Analysis
-
max time kernel
120s -
max time network
17s -
platform
windows7_x64 -
resource
win7-20240705-en -
resource tags
arch:x64 arch:x86 image:win7-20240705-en locale:en-us os:windows7-x64 system -
submitted
02-08-2024 07:43
Behavioral task
behavioral1
Sample
74c0295862e574261493b65132fa2060N.exe
Resource
win7-20240705-en
windows7-x64
6 signatures
120 seconds
General
-
Target
74c0295862e574261493b65132fa2060N.exe
-
Size
152KB
-
MD5
74c0295862e574261493b65132fa2060
-
SHA1
1098392078e51dc08b3c410a2f72db212be1c601
-
SHA256
ce6c80aa9d944bee0b803c62bd0f8ac305af9d0106ab9cf6ed2d19477d9c7f3b
-
SHA512
3f86c3d24970030b08a7f10740061255675c54fedcc9cda9edaf9a2b9b2ede1465ed44086421a3736c5fa0e45b5e4ce0246ba6a24e83a38158f49284b2562853
-
SSDEEP
3072:chOmTsF93UYfwC6GIoutieyhC2lbgGi5yLI:ccm4FmowdHoSi9Ep
Malware Config
Signatures
-
Detect Blackmoon payload 50 IoCs
resource yara_rule behavioral1/memory/1984-1-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral1/memory/2360-10-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral1/memory/2052-25-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral1/memory/2936-29-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral1/memory/2828-43-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral1/memory/2960-54-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral1/memory/2212-57-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral1/memory/2788-72-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral1/memory/2692-76-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral1/memory/2896-91-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral1/memory/2896-90-0x00000000002A0000-0x00000000002D6000-memory.dmp family_blackmoon behavioral1/memory/2336-108-0x0000000000220000-0x0000000000256000-memory.dmp family_blackmoon behavioral1/memory/2008-111-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral1/memory/2964-128-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral1/memory/2964-135-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral1/memory/3032-145-0x00000000002D0000-0x0000000000306000-memory.dmp family_blackmoon behavioral1/memory/3032-144-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral1/memory/1816-171-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral1/memory/1816-172-0x00000000003B0000-0x00000000003E6000-memory.dmp family_blackmoon behavioral1/memory/1320-181-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral1/memory/2736-185-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon 
behavioral1/memory/2364-200-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral1/memory/1072-209-0x0000000000220000-0x0000000000256000-memory.dmp family_blackmoon behavioral1/memory/1072-207-0x0000000000220000-0x0000000000256000-memory.dmp family_blackmoon behavioral1/memory/2908-243-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral1/memory/920-247-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral1/memory/1696-295-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral1/memory/3008-302-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral1/memory/1972-309-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral1/memory/2112-310-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral1/memory/1080-335-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral1/memory/2728-368-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral1/memory/964-387-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral1/memory/2300-394-0x0000000000220000-0x0000000000256000-memory.dmp family_blackmoon behavioral1/memory/1980-402-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral1/memory/3060-435-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral1/memory/2712-442-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral1/memory/2700-622-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral1/memory/2256-655-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral1/memory/2164-663-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral1/memory/1676-689-0x0000000000220000-0x0000000000256000-memory.dmp family_blackmoon behavioral1/memory/2248-708-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon 
behavioral1/memory/2188-752-0x00000000003C0000-0x00000000003F6000-memory.dmp family_blackmoon behavioral1/memory/2140-778-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral1/memory/2144-782-0x00000000001B0000-0x00000000001E6000-memory.dmp family_blackmoon behavioral1/memory/2512-882-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral1/memory/2796-914-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon behavioral1/memory/3032-994-0x0000000000220000-0x0000000000256000-memory.dmp family_blackmoon behavioral1/memory/3032-995-0x0000000000220000-0x0000000000256000-memory.dmp family_blackmoon behavioral1/memory/896-1084-0x0000000000400000-0x0000000000436000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2360 dpvvd.exe 2052 rlfrxlx.exe 2936 frllxxf.exe 2828 9tbbht.exe 2960 rlxlffr.exe 2212 thbhnn.exe 2788 5pddp.exe 2692 3pjpd.exe 2896 rrffllr.exe 2380 5hbhnn.exe 2336 vvjdp.exe 2008 fxllxxf.exe 2520 fxxllrx.exe 2964 5tbbhn.exe 3032 vdjvd.exe 2196 frffrrx.exe 548 nhhhth.exe 1816 pjvvj.exe 1320 pjdpp.exe 2736 xlxfllx.exe 2364 tntbhh.exe 1072 dvddj.exe 2900 3jdpd.exe 2132 xrflfxr.exe 924 hbhthn.exe 2908 thhhnn.exe 920 bntbhh.exe 1504 lfrrllx.exe 2628 rflffxf.exe 592 thtbbb.exe 2096 1vjpj.exe 1696 dvjdj.exe 3008 9rlxllr.exe 1972 hbtbbb.exe 2112 5nhbnn.exe 1548 1pvdd.exe 2940 lxlflfl.exe 2936 xrxrflr.exe 1080 5btbnh.exe 2272 pjvdp.exe 2932 9jdvd.exe 2672 ffrfrrx.exe 2728 fxllxrf.exe 2524 bnhhtt.exe 2844 bntbnn.exe 964 1ddvj.exe 2300 jdjpp.exe 2516 lxxxlrr.exe 1980 1jvdd.exe 1332 7vvdd.exe 2356 5xlrfll.exe 2988 flrxlff.exe 3060 7thhhn.exe 2712 1ntttb.exe 2500 1dpjv.exe 1492 dpvjp.exe 1508 xrfxffr.exe 2116 3btbhn.exe 1476 bnbbbh.exe 2176 vjvvv.exe 676 lxfflrf.exe 604 1lfffll.exe 768 bnbtbt.exe 912 bththn.exe -
resource yara_rule behavioral1/memory/1984-1-0x0000000000400000-0x0000000000436000-memory.dmp upx behavioral1/files/0x00080000000120f9-7.dat upx behavioral1/memory/2360-10-0x0000000000400000-0x0000000000436000-memory.dmp upx behavioral1/memory/2052-19-0x0000000000400000-0x0000000000436000-memory.dmp upx behavioral1/files/0x0009000000016433-17.dat upx behavioral1/memory/2936-31-0x0000000000220000-0x0000000000256000-memory.dmp upx behavioral1/files/0x0008000000016527-27.dat upx behavioral1/memory/2052-25-0x0000000000400000-0x0000000000436000-memory.dmp upx behavioral1/memory/2936-29-0x0000000000400000-0x0000000000436000-memory.dmp upx behavioral1/files/0x000700000001659d-37.dat upx behavioral1/files/0x00080000000167b4-45.dat upx behavioral1/memory/2828-43-0x0000000000400000-0x0000000000436000-memory.dmp upx behavioral1/files/0x0007000000016a93-52.dat upx behavioral1/memory/2960-54-0x0000000000400000-0x0000000000436000-memory.dmp upx behavioral1/memory/2212-57-0x0000000000400000-0x0000000000436000-memory.dmp upx behavioral1/files/0x0007000000016c49-63.dat upx behavioral1/files/0x0007000000016c51-73.dat upx behavioral1/memory/2788-72-0x0000000000400000-0x0000000000436000-memory.dmp upx behavioral1/files/0x0009000000016c5a-81.dat upx behavioral1/memory/2692-76-0x0000000000400000-0x0000000000436000-memory.dmp upx behavioral1/memory/2896-91-0x0000000000400000-0x0000000000436000-memory.dmp upx behavioral1/files/0x00050000000193bb-88.dat upx behavioral1/files/0x00050000000193c5-99.dat upx behavioral1/memory/2336-100-0x0000000000400000-0x0000000000436000-memory.dmp upx behavioral1/memory/2336-108-0x0000000000220000-0x0000000000256000-memory.dmp upx behavioral1/files/0x00050000000193df-110.dat upx behavioral1/memory/2008-111-0x0000000000400000-0x0000000000436000-memory.dmp upx behavioral1/files/0x0005000000019409-118.dat upx behavioral1/files/0x000500000001940b-125.dat upx behavioral1/memory/2964-128-0x0000000000400000-0x0000000000436000-memory.dmp upx 
behavioral1/files/0x0005000000019427-136.dat upx behavioral1/memory/2964-135-0x0000000000400000-0x0000000000436000-memory.dmp upx behavioral1/memory/3032-144-0x0000000000400000-0x0000000000436000-memory.dmp upx behavioral1/files/0x0005000000019452-143.dat upx behavioral1/files/0x000500000001945a-154.dat upx behavioral1/memory/548-155-0x0000000000400000-0x0000000000436000-memory.dmp upx behavioral1/files/0x00050000000194f7-162.dat upx behavioral1/memory/1816-171-0x0000000000400000-0x0000000000436000-memory.dmp upx behavioral1/files/0x000500000001950b-173.dat upx behavioral1/memory/1320-181-0x0000000000400000-0x0000000000436000-memory.dmp upx behavioral1/files/0x0005000000019585-183.dat upx behavioral1/memory/2736-185-0x0000000000400000-0x0000000000436000-memory.dmp upx behavioral1/files/0x00050000000195d8-191.dat upx behavioral1/files/0x0005000000019607-198.dat upx behavioral1/memory/2364-200-0x0000000000400000-0x0000000000436000-memory.dmp upx behavioral1/files/0x0005000000019609-210.dat upx behavioral1/files/0x000500000001960b-217.dat upx behavioral1/files/0x000500000001960d-226.dat upx behavioral1/files/0x000500000001960f-236.dat upx behavioral1/files/0x0005000000019613-244.dat upx behavioral1/memory/2908-243-0x0000000000400000-0x0000000000436000-memory.dmp upx behavioral1/memory/2908-235-0x0000000000400000-0x0000000000436000-memory.dmp upx behavioral1/memory/920-247-0x0000000000400000-0x0000000000436000-memory.dmp upx behavioral1/files/0x0005000000019615-253.dat upx behavioral1/memory/1504-255-0x0000000000400000-0x0000000000436000-memory.dmp upx behavioral1/files/0x0005000000019619-262.dat upx behavioral1/files/0x0037000000015fd2-270.dat upx behavioral1/files/0x000500000001961b-278.dat upx behavioral1/memory/2096-279-0x0000000000400000-0x0000000000436000-memory.dmp upx behavioral1/files/0x000500000001961d-285.dat upx behavioral1/memory/1696-295-0x0000000000400000-0x0000000000436000-memory.dmp upx 
behavioral1/memory/3008-302-0x0000000000400000-0x0000000000436000-memory.dmp upx behavioral1/memory/1972-309-0x0000000000400000-0x0000000000436000-memory.dmp upx behavioral1/memory/2112-310-0x0000000000400000-0x0000000000436000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim host in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3htbnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdpvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjvpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbhntn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9dpvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnbtbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1bbhnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdvdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvvpv.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvjjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnbnth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7fxrffl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9dvjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thhhtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpvjj.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1984 wrote to memory of 2360 1984 74c0295862e574261493b65132fa2060N.exe 30 PID 1984 wrote to memory of 2360 1984 74c0295862e574261493b65132fa2060N.exe 30 PID 1984 wrote to memory of 2360 1984 74c0295862e574261493b65132fa2060N.exe 30 PID 1984 wrote to memory of 2360 1984 74c0295862e574261493b65132fa2060N.exe 30 PID 2360 wrote to memory of 2052 2360 dpvvd.exe 31 PID 2360 wrote to memory of 2052 2360 dpvvd.exe 31 PID 2360 wrote to memory of 2052 2360 dpvvd.exe 31 PID 2360 wrote to memory of 2052 2360 dpvvd.exe 31 PID 2052 wrote to memory of 2936 2052 rlfrxlx.exe 32 PID 2052 wrote to memory of 2936 2052 rlfrxlx.exe 32 PID 2052 wrote to memory of 2936 2052 rlfrxlx.exe 32 PID 2052 wrote to memory of 2936 2052 rlfrxlx.exe 32 PID 2936 wrote to memory of 2828 2936 frllxxf.exe 33 PID 2936 wrote to memory of 2828 2936 frllxxf.exe 33 PID 2936 wrote to memory of 2828 2936 frllxxf.exe 33 PID 2936 wrote to memory of 2828 2936 frllxxf.exe 33 PID 2828 wrote to memory of 2960 2828 9tbbht.exe 34 PID 2828 wrote to memory of 2960 2828 9tbbht.exe 34 PID 2828 wrote to memory of 2960 2828 9tbbht.exe 34 PID 2828 wrote to memory of 2960 2828 9tbbht.exe 34 PID 2960 wrote to memory of 2212 2960 rlxlffr.exe 35 PID 2960 wrote to memory of 2212 2960 rlxlffr.exe 35 PID 2960 wrote to memory of 2212 2960 rlxlffr.exe 35 PID 2960 wrote to memory of 2212 2960 rlxlffr.exe 35 PID 2212 wrote to memory of 2788 2212 thbhnn.exe 36 PID 2212 wrote to memory of 2788 2212 thbhnn.exe 36 PID 2212 wrote to memory of 2788 2212 thbhnn.exe 36 PID 2212 wrote to memory of 2788 2212 thbhnn.exe 36 PID 2788 wrote to memory of 2692 2788 5pddp.exe 37 PID 2788 wrote to memory of 2692 2788 5pddp.exe 37 PID 2788 wrote to memory of 2692 2788 5pddp.exe 37 PID 2788 wrote to memory of 2692 2788 5pddp.exe 37 PID 2692 wrote to memory of 2896 2692 3pjpd.exe 38 PID 2692 wrote to memory of 2896 2692 3pjpd.exe 38 PID 2692 wrote to memory of 2896 2692 3pjpd.exe 38 PID 2692 wrote to memory of 2896 
2692 3pjpd.exe 38 PID 2896 wrote to memory of 2380 2896 rrffllr.exe 39 PID 2896 wrote to memory of 2380 2896 rrffllr.exe 39 PID 2896 wrote to memory of 2380 2896 rrffllr.exe 39 PID 2896 wrote to memory of 2380 2896 rrffllr.exe 39 PID 2380 wrote to memory of 2336 2380 5hbhnn.exe 40 PID 2380 wrote to memory of 2336 2380 5hbhnn.exe 40 PID 2380 wrote to memory of 2336 2380 5hbhnn.exe 40 PID 2380 wrote to memory of 2336 2380 5hbhnn.exe 40 PID 2336 wrote to memory of 2008 2336 vvjdp.exe 41 PID 2336 wrote to memory of 2008 2336 vvjdp.exe 41 PID 2336 wrote to memory of 2008 2336 vvjdp.exe 41 PID 2336 wrote to memory of 2008 2336 vvjdp.exe 41 PID 2008 wrote to memory of 2520 2008 fxllxxf.exe 42 PID 2008 wrote to memory of 2520 2008 fxllxxf.exe 42 PID 2008 wrote to memory of 2520 2008 fxllxxf.exe 42 PID 2008 wrote to memory of 2520 2008 fxllxxf.exe 42 PID 2520 wrote to memory of 2964 2520 fxxllrx.exe 43 PID 2520 wrote to memory of 2964 2520 fxxllrx.exe 43 PID 2520 wrote to memory of 2964 2520 fxxllrx.exe 43 PID 2520 wrote to memory of 2964 2520 fxxllrx.exe 43 PID 2964 wrote to memory of 3032 2964 5tbbhn.exe 44 PID 2964 wrote to memory of 3032 2964 5tbbhn.exe 44 PID 2964 wrote to memory of 3032 2964 5tbbhn.exe 44 PID 2964 wrote to memory of 3032 2964 5tbbhn.exe 44 PID 3032 wrote to memory of 2196 3032 vdjvd.exe 45 PID 3032 wrote to memory of 2196 3032 vdjvd.exe 45 PID 3032 wrote to memory of 2196 3032 vdjvd.exe 45 PID 3032 wrote to memory of 2196 3032 vdjvd.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\74c0295862e574261493b65132fa2060N.exe"C:\Users\Admin\AppData\Local\Temp\74c0295862e574261493b65132fa2060N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1984 -
\??\c:\dpvvd.exec:\dpvvd.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2360 -
\??\c:\rlfrxlx.exec:\rlfrxlx.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2052 -
\??\c:\frllxxf.exec:\frllxxf.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2936 -
\??\c:\9tbbht.exec:\9tbbht.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2828 -
\??\c:\rlxlffr.exec:\rlxlffr.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2960 -
\??\c:\thbhnn.exec:\thbhnn.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2212 -
\??\c:\5pddp.exec:\5pddp.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2788 -
\??\c:\3pjpd.exec:\3pjpd.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2692 -
\??\c:\rrffllr.exec:\rrffllr.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2896 -
\??\c:\5hbhnn.exec:\5hbhnn.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2380 -
\??\c:\vvjdp.exec:\vvjdp.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2336 -
\??\c:\fxllxxf.exec:\fxllxxf.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2008 -
\??\c:\fxxllrx.exec:\fxxllrx.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2520 -
\??\c:\5tbbhn.exec:\5tbbhn.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2964 -
\??\c:\vdjvd.exec:\vdjvd.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3032 -
\??\c:\frffrrx.exec:\frffrrx.exe17⤵
- Executes dropped EXE
PID:2196 -
\??\c:\nhhhth.exec:\nhhhth.exe18⤵
- Executes dropped EXE
PID:548 -
\??\c:\pjvvj.exec:\pjvvj.exe19⤵
- Executes dropped EXE
PID:1816 -
\??\c:\pjdpp.exec:\pjdpp.exe20⤵
- Executes dropped EXE
PID:1320 -
\??\c:\xlxfllx.exec:\xlxfllx.exe21⤵
- Executes dropped EXE
PID:2736 -
\??\c:\tntbhh.exec:\tntbhh.exe22⤵
- Executes dropped EXE
PID:2364 -
\??\c:\dvddj.exec:\dvddj.exe23⤵
- Executes dropped EXE
PID:1072 -
\??\c:\3jdpd.exec:\3jdpd.exe24⤵
- Executes dropped EXE
PID:2900 -
\??\c:\xrflfxr.exec:\xrflfxr.exe25⤵
- Executes dropped EXE
PID:2132 -
\??\c:\hbhthn.exec:\hbhthn.exe26⤵
- Executes dropped EXE
PID:924 -
\??\c:\thhhnn.exec:\thhhnn.exe27⤵
- Executes dropped EXE
PID:2908 -
\??\c:\bntbhh.exec:\bntbhh.exe28⤵
- Executes dropped EXE
PID:920 -
\??\c:\lfrrllx.exec:\lfrrllx.exe29⤵
- Executes dropped EXE
PID:1504 -
\??\c:\rflffxf.exec:\rflffxf.exe30⤵
- Executes dropped EXE
PID:2628 -
\??\c:\thtbbb.exec:\thtbbb.exe31⤵
- Executes dropped EXE
PID:592 -
\??\c:\1vjpj.exec:\1vjpj.exe32⤵
- Executes dropped EXE
PID:2096 -
\??\c:\dvjdj.exec:\dvjdj.exe33⤵
- Executes dropped EXE
PID:1696 -
\??\c:\9rlxllr.exec:\9rlxllr.exe34⤵
- Executes dropped EXE
PID:3008 -
\??\c:\hbtbbb.exec:\hbtbbb.exe35⤵
- Executes dropped EXE
PID:1972 -
\??\c:\5nhbnn.exec:\5nhbnn.exe36⤵
- Executes dropped EXE
PID:2112 -
\??\c:\1pvdd.exec:\1pvdd.exe37⤵
- Executes dropped EXE
PID:1548 -
\??\c:\lxlflfl.exec:\lxlflfl.exe38⤵
- Executes dropped EXE
PID:2940 -
\??\c:\xrxrflr.exec:\xrxrflr.exe39⤵
- Executes dropped EXE
PID:2936 -
\??\c:\5btbnh.exec:\5btbnh.exe40⤵
- Executes dropped EXE
PID:1080 -
\??\c:\pjvdp.exec:\pjvdp.exe41⤵
- Executes dropped EXE
PID:2272 -
\??\c:\9jdvd.exec:\9jdvd.exe42⤵
- Executes dropped EXE
PID:2932 -
\??\c:\ffrfrrx.exec:\ffrfrrx.exe43⤵
- Executes dropped EXE
PID:2672 -
\??\c:\fxllxrf.exec:\fxllxrf.exe44⤵
- Executes dropped EXE
PID:2728 -
\??\c:\bnhhtt.exec:\bnhhtt.exe45⤵
- Executes dropped EXE
PID:2524 -
\??\c:\bntbnn.exec:\bntbnn.exe46⤵
- Executes dropped EXE
PID:2844 -
\??\c:\1ddvj.exec:\1ddvj.exe47⤵
- Executes dropped EXE
PID:964 -
\??\c:\jdjpp.exec:\jdjpp.exe48⤵
- Executes dropped EXE
PID:2300 -
\??\c:\lxxxlrr.exec:\lxxxlrr.exe49⤵
- Executes dropped EXE
PID:2516 -
\??\c:\1jvdd.exec:\1jvdd.exe50⤵
- Executes dropped EXE
PID:1980 -
\??\c:\7vvdd.exec:\7vvdd.exe51⤵
- Executes dropped EXE
PID:1332 -
\??\c:\5xlrfll.exec:\5xlrfll.exe52⤵
- Executes dropped EXE
PID:2356 -
\??\c:\flrxlff.exec:\flrxlff.exe53⤵
- Executes dropped EXE
PID:2988 -
\??\c:\7thhhn.exec:\7thhhn.exe54⤵
- Executes dropped EXE
PID:3060 -
\??\c:\1ntttb.exec:\1ntttb.exe55⤵
- Executes dropped EXE
PID:2712 -
\??\c:\1dpjv.exec:\1dpjv.exe56⤵
- Executes dropped EXE
PID:2500 -
\??\c:\dpvjp.exec:\dpvjp.exe57⤵
- Executes dropped EXE
PID:1492 -
\??\c:\xrfxffr.exec:\xrfxffr.exe58⤵
- Executes dropped EXE
PID:1508 -
\??\c:\3btbhn.exec:\3btbhn.exe59⤵
- Executes dropped EXE
PID:2116 -
\??\c:\bnbbbh.exec:\bnbbbh.exe60⤵
- Executes dropped EXE
PID:1476 -
\??\c:\vjvvv.exec:\vjvvv.exe61⤵
- Executes dropped EXE
PID:2176 -
\??\c:\lxfflrf.exec:\lxfflrf.exe62⤵
- Executes dropped EXE
PID:676 -
\??\c:\1lfffll.exec:\1lfffll.exe63⤵
- Executes dropped EXE
PID:604 -
\??\c:\bnbtbt.exec:\bnbtbt.exe64⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:768 -
\??\c:\bththn.exec:\bththn.exe65⤵
- Executes dropped EXE
PID:912 -
\??\c:\1vpvd.exec:\1vpvd.exe66⤵PID:2476
-
\??\c:\1dppv.exec:\1dppv.exe67⤵PID:1416
-
\??\c:\1lrrfrr.exec:\1lrrfrr.exe68⤵PID:1688
-
\??\c:\xrlllfl.exec:\xrlllfl.exe69⤵PID:1396
-
\??\c:\hthhtb.exec:\hthhtb.exe70⤵PID:1756
-
\??\c:\nhnttn.exec:\nhnttn.exe71⤵PID:1732
-
\??\c:\pjjjp.exec:\pjjjp.exe72⤵PID:2756
-
\??\c:\7fllxrf.exec:\7fllxrf.exe73⤵PID:2496
-
\??\c:\1frxxrx.exec:\1frxxrx.exe74⤵PID:2760
-
\??\c:\5nbttb.exec:\5nbttb.exe75⤵PID:1496
-
\??\c:\nhnbbh.exec:\nhnbbh.exe76⤵PID:1696
-
\??\c:\pdddj.exec:\pdddj.exe77⤵PID:1592
-
\??\c:\7dvpp.exec:\7dvpp.exe78⤵PID:1964
-
\??\c:\rrlrflx.exec:\rrlrflx.exe79⤵PID:2804
-
\??\c:\rlxlxfl.exec:\rlxlxfl.exe80⤵PID:2956
-
\??\c:\1nntbb.exec:\1nntbb.exe81⤵PID:1648
-
\??\c:\nhthhh.exec:\nhthhh.exe82⤵PID:2808
-
\??\c:\jvjdj.exec:\jvjdj.exe83⤵PID:2700
-
\??\c:\dppvj.exec:\dppvj.exe84⤵PID:2696
-
\??\c:\rllrrlf.exec:\rllrrlf.exe85⤵PID:2676
-
\??\c:\hbtbnn.exec:\hbtbnn.exe86⤵PID:2740
-
\??\c:\1bhbbb.exec:\1bhbbb.exe87⤵PID:2240
-
\??\c:\dpddp.exec:\dpddp.exe88⤵PID:2256
-
\??\c:\jjpvp.exec:\jjpvp.exe89⤵PID:2164
-
\??\c:\rflrffl.exec:\rflrffl.exe90⤵PID:1948
-
\??\c:\1bbhnn.exec:\1bbhnn.exe91⤵
- System Location Discovery: System Language Discovery
PID:772 -
\??\c:\1nhnbb.exec:\1nhnbb.exe92⤵PID:1932
-
\??\c:\9vpvp.exec:\9vpvp.exe93⤵PID:1676
-
\??\c:\pjvvp.exec:\pjvvp.exe94⤵PID:2168
-
\??\c:\llrrrrr.exec:\llrrrrr.exe95⤵PID:2972
-
\??\c:\lfrrfxl.exec:\lfrrfxl.exe96⤵PID:2192
-
\??\c:\thttnt.exec:\thttnt.exe97⤵PID:2248
-
\??\c:\bnbhnh.exec:\bnbhnh.exe98⤵PID:2196
-
\??\c:\jpvpd.exec:\jpvpd.exe99⤵PID:2652
-
\??\c:\lfrrrrf.exec:\lfrrrrf.exe100⤵PID:1328
-
\??\c:\5lxfrrx.exec:\5lxfrrx.exe101⤵PID:1644
-
\??\c:\hbtbtb.exec:\hbtbtb.exe102⤵PID:2144
-
\??\c:\nhhbth.exec:\nhhbth.exe103⤵PID:2188
-
\??\c:\dvvjp.exec:\dvvjp.exe104⤵PID:2532
-
\??\c:\vjjjv.exec:\vjjjv.exe105⤵PID:2412
-
\??\c:\lxlrlfr.exec:\lxlrlfr.exe106⤵PID:484
-
\??\c:\rlfrfrf.exec:\rlfrfrf.exe107⤵PID:2140
-
\??\c:\3htnbb.exec:\3htnbb.exe108⤵PID:616
-
\??\c:\tnnnth.exec:\tnnnth.exe109⤵PID:884
-
\??\c:\vpdpd.exec:\vpdpd.exe110⤵PID:1940
-
\??\c:\3vdjd.exec:\3vdjd.exe111⤵PID:2608
-
\??\c:\fxlrflf.exec:\fxlrflf.exe112⤵PID:1396
-
\??\c:\bnbhnn.exec:\bnbhnn.exe113⤵PID:812
-
\??\c:\ththtt.exec:\ththtt.exe114⤵PID:1732
-
\??\c:\dvjpd.exec:\dvjpd.exe115⤵PID:1212
-
\??\c:\jvdjp.exec:\jvdjp.exe116⤵PID:2260
-
\??\c:\frxfrlr.exec:\frxfrlr.exe117⤵PID:2228
-
\??\c:\5lfrxfl.exec:\5lfrxfl.exe118⤵PID:2084
-
\??\c:\bbnhnn.exec:\bbnhnn.exe119⤵PID:2408
-
\??\c:\7htbhh.exec:\7htbhh.exe120⤵PID:2768
-
\??\c:\dvjjp.exec:\dvjjp.exe121⤵PID:1588
-
\??\c:\jdddp.exec:\jdddp.exe122⤵PID:2112