Analysis

max time kernel: 150s
max time network: 122s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 19-12-2024 01:35

Static task: static1 (1 signature)
Behavioral task: behavioral1
  Sample: a6fe6c5900e969f0ef5df3fd62e3708675abef8d6496900943bbf3bb8b0b6e2c.exe
  Resource: win7-20240903-en
  7 signatures, 150 seconds

General

Target: a6fe6c5900e969f0ef5df3fd62e3708675abef8d6496900943bbf3bb8b0b6e2c.exe
Size: 453KB
MD5: 82b621c3b330f9263a847ed8bcf6e2ef
SHA1: e406e62e1e15012c52d2dfc6027e9e0498adeaa2
SHA256: a6fe6c5900e969f0ef5df3fd62e3708675abef8d6496900943bbf3bb8b0b6e2c
SHA512: a25c39abec151e031fce45c4d10724da9adfd48a3c8bd04b0644886ee8ef62106a290657c4a0683225c3a1606461552d2e728308bcd50f41bdb256dd56368adc
SSDEEP: 6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeh:q7Tc2NYHUrAwfMp3CDh

Malware Config
Signatures

Blackmoon family

Detect Blackmoon payload (45 IoCs)
resource  yara_rule
behavioral1/memory/2080-7-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/2548-16-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/2528-25-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/2996-36-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/604-44-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/2892-52-0x0000000000220000-0x000000000024A000-memory.dmp  family_blackmoon
behavioral1/memory/2892-54-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/2772-63-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/2624-75-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/1500-85-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/2808-83-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/1500-91-0x0000000000220000-0x000000000024A000-memory.dmp  family_blackmoon
behavioral1/memory/2692-102-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/1656-137-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/1160-170-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/2284-180-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/3064-197-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/960-206-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/760-214-0x0000000000220000-0x000000000024A000-memory.dmp  family_blackmoon
behavioral1/memory/760-217-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/708-259-0x0000000000220000-0x000000000024A000-memory.dmp  family_blackmoon
behavioral1/memory/708-258-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/580-269-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/580-267-0x0000000000320000-0x000000000034A000-memory.dmp  family_blackmoon
behavioral1/memory/1584-306-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/2592-319-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/2768-332-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/2628-370-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/2336-456-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/1516-463-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/556-470-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/1372-507-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/2340-520-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/2468-539-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/2768-606-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/2780-619-0x0000000000220000-0x000000000024A000-memory.dmp  family_blackmoon
behavioral1/memory/2936-628-0x0000000000220000-0x000000000024A000-memory.dmp  family_blackmoon
behavioral1/memory/2808-635-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/2344-654-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/900-661-0x00000000001B0000-0x00000000001DA000-memory.dmp  family_blackmoon
behavioral1/memory/2848-693-0x0000000000220000-0x000000000024A000-memory.dmp  family_blackmoon
behavioral1/memory/1340-751-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/1672-798-0x0000000000250000-0x000000000027A000-memory.dmp  family_blackmoon
behavioral1/memory/2164-807-0x00000000003C0000-0x00000000003EA000-memory.dmp  family_blackmoon
behavioral1/memory/1816-1040-0x0000000000320000-0x000000000034A000-memory.dmp  family_blackmoon
Executes dropped EXE (64 IoCs)
pid   Process
2548  9thnth.exe
2528  bbntnn.exe
2996  rflffxx.exe
604   rrflxrr.exe
2892  9nthnb.exe
2772  7flfrxf.exe
2624  7lflfrr.exe
2808  pjvdd.exe
1500  7xxllxr.exe
2692  9nhhhh.exe
2176  9lllxfl.exe
1048  3rlxlrf.exe
1288  5nbbnh.exe
1656  lxrrrrr.exe
1720  bnnhnt.exe
2856  llflrlf.exe
1908  9tnbht.exe
1160  xxlrxfl.exe
2284  fxxxlrx.exe
444   jjdpj.exe
3064  rllxlrl.exe
960   lfxxffr.exe
760   3frrffr.exe
2216  xfrxxxl.exe
1664  fxlrfrx.exe
2484  9frrxfr.exe
2256  9nhntb.exe
708   xxxxlxr.exe
580   tbnbtb.exe
268   xrrflxr.exe
2248  hnbntb.exe
2556  dvpdv.exe
2348  xrffrrr.exe
1584  httbnb.exe
2396  ddvjv.exe
2592  lffxrll.exe
2060  1tnthn.exe
2768  jjjpj.exe
2928  1pjvv.exe
2888  xfxfrfx.exe
3004  bhhtnn.exe
2976  pvjdv.exe
2816  xrxlrrx.exe
2628  9xrrxfx.exe
2660  bnhnbn.exe
2692  vvjpj.exe
2180  rrrxlll.exe
2496  ffxfrfx.exe
1048  bhbhbh.exe
1404  pjpdv.exe
1028  pdvdp.exe
2032  9tntnn.exe
2520  nbtbtb.exe
1428  ppjjd.exe
2008  lrlxlfr.exe
2980  9btbtt.exe
2336  3jvdj.exe
1516  ddvpd.exe
556   xfxlxfr.exe
1384  7tbntb.exe
1032  ddvdv.exe
1728  vdpdv.exe
2068  9rflxfl.exe
468   1tthtb.exe
Yara rule upx matches

resource  yara_rule
behavioral1/memory/2080-7-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2548-16-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2996-27-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2528-25-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2996-36-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/604-44-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2892-54-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2772-63-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2624-75-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/1500-85-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2808-83-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2692-94-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2692-102-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/1656-137-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/1160-170-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2284-174-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2284-180-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/3064-197-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/960-206-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/760-217-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/708-258-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/580-269-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/1584-306-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2592-319-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2768-332-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2976-351-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2628-370-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2980-443-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2336-456-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/1516-463-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/556-470-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/1372-507-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2340-520-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2468-539-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2768-606-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2808-635-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2344-654-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/900-661-0x00000000001B0000-0x00000000001DA000-memory.dmp  upx
behavioral1/memory/1340-751-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/1952-1012-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/1816-1040-0x0000000000320000-0x000000000034A000-memory.dmp  upx
behavioral1/memory/1048-1199-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2044-1236-0x0000000000320000-0x000000000034A000-memory.dmp  upx
behavioral1/memory/1192-1243-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/660-1256-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/296-1287-0x0000000000400000-0x000000000042A000-memory.dmp  upx
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)

Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc  Process
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  ttbnnt.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  hnntht.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  5thbhn.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  xfxfxll.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  bhbhbh.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  djpjp.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  bbbtth.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  1xlrxxf.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  xfrrxrl.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  xrrflrf.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  rllrxff.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  jjdpd.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  xxlxlfr.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  nhbbtt.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  xfrxrfr.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Suspicious use of WriteProcessMemory (64 IoCs)
Each row below is recorded four times in the report (16 distinct parent/child pairs, 64 IoCs in total).

description  pid  Process  procid_target
PID 2080 wrote to memory of 2548  2080  a6fe6c5900e969f0ef5df3fd62e3708675abef8d6496900943bbf3bb8b0b6e2c.exe  31
PID 2548 wrote to memory of 2528  2548  9thnth.exe  32
PID 2528 wrote to memory of 2996  2528  bbntnn.exe  33
PID 2996 wrote to memory of 604  2996  rflffxx.exe  34
PID 604 wrote to memory of 2892  604  rrflxrr.exe  35
PID 2892 wrote to memory of 2772  2892  9nthnb.exe  36
PID 2772 wrote to memory of 2624  2772  7flfrxf.exe  37
PID 2624 wrote to memory of 2808  2624  7lflfrr.exe  38
PID 2808 wrote to memory of 1500  2808  pjvdd.exe  39
PID 1500 wrote to memory of 2692  1500  7xxllxr.exe  40
PID 2692 wrote to memory of 2176  2692  9nhhhh.exe  41
PID 2176 wrote to memory of 1048  2176  9lllxfl.exe  42
PID 1048 wrote to memory of 1288  1048  3rlxlrf.exe  43
PID 1288 wrote to memory of 1656  1288  5nbbnh.exe  44
PID 1656 wrote to memory of 1720  1656  lxrrrrr.exe  45
PID 1720 wrote to memory of 2856  1720  bnnhnt.exe  46
Processes

Each entry is numbered by its depth in the process tree; the signatures triggered by that process are listed beneath it.
1. C:\Users\Admin\AppData\Local\Temp\a6fe6c5900e969f0ef5df3fd62e3708675abef8d6496900943bbf3bb8b0b6e2c.exe (command line: "C:\Users\Admin\AppData\Local\Temp\a6fe6c5900e969f0ef5df3fd62e3708675abef8d6496900943bbf3bb8b0b6e2c.exe"), PID 2080
   - Suspicious use of WriteProcessMemory
2. \??\c:\9thnth.exe (command line: c:\9thnth.exe), PID 2548
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
3. \??\c:\bbntnn.exe (command line: c:\bbntnn.exe), PID 2528
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
4. \??\c:\rflffxx.exe (command line: c:\rflffxx.exe), PID 2996
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
5. \??\c:\rrflxrr.exe (command line: c:\rrflxrr.exe), PID 604
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
6. \??\c:\9nthnb.exe (command line: c:\9nthnb.exe), PID 2892
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
7. \??\c:\7flfrxf.exe (command line: c:\7flfrxf.exe), PID 2772
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
8. \??\c:\7lflfrr.exe (command line: c:\7lflfrr.exe), PID 2624
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
9. \??\c:\pjvdd.exe (command line: c:\pjvdd.exe), PID 2808
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
10. \??\c:\7xxllxr.exe (command line: c:\7xxllxr.exe), PID 1500
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
11. \??\c:\9nhhhh.exe (command line: c:\9nhhhh.exe), PID 2692
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
12. \??\c:\9lllxfl.exe (command line: c:\9lllxfl.exe), PID 2176
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
13. \??\c:\3rlxlrf.exe (command line: c:\3rlxlrf.exe), PID 1048
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
14. \??\c:\5nbbnh.exe (command line: c:\5nbbnh.exe), PID 1288
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
15. \??\c:\lxrrrrr.exe (command line: c:\lxrrrrr.exe), PID 1656
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
16. \??\c:\bnnhnt.exe (command line: c:\bnnhnt.exe), PID 1720
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
17. \??\c:\llflrlf.exe (command line: c:\llflrlf.exe), PID 2856
   - Executes dropped EXE
18. \??\c:\9tnbht.exe (command line: c:\9tnbht.exe), PID 1908
   - Executes dropped EXE
19. \??\c:\xxlrxfl.exe (command line: c:\xxlrxfl.exe), PID 1160
   - Executes dropped EXE
20. \??\c:\fxxxlrx.exe (command line: c:\fxxxlrx.exe), PID 2284
   - Executes dropped EXE
21. \??\c:\jjdpj.exe (command line: c:\jjdpj.exe), PID 444
   - Executes dropped EXE
22. \??\c:\rllxlrl.exe (command line: c:\rllxlrl.exe), PID 3064
   - Executes dropped EXE
23. \??\c:\lfxxffr.exe (command line: c:\lfxxffr.exe), PID 960
   - Executes dropped EXE
24. \??\c:\3frrffr.exe (command line: c:\3frrffr.exe), PID 760
   - Executes dropped EXE
25. \??\c:\xfrxxxl.exe (command line: c:\xfrxxxl.exe), PID 2216
   - Executes dropped EXE
26. \??\c:\fxlrfrx.exe (command line: c:\fxlrfrx.exe), PID 1664
   - Executes dropped EXE
27. \??\c:\9frrxfr.exe (command line: c:\9frrxfr.exe), PID 2484
   - Executes dropped EXE
28. \??\c:\9nhntb.exe (command line: c:\9nhntb.exe), PID 2256
   - Executes dropped EXE
29. \??\c:\xxxxlxr.exe (command line: c:\xxxxlxr.exe), PID 708
   - Executes dropped EXE
30. \??\c:\tbnbtb.exe (command line: c:\tbnbtb.exe), PID 580
   - Executes dropped EXE
31. \??\c:\xrrflxr.exe (command line: c:\xrrflxr.exe), PID 268
   - Executes dropped EXE
32. \??\c:\hnbntb.exe (command line: c:\hnbntb.exe), PID 2248
   - Executes dropped EXE
33. \??\c:\dvpdv.exe (command line: c:\dvpdv.exe), PID 2556
   - Executes dropped EXE
34. \??\c:\xrffrrr.exe (command line: c:\xrffrrr.exe), PID 2348
   - Executes dropped EXE
35. \??\c:\httbnb.exe (command line: c:\httbnb.exe), PID 1584
   - Executes dropped EXE
36. \??\c:\ddvjv.exe (command line: c:\ddvjv.exe), PID 2396
   - Executes dropped EXE
37. \??\c:\lffxrll.exe (command line: c:\lffxrll.exe), PID 2592
   - Executes dropped EXE
38. \??\c:\1tnthn.exe (command line: c:\1tnthn.exe), PID 2060
   - Executes dropped EXE
39. \??\c:\jjjpj.exe (command line: c:\jjjpj.exe), PID 2768
   - Executes dropped EXE
40. \??\c:\1pjvv.exe (command line: c:\1pjvv.exe), PID 2928
   - Executes dropped EXE
41. \??\c:\xfxfrfx.exe (command line: c:\xfxfrfx.exe), PID 2888
   - Executes dropped EXE
42. \??\c:\bhhtnn.exe (command line: c:\bhhtnn.exe), PID 3004
   - Executes dropped EXE
43. \??\c:\pvjdv.exe (command line: c:\pvjdv.exe), PID 2976
   - Executes dropped EXE
44. \??\c:\xrxlrrx.exe (command line: c:\xrxlrrx.exe), PID 2816
   - Executes dropped EXE
45. \??\c:\9xrrxfx.exe (command line: c:\9xrrxfx.exe), PID 2628
   - Executes dropped EXE
46. \??\c:\bnhnbn.exe (command line: c:\bnhnbn.exe), PID 2660
   - Executes dropped EXE
47. \??\c:\vvjpj.exe (command line: c:\vvjpj.exe), PID 2692
   - Executes dropped EXE
48. \??\c:\rrrxlll.exe (command line: c:\rrrxlll.exe), PID 2180
   - Executes dropped EXE
49. \??\c:\ffxfrfx.exe (command line: c:\ffxfrfx.exe), PID 2496
   - Executes dropped EXE
50. \??\c:\bhbhbh.exe (command line: c:\bhbhbh.exe), PID 1048
   - Executes dropped EXE
   - System Location Discovery: System Language Discovery
51. \??\c:\pjpdv.exe (command line: c:\pjpdv.exe), PID 1404
   - Executes dropped EXE
52. \??\c:\pdvdp.exe (command line: c:\pdvdp.exe), PID 1028
   - Executes dropped EXE
53. \??\c:\9tntnn.exe (command line: c:\9tntnn.exe), PID 2032
   - Executes dropped EXE
54. \??\c:\nbtbtb.exe (command line: c:\nbtbtb.exe), PID 2520
   - Executes dropped EXE
55. \??\c:\ppjjd.exe (command line: c:\ppjjd.exe), PID 1428
   - Executes dropped EXE
56. \??\c:\lrlxlfr.exe (command line: c:\lrlxlfr.exe), PID 2008
   - Executes dropped EXE
57. \??\c:\9btbtt.exe (command line: c:\9btbtt.exe), PID 2980
   - Executes dropped EXE
58. \??\c:\3jvdj.exe (command line: c:\3jvdj.exe), PID 2336
   - Executes dropped EXE
59. \??\c:\ddvpd.exe (command line: c:\ddvpd.exe), PID 1516
   - Executes dropped EXE
60. \??\c:\xfxlxfr.exe (command line: c:\xfxlxfr.exe), PID 556
   - Executes dropped EXE
61. \??\c:\7tbntb.exe (command line: c:\7tbntb.exe), PID 1384
   - Executes dropped EXE
62. \??\c:\ddvdv.exe (command line: c:\ddvdv.exe), PID 1032
   - Executes dropped EXE
63. \??\c:\vdpdv.exe (command line: c:\vdpdv.exe), PID 1728
   - Executes dropped EXE
64. \??\c:\9rflxfl.exe (command line: c:\9rflxfl.exe), PID 2068
   - Executes dropped EXE
65. \??\c:\1tthtb.exe (command line: c:\1tthtb.exe), PID 468
   - Executes dropped EXE
66. \??\c:\pppdj.exe (command line: c:\pppdj.exe), PID 1372
67. \??\c:\3rlfrxr.exe (command line: c:\3rlfrxr.exe), PID 1920
68. \??\c:\lflrfxl.exe (command line: c:\lflrfxl.exe), PID 2340
69. \??\c:\hbnnnt.exe (command line: c:\hbnnnt.exe), PID 1368
70. \??\c:\pjpdp.exe (command line: c:\pjpdp.exe), PID 708
71. \??\c:\xfxlrlf.exe (command line: c:\xfxlrlf.exe), PID 2468
72. \??\c:\tnhhhh.exe (command line: c:\tnhhhh.exe), PID 2572
73. \??\c:\1tntht.exe (command line: c:\1tntht.exe), PID 2052
74. \??\c:\3jjvj.exe (command line: c:\3jjvj.exe), PID 2264
75. \??\c:\5xxfxfl.exe (command line: c:\5xxfxfl.exe), PID 2560
76. \??\c:\bbbbnt.exe (command line: c:\bbbbnt.exe), PID 2408
77. \??\c:\vpjjp.exe (command line: c:\vpjjp.exe), PID 1688
78. \??\c:\pvjdj.exe (command line: c:\pvjdj.exe), PID 352
79. \??\c:\rrflllr.exe (command line: c:\rrflllr.exe), PID 2396
80. \??\c:\hhhnhn.exe (command line: c:\hhhnhn.exe), PID 832
81. \??\c:\jpvjv.exe (command line: c:\jpvjv.exe), PID 2996
82. \??\c:\jdjvj.exe (command line: c:\jdjvj.exe), PID 2768
83. \??\c:\xxrxlrf.exe (command line: c:\xxrxlrf.exe), PID 2872
84. \??\c:\hbbbtb.exe (command line: c:\hbbbtb.exe), PID 2780
85. \??\c:\btttbb.exe (command line: c:\btttbb.exe), PID 2936
86. \??\c:\1pjpv.exe (command line: c:\1pjpv.exe), PID 2808
87. \??\c:\9fxxlrf.exe (command line: c:\9fxxlrf.exe), PID 2684
88. \??\c:\5btbhn.exe (command line: c:\5btbhn.exe), PID 1696
89. \??\c:\7pvdj.exe (command line: c:\7pvdj.exe), PID 2344
90. \??\c:\dvdjp.exe (command line: c:\dvdjp.exe), PID 900
91. \??\c:\xfrffrl.exe (command line: c:\xfrffrl.exe), PID 2604
92. \??\c:\bhhnth.exe (command line: c:\bhhnth.exe), PID 2828
93. \??\c:\jjdjd.exe (command line: c:\jjdjd.exe), PID 796
94. \??\c:\rrrlrrx.exe (command line: c:\rrrlrrx.exe), PID 1912
95. \??\c:\rrfxlrf.exe (command line: c:\rrfxlrf.exe), PID 2848
96. \??\c:\hbnhhb.exe (command line: c:\hbnhhb.exe), PID 1276
97. \??\c:\vppjp.exe (command line: c:\vppjp.exe), PID 2852
98. \??\c:\5fxlxlf.exe (command line: c:\5fxlxlf.exe), PID 1192
99. \??\c:\nnhnbn.exe (command line: c:\nnhnbn.exe), PID 2984
100. \??\c:\9vpvd.exe (command line: c:\9vpvd.exe), PID 2280
101. \??\c:\fffrxfx.exe (command line: c:\fffrxfx.exe), PID 944
102. \??\c:\rxxfrxx.exe (command line: c:\rxxfrxx.exe), PID 996
103. \??\c:\bbtnbh.exe (command line: c:\bbtnbh.exe), PID 688
104. \??\c:\3ppdp.exe (command line: c:\3ppdp.exe), PID 960
105. \??\c:\fxlrxfr.exe (command line: c:\fxlrxfr.exe), PID 1340
106. \??\c:\xflflfl.exe (command line: c:\xflflfl.exe), PID 1728
107. \??\c:\nhbbbn.exe (command line: c:\nhbbbn.exe), PID 2068
108. \??\c:\ddvdj.exe (command line: c:\ddvdj.exe), PID 928
109. \??\c:\xxfrffl.exe (command line: c:\xxfrffl.exe), PID 1372
110. \??\c:\3xrfrxx.exe (command line: c:\3xrfrxx.exe), PID 1920
111. \??\c:\vppjp.exe (command line: c:\vppjp.exe), PID 2324
112. \??\c:\fllrflf.exe (command line: c:\fllrflf.exe), PID 1672
113. \??\c:\bhbnhb.exe (command line: c:\bhbnhb.exe), PID 2164
114. \??\c:\ttbnnt.exe (command line: c:\ttbnnt.exe), PID 1004
   - System Location Discovery: System Language Discovery
115. \??\c:\djpjp.exe (command line: c:\djpjp.exe), PID 1436
   - System Location Discovery: System Language Discovery
116. \??\c:\xrlxfrx.exe (command line: c:\xrlxfrx.exe), PID 1344
117. \??\c:\pppvd.exe (command line: c:\pppvd.exe), PID 1708
118. \??\c:\rrlxfxl.exe (command line: c:\rrlxfxl.exe), PID 2560
119. \??\c:\hnnbnn.exe (command line: c:\hnnbnn.exe), PID 792
120. \??\c:\hbtbbh.exe (command line: c:\hbtbbh.exe), PID 2948
121. \??\c:\pjvjp.exe (command line: c:\pjvjp.exe), PID 2500
122. \??\c:\lrlxrfr.exe (command line: c:\lrlxrfr.exe), PID 2252