Analysis
-
max time kernel
150s -
max time network
17s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64 arch:x86 image:win7-20240729-en locale:en-us os:windows7-x64 system -
submitted
29/12/2024, 01:43
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
8cf8dcb983c32d70e8a2d2ce7b976bac2186228316fe40cc89d05f0f0fbcfccc.exe
Resource
win7-20240729-en
7 signatures
150 seconds
General
-
Target
8cf8dcb983c32d70e8a2d2ce7b976bac2186228316fe40cc89d05f0f0fbcfccc.exe
-
Size
456KB
-
MD5
6fd11f5640c34e69c87b0ba5cc4be046
-
SHA1
22462831a8df18193ba38945011dcd8ff380682a
-
SHA256
8cf8dcb983c32d70e8a2d2ce7b976bac2186228316fe40cc89d05f0f0fbcfccc
-
SHA512
7674ad501a7ca745de5c92cb35d909126508076149b555fcec56b9bdb56415ca97fb530c656383b9213ca1dc02c079d2121fad3426e5497c0521391fcd738ce3
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeRc:q7Tc2NYHUrAwfMp3CDRc
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 43 IoCs
resource yara_rule behavioral1/memory/2224-0-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2336-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2788-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2816-46-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2664-55-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2976-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2976-64-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2828-75-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2700-85-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1688-94-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1324-105-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1044-108-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2056-124-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2316-142-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1312-160-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1312-158-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1500-168-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1596-176-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3056-196-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2292-211-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2020-251-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2324-257-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/264-267-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1028-287-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2348-313-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2296-314-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2848-327-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2944-340-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2688-366-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2892-435-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2524-456-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2344-497-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/920-537-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3048-610-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3044-630-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2156-695-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/352-745-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2164-847-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1660-944-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2964-1158-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2704-1182-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2760-1275-0x0000000000250000-0x000000000027A000-memory.dmp family_blackmoon 
behavioral1/memory/928-1289-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2336 vdvdd.exe 2752 llrrrrr.exe 2788 7ffflrf.exe 2816 bbhhnn.exe 2664 rxflrxr.exe 2976 pdjjj.exe 2828 llflxxr.exe 2700 djdvj.exe 1688 fflxlrf.exe 1324 tbnnbb.exe 1044 lllrrrr.exe 2056 7fxxffr.exe 772 rrflrxr.exe 2316 hntbnh.exe 3000 lxlxrrf.exe 1312 fxffrrr.exe 1500 vvddj.exe 1596 nnttbh.exe 1540 flrxxlr.exe 2300 9bbthn.exe 3056 xfrxllf.exe 2292 ntnbnb.exe 764 lrffxfr.exe 2324 nthntt.exe 2356 vddjp.exe 1008 lrrxlxx.exe 2020 bbntht.exe 264 pdvvj.exe 1032 1lllxff.exe 2428 dpjpd.exe 1028 jjvdp.exe 2588 pdpvp.exe 1580 7rlrxfl.exe 2348 1pdpd.exe 2296 9jddp.exe 2848 ffrlxfx.exe 2960 1nnbbt.exe 2944 bhtbhh.exe 3044 pvjjp.exe 2680 frxflll.exe 2976 nnhhnb.exe 2660 djdvj.exe 2688 1vvdv.exe 1468 flxxfrx.exe 1560 bbntbh.exe 1656 nnhhnn.exe 1324 vvdjj.exe 1044 flrlrxf.exe 2508 bhhnhn.exe 1408 djpvj.exe 2468 vvdjd.exe 2748 frxfrxx.exe 2892 lxflrxx.exe 1528 thbbnb.exe 1436 vvddj.exe 2524 lflrllr.exe 1168 lrfflrx.exe 440 tthhtt.exe 2456 ppvdj.exe 2484 xflxfrf.exe 3056 lrlrxfl.exe 2344 bhtthn.exe 1636 tbnhnt.exe 1516 3vpjd.exe -
resource yara_rule behavioral1/memory/2224-0-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2336-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2788-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2816-46-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2664-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2976-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2828-67-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2828-75-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2700-85-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1688-94-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1324-105-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1044-108-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2056-124-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2316-142-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1312-160-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1500-168-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1596-176-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3056-196-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2292-211-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2356-230-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2020-251-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/264-267-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1028-287-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2348-313-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2296-314-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2944-340-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2688-366-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2892-435-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2524-456-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2456-469-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2484-481-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2344-497-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/920-537-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3048-610-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2652-637-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2156-695-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2468-700-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/840-713-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/352-745-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1512-836-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2164-843-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1660-944-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2984-969-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2076-994-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2704-1182-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/828-1209-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer that host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdjpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3xrxflr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flllrrr.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxflxlr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9xfrlrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrxflrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhnnnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flxfllx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppdpj.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2224 wrote to memory of 2336 2224 8cf8dcb983c32d70e8a2d2ce7b976bac2186228316fe40cc89d05f0f0fbcfccc.exe 29 PID 2224 wrote to memory of 2336 2224 8cf8dcb983c32d70e8a2d2ce7b976bac2186228316fe40cc89d05f0f0fbcfccc.exe 29 PID 2224 wrote to memory of 2336 2224 8cf8dcb983c32d70e8a2d2ce7b976bac2186228316fe40cc89d05f0f0fbcfccc.exe 29 PID 2224 wrote to memory of 2336 2224 8cf8dcb983c32d70e8a2d2ce7b976bac2186228316fe40cc89d05f0f0fbcfccc.exe 29 PID 2336 wrote to memory of 2752 2336 vdvdd.exe 30 PID 2336 wrote to memory of 2752 2336 vdvdd.exe 30 PID 2336 wrote to memory of 2752 2336 vdvdd.exe 30 PID 2336 wrote to memory of 2752 2336 vdvdd.exe 30 PID 2752 wrote to memory of 2788 2752 llrrrrr.exe 31 PID 2752 wrote to memory of 2788 2752 llrrrrr.exe 31 PID 2752 wrote to memory of 2788 2752 llrrrrr.exe 31 PID 2752 wrote to memory of 2788 2752 llrrrrr.exe 31 PID 2788 wrote to memory of 2816 2788 7ffflrf.exe 32 PID 2788 wrote to memory of 2816 2788 7ffflrf.exe 32 PID 2788 wrote to memory of 2816 2788 7ffflrf.exe 32 PID 2788 wrote to memory of 2816 2788 7ffflrf.exe 32 PID 2816 wrote to memory of 2664 2816 bbhhnn.exe 33 PID 2816 wrote to memory of 2664 2816 bbhhnn.exe 33 PID 2816 wrote to memory of 2664 2816 bbhhnn.exe 33 PID 2816 wrote to memory of 2664 2816 bbhhnn.exe 33 PID 2664 wrote to memory of 2976 2664 rxflrxr.exe 34 PID 2664 wrote to memory of 2976 2664 rxflrxr.exe 34 PID 2664 wrote to memory of 2976 2664 rxflrxr.exe 34 PID 2664 wrote to memory of 2976 2664 rxflrxr.exe 34 PID 2976 wrote to memory of 2828 2976 pdjjj.exe 35 PID 2976 wrote to memory of 2828 2976 pdjjj.exe 35 PID 2976 wrote to memory of 2828 2976 pdjjj.exe 35 PID 2976 wrote to memory of 2828 2976 pdjjj.exe 35 PID 2828 wrote to memory of 2700 2828 llflxxr.exe 36 PID 2828 wrote to memory of 2700 2828 llflxxr.exe 36 PID 2828 wrote to memory of 2700 2828 llflxxr.exe 36 PID 2828 wrote to memory of 2700 2828 llflxxr.exe 36 PID 2700 wrote to memory of 1688 2700 djdvj.exe 37 PID 
2700 wrote to memory of 1688 2700 djdvj.exe 37 PID 2700 wrote to memory of 1688 2700 djdvj.exe 37 PID 2700 wrote to memory of 1688 2700 djdvj.exe 37 PID 1688 wrote to memory of 1324 1688 fflxlrf.exe 38 PID 1688 wrote to memory of 1324 1688 fflxlrf.exe 38 PID 1688 wrote to memory of 1324 1688 fflxlrf.exe 38 PID 1688 wrote to memory of 1324 1688 fflxlrf.exe 38 PID 1324 wrote to memory of 1044 1324 tbnnbb.exe 39 PID 1324 wrote to memory of 1044 1324 tbnnbb.exe 39 PID 1324 wrote to memory of 1044 1324 tbnnbb.exe 39 PID 1324 wrote to memory of 1044 1324 tbnnbb.exe 39 PID 1044 wrote to memory of 2056 1044 lllrrrr.exe 40 PID 1044 wrote to memory of 2056 1044 lllrrrr.exe 40 PID 1044 wrote to memory of 2056 1044 lllrrrr.exe 40 PID 1044 wrote to memory of 2056 1044 lllrrrr.exe 40 PID 2056 wrote to memory of 772 2056 7fxxffr.exe 41 PID 2056 wrote to memory of 772 2056 7fxxffr.exe 41 PID 2056 wrote to memory of 772 2056 7fxxffr.exe 41 PID 2056 wrote to memory of 772 2056 7fxxffr.exe 41 PID 772 wrote to memory of 2316 772 rrflrxr.exe 42 PID 772 wrote to memory of 2316 772 rrflrxr.exe 42 PID 772 wrote to memory of 2316 772 rrflrxr.exe 42 PID 772 wrote to memory of 2316 772 rrflrxr.exe 42 PID 2316 wrote to memory of 3000 2316 hntbnh.exe 43 PID 2316 wrote to memory of 3000 2316 hntbnh.exe 43 PID 2316 wrote to memory of 3000 2316 hntbnh.exe 43 PID 2316 wrote to memory of 3000 2316 hntbnh.exe 43 PID 3000 wrote to memory of 1312 3000 lxlxrrf.exe 44 PID 3000 wrote to memory of 1312 3000 lxlxrrf.exe 44 PID 3000 wrote to memory of 1312 3000 lxlxrrf.exe 44 PID 3000 wrote to memory of 1312 3000 lxlxrrf.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\8cf8dcb983c32d70e8a2d2ce7b976bac2186228316fe40cc89d05f0f0fbcfccc.exe"C:\Users\Admin\AppData\Local\Temp\8cf8dcb983c32d70e8a2d2ce7b976bac2186228316fe40cc89d05f0f0fbcfccc.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2224 -
\??\c:\vdvdd.exec:\vdvdd.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2336 -
\??\c:\llrrrrr.exec:\llrrrrr.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2752 -
\??\c:\7ffflrf.exec:\7ffflrf.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2788 -
\??\c:\bbhhnn.exec:\bbhhnn.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2816 -
\??\c:\rxflrxr.exec:\rxflrxr.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2664 -
\??\c:\pdjjj.exec:\pdjjj.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2976 -
\??\c:\llflxxr.exec:\llflxxr.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2828 -
\??\c:\djdvj.exec:\djdvj.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2700 -
\??\c:\fflxlrf.exec:\fflxlrf.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1688 -
\??\c:\tbnnbb.exec:\tbnnbb.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1324 -
\??\c:\lllrrrr.exec:\lllrrrr.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1044 -
\??\c:\7fxxffr.exec:\7fxxffr.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2056 -
\??\c:\rrflrxr.exec:\rrflrxr.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:772 -
\??\c:\hntbnh.exec:\hntbnh.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2316 -
\??\c:\lxlxrrf.exec:\lxlxrrf.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3000 -
\??\c:\fxffrrr.exec:\fxffrrr.exe17⤵
- Executes dropped EXE
PID:1312 -
\??\c:\vvddj.exec:\vvddj.exe18⤵
- Executes dropped EXE
PID:1500 -
\??\c:\nnttbh.exec:\nnttbh.exe19⤵
- Executes dropped EXE
PID:1596 -
\??\c:\flrxxlr.exec:\flrxxlr.exe20⤵
- Executes dropped EXE
PID:1540 -
\??\c:\9bbthn.exec:\9bbthn.exe21⤵
- Executes dropped EXE
PID:2300 -
\??\c:\xfrxllf.exec:\xfrxllf.exe22⤵
- Executes dropped EXE
PID:3056 -
\??\c:\ntnbnb.exec:\ntnbnb.exe23⤵
- Executes dropped EXE
PID:2292 -
\??\c:\lrffxfr.exec:\lrffxfr.exe24⤵
- Executes dropped EXE
PID:764 -
\??\c:\nthntt.exec:\nthntt.exe25⤵
- Executes dropped EXE
PID:2324 -
\??\c:\vddjp.exec:\vddjp.exe26⤵
- Executes dropped EXE
PID:2356 -
\??\c:\lrrxlxx.exec:\lrrxlxx.exe27⤵
- Executes dropped EXE
PID:1008 -
\??\c:\bbntht.exec:\bbntht.exe28⤵
- Executes dropped EXE
PID:2020 -
\??\c:\pdvvj.exec:\pdvvj.exe29⤵
- Executes dropped EXE
PID:264 -
\??\c:\1lllxff.exec:\1lllxff.exe30⤵
- Executes dropped EXE
PID:1032 -
\??\c:\dpjpd.exec:\dpjpd.exe31⤵
- Executes dropped EXE
PID:2428 -
\??\c:\jjvdp.exec:\jjvdp.exe32⤵
- Executes dropped EXE
PID:1028 -
\??\c:\pdpvp.exec:\pdpvp.exe33⤵
- Executes dropped EXE
PID:2588 -
\??\c:\7rlrxfl.exec:\7rlrxfl.exe34⤵
- Executes dropped EXE
PID:1580 -
\??\c:\1pdpd.exec:\1pdpd.exe35⤵
- Executes dropped EXE
PID:2348 -
\??\c:\9jddp.exec:\9jddp.exe36⤵
- Executes dropped EXE
PID:2296 -
\??\c:\ffrlxfx.exec:\ffrlxfx.exe37⤵
- Executes dropped EXE
PID:2848 -
\??\c:\1nnbbt.exec:\1nnbbt.exe38⤵
- Executes dropped EXE
PID:2960 -
\??\c:\bhtbhh.exec:\bhtbhh.exe39⤵
- Executes dropped EXE
PID:2944 -
\??\c:\pvjjp.exec:\pvjjp.exe40⤵
- Executes dropped EXE
PID:3044 -
\??\c:\frxflll.exec:\frxflll.exe41⤵
- Executes dropped EXE
PID:2680 -
\??\c:\nnhhnb.exec:\nnhhnb.exe42⤵
- Executes dropped EXE
PID:2976 -
\??\c:\djdvj.exec:\djdvj.exe43⤵
- Executes dropped EXE
PID:2660 -
\??\c:\1vvdv.exec:\1vvdv.exe44⤵
- Executes dropped EXE
PID:2688 -
\??\c:\flxxfrx.exec:\flxxfrx.exe45⤵
- Executes dropped EXE
PID:1468 -
\??\c:\bbntbh.exec:\bbntbh.exe46⤵
- Executes dropped EXE
PID:1560 -
\??\c:\nnhhnn.exec:\nnhhnn.exe47⤵
- Executes dropped EXE
PID:1656 -
\??\c:\vvdjj.exec:\vvdjj.exe48⤵
- Executes dropped EXE
PID:1324 -
\??\c:\flrlrxf.exec:\flrlrxf.exe49⤵
- Executes dropped EXE
PID:1044 -
\??\c:\bhhnhn.exec:\bhhnhn.exe50⤵
- Executes dropped EXE
PID:2508 -
\??\c:\djpvj.exec:\djpvj.exe51⤵
- Executes dropped EXE
PID:1408 -
\??\c:\vvdjd.exec:\vvdjd.exe52⤵
- Executes dropped EXE
PID:2468 -
\??\c:\frxfrxx.exec:\frxfrxx.exe53⤵
- Executes dropped EXE
PID:2748 -
\??\c:\lxflrxx.exec:\lxflrxx.exe54⤵
- Executes dropped EXE
PID:2892 -
\??\c:\thbbnb.exec:\thbbnb.exe55⤵
- Executes dropped EXE
PID:1528 -
\??\c:\vvddj.exec:\vvddj.exe56⤵
- Executes dropped EXE
PID:1436 -
\??\c:\lflrllr.exec:\lflrllr.exe57⤵
- Executes dropped EXE
PID:2524 -
\??\c:\lrfflrx.exec:\lrfflrx.exe58⤵
- Executes dropped EXE
PID:1168 -
\??\c:\tthhtt.exec:\tthhtt.exe59⤵
- Executes dropped EXE
PID:440 -
\??\c:\ppvdj.exec:\ppvdj.exe60⤵
- Executes dropped EXE
PID:2456 -
\??\c:\xflxfrf.exec:\xflxfrf.exe61⤵
- Executes dropped EXE
PID:2484 -
\??\c:\lrlrxfl.exec:\lrlrxfl.exe62⤵
- Executes dropped EXE
PID:3056 -
\??\c:\bhtthn.exec:\bhtthn.exe63⤵
- Executes dropped EXE
PID:2344 -
\??\c:\tbnhnt.exec:\tbnhnt.exe64⤵
- Executes dropped EXE
PID:1636 -
\??\c:\3vpjd.exec:\3vpjd.exe65⤵
- Executes dropped EXE
PID:1516 -
\??\c:\7fxxflr.exec:\7fxxflr.exe66⤵PID:1620
-
\??\c:\7fxflfr.exec:\7fxflfr.exe67⤵PID:2124
-
\??\c:\1thttt.exec:\1thttt.exe68⤵PID:1532
-
\??\c:\vvjvd.exec:\vvjvd.exe69⤵PID:1668
-
\??\c:\ppvdd.exec:\ppvdd.exe70⤵PID:920
-
\??\c:\flxfllx.exec:\flxfllx.exe71⤵
- System Location Discovery: System Language Discovery
PID:1172 -
\??\c:\3nhhnn.exec:\3nhhnn.exe72⤵PID:1632
-
\??\c:\pvppd.exec:\pvppd.exe73⤵PID:1844
-
\??\c:\pdpvp.exec:\pdpvp.exe74⤵PID:2428
-
\??\c:\rrlrffx.exec:\rrlrffx.exe75⤵PID:2328
-
\??\c:\thbtbb.exec:\thbtbb.exe76⤵PID:2380
-
\??\c:\ntbhth.exec:\ntbhth.exe77⤵PID:1684
-
\??\c:\vjvdj.exec:\vjvdj.exe78⤵PID:944
-
\??\c:\ffffxfl.exec:\ffffxfl.exe79⤵PID:2804
-
\??\c:\xfllxxf.exec:\xfllxxf.exe80⤵PID:2864
-
\??\c:\ntttbn.exec:\ntttbn.exe81⤵PID:3048
-
\??\c:\vvdpv.exec:\vvdpv.exe82⤵PID:2852
-
\??\c:\vdvpp.exec:\vdvpp.exe83⤵PID:2944
-
\??\c:\xfxxlfr.exec:\xfxxlfr.exe84⤵PID:3044
-
\??\c:\7httnt.exec:\7httnt.exe85⤵PID:2680
-
\??\c:\hhnnbh.exec:\hhnnbh.exe86⤵PID:2652
-
\??\c:\djppv.exec:\djppv.exe87⤵PID:1084
-
\??\c:\rrxxfll.exec:\rrxxfll.exe88⤵PID:2688
-
\??\c:\7lrxflx.exec:\7lrxflx.exe89⤵PID:828
-
\??\c:\9ttbhn.exec:\9ttbhn.exe90⤵PID:752
-
\??\c:\dpvdj.exec:\dpvdj.exe91⤵PID:1656
-
\??\c:\9dddp.exec:\9dddp.exe92⤵PID:2156
-
\??\c:\rxlrffx.exec:\rxlrffx.exe93⤵PID:2424
-
\??\c:\htthhn.exec:\htthhn.exe94⤵PID:2508
-
\??\c:\tbnnbh.exec:\tbnnbh.exe95⤵PID:2496
-
\??\c:\1dddd.exec:\1dddd.exe96⤵PID:2468
-
\??\c:\lrfxllx.exec:\lrfxllx.exe97⤵PID:2500
-
\??\c:\9xrxllx.exec:\9xrxllx.exe98⤵PID:840
-
\??\c:\hthhnn.exec:\hthhnn.exe99⤵PID:2640
-
\??\c:\tthnbb.exec:\tthnbb.exe100⤵PID:2464
-
\??\c:\dpddj.exec:\dpddj.exe101⤵PID:1456
-
\??\c:\5xlrxfl.exec:\5xlrxfl.exe102⤵PID:352
-
\??\c:\llfrxlx.exec:\llfrxlx.exe103⤵PID:2444
-
\??\c:\7bhhnn.exec:\7bhhnn.exe104⤵PID:2456
-
\??\c:\7vjdv.exec:\7vjdv.exe105⤵PID:2484
-
\??\c:\lrflffr.exec:\lrflffr.exe106⤵PID:2604
-
\??\c:\flxflrr.exec:\flxflrr.exe107⤵PID:1092
-
\??\c:\ntnthn.exec:\ntnthn.exe108⤵PID:844
-
\??\c:\jpvpv.exec:\jpvpv.exe109⤵PID:2448
-
\??\c:\xfrrflr.exec:\xfrrflr.exe110⤵PID:1724
-
\??\c:\xlrlfll.exec:\xlrlfll.exe111⤵PID:2016
-
\??\c:\7hhtbn.exec:\7hhtbn.exe112⤵PID:836
-
\??\c:\nnnnbb.exec:\nnnnbb.exe113⤵PID:1292
-
\??\c:\dvpdv.exec:\dvpdv.exe114⤵PID:2612
-
\??\c:\frxlfxl.exec:\frxlfxl.exe115⤵PID:1984
-
\??\c:\rrxrxxl.exec:\rrxrxxl.exe116⤵PID:1172
-
\??\c:\1bnttb.exec:\1bnttb.exe117⤵PID:336
-
\??\c:\ppdjp.exec:\ppdjp.exe118⤵PID:1512
-
\??\c:\5dvdj.exec:\5dvdj.exe119⤵PID:2164
-
\??\c:\rrxffll.exec:\rrxffll.exe120⤵PID:1980
-
\??\c:\5btbht.exec:\5btbht.exe121⤵PID:1964
-
\??\c:\9vvdv.exec:\9vvdv.exe122⤵PID:1684