Analysis
-
max time kernel
150s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64 arch:x86 image:win7-20240729-en locale:en-us os:windows7-x64 system -
submitted
26/12/2024, 22:01
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
80b3c31162699734c9e1845479a6fe369e74105d14f5a12706f0656a326d962b.exe
Resource
win7-20240729-en
7 signatures
150 seconds
General
-
Target
80b3c31162699734c9e1845479a6fe369e74105d14f5a12706f0656a326d962b.exe
-
Size
454KB
-
MD5
3924eb19bd5c7b2164c4345dd65e67b1
-
SHA1
7acc0f02067e34a48d1d0d558e963104ff951037
-
SHA256
80b3c31162699734c9e1845479a6fe369e74105d14f5a12706f0656a326d962b
-
SHA512
49a916105cfa1bb61247a5a72953b69e4c9565c324b9bbd3e41efee670443320ff0e4b4a5ae54fb4b79032150b460644e2cfac2f8fce3f44f2e7c4593e18099e
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeG:q7Tc2NYHUrAwfMp3CDG
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 54 IoCs
resource yara_rule behavioral1/memory/2500-10-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2112-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2472-31-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2756-49-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2636-53-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2636-60-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2984-71-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2592-88-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2204-107-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/676-116-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2864-125-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1440-133-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1960-145-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1960-140-0x00000000002B0000-0x00000000002DA000-memory.dmp family_blackmoon behavioral1/memory/2856-153-0x00000000002B0000-0x00000000002DA000-memory.dmp family_blackmoon behavioral1/memory/1668-170-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2632-181-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2148-191-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/640-204-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2036-245-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1548-252-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/1444-271-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1576-286-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/1576-288-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2952-296-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/1696-306-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2452-312-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2196-325-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2756-344-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2760-351-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2660-354-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/2612-378-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2996-386-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2872-406-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/2876-444-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2944-463-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1840-471-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1148-479-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2596-520-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3020-544-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/3020-546-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2448-586-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/1732-667-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2504-681-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/1652-811-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/2956-833-0x00000000002A0000-0x00000000002CA000-memory.dmp family_blackmoon behavioral1/memory/2688-885-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/2580-927-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2800-964-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2876-983-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2064-1048-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/808-1061-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1548-1074-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2616-1115-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2112 7htttt.exe 2472 hbbbnh.exe 1504 7xffrxl.exe 2756 5xlllrx.exe 2636 flrxxrx.exe 2772 3fxlrxl.exe 2984 1xrxflf.exe 2592 1fxflrr.exe 2588 jjdjd.exe 2204 7tnhtb.exe 676 xxrrrrr.exe 2864 tnhnht.exe 1440 lfllrrf.exe 1960 hhntnt.exe 2856 rrrlrlr.exe 1408 bhtthn.exe 1668 3frxfrr.exe 2632 tbhnbn.exe 2148 9xlfflx.exe 2264 htnntb.exe 640 nthhnn.exe 1624 3pdpd.exe 1068 bhbhtt.exe 1460 vdvjv.exe 2036 hhthtb.exe 1548 jdpjp.exe 3028 5tnnnn.exe 700 vjpvp.exe 1444 hbtbnb.exe 1576 nnhnth.exe 2952 hhttnn.exe 1696 1jvdj.exe 2452 tbhnnh.exe 2892 jdddv.exe 2196 lrxlrfl.exe 2660 bbbbbb.exe 1504 7btbnh.exe 2756 1vjjp.exe 2760 rlxxflx.exe 2784 btbttt.exe 2668 jdjdj.exe 2984 lfxxflx.exe 2612 hnthht.exe 2996 tnhnbh.exe 2484 9vpvd.exe 2204 rrffxlx.exe 2872 7ntntt.exe 2016 pvjpj.exe 1184 xfxxlxl.exe 2380 hhhbbb.exe 2852 hnnttt.exe 1628 vdvdp.exe 2876 xffflll.exe 1448 nhhnnn.exe 2176 3dvdv.exe 2944 xxlrxfx.exe 1840 fffflfx.exe 1148 7thbbh.exe 496 7pvdd.exe 1608 3rflffl.exe 2240 hnhntt.exe 2208 vvpdd.exe 1780 dvjvd.exe 1536 fxlfllr.exe -
resource yara_rule behavioral1/memory/2500-10-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2112-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2112-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2472-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2756-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2636-60-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2984-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2592-88-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2204-107-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/676-116-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2864-125-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1440-133-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1960-145-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1668-170-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2148-191-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/640-204-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2036-245-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1548-252-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1444-271-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1576-288-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1696-306-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2452-312-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2196-325-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2756-344-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2612-378-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2996-386-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2872-406-0x00000000003C0000-0x00000000003EA000-memory.dmp upx behavioral1/memory/2876-444-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2944-463-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1840-471-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1148-479-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/496-486-0x00000000001C0000-0x00000000001EA000-memory.dmp upx behavioral1/memory/2596-520-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3020-544-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/3020-546-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2448-586-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1732-667-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1892-682-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1892-689-0x0000000000430000-0x000000000045A000-memory.dmp upx behavioral1/memory/2372-804-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2956-833-0x00000000002A0000-0x00000000002CA000-memory.dmp upx behavioral1/memory/2688-885-0x00000000003B0000-0x00000000003DA000-memory.dmp upx behavioral1/memory/2580-927-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2800-964-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2876-983-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2064-1048-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/808-1061-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/1548-1074-0x0000000000220000-0x000000000024A000-memory.dmp upx 
behavioral1/memory/2616-1115-0x0000000000320000-0x000000000034A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvdjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nthhhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrxffxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrxrrxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hthnbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3rlrrxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvdjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnnntn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
pvjpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7xllrxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1vjjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llxxllr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvddj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnnttt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5nhnbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2500 wrote to memory of 2112 2500 80b3c31162699734c9e1845479a6fe369e74105d14f5a12706f0656a326d962b.exe 31 PID 2500 wrote to memory of 2112 2500 80b3c31162699734c9e1845479a6fe369e74105d14f5a12706f0656a326d962b.exe 31 PID 2500 wrote to memory of 2112 2500 80b3c31162699734c9e1845479a6fe369e74105d14f5a12706f0656a326d962b.exe 31 PID 2500 wrote to memory of 2112 2500 80b3c31162699734c9e1845479a6fe369e74105d14f5a12706f0656a326d962b.exe 31 PID 2112 wrote to memory of 2472 2112 7htttt.exe 32 PID 2112 wrote to memory of 2472 2112 7htttt.exe 32 PID 2112 wrote to memory of 2472 2112 7htttt.exe 32 PID 2112 wrote to memory of 2472 2112 7htttt.exe 32 PID 2472 wrote to memory of 1504 2472 hbbbnh.exe 33 PID 2472 wrote to memory of 1504 2472 hbbbnh.exe 33 PID 2472 wrote to memory of 1504 2472 hbbbnh.exe 33 PID 2472 wrote to memory of 1504 2472 hbbbnh.exe 33 PID 1504 wrote to memory of 2756 1504 7xffrxl.exe 34 PID 1504 wrote to memory of 2756 1504 7xffrxl.exe 34 PID 1504 wrote to memory of 2756 1504 7xffrxl.exe 34 PID 1504 wrote to memory of 2756 1504 7xffrxl.exe 34 PID 2756 wrote to memory of 2636 2756 5xlllrx.exe 35 PID 2756 wrote to memory of 2636 2756 5xlllrx.exe 35 PID 2756 wrote to memory of 2636 2756 5xlllrx.exe 35 PID 2756 wrote to memory of 2636 2756 5xlllrx.exe 35 PID 2636 wrote to memory of 2772 2636 flrxxrx.exe 36 PID 2636 wrote to memory of 2772 2636 flrxxrx.exe 36 PID 2636 wrote to memory of 2772 2636 flrxxrx.exe 36 PID 2636 wrote to memory of 2772 2636 flrxxrx.exe 36 PID 2772 wrote to memory of 2984 2772 3fxlrxl.exe 37 PID 2772 wrote to memory of 2984 2772 3fxlrxl.exe 37 PID 2772 wrote to memory of 2984 2772 3fxlrxl.exe 37 PID 2772 wrote to memory of 2984 2772 3fxlrxl.exe 37 PID 2984 wrote to memory of 2592 2984 1xrxflf.exe 38 PID 2984 wrote to memory of 2592 2984 1xrxflf.exe 38 PID 2984 wrote to memory of 2592 2984 1xrxflf.exe 38 PID 2984 wrote to memory of 2592 2984 1xrxflf.exe 38 PID 2592 wrote to memory of 2588 2592 
1fxflrr.exe 39 PID 2592 wrote to memory of 2588 2592 1fxflrr.exe 39 PID 2592 wrote to memory of 2588 2592 1fxflrr.exe 39 PID 2592 wrote to memory of 2588 2592 1fxflrr.exe 39 PID 2588 wrote to memory of 2204 2588 jjdjd.exe 40 PID 2588 wrote to memory of 2204 2588 jjdjd.exe 40 PID 2588 wrote to memory of 2204 2588 jjdjd.exe 40 PID 2588 wrote to memory of 2204 2588 jjdjd.exe 40 PID 2204 wrote to memory of 676 2204 7tnhtb.exe 41 PID 2204 wrote to memory of 676 2204 7tnhtb.exe 41 PID 2204 wrote to memory of 676 2204 7tnhtb.exe 41 PID 2204 wrote to memory of 676 2204 7tnhtb.exe 41 PID 676 wrote to memory of 2864 676 xxrrrrr.exe 42 PID 676 wrote to memory of 2864 676 xxrrrrr.exe 42 PID 676 wrote to memory of 2864 676 xxrrrrr.exe 42 PID 676 wrote to memory of 2864 676 xxrrrrr.exe 42 PID 2864 wrote to memory of 1440 2864 tnhnht.exe 43 PID 2864 wrote to memory of 1440 2864 tnhnht.exe 43 PID 2864 wrote to memory of 1440 2864 tnhnht.exe 43 PID 2864 wrote to memory of 1440 2864 tnhnht.exe 43 PID 1440 wrote to memory of 1960 1440 lfllrrf.exe 44 PID 1440 wrote to memory of 1960 1440 lfllrrf.exe 44 PID 1440 wrote to memory of 1960 1440 lfllrrf.exe 44 PID 1440 wrote to memory of 1960 1440 lfllrrf.exe 44 PID 1960 wrote to memory of 2856 1960 hhntnt.exe 45 PID 1960 wrote to memory of 2856 1960 hhntnt.exe 45 PID 1960 wrote to memory of 2856 1960 hhntnt.exe 45 PID 1960 wrote to memory of 2856 1960 hhntnt.exe 45 PID 2856 wrote to memory of 1408 2856 rrrlrlr.exe 46 PID 2856 wrote to memory of 1408 2856 rrrlrlr.exe 46 PID 2856 wrote to memory of 1408 2856 rrrlrlr.exe 46 PID 2856 wrote to memory of 1408 2856 rrrlrlr.exe 46
Processes
-
C:\Users\Admin\AppData\Local\Temp\80b3c31162699734c9e1845479a6fe369e74105d14f5a12706f0656a326d962b.exe"C:\Users\Admin\AppData\Local\Temp\80b3c31162699734c9e1845479a6fe369e74105d14f5a12706f0656a326d962b.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2500 -
\??\c:\7htttt.exec:\7htttt.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2112 -
\??\c:\hbbbnh.exec:\hbbbnh.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2472 -
\??\c:\7xffrxl.exec:\7xffrxl.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1504 -
\??\c:\5xlllrx.exec:\5xlllrx.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2756 -
\??\c:\flrxxrx.exec:\flrxxrx.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2636 -
\??\c:\3fxlrxl.exec:\3fxlrxl.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2772 -
\??\c:\1xrxflf.exec:\1xrxflf.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2984 -
\??\c:\1fxflrr.exec:\1fxflrr.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2592 -
\??\c:\jjdjd.exec:\jjdjd.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2588 -
\??\c:\7tnhtb.exec:\7tnhtb.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2204 -
\??\c:\xxrrrrr.exec:\xxrrrrr.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:676 -
\??\c:\tnhnht.exec:\tnhnht.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2864 -
\??\c:\lfllrrf.exec:\lfllrrf.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1440 -
\??\c:\hhntnt.exec:\hhntnt.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1960 -
\??\c:\rrrlrlr.exec:\rrrlrlr.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2856 -
\??\c:\bhtthn.exec:\bhtthn.exe17⤵
- Executes dropped EXE
PID:1408 -
\??\c:\3frxfrr.exec:\3frxfrr.exe18⤵
- Executes dropped EXE
PID:1668 -
\??\c:\tbhnbn.exec:\tbhnbn.exe19⤵
- Executes dropped EXE
PID:2632 -
\??\c:\9xlfflx.exec:\9xlfflx.exe20⤵
- Executes dropped EXE
PID:2148 -
\??\c:\htnntb.exec:\htnntb.exe21⤵
- Executes dropped EXE
PID:2264 -
\??\c:\nthhnn.exec:\nthhnn.exe22⤵
- Executes dropped EXE
PID:640 -
\??\c:\3pdpd.exec:\3pdpd.exe23⤵
- Executes dropped EXE
PID:1624 -
\??\c:\bhbhtt.exec:\bhbhtt.exe24⤵
- Executes dropped EXE
PID:1068 -
\??\c:\vdvjv.exec:\vdvjv.exe25⤵
- Executes dropped EXE
PID:1460 -
\??\c:\hhthtb.exec:\hhthtb.exe26⤵
- Executes dropped EXE
PID:2036 -
\??\c:\jdpjp.exec:\jdpjp.exe27⤵
- Executes dropped EXE
PID:1548 -
\??\c:\5tnnnn.exec:\5tnnnn.exe28⤵
- Executes dropped EXE
PID:3028 -
\??\c:\vjpvp.exec:\vjpvp.exe29⤵
- Executes dropped EXE
PID:700 -
\??\c:\hbtbnb.exec:\hbtbnb.exe30⤵
- Executes dropped EXE
PID:1444 -
\??\c:\nnhnth.exec:\nnhnth.exe31⤵
- Executes dropped EXE
PID:1576 -
\??\c:\hhttnn.exec:\hhttnn.exe32⤵
- Executes dropped EXE
PID:2952 -
\??\c:\1jvdj.exec:\1jvdj.exe33⤵
- Executes dropped EXE
PID:1696 -
\??\c:\tbhnnh.exec:\tbhnnh.exe34⤵
- Executes dropped EXE
PID:2452 -
\??\c:\jdddv.exec:\jdddv.exe35⤵
- Executes dropped EXE
PID:2892 -
\??\c:\lrxlrfl.exec:\lrxlrfl.exe36⤵
- Executes dropped EXE
PID:2196 -
\??\c:\bbbbbb.exec:\bbbbbb.exe37⤵
- Executes dropped EXE
PID:2660 -
\??\c:\7btbnh.exec:\7btbnh.exe38⤵
- Executes dropped EXE
PID:1504 -
\??\c:\1vjjp.exec:\1vjjp.exe39⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2756 -
\??\c:\rlxxflx.exec:\rlxxflx.exe40⤵
- Executes dropped EXE
PID:2760 -
\??\c:\btbttt.exec:\btbttt.exe41⤵
- Executes dropped EXE
PID:2784 -
\??\c:\jdjdj.exec:\jdjdj.exe42⤵
- Executes dropped EXE
PID:2668 -
\??\c:\lfxxflx.exec:\lfxxflx.exe43⤵
- Executes dropped EXE
PID:2984 -
\??\c:\hnthht.exec:\hnthht.exe44⤵
- Executes dropped EXE
PID:2612 -
\??\c:\tnhnbh.exec:\tnhnbh.exe45⤵
- Executes dropped EXE
PID:2996 -
\??\c:\9vpvd.exec:\9vpvd.exe46⤵
- Executes dropped EXE
PID:2484 -
\??\c:\rrffxlx.exec:\rrffxlx.exe47⤵
- Executes dropped EXE
PID:2204 -
\??\c:\7ntntt.exec:\7ntntt.exe48⤵
- Executes dropped EXE
PID:2872 -
\??\c:\pvjpj.exec:\pvjpj.exe49⤵
- Executes dropped EXE
PID:2016 -
\??\c:\xfxxlxl.exec:\xfxxlxl.exe50⤵
- Executes dropped EXE
PID:1184 -
\??\c:\hhhbbb.exec:\hhhbbb.exe51⤵
- Executes dropped EXE
PID:2380 -
\??\c:\hnnttt.exec:\hnnttt.exe52⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2852 -
\??\c:\vdvdp.exec:\vdvdp.exe53⤵
- Executes dropped EXE
PID:1628 -
\??\c:\xffflll.exec:\xffflll.exe54⤵
- Executes dropped EXE
PID:2876 -
\??\c:\nhhnnn.exec:\nhhnnn.exe55⤵
- Executes dropped EXE
PID:1448 -
\??\c:\3dvdv.exec:\3dvdv.exe56⤵
- Executes dropped EXE
PID:2176 -
\??\c:\xxlrxfx.exec:\xxlrxfx.exe57⤵
- Executes dropped EXE
PID:2944 -
\??\c:\fffflfx.exec:\fffflfx.exe58⤵
- Executes dropped EXE
PID:1840 -
\??\c:\7thbbh.exec:\7thbbh.exe59⤵
- Executes dropped EXE
PID:1148 -
\??\c:\7pvdd.exec:\7pvdd.exe60⤵
- Executes dropped EXE
PID:496 -
\??\c:\3rflffl.exec:\3rflffl.exe61⤵
- Executes dropped EXE
PID:1608 -
\??\c:\hnhntt.exec:\hnhntt.exe62⤵
- Executes dropped EXE
PID:2240 -
\??\c:\vvpdd.exec:\vvpdd.exe63⤵
- Executes dropped EXE
PID:2208 -
\??\c:\dvjvd.exec:\dvjvd.exe64⤵
- Executes dropped EXE
PID:1780 -
\??\c:\fxlfllr.exec:\fxlfllr.exe65⤵
- Executes dropped EXE
PID:1536 -
\??\c:\nthnth.exec:\nthnth.exe66⤵PID:2596
-
\??\c:\jdpvd.exec:\jdpvd.exe67⤵PID:3036
-
\??\c:\xxlxfrf.exec:\xxlxfrf.exe68⤵PID:2212
-
\??\c:\rrrlxff.exec:\rrrlxff.exe69⤵PID:3020
-
\??\c:\hnbbnn.exec:\hnbbnn.exe70⤵PID:2276
-
\??\c:\ppjpv.exec:\ppjpv.exe71⤵PID:1000
-
\??\c:\7rfrxlx.exec:\7rfrxlx.exe72⤵PID:1432
-
\??\c:\llxflrf.exec:\llxflrf.exe73⤵PID:2932
-
\??\c:\1tbnnb.exec:\1tbnnb.exe74⤵PID:1600
-
\??\c:\7dvdp.exec:\7dvdp.exe75⤵PID:2152
-
\??\c:\jpvdd.exec:\jpvdd.exe76⤵PID:2448
-
\??\c:\lrflrrx.exec:\lrflrrx.exe77⤵PID:2168
-
\??\c:\thbnbh.exec:\thbnbh.exe78⤵PID:876
-
\??\c:\3dpvj.exec:\3dpvj.exe79⤵PID:2680
-
\??\c:\pvjpd.exec:\pvjpd.exe80⤵
- System Location Discovery: System Language Discovery
PID:2660 -
\??\c:\rrxlxfr.exec:\rrxlxfr.exe81⤵PID:2544
-
\??\c:\hhnnbb.exec:\hhnnbb.exe82⤵PID:2756
-
\??\c:\jvdjv.exec:\jvdjv.exe83⤵PID:2760
-
\??\c:\jppvd.exec:\jppvd.exe84⤵PID:3040
-
\??\c:\fxlxlfl.exec:\fxlxlfl.exe85⤵PID:2560
-
\??\c:\9hhnbh.exec:\9hhnbh.exe86⤵PID:2532
-
\??\c:\pvjvj.exec:\pvjvj.exe87⤵PID:3000
-
\??\c:\ppppd.exec:\ppppd.exe88⤵PID:2504
-
\??\c:\5lflxfr.exec:\5lflxfr.exe89⤵PID:1952
-
\??\c:\1hbtth.exec:\1hbtth.exe90⤵PID:1732
-
\??\c:\hbtbtb.exec:\hbtbtb.exe91⤵PID:1636
-
\??\c:\7jvdv.exec:\7jvdv.exe92⤵PID:1892
-
\??\c:\5flxlrl.exec:\5flxlrl.exe93⤵PID:2360
-
\??\c:\bhbthn.exec:\bhbthn.exe94⤵PID:1584
-
\??\c:\vvpvd.exec:\vvpvd.exe95⤵PID:1372
-
\??\c:\flfxlxr.exec:\flfxlxr.exe96⤵PID:1940
-
\??\c:\llfrlrf.exec:\llfrlrf.exe97⤵PID:964
-
\??\c:\3bhnnb.exec:\3bhnnb.exe98⤵PID:536
-
\??\c:\vjvjp.exec:\vjvjp.exe99⤵PID:2940
-
\??\c:\9xllxll.exec:\9xllxll.exe100⤵PID:2632
-
\??\c:\xfrfxfx.exec:\xfrfxfx.exe101⤵PID:2024
-
\??\c:\bbnttt.exec:\bbnttt.exe102⤵PID:348
-
\??\c:\jjpvj.exec:\jjpvj.exe103⤵PID:744
-
\??\c:\3ddpj.exec:\3ddpj.exe104⤵PID:960
-
\??\c:\tbtbtt.exec:\tbtbtt.exe105⤵PID:988
-
\??\c:\jjvdd.exec:\jjvdd.exe106⤵PID:1624
-
\??\c:\flrxlrl.exec:\flrxlrl.exe107⤵PID:1700
-
\??\c:\3nbhbt.exec:\3nbhbt.exe108⤵PID:1640
-
\??\c:\djpvj.exec:\djpvj.exe109⤵PID:1652
-
\??\c:\llffrfl.exec:\llffrfl.exe110⤵PID:292
-
\??\c:\rrflrxx.exec:\rrflrxx.exe111⤵PID:2976
-
\??\c:\hntbnt.exec:\hntbnt.exe112⤵PID:2372
-
\??\c:\pvpvp.exec:\pvpvp.exe113⤵PID:2268
-
\??\c:\jpvdj.exec:\jpvdj.exe114⤵PID:700
-
\??\c:\llrrflr.exec:\llrrflr.exe115⤵PID:636
-
\??\c:\nnhnhn.exec:\nnhnhn.exe116⤵PID:2956
-
\??\c:\5nhtbh.exec:\5nhtbh.exe117⤵PID:2096
-
\??\c:\ddpjv.exec:\ddpjv.exe118⤵PID:1596
-
\??\c:\xxlrxxf.exec:\xxlrxxf.exe119⤵PID:1296
-
\??\c:\nthnbh.exec:\nthnbh.exe120⤵PID:2248
-
\??\c:\ddvdv.exec:\ddvdv.exe121⤵PID:2628
-
\??\c:\pvpvj.exec:\pvpvj.exe122⤵PID:876