Analysis
-
max time kernel
150s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
23-12-2024 01:44
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
a1c7bcdbea7d4a27c3bb4c254cbe7fb2a93937e2ee812fdd8a255b3c15e3eef6.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
150 seconds
General
-
Target
a1c7bcdbea7d4a27c3bb4c254cbe7fb2a93937e2ee812fdd8a255b3c15e3eef6.exe
-
Size
453KB
-
MD5
5c608f30b7ae2164e8b1670a1e1bd270
-
SHA1
f861e7ec850942d6b6ffca7f5f4b7774b415f12d
-
SHA256
a1c7bcdbea7d4a27c3bb4c254cbe7fb2a93937e2ee812fdd8a255b3c15e3eef6
-
SHA512
c1ee64d60172d901adc7e88a6c34a59d0d0df6c6d6a14b98f1f3f02b3f7a113ec15948c654594c5dbdb0f3533d998ac5ff6aaf944699be25d9676598677a87c1
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbel:q7Tc2NYHUrAwfMp3CDl
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 50 IoCs
resource yara_rule behavioral1/memory/2336-0-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2304-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1544-28-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1544-26-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2304-15-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2216-38-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2684-49-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2692-52-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2216-40-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2824-62-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2808-79-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2580-81-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1700-105-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1252-123-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1488-114-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/1780-135-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1780-133-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1948-145-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1780-131-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1948-152-0x0000000000250000-0x000000000027A000-memory.dmp family_blackmoon behavioral1/memory/1816-156-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2128-181-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2472-200-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1820-189-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2904-212-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1672-210-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1688-257-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1508-246-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1508-244-0x00000000005C0000-0x00000000005EA000-memory.dmp family_blackmoon behavioral1/memory/1508-242-0x00000000005C0000-0x00000000005EA000-memory.dmp family_blackmoon behavioral1/memory/1256-297-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2312-312-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2788-366-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/2592-379-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2608-400-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1380-413-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1780-432-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2636-445-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1928-452-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1680-528-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2012-559-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2184-562-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/304-595-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2372-644-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2540-664-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2596-715-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1928-740-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/2200-841-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/1996-898-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/1548-1378-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2304 9ththn.exe 1544 rfrrxfr.exe 2216 tnhhhh.exe 2684 3lflfff.exe 2692 tntnbt.exe 2824 htnnbh.exe 2808 tthhnb.exe 2580 rxflxff.exe 2608 9bnhnt.exe 1700 tttbbb.exe 1488 9hhnbh.exe 1252 bntnbt.exe 1780 lfxxflx.exe 1588 lrlrrrf.exe 1948 xxrxlrf.exe 1816 bnttht.exe 768 rfrxffl.exe 2128 9xxrfrf.exe 1820 ttnnbb.exe 2472 vvjpv.exe 1672 vdppv.exe 2904 5dvpv.exe 1208 xxfrrrl.exe 696 jdppv.exe 1508 fxxxflr.exe 2252 dvvvv.exe 1688 9vvdv.exe 2332 xxlxxxl.exe 2280 pjppv.exe 896 hbtttt.exe 1256 3vdvv.exe 2296 xxrfxlf.exe 2312 hbnthn.exe 1776 lrfxfrx.exe 320 fflrxxl.exe 2072 hhthhh.exe 2176 vvjdj.exe 2788 xrlrxfl.exe 2668 nttnhn.exe 1920 thbhtt.exe 2572 ppjpd.exe 2672 rlrffrl.exe 2592 xlxxflr.exe 2532 tnbbhn.exe 2192 pjdjp.exe 2608 xlxrllr.exe 1668 3rlrrrr.exe 1380 thtbbb.exe 2720 9vjjp.exe 2852 5fxrlrf.exe 1780 xrxfllx.exe 2840 7thntt.exe 2636 3jpjp.exe 1928 ppddp.exe 2020 xrlxlrf.exe 2960 9nhntb.exe 3028 tnbnbh.exe 2124 vvpvv.exe 2120 lxxrffl.exe 2632 xxrfrlx.exe 408 hbnnbh.exe 764 jjjpd.exe 1608 ddddd.exe 1956 9xflxfr.exe -
resource yara_rule behavioral1/memory/2336-0-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2304-8-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2304-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1544-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2684-41-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2684-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2692-52-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2216-40-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2824-62-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2808-79-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2580-81-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1700-97-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1700-105-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1252-123-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1780-135-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1948-145-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1816-156-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2128-181-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2472-200-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2904-212-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1672-210-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1688-257-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2252-247-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1508-246-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/1508-242-0x00000000005C0000-0x00000000005EA000-memory.dmp upx behavioral1/memory/2312-312-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/320-319-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2788-340-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2592-379-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2532-386-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2608-400-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1380-413-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1780-432-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2636-445-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1928-452-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/764-495-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1956-508-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1680-528-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2012-559-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2184-562-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2344-585-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/304-595-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2372-644-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2864-645-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2540-664-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2596-715-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1928-734-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2968-749-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/1940-762-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2200-841-0x00000000001B0000-0x00000000001DA000-memory.dmp upx behavioral1/memory/2896-873-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2588-948-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2272-1034-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2196-1096-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2204-1133-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/396-1290-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1632-1327-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2904-1340-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1548-1378-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvjpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxllrfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxflxff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9xrxlxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9htntt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llxfrrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvpjj.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrxrllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxlrfxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfxfrxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlxxflr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxfffxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thbbhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnthtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfflllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrffrfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xfflfrl.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2336 wrote to memory of 2304 2336 a1c7bcdbea7d4a27c3bb4c254cbe7fb2a93937e2ee812fdd8a255b3c15e3eef6.exe 31 PID 2336 wrote to memory of 2304 2336 a1c7bcdbea7d4a27c3bb4c254cbe7fb2a93937e2ee812fdd8a255b3c15e3eef6.exe 31 PID 2336 wrote to memory of 2304 2336 a1c7bcdbea7d4a27c3bb4c254cbe7fb2a93937e2ee812fdd8a255b3c15e3eef6.exe 31 PID 2336 wrote to memory of 2304 2336 a1c7bcdbea7d4a27c3bb4c254cbe7fb2a93937e2ee812fdd8a255b3c15e3eef6.exe 31 PID 2304 wrote to memory of 1544 2304 9ththn.exe 32 PID 2304 wrote to memory of 1544 2304 9ththn.exe 32 PID 2304 wrote to memory of 1544 2304 9ththn.exe 32 PID 2304 wrote to memory of 1544 2304 9ththn.exe 32 PID 1544 wrote to memory of 2216 1544 rfrrxfr.exe 33 PID 1544 wrote to memory of 2216 1544 rfrrxfr.exe 33 PID 1544 wrote to memory of 2216 1544 rfrrxfr.exe 33 PID 1544 wrote to memory of 2216 1544 rfrrxfr.exe 33 PID 2216 wrote to memory of 2684 2216 tnhhhh.exe 34 PID 2216 wrote to memory of 2684 2216 tnhhhh.exe 34 PID 2216 wrote to memory of 2684 2216 tnhhhh.exe 34 PID 2216 wrote to memory of 2684 2216 tnhhhh.exe 34 PID 2684 wrote to memory of 2692 2684 3lflfff.exe 35 PID 2684 wrote to memory of 2692 2684 3lflfff.exe 35 PID 2684 wrote to memory of 2692 2684 3lflfff.exe 35 PID 2684 wrote to memory of 2692 2684 3lflfff.exe 35 PID 2692 wrote to memory of 2824 2692 tntnbt.exe 36 PID 2692 wrote to memory of 2824 2692 tntnbt.exe 36 PID 2692 wrote to memory of 2824 2692 tntnbt.exe 36 PID 2692 wrote to memory of 2824 2692 tntnbt.exe 36 PID 2824 wrote to memory of 2808 2824 htnnbh.exe 37 PID 2824 wrote to memory of 2808 2824 htnnbh.exe 37 PID 2824 wrote to memory of 2808 2824 htnnbh.exe 37 PID 2824 wrote to memory of 2808 2824 htnnbh.exe 37 PID 2808 wrote to memory of 2580 2808 tthhnb.exe 38 PID 2808 wrote to memory of 2580 2808 tthhnb.exe 38 PID 2808 wrote to memory of 2580 2808 tthhnb.exe 38 PID 2808 wrote to memory of 2580 2808 tthhnb.exe 38 PID 2580 wrote to memory of 2608 2580 rxflxff.exe 39 PID 
2580 wrote to memory of 2608 2580 rxflxff.exe 39 PID 2580 wrote to memory of 2608 2580 rxflxff.exe 39 PID 2580 wrote to memory of 2608 2580 rxflxff.exe 39 PID 2608 wrote to memory of 1700 2608 9bnhnt.exe 40 PID 2608 wrote to memory of 1700 2608 9bnhnt.exe 40 PID 2608 wrote to memory of 1700 2608 9bnhnt.exe 40 PID 2608 wrote to memory of 1700 2608 9bnhnt.exe 40 PID 1700 wrote to memory of 1488 1700 tttbbb.exe 41 PID 1700 wrote to memory of 1488 1700 tttbbb.exe 41 PID 1700 wrote to memory of 1488 1700 tttbbb.exe 41 PID 1700 wrote to memory of 1488 1700 tttbbb.exe 41 PID 1488 wrote to memory of 1252 1488 9hhnbh.exe 42 PID 1488 wrote to memory of 1252 1488 9hhnbh.exe 42 PID 1488 wrote to memory of 1252 1488 9hhnbh.exe 42 PID 1488 wrote to memory of 1252 1488 9hhnbh.exe 42 PID 1252 wrote to memory of 1780 1252 bntnbt.exe 43 PID 1252 wrote to memory of 1780 1252 bntnbt.exe 43 PID 1252 wrote to memory of 1780 1252 bntnbt.exe 43 PID 1252 wrote to memory of 1780 1252 bntnbt.exe 43 PID 1780 wrote to memory of 1588 1780 lfxxflx.exe 44 PID 1780 wrote to memory of 1588 1780 lfxxflx.exe 44 PID 1780 wrote to memory of 1588 1780 lfxxflx.exe 44 PID 1780 wrote to memory of 1588 1780 lfxxflx.exe 44 PID 1588 wrote to memory of 1948 1588 lrlrrrf.exe 45 PID 1588 wrote to memory of 1948 1588 lrlrrrf.exe 45 PID 1588 wrote to memory of 1948 1588 lrlrrrf.exe 45 PID 1588 wrote to memory of 1948 1588 lrlrrrf.exe 45 PID 1948 wrote to memory of 1816 1948 xxrxlrf.exe 46 PID 1948 wrote to memory of 1816 1948 xxrxlrf.exe 46 PID 1948 wrote to memory of 1816 1948 xxrxlrf.exe 46 PID 1948 wrote to memory of 1816 1948 xxrxlrf.exe 46
Processes
-
C:\Users\Admin\AppData\Local\Temp\a1c7bcdbea7d4a27c3bb4c254cbe7fb2a93937e2ee812fdd8a255b3c15e3eef6.exe"C:\Users\Admin\AppData\Local\Temp\a1c7bcdbea7d4a27c3bb4c254cbe7fb2a93937e2ee812fdd8a255b3c15e3eef6.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2336 -
\??\c:\9ththn.exec:\9ththn.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2304 -
\??\c:\rfrrxfr.exec:\rfrrxfr.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1544 -
\??\c:\tnhhhh.exec:\tnhhhh.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2216 -
\??\c:\3lflfff.exec:\3lflfff.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2684 -
\??\c:\tntnbt.exec:\tntnbt.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2692 -
\??\c:\htnnbh.exec:\htnnbh.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2824 -
\??\c:\tthhnb.exec:\tthhnb.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2808 -
\??\c:\rxflxff.exec:\rxflxff.exe9⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2580 -
\??\c:\9bnhnt.exec:\9bnhnt.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2608 -
\??\c:\tttbbb.exec:\tttbbb.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1700 -
\??\c:\9hhnbh.exec:\9hhnbh.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1488 -
\??\c:\bntnbt.exec:\bntnbt.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1252 -
\??\c:\lfxxflx.exec:\lfxxflx.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1780 -
\??\c:\lrlrrrf.exec:\lrlrrrf.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1588 -
\??\c:\xxrxlrf.exec:\xxrxlrf.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1948 -
\??\c:\bnttht.exec:\bnttht.exe17⤵
- Executes dropped EXE
PID:1816 -
\??\c:\rfrxffl.exec:\rfrxffl.exe18⤵
- Executes dropped EXE
PID:768 -
\??\c:\9xxrfrf.exec:\9xxrfrf.exe19⤵
- Executes dropped EXE
PID:2128 -
\??\c:\ttnnbb.exec:\ttnnbb.exe20⤵
- Executes dropped EXE
PID:1820 -
\??\c:\vvjpv.exec:\vvjpv.exe21⤵
- Executes dropped EXE
PID:2472 -
\??\c:\vdppv.exec:\vdppv.exe22⤵
- Executes dropped EXE
PID:1672 -
\??\c:\5dvpv.exec:\5dvpv.exe23⤵
- Executes dropped EXE
PID:2904 -
\??\c:\xxfrrrl.exec:\xxfrrrl.exe24⤵
- Executes dropped EXE
PID:1208 -
\??\c:\jdppv.exec:\jdppv.exe25⤵
- Executes dropped EXE
PID:696 -
\??\c:\fxxxflr.exec:\fxxxflr.exe26⤵
- Executes dropped EXE
PID:1508 -
\??\c:\dvvvv.exec:\dvvvv.exe27⤵
- Executes dropped EXE
PID:2252 -
\??\c:\9vvdv.exec:\9vvdv.exe28⤵
- Executes dropped EXE
PID:1688 -
\??\c:\xxlxxxl.exec:\xxlxxxl.exe29⤵
- Executes dropped EXE
PID:2332 -
\??\c:\pjppv.exec:\pjppv.exe30⤵
- Executes dropped EXE
PID:2280 -
\??\c:\hbtttt.exec:\hbtttt.exe31⤵
- Executes dropped EXE
PID:896 -
\??\c:\3vdvv.exec:\3vdvv.exe32⤵
- Executes dropped EXE
PID:1256 -
\??\c:\xxrfxlf.exec:\xxrfxlf.exe33⤵
- Executes dropped EXE
PID:2296 -
\??\c:\hbnthn.exec:\hbnthn.exe34⤵
- Executes dropped EXE
PID:2312 -
\??\c:\lrfxfrx.exec:\lrfxfrx.exe35⤵
- Executes dropped EXE
PID:1776 -
\??\c:\fflrxxl.exec:\fflrxxl.exe36⤵
- Executes dropped EXE
PID:320 -
\??\c:\hhthhh.exec:\hhthhh.exe37⤵
- Executes dropped EXE
PID:2072 -
\??\c:\vvjdj.exec:\vvjdj.exe38⤵
- Executes dropped EXE
PID:2176 -
\??\c:\xrlrxfl.exec:\xrlrxfl.exe39⤵
- Executes dropped EXE
PID:2788 -
\??\c:\nttnhn.exec:\nttnhn.exe40⤵
- Executes dropped EXE
PID:2668 -
\??\c:\thbhtt.exec:\thbhtt.exe41⤵
- Executes dropped EXE
PID:1920 -
\??\c:\ppjpd.exec:\ppjpd.exe42⤵
- Executes dropped EXE
PID:2572 -
\??\c:\rlrffrl.exec:\rlrffrl.exe43⤵
- Executes dropped EXE
PID:2672 -
\??\c:\xlxxflr.exec:\xlxxflr.exe44⤵
- Executes dropped EXE
PID:2592 -
\??\c:\tnbbhn.exec:\tnbbhn.exe45⤵
- Executes dropped EXE
PID:2532 -
\??\c:\pjdjp.exec:\pjdjp.exe46⤵
- Executes dropped EXE
PID:2192 -
\??\c:\xlxrllr.exec:\xlxrllr.exe47⤵
- Executes dropped EXE
PID:2608 -
\??\c:\3rlrrrr.exec:\3rlrrrr.exe48⤵
- Executes dropped EXE
PID:1668 -
\??\c:\thtbbb.exec:\thtbbb.exe49⤵
- Executes dropped EXE
PID:1380 -
\??\c:\9vjjp.exec:\9vjjp.exe50⤵
- Executes dropped EXE
PID:2720 -
\??\c:\5fxrlrf.exec:\5fxrlrf.exe51⤵
- Executes dropped EXE
PID:2852 -
\??\c:\xrxfllx.exec:\xrxfllx.exe52⤵
- Executes dropped EXE
PID:1780 -
\??\c:\7thntt.exec:\7thntt.exe53⤵
- Executes dropped EXE
PID:2840 -
\??\c:\3jpjp.exec:\3jpjp.exe54⤵
- Executes dropped EXE
PID:2636 -
\??\c:\ppddp.exec:\ppddp.exe55⤵
- Executes dropped EXE
PID:1928 -
\??\c:\xrlxlrf.exec:\xrlxlrf.exe56⤵
- Executes dropped EXE
PID:2020 -
\??\c:\9nhntb.exec:\9nhntb.exe57⤵
- Executes dropped EXE
PID:2960 -
\??\c:\tnbnbh.exec:\tnbnbh.exe58⤵
- Executes dropped EXE
PID:3028 -
\??\c:\vvpvv.exec:\vvpvv.exe59⤵
- Executes dropped EXE
PID:2124 -
\??\c:\lxxrffl.exec:\lxxrffl.exe60⤵
- Executes dropped EXE
PID:2120 -
\??\c:\xxrfrlx.exec:\xxrfrlx.exe61⤵
- Executes dropped EXE
PID:2632 -
\??\c:\hbnnbh.exec:\hbnnbh.exe62⤵
- Executes dropped EXE
PID:408 -
\??\c:\jjjpd.exec:\jjjpd.exe63⤵
- Executes dropped EXE
PID:764 -
\??\c:\ddddd.exec:\ddddd.exe64⤵
- Executes dropped EXE
PID:1608 -
\??\c:\9xflxfr.exec:\9xflxfr.exe65⤵
- Executes dropped EXE
PID:1956 -
\??\c:\bbntbh.exec:\bbntbh.exe66⤵PID:1300
-
\??\c:\7vpvp.exec:\7vpvp.exe67⤵PID:1748
-
\??\c:\pjjjd.exec:\pjjjd.exe68⤵PID:1680
-
\??\c:\3rrfrxl.exec:\3rrfrxl.exe69⤵PID:944
-
\??\c:\bhhtbh.exec:\bhhtbh.exe70⤵PID:1684
-
\??\c:\bbbnhn.exec:\bbbnhn.exe71⤵PID:2424
-
\??\c:\1jddj.exec:\1jddj.exe72⤵PID:2012
-
\??\c:\1xlrflf.exec:\1xlrflf.exe73⤵PID:2184
-
\??\c:\rlllrrf.exec:\rlllrrf.exe74⤵PID:1052
-
\??\c:\tntnbb.exec:\tntnbb.exe75⤵PID:2952
-
\??\c:\5dpdj.exec:\5dpdj.exe76⤵PID:1752
-
\??\c:\1vjjv.exec:\1vjjv.exe77⤵PID:2344
-
\??\c:\fxlflfr.exec:\fxlflfr.exe78⤵PID:2620
-
\??\c:\3bbhtb.exec:\3bbhtb.exe79⤵PID:304
-
\??\c:\9btbtb.exec:\9btbtb.exe80⤵PID:1972
-
\??\c:\dvjjv.exec:\dvjjv.exe81⤵PID:320
-
\??\c:\frffrrf.exec:\frffrrf.exe82⤵PID:2072
-
\??\c:\3rxxlrx.exec:\3rxxlrx.exe83⤵PID:2744
-
\??\c:\bbhbhn.exec:\bbhbhn.exe84⤵PID:2892
-
\??\c:\1ddpv.exec:\1ddpv.exe85⤵PID:2736
-
\??\c:\9lfflrx.exec:\9lfflrx.exe86⤵PID:2372
-
\??\c:\xrlrxlf.exec:\xrlrxlf.exe87⤵PID:2864
-
\??\c:\nhthtb.exec:\nhthtb.exe88⤵PID:1316
-
\??\c:\1jvdj.exec:\1jvdj.exe89⤵PID:2540
-
\??\c:\pvvvp.exec:\pvvvp.exe90⤵PID:2992
-
\??\c:\3fxfrrf.exec:\3fxfrrf.exe91⤵PID:1960
-
\??\c:\hbhhtn.exec:\hbhhtn.exe92⤵PID:1368
-
\??\c:\jjpvp.exec:\jjpvp.exe93⤵PID:1560
-
\??\c:\ppppd.exec:\ppppd.exe94⤵PID:1032
-
\??\c:\fxxlxxl.exec:\fxxlxxl.exe95⤵PID:1164
-
\??\c:\fxxxlrx.exec:\fxxxlrx.exe96⤵PID:276
-
\??\c:\nhbntt.exec:\nhbntt.exe97⤵PID:2596
-
\??\c:\vjdvv.exec:\vjdvv.exe98⤵PID:2364
-
\??\c:\fxlflfr.exec:\fxlflfr.exe99⤵PID:1764
-
\??\c:\fxllfxf.exec:\fxllfxf.exe100⤵PID:2964
-
\??\c:\bbnthn.exec:\bbnthn.exe101⤵PID:1928
-
\??\c:\3djpv.exec:\3djpv.exe102⤵PID:3036
-
\??\c:\xrfllrx.exec:\xrfllrx.exe103⤵PID:2968
-
\??\c:\bthntt.exec:\bthntt.exe104⤵PID:2716
-
\??\c:\7dvdd.exec:\7dvdd.exe105⤵PID:1940
-
\??\c:\7dpdv.exec:\7dpdv.exe106⤵PID:2092
-
\??\c:\3frrxfr.exec:\3frrxfr.exe107⤵PID:1672
-
\??\c:\tnthtt.exec:\tnthtt.exe108⤵
- System Location Discovery: System Language Discovery
PID:2520 -
\??\c:\hthhhn.exec:\hthhhn.exe109⤵PID:1324
-
\??\c:\dvddp.exec:\dvddp.exe110⤵PID:916
-
\??\c:\rllrfrf.exec:\rllrfrf.exe111⤵PID:2248
-
\??\c:\5fxflfl.exec:\5fxflfl.exe112⤵PID:1156
-
\??\c:\hhbhth.exec:\hhbhth.exe113⤵PID:1964
-
\??\c:\7jpjj.exec:\7jpjj.exe114⤵PID:1004
-
\??\c:\llrxlrf.exec:\llrxlrf.exe115⤵PID:2412
-
\??\c:\3rxxflf.exec:\3rxxflf.exe116⤵PID:1688
-
\??\c:\hhbtbb.exec:\hhbtbb.exe117⤵PID:2200
-
\??\c:\3djpd.exec:\3djpd.exe118⤵PID:924
-
\??\c:\ddvjv.exec:\ddvjv.exe119⤵PID:1076
-
\??\c:\7fffxlx.exec:\7fffxlx.exe120⤵PID:1028
-
\??\c:\hbhhhh.exec:\hbhhhh.exe121⤵PID:2488
-
\??\c:\7nnhhn.exec:\7nnhhn.exe122⤵PID:1772