Analysis
-
max time kernel
150s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system -
submitted
17-12-2024 12:17
Behavioral task
behavioral1
Sample
8e2eb20149da338ff4e8e6effa4d312b5f92f1691b73733b2422b845c1c2fa2e.exe
Resource
win7-20240903-en
7 signatures
150 seconds
General
-
Target
8e2eb20149da338ff4e8e6effa4d312b5f92f1691b73733b2422b845c1c2fa2e.exe
-
Size
335KB
-
MD5
91eabb4abe843a2b22a227c507e1ed48
-
SHA1
7dc8dc60a5fc92b89b600dfbaa2f4ce357ad33f7
-
SHA256
8e2eb20149da338ff4e8e6effa4d312b5f92f1691b73733b2422b845c1c2fa2e
-
SHA512
98472cf0c56b52836cf7f16f6b42c9c9227dd7977019b492db9af2788a7fedc445b686011783ce11ab2e69f69357ef14823678d034c63258feebcc1ed7d2adfb
-
SSDEEP
6144:Lcm4FmowdHoSHt251UriZFwfsDX2UznsaFVNJCMKAbeRr:R4wFHoSHYHUrAwfMp3CDRr
Malware Config (no configuration block was extracted in this run; the section is empty)
Signatures
-
Blackmoon family (classification is derived from the `family_blackmoon` YARA rule matching process memory dumps, listed under the next signature)
-
Detect Blackmoon payload — 43 IoCs. The `family_blackmoon` YARA rule matched memory dumps of the original sample and of the dropped executables; most hits are in the 0x00400000–0x00427000 image region, a few in other regions of PIDs 2780, 2568, 1808, 2856, 1800 and 2164. The three hits for PID 1732 fall in the much higher 0x76C90000–0x76EAA000 range and that PID does not appear in the process tree below, so confirm those matches manually before relying on them.
resource yara_rule behavioral1/memory/3064-15-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2060-18-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2536-6-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/596-27-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2328-35-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2848-51-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/748-47-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2780-67-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2736-63-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/3000-287-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/352-271-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1812-264-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2312-253-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2232-248-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/900-225-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2984-196-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2200-188-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2952-180-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2796-158-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/800-150-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1260-142-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral1/memory/336-127-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1612-119-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2412-111-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/588-103-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2756-81-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2764-344-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2428-354-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2076-451-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/596-549-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2780-595-0x00000000002C0000-0x00000000002E7000-memory.dmp family_blackmoon behavioral1/memory/2064-715-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1684-808-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2568-880-0x00000000003B0000-0x00000000003D7000-memory.dmp family_blackmoon behavioral1/memory/1808-963-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2520-1047-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2856-1127-0x00000000003A0000-0x00000000003C7000-memory.dmp family_blackmoon behavioral1/memory/1800-1195-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2164-1222-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/1732-6562-0x0000000076DB0000-0x0000000076EAA000-memory.dmp family_blackmoon behavioral1/memory/1732-18156-0x0000000076C90000-0x0000000076DAF000-memory.dmp family_blackmoon behavioral1/memory/1732-20627-0x0000000076C90000-0x0000000076DAF000-memory.dmp family_blackmoon 
behavioral1/memory/1732-21454-0x0000000076C90000-0x0000000076DAF000-memory.dmp family_blackmoon -
Executes dropped EXE — 64 IoCs (the listing appears capped at 64; the process tree below shows well over 100 dropped executables, each written to the root of C:\ with a short letter/digit-only name such as c:\rrflxrx.exe). PIDs are reused during the run (2412 and 2796 each appear twice in this list), so pivot on file name plus parent rather than on PID alone.
pid Process 3064 rrflxrx.exe 2060 7nbhnh.exe 596 btnbhn.exe 2328 lfxfrxx.exe 748 llfrflf.exe 2848 3thbbt.exe 2736 nhbhnn.exe 2780 dvpdj.exe 2692 dpjpp.exe 2756 rrlxlrx.exe 2588 rlfxlrf.exe 2712 7hnttn.exe 588 jdpvv.exe 2412 pjdjp.exe 1612 lxrxllx.exe 336 3fffrxf.exe 1644 hbthtt.exe 1260 bbthnn.exe 800 dvpvd.exe 2796 vpjjp.exe 1528 fllffrr.exe 2800 hbthnn.exe 2952 7hhbbb.exe 2200 pjpjj.exe 2984 5rflrxf.exe 1176 rlfflfl.exe 1252 jvdjp.exe 3044 pjpvv.exe 900 fxfxxrf.exe 1992 rfrxlfr.exe 3040 1hbttb.exe 2232 btntbh.exe 2312 vpjjv.exe 1600 rrfxxrx.exe 1812 1xfxffr.exe 352 7btbhh.exe 3060 7bnthb.exe 3068 7vvdj.exe 3000 3pddv.exe 1624 5xrxllx.exe 1704 bnnbbh.exe 1920 dvvpv.exe 2248 dvvpd.exe 1912 9rlrxfl.exe 2868 5fxxxrx.exe 2112 5thttt.exe 2876 hhtttt.exe 2964 nhtbnn.exe 2880 5dpvd.exe 2764 xxrflrf.exe 2428 9fxrxxl.exe 2156 htnnnh.exe 2636 dvjdd.exe 2412 hbnntt.exe 768 1btthn.exe 860 dvpdj.exe 2148 7xrflrf.exe 2040 thtntb.exe 1896 tnbnnh.exe 288 9jppp.exe 2796 rlflxxf.exe 2900 7bnttt.exe 692 dppdd.exe 1808 9nhhtb.exe -
resource yara_rule behavioral1/memory/2536-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0007000000012116-5.dat upx behavioral1/memory/3064-15-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2060-18-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0008000000016d29-17.dat upx behavioral1/memory/3064-8-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2536-6-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/596-27-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0008000000016d31-25.dat upx behavioral1/files/0x0008000000016d3a-33.dat upx behavioral1/memory/2328-35-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0007000000016d4a-40.dat upx behavioral1/memory/2848-51-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0007000000016d5e-49.dat upx behavioral1/memory/748-47-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0007000000016d64-57.dat upx behavioral1/memory/2780-67-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0008000000016d6d-65.dat upx behavioral1/memory/2736-63-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/3000-287-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/352-271-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/1812-264-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2312-253-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001950c-239.dat upx behavioral1/memory/2232-248-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0005000000019582-246.dat upx behavioral1/memory/900-225-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001944f-224.dat upx behavioral1/files/0x0005000000019461-232.dat upx 
behavioral1/files/0x0005000000019431-210.dat upx behavioral1/files/0x0005000000019441-217.dat upx behavioral1/files/0x0005000000019427-203.dat upx behavioral1/memory/2984-196-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001941e-195.dat upx behavioral1/memory/2200-188-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00050000000193e1-187.dat upx behavioral1/memory/2952-180-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00050000000193c2-179.dat upx behavioral1/memory/2112-322-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00050000000193b4-172.dat upx behavioral1/files/0x0005000000019350-165.dat upx behavioral1/memory/2796-158-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0005000000019334-157.dat upx behavioral1/memory/800-150-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0005000000019282-149.dat upx behavioral1/memory/1260-142-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0005000000019261-141.dat upx behavioral1/files/0x000500000001925e-134.dat upx behavioral1/memory/336-127-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0006000000019023-126.dat upx behavioral1/memory/1612-119-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00050000000187a5-118.dat upx behavioral1/memory/2412-111-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001878f-110.dat upx behavioral1/memory/588-103-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0005000000018784-102.dat upx behavioral1/files/0x000500000001873d-95.dat upx behavioral1/files/0x0005000000018728-88.dat upx behavioral1/memory/2756-81-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00050000000186fd-80.dat upx behavioral1/files/0x00050000000186ee-73.dat upx 
behavioral1/memory/2764-344-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2428-354-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2148-380-0x0000000000400000-0x0000000000427000-memory.dmp upx -
System Location Discovery: System Language Discovery — 1 TTP, 64 IoCs (listing capped at 64)
Attempts to gather information about the system language of the victim host in order to infer its geographical location; here each process opens HKLM\SYSTEM\ControlSet001\Control\NLS\Language. Most entries below are attributed to "Process not Found", meaning the process had already exited before the sandbox could resolve its name; the named ones are dropped executables from the chain. Reading this key is also common in benign software, so treat it as a low-fidelity indicator on its own.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbhhnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9nhhtb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdjdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdjjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlxffxl.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhthnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjdjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9rfrrxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvjdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory — 64 IoCs (listing capped at 64). Every entry shows a parent writing into the memory of the child it has just launched, four events per parent/child pair, and the pairs follow the same order as the "Executes dropped EXE" chain. Whether this is genuine code injection or only writes made while starting the child cannot be determined from this summary alone; check the memory dumps before treating it as injection.
description pid Process procid_target PID 2536 wrote to memory of 3064 2536 8e2eb20149da338ff4e8e6effa4d312b5f92f1691b73733b2422b845c1c2fa2e.exe 30 PID 2536 wrote to memory of 3064 2536 8e2eb20149da338ff4e8e6effa4d312b5f92f1691b73733b2422b845c1c2fa2e.exe 30 PID 2536 wrote to memory of 3064 2536 8e2eb20149da338ff4e8e6effa4d312b5f92f1691b73733b2422b845c1c2fa2e.exe 30 PID 2536 wrote to memory of 3064 2536 8e2eb20149da338ff4e8e6effa4d312b5f92f1691b73733b2422b845c1c2fa2e.exe 30 PID 3064 wrote to memory of 2060 3064 rrflxrx.exe 31 PID 3064 wrote to memory of 2060 3064 rrflxrx.exe 31 PID 3064 wrote to memory of 2060 3064 rrflxrx.exe 31 PID 3064 wrote to memory of 2060 3064 rrflxrx.exe 31 PID 2060 wrote to memory of 596 2060 7nbhnh.exe 32 PID 2060 wrote to memory of 596 2060 7nbhnh.exe 32 PID 2060 wrote to memory of 596 2060 7nbhnh.exe 32 PID 2060 wrote to memory of 596 2060 7nbhnh.exe 32 PID 596 wrote to memory of 2328 596 btnbhn.exe 33 PID 596 wrote to memory of 2328 596 btnbhn.exe 33 PID 596 wrote to memory of 2328 596 btnbhn.exe 33 PID 596 wrote to memory of 2328 596 btnbhn.exe 33 PID 2328 wrote to memory of 748 2328 lfxfrxx.exe 34 PID 2328 wrote to memory of 748 2328 lfxfrxx.exe 34 PID 2328 wrote to memory of 748 2328 lfxfrxx.exe 34 PID 2328 wrote to memory of 748 2328 lfxfrxx.exe 34 PID 748 wrote to memory of 2848 748 llfrflf.exe 35 PID 748 wrote to memory of 2848 748 llfrflf.exe 35 PID 748 wrote to memory of 2848 748 llfrflf.exe 35 PID 748 wrote to memory of 2848 748 llfrflf.exe 35 PID 2848 wrote to memory of 2736 2848 3thbbt.exe 36 PID 2848 wrote to memory of 2736 2848 3thbbt.exe 36 PID 2848 wrote to memory of 2736 2848 3thbbt.exe 36 PID 2848 wrote to memory of 2736 2848 3thbbt.exe 36 PID 2736 wrote to memory of 2780 2736 nhbhnn.exe 37 PID 2736 wrote to memory of 2780 2736 nhbhnn.exe 37 PID 2736 wrote to memory of 2780 2736 nhbhnn.exe 37 PID 2736 wrote to memory of 2780 2736 nhbhnn.exe 37 PID 2780 wrote to memory of 2692 2780 dvpdj.exe 38 PID 2780 wrote to memory 
of 2692 2780 dvpdj.exe 38 PID 2780 wrote to memory of 2692 2780 dvpdj.exe 38 PID 2780 wrote to memory of 2692 2780 dvpdj.exe 38 PID 2692 wrote to memory of 2756 2692 dpjpp.exe 39 PID 2692 wrote to memory of 2756 2692 dpjpp.exe 39 PID 2692 wrote to memory of 2756 2692 dpjpp.exe 39 PID 2692 wrote to memory of 2756 2692 dpjpp.exe 39 PID 2756 wrote to memory of 2588 2756 rrlxlrx.exe 40 PID 2756 wrote to memory of 2588 2756 rrlxlrx.exe 40 PID 2756 wrote to memory of 2588 2756 rrlxlrx.exe 40 PID 2756 wrote to memory of 2588 2756 rrlxlrx.exe 40 PID 2588 wrote to memory of 2712 2588 rlfxlrf.exe 41 PID 2588 wrote to memory of 2712 2588 rlfxlrf.exe 41 PID 2588 wrote to memory of 2712 2588 rlfxlrf.exe 41 PID 2588 wrote to memory of 2712 2588 rlfxlrf.exe 41 PID 2712 wrote to memory of 588 2712 7hnttn.exe 42 PID 2712 wrote to memory of 588 2712 7hnttn.exe 42 PID 2712 wrote to memory of 588 2712 7hnttn.exe 42 PID 2712 wrote to memory of 588 2712 7hnttn.exe 42 PID 588 wrote to memory of 2412 588 jdpvv.exe 43 PID 588 wrote to memory of 2412 588 jdpvv.exe 43 PID 588 wrote to memory of 2412 588 jdpvv.exe 43 PID 588 wrote to memory of 2412 588 jdpvv.exe 43 PID 2412 wrote to memory of 1612 2412 pjdjp.exe 44 PID 2412 wrote to memory of 1612 2412 pjdjp.exe 44 PID 2412 wrote to memory of 1612 2412 pjdjp.exe 44 PID 2412 wrote to memory of 1612 2412 pjdjp.exe 44 PID 1612 wrote to memory of 336 1612 lxrxllx.exe 45 PID 1612 wrote to memory of 336 1612 lxrxllx.exe 45 PID 1612 wrote to memory of 336 1612 lxrxllx.exe 45 PID 1612 wrote to memory of 336 1612 lxrxllx.exe 45
Processes (a single linear chain: the sample spawns rrflxrx.exe, which spawns 7nbhnh.exe, and so on, reaching depth 122 before the analysis window ends; note PID 2536 belongs first to the original sample and is later reused by 7fxrlrx.exe at depth 87, and PID 596 is likewise reused)
-
C:\Users\Admin\AppData\Local\Temp\8e2eb20149da338ff4e8e6effa4d312b5f92f1691b73733b2422b845c1c2fa2e.exe"C:\Users\Admin\AppData\Local\Temp\8e2eb20149da338ff4e8e6effa4d312b5f92f1691b73733b2422b845c1c2fa2e.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2536 -
\??\c:\rrflxrx.exec:\rrflxrx.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3064 -
\??\c:\7nbhnh.exec:\7nbhnh.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2060 -
\??\c:\btnbhn.exec:\btnbhn.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:596 -
\??\c:\lfxfrxx.exec:\lfxfrxx.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2328 -
\??\c:\llfrflf.exec:\llfrflf.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:748 -
\??\c:\3thbbt.exec:\3thbbt.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2848 -
\??\c:\nhbhnn.exec:\nhbhnn.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2736 -
\??\c:\dvpdj.exec:\dvpdj.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2780 -
\??\c:\dpjpp.exec:\dpjpp.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2692 -
\??\c:\rrlxlrx.exec:\rrlxlrx.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2756 -
\??\c:\rlfxlrf.exec:\rlfxlrf.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2588 -
\??\c:\7hnttn.exec:\7hnttn.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2712 -
\??\c:\jdpvv.exec:\jdpvv.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:588 -
\??\c:\pjdjp.exec:\pjdjp.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2412 -
\??\c:\lxrxllx.exec:\lxrxllx.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1612 -
\??\c:\3fffrxf.exec:\3fffrxf.exe17⤵
- Executes dropped EXE
PID:336 -
\??\c:\hbthtt.exec:\hbthtt.exe18⤵
- Executes dropped EXE
PID:1644 -
\??\c:\bbthnn.exec:\bbthnn.exe19⤵
- Executes dropped EXE
PID:1260 -
\??\c:\dvpvd.exec:\dvpvd.exe20⤵
- Executes dropped EXE
PID:800 -
\??\c:\vpjjp.exec:\vpjjp.exe21⤵
- Executes dropped EXE
PID:2796 -
\??\c:\fllffrr.exec:\fllffrr.exe22⤵
- Executes dropped EXE
PID:1528 -
\??\c:\hbthnn.exec:\hbthnn.exe23⤵
- Executes dropped EXE
PID:2800 -
\??\c:\7hhbbb.exec:\7hhbbb.exe24⤵
- Executes dropped EXE
PID:2952 -
\??\c:\pjpjj.exec:\pjpjj.exe25⤵
- Executes dropped EXE
PID:2200 -
\??\c:\5rflrxf.exec:\5rflrxf.exe26⤵
- Executes dropped EXE
PID:2984 -
\??\c:\rlfflfl.exec:\rlfflfl.exe27⤵
- Executes dropped EXE
PID:1176 -
\??\c:\jvdjp.exec:\jvdjp.exe28⤵
- Executes dropped EXE
PID:1252 -
\??\c:\pjpvv.exec:\pjpvv.exe29⤵
- Executes dropped EXE
PID:3044 -
\??\c:\fxfxxrf.exec:\fxfxxrf.exe30⤵
- Executes dropped EXE
PID:900 -
\??\c:\rfrxlfr.exec:\rfrxlfr.exe31⤵
- Executes dropped EXE
PID:1992 -
\??\c:\1hbttb.exec:\1hbttb.exe32⤵
- Executes dropped EXE
PID:3040 -
\??\c:\btntbh.exec:\btntbh.exe33⤵
- Executes dropped EXE
PID:2232 -
\??\c:\vpjjv.exec:\vpjjv.exe34⤵
- Executes dropped EXE
PID:2312 -
\??\c:\rrfxxrx.exec:\rrfxxrx.exe35⤵
- Executes dropped EXE
PID:1600 -
\??\c:\1xfxffr.exec:\1xfxffr.exe36⤵
- Executes dropped EXE
PID:1812 -
\??\c:\7btbhh.exec:\7btbhh.exe37⤵
- Executes dropped EXE
PID:352 -
\??\c:\7bnthb.exec:\7bnthb.exe38⤵
- Executes dropped EXE
PID:3060 -
\??\c:\7vvdj.exec:\7vvdj.exe39⤵
- Executes dropped EXE
PID:3068 -
\??\c:\3pddv.exec:\3pddv.exe40⤵
- Executes dropped EXE
PID:3000 -
\??\c:\5xrxllx.exec:\5xrxllx.exe41⤵
- Executes dropped EXE
PID:1624 -
\??\c:\bnnbbh.exec:\bnnbbh.exe42⤵
- Executes dropped EXE
PID:1704 -
\??\c:\dvvpv.exec:\dvvpv.exe43⤵
- Executes dropped EXE
PID:1920 -
\??\c:\dvvpd.exec:\dvvpd.exe44⤵
- Executes dropped EXE
PID:2248 -
\??\c:\9rlrxfl.exec:\9rlrxfl.exe45⤵
- Executes dropped EXE
PID:1912 -
\??\c:\5fxxxrx.exec:\5fxxxrx.exe46⤵
- Executes dropped EXE
PID:2868 -
\??\c:\5thttt.exec:\5thttt.exe47⤵
- Executes dropped EXE
PID:2112 -
\??\c:\hhtttt.exec:\hhtttt.exe48⤵
- Executes dropped EXE
PID:2876 -
\??\c:\nhtbnn.exec:\nhtbnn.exe49⤵
- Executes dropped EXE
PID:2964 -
\??\c:\5dpvd.exec:\5dpvd.exe50⤵
- Executes dropped EXE
PID:2880 -
\??\c:\xxrflrf.exec:\xxrflrf.exe51⤵
- Executes dropped EXE
PID:2764 -
\??\c:\9fxrxxl.exec:\9fxrxxl.exe52⤵
- Executes dropped EXE
PID:2428 -
\??\c:\htnnnh.exec:\htnnnh.exe53⤵
- Executes dropped EXE
PID:2156 -
\??\c:\dvjdd.exec:\dvjdd.exe54⤵
- Executes dropped EXE
PID:2636 -
\??\c:\hbnntt.exec:\hbnntt.exe55⤵
- Executes dropped EXE
PID:2412 -
\??\c:\1btthn.exec:\1btthn.exe56⤵
- Executes dropped EXE
PID:768 -
\??\c:\dvpdj.exec:\dvpdj.exe57⤵
- Executes dropped EXE
PID:860 -
\??\c:\7xrflrf.exec:\7xrflrf.exe58⤵
- Executes dropped EXE
PID:2148 -
\??\c:\thtntb.exec:\thtntb.exe59⤵
- Executes dropped EXE
PID:2040 -
\??\c:\tnbnnh.exec:\tnbnnh.exe60⤵
- Executes dropped EXE
PID:1896 -
\??\c:\9jppp.exec:\9jppp.exe61⤵
- Executes dropped EXE
PID:288 -
\??\c:\rlflxxf.exec:\rlflxxf.exe62⤵
- Executes dropped EXE
PID:2796 -
\??\c:\7bnttt.exec:\7bnttt.exe63⤵
- Executes dropped EXE
PID:2900 -
\??\c:\dppdd.exec:\dppdd.exe64⤵
- Executes dropped EXE
PID:692 -
\??\c:\9nhhtb.exec:\9nhhtb.exe65⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1808 -
\??\c:\tnhnnn.exec:\tnhnnn.exe66⤵PID:2836
-
\??\c:\vjvvv.exec:\vjvvv.exe67⤵PID:2976
-
\??\c:\rlxxfxf.exec:\rlxxfxf.exe68⤵PID:2076
-
\??\c:\lfrrflr.exec:\lfrrflr.exe69⤵PID:2116
-
\??\c:\7htbbt.exec:\7htbbt.exe70⤵PID:1176
-
\??\c:\1vjpp.exec:\1vjpp.exe71⤵PID:284
-
\??\c:\dvjjd.exec:\dvjjd.exe72⤵PID:616
-
\??\c:\frflrrf.exec:\frflrrf.exe73⤵PID:900
-
\??\c:\5hbnbb.exec:\5hbnbb.exe74⤵PID:1120
-
\??\c:\jdjjd.exec:\jdjjd.exe75⤵PID:1012
-
\??\c:\dvppp.exec:\dvppp.exe76⤵PID:2204
-
\??\c:\lflllff.exec:\lflllff.exe77⤵PID:1200
-
\??\c:\lfrxxfl.exec:\lfrxxfl.exe78⤵PID:2312
-
\??\c:\thhntn.exec:\thhntn.exe79⤵PID:2988
-
\??\c:\vvppp.exec:\vvppp.exe80⤵PID:2000
-
\??\c:\1dpjj.exec:\1dpjj.exe81⤵PID:1788
-
\??\c:\lrxrxxf.exec:\lrxrxxf.exe82⤵PID:2832
-
\??\c:\1rrxxxf.exec:\1rrxxxf.exe83⤵PID:2688
-
\??\c:\bthbbb.exec:\bthbbb.exe84⤵PID:2088
-
\??\c:\1ddjd.exec:\1ddjd.exe85⤵PID:1420
-
\??\c:\vpdjp.exec:\vpdjp.exe86⤵PID:2300
-
\??\c:\7fxrlrx.exec:\7fxrlrx.exe87⤵PID:2536
-
\??\c:\fxlrxxf.exec:\fxlrxxf.exe88⤵PID:1704
-
\??\c:\1bhbnh.exec:\1bhbnh.exe89⤵PID:2324
-
\??\c:\dvdjp.exec:\dvdjp.exe90⤵PID:2044
-
\??\c:\jvpjj.exec:\jvpjj.exe91⤵PID:596
-
\??\c:\xlxffxf.exec:\xlxffxf.exe92⤵PID:1932
-
\??\c:\3lxxfxr.exec:\3lxxfxr.exe93⤵PID:2908
-
\??\c:\tnhhnn.exec:\tnhhnn.exe94⤵PID:2032
-
\??\c:\tnttbb.exec:\tnttbb.exe95⤵PID:484
-
\??\c:\1dppv.exec:\1dppv.exe96⤵PID:2684
-
\??\c:\lxrrrlr.exec:\lxrrrlr.exe97⤵PID:2500
-
\??\c:\lxfxlfr.exec:\lxfxlfr.exe98⤵PID:2600
-
\??\c:\tnbbhb.exec:\tnbbhb.exe99⤵PID:2780
-
\??\c:\3hbttt.exec:\3hbttt.exe100⤵PID:2692
-
\??\c:\ppjvp.exec:\ppjvp.exe101⤵PID:2856
-
\??\c:\xrlxrxf.exec:\xrlxrxf.exe102⤵PID:2728
-
\??\c:\frfxffr.exec:\frfxffr.exe103⤵PID:2712
-
\??\c:\tbhbbt.exec:\tbhbbt.exe104⤵PID:2624
-
\??\c:\9hhhnn.exec:\9hhhnn.exe105⤵PID:2152
-
\??\c:\3jjvd.exec:\3jjvd.exe106⤵PID:2408
-
\??\c:\rlfrxxl.exec:\rlfrxxl.exe107⤵PID:524
-
\??\c:\lfrrllr.exec:\lfrrllr.exe108⤵PID:2332
-
\??\c:\hbnnnt.exec:\hbnnnt.exe109⤵PID:2120
-
\??\c:\hhbthh.exec:\hhbthh.exe110⤵PID:2040
-
\??\c:\djdvd.exec:\djdvd.exe111⤵PID:2012
-
\??\c:\7lfxfff.exec:\7lfxfff.exe112⤵PID:288
-
\??\c:\5xxfllx.exec:\5xxfllx.exe113⤵PID:1800
-
\??\c:\3ntnnb.exec:\3ntnnb.exe114⤵PID:2900
-
\??\c:\tnhtbh.exec:\tnhtbh.exe115⤵PID:2820
-
\??\c:\ppvvj.exec:\ppvvj.exe116⤵PID:1808
-
\??\c:\5rlrlrr.exec:\5rlrlrr.exe117⤵PID:2200
-
\??\c:\rlflxfr.exec:\rlflxfr.exe118⤵PID:2976
-
\??\c:\bnnnnt.exec:\bnnnnt.exe119⤵PID:2948
-
\??\c:\bnbbtt.exec:\bnbbtt.exe120⤵PID:1716
-
\??\c:\pdpvd.exec:\pdpvd.exe121⤵PID:1176
-
\??\c:\vpvpd.exec:\vpvpd.exe122⤵PID:2064