Analysis
max time kernel: 120s
max time network: 19s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 08/01/2025, 07:21

Static task: static1
  1 signatures
Behavioral task: behavioral1
  Sample: b8994bc0a5bef5a98eb88e27a4795fe3653e232742788348cf0693c0cbc98aca.exe
  Resource: win7-20241010-en
  7 signatures
  120 seconds
General
Target: b8994bc0a5bef5a98eb88e27a4795fe3653e232742788348cf0693c0cbc98aca.exe
Size: 455KB
MD5: d303d53e89b9dc18750207f05355fd61
SHA1: 0c36b04dcef3f836c37f9a8d2f432afa1e37cd14
SHA256: b8994bc0a5bef5a98eb88e27a4795fe3653e232742788348cf0693c0cbc98aca
SHA512: 68fa61f864263a2c512d4bf0f50b40ee2fa36d9878e58098f96a26508b85606b7dec174d176603f05e2ba0d506178d51f0baeca2f46c884191f50ae65eff2710
SSDEEP: 6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeTSB:q7Tc2NYHUrAwfMp3CDi
Malware Config
Signatures
Blackmoon family

Detect Blackmoon payload (46 IoCs)
resource | yara_rule
behavioral1/memory/2188-7-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
behavioral1/memory/2552-19-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
behavioral1/memory/2964-29-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
behavioral1/memory/2492-39-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
behavioral1/memory/2936-47-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
behavioral1/memory/1192-50-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
behavioral1/memory/2732-72-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
behavioral1/memory/2672-77-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
behavioral1/memory/2732-76-0x00000000001B0000-0x00000000001DA000-memory.dmp | family_blackmoon
behavioral1/memory/2376-93-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
behavioral1/memory/2680-103-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
behavioral1/memory/1868-115-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
behavioral1/memory/2952-113-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
behavioral1/memory/1984-130-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
behavioral1/memory/1176-141-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
behavioral1/memory/1884-150-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
behavioral1/memory/2232-159-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
behavioral1/memory/2076-169-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
behavioral1/memory/276-211-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
behavioral1/memory/1368-220-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
behavioral1/memory/1724-238-0x0000000000220000-0x000000000024A000-memory.dmp | family_blackmoon
behavioral1/memory/1788-248-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
behavioral1/memory/1512-257-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
behavioral1/memory/1660-266-0x0000000000230000-0x000000000025A000-memory.dmp | family_blackmoon
behavioral1/memory/1724-271-0x0000000000220000-0x000000000024A000-memory.dmp | family_blackmoon
behavioral1/memory/672-284-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
behavioral1/memory/672-316-0x0000000000220000-0x000000000024A000-memory.dmp | family_blackmoon
behavioral1/memory/1192-351-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
behavioral1/memory/2880-363-0x0000000000430000-0x000000000045A000-memory.dmp | family_blackmoon
behavioral1/memory/1692-395-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
behavioral1/memory/2800-403-0x0000000000220000-0x000000000024A000-memory.dmp | family_blackmoon
behavioral1/memory/2860-422-0x0000000000220000-0x000000000024A000-memory.dmp | family_blackmoon
behavioral1/memory/2944-438-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
behavioral1/memory/2100-453-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
behavioral1/memory/2344-475-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
behavioral1/memory/528-481-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
behavioral1/memory/2224-489-0x00000000003C0000-0x00000000003EA000-memory.dmp | family_blackmoon
behavioral1/memory/1704-503-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
behavioral1/memory/572-538-0x0000000000430000-0x000000000045A000-memory.dmp | family_blackmoon
behavioral1/memory/1588-539-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
behavioral1/memory/1976-561-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
behavioral1/memory/2900-620-0x0000000000220000-0x000000000024A000-memory.dmp | family_blackmoon
behavioral1/memory/2844-683-0x0000000000220000-0x000000000024A000-memory.dmp | family_blackmoon
behavioral1/memory/1948-708-0x00000000003A0000-0x00000000003CA000-memory.dmp | family_blackmoon
behavioral1/memory/2820-709-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
behavioral1/memory/2188-873-0x0000000000400000-0x000000000042A000-memory.dmp | family_blackmoon
Executes dropped EXE (64 IoCs)
pid | Process
2552 | nfbnnl.exe
2964 | rjfjtph.exe
2492 | xvxfrb.exe
2936 | tthvxh.exe
1192 | rxddb.exe
2164 | nxxjh.exe
2732 | vxdhbr.exe
2672 | frjdhpv.exe
2376 | jftdpjt.exe
2680 | ldbrn.exe
2952 | jftbbr.exe
1868 | thrxrj.exe
1984 | ppxthl.exe
1176 | jdbnh.exe
1884 | fftbxnr.exe
2232 | jxjvp.exe
2076 | dtvnftn.exe
2248 | xppbpx.exe
2176 | hnbtdbt.exe
1812 | xfvbhf.exe
1632 | xpjxrdp.exe
276 | jdtlp.exe
1368 | xlfdn.exe
1736 | rhljhx.exe
1724 | hjbpht.exe
1788 | lhxpnr.exe
1512 | vnjlnv.exe
1660 | pfbtnl.exe
836 | nhpxv.exe
672 | tddjrl.exe
864 | fpllr.exe
536 | rpndljl.exe
2548 | hjnhr.exe
1516 | jhdnl.exe
1988 | llpdbv.exe
2456 | lnttxl.exe
2880 | bjbnltt.exe
2764 | htnlvhx.exe
3040 | vhnfjlr.exe
1192 | rpflvh.exe
2648 | frrfrv.exe
2624 | lfntd.exe
2740 | njtjp.exe
2324 | ltfxp.exe
2664 | bldfhvd.exe
1692 | hhlxpdv.exe
2800 | hxfjrv.exe
340 | pptrxf.exe
740 | vbjdlrf.exe
2860 | xfptvfx.exe
1980 | pxxbtvf.exe
2944 | jhvvbrv.exe
3008 | dvhprx.exe
2100 | ttjtl.exe
1628 | ttpjthj.exe
2084 | jjvdbf.exe
2344 | npvvp.exe
528 | jxttnjb.exe
2224 | jtbfj.exe
1268 | fnpvd.exe
1704 | hjvppr.exe
968 | ttxpnpj.exe
2864 | xbpxv.exe
2856 | lfjjpj.exe
yara_rule matches: upx
resource | yara_rule
behavioral1/memory/2188-0-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/2188-7-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/2552-19-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/2964-29-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/2492-39-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/2936-47-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/1192-50-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/2732-72-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/2672-77-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/2680-94-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/2376-93-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/2680-103-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/2952-104-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/1868-115-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/2952-113-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/1984-130-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/1884-142-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/1176-141-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/1884-150-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/2232-159-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/2076-169-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/276-211-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/1736-221-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/1368-220-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/1788-248-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/1512-257-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/672-284-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/1192-351-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/2664-382-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/1692-395-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/1980-423-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/2944-438-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/2100-445-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/2100-453-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/2084-461-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/2344-475-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/2224-482-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/528-481-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/528-505-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/1704-503-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/1588-539-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/2700-548-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/1976-561-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/2752-627-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/2820-709-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/2428-835-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/864-854-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/2188-873-0x0000000000400000-0x000000000042A000-memory.dmp | upx
System Location Discovery: System Language Discovery (1 TTPs, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rlvdpb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rtxhhbb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | hvpth.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | djpjv.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | jdbnh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | jjxjhp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | blpvjfx.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | trjhhhb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | nntfnh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tjvdxd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ttjfxfn.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | flvlf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | xvdprn.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | jdthb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | lnvjh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | jtfhbd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | hvhdf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tvftftn.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ldbfjhb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | hjlfr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rlnbf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ffxrf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vvhfjbx.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | xfhxdjv.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | xhlpbtb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | xbhlh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | dptnbnj.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | xhfrld.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tnpjx.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vjlnv.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ppbrrlb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | xlpjp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | hxpfrpp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | hxlllb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | pphblr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | hnxppb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | hlvbj.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | dxjhb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | dllrtv.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | trpjtt.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | nppldv.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 2188 wrote to memory of 2552 | 2188 | b8994bc0a5bef5a98eb88e27a4795fe3653e232742788348cf0693c0cbc98aca.exe | 31
PID 2188 wrote to memory of 2552 | 2188 | b8994bc0a5bef5a98eb88e27a4795fe3653e232742788348cf0693c0cbc98aca.exe | 31
PID 2188 wrote to memory of 2552 | 2188 | b8994bc0a5bef5a98eb88e27a4795fe3653e232742788348cf0693c0cbc98aca.exe | 31
PID 2188 wrote to memory of 2552 | 2188 | b8994bc0a5bef5a98eb88e27a4795fe3653e232742788348cf0693c0cbc98aca.exe | 31
PID 2552 wrote to memory of 2964 | 2552 | nfbnnl.exe | 32
PID 2552 wrote to memory of 2964 | 2552 | nfbnnl.exe | 32
PID 2552 wrote to memory of 2964 | 2552 | nfbnnl.exe | 32
PID 2552 wrote to memory of 2964 | 2552 | nfbnnl.exe | 32
PID 2964 wrote to memory of 2492 | 2964 | rjfjtph.exe | 33
PID 2964 wrote to memory of 2492 | 2964 | rjfjtph.exe | 33
PID 2964 wrote to memory of 2492 | 2964 | rjfjtph.exe | 33
PID 2964 wrote to memory of 2492 | 2964 | rjfjtph.exe | 33
PID 2492 wrote to memory of 2936 | 2492 | xvxfrb.exe | 34
PID 2492 wrote to memory of 2936 | 2492 | xvxfrb.exe | 34
PID 2492 wrote to memory of 2936 | 2492 | xvxfrb.exe | 34
PID 2492 wrote to memory of 2936 | 2492 | xvxfrb.exe | 34
PID 2936 wrote to memory of 1192 | 2936 | tthvxh.exe | 35
PID 2936 wrote to memory of 1192 | 2936 | tthvxh.exe | 35
PID 2936 wrote to memory of 1192 | 2936 | tthvxh.exe | 35
PID 2936 wrote to memory of 1192 | 2936 | tthvxh.exe | 35
PID 1192 wrote to memory of 2164 | 1192 | rxddb.exe | 36
PID 1192 wrote to memory of 2164 | 1192 | rxddb.exe | 36
PID 1192 wrote to memory of 2164 | 1192 | rxddb.exe | 36
PID 1192 wrote to memory of 2164 | 1192 | rxddb.exe | 36
PID 2164 wrote to memory of 2732 | 2164 | nxxjh.exe | 37
PID 2164 wrote to memory of 2732 | 2164 | nxxjh.exe | 37
PID 2164 wrote to memory of 2732 | 2164 | nxxjh.exe | 37
PID 2164 wrote to memory of 2732 | 2164 | nxxjh.exe | 37
PID 2732 wrote to memory of 2672 | 2732 | vxdhbr.exe | 38
PID 2732 wrote to memory of 2672 | 2732 | vxdhbr.exe | 38
PID 2732 wrote to memory of 2672 | 2732 | vxdhbr.exe | 38
PID 2732 wrote to memory of 2672 | 2732 | vxdhbr.exe | 38
PID 2672 wrote to memory of 2376 | 2672 | frjdhpv.exe | 39
PID 2672 wrote to memory of 2376 | 2672 | frjdhpv.exe | 39
PID 2672 wrote to memory of 2376 | 2672 | frjdhpv.exe | 39
PID 2672 wrote to memory of 2376 | 2672 | frjdhpv.exe | 39
PID 2376 wrote to memory of 2680 | 2376 | jftdpjt.exe | 40
PID 2376 wrote to memory of 2680 | 2376 | jftdpjt.exe | 40
PID 2376 wrote to memory of 2680 | 2376 | jftdpjt.exe | 40
PID 2376 wrote to memory of 2680 | 2376 | jftdpjt.exe | 40
PID 2680 wrote to memory of 2952 | 2680 | ldbrn.exe | 41
PID 2680 wrote to memory of 2952 | 2680 | ldbrn.exe | 41
PID 2680 wrote to memory of 2952 | 2680 | ldbrn.exe | 41
PID 2680 wrote to memory of 2952 | 2680 | ldbrn.exe | 41
PID 2952 wrote to memory of 1868 | 2952 | jftbbr.exe | 42
PID 2952 wrote to memory of 1868 | 2952 | jftbbr.exe | 42
PID 2952 wrote to memory of 1868 | 2952 | jftbbr.exe | 42
PID 2952 wrote to memory of 1868 | 2952 | jftbbr.exe | 42
PID 1868 wrote to memory of 1984 | 1868 | thrxrj.exe | 43
PID 1868 wrote to memory of 1984 | 1868 | thrxrj.exe | 43
PID 1868 wrote to memory of 1984 | 1868 | thrxrj.exe | 43
PID 1868 wrote to memory of 1984 | 1868 | thrxrj.exe | 43
PID 1984 wrote to memory of 1176 | 1984 | ppxthl.exe | 44
PID 1984 wrote to memory of 1176 | 1984 | ppxthl.exe | 44
PID 1984 wrote to memory of 1176 | 1984 | ppxthl.exe | 44
PID 1984 wrote to memory of 1176 | 1984 | ppxthl.exe | 44
PID 1176 wrote to memory of 1884 | 1176 | jdbnh.exe | 45
PID 1176 wrote to memory of 1884 | 1176 | jdbnh.exe | 45
PID 1176 wrote to memory of 1884 | 1176 | jdbnh.exe | 45
PID 1176 wrote to memory of 1884 | 1176 | jdbnh.exe | 45
PID 1884 wrote to memory of 2232 | 1884 | fftbxnr.exe | 46
PID 1884 wrote to memory of 2232 | 1884 | fftbxnr.exe | 46
PID 1884 wrote to memory of 2232 | 1884 | fftbxnr.exe | 46
PID 1884 wrote to memory of 2232 | 1884 | fftbxnr.exe | 46
Processes
level | image path | command line | PID | signatures
1 | C:\Users\Admin\AppData\Local\Temp\b8994bc0a5bef5a98eb88e27a4795fe3653e232742788348cf0693c0cbc98aca.exe | "C:\Users\Admin\AppData\Local\Temp\b8994bc0a5bef5a98eb88e27a4795fe3653e232742788348cf0693c0cbc98aca.exe" | 2188 | Suspicious use of WriteProcessMemory
2 | \??\c:\nfbnnl.exe | c:\nfbnnl.exe | 2552 | Executes dropped EXE; Suspicious use of WriteProcessMemory
3 | \??\c:\rjfjtph.exe | c:\rjfjtph.exe | 2964 | Executes dropped EXE; Suspicious use of WriteProcessMemory
4 | \??\c:\xvxfrb.exe | c:\xvxfrb.exe | 2492 | Executes dropped EXE; Suspicious use of WriteProcessMemory
5 | \??\c:\tthvxh.exe | c:\tthvxh.exe | 2936 | Executes dropped EXE; Suspicious use of WriteProcessMemory
6 | \??\c:\rxddb.exe | c:\rxddb.exe | 1192 | Executes dropped EXE; Suspicious use of WriteProcessMemory
7 | \??\c:\nxxjh.exe | c:\nxxjh.exe | 2164 | Executes dropped EXE; Suspicious use of WriteProcessMemory
8 | \??\c:\vxdhbr.exe | c:\vxdhbr.exe | 2732 | Executes dropped EXE; Suspicious use of WriteProcessMemory
9 | \??\c:\frjdhpv.exe | c:\frjdhpv.exe | 2672 | Executes dropped EXE; Suspicious use of WriteProcessMemory
10 | \??\c:\jftdpjt.exe | c:\jftdpjt.exe | 2376 | Executes dropped EXE; Suspicious use of WriteProcessMemory
11 | \??\c:\ldbrn.exe | c:\ldbrn.exe | 2680 | Executes dropped EXE; Suspicious use of WriteProcessMemory
12 | \??\c:\jftbbr.exe | c:\jftbbr.exe | 2952 | Executes dropped EXE; Suspicious use of WriteProcessMemory
13 | \??\c:\thrxrj.exe | c:\thrxrj.exe | 1868 | Executes dropped EXE; Suspicious use of WriteProcessMemory
14 | \??\c:\ppxthl.exe | c:\ppxthl.exe | 1984 | Executes dropped EXE; Suspicious use of WriteProcessMemory
15 | \??\c:\jdbnh.exe | c:\jdbnh.exe | 1176 | Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
16 | \??\c:\fftbxnr.exe | c:\fftbxnr.exe | 1884 | Executes dropped EXE; Suspicious use of WriteProcessMemory
17 | \??\c:\jxjvp.exe | c:\jxjvp.exe | 2232 | Executes dropped EXE
18 | \??\c:\dtvnftn.exe | c:\dtvnftn.exe | 2076 | Executes dropped EXE
19 | \??\c:\xppbpx.exe | c:\xppbpx.exe | 2248 | Executes dropped EXE
20 | \??\c:\hnbtdbt.exe | c:\hnbtdbt.exe | 2176 | Executes dropped EXE
21 | \??\c:\xfvbhf.exe | c:\xfvbhf.exe | 1812 | Executes dropped EXE
22 | \??\c:\xpjxrdp.exe | c:\xpjxrdp.exe | 1632 | Executes dropped EXE
23 | \??\c:\jdtlp.exe | c:\jdtlp.exe | 276 | Executes dropped EXE
24 | \??\c:\xlfdn.exe | c:\xlfdn.exe | 1368 | Executes dropped EXE
25 | \??\c:\rhljhx.exe | c:\rhljhx.exe | 1736 | Executes dropped EXE
26 | \??\c:\hjbpht.exe | c:\hjbpht.exe | 1724 | Executes dropped EXE
27 | \??\c:\lhxpnr.exe | c:\lhxpnr.exe | 1788 | Executes dropped EXE
28 | \??\c:\vnjlnv.exe | c:\vnjlnv.exe | 1512 | Executes dropped EXE
29 | \??\c:\pfbtnl.exe | c:\pfbtnl.exe | 1660 | Executes dropped EXE
30 | \??\c:\nhpxv.exe | c:\nhpxv.exe | 836 | Executes dropped EXE
31 | \??\c:\tddjrl.exe | c:\tddjrl.exe | 672 | Executes dropped EXE
32 | \??\c:\fpllr.exe | c:\fpllr.exe | 864 | Executes dropped EXE
33 | \??\c:\rpndljl.exe | c:\rpndljl.exe | 536 | Executes dropped EXE
34 | \??\c:\hjnhr.exe | c:\hjnhr.exe | 2548 | Executes dropped EXE
35 | \??\c:\jhdnl.exe | c:\jhdnl.exe | 1516 | Executes dropped EXE
36 | \??\c:\llpdbv.exe | c:\llpdbv.exe | 1988 | Executes dropped EXE
37 | \??\c:\lnttxl.exe | c:\lnttxl.exe | 2456 | Executes dropped EXE
38 | \??\c:\bjbnltt.exe | c:\bjbnltt.exe | 2880 | Executes dropped EXE
39 | \??\c:\htnlvhx.exe | c:\htnlvhx.exe | 2764 | Executes dropped EXE
40 | \??\c:\vhnfjlr.exe | c:\vhnfjlr.exe | 3040 | Executes dropped EXE
41 | \??\c:\rpflvh.exe | c:\rpflvh.exe | 1192 | Executes dropped EXE
42 | \??\c:\frrfrv.exe | c:\frrfrv.exe | 2648 | Executes dropped EXE
43 | \??\c:\lfntd.exe | c:\lfntd.exe | 2624 | Executes dropped EXE
44 | \??\c:\njtjp.exe | c:\njtjp.exe | 2740 | Executes dropped EXE
45 | \??\c:\ltfxp.exe | c:\ltfxp.exe | 2324 | Executes dropped EXE
46 | \??\c:\bldfhvd.exe | c:\bldfhvd.exe | 2664 | Executes dropped EXE
47 | \??\c:\hhlxpdv.exe | c:\hhlxpdv.exe | 1692 | Executes dropped EXE
48 | \??\c:\hxfjrv.exe | c:\hxfjrv.exe | 2800 | Executes dropped EXE
49 | \??\c:\pptrxf.exe | c:\pptrxf.exe | 340 | Executes dropped EXE
50 | \??\c:\vbjdlrf.exe | c:\vbjdlrf.exe | 740 | Executes dropped EXE
51 | \??\c:\xfptvfx.exe | c:\xfptvfx.exe | 2860 | Executes dropped EXE
52 | \??\c:\pxxbtvf.exe | c:\pxxbtvf.exe | 1980 | Executes dropped EXE
53 | \??\c:\jhvvbrv.exe | c:\jhvvbrv.exe | 2944 | Executes dropped EXE
54 | \??\c:\dvhprx.exe | c:\dvhprx.exe | 3008 | Executes dropped EXE
55 | \??\c:\ttjtl.exe | c:\ttjtl.exe | 2100 | Executes dropped EXE
56 | \??\c:\ttpjthj.exe | c:\ttpjthj.exe | 1628 | Executes dropped EXE
57 | \??\c:\jjvdbf.exe | c:\jjvdbf.exe | 2084 | Executes dropped EXE
58 | \??\c:\npvvp.exe | c:\npvvp.exe | 2344 | Executes dropped EXE
59 | \??\c:\jxttnjb.exe | c:\jxttnjb.exe | 528 | Executes dropped EXE
60 | \??\c:\jtbfj.exe | c:\jtbfj.exe | 2224 | Executes dropped EXE
61 | \??\c:\fnpvd.exe | c:\fnpvd.exe | 1268 | Executes dropped EXE
62 | \??\c:\hjvppr.exe | c:\hjvppr.exe | 1704 | Executes dropped EXE
63 | \??\c:\ttxpnpj.exe | c:\ttxpnpj.exe | 968 | Executes dropped EXE
64 | \??\c:\xbpxv.exe | c:\xbpxv.exe | 2864 | Executes dropped EXE
65 | \??\c:\lfjjpj.exe | c:\lfjjpj.exe | 2856 | Executes dropped EXE
66 | \??\c:\hjlfr.exe | c:\hjlfr.exe | 1724 | System Location Discovery: System Language Discovery
67 | \??\c:\nvlhb.exe | c:\nvlhb.exe | 572 | (none)
68 | \??\c:\phvbb.exe | c:\phvbb.exe | 1588 | (none)
69 | \??\c:\vfppfnf.exe | c:\vfppfnf.exe | 2700 | (none)
70 | \??\c:\xbdfhdf.exe | c:\xbdfhdf.exe | 1976 | (none)
71 | \??\c:\bjlvbvn.exe | c:\bjlvbvn.exe | 1012 | (none)
72 | \??\c:\hrldpvd.exe | c:\hrldpvd.exe | 2360 | (none)
73 | \??\c:\hpnlxlj.exe | c:\hpnlxlj.exe | 1952 | (none)
74 | \??\c:\hflvb.exe | c:\hflvb.exe | 3032 | (none)
75 | \??\c:\tdlrtxt.exe | c:\tdlrtxt.exe | 2556 | (none)
76 | \??\c:\xbjhdrt.exe | c:\xbjhdrt.exe | 2208 | (none)
77 | \??\c:\ndltj.exe | c:\ndltj.exe | 1700 | (none)
78 | \??\c:\lfrfrd.exe | c:\lfrfrd.exe | 1988 | (none)
79 | \??\c:\vhxvfr.exe | c:\vhxvfr.exe | 2900 | (none)
80 | \??\c:\vxvdrtl.exe | c:\vxvdrtl.exe | 2880 | (none)
81 | \??\c:\hxdxjjv.exe | c:\hxdxjjv.exe | 2752 | (none)
82 | \??\c:\bxhhf.exe | c:\bxhhf.exe | 2756 | (none)
83 | \??\c:\tlfhddn.exe | c:\tlfhddn.exe | 3012 | (none)
84 | \??\c:\thjvnbh.exe | c:\thjvnbh.exe | 2896 | (none)
85 | \??\c:\vjhxnd.exe | c:\vjhxnd.exe | 2640 | (none)
86 | \??\c:\dffrr.exe | c:\dffrr.exe | 2740 | (none)
87 | \??\c:\nlvpnvf.exe | c:\nlvpnvf.exe | 1580 | (none)
88 | \??\c:\xpdvhf.exe | c:\xpdvhf.exe | 2104 | (none)
89 | \??\c:\xlnvxpj.exe | c:\xlnvxpj.exe | 2844 | (none)
90 | \??\c:\xbdjdd.exe | c:\xbdjdd.exe | 2916 | (none)
91 | \??\c:\phfhxv.exe | c:\phfhxv.exe | 2836 | (none)
92 | \??\c:\hlrfjbd.exe | c:\hlrfjbd.exe | 1152 | (none)
93 | \??\c:\tjvdxd.exe | c:\tjvdxd.exe | 1948 | System Location Discovery: System Language Discovery
94 | \??\c:\pxtltnt.exe | c:\pxtltnt.exe | 2820 | (none)
95 | \??\c:\rdrjpp.exe | c:\rdrjpp.exe | 1888 | (none)
96 | \??\c:\bhvpt.exe | c:\bhvpt.exe | 2384 | (none)
97 | \??\c:\dnjxxdx.exe | c:\dnjxxdx.exe | 1752 | (none)
98 | \??\c:\pvxlvr.exe | c:\pvxlvr.exe | 2024 | (none)
99 | \??\c:\nnbxb.exe | c:\nnbxb.exe | 1628 | (none)
100 | \??\c:\xbfntf.exe | c:\xbfntf.exe | 1504 | (none)
101 | \??\c:\rlhthtn.exe | c:\rlhthtn.exe | 2248 | (none)
102 | \??\c:\hppbjtv.exe | c:\hppbjtv.exe | 2288 | (none)
103 | \??\c:\blpvjfx.exe | c:\blpvjfx.exe | 928 | System Location Discovery: System Language Discovery
104 | \??\c:\txpvfp.exe | c:\txpvfp.exe | 640 | (none)
105 | \??\c:\hhhlt.exe | c:\hhhlt.exe | 952 | (none)
106 | \??\c:\flhvln.exe | c:\flhvln.exe | 1824 | (none)
107 | \??\c:\fnppfjf.exe | c:\fnppfjf.exe | 2420 | (none)
108 | \??\c:\vhdrlt.exe | c:\vhdrlt.exe | 2308 | (none)
109 | \??\c:\rlnbf.exe | c:\rlnbf.exe | 676 | System Location Discovery: System Language Discovery
110 | \??\c:\trpjtt.exe | c:\trpjtt.exe | 1828 | System Location Discovery: System Language Discovery
111 | \??\c:\rxlrfbl.exe | c:\rxlrfbl.exe | 1512 | (none)
112 | \??\c:\blrtxjh.exe | c:\blrtxjh.exe | 2044 | (none)
113 | \??\c:\vhlxbd.exe | c:\vhlxbd.exe | 2352 | (none)
114 | \??\c:\bfvbvh.exe | c:\bfvbvh.exe | 2428 | (none)
115 | \??\c:\nbvrd.exe | c:\nbvrd.exe | 1360 | (none)
116 | \??\c:\bnhddvr.exe | c:\bnhddvr.exe | 872 | (none)
117 | \??\c:\rfrvnd.exe | c:\rfrvnd.exe | 864 | (none)
118 | \??\c:\rtldh.exe | c:\rtldh.exe | 1592 | (none)
119 | \??\c:\vtvthx.exe | c:\vtvthx.exe | 2188 | (none)
120 | \??\c:\vrlhvft.exe | c:\vrlhvft.exe | 2812 | (none)
121 | \??\c:\xntnp.exe | c:\xntnp.exe | 2036 | (none)
122 | \??\c:\xrbnx.exe | c:\xrbnx.exe | 2888 | (none)