Analysis

max time kernel: 149s
max time network: 19s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 27-11-2024 01:15

Behavioral task: behavioral1
Sample: 816cf026b79a8709e2b6f032c67ceb77eecfc31a6bf8e47951af040da2270962.exe
Resource: win7-20241010-en

General

Target: 816cf026b79a8709e2b6f032c67ceb77eecfc31a6bf8e47951af040da2270962.exe
Size: 3.7MB
MD5: e4e25488fbc309a598599b07328b7861
SHA1: 3bc74d4780b35f828faeba895ab308ce7de225a2
SHA256: 816cf026b79a8709e2b6f032c67ceb77eecfc31a6bf8e47951af040da2270962
SHA512: cf531951a0bac8205761d0cdf63bd46f88c4c9b189453b22dc8d541c5438fef53d490b5b03548228d2d6ffbdce8400921ebc77c003e6d7a277116c10935b11f8
SSDEEP: 49152:gCOfN6X5tLLQTg20ITS/PPs/1kS4eKRL/SRsj0Zuur1T75YqVUrmNF98z:U6XLq/qPPslzKx/dJg1ErmNM
Malware Config
Signatures
Blackmoon family

Detect Blackmoon payload (43 IoCs)
resource  yara_rule
behavioral1/memory/1968-7-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/2556-18-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/756-27-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/1124-41-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/1968-49-0x0000000000230000-0x0000000000257000-memory.dmp  family_blackmoon
behavioral1/memory/644-52-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/2872-48-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/2972-62-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/2052-71-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/2896-87-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/2448-104-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/2784-113-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/2968-124-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/2216-150-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/1672-148-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/396-166-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/2148-183-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/2320-195-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/1044-212-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/2536-230-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/112-260-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/1004-258-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/756-328-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/2940-343-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/2856-350-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/816-369-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/296-424-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/1144-490-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/1564-501-0x0000000000220000-0x0000000000247000-memory.dmp  family_blackmoon
behavioral1/memory/1564-504-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/700-541-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/2568-598-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/1620-605-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/756-630-0x0000000000220000-0x0000000000247000-memory.dmp  family_blackmoon
behavioral1/memory/1632-675-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/296-725-0x0000000000220000-0x0000000000247000-memory.dmp  family_blackmoon
behavioral1/memory/1748-745-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/2276-752-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/856-774-0x0000000000220000-0x0000000000247000-memory.dmp  family_blackmoon
behavioral1/memory/2504-842-0x0000000000220000-0x0000000000247000-memory.dmp  family_blackmoon
behavioral1/memory/1684-849-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/1684-855-0x0000000000220000-0x0000000000247000-memory.dmp  family_blackmoon
behavioral1/memory/2456-975-0x0000000000220000-0x0000000000247000-memory.dmp  family_blackmoon

Njrat family

Executes dropped EXE (64 IoCs)
pid   Process
2556  rxvtr.exe
756   bvlrxbh.exe
1124  jrvpplp.exe
2872  rbbtd.exe
644   dtdntpr.exe
2972  hdjpffr.exe
2052  nrhfrbd.exe
2896  bbjhj.exe
2796  dddxpvp.exe
2448  xhnrlx.exe
2784  rpbjjtl.exe
2420  fbldd.exe
2968  xjjhbb.exe
2092  bpjhxn.exe
1672  jnxbf.exe
2216  jjfxjv.exe
396   hvpnpjj.exe
2304  nfxrdj.exe
2148  fxdtd.exe
2144  lxlrthb.exe
2320  ppxpxn.exe
2244  pvxtxx.exe
1044  hhjttxp.exe
1440  nrlpb.exe
2536  bxjjrt.exe
1704  ntthnrr.exe
1004  dfxfb.exe
112   ddvtf.exe
1608  fnbftf.exe
2476  btnxj.exe
1020  phjxr.exe
2164  hhjtrv.exe
1528  prbdvf.exe
1480  llprr.exe
2060  vtvxl.exe
2396  pjdbnfv.exe
756   hjrvb.exe
2940  vnptv.exe
2856  nfnjfn.exe
3020  vbxhh.exe
2680  nbhfff.exe
816   tfvbrh.exe
2740  nfjnvrr.exe
2844  dhphx.exe
2992  xhvff.exe
1344  tldhxjj.exe
2080  xvfbljv.exe
2324  nxtdbd.exe
2792  dflrxfp.exe
2548  lpfddr.exe
296   jrxnhbr.exe
2288  tjvxr.exe
2216  ldrbtjl.exe
1840  xhfxxxj.exe
1648  ldffbx.exe
2276  rftxfrx.exe
836   nbllhbt.exe
1932  lrjttlx.exe
2296  pvfhj.exe
1276  vxhfj.exe
1144  xvnbbhp.exe
1564  jrjjpf.exe
888   lvlntrv.exe
2492  dlttf.exe
UPX (yara rule upx, 64 IoCs)
resource  yara_rule
behavioral1/memory/1968-0-0x0000000000400000-0x0000000000427000-memory.dmp  upx
behavioral1/files/0x000a000000012262-5.dat  upx
behavioral1/memory/1968-7-0x0000000000400000-0x0000000000427000-memory.dmp  upx
behavioral1/memory/756-19-0x0000000000400000-0x0000000000427000-memory.dmp  upx
behavioral1/memory/2556-18-0x0000000000400000-0x0000000000427000-memory.dmp  upx
behavioral1/files/0x000b0000000195c5-16.dat  upx
behavioral1/files/0x000800000001960c-28.dat  upx
behavioral1/memory/756-27-0x0000000000400000-0x0000000000427000-memory.dmp  upx
behavioral1/memory/1124-41-0x0000000000400000-0x0000000000427000-memory.dmp  upx
behavioral1/files/0x0007000000019820-40.dat  upx
behavioral1/memory/2872-39-0x0000000000400000-0x0000000000427000-memory.dmp  upx
behavioral1/files/0x000700000001998d-50.dat  upx
behavioral1/memory/644-52-0x0000000000400000-0x0000000000427000-memory.dmp  upx
behavioral1/memory/2872-48-0x0000000000400000-0x0000000000427000-memory.dmp  upx
behavioral1/memory/2972-62-0x0000000000400000-0x0000000000427000-memory.dmp  upx
behavioral1/files/0x0006000000019bf6-61.dat  upx
behavioral1/memory/2052-71-0x0000000000400000-0x0000000000427000-memory.dmp  upx
behavioral1/files/0x0006000000019bf9-70.dat  upx
behavioral1/files/0x0006000000019c3c-78.dat  upx
behavioral1/files/0x0008000000019d62-85.dat  upx
behavioral1/memory/2896-87-0x0000000000400000-0x0000000000427000-memory.dmp  upx
behavioral1/files/0x000600000001a438-95.dat  upx
behavioral1/files/0x000500000001a44d-106.dat  upx
behavioral1/memory/2448-104-0x0000000000400000-0x0000000000427000-memory.dmp  upx
behavioral1/files/0x000500000001a44f-115.dat  upx
behavioral1/memory/2784-113-0x0000000000400000-0x0000000000427000-memory.dmp  upx
behavioral1/files/0x000500000001a457-122.dat  upx
behavioral1/memory/2968-124-0x0000000000400000-0x0000000000427000-memory.dmp  upx
behavioral1/files/0x000500000001a459-132.dat  upx
behavioral1/files/0x000500000001a463-139.dat  upx
behavioral1/files/0x000500000001a469-149.dat  upx
behavioral1/memory/2216-150-0x0000000000400000-0x0000000000427000-memory.dmp  upx
behavioral1/memory/1672-148-0x0000000000400000-0x0000000000427000-memory.dmp  upx
behavioral1/files/0x000500000001a46b-159.dat  upx
behavioral1/memory/396-158-0x0000000000400000-0x0000000000427000-memory.dmp  upx
behavioral1/memory/396-166-0x0000000000400000-0x0000000000427000-memory.dmp  upx
behavioral1/files/0x000500000001a46d-168.dat  upx
behavioral1/files/0x000500000001a46f-175.dat  upx
behavioral1/files/0x000500000001a471-184.dat  upx
behavioral1/memory/2148-183-0x0000000000400000-0x0000000000427000-memory.dmp  upx
behavioral1/files/0x000500000001a473-192.dat  upx
behavioral1/memory/2320-195-0x0000000000400000-0x0000000000427000-memory.dmp  upx
behavioral1/files/0x000500000001a475-203.dat  upx
behavioral1/files/0x000500000001a477-211.dat  upx
behavioral1/memory/1044-212-0x0000000000400000-0x0000000000427000-memory.dmp  upx
behavioral1/files/0x000500000001a479-221.dat  upx
behavioral1/memory/1440-220-0x0000000000400000-0x0000000000427000-memory.dmp  upx
behavioral1/memory/2536-230-0x0000000000400000-0x0000000000427000-memory.dmp  upx
behavioral1/files/0x000500000001a47b-229.dat  upx
behavioral1/files/0x000500000001a47d-237.dat  upx
behavioral1/files/0x000500000001a480-247.dat  upx
behavioral1/files/0x000500000001a482-259.dat  upx
behavioral1/memory/112-260-0x0000000000400000-0x0000000000427000-memory.dmp  upx
behavioral1/memory/1004-258-0x0000000000400000-0x0000000000427000-memory.dmp  upx
behavioral1/files/0x000500000001a484-267.dat  upx
behavioral1/files/0x000500000001a486-275.dat  upx
behavioral1/files/0x000500000001a488-285.dat  upx
behavioral1/files/0x000500000001a48a-293.dat  upx
behavioral1/memory/1480-314-0x00000000002C0000-0x00000000002E7000-memory.dmp  upx
behavioral1/memory/2396-321-0x0000000000400000-0x0000000000427000-memory.dmp  upx
behavioral1/memory/756-328-0x0000000000400000-0x0000000000427000-memory.dmp  upx
behavioral1/memory/2940-335-0x0000000000400000-0x0000000000427000-memory.dmp  upx
behavioral1/memory/2940-343-0x0000000000400000-0x0000000000427000-memory.dmp  upx
behavioral1/memory/2856-350-0x0000000000400000-0x0000000000427000-memory.dmp  upx
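The two yara sections above are the part of this report worth automating. What follows is an added example, not part of the sandbox report or of any vendor tooling, that parses IoC lines in exactly the form printed above (behavioral1/memory/<pid>-<dump index>-<start>-<end>-memory.dmp or behavioral1/files/<key>-<index>.dat, followed by the rule name), collapses them to one record per dump, and answers the questions an analyst asks of them: which (base, size) region recurs across processes, which dumps matched both the packer rule and the family rule, and which PIDs appear with more than one dump index. The sample input is a subset of lines copied from the two sections above; the function names are the example's own.

```python
import re
from collections import defaultdict

# Sample input for this example: a subset of the yara IoC lines from the
# report's family_blackmoon and upx sections, copied verbatim.
SAMPLE = """\
behavioral1/memory/1968-0-0x0000000000400000-0x0000000000427000-memory.dmp upx
behavioral1/memory/1968-7-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon
behavioral1/memory/1968-7-0x0000000000400000-0x0000000000427000-memory.dmp upx
behavioral1/memory/1968-49-0x0000000000230000-0x0000000000257000-memory.dmp family_blackmoon
behavioral1/files/0x000a000000012262-5.dat upx
behavioral1/memory/756-27-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon
behavioral1/memory/756-27-0x0000000000400000-0x0000000000427000-memory.dmp upx
behavioral1/memory/756-328-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon
behavioral1/memory/756-630-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon
behavioral1/memory/1480-314-0x00000000002C0000-0x00000000002E7000-memory.dmp upx
"""

MEM_RE = re.compile(
    r"^(?P<task>\w+)/memory/(?P<pid>\d+)-(?P<idx>\d+)-"
    r"0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp\s+(?P<rule>\S+)$"
)
FILE_RE = re.compile(
    r"^(?P<task>\w+)/files/(?P<key>0x[0-9A-Fa-f]+)-(?P<idx>\d+)\.dat\s+(?P<rule>\S+)$"
)


def parse_ioc(line):
    """Return a dict for one yara IoC line, or None if the line is not one."""
    m = MEM_RE.match(line)
    if m:
        start, end = int(m["start"], 16), int(m["end"], 16)
        return {"kind": "memory", "task": m["task"], "pid": int(m["pid"]),
                "idx": int(m["idx"]), "start": start, "end": end,
                "size": end - start, "rule": m["rule"]}
    m = FILE_RE.match(line)
    if m:
        return {"kind": "file", "task": m["task"], "key": m["key"],
                "idx": int(m["idx"]), "rule": m["rule"]}
    return None


def parse_iocs(text):
    """Parse every IoC line in a block of report text; non-IoC lines are skipped."""
    return [r for r in (parse_ioc(l.strip()) for l in text.splitlines()) if r]


def rules_per_dump(iocs):
    """One record per dump: (pid, dump index) -> set of rules that hit it.
    The dump index, not the PID, identifies a dump: in this report the same PID
    recurs after the process has exited and the PID has been handed out again."""
    per = defaultdict(set)
    for r in iocs:
        if r["kind"] == "memory":
            per[(r["pid"], r["idx"])].add(r["rule"])
    return dict(per)


def region_classes(iocs):
    """Count memory hits by (base address, region size). One (base, size) that
    recurs across many PIDs is the same mapped image re-executed under new names."""
    counts = defaultdict(int)
    for r in iocs:
        if r["kind"] == "memory":
            counts[(r["start"], r["size"])] += 1
    return dict(counts)


def dumps_matching_all(iocs, rules):
    """Dumps hit by every rule in `rules`, e.g. by the packer and the family rule."""
    want = set(rules)
    return sorted(k for k, v in rules_per_dump(iocs).items() if want <= v)


def pids_with_multiple_dumps(iocs):
    """PIDs seen with more than one dump index; check the process tree before
    treating these as one process."""
    seen = defaultdict(set)
    for r in iocs:
        if r["kind"] == "memory":
            seen[r["pid"]].add(r["idx"])
    return {pid: sorted(ix) for pid, ix in seen.items() if len(ix) > 1}


if __name__ == "__main__":
    iocs = parse_iocs(SAMPLE)
    print(region_classes(iocs))
    print(dumps_matching_all(iocs, ["upx", "family_blackmoon"]))
    print(pids_with_multiple_dumps(iocs))
```

On the full report the recurring class is (0x400000, 0x27000): every dropped executable is the same 0x27000-byte image mapped at the same base, and the family rule also fires on dumps that the packer rule matched, so a "family" hit here does not by itself mean the code was unpacked in that dump. The hits at 0x220000, 0x230000 and 0x2C0000 are the ones outside the image mapping.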
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.
Every entry is the same key, \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (the resolved form of HKLM\SYSTEM\CurrentControlSet\Control\NLS\Language), opened by each of the following 64 processes:
tbrhfx.exe, pxrtb.exe, pbbbx.exe, dhrrd.exe, tlnhr.exe, lpbnjf.exe, nvfpf.exe, pjntl.exe,
ffnjpll.exe, llnbhvb.exe, rprflv.exe, dvjdjnl.exe, fbldd.exe, ntxnvfx.exe, bfvrb.exe, hxvpr.exe,
hfbbfnt.exe, dtvhr.exe, lljhr.exe, brjjb.exe, bbjhj.exe, xvfbljv.exe, fpptxdx.exe, tpnbxt.exe,
jrxftnn.exe, xvxhbvh.exe, vvjlvn.exe, bbbdhtb.exe, ptpthx.exe, trvnx.exe, fjnfht.exe, rrbjnfr.exe,
nrhfrbd.exe, rpbjjtl.exe, hnrrx.exe, tvvxfn.exe, fvxtrjl.exe, vjpxvh.exe, txdxbtb.exe, jvfdf.exe,
dtdntpr.exe, dfxfb.exe, jpdfn.exe, blfpnxb.exe, vjbfhhd.exe, bdxrtpj.exe, vrvljlp.exe, hrxxd.exe,
fxdtd.exe, jbhldf.exe, nbfjv.exe, vdhrfp.exe, pfpndpf.exe, xxvtlnx.exe, xjjhbb.exe, xblvxvj.exe,
trfxvhb.exe, bdfdnp.exe, xhbhlt.exe, jjrbffb.exe, rtnrnfn.exe, fbrpvd.exe, pvxbdjx.exe, hlxtrlb.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Each parent/child pair below is logged four times (four separate writes into the same target process). Every write in this trace goes from a process into the child it has just created, matching levels 1 to 17 of the process tree; a parent writing process parameters into a freshly created child is what process start-up looks like to this hook, so this signature on its own is not evidence of injection into a foreign process.
source PID  source process  wrote to memory of  procid_target  entries
1968  816cf026b79a8709e2b6f032c67ceb77eecfc31a6bf8e47951af040da2270962.exe  2556  30  4
2556  rxvtr.exe    756   31  4
756   bvlrxbh.exe  1124  32  4
1124  jrvpplp.exe  2872  33  4
2872  rbbtd.exe    644   34  4
644   dtdntpr.exe  2972  35  4
2972  hdjpffr.exe  2052  36  4
2052  nrhfrbd.exe  2896  37  4
2896  bbjhj.exe    2796  38  4
2796  dddxpvp.exe  2448  39  4
2448  xhnrlx.exe   2784  40  4
2784  rpbjjtl.exe  2420  41  4
2420  fbldd.exe    2968  42  4
2968  xjjhbb.exe   2092  43  4
2092  bpjhxn.exe   1672  44  4
1672  jnxbf.exe    2216  45  4
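The WriteProcessMemory IoCs and the process tree describe the same chain from two angles, and the useful check is to compare them: a write edge that is not parent-to-own-child is the one that would matter, and a PID that occurs at several tree levels is several processes, not one. The following is an added example (not part of the sandbox report or of any vendor tooling) that parses "PID X wrote to memory of Y" lines in the form shown above, derives parent/child pairs from tree nesting levels, follows the chain, and reports write edges that fall outside it. The input consists of the first three parent/child pairs from this report plus one constructed line (2556 writing into 1968) that is not in the report and is included only to show the detection path; the tree rows are copied from the report.

```python
import re
from collections import Counter, defaultdict

# Sample input, constructed for this example: the first three parent/child pairs
# of the report's WriteProcessMemory IoCs (each logged four times, as in the
# report) plus ONE made-up line (2556 -> 1968) that is NOT in the report.
WPM_LOG = """\
PID 1968 wrote to memory of 2556 1968 816cf026b79a8709e2b6f032c67ceb77eecfc31a6bf8e47951af040da2270962.exe 30
PID 1968 wrote to memory of 2556 1968 816cf026b79a8709e2b6f032c67ceb77eecfc31a6bf8e47951af040da2270962.exe 30
PID 1968 wrote to memory of 2556 1968 816cf026b79a8709e2b6f032c67ceb77eecfc31a6bf8e47951af040da2270962.exe 30
PID 1968 wrote to memory of 2556 1968 816cf026b79a8709e2b6f032c67ceb77eecfc31a6bf8e47951af040da2270962.exe 30
PID 2556 wrote to memory of 756 2556 rxvtr.exe 31
PID 2556 wrote to memory of 756 2556 rxvtr.exe 31
PID 2556 wrote to memory of 756 2556 rxvtr.exe 31
PID 2556 wrote to memory of 756 2556 rxvtr.exe 31
PID 756 wrote to memory of 1124 756 bvlrxbh.exe 32
PID 756 wrote to memory of 1124 756 bvlrxbh.exe 32
PID 756 wrote to memory of 1124 756 bvlrxbh.exe 32
PID 756 wrote to memory of 1124 756 bvlrxbh.exe 32
PID 2556 wrote to memory of 1968 2556 rxvtr.exe 29
"""

# Process-tree rows (level, pid, image) copied from the report. The level is the
# nesting depth; a process at level n is the child of the process at level n-1.
PROC_TREE = [
    (1, 1968, "816cf026b79a8709e2b6f032c67ceb77eecfc31a6bf8e47951af040da2270962.exe"),
    (2, 2556, "rxvtr.exe"), (3, 756, "bvlrxbh.exe"), (4, 1124, "jrvpplp.exe"),
    (17, 2216, "jjfxjv.exe"), (38, 756, "hjrvb.exe"),
    (54, 2216, "ldrbtjl.exe"), (83, 756, "btbhn.exe"),
]

WPM_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P=src) (?P<image>\S+) (?P<target>\d+)$",
    re.M,
)


def parse_writes(text):
    """Return ({(src_pid, dst_pid): count}, {src_pid: image}) from the log lines."""
    edges, images = Counter(), {}
    for m in WPM_RE.finditer(text):
        src, dst = int(m["src"]), int(m["dst"])
        edges[(src, dst)] += 1
        images[src] = m["image"]
    return edges, images


def spawn_pairs(tree):
    """(parent, child) pairs implied by consecutive nesting levels in the tree."""
    by_level = {level: pid for level, pid, _ in tree}
    return {(by_level[l - 1], pid) for l, pid in by_level.items() if l - 1 in by_level}


def follow_chain(edges, root):
    """Walk write edges from root until a leaf or an already-visited PID
    (a revisit means the PID was reused, not a real loop)."""
    children = defaultdict(list)
    for src, dst in edges:
        children[src].append(dst)
    chain, seen = [root], {root}
    while children[chain[-1]]:
        nxt = children[chain[-1]][0]
        if nxt in seen:
            break
        chain.append(nxt)
        seen.add(nxt)
    return chain


def writes_outside_spawn(edges, spawns):
    """Write edges that are not parent -> own child. A parent writing into the
    child it has just created is process start-up in this log; anything else
    is the case worth examining."""
    return sorted(e for e in edges if e not in spawns)


def reused_pids(tree):
    """PIDs that occur at more than one tree level: distinct processes, not one."""
    by_pid = defaultdict(list)
    for level, pid, image in tree:
        by_pid[pid].append((level, image))
    return {pid: v for pid, v in by_pid.items() if len(v) > 1}


if __name__ == "__main__":
    edges, images = parse_writes(WPM_LOG)
    print(follow_chain(edges, 1968))
    print(writes_outside_spawn(edges, spawn_pairs(PROC_TREE)))
    print(reused_pids(PROC_TREE))
```

Run against the full report, the chain from 1968 is the first 17 tree levels and the out-of-chain list is empty; the reused-PID map is not (756, 2216, 2896, 2548, 296 and others recur), which is why memory dumps and tree entries should be correlated on PID plus dump index or process name rather than PID alone.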
Processes
Columns: level (nesting depth; each process is the child of the one on the line above it), PID, image path, command line, signatures.
Signature keys: EDE = Executes dropped EXE, SLD = System Location Discovery: System Language Discovery, WPM = Suspicious use of WriteProcessMemory. Each signature is capped at 64 IoCs, so from level 66 on the dropped executables carry no EDE tag even though they continue the same chain.

  1  PID 1968  C:\Users\Admin\AppData\Local\Temp\816cf026b79a8709e2b6f032c67ceb77eecfc31a6bf8e47951af040da2270962.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\816cf026b79a8709e2b6f032c67ceb77eecfc31a6bf8e47951af040da2270962.exe"  [WPM]
  2  PID 2556  \??\c:\rxvtr.exe  cmdline: c:\rxvtr.exe  [EDE, WPM]
  3  PID 756   \??\c:\bvlrxbh.exe  cmdline: c:\bvlrxbh.exe  [EDE, WPM]
  4  PID 1124  \??\c:\jrvpplp.exe  cmdline: c:\jrvpplp.exe  [EDE, WPM]
  5  PID 2872  \??\c:\rbbtd.exe  cmdline: c:\rbbtd.exe  [EDE, WPM]
  6  PID 644   \??\c:\dtdntpr.exe  cmdline: c:\dtdntpr.exe  [EDE, SLD, WPM]
  7  PID 2972  \??\c:\hdjpffr.exe  cmdline: c:\hdjpffr.exe  [EDE, WPM]
  8  PID 2052  \??\c:\nrhfrbd.exe  cmdline: c:\nrhfrbd.exe  [EDE, SLD, WPM]
  9  PID 2896  \??\c:\bbjhj.exe  cmdline: c:\bbjhj.exe  [EDE, SLD, WPM]
 10  PID 2796  \??\c:\dddxpvp.exe  cmdline: c:\dddxpvp.exe  [EDE, WPM]
 11  PID 2448  \??\c:\xhnrlx.exe  cmdline: c:\xhnrlx.exe  [EDE, WPM]
 12  PID 2784  \??\c:\rpbjjtl.exe  cmdline: c:\rpbjjtl.exe  [EDE, SLD, WPM]
 13  PID 2420  \??\c:\fbldd.exe  cmdline: c:\fbldd.exe  [EDE, SLD, WPM]
 14  PID 2968  \??\c:\xjjhbb.exe  cmdline: c:\xjjhbb.exe  [EDE, SLD, WPM]
 15  PID 2092  \??\c:\bpjhxn.exe  cmdline: c:\bpjhxn.exe  [EDE, WPM]
 16  PID 1672  \??\c:\jnxbf.exe  cmdline: c:\jnxbf.exe  [EDE, WPM]
 17  PID 2216  \??\c:\jjfxjv.exe  cmdline: c:\jjfxjv.exe  [EDE]
 18  PID 396   \??\c:\hvpnpjj.exe  cmdline: c:\hvpnpjj.exe  [EDE]
 19  PID 2304  \??\c:\nfxrdj.exe  cmdline: c:\nfxrdj.exe  [EDE]
 20  PID 2148  \??\c:\fxdtd.exe  cmdline: c:\fxdtd.exe  [EDE, SLD]
 21  PID 2144  \??\c:\lxlrthb.exe  cmdline: c:\lxlrthb.exe  [EDE]
 22  PID 2320  \??\c:\ppxpxn.exe  cmdline: c:\ppxpxn.exe  [EDE]
 23  PID 2244  \??\c:\pvxtxx.exe  cmdline: c:\pvxtxx.exe  [EDE]
 24  PID 1044  \??\c:\hhjttxp.exe  cmdline: c:\hhjttxp.exe  [EDE]
 25  PID 1440  \??\c:\nrlpb.exe  cmdline: c:\nrlpb.exe  [EDE]
 26  PID 2536  \??\c:\bxjjrt.exe  cmdline: c:\bxjjrt.exe  [EDE]
 27  PID 1704  \??\c:\ntthnrr.exe  cmdline: c:\ntthnrr.exe  [EDE]
 28  PID 1004  \??\c:\dfxfb.exe  cmdline: c:\dfxfb.exe  [EDE, SLD]
 29  PID 112   \??\c:\ddvtf.exe  cmdline: c:\ddvtf.exe  [EDE]
 30  PID 1608  \??\c:\fnbftf.exe  cmdline: c:\fnbftf.exe  [EDE]
 31  PID 2476  \??\c:\btnxj.exe  cmdline: c:\btnxj.exe  [EDE]
 32  PID 1020  \??\c:\phjxr.exe  cmdline: c:\phjxr.exe  [EDE]
 33  PID 2164  \??\c:\hhjtrv.exe  cmdline: c:\hhjtrv.exe  [EDE]
 34  PID 1528  \??\c:\prbdvf.exe  cmdline: c:\prbdvf.exe  [EDE]
 35  PID 1480  \??\c:\llprr.exe  cmdline: c:\llprr.exe  [EDE]
 36  PID 2060  \??\c:\vtvxl.exe  cmdline: c:\vtvxl.exe  [EDE]
 37  PID 2396  \??\c:\pjdbnfv.exe  cmdline: c:\pjdbnfv.exe  [EDE]
 38  PID 756   \??\c:\hjrvb.exe  cmdline: c:\hjrvb.exe  [EDE]
 39  PID 2940  \??\c:\vnptv.exe  cmdline: c:\vnptv.exe  [EDE]
 40  PID 2856  \??\c:\nfnjfn.exe  cmdline: c:\nfnjfn.exe  [EDE]
 41  PID 3020  \??\c:\vbxhh.exe  cmdline: c:\vbxhh.exe  [EDE]
 42  PID 2680  \??\c:\nbhfff.exe  cmdline: c:\nbhfff.exe  [EDE]
 43  PID 816   \??\c:\tfvbrh.exe  cmdline: c:\tfvbrh.exe  [EDE]
 44  PID 2740  \??\c:\nfjnvrr.exe  cmdline: c:\nfjnvrr.exe  [EDE]
 45  PID 2844  \??\c:\dhphx.exe  cmdline: c:\dhphx.exe  [EDE]
 46  PID 2992  \??\c:\xhvff.exe  cmdline: c:\xhvff.exe  [EDE]
 47  PID 1344  \??\c:\tldhxjj.exe  cmdline: c:\tldhxjj.exe  [EDE]
 48  PID 2080  \??\c:\xvfbljv.exe  cmdline: c:\xvfbljv.exe  [EDE, SLD]
 49  PID 2324  \??\c:\nxtdbd.exe  cmdline: c:\nxtdbd.exe  [EDE]
 50  PID 2792  \??\c:\dflrxfp.exe  cmdline: c:\dflrxfp.exe  [EDE]
 51  PID 2548  \??\c:\lpfddr.exe  cmdline: c:\lpfddr.exe  [EDE]
 52  PID 296   \??\c:\jrxnhbr.exe  cmdline: c:\jrxnhbr.exe  [EDE]
 53  PID 2288  \??\c:\tjvxr.exe  cmdline: c:\tjvxr.exe  [EDE]
 54  PID 2216  \??\c:\ldrbtjl.exe  cmdline: c:\ldrbtjl.exe  [EDE]
 55  PID 1840  \??\c:\xhfxxxj.exe  cmdline: c:\xhfxxxj.exe  [EDE]
 56  PID 1648  \??\c:\ldffbx.exe  cmdline: c:\ldffbx.exe  [EDE]
 57  PID 2276  \??\c:\rftxfrx.exe  cmdline: c:\rftxfrx.exe  [EDE]
 58  PID 836   \??\c:\nbllhbt.exe  cmdline: c:\nbllhbt.exe  [EDE]
 59  PID 1932  \??\c:\lrjttlx.exe  cmdline: c:\lrjttlx.exe  [EDE]
 60  PID 2296  \??\c:\pvfhj.exe  cmdline: c:\pvfhj.exe  [EDE]
 61  PID 1276  \??\c:\vxhfj.exe  cmdline: c:\vxhfj.exe  [EDE]
 62  PID 1144  \??\c:\xvnbbhp.exe  cmdline: c:\xvnbbhp.exe  [EDE]
 63  PID 1564  \??\c:\jrjjpf.exe  cmdline: c:\jrjjpf.exe  [EDE]
 64  PID 888   \??\c:\lvlntrv.exe  cmdline: c:\lvlntrv.exe  [EDE]
 65  PID 2492  \??\c:\dlttf.exe  cmdline: c:\dlttf.exe  [EDE]
 66  PID 2436  \??\c:\rrxttvl.exe  cmdline: c:\rrxttvl.exe
 67  PID 1432  \??\c:\xvxhbvh.exe  cmdline: c:\xvxhbvh.exe  [SLD]
 68  PID 1372  \??\c:\ppxxjhx.exe  cmdline: c:\ppxxjhx.exe
 69  PID 796   \??\c:\hhxjrtx.exe  cmdline: c:\hhxjrtx.exe
 70  PID 700   \??\c:\rvvnddn.exe  cmdline: c:\rvvnddn.exe
 71  PID 1548  \??\c:\prxpbnt.exe  cmdline: c:\prxpbnt.exe
 72  PID 940   \??\c:\pvlhr.exe  cmdline: c:\pvlhr.exe
 73  PID 1972  \??\c:\bdxrtpj.exe  cmdline: c:\bdxrtpj.exe  [SLD]
 74  PID 2208  \??\c:\nhjvrfn.exe  cmdline: c:\nhjvrfn.exe
 75  PID 1032  \??\c:\vjnvj.exe  cmdline: c:\vjnvj.exe
 76  PID 892   \??\c:\fhfxrfb.exe  cmdline: c:\fhfxrfb.exe
 77  PID 896   \??\c:\fnjlbv.exe  cmdline: c:\fnjlbv.exe
 78  PID 2568  \??\c:\vjplfjt.exe  cmdline: c:\vjplfjt.exe
 79  PID 1620  \??\c:\bttnh.exe  cmdline: c:\bttnh.exe
 80  PID 924   \??\c:\fddfltx.exe  cmdline: c:\fddfltx.exe
 81  PID 2104  \??\c:\hfbrn.exe  cmdline: c:\hfbrn.exe
 82  PID 1272  \??\c:\plttx.exe  cmdline: c:\plttx.exe
 83  PID 756   \??\c:\btbhn.exe  cmdline: c:\btbhn.exe
 84  PID 2732  \??\c:\ntxnvfx.exe  cmdline: c:\ntxnvfx.exe  [SLD]
 85  PID 2924  \??\c:\vrbdd.exe  cmdline: c:\vrbdd.exe
 86  PID 2840  \??\c:\jhpxdl.exe  cmdline: c:\jhpxdl.exe
 87  PID 2960  \??\c:\drjxfjr.exe  cmdline: c:\drjxfjr.exe
 88  PID 2780  \??\c:\nvdfbr.exe  cmdline: c:\nvdfbr.exe
 89  PID 2896  \??\c:\pdvjl.exe  cmdline: c:\pdvjl.exe
 90  PID 2948  \??\c:\htpntbd.exe  cmdline: c:\htpntbd.exe
 91  PID 1632  \??\c:\nphlr.exe  cmdline: c:\nphlr.exe
 92  PID 2508  \??\c:\hpjpln.exe  cmdline: c:\hpjpln.exe
 93  PID 3028  \??\c:\fjvvxth.exe  cmdline: c:\fjvvxth.exe
 94  PID 1884  \??\c:\tjffv.exe  cmdline: c:\tjffv.exe
 95  PID 1660  \??\c:\fvrxjxb.exe  cmdline: c:\fvrxjxb.exe
 96  PID 2348  \??\c:\hnrjx.exe  cmdline: c:\hnrjx.exe
 97  PID 2548  \??\c:\lrdvtrj.exe  cmdline: c:\lrdvtrj.exe
 98  PID 296   \??\c:\hbrdbb.exe  cmdline: c:\hbrdbb.exe
 99  PID 1900  \??\c:\nvvlp.exe  cmdline: c:\nvvlp.exe
100  PID 2268  \??\c:\btdbxbj.exe  cmdline: c:\btdbxbj.exe
101  PID 1908  \??\c:\pfnxbtp.exe  cmdline: c:\pfnxbtp.exe
102  PID 1748  \??\c:\rfhfjbr.exe  cmdline: c:\rfhfjbr.exe
103  PID 2276  \??\c:\jjtjt.exe  cmdline: c:\jjtjt.exe
104  PID 2148  \??\c:\xxjlrh.exe  cmdline: c:\xxjlrh.exe
105  PID 1932  \??\c:\bptft.exe  cmdline: c:\bptft.exe
106  PID 856   \??\c:\xjlnxhf.exe  cmdline: c:\xjlnxhf.exe
107  PID 1276  \??\c:\xhlhrbd.exe  cmdline: c:\xhlhrbd.exe
108  PID 2248  \??\c:\rfrbd.exe  cmdline: c:\rfrbd.exe
109  PID 2520  \??\c:\xfvrp.exe  cmdline: c:\xfvrp.exe
110  PID 1708  \??\c:\lpfhtj.exe  cmdline: c:\lpfhtj.exe
111  PID 2492  \??\c:\rtxrvth.exe  cmdline: c:\rtxrvth.exe
112  PID 2436  \??\c:\vlxrb.exe  cmdline: c:\vlxrb.exe
113  PID 1432  \??\c:\ljrxvtt.exe  cmdline: c:\ljrxvtt.exe
114  PID 2700  \??\c:\nvdbrbf.exe  cmdline: c:\nvdbrbf.exe
115  PID 1664  \??\c:\lpxnl.exe  cmdline: c:\lpxnl.exe
116  PID 2504  \??\c:\jpdfn.exe  cmdline: c:\jpdfn.exe  [SLD]
117  PID 1548  \??\c:\nnxbhxb.exe  cmdline: c:\nnxbhxb.exe
118  PID 1684  \??\c:\nlblt.exe  cmdline: c:\nlblt.exe
119  PID 2620  \??\c:\brbjbbb.exe  cmdline: c:\brbjbbb.exe
120  PID 2208  \??\c:\ttlth.exe  cmdline: c:\ttlth.exe
121  PID 1072  \??\c:\rdhllf.exe  cmdline: c:\rdhllf.exe
122  PID 1236  \??\c:\fjpbn.exe  cmdline: c:\fjpbn.exe