Analysis
-
max time kernel
120s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64 arch:x86 image:win7-20241010-en locale:en-us os:windows7-x64 system -
submitted
08/01/2025, 07:13
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
efb1119aadc2b3f574e9a708b1fb4fc3590861a8481d93d561d8719b60a57e8b.exe
Resource
win7-20241010-en
7 signatures
120 seconds
General
-
Target
efb1119aadc2b3f574e9a708b1fb4fc3590861a8481d93d561d8719b60a57e8b.exe
-
Size
454KB
-
MD5
1c977ccb5393f8f5cff03b6ce0871d9f
-
SHA1
bc0d6f2e5733d0192033a4a1a6f543443a5cf2b1
-
SHA256
efb1119aadc2b3f574e9a708b1fb4fc3590861a8481d93d561d8719b60a57e8b
-
SHA512
91fbe701f28ae8552ad002b1e2219708b451aeb3048d42346bb3b5edd10cd6c569004290c0a85396464dd9512054909bfadb40b428f6e7b5395686d0b82bce0b
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe83:q7Tc2NYHUrAwfMp3CD83
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 43 IoCs
resource yara_rule behavioral1/memory/2352-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3032-9-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2036-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1080-39-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1080-38-0x00000000005C0000-0x00000000005EA000-memory.dmp family_blackmoon behavioral1/memory/1576-50-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2848-61-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1080-70-0x00000000005C0000-0x00000000005EA000-memory.dmp family_blackmoon behavioral1/memory/2668-78-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2768-87-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2960-116-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2612-106-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2836-144-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1172-126-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/948-155-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1944-191-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1492-248-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/900-247-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2568-313-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1636-320-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2476-326-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/588-340-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2232-354-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1472-264-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1476-228-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1120-182-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2280-96-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1296-427-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2700-436-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2840-442-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2820-451-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/3004-479-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/880-520-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/1980-521-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/264-548-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2316-549-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1532-561-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/376-565-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/1600-577-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/2116-647-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/2680-664-0x0000000000250000-0x000000000027A000-memory.dmp family_blackmoon behavioral1/memory/756-670-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/916-759-0x00000000003D0000-0x00000000003FA000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2352 pxrdhhb.exe 2036 vrvlbx.exe 1080 jxjxhp.exe 1576 vflvdtd.exe 2848 tprllxd.exe 2640 rxjdf.exe 2668 fnvxnn.exe 2768 bxvlllt.exe 2280 vddnn.exe 2612 ppxbjx.exe 2960 xftfvt.exe 1172 pfvbrd.exe 2692 rhnddp.exe 2836 prbxpd.exe 948 lbtxp.exe 1900 bllvlrb.exe 3008 ltjllnl.exe 1120 tfdvnx.exe 1944 bldptbb.exe 1828 jdhvx.exe 2072 bnxrv.exe 956 rpdjbld.exe 960 ltjpvf.exe 1476 dphrp.exe 900 xntdr.exe 1492 jhfvbrt.exe 1472 lvbptrd.exe 584 rhhnn.exe 2328 dpxpvnr.exe 1716 fdjlbv.exe 2484 xhnpbbd.exe 2564 bjjrdtv.exe 2568 hbrnx.exe 1636 vfxdb.exe 2476 blhpf.exe 2844 txbvjrp.exe 588 xdrnp.exe 2492 dxbtbb.exe 2872 ldrfl.exe 2232 ftbdb.exe 1688 nhhrdv.exe 2828 vpffrfl.exe 2396 vjnbjf.exe 2264 vxbrlv.exe 1572 bxxtrl.exe 2300 txxjhj.exe 1992 flxhbb.exe 1456 bvjhxnh.exe 2096 nbdlnl.exe 1296 nntdlb.exe 2700 phppvjd.exe 2840 ljtdhr.exe 2820 drpnpf.exe 3008 jvjvn.exe 1120 xtvvbf.exe 1484 frxvnjn.exe 1884 tllpff.exe 3004 dfbpn.exe 1680 nnfvr.exe 1836 lpbfv.exe 960 vvfdp.exe 1476 jjvjrf.exe 880 pflxf.exe 1980 tltvntr.exe -
resource yara_rule behavioral1/memory/2352-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3032-9-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2036-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1576-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1080-39-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1576-50-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2848-61-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2768-79-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2668-78-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2768-87-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2960-116-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2668-107-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2612-106-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2836-144-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2836-136-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1172-126-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/948-155-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1120-173-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1944-191-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1492-248-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/900-247-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2568-313-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1636-320-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2476-326-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/588-340-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2232-354-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1456-407-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1472-264-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1476-228-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1828-192-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1120-182-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2280-96-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1296-427-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2700-436-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1484-464-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3004-479-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/880-512-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1980-521-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/264-548-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2316-549-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2912-656-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/756-670-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2988-719-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hpfrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tftjrj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvhlhpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lnpxp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnldd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xjxjtx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dtdrldb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hvdvvbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rjbdhvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xfjfv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btbbthh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pnbjpx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvrtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xvtllr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bvjhxnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rldlj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvhvjrt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxdnb.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrxnbhp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rttxtfn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lbjxfjh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ldjftl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djldjnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bvhhv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tvbdl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rhnddp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rnlpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dhvjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xfdfxbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fjxfhlb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jhnpbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lffpjh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dtjlvpr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhdhnj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vfxnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
jnjblt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fnjrxt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jfltnpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xjvdh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tpdxbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rndvb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language phfxhpf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jbfpfd.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3032 wrote to memory of 2352 3032 efb1119aadc2b3f574e9a708b1fb4fc3590861a8481d93d561d8719b60a57e8b.exe 31 PID 3032 wrote to memory of 2352 3032 efb1119aadc2b3f574e9a708b1fb4fc3590861a8481d93d561d8719b60a57e8b.exe 31 PID 3032 wrote to memory of 2352 3032 efb1119aadc2b3f574e9a708b1fb4fc3590861a8481d93d561d8719b60a57e8b.exe 31 PID 3032 wrote to memory of 2352 3032 efb1119aadc2b3f574e9a708b1fb4fc3590861a8481d93d561d8719b60a57e8b.exe 31 PID 2352 wrote to memory of 2036 2352 pxrdhhb.exe 32 PID 2352 wrote to memory of 2036 2352 pxrdhhb.exe 32 PID 2352 wrote to memory of 2036 2352 pxrdhhb.exe 32 PID 2352 wrote to memory of 2036 2352 pxrdhhb.exe 32 PID 2036 wrote to memory of 1080 2036 vrvlbx.exe 33 PID 2036 wrote to memory of 1080 2036 vrvlbx.exe 33 PID 2036 wrote to memory of 1080 2036 vrvlbx.exe 33 PID 2036 wrote to memory of 1080 2036 vrvlbx.exe 33 PID 1080 wrote to memory of 1576 1080 jxjxhp.exe 34 PID 1080 wrote to memory of 1576 1080 jxjxhp.exe 34 PID 1080 wrote to memory of 1576 1080 jxjxhp.exe 34 PID 1080 wrote to memory of 1576 1080 jxjxhp.exe 34 PID 1576 wrote to memory of 2848 1576 vflvdtd.exe 35 PID 1576 wrote to memory of 2848 1576 vflvdtd.exe 35 PID 1576 wrote to memory of 2848 1576 vflvdtd.exe 35 PID 1576 wrote to memory of 2848 1576 vflvdtd.exe 35 PID 2848 wrote to memory of 2640 2848 tprllxd.exe 36 PID 2848 wrote to memory of 2640 2848 tprllxd.exe 36 PID 2848 wrote to memory of 2640 2848 tprllxd.exe 36 PID 2848 wrote to memory of 2640 2848 tprllxd.exe 36 PID 2640 wrote to memory of 2668 2640 rxjdf.exe 37 PID 2640 wrote to memory of 2668 2640 rxjdf.exe 37 PID 2640 wrote to memory of 2668 2640 rxjdf.exe 37 PID 2640 wrote to memory of 2668 2640 rxjdf.exe 37 PID 2668 wrote to memory of 2768 2668 fnvxnn.exe 38 PID 2668 wrote to memory of 2768 2668 fnvxnn.exe 38 PID 2668 wrote to memory of 2768 2668 fnvxnn.exe 38 PID 2668 wrote to memory of 2768 2668 fnvxnn.exe 38 PID 2768 wrote to memory of 2280 2768 bxvlllt.exe 39 PID 
2768 wrote to memory of 2280 2768 bxvlllt.exe 39 PID 2768 wrote to memory of 2280 2768 bxvlllt.exe 39 PID 2768 wrote to memory of 2280 2768 bxvlllt.exe 39 PID 2280 wrote to memory of 2612 2280 vddnn.exe 40 PID 2280 wrote to memory of 2612 2280 vddnn.exe 40 PID 2280 wrote to memory of 2612 2280 vddnn.exe 40 PID 2280 wrote to memory of 2612 2280 vddnn.exe 40 PID 2612 wrote to memory of 2960 2612 ppxbjx.exe 41 PID 2612 wrote to memory of 2960 2612 ppxbjx.exe 41 PID 2612 wrote to memory of 2960 2612 ppxbjx.exe 41 PID 2612 wrote to memory of 2960 2612 ppxbjx.exe 41 PID 2960 wrote to memory of 1172 2960 xftfvt.exe 42 PID 2960 wrote to memory of 1172 2960 xftfvt.exe 42 PID 2960 wrote to memory of 1172 2960 xftfvt.exe 42 PID 2960 wrote to memory of 1172 2960 xftfvt.exe 42 PID 1172 wrote to memory of 2692 1172 pfvbrd.exe 43 PID 1172 wrote to memory of 2692 1172 pfvbrd.exe 43 PID 1172 wrote to memory of 2692 1172 pfvbrd.exe 43 PID 1172 wrote to memory of 2692 1172 pfvbrd.exe 43 PID 2692 wrote to memory of 2836 2692 rhnddp.exe 44 PID 2692 wrote to memory of 2836 2692 rhnddp.exe 44 PID 2692 wrote to memory of 2836 2692 rhnddp.exe 44 PID 2692 wrote to memory of 2836 2692 rhnddp.exe 44 PID 2836 wrote to memory of 948 2836 prbxpd.exe 45 PID 2836 wrote to memory of 948 2836 prbxpd.exe 45 PID 2836 wrote to memory of 948 2836 prbxpd.exe 45 PID 2836 wrote to memory of 948 2836 prbxpd.exe 45 PID 948 wrote to memory of 1900 948 lbtxp.exe 46 PID 948 wrote to memory of 1900 948 lbtxp.exe 46 PID 948 wrote to memory of 1900 948 lbtxp.exe 46 PID 948 wrote to memory of 1900 948 lbtxp.exe 46
Processes
-
C:\Users\Admin\AppData\Local\Temp\efb1119aadc2b3f574e9a708b1fb4fc3590861a8481d93d561d8719b60a57e8b.exe"C:\Users\Admin\AppData\Local\Temp\efb1119aadc2b3f574e9a708b1fb4fc3590861a8481d93d561d8719b60a57e8b.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3032 -
\??\c:\pxrdhhb.exec:\pxrdhhb.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2352 -
\??\c:\vrvlbx.exec:\vrvlbx.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2036 -
\??\c:\jxjxhp.exec:\jxjxhp.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1080 -
\??\c:\vflvdtd.exec:\vflvdtd.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1576 -
\??\c:\tprllxd.exec:\tprllxd.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2848 -
\??\c:\rxjdf.exec:\rxjdf.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2640 -
\??\c:\fnvxnn.exec:\fnvxnn.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2668 -
\??\c:\bxvlllt.exec:\bxvlllt.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2768 -
\??\c:\vddnn.exec:\vddnn.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2280 -
\??\c:\ppxbjx.exec:\ppxbjx.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2612 -
\??\c:\xftfvt.exec:\xftfvt.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2960 -
\??\c:\pfvbrd.exec:\pfvbrd.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1172 -
\??\c:\rhnddp.exec:\rhnddp.exe14⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2692 -
\??\c:\prbxpd.exec:\prbxpd.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2836 -
\??\c:\lbtxp.exec:\lbtxp.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:948 -
\??\c:\bllvlrb.exec:\bllvlrb.exe17⤵
- Executes dropped EXE
PID:1900 -
\??\c:\ltjllnl.exec:\ltjllnl.exe18⤵
- Executes dropped EXE
PID:3008 -
\??\c:\tfdvnx.exec:\tfdvnx.exe19⤵
- Executes dropped EXE
PID:1120 -
\??\c:\bldptbb.exec:\bldptbb.exe20⤵
- Executes dropped EXE
PID:1944 -
\??\c:\jdhvx.exec:\jdhvx.exe21⤵
- Executes dropped EXE
PID:1828 -
\??\c:\bnxrv.exec:\bnxrv.exe22⤵
- Executes dropped EXE
PID:2072 -
\??\c:\rpdjbld.exec:\rpdjbld.exe23⤵
- Executes dropped EXE
PID:956 -
\??\c:\ltjpvf.exec:\ltjpvf.exe24⤵
- Executes dropped EXE
PID:960 -
\??\c:\dphrp.exec:\dphrp.exe25⤵
- Executes dropped EXE
PID:1476 -
\??\c:\xntdr.exec:\xntdr.exe26⤵
- Executes dropped EXE
PID:900 -
\??\c:\jhfvbrt.exec:\jhfvbrt.exe27⤵
- Executes dropped EXE
PID:1492 -
\??\c:\lvbptrd.exec:\lvbptrd.exe28⤵
- Executes dropped EXE
PID:1472 -
\??\c:\rhhnn.exec:\rhhnn.exe29⤵
- Executes dropped EXE
PID:584 -
\??\c:\dpxpvnr.exec:\dpxpvnr.exe30⤵
- Executes dropped EXE
PID:2328 -
\??\c:\fdjlbv.exec:\fdjlbv.exe31⤵
- Executes dropped EXE
PID:1716 -
\??\c:\xhnpbbd.exec:\xhnpbbd.exe32⤵
- Executes dropped EXE
PID:2484 -
\??\c:\bjjrdtv.exec:\bjjrdtv.exe33⤵
- Executes dropped EXE
PID:2564 -
\??\c:\hbrnx.exec:\hbrnx.exe34⤵
- Executes dropped EXE
PID:2568 -
\??\c:\vfxdb.exec:\vfxdb.exe35⤵
- Executes dropped EXE
PID:1636 -
\??\c:\blhpf.exec:\blhpf.exe36⤵
- Executes dropped EXE
PID:2476 -
\??\c:\txbvjrp.exec:\txbvjrp.exe37⤵
- Executes dropped EXE
PID:2844 -
\??\c:\xdrnp.exec:\xdrnp.exe38⤵
- Executes dropped EXE
PID:588 -
\??\c:\dxbtbb.exec:\dxbtbb.exe39⤵
- Executes dropped EXE
PID:2492 -
\??\c:\ldrfl.exec:\ldrfl.exe40⤵
- Executes dropped EXE
PID:2872 -
\??\c:\ftbdb.exec:\ftbdb.exe41⤵
- Executes dropped EXE
PID:2232 -
\??\c:\nhhrdv.exec:\nhhrdv.exe42⤵
- Executes dropped EXE
PID:1688 -
\??\c:\vpffrfl.exec:\vpffrfl.exe43⤵
- Executes dropped EXE
PID:2828 -
\??\c:\vjnbjf.exec:\vjnbjf.exe44⤵
- Executes dropped EXE
PID:2396 -
\??\c:\vxbrlv.exec:\vxbrlv.exe45⤵
- Executes dropped EXE
PID:2264 -
\??\c:\bxxtrl.exec:\bxxtrl.exe46⤵
- Executes dropped EXE
PID:1572 -
\??\c:\txxjhj.exec:\txxjhj.exe47⤵
- Executes dropped EXE
PID:2300 -
\??\c:\flxhbb.exec:\flxhbb.exe48⤵
- Executes dropped EXE
PID:1992 -
\??\c:\bvjhxnh.exec:\bvjhxnh.exe49⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1456 -
\??\c:\nbdlnl.exec:\nbdlnl.exe50⤵
- Executes dropped EXE
PID:2096 -
\??\c:\nntdlb.exec:\nntdlb.exe51⤵
- Executes dropped EXE
PID:1296 -
\??\c:\phppvjd.exec:\phppvjd.exe52⤵
- Executes dropped EXE
PID:2700 -
\??\c:\ljtdhr.exec:\ljtdhr.exe53⤵
- Executes dropped EXE
PID:2840 -
\??\c:\drpnpf.exec:\drpnpf.exe54⤵
- Executes dropped EXE
PID:2820 -
\??\c:\jvjvn.exec:\jvjvn.exe55⤵
- Executes dropped EXE
PID:3008 -
\??\c:\xtvvbf.exec:\xtvvbf.exe56⤵
- Executes dropped EXE
PID:1120 -
\??\c:\frxvnjn.exec:\frxvnjn.exe57⤵
- Executes dropped EXE
PID:1484 -
\??\c:\tllpff.exec:\tllpff.exe58⤵
- Executes dropped EXE
PID:1884 -
\??\c:\dfbpn.exec:\dfbpn.exe59⤵
- Executes dropped EXE
PID:3004 -
\??\c:\nnfvr.exec:\nnfvr.exe60⤵
- Executes dropped EXE
PID:1680 -
\??\c:\lpbfv.exec:\lpbfv.exe61⤵
- Executes dropped EXE
PID:1836 -
\??\c:\vvfdp.exec:\vvfdp.exe62⤵
- Executes dropped EXE
PID:960 -
\??\c:\jjvjrf.exec:\jjvjrf.exe63⤵
- Executes dropped EXE
PID:1476 -
\??\c:\pflxf.exec:\pflxf.exe64⤵
- Executes dropped EXE
PID:880 -
\??\c:\tltvntr.exec:\tltvntr.exe65⤵
- Executes dropped EXE
PID:1980 -
\??\c:\rffpjr.exec:\rffpjr.exe66⤵PID:2520
-
\??\c:\btfvp.exec:\btfvp.exe67⤵PID:376
-
\??\c:\lblxrd.exec:\lblxrd.exe68⤵PID:264
-
\??\c:\lxxrhvt.exec:\lxxrhvt.exe69⤵PID:2316
-
\??\c:\jxpvnp.exec:\jxpvnp.exe70⤵PID:1532
-
\??\c:\rrlft.exec:\rrlft.exe71⤵PID:2420
-
\??\c:\thxvff.exec:\thxvff.exe72⤵PID:1600
-
\??\c:\lrjvh.exec:\lrjvh.exe73⤵PID:1724
-
\??\c:\ptllj.exec:\ptllj.exe74⤵PID:524
-
\??\c:\hvdvvbn.exec:\hvdvvbn.exe75⤵
- System Location Discovery: System Language Discovery
PID:2324 -
\??\c:\hdvrjf.exec:\hdvrjf.exe76⤵PID:2476
-
\??\c:\lxtlvht.exec:\lxtlvht.exe77⤵PID:2844
-
\??\c:\jvhtdh.exec:\jvhtdh.exe78⤵PID:2580
-
\??\c:\pnppnrr.exec:\pnppnrr.exe79⤵PID:2904
-
\??\c:\btlfjr.exec:\btlfjr.exe80⤵PID:2748
-
\??\c:\dpbvrr.exec:\dpbvrr.exe81⤵PID:2736
-
\??\c:\fjrfr.exec:\fjrfr.exe82⤵PID:2680
-
\??\c:\tdnrr.exec:\tdnrr.exe83⤵PID:2116
-
\??\c:\xltxvl.exec:\xltxvl.exe84⤵PID:1144
-
\??\c:\vjtbhr.exec:\vjtbhr.exe85⤵PID:2912
-
\??\c:\xfjfv.exec:\xfjfv.exe86⤵
- System Location Discovery: System Language Discovery
PID:2752 -
\??\c:\ffrll.exec:\ffrll.exe87⤵PID:756
-
\??\c:\bthxtp.exec:\bthxtp.exe88⤵PID:1908
-
\??\c:\phdpjf.exec:\phdpjf.exe89⤵PID:1992
-
\??\c:\vvfrltn.exec:\vvfrltn.exe90⤵PID:1172
-
\??\c:\xxthtbn.exec:\xxthtbn.exe91⤵PID:2808
-
\??\c:\frhnr.exec:\frhnr.exe92⤵PID:1652
-
\??\c:\vhntr.exec:\vhntr.exe93⤵PID:1176
-
\??\c:\hdhbl.exec:\hdhbl.exe94⤵PID:1900
-
\??\c:\ddlnvtp.exec:\ddlnvtp.exe95⤵PID:2988
-
\??\c:\jtbpllx.exec:\jtbpllx.exe96⤵PID:2080
-
\??\c:\xjjpbnh.exec:\xjjpbnh.exe97⤵PID:2592
-
\??\c:\xfthn.exec:\xfthn.exe98⤵PID:2248
-
\??\c:\nljrxxh.exec:\nljrxxh.exe99⤵PID:1484
-
\??\c:\rrlhl.exec:\rrlhl.exe100⤵PID:916
-
\??\c:\tlrfv.exec:\tlrfv.exe101⤵PID:1620
-
\??\c:\hldbln.exec:\hldbln.exe102⤵PID:2088
-
\??\c:\btbbx.exec:\btbbx.exe103⤵PID:1732
-
\??\c:\hnbhpp.exec:\hnbhpp.exe104⤵PID:1528
-
\??\c:\tjbpl.exec:\tjbpl.exe105⤵PID:1488
-
\??\c:\rjldh.exec:\rjldh.exe106⤵PID:1796
-
\??\c:\drlljdh.exec:\drlljdh.exe107⤵PID:2288
-
\??\c:\lxrpf.exec:\lxrpf.exe108⤵PID:584
-
\??\c:\bphxrn.exec:\bphxrn.exe109⤵PID:1768
-
\??\c:\prhvl.exec:\prhvl.exe110⤵PID:2332
-
\??\c:\nhdlp.exec:\nhdlp.exe111⤵PID:568
-
\??\c:\xtbxnv.exec:\xtbxnv.exe112⤵PID:2344
-
\??\c:\xrdfjnb.exec:\xrdfjnb.exe113⤵PID:1596
-
\??\c:\vnbhfvv.exec:\vnbhfvv.exe114⤵PID:2608
-
\??\c:\jfxvfj.exec:\jfxvfj.exe115⤵PID:2236
-
\??\c:\dxvpb.exec:\dxvpb.exe116⤵PID:2760
-
\??\c:\rpjrn.exec:\rpjrn.exe117⤵PID:1080
-
\??\c:\bphtr.exec:\bphtr.exe118⤵PID:1628
-
\??\c:\vdblth.exec:\vdblth.exe119⤵PID:3052
-
\??\c:\nblbrd.exec:\nblbrd.exe120⤵PID:2844
-
\??\c:\lbvdhj.exec:\lbvdhj.exe121⤵PID:2848
-
\??\c:\fnpbdtp.exec:\fnpbdtp.exe122⤵PID:2468