Analysis
-
max time kernel
150s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64 arch:x86 image:win7-20240729-en locale:en-us os:windows7-x64 system -
submitted
18/10/2024, 19:49
Behavioral task
behavioral1
Sample
367c4f134c58c7809ec208b620f604a3cb884e33b8fe5b82aae950f53168e536N.exe
Resource
win7-20240729-en
6 signatures
150 seconds
General
-
Target
367c4f134c58c7809ec208b620f604a3cb884e33b8fe5b82aae950f53168e536N.exe
-
Size
343KB
-
MD5
5082415ef661e85e83e37fde8ac6e570
-
SHA1
028e1bae6569ad5c2f655ff5fc00153cc403e3cf
-
SHA256
367c4f134c58c7809ec208b620f604a3cb884e33b8fe5b82aae950f53168e536
-
SHA512
0688b46fd9ef72ed0fb2f24bcb9dfa22b558bd6b846565e5e6ccc5fda4a4764c833133f1931655510b73a056e8c428c2961ba91560054bc31d9d95c4a9f6c487
-
SSDEEP
6144:Lcm4FmowdHoSEYW5fNZWB5hFfci3Add4kGYAc:R4wFHoS3WXZshJX2VGdc
Malware Config
Signatures
-
Detect Blackmoon payload 38 IoCs
resource yara_rule behavioral1/memory/2744-6-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2344-17-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2172-20-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2900-28-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2900-34-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/1448-44-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/3012-58-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2840-67-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2672-75-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/840-84-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1080-91-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/304-101-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2116-109-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1036-119-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/3048-127-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2064-153-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1444-168-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2164-185-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2088-203-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2824-245-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/876-278-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral1/memory/1664-284-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2772-308-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2904-314-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2668-337-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1952-343-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1680-370-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/1884-429-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2136-473-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1060-486-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1868-498-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2220-511-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2220-510-0x00000000003D0000-0x00000000003F7000-memory.dmp family_blackmoon behavioral1/memory/2784-640-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1064-658-0x00000000002B0000-0x00000000002D7000-memory.dmp family_blackmoon behavioral1/memory/1760-7886-0x0000000076FE0000-0x00000000770FF000-memory.dmp family_blackmoon behavioral1/memory/1760-14687-0x0000000076FE0000-0x00000000770FF000-memory.dmp family_blackmoon behavioral1/memory/1760-20748-0x0000000077100000-0x00000000771FA000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2344 tnhnhh.exe 2172 pvjdd.exe 2900 nbhtbb.exe 2812 jddjv.exe 1448 lfxlfxr.exe 3012 5hhbnn.exe 2840 1lxrxfr.exe 2672 vpddj.exe 840 rrrfxll.exe 1080 9bbhtt.exe 304 jjddv.exe 2116 lfxfrxl.exe 1036 tnhhtt.exe 3048 1lfrfrx.exe 2856 bnbhtb.exe 2204 pppvv.exe 2064 xxfrrxf.exe 2404 nhtthn.exe 1444 5vvjd.exe 3060 bbbnhh.exe 2164 3jvvd.exe 2844 9rrrrxl.exe 2340 nttbnt.exe 2088 pjpdv.exe 1384 xxxlflx.exe 1104 bthhnn.exe 1524 pddjp.exe 3024 tnnthn.exe 2824 ddvpj.exe 2376 ffxfrxl.exe 2656 ttnhbt.exe 1816 djppv.exe 3036 9ffrxlx.exe 876 7tbbbh.exe 1664 bbttht.exe 1724 9ddpd.exe 2216 3rlxxfl.exe 1692 nnbnbb.exe 2772 jvdvv.exe 2904 djjvp.exe 2900 7lfrlrf.exe 2820 bbbhbb.exe 2876 ppjpp.exe 2668 pppvv.exe 1952 xxrlrfl.exe 2776 hnnnbh.exe 2652 jjddj.exe 2672 dddpv.exe 2784 fxxlxfr.exe 1680 hnhtbn.exe 1080 ppjpd.exe 2268 dpjjp.exe 2504 5hhbtt.exe 1204 9tnbnb.exe 2596 jpjdp.exe 1036 xfrxxxl.exe 2764 ffxxffr.exe 2368 hhbbnt.exe 2732 pjjjv.exe 2724 3dppv.exe 1452 lfrfllr.exe 1884 nnnbth.exe 772 vjdpd.exe 588 rfflxlr.exe -
resource yara_rule behavioral1/memory/2744-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00080000000120fd-7.dat upx behavioral1/memory/2744-6-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00070000000186d9-18.dat upx behavioral1/memory/2344-17-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2172-20-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2900-28-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00060000000186dd-26.dat upx behavioral1/files/0x0006000000018710-35.dat upx behavioral1/memory/1448-44-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0006000000018718-42.dat upx behavioral1/files/0x0006000000018766-51.dat upx behavioral1/files/0x0008000000018780-59.dat upx behavioral1/memory/2840-67-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0008000000018b62-66.dat upx behavioral1/memory/2672-69-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000600000001933b-76.dat upx behavioral1/memory/2672-75-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001960c-83.dat upx behavioral1/memory/840-84-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001961c-92.dat upx behavioral1/memory/1080-91-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001961e-100.dat upx behavioral1/memory/2116-102-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/304-101-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0005000000019667-110.dat upx behavioral1/memory/2116-109-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00050000000196a1-118.dat upx behavioral1/memory/3048-120-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/1036-119-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral1/files/0x0005000000019926-128.dat upx behavioral1/memory/3048-127-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0005000000019c34-135.dat upx behavioral1/memory/2204-136-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0005000000019c3c-143.dat upx behavioral1/files/0x0005000000019c3e-152.dat upx behavioral1/memory/2064-150-0x0000000000220000-0x0000000000247000-memory.dmp upx behavioral1/memory/2064-153-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0005000000019c57-160.dat upx behavioral1/files/0x002f000000017530-167.dat upx behavioral1/memory/3060-169-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/1444-168-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0005000000019cba-176.dat upx behavioral1/files/0x0005000000019cca-184.dat upx behavioral1/memory/2844-186-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2164-185-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0005000000019d8e-193.dat upx behavioral1/files/0x0005000000019dbf-201.dat upx behavioral1/memory/2088-203-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0005000000019f8a-209.dat upx behavioral1/files/0x0005000000019f94-217.dat upx behavioral1/files/0x000500000001a075-223.dat upx behavioral1/files/0x000500000001a07e-231.dat upx behavioral1/files/0x000500000001a09e-238.dat upx behavioral1/memory/2824-245-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001a307-246.dat upx behavioral1/files/0x000500000001a359-253.dat upx behavioral1/files/0x000500000001a41b-260.dat upx behavioral1/memory/3036-267-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/876-278-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/1664-284-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral1/memory/2216-292-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/1724-290-0x0000000000220000-0x0000000000247000-memory.dmp upx behavioral1/memory/2772-308-0x0000000000400000-0x0000000000427000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7dpvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9ffrxlx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flrrlfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1xllrfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxrxlrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdvvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxlrxrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhnhhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3xrrxfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhnbbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not 
Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffxxffr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1rxlxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3nbhnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pppvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjdpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttnbnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2744 wrote to memory of 2344 2744 367c4f134c58c7809ec208b620f604a3cb884e33b8fe5b82aae950f53168e536N.exe 30 PID 2744 wrote to memory of 2344 2744 367c4f134c58c7809ec208b620f604a3cb884e33b8fe5b82aae950f53168e536N.exe 30 PID 2744 wrote to memory of 2344 2744 367c4f134c58c7809ec208b620f604a3cb884e33b8fe5b82aae950f53168e536N.exe 30 PID 2744 wrote to memory of 2344 2744 367c4f134c58c7809ec208b620f604a3cb884e33b8fe5b82aae950f53168e536N.exe 30 PID 2344 wrote to memory of 2172 2344 tnhnhh.exe 31 PID 2344 wrote to memory of 2172 2344 tnhnhh.exe 31 PID 2344 wrote to memory of 2172 2344 tnhnhh.exe 31 PID 2344 wrote to memory of 2172 2344 tnhnhh.exe 31 PID 2172 wrote to memory of 2900 2172 pvjdd.exe 32 PID 2172 wrote to memory of 2900 2172 pvjdd.exe 32 PID 2172 wrote to memory of 2900 2172 pvjdd.exe 32 PID 2172 wrote to memory of 2900 2172 pvjdd.exe 32 PID 2900 wrote to memory of 2812 2900 nbhtbb.exe 33 PID 2900 wrote to memory of 2812 2900 nbhtbb.exe 33 PID 2900 wrote to memory of 2812 2900 nbhtbb.exe 33 PID 2900 wrote to memory of 2812 2900 nbhtbb.exe 33 PID 2812 wrote to memory of 1448 2812 jddjv.exe 34 PID 2812 wrote to memory of 1448 2812 jddjv.exe 34 PID 2812 wrote to memory of 1448 2812 jddjv.exe 34 PID 2812 wrote to memory of 1448 2812 jddjv.exe 34 PID 1448 wrote to memory of 3012 1448 lfxlfxr.exe 35 PID 1448 wrote to memory of 3012 1448 lfxlfxr.exe 35 PID 1448 wrote to memory of 3012 1448 lfxlfxr.exe 35 PID 1448 wrote to memory of 3012 1448 lfxlfxr.exe 35 PID 3012 wrote to memory of 2840 3012 5hhbnn.exe 36 PID 3012 wrote to memory of 2840 3012 5hhbnn.exe 36 PID 3012 wrote to memory of 2840 3012 5hhbnn.exe 36 PID 3012 wrote to memory of 2840 3012 5hhbnn.exe 36 PID 2840 wrote to memory of 2672 2840 1lxrxfr.exe 37 PID 2840 wrote to memory of 2672 2840 1lxrxfr.exe 37 PID 2840 wrote to memory of 2672 2840 1lxrxfr.exe 37 PID 2840 wrote to memory of 2672 2840 1lxrxfr.exe 37 PID 2672 wrote to memory of 840 2672 vpddj.exe 38 PID 2672 
wrote to memory of 840 2672 vpddj.exe 38 PID 2672 wrote to memory of 840 2672 vpddj.exe 38 PID 2672 wrote to memory of 840 2672 vpddj.exe 38 PID 840 wrote to memory of 1080 840 rrrfxll.exe 39 PID 840 wrote to memory of 1080 840 rrrfxll.exe 39 PID 840 wrote to memory of 1080 840 rrrfxll.exe 39 PID 840 wrote to memory of 1080 840 rrrfxll.exe 39 PID 1080 wrote to memory of 304 1080 9bbhtt.exe 40 PID 1080 wrote to memory of 304 1080 9bbhtt.exe 40 PID 1080 wrote to memory of 304 1080 9bbhtt.exe 40 PID 1080 wrote to memory of 304 1080 9bbhtt.exe 40 PID 304 wrote to memory of 2116 304 jjddv.exe 41 PID 304 wrote to memory of 2116 304 jjddv.exe 41 PID 304 wrote to memory of 2116 304 jjddv.exe 41 PID 304 wrote to memory of 2116 304 jjddv.exe 41 PID 2116 wrote to memory of 1036 2116 lfxfrxl.exe 42 PID 2116 wrote to memory of 1036 2116 lfxfrxl.exe 42 PID 2116 wrote to memory of 1036 2116 lfxfrxl.exe 42 PID 2116 wrote to memory of 1036 2116 lfxfrxl.exe 42 PID 1036 wrote to memory of 3048 1036 tnhhtt.exe 43 PID 1036 wrote to memory of 3048 1036 tnhhtt.exe 43 PID 1036 wrote to memory of 3048 1036 tnhhtt.exe 43 PID 1036 wrote to memory of 3048 1036 tnhhtt.exe 43 PID 3048 wrote to memory of 2856 3048 1lfrfrx.exe 44 PID 3048 wrote to memory of 2856 3048 1lfrfrx.exe 44 PID 3048 wrote to memory of 2856 3048 1lfrfrx.exe 44 PID 3048 wrote to memory of 2856 3048 1lfrfrx.exe 44 PID 2856 wrote to memory of 2204 2856 bnbhtb.exe 45 PID 2856 wrote to memory of 2204 2856 bnbhtb.exe 45 PID 2856 wrote to memory of 2204 2856 bnbhtb.exe 45 PID 2856 wrote to memory of 2204 2856 bnbhtb.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\367c4f134c58c7809ec208b620f604a3cb884e33b8fe5b82aae950f53168e536N.exe"C:\Users\Admin\AppData\Local\Temp\367c4f134c58c7809ec208b620f604a3cb884e33b8fe5b82aae950f53168e536N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2744 -
\??\c:\tnhnhh.exec:\tnhnhh.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2344 -
\??\c:\pvjdd.exec:\pvjdd.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2172 -
\??\c:\nbhtbb.exec:\nbhtbb.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2900 -
\??\c:\jddjv.exec:\jddjv.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2812 -
\??\c:\lfxlfxr.exec:\lfxlfxr.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1448 -
\??\c:\5hhbnn.exec:\5hhbnn.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3012 -
\??\c:\1lxrxfr.exec:\1lxrxfr.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2840 -
\??\c:\vpddj.exec:\vpddj.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2672 -
\??\c:\rrrfxll.exec:\rrrfxll.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:840 -
\??\c:\9bbhtt.exec:\9bbhtt.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1080 -
\??\c:\jjddv.exec:\jjddv.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:304 -
\??\c:\lfxfrxl.exec:\lfxfrxl.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2116 -
\??\c:\tnhhtt.exec:\tnhhtt.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1036 -
\??\c:\1lfrfrx.exec:\1lfrfrx.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3048 -
\??\c:\bnbhtb.exec:\bnbhtb.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2856 -
\??\c:\pppvv.exec:\pppvv.exe17⤵
- Executes dropped EXE
PID:2204 -
\??\c:\xxfrrxf.exec:\xxfrrxf.exe18⤵
- Executes dropped EXE
PID:2064 -
\??\c:\nhtthn.exec:\nhtthn.exe19⤵
- Executes dropped EXE
PID:2404 -
\??\c:\5vvjd.exec:\5vvjd.exe20⤵
- Executes dropped EXE
PID:1444 -
\??\c:\bbbnhh.exec:\bbbnhh.exe21⤵
- Executes dropped EXE
PID:3060 -
\??\c:\3jvvd.exec:\3jvvd.exe22⤵
- Executes dropped EXE
PID:2164 -
\??\c:\9rrrrxl.exec:\9rrrrxl.exe23⤵
- Executes dropped EXE
PID:2844 -
\??\c:\nttbnt.exec:\nttbnt.exe24⤵
- Executes dropped EXE
PID:2340 -
\??\c:\pjpdv.exec:\pjpdv.exe25⤵
- Executes dropped EXE
PID:2088 -
\??\c:\xxxlflx.exec:\xxxlflx.exe26⤵
- Executes dropped EXE
PID:1384 -
\??\c:\bthhnn.exec:\bthhnn.exe27⤵
- Executes dropped EXE
PID:1104 -
\??\c:\pddjp.exec:\pddjp.exe28⤵
- Executes dropped EXE
PID:1524 -
\??\c:\tnnthn.exec:\tnnthn.exe29⤵
- Executes dropped EXE
PID:3024 -
\??\c:\ddvpj.exec:\ddvpj.exe30⤵
- Executes dropped EXE
PID:2824 -
\??\c:\ffxfrxl.exec:\ffxfrxl.exe31⤵
- Executes dropped EXE
PID:2376 -
\??\c:\ttnhbt.exec:\ttnhbt.exe32⤵
- Executes dropped EXE
PID:2656 -
\??\c:\djppv.exec:\djppv.exe33⤵
- Executes dropped EXE
PID:1816 -
\??\c:\9ffrxlx.exec:\9ffrxlx.exe34⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3036 -
\??\c:\7tbbbh.exec:\7tbbbh.exe35⤵
- Executes dropped EXE
PID:876 -
\??\c:\bbttht.exec:\bbttht.exe36⤵
- Executes dropped EXE
PID:1664 -
\??\c:\9ddpd.exec:\9ddpd.exe37⤵
- Executes dropped EXE
PID:1724 -
\??\c:\3rlxxfl.exec:\3rlxxfl.exe38⤵
- Executes dropped EXE
PID:2216 -
\??\c:\nnbnbb.exec:\nnbnbb.exe39⤵
- Executes dropped EXE
PID:1692 -
\??\c:\jvdvv.exec:\jvdvv.exe40⤵
- Executes dropped EXE
PID:2772 -
\??\c:\djjvp.exec:\djjvp.exe41⤵
- Executes dropped EXE
PID:2904 -
\??\c:\7lfrlrf.exec:\7lfrlrf.exe42⤵
- Executes dropped EXE
PID:2900 -
\??\c:\bbbhbb.exec:\bbbhbb.exe43⤵
- Executes dropped EXE
PID:2820 -
\??\c:\ppjpp.exec:\ppjpp.exe44⤵
- Executes dropped EXE
PID:2876 -
\??\c:\pppvv.exec:\pppvv.exe45⤵
- Executes dropped EXE
PID:2668 -
\??\c:\xxrlrfl.exec:\xxrlrfl.exe46⤵
- Executes dropped EXE
PID:1952 -
\??\c:\hnnnbh.exec:\hnnnbh.exe47⤵
- Executes dropped EXE
PID:2776 -
\??\c:\jjddj.exec:\jjddj.exe48⤵
- Executes dropped EXE
PID:2652 -
\??\c:\dddpv.exec:\dddpv.exe49⤵
- Executes dropped EXE
PID:2672 -
\??\c:\fxxlxfr.exec:\fxxlxfr.exe50⤵
- Executes dropped EXE
PID:2784 -
\??\c:\hnhtbn.exec:\hnhtbn.exe51⤵
- Executes dropped EXE
PID:1680 -
\??\c:\ppjpd.exec:\ppjpd.exe52⤵
- Executes dropped EXE
PID:1080 -
\??\c:\dpjjp.exec:\dpjjp.exe53⤵
- Executes dropped EXE
PID:2268 -
\??\c:\5hhbtt.exec:\5hhbtt.exe54⤵
- Executes dropped EXE
PID:2504 -
\??\c:\9tnbnb.exec:\9tnbnb.exe55⤵
- Executes dropped EXE
PID:1204 -
\??\c:\jpjdp.exec:\jpjdp.exe56⤵
- Executes dropped EXE
PID:2596 -
\??\c:\xfrxxxl.exec:\xfrxxxl.exe57⤵
- Executes dropped EXE
PID:1036 -
\??\c:\ffxxffr.exec:\ffxxffr.exe58⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2764 -
\??\c:\hhbbnt.exec:\hhbbnt.exe59⤵
- Executes dropped EXE
PID:2368 -
\??\c:\pjjjv.exec:\pjjjv.exe60⤵
- Executes dropped EXE
PID:2732 -
\??\c:\3dppv.exec:\3dppv.exe61⤵
- Executes dropped EXE
PID:2724 -
\??\c:\lfrfllr.exec:\lfrfllr.exe62⤵
- Executes dropped EXE
PID:1452 -
\??\c:\nnnbth.exec:\nnnbth.exe63⤵
- Executes dropped EXE
PID:1884 -
\??\c:\vjdpd.exec:\vjdpd.exe64⤵
- Executes dropped EXE
PID:772 -
\??\c:\rfflxlr.exec:\rfflxlr.exe65⤵
- Executes dropped EXE
PID:588 -
\??\c:\fxxxlrx.exec:\fxxxlrx.exe66⤵PID:272
-
\??\c:\bthhhh.exec:\bthhhh.exe67⤵PID:768
-
\??\c:\ddpjv.exec:\ddpjv.exe68⤵PID:2156
-
\??\c:\5xxllrf.exec:\5xxllrf.exe69⤵PID:2844
-
\??\c:\xlrxlxf.exec:\xlrxlxf.exe70⤵PID:2360
-
\??\c:\3hbbbn.exec:\3hbbbn.exe71⤵PID:2136
-
\??\c:\jdppv.exec:\jdppv.exe72⤵PID:1060
-
\??\c:\rflrlrf.exec:\rflrlrf.exe73⤵PID:940
-
\??\c:\3rrrxxf.exec:\3rrrxxf.exe74⤵PID:1868
-
\??\c:\9hbhhn.exec:\9hbhhn.exe75⤵PID:2176
-
\??\c:\jjdjp.exec:\jjdjp.exe76⤵PID:2220
-
\??\c:\rrllxfr.exec:\rrllxfr.exe77⤵PID:1948
-
\??\c:\9rrxxxx.exec:\9rrxxxx.exe78⤵PID:1900
-
\??\c:\hhnhhn.exec:\hhnhhn.exe79⤵
- System Location Discovery: System Language Discovery
PID:2436 -
\??\c:\vjpvd.exec:\vjpvd.exe80⤵PID:1628
-
\??\c:\ppvvd.exec:\ppvvd.exe81⤵PID:3068
-
\??\c:\xrlrxlx.exec:\xrlrxlx.exe82⤵PID:672
-
\??\c:\htntbb.exec:\htntbb.exe83⤵PID:1076
-
\??\c:\jjddv.exec:\jjddv.exe84⤵PID:1072
-
\??\c:\5pjdj.exec:\5pjdj.exe85⤵PID:2744
-
\??\c:\9lxxllx.exec:\9lxxllx.exe86⤵PID:2076
-
\??\c:\3nbbth.exec:\3nbbth.exe87⤵PID:2852
-
\??\c:\hnhbnb.exec:\hnhbnb.exe88⤵PID:2356
-
\??\c:\ddjpj.exec:\ddjpj.exe89⤵PID:2912
-
\??\c:\rxlxflf.exec:\rxlxflf.exe90⤵PID:3032
-
\??\c:\bbnttt.exec:\bbnttt.exe91⤵PID:2900
-
\??\c:\3nnbtb.exec:\3nnbtb.exe92⤵PID:2780
-
\??\c:\jjpvv.exec:\jjpvv.exe93⤵PID:2876
-
\??\c:\xrxxxxl.exec:\xrxxxxl.exe94⤵PID:2668
-
\??\c:\3nbhnt.exec:\3nbhnt.exe95⤵
- System Location Discovery: System Language Discovery
PID:2708 -
\??\c:\djjdv.exec:\djjdv.exe96⤵PID:2840
-
\??\c:\vpppd.exec:\vpppd.exe97⤵PID:2664
-
\??\c:\ffrxlxr.exec:\ffrxlxr.exe98⤵PID:2728
-
\??\c:\hhbntb.exec:\hhbntb.exe99⤵PID:2784
-
\??\c:\vvdjp.exec:\vvdjp.exe100⤵PID:1680
-
\??\c:\rlrfxrr.exec:\rlrfxrr.exe101⤵PID:304
-
\??\c:\xrrlrrf.exec:\xrrlrrf.exe102⤵PID:1064
-
\??\c:\5tbbnb.exec:\5tbbnb.exe103⤵PID:2504
-
\??\c:\ppjpd.exec:\ppjpd.exe104⤵PID:2400
-
\??\c:\ffxrfrf.exec:\ffxrfrf.exe105⤵PID:2976
-
\??\c:\xrfrfll.exec:\xrfrfll.exe106⤵PID:2984
-
\??\c:\thnnnn.exec:\thnnnn.exe107⤵PID:2920
-
\??\c:\hbtbhh.exec:\hbtbhh.exe108⤵PID:2204
-
\??\c:\vvpvj.exec:\vvpvj.exe109⤵PID:2616
-
\??\c:\xxllxlx.exec:\xxllxlx.exe110⤵PID:2404
-
\??\c:\btnhnt.exec:\btnhnt.exe111⤵PID:2380
-
\??\c:\tththn.exec:\tththn.exe112⤵PID:1380
-
\??\c:\7vddd.exec:\7vddd.exe113⤵PID:984
-
\??\c:\pjpjp.exec:\pjpjp.exe114⤵PID:1744
-
\??\c:\1lxlllr.exec:\1lxlllr.exe115⤵PID:2304
-
\??\c:\hthtbh.exec:\hthtbh.exe116⤵PID:1876
-
\??\c:\nnhbbb.exec:\nnhbbb.exe117⤵PID:2364
-
\??\c:\1dvvj.exec:\1dvvj.exe118⤵PID:2412
-
\??\c:\7xrxrxl.exec:\7xrxrxl.exe119⤵PID:988
-
\??\c:\tbthtt.exec:\tbthtt.exe120⤵PID:2088
-
\??\c:\nnhhth.exec:\nnhhth.exe121⤵PID:756
-
\??\c:\pjvdd.exec:\pjvdd.exe122⤵PID:1908