Analysis
-
max time kernel
120s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
08/01/2025, 07:18
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
8c0beaea82bb3fe4f5fe0959a11cd230480f8c6660bde164c5b4092fb6aaa4faN.exe
Resource
win7-20240903-en
7 signatures
120 seconds
General
-
Target
8c0beaea82bb3fe4f5fe0959a11cd230480f8c6660bde164c5b4092fb6aaa4faN.exe
-
Size
454KB
-
MD5
bf23a4b63186a191b3a9c48695803290
-
SHA1
5368199573132895dc66ba1c69e76e39423f30e7
-
SHA256
8c0beaea82bb3fe4f5fe0959a11cd230480f8c6660bde164c5b4092fb6aaa4fa
-
SHA512
06d2c72fef456c7509f5a5fd7a1741379ccddffb637145f42cb283e5ac73f789a4ec254f5034b4e828e63a6bda788f4c629cc360cfc8605bf4fde57877efff0d
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeW:q7Tc2NYHUrAwfMp3CDW
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 47 IoCs
resource yara_rule behavioral1/memory/1904-8-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2412-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1736-27-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2184-45-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2892-55-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3060-64-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2860-78-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2620-76-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2600-94-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/2600-96-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2332-104-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/672-116-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1464-125-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2816-143-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1032-165-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1740-175-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2328-192-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2064-201-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1052-213-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2316-210-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2152-222-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2152-228-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1520-238-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2352-266-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1704-282-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2412-309-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/1552-300-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/876-322-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2620-361-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2860-367-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2816-422-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3008-452-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/3008-455-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1704-556-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/2600-651-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2752-664-0x0000000000530000-0x000000000055A000-memory.dmp family_blackmoon behavioral1/memory/2964-691-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1740-724-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1248-733-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1544-758-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2140-784-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2384-810-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon 
behavioral1/memory/2040-960-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2768-967-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2768-993-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1484-1014-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2056-1046-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2412 5llrffl.exe 1736 hbtbnb.exe 2516 pdpvj.exe 2184 7jjdp.exe 2892 3vpdj.exe 3060 bbhntb.exe 2620 bbbtht.exe 2860 xfxffxl.exe 2600 nnnhnn.exe 2332 3rrflxl.exe 672 rrffxrf.exe 1464 pjpvj.exe 2944 ffxrflf.exe 2816 bbbhbb.exe 536 jjvvp.exe 264 lllxlrl.exe 1032 9hhhbh.exe 1740 hnthtt.exe 2328 5llxllr.exe 2064 jdpvv.exe 2316 3lxlrlr.exe 1052 bhbthb.exe 2152 ppdpv.exe 1520 9lffrxx.exe 2448 dvjjd.exe 3068 xxllfrx.exe 2352 hbnhnt.exe 1144 fxllxlr.exe 1704 1tttbt.exe 1104 jvjdd.exe 1552 9xlrrrr.exe 2412 rxllrrf.exe 1252 vvpvp.exe 876 lfxxffr.exe 2724 9bnntn.exe 2740 pdvdd.exe 2688 xrfflfl.exe 2708 3lxflfl.exe 3028 tnhhnh.exe 2620 pdpvv.exe 2860 1vjpv.exe 2580 1rffflr.exe 2504 3tbtbb.exe 1832 nhttbt.exe 2084 jdppp.exe 2964 1jdvv.exe 1464 5rlxlrx.exe 2776 nbnttn.exe 2920 9jvdp.exe 2816 jdvdd.exe 2768 9rlllll.exe 656 hhttbb.exe 2960 hbnnnh.exe 1512 dvddv.exe 3008 ffrxflr.exe 2060 nhbnbb.exe 1716 hhbthh.exe 2380 7jvdp.exe 2948 3xllrll.exe 2316 9frrlfr.exe 604 bnhbhh.exe 1680 dvpdd.exe 904 1lflfrl.exe 1652 nbtbbh.exe -
resource yara_rule behavioral1/memory/1904-8-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1736-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2412-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1736-27-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2184-45-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3060-56-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2892-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3060-64-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2860-78-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2620-76-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2600-96-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2332-104-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1464-118-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/672-116-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1464-125-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2816-143-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/536-145-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1032-165-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1740-175-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2064-193-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2328-192-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2064-201-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1052-213-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2316-210-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2152-222-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1520-238-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2448-240-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2352-266-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1704-282-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/876-322-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2620-354-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2620-361-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2860-367-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2816-422-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3008-455-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/604-487-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1680-494-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1704-549-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1596-624-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2600-643-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2600-651-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2700-649-0x00000000001B0000-0x00000000001DA000-memory.dmp upx behavioral1/memory/2964-691-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1740-724-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/1248-725-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1544-758-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2140-777-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2356-830-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/3028-887-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2040-960-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1684-1021-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dddvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvjpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfrxxrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdvdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlxxfff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbtthh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7xrxflx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1xrrrxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhbbhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process 
not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfrrxfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1vvvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bthbbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5nthtb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7ddjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1904 wrote to memory of 2412 1904 8c0beaea82bb3fe4f5fe0959a11cd230480f8c6660bde164c5b4092fb6aaa4faN.exe 30 PID 1904 wrote to memory of 2412 1904 8c0beaea82bb3fe4f5fe0959a11cd230480f8c6660bde164c5b4092fb6aaa4faN.exe 30 PID 1904 wrote to memory of 2412 1904 8c0beaea82bb3fe4f5fe0959a11cd230480f8c6660bde164c5b4092fb6aaa4faN.exe 30 PID 1904 wrote to memory of 2412 1904 8c0beaea82bb3fe4f5fe0959a11cd230480f8c6660bde164c5b4092fb6aaa4faN.exe 30 PID 2412 wrote to memory of 1736 2412 5llrffl.exe 31 PID 2412 wrote to memory of 1736 2412 5llrffl.exe 31 PID 2412 wrote to memory of 1736 2412 5llrffl.exe 31 PID 2412 wrote to memory of 1736 2412 5llrffl.exe 31 PID 1736 wrote to memory of 2516 1736 hbtbnb.exe 32 PID 1736 wrote to memory of 2516 1736 hbtbnb.exe 32 PID 1736 wrote to memory of 2516 1736 hbtbnb.exe 32 PID 1736 wrote to memory of 2516 1736 hbtbnb.exe 32 PID 2516 wrote to memory of 2184 2516 pdpvj.exe 33 PID 2516 wrote to memory of 2184 2516 pdpvj.exe 33 PID 2516 wrote to memory of 2184 2516 pdpvj.exe 33 PID 2516 wrote to memory of 2184 2516 pdpvj.exe 33 PID 2184 wrote to memory of 2892 2184 7jjdp.exe 34 PID 2184 wrote to memory of 2892 2184 7jjdp.exe 34 PID 2184 wrote to memory of 2892 2184 7jjdp.exe 34 PID 2184 wrote to memory of 2892 2184 7jjdp.exe 34 PID 2892 wrote to memory of 3060 2892 3vpdj.exe 35 PID 2892 wrote to memory of 3060 2892 3vpdj.exe 35 PID 2892 wrote to memory of 3060 2892 3vpdj.exe 35 PID 2892 wrote to memory of 3060 2892 3vpdj.exe 35 PID 3060 wrote to memory of 2620 3060 bbhntb.exe 36 PID 3060 wrote to memory of 2620 3060 bbhntb.exe 36 PID 3060 wrote to memory of 2620 3060 bbhntb.exe 36 PID 3060 wrote to memory of 2620 3060 bbhntb.exe 36 PID 2620 wrote to memory of 2860 2620 bbbtht.exe 37 PID 2620 wrote to memory of 2860 2620 bbbtht.exe 37 PID 2620 wrote to memory of 2860 2620 bbbtht.exe 37 PID 2620 wrote to memory of 2860 2620 bbbtht.exe 37 PID 2860 wrote to memory of 2600 2860 xfxffxl.exe 38 PID 2860 wrote 
to memory of 2600 2860 xfxffxl.exe 38 PID 2860 wrote to memory of 2600 2860 xfxffxl.exe 38 PID 2860 wrote to memory of 2600 2860 xfxffxl.exe 38 PID 2600 wrote to memory of 2332 2600 nnnhnn.exe 39 PID 2600 wrote to memory of 2332 2600 nnnhnn.exe 39 PID 2600 wrote to memory of 2332 2600 nnnhnn.exe 39 PID 2600 wrote to memory of 2332 2600 nnnhnn.exe 39 PID 2332 wrote to memory of 672 2332 3rrflxl.exe 40 PID 2332 wrote to memory of 672 2332 3rrflxl.exe 40 PID 2332 wrote to memory of 672 2332 3rrflxl.exe 40 PID 2332 wrote to memory of 672 2332 3rrflxl.exe 40 PID 672 wrote to memory of 1464 672 rrffxrf.exe 41 PID 672 wrote to memory of 1464 672 rrffxrf.exe 41 PID 672 wrote to memory of 1464 672 rrffxrf.exe 41 PID 672 wrote to memory of 1464 672 rrffxrf.exe 41 PID 1464 wrote to memory of 2944 1464 pjpvj.exe 42 PID 1464 wrote to memory of 2944 1464 pjpvj.exe 42 PID 1464 wrote to memory of 2944 1464 pjpvj.exe 42 PID 1464 wrote to memory of 2944 1464 pjpvj.exe 42 PID 2944 wrote to memory of 2816 2944 ffxrflf.exe 43 PID 2944 wrote to memory of 2816 2944 ffxrflf.exe 43 PID 2944 wrote to memory of 2816 2944 ffxrflf.exe 43 PID 2944 wrote to memory of 2816 2944 ffxrflf.exe 43 PID 2816 wrote to memory of 536 2816 bbbhbb.exe 44 PID 2816 wrote to memory of 536 2816 bbbhbb.exe 44 PID 2816 wrote to memory of 536 2816 bbbhbb.exe 44 PID 2816 wrote to memory of 536 2816 bbbhbb.exe 44 PID 536 wrote to memory of 264 536 jjvvp.exe 45 PID 536 wrote to memory of 264 536 jjvvp.exe 45 PID 536 wrote to memory of 264 536 jjvvp.exe 45 PID 536 wrote to memory of 264 536 jjvvp.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\8c0beaea82bb3fe4f5fe0959a11cd230480f8c6660bde164c5b4092fb6aaa4faN.exe"C:\Users\Admin\AppData\Local\Temp\8c0beaea82bb3fe4f5fe0959a11cd230480f8c6660bde164c5b4092fb6aaa4faN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1904 -
\??\c:\5llrffl.exec:\5llrffl.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2412 -
\??\c:\hbtbnb.exec:\hbtbnb.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1736 -
\??\c:\pdpvj.exec:\pdpvj.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2516 -
\??\c:\7jjdp.exec:\7jjdp.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2184 -
\??\c:\3vpdj.exec:\3vpdj.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2892 -
\??\c:\bbhntb.exec:\bbhntb.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3060 -
\??\c:\bbbtht.exec:\bbbtht.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2620 -
\??\c:\xfxffxl.exec:\xfxffxl.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2860 -
\??\c:\nnnhnn.exec:\nnnhnn.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2600 -
\??\c:\3rrflxl.exec:\3rrflxl.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2332 -
\??\c:\rrffxrf.exec:\rrffxrf.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:672 -
\??\c:\pjpvj.exec:\pjpvj.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1464 -
\??\c:\ffxrflf.exec:\ffxrflf.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2944 -
\??\c:\bbbhbb.exec:\bbbhbb.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2816 -
\??\c:\jjvvp.exec:\jjvvp.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:536 -
\??\c:\lllxlrl.exec:\lllxlrl.exe17⤵
- Executes dropped EXE
PID:264 -
\??\c:\9hhhbh.exec:\9hhhbh.exe18⤵
- Executes dropped EXE
PID:1032 -
\??\c:\hnthtt.exec:\hnthtt.exe19⤵
- Executes dropped EXE
PID:1740 -
\??\c:\5llxllr.exec:\5llxllr.exe20⤵
- Executes dropped EXE
PID:2328 -
\??\c:\jdpvv.exec:\jdpvv.exe21⤵
- Executes dropped EXE
PID:2064 -
\??\c:\3lxlrlr.exec:\3lxlrlr.exe22⤵
- Executes dropped EXE
PID:2316 -
\??\c:\bhbthb.exec:\bhbthb.exe23⤵
- Executes dropped EXE
PID:1052 -
\??\c:\ppdpv.exec:\ppdpv.exe24⤵
- Executes dropped EXE
PID:2152 -
\??\c:\9lffrxx.exec:\9lffrxx.exe25⤵
- Executes dropped EXE
PID:1520 -
\??\c:\dvjjd.exec:\dvjjd.exe26⤵
- Executes dropped EXE
PID:2448 -
\??\c:\xxllfrx.exec:\xxllfrx.exe27⤵
- Executes dropped EXE
PID:3068 -
\??\c:\hbnhnt.exec:\hbnhnt.exe28⤵
- Executes dropped EXE
PID:2352 -
\??\c:\fxllxlr.exec:\fxllxlr.exe29⤵
- Executes dropped EXE
PID:1144 -
\??\c:\1tttbt.exec:\1tttbt.exe30⤵
- Executes dropped EXE
PID:1704 -
\??\c:\jvjdd.exec:\jvjdd.exe31⤵
- Executes dropped EXE
PID:1104 -
\??\c:\9xlrrrr.exec:\9xlrrrr.exe32⤵
- Executes dropped EXE
PID:1552 -
\??\c:\rxllrrf.exec:\rxllrrf.exe33⤵
- Executes dropped EXE
PID:2412 -
\??\c:\vvpvp.exec:\vvpvp.exe34⤵
- Executes dropped EXE
PID:1252 -
\??\c:\lfxxffr.exec:\lfxxffr.exe35⤵
- Executes dropped EXE
PID:876 -
\??\c:\9bnntn.exec:\9bnntn.exe36⤵
- Executes dropped EXE
PID:2724 -
\??\c:\pdvdd.exec:\pdvdd.exe37⤵
- Executes dropped EXE
PID:2740 -
\??\c:\xrfflfl.exec:\xrfflfl.exe38⤵
- Executes dropped EXE
PID:2688 -
\??\c:\3lxflfl.exec:\3lxflfl.exe39⤵
- Executes dropped EXE
PID:2708 -
\??\c:\tnhhnh.exec:\tnhhnh.exe40⤵
- Executes dropped EXE
PID:3028 -
\??\c:\pdpvv.exec:\pdpvv.exe41⤵
- Executes dropped EXE
PID:2620 -
\??\c:\1vjpv.exec:\1vjpv.exe42⤵
- Executes dropped EXE
PID:2860 -
\??\c:\1rffflr.exec:\1rffflr.exe43⤵
- Executes dropped EXE
PID:2580 -
\??\c:\3tbtbb.exec:\3tbtbb.exe44⤵
- Executes dropped EXE
PID:2504 -
\??\c:\nhttbt.exec:\nhttbt.exe45⤵
- Executes dropped EXE
PID:1832 -
\??\c:\jdppp.exec:\jdppp.exe46⤵
- Executes dropped EXE
PID:2084 -
\??\c:\1jdvv.exec:\1jdvv.exe47⤵
- Executes dropped EXE
PID:2964 -
\??\c:\5rlxlrx.exec:\5rlxlrx.exe48⤵
- Executes dropped EXE
PID:1464 -
\??\c:\nbnttn.exec:\nbnttn.exe49⤵
- Executes dropped EXE
PID:2776 -
\??\c:\9jvdp.exec:\9jvdp.exe50⤵
- Executes dropped EXE
PID:2920 -
\??\c:\jdvdd.exec:\jdvdd.exe51⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2816 -
\??\c:\9rlllll.exec:\9rlllll.exe52⤵
- Executes dropped EXE
PID:2768 -
\??\c:\hhttbb.exec:\hhttbb.exe53⤵
- Executes dropped EXE
PID:656 -
\??\c:\hbnnnh.exec:\hbnnnh.exe54⤵
- Executes dropped EXE
PID:2960 -
\??\c:\dvddv.exec:\dvddv.exe55⤵
- Executes dropped EXE
PID:1512 -
\??\c:\ffrxflr.exec:\ffrxflr.exe56⤵
- Executes dropped EXE
PID:3008 -
\??\c:\nhbnbb.exec:\nhbnbb.exe57⤵
- Executes dropped EXE
PID:2060 -
\??\c:\hhbthh.exec:\hhbthh.exe58⤵
- Executes dropped EXE
PID:1716 -
\??\c:\7jvdp.exec:\7jvdp.exe59⤵
- Executes dropped EXE
PID:2380 -
\??\c:\3xllrll.exec:\3xllrll.exe60⤵
- Executes dropped EXE
PID:2948 -
\??\c:\9frrlfr.exec:\9frrlfr.exe61⤵
- Executes dropped EXE
PID:2316 -
\??\c:\bnhbhh.exec:\bnhbhh.exe62⤵
- Executes dropped EXE
PID:604 -
\??\c:\dvpdd.exec:\dvpdd.exe63⤵
- Executes dropped EXE
PID:1680 -
\??\c:\1lflfrl.exec:\1lflfrl.exe64⤵
- Executes dropped EXE
PID:904 -
\??\c:\nbtbbh.exec:\nbtbbh.exe65⤵
- Executes dropped EXE
PID:1652 -
\??\c:\nhthbh.exec:\nhthbh.exe66⤵PID:2448
-
\??\c:\dvpvd.exec:\dvpvd.exe67⤵PID:828
-
\??\c:\7rxxxrx.exec:\7rxxxrx.exe68⤵PID:2044
-
\??\c:\9lxrlfl.exec:\9lxrlfl.exe69⤵PID:2216
-
\??\c:\1hnntn.exec:\1hnntn.exe70⤵PID:1712
-
\??\c:\1vvjd.exec:\1vvjd.exe71⤵PID:884
-
\??\c:\5vppp.exec:\5vppp.exe72⤵PID:1704
-
\??\c:\lxllrxf.exec:\lxllrxf.exe73⤵PID:1692
-
\??\c:\bnbbtt.exec:\bnbbtt.exe74⤵PID:1708
-
\??\c:\nhbhtt.exec:\nhbhtt.exe75⤵PID:2412
-
\??\c:\1vvvv.exec:\1vvvv.exe76⤵
- System Location Discovery: System Language Discovery
PID:2416 -
\??\c:\vpdvv.exec:\vpdvv.exe77⤵PID:2368
-
\??\c:\xrflrrx.exec:\xrflrrx.exe78⤵PID:876
-
\??\c:\hbhnnn.exec:\hbhnnn.exe79⤵PID:2184
-
\??\c:\btbbbt.exec:\btbbbt.exe80⤵PID:2884
-
\??\c:\vpjjv.exec:\vpjjv.exe81⤵PID:2716
-
\??\c:\3xxxxfr.exec:\3xxxxfr.exe82⤵PID:2744
-
\??\c:\rrflxxf.exec:\rrflxxf.exe83⤵PID:2700
-
\??\c:\5nnnnt.exec:\5nnnnt.exe84⤵PID:1596
-
\??\c:\djvvd.exec:\djvvd.exe85⤵PID:2588
-
\??\c:\vjppp.exec:\vjppp.exe86⤵PID:2580
-
\??\c:\3llrllx.exec:\3llrllx.exe87⤵PID:2600
-
\??\c:\ttnthn.exec:\ttnthn.exe88⤵PID:2364
-
\??\c:\3nbhhh.exec:\3nbhhh.exe89⤵PID:2752
-
\??\c:\vjppv.exec:\vjppv.exe90⤵PID:2964
-
\??\c:\fffxrlx.exec:\fffxrlx.exe91⤵PID:1464
-
\??\c:\btnhhh.exec:\btnhhh.exe92⤵PID:2792
-
\??\c:\pdddj.exec:\pdddj.exe93⤵PID:2820
-
\??\c:\dvpvd.exec:\dvpvd.exe94⤵PID:536
-
\??\c:\rxrfxxf.exec:\rxrfxxf.exe95⤵PID:264
-
\??\c:\hbtthn.exec:\hbtthn.exe96⤵PID:300
-
\??\c:\5hbbhb.exec:\5hbbhb.exe97⤵PID:1032
-
\??\c:\jvjdd.exec:\jvjdd.exe98⤵PID:1740
-
\??\c:\frrflfl.exec:\frrflfl.exe99⤵PID:1248
-
\??\c:\rlflxfr.exec:\rlflxfr.exe100⤵PID:2052
-
\??\c:\bthbht.exec:\bthbht.exe101⤵PID:2320
-
\??\c:\pvdvj.exec:\pvdvj.exe102⤵PID:3032
-
\??\c:\9xxfffl.exec:\9xxfffl.exe103⤵PID:1544
-
\??\c:\5lrrfff.exec:\5lrrfff.exe104⤵PID:2540
-
\??\c:\3hnntn.exec:\3hnntn.exe105⤵PID:1304
-
\??\c:\9vjdj.exec:\9vjdj.exe106⤵PID:2152
-
\??\c:\jdpjj.exec:\jdpjj.exe107⤵PID:2140
-
\??\c:\xrflrrf.exec:\xrflrrf.exe108⤵PID:2456
-
\??\c:\tnntht.exec:\tnntht.exe109⤵PID:584
-
\??\c:\tbnhhn.exec:\tbnhhn.exe110⤵PID:2272
-
\??\c:\vvvdd.exec:\vvvdd.exe111⤵PID:2384
-
\??\c:\rfrxfrl.exec:\rfrxfrl.exe112⤵PID:1940
-
\??\c:\hnhhnn.exec:\hnhhnn.exe113⤵PID:1988
-
\??\c:\nhbbnt.exec:\nhbbnt.exe114⤵PID:1584
-
\??\c:\vddpd.exec:\vddpd.exe115⤵PID:2356
-
\??\c:\rrlfrlr.exec:\rrlfrlr.exe116⤵PID:1708
-
\??\c:\5xrffrx.exec:\5xrffrx.exe117⤵PID:2376
-
\??\c:\ttthtb.exec:\ttthtb.exe118⤵PID:2416
-
\??\c:\pjpdp.exec:\pjpdp.exe119⤵PID:2732
-
\??\c:\pddvd.exec:\pddvd.exe120⤵PID:876
-
\??\c:\3lxxffl.exec:\3lxxffl.exe121⤵PID:2728
-
\??\c:\1nbthh.exec:\1nbthh.exe122⤵PID:2552