Analysis
-
max time kernel
120s -
max time network
19s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64 arch:x86 image:win7-20241010-en locale:en-us os:windows7-x64 system -
submitted
08/01/2025, 07:31
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
8302dc22ca50968a9d53bba9fd2f800d11e2b6e62ce771e2f9d9cfa6803d3988.exe
Resource
win7-20241010-en
7 signatures
120 seconds
General
-
Target
8302dc22ca50968a9d53bba9fd2f800d11e2b6e62ce771e2f9d9cfa6803d3988.exe
-
Size
454KB
-
MD5
20b0b7432eb483956423590cb15b1b66
-
SHA1
9e52b1e41407bae74996d7376b3f7219e08a7b5b
-
SHA256
8302dc22ca50968a9d53bba9fd2f800d11e2b6e62ce771e2f9d9cfa6803d3988
-
SHA512
3f176395a2540b683cb53367ec192eb1cd2d23f527ec675b449cb23a66685478eb3bced95a48789e34f48fb52e37e1f49a423d30aabe922b083f906d2de2f939
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe5:q7Tc2NYHUrAwfMp3CD5
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 47 IoCs
resource yara_rule behavioral1/memory/2072-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2376-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1952-26-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2808-57-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2872-55-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2692-73-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2924-85-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2520-83-0x00000000002C0000-0x00000000002EA000-memory.dmp family_blackmoon behavioral1/memory/2744-93-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1372-103-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1040-119-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1992-128-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2848-145-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/236-168-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2456-184-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/236-175-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/1100-165-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1100-163-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2844-194-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2844-193-0x0000000000340000-0x000000000036A000-memory.dmp family_blackmoon behavioral1/memory/1712-212-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2296-229-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2224-240-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1572-248-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2196-252-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2124-266-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/788-275-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1660-321-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2796-349-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2824-352-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/2300-369-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/772-403-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/772-404-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2308-417-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/2996-438-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3000-453-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/3000-454-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2544-510-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2564-518-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/1572-541-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/1936-566-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2556-592-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon 
behavioral1/memory/1192-632-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2908-640-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/2788-674-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/1532-721-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2000-861-0x0000000000430000-0x000000000045A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2072 xbjbvdb.exe 1952 jftdlld.exe 1192 nbjpd.exe 2520 vvxldn.exe 2872 rtjdrnv.exe 2808 lxrvv.exe 2692 nxpvl.exe 2924 thppv.exe 2744 tpfvp.exe 1632 tvbrj.exe 1372 dvlnf.exe 1040 drrjdvb.exe 1992 vttbxl.exe 2988 nxxfr.exe 2848 fdnlpp.exe 3008 hvjvffb.exe 1100 bfjxt.exe 236 jvddtt.exe 2456 jnltp.exe 2844 jdpxdx.exe 2408 pjhrvv.exe 1712 vvlhbvb.exe 2532 rxpxfd.exe 2296 vhddt.exe 2224 ntrpph.exe 1572 tjdxjj.exe 2196 htvbd.exe 2124 hxrpp.exe 788 lbldlr.exe 1548 fvrbjxv.exe 1420 tdjdt.exe 1540 btntp.exe 860 ntvxnt.exe 2180 rpjhfn.exe 1660 llbjf.exe 3016 jhpbvbv.exe 2856 xddjrdj.exe 2188 jtjppbt.exe 2796 nbpbvtb.exe 2824 bbdjjpj.exe 2940 xjbrdxn.exe 2300 fvtvrtl.exe 2928 ffpdhtv.exe 2684 xlxjpt.exe 2924 pffjp.exe 1388 hfhdvp.exe 772 xvphnd.exe 2708 lhhbhhd.exe 2308 pvbxrdv.exe 544 nrhlr.exe 1992 rxthj.exe 2996 xpnftvf.exe 2496 xrtlr.exe 3000 bplhff.exe 1656 jnltn.exe 2252 bflpfxd.exe 2080 htfdd.exe 2204 bhrbxnt.exe 2212 xtbpx.exe 2452 tvdrrn.exe 1888 hdxhrfj.exe 648 xnltrl.exe 2544 vrxtvfx.exe 2564 xbvbdj.exe -
resource yara_rule behavioral1/memory/2376-0-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2072-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2376-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1952-26-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2808-57-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2872-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2872-53-0x00000000001B0000-0x00000000001DA000-memory.dmp upx behavioral1/memory/2692-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2924-75-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2692-73-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2924-85-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2744-93-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1372-103-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1040-119-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1992-128-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2848-145-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/236-168-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2456-184-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1100-165-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2844-194-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1712-212-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2296-229-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2224-240-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1572-248-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2196-252-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2124-266-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/788-275-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1660-321-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2796-349-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2300-369-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2928-370-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/772-403-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2996-438-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3000-454-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2564-518-0x00000000003A0000-0x00000000003CA000-memory.dmp upx behavioral1/memory/856-551-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1936-566-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2556-585-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1192-625-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1192-632-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2804-647-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1532-721-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2472-853-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2000-861-0x0000000000430000-0x000000000045A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lprpnrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nxpvl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frnnljt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vbdxjrh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xpbhj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xjbrdxn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rtbff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjbft.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lhhrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lnxtlrj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pnphh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xflrt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hdnjfd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvxldn.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dfdlj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vlhxh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hfhhx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbldpt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xpnftvf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rtjhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rvnvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xtjdrbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbfbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xjrbtbl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fnjxbf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hrhhtd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jlflp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bxrpjf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxrrp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjdnx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hrnbnnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nvfrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrxljb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dbtdlpf.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lltnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpfhnbj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddpxhl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bdxttt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jrfrndv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hlrjpvt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tjntr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tdjfh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjhxrfj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2376 wrote to memory of 2072 2376 8302dc22ca50968a9d53bba9fd2f800d11e2b6e62ce771e2f9d9cfa6803d3988.exe 29 PID 2376 wrote to memory of 2072 2376 8302dc22ca50968a9d53bba9fd2f800d11e2b6e62ce771e2f9d9cfa6803d3988.exe 29 PID 2376 wrote to memory of 2072 2376 8302dc22ca50968a9d53bba9fd2f800d11e2b6e62ce771e2f9d9cfa6803d3988.exe 29 PID 2376 wrote to memory of 2072 2376 8302dc22ca50968a9d53bba9fd2f800d11e2b6e62ce771e2f9d9cfa6803d3988.exe 29 PID 2072 wrote to memory of 1952 2072 xbjbvdb.exe 30 PID 2072 wrote to memory of 1952 2072 xbjbvdb.exe 30 PID 2072 wrote to memory of 1952 2072 xbjbvdb.exe 30 PID 2072 wrote to memory of 1952 2072 xbjbvdb.exe 30 PID 1952 wrote to memory of 1192 1952 jftdlld.exe 31 PID 1952 wrote to memory of 1192 1952 jftdlld.exe 31 PID 1952 wrote to memory of 1192 1952 jftdlld.exe 31 PID 1952 wrote to memory of 1192 1952 jftdlld.exe 31 PID 1192 wrote to memory of 2520 1192 nbjpd.exe 32 PID 1192 wrote to memory of 2520 1192 nbjpd.exe 32 PID 1192 wrote to memory of 2520 1192 nbjpd.exe 32 PID 1192 wrote to memory of 2520 1192 nbjpd.exe 32 PID 2520 wrote to memory of 2872 2520 vvxldn.exe 33 PID 2520 wrote to memory of 2872 2520 vvxldn.exe 33 PID 2520 wrote to memory of 2872 2520 vvxldn.exe 33 PID 2520 wrote to memory of 2872 2520 vvxldn.exe 33 PID 2872 wrote to memory of 2808 2872 rtjdrnv.exe 34 PID 2872 wrote to memory of 2808 2872 rtjdrnv.exe 34 PID 2872 wrote to memory of 2808 2872 rtjdrnv.exe 34 PID 2872 wrote to memory of 2808 2872 rtjdrnv.exe 34 PID 2808 wrote to memory of 2692 2808 lxrvv.exe 35 PID 2808 wrote to memory of 2692 2808 lxrvv.exe 35 PID 2808 wrote to memory of 2692 2808 lxrvv.exe 35 PID 2808 wrote to memory of 2692 2808 lxrvv.exe 35 PID 2692 wrote to memory of 2924 2692 nxpvl.exe 36 PID 2692 wrote to memory of 2924 2692 nxpvl.exe 36 PID 2692 wrote to memory of 2924 2692 nxpvl.exe 36 PID 2692 wrote to memory of 2924 2692 nxpvl.exe 36 PID 2924 wrote to memory of 2744 2924 thppv.exe 37 PID 2924 wrote 
to memory of 2744 2924 thppv.exe 37 PID 2924 wrote to memory of 2744 2924 thppv.exe 37 PID 2924 wrote to memory of 2744 2924 thppv.exe 37 PID 2744 wrote to memory of 1632 2744 tpfvp.exe 38 PID 2744 wrote to memory of 1632 2744 tpfvp.exe 38 PID 2744 wrote to memory of 1632 2744 tpfvp.exe 38 PID 2744 wrote to memory of 1632 2744 tpfvp.exe 38 PID 1632 wrote to memory of 1372 1632 tvbrj.exe 39 PID 1632 wrote to memory of 1372 1632 tvbrj.exe 39 PID 1632 wrote to memory of 1372 1632 tvbrj.exe 39 PID 1632 wrote to memory of 1372 1632 tvbrj.exe 39 PID 1372 wrote to memory of 1040 1372 dvlnf.exe 40 PID 1372 wrote to memory of 1040 1372 dvlnf.exe 40 PID 1372 wrote to memory of 1040 1372 dvlnf.exe 40 PID 1372 wrote to memory of 1040 1372 dvlnf.exe 40 PID 1040 wrote to memory of 1992 1040 drrjdvb.exe 41 PID 1040 wrote to memory of 1992 1040 drrjdvb.exe 41 PID 1040 wrote to memory of 1992 1040 drrjdvb.exe 41 PID 1040 wrote to memory of 1992 1040 drrjdvb.exe 41 PID 1992 wrote to memory of 2988 1992 vttbxl.exe 42 PID 1992 wrote to memory of 2988 1992 vttbxl.exe 42 PID 1992 wrote to memory of 2988 1992 vttbxl.exe 42 PID 1992 wrote to memory of 2988 1992 vttbxl.exe 42 PID 2988 wrote to memory of 2848 2988 nxxfr.exe 43 PID 2988 wrote to memory of 2848 2988 nxxfr.exe 43 PID 2988 wrote to memory of 2848 2988 nxxfr.exe 43 PID 2988 wrote to memory of 2848 2988 nxxfr.exe 43 PID 2848 wrote to memory of 3008 2848 fdnlpp.exe 44 PID 2848 wrote to memory of 3008 2848 fdnlpp.exe 44 PID 2848 wrote to memory of 3008 2848 fdnlpp.exe 44 PID 2848 wrote to memory of 3008 2848 fdnlpp.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\8302dc22ca50968a9d53bba9fd2f800d11e2b6e62ce771e2f9d9cfa6803d3988.exe"C:\Users\Admin\AppData\Local\Temp\8302dc22ca50968a9d53bba9fd2f800d11e2b6e62ce771e2f9d9cfa6803d3988.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2376 -
\??\c:\xbjbvdb.exec:\xbjbvdb.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2072 -
\??\c:\jftdlld.exec:\jftdlld.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1952 -
\??\c:\nbjpd.exec:\nbjpd.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1192 -
\??\c:\vvxldn.exec:\vvxldn.exe5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2520 -
\??\c:\rtjdrnv.exec:\rtjdrnv.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2872 -
\??\c:\lxrvv.exec:\lxrvv.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2808 -
\??\c:\nxpvl.exec:\nxpvl.exe8⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2692 -
\??\c:\thppv.exec:\thppv.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2924 -
\??\c:\tpfvp.exec:\tpfvp.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2744 -
\??\c:\tvbrj.exec:\tvbrj.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1632 -
\??\c:\dvlnf.exec:\dvlnf.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1372 -
\??\c:\drrjdvb.exec:\drrjdvb.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1040 -
\??\c:\vttbxl.exec:\vttbxl.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1992 -
\??\c:\nxxfr.exec:\nxxfr.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2988 -
\??\c:\fdnlpp.exec:\fdnlpp.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2848 -
\??\c:\hvjvffb.exec:\hvjvffb.exe17⤵
- Executes dropped EXE
PID:3008 -
\??\c:\bfjxt.exec:\bfjxt.exe18⤵
- Executes dropped EXE
PID:1100 -
\??\c:\jvddtt.exec:\jvddtt.exe19⤵
- Executes dropped EXE
PID:236 -
\??\c:\jnltp.exec:\jnltp.exe20⤵
- Executes dropped EXE
PID:2456 -
\??\c:\jdpxdx.exec:\jdpxdx.exe21⤵
- Executes dropped EXE
PID:2844 -
\??\c:\pjhrvv.exec:\pjhrvv.exe22⤵
- Executes dropped EXE
PID:2408 -
\??\c:\vvlhbvb.exec:\vvlhbvb.exe23⤵
- Executes dropped EXE
PID:1712 -
\??\c:\rxpxfd.exec:\rxpxfd.exe24⤵
- Executes dropped EXE
PID:2532 -
\??\c:\vhddt.exec:\vhddt.exe25⤵
- Executes dropped EXE
PID:2296 -
\??\c:\ntrpph.exec:\ntrpph.exe26⤵
- Executes dropped EXE
PID:2224 -
\??\c:\tjdxjj.exec:\tjdxjj.exe27⤵
- Executes dropped EXE
PID:1572 -
\??\c:\htvbd.exec:\htvbd.exe28⤵
- Executes dropped EXE
PID:2196 -
\??\c:\hxrpp.exec:\hxrpp.exe29⤵
- Executes dropped EXE
PID:2124 -
\??\c:\lbldlr.exec:\lbldlr.exe30⤵
- Executes dropped EXE
PID:788 -
\??\c:\fvrbjxv.exec:\fvrbjxv.exe31⤵
- Executes dropped EXE
PID:1548 -
\??\c:\tdjdt.exec:\tdjdt.exe32⤵
- Executes dropped EXE
PID:1420 -
\??\c:\btntp.exec:\btntp.exe33⤵
- Executes dropped EXE
PID:1540 -
\??\c:\ntvxnt.exec:\ntvxnt.exe34⤵
- Executes dropped EXE
PID:860 -
\??\c:\rpjhfn.exec:\rpjhfn.exe35⤵
- Executes dropped EXE
PID:2180 -
\??\c:\llbjf.exec:\llbjf.exe36⤵
- Executes dropped EXE
PID:1660 -
\??\c:\jhpbvbv.exec:\jhpbvbv.exe37⤵
- Executes dropped EXE
PID:3016 -
\??\c:\xddjrdj.exec:\xddjrdj.exe38⤵
- Executes dropped EXE
PID:2856 -
\??\c:\jtjppbt.exec:\jtjppbt.exe39⤵
- Executes dropped EXE
PID:2188 -
\??\c:\nbpbvtb.exec:\nbpbvtb.exe40⤵
- Executes dropped EXE
PID:2796 -
\??\c:\bbdjjpj.exec:\bbdjjpj.exe41⤵
- Executes dropped EXE
PID:2824 -
\??\c:\xjbrdxn.exec:\xjbrdxn.exe42⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2940 -
\??\c:\fvtvrtl.exec:\fvtvrtl.exe43⤵
- Executes dropped EXE
PID:2300 -
\??\c:\ffpdhtv.exec:\ffpdhtv.exe44⤵
- Executes dropped EXE
PID:2928 -
\??\c:\xlxjpt.exec:\xlxjpt.exe45⤵
- Executes dropped EXE
PID:2684 -
\??\c:\pffjp.exec:\pffjp.exe46⤵
- Executes dropped EXE
PID:2924 -
\??\c:\hfhdvp.exec:\hfhdvp.exe47⤵
- Executes dropped EXE
PID:1388 -
\??\c:\xvphnd.exec:\xvphnd.exe48⤵
- Executes dropped EXE
PID:772 -
\??\c:\lhhbhhd.exec:\lhhbhhd.exe49⤵
- Executes dropped EXE
PID:2708 -
\??\c:\pvbxrdv.exec:\pvbxrdv.exe50⤵
- Executes dropped EXE
PID:2308 -
\??\c:\nrhlr.exec:\nrhlr.exe51⤵
- Executes dropped EXE
PID:544 -
\??\c:\rxthj.exec:\rxthj.exe52⤵
- Executes dropped EXE
PID:1992 -
\??\c:\xpnftvf.exec:\xpnftvf.exe53⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2996 -
\??\c:\xrtlr.exec:\xrtlr.exe54⤵
- Executes dropped EXE
PID:2496 -
\??\c:\bplhff.exec:\bplhff.exe55⤵
- Executes dropped EXE
PID:3000 -
\??\c:\jnltn.exec:\jnltn.exe56⤵
- Executes dropped EXE
PID:1656 -
\??\c:\bflpfxd.exec:\bflpfxd.exe57⤵
- Executes dropped EXE
PID:2252 -
\??\c:\htfdd.exec:\htfdd.exe58⤵
- Executes dropped EXE
PID:2080 -
\??\c:\bhrbxnt.exec:\bhrbxnt.exe59⤵
- Executes dropped EXE
PID:2204 -
\??\c:\xtbpx.exec:\xtbpx.exe60⤵
- Executes dropped EXE
PID:2212 -
\??\c:\tvdrrn.exec:\tvdrrn.exe61⤵
- Executes dropped EXE
PID:2452 -
\??\c:\hdxhrfj.exec:\hdxhrfj.exe62⤵
- Executes dropped EXE
PID:1888 -
\??\c:\xnltrl.exec:\xnltrl.exe63⤵
- Executes dropped EXE
PID:648 -
\??\c:\vrxtvfx.exec:\vrxtvfx.exe64⤵
- Executes dropped EXE
PID:2544 -
\??\c:\xbvbdj.exec:\xbvbdj.exe65⤵
- Executes dropped EXE
PID:2564 -
\??\c:\rhhhdj.exec:\rhhhdj.exe66⤵PID:2484
-
\??\c:\vffdr.exec:\vffdr.exe67⤵PID:1044
-
\??\c:\xfljn.exec:\xfljn.exe68⤵PID:1960
-
\??\c:\jvfbvr.exec:\jvfbvr.exe69⤵PID:1572
-
\??\c:\blnvj.exec:\blnvj.exe70⤵PID:2000
-
\??\c:\pllbblb.exec:\pllbblb.exe71⤵PID:856
-
\??\c:\dfdlj.exec:\dfdlj.exe72⤵
- System Location Discovery: System Language Discovery
PID:1936 -
\??\c:\htftjl.exec:\htftjl.exe73⤵PID:1332
-
\??\c:\rhhtt.exec:\rhhtt.exe74⤵PID:1204
-
\??\c:\pjrtrbl.exec:\pjrtrbl.exe75⤵PID:1964
-
\??\c:\nrdrxf.exec:\nrdrxf.exe76⤵PID:2556
-
\??\c:\tdvtr.exec:\tdvtr.exe77⤵PID:2616
-
\??\c:\jldxn.exec:\jldxn.exe78⤵PID:3020
-
\??\c:\hxtlp.exec:\hxtlp.exe79⤵PID:1668
-
\??\c:\fhbprr.exec:\fhbprr.exe80⤵PID:1952
-
\??\c:\vbhdx.exec:\vbhdx.exe81⤵PID:1144
-
\??\c:\jlflp.exec:\jlflp.exe82⤵
- System Location Discovery: System Language Discovery
PID:1192 -
\??\c:\hflrv.exec:\hflrv.exe83⤵PID:2908
-
\??\c:\rbdfj.exec:\rbdfj.exe84⤵PID:2872
-
\??\c:\rtnllhx.exec:\rtnllhx.exe85⤵PID:2804
-
\??\c:\jxhjvl.exec:\jxhjvl.exe86⤵PID:2528
-
\??\c:\lrltj.exec:\lrltj.exe87⤵PID:2664
-
\??\c:\lrxhb.exec:\lrxhb.exe88⤵PID:2788
-
\??\c:\xxlthf.exec:\xxlthf.exe89⤵PID:2700
-
\??\c:\bnhxjv.exec:\bnhxjv.exe90⤵PID:2652
-
\??\c:\rbfbdhh.exec:\rbfbdhh.exe91⤵PID:1836
-
\??\c:\lbvfrpx.exec:\lbvfrpx.exe92⤵PID:2708
-
\??\c:\bnjdvj.exec:\bnjdvj.exe93⤵PID:1508
-
\??\c:\jbhxp.exec:\jbhxp.exe94⤵PID:2656
-
\??\c:\jtljnlv.exec:\jtljnlv.exe95⤵PID:1532
-
\??\c:\hfvrhl.exec:\hfvrhl.exe96⤵PID:2968
-
\??\c:\ttnfjf.exec:\ttnfjf.exe97⤵PID:2912
-
\??\c:\xhpvp.exec:\xhpvp.exe98⤵PID:2096
-
\??\c:\ddfhrnd.exec:\ddfhrnd.exe99⤵PID:3000
-
\??\c:\plxdxl.exec:\plxdxl.exe100⤵PID:236
-
\??\c:\hrffrb.exec:\hrffrb.exe101⤵PID:2312
-
\??\c:\npxxj.exec:\npxxj.exe102⤵PID:2080
-
\??\c:\vbfll.exec:\vbfll.exe103⤵PID:2844
-
\??\c:\dhdhp.exec:\dhdhp.exe104⤵PID:2212
-
\??\c:\bfjdtrn.exec:\bfjdtrn.exe105⤵PID:2452
-
\??\c:\dtlth.exec:\dtlth.exe106⤵PID:2156
-
\??\c:\pxrjvxp.exec:\pxrjvxp.exe107⤵PID:2388
-
\??\c:\jxrhx.exec:\jxrhx.exe108⤵PID:604
-
\??\c:\pxnlnvv.exec:\pxnlnvv.exe109⤵PID:884
-
\??\c:\pddlp.exec:\pddlp.exe110⤵PID:2296
-
\??\c:\nxntrvp.exec:\nxntrvp.exe111⤵PID:1044
-
\??\c:\hhpfv.exec:\hhpfv.exe112⤵PID:2976
-
\??\c:\vldbrjh.exec:\vldbrjh.exe113⤵PID:2468
-
\??\c:\rntpn.exec:\rntpn.exe114⤵PID:2000
-
\??\c:\dnbxbbt.exec:\dnbxbbt.exe115⤵PID:2596
-
\??\c:\vnrtl.exec:\vnrtl.exe116⤵PID:2324
-
\??\c:\fdjlbnj.exec:\fdjlbnj.exe117⤵PID:2472
-
\??\c:\lhtjrfl.exec:\lhtjrfl.exe118⤵PID:2272
-
\??\c:\fxhdvnn.exec:\fxhdvnn.exe119⤵PID:1420
-
\??\c:\jvhdph.exec:\jvhdph.exe120⤵PID:816
-
\??\c:\hphdtbp.exec:\hphdtbp.exe121⤵PID:2644
-
\??\c:\tpjjh.exec:\tpjjh.exe122⤵PID:3020