤵PID:2408
-
\??\c:\jlnjrb.exec:\jlnjrb.exe88⤵PID:1920
-
\??\c:\jbffl.exec:\jbffl.exe89⤵PID:2720
-
\??\c:\vjdrtx.exec:\vjdrtx.exe90⤵PID:1140
-
\??\c:\jvthpt.exec:\jvthpt.exe91⤵PID:1264
-
\??\c:\ltvrrrn.exec:\ltvrrrn.exe92⤵PID:1784
-
\??\c:\nxrnhx.exec:\nxrnhx.exe93⤵PID:660
-
\??\c:\fbdjpp.exec:\fbdjpp.exe94⤵PID:2752
-
\??\c:\fdnphfn.exec:\fdnphfn.exe95⤵PID:3056
-
\??\c:\tpjfh.exec:\tpjfh.exe96⤵PID:2856
-
\??\c:\ldfjthr.exec:\ldfjthr.exe97⤵PID:2852
-
\??\c:\jxjjnrl.exec:\jxjjnrl.exe98⤵PID:2144
-
\??\c:\fdvpn.exec:\fdvpn.exe99⤵PID:2172
-
\??\c:\phfvvrd.exec:\phfvvrd.exe100⤵PID:1124
-
\??\c:\nnflr.exec:\nnflr.exe101⤵PID:1748
-
\??\c:\vljbnxv.exec:\vljbnxv.exe102⤵PID:1104
-
\??\c:\fjjbnbn.exec:\fjjbnbn.exe103⤵PID:3012
-
\??\c:\btpjvl.exec:\btpjvl.exe104⤵PID:1728
-
\??\c:\phjxhxj.exec:\phjxhxj.exe105⤵PID:1752
-
\??\c:\fblvn.exec:\fblvn.exe106⤵PID:1368
-
\??\c:\jhplnn.exec:\jhplnn.exe107⤵PID:1968
-
\??\c:\xdndh.exec:\xdndh.exe108⤵PID:264
-
\??\c:\dpjhbf.exec:\dpjhbf.exe109⤵PID:1020
-
\??\c:\prfphb.exec:\prfphb.exe110⤵PID:2060
-
\??\c:\bhntj.exec:\bhntj.exe111⤵PID:316
-
\??\c:\drptpnh.exec:\drptpnh.exe112⤵PID:2280
-
\??\c:\vdpfjrv.exec:\vdpfjrv.exe113⤵PID:2536
-
\??\c:\tvfvdj.exec:\tvfvdj.exe114⤵PID:2308
-
\??\c:\flxbfj.exec:\flxbfj.exe115⤵PID:2500
-
\??\c:\nvxjh.exec:\nvxjh.exe116⤵PID:2464
-
\??\c:\pfdrdl.exec:\pfdrdl.exe117⤵PID:2448
-
\??\c:\pbbpp.exec:\pbbpp.exe118⤵
- System Location Discovery: System Language Discovery
PID:2836 -
\??\c:\rnxrjh.exec:\rnxrjh.exe119⤵PID:2528
-
\??\c:\xjrnbvh.exec:\xjrnbvh.exe120⤵
- System Location Discovery: System Language Discovery
PID:2756 -
\??\c:\rdnhhp.exec:\rdnhhp.exe121⤵PID:2900
-
\??\c:\fhbdjbl.exec:\fhbdjbl.exe122⤵PID:2804