Analysis
-
max time kernel
150s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
23-12-2024 19:21
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
0887a98ad2e4c9016dc70d1946340294c1837e2a666407f17e3cc5c918980ea0.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
150 seconds
General
-
Target
0887a98ad2e4c9016dc70d1946340294c1837e2a666407f17e3cc5c918980ea0.exe
-
Size
454KB
-
MD5
2c730cd47a602fc4d13a2686a9dd5bd9
-
SHA1
be734adb93753935dca282c4fd06dd90c4fbfb60
-
SHA256
0887a98ad2e4c9016dc70d1946340294c1837e2a666407f17e3cc5c918980ea0
-
SHA512
00a5897997e1432b76af169e9d9f65311a001155cac62670992a4424fb6035a9474a6065b5ea1a5d7383ac04d8080cb3cd2c50754a17bc2daf194bc43db8ed7f
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe7W:q7Tc2NYHUrAwfMp3CDC
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 46 IoCs
resource yara_rule behavioral1/memory/1636-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1720-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2008-27-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2816-44-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3020-46-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1732-62-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2332-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2708-83-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2072-81-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2504-101-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2784-111-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2660-118-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2508-122-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3004-141-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2320-162-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2032-196-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2484-215-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2832-218-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1704-254-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1516-251-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2232-273-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/608-288-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1744-292-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1780-319-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2588-376-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2588-378-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2364-399-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2548-412-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2616-425-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1764-437-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1656-456-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1472-463-0x00000000003D0000-0x00000000003FA000-memory.dmp family_blackmoon behavioral1/memory/2672-490-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2596-501-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2368-565-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1608-592-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2208-611-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2692-655-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2444-717-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1388-743-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/288-809-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/1084-835-0x0000000000230000-0x000000000025A000-memory.dmp family_blackmoon 
behavioral1/memory/1548-934-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2792-947-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1056-999-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1740-1135-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1720 nhbthb.exe 2008 5dddj.exe 1660 7hbhhn.exe 2816 5dppv.exe 3020 tttnbh.exe 1732 1pvpv.exe 2332 5frrxrf.exe 2072 htbnnb.exe 2708 3lfrrrr.exe 2504 rfrrrrf.exe 2784 lfrlrrf.exe 2660 htbhnh.exe 2508 rlxlllr.exe 2976 9lrxxxx.exe 3004 5jjpd.exe 1224 xxlxllx.exe 2320 5jvjp.exe 1996 flllrrl.exe 1808 vjvdj.exe 2032 lfrxlfr.exe 2756 hbntnt.exe 2484 1rxflrr.exe 2832 1nhnhn.exe 2840 dvjdd.exe 544 nhtbnt.exe 1516 ddpdj.exe 1704 nhtbhh.exe 1540 nbtnth.exe 2232 rlrrflr.exe 608 nhbttt.exe 1744 lfllrlx.exe 2084 frllrlr.exe 1720 btbhnt.exe 2272 lfrrxff.exe 1780 nnbhnh.exe 1828 3dppp.exe 2944 vjpjv.exe 3032 9lffrll.exe 3028 hbnntt.exe 2248 btntnn.exe 2680 vjpvd.exe 2604 rlrrxfl.exe 2588 5tnnnn.exe 2648 hhbbnh.exe 2620 vpjpv.exe 2364 lfrxxfr.exe 2632 bhbnhb.exe 2552 bthbhb.exe 2548 pjdjd.exe 2616 jdvdd.exe 2572 lxrllrf.exe 1764 bnttbt.exe 1144 5thttt.exe 1736 pjpvd.exe 1656 jvddv.exe 1472 5rrxxrr.exe 2240 btntnn.exe 1676 pdvvd.exe 2044 vpddj.exe 308 llffrrx.exe 2672 5xxfrxf.exe 2992 3ntbbh.exe 2596 9pdjp.exe 1008 vpvdj.exe -
resource yara_rule behavioral1/memory/1636-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1720-9-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1720-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2008-27-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2816-44-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3020-46-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1732-62-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2332-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2708-83-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2072-81-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2504-101-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2784-111-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2508-122-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3004-141-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2320-162-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2032-196-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2484-215-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2832-218-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1704-254-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1516-251-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2232-273-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/608-288-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1744-292-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1780-319-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2548-412-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2616-425-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1764-437-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1656-456-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2672-490-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2596-501-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2268-527-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2168-566-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2368-565-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2280-579-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1608-592-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2208-611-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2692-655-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2528-693-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2444-717-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/1388-743-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2992-780-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1756-787-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2852-794-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/288-809-0x00000000003A0000-0x00000000003CA000-memory.dmp upx behavioral1/memory/2264-870-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2180-908-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2800-966-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2172-969-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/1056-999-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1948-1036-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/576-1073-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/892-1122-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1740-1135-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2532-1221-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpvjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btbbnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjvdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btbntb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhtnbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbtbhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7dppd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5xffffl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbthbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfxfffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrlrxlx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdppd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfrrrrf.exe 
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhtntb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxlrlfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1636 wrote to memory of 1720 1636 0887a98ad2e4c9016dc70d1946340294c1837e2a666407f17e3cc5c918980ea0.exe 28 PID 1636 wrote to memory of 1720 1636 0887a98ad2e4c9016dc70d1946340294c1837e2a666407f17e3cc5c918980ea0.exe 28 PID 1636 wrote to memory of 1720 1636 0887a98ad2e4c9016dc70d1946340294c1837e2a666407f17e3cc5c918980ea0.exe 28 PID 1636 wrote to memory of 1720 1636 0887a98ad2e4c9016dc70d1946340294c1837e2a666407f17e3cc5c918980ea0.exe 28 PID 1720 wrote to memory of 2008 1720 nhbthb.exe 29 PID 1720 wrote to memory of 2008 1720 nhbthb.exe 29 PID 1720 wrote to memory of 2008 1720 nhbthb.exe 29 PID 1720 wrote to memory of 2008 1720 nhbthb.exe 29 PID 2008 wrote to memory of 1660 2008 5dddj.exe 30 PID 2008 wrote to memory of 1660 2008 5dddj.exe 30 PID 2008 wrote to memory of 1660 2008 5dddj.exe 30 PID 2008 wrote to memory of 1660 2008 5dddj.exe 30 PID 1660 wrote to memory of 2816 1660 7hbhhn.exe 31 PID 1660 wrote to memory of 2816 1660 7hbhhn.exe 31 PID 1660 wrote to memory of 2816 1660 7hbhhn.exe 31 PID 1660 wrote to memory of 2816 1660 7hbhhn.exe 31 PID 2816 wrote to memory of 3020 2816 5dppv.exe 32 PID 2816 wrote to memory of 3020 2816 5dppv.exe 32 PID 2816 wrote to memory of 3020 2816 5dppv.exe 32 PID 2816 wrote to memory of 3020 2816 5dppv.exe 32 PID 3020 wrote to memory of 1732 3020 tttnbh.exe 33 PID 3020 wrote to memory of 1732 3020 tttnbh.exe 33 PID 3020 wrote to memory of 1732 3020 tttnbh.exe 33 PID 3020 wrote to memory of 1732 3020 tttnbh.exe 33 PID 1732 wrote to memory of 2332 1732 1pvpv.exe 34 PID 1732 wrote to memory of 2332 1732 1pvpv.exe 34 PID 1732 wrote to memory of 2332 1732 1pvpv.exe 34 PID 1732 wrote to memory of 2332 1732 1pvpv.exe 34 PID 2332 wrote to memory of 2072 2332 5frrxrf.exe 35 PID 2332 wrote to memory of 2072 2332 5frrxrf.exe 35 PID 2332 wrote to memory of 2072 2332 5frrxrf.exe 35 PID 2332 wrote to memory of 2072 2332 5frrxrf.exe 35 PID 2072 wrote to memory of 2708 2072 htbnnb.exe 36 PID 2072 wrote to 
memory of 2708 2072 htbnnb.exe 36 PID 2072 wrote to memory of 2708 2072 htbnnb.exe 36 PID 2072 wrote to memory of 2708 2072 htbnnb.exe 36 PID 2708 wrote to memory of 2504 2708 3lfrrrr.exe 37 PID 2708 wrote to memory of 2504 2708 3lfrrrr.exe 37 PID 2708 wrote to memory of 2504 2708 3lfrrrr.exe 37 PID 2708 wrote to memory of 2504 2708 3lfrrrr.exe 37 PID 2504 wrote to memory of 2784 2504 rfrrrrf.exe 38 PID 2504 wrote to memory of 2784 2504 rfrrrrf.exe 38 PID 2504 wrote to memory of 2784 2504 rfrrrrf.exe 38 PID 2504 wrote to memory of 2784 2504 rfrrrrf.exe 38 PID 2784 wrote to memory of 2660 2784 lfrlrrf.exe 39 PID 2784 wrote to memory of 2660 2784 lfrlrrf.exe 39 PID 2784 wrote to memory of 2660 2784 lfrlrrf.exe 39 PID 2784 wrote to memory of 2660 2784 lfrlrrf.exe 39 PID 2660 wrote to memory of 2508 2660 htbhnh.exe 40 PID 2660 wrote to memory of 2508 2660 htbhnh.exe 40 PID 2660 wrote to memory of 2508 2660 htbhnh.exe 40 PID 2660 wrote to memory of 2508 2660 htbhnh.exe 40 PID 2508 wrote to memory of 2976 2508 rlxlllr.exe 41 PID 2508 wrote to memory of 2976 2508 rlxlllr.exe 41 PID 2508 wrote to memory of 2976 2508 rlxlllr.exe 41 PID 2508 wrote to memory of 2976 2508 rlxlllr.exe 41 PID 2976 wrote to memory of 3004 2976 9lrxxxx.exe 42 PID 2976 wrote to memory of 3004 2976 9lrxxxx.exe 42 PID 2976 wrote to memory of 3004 2976 9lrxxxx.exe 42 PID 2976 wrote to memory of 3004 2976 9lrxxxx.exe 42 PID 3004 wrote to memory of 1224 3004 5jjpd.exe 43 PID 3004 wrote to memory of 1224 3004 5jjpd.exe 43 PID 3004 wrote to memory of 1224 3004 5jjpd.exe 43 PID 3004 wrote to memory of 1224 3004 5jjpd.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\0887a98ad2e4c9016dc70d1946340294c1837e2a666407f17e3cc5c918980ea0.exe"C:\Users\Admin\AppData\Local\Temp\0887a98ad2e4c9016dc70d1946340294c1837e2a666407f17e3cc5c918980ea0.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1636 -
\??\c:\nhbthb.exec:\nhbthb.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1720 -
\??\c:\5dddj.exec:\5dddj.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2008 -
\??\c:\7hbhhn.exec:\7hbhhn.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1660 -
\??\c:\5dppv.exec:\5dppv.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2816 -
\??\c:\tttnbh.exec:\tttnbh.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3020 -
\??\c:\1pvpv.exec:\1pvpv.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1732 -
\??\c:\5frrxrf.exec:\5frrxrf.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2332 -
\??\c:\htbnnb.exec:\htbnnb.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2072 -
\??\c:\3lfrrrr.exec:\3lfrrrr.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2708 -
\??\c:\rfrrrrf.exec:\rfrrrrf.exe11⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2504 -
\??\c:\lfrlrrf.exec:\lfrlrrf.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2784 -
\??\c:\htbhnh.exec:\htbhnh.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2660 -
\??\c:\rlxlllr.exec:\rlxlllr.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2508 -
\??\c:\9lrxxxx.exec:\9lrxxxx.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2976 -
\??\c:\5jjpd.exec:\5jjpd.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3004 -
\??\c:\xxlxllx.exec:\xxlxllx.exe17⤵
- Executes dropped EXE
PID:1224 -
\??\c:\5jvjp.exec:\5jvjp.exe18⤵
- Executes dropped EXE
PID:2320 -
\??\c:\flllrrl.exec:\flllrrl.exe19⤵
- Executes dropped EXE
PID:1996 -
\??\c:\vjvdj.exec:\vjvdj.exe20⤵
- Executes dropped EXE
PID:1808 -
\??\c:\lfrxlfr.exec:\lfrxlfr.exe21⤵
- Executes dropped EXE
PID:2032 -
\??\c:\hbntnt.exec:\hbntnt.exe22⤵
- Executes dropped EXE
PID:2756 -
\??\c:\1rxflrr.exec:\1rxflrr.exe23⤵
- Executes dropped EXE
PID:2484 -
\??\c:\1nhnhn.exec:\1nhnhn.exe24⤵
- Executes dropped EXE
PID:2832 -
\??\c:\dvjdd.exec:\dvjdd.exe25⤵
- Executes dropped EXE
PID:2840 -
\??\c:\nhtbnt.exec:\nhtbnt.exe26⤵
- Executes dropped EXE
PID:544 -
\??\c:\ddpdj.exec:\ddpdj.exe27⤵
- Executes dropped EXE
PID:1516 -
\??\c:\nhtbhh.exec:\nhtbhh.exe28⤵
- Executes dropped EXE
PID:1704 -
\??\c:\nbtnth.exec:\nbtnth.exe29⤵
- Executes dropped EXE
PID:1540 -
\??\c:\rlrrflr.exec:\rlrrflr.exe30⤵
- Executes dropped EXE
PID:2232 -
\??\c:\nhbttt.exec:\nhbttt.exe31⤵
- Executes dropped EXE
PID:608 -
\??\c:\lfllrlx.exec:\lfllrlx.exe32⤵
- Executes dropped EXE
PID:1744 -
\??\c:\frllrlr.exec:\frllrlr.exe33⤵
- Executes dropped EXE
PID:2084 -
\??\c:\btbhnt.exec:\btbhnt.exe34⤵
- Executes dropped EXE
PID:1720 -
\??\c:\lfrrxff.exec:\lfrrxff.exe35⤵
- Executes dropped EXE
PID:2272 -
\??\c:\nnbhnh.exec:\nnbhnh.exe36⤵
- Executes dropped EXE
PID:1780 -
\??\c:\3dppp.exec:\3dppp.exe37⤵
- Executes dropped EXE
PID:1828 -
\??\c:\vjpjv.exec:\vjpjv.exe38⤵
- Executes dropped EXE
PID:2944 -
\??\c:\9lffrll.exec:\9lffrll.exe39⤵
- Executes dropped EXE
PID:3032 -
\??\c:\hbnntt.exec:\hbnntt.exe40⤵
- Executes dropped EXE
PID:3028 -
\??\c:\btntnn.exec:\btntnn.exe41⤵
- Executes dropped EXE
PID:2248 -
\??\c:\vjpvd.exec:\vjpvd.exe42⤵
- Executes dropped EXE
PID:2680 -
\??\c:\rlrrxfl.exec:\rlrrxfl.exe43⤵
- Executes dropped EXE
PID:2604 -
\??\c:\5tnnnn.exec:\5tnnnn.exe44⤵
- Executes dropped EXE
PID:2588 -
\??\c:\hhbbnh.exec:\hhbbnh.exe45⤵
- Executes dropped EXE
PID:2648 -
\??\c:\vpjpv.exec:\vpjpv.exe46⤵
- Executes dropped EXE
PID:2620 -
\??\c:\lfrxxfr.exec:\lfrxxfr.exe47⤵
- Executes dropped EXE
PID:2364 -
\??\c:\bhbnhb.exec:\bhbnhb.exe48⤵
- Executes dropped EXE
PID:2632 -
\??\c:\bthbhb.exec:\bthbhb.exe49⤵
- Executes dropped EXE
PID:2552 -
\??\c:\pjdjd.exec:\pjdjd.exe50⤵
- Executes dropped EXE
PID:2548 -
\??\c:\jdvdd.exec:\jdvdd.exe51⤵
- Executes dropped EXE
PID:2616 -
\??\c:\lxrllrf.exec:\lxrllrf.exe52⤵
- Executes dropped EXE
PID:2572 -
\??\c:\bnttbt.exec:\bnttbt.exe53⤵
- Executes dropped EXE
PID:1764 -
\??\c:\5thttt.exec:\5thttt.exe54⤵
- Executes dropped EXE
PID:1144 -
\??\c:\pjpvd.exec:\pjpvd.exe55⤵
- Executes dropped EXE
PID:1736 -
\??\c:\jvddv.exec:\jvddv.exe56⤵
- Executes dropped EXE
PID:1656 -
\??\c:\5rrxxrr.exec:\5rrxxrr.exe57⤵
- Executes dropped EXE
PID:1472 -
\??\c:\btntnn.exec:\btntnn.exe58⤵
- Executes dropped EXE
PID:2240 -
\??\c:\pdvvd.exec:\pdvvd.exe59⤵
- Executes dropped EXE
PID:1676 -
\??\c:\vpddj.exec:\vpddj.exe60⤵
- Executes dropped EXE
PID:2044 -
\??\c:\llffrrx.exec:\llffrrx.exe61⤵
- Executes dropped EXE
PID:308 -
\??\c:\5xxfrxf.exec:\5xxfrxf.exe62⤵
- Executes dropped EXE
PID:2672 -
\??\c:\3ntbbh.exec:\3ntbbh.exe63⤵
- Executes dropped EXE
PID:2992 -
\??\c:\9pdjp.exec:\9pdjp.exe64⤵
- Executes dropped EXE
PID:2596 -
\??\c:\vpvdj.exec:\vpvdj.exe65⤵
- Executes dropped EXE
PID:1008 -
\??\c:\frxxlfl.exec:\frxxlfl.exe66⤵PID:2348
-
\??\c:\bthhtb.exec:\bthhtb.exe67⤵PID:596
-
\??\c:\bhtbhn.exec:\bhtbhn.exe68⤵PID:2268
-
\??\c:\jdpdd.exec:\jdpdd.exe69⤵PID:916
-
\??\c:\3xrrxff.exec:\3xrrxff.exe70⤵PID:1704
-
\??\c:\1htttt.exec:\1htttt.exe71⤵PID:1100
-
\??\c:\7tttnn.exec:\7tttnn.exe72⤵PID:1256
-
\??\c:\dvpvv.exec:\dvpvv.exe73⤵PID:2368
-
\??\c:\flfxrlr.exec:\flfxrlr.exe74⤵PID:2168
-
\??\c:\lrflflf.exec:\lrflflf.exe75⤵PID:2080
-
\??\c:\nhhntt.exec:\nhhntt.exe76⤵PID:2280
-
\??\c:\dvjpj.exec:\dvjpj.exe77⤵PID:2252
-
\??\c:\5vvpv.exec:\5vvpv.exe78⤵PID:1608
-
\??\c:\1lflrlr.exec:\1lflrlr.exe79⤵PID:1652
-
\??\c:\hnbttt.exec:\hnbttt.exe80⤵PID:2208
-
\??\c:\5nhnhh.exec:\5nhnhh.exe81⤵PID:2956
-
\??\c:\vvppj.exec:\vvppj.exe82⤵PID:2948
-
\??\c:\lrfxrrf.exec:\lrfxrrf.exe83⤵PID:3032
-
\??\c:\rfrrfxl.exec:\rfrrfxl.exe84⤵PID:3020
-
\??\c:\hbtbnn.exec:\hbtbnn.exe85⤵PID:1732
-
\??\c:\vpjvd.exec:\vpjvd.exe86⤵PID:1548
-
\??\c:\pvpdp.exec:\pvpdp.exe87⤵PID:2696
-
\??\c:\frlrxxx.exec:\frlrxxx.exe88⤵PID:2692
-
\??\c:\bbtbnn.exec:\bbtbnn.exe89⤵PID:2712
-
\??\c:\ddpdj.exec:\ddpdj.exe90⤵PID:2104
-
\??\c:\9ppvv.exec:\9ppvv.exe91⤵PID:2584
-
\??\c:\7lxxfrl.exec:\7lxxfrl.exe92⤵PID:860
-
\??\c:\llllxrx.exec:\llllxrx.exe93⤵PID:2500
-
\??\c:\bttbnh.exec:\bttbnh.exe94⤵PID:2528
-
\??\c:\jvddj.exec:\jvddj.exe95⤵PID:2980
-
\??\c:\9jjdd.exec:\9jjdd.exe96⤵PID:2976
-
\??\c:\5xlrrrx.exec:\5xlrrrx.exe97⤵PID:2444
-
\??\c:\tthnhh.exec:\tthnhh.exe98⤵PID:1080
-
\??\c:\3tbthh.exec:\3tbthh.exe99⤵PID:1224
-
\??\c:\3dppv.exec:\3dppv.exe100⤵PID:1252
-
\??\c:\dvjjv.exec:\dvjjv.exe101⤵PID:1524
-
\??\c:\xrlrrlr.exec:\xrlrrlr.exe102⤵PID:1388
-
\??\c:\tnhtnb.exec:\tnhtnb.exe103⤵PID:2040
-
\??\c:\hhbbhb.exec:\hhbbhb.exe104⤵PID:1992
-
\??\c:\5jdjj.exec:\5jdjj.exe105⤵PID:2780
-
\??\c:\rflfllx.exec:\rflfllx.exe106⤵PID:2828
-
\??\c:\xlxxllx.exec:\xlxxllx.exe107⤵PID:2884
-
\??\c:\hhtbhh.exec:\hhtbhh.exe108⤵PID:2992
-
\??\c:\thnnbb.exec:\thnnbb.exe109⤵PID:1756
-
\??\c:\5jjjj.exec:\5jjjj.exe110⤵PID:2852
-
\??\c:\rfllrlr.exec:\rfllrlr.exe111⤵PID:1672
-
\??\c:\nhnhtb.exec:\nhnhtb.exe112⤵PID:288
-
\??\c:\ttnnbb.exec:\ttnnbb.exe113⤵PID:544
-
\??\c:\jdppv.exec:\jdppv.exe114⤵PID:2920
-
\??\c:\1xxxflx.exec:\1xxxflx.exe115⤵PID:1540
-
\??\c:\rrflrxl.exec:\rrflrxl.exe116⤵PID:1084
-
\??\c:\tnhnbb.exec:\tnhnbb.exe117⤵PID:2216
-
\??\c:\tntbhh.exec:\tntbhh.exe118⤵PID:1708
-
\??\c:\ddvjp.exec:\ddvjp.exe119⤵PID:1868
-
\??\c:\fxffllx.exec:\fxffllx.exe120⤵PID:2080
-
\??\c:\nhthbb.exec:\nhthbb.exe121⤵PID:2304
-
\??\c:\nhbhtb.exec:\nhbhtb.exe122⤵PID:2264