Analysis
max time kernel: 150s
max time network: 18s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 22-11-2024 19:20

Behavioral task: behavioral1
Sample: e486e9a4f70928a10a6a35fd90f36cfc4880f89d4ec07ca16865a62bf6d56105.exe
Resource: win7-20241010-en

General
Target: e486e9a4f70928a10a6a35fd90f36cfc4880f89d4ec07ca16865a62bf6d56105.exe
Size: 50KB
MD5: 5b8fcc61f01923defa64b4cb5a1e076b
SHA1: c230a9f733d13a4a866891abe71c9b1a607d33b1
SHA256: e486e9a4f70928a10a6a35fd90f36cfc4880f89d4ec07ca16865a62bf6d56105
SHA512: e137519deaf1b5214d440f7c6e645aef952a3cae18d23c6c5583b3c65502de53d24bd796c6a97dd1cc8f8c0b5e35af0073581fa79ef720b1280fe6f326b14ea0
SSDEEP: 1536:LvQBeOGtrYS3srx93UBWfwC6Ggnouy8g5Uhub:LhOmTsF93UYfwC6GIoutg5Uha
Malware Config

Signatures
- Blackmoon family
- Detect Blackmoon payload (46 IoCs)
- Executes dropped EXE (64 IoCs)
- System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Suspicious use of WriteProcessMemory (64 IoCs)
Processes
Each entry gives the nesting depth in the process tree, the image path, the command line in parentheses, the PID and the signatures that fired for that process. Each process is the parent of the next one.

1. C:\Users\Admin\AppData\Local\Temp\e486e9a4f70928a10a6a35fd90f36cfc4880f89d4ec07ca16865a62bf6d56105.exe ("C:\Users\Admin\AppData\Local\Temp\e486e9a4f70928a10a6a35fd90f36cfc4880f89d4ec07ca16865a62bf6d56105.exe") PID:2608 - System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
2. \??\c:\jfhfb.exe (c:\jfhfb.exe) PID:952 - Executes dropped EXE; Suspicious use of WriteProcessMemory
3. \??\c:\dfnfvpp.exe (c:\dfnfvpp.exe) PID:1260 - Executes dropped EXE; Suspicious use of WriteProcessMemory
4. \??\c:\bhlvrd.exe (c:\bhlvrd.exe) PID:1192 - Executes dropped EXE; Suspicious use of WriteProcessMemory
5. \??\c:\lxhbfv.exe (c:\lxhbfv.exe) PID:2520 - Executes dropped EXE; Suspicious use of WriteProcessMemory
6. \??\c:\bhhfp.exe (c:\bhhfp.exe) PID:2880 - Executes dropped EXE; Suspicious use of WriteProcessMemory
7. \??\c:\xjlxr.exe (c:\xjlxr.exe) PID:2820 - Executes dropped EXE; Suspicious use of WriteProcessMemory
8. \??\c:\bbrjpdf.exe (c:\bbrjpdf.exe) PID:2144 - Executes dropped EXE; Suspicious use of WriteProcessMemory
9. \??\c:\jbxfht.exe (c:\jbxfht.exe) PID:2068 - Executes dropped EXE; Suspicious use of WriteProcessMemory
10. \??\c:\xdhfrh.exe (c:\xdhfrh.exe) PID:2300 - Executes dropped EXE; Suspicious use of WriteProcessMemory
11. \??\c:\dpxfrtn.exe (c:\dpxfrtn.exe) PID:2668 - Executes dropped EXE; Suspicious use of WriteProcessMemory
12. \??\c:\hvjrn.exe (c:\hvjrn.exe) PID:2740 - Executes dropped EXE; Suspicious use of WriteProcessMemory
13. \??\c:\prphlxx.exe (c:\prphlxx.exe) PID:772 - Executes dropped EXE; Suspicious use of WriteProcessMemory
14. \??\c:\nhbdv.exe (c:\nhbdv.exe) PID:1836 - Executes dropped EXE; Suspicious use of WriteProcessMemory
15. \??\c:\pnnnbj.exe (c:\pnnnbj.exe) PID:912 - Executes dropped EXE; Suspicious use of WriteProcessMemory
16. \??\c:\ffrrrxd.exe (c:\ffrrrxd.exe) PID:1980 - Executes dropped EXE; Suspicious use of WriteProcessMemory
17. \??\c:\bhjnfjb.exe (c:\bhjnfjb.exe) PID:2916 - Executes dropped EXE; System Location Discovery: System Language Discovery
18. \??\c:\vrnpr.exe (c:\vrnpr.exe) PID:1900 - Executes dropped EXE
19. \??\c:\pbxvdj.exe (c:\pbxvdj.exe) PID:1400 - Executes dropped EXE
20. \??\c:\bfxdlf.exe (c:\bfxdlf.exe) PID:2360 - Executes dropped EXE
21. \??\c:\tljbdh.exe (c:\tljbdh.exe) PID:2236 - Executes dropped EXE
22. \??\c:\jprnvd.exe (c:\jprnvd.exe) PID:2844 - Executes dropped EXE
23. \??\c:\dvhflpr.exe (c:\dvhflpr.exe) PID:2424 - Executes dropped EXE; System Location Discovery: System Language Discovery
24. \??\c:\bbndjd.exe (c:\bbndjd.exe) PID:824 - Executes dropped EXE
25. \??\c:\nrfpnt.exe (c:\nrfpnt.exe) PID:712 - Executes dropped EXE
26. \??\c:\blxrfn.exe (c:\blxrfn.exe) PID:2280 - Executes dropped EXE
27. \??\c:\vtthh.exe (c:\vtthh.exe) PID:2296 - Executes dropped EXE
28. \??\c:\bfvpb.exe (c:\bfvpb.exe) PID:1584 - Executes dropped EXE
29. \??\c:\vpnvx.exe (c:\vpnvx.exe) PID:1804 - Executes dropped EXE
30. \??\c:\lhplplt.exe (c:\lhplplt.exe) PID:1740 - Executes dropped EXE
31. \??\c:\jlvjjb.exe (c:\jlvjjb.exe) PID:936 - Executes dropped EXE
32. \??\c:\rxnnjr.exe (c:\rxnnjr.exe) PID:1520 - Executes dropped EXE
33. \??\c:\thtfjb.exe (c:\thtfjb.exe) PID:2324 - Executes dropped EXE
34. \??\c:\rrlxjb.exe (c:\rrlxjb.exe) PID:1744 - Executes dropped EXE
35. \??\c:\ddlrx.exe (c:\ddlrx.exe) PID:1792 - Executes dropped EXE
36. \??\c:\rrrlx.exe (c:\rrrlx.exe) PID:892 - Executes dropped EXE
37. \??\c:\ljppf.exe (c:\ljppf.exe) PID:2640 - Executes dropped EXE
38. \??\c:\drvhf.exe (c:\drvhf.exe) PID:636 - Executes dropped EXE
39. \??\c:\nrjpp.exe (c:\nrjpp.exe) PID:2176 - Executes dropped EXE
40. \??\c:\frpvp.exe (c:\frpvp.exe) PID:2644 - Executes dropped EXE
41. \??\c:\pljjrv.exe (c:\pljjrv.exe) PID:3016 - Executes dropped EXE
42. \??\c:\nrdblpn.exe (c:\nrdblpn.exe) PID:2284 - Executes dropped EXE
43. \??\c:\jhfvl.exe (c:\jhfvl.exe) PID:2776 - Executes dropped EXE
44. \??\c:\btdntd.exe (c:\btdntd.exe) PID:2816 - Executes dropped EXE
45. \??\c:\jdvbdj.exe (c:\jdvbdj.exe) PID:2920 - Executes dropped EXE
46. \??\c:\prhlrt.exe (c:\prhlrt.exe) PID:2880 - Executes dropped EXE
47. \??\c:\pfjxhb.exe (c:\pfjxhb.exe) PID:2800 - Executes dropped EXE
48. \??\c:\nldbhf.exe (c:\nldbhf.exe) PID:2828 - Executes dropped EXE
49. \??\c:\hjbbh.exe (c:\hjbbh.exe) PID:1664 - Executes dropped EXE
50. \??\c:\jnlnx.exe (c:\jnlnx.exe) PID:2068 - Executes dropped EXE
51. \??\c:\vrvnbbx.exe (c:\vrvnbbx.exe) PID:2724 - Executes dropped EXE
52. \??\c:\jpdxv.exe (c:\jpdxv.exe) PID:2688 - Executes dropped EXE
53. \??\c:\tbphpn.exe (c:\tbphpn.exe) PID:436 - Executes dropped EXE
54. \??\c:\ptdjxf.exe (c:\ptdjxf.exe) PID:1632 - Executes dropped EXE
55. \??\c:\pbnbjdl.exe (c:\pbnbjdl.exe) PID:2632 - Executes dropped EXE
56. \??\c:\bblfb.exe (c:\bblfb.exe) PID:1080 - Executes dropped EXE
57. \??\c:\pbjfx.exe (c:\pbjfx.exe) PID:1552 - Executes dropped EXE
58. \??\c:\rrhxj.exe (c:\rrhxj.exe) PID:1156 - Executes dropped EXE
59. \??\c:\hdhtftd.exe (c:\hdhtftd.exe) PID:1560 - Executes dropped EXE
60. \??\c:\thfrl.exe (c:\thfrl.exe) PID:2996 - Executes dropped EXE
61. \??\c:\djfvn.exe (c:\djfvn.exe) PID:2984 - Executes dropped EXE
62. \??\c:\vlvhtfj.exe (c:\vlvhtfj.exe) PID:1416 - Executes dropped EXE
63. \??\c:\htbbxr.exe (c:\htbbxr.exe) PID:3000 - Executes dropped EXE
64. \??\c:\rpvjhh.exe (c:\rpvjhh.exe) PID:1908 - Executes dropped EXE
65. \??\c:\hjbvjx.exe (c:\hjbvjx.exe) PID:2464 - Executes dropped EXE
66. \??\c:\tfrlv.exe (c:\tfrlv.exe) PID:584
67. \??\c:\bfdfj.exe (c:\bfdfj.exe) PID:2236
68. \??\c:\blhbb.exe (c:\blhbb.exe) PID:2416
69. \??\c:\fnxpxhn.exe (c:\fnxpxhn.exe) PID:980
70. \??\c:\bptjf.exe (c:\bptjf.exe) PID:2316
71. \??\c:\lrxph.exe (c:\lrxph.exe) PID:2112
72. \??\c:\rrjbl.exe (c:\rrjbl.exe) PID:1068
73. \??\c:\hjrxjjv.exe (c:\hjrxjjv.exe) PID:960
74. \??\c:\vllhvnf.exe (c:\vllhvnf.exe) PID:1492
75. \??\c:\jnbvbj.exe (c:\jnbvbj.exe) PID:1840
76. \??\c:\jflrbf.exe (c:\jflrbf.exe) PID:2088
77. \??\c:\brtphr.exe (c:\brtphr.exe) PID:1572
78. \??\c:\nvdjt.exe (c:\nvdjt.exe) PID:1772
79. \??\c:\fprhv.exe (c:\fprhv.exe) PID:1740 - System Location Discovery: System Language Discovery
80. \??\c:\pvrtflr.exe (c:\pvrtflr.exe) PID:2024
81. \??\c:\hphtj.exe (c:\hphtj.exe) PID:1028
82. \??\c:\ddtrl.exe (c:\ddtrl.exe) PID:1204
83. \??\c:\bhlllb.exe (c:\bhlllb.exe) PID:1764
84. \??\c:\tjdbxv.exe (c:\tjdbxv.exe) PID:1744
85. \??\c:\xthlrj.exe (c:\xthlrj.exe) PID:2420
86. \??\c:\bflnlnn.exe (c:\bflnlnn.exe) PID:2072
87. \??\c:\dbrtxj.exe (c:\dbrtxj.exe) PID:2180
88. \??\c:\fbhpbvb.exe (c:\fbhpbvb.exe) PID:1592
89. \??\c:\ttrxn.exe (c:\ttrxn.exe) PID:1660
90. \??\c:\xbrpjbj.exe (c:\xbrpjbj.exe) PID:1952
91. \??\c:\bbpfj.exe (c:\bbpfj.exe) PID:2148
92. \??\c:\hjthhnj.exe (c:\hjthhnj.exe) PID:2512
93. \??\c:\ppbbp.exe (c:\ppbbp.exe) PID:1476
94. \??\c:\fvnrjv.exe (c:\fvnrjv.exe) PID:2864
95. \??\c:\btdrpx.exe (c:\btdrpx.exe) PID:2816
96. \??\c:\bfbfvjv.exe (c:\bfbfvjv.exe) PID:2940
97. \??\c:\jlftb.exe (c:\jlftb.exe) PID:2880
98. \??\c:\hjvltdb.exe (c:\hjvltdb.exe) PID:2892
99. \??\c:\llfdfrb.exe (c:\llfdfrb.exe) PID:2828
100. \??\c:\pxnln.exe (c:\pxnln.exe) PID:2972
101. \??\c:\vjphff.exe (c:\vjphff.exe) PID:2300
102. \??\c:\bfhll.exe (c:\bfhll.exe) PID:268
103. \??\c:\jrrfnvt.exe (c:\jrrfnvt.exe) PID:2152
104. \??\c:\bbxjt.exe (c:\bbxjt.exe) PID:436
105. \??\c:\dhltx.exe (c:\dhltx.exe) PID:1372
106. \??\c:\bhnrbb.exe (c:\bhnrbb.exe) PID:2708
107. \??\c:\tnnrl.exe (c:\tnnrl.exe) PID:1080
108. \??\c:\rxxlv.exe (c:\rxxlv.exe) PID:2308
109. \??\c:\blbbn.exe (c:\blbbn.exe) PID:308
110. \??\c:\pxhvt.exe (c:\pxhvt.exe) PID:1176
111. \??\c:\nrbxfbp.exe (c:\nrbxfbp.exe) PID:2076
112. \??\c:\tdhvt.exe (c:\tdhvt.exe) PID:1636
113. \??\c:\prlft.exe (c:\prlft.exe) PID:236
114. \??\c:\hbhdblv.exe (c:\hbhdblv.exe) PID:968
115. \??\c:\rlbhd.exe (c:\rlbhd.exe) PID:2456
116. \??\c:\ppdvj.exe (c:\ppdvj.exe) PID:2552
117. \??\c:\fxbxbp.exe (c:\fxbxbp.exe) PID:3048
118. \??\c:\njrfrnp.exe (c:\njrfrnp.exe) PID:2404
119. \??\c:\dbxfl.exe (c:\dbxfl.exe) PID:460
120. \??\c:\frfjtbd.exe (c:\frfjtbd.exe) PID:824
121. \??\c:\ljdnvf.exe (c:\ljdnvf.exe) PID:2156
122. \??\c:\jpdxb.exe (c:\jpdxb.exe) PID:560