Analysis
-
max time kernel
120s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
08/01/2025, 05:04
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
eb9eeb3891190ef94f68e8919ff3c3bc3245bec907e5135f0999097fdb9aacd6.exe
Resource
win7-20240903-en
7 signatures
120 seconds
General
-
Target
eb9eeb3891190ef94f68e8919ff3c3bc3245bec907e5135f0999097fdb9aacd6.exe
-
Size
454KB
-
MD5
8f03764f6dcee305019066c09f9fbd5a
-
SHA1
02167e8756476b49a9b7e3dd9398c0677480fe69
-
SHA256
eb9eeb3891190ef94f68e8919ff3c3bc3245bec907e5135f0999097fdb9aacd6
-
SHA512
8f98d3ff80cca20700d0cd001b6c140d3ace3aa3c63b350174a758ab8e987aa20c235c0f7b83ed9d3fd5e864a9919b037310d1deade788ac23607e30e9c22a42
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe6y:q7Tc2NYHUrAwfMp3CDV
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 48 IoCs
resource yara_rule behavioral1/memory/2328-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2212-16-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2596-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2036-44-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2876-57-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2252-74-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2840-82-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2764-93-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2640-102-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1432-116-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/380-114-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2264-150-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2716-159-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2728-170-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1448-178-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2264-183-0x0000000000350000-0x000000000037A000-memory.dmp family_blackmoon behavioral1/memory/2192-188-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2128-192-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1256-207-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1652-262-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1296-275-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2476-272-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2372-290-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2520-295-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2520-293-0x0000000077480000-0x000000007759F000-memory.dmp family_blackmoon behavioral1/memory/984-329-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2928-351-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2880-349-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2928-358-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1992-366-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2652-368-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2672-387-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2800-395-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2800-416-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2960-421-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1832-485-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1988-506-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1220-549-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2172-556-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2228-571-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/2228-570-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/1700-711-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon 
behavioral1/memory/1616-731-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1616-738-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/1896-834-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/484-928-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/484-947-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/2020-998-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs (list capped at 64 entries; the process tree below continues past it. Note that PIDs are reused during the run — e.g. 1432, 2200, 2192 and 2128 each appear twice in this list — so a pid alone does not identify a single process, and pid-keyed memory dumps above must be read together with their offset/timestamp suffix.)
pid Process 2212 xxrxlrf.exe 2084 tthhtt.exe 2596 vjpvj.exe 2036 fflrrrx.exe 2736 ppjpp.exe 2876 bhtntt.exe 2252 nbhhnn.exe 2840 llllllr.exe 2764 hthntb.exe 2640 lxlllll.exe 380 ffxllfl.exe 1432 5pdpv.exe 2200 7rxxxxf.exe 2940 hbnhnb.exe 2264 pjjjp.exe 2716 thbbhn.exe 2728 3thnnt.exe 1448 7rlrrxf.exe 2192 nbntbt.exe 2128 pvddp.exe 1256 lxlllrx.exe 848 3hhnth.exe 1404 ddpdp.exe 1512 9nhntt.exe 1692 1vpjj.exe 2580 xrlrffx.exe 1652 ttthth.exe 2476 frlrflf.exe 1296 tbthtt.exe 2372 bnhntb.exe 2520 rxlrlrr.exe 2460 jdvdj.exe 2256 nnbnbh.exe 2528 7pjjj.exe 984 1frffxf.exe 2280 lfxflfl.exe 2732 9hhbnh.exe 2880 vpdjj.exe 2928 fxfxfxf.exe 1992 rfxxxlx.exe 2652 thttbb.exe 2628 pppvj.exe 2672 rlxlxxl.exe 2800 7nhnbh.exe 976 9thntb.exe 1432 vjdpv.exe 1804 rrlxfrx.exe 2200 3fllllf.exe 2960 bbnthh.exe 1452 ppvpd.exe 3004 pjppj.exe 3056 7lrlrrl.exe 1880 btbbhn.exe 1996 ttnntb.exe 3068 pjdvv.exe 2192 lfrrxxr.exe 2128 llxlxxl.exe 1832 thtbhh.exe 1068 vvdpp.exe 2216 jdvjp.exe 1988 ffrxffx.exe 1960 lflxllf.exe 1460 9bbhtb.exe 2584 9pppj.exe -
resource yara_rule behavioral1/memory/2328-0-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2328-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2212-16-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2036-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2596-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2036-44-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2876-57-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2736-54-0x00000000001B0000-0x00000000001DA000-memory.dmp upx behavioral1/memory/2252-74-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2840-82-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2640-95-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2764-93-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2640-102-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1432-116-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/380-114-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2200-131-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2264-150-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2716-159-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2728-170-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1448-178-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2128-192-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1404-217-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1512-226-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2580-245-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/1652-262-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1296-275-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2476-272-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2372-290-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2520-295-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/984-329-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2928-351-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2880-349-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2928-358-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1992-366-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2652-368-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2672-387-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2960-421-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3004-435-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2128-472-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2128-498-0x00000000003C0000-0x00000000003EA000-memory.dmp upx behavioral1/memory/1988-506-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1220-549-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2172-556-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2520-572-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2228-570-0x00000000003C0000-0x00000000003EA000-memory.dmp upx behavioral1/memory/2420-588-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1700-704-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1440-718-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/1616-731-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1612-793-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2124-820-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1496-841-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2752-896-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/484-921-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2724-986-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location (here, repeated reads of HKLM\SYSTEM\ControlSet001\Control\NLS\Language; "Process not Found" entries are events the sandbox could not attribute to a live process, presumably because the short-lived child had already exited).
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ththnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvjpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btnthh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnnntt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjdjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfxxlrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpvpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3nbbhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3rllrrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlffrrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnnntt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rflxrfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3lrrrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bthnbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfrrllr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2328 wrote to memory of 2212 2328 eb9eeb3891190ef94f68e8919ff3c3bc3245bec907e5135f0999097fdb9aacd6.exe 30 PID 2328 wrote to memory of 2212 2328 eb9eeb3891190ef94f68e8919ff3c3bc3245bec907e5135f0999097fdb9aacd6.exe 30 PID 2328 wrote to memory of 2212 2328 eb9eeb3891190ef94f68e8919ff3c3bc3245bec907e5135f0999097fdb9aacd6.exe 30 PID 2328 wrote to memory of 2212 2328 eb9eeb3891190ef94f68e8919ff3c3bc3245bec907e5135f0999097fdb9aacd6.exe 30 PID 2212 wrote to memory of 2084 2212 xxrxlrf.exe 31 PID 2212 wrote to memory of 2084 2212 xxrxlrf.exe 31 PID 2212 wrote to memory of 2084 2212 xxrxlrf.exe 31 PID 2212 wrote to memory of 2084 2212 xxrxlrf.exe 31 PID 2084 wrote to memory of 2596 2084 tthhtt.exe 32 PID 2084 wrote to memory of 2596 2084 tthhtt.exe 32 PID 2084 wrote to memory of 2596 2084 tthhtt.exe 32 PID 2084 wrote to memory of 2596 2084 tthhtt.exe 32 PID 2596 wrote to memory of 2036 2596 vjpvj.exe 33 PID 2596 wrote to memory of 2036 2596 vjpvj.exe 33 PID 2596 wrote to memory of 2036 2596 vjpvj.exe 33 PID 2596 wrote to memory of 2036 2596 vjpvj.exe 33 PID 2036 wrote to memory of 2736 2036 fflrrrx.exe 34 PID 2036 wrote to memory of 2736 2036 fflrrrx.exe 34 PID 2036 wrote to memory of 2736 2036 fflrrrx.exe 34 PID 2036 wrote to memory of 2736 2036 fflrrrx.exe 34 PID 2736 wrote to memory of 2876 2736 ppjpp.exe 35 PID 2736 wrote to memory of 2876 2736 ppjpp.exe 35 PID 2736 wrote to memory of 2876 2736 ppjpp.exe 35 PID 2736 wrote to memory of 2876 2736 ppjpp.exe 35 PID 2876 wrote to memory of 2252 2876 bhtntt.exe 36 PID 2876 wrote to memory of 2252 2876 bhtntt.exe 36 PID 2876 wrote to memory of 2252 2876 bhtntt.exe 36 PID 2876 wrote to memory of 2252 2876 bhtntt.exe 36 PID 2252 wrote to memory of 2840 2252 nbhhnn.exe 37 PID 2252 wrote to memory of 2840 2252 nbhhnn.exe 37 PID 2252 wrote to memory of 2840 2252 nbhhnn.exe 37 PID 2252 wrote to memory of 2840 2252 nbhhnn.exe 37 PID 2840 wrote to memory of 2764 2840 llllllr.exe 38 PID 2840 
wrote to memory of 2764 2840 llllllr.exe 38 PID 2840 wrote to memory of 2764 2840 llllllr.exe 38 PID 2840 wrote to memory of 2764 2840 llllllr.exe 38 PID 2764 wrote to memory of 2640 2764 hthntb.exe 39 PID 2764 wrote to memory of 2640 2764 hthntb.exe 39 PID 2764 wrote to memory of 2640 2764 hthntb.exe 39 PID 2764 wrote to memory of 2640 2764 hthntb.exe 39 PID 2640 wrote to memory of 380 2640 lxlllll.exe 40 PID 2640 wrote to memory of 380 2640 lxlllll.exe 40 PID 2640 wrote to memory of 380 2640 lxlllll.exe 40 PID 2640 wrote to memory of 380 2640 lxlllll.exe 40 PID 380 wrote to memory of 1432 380 ffxllfl.exe 41 PID 380 wrote to memory of 1432 380 ffxllfl.exe 41 PID 380 wrote to memory of 1432 380 ffxllfl.exe 41 PID 380 wrote to memory of 1432 380 ffxllfl.exe 41 PID 1432 wrote to memory of 2200 1432 5pdpv.exe 42 PID 1432 wrote to memory of 2200 1432 5pdpv.exe 42 PID 1432 wrote to memory of 2200 1432 5pdpv.exe 42 PID 1432 wrote to memory of 2200 1432 5pdpv.exe 42 PID 2200 wrote to memory of 2940 2200 7rxxxxf.exe 43 PID 2200 wrote to memory of 2940 2200 7rxxxxf.exe 43 PID 2200 wrote to memory of 2940 2200 7rxxxxf.exe 43 PID 2200 wrote to memory of 2940 2200 7rxxxxf.exe 43 PID 2940 wrote to memory of 2264 2940 hbnhnb.exe 44 PID 2940 wrote to memory of 2264 2940 hbnhnb.exe 44 PID 2940 wrote to memory of 2264 2940 hbnhnb.exe 44 PID 2940 wrote to memory of 2264 2940 hbnhnb.exe 44 PID 2264 wrote to memory of 2716 2264 pjjjp.exe 45 PID 2264 wrote to memory of 2716 2264 pjjjp.exe 45 PID 2264 wrote to memory of 2716 2264 pjjjp.exe 45 PID 2264 wrote to memory of 2716 2264 pjjjp.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\eb9eeb3891190ef94f68e8919ff3c3bc3245bec907e5135f0999097fdb9aacd6.exe"C:\Users\Admin\AppData\Local\Temp\eb9eeb3891190ef94f68e8919ff3c3bc3245bec907e5135f0999097fdb9aacd6.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2328 -
\??\c:\xxrxlrf.exec:\xxrxlrf.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2212 -
\??\c:\tthhtt.exec:\tthhtt.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2084 -
\??\c:\vjpvj.exec:\vjpvj.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2596 -
\??\c:\fflrrrx.exec:\fflrrrx.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2036 -
\??\c:\ppjpp.exec:\ppjpp.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2736 -
\??\c:\bhtntt.exec:\bhtntt.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2876 -
\??\c:\nbhhnn.exec:\nbhhnn.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2252 -
\??\c:\llllllr.exec:\llllllr.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2840 -
\??\c:\hthntb.exec:\hthntb.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2764 -
\??\c:\lxlllll.exec:\lxlllll.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2640 -
\??\c:\ffxllfl.exec:\ffxllfl.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:380 -
\??\c:\5pdpv.exec:\5pdpv.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1432 -
\??\c:\7rxxxxf.exec:\7rxxxxf.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2200 -
\??\c:\hbnhnb.exec:\hbnhnb.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2940 -
\??\c:\pjjjp.exec:\pjjjp.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2264 -
\??\c:\thbbhn.exec:\thbbhn.exe17⤵
- Executes dropped EXE
PID:2716 -
\??\c:\3thnnt.exec:\3thnnt.exe18⤵
- Executes dropped EXE
PID:2728 -
\??\c:\7rlrrxf.exec:\7rlrrxf.exe19⤵
- Executes dropped EXE
PID:1448 -
\??\c:\nbntbt.exec:\nbntbt.exe20⤵
- Executes dropped EXE
PID:2192 -
\??\c:\pvddp.exec:\pvddp.exe21⤵
- Executes dropped EXE
PID:2128 -
\??\c:\lxlllrx.exec:\lxlllrx.exe22⤵
- Executes dropped EXE
PID:1256 -
\??\c:\3hhnth.exec:\3hhnth.exe23⤵
- Executes dropped EXE
PID:848 -
\??\c:\ddpdp.exec:\ddpdp.exe24⤵
- Executes dropped EXE
PID:1404 -
\??\c:\9nhntt.exec:\9nhntt.exe25⤵
- Executes dropped EXE
PID:1512 -
\??\c:\1vpjj.exec:\1vpjj.exe26⤵
- Executes dropped EXE
PID:1692 -
\??\c:\xrlrffx.exec:\xrlrffx.exe27⤵
- Executes dropped EXE
PID:2580 -
\??\c:\ttthth.exec:\ttthth.exe28⤵
- Executes dropped EXE
PID:1652 -
\??\c:\frlrflf.exec:\frlrflf.exe29⤵
- Executes dropped EXE
PID:2476 -
\??\c:\tbthtt.exec:\tbthtt.exe30⤵
- Executes dropped EXE
PID:1296 -
\??\c:\bnhntb.exec:\bnhntb.exe31⤵
- Executes dropped EXE
PID:2372 -
\??\c:\rxlrlrr.exec:\rxlrlrr.exe32⤵
- Executes dropped EXE
PID:2520 -
\??\c:\hbhhnt.exec:\hbhhnt.exe33⤵PID:1496
-
\??\c:\jdvdj.exec:\jdvdj.exe34⤵
- Executes dropped EXE
PID:2460 -
\??\c:\nnbnbh.exec:\nnbnbh.exe35⤵
- Executes dropped EXE
PID:2256 -
\??\c:\7pjjj.exec:\7pjjj.exe36⤵
- Executes dropped EXE
PID:2528 -
\??\c:\1frffxf.exec:\1frffxf.exe37⤵
- Executes dropped EXE
PID:984 -
\??\c:\lfxflfl.exec:\lfxflfl.exe38⤵
- Executes dropped EXE
PID:2280 -
\??\c:\9hhbnh.exec:\9hhbnh.exe39⤵
- Executes dropped EXE
PID:2732 -
\??\c:\vpdjj.exec:\vpdjj.exe40⤵
- Executes dropped EXE
PID:2880 -
\??\c:\fxfxfxf.exec:\fxfxfxf.exe41⤵
- Executes dropped EXE
PID:2928 -
\??\c:\rfxxxlx.exec:\rfxxxlx.exe42⤵
- Executes dropped EXE
PID:1992 -
\??\c:\thttbb.exec:\thttbb.exe43⤵
- Executes dropped EXE
PID:2652 -
\??\c:\pppvj.exec:\pppvj.exe44⤵
- Executes dropped EXE
PID:2628 -
\??\c:\rlxlxxl.exec:\rlxlxxl.exe45⤵
- Executes dropped EXE
PID:2672 -
\??\c:\7nhnbh.exec:\7nhnbh.exe46⤵
- Executes dropped EXE
PID:2800 -
\??\c:\9thntb.exec:\9thntb.exe47⤵
- Executes dropped EXE
PID:976 -
\??\c:\vjdpv.exec:\vjdpv.exe48⤵
- Executes dropped EXE
PID:1432 -
\??\c:\rrlxfrx.exec:\rrlxfrx.exe49⤵
- Executes dropped EXE
PID:1804 -
\??\c:\3fllllf.exec:\3fllllf.exe50⤵
- Executes dropped EXE
PID:2200 -
\??\c:\bbnthh.exec:\bbnthh.exe51⤵
- Executes dropped EXE
PID:2960 -
\??\c:\ppvpd.exec:\ppvpd.exe52⤵
- Executes dropped EXE
PID:1452 -
\??\c:\pjppj.exec:\pjppj.exe53⤵
- Executes dropped EXE
PID:3004 -
\??\c:\7lrlrrl.exec:\7lrlrrl.exe54⤵
- Executes dropped EXE
PID:3056 -
\??\c:\btbbhn.exec:\btbbhn.exe55⤵
- Executes dropped EXE
PID:1880 -
\??\c:\ttnntb.exec:\ttnntb.exe56⤵
- Executes dropped EXE
PID:1996 -
\??\c:\pjdvv.exec:\pjdvv.exe57⤵
- Executes dropped EXE
PID:3068 -
\??\c:\lfrrxxr.exec:\lfrrxxr.exe58⤵
- Executes dropped EXE
PID:2192 -
\??\c:\llxlxxl.exec:\llxlxxl.exe59⤵
- Executes dropped EXE
PID:2128 -
\??\c:\thtbhh.exec:\thtbhh.exe60⤵
- Executes dropped EXE
PID:1832 -
\??\c:\vvdpp.exec:\vvdpp.exe61⤵
- Executes dropped EXE
PID:1068 -
\??\c:\jdvjp.exec:\jdvjp.exe62⤵
- Executes dropped EXE
PID:2216 -
\??\c:\ffrxffx.exec:\ffrxffx.exe63⤵
- Executes dropped EXE
PID:1988 -
\??\c:\lflxllf.exec:\lflxllf.exe64⤵
- Executes dropped EXE
PID:1960 -
\??\c:\9bbhtb.exec:\9bbhtb.exe65⤵
- Executes dropped EXE
PID:1460 -
\??\c:\9pppj.exec:\9pppj.exe66⤵
- Executes dropped EXE
PID:2584 -
\??\c:\jpjpj.exec:\jpjpj.exe67⤵PID:1612
-
\??\c:\7xfxlll.exec:\7xfxlll.exe68⤵PID:2024
-
\??\c:\thnttt.exec:\thnttt.exe69⤵PID:2560
-
\??\c:\hnbhhh.exec:\hnbhhh.exe70⤵PID:1220
-
\??\c:\dpvpj.exec:\dpvpj.exe71⤵PID:2172
-
\??\c:\fxxxfxf.exec:\fxxxfxf.exe72⤵PID:1604
-
\??\c:\xxlrxxf.exec:\xxlrxxf.exe73⤵PID:2228
-
\??\c:\bttbbb.exec:\bttbbb.exe74⤵PID:2520
-
\??\c:\dpjpv.exec:\dpjpv.exe75⤵PID:2556
-
\??\c:\jvpjd.exec:\jvpjd.exe76⤵PID:2332
-
\??\c:\llxfllx.exec:\llxfllx.exe77⤵PID:2420
-
\??\c:\hbnhnn.exec:\hbnhnn.exe78⤵PID:2240
-
\??\c:\bnnhhb.exec:\bnnhhb.exe79⤵PID:2392
-
\??\c:\dpvdp.exec:\dpvdp.exe80⤵PID:2260
-
\??\c:\3lxxfrx.exec:\3lxxfrx.exe81⤵PID:2780
-
\??\c:\llxlrrf.exec:\llxlrrf.exe82⤵PID:2852
-
\??\c:\hthbhb.exec:\hthbhb.exe83⤵PID:3008
-
\??\c:\5bhntn.exec:\5bhntn.exe84⤵PID:2888
-
\??\c:\jdpdv.exec:\jdpdv.exe85⤵PID:2740
-
\??\c:\lrxrfrx.exec:\lrxrfrx.exe86⤵PID:2632
-
\??\c:\llrrffl.exec:\llrrffl.exe87⤵PID:2236
-
\??\c:\tntthh.exec:\tntthh.exe88⤵PID:1468
-
\??\c:\vpjdp.exec:\vpjdp.exe89⤵PID:2980
-
\??\c:\pjvdj.exec:\pjvdj.exe90⤵PID:2984
-
\??\c:\9xllfxf.exec:\9xllfxf.exe91⤵PID:2992
-
\??\c:\nhbhnn.exec:\nhbhnn.exe92⤵PID:2816
-
\??\c:\5nbbnt.exec:\5nbbnt.exe93⤵PID:2688
-
\??\c:\vvjjj.exec:\vvjjj.exe94⤵PID:2264
-
\??\c:\1lxlfff.exec:\1lxlfff.exe95⤵PID:1452
-
\??\c:\fxxflrx.exec:\fxxflrx.exe96⤵PID:1700
-
\??\c:\bthbnn.exec:\bthbnn.exe97⤵PID:3056
-
\??\c:\pdpjp.exec:\pdpjp.exe98⤵PID:1440
-
\??\c:\jddjj.exec:\jddjj.exe99⤵PID:2588
-
\??\c:\rlflxfx.exec:\rlflxfx.exe100⤵PID:1616
-
\??\c:\thbbtt.exec:\thbbtt.exe101⤵PID:2056
-
\??\c:\1djjj.exec:\1djjj.exe102⤵PID:1816
-
\??\c:\dvdjj.exec:\dvdjj.exe103⤵PID:2484
-
\??\c:\rxfrxll.exec:\rxfrxll.exe104⤵PID:1152
-
\??\c:\3xlflrr.exec:\3xlflrr.exe105⤵PID:2612
-
\??\c:\bbnnbb.exec:\bbnnbb.exe106⤵PID:1512
-
\??\c:\9pppv.exec:\9pppv.exe107⤵PID:1960
-
\??\c:\pjdpp.exec:\pjdpp.exe108⤵PID:1588
-
\??\c:\xrlfrrf.exec:\xrlfrrf.exe109⤵PID:2444
-
\??\c:\bnbbbh.exec:\bnbbbh.exe110⤵PID:1612
-
\??\c:\nbbbnh.exec:\nbbbnh.exe111⤵PID:2024
-
\??\c:\dpddj.exec:\dpddj.exe112⤵PID:1896
-
\??\c:\rfrrllr.exec:\rfrrllr.exe113⤵
- System Location Discovery: System Language Discovery
PID:2016 -
\??\c:\bhthhb.exec:\bhthhb.exe114⤵PID:2124
-
\??\c:\7httnh.exec:\7httnh.exe115⤵PID:2328
-
\??\c:\3pjpp.exec:\3pjpp.exe116⤵PID:1496
-
\??\c:\xxrllrr.exec:\xxrllrr.exe117⤵PID:2708
-
\??\c:\rrfrxlx.exec:\rrfrxlx.exe118⤵PID:1664
-
\??\c:\1tnhhb.exec:\1tnhhb.exe119⤵PID:2596
-
\??\c:\jdpvj.exec:\jdpvj.exe120⤵PID:1504
-
\??\c:\jdjjj.exec:\jdjjj.exe121⤵PID:2756
-
\??\c:\xxffrlx.exec:\xxffrlx.exe122⤵PID:2392