Analysis
-
max time kernel
120s -
max time network
125s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64 arch:x86 image:win7-20241010-en locale:en-us os:windows7-x64 system -
submitted
08/01/2025, 07:15
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
a6649cebd4f38845634941115648ca2f2a820fd1f274f7993c25a70fa97ca35a.exe
Resource
win7-20241010-en
7 signatures
120 seconds
General
-
Target
a6649cebd4f38845634941115648ca2f2a820fd1f274f7993c25a70fa97ca35a.exe
-
Size
454KB
-
MD5
7274e150b5a85a41a35089bfa50cc790
-
SHA1
1bad12e134c8fa99c5ebbdb0ad8ee67e38506485
-
SHA256
a6649cebd4f38845634941115648ca2f2a820fd1f274f7993c25a70fa97ca35a
-
SHA512
b7b9ba5dd8eb6d184dea0afd972c4d052a2dd1286e160207aa5692d31ad2913b027e980f3d43502236d33347d00e7531dc999c444e54866afb1503da64c07fab
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbek:q7Tc2NYHUrAwfMp3CDk
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 41 IoCs
resource yara_rule behavioral1/memory/1156-192-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/868-152-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/992-140-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2460-131-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2360-114-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1676-105-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2380-97-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1032-87-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2724-79-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1856-69-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2856-59-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2784-50-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2888-39-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2340-27-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2340-21-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2496-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2208-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2564-201-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1624-205-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/680-213-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1584-222-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2100-247-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1008-268-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1804-257-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2120-285-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2120-284-0x0000000000250000-0x000000000027A000-memory.dmp family_blackmoon behavioral1/memory/1724-302-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1724-326-0x0000000000260000-0x000000000028A000-memory.dmp family_blackmoon behavioral1/memory/2348-377-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2992-414-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1384-453-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2492-506-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1868-521-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2796-613-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/2020-683-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2580-690-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/2368-728-0x0000000000340000-0x000000000036A000-memory.dmp family_blackmoon behavioral1/memory/808-736-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/948-792-0x00000000003D0000-0x00000000003FA000-memory.dmp family_blackmoon behavioral1/memory/2220-830-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2180-850-0x0000000000330000-0x000000000035A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2496 nppxxvx.exe 2340 dbtpt.exe 2888 fjrvbx.exe 2784 xrxjlh.exe 2856 bpbnn.exe 1856 vxvxrh.exe 2724 pjnlfll.exe 1032 dlphhr.exe 2380 bjfpvp.exe 1676 ldxdpp.exe 2360 dxrjjnr.exe 2948 brvnlp.exe 2460 prvdb.exe 992 lnbnlf.exe 868 pxllh.exe 584 vbdddx.exe 2144 flnph.exe 2832 hplxj.exe 2156 rdfvfdf.exe 1156 rvlfl.exe 2564 bjbhrlv.exe 1624 xxvtljp.exe 680 dhbjnj.exe 1584 vfhnrj.exe 1060 jfhrx.exe 2100 dbprdvf.exe 1804 llhnh.exe 1860 vdxtx.exe 1008 npxtlr.exe 2120 dplndh.exe 1932 btjxrft.exe 1724 xhhbt.exe 2292 dfbhxhf.exe 2944 vpvtrr.exe 2276 vtjfvbp.exe 1504 frjlllv.exe 2896 pftjlr.exe 3064 vdpjdn.exe 2776 vvvlf.exe 2828 xhbnxfd.exe 3016 jvrbt.exe 2704 jllrl.exe 2348 xvfvhdv.exe 2820 xrhrnpx.exe 2628 bhthvfp.exe 2544 rtxtjpn.exe 2588 tjrhllp.exe 2592 xtldn.exe 2296 xdtrdt.exe 2992 hflxjrv.exe 988 lhltb.exe 2952 hbxvn.exe 2016 hnflbr.exe 2384 hfdpxdb.exe 1384 fftnl.exe 584 dnjhlfh.exe 2176 bhtrbrx.exe 2160 xvrvddd.exe 2472 bbtpb.exe 2476 xtbfr.exe 1944 bnfvjbd.exe 2564 rrhrvd.exe 2492 nptpvlh.exe 692 xxndllt.exe -
resource yara_rule behavioral1/memory/1156-192-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/868-152-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/992-140-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2460-131-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2360-114-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1676-105-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2380-97-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1032-87-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2724-79-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2724-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1856-69-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2856-59-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2784-50-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2784-48-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2888-39-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2340-21-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2496-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2208-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2564-201-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1624-205-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/680-213-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1584-222-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2100-247-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1008-268-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2120-285-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1724-302-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2276-317-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2348-377-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2992-414-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1384-453-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1944-487-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2564-494-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2492-506-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1868-521-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2108-575-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2632-664-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2020-683-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2988-715-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/808-736-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/664-743-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2424-772-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2180-843-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2736-877-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer that host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tvrlhxn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ltbfdn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lbhjxbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pppvddj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jbnbp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bjbhrlv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fthrplb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlvvb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrphp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jtnhffl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pbdtjl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xfdjf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language prdxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrphbdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xtbrhv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ljxthv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdhdnj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lbtjfh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bxvdtx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vbdddx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jlbfh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pxvtnnx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dbvdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ldjpfjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htvbrb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tlnvvdn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pbrfld.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language brvtr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfvxp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvxhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vtjfvbp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bpxhllt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vbxrplx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2208 wrote to memory of 2496 2208 a6649cebd4f38845634941115648ca2f2a820fd1f274f7993c25a70fa97ca35a.exe 30 PID 2208 wrote to memory of 2496 2208 a6649cebd4f38845634941115648ca2f2a820fd1f274f7993c25a70fa97ca35a.exe 30 PID 2208 wrote to memory of 2496 2208 a6649cebd4f38845634941115648ca2f2a820fd1f274f7993c25a70fa97ca35a.exe 30 PID 2208 wrote to memory of 2496 2208 a6649cebd4f38845634941115648ca2f2a820fd1f274f7993c25a70fa97ca35a.exe 30 PID 2496 wrote to memory of 2340 2496 nppxxvx.exe 31 PID 2496 wrote to memory of 2340 2496 nppxxvx.exe 31 PID 2496 wrote to memory of 2340 2496 nppxxvx.exe 31 PID 2496 wrote to memory of 2340 2496 nppxxvx.exe 31 PID 2340 wrote to memory of 2888 2340 dbtpt.exe 32 PID 2340 wrote to memory of 2888 2340 dbtpt.exe 32 PID 2340 wrote to memory of 2888 2340 dbtpt.exe 32 PID 2340 wrote to memory of 2888 2340 dbtpt.exe 32 PID 2888 wrote to memory of 2784 2888 fjrvbx.exe 33 PID 2888 wrote to memory of 2784 2888 fjrvbx.exe 33 PID 2888 wrote to memory of 2784 2888 fjrvbx.exe 33 PID 2888 wrote to memory of 2784 2888 fjrvbx.exe 33 PID 2784 wrote to memory of 2856 2784 xrxjlh.exe 34 PID 2784 wrote to memory of 2856 2784 xrxjlh.exe 34 PID 2784 wrote to memory of 2856 2784 xrxjlh.exe 34 PID 2784 wrote to memory of 2856 2784 xrxjlh.exe 34 PID 2856 wrote to memory of 1856 2856 bpbnn.exe 35 PID 2856 wrote to memory of 1856 2856 bpbnn.exe 35 PID 2856 wrote to memory of 1856 2856 bpbnn.exe 35 PID 2856 wrote to memory of 1856 2856 bpbnn.exe 35 PID 1856 wrote to memory of 2724 1856 vxvxrh.exe 36 PID 1856 wrote to memory of 2724 1856 vxvxrh.exe 36 PID 1856 wrote to memory of 2724 1856 vxvxrh.exe 36 PID 1856 wrote to memory of 2724 1856 vxvxrh.exe 36 PID 2724 wrote to memory of 1032 2724 pjnlfll.exe 37 PID 2724 wrote to memory of 1032 2724 pjnlfll.exe 37 PID 2724 wrote to memory of 1032 2724 pjnlfll.exe 37 PID 2724 wrote to memory of 1032 2724 pjnlfll.exe 37 PID 1032 wrote to memory of 2380 1032 dlphhr.exe 38 PID 1032 
wrote to memory of 2380 1032 dlphhr.exe 38 PID 1032 wrote to memory of 2380 1032 dlphhr.exe 38 PID 1032 wrote to memory of 2380 1032 dlphhr.exe 38 PID 2380 wrote to memory of 1676 2380 bjfpvp.exe 39 PID 2380 wrote to memory of 1676 2380 bjfpvp.exe 39 PID 2380 wrote to memory of 1676 2380 bjfpvp.exe 39 PID 2380 wrote to memory of 1676 2380 bjfpvp.exe 39 PID 1676 wrote to memory of 2360 1676 ldxdpp.exe 40 PID 1676 wrote to memory of 2360 1676 ldxdpp.exe 40 PID 1676 wrote to memory of 2360 1676 ldxdpp.exe 40 PID 1676 wrote to memory of 2360 1676 ldxdpp.exe 40 PID 2360 wrote to memory of 2948 2360 dxrjjnr.exe 41 PID 2360 wrote to memory of 2948 2360 dxrjjnr.exe 41 PID 2360 wrote to memory of 2948 2360 dxrjjnr.exe 41 PID 2360 wrote to memory of 2948 2360 dxrjjnr.exe 41 PID 2948 wrote to memory of 2460 2948 brvnlp.exe 42 PID 2948 wrote to memory of 2460 2948 brvnlp.exe 42 PID 2948 wrote to memory of 2460 2948 brvnlp.exe 42 PID 2948 wrote to memory of 2460 2948 brvnlp.exe 42 PID 2460 wrote to memory of 992 2460 prvdb.exe 43 PID 2460 wrote to memory of 992 2460 prvdb.exe 43 PID 2460 wrote to memory of 992 2460 prvdb.exe 43 PID 2460 wrote to memory of 992 2460 prvdb.exe 43 PID 992 wrote to memory of 868 992 lnbnlf.exe 44 PID 992 wrote to memory of 868 992 lnbnlf.exe 44 PID 992 wrote to memory of 868 992 lnbnlf.exe 44 PID 992 wrote to memory of 868 992 lnbnlf.exe 44 PID 868 wrote to memory of 584 868 pxllh.exe 45 PID 868 wrote to memory of 584 868 pxllh.exe 45 PID 868 wrote to memory of 584 868 pxllh.exe 45 PID 868 wrote to memory of 584 868 pxllh.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\a6649cebd4f38845634941115648ca2f2a820fd1f274f7993c25a70fa97ca35a.exe"C:\Users\Admin\AppData\Local\Temp\a6649cebd4f38845634941115648ca2f2a820fd1f274f7993c25a70fa97ca35a.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2208 -
\??\c:\nppxxvx.exec:\nppxxvx.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2496 -
\??\c:\dbtpt.exec:\dbtpt.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2340 -
\??\c:\fjrvbx.exec:\fjrvbx.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2888 -
\??\c:\xrxjlh.exec:\xrxjlh.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2784 -
\??\c:\bpbnn.exec:\bpbnn.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2856 -
\??\c:\vxvxrh.exec:\vxvxrh.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1856 -
\??\c:\pjnlfll.exec:\pjnlfll.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2724 -
\??\c:\dlphhr.exec:\dlphhr.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1032 -
\??\c:\bjfpvp.exec:\bjfpvp.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2380 -
\??\c:\ldxdpp.exec:\ldxdpp.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1676 -
\??\c:\dxrjjnr.exec:\dxrjjnr.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2360 -
\??\c:\brvnlp.exec:\brvnlp.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2948 -
\??\c:\prvdb.exec:\prvdb.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2460 -
\??\c:\lnbnlf.exec:\lnbnlf.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:992 -
\??\c:\pxllh.exec:\pxllh.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:868 -
\??\c:\vbdddx.exec:\vbdddx.exe17⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:584 -
\??\c:\flnph.exec:\flnph.exe18⤵
- Executes dropped EXE
PID:2144 -
\??\c:\hplxj.exec:\hplxj.exe19⤵
- Executes dropped EXE
PID:2832 -
\??\c:\rdfvfdf.exec:\rdfvfdf.exe20⤵
- Executes dropped EXE
PID:2156 -
\??\c:\rvlfl.exec:\rvlfl.exe21⤵
- Executes dropped EXE
PID:1156 -
\??\c:\bjbhrlv.exec:\bjbhrlv.exe22⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2564 -
\??\c:\xxvtljp.exec:\xxvtljp.exe23⤵
- Executes dropped EXE
PID:1624 -
\??\c:\dhbjnj.exec:\dhbjnj.exe24⤵
- Executes dropped EXE
PID:680 -
\??\c:\vfhnrj.exec:\vfhnrj.exe25⤵
- Executes dropped EXE
PID:1584 -
\??\c:\jfhrx.exec:\jfhrx.exe26⤵
- Executes dropped EXE
PID:1060 -
\??\c:\dbprdvf.exec:\dbprdvf.exe27⤵
- Executes dropped EXE
PID:2100 -
\??\c:\llhnh.exec:\llhnh.exe28⤵
- Executes dropped EXE
PID:1804 -
\??\c:\vdxtx.exec:\vdxtx.exe29⤵
- Executes dropped EXE
PID:1860 -
\??\c:\npxtlr.exec:\npxtlr.exe30⤵
- Executes dropped EXE
PID:1008 -
\??\c:\dplndh.exec:\dplndh.exe31⤵
- Executes dropped EXE
PID:2120 -
\??\c:\btjxrft.exec:\btjxrft.exe32⤵
- Executes dropped EXE
PID:1932 -
\??\c:\xhhbt.exec:\xhhbt.exe33⤵
- Executes dropped EXE
PID:1724 -
\??\c:\dfbhxhf.exec:\dfbhxhf.exe34⤵
- Executes dropped EXE
PID:2292 -
\??\c:\vpvtrr.exec:\vpvtrr.exe35⤵
- Executes dropped EXE
PID:2944 -
\??\c:\vtjfvbp.exec:\vtjfvbp.exe36⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2276 -
\??\c:\frjlllv.exec:\frjlllv.exe37⤵
- Executes dropped EXE
PID:1504 -
\??\c:\pftjlr.exec:\pftjlr.exe38⤵
- Executes dropped EXE
PID:2896 -
\??\c:\vdpjdn.exec:\vdpjdn.exe39⤵
- Executes dropped EXE
PID:3064 -
\??\c:\vvvlf.exec:\vvvlf.exe40⤵
- Executes dropped EXE
PID:2776 -
\??\c:\xhbnxfd.exec:\xhbnxfd.exe41⤵
- Executes dropped EXE
PID:2828 -
\??\c:\jvrbt.exec:\jvrbt.exe42⤵
- Executes dropped EXE
PID:3016 -
\??\c:\jllrl.exec:\jllrl.exe43⤵
- Executes dropped EXE
PID:2704 -
\??\c:\xvfvhdv.exec:\xvfvhdv.exe44⤵
- Executes dropped EXE
PID:2348 -
\??\c:\xrhrnpx.exec:\xrhrnpx.exe45⤵
- Executes dropped EXE
PID:2820 -
\??\c:\bhthvfp.exec:\bhthvfp.exe46⤵
- Executes dropped EXE
PID:2628 -
\??\c:\rtxtjpn.exec:\rtxtjpn.exe47⤵
- Executes dropped EXE
PID:2544 -
\??\c:\tjrhllp.exec:\tjrhllp.exe48⤵
- Executes dropped EXE
PID:2588 -
\??\c:\xtldn.exec:\xtldn.exe49⤵
- Executes dropped EXE
PID:2592 -
\??\c:\xdtrdt.exec:\xdtrdt.exe50⤵
- Executes dropped EXE
PID:2296 -
\??\c:\hflxjrv.exec:\hflxjrv.exe51⤵
- Executes dropped EXE
PID:2992 -
\??\c:\lhltb.exec:\lhltb.exe52⤵
- Executes dropped EXE
PID:988 -
\??\c:\hbxvn.exec:\hbxvn.exe53⤵
- Executes dropped EXE
PID:2952 -
\??\c:\hnflbr.exec:\hnflbr.exe54⤵
- Executes dropped EXE
PID:2016 -
\??\c:\hfdpxdb.exec:\hfdpxdb.exe55⤵
- Executes dropped EXE
PID:2384 -
\??\c:\fftnl.exec:\fftnl.exe56⤵
- Executes dropped EXE
PID:1384 -
\??\c:\dnjhlfh.exec:\dnjhlfh.exe57⤵
- Executes dropped EXE
PID:584 -
\??\c:\bhtrbrx.exec:\bhtrbrx.exe58⤵
- Executes dropped EXE
PID:2176 -
\??\c:\xvrvddd.exec:\xvrvddd.exe59⤵
- Executes dropped EXE
PID:2160 -
\??\c:\bbtpb.exec:\bbtpb.exe60⤵
- Executes dropped EXE
PID:2472 -
\??\c:\xtbfr.exec:\xtbfr.exe61⤵
- Executes dropped EXE
PID:2476 -
\??\c:\bnfvjbd.exec:\bnfvjbd.exe62⤵
- Executes dropped EXE
PID:1944 -
\??\c:\rrhrvd.exec:\rrhrvd.exe63⤵
- Executes dropped EXE
PID:2564 -
\??\c:\nptpvlh.exec:\nptpvlh.exe64⤵
- Executes dropped EXE
PID:2492 -
\??\c:\xxndllt.exec:\xxndllt.exe65⤵
- Executes dropped EXE
PID:692 -
\??\c:\fthhlx.exec:\fthhlx.exe66⤵PID:924
-
\??\c:\djfnhj.exec:\djfnhj.exe67⤵PID:1868
-
\??\c:\nphff.exec:\nphff.exe68⤵PID:1060
-
\??\c:\lbfrhn.exec:\lbfrhn.exe69⤵PID:1356
-
\??\c:\xfbhbvj.exec:\xfbhbvj.exe70⤵PID:2184
-
\??\c:\bhdjddr.exec:\bhdjddr.exe71⤵PID:2092
-
\??\c:\xpphb.exec:\xpphb.exe72⤵PID:2916
-
\??\c:\fvlhhhx.exec:\fvlhhhx.exe73⤵PID:508
-
\??\c:\bpxhllt.exec:\bpxhllt.exe74⤵
- System Location Discovery: System Language Discovery
PID:2508 -
\??\c:\xnphv.exec:\xnphv.exe75⤵PID:2108
-
\??\c:\dfpjx.exec:\dfpjx.exe76⤵PID:2308
-
\??\c:\hvxjnrl.exec:\hvxjnrl.exe77⤵PID:1884
-
\??\c:\npxtd.exec:\npxtd.exe78⤵PID:2448
-
\??\c:\prdxx.exec:\prdxx.exe79⤵
- System Location Discovery: System Language Discovery
PID:2944 -
\??\c:\nbvbxrt.exec:\nbvbxrt.exe80⤵PID:2796
-
\??\c:\nbdbxhr.exec:\nbdbxhr.exe81⤵PID:2892
-
\??\c:\hvxtjrx.exec:\hvxtjrx.exe82⤵PID:2804
-
\??\c:\lrxphtx.exec:\lrxphtx.exe83⤵PID:3048
-
\??\c:\vvjhn.exec:\vvjhn.exe84⤵PID:2684
-
\??\c:\hhpjj.exec:\hhpjj.exe85⤵PID:1160
-
\??\c:\bpvxtrl.exec:\bpvxtrl.exe86⤵PID:2904
-
\??\c:\fbnbnrr.exec:\fbnbnrr.exe87⤵PID:2664
-
\??\c:\txvlbf.exec:\txvlbf.exe88⤵PID:2644
-
\??\c:\fbpvhb.exec:\fbpvhb.exe89⤵PID:2632
-
\??\c:\pxntjtd.exec:\pxntjtd.exe90⤵PID:1168
-
\??\c:\ljrxx.exec:\ljrxx.exe91⤵PID:2020
-
\??\c:\dnbhf.exec:\dnbhf.exe92⤵PID:2580
-
\??\c:\vjdnn.exec:\vjdnn.exe93⤵PID:1676
-
\??\c:\rppnrhv.exec:\rppnrhv.exe94⤵PID:2360
-
\??\c:\vnnltpj.exec:\vnnltpj.exe95⤵PID:3020
-
\??\c:\hflbt.exec:\hflbt.exe96⤵PID:2996
-
\??\c:\rpndd.exec:\rpndd.exe97⤵PID:2988
-
\??\c:\jrdfj.exec:\jrdfj.exe98⤵PID:2368
-
\??\c:\llthfdd.exec:\llthfdd.exe99⤵PID:2384
-
\??\c:\jhxtxj.exec:\jhxtxj.exe100⤵PID:808
-
\??\c:\pfhll.exec:\pfhll.exe101⤵PID:664
-
\??\c:\jnrprh.exec:\jnrprh.exe102⤵PID:2076
-
\??\c:\fhpvbl.exec:\fhpvbl.exe103⤵PID:2416
-
\??\c:\ndndlf.exec:\ndndlf.exe104⤵PID:1612
-
\??\c:\nvtnd.exec:\nvtnd.exe105⤵PID:2424
-
\??\c:\jlvlhxf.exec:\jlvlhxf.exe106⤵PID:2068
-
\??\c:\jlbfh.exec:\jlbfh.exe107⤵
- System Location Discovery: System Language Discovery
PID:948 -
\??\c:\vrtrffx.exec:\vrtrffx.exe108⤵PID:1904
-
\??\c:\tlhbph.exec:\tlhbph.exe109⤵PID:692
-
\??\c:\xhtvh.exec:\xhtvh.exe110⤵PID:2612
-
\??\c:\xxpfjd.exec:\xxpfjd.exe111⤵PID:1868
-
\??\c:\ffxtv.exec:\ffxtv.exe112⤵PID:1080
-
\??\c:\lnhfntl.exec:\lnhfntl.exe113⤵PID:2220
-
\??\c:\bjtvx.exec:\bjtvx.exe114⤵PID:1604
-
\??\c:\hhvtf.exec:\hhvtf.exe115⤵PID:2092
-
\??\c:\vtnld.exec:\vtnld.exe116⤵PID:2180
-
\??\c:\xdpfvr.exec:\xdpfvr.exe117⤵PID:2264
-
\??\c:\nxvnnh.exec:\nxvnnh.exe118⤵PID:1708
-
\??\c:\bhdbr.exec:\bhdbr.exe119⤵PID:2108
-
\??\c:\tfhvf.exec:\tfhvf.exe120⤵PID:1272
-
\??\c:\hvjjx.exec:\hvjjx.exe121⤵PID:2736
-
\??\c:\bjhvdph.exec:\bjhvdph.exe122⤵PID:2456