Analysis
-
max time kernel
150s -
max time network
18s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64 arch:x86 image:win7-20241010-en locale:en-us os:windows7-x64 system -
submitted
08/01/2025, 07:35
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
c0d8e124820b7e29932204dd6667ee521064cd17ad8a91bbec9c1c02a4895310.exe
Resource
win7-20241010-en
7 signatures
150 seconds
General
-
Target
c0d8e124820b7e29932204dd6667ee521064cd17ad8a91bbec9c1c02a4895310.exe
-
Size
454KB
-
MD5
661ecbdac5ca53caafe72d893d4481ac
-
SHA1
51caeb0c04312b2077710d906d9e885ada34563d
-
SHA256
c0d8e124820b7e29932204dd6667ee521064cd17ad8a91bbec9c1c02a4895310
-
SHA512
796475a60c6d60a043a3907060e8e79c30ffc5cd124b45849402369615db2e00df994a2a1a1b7d18703aee88e3fc99e792ef6b4f5095502ff04071171aa93af3
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe5:q7Tc2NYHUrAwfMp3CD5
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 45 IoCs
resource yara_rule behavioral1/memory/1480-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2104-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1620-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2068-38-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2832-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2848-58-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2760-67-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2788-92-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2344-101-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3036-119-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1520-129-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1672-146-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1964-163-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1116-183-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2372-181-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1116-190-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2492-199-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1680-207-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1500-227-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2484-255-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/108-263-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon 
behavioral1/memory/1312-275-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1312-271-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2592-280-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/532-285-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1692-305-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1692-304-0x0000000076F90000-0x000000007708A000-memory.dmp family_blackmoon behavioral1/memory/1692-303-0x0000000077090000-0x00000000771AF000-memory.dmp family_blackmoon behavioral1/memory/2284-312-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2572-333-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1476-347-0x0000000000430000-0x000000000045A000-memory.dmp family_blackmoon behavioral1/memory/2972-366-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2744-387-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1316-428-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1932-435-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1500-526-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2600-527-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2036-546-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/940-554-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2204-598-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2240-617-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2836-666-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon 
behavioral1/memory/2884-673-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/1224-711-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1592-751-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1480 xnjrh.exe 1620 lhphphf.exe 2068 nrdtx.exe 2832 tdhvpfx.exe 2848 pnlbdbd.exe 2760 jbfvn.exe 1656 fbjnrjr.exe 2956 bdrldjt.exe 2788 bjnhd.exe 2344 rdxjv.exe 1784 trdlv.exe 3036 ndnvl.exe 1520 vfjbb.exe 3044 pdvfx.exe 1672 tjpjll.exe 2216 rftfxb.exe 1964 jpxffnr.exe 1840 vlpffr.exe 2372 xfbxxbt.exe 1116 vnfpprb.exe 2492 xrhvbf.exe 1680 flpxd.exe 1912 rdjvjvt.exe 1500 rfjlrld.exe 2500 rjxbbfr.exe 2592 fnprjp.exe 2484 xfhrd.exe 108 vtljpnt.exe 1312 dxltj.exe 532 lrjlh.exe 1744 jpfddx.exe 2696 vbftp.exe 1692 jvnppx.exe 1532 nrrjrbf.exe 1476 tdlhjl.exe 2572 btrnpfv.exe 2068 xdtrnhr.exe 2196 dhxlh.exe 2732 thxrlxl.exe 2980 jrppbbb.exe 3020 rbfpflx.exe 2972 fbvdpr.exe 1656 tllhx.exe 2744 txdfntn.exe 2332 vphxjx.exe 2388 bjbfr.exe 2080 bllbprd.exe 2324 hflthb.exe 3032 fhvjfl.exe 1316 btxrrb.exe 1932 jlrhjh.exe 1584 xtrldrt.exe 3016 nllbvbb.exe 556 lrdtbbh.exe 2216 xvpdt.exe 1964 xnrhx.exe 2148 tjvrb.exe 640 ttbhdtl.exe 1052 nnxxnpp.exe 1116 pntfbj.exe 2488 thtxdlp.exe 960 nltbfht.exe 764 bnfpx.exe 272 vtrpxpj.exe -
resource yara_rule behavioral1/memory/1480-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2104-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1620-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2068-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2068-38-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2832-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2760-59-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2848-58-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2760-67-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2788-92-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2344-101-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3036-119-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1520-129-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1672-146-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1964-163-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1116-183-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2372-181-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2492-199-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1500-227-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2484-255-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/108-263-0x00000000003A0000-0x00000000003CA000-memory.dmp upx behavioral1/memory/532-276-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1312-275-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/532-285-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/1692-305-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2572-333-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2732-346-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2972-366-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2744-387-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2080-402-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1316-428-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1932-435-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1964-461-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1500-526-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2600-527-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/940-554-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2204-598-0x00000000001B0000-0x00000000001DA000-memory.dmp upx behavioral1/memory/2240-617-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2884-646-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1592-751-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2512-774-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1704-822-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pbjrnlx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bfdrh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fdlhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjjjdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxnrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ftbddd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rdhthfb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hpbld.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language drftdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language npxnnxh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fvtjb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thxrnrt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hpbpln.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjrdjjt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvvvxh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llvnjjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rjlnhlb.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tlxjf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fdnbj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hlthjfd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tjjdrh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language npjfv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ljfrd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ljxjhvf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nndrtnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vllhp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rbvvx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnvnr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxrnpld.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxfxt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vfbbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxhjfrj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
lldvpr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nvpjdhx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hppfdrj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bxjlv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxnjh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lnlbx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language prprv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xnbndp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language txhhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2104 wrote to memory of 1480 2104 c0d8e124820b7e29932204dd6667ee521064cd17ad8a91bbec9c1c02a4895310.exe 30 PID 2104 wrote to memory of 1480 2104 c0d8e124820b7e29932204dd6667ee521064cd17ad8a91bbec9c1c02a4895310.exe 30 PID 2104 wrote to memory of 1480 2104 c0d8e124820b7e29932204dd6667ee521064cd17ad8a91bbec9c1c02a4895310.exe 30 PID 2104 wrote to memory of 1480 2104 c0d8e124820b7e29932204dd6667ee521064cd17ad8a91bbec9c1c02a4895310.exe 30 PID 1480 wrote to memory of 1620 1480 xnjrh.exe 31 PID 1480 wrote to memory of 1620 1480 xnjrh.exe 31 PID 1480 wrote to memory of 1620 1480 xnjrh.exe 31 PID 1480 wrote to memory of 1620 1480 xnjrh.exe 31 PID 1620 wrote to memory of 2068 1620 lhphphf.exe 32 PID 1620 wrote to memory of 2068 1620 lhphphf.exe 32 PID 1620 wrote to memory of 2068 1620 lhphphf.exe 32 PID 1620 wrote to memory of 2068 1620 lhphphf.exe 32 PID 2068 wrote to memory of 2832 2068 nrdtx.exe 33 PID 2068 wrote to memory of 2832 2068 nrdtx.exe 33 PID 2068 wrote to memory of 2832 2068 nrdtx.exe 33 PID 2068 wrote to memory of 2832 2068 nrdtx.exe 33 PID 2832 wrote to memory of 2848 2832 tdhvpfx.exe 34 PID 2832 wrote to memory of 2848 2832 tdhvpfx.exe 34 PID 2832 wrote to memory of 2848 2832 tdhvpfx.exe 34 PID 2832 wrote to memory of 2848 2832 tdhvpfx.exe 34 PID 2848 wrote to memory of 2760 2848 pnlbdbd.exe 35 PID 2848 wrote to memory of 2760 2848 pnlbdbd.exe 35 PID 2848 wrote to memory of 2760 2848 pnlbdbd.exe 35 PID 2848 wrote to memory of 2760 2848 pnlbdbd.exe 35 PID 2760 wrote to memory of 1656 2760 jbfvn.exe 36 PID 2760 wrote to memory of 1656 2760 jbfvn.exe 36 PID 2760 wrote to memory of 1656 2760 jbfvn.exe 36 PID 2760 wrote to memory of 1656 2760 jbfvn.exe 36 PID 1656 wrote to memory of 2956 1656 fbjnrjr.exe 37 PID 1656 wrote to memory of 2956 1656 fbjnrjr.exe 37 PID 1656 wrote to memory of 2956 1656 fbjnrjr.exe 37 PID 1656 wrote to memory of 2956 1656 fbjnrjr.exe 37 PID 2956 wrote to memory of 2788 2956 bdrldjt.exe 38 PID 2956 
wrote to memory of 2788 2956 bdrldjt.exe 38 PID 2956 wrote to memory of 2788 2956 bdrldjt.exe 38 PID 2956 wrote to memory of 2788 2956 bdrldjt.exe 38 PID 2788 wrote to memory of 2344 2788 bjnhd.exe 39 PID 2788 wrote to memory of 2344 2788 bjnhd.exe 39 PID 2788 wrote to memory of 2344 2788 bjnhd.exe 39 PID 2788 wrote to memory of 2344 2788 bjnhd.exe 39 PID 2344 wrote to memory of 1784 2344 rdxjv.exe 40 PID 2344 wrote to memory of 1784 2344 rdxjv.exe 40 PID 2344 wrote to memory of 1784 2344 rdxjv.exe 40 PID 2344 wrote to memory of 1784 2344 rdxjv.exe 40 PID 1784 wrote to memory of 3036 1784 trdlv.exe 41 PID 1784 wrote to memory of 3036 1784 trdlv.exe 41 PID 1784 wrote to memory of 3036 1784 trdlv.exe 41 PID 1784 wrote to memory of 3036 1784 trdlv.exe 41 PID 3036 wrote to memory of 1520 3036 ndnvl.exe 42 PID 3036 wrote to memory of 1520 3036 ndnvl.exe 42 PID 3036 wrote to memory of 1520 3036 ndnvl.exe 42 PID 3036 wrote to memory of 1520 3036 ndnvl.exe 42 PID 1520 wrote to memory of 3044 1520 vfjbb.exe 43 PID 1520 wrote to memory of 3044 1520 vfjbb.exe 43 PID 1520 wrote to memory of 3044 1520 vfjbb.exe 43 PID 1520 wrote to memory of 3044 1520 vfjbb.exe 43 PID 3044 wrote to memory of 1672 3044 pdvfx.exe 44 PID 3044 wrote to memory of 1672 3044 pdvfx.exe 44 PID 3044 wrote to memory of 1672 3044 pdvfx.exe 44 PID 3044 wrote to memory of 1672 3044 pdvfx.exe 44 PID 1672 wrote to memory of 2216 1672 tjpjll.exe 45 PID 1672 wrote to memory of 2216 1672 tjpjll.exe 45 PID 1672 wrote to memory of 2216 1672 tjpjll.exe 45 PID 1672 wrote to memory of 2216 1672 tjpjll.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\c0d8e124820b7e29932204dd6667ee521064cd17ad8a91bbec9c1c02a4895310.exe"C:\Users\Admin\AppData\Local\Temp\c0d8e124820b7e29932204dd6667ee521064cd17ad8a91bbec9c1c02a4895310.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2104 -
\??\c:\xnjrh.exec:\xnjrh.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1480 -
\??\c:\lhphphf.exec:\lhphphf.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1620 -
\??\c:\nrdtx.exec:\nrdtx.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2068 -
\??\c:\tdhvpfx.exec:\tdhvpfx.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2832 -
\??\c:\pnlbdbd.exec:\pnlbdbd.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2848 -
\??\c:\jbfvn.exec:\jbfvn.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2760 -
\??\c:\fbjnrjr.exec:\fbjnrjr.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1656 -
\??\c:\bdrldjt.exec:\bdrldjt.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2956 -
\??\c:\bjnhd.exec:\bjnhd.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2788 -
\??\c:\rdxjv.exec:\rdxjv.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2344 -
\??\c:\trdlv.exec:\trdlv.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1784 -
\??\c:\ndnvl.exec:\ndnvl.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3036 -
\??\c:\vfjbb.exec:\vfjbb.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1520 -
\??\c:\pdvfx.exec:\pdvfx.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3044 -
\??\c:\tjpjll.exec:\tjpjll.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1672 -
\??\c:\rftfxb.exec:\rftfxb.exe17⤵
- Executes dropped EXE
PID:2216 -
\??\c:\jpxffnr.exec:\jpxffnr.exe18⤵
- Executes dropped EXE
PID:1964 -
\??\c:\vlpffr.exec:\vlpffr.exe19⤵
- Executes dropped EXE
PID:1840 -
\??\c:\xfbxxbt.exec:\xfbxxbt.exe20⤵
- Executes dropped EXE
PID:2372 -
\??\c:\vnfpprb.exec:\vnfpprb.exe21⤵
- Executes dropped EXE
PID:1116 -
\??\c:\xrhvbf.exec:\xrhvbf.exe22⤵
- Executes dropped EXE
PID:2492 -
\??\c:\flpxd.exec:\flpxd.exe23⤵
- Executes dropped EXE
PID:1680 -
\??\c:\rdjvjvt.exec:\rdjvjvt.exe24⤵
- Executes dropped EXE
PID:1912 -
\??\c:\rfjlrld.exec:\rfjlrld.exe25⤵
- Executes dropped EXE
PID:1500 -
\??\c:\rjxbbfr.exec:\rjxbbfr.exe26⤵
- Executes dropped EXE
PID:2500 -
\??\c:\fnprjp.exec:\fnprjp.exe27⤵
- Executes dropped EXE
PID:2592 -
\??\c:\xfhrd.exec:\xfhrd.exe28⤵
- Executes dropped EXE
PID:2484 -
\??\c:\vtljpnt.exec:\vtljpnt.exe29⤵
- Executes dropped EXE
PID:108 -
\??\c:\dxltj.exec:\dxltj.exe30⤵
- Executes dropped EXE
PID:1312 -
\??\c:\lrjlh.exec:\lrjlh.exe31⤵
- Executes dropped EXE
PID:532 -
\??\c:\jpfddx.exec:\jpfddx.exe32⤵
- Executes dropped EXE
PID:1744 -
\??\c:\vbftp.exec:\vbftp.exe33⤵
- Executes dropped EXE
PID:2696 -
\??\c:\jvnppx.exec:\jvnppx.exe34⤵
- Executes dropped EXE
PID:1692 -
\??\c:\lhnjlrh.exec:\lhnjlrh.exe35⤵PID:2284
-
\??\c:\nrrjrbf.exec:\nrrjrbf.exe36⤵
- Executes dropped EXE
PID:1532 -
\??\c:\tdlhjl.exec:\tdlhjl.exe37⤵
- Executes dropped EXE
PID:1476 -
\??\c:\btrnpfv.exec:\btrnpfv.exe38⤵
- Executes dropped EXE
PID:2572 -
\??\c:\xdtrnhr.exec:\xdtrnhr.exe39⤵
- Executes dropped EXE
PID:2068 -
\??\c:\dhxlh.exec:\dhxlh.exe40⤵
- Executes dropped EXE
PID:2196 -
\??\c:\thxrlxl.exec:\thxrlxl.exe41⤵
- Executes dropped EXE
PID:2732 -
\??\c:\jrppbbb.exec:\jrppbbb.exe42⤵
- Executes dropped EXE
PID:2980 -
\??\c:\rbfpflx.exec:\rbfpflx.exe43⤵
- Executes dropped EXE
PID:3020 -
\??\c:\fbvdpr.exec:\fbvdpr.exe44⤵
- Executes dropped EXE
PID:2972 -
\??\c:\tllhx.exec:\tllhx.exe45⤵
- Executes dropped EXE
PID:1656 -
\??\c:\txdfntn.exec:\txdfntn.exe46⤵
- Executes dropped EXE
PID:2744 -
\??\c:\vphxjx.exec:\vphxjx.exe47⤵
- Executes dropped EXE
PID:2332 -
\??\c:\bjbfr.exec:\bjbfr.exe48⤵
- Executes dropped EXE
PID:2388 -
\??\c:\bllbprd.exec:\bllbprd.exe49⤵
- Executes dropped EXE
PID:2080 -
\??\c:\hflthb.exec:\hflthb.exe50⤵
- Executes dropped EXE
PID:2324 -
\??\c:\fhvjfl.exec:\fhvjfl.exe51⤵
- Executes dropped EXE
PID:3032 -
\??\c:\btxrrb.exec:\btxrrb.exe52⤵
- Executes dropped EXE
PID:1316 -
\??\c:\jlrhjh.exec:\jlrhjh.exe53⤵
- Executes dropped EXE
PID:1932 -
\??\c:\xtrldrt.exec:\xtrldrt.exe54⤵
- Executes dropped EXE
PID:1584 -
\??\c:\nllbvbb.exec:\nllbvbb.exe55⤵
- Executes dropped EXE
PID:3016 -
\??\c:\lrdtbbh.exec:\lrdtbbh.exe56⤵
- Executes dropped EXE
PID:556 -
\??\c:\xvpdt.exec:\xvpdt.exe57⤵
- Executes dropped EXE
PID:2216 -
\??\c:\xnrhx.exec:\xnrhx.exe58⤵
- Executes dropped EXE
PID:1964 -
\??\c:\tjvrb.exec:\tjvrb.exe59⤵
- Executes dropped EXE
PID:2148 -
\??\c:\ttbhdtl.exec:\ttbhdtl.exe60⤵
- Executes dropped EXE
PID:640 -
\??\c:\nnxxnpp.exec:\nnxxnpp.exe61⤵
- Executes dropped EXE
PID:1052 -
\??\c:\pntfbj.exec:\pntfbj.exe62⤵
- Executes dropped EXE
PID:1116 -
\??\c:\thtxdlp.exec:\thtxdlp.exe63⤵
- Executes dropped EXE
PID:2488 -
\??\c:\nltbfht.exec:\nltbfht.exe64⤵
- Executes dropped EXE
PID:960 -
\??\c:\bnfpx.exec:\bnfpx.exe65⤵
- Executes dropped EXE
PID:764 -
\??\c:\vtrpxpj.exec:\vtrpxpj.exe66⤵
- Executes dropped EXE
PID:272 -
\??\c:\jhbhp.exec:\jhbhp.exe67⤵PID:1500
-
\??\c:\lbnrht.exec:\lbnrht.exe68⤵PID:2600
-
\??\c:\jjjvlv.exec:\jjjvlv.exe69⤵PID:2688
-
\??\c:\rxnrnhb.exec:\rxnrnhb.exe70⤵PID:2036
-
\??\c:\jxxrt.exec:\jxxrt.exe71⤵PID:940
-
\??\c:\jfjpdv.exec:\jfjpdv.exe72⤵PID:2440
-
\??\c:\nflrvbt.exec:\nflrvbt.exe73⤵PID:1312
-
\??\c:\vbrvf.exec:\vbrvf.exe74⤵PID:2824
-
\??\c:\nfxnlhb.exec:\nfxnlhb.exe75⤵PID:532
-
\??\c:\nbfxd.exec:\nbfxd.exe76⤵PID:892
-
\??\c:\phtrrrj.exec:\phtrrrj.exe77⤵PID:2184
-
\??\c:\nndnhrv.exec:\nndnhrv.exe78⤵PID:2204
-
\??\c:\vjhbxjx.exec:\vjhbxjx.exe79⤵PID:2656
-
\??\c:\fdnbj.exec:\fdnbj.exe80⤵
- System Location Discovery: System Language Discovery
PID:1480 -
\??\c:\bfhndhx.exec:\bfhndhx.exe81⤵PID:2240
-
\??\c:\hlthjfd.exec:\hlthjfd.exe82⤵
- System Location Discovery: System Language Discovery
PID:2552 -
\??\c:\pjlbvvb.exec:\pjlbvvb.exe83⤵PID:2828
-
\??\c:\trtllhb.exec:\trtllhb.exe84⤵PID:3000
-
\??\c:\htdhd.exec:\htdhd.exe85⤵PID:3004
-
\??\c:\dtvptbv.exec:\dtvptbv.exe86⤵PID:2884
-
\??\c:\blhplth.exec:\blhplth.exe87⤵PID:2860
-
\??\c:\ptndtj.exec:\ptndtj.exe88⤵PID:2836
-
\??\c:\plppnh.exec:\plppnh.exe89⤵PID:2780
-
\??\c:\tbvvbn.exec:\tbvvbn.exe90⤵PID:2796
-
\??\c:\jvffthr.exec:\jvffthr.exe91⤵PID:2352
-
\??\c:\jrrphnf.exec:\jrrphnf.exe92⤵PID:1224
-
\??\c:\hnjdp.exec:\hnjdp.exe93⤵PID:2108
-
\??\c:\xbnjbx.exec:\xbnjbx.exe94⤵PID:1040
-
\??\c:\htnnjrx.exec:\htnnjrx.exe95⤵PID:2964
-
\??\c:\vxdfxtj.exec:\vxdfxtj.exe96⤵PID:3064
-
\??\c:\rbpnn.exec:\rbpnn.exe97⤵PID:972
-
\??\c:\lhbxp.exec:\lhbxp.exe98⤵PID:3044
-
\??\c:\rnfpf.exec:\rnfpf.exe99⤵PID:2288
-
\??\c:\vjrtf.exec:\vjrtf.exe100⤵PID:1556
-
\??\c:\xxnrl.exec:\xxnrl.exe101⤵
- System Location Discovery: System Language Discovery
PID:1592 -
\??\c:\hdtjf.exec:\hdtjf.exe102⤵PID:1688
-
\??\c:\pnvhfp.exec:\pnvhfp.exe103⤵PID:2276
-
\??\c:\rbhhhjf.exec:\rbhhhjf.exe104⤵PID:1612
-
\??\c:\jphtnth.exec:\jphtnth.exe105⤵PID:2512
-
\??\c:\vprnv.exec:\vprnv.exe106⤵PID:1116
-
\??\c:\nlphfvt.exec:\nlphfvt.exe107⤵PID:1144
-
\??\c:\rbvvx.exec:\rbvvx.exe108⤵
- System Location Discovery: System Language Discovery
PID:1880 -
\??\c:\bljdrlf.exec:\bljdrlf.exe109⤵PID:2028
-
\??\c:\dddltp.exec:\dddltp.exe110⤵PID:2536
-
\??\c:\hjnjtjr.exec:\hjnjtjr.exe111⤵PID:788
-
\??\c:\vtdpt.exec:\vtdpt.exe112⤵PID:1704
-
\??\c:\fhtflj.exec:\fhtflj.exe113⤵PID:1432
-
\??\c:\dhxjlln.exec:\dhxjlln.exe114⤵PID:944
-
\??\c:\vbbrtnf.exec:\vbbrtnf.exe115⤵PID:1800
-
\??\c:\bdntvbh.exec:\bdntvbh.exe116⤵PID:2440
-
\??\c:\ddvfl.exec:\ddvfl.exe117⤵PID:1928
-
\??\c:\jrfxf.exec:\jrfxf.exe118⤵PID:1596
-
\??\c:\bhdvvtf.exec:\bhdvvtf.exe119⤵PID:2176
-
\??\c:\npbhjdt.exec:\npbhjdt.exe120⤵PID:2104
-
\??\c:\jprxbv.exec:\jprxbv.exe121⤵PID:1524
-
\??\c:\hjtpxfn.exec:\hjtpxfn.exe122⤵PID:1892