Analysis
-
max time kernel
120s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
25-12-2024 21:03
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
2138cb5347bb09a628385296eb214592c6aa07b17ed19d75cce6e3f9cf4318d2.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
120 seconds
General
-
Target
2138cb5347bb09a628385296eb214592c6aa07b17ed19d75cce6e3f9cf4318d2.exe
-
Size
453KB
-
MD5
826da557ee188a7d9dd44b7cef36d42f
-
SHA1
210866eac5ebf2569c6e403484f990f8b17ef7aa
-
SHA256
2138cb5347bb09a628385296eb214592c6aa07b17ed19d75cce6e3f9cf4318d2
-
SHA512
236dd1be386fb737724d4f7fda08866c2138a014a8978ce7b972659bea581f9057978158ae452d653171c658975da080b719e2044edfbe7e130fa6552d6c8285
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeR:q7Tc2NYHUrAwfMp3CDR
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 46 IoCs
resource yara_rule behavioral1/memory/1860-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2580-16-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/308-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2332-25-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2736-38-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2988-48-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2840-57-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2632-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2780-77-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2632-71-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/1444-85-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2708-105-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1796-96-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1444-91-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1632-115-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2024-123-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2824-135-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1752-153-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1764-221-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1260-256-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1768-285-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/1600-308-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1028-321-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/1028-322-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2764-335-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2112-336-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2888-364-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2188-392-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2672-407-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2728-406-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2928-420-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2824-425-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/588-456-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2108-463-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/1556-510-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2448-523-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/1556-530-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1664-538-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2696-596-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2788-603-0x0000000000350000-0x000000000037A000-memory.dmp family_blackmoon behavioral1/memory/2712-610-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2868-637-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2024-696-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/568-722-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2208-741-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1736-828-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2580 1nbbhn.exe 2332 ddppj.exe 308 hbnthh.exe 2736 5djdp.exe 2988 7fxxflx.exe 2840 hhbhtn.exe 2632 llrrflf.exe 2780 nhnthb.exe 1444 rlxfllx.exe 1796 tnhbtt.exe 2708 7frxrxl.exe 1632 rlllrxf.exe 2024 pjjvp.exe 2824 7jvvp.exe 2016 jjppj.exe 1752 nttthh.exe 588 jdpvv.exe 1492 1lflflx.exe 764 ppjvp.exe 1296 rrlrfxr.exe 1044 hbbhhn.exe 1088 jjddp.exe 1764 nnnbbb.exe 1500 3ddvj.exe 1720 lfllxlr.exe 2480 ttnbnb.exe 1260 3jvdv.exe 2412 thbthh.exe 2076 5jpjj.exe 1736 1tnnbb.exe 1768 7vjvd.exe 1684 lfxxrff.exe 1600 ddpvv.exe 2356 fxxxrxf.exe 1028 rlxxffr.exe 2856 tnbhtt.exe 2764 3pddp.exe 2112 3vpjj.exe 2988 5frlrrx.exe 2640 nbhhnn.exe 2772 bnbbhh.exe 2888 vpjdd.exe 2680 3rxflfr.exe 2232 xrxxxff.exe 2188 tnbhnn.exe 2796 5djvp.exe 2728 dpjvp.exe 2672 xrfxfff.exe 2928 7fxfffl.exe 2824 hthnbb.exe 1748 dddjp.exe 1936 ffrxllx.exe 2052 htbbtt.exe 588 5pvvd.exe 2108 dvppv.exe 1032 3lfxxxx.exe 920 nnbntt.exe 3000 tnntnh.exe 1428 dpdjp.exe 956 rfxrxrx.exe 1880 1lxllrf.exe 1556 htbbhh.exe 1700 1vvvd.exe 2448 7xllllr.exe -
resource yara_rule behavioral1/memory/1860-0-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1860-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2580-16-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/308-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2332-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2736-38-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2840-57-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2632-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2780-77-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1444-85-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2708-105-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1796-96-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1632-115-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2024-123-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2824-135-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2024-129-0x00000000001B0000-0x00000000001DA000-memory.dmp upx behavioral1/memory/1752-153-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1764-219-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/1260-256-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1736-275-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1768-285-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1600-308-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1028-322-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2764-335-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2112-336-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2640-349-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2888-364-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2188-392-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2672-407-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2728-406-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2928-420-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2824-421-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1936-443-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/588-456-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1032-468-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/1428-487-0x00000000003A0000-0x00000000003CA000-memory.dmp upx behavioral1/memory/956-490-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1880-497-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1664-531-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1664-538-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1792-545-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2696-596-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2712-610-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2768-624-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2868-637-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1632-682-0x00000000001B0000-0x00000000001DA000-memory.dmp upx behavioral1/memory/2024-696-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/568-715-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/568-722-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2208-741-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2000-790-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1736-828-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1860-841-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1312-854-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnbhtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnbtbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5frrffl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbbbhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttbtbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7lxxrlr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdjjp.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrxxxff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfrrxxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlffrrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrxxffl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjdjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhnnnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvpdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9rrxrrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlxfxff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1jvvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htnntb.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhhnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hthhbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvpvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxrrflr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1fffflr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1860 wrote to memory of 2580 1860 2138cb5347bb09a628385296eb214592c6aa07b17ed19d75cce6e3f9cf4318d2.exe 30 PID 1860 wrote to memory of 2580 1860 2138cb5347bb09a628385296eb214592c6aa07b17ed19d75cce6e3f9cf4318d2.exe 30 PID 1860 wrote to memory of 2580 1860 2138cb5347bb09a628385296eb214592c6aa07b17ed19d75cce6e3f9cf4318d2.exe 30 PID 1860 wrote to memory of 2580 1860 2138cb5347bb09a628385296eb214592c6aa07b17ed19d75cce6e3f9cf4318d2.exe 30 PID 2580 wrote to memory of 2332 2580 1nbbhn.exe 31 PID 2580 wrote to memory of 2332 2580 1nbbhn.exe 31 PID 2580 wrote to memory of 2332 2580 1nbbhn.exe 31 PID 2580 wrote to memory of 2332 2580 1nbbhn.exe 31 PID 2332 wrote to memory of 308 2332 ddppj.exe 32 PID 2332 wrote to memory of 308 2332 ddppj.exe 32 PID 2332 wrote to memory of 308 2332 ddppj.exe 32 PID 2332 wrote to memory of 308 2332 ddppj.exe 32 PID 308 wrote to memory of 2736 308 hbnthh.exe 33 PID 308 wrote to memory of 2736 308 hbnthh.exe 33 PID 308 wrote to memory of 2736 308 hbnthh.exe 33 PID 308 wrote to memory of 2736 308 hbnthh.exe 33 PID 2736 wrote to memory of 2988 2736 5djdp.exe 34 PID 2736 wrote to memory of 2988 2736 5djdp.exe 34 PID 2736 wrote to memory of 2988 2736 5djdp.exe 34 PID 2736 wrote to memory of 2988 2736 5djdp.exe 34 PID 2988 wrote to memory of 2840 2988 7fxxflx.exe 35 PID 2988 wrote to memory of 2840 2988 7fxxflx.exe 35 PID 2988 wrote to memory of 2840 2988 7fxxflx.exe 35 PID 2988 wrote to memory of 2840 2988 7fxxflx.exe 35 PID 2840 wrote to memory of 2632 2840 hhbhtn.exe 36 PID 2840 wrote to memory of 2632 2840 hhbhtn.exe 36 PID 2840 wrote to memory of 2632 2840 hhbhtn.exe 36 PID 2840 wrote to memory of 2632 2840 hhbhtn.exe 36 PID 2632 wrote to memory of 2780 2632 llrrflf.exe 37 PID 2632 wrote to memory of 2780 2632 llrrflf.exe 37 PID 2632 wrote to memory of 2780 2632 llrrflf.exe 37 PID 2632 wrote to memory of 2780 2632 llrrflf.exe 37 PID 2780 wrote to memory of 1444 2780 nhnthb.exe 38 PID 2780 wrote to memory 
of 1444 2780 nhnthb.exe 38 PID 2780 wrote to memory of 1444 2780 nhnthb.exe 38 PID 2780 wrote to memory of 1444 2780 nhnthb.exe 38 PID 1444 wrote to memory of 1796 1444 rlxfllx.exe 39 PID 1444 wrote to memory of 1796 1444 rlxfllx.exe 39 PID 1444 wrote to memory of 1796 1444 rlxfllx.exe 39 PID 1444 wrote to memory of 1796 1444 rlxfllx.exe 39 PID 1796 wrote to memory of 2708 1796 tnhbtt.exe 40 PID 1796 wrote to memory of 2708 1796 tnhbtt.exe 40 PID 1796 wrote to memory of 2708 1796 tnhbtt.exe 40 PID 1796 wrote to memory of 2708 1796 tnhbtt.exe 40 PID 2708 wrote to memory of 1632 2708 7frxrxl.exe 41 PID 2708 wrote to memory of 1632 2708 7frxrxl.exe 41 PID 2708 wrote to memory of 1632 2708 7frxrxl.exe 41 PID 2708 wrote to memory of 1632 2708 7frxrxl.exe 41 PID 1632 wrote to memory of 2024 1632 rlllrxf.exe 42 PID 1632 wrote to memory of 2024 1632 rlllrxf.exe 42 PID 1632 wrote to memory of 2024 1632 rlllrxf.exe 42 PID 1632 wrote to memory of 2024 1632 rlllrxf.exe 42 PID 2024 wrote to memory of 2824 2024 pjjvp.exe 43 PID 2024 wrote to memory of 2824 2024 pjjvp.exe 43 PID 2024 wrote to memory of 2824 2024 pjjvp.exe 43 PID 2024 wrote to memory of 2824 2024 pjjvp.exe 43 PID 2824 wrote to memory of 2016 2824 7jvvp.exe 44 PID 2824 wrote to memory of 2016 2824 7jvvp.exe 44 PID 2824 wrote to memory of 2016 2824 7jvvp.exe 44 PID 2824 wrote to memory of 2016 2824 7jvvp.exe 44 PID 2016 wrote to memory of 1752 2016 jjppj.exe 45 PID 2016 wrote to memory of 1752 2016 jjppj.exe 45 PID 2016 wrote to memory of 1752 2016 jjppj.exe 45 PID 2016 wrote to memory of 1752 2016 jjppj.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\2138cb5347bb09a628385296eb214592c6aa07b17ed19d75cce6e3f9cf4318d2.exe"C:\Users\Admin\AppData\Local\Temp\2138cb5347bb09a628385296eb214592c6aa07b17ed19d75cce6e3f9cf4318d2.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1860 -
\??\c:\1nbbhn.exec:\1nbbhn.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2580 -
\??\c:\ddppj.exec:\ddppj.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2332 -
\??\c:\hbnthh.exec:\hbnthh.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:308 -
\??\c:\5djdp.exec:\5djdp.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2736 -
\??\c:\7fxxflx.exec:\7fxxflx.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2988 -
\??\c:\hhbhtn.exec:\hhbhtn.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2840 -
\??\c:\llrrflf.exec:\llrrflf.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2632 -
\??\c:\nhnthb.exec:\nhnthb.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2780 -
\??\c:\rlxfllx.exec:\rlxfllx.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1444 -
\??\c:\tnhbtt.exec:\tnhbtt.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1796 -
\??\c:\7frxrxl.exec:\7frxrxl.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2708 -
\??\c:\rlllrxf.exec:\rlllrxf.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1632 -
\??\c:\pjjvp.exec:\pjjvp.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2024 -
\??\c:\7jvvp.exec:\7jvvp.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2824 -
\??\c:\jjppj.exec:\jjppj.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2016 -
\??\c:\nttthh.exec:\nttthh.exe17⤵
- Executes dropped EXE
PID:1752 -
\??\c:\jdpvv.exec:\jdpvv.exe18⤵
- Executes dropped EXE
PID:588 -
\??\c:\1lflflx.exec:\1lflflx.exe19⤵
- Executes dropped EXE
PID:1492 -
\??\c:\ppjvp.exec:\ppjvp.exe20⤵
- Executes dropped EXE
PID:764 -
\??\c:\rrlrfxr.exec:\rrlrfxr.exe21⤵
- Executes dropped EXE
PID:1296 -
\??\c:\hbbhhn.exec:\hbbhhn.exe22⤵
- Executes dropped EXE
PID:1044 -
\??\c:\jjddp.exec:\jjddp.exe23⤵
- Executes dropped EXE
PID:1088 -
\??\c:\nnnbbb.exec:\nnnbbb.exe24⤵
- Executes dropped EXE
PID:1764 -
\??\c:\3ddvj.exec:\3ddvj.exe25⤵
- Executes dropped EXE
PID:1500 -
\??\c:\lfllxlr.exec:\lfllxlr.exe26⤵
- Executes dropped EXE
PID:1720 -
\??\c:\ttnbnb.exec:\ttnbnb.exe27⤵
- Executes dropped EXE
PID:2480 -
\??\c:\3jvdv.exec:\3jvdv.exe28⤵
- Executes dropped EXE
PID:1260 -
\??\c:\thbthh.exec:\thbthh.exe29⤵
- Executes dropped EXE
PID:2412 -
\??\c:\5jpjj.exec:\5jpjj.exe30⤵
- Executes dropped EXE
PID:2076 -
\??\c:\1tnnbb.exec:\1tnnbb.exe31⤵
- Executes dropped EXE
PID:1736 -
\??\c:\7vjvd.exec:\7vjvd.exe32⤵
- Executes dropped EXE
PID:1768 -
\??\c:\lfxxrff.exec:\lfxxrff.exe33⤵
- Executes dropped EXE
PID:1684 -
\??\c:\ddpvv.exec:\ddpvv.exe34⤵
- Executes dropped EXE
PID:1600 -
\??\c:\fxxxrxf.exec:\fxxxrxf.exe35⤵
- Executes dropped EXE
PID:2356 -
\??\c:\rlxxffr.exec:\rlxxffr.exe36⤵
- Executes dropped EXE
PID:1028 -
\??\c:\tnbhtt.exec:\tnbhtt.exe37⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2856 -
\??\c:\3pddp.exec:\3pddp.exe38⤵
- Executes dropped EXE
PID:2764 -
\??\c:\3vpjj.exec:\3vpjj.exe39⤵
- Executes dropped EXE
PID:2112 -
\??\c:\5frlrrx.exec:\5frlrrx.exe40⤵
- Executes dropped EXE
PID:2988 -
\??\c:\nbhhnn.exec:\nbhhnn.exe41⤵
- Executes dropped EXE
PID:2640 -
\??\c:\bnbbhh.exec:\bnbbhh.exe42⤵
- Executes dropped EXE
PID:2772 -
\??\c:\vpjdd.exec:\vpjdd.exe43⤵
- Executes dropped EXE
PID:2888 -
\??\c:\3rxflfr.exec:\3rxflfr.exe44⤵
- Executes dropped EXE
PID:2680 -
\??\c:\xrxxxff.exec:\xrxxxff.exe45⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2232 -
\??\c:\tnbhnn.exec:\tnbhnn.exe46⤵
- Executes dropped EXE
PID:2188 -
\??\c:\5djvp.exec:\5djvp.exe47⤵
- Executes dropped EXE
PID:2796 -
\??\c:\dpjvp.exec:\dpjvp.exe48⤵
- Executes dropped EXE
PID:2728 -
\??\c:\xrfxfff.exec:\xrfxfff.exe49⤵
- Executes dropped EXE
PID:2672 -
\??\c:\7fxfffl.exec:\7fxfffl.exe50⤵
- Executes dropped EXE
PID:2928 -
\??\c:\hthnbb.exec:\hthnbb.exe51⤵
- Executes dropped EXE
PID:2824 -
\??\c:\dddjp.exec:\dddjp.exe52⤵
- Executes dropped EXE
PID:1748 -
\??\c:\ffrxllx.exec:\ffrxllx.exe53⤵
- Executes dropped EXE
PID:1936 -
\??\c:\htbbtt.exec:\htbbtt.exe54⤵
- Executes dropped EXE
PID:2052 -
\??\c:\5pvvd.exec:\5pvvd.exe55⤵
- Executes dropped EXE
PID:588 -
\??\c:\dvppv.exec:\dvppv.exe56⤵
- Executes dropped EXE
PID:2108 -
\??\c:\3lfxxxx.exec:\3lfxxxx.exe57⤵
- Executes dropped EXE
PID:1032 -
\??\c:\nnbntt.exec:\nnbntt.exe58⤵
- Executes dropped EXE
PID:920 -
\??\c:\tnntnh.exec:\tnntnh.exe59⤵
- Executes dropped EXE
PID:3000 -
\??\c:\dpdjp.exec:\dpdjp.exe60⤵
- Executes dropped EXE
PID:1428 -
\??\c:\rfxrxrx.exec:\rfxrxrx.exe61⤵
- Executes dropped EXE
PID:956 -
\??\c:\1lxllrf.exec:\1lxllrf.exe62⤵
- Executes dropped EXE
PID:1880 -
\??\c:\htbbhh.exec:\htbbhh.exe63⤵
- Executes dropped EXE
PID:1556 -
\??\c:\1vvvd.exec:\1vvvd.exe64⤵
- Executes dropped EXE
PID:1700 -
\??\c:\7xllllr.exec:\7xllllr.exe65⤵
- Executes dropped EXE
PID:2448 -
\??\c:\3fxrrrr.exec:\3fxrrrr.exe66⤵PID:2480
-
\??\c:\nbbhnh.exec:\nbbhnh.exe67⤵PID:1664
-
\??\c:\dpjpd.exec:\dpjpd.exe68⤵PID:1336
-
\??\c:\3llrlff.exec:\3llrlff.exe69⤵PID:1792
-
\??\c:\rflfllr.exec:\rflfllr.exe70⤵PID:2076
-
\??\c:\bnhntt.exec:\bnhntt.exe71⤵PID:2556
-
\??\c:\jdvjp.exec:\jdvjp.exe72⤵PID:888
-
\??\c:\vvpjp.exec:\vvpjp.exe73⤵PID:2580
-
\??\c:\xllxfxx.exec:\xllxfxx.exe74⤵PID:1684
-
\??\c:\tntbnt.exec:\tntbnt.exe75⤵PID:3024
-
\??\c:\httthn.exec:\httthn.exe76⤵PID:2696
-
\??\c:\ddvdj.exec:\ddvdj.exe77⤵PID:2788
-
\??\c:\jpjjv.exec:\jpjjv.exe78⤵PID:2712
-
\??\c:\3lfxxrr.exec:\3lfxxrr.exe79⤵PID:2896
-
\??\c:\nbnhtn.exec:\nbnhtn.exe80⤵PID:2436
-
\??\c:\thhbbh.exec:\thhbbh.exe81⤵PID:2768
-
\??\c:\pjddp.exec:\pjddp.exe82⤵PID:2868
-
\??\c:\xrlxrxf.exec:\xrlxrxf.exe83⤵PID:2660
-
\??\c:\9lffxrf.exec:\9lffxrf.exe84⤵PID:2652
-
\??\c:\bbnntt.exec:\bbnntt.exe85⤵PID:2224
-
\??\c:\dpvvd.exec:\dpvvd.exe86⤵PID:2472
-
\??\c:\jvppv.exec:\jvppv.exe87⤵PID:560
-
\??\c:\rlxxlfr.exec:\rlxxlfr.exe88⤵PID:1796
-
\??\c:\1nbbhh.exec:\1nbbhh.exe89⤵PID:1632
-
\??\c:\hhhbnt.exec:\hhhbnt.exe90⤵PID:2836
-
\??\c:\3djdd.exec:\3djdd.exe91⤵PID:2024
-
\??\c:\fxxrrlr.exec:\fxxrrlr.exe92⤵PID:2928
-
\??\c:\9hnnnn.exec:\9hnnnn.exe93⤵PID:532
-
\??\c:\btnntn.exec:\btnntn.exe94⤵PID:1520
-
\??\c:\1vdjp.exec:\1vdjp.exe95⤵PID:568
-
\??\c:\ppdjv.exec:\ppdjv.exe96⤵PID:2116
-
\??\c:\lxrllll.exec:\lxrllll.exe97⤵PID:576
-
\??\c:\bthntn.exec:\bthntn.exe98⤵PID:2996
-
\??\c:\thnttt.exec:\thnttt.exe99⤵PID:2208
-
\??\c:\vjppp.exec:\vjppp.exe100⤵PID:2200
-
\??\c:\rrrfrxf.exec:\rrrfrxf.exe101⤵PID:2508
-
\??\c:\7lxxrlr.exec:\7lxxrlr.exe102⤵
- System Location Discovery: System Language Discovery
PID:1616 -
\??\c:\htntbb.exec:\htntbb.exe103⤵PID:1844
-
\??\c:\bntnnh.exec:\bntnnh.exe104⤵PID:956
-
\??\c:\7pddj.exec:\7pddj.exe105⤵PID:1880
-
\??\c:\xxlllrx.exec:\xxlllrx.exe106⤵PID:2004
-
\??\c:\llxrrxx.exec:\llxrrxx.exe107⤵PID:2000
-
\??\c:\9tntbb.exec:\9tntbb.exe108⤵PID:2172
-
\??\c:\bnhnhb.exec:\bnhnhb.exe109⤵PID:2956
-
\??\c:\jdpvj.exec:\jdpvj.exe110⤵PID:2412
-
\??\c:\3lrlrrr.exec:\3lrlrrr.exe111⤵PID:2520
-
\??\c:\7rffxff.exec:\7rffxff.exe112⤵PID:1956
-
\??\c:\3tnttt.exec:\3tnttt.exe113⤵PID:1736
-
\??\c:\jdjpj.exec:\jdjpj.exe114⤵PID:1056
-
\??\c:\vpjpp.exec:\vpjpp.exe115⤵PID:1860
-
\??\c:\3rrxllx.exec:\3rrxllx.exe116⤵PID:3012
-
\??\c:\frrlxxf.exec:\frrlxxf.exe117⤵PID:1312
-
\??\c:\5tnhnn.exec:\5tnhnn.exe118⤵PID:2968
-
\??\c:\jpvdv.exec:\jpvdv.exe119⤵PID:308
-
\??\c:\dpvvj.exec:\dpvvj.exe120⤵PID:2964
-
\??\c:\1htnbh.exec:\1htnbh.exe121⤵PID:2752
-
\??\c:\bnbbbb.exec:\bnbbbb.exe122⤵PID:2876