Analysis
-
max time kernel
120s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
26/12/2024, 07:45
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
843972cd00444c8b9eadd35fa9c56218065989065e0971f206c67476e4c2f6a2N.exe
Resource
win7-20240903-en
7 signatures
120 seconds
General
-
Target
843972cd00444c8b9eadd35fa9c56218065989065e0971f206c67476e4c2f6a2N.exe
-
Size
456KB
-
MD5
aba6579a3aa86bd40f9f834fed737200
-
SHA1
c521b9d28b269c2e957b149795548c54e9d46ef9
-
SHA256
843972cd00444c8b9eadd35fa9c56218065989065e0971f206c67476e4c2f6a2
-
SHA512
0eeff4734db86efee35817ddf8722e119e4defa275b4bbf7fd9655ef5a0a2402c031c900b763245bea199bcecf31a3792375c94439452e1bd6cffab64cc2b97e
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeRZ:q7Tc2NYHUrAwfMp3CDRZ
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 47 IoCs
resource yara_rule behavioral1/memory/2388-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2524-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2320-20-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2296-49-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2820-59-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2732-68-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2912-78-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2872-87-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2872-86-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2608-98-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2768-108-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2648-118-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2648-116-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/388-136-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2864-156-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/684-154-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1900-166-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2864-163-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1016-183-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2168-193-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1700-218-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2144-248-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1780-263-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2932-272-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1524-295-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2956-317-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2828-337-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2744-344-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2792-358-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2736-365-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2652-372-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2600-385-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/3040-466-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1372-479-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2224-523-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2264-542-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/1636-682-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/2168-748-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2084-854-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1636-961-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/1516-975-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2824-995-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon 
behavioral1/memory/348-1014-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2532-1019-0x00000000002C0000-0x00000000002EA000-memory.dmp family_blackmoon behavioral1/memory/1240-1055-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2780-1062-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1424-1115-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2320 5lflxxf.exe 2524 frxfrrf.exe 1200 thbhbb.exe 2296 xrfffrf.exe 2820 9lxxlrf.exe 2732 pjjpj.exe 2912 frlxffx.exe 2872 thtbbb.exe 2608 9djpp.exe 2768 hthhnh.exe 2648 vpdjp.exe 1888 fxfrxff.exe 2948 nnthtt.exe 388 lxrrxfx.exe 684 hhhntt.exe 2864 lfrxxxl.exe 1900 fxlrffl.exe 1016 1nbbtt.exe 2168 vjvpp.exe 1372 lflfllr.exe 1616 bthhtt.exe 1700 5rlrxlr.exe 1180 3rrrrrx.exe 1232 7pvvv.exe 1140 lxrrxrx.exe 2144 nbbbhb.exe 1780 flrlxxf.exe 2932 1dvjv.exe 2964 dpjjj.exe 896 1thntb.exe 2476 vjddv.exe 2552 hbnbnn.exe 2956 3nntbt.exe 2072 pvjvv.exe 2008 jdjpv.exe 2828 flxflxx.exe 2744 hnnbnt.exe 2820 dpppp.exe 2792 pjdvd.exe 2736 5xrrxlr.exe 2652 3bntnt.exe 2656 bbnbhh.exe 2600 vvjpv.exe 628 lfrflrl.exe 2328 hhnttb.exe 2648 btnhhn.exe 1888 dvjpp.exe 2848 lfxrllr.exe 2592 tnnhbn.exe 320 9thntt.exe 692 pjddv.exe 1764 rlrrflf.exe 1100 rrrlxrl.exe 2436 bbbhht.exe 1312 ppdjp.exe 3040 ddvjv.exe 2172 ffxfrrx.exe 1372 9bhbht.exe 1776 hbnnbt.exe 1572 pdvpd.exe 2996 1rlfflr.exe 448 rlllxrx.exe 996 tbbbnh.exe 1904 dvddd.exe -
resource yara_rule behavioral1/memory/2388-0-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2320-9-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2388-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2524-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2524-21-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2320-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2296-39-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2296-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2820-59-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2732-68-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2912-78-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2872-87-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2608-98-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2768-108-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2648-118-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/388-136-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2864-156-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/684-154-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1900-166-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2864-163-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1016-183-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2168-193-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1700-218-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2144-248-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/1780-263-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2932-272-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1524-295-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2956-317-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2828-337-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2744-344-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2792-351-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2792-358-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2736-365-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2652-372-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2600-385-0x00000000001B0000-0x00000000001DA000-memory.dmp upx behavioral1/memory/1888-422-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1312-453-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3040-466-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1372-479-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2224-523-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1508-543-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1452-692-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2168-748-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2800-767-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1832-792-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2536-847-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2084-854-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2892-905-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/316-942-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1516-993-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/1828-996-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2984-1035-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1424-1088-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer that host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlrrffl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrxxlfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlxfrrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjjjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btnnbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpddd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjjpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frllflx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process 
not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxxrllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxrxrrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2388 wrote to memory of 2320 2388 843972cd00444c8b9eadd35fa9c56218065989065e0971f206c67476e4c2f6a2N.exe 30 PID 2388 wrote to memory of 2320 2388 843972cd00444c8b9eadd35fa9c56218065989065e0971f206c67476e4c2f6a2N.exe 30 PID 2388 wrote to memory of 2320 2388 843972cd00444c8b9eadd35fa9c56218065989065e0971f206c67476e4c2f6a2N.exe 30 PID 2388 wrote to memory of 2320 2388 843972cd00444c8b9eadd35fa9c56218065989065e0971f206c67476e4c2f6a2N.exe 30 PID 2320 wrote to memory of 2524 2320 5lflxxf.exe 31 PID 2320 wrote to memory of 2524 2320 5lflxxf.exe 31 PID 2320 wrote to memory of 2524 2320 5lflxxf.exe 31 PID 2320 wrote to memory of 2524 2320 5lflxxf.exe 31 PID 2524 wrote to memory of 1200 2524 frxfrrf.exe 32 PID 2524 wrote to memory of 1200 2524 frxfrrf.exe 32 PID 2524 wrote to memory of 1200 2524 frxfrrf.exe 32 PID 2524 wrote to memory of 1200 2524 frxfrrf.exe 32 PID 1200 wrote to memory of 2296 1200 thbhbb.exe 33 PID 1200 wrote to memory of 2296 1200 thbhbb.exe 33 PID 1200 wrote to memory of 2296 1200 thbhbb.exe 33 PID 1200 wrote to memory of 2296 1200 thbhbb.exe 33 PID 2296 wrote to memory of 2820 2296 xrfffrf.exe 34 PID 2296 wrote to memory of 2820 2296 xrfffrf.exe 34 PID 2296 wrote to memory of 2820 2296 xrfffrf.exe 34 PID 2296 wrote to memory of 2820 2296 xrfffrf.exe 34 PID 2820 wrote to memory of 2732 2820 9lxxlrf.exe 35 PID 2820 wrote to memory of 2732 2820 9lxxlrf.exe 35 PID 2820 wrote to memory of 2732 2820 9lxxlrf.exe 35 PID 2820 wrote to memory of 2732 2820 9lxxlrf.exe 35 PID 2732 wrote to memory of 2912 2732 pjjpj.exe 36 PID 2732 wrote to memory of 2912 2732 pjjpj.exe 36 PID 2732 wrote to memory of 2912 2732 pjjpj.exe 36 PID 2732 wrote to memory of 2912 2732 pjjpj.exe 36 PID 2912 wrote to memory of 2872 2912 frlxffx.exe 37 PID 2912 wrote to memory of 2872 2912 frlxffx.exe 37 PID 2912 wrote to memory of 2872 2912 frlxffx.exe 37 PID 2912 wrote to memory of 2872 2912 frlxffx.exe 37 PID 2872 wrote to memory of 2608 2872 
thtbbb.exe 38 PID 2872 wrote to memory of 2608 2872 thtbbb.exe 38 PID 2872 wrote to memory of 2608 2872 thtbbb.exe 38 PID 2872 wrote to memory of 2608 2872 thtbbb.exe 38 PID 2608 wrote to memory of 2768 2608 9djpp.exe 39 PID 2608 wrote to memory of 2768 2608 9djpp.exe 39 PID 2608 wrote to memory of 2768 2608 9djpp.exe 39 PID 2608 wrote to memory of 2768 2608 9djpp.exe 39 PID 2768 wrote to memory of 2648 2768 hthhnh.exe 40 PID 2768 wrote to memory of 2648 2768 hthhnh.exe 40 PID 2768 wrote to memory of 2648 2768 hthhnh.exe 40 PID 2768 wrote to memory of 2648 2768 hthhnh.exe 40 PID 2648 wrote to memory of 1888 2648 vpdjp.exe 41 PID 2648 wrote to memory of 1888 2648 vpdjp.exe 41 PID 2648 wrote to memory of 1888 2648 vpdjp.exe 41 PID 2648 wrote to memory of 1888 2648 vpdjp.exe 41 PID 1888 wrote to memory of 2948 1888 fxfrxff.exe 42 PID 1888 wrote to memory of 2948 1888 fxfrxff.exe 42 PID 1888 wrote to memory of 2948 1888 fxfrxff.exe 42 PID 1888 wrote to memory of 2948 1888 fxfrxff.exe 42 PID 2948 wrote to memory of 388 2948 nnthtt.exe 43 PID 2948 wrote to memory of 388 2948 nnthtt.exe 43 PID 2948 wrote to memory of 388 2948 nnthtt.exe 43 PID 2948 wrote to memory of 388 2948 nnthtt.exe 43 PID 388 wrote to memory of 684 388 lxrrxfx.exe 44 PID 388 wrote to memory of 684 388 lxrrxfx.exe 44 PID 388 wrote to memory of 684 388 lxrrxfx.exe 44 PID 388 wrote to memory of 684 388 lxrrxfx.exe 44 PID 684 wrote to memory of 2864 684 hhhntt.exe 45 PID 684 wrote to memory of 2864 684 hhhntt.exe 45 PID 684 wrote to memory of 2864 684 hhhntt.exe 45 PID 684 wrote to memory of 2864 684 hhhntt.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\843972cd00444c8b9eadd35fa9c56218065989065e0971f206c67476e4c2f6a2N.exe — command line: "C:\Users\Admin\AppData\Local\Temp\843972cd00444c8b9eadd35fa9c56218065989065e0971f206c67476e4c2f6a2N.exe" (tree depth 1)
- Suspicious use of WriteProcessMemory
PID:2388 -
\??\c:\5lflxxf.exec:\5lflxxf.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2320 -
\??\c:\frxfrrf.exec:\frxfrrf.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2524 -
\??\c:\thbhbb.exec:\thbhbb.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1200 -
\??\c:\xrfffrf.exec:\xrfffrf.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2296 -
\??\c:\9lxxlrf.exec:\9lxxlrf.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2820 -
\??\c:\pjjpj.exec:\pjjpj.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2732 -
\??\c:\frlxffx.exec:\frlxffx.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2912 -
\??\c:\thtbbb.exec:\thtbbb.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2872 -
\??\c:\9djpp.exec:\9djpp.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2608 -
\??\c:\hthhnh.exec:\hthhnh.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2768 -
\??\c:\vpdjp.exec:\vpdjp.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2648 -
\??\c:\fxfrxff.exec:\fxfrxff.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1888 -
\??\c:\nnthtt.exec:\nnthtt.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2948 -
\??\c:\lxrrxfx.exec:\lxrrxfx.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:388 -
\??\c:\hhhntt.exec:\hhhntt.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:684 -
\??\c:\lfrxxxl.exec:\lfrxxxl.exe17⤵
- Executes dropped EXE
PID:2864 -
\??\c:\fxlrffl.exec:\fxlrffl.exe18⤵
- Executes dropped EXE
PID:1900 -
\??\c:\1nbbtt.exec:\1nbbtt.exe19⤵
- Executes dropped EXE
PID:1016 -
\??\c:\vjvpp.exec:\vjvpp.exe20⤵
- Executes dropped EXE
PID:2168 -
\??\c:\lflfllr.exec:\lflfllr.exe21⤵
- Executes dropped EXE
PID:1372 -
\??\c:\bthhtt.exec:\bthhtt.exe22⤵
- Executes dropped EXE
PID:1616 -
\??\c:\5rlrxlr.exec:\5rlrxlr.exe23⤵
- Executes dropped EXE
PID:1700 -
\??\c:\3rrrrrx.exec:\3rrrrrx.exe24⤵
- Executes dropped EXE
PID:1180 -
\??\c:\7pvvv.exec:\7pvvv.exe25⤵
- Executes dropped EXE
PID:1232 -
\??\c:\lxrrxrx.exec:\lxrrxrx.exe26⤵
- Executes dropped EXE
PID:1140 -
\??\c:\nbbbhb.exec:\nbbbhb.exe27⤵
- Executes dropped EXE
PID:2144 -
\??\c:\flrlxxf.exec:\flrlxxf.exe28⤵
- Executes dropped EXE
PID:1780 -
\??\c:\1dvjv.exec:\1dvjv.exe29⤵
- Executes dropped EXE
PID:2932 -
\??\c:\dpjjj.exec:\dpjjj.exe30⤵
- Executes dropped EXE
PID:2964 -
\??\c:\1thntb.exec:\1thntb.exe31⤵
- Executes dropped EXE
PID:896 -
\??\c:\vjddv.exec:\vjddv.exe32⤵
- Executes dropped EXE
PID:2476 -
\??\c:\xfrrxxl.exec:\xfrrxxl.exe33⤵PID:1524
-
\??\c:\hbnbnn.exec:\hbnbnn.exe34⤵
- Executes dropped EXE
PID:2552 -
\??\c:\3nntbt.exec:\3nntbt.exe35⤵
- Executes dropped EXE
PID:2956 -
\??\c:\pvjvv.exec:\pvjvv.exe36⤵
- Executes dropped EXE
PID:2072 -
\??\c:\jdjpv.exec:\jdjpv.exe37⤵
- Executes dropped EXE
PID:2008 -
\??\c:\flxflxx.exec:\flxflxx.exe38⤵
- Executes dropped EXE
PID:2828 -
\??\c:\hnnbnt.exec:\hnnbnt.exe39⤵
- Executes dropped EXE
PID:2744 -
\??\c:\dpppp.exec:\dpppp.exe40⤵
- Executes dropped EXE
PID:2820 -
\??\c:\pjdvd.exec:\pjdvd.exe41⤵
- Executes dropped EXE
PID:2792 -
\??\c:\5xrrxlr.exec:\5xrrxlr.exe42⤵
- Executes dropped EXE
PID:2736 -
\??\c:\3bntnt.exec:\3bntnt.exe43⤵
- Executes dropped EXE
PID:2652 -
\??\c:\bbnbhh.exec:\bbnbhh.exe44⤵
- Executes dropped EXE
PID:2656 -
\??\c:\vvjpv.exec:\vvjpv.exe45⤵
- Executes dropped EXE
PID:2600 -
\??\c:\lfrflrl.exec:\lfrflrl.exe46⤵
- Executes dropped EXE
PID:628 -
\??\c:\hhnttb.exec:\hhnttb.exe47⤵
- Executes dropped EXE
PID:2328 -
\??\c:\btnhhn.exec:\btnhhn.exe48⤵
- Executes dropped EXE
PID:2648 -
\??\c:\dvjpp.exec:\dvjpp.exe49⤵
- Executes dropped EXE
PID:1888 -
\??\c:\lfxrllr.exec:\lfxrllr.exe50⤵
- Executes dropped EXE
PID:2848 -
\??\c:\tnnhbn.exec:\tnnhbn.exe51⤵
- Executes dropped EXE
PID:2592 -
\??\c:\9thntt.exec:\9thntt.exe52⤵
- Executes dropped EXE
PID:320 -
\??\c:\pjddv.exec:\pjddv.exe53⤵
- Executes dropped EXE
PID:692 -
\??\c:\rlrrflf.exec:\rlrrflf.exe54⤵
- Executes dropped EXE
PID:1764 -
\??\c:\rrrlxrl.exec:\rrrlxrl.exe55⤵
- Executes dropped EXE
PID:1100 -
\??\c:\bbbhht.exec:\bbbhht.exe56⤵
- Executes dropped EXE
PID:2436 -
\??\c:\ppdjp.exec:\ppdjp.exe57⤵
- Executes dropped EXE
PID:1312 -
\??\c:\ddvjv.exec:\ddvjv.exe58⤵
- Executes dropped EXE
PID:3040 -
\??\c:\ffxfrrx.exec:\ffxfrrx.exe59⤵
- Executes dropped EXE
PID:2172 -
\??\c:\9bhbht.exec:\9bhbht.exe60⤵
- Executes dropped EXE
PID:1372 -
\??\c:\hbnnbt.exec:\hbnnbt.exe61⤵
- Executes dropped EXE
PID:1776 -
\??\c:\pdvpd.exec:\pdvpd.exe62⤵
- Executes dropped EXE
PID:1572 -
\??\c:\1rlfflr.exec:\1rlfflr.exe63⤵
- Executes dropped EXE
PID:2996 -
\??\c:\rlllxrx.exec:\rlllxrx.exe64⤵
- Executes dropped EXE
PID:448 -
\??\c:\tbbbnh.exec:\tbbbnh.exe65⤵
- Executes dropped EXE
PID:996 -
\??\c:\dvddd.exec:\dvddd.exe66⤵
- Executes dropped EXE
PID:1904 -
\??\c:\ffxxrrx.exec:\ffxxrrx.exe67⤵PID:2224
-
\??\c:\5rxrfff.exec:\5rxrfff.exe68⤵PID:2484
-
\??\c:\nnhntt.exec:\nnhntt.exe69⤵PID:2308
-
\??\c:\pjjjp.exec:\pjjjp.exe70⤵PID:2264
-
\??\c:\dpddj.exec:\dpddj.exe71⤵PID:1508
-
\??\c:\lxrrxfr.exec:\lxrrxfr.exe72⤵PID:376
-
\??\c:\rrfxffr.exec:\rrfxffr.exe73⤵PID:3012
-
\??\c:\btnnbt.exec:\btnnbt.exe74⤵
- System Location Discovery: System Language Discovery
PID:1520 -
\??\c:\vjvvv.exec:\vjvvv.exe75⤵PID:1620
-
\??\c:\fffrrfx.exec:\fffrrfx.exe76⤵PID:2400
-
\??\c:\xlxfrrf.exec:\xlxfrrf.exe77⤵PID:2524
-
\??\c:\ttnntb.exec:\ttnntb.exe78⤵PID:2928
-
\??\c:\pdpvv.exec:\pdpvv.exe79⤵PID:2040
-
\??\c:\1vdvv.exec:\1vdvv.exe80⤵PID:1972
-
\??\c:\rrffllx.exec:\rrffllx.exe81⤵PID:2876
-
\??\c:\tbttbb.exec:\tbttbb.exe82⤵PID:2024
-
\??\c:\5pjpj.exec:\5pjpj.exe83⤵PID:2612
-
\??\c:\3jvpj.exec:\3jvpj.exe84⤵PID:2820
-
\??\c:\fxrxflx.exec:\fxrxflx.exe85⤵PID:2892
-
\??\c:\nbnntt.exec:\nbnntt.exe86⤵PID:2772
-
\??\c:\5bhhhn.exec:\5bhhhn.exe87⤵PID:1932
-
\??\c:\9pvvv.exec:\9pvvv.exe88⤵PID:2604
-
\??\c:\frxxfrl.exec:\frxxfrl.exe89⤵PID:2668
-
\??\c:\lllxrrl.exec:\lllxrrl.exe90⤵PID:1548
-
\??\c:\thhhhn.exec:\thhhhn.exe91⤵PID:1396
-
\??\c:\tthhnb.exec:\tthhnb.exe92⤵PID:1412
-
\??\c:\9dppv.exec:\9dppv.exe93⤵PID:1636
-
\??\c:\llrfrrf.exec:\llrfrrf.exe94⤵PID:2948
-
\??\c:\thtnnt.exec:\thtnnt.exe95⤵PID:1452
-
\??\c:\pjdjv.exec:\pjdjv.exe96⤵PID:320
-
\??\c:\vvpvp.exec:\vvpvp.exe97⤵PID:684
-
\??\c:\lxlllfl.exec:\lxlllfl.exe98⤵PID:2824
-
\??\c:\bttbnt.exec:\bttbnt.exe99⤵PID:1440
-
\??\c:\3hbhtb.exec:\3hbhtb.exe100⤵PID:2944
-
\??\c:\jjvvd.exec:\jjvvd.exe101⤵PID:1312
-
\??\c:\lfrxxrx.exec:\lfrxxrx.exe102⤵PID:2276
-
\??\c:\5nhbnn.exec:\5nhbnn.exe103⤵PID:2168
-
\??\c:\bhnbhb.exec:\bhnbhb.exe104⤵PID:1656
-
\??\c:\9ppjd.exec:\9ppjd.exe105⤵PID:1776
-
\??\c:\3rfffxl.exec:\3rfffxl.exe106⤵PID:2940
-
\??\c:\htnthh.exec:\htnthh.exe107⤵PID:2800
-
\??\c:\bbnnbh.exec:\bbnnbh.exe108⤵PID:1988
-
\??\c:\ppdpj.exec:\ppdpj.exe109⤵PID:996
-
\??\c:\7lllrll.exec:\7lllrll.exe110⤵PID:1480
-
\??\c:\1lrxxxx.exec:\1lrxxxx.exe111⤵PID:1832
-
\??\c:\1nbtht.exec:\1nbtht.exe112⤵PID:2484
-
\??\c:\dppdj.exec:\dppdj.exe113⤵PID:3008
-
\??\c:\jdjjp.exec:\jdjjp.exe114⤵PID:1948
-
\??\c:\ffflrfl.exec:\ffflrfl.exe115⤵PID:3028
-
\??\c:\hbhhhb.exec:\hbhhhb.exe116⤵PID:2100
-
\??\c:\ntnbhn.exec:\ntnbhn.exe117⤵PID:1364
-
\??\c:\pjppp.exec:\pjppp.exe118⤵PID:1528
-
\??\c:\rfrrrlr.exec:\rfrrrlr.exe119⤵PID:2320
-
\??\c:\rfllxxf.exec:\rfllxxf.exe120⤵PID:2536
-
\??\c:\7hbhnn.exec:\7hbhnn.exe121⤵PID:2084
-
\??\c:\vjdjd.exec:\vjdjd.exe122⤵PID:352