Analysis
-
max time kernel
150s -
max time network
126s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64 arch:x86 image:win7-20241010-en locale:en-us os:windows7-x64 system -
submitted
26-12-2024 05:35
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
95e73277c66487cbda056581adcc46596f86bf96030ea06d1662e07318089288.exe
Resource
win7-20241010-en
windows7-x64
7 signatures
150 seconds
General
-
Target
95e73277c66487cbda056581adcc46596f86bf96030ea06d1662e07318089288.exe
-
Size
454KB
-
MD5
1c46f433d5bc771d0de821f7832ac6b8
-
SHA1
052f91b495772a532b78742ee2a534a024286ca4
-
SHA256
95e73277c66487cbda056581adcc46596f86bf96030ea06d1662e07318089288
-
SHA512
64bfccdb5aba6c5ef87c9c9006ce5369d36b40e616d9306dce50e082dfa646d716488f15f0dc5bd94618b315081d6644282d5700fd6234b320d50c7bdfea49a1
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbex:q7Tc2NYHUrAwfMp3CDx
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 47 IoCs
resource yara_rule behavioral1/memory/2872-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2832-20-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2876-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2796-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2900-46-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2900-52-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/572-56-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2676-76-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1972-74-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1972-72-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/3044-85-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1944-94-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2920-117-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1440-127-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/320-150-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2920-149-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/3000-146-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1052-165-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2248-175-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2452-184-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2172-193-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/760-204-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1392-226-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1980-224-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1980-222-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/2380-244-0x00000000003D0000-0x00000000003FA000-memory.dmp family_blackmoon behavioral1/memory/2052-256-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1920-278-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2320-306-0x00000000779B0000-0x0000000077ACF000-memory.dmp family_blackmoon behavioral1/memory/2320-308-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2856-315-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1672-322-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2948-352-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2256-392-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1016-411-0x00000000005C0000-0x00000000005EA000-memory.dmp family_blackmoon behavioral1/memory/1620-480-0x00000000003D0000-0x00000000003FA000-memory.dmp family_blackmoon behavioral1/memory/2452-485-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2532-503-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1620-502-0x00000000003D0000-0x00000000003FA000-memory.dmp family_blackmoon behavioral1/memory/2532-501-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1628-510-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2612-541-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon 
behavioral1/memory/2028-596-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2284-595-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2220-631-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/2144-646-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2340-655-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2876 pddpllh.exe 2832 vvxdt.exe 2796 xlhlp.exe 2808 rxrjnt.exe 2900 rtvfpll.exe 572 pvbjbrr.exe 1972 nrvlbj.exe 2676 pxdntf.exe 3044 ptdftff.exe 1944 thvxbp.exe 2704 pbjfrff.exe 2920 hbtjn.exe 1440 djvxtrl.exe 1736 fljhnrp.exe 3000 vvbjpvh.exe 320 drtthlp.exe 1052 xllvpph.exe 2248 phxhfhl.exe 2452 lnlnxbv.exe 2172 xjpthtv.exe 760 nfjljpf.exe 1592 fxdnv.exe 1980 rxxdhtd.exe 1392 vrprhx.exe 2380 jvhjd.exe 1288 hrvxf.exe 2052 fxfhvvj.exe 884 rtrvp.exe 1920 vbrvvb.exe 580 bfdbr.exe 1712 hxrnxf.exe 1716 hrlbv.exe 2320 fhdhfv.exe 1672 bnjrldj.exe 2644 pxfhvn.exe 2940 rfrfvv.exe 2952 vrrvjbf.exe 2948 xvrfhbn.exe 2684 hpnxfbb.exe 2476 nphrptv.exe 1928 vnjhl.exe 1996 jnlrbjv.exe 2176 bfrrnj.exe 2256 nltrt.exe 2932 xbjrf.exe 1944 jpdtjhl.exe 1016 dtnprp.exe 1208 pppjj.exe 2500 jfvll.exe 1976 xllhfbv.exe 2992 pvpfrpx.exe 1632 fxrxrl.exe 568 rvnrbl.exe 2516 fprnttx.exe 2188 bfvxv.exe 368 pnvjvt.exe 1620 ftnpd.exe 2452 hfntjrl.exe 1792 dxfttj.exe 2532 ptpxf.exe 980 xxxnf.exe 1628 dnptrt.exe 1700 bbrdtlb.exe 1724 lhtld.exe -
resource yara_rule behavioral1/memory/2872-0-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2872-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2832-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2876-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2796-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2900-46-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/572-56-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2676-76-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1972-74-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3044-85-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1944-94-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2920-117-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1440-127-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/320-150-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3000-146-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1052-165-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2248-175-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2452-184-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2172-193-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/760-204-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1392-226-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1980-224-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2380-235-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2052-256-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/1920-278-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2320-308-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2856-315-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1672-322-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2948-352-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2256-385-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2256-392-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1208-412-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2532-501-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1628-510-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1756-561-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2028-596-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2284-595-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2144-638-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2144-646-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrnfh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jxrpnpn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nfvljtp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvhnjlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lvxfpnp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hjnljl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lbntl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pbnddpn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language plxllr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfxvlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pbvbvrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lbbnld.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jhdjdtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fbhhxvl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rvjdl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbbjlr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rtxhbvf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jhphfb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vxtlrt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ndjndv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nljfnj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xpbdxj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rtvjpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jrdldb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ljxnb.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xdjbltb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnpxllb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ftnpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bdnlhtx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tdlpfnl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttdlxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vhvjnnf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lpjdnx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jtdlndb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvhrffv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rnnbbp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrbfnd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rnnfp.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2872 wrote to memory of 2876 2872 95e73277c66487cbda056581adcc46596f86bf96030ea06d1662e07318089288.exe 30 PID 2872 wrote to memory of 2876 2872 95e73277c66487cbda056581adcc46596f86bf96030ea06d1662e07318089288.exe 30 PID 2872 wrote to memory of 2876 2872 95e73277c66487cbda056581adcc46596f86bf96030ea06d1662e07318089288.exe 30 PID 2872 wrote to memory of 2876 2872 95e73277c66487cbda056581adcc46596f86bf96030ea06d1662e07318089288.exe 30 PID 2876 wrote to memory of 2832 2876 pddpllh.exe 31 PID 2876 wrote to memory of 2832 2876 pddpllh.exe 31 PID 2876 wrote to memory of 2832 2876 pddpllh.exe 31 PID 2876 wrote to memory of 2832 2876 pddpllh.exe 31 PID 2832 wrote to memory of 2796 2832 vvxdt.exe 32 PID 2832 wrote to memory of 2796 2832 vvxdt.exe 32 PID 2832 wrote to memory of 2796 2832 vvxdt.exe 32 PID 2832 wrote to memory of 2796 2832 vvxdt.exe 32 PID 2796 wrote to memory of 2808 2796 xlhlp.exe 33 PID 2796 wrote to memory of 2808 2796 xlhlp.exe 33 PID 2796 wrote to memory of 2808 2796 xlhlp.exe 33 PID 2796 wrote to memory of 2808 2796 xlhlp.exe 33 PID 2808 wrote to memory of 2900 2808 rxrjnt.exe 34 PID 2808 wrote to memory of 2900 2808 rxrjnt.exe 34 PID 2808 wrote to memory of 2900 2808 rxrjnt.exe 34 PID 2808 wrote to memory of 2900 2808 rxrjnt.exe 34 PID 2900 wrote to memory of 572 2900 rtvfpll.exe 35 PID 2900 wrote to memory of 572 2900 rtvfpll.exe 35 PID 2900 wrote to memory of 572 2900 rtvfpll.exe 35 PID 2900 wrote to memory of 572 2900 rtvfpll.exe 35 PID 572 wrote to memory of 1972 572 pvbjbrr.exe 36 PID 572 wrote to memory of 1972 572 pvbjbrr.exe 36 PID 572 wrote to memory of 1972 572 pvbjbrr.exe 36 PID 572 wrote to memory of 1972 572 pvbjbrr.exe 36 PID 1972 wrote to memory of 2676 1972 nrvlbj.exe 37 PID 1972 wrote to memory of 2676 1972 nrvlbj.exe 37 PID 1972 wrote to memory of 2676 1972 nrvlbj.exe 37 PID 1972 wrote to memory of 2676 1972 nrvlbj.exe 37 PID 2676 wrote to memory of 3044 2676 pxdntf.exe 38 PID 2676 wrote to 
memory of 3044 2676 pxdntf.exe 38 PID 2676 wrote to memory of 3044 2676 pxdntf.exe 38 PID 2676 wrote to memory of 3044 2676 pxdntf.exe 38 PID 3044 wrote to memory of 1944 3044 ptdftff.exe 39 PID 3044 wrote to memory of 1944 3044 ptdftff.exe 39 PID 3044 wrote to memory of 1944 3044 ptdftff.exe 39 PID 3044 wrote to memory of 1944 3044 ptdftff.exe 39 PID 1944 wrote to memory of 2704 1944 thvxbp.exe 40 PID 1944 wrote to memory of 2704 1944 thvxbp.exe 40 PID 1944 wrote to memory of 2704 1944 thvxbp.exe 40 PID 1944 wrote to memory of 2704 1944 thvxbp.exe 40 PID 2704 wrote to memory of 2920 2704 pbjfrff.exe 41 PID 2704 wrote to memory of 2920 2704 pbjfrff.exe 41 PID 2704 wrote to memory of 2920 2704 pbjfrff.exe 41 PID 2704 wrote to memory of 2920 2704 pbjfrff.exe 41 PID 2920 wrote to memory of 1440 2920 hbtjn.exe 42 PID 2920 wrote to memory of 1440 2920 hbtjn.exe 42 PID 2920 wrote to memory of 1440 2920 hbtjn.exe 42 PID 2920 wrote to memory of 1440 2920 hbtjn.exe 42 PID 1440 wrote to memory of 1736 1440 djvxtrl.exe 43 PID 1440 wrote to memory of 1736 1440 djvxtrl.exe 43 PID 1440 wrote to memory of 1736 1440 djvxtrl.exe 43 PID 1440 wrote to memory of 1736 1440 djvxtrl.exe 43 PID 1736 wrote to memory of 3000 1736 fljhnrp.exe 44 PID 1736 wrote to memory of 3000 1736 fljhnrp.exe 44 PID 1736 wrote to memory of 3000 1736 fljhnrp.exe 44 PID 1736 wrote to memory of 3000 1736 fljhnrp.exe 44 PID 3000 wrote to memory of 320 3000 vvbjpvh.exe 45 PID 3000 wrote to memory of 320 3000 vvbjpvh.exe 45 PID 3000 wrote to memory of 320 3000 vvbjpvh.exe 45 PID 3000 wrote to memory of 320 3000 vvbjpvh.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\95e73277c66487cbda056581adcc46596f86bf96030ea06d1662e07318089288.exe"C:\Users\Admin\AppData\Local\Temp\95e73277c66487cbda056581adcc46596f86bf96030ea06d1662e07318089288.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2872 -
\??\c:\pddpllh.exec:\pddpllh.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2876 -
\??\c:\vvxdt.exec:\vvxdt.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2832 -
\??\c:\xlhlp.exec:\xlhlp.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2796 -
\??\c:\rxrjnt.exec:\rxrjnt.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2808 -
\??\c:\rtvfpll.exec:\rtvfpll.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2900 -
\??\c:\pvbjbrr.exec:\pvbjbrr.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:572 -
\??\c:\nrvlbj.exec:\nrvlbj.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1972 -
\??\c:\pxdntf.exec:\pxdntf.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2676 -
\??\c:\ptdftff.exec:\ptdftff.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3044 -
\??\c:\thvxbp.exec:\thvxbp.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1944 -
\??\c:\pbjfrff.exec:\pbjfrff.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2704 -
\??\c:\hbtjn.exec:\hbtjn.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2920 -
\??\c:\djvxtrl.exec:\djvxtrl.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1440 -
\??\c:\fljhnrp.exec:\fljhnrp.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1736 -
\??\c:\vvbjpvh.exec:\vvbjpvh.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3000 -
\??\c:\drtthlp.exec:\drtthlp.exe17⤵
- Executes dropped EXE
PID:320 -
\??\c:\xllvpph.exec:\xllvpph.exe18⤵
- Executes dropped EXE
PID:1052 -
\??\c:\phxhfhl.exec:\phxhfhl.exe19⤵
- Executes dropped EXE
PID:2248 -
\??\c:\lnlnxbv.exec:\lnlnxbv.exe20⤵
- Executes dropped EXE
PID:2452 -
\??\c:\xjpthtv.exec:\xjpthtv.exe21⤵
- Executes dropped EXE
PID:2172 -
\??\c:\nfjljpf.exec:\nfjljpf.exe22⤵
- Executes dropped EXE
PID:760 -
\??\c:\fxdnv.exec:\fxdnv.exe23⤵
- Executes dropped EXE
PID:1592 -
\??\c:\rxxdhtd.exec:\rxxdhtd.exe24⤵
- Executes dropped EXE
PID:1980 -
\??\c:\vrprhx.exec:\vrprhx.exe25⤵
- Executes dropped EXE
PID:1392 -
\??\c:\jvhjd.exec:\jvhjd.exe26⤵
- Executes dropped EXE
PID:2380 -
\??\c:\hrvxf.exec:\hrvxf.exe27⤵
- Executes dropped EXE
PID:1288 -
\??\c:\fxfhvvj.exec:\fxfhvvj.exe28⤵
- Executes dropped EXE
PID:2052 -
\??\c:\rtrvp.exec:\rtrvp.exe29⤵
- Executes dropped EXE
PID:884 -
\??\c:\vbrvvb.exec:\vbrvvb.exe30⤵
- Executes dropped EXE
PID:1920 -
\??\c:\bfdbr.exec:\bfdbr.exe31⤵
- Executes dropped EXE
PID:580 -
\??\c:\hxrnxf.exec:\hxrnxf.exe32⤵
- Executes dropped EXE
PID:1712 -
\??\c:\hrlbv.exec:\hrlbv.exe33⤵
- Executes dropped EXE
PID:1716 -
\??\c:\fhdhfv.exec:\fhdhfv.exe34⤵
- Executes dropped EXE
PID:2320 -
\??\c:\ltrpf.exec:\ltrpf.exe35⤵PID:2856
-
\??\c:\bnjrldj.exec:\bnjrldj.exe36⤵
- Executes dropped EXE
PID:1672 -
\??\c:\pxfhvn.exec:\pxfhvn.exe37⤵
- Executes dropped EXE
PID:2644 -
\??\c:\rfrfvv.exec:\rfrfvv.exe38⤵
- Executes dropped EXE
PID:2940 -
\??\c:\vrrvjbf.exec:\vrrvjbf.exe39⤵
- Executes dropped EXE
PID:2952 -
\??\c:\xvrfhbn.exec:\xvrfhbn.exe40⤵
- Executes dropped EXE
PID:2948 -
\??\c:\hpnxfbb.exec:\hpnxfbb.exe41⤵
- Executes dropped EXE
PID:2684 -
\??\c:\nphrptv.exec:\nphrptv.exe42⤵
- Executes dropped EXE
PID:2476 -
\??\c:\vnjhl.exec:\vnjhl.exe43⤵
- Executes dropped EXE
PID:1928 -
\??\c:\jnlrbjv.exec:\jnlrbjv.exe44⤵
- Executes dropped EXE
PID:1996 -
\??\c:\bfrrnj.exec:\bfrrnj.exe45⤵
- Executes dropped EXE
PID:2176 -
\??\c:\nltrt.exec:\nltrt.exe46⤵
- Executes dropped EXE
PID:2256 -
\??\c:\xbjrf.exec:\xbjrf.exe47⤵
- Executes dropped EXE
PID:2932 -
\??\c:\jpdtjhl.exec:\jpdtjhl.exe48⤵
- Executes dropped EXE
PID:1944 -
\??\c:\dtnprp.exec:\dtnprp.exe49⤵
- Executes dropped EXE
PID:1016 -
\??\c:\pppjj.exec:\pppjj.exe50⤵
- Executes dropped EXE
PID:1208 -
\??\c:\jfvll.exec:\jfvll.exe51⤵
- Executes dropped EXE
PID:2500 -
\??\c:\xllhfbv.exec:\xllhfbv.exe52⤵
- Executes dropped EXE
PID:1976 -
\??\c:\pvpfrpx.exec:\pvpfrpx.exe53⤵
- Executes dropped EXE
PID:2992 -
\??\c:\fxrxrl.exec:\fxrxrl.exe54⤵
- Executes dropped EXE
PID:1632 -
\??\c:\rvnrbl.exec:\rvnrbl.exe55⤵
- Executes dropped EXE
PID:568 -
\??\c:\fprnttx.exec:\fprnttx.exe56⤵
- Executes dropped EXE
PID:2516 -
\??\c:\bfvxv.exec:\bfvxv.exe57⤵
- Executes dropped EXE
PID:2188 -
\??\c:\pnvjvt.exec:\pnvjvt.exe58⤵
- Executes dropped EXE
PID:368 -
\??\c:\ftnpd.exec:\ftnpd.exe59⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1620 -
\??\c:\hfntjrl.exec:\hfntjrl.exe60⤵
- Executes dropped EXE
PID:2452 -
\??\c:\dxfttj.exec:\dxfttj.exe61⤵
- Executes dropped EXE
PID:1792 -
\??\c:\ptpxf.exec:\ptpxf.exe62⤵
- Executes dropped EXE
PID:2532 -
\??\c:\xxxnf.exec:\xxxnf.exe63⤵
- Executes dropped EXE
PID:980 -
\??\c:\dnptrt.exec:\dnptrt.exe64⤵
- Executes dropped EXE
PID:1628 -
\??\c:\bbrdtlb.exec:\bbrdtlb.exe65⤵
- Executes dropped EXE
PID:1700 -
\??\c:\lhtld.exec:\lhtld.exe66⤵
- Executes dropped EXE
PID:1724 -
\??\c:\dlfrl.exec:\dlfrl.exe67⤵PID:1568
-
\??\c:\vxtlrt.exec:\vxtlrt.exe68⤵
- System Location Discovery: System Language Discovery
PID:2612 -
\??\c:\xrxbb.exec:\xrxbb.exe69⤵PID:2432
-
\??\c:\phfrvd.exec:\phfrvd.exe70⤵PID:288
-
\??\c:\bhrbd.exec:\bhrbd.exe71⤵PID:2528
-
\??\c:\rfbdtd.exec:\rfbdtd.exe72⤵PID:1756
-
\??\c:\bnlhp.exec:\bnlhp.exe73⤵PID:2040
-
\??\c:\phnfr.exec:\phnfr.exe74⤵PID:580
-
\??\c:\hjvjjff.exec:\hjvjjff.exe75⤵PID:2484
-
\??\c:\tldlbr.exec:\tldlbr.exe76⤵PID:2284
-
\??\c:\vblfvvn.exec:\vblfvvn.exe77⤵PID:2028
-
\??\c:\bxhpv.exec:\bxhpv.exe78⤵PID:1584
-
\??\c:\nthnrdp.exec:\nthnrdp.exe79⤵PID:2892
-
\??\c:\vrbxr.exec:\vrbxr.exe80⤵PID:2672
-
\??\c:\htdtnbh.exec:\htdtnbh.exe81⤵PID:2220
-
\??\c:\rdvtf.exec:\rdvtf.exe82⤵PID:2060
-
\??\c:\pfdprbb.exec:\pfdprbb.exe83⤵PID:2144
-
\??\c:\nplxhp.exec:\nplxhp.exe84⤵PID:2340
-
\??\c:\dljvrrt.exec:\dljvrrt.exe85⤵PID:2868
-
\??\c:\jjbvp.exec:\jjbvp.exe86⤵PID:1972
-
\??\c:\pntjrj.exec:\pntjrj.exe87⤵PID:2768
-
\??\c:\bffdplh.exec:\bffdplh.exe88⤵PID:2596
-
\??\c:\jdrlx.exec:\jdrlx.exe89⤵PID:2256
-
\??\c:\xrrhv.exec:\xrrhv.exe90⤵PID:700
-
\??\c:\dtvvv.exec:\dtvvv.exe91⤵PID:2968
-
\??\c:\fbllff.exec:\fbllff.exe92⤵PID:544
-
\??\c:\hxphjnf.exec:\hxphjnf.exe93⤵PID:2036
-
\??\c:\xtdlj.exec:\xtdlj.exe94⤵PID:1492
-
\??\c:\vlxxnt.exec:\vlxxnt.exe95⤵PID:2140
-
\??\c:\rnbnb.exec:\rnbnb.exe96⤵PID:332
-
\??\c:\ttrphvh.exec:\ttrphvh.exe97⤵PID:1556
-
\??\c:\jrrnrx.exec:\jrrnrx.exe98⤵PID:2504
-
\??\c:\ftxdx.exec:\ftxdx.exe99⤵PID:1264
-
\??\c:\ftbjvb.exec:\ftbjvb.exe100⤵PID:1124
-
\??\c:\jjjlljn.exec:\jjjlljn.exe101⤵PID:3060
-
\??\c:\nvpdjfl.exec:\nvpdjfl.exe102⤵PID:1964
-
\??\c:\nfvljtp.exec:\nfvljtp.exe103⤵
- System Location Discovery: System Language Discovery
PID:2452 -
\??\c:\dlnhplp.exec:\dlnhplp.exe104⤵PID:2552
-
\??\c:\bdnlhtx.exec:\bdnlhtx.exe105⤵
- System Location Discovery: System Language Discovery
PID:2232 -
\??\c:\tftjtj.exec:\tftjtj.exe106⤵PID:1028
-
\??\c:\ljjvv.exec:\ljjvv.exe107⤵PID:916
-
\??\c:\vrphnpn.exec:\vrphnpn.exe108⤵PID:1460
-
\??\c:\plbjpft.exec:\plbjpft.exe109⤵PID:2368
-
\??\c:\fjfbjh.exec:\fjfbjh.exe110⤵PID:2016
-
\??\c:\lbhfnl.exec:\lbhfnl.exe111⤵PID:1108
-
\??\c:\nfvxn.exec:\nfvxn.exe112⤵PID:2084
-
\??\c:\xbfvr.exec:\xbfvr.exe113⤵PID:1072
-
\??\c:\bblfxpj.exec:\bblfxpj.exe114⤵PID:960
-
\??\c:\tfdpd.exec:\tfdpd.exe115⤵PID:2520
-
\??\c:\jljnb.exec:\jljnb.exe116⤵PID:2040
-
\??\c:\lrnpfrh.exec:\lrnpfrh.exe117⤵PID:580
-
\??\c:\dvxddbl.exec:\dvxddbl.exe118⤵PID:2484
-
\??\c:\phrfxj.exec:\phrfxj.exe119⤵PID:2284
-
\??\c:\rrrdrdl.exec:\rrrdrdl.exe120⤵PID:2876
-
\??\c:\trtxlp.exec:\trtxlp.exe121⤵PID:2760
-
\??\c:\lvtprfr.exec:\lvtprfr.exe122⤵PID:2828