Analysis
-
max time kernel
150s -
max time network
127s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64 arch:x86 image:win7-20241010-en locale:en-us os:windows7-x64 system -
submitted
23-12-2024 19:17
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
0887a98ad2e4c9016dc70d1946340294c1837e2a666407f17e3cc5c918980ea0.exe
Resource
win7-20241010-en
windows7-x64
7 signatures
150 seconds
General
-
Target
0887a98ad2e4c9016dc70d1946340294c1837e2a666407f17e3cc5c918980ea0.exe
-
Size
454KB
-
MD5
2c730cd47a602fc4d13a2686a9dd5bd9
-
SHA1
be734adb93753935dca282c4fd06dd90c4fbfb60
-
SHA256
0887a98ad2e4c9016dc70d1946340294c1837e2a666407f17e3cc5c918980ea0
-
SHA512
00a5897997e1432b76af169e9d9f65311a001155cac62670992a4424fb6035a9474a6065b5ea1a5d7383ac04d8080cb3cd2c50754a17bc2daf194bc43db8ed7f
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe7W:q7Tc2NYHUrAwfMp3CDC
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 43 IoCs
resource yara_rule behavioral1/memory/2368-8-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1300-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2620-21-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1980-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2124-46-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2452-56-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2452-58-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2824-87-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1276-84-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2728-103-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2412-114-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2412-113-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/1984-125-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1548-134-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2112-151-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3044-170-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2360-196-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3040-206-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1864-215-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1744-227-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1744-234-0x00000000002A0000-0x00000000002CA000-memory.dmp family_blackmoon 
behavioral1/memory/2140-253-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/760-265-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1824-289-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2116-298-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2584-319-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2508-333-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2188-355-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1992-424-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1992-430-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/660-446-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1148-466-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2072-487-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1048-524-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3000-531-0x0000000000230000-0x000000000025A000-memory.dmp family_blackmoon behavioral1/memory/2680-657-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2844-663-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2680-681-0x00000000003D0000-0x00000000003FA000-memory.dmp family_blackmoon behavioral1/memory/1960-680-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2832-695-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1656-722-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3020-755-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon 
behavioral1/memory/1016-789-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1300 vjvxlp.exe 2620 nthppnr.exe 1980 ljxjp.exe 2124 jfxrbn.exe 2452 flvtxd.exe 2900 dftrtpr.exe 2788 jhxbx.exe 1276 ldthdxh.exe 2824 lpbndpl.exe 2728 jnbbv.exe 2412 fnntt.exe 1984 bvrdr.exe 1548 fbjhvrv.exe 2884 hhhpjd.exe 2112 ldhrr.exe 2540 brhjxx.exe 1148 htpbt.exe 3044 pxhphnd.exe 3020 flrntlj.exe 2360 jfjbxt.exe 3040 fvfxt.exe 1864 hfdhp.exe 616 lvfvtb.exe 1744 jldltxx.exe 1752 bhlhvj.exe 2140 hdrpnfd.exe 1364 txjlfdn.exe 760 tplvx.exe 2316 xvxlxf.exe 1824 jdfddt.exe 2116 ddfxrl.exe 1236 hdxdtp.exe 1564 dpnrx.exe 2584 vrjltn.exe 1796 jhtljfx.exe 2508 fjflpxn.exe 3060 dxlpll.exe 2440 xjfvdj.exe 2188 xhprh.exe 2928 txrlr.exe 3056 rtpfx.exe 2904 rfjfvl.exe 2816 xpxpv.exe 2656 hxrdfrf.exe 2716 tdjrh.exe 1868 dfrhxxf.exe 1960 bjjfrr.exe 2296 hhtrdfd.exe 2840 jhfdvt.exe 2892 lnxfhxd.exe 1992 djnbl.exe 1008 lljjnd.exe 660 dpjvxh.exe 2012 tlpbjb.exe 2040 hvdphf.exe 1148 bxdjjnv.exe 3044 bdljvx.exe 2420 pjntdh.exe 2072 jnjtnf.exe 916 hrbtl.exe 3040 npnbjd.exe 1864 xtjlvb.exe 3016 nxjttdn.exe 2548 rtbbj.exe -
resource yara_rule behavioral1/memory/2368-0-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2368-8-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1300-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2620-21-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1980-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2124-46-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2452-58-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2824-87-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1276-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2728-103-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2412-114-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1984-125-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1548-134-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2112-151-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3044-170-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3020-179-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2360-188-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2360-196-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1864-207-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3040-206-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1864-215-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1744-227-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2140-246-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2140-253-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/760-265-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1824-289-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2116-298-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2584-319-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2508-333-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3060-334-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2440-342-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2188-355-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1992-424-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1992-430-0x00000000003A0000-0x00000000003CA000-memory.dmp upx behavioral1/memory/660-446-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1148-466-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2420-473-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2072-487-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1048-524-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/544-545-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2128-577-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1660-591-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2680-650-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2680-657-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2684-666-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1388-673-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1960-680-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2832-695-0x0000000000220000-0x000000000024A000-memory.dmp upx 
behavioral1/memory/1656-722-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2144-736-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1016-781-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer that host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbhrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dfbrv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hfjlnfd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nlxpl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vhjprd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djfhlvl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lvfvvf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tjxrnj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfxtntp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnjvxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nxhxt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ljnjb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvfxnvl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language brnjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjjhx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrtjl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language njdddl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ldnlpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language trlfdrt.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lddxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjhbhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bxvfbxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language blffrpf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ltfvb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ndvvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hfdhp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tljlddv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dhhhvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bfbhpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2368 wrote to memory of 1300 2368 0887a98ad2e4c9016dc70d1946340294c1837e2a666407f17e3cc5c918980ea0.exe 30 PID 2368 wrote to memory of 1300 2368 0887a98ad2e4c9016dc70d1946340294c1837e2a666407f17e3cc5c918980ea0.exe 30 PID 2368 wrote to memory of 1300 2368 0887a98ad2e4c9016dc70d1946340294c1837e2a666407f17e3cc5c918980ea0.exe 30 PID 2368 wrote to memory of 1300 2368 0887a98ad2e4c9016dc70d1946340294c1837e2a666407f17e3cc5c918980ea0.exe 30 PID 1300 wrote to memory of 2620 1300 vjvxlp.exe 31 PID 1300 wrote to memory of 2620 1300 vjvxlp.exe 31 PID 1300 wrote to memory of 2620 1300 vjvxlp.exe 31 PID 1300 wrote to memory of 2620 1300 vjvxlp.exe 31 PID 2620 wrote to memory of 1980 2620 nthppnr.exe 32 PID 2620 wrote to memory of 1980 2620 nthppnr.exe 32 PID 2620 wrote to memory of 1980 2620 nthppnr.exe 32 PID 2620 wrote to memory of 1980 2620 nthppnr.exe 32 PID 1980 wrote to memory of 2124 1980 ljxjp.exe 33 PID 1980 wrote to memory of 2124 1980 ljxjp.exe 33 PID 1980 wrote to memory of 2124 1980 ljxjp.exe 33 PID 1980 wrote to memory of 2124 1980 ljxjp.exe 33 PID 2124 wrote to memory of 2452 2124 jfxrbn.exe 34 PID 2124 wrote to memory of 2452 2124 jfxrbn.exe 34 PID 2124 wrote to memory of 2452 2124 jfxrbn.exe 34 PID 2124 wrote to memory of 2452 2124 jfxrbn.exe 34 PID 2452 wrote to memory of 2900 2452 flvtxd.exe 35 PID 2452 wrote to memory of 2900 2452 flvtxd.exe 35 PID 2452 wrote to memory of 2900 2452 flvtxd.exe 35 PID 2452 wrote to memory of 2900 2452 flvtxd.exe 35 PID 2900 wrote to memory of 2788 2900 dftrtpr.exe 36 PID 2900 wrote to memory of 2788 2900 dftrtpr.exe 36 PID 2900 wrote to memory of 2788 2900 dftrtpr.exe 36 PID 2900 wrote to memory of 2788 2900 dftrtpr.exe 36 PID 2788 wrote to memory of 1276 2788 jhxbx.exe 37 PID 2788 wrote to memory of 1276 2788 jhxbx.exe 37 PID 2788 wrote to memory of 1276 2788 jhxbx.exe 37 PID 2788 wrote to memory of 1276 2788 jhxbx.exe 37 PID 1276 wrote to memory of 2824 1276 ldthdxh.exe 38 PID 1276 
wrote to memory of 2824 1276 ldthdxh.exe 38 PID 1276 wrote to memory of 2824 1276 ldthdxh.exe 38 PID 1276 wrote to memory of 2824 1276 ldthdxh.exe 38 PID 2824 wrote to memory of 2728 2824 lpbndpl.exe 39 PID 2824 wrote to memory of 2728 2824 lpbndpl.exe 39 PID 2824 wrote to memory of 2728 2824 lpbndpl.exe 39 PID 2824 wrote to memory of 2728 2824 lpbndpl.exe 39 PID 2728 wrote to memory of 2412 2728 jnbbv.exe 40 PID 2728 wrote to memory of 2412 2728 jnbbv.exe 40 PID 2728 wrote to memory of 2412 2728 jnbbv.exe 40 PID 2728 wrote to memory of 2412 2728 jnbbv.exe 40 PID 2412 wrote to memory of 1984 2412 fnntt.exe 41 PID 2412 wrote to memory of 1984 2412 fnntt.exe 41 PID 2412 wrote to memory of 1984 2412 fnntt.exe 41 PID 2412 wrote to memory of 1984 2412 fnntt.exe 41 PID 1984 wrote to memory of 1548 1984 bvrdr.exe 42 PID 1984 wrote to memory of 1548 1984 bvrdr.exe 42 PID 1984 wrote to memory of 1548 1984 bvrdr.exe 42 PID 1984 wrote to memory of 1548 1984 bvrdr.exe 42 PID 1548 wrote to memory of 2884 1548 fbjhvrv.exe 43 PID 1548 wrote to memory of 2884 1548 fbjhvrv.exe 43 PID 1548 wrote to memory of 2884 1548 fbjhvrv.exe 43 PID 1548 wrote to memory of 2884 1548 fbjhvrv.exe 43 PID 2884 wrote to memory of 2112 2884 hhhpjd.exe 44 PID 2884 wrote to memory of 2112 2884 hhhpjd.exe 44 PID 2884 wrote to memory of 2112 2884 hhhpjd.exe 44 PID 2884 wrote to memory of 2112 2884 hhhpjd.exe 44 PID 2112 wrote to memory of 2540 2112 ldhrr.exe 45 PID 2112 wrote to memory of 2540 2112 ldhrr.exe 45 PID 2112 wrote to memory of 2540 2112 ldhrr.exe 45 PID 2112 wrote to memory of 2540 2112 ldhrr.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\0887a98ad2e4c9016dc70d1946340294c1837e2a666407f17e3cc5c918980ea0.exe"C:\Users\Admin\AppData\Local\Temp\0887a98ad2e4c9016dc70d1946340294c1837e2a666407f17e3cc5c918980ea0.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2368 -
\??\c:\vjvxlp.exec:\vjvxlp.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1300 -
\??\c:\nthppnr.exec:\nthppnr.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2620 -
\??\c:\ljxjp.exec:\ljxjp.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1980 -
\??\c:\jfxrbn.exec:\jfxrbn.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2124 -
\??\c:\flvtxd.exec:\flvtxd.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2452 -
\??\c:\dftrtpr.exec:\dftrtpr.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2900 -
\??\c:\jhxbx.exec:\jhxbx.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2788 -
\??\c:\ldthdxh.exec:\ldthdxh.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1276 -
\??\c:\lpbndpl.exec:\lpbndpl.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2824 -
\??\c:\jnbbv.exec:\jnbbv.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2728 -
\??\c:\fnntt.exec:\fnntt.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2412 -
\??\c:\bvrdr.exec:\bvrdr.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1984 -
\??\c:\fbjhvrv.exec:\fbjhvrv.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1548 -
\??\c:\hhhpjd.exec:\hhhpjd.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2884 -
\??\c:\ldhrr.exec:\ldhrr.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2112 -
\??\c:\brhjxx.exec:\brhjxx.exe17⤵
- Executes dropped EXE
PID:2540 -
\??\c:\htpbt.exec:\htpbt.exe18⤵
- Executes dropped EXE
PID:1148 -
\??\c:\pxhphnd.exec:\pxhphnd.exe19⤵
- Executes dropped EXE
PID:3044 -
\??\c:\flrntlj.exec:\flrntlj.exe20⤵
- Executes dropped EXE
PID:3020 -
\??\c:\jfjbxt.exec:\jfjbxt.exe21⤵
- Executes dropped EXE
PID:2360 -
\??\c:\fvfxt.exec:\fvfxt.exe22⤵
- Executes dropped EXE
PID:3040 -
\??\c:\hfdhp.exec:\hfdhp.exe23⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1864 -
\??\c:\lvfvtb.exec:\lvfvtb.exe24⤵
- Executes dropped EXE
PID:616 -
\??\c:\jldltxx.exec:\jldltxx.exe25⤵
- Executes dropped EXE
PID:1744 -
\??\c:\bhlhvj.exec:\bhlhvj.exe26⤵
- Executes dropped EXE
PID:1752 -
\??\c:\hdrpnfd.exec:\hdrpnfd.exe27⤵
- Executes dropped EXE
PID:2140 -
\??\c:\txjlfdn.exec:\txjlfdn.exe28⤵
- Executes dropped EXE
PID:1364 -
\??\c:\tplvx.exec:\tplvx.exe29⤵
- Executes dropped EXE
PID:760 -
\??\c:\xvxlxf.exec:\xvxlxf.exe30⤵
- Executes dropped EXE
PID:2316 -
\??\c:\jdfddt.exec:\jdfddt.exe31⤵
- Executes dropped EXE
PID:1824 -
\??\c:\ddfxrl.exec:\ddfxrl.exe32⤵
- Executes dropped EXE
PID:2116 -
\??\c:\hdxdtp.exec:\hdxdtp.exe33⤵
- Executes dropped EXE
PID:1236 -
\??\c:\dpnrx.exec:\dpnrx.exe34⤵
- Executes dropped EXE
PID:1564 -
\??\c:\vrjltn.exec:\vrjltn.exe35⤵
- Executes dropped EXE
PID:2584 -
\??\c:\jhtljfx.exec:\jhtljfx.exe36⤵
- Executes dropped EXE
PID:1796 -
\??\c:\fjflpxn.exec:\fjflpxn.exe37⤵
- Executes dropped EXE
PID:2508 -
\??\c:\dxlpll.exec:\dxlpll.exe38⤵
- Executes dropped EXE
PID:3060 -
\??\c:\xjfvdj.exec:\xjfvdj.exe39⤵
- Executes dropped EXE
PID:2440 -
\??\c:\xhprh.exec:\xhprh.exe40⤵
- Executes dropped EXE
PID:2188 -
\??\c:\txrlr.exec:\txrlr.exe41⤵
- Executes dropped EXE
PID:2928 -
\??\c:\rtpfx.exec:\rtpfx.exe42⤵
- Executes dropped EXE
PID:3056 -
\??\c:\rfjfvl.exec:\rfjfvl.exe43⤵
- Executes dropped EXE
PID:2904 -
\??\c:\xpxpv.exec:\xpxpv.exe44⤵
- Executes dropped EXE
PID:2816 -
\??\c:\hxrdfrf.exec:\hxrdfrf.exe45⤵
- Executes dropped EXE
PID:2656 -
\??\c:\tdjrh.exec:\tdjrh.exe46⤵
- Executes dropped EXE
PID:2716 -
\??\c:\dfrhxxf.exec:\dfrhxxf.exe47⤵
- Executes dropped EXE
PID:1868 -
\??\c:\bjjfrr.exec:\bjjfrr.exe48⤵
- Executes dropped EXE
PID:1960 -
\??\c:\hhtrdfd.exec:\hhtrdfd.exe49⤵
- Executes dropped EXE
PID:2296 -
\??\c:\jhfdvt.exec:\jhfdvt.exe50⤵
- Executes dropped EXE
PID:2840 -
\??\c:\lnxfhxd.exec:\lnxfhxd.exe51⤵
- Executes dropped EXE
PID:2892 -
\??\c:\djnbl.exec:\djnbl.exe52⤵
- Executes dropped EXE
PID:1992 -
\??\c:\lljjnd.exec:\lljjnd.exe53⤵
- Executes dropped EXE
PID:1008 -
\??\c:\dpjvxh.exec:\dpjvxh.exe54⤵
- Executes dropped EXE
PID:660 -
\??\c:\tlpbjb.exec:\tlpbjb.exe55⤵
- Executes dropped EXE
PID:2012 -
\??\c:\hvdphf.exec:\hvdphf.exe56⤵
- Executes dropped EXE
PID:2040 -
\??\c:\bxdjjnv.exec:\bxdjjnv.exe57⤵
- Executes dropped EXE
PID:1148 -
\??\c:\bdljvx.exec:\bdljvx.exe58⤵
- Executes dropped EXE
PID:3044 -
\??\c:\pjntdh.exec:\pjntdh.exe59⤵
- Executes dropped EXE
PID:2420 -
\??\c:\jnjtnf.exec:\jnjtnf.exe60⤵
- Executes dropped EXE
PID:2072 -
\??\c:\hrbtl.exec:\hrbtl.exe61⤵
- Executes dropped EXE
PID:916 -
\??\c:\npnbjd.exec:\npnbjd.exe62⤵
- Executes dropped EXE
PID:3040 -
\??\c:\xtjlvb.exec:\xtjlvb.exe63⤵
- Executes dropped EXE
PID:1864 -
\??\c:\nxjttdn.exec:\nxjttdn.exe64⤵
- Executes dropped EXE
PID:3016 -
\??\c:\rtbbj.exec:\rtbbj.exe65⤵
- Executes dropped EXE
PID:2548 -
\??\c:\jrdxb.exec:\jrdxb.exe66⤵PID:1048
-
\??\c:\ttdphd.exec:\ttdphd.exe67⤵PID:3000
-
\??\c:\lrbjtxp.exec:\lrbjtxp.exe68⤵PID:1044
-
\??\c:\bhvdtr.exec:\bhvdtr.exe69⤵PID:1368
-
\??\c:\fhxbtrx.exec:\fhxbtrx.exe70⤵PID:544
-
\??\c:\bjpnhvh.exec:\bjpnhvh.exe71⤵PID:2260
-
\??\c:\jhrnd.exec:\jhrnd.exe72⤵PID:1580
-
\??\c:\nxxlb.exec:\nxxlb.exe73⤵PID:2488
-
\??\c:\vnlpr.exec:\vnlpr.exe74⤵PID:308
-
\??\c:\fvpfrb.exec:\fvpfrb.exe75⤵PID:2128
-
\??\c:\jthldvl.exec:\jthldvl.exe76⤵PID:1636
-
\??\c:\xvfjtf.exec:\xvfjtf.exe77⤵PID:1660
-
\??\c:\tdrrfp.exec:\tdrrfp.exe78⤵PID:1972
-
\??\c:\bxtflj.exec:\bxtflj.exe79⤵PID:832
-
\??\c:\pvrbxfd.exec:\pvrbxfd.exe80⤵PID:2500
-
\??\c:\bblbn.exec:\bblbn.exe81⤵PID:2744
-
\??\c:\jrhhpd.exec:\jrhhpd.exe82⤵PID:2212
-
\??\c:\jlpplj.exec:\jlpplj.exe83⤵PID:2796
-
\??\c:\xdfdrpt.exec:\xdfdrpt.exe84⤵PID:2900
-
\??\c:\bpjrtt.exec:\bpjrtt.exe85⤵PID:2768
-
\??\c:\lrltrp.exec:\lrltrp.exe86⤵PID:2680
-
\??\c:\dftnl.exec:\dftnl.exe87⤵PID:2844
-
\??\c:\rvrnxdx.exec:\rvrnxdx.exe88⤵PID:2684
-
\??\c:\lxvtldd.exec:\lxvtldd.exe89⤵PID:1388
-
\??\c:\xhtbrth.exec:\xhtbrth.exe90⤵PID:1960
-
\??\c:\bnpbh.exec:\bnpbh.exe91⤵PID:2832
-
\??\c:\nhpdh.exec:\nhpdh.exe92⤵PID:1036
-
\??\c:\phhnxb.exec:\phhnxb.exe93⤵PID:1784
-
\??\c:\txlhxv.exec:\txlhxv.exe94⤵PID:2560
-
\??\c:\tlxpxt.exec:\tlxpxt.exe95⤵PID:1600
-
\??\c:\jtjxtf.exec:\jtjxtf.exe96⤵PID:1656
-
\??\c:\vtxhft.exec:\vtxhft.exe97⤵PID:1764
-
\??\c:\bdppn.exec:\bdppn.exe98⤵PID:2144
-
\??\c:\hffxfl.exec:\hffxfl.exe99⤵PID:2284
-
\??\c:\fjtfhj.exec:\fjtfhj.exe100⤵PID:3020
-
\??\c:\rrhdr.exec:\rrhdr.exe101⤵PID:3028
-
\??\c:\fhvvhdn.exec:\fhvvhdn.exe102⤵PID:772
-
\??\c:\htlttlj.exec:\htlttlj.exe103⤵PID:788
-
\??\c:\tnpnd.exec:\tnpnd.exe104⤵PID:3040
-
\??\c:\bnpbht.exec:\bnpbht.exe105⤵PID:1016
-
\??\c:\bpbvtjv.exec:\bpbvtjv.exe106⤵PID:1340
-
\??\c:\dlrdv.exec:\dlrdv.exe107⤵PID:1872
-
\??\c:\ndfrdhf.exec:\ndfrdhf.exe108⤵PID:1752
-
\??\c:\drvbrjh.exec:\drvbrjh.exe109⤵PID:1672
-
\??\c:\tnjvxl.exec:\tnjvxl.exe110⤵
- System Location Discovery: System Language Discovery
PID:1528 -
\??\c:\ptlttv.exec:\ptlttv.exe111⤵PID:2240
-
\??\c:\ddrtlpj.exec:\ddrtlpj.exe112⤵PID:272
-
\??\c:\hjjhlrn.exec:\hjjhlrn.exe113⤵PID:1620
-
\??\c:\xjhbhph.exec:\xjhbhph.exe114⤵PID:2576
-
\??\c:\xvjth.exec:\xvjth.exe115⤵PID:2732
-
\??\c:\bdvrjlb.exec:\bdvrjlb.exe116⤵PID:2368
-
\??\c:\pxddlr.exec:\pxddlr.exe117⤵PID:2348
-
\??\c:\rpxbrrr.exec:\rpxbrrr.exe118⤵PID:2624
-
\??\c:\jfvdlt.exec:\jfvdlt.exe119⤵PID:2584
-
\??\c:\pldddh.exec:\pldddh.exe120⤵PID:1972
-
\??\c:\fjpff.exec:\fjpff.exe121⤵PID:2136
-
\??\c:\tbfxvpp.exec:\tbfxvpp.exe122⤵PID:2156