Analysis
-
max time kernel
120s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64 arch:x86 image:win7-20240729-en locale:en-us os:windows7-x64 system
submitted
26/12/2024, 21:54
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
f110b5dc2f035a848a635712291274140e4aaa7edcf7454a96c9c1136f3ebd45N.exe
Resource
win7-20240729-en
7 signatures
120 seconds
General
-
Target
f110b5dc2f035a848a635712291274140e4aaa7edcf7454a96c9c1136f3ebd45N.exe
-
Size
454KB
-
MD5
7cc502f989f0798313678c1cf6a34300
-
SHA1
af9a0d095778ab15757bb1867680fef820d394cb
-
SHA256
f110b5dc2f035a848a635712291274140e4aaa7edcf7454a96c9c1136f3ebd45
-
SHA512
5874cd7eb802f4fa72825f6405e81ee2bf5bf385041a9de07ac60c6ad56b052cc49aeb07666ead1091a24aa30ad72a2ef6acc1ac00e95dba7d1c41c7e40a86b4
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbePY:q7Tc2NYHUrAwfMp3CDPY
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 48 IoCs
resource yara_rule behavioral1/memory/2188-8-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2232-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2716-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2444-45-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1940-58-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3020-56-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3020-54-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2644-74-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2632-82-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2280-91-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1872-95-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2280-93-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/584-113-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2216-111-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/292-129-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2840-138-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1976-153-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/1976-150-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2932-148-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2452-170-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1636-168-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/1636-166-0x00000000002C0000-0x00000000002EA000-memory.dmp family_blackmoon behavioral1/memory/2452-178-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/2332-196-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2008-205-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2368-214-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/940-223-0x00000000002C0000-0x00000000002EA000-memory.dmp family_blackmoon behavioral1/memory/1664-298-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2808-343-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2644-372-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1240-400-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3064-399-0x00000000002C0000-0x00000000002EA000-memory.dmp family_blackmoon behavioral1/memory/1588-413-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2956-446-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1532-452-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/2320-467-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2372-486-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/380-558-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2164-578-0x00000000002A0000-0x00000000002CA000-memory.dmp family_blackmoon behavioral1/memory/2264-585-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2740-628-0x0000000000230000-0x000000000025A000-memory.dmp family_blackmoon behavioral1/memory/2076-773-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/1724-812-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2540-811-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2444-916-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/1532-1027-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/1636-1040-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/1636-1057-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2232 hbntnt.exe 2780 3tttnh.exe 2716 rrflflf.exe 2444 fxrxrxl.exe 3020 3tnbtb.exe 1940 jpjdj.exe 2644 llxfrxl.exe 2632 nnbhth.exe 2280 1frrflx.exe 1872 jjjjj.exe 2216 9xxxllr.exe 584 ddppd.exe 292 lflrxfr.exe 2840 ntthhb.exe 2932 rrrxflx.exe 1976 hhttbh.exe 1636 jjdpj.exe 2452 jjvdj.exe 340 7xrxxfr.exe 2332 vvdjp.exe 2008 fflxlxf.exe 2368 3djvj.exe 940 9lflxlr.exe 1432 pvjpj.exe 1700 lxlrxxl.exe 1608 djjvj.exe 2312 frfrlxf.exe 2252 vvpjp.exe 2492 lrllflx.exe 2508 rlflrxx.exe 1220 jdpjp.exe 1664 3xxfrlr.exe 2520 tntbhn.exe 2376 lllxrrf.exe 2184 frxflrx.exe 2732 ttbbnt.exe 3048 djppv.exe 2740 3rffffr.exe 2808 nhhhnn.exe 2748 nththt.exe 2988 xrxxxff.exe 2696 lrxflrx.exe 1980 thnnnt.exe 2644 vvdpp.exe 900 jjjjj.exe 2424 3llllfl.exe 3064 1nhhhn.exe 1240 ppjpj.exe 1588 jjppv.exe 1936 rlrlrrx.exe 2824 hhnbhn.exe 448 ddddv.exe 2948 rffxffx.exe 2956 xfllxxl.exe 1532 bnttbn.exe 536 djvdj.exe 1636 7frrrrr.exe 2320 ttthnt.exe 2024 nttbtb.exe 2372 vpdjv.exe 2488 1rfflxx.exe 2092 3nhntt.exe 856 hhtbnt.exe 1668 jvdpp.exe -
resource yara_rule behavioral1/memory/2232-9-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2188-8-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2232-13-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2780-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2232-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2716-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2444-45-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1940-58-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3020-56-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2632-82-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1872-95-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2280-93-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/584-113-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2216-111-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2840-130-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/292-129-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2840-138-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1976-150-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2932-148-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2452-170-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1636-168-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2332-196-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2008-205-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2368-214-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/1664-298-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2376-305-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3048-325-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2808-343-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2644-372-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1240-400-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1588-413-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2956-439-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2320-467-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2372-486-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/764-520-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/380-558-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2164-571-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2264-585-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2740-628-0x0000000000230000-0x000000000025A000-memory.dmp upx behavioral1/memory/2076-773-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1724-812-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2540-811-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/292-988-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1532-1027-0x00000000003C0000-0x00000000003EA000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llflrxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9bnhhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7dppv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdppv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3xlfffl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrrllll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttbbbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xfxrxlr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpddj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pppjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrxrrrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2188 wrote to memory of 2232 2188 f110b5dc2f035a848a635712291274140e4aaa7edcf7454a96c9c1136f3ebd45N.exe 30 PID 2188 wrote to memory of 2232 2188 f110b5dc2f035a848a635712291274140e4aaa7edcf7454a96c9c1136f3ebd45N.exe 30 PID 2188 wrote to memory of 2232 2188 f110b5dc2f035a848a635712291274140e4aaa7edcf7454a96c9c1136f3ebd45N.exe 30 PID 2188 wrote to memory of 2232 2188 f110b5dc2f035a848a635712291274140e4aaa7edcf7454a96c9c1136f3ebd45N.exe 30 PID 2232 wrote to memory of 2780 2232 hbntnt.exe 31 PID 2232 wrote to memory of 2780 2232 hbntnt.exe 31 PID 2232 wrote to memory of 2780 2232 hbntnt.exe 31 PID 2232 wrote to memory of 2780 2232 hbntnt.exe 31 PID 2780 wrote to memory of 2716 2780 3tttnh.exe 32 PID 2780 wrote to memory of 2716 2780 3tttnh.exe 32 PID 2780 wrote to memory of 2716 2780 3tttnh.exe 32 PID 2780 wrote to memory of 2716 2780 3tttnh.exe 32 PID 2716 wrote to memory of 2444 2716 rrflflf.exe 33 PID 2716 wrote to memory of 2444 2716 rrflflf.exe 33 PID 2716 wrote to memory of 2444 2716 rrflflf.exe 33 PID 2716 wrote to memory of 2444 2716 rrflflf.exe 33 PID 2444 wrote to memory of 3020 2444 fxrxrxl.exe 34 PID 2444 wrote to memory of 3020 2444 fxrxrxl.exe 34 PID 2444 wrote to memory of 3020 2444 fxrxrxl.exe 34 PID 2444 wrote to memory of 3020 2444 fxrxrxl.exe 34 PID 3020 wrote to memory of 1940 3020 3tnbtb.exe 35 PID 3020 wrote to memory of 1940 3020 3tnbtb.exe 35 PID 3020 wrote to memory of 1940 3020 3tnbtb.exe 35 PID 3020 wrote to memory of 1940 3020 3tnbtb.exe 35 PID 1940 wrote to memory of 2644 1940 jpjdj.exe 36 PID 1940 wrote to memory of 2644 1940 jpjdj.exe 36 PID 1940 wrote to memory of 2644 1940 jpjdj.exe 36 PID 1940 wrote to memory of 2644 1940 jpjdj.exe 36 PID 2644 wrote to memory of 2632 2644 llxfrxl.exe 37 PID 2644 wrote to memory of 2632 2644 llxfrxl.exe 37 PID 2644 wrote to memory of 2632 2644 llxfrxl.exe 37 PID 2644 wrote to memory of 2632 2644 llxfrxl.exe 37 PID 2632 wrote to memory of 2280 2632 nnbhth.exe 38 
PID 2632 wrote to memory of 2280 2632 nnbhth.exe 38 PID 2632 wrote to memory of 2280 2632 nnbhth.exe 38 PID 2632 wrote to memory of 2280 2632 nnbhth.exe 38 PID 2280 wrote to memory of 1872 2280 1frrflx.exe 39 PID 2280 wrote to memory of 1872 2280 1frrflx.exe 39 PID 2280 wrote to memory of 1872 2280 1frrflx.exe 39 PID 2280 wrote to memory of 1872 2280 1frrflx.exe 39 PID 1872 wrote to memory of 2216 1872 jjjjj.exe 40 PID 1872 wrote to memory of 2216 1872 jjjjj.exe 40 PID 1872 wrote to memory of 2216 1872 jjjjj.exe 40 PID 1872 wrote to memory of 2216 1872 jjjjj.exe 40 PID 2216 wrote to memory of 584 2216 9xxxllr.exe 41 PID 2216 wrote to memory of 584 2216 9xxxllr.exe 41 PID 2216 wrote to memory of 584 2216 9xxxllr.exe 41 PID 2216 wrote to memory of 584 2216 9xxxllr.exe 41 PID 584 wrote to memory of 292 584 ddppd.exe 42 PID 584 wrote to memory of 292 584 ddppd.exe 42 PID 584 wrote to memory of 292 584 ddppd.exe 42 PID 584 wrote to memory of 292 584 ddppd.exe 42 PID 292 wrote to memory of 2840 292 lflrxfr.exe 43 PID 292 wrote to memory of 2840 292 lflrxfr.exe 43 PID 292 wrote to memory of 2840 292 lflrxfr.exe 43 PID 292 wrote to memory of 2840 292 lflrxfr.exe 43 PID 2840 wrote to memory of 2932 2840 ntthhb.exe 44 PID 2840 wrote to memory of 2932 2840 ntthhb.exe 44 PID 2840 wrote to memory of 2932 2840 ntthhb.exe 44 PID 2840 wrote to memory of 2932 2840 ntthhb.exe 44 PID 2932 wrote to memory of 1976 2932 rrrxflx.exe 45 PID 2932 wrote to memory of 1976 2932 rrrxflx.exe 45 PID 2932 wrote to memory of 1976 2932 rrrxflx.exe 45 PID 2932 wrote to memory of 1976 2932 rrrxflx.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\f110b5dc2f035a848a635712291274140e4aaa7edcf7454a96c9c1136f3ebd45N.exe"C:\Users\Admin\AppData\Local\Temp\f110b5dc2f035a848a635712291274140e4aaa7edcf7454a96c9c1136f3ebd45N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2188 -
\??\c:\hbntnt.exec:\hbntnt.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2232 -
\??\c:\3tttnh.exec:\3tttnh.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2780 -
\??\c:\rrflflf.exec:\rrflflf.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2716 -
\??\c:\fxrxrxl.exec:\fxrxrxl.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2444 -
\??\c:\3tnbtb.exec:\3tnbtb.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3020 -
\??\c:\jpjdj.exec:\jpjdj.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1940 -
\??\c:\llxfrxl.exec:\llxfrxl.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2644 -
\??\c:\nnbhth.exec:\nnbhth.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2632 -
\??\c:\1frrflx.exec:\1frrflx.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2280 -
\??\c:\jjjjj.exec:\jjjjj.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1872 -
\??\c:\9xxxllr.exec:\9xxxllr.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2216 -
\??\c:\ddppd.exec:\ddppd.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:584 -
\??\c:\lflrxfr.exec:\lflrxfr.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:292 -
\??\c:\ntthhb.exec:\ntthhb.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2840 -
\??\c:\rrrxflx.exec:\rrrxflx.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2932 -
\??\c:\hhttbh.exec:\hhttbh.exe17⤵
- Executes dropped EXE
PID:1976 -
\??\c:\jjdpj.exec:\jjdpj.exe18⤵
- Executes dropped EXE
PID:1636 -
\??\c:\jjvdj.exec:\jjvdj.exe19⤵
- Executes dropped EXE
PID:2452 -
\??\c:\7xrxxfr.exec:\7xrxxfr.exe20⤵
- Executes dropped EXE
PID:340 -
\??\c:\vvdjp.exec:\vvdjp.exe21⤵
- Executes dropped EXE
PID:2332 -
\??\c:\fflxlxf.exec:\fflxlxf.exe22⤵
- Executes dropped EXE
PID:2008 -
\??\c:\3djvj.exec:\3djvj.exe23⤵
- Executes dropped EXE
PID:2368 -
\??\c:\9lflxlr.exec:\9lflxlr.exe24⤵
- Executes dropped EXE
PID:940 -
\??\c:\pvjpj.exec:\pvjpj.exe25⤵
- Executes dropped EXE
PID:1432 -
\??\c:\lxlrxxl.exec:\lxlrxxl.exe26⤵
- Executes dropped EXE
PID:1700 -
\??\c:\djjvj.exec:\djjvj.exe27⤵
- Executes dropped EXE
PID:1608 -
\??\c:\frfrlxf.exec:\frfrlxf.exe28⤵
- Executes dropped EXE
PID:2312 -
\??\c:\vvpjp.exec:\vvpjp.exe29⤵
- Executes dropped EXE
PID:2252 -
\??\c:\lrllflx.exec:\lrllflx.exe30⤵
- Executes dropped EXE
PID:2492 -
\??\c:\rlflrxx.exec:\rlflrxx.exe31⤵
- Executes dropped EXE
PID:2508 -
\??\c:\jdpjp.exec:\jdpjp.exe32⤵
- Executes dropped EXE
PID:1220 -
\??\c:\3xxfrlr.exec:\3xxfrlr.exe33⤵
- Executes dropped EXE
PID:1664 -
\??\c:\tntbhn.exec:\tntbhn.exe34⤵
- Executes dropped EXE
PID:2520 -
\??\c:\lllxrrf.exec:\lllxrrf.exe35⤵
- Executes dropped EXE
PID:2376 -
\??\c:\frxflrx.exec:\frxflrx.exe36⤵
- Executes dropped EXE
PID:2184 -
\??\c:\ttbbnt.exec:\ttbbnt.exe37⤵
- Executes dropped EXE
PID:2732 -
\??\c:\djppv.exec:\djppv.exe38⤵
- Executes dropped EXE
PID:3048 -
\??\c:\3rffffr.exec:\3rffffr.exe39⤵
- Executes dropped EXE
PID:2740 -
\??\c:\nhhhnn.exec:\nhhhnn.exe40⤵
- Executes dropped EXE
PID:2808 -
\??\c:\nththt.exec:\nththt.exe41⤵
- Executes dropped EXE
PID:2748 -
\??\c:\xrxxxff.exec:\xrxxxff.exe42⤵
- Executes dropped EXE
PID:2988 -
\??\c:\lrxflrx.exec:\lrxflrx.exe43⤵
- Executes dropped EXE
PID:2696 -
\??\c:\thnnnt.exec:\thnnnt.exe44⤵
- Executes dropped EXE
PID:1980 -
\??\c:\vvdpp.exec:\vvdpp.exe45⤵
- Executes dropped EXE
PID:2644 -
\??\c:\jjjjj.exec:\jjjjj.exe46⤵
- Executes dropped EXE
PID:900 -
\??\c:\3llllfl.exec:\3llllfl.exe47⤵
- Executes dropped EXE
PID:2424 -
\??\c:\1nhhhn.exec:\1nhhhn.exe48⤵
- Executes dropped EXE
PID:3064 -
\??\c:\ppjpj.exec:\ppjpj.exe49⤵
- Executes dropped EXE
PID:1240 -
\??\c:\jjppv.exec:\jjppv.exe50⤵
- Executes dropped EXE
PID:1588 -
\??\c:\rlrlrrx.exec:\rlrlrrx.exe51⤵
- Executes dropped EXE
PID:1936 -
\??\c:\hhnbhn.exec:\hhnbhn.exe52⤵
- Executes dropped EXE
PID:2824 -
\??\c:\ddddv.exec:\ddddv.exe53⤵
- Executes dropped EXE
PID:448 -
\??\c:\rffxffx.exec:\rffxffx.exe54⤵
- Executes dropped EXE
PID:2948 -
\??\c:\xfllxxl.exec:\xfllxxl.exe55⤵
- Executes dropped EXE
PID:2956 -
\??\c:\bnttbn.exec:\bnttbn.exe56⤵
- Executes dropped EXE
PID:1532 -
\??\c:\djvdj.exec:\djvdj.exe57⤵
- Executes dropped EXE
PID:536 -
\??\c:\7frrrrr.exec:\7frrrrr.exe58⤵
- Executes dropped EXE
PID:1636 -
\??\c:\ttthnt.exec:\ttthnt.exe59⤵
- Executes dropped EXE
PID:2320 -
\??\c:\nttbtb.exec:\nttbtb.exe60⤵
- Executes dropped EXE
PID:2024 -
\??\c:\vpdjv.exec:\vpdjv.exe61⤵
- Executes dropped EXE
PID:2372 -
\??\c:\1rfflxx.exec:\1rfflxx.exe62⤵
- Executes dropped EXE
PID:2488 -
\??\c:\3nhntt.exec:\3nhntt.exe63⤵
- Executes dropped EXE
PID:2092 -
\??\c:\hhtbnt.exec:\hhtbnt.exe64⤵
- Executes dropped EXE
PID:856 -
\??\c:\jvdpp.exec:\jvdpp.exe65⤵
- Executes dropped EXE
PID:1668 -
\??\c:\ffxxlrl.exec:\ffxxlrl.exe66⤵PID:940
-
\??\c:\tthbht.exec:\tthbht.exe67⤵PID:764
-
\??\c:\ddpdp.exec:\ddpdp.exe68⤵PID:2928
-
\??\c:\vddpd.exec:\vddpd.exe69⤵PID:1612
-
\??\c:\5frrxxf.exec:\5frrxxf.exe70⤵PID:1204
-
\??\c:\1bttbb.exec:\1bttbb.exe71⤵PID:2312
-
\??\c:\ddpdv.exec:\ddpdv.exe72⤵PID:380
-
\??\c:\djjpv.exec:\djjpv.exe73⤵PID:976
-
\??\c:\5fxflxl.exec:\5fxflxl.exe74⤵PID:1284
-
\??\c:\nnbbnt.exec:\nnbbnt.exe75⤵PID:2164
-
\??\c:\3djpv.exec:\3djpv.exe76⤵PID:2396
-
\??\c:\9jvdj.exec:\9jvdj.exe77⤵PID:2264
-
\??\c:\5fflflr.exec:\5fflflr.exe78⤵PID:2520
-
\??\c:\9bbnbb.exec:\9bbnbb.exe79⤵PID:1492
-
\??\c:\ttntnt.exec:\ttntnt.exe80⤵PID:2184
-
\??\c:\pdppv.exec:\pdppv.exe81⤵PID:1364
-
\??\c:\rxrrlrf.exec:\rxrrlrf.exe82⤵PID:3060
-
\??\c:\5xxxlrf.exec:\5xxxlrf.exe83⤵PID:2740
-
\??\c:\hhtbbh.exec:\hhtbbh.exe84⤵PID:2604
-
\??\c:\9vvdj.exec:\9vvdj.exe85⤵PID:2748
-
\??\c:\xxflxxf.exec:\xxflxxf.exe86⤵PID:2612
-
\??\c:\nnhtnt.exec:\nnhtnt.exe87⤵PID:1940
-
\??\c:\tthnnt.exec:\tthnnt.exe88⤵PID:2652
-
\??\c:\jjpjv.exec:\jjpjv.exe89⤵PID:1228
-
\??\c:\flfrflr.exec:\flfrflr.exe90⤵PID:1516
-
\??\c:\lrrfxlx.exec:\lrrfxlx.exe91⤵PID:1356
-
\??\c:\nbntht.exec:\nbntht.exe92⤵PID:3056
-
\??\c:\7jdjv.exec:\7jdjv.exe93⤵PID:1564
-
\??\c:\vjvjp.exec:\vjvjp.exe94⤵PID:1260
-
\??\c:\3fxflxl.exec:\3fxflxl.exe95⤵PID:1588
-
\??\c:\7tnbht.exec:\7tnbht.exe96⤵PID:1652
-
\??\c:\9bthnt.exec:\9bthnt.exe97⤵PID:2832
-
\??\c:\pjdpd.exec:\pjdpd.exe98⤵PID:448
-
\??\c:\rxxlfrl.exec:\rxxlfrl.exe99⤵PID:2940
-
\??\c:\lrlrflr.exec:\lrlrflr.exe100⤵PID:2932
-
\??\c:\nntbnt.exec:\nntbnt.exe101⤵PID:680
-
\??\c:\ddpvd.exec:\ddpvd.exe102⤵PID:332
-
\??\c:\vddjj.exec:\vddjj.exe103⤵PID:2328
-
\??\c:\xllrlfr.exec:\xllrlfr.exe104⤵PID:2452
-
\??\c:\httbht.exec:\httbht.exe105⤵PID:884
-
\??\c:\hbbntb.exec:\hbbntb.exe106⤵PID:2076
-
\??\c:\7jdpj.exec:\7jdpj.exe107⤵PID:1276
-
\??\c:\rrxllrf.exec:\rrxllrf.exe108⤵PID:1012
-
\??\c:\rrrlxfl.exec:\rrrlxfl.exe109⤵PID:1016
-
\??\c:\nnnnbn.exec:\nnnnbn.exe110⤵PID:1088
-
\??\c:\1jdjp.exec:\1jdjp.exe111⤵PID:824
-
\??\c:\xxrxflx.exec:\xxrxflx.exe112⤵PID:2540
-
\??\c:\xfxrxlr.exec:\xfxrxlr.exe113⤵
- System Location Discovery: System Language Discovery
PID:1724 -
\??\c:\nnhhtt.exec:\nnhhtt.exe114⤵PID:1676
-
\??\c:\vddjj.exec:\vddjj.exe115⤵PID:2272
-
\??\c:\jdjvj.exec:\jdjvj.exe116⤵PID:3052
-
\??\c:\llxflxf.exec:\llxflxf.exe117⤵PID:2224
-
\??\c:\3nhnhn.exec:\3nhnhn.exe118⤵PID:2212
-
\??\c:\dpdvj.exec:\dpdvj.exe119⤵PID:880
-
\??\c:\ffxfrxl.exec:\ffxfrxl.exe120⤵PID:544
-
\??\c:\7xlrxxl.exec:\7xlrxxl.exe121⤵PID:2148
-
\??\c:\nbtnbn.exec:\nbtnbn.exe122⤵PID:2532