Analysis
-
max time kernel
150s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
23-12-2024 23:30
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
8ecb8a49b5cf742f42e5c4c786d5b72c22c857a2944cf4af7ea69a76c0454c47.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
150 seconds
General
-
Target
8ecb8a49b5cf742f42e5c4c786d5b72c22c857a2944cf4af7ea69a76c0454c47.exe
-
Size
453KB
-
MD5
1e3bb767d7287c1473fb2d9b9529736f
-
SHA1
86f3675f465380c75eebcbe98eeb10128bef3e40
-
SHA256
8ecb8a49b5cf742f42e5c4c786d5b72c22c857a2944cf4af7ea69a76c0454c47
-
SHA512
4f91bf2aacb4174b6794ba2c186fb522ff31789e45ab6ebc407c60fa1418811b14a4243823b9679acb5f6c75ff40448b8c93e0d07e18798f7cdd8e3831ceec90
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeP:q7Tc2NYHUrAwfMp3CDP
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 58 IoCs
resource yara_rule behavioral1/memory/1480-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2996-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2092-27-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/532-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2820-50-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2208-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2332-75-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2632-87-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2332-102-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/624-113-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/272-120-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/1636-130-0x00000000002C0000-0x00000000002EA000-memory.dmp family_blackmoon behavioral1/memory/1636-132-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1664-140-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1764-168-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1764-167-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3016-184-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/980-219-0x0000000000530000-0x000000000055A000-memory.dmp family_blackmoon behavioral1/memory/980-218-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1824-228-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1724-235-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon 
behavioral1/memory/980-247-0x0000000000530000-0x000000000055A000-memory.dmp family_blackmoon behavioral1/memory/656-246-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/780-256-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/780-257-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/1748-275-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2544-300-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1576-314-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3068-321-0x0000000000350000-0x000000000037A000-memory.dmp family_blackmoon behavioral1/memory/2832-347-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2752-362-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2776-377-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2816-390-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/284-479-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/2004-492-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1948-505-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2004-512-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2192-525-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1524-538-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2136-545-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/2136-565-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/888-564-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2320-584-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/3068-603-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2624-659-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/2268-678-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2388-715-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2388-722-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/2256-748-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1708-781-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/1712-789-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2028-810-0x00000000002B0000-0x00000000002DA000-memory.dmp family_blackmoon behavioral1/memory/1700-817-0x0000000000340000-0x000000000036A000-memory.dmp family_blackmoon behavioral1/memory/2420-824-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2028-831-0x00000000002B0000-0x00000000002DA000-memory.dmp family_blackmoon behavioral1/memory/2932-871-0x00000000002A0000-0x00000000002CA000-memory.dmp family_blackmoon behavioral1/memory/2740-917-0x0000000000250000-0x000000000027A000-memory.dmp family_blackmoon behavioral1/memory/2268-955-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2996 lllrlxr.exe 2092 1nhnht.exe 532 ddvjd.exe 2696 rrrxflx.exe 2820 hhtnnb.exe 2208 7vvjv.exe 2332 1hhnht.exe 2632 9rlxrfx.exe 2816 1nthbn.exe 2676 vdvdj.exe 624 bnhtnb.exe 272 djjdv.exe 1636 httnht.exe 1664 jjjdv.exe 1352 lllxxrl.exe 2388 dpppj.exe 1764 5ttbtb.exe 1496 vjjdp.exe 3016 fffrrxx.exe 2200 ntntbb.exe 2972 nttnhn.exe 1068 vpjpp.exe 980 nbhbtb.exe 1824 9vdpj.exe 1724 hhnbth.exe 656 jjppj.exe 780 hbbnbn.exe 2172 dpdpj.exe 1748 hhbnbt.exe 1688 pppdv.exe 884 bhhbht.exe 2544 nnhbbh.exe 2996 3fllxrl.exe 1576 tbtbnb.exe 3068 7pjpj.exe 480 xxlfrll.exe 768 9nhhht.exe 2760 hnthtb.exe 2832 vdpdp.exe 2820 rrxlxfx.exe 2752 bhbnht.exe 2264 bhhbtn.exe 2776 jddjj.exe 2604 9xfffll.exe 2816 hnttnb.exe 2268 7nthht.exe 664 dddjd.exe 1172 xlrlfrl.exe 1892 nbhbtn.exe 1868 jjdjp.exe 1532 jjjvd.exe 1148 9lflxxr.exe 1352 tnnbth.exe 1200 bttbtt.exe 616 dppjv.exe 1320 xxxffxx.exe 2924 nhhnbn.exe 2552 tbhbth.exe 284 jdddp.exe 2968 fxxflrx.exe 2004 hnnhbh.exe 1908 btthbn.exe 1948 jjvvj.exe 1712 rxxlrxr.exe -
resource yara_rule behavioral1/memory/1480-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2996-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2092-27-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/532-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/532-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2820-50-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2332-68-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2208-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2332-75-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2632-87-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/624-113-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1636-132-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1664-140-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1764-167-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/980-218-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1824-228-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/656-246-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/780-256-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1748-275-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2544-300-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1576-314-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3068-321-0x0000000000350000-0x000000000037A000-memory.dmp upx behavioral1/memory/2832-340-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2832-347-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2752-355-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2752-362-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2776-377-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2816-390-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/664-397-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2816-410-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/1532-423-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/284-479-0x00000000003C0000-0x00000000003EA000-memory.dmp upx behavioral1/memory/2004-492-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1948-505-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2004-512-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2192-525-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1524-538-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/888-564-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2320-584-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/3068-603-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2624-659-0x00000000003B0000-0x00000000003DA000-memory.dmp upx behavioral1/memory/2268-678-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2388-715-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/616-755-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/1708-781-0x00000000003A0000-0x00000000003CA000-memory.dmp upx behavioral1/memory/1712-789-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1540-857-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2308-872-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2696-879-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2740-910-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2740-917-0x0000000000250000-0x000000000027A000-memory.dmp upx behavioral1/memory/2268-955-0x0000000000320000-0x000000000034A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djppv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3flllfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfrxllx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5jdpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfrrffl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjdjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjvvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdjpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5btbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not 
Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rffxxfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bthtbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvvvp.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1480 wrote to memory of 2996 1480 8ecb8a49b5cf742f42e5c4c786d5b72c22c857a2944cf4af7ea69a76c0454c47.exe 30 PID 1480 wrote to memory of 2996 1480 8ecb8a49b5cf742f42e5c4c786d5b72c22c857a2944cf4af7ea69a76c0454c47.exe 30 PID 1480 wrote to memory of 2996 1480 8ecb8a49b5cf742f42e5c4c786d5b72c22c857a2944cf4af7ea69a76c0454c47.exe 30 PID 1480 wrote to memory of 2996 1480 8ecb8a49b5cf742f42e5c4c786d5b72c22c857a2944cf4af7ea69a76c0454c47.exe 30 PID 2996 wrote to memory of 2092 2996 lllrlxr.exe 31 PID 2996 wrote to memory of 2092 2996 lllrlxr.exe 31 PID 2996 wrote to memory of 2092 2996 lllrlxr.exe 31 PID 2996 wrote to memory of 2092 2996 lllrlxr.exe 31 PID 2092 wrote to memory of 532 2092 1nhnht.exe 32 PID 2092 wrote to memory of 532 2092 1nhnht.exe 32 PID 2092 wrote to memory of 532 2092 1nhnht.exe 32 PID 2092 wrote to memory of 532 2092 1nhnht.exe 32 PID 532 wrote to memory of 2696 532 ddvjd.exe 33 PID 532 wrote to memory of 2696 532 ddvjd.exe 33 PID 532 wrote to memory of 2696 532 ddvjd.exe 33 PID 532 wrote to memory of 2696 532 ddvjd.exe 33 PID 2696 wrote to memory of 2820 2696 rrrxflx.exe 34 PID 2696 wrote to memory of 2820 2696 rrrxflx.exe 34 PID 2696 wrote to memory of 2820 2696 rrrxflx.exe 34 PID 2696 wrote to memory of 2820 2696 rrrxflx.exe 34 PID 2820 wrote to memory of 2208 2820 hhtnnb.exe 35 PID 2820 wrote to memory of 2208 2820 hhtnnb.exe 35 PID 2820 wrote to memory of 2208 2820 hhtnnb.exe 35 PID 2820 wrote to memory of 2208 2820 hhtnnb.exe 35 PID 2208 wrote to memory of 2332 2208 7vvjv.exe 36 PID 2208 wrote to memory of 2332 2208 7vvjv.exe 36 PID 2208 wrote to memory of 2332 2208 7vvjv.exe 36 PID 2208 wrote to memory of 2332 2208 7vvjv.exe 36 PID 2332 wrote to memory of 2632 2332 1hhnht.exe 37 PID 2332 wrote to memory of 2632 2332 1hhnht.exe 37 PID 2332 wrote to memory of 2632 2332 1hhnht.exe 37 PID 2332 wrote to memory of 2632 2332 1hhnht.exe 37 PID 2632 wrote to memory of 2816 2632 9rlxrfx.exe 38 PID 2632 wrote to memory 
of 2816 2632 9rlxrfx.exe 38 PID 2632 wrote to memory of 2816 2632 9rlxrfx.exe 38 PID 2632 wrote to memory of 2816 2632 9rlxrfx.exe 38 PID 2816 wrote to memory of 2676 2816 1nthbn.exe 39 PID 2816 wrote to memory of 2676 2816 1nthbn.exe 39 PID 2816 wrote to memory of 2676 2816 1nthbn.exe 39 PID 2816 wrote to memory of 2676 2816 1nthbn.exe 39 PID 2676 wrote to memory of 624 2676 vdvdj.exe 40 PID 2676 wrote to memory of 624 2676 vdvdj.exe 40 PID 2676 wrote to memory of 624 2676 vdvdj.exe 40 PID 2676 wrote to memory of 624 2676 vdvdj.exe 40 PID 624 wrote to memory of 272 624 bnhtnb.exe 41 PID 624 wrote to memory of 272 624 bnhtnb.exe 41 PID 624 wrote to memory of 272 624 bnhtnb.exe 41 PID 624 wrote to memory of 272 624 bnhtnb.exe 41 PID 272 wrote to memory of 1636 272 djjdv.exe 42 PID 272 wrote to memory of 1636 272 djjdv.exe 42 PID 272 wrote to memory of 1636 272 djjdv.exe 42 PID 272 wrote to memory of 1636 272 djjdv.exe 42 PID 1636 wrote to memory of 1664 1636 httnht.exe 43 PID 1636 wrote to memory of 1664 1636 httnht.exe 43 PID 1636 wrote to memory of 1664 1636 httnht.exe 43 PID 1636 wrote to memory of 1664 1636 httnht.exe 43 PID 1664 wrote to memory of 1352 1664 jjjdv.exe 44 PID 1664 wrote to memory of 1352 1664 jjjdv.exe 44 PID 1664 wrote to memory of 1352 1664 jjjdv.exe 44 PID 1664 wrote to memory of 1352 1664 jjjdv.exe 44 PID 1352 wrote to memory of 2388 1352 lllxxrl.exe 45 PID 1352 wrote to memory of 2388 1352 lllxxrl.exe 45 PID 1352 wrote to memory of 2388 1352 lllxxrl.exe 45 PID 1352 wrote to memory of 2388 1352 lllxxrl.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\8ecb8a49b5cf742f42e5c4c786d5b72c22c857a2944cf4af7ea69a76c0454c47.exe"C:\Users\Admin\AppData\Local\Temp\8ecb8a49b5cf742f42e5c4c786d5b72c22c857a2944cf4af7ea69a76c0454c47.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1480 -
\??\c:\lllrlxr.exec:\lllrlxr.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2996 -
\??\c:\1nhnht.exec:\1nhnht.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2092 -
\??\c:\ddvjd.exec:\ddvjd.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:532 -
\??\c:\rrrxflx.exec:\rrrxflx.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2696 -
\??\c:\hhtnnb.exec:\hhtnnb.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2820 -
\??\c:\7vvjv.exec:\7vvjv.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2208 -
\??\c:\1hhnht.exec:\1hhnht.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2332 -
\??\c:\9rlxrfx.exec:\9rlxrfx.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2632 -
\??\c:\1nthbn.exec:\1nthbn.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2816 -
\??\c:\vdvdj.exec:\vdvdj.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2676 -
\??\c:\bnhtnb.exec:\bnhtnb.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:624 -
\??\c:\djjdv.exec:\djjdv.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:272 -
\??\c:\httnht.exec:\httnht.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1636 -
\??\c:\jjjdv.exec:\jjjdv.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1664 -
\??\c:\lllxxrl.exec:\lllxxrl.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1352 -
\??\c:\dpppj.exec:\dpppj.exe17⤵
- Executes dropped EXE
PID:2388 -
\??\c:\5ttbtb.exec:\5ttbtb.exe18⤵
- Executes dropped EXE
PID:1764 -
\??\c:\vjjdp.exec:\vjjdp.exe19⤵
- Executes dropped EXE
PID:1496 -
\??\c:\fffrrxx.exec:\fffrrxx.exe20⤵
- Executes dropped EXE
PID:3016 -
\??\c:\ntntbb.exec:\ntntbb.exe21⤵
- Executes dropped EXE
PID:2200 -
\??\c:\nttnhn.exec:\nttnhn.exe22⤵
- Executes dropped EXE
PID:2972 -
\??\c:\vpjpp.exec:\vpjpp.exe23⤵
- Executes dropped EXE
PID:1068 -
\??\c:\nbhbtb.exec:\nbhbtb.exe24⤵
- Executes dropped EXE
PID:980 -
\??\c:\9vdpj.exec:\9vdpj.exe25⤵
- Executes dropped EXE
PID:1824 -
\??\c:\hhnbth.exec:\hhnbth.exe26⤵
- Executes dropped EXE
PID:1724 -
\??\c:\jjppj.exec:\jjppj.exe27⤵
- Executes dropped EXE
PID:656 -
\??\c:\hbbnbn.exec:\hbbnbn.exe28⤵
- Executes dropped EXE
PID:780 -
\??\c:\dpdpj.exec:\dpdpj.exe29⤵
- Executes dropped EXE
PID:2172 -
\??\c:\hhbnbt.exec:\hhbnbt.exe30⤵
- Executes dropped EXE
PID:1748 -
\??\c:\pppdv.exec:\pppdv.exe31⤵
- Executes dropped EXE
PID:1688 -
\??\c:\bhhbht.exec:\bhhbht.exe32⤵
- Executes dropped EXE
PID:884 -
\??\c:\nnhbbh.exec:\nnhbbh.exe33⤵
- Executes dropped EXE
PID:2544 -
\??\c:\3fllxrl.exec:\3fllxrl.exe34⤵
- Executes dropped EXE
PID:2996 -
\??\c:\tbtbnb.exec:\tbtbnb.exe35⤵
- Executes dropped EXE
PID:1576 -
\??\c:\7pjpj.exec:\7pjpj.exe36⤵
- Executes dropped EXE
PID:3068 -
\??\c:\xxlfrll.exec:\xxlfrll.exe37⤵
- Executes dropped EXE
PID:480 -
\??\c:\9nhhht.exec:\9nhhht.exe38⤵
- Executes dropped EXE
PID:768 -
\??\c:\hnthtb.exec:\hnthtb.exe39⤵
- Executes dropped EXE
PID:2760 -
\??\c:\vdpdp.exec:\vdpdp.exe40⤵
- Executes dropped EXE
PID:2832 -
\??\c:\rrxlxfx.exec:\rrxlxfx.exe41⤵
- Executes dropped EXE
PID:2820 -
\??\c:\bhbnht.exec:\bhbnht.exe42⤵
- Executes dropped EXE
PID:2752 -
\??\c:\bhhbtn.exec:\bhhbtn.exe43⤵
- Executes dropped EXE
PID:2264 -
\??\c:\jddjj.exec:\jddjj.exe44⤵
- Executes dropped EXE
PID:2776 -
\??\c:\9xfffll.exec:\9xfffll.exe45⤵
- Executes dropped EXE
PID:2604 -
\??\c:\hnttnb.exec:\hnttnb.exe46⤵
- Executes dropped EXE
PID:2816 -
\??\c:\7nthht.exec:\7nthht.exe47⤵
- Executes dropped EXE
PID:2268 -
\??\c:\dddjd.exec:\dddjd.exe48⤵
- Executes dropped EXE
PID:664 -
\??\c:\xlrlfrl.exec:\xlrlfrl.exe49⤵
- Executes dropped EXE
PID:1172 -
\??\c:\nbhbtn.exec:\nbhbtn.exe50⤵
- Executes dropped EXE
PID:1892 -
\??\c:\jjdjp.exec:\jjdjp.exe51⤵
- Executes dropped EXE
PID:1868 -
\??\c:\jjjvd.exec:\jjjvd.exe52⤵
- Executes dropped EXE
PID:1532 -
\??\c:\9lflxxr.exec:\9lflxxr.exe53⤵
- Executes dropped EXE
PID:1148 -
\??\c:\tnnbth.exec:\tnnbth.exe54⤵
- Executes dropped EXE
PID:1352 -
\??\c:\bttbtt.exec:\bttbtt.exe55⤵
- Executes dropped EXE
PID:1200 -
\??\c:\dppjv.exec:\dppjv.exe56⤵
- Executes dropped EXE
PID:616 -
\??\c:\xxxffxx.exec:\xxxffxx.exe57⤵
- Executes dropped EXE
PID:1320 -
\??\c:\nhhnbn.exec:\nhhnbn.exe58⤵
- Executes dropped EXE
PID:2924 -
\??\c:\tbhbth.exec:\tbhbth.exe59⤵
- Executes dropped EXE
PID:2552 -
\??\c:\jdddp.exec:\jdddp.exe60⤵
- Executes dropped EXE
PID:284 -
\??\c:\fxxflrx.exec:\fxxflrx.exe61⤵
- Executes dropped EXE
PID:2968 -
\??\c:\hnnhbh.exec:\hnnhbh.exe62⤵
- Executes dropped EXE
PID:2004 -
\??\c:\btthbn.exec:\btthbn.exe63⤵
- Executes dropped EXE
PID:1908 -
\??\c:\jjvvj.exec:\jjvvj.exe64⤵
- Executes dropped EXE
PID:1948 -
\??\c:\rxxlrxr.exec:\rxxlrxr.exe65⤵
- Executes dropped EXE
PID:1712 -
\??\c:\bhbhth.exec:\bhbhth.exe66⤵PID:1700
-
\??\c:\bhnhtb.exec:\bhnhtb.exe67⤵PID:1512
-
\??\c:\pvvdj.exec:\pvvdj.exe68⤵PID:2192
-
\??\c:\3lflxxl.exec:\3lflxxl.exe69⤵PID:1524
-
\??\c:\rfxrlxr.exec:\rfxrlxr.exe70⤵PID:2136
-
\??\c:\nnhntn.exec:\nnhntn.exe71⤵PID:2436
-
\??\c:\dvpvd.exec:\dvpvd.exe72⤵PID:1748
-
\??\c:\7rllrxl.exec:\7rllrxl.exe73⤵PID:888
-
\??\c:\ffflrxl.exec:\ffflrxl.exe74⤵PID:1740
-
\??\c:\hntnnb.exec:\hntnnb.exe75⤵PID:3008
-
\??\c:\vpjpv.exec:\vpjpv.exe76⤵PID:2320
-
\??\c:\jddjv.exec:\jddjv.exe77⤵PID:1628
-
\??\c:\lrxflrl.exec:\lrxflrl.exe78⤵PID:1576
-
\??\c:\tnnbtb.exec:\tnnbtb.exe79⤵PID:3068
-
\??\c:\ddddp.exec:\ddddp.exe80⤵PID:2744
-
\??\c:\jjvjp.exec:\jjvjp.exe81⤵PID:532
-
\??\c:\rxxrlfr.exec:\rxxrlfr.exe82⤵PID:2808
-
\??\c:\ttnbnb.exec:\ttnbnb.exe83⤵PID:2832
-
\??\c:\vppvj.exec:\vppvj.exe84⤵PID:2940
-
\??\c:\9vvjp.exec:\9vvjp.exe85⤵PID:2692
-
\??\c:\1fxflfl.exec:\1fxflfl.exe86⤵PID:2828
-
\??\c:\bthnhn.exec:\bthnhn.exe87⤵PID:2652
-
\??\c:\jjddv.exec:\jjddv.exe88⤵PID:2624
-
\??\c:\vdjpd.exec:\vdjpd.exe89⤵
- System Location Discovery: System Language Discovery
PID:2604 -
\??\c:\fxrrxrf.exec:\fxrrxrf.exe90⤵PID:3052
-
\??\c:\thnbnh.exec:\thnbnh.exe91⤵PID:2268
-
\??\c:\hhbttb.exec:\hhbttb.exe92⤵PID:664
-
\??\c:\jddjv.exec:\jddjv.exe93⤵PID:1172
-
\??\c:\xfrxlrf.exec:\xfrxlrf.exe94⤵PID:844
-
\??\c:\ttntbn.exec:\ttntbn.exe95⤵PID:2664
-
\??\c:\9nthnn.exec:\9nthnn.exe96⤵PID:1620
-
\??\c:\5vvpd.exec:\5vvpd.exe97⤵PID:2500
-
\??\c:\lfxxflx.exec:\lfxxflx.exe98⤵PID:2388
-
\??\c:\bbtnht.exec:\bbtnht.exe99⤵PID:1356
-
\??\c:\5bbhtt.exec:\5bbhtt.exe100⤵PID:616
-
\??\c:\7jjvp.exec:\7jjvp.exe101⤵PID:1320
-
\??\c:\lrlxflx.exec:\lrlxflx.exe102⤵PID:2256
-
\??\c:\llflxxf.exec:\llflxxf.exe103⤵PID:2552
-
\??\c:\tbbhht.exec:\tbbhht.exe104⤵PID:2784
-
\??\c:\pppjd.exec:\pppjd.exe105⤵PID:2504
-
\??\c:\xrrrxfx.exec:\xrrrxfx.exe106⤵PID:1908
-
\??\c:\llffxrl.exec:\llffxrl.exe107⤵PID:1708
-
\??\c:\bnnhth.exec:\bnnhth.exe108⤵PID:1712
-
\??\c:\djjjv.exec:\djjjv.exe109⤵PID:1700
-
\??\c:\vpvdp.exec:\vpvdp.exe110⤵PID:1332
-
\??\c:\bthtbn.exec:\bthtbn.exe111⤵
- System Location Discovery: System Language Discovery
PID:2028 -
\??\c:\1nnbbt.exec:\1nnbbt.exe112⤵PID:1556
-
\??\c:\vvpdd.exec:\vvpdd.exe113⤵PID:2420
-
\??\c:\rrlrrfl.exec:\rrlrrfl.exe114⤵PID:1056
-
\??\c:\tbbnbn.exec:\tbbnbn.exe115⤵PID:1852
-
\??\c:\jppdp.exec:\jppdp.exe116⤵PID:2992
-
\??\c:\vvpvj.exec:\vvpvj.exe117⤵PID:2932
-
\??\c:\lflrlrf.exec:\lflrlrf.exe118⤵PID:1540
-
\??\c:\bbntht.exec:\bbntht.exe119⤵PID:1788
-
\??\c:\vjdvj.exec:\vjdvj.exe120⤵PID:1804
-
\??\c:\rllfrxl.exec:\rllfrxl.exe121⤵PID:2308
-
\??\c:\ffxlflx.exec:\ffxlflx.exe122⤵PID:2696