Analysis
-
max time kernel
150s -
max time network
125s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64 arch:x86 image:win7-20241010-en locale:en-us os:windows7-x64 system -
submitted
08/01/2025, 04:53
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
96e9fe16f81f59fd4c5415e28ce45c67902d9a356b0c82dc84996ef309a58074.exe
Resource
win7-20241010-en
7 signatures
150 seconds
General
-
Target
96e9fe16f81f59fd4c5415e28ce45c67902d9a356b0c82dc84996ef309a58074.exe
-
Size
457KB
-
MD5
25029de0b4256da56b35603faa91535f
-
SHA1
ace652cc47eefe0e0410fb4873484bb0344fa942
-
SHA256
96e9fe16f81f59fd4c5415e28ce45c67902d9a356b0c82dc84996ef309a58074
-
SHA512
ff0003e2397c64299385d93b07958b020d876704658bae9d15648a624ef73f3066fe49aaf3302213cc1b345bc1b7e2ed09c63b55109b0eb249565d74fa210613
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeRK:q7Tc2NYHUrAwfMp3CDRK
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 40 IoCs
resource yara_rule behavioral1/memory/2188-8-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1560-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2140-32-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2304-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2228-51-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2888-53-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2908-78-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2728-91-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2700-89-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2748-106-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2044-117-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1664-134-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1188-143-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1208-147-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1636-162-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1972-171-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/836-180-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2484-202-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1700-219-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2124-221-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/968-239-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/296-264-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/296-266-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2308-305-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/264-300-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/264-298-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2108-331-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2828-350-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2816-384-0x00000000003D0000-0x00000000003FA000-memory.dmp family_blackmoon behavioral1/memory/2740-398-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2996-460-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1492-505-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1968-537-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1192-544-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1540-545-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/896-579-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2084-610-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/3000-662-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1496-701-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2772-785-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1560 phjvtv.exe 2304 lbnpd.exe 2140 lrbjbnj.exe 2228 bnrbb.exe 2888 phhfdf.exe 2788 pppvlb.exe 2908 drhhdp.exe 2700 hlnbphp.exe 2728 ldlhl.exe 2748 pxhldt.exe 2044 xxxdthx.exe 2012 fftrn.exe 1664 rdbvn.exe 1188 fdphfnn.exe 1208 bfrxpl.exe 1636 vjtdft.exe 1972 pnnvnn.exe 836 plvhp.exe 612 ltjphdn.exe 1696 ndlhjjr.exe 2484 jbjdrfr.exe 1700 lvxjdlx.exe 2124 dhtjxtt.exe 1516 pvvrrn.exe 968 dhxhrj.exe 2088 pdfjx.exe 296 flhrbhb.exe 1820 djplhdn.exe 1768 lhbbpfx.exe 2160 xlrjp.exe 264 phblbn.exe 2308 lpbtb.exe 1756 dltnp.exe 1596 tnrpr.exe 2108 xnpth.exe 3040 lljrxdx.exe 2964 frnfdlb.exe 2828 jvvln.exe 3068 lnvlxrx.exe 2824 fvdvblr.exe 2840 xjvfxpb.exe 3000 rxblxh.exe 2816 ljbxjl.exe 2700 hljlt.exe 2740 pvrtj.exe 2192 dhfnv.exe 2660 hhppxjp.exe 2496 jnnlt.exe 2736 dbdrf.exe 1948 jtlnvd.exe 1888 jbnxh.exe 1080 hpvlp.exe 2008 xdbrnpn.exe 2996 vrldntl.exe 2968 dpxxv.exe 3004 vtvthbx.exe 2052 rntvh.exe 2636 xhhxjx.exe 1908 hnrfdd.exe 2772 lhvfp.exe 1492 dpvdxv.exe 1700 rxtjffd.exe 1512 xlvfhf.exe 1068 vhrxbhb.exe -
resource yara_rule behavioral1/memory/2188-8-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1560-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2140-32-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2304-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2228-51-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2888-53-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2908-70-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2908-78-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2728-91-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2700-89-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2044-108-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2748-106-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2012-118-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2044-117-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1664-134-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1188-143-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1208-147-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1636-162-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1972-171-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/836-180-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2484-202-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1700-219-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2124-221-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/968-239-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/296-266-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2160-284-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2308-305-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2108-323-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3068-351-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2828-350-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2824-358-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2740-398-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2192-399-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1888-439-0x00000000003B0000-0x00000000003DA000-memory.dmp upx behavioral1/memory/2996-452-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2996-460-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1492-505-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1700-506-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1192-544-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1540-545-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/896-579-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2804-630-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3000-662-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1496-701-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1908-770-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2772-785-0x00000000003B0000-0x00000000003DA000-memory.dmp upx behavioral1/memory/1064-786-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/968-805-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/1720-843-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bfptj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dflhppv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jlplp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dftddr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vrlbprr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpxlxlv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fhvlv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxlhrd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dhrhhj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjnbnvl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rldll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vbjldl.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fpfftpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jrvftn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 96e9fe16f81f59fd4c5415e28ce45c67902d9a356b0c82dc84996ef309a58074.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbhpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vlnbtlt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvhhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thlpnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttfxvlj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrhhdr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lvdhdl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfhnj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vhlrxj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hpdhrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rttxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lhxdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbhnbvl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lljrxdx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrfbvx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2188 wrote to memory of 1560 2188 96e9fe16f81f59fd4c5415e28ce45c67902d9a356b0c82dc84996ef309a58074.exe 30 PID 2188 wrote to memory of 1560 2188 96e9fe16f81f59fd4c5415e28ce45c67902d9a356b0c82dc84996ef309a58074.exe 30 PID 2188 wrote to memory of 1560 2188 96e9fe16f81f59fd4c5415e28ce45c67902d9a356b0c82dc84996ef309a58074.exe 30 PID 2188 wrote to memory of 1560 2188 96e9fe16f81f59fd4c5415e28ce45c67902d9a356b0c82dc84996ef309a58074.exe 30 PID 1560 wrote to memory of 2304 1560 phjvtv.exe 31 PID 1560 wrote to memory of 2304 1560 phjvtv.exe 31 PID 1560 wrote to memory of 2304 1560 phjvtv.exe 31 PID 1560 wrote to memory of 2304 1560 phjvtv.exe 31 PID 2304 wrote to memory of 2140 2304 lbnpd.exe 32 PID 2304 wrote to memory of 2140 2304 lbnpd.exe 32 PID 2304 wrote to memory of 2140 2304 lbnpd.exe 32 PID 2304 wrote to memory of 2140 2304 lbnpd.exe 32 PID 2140 wrote to memory of 2228 2140 lrbjbnj.exe 33 PID 2140 wrote to memory of 2228 2140 lrbjbnj.exe 33 PID 2140 wrote to memory of 2228 2140 lrbjbnj.exe 33 PID 2140 wrote to memory of 2228 2140 lrbjbnj.exe 33 PID 2228 wrote to memory of 2888 2228 bnrbb.exe 34 PID 2228 wrote to memory of 2888 2228 bnrbb.exe 34 PID 2228 wrote to memory of 2888 2228 bnrbb.exe 34 PID 2228 wrote to memory of 2888 2228 bnrbb.exe 34 PID 2888 wrote to memory of 2788 2888 phhfdf.exe 35 PID 2888 wrote to memory of 2788 2888 phhfdf.exe 35 PID 2888 wrote to memory of 2788 2888 phhfdf.exe 35 PID 2888 wrote to memory of 2788 2888 phhfdf.exe 35 PID 2788 wrote to memory of 2908 2788 pppvlb.exe 36 PID 2788 wrote to memory of 2908 2788 pppvlb.exe 36 PID 2788 wrote to memory of 2908 2788 pppvlb.exe 36 PID 2788 wrote to memory of 2908 2788 pppvlb.exe 36 PID 2908 wrote to memory of 2700 2908 drhhdp.exe 37 PID 2908 wrote to memory of 2700 2908 drhhdp.exe 37 PID 2908 wrote to memory of 2700 2908 drhhdp.exe 37 PID 2908 wrote to memory of 2700 2908 drhhdp.exe 37 PID 2700 wrote to memory of 2728 2700 hlnbphp.exe 38 PID 2700 wrote 
to memory of 2728 2700 hlnbphp.exe 38 PID 2700 wrote to memory of 2728 2700 hlnbphp.exe 38 PID 2700 wrote to memory of 2728 2700 hlnbphp.exe 38 PID 2728 wrote to memory of 2748 2728 ldlhl.exe 39 PID 2728 wrote to memory of 2748 2728 ldlhl.exe 39 PID 2728 wrote to memory of 2748 2728 ldlhl.exe 39 PID 2728 wrote to memory of 2748 2728 ldlhl.exe 39 PID 2748 wrote to memory of 2044 2748 pxhldt.exe 40 PID 2748 wrote to memory of 2044 2748 pxhldt.exe 40 PID 2748 wrote to memory of 2044 2748 pxhldt.exe 40 PID 2748 wrote to memory of 2044 2748 pxhldt.exe 40 PID 2044 wrote to memory of 2012 2044 xxxdthx.exe 41 PID 2044 wrote to memory of 2012 2044 xxxdthx.exe 41 PID 2044 wrote to memory of 2012 2044 xxxdthx.exe 41 PID 2044 wrote to memory of 2012 2044 xxxdthx.exe 41 PID 2012 wrote to memory of 1664 2012 fftrn.exe 42 PID 2012 wrote to memory of 1664 2012 fftrn.exe 42 PID 2012 wrote to memory of 1664 2012 fftrn.exe 42 PID 2012 wrote to memory of 1664 2012 fftrn.exe 42 PID 1664 wrote to memory of 1188 1664 rdbvn.exe 43 PID 1664 wrote to memory of 1188 1664 rdbvn.exe 43 PID 1664 wrote to memory of 1188 1664 rdbvn.exe 43 PID 1664 wrote to memory of 1188 1664 rdbvn.exe 43 PID 1188 wrote to memory of 1208 1188 fdphfnn.exe 44 PID 1188 wrote to memory of 1208 1188 fdphfnn.exe 44 PID 1188 wrote to memory of 1208 1188 fdphfnn.exe 44 PID 1188 wrote to memory of 1208 1188 fdphfnn.exe 44 PID 1208 wrote to memory of 1636 1208 bfrxpl.exe 45 PID 1208 wrote to memory of 1636 1208 bfrxpl.exe 45 PID 1208 wrote to memory of 1636 1208 bfrxpl.exe 45 PID 1208 wrote to memory of 1636 1208 bfrxpl.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\96e9fe16f81f59fd4c5415e28ce45c67902d9a356b0c82dc84996ef309a58074.exe"C:\Users\Admin\AppData\Local\Temp\96e9fe16f81f59fd4c5415e28ce45c67902d9a356b0c82dc84996ef309a58074.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2188 -
\??\c:\phjvtv.exec:\phjvtv.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1560 -
\??\c:\lbnpd.exec:\lbnpd.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2304 -
\??\c:\lrbjbnj.exec:\lrbjbnj.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2140 -
\??\c:\bnrbb.exec:\bnrbb.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2228 -
\??\c:\phhfdf.exec:\phhfdf.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2888 -
\??\c:\pppvlb.exec:\pppvlb.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2788 -
\??\c:\drhhdp.exec:\drhhdp.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2908 -
\??\c:\hlnbphp.exec:\hlnbphp.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2700 -
\??\c:\ldlhl.exec:\ldlhl.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2728 -
\??\c:\pxhldt.exec:\pxhldt.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2748 -
\??\c:\xxxdthx.exec:\xxxdthx.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2044 -
\??\c:\fftrn.exec:\fftrn.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2012 -
\??\c:\rdbvn.exec:\rdbvn.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1664 -
\??\c:\fdphfnn.exec:\fdphfnn.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1188 -
\??\c:\bfrxpl.exec:\bfrxpl.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1208 -
\??\c:\vjtdft.exec:\vjtdft.exe17⤵
- Executes dropped EXE
PID:1636 -
\??\c:\pnnvnn.exec:\pnnvnn.exe18⤵
- Executes dropped EXE
PID:1972 -
\??\c:\plvhp.exec:\plvhp.exe19⤵
- Executes dropped EXE
PID:836 -
\??\c:\ltjphdn.exec:\ltjphdn.exe20⤵
- Executes dropped EXE
PID:612 -
\??\c:\ndlhjjr.exec:\ndlhjjr.exe21⤵
- Executes dropped EXE
PID:1696 -
\??\c:\jbjdrfr.exec:\jbjdrfr.exe22⤵
- Executes dropped EXE
PID:2484 -
\??\c:\lvxjdlx.exec:\lvxjdlx.exe23⤵
- Executes dropped EXE
PID:1700 -
\??\c:\dhtjxtt.exec:\dhtjxtt.exe24⤵
- Executes dropped EXE
PID:2124 -
\??\c:\pvvrrn.exec:\pvvrrn.exe25⤵
- Executes dropped EXE
PID:1516 -
\??\c:\dhxhrj.exec:\dhxhrj.exe26⤵
- Executes dropped EXE
PID:968 -
\??\c:\pdfjx.exec:\pdfjx.exe27⤵
- Executes dropped EXE
PID:2088 -
\??\c:\flhrbhb.exec:\flhrbhb.exe28⤵
- Executes dropped EXE
PID:296 -
\??\c:\djplhdn.exec:\djplhdn.exe29⤵
- Executes dropped EXE
PID:1820 -
\??\c:\lhbbpfx.exec:\lhbbpfx.exe30⤵
- Executes dropped EXE
PID:1768 -
\??\c:\xlrjp.exec:\xlrjp.exe31⤵
- Executes dropped EXE
PID:2160 -
\??\c:\phblbn.exec:\phblbn.exe32⤵
- Executes dropped EXE
PID:264 -
\??\c:\lpbtb.exec:\lpbtb.exe33⤵
- Executes dropped EXE
PID:2308 -
\??\c:\dltnp.exec:\dltnp.exe34⤵
- Executes dropped EXE
PID:1756 -
\??\c:\tnrpr.exec:\tnrpr.exe35⤵
- Executes dropped EXE
PID:1596 -
\??\c:\xnpth.exec:\xnpth.exe36⤵
- Executes dropped EXE
PID:2108 -
\??\c:\lljrxdx.exec:\lljrxdx.exe37⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3040 -
\??\c:\frnfdlb.exec:\frnfdlb.exe38⤵
- Executes dropped EXE
PID:2964 -
\??\c:\jvvln.exec:\jvvln.exe39⤵
- Executes dropped EXE
PID:2828 -
\??\c:\lnvlxrx.exec:\lnvlxrx.exe40⤵
- Executes dropped EXE
PID:3068 -
\??\c:\fvdvblr.exec:\fvdvblr.exe41⤵
- Executes dropped EXE
PID:2824 -
\??\c:\xjvfxpb.exec:\xjvfxpb.exe42⤵
- Executes dropped EXE
PID:2840 -
\??\c:\rxblxh.exec:\rxblxh.exe43⤵
- Executes dropped EXE
PID:3000 -
\??\c:\ljbxjl.exec:\ljbxjl.exe44⤵
- Executes dropped EXE
PID:2816 -
\??\c:\hljlt.exec:\hljlt.exe45⤵
- Executes dropped EXE
PID:2700 -
\??\c:\pvrtj.exec:\pvrtj.exe46⤵
- Executes dropped EXE
PID:2740 -
\??\c:\dhfnv.exec:\dhfnv.exe47⤵
- Executes dropped EXE
PID:2192 -
\??\c:\hhppxjp.exec:\hhppxjp.exe48⤵
- Executes dropped EXE
PID:2660 -
\??\c:\jnnlt.exec:\jnnlt.exe49⤵
- Executes dropped EXE
PID:2496 -
\??\c:\dbdrf.exec:\dbdrf.exe50⤵
- Executes dropped EXE
PID:2736 -
\??\c:\jtlnvd.exec:\jtlnvd.exe51⤵
- Executes dropped EXE
PID:1948 -
\??\c:\jbnxh.exec:\jbnxh.exe52⤵
- Executes dropped EXE
PID:1888 -
\??\c:\hpvlp.exec:\hpvlp.exe53⤵
- Executes dropped EXE
PID:1080 -
\??\c:\xdbrnpn.exec:\xdbrnpn.exe54⤵
- Executes dropped EXE
PID:2008 -
\??\c:\vrldntl.exec:\vrldntl.exe55⤵
- Executes dropped EXE
PID:2996 -
\??\c:\dpxxv.exec:\dpxxv.exe56⤵
- Executes dropped EXE
PID:2968 -
\??\c:\vtvthbx.exec:\vtvthbx.exe57⤵
- Executes dropped EXE
PID:3004 -
\??\c:\rntvh.exec:\rntvh.exe58⤵
- Executes dropped EXE
PID:2052 -
\??\c:\xhhxjx.exec:\xhhxjx.exe59⤵
- Executes dropped EXE
PID:2636 -
\??\c:\hnrfdd.exec:\hnrfdd.exe60⤵
- Executes dropped EXE
PID:1908 -
\??\c:\lhvfp.exec:\lhvfp.exe61⤵
- Executes dropped EXE
PID:2772 -
\??\c:\dpvdxv.exec:\dpvdxv.exe62⤵
- Executes dropped EXE
PID:1492 -
\??\c:\rxtjffd.exec:\rxtjffd.exe63⤵
- Executes dropped EXE
PID:1700 -
\??\c:\xlvfhf.exec:\xlvfhf.exe64⤵
- Executes dropped EXE
PID:1512 -
\??\c:\vhrxbhb.exec:\vhrxbhb.exe65⤵
- Executes dropped EXE
PID:1068 -
\??\c:\xlnhjbj.exec:\xlnhjbj.exe66⤵PID:1728
-
\??\c:\bptjfl.exec:\bptjfl.exe67⤵PID:1968
-
\??\c:\pxbrtx.exec:\pxbrtx.exe68⤵PID:1192
-
\??\c:\xjvjp.exec:\xjvjp.exe69⤵PID:1540
-
\??\c:\vltvlpr.exec:\vltvlpr.exe70⤵PID:2504
-
\??\c:\pfptrt.exec:\pfptrt.exe71⤵PID:2172
-
\??\c:\lxnxth.exec:\lxnxth.exe72⤵PID:1016
-
\??\c:\hhhbjl.exec:\hhhbjl.exe73⤵PID:896
-
\??\c:\fhjfdlp.exec:\fhjfdlp.exe74⤵PID:2492
-
\??\c:\lfndxxf.exec:\lfndxxf.exe75⤵PID:1576
-
\??\c:\plxxhft.exec:\plxxhft.exe76⤵PID:2112
-
\??\c:\vxpfp.exec:\vxpfp.exe77⤵PID:1708
-
\??\c:\fpfftpj.exec:\fpfftpj.exe78⤵
- System Location Discovery: System Language Discovery
PID:2084 -
\??\c:\xfddjlv.exec:\xfddjlv.exe79⤵PID:2108
-
\??\c:\jdjtpxn.exec:\jdjtpxn.exe80⤵PID:1920
-
\??\c:\dpxfjf.exec:\dpxfjf.exe81⤵PID:2068
-
\??\c:\ntppntx.exec:\ntppntx.exe82⤵PID:2804
-
\??\c:\nftnrbh.exec:\nftnrbh.exe83⤵PID:2232
-
\??\c:\phjdx.exec:\phjdx.exe84⤵PID:2824
-
\??\c:\txhlfjl.exec:\txhlfjl.exe85⤵PID:1264
-
\??\c:\frhhb.exec:\frhhb.exe86⤵PID:3000
-
\??\c:\bbjrv.exec:\bbjrv.exe87⤵PID:2680
-
\??\c:\fpfldl.exec:\fpfldl.exe88⤵PID:2672
-
\??\c:\frfjx.exec:\frfjx.exe89⤵PID:2724
-
\??\c:\ljxpjp.exec:\ljxpjp.exe90⤵PID:2656
-
\??\c:\ptddnh.exec:\ptddnh.exe91⤵PID:2972
-
\??\c:\nlntplr.exec:\nlntplr.exe92⤵PID:1496
-
\??\c:\rddxp.exec:\rddxp.exe93⤵PID:2028
-
\??\c:\fdnxfhb.exec:\fdnxfhb.exe94⤵PID:1328
-
\??\c:\lxndb.exec:\lxndb.exe95⤵PID:1640
-
\??\c:\lpndplt.exec:\lpndplt.exe96⤵PID:2576
-
\??\c:\tvxhvx.exec:\tvxhvx.exe97⤵PID:2988
-
\??\c:\htbbt.exec:\htbbt.exe98⤵PID:1988
-
\??\c:\fjhhr.exec:\fjhhr.exe99⤵PID:3028
-
\??\c:\nhnxbtj.exec:\nhnxbtj.exe100⤵PID:2280
-
\??\c:\ptppj.exec:\ptppj.exe101⤵PID:3004
-
\??\c:\tbhhntd.exec:\tbhhntd.exe102⤵PID:2236
-
\??\c:\jffbl.exec:\jffbl.exe103⤵PID:2636
-
\??\c:\vlxrpld.exec:\vlxrpld.exe104⤵PID:1908
-
\??\c:\hftnhdn.exec:\hftnhdn.exe105⤵PID:2772
-
\??\c:\fvhnjp.exec:\fvhnjp.exe106⤵PID:1064
-
\??\c:\nnfddp.exec:\nnfddp.exe107⤵PID:1788
-
\??\c:\xldrl.exec:\xldrl.exe108⤵PID:2328
-
\??\c:\lpjvt.exec:\lpjvt.exe109⤵PID:968
-
\??\c:\vpfhrrl.exec:\vpfhrrl.exe110⤵PID:1728
-
\??\c:\phhfjdr.exec:\phhfjdr.exe111⤵PID:1432
-
\??\c:\nhrfhj.exec:\nhrfhj.exe112⤵PID:1584
-
\??\c:\tjhxtv.exec:\tjhxtv.exe113⤵PID:1892
-
\??\c:\xfxplf.exec:\xfxplf.exe114⤵PID:572
-
\??\c:\jhxln.exec:\jhxln.exe115⤵PID:1720
-
\??\c:\tvxhf.exec:\tvxhf.exe116⤵PID:1016
-
\??\c:\djhvn.exec:\djhvn.exe117⤵PID:2452
-
\??\c:\pfljb.exec:\pfljb.exe118⤵PID:2468
-
\??\c:\njvrxxv.exec:\njvrxxv.exe119⤵PID:2384
-
\??\c:\txfpfv.exec:\txfpfv.exe120⤵PID:2092
-
\??\c:\djrjntn.exec:\djrjntn.exe121⤵PID:3044
-
\??\c:\dlnhl.exec:\dlnhl.exe122⤵PID:2196