Analysis

max time kernel: 120s
max time network: 118s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 27/01/2025, 14:58

Static task: static1 (1 signatures)

Behavioral task: behavioral1
Sample: c96ffff06d7cf6cc2ed55bd1bc986901bed816ca30d59df7c7b1168262a3bc5dN.exe
Resource: win7-20240903-en
7 signatures, 120 seconds

General

Target: c96ffff06d7cf6cc2ed55bd1bc986901bed816ca30d59df7c7b1168262a3bc5dN.exe
Size: 454KB
MD5: b3f0595ea78694aa53a7a9c4f9329dc0
SHA1: c2350c0a196d6afeb33bdab026e9035d9500fa0b
SHA256: c96ffff06d7cf6cc2ed55bd1bc986901bed816ca30d59df7c7b1168262a3bc5d
SHA512: 563b66abd8b97a786905aecb2a6cbcef8bf677df548df886fbb1c51c1774b253f3d1d4d09aad240adc8bcc5c98fed139bd875db67720f3e0ca4c6f3366873dd5
SSDEEP: 6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe0:q7Tc2NYHUrAwfMp3CD0
Malware Config
Signatures
- Blackmoon family
- Detect Blackmoon payload (46 IoCs)
- Executes dropped EXE (64 IoCs)
- System Location Discovery: System Language Discovery (1 TTPs, 64 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Suspicious use of WriteProcessMemory (64 IoCs)
Processes

Each entry is a child of the one above it; the number is its depth in the process tree.

1. C:\Users\Admin\AppData\Local\Temp\c96ffff06d7cf6cc2ed55bd1bc986901bed816ca30d59df7c7b1168262a3bc5dN.exe
   - Suspicious use of WriteProcessMemory
   - PID: 2096
2. \??\c:\tnbtth.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
   - PID: 2480
3. \??\c:\1jpjp.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
   - PID: 2328
4. \??\c:\htbhhb.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
   - PID: 2840
5. \??\c:\xlxlfxf.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
   - PID: 2700
6. \??\c:\thtttb.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
   - PID: 2784
7. \??\c:\vjdpd.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
   - PID: 2792
8. \??\c:\lxlrxrf.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
   - PID: 2748
9. \??\c:\nhttth.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
   - PID: 2724
10. \??\c:\lrfflfr.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
   - PID: 2552
11. \??\c:\nbnhnh.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
   - PID: 3044
12. \??\c:\dvddp.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
   - PID: 1492
13. \??\c:\lxrllrx.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
   - PID: 2940
14. \??\c:\9hnttt.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
   - PID: 1220
15. \??\c:\vvjjp.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
   - PID: 2848
16. \??\c:\1thhhh.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
   - PID: 1564
17. \??\c:\htnhhh.exe
   - Executes dropped EXE
   - PID: 1400
18. \??\c:\rrffllr.exe
   - Executes dropped EXE
   - PID: 2912
19. \??\c:\rlxfxrf.exe
   - Executes dropped EXE
   - PID: 2016
20. \??\c:\jjvdj.exe
   - Executes dropped EXE
   - PID: 328
21. \??\c:\lflllrx.exe
   - Executes dropped EXE
   - PID: 1664
22. \??\c:\1bhbnn.exe
   - Executes dropped EXE
   - PID: 1604
23. \??\c:\rlrxffl.exe
   - Executes dropped EXE
   - PID: 3036
24. \??\c:\9nhnnb.exe
   - Executes dropped EXE
   - PID: 1312
25. \??\c:\bhnntt.exe
   - Executes dropped EXE
   - PID: 1056
26. \??\c:\rlxrxrf.exe
   - Executes dropped EXE
   - PID: 1208
27. \??\c:\7lxrrrr.exe
   - Executes dropped EXE
   - PID: 2112
28. \??\c:\jdpdd.exe
   - Executes dropped EXE
   - PID: 2960
29. \??\c:\1lxxrrx.exe
   - Executes dropped EXE
   - PID: 2416
30. \??\c:\5jppp.exe
   - Executes dropped EXE
   - PID: 1076
31. \??\c:\pjddj.exe
   - Executes dropped EXE
   - PID: 3004
32. \??\c:\tbttbt.exe
   - Executes dropped EXE
   - PID: 2484
33. \??\c:\9vpdd.exe
   - Executes dropped EXE
   - PID: 2336
34. \??\c:\lfrrffl.exe
   - Executes dropped EXE
   - PID: 2640
35. \??\c:\btnntt.exe
   - Executes dropped EXE
   - PID: 2140
36. \??\c:\btbbhh.exe
   - Executes dropped EXE
   - PID: 1976
37. \??\c:\3ppvd.exe
   - Executes dropped EXE
   - PID: 2704
38. \??\c:\xlxxxxr.exe
   - Executes dropped EXE
   - PID: 2968
39. \??\c:\xrllrxl.exe
   - Executes dropped EXE
   - PID: 2712
40. \??\c:\bthntt.exe
   - Executes dropped EXE
   - PID: 2792
41. \??\c:\dpddj.exe
   - Executes dropped EXE
   - PID: 2696
42. \??\c:\7dvvv.exe
   - Executes dropped EXE
   - PID: 2284
43. \??\c:\rrfxfxx.exe
   - Executes dropped EXE
   - PID: 2600
44. \??\c:\9nbhhh.exe
   - Executes dropped EXE
   - PID: 2396
45. \??\c:\pdjdv.exe
   - Executes dropped EXE
   - PID: 1028
46. \??\c:\7dvpp.exe
   - Executes dropped EXE
   - PID: 1404
47. \??\c:\lxxrfxf.exe
   - Executes dropped EXE
   - PID: 2884
48. \??\c:\9thbtn.exe
   - Executes dropped EXE
   - PID: 2388
49. \??\c:\hhhhhn.exe
   - Executes dropped EXE
   - PID: 2872
50. \??\c:\vvjjj.exe
   - Executes dropped EXE
   - PID: 2804
51. \??\c:\xrfxfxl.exe
   - Executes dropped EXE
   - PID: 1828
52. \??\c:\ttnhnt.exe
   - Executes dropped EXE
   - PID: 2920
53. \??\c:\5nnhhn.exe
   - Executes dropped EXE
   - PID: 1504
54. \??\c:\dvjjp.exe
   - Executes dropped EXE
   - PID: 880
55. \??\c:\5rxfrrr.exe
   - Executes dropped EXE
   - PID: 3024
56. \??\c:\fxxxxlf.exe
   - Executes dropped EXE
   - PID: 2152
57. \??\c:\thttnn.exe
   - Executes dropped EXE
   - PID: 1820
58. \??\c:\vjvjp.exe
   - Executes dropped EXE
   - PID: 1944
59. \??\c:\ppvdp.exe
   - Executes dropped EXE
   - PID: 2020
60. \??\c:\xrffflx.exe
   - Executes dropped EXE
   - PID: 1876
61. \??\c:\bbnttn.exe
   - Executes dropped EXE
   - PID: 2124
62. \??\c:\hbnhtt.exe
   - Executes dropped EXE
   - PID: 3036
63. \??\c:\1jpjp.exe
   - Executes dropped EXE
   - PID: 972
64. \??\c:\rlxrxrr.exe
   - Executes dropped EXE
   - PID: 1724
65. \??\c:\frlrxrf.exe
   - Executes dropped EXE
   - PID: 2192
66. \??\c:\htnnth.exe
   - PID: 904
67. \??\c:\1jpjj.exe
   - PID: 2112
68. \??\c:\3xlffff.exe
   - PID: 2160
69. \??\c:\lxfflrf.exe
   - PID: 1776
70. \??\c:\btntbt.exe
   - PID: 1760
71. \??\c:\hthbbb.exe
   - PID: 1076
72. \??\c:\3vvvp.exe
   - PID: 1484
73. \??\c:\1ffxllx.exe
   - PID: 1576
74. \??\c:\5flxlff.exe
   - PID: 2100
75. \??\c:\thnnnn.exe
   - PID: 604
76. \??\c:\vjddj.exe
   - PID: 2488
77. \??\c:\vjpjd.exe
   - PID: 2664
78. \??\c:\7rllfff.exe
   - PID: 2752
79. \??\c:\bbhtnb.exe
   - PID: 2824
80. \??\c:\hhnnnh.exe
   - PID: 2716
81. \??\c:\pvvpj.exe
   - PID: 2676
82. \??\c:\3lxrxll.exe
   - PID: 2720
83. \??\c:\xfxxfll.exe
   - PID: 2672
84. \??\c:\bhtttn.exe
   - PID: 2560
85. \??\c:\hhtbbb.exe
   - PID: 2624
86. \??\c:\lxfxxrx.exe
   - PID: 2632
87. \??\c:\5rlrrrr.exe
   - PID: 1984
88. \??\c:\nbtttt.exe
   - PID: 3052
89. \??\c:\htbhnn.exe
   - PID: 1404
90. \??\c:\pvjdd.exe
   - PID: 1956
91. \??\c:\vjdvv.exe
   - PID: 2388
92. \??\c:\rxxlrrx.exe
   - PID: 2872
93. \??\c:\hhnthh.exe
   - PID: 2856
94. \??\c:\nbbtbh.exe
   - PID: 2916
95. \??\c:\5jvpp.exe
   - PID: 2920
96. \??\c:\lxfxffl.exe
   - PID: 860
97. \??\c:\bnbhbb.exe
   - PID: 2116
98. \??\c:\hbhntt.exe
   - PID: 1264
99. \??\c:\vdpjd.exe
   - PID: 2492
100. \??\c:\3xfrlfx.exe
   - PID: 1820
101. \??\c:\5fllrrx.exe
   - PID: 1664
102. \??\c:\7hbhnn.exe
   - PID: 2020
103. \??\c:\hhttbn.exe
   - PID: 696
104. \??\c:\pdppd.exe
   - PID: 1600
105. \??\c:\9rfxllx.exe
   - PID: 1728
106. \??\c:\xrflrrr.exe
   - PID: 1384
107. \??\c:\hbtbnn.exe
   - PID: 1596
108. \??\c:\vpvvd.exe
   - PID: 1500
109. \??\c:\jdjdv.exe
   - PID: 904
110. \??\c:\rflfxrr.exe
   - PID: 2240
111. \??\c:\hthhnn.exe
   - PID: 2268
112. \??\c:\9bhhhh.exe
   - PID: 1776
113. \??\c:\7vdpv.exe
   - PID: 1696
114. \??\c:\rlxrrlr.exe
   - System Location Discovery: System Language Discovery
   - PID: 1076
115. \??\c:\xlxflll.exe
   - PID: 1484
116. \??\c:\htbbhh.exe
   - PID: 1576
117. \??\c:\3vdvv.exe
   - PID: 2336
118. \??\c:\1pdvp.exe
   - PID: 604
119. \??\c:\xlxxllr.exe
   - PID: 2504
120. \??\c:\nhhbhh.exe
   - PID: 2828
121. \??\c:\hbhhhh.exe
   - PID: 2688
122. \??\c:\jjvpv.exe
   - PID: 2824