Analysis
-
max time kernel
150s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
23-12-2024 23:26
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
8ecb8a49b5cf742f42e5c4c786d5b72c22c857a2944cf4af7ea69a76c0454c47.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
150 seconds
General
-
Target
8ecb8a49b5cf742f42e5c4c786d5b72c22c857a2944cf4af7ea69a76c0454c47.exe
-
Size
453KB
-
MD5
1e3bb767d7287c1473fb2d9b9529736f
-
SHA1
86f3675f465380c75eebcbe98eeb10128bef3e40
-
SHA256
8ecb8a49b5cf742f42e5c4c786d5b72c22c857a2944cf4af7ea69a76c0454c47
-
SHA512
4f91bf2aacb4174b6794ba2c186fb522ff31789e45ab6ebc407c60fa1418811b14a4243823b9679acb5f6c75ff40448b8c93e0d07e18798f7cdd8e3831ceec90
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeP:q7Tc2NYHUrAwfMp3CDP
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 51 IoCs
resource yara_rule behavioral1/memory/2420-1-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2768-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2812-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2284-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1908-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2728-58-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2668-84-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2636-75-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2636-71-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2732-92-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2732-96-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2732-94-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/632-106-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3004-122-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/632-113-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/1420-132-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3028-141-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2056-167-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2024-177-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2120-194-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1792-222-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/1124-255-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2144-266-0x0000000000250000-0x000000000027A000-memory.dmp family_blackmoon behavioral1/memory/2144-264-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2000-274-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1648-299-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2812-332-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2704-345-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2772-358-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2040-379-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2644-386-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1776-393-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1148-406-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2956-413-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2964-426-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2580-483-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/820-496-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1912-503-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2824-627-0x00000000003D0000-0x00000000003FA000-memory.dmp family_blackmoon behavioral1/memory/2688-653-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2632-660-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/3020-783-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon 
behavioral1/memory/1688-833-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/988-839-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2280-885-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2280-884-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2996-912-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2580-1048-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2720-1149-0x0000000000230000-0x000000000025A000-memory.dmp family_blackmoon behavioral1/memory/1784-1304-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/3020-1335-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1908 llflxxf.exe 2396 rllffff.exe 2284 dpjjj.exe 2812 vvpvp.exe 2768 xrlxffl.exe 2728 1frllll.exe 2636 1hbbhh.exe 2668 fxllxxf.exe 2732 fxrxllr.exe 2216 7httnn.exe 632 thbbhb.exe 3004 1vppv.exe 1420 7hnnnh.exe 3028 htbbbb.exe 2940 hbntbt.exe 1348 pjjjp.exe 2056 thttbh.exe 2024 rlxlrrr.exe 1612 tnbbnn.exe 2120 vjppp.exe 2300 lfxxlrl.exe 1268 rlrrfff.exe 1792 jjdvv.exe 1120 nhtbbh.exe 2132 7bhbhh.exe 1592 jdpvv.exe 1124 bbbttn.exe 2144 rlrrrxf.exe 2000 nnbhbb.exe 348 9jppd.exe 1240 7tnttt.exe 1648 9pjjj.exe 2060 hhbntt.exe 2460 5jvdp.exe 2396 llrxlrf.exe 2752 rrlrxfl.exe 2812 hthbhh.exe 2736 jddpj.exe 2704 flrrfxl.exe 2716 xrlxllx.exe 2772 tnbhth.exe 2784 vjvdj.exe 2892 vpdpp.exe 2040 rlxrxfl.exe 2644 hbbbhh.exe 1776 9pddd.exe 868 vjddd.exe 1148 frxrrxx.exe 2956 5tntnn.exe 2936 5djjj.exe 1420 pjvvd.exe 2964 5xrrrrx.exe 2948 7lxxrxr.exe 1552 nhbnhn.exe 2268 vvjpp.exe 1620 9xllrrf.exe 2344 7frlrlf.exe 2404 5bthnn.exe 1548 9btttt.exe 2580 vjvvv.exe 444 rfllrlx.exe 820 nthtth.exe 1880 hbhnhh.exe 1912 jdpdj.exe -
resource yara_rule behavioral1/memory/2420-1-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2768-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2812-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2284-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1908-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2728-58-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2668-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2636-75-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2636-73-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2732-96-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2732-94-0x00000000001B0000-0x00000000001DA000-memory.dmp upx behavioral1/memory/632-106-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3004-122-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3028-133-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1420-132-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3028-141-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2056-159-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2056-167-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2024-177-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2120-194-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1792-222-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2132-238-0x00000000001B0000-0x00000000001DA000-memory.dmp upx behavioral1/memory/1124-255-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2144-264-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2000-274-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2060-300-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1648-299-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2460-307-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2812-332-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2704-345-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2784-359-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2040-372-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2040-379-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2644-386-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1776-393-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1148-406-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2956-413-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2964-426-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1548-469-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2580-476-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2580-483-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1912-503-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/764-528-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2632-660-0x00000000001B0000-0x00000000001DA000-memory.dmp upx behavioral1/memory/2680-697-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1216-790-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1688-833-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/988-839-0x00000000001B0000-0x00000000001DA000-memory.dmp upx 
behavioral1/memory/2460-865-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2280-885-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2280-884-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2900-892-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2268-1010-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1300-1017-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2720-1142-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2776-1184-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/3020-1335-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrfxflr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvdjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbnttt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxxrflr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7rfffff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9bnhhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7nhtbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxfxxll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlflxfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffxxfrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7pjpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhbbnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffllrlr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1bnnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7lxrrrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9lxxllx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjdjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvppv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2420 wrote to memory of 1908 2420 8ecb8a49b5cf742f42e5c4c786d5b72c22c857a2944cf4af7ea69a76c0454c47.exe 30 PID 2420 wrote to memory of 1908 2420 8ecb8a49b5cf742f42e5c4c786d5b72c22c857a2944cf4af7ea69a76c0454c47.exe 30 PID 2420 wrote to memory of 1908 2420 8ecb8a49b5cf742f42e5c4c786d5b72c22c857a2944cf4af7ea69a76c0454c47.exe 30 PID 2420 wrote to memory of 1908 2420 8ecb8a49b5cf742f42e5c4c786d5b72c22c857a2944cf4af7ea69a76c0454c47.exe 30 PID 1908 wrote to memory of 2396 1908 llflxxf.exe 31 PID 1908 wrote to memory of 2396 1908 llflxxf.exe 31 PID 1908 wrote to memory of 2396 1908 llflxxf.exe 31 PID 1908 wrote to memory of 2396 1908 llflxxf.exe 31 PID 2396 wrote to memory of 2284 2396 rllffff.exe 32 PID 2396 wrote to memory of 2284 2396 rllffff.exe 32 PID 2396 wrote to memory of 2284 2396 rllffff.exe 32 PID 2396 wrote to memory of 2284 2396 rllffff.exe 32 PID 2284 wrote to memory of 2812 2284 dpjjj.exe 33 PID 2284 wrote to memory of 2812 2284 dpjjj.exe 33 PID 2284 wrote to memory of 2812 2284 dpjjj.exe 33 PID 2284 wrote to memory of 2812 2284 dpjjj.exe 33 PID 2812 wrote to memory of 2768 2812 vvpvp.exe 34 PID 2812 wrote to memory of 2768 2812 vvpvp.exe 34 PID 2812 wrote to memory of 2768 2812 vvpvp.exe 34 PID 2812 wrote to memory of 2768 2812 vvpvp.exe 34 PID 2768 wrote to memory of 2728 2768 xrlxffl.exe 35 PID 2768 wrote to memory of 2728 2768 xrlxffl.exe 35 PID 2768 wrote to memory of 2728 2768 xrlxffl.exe 35 PID 2768 wrote to memory of 2728 2768 xrlxffl.exe 35 PID 2728 wrote to memory of 2636 2728 1frllll.exe 36 PID 2728 wrote to memory of 2636 2728 1frllll.exe 36 PID 2728 wrote to memory of 2636 2728 1frllll.exe 36 PID 2728 wrote to memory of 2636 2728 1frllll.exe 36 PID 2636 wrote to memory of 2668 2636 1hbbhh.exe 37 PID 2636 wrote to memory of 2668 2636 1hbbhh.exe 37 PID 2636 wrote to memory of 2668 2636 1hbbhh.exe 37 PID 2636 wrote to memory of 2668 2636 1hbbhh.exe 37 PID 2668 wrote to memory of 2732 2668 fxllxxf.exe 38 PID 
2668 wrote to memory of 2732 2668 fxllxxf.exe 38 PID 2668 wrote to memory of 2732 2668 fxllxxf.exe 38 PID 2668 wrote to memory of 2732 2668 fxllxxf.exe 38 PID 2732 wrote to memory of 2216 2732 fxrxllr.exe 39 PID 2732 wrote to memory of 2216 2732 fxrxllr.exe 39 PID 2732 wrote to memory of 2216 2732 fxrxllr.exe 39 PID 2732 wrote to memory of 2216 2732 fxrxllr.exe 39 PID 2216 wrote to memory of 632 2216 7httnn.exe 40 PID 2216 wrote to memory of 632 2216 7httnn.exe 40 PID 2216 wrote to memory of 632 2216 7httnn.exe 40 PID 2216 wrote to memory of 632 2216 7httnn.exe 40 PID 632 wrote to memory of 3004 632 thbbhb.exe 41 PID 632 wrote to memory of 3004 632 thbbhb.exe 41 PID 632 wrote to memory of 3004 632 thbbhb.exe 41 PID 632 wrote to memory of 3004 632 thbbhb.exe 41 PID 3004 wrote to memory of 1420 3004 1vppv.exe 42 PID 3004 wrote to memory of 1420 3004 1vppv.exe 42 PID 3004 wrote to memory of 1420 3004 1vppv.exe 42 PID 3004 wrote to memory of 1420 3004 1vppv.exe 42 PID 1420 wrote to memory of 3028 1420 7hnnnh.exe 43 PID 1420 wrote to memory of 3028 1420 7hnnnh.exe 43 PID 1420 wrote to memory of 3028 1420 7hnnnh.exe 43 PID 1420 wrote to memory of 3028 1420 7hnnnh.exe 43 PID 3028 wrote to memory of 2940 3028 htbbbb.exe 44 PID 3028 wrote to memory of 2940 3028 htbbbb.exe 44 PID 3028 wrote to memory of 2940 3028 htbbbb.exe 44 PID 3028 wrote to memory of 2940 3028 htbbbb.exe 44 PID 2940 wrote to memory of 1348 2940 hbntbt.exe 45 PID 2940 wrote to memory of 1348 2940 hbntbt.exe 45 PID 2940 wrote to memory of 1348 2940 hbntbt.exe 45 PID 2940 wrote to memory of 1348 2940 hbntbt.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\8ecb8a49b5cf742f42e5c4c786d5b72c22c857a2944cf4af7ea69a76c0454c47.exe"C:\Users\Admin\AppData\Local\Temp\8ecb8a49b5cf742f42e5c4c786d5b72c22c857a2944cf4af7ea69a76c0454c47.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2420 -
\??\c:\llflxxf.exec:\llflxxf.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1908 -
\??\c:\rllffff.exec:\rllffff.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2396 -
\??\c:\dpjjj.exec:\dpjjj.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2284 -
\??\c:\vvpvp.exec:\vvpvp.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2812 -
\??\c:\xrlxffl.exec:\xrlxffl.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2768 -
\??\c:\1frllll.exec:\1frllll.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2728 -
\??\c:\1hbbhh.exec:\1hbbhh.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2636 -
\??\c:\fxllxxf.exec:\fxllxxf.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2668 -
\??\c:\fxrxllr.exec:\fxrxllr.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2732 -
\??\c:\7httnn.exec:\7httnn.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2216 -
\??\c:\thbbhb.exec:\thbbhb.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:632 -
\??\c:\1vppv.exec:\1vppv.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3004 -
\??\c:\7hnnnh.exec:\7hnnnh.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1420 -
\??\c:\htbbbb.exec:\htbbbb.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3028 -
\??\c:\hbntbt.exec:\hbntbt.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2940 -
\??\c:\pjjjp.exec:\pjjjp.exe17⤵
- Executes dropped EXE
PID:1348 -
\??\c:\thttbh.exec:\thttbh.exe18⤵
- Executes dropped EXE
PID:2056 -
\??\c:\rlxlrrr.exec:\rlxlrrr.exe19⤵
- Executes dropped EXE
PID:2024 -
\??\c:\tnbbnn.exec:\tnbbnn.exe20⤵
- Executes dropped EXE
PID:1612 -
\??\c:\vjppp.exec:\vjppp.exe21⤵
- Executes dropped EXE
PID:2120 -
\??\c:\lfxxlrl.exec:\lfxxlrl.exe22⤵
- Executes dropped EXE
PID:2300 -
\??\c:\rlrrfff.exec:\rlrrfff.exe23⤵
- Executes dropped EXE
PID:1268 -
\??\c:\jjdvv.exec:\jjdvv.exe24⤵
- Executes dropped EXE
PID:1792 -
\??\c:\nhtbbh.exec:\nhtbbh.exe25⤵
- Executes dropped EXE
PID:1120 -
\??\c:\7bhbhh.exec:\7bhbhh.exe26⤵
- Executes dropped EXE
PID:2132 -
\??\c:\jdpvv.exec:\jdpvv.exe27⤵
- Executes dropped EXE
PID:1592 -
\??\c:\bbbttn.exec:\bbbttn.exe28⤵
- Executes dropped EXE
PID:1124 -
\??\c:\rlrrrxf.exec:\rlrrrxf.exe29⤵
- Executes dropped EXE
PID:2144 -
\??\c:\nnbhbb.exec:\nnbhbb.exe30⤵
- Executes dropped EXE
PID:2000 -
\??\c:\9jppd.exec:\9jppd.exe31⤵
- Executes dropped EXE
PID:348 -
\??\c:\7tnttt.exec:\7tnttt.exe32⤵
- Executes dropped EXE
PID:1240 -
\??\c:\9pjjj.exec:\9pjjj.exe33⤵
- Executes dropped EXE
PID:1648 -
\??\c:\hhbntt.exec:\hhbntt.exe34⤵
- Executes dropped EXE
PID:2060 -
\??\c:\5jvdp.exec:\5jvdp.exe35⤵
- Executes dropped EXE
PID:2460 -
\??\c:\llrxlrf.exec:\llrxlrf.exe36⤵
- Executes dropped EXE
PID:2396 -
\??\c:\rrlrxfl.exec:\rrlrxfl.exe37⤵
- Executes dropped EXE
PID:2752 -
\??\c:\hthbhh.exec:\hthbhh.exe38⤵
- Executes dropped EXE
PID:2812 -
\??\c:\jddpj.exec:\jddpj.exe39⤵
- Executes dropped EXE
PID:2736 -
\??\c:\flrrfxl.exec:\flrrfxl.exe40⤵
- Executes dropped EXE
PID:2704 -
\??\c:\xrlxllx.exec:\xrlxllx.exe41⤵
- Executes dropped EXE
PID:2716 -
\??\c:\tnbhth.exec:\tnbhth.exe42⤵
- Executes dropped EXE
PID:2772 -
\??\c:\vjvdj.exec:\vjvdj.exe43⤵
- Executes dropped EXE
PID:2784 -
\??\c:\vpdpp.exec:\vpdpp.exe44⤵
- Executes dropped EXE
PID:2892 -
\??\c:\rlxrxfl.exec:\rlxrxfl.exe45⤵
- Executes dropped EXE
PID:2040 -
\??\c:\hbbbhh.exec:\hbbbhh.exe46⤵
- Executes dropped EXE
PID:2644 -
\??\c:\9pddd.exec:\9pddd.exe47⤵
- Executes dropped EXE
PID:1776 -
\??\c:\vjddd.exec:\vjddd.exe48⤵
- Executes dropped EXE
PID:868 -
\??\c:\frxrrxx.exec:\frxrrxx.exe49⤵
- Executes dropped EXE
PID:1148 -
\??\c:\5tntnn.exec:\5tntnn.exe50⤵
- Executes dropped EXE
PID:2956 -
\??\c:\5djjj.exec:\5djjj.exe51⤵
- Executes dropped EXE
PID:2936 -
\??\c:\pjvvd.exec:\pjvvd.exe52⤵
- Executes dropped EXE
PID:1420 -
\??\c:\5xrrrrx.exec:\5xrrrrx.exe53⤵
- Executes dropped EXE
PID:2964 -
\??\c:\7lxxrxr.exec:\7lxxrxr.exe54⤵
- Executes dropped EXE
PID:2948 -
\??\c:\nhbnhn.exec:\nhbnhn.exe55⤵
- Executes dropped EXE
PID:1552 -
\??\c:\vvjpp.exec:\vvjpp.exe56⤵
- Executes dropped EXE
PID:2268 -
\??\c:\9xllrrf.exec:\9xllrrf.exe57⤵
- Executes dropped EXE
PID:1620 -
\??\c:\7frlrlf.exec:\7frlrlf.exe58⤵
- Executes dropped EXE
PID:2344 -
\??\c:\5bthnn.exec:\5bthnn.exe59⤵
- Executes dropped EXE
PID:2404 -
\??\c:\9btttt.exec:\9btttt.exe60⤵
- Executes dropped EXE
PID:1548 -
\??\c:\vjvvv.exec:\vjvvv.exe61⤵
- Executes dropped EXE
PID:2580 -
\??\c:\rfllrlx.exec:\rfllrlx.exe62⤵
- Executes dropped EXE
PID:444 -
\??\c:\nthtth.exec:\nthtth.exe63⤵
- Executes dropped EXE
PID:820 -
\??\c:\hbhnhh.exec:\hbhnhh.exe64⤵
- Executes dropped EXE
PID:1880 -
\??\c:\jdpdj.exec:\jdpdj.exe65⤵
- Executes dropped EXE
PID:1912 -
\??\c:\lxrrxxx.exec:\lxrrxxx.exe66⤵PID:1608
-
\??\c:\hhttbb.exec:\hhttbb.exe67⤵PID:1464
-
\??\c:\bbntht.exec:\bbntht.exe68⤵PID:2132
-
\??\c:\vvddj.exec:\vvddj.exe69⤵PID:764
-
\??\c:\rlxxffl.exec:\rlxxffl.exe70⤵PID:2252
-
\??\c:\xlxxllr.exec:\xlxxllr.exe71⤵PID:1668
-
\??\c:\9hbhnn.exec:\9hbhnn.exe72⤵PID:1204
-
\??\c:\3dpvv.exec:\3dpvv.exe73⤵PID:2368
-
\??\c:\vpddd.exec:\vpddd.exe74⤵PID:1408
-
\??\c:\ffxxxxf.exec:\ffxxxxf.exe75⤵PID:1428
-
\??\c:\5hbntt.exec:\5hbntt.exe76⤵PID:1752
-
\??\c:\ddddj.exec:\ddddj.exe77⤵PID:1648
-
\??\c:\vjvvd.exec:\vjvvd.exe78⤵PID:2572
-
\??\c:\llrrffl.exec:\llrrffl.exe79⤵PID:1528
-
\??\c:\rlxxflx.exec:\rlxxflx.exe80⤵PID:2280
-
\??\c:\nnhtbb.exec:\nnhtbb.exe81⤵PID:2824
-
\??\c:\pjdjj.exec:\pjdjj.exe82⤵PID:2760
-
\??\c:\xrffrxf.exec:\xrffrxf.exe83⤵PID:2376
-
\??\c:\ffffrxf.exec:\ffffrxf.exe84⤵PID:2888
-
\??\c:\5httbb.exec:\5httbb.exe85⤵PID:2844
-
\??\c:\pdjdd.exec:\pdjdd.exe86⤵PID:2828
-
\??\c:\lfxxllr.exec:\lfxxllr.exe87⤵PID:2988
-
\??\c:\1fflrrr.exec:\1fflrrr.exe88⤵PID:2688
-
\??\c:\ntnnbb.exec:\ntnnbb.exe89⤵PID:2632
-
\??\c:\jvjpd.exec:\jvjpd.exe90⤵PID:2896
-
\??\c:\3jdpp.exec:\3jdpp.exe91⤵PID:1224
-
\??\c:\3xrlllr.exec:\3xrlllr.exe92⤵PID:2672
-
\??\c:\nhbhth.exec:\nhbhth.exe93⤵PID:2904
-
\??\c:\ththtb.exec:\ththtb.exe94⤵PID:1404
-
\??\c:\ddvdj.exec:\ddvdj.exe95⤵PID:1248
-
\??\c:\frxrxrl.exec:\frxrxrl.exe96⤵PID:2680
-
\??\c:\fxxflrf.exec:\fxxflrf.exe97⤵PID:1420
-
\??\c:\hbtbht.exec:\hbtbht.exe98⤵PID:2964
-
\??\c:\vjdpv.exec:\vjdpv.exe99⤵PID:2948
-
\??\c:\pppvv.exec:\pppvv.exe100⤵PID:2108
-
\??\c:\xrlrfrf.exec:\xrlrfrf.exe101⤵PID:2268
-
\??\c:\bbbtbt.exec:\bbbtbt.exe102⤵PID:1300
-
\??\c:\7jjjj.exec:\7jjjj.exe103⤵PID:1784
-
\??\c:\9jdjj.exec:\9jdjj.exe104⤵PID:2104
-
\??\c:\fxrrxxl.exec:\fxrrxxl.exe105⤵PID:1548
-
\??\c:\1rfflrx.exec:\1rfflrx.exe106⤵PID:2580
-
\??\c:\1bbhtt.exec:\1bbhtt.exe107⤵PID:1312
-
\??\c:\vpddj.exec:\vpddj.exe108⤵PID:1284
-
\??\c:\flfrfll.exec:\flfrfll.exe109⤵PID:3020
-
\??\c:\9lrrrxf.exec:\9lrrrxf.exe110⤵PID:1120
-
\??\c:\ttnbnt.exec:\ttnbnt.exe111⤵PID:1216
-
\??\c:\vpppd.exec:\vpppd.exe112⤵PID:1592
-
\??\c:\fxllrxf.exec:\fxllrxf.exe113⤵PID:380
-
\??\c:\9thtbb.exec:\9thtbb.exe114⤵PID:2168
-
\??\c:\nnthnb.exec:\nnthnb.exe115⤵PID:2440
-
\??\c:\pjpjp.exec:\pjpjp.exe116⤵PID:604
-
\??\c:\xxrxllx.exec:\xxrxllx.exe117⤵PID:1688
-
\??\c:\3rrrrrr.exec:\3rrrrrr.exe118⤵PID:988
-
\??\c:\7nhthh.exec:\7nhthh.exe119⤵PID:1432
-
\??\c:\jvppv.exec:\jvppv.exe120⤵PID:1428
-
\??\c:\1xfrxfl.exec:\1xfrxfl.exe121⤵PID:1240
-
\??\c:\xxllxxf.exec:\xxllxxf.exe122⤵PID:1648