Analysis
-
max time kernel
150s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system -
submitted
18-02-2025 07:03
Static task
static1
1 signature
Behavioral task
behavioral1
Sample
e66ba4f9a7a5aaaf9dacbc81c893dc9391ee5abde92b1cce1a76e611253cfbac.exe
Resource
win7-20240903-en
7 signatures
150 seconds
General
-
Target
e66ba4f9a7a5aaaf9dacbc81c893dc9391ee5abde92b1cce1a76e611253cfbac.exe
-
Size
454KB
-
MD5
e8ac4fe267ecfde930016dc7fbbd77e6
-
SHA1
d6a2c62afb1dfef5ff211421e6ad4b771dea16b2
-
SHA256
e66ba4f9a7a5aaaf9dacbc81c893dc9391ee5abde92b1cce1a76e611253cfbac
-
SHA512
bd3075ff5b6cbb156c848971fe659412b0310876d107648cb1d48dc63c943c3844282e026c79f7ba70511295fe42fca1a44091e74fbcf1ac657974328e06e168
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeU:q7Tc2NYHUrAwfMp3CDU
Malware Config (none extracted: no C2 address or configuration block was recovered from this sample, so network indicators must come from elsewhere)
Signatures
-
Blackmoon family
-
Detect Blackmoon payload — 44 IoCs. All hits are YARA matches (family_blackmoon) on process memory dumps, not on the file on disk; every matched region is the same 0x2A000-byte span, mapped at 0x400000 or at a low relocated base (0x220000, 0x320000, 0x3B0000, 0x1B0000), which is consistent with each dropped stage unpacking the same payload image. A separate UPX rule matches the same regions (see the upx hits below), so the sample is UPX-packed and the family detection fires on unpacked memory; the UPX match on its own is not an indicator of maliciousness.
resource yara_rule behavioral1/memory/2100-10-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2340-33-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2060-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2808-49-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2944-57-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2452-67-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2856-70-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2608-86-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3028-95-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3036-106-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2024-128-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2844-125-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2896-144-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2088-162-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2284-181-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/624-192-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2516-191-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1300-209-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1684-229-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2636-241-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1056-275-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/1932-310-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1968-323-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1772-360-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1264-367-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1688-374-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1980-387-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3016-406-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2916-425-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/1744-452-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1528-500-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2020-551-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2060-577-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/1968-592-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2084-711-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2232-737-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1684-769-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2372-824-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1860-939-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2920-1141-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1964-1226-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/740-1293-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon 
behavioral1/memory/2548-1325-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/2184-1328-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon -
Executes dropped EXE — 64 IoCs (the list is capped at 64 entries; the process tree below continues to depth 122, so the real number of dropped executables is higher than shown here)
pid Process 2176 3jvpp.exe 2060 7lrfllf.exe 2340 3nbbhh.exe 2808 tnttht.exe 2944 xrflrlx.exe 2452 vpdjv.exe 2856 tnhhnt.exe 2608 9bnnbt.exe 3028 lfxfrrr.exe 3036 3hnnnn.exe 668 tthntt.exe 2844 hbhbhb.exe 2024 ffxxxfr.exe 2896 xrffrrl.exe 1692 htttht.exe 2088 1rfflxf.exe 1904 tntbbb.exe 2284 jjdvd.exe 2516 5ntbbt.exe 624 thtntt.exe 1300 dpvpv.exe 2116 htnnhb.exe 1684 rlxrxxx.exe 1656 jjpdj.exe 2636 bhtnth.exe 2384 lfxlflr.exe 556 9nbnhn.exe 1056 3bthnn.exe 1728 rlrrlrr.exe 1908 7hnntn.exe 2500 frfxxfl.exe 1568 9bnbbt.exe 1932 flrxffr.exe 1968 rrlrffl.exe 2868 nhthhn.exe 2736 5jvpd.exe 2752 ddpdd.exe 2880 xlrflff.exe 2732 hnbbbb.exe 1772 pdpvv.exe 1264 dpdjj.exe 1688 xlxxxrr.exe 988 thnnbt.exe 1980 nbbbhb.exe 1472 5vddj.exe 2584 lfrlrrx.exe 3016 frxflll.exe 1700 hbnbbb.exe 2364 pjdvd.exe 2916 vjvvv.exe 1952 rlxxxrx.exe 1060 lflfffl.exe 1512 hbntnt.exe 1744 vpdjp.exe 2256 jvddd.exe 928 5lrlrxf.exe 2580 5hnnnn.exe 2964 1nhbhh.exe 2444 pjvvd.exe 1136 lxllllx.exe 1740 rfllxxf.exe 1528 1nttbb.exe 340 dvvjp.exe 2376 vpddp.exe -
resource yara_rule behavioral1/memory/2100-10-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2060-26-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2340-33-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2060-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2808-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2944-57-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2452-67-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2856-70-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2608-86-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3028-87-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3028-95-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3028-97-0x00000000003B0000-0x00000000003DA000-memory.dmp upx behavioral1/memory/3036-106-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2024-128-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2844-125-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2896-144-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2088-162-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2284-181-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/624-192-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2516-191-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1300-203-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1300-209-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1684-229-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2636-241-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/1056-275-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1932-310-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1968-323-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1772-360-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1264-367-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1688-374-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1980-387-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3016-406-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1952-426-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1512-439-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1744-452-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1528-500-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2020-551-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2536-561-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/288-686-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2232-737-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1684-769-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2372-824-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1860-939-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/928-995-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/740-1287-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2884-1351-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host. The observed behaviour here is a read of HKLM\SYSTEM\ControlSet001\Control\NLS\Language; that key is also read by many legitimate runtimes and installers, so on its own it is a weak signal and should be weighed together with the drop-and-spawn chain below. "Process not Found" entries are reads whose originating process had already exited by the time the sandbox resolved its name, which is expected in a chain of short-lived stages.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1nnnnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjpdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjvvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btbbhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjvvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5vvvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxrrfxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlflrrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not 
Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1xrrlrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9fxrffl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thbhnh.exe -
Suspicious use of WriteProcessMemory — 64 IoCs (capped; the entries cover only the first 16 stages, 2100 through 1692). Each parent writes to its own freshly spawned child exactly four times and never to an unrelated process, which is consistent with start-up writes to a newly created child rather than injection into a foreign process; confirm against the API call log before classifying this as process injection.
description pid Process procid_target PID 2100 wrote to memory of 2176 2100 e66ba4f9a7a5aaaf9dacbc81c893dc9391ee5abde92b1cce1a76e611253cfbac.exe 30 PID 2100 wrote to memory of 2176 2100 e66ba4f9a7a5aaaf9dacbc81c893dc9391ee5abde92b1cce1a76e611253cfbac.exe 30 PID 2100 wrote to memory of 2176 2100 e66ba4f9a7a5aaaf9dacbc81c893dc9391ee5abde92b1cce1a76e611253cfbac.exe 30 PID 2100 wrote to memory of 2176 2100 e66ba4f9a7a5aaaf9dacbc81c893dc9391ee5abde92b1cce1a76e611253cfbac.exe 30 PID 2176 wrote to memory of 2060 2176 3jvpp.exe 31 PID 2176 wrote to memory of 2060 2176 3jvpp.exe 31 PID 2176 wrote to memory of 2060 2176 3jvpp.exe 31 PID 2176 wrote to memory of 2060 2176 3jvpp.exe 31 PID 2060 wrote to memory of 2340 2060 7lrfllf.exe 32 PID 2060 wrote to memory of 2340 2060 7lrfllf.exe 32 PID 2060 wrote to memory of 2340 2060 7lrfllf.exe 32 PID 2060 wrote to memory of 2340 2060 7lrfllf.exe 32 PID 2340 wrote to memory of 2808 2340 3nbbhh.exe 33 PID 2340 wrote to memory of 2808 2340 3nbbhh.exe 33 PID 2340 wrote to memory of 2808 2340 3nbbhh.exe 33 PID 2340 wrote to memory of 2808 2340 3nbbhh.exe 33 PID 2808 wrote to memory of 2944 2808 tnttht.exe 34 PID 2808 wrote to memory of 2944 2808 tnttht.exe 34 PID 2808 wrote to memory of 2944 2808 tnttht.exe 34 PID 2808 wrote to memory of 2944 2808 tnttht.exe 34 PID 2944 wrote to memory of 2452 2944 xrflrlx.exe 35 PID 2944 wrote to memory of 2452 2944 xrflrlx.exe 35 PID 2944 wrote to memory of 2452 2944 xrflrlx.exe 35 PID 2944 wrote to memory of 2452 2944 xrflrlx.exe 35 PID 2452 wrote to memory of 2856 2452 vpdjv.exe 36 PID 2452 wrote to memory of 2856 2452 vpdjv.exe 36 PID 2452 wrote to memory of 2856 2452 vpdjv.exe 36 PID 2452 wrote to memory of 2856 2452 vpdjv.exe 36 PID 2856 wrote to memory of 2608 2856 tnhhnt.exe 37 PID 2856 wrote to memory of 2608 2856 tnhhnt.exe 37 PID 2856 wrote to memory of 2608 2856 tnhhnt.exe 37 PID 2856 wrote to memory of 2608 2856 tnhhnt.exe 37 PID 2608 wrote to memory of 3028 2608 9bnnbt.exe 38 PID 2608 
wrote to memory of 3028 2608 9bnnbt.exe 38 PID 2608 wrote to memory of 3028 2608 9bnnbt.exe 38 PID 2608 wrote to memory of 3028 2608 9bnnbt.exe 38 PID 3028 wrote to memory of 3036 3028 lfxfrrr.exe 39 PID 3028 wrote to memory of 3036 3028 lfxfrrr.exe 39 PID 3028 wrote to memory of 3036 3028 lfxfrrr.exe 39 PID 3028 wrote to memory of 3036 3028 lfxfrrr.exe 39 PID 3036 wrote to memory of 668 3036 3hnnnn.exe 40 PID 3036 wrote to memory of 668 3036 3hnnnn.exe 40 PID 3036 wrote to memory of 668 3036 3hnnnn.exe 40 PID 3036 wrote to memory of 668 3036 3hnnnn.exe 40 PID 668 wrote to memory of 2844 668 tthntt.exe 41 PID 668 wrote to memory of 2844 668 tthntt.exe 41 PID 668 wrote to memory of 2844 668 tthntt.exe 41 PID 668 wrote to memory of 2844 668 tthntt.exe 41 PID 2844 wrote to memory of 2024 2844 hbhbhb.exe 42 PID 2844 wrote to memory of 2024 2844 hbhbhb.exe 42 PID 2844 wrote to memory of 2024 2844 hbhbhb.exe 42 PID 2844 wrote to memory of 2024 2844 hbhbhb.exe 42 PID 2024 wrote to memory of 2896 2024 ffxxxfr.exe 43 PID 2024 wrote to memory of 2896 2024 ffxxxfr.exe 43 PID 2024 wrote to memory of 2896 2024 ffxxxfr.exe 43 PID 2024 wrote to memory of 2896 2024 ffxxxfr.exe 43 PID 2896 wrote to memory of 1692 2896 xrffrrl.exe 44 PID 2896 wrote to memory of 1692 2896 xrffrrl.exe 44 PID 2896 wrote to memory of 1692 2896 xrffrrl.exe 44 PID 2896 wrote to memory of 1692 2896 xrffrrl.exe 44 PID 1692 wrote to memory of 2088 1692 htttht.exe 45 PID 1692 wrote to memory of 2088 1692 htttht.exe 45 PID 1692 wrote to memory of 2088 1692 htttht.exe 45 PID 1692 wrote to memory of 2088 1692 htttht.exe 45
Processes. Each stage is dropped to the root of the system drive (\??\c:\<random-name>.exe, the NT object-manager form of C:\) and launches the next, producing the chain below; for incident response, hunt for recently created short random-named .exe files directly under C:\. Note that PIDs are recycled during the run (e.g. 2060 is 7lrfllf.exe at depth 3 and 9tnnbt.exe at depth 76; likewise 1968, 1684, 2856, 2500), so memory-dump hits above must be correlated by PID together with the dump index, not by PID alone.
-
C:\Users\Admin\AppData\Local\Temp\e66ba4f9a7a5aaaf9dacbc81c893dc9391ee5abde92b1cce1a76e611253cfbac.exe"C:\Users\Admin\AppData\Local\Temp\e66ba4f9a7a5aaaf9dacbc81c893dc9391ee5abde92b1cce1a76e611253cfbac.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2100 -
\??\c:\3jvpp.exec:\3jvpp.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2176 -
\??\c:\7lrfllf.exec:\7lrfllf.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2060 -
\??\c:\3nbbhh.exec:\3nbbhh.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2340 -
\??\c:\tnttht.exec:\tnttht.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2808 -
\??\c:\xrflrlx.exec:\xrflrlx.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2944 -
\??\c:\vpdjv.exec:\vpdjv.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2452 -
\??\c:\tnhhnt.exec:\tnhhnt.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2856 -
\??\c:\9bnnbt.exec:\9bnnbt.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2608 -
\??\c:\lfxfrrr.exec:\lfxfrrr.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3028 -
\??\c:\3hnnnn.exec:\3hnnnn.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3036 -
\??\c:\tthntt.exec:\tthntt.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:668 -
\??\c:\hbhbhb.exec:\hbhbhb.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2844 -
\??\c:\ffxxxfr.exec:\ffxxxfr.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2024 -
\??\c:\xrffrrl.exec:\xrffrrl.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2896 -
\??\c:\htttht.exec:\htttht.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1692 -
\??\c:\1rfflxf.exec:\1rfflxf.exe17⤵
- Executes dropped EXE
PID:2088 -
\??\c:\tntbbb.exec:\tntbbb.exe18⤵
- Executes dropped EXE
PID:1904 -
\??\c:\jjdvd.exec:\jjdvd.exe19⤵
- Executes dropped EXE
PID:2284 -
\??\c:\5ntbbt.exec:\5ntbbt.exe20⤵
- Executes dropped EXE
PID:2516 -
\??\c:\thtntt.exec:\thtntt.exe21⤵
- Executes dropped EXE
PID:624 -
\??\c:\dpvpv.exec:\dpvpv.exe22⤵
- Executes dropped EXE
PID:1300 -
\??\c:\htnnhb.exec:\htnnhb.exe23⤵
- Executes dropped EXE
PID:2116 -
\??\c:\rlxrxxx.exec:\rlxrxxx.exe24⤵
- Executes dropped EXE
PID:1684 -
\??\c:\jjpdj.exec:\jjpdj.exe25⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1656 -
\??\c:\bhtnth.exec:\bhtnth.exe26⤵
- Executes dropped EXE
PID:2636 -
\??\c:\lfxlflr.exec:\lfxlflr.exe27⤵
- Executes dropped EXE
PID:2384 -
\??\c:\9nbnhn.exec:\9nbnhn.exe28⤵
- Executes dropped EXE
PID:556 -
\??\c:\3bthnn.exec:\3bthnn.exe29⤵
- Executes dropped EXE
PID:1056 -
\??\c:\rlrrlrr.exec:\rlrrlrr.exe30⤵
- Executes dropped EXE
PID:1728 -
\??\c:\7hnntn.exec:\7hnntn.exe31⤵
- Executes dropped EXE
PID:1908 -
\??\c:\frfxxfl.exec:\frfxxfl.exe32⤵
- Executes dropped EXE
PID:2500 -
\??\c:\9bnbbt.exec:\9bnbbt.exe33⤵
- Executes dropped EXE
PID:1568 -
\??\c:\flrxffr.exec:\flrxffr.exe34⤵
- Executes dropped EXE
PID:1932 -
\??\c:\rrlrffl.exec:\rrlrffl.exe35⤵
- Executes dropped EXE
PID:1968 -
\??\c:\nhthhn.exec:\nhthhn.exe36⤵
- Executes dropped EXE
PID:2868 -
\??\c:\5jvpd.exec:\5jvpd.exe37⤵
- Executes dropped EXE
PID:2736 -
\??\c:\ddpdd.exec:\ddpdd.exe38⤵
- Executes dropped EXE
PID:2752 -
\??\c:\xlrflff.exec:\xlrflff.exe39⤵
- Executes dropped EXE
PID:2880 -
\??\c:\hnbbbb.exec:\hnbbbb.exe40⤵
- Executes dropped EXE
PID:2732 -
\??\c:\pdpvv.exec:\pdpvv.exe41⤵
- Executes dropped EXE
PID:1772 -
\??\c:\dpdjj.exec:\dpdjj.exe42⤵
- Executes dropped EXE
PID:1264 -
\??\c:\xlxxxrr.exec:\xlxxxrr.exe43⤵
- Executes dropped EXE
PID:1688 -
\??\c:\thnnbt.exec:\thnnbt.exe44⤵
- Executes dropped EXE
PID:988 -
\??\c:\nbbbhb.exec:\nbbbhb.exe45⤵
- Executes dropped EXE
PID:1980 -
\??\c:\5vddj.exec:\5vddj.exe46⤵
- Executes dropped EXE
PID:1472 -
\??\c:\lfrlrrx.exec:\lfrlrrx.exe47⤵
- Executes dropped EXE
PID:2584 -
\??\c:\frxflll.exec:\frxflll.exe48⤵
- Executes dropped EXE
PID:3016 -
\??\c:\hbnbbb.exec:\hbnbbb.exe49⤵
- Executes dropped EXE
PID:1700 -
\??\c:\pjdvd.exec:\pjdvd.exe50⤵
- Executes dropped EXE
PID:2364 -
\??\c:\vjvvv.exec:\vjvvv.exe51⤵
- Executes dropped EXE
PID:2916 -
\??\c:\rlxxxrx.exec:\rlxxxrx.exe52⤵
- Executes dropped EXE
PID:1952 -
\??\c:\lflfffl.exec:\lflfffl.exe53⤵
- Executes dropped EXE
PID:1060 -
\??\c:\hbntnt.exec:\hbntnt.exe54⤵
- Executes dropped EXE
PID:1512 -
\??\c:\vpdjp.exec:\vpdjp.exe55⤵
- Executes dropped EXE
PID:1744 -
\??\c:\jvddd.exec:\jvddd.exe56⤵
- Executes dropped EXE
PID:2256 -
\??\c:\5lrlrxf.exec:\5lrlrxf.exe57⤵
- Executes dropped EXE
PID:928 -
\??\c:\5hnnnn.exec:\5hnnnn.exe58⤵
- Executes dropped EXE
PID:2580 -
\??\c:\1nhbhh.exec:\1nhbhh.exe59⤵
- Executes dropped EXE
PID:2964 -
\??\c:\pjvvd.exec:\pjvvd.exe60⤵
- Executes dropped EXE
PID:2444 -
\??\c:\lxllllx.exec:\lxllllx.exe61⤵
- Executes dropped EXE
PID:1136 -
\??\c:\rfllxxf.exec:\rfllxxf.exe62⤵
- Executes dropped EXE
PID:1740 -
\??\c:\1nttbb.exec:\1nttbb.exe63⤵
- Executes dropped EXE
PID:1528 -
\??\c:\dvvjp.exec:\dvvjp.exe64⤵
- Executes dropped EXE
PID:340 -
\??\c:\vpddp.exec:\vpddp.exe65⤵
- Executes dropped EXE
PID:2376 -
\??\c:\lfxxfll.exec:\lfxxfll.exe66⤵PID:1768
-
\??\c:\hthhtt.exec:\hthhtt.exe67⤵PID:2552
-
\??\c:\9thhhb.exec:\9thhhb.exe68⤵PID:3048
-
\??\c:\dppvv.exec:\dppvv.exe69⤵PID:1052
-
\??\c:\xflffxr.exec:\xflffxr.exe70⤵PID:292
-
\??\c:\thtbbb.exec:\thtbbb.exe71⤵PID:872
-
\??\c:\nhttbb.exec:\nhttbb.exe72⤵PID:2020
-
\??\c:\dpddd.exec:\dpddd.exe73⤵PID:1708
-
\??\c:\9jvvd.exec:\9jvvd.exe74⤵PID:2536
-
\??\c:\rflflrx.exec:\rflflrx.exe75⤵PID:2776
-
\??\c:\9tnnbt.exec:\9tnnbt.exe76⤵PID:2060
-
\??\c:\tnnntt.exec:\tnnntt.exe77⤵PID:2440
-
\??\c:\dpjjv.exec:\dpjjv.exe78⤵PID:1968
-
\??\c:\5frlfff.exec:\5frlfff.exe79⤵PID:2952
-
\??\c:\tnbbhh.exec:\tnbbhh.exe80⤵PID:2728
-
\??\c:\thbhhh.exec:\thbhhh.exe81⤵PID:2752
-
\??\c:\vvjvj.exec:\vvjvj.exe82⤵PID:2784
-
\??\c:\frlflfr.exec:\frlflfr.exe83⤵PID:2732
-
\??\c:\ffrxfxf.exec:\ffrxfxf.exe84⤵PID:2856
-
\??\c:\1bntbb.exec:\1bntbb.exe85⤵PID:1264
-
\??\c:\1pddj.exec:\1pddj.exe86⤵PID:3020
-
\??\c:\xlrlrlr.exec:\xlrlrlr.exe87⤵PID:2080
-
\??\c:\lrllrxf.exec:\lrllrxf.exe88⤵PID:1412
-
\??\c:\bnbbhn.exec:\bnbbhn.exe89⤵PID:2696
-
\??\c:\vpdjp.exec:\vpdjp.exe90⤵PID:1860
-
\??\c:\3vjdj.exec:\3vjdj.exe91⤵PID:2040
-
\??\c:\fxrxxxf.exec:\fxrxxxf.exe92⤵PID:2000
-
\??\c:\tnhttb.exec:\tnhttb.exe93⤵PID:1992
-
\??\c:\bthhnh.exec:\bthhnh.exe94⤵PID:288
-
\??\c:\5djdj.exec:\5djdj.exe95⤵PID:1836
-
\??\c:\xrfxlrf.exec:\xrfxlrf.exe96⤵PID:2196
-
\??\c:\xlxxxxf.exec:\xlxxxxf.exe97⤵PID:2084
-
\??\c:\7tnnnn.exec:\7tnnnn.exe98⤵PID:2276
-
\??\c:\dvvdj.exec:\dvvdj.exe99⤵PID:568
-
\??\c:\rfrxflf.exec:\rfrxflf.exe100⤵PID:2236
-
\??\c:\5lrrxff.exec:\5lrrxff.exe101⤵PID:2576
-
\??\c:\3bbhnn.exec:\3bbhnn.exe102⤵PID:2232
-
\??\c:\vppvv.exec:\vppvv.exe103⤵PID:680
-
\??\c:\3pddd.exec:\3pddd.exe104⤵PID:2252
-
\??\c:\lfxflfl.exec:\lfxflfl.exe105⤵PID:2216
-
\??\c:\7tbttt.exec:\7tbttt.exe106⤵PID:1684
-
\??\c:\nhtntb.exec:\nhtntb.exe107⤵PID:752
-
\??\c:\5vjdj.exec:\5vjdj.exe108⤵PID:1104
-
\??\c:\rlflrrx.exec:\rlflrrx.exe109⤵PID:2264
-
\??\c:\btnthh.exec:\btnthh.exe110⤵PID:2016
-
\??\c:\7nthhb.exec:\7nthhb.exe111⤵PID:2508
-
\??\c:\pjjdj.exec:\pjjdj.exe112⤵PID:836
-
\??\c:\xrffllx.exec:\xrffllx.exe113⤵PID:2064
-
\??\c:\frxxffl.exec:\frxxffl.exe114⤵PID:1732
-
\??\c:\hbnntt.exec:\hbnntt.exe115⤵PID:2884
-
\??\c:\pjdvv.exec:\pjdvv.exe116⤵PID:2372
-
\??\c:\pdpvd.exec:\pdpvd.exe117⤵PID:1564
-
\??\c:\lfxrxrf.exec:\lfxrxrf.exe118⤵PID:2500
-
\??\c:\tnbbnn.exec:\tnbbnn.exe119⤵PID:2292
-
\??\c:\tntttn.exec:\tntttn.exe120⤵PID:2816
-
\??\c:\vpjjj.exec:\vpjjj.exe121⤵PID:2748
-
\??\c:\9fllxxf.exec:\9fllxxf.exe122⤵PID:2744