Analysis
-
max time kernel
120s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
17/10/2024, 13:03
Behavioral task
behavioral1
Sample
d7e043c91ff79462a844fa113bdda9fb5b2da03ca5b56e7137c3c65522cf8bffN.exe
Resource
win7-20240903-en
6 signatures
120 seconds
General
-
Target
d7e043c91ff79462a844fa113bdda9fb5b2da03ca5b56e7137c3c65522cf8bffN.exe
-
Size
279KB
-
MD5
face18af5f70087e9fbf92c2ee116a20
-
SHA1
39ea6bb8cc8dfab8dc8229b7112765dbc2470ad0
-
SHA256
d7e043c91ff79462a844fa113bdda9fb5b2da03ca5b56e7137c3c65522cf8bff
-
SHA512
b3e1cc83fbbf7fde920ace2599653336f1de8168a1e408e9ee135335670ea9ff96ad2cd5a664544eb606b7e2e15686418dc97fa7ecc9efb402f0540a1f62cfee
-
SSDEEP
6144:ncm4FmowdHoS6rW3NNTvBu6wo2J4JAgNXkArR/rtXOLtu4J6KvvLp3OKtUuuuTEl:14wFHoSeM/Tpu6w14JAOkIRhOBu4Jhv4
Malware Config
Signatures
-
Detect Blackmoon payload 47 IoCs
resource yara_rule behavioral1/memory/1984-7-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2008-11-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2928-30-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/1932-26-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2440-45-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2868-55-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2908-72-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2708-80-0x0000000000220000-0x0000000000249000-memory.dmp family_blackmoon behavioral1/memory/2708-83-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2132-100-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/592-102-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/544-118-0x0000000000220000-0x0000000000249000-memory.dmp family_blackmoon behavioral1/memory/2496-138-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2144-159-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/1644-174-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2924-195-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/568-190-0x0000000000220000-0x0000000000249000-memory.dmp family_blackmoon behavioral1/memory/1608-211-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/880-219-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/1684-230-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/1104-257-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon 
behavioral1/memory/2408-290-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2020-294-0x00000000779B0000-0x0000000077ACF000-memory.dmp family_blackmoon behavioral1/memory/2788-317-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2540-324-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2952-337-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2620-359-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2652-365-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2672-388-0x00000000001B0000-0x00000000001D9000-memory.dmp family_blackmoon behavioral1/memory/1848-403-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2912-406-0x00000000001B0000-0x00000000001D9000-memory.dmp family_blackmoon behavioral1/memory/2912-411-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2252-498-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/1092-524-0x00000000002C0000-0x00000000002E9000-memory.dmp family_blackmoon behavioral1/memory/1768-531-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2828-540-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2828-539-0x0000000000220000-0x0000000000249000-memory.dmp family_blackmoon behavioral1/memory/3024-659-0x00000000001B0000-0x00000000001D9000-memory.dmp family_blackmoon behavioral1/memory/2592-660-0x0000000000220000-0x0000000000249000-memory.dmp family_blackmoon behavioral1/memory/1468-673-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/1860-687-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/604-777-0x0000000000220000-0x0000000000249000-memory.dmp family_blackmoon 
behavioral1/memory/872-829-0x0000000000220000-0x0000000000249000-memory.dmp family_blackmoon behavioral1/memory/1784-906-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/1480-941-0x0000000000220000-0x0000000000249000-memory.dmp family_blackmoon behavioral1/memory/2968-1271-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2576-1298-0x00000000002D0000-0x00000000002F9000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2008 7nbbnt.exe 1932 pjddp.exe 2928 7lxxffl.exe 2440 fxflrxf.exe 2868 lfxlffr.exe 2848 tntbtt.exe 2908 jvjdd.exe 2708 rfxrxrx.exe 2660 dvddd.exe 2132 vjjjj.exe 592 1tbttt.exe 544 nhbbnn.exe 3016 lxlrrrf.exe 2496 3xffrlx.exe 2896 vpvpd.exe 1224 dvppv.exe 2144 ffxrffl.exe 1644 nnbntn.exe 2084 9pdjp.exe 568 jjpvv.exe 2924 xxxxflr.exe 1608 jvdjp.exe 880 xlxfrrx.exe 1684 9nbhnt.exe 1892 3jdpv.exe 688 xrflrfl.exe 1104 1pjpp.exe 2036 1xlllrr.exe 2508 nbhnbb.exe 1052 pdvdd.exe 2408 9xffxxx.exe 2020 tnbhhn.exe 2320 9ppvj.exe 2788 xxrfrfl.exe 2540 jvjjp.exe 2312 lffxflx.exe 2792 bbnnbh.exe 2952 5hbtbt.exe 2604 ddvvj.exe 2620 xxrrrrx.exe 2652 1xxfxxf.exe 2672 tnnhhh.exe 3024 nnnthh.exe 2764 5vjpv.exe 2132 7lxrxxf.exe 1312 frxxxrx.exe 1848 1ntbnn.exe 2912 5jvjv.exe 1852 xlxrrrr.exe 1940 1lrfrrr.exe 2916 btnhnn.exe 2000 pjpvv.exe 1432 dpddj.exe 2192 lxxxxfr.exe 1160 5lfxflr.exe 2256 nbnbtn.exe 952 vvjpv.exe 768 dvppj.exe 2232 xrflxxf.exe 680 ttnbhn.exe 2252 1btbnn.exe 2216 dvjjp.exe 2240 pjpjv.exe 2180 xxlrlrx.exe -
resource yara_rule behavioral1/memory/1984-0-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1984-7-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/files/0x00080000000120f9-9.dat upx behavioral1/memory/2008-11-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/files/0x00080000000160da-18.dat upx behavioral1/memory/2928-30-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/files/0x00070000000162e4-36.dat upx behavioral1/files/0x0008000000016141-28.dat upx behavioral1/memory/1932-26-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/files/0x0008000000016399-44.dat upx behavioral1/memory/2868-47-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2440-45-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2868-55-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/files/0x0007000000016689-53.dat upx behavioral1/files/0x0007000000016890-62.dat upx behavioral1/memory/2908-64-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/files/0x0008000000016b86-73.dat upx behavioral1/memory/2908-72-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/files/0x0008000000016c89-82.dat upx behavioral1/memory/2708-83-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/files/0x000600000001707f-91.dat upx behavioral1/files/0x00060000000174b4-99.dat upx behavioral1/memory/2132-100-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/592-102-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/files/0x00060000000174f8-109.dat upx behavioral1/files/0x0006000000017570-120.dat upx behavioral1/files/0x00060000000175f1-127.dat upx behavioral1/files/0x00060000000175f7-139.dat upx behavioral1/memory/2496-138-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/files/0x000d000000018683-147.dat upx behavioral1/files/0x0005000000018706-166.dat upx 
behavioral1/memory/2144-159-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/files/0x0005000000018697-157.dat upx behavioral1/files/0x000500000001870c-176.dat upx behavioral1/memory/1644-174-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/files/0x000500000001871c-184.dat upx behavioral1/files/0x0005000000018745-192.dat upx behavioral1/memory/2924-195-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/568-190-0x0000000000220000-0x0000000000249000-memory.dmp upx behavioral1/files/0x0006000000018be7-201.dat upx behavioral1/memory/1608-211-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/files/0x0008000000015f38-208.dat upx behavioral1/files/0x0006000000018d7b-220.dat upx behavioral1/memory/880-219-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1684-230-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/files/0x0006000000018d83-229.dat upx behavioral1/files/0x0006000000018fdf-237.dat upx behavioral1/files/0x0006000000019056-247.dat upx behavioral1/memory/1104-248-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1104-257-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/files/0x0005000000019203-256.dat upx behavioral1/files/0x0005000000019237-266.dat upx behavioral1/files/0x000500000001924f-274.dat upx behavioral1/files/0x0005000000019261-282.dat upx behavioral1/files/0x0005000000019274-291.dat upx behavioral1/memory/2408-290-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/files/0x0005000000019299-303.dat upx behavioral1/memory/2788-317-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2540-324-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2952-337-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2620-352-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2620-359-0x0000000000400000-0x0000000000429000-memory.dmp upx 
behavioral1/memory/2652-365-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2672-388-0x00000000001B0000-0x00000000001D9000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim host in order to infer that host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbnnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3ddjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbhtbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dppvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1ntbhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5hhhbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9hbhhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7rxxxfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbhbnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htbhhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thttbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7rlrflx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnbtbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9lflrff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1984 wrote to memory of 2008 1984 d7e043c91ff79462a844fa113bdda9fb5b2da03ca5b56e7137c3c65522cf8bffN.exe 30 PID 1984 wrote to memory of 2008 1984 d7e043c91ff79462a844fa113bdda9fb5b2da03ca5b56e7137c3c65522cf8bffN.exe 30 PID 1984 wrote to memory of 2008 1984 d7e043c91ff79462a844fa113bdda9fb5b2da03ca5b56e7137c3c65522cf8bffN.exe 30 PID 1984 wrote to memory of 2008 1984 d7e043c91ff79462a844fa113bdda9fb5b2da03ca5b56e7137c3c65522cf8bffN.exe 30 PID 2008 wrote to memory of 1932 2008 7nbbnt.exe 31 PID 2008 wrote to memory of 1932 2008 7nbbnt.exe 31 PID 2008 wrote to memory of 1932 2008 7nbbnt.exe 31 PID 2008 wrote to memory of 1932 2008 7nbbnt.exe 31 PID 1932 wrote to memory of 2928 1932 pjddp.exe 32 PID 1932 wrote to memory of 2928 1932 pjddp.exe 32 PID 1932 wrote to memory of 2928 1932 pjddp.exe 32 PID 1932 wrote to memory of 2928 1932 pjddp.exe 32 PID 2928 wrote to memory of 2440 2928 7lxxffl.exe 33 PID 2928 wrote to memory of 2440 2928 7lxxffl.exe 33 PID 2928 wrote to memory of 2440 2928 7lxxffl.exe 33 PID 2928 wrote to memory of 2440 2928 7lxxffl.exe 33 PID 2440 wrote to memory of 2868 2440 fxflrxf.exe 34 PID 2440 wrote to memory of 2868 2440 fxflrxf.exe 34 PID 2440 wrote to memory of 2868 2440 fxflrxf.exe 34 PID 2440 wrote to memory of 2868 2440 fxflrxf.exe 34 PID 2868 wrote to memory of 2848 2868 lfxlffr.exe 35 PID 2868 wrote to memory of 2848 2868 lfxlffr.exe 35 PID 2868 wrote to memory of 2848 2868 lfxlffr.exe 35 PID 2868 wrote to memory of 2848 2868 lfxlffr.exe 35 PID 2848 wrote to memory of 2908 2848 tntbtt.exe 36 PID 2848 wrote to memory of 2908 2848 tntbtt.exe 36 PID 2848 wrote to memory of 2908 2848 tntbtt.exe 36 PID 2848 wrote to memory of 2908 2848 tntbtt.exe 36 PID 2908 wrote to memory of 2708 2908 jvjdd.exe 37 PID 2908 wrote to memory of 2708 2908 jvjdd.exe 37 PID 2908 wrote to memory of 2708 2908 jvjdd.exe 37 PID 2908 wrote to memory of 2708 2908 jvjdd.exe 37 PID 2708 wrote to memory of 2660 2708 rfxrxrx.exe 38 PID 
2708 wrote to memory of 2660 2708 rfxrxrx.exe 38 PID 2708 wrote to memory of 2660 2708 rfxrxrx.exe 38 PID 2708 wrote to memory of 2660 2708 rfxrxrx.exe 38 PID 2660 wrote to memory of 2132 2660 dvddd.exe 39 PID 2660 wrote to memory of 2132 2660 dvddd.exe 39 PID 2660 wrote to memory of 2132 2660 dvddd.exe 39 PID 2660 wrote to memory of 2132 2660 dvddd.exe 39 PID 2132 wrote to memory of 592 2132 vjjjj.exe 40 PID 2132 wrote to memory of 592 2132 vjjjj.exe 40 PID 2132 wrote to memory of 592 2132 vjjjj.exe 40 PID 2132 wrote to memory of 592 2132 vjjjj.exe 40 PID 592 wrote to memory of 544 592 1tbttt.exe 41 PID 592 wrote to memory of 544 592 1tbttt.exe 41 PID 592 wrote to memory of 544 592 1tbttt.exe 41 PID 592 wrote to memory of 544 592 1tbttt.exe 41 PID 544 wrote to memory of 3016 544 nhbbnn.exe 42 PID 544 wrote to memory of 3016 544 nhbbnn.exe 42 PID 544 wrote to memory of 3016 544 nhbbnn.exe 42 PID 544 wrote to memory of 3016 544 nhbbnn.exe 42 PID 3016 wrote to memory of 2496 3016 lxlrrrf.exe 43 PID 3016 wrote to memory of 2496 3016 lxlrrrf.exe 43 PID 3016 wrote to memory of 2496 3016 lxlrrrf.exe 43 PID 3016 wrote to memory of 2496 3016 lxlrrrf.exe 43 PID 2496 wrote to memory of 2896 2496 3xffrlx.exe 44 PID 2496 wrote to memory of 2896 2496 3xffrlx.exe 44 PID 2496 wrote to memory of 2896 2496 3xffrlx.exe 44 PID 2496 wrote to memory of 2896 2496 3xffrlx.exe 44 PID 2896 wrote to memory of 1224 2896 vpvpd.exe 45 PID 2896 wrote to memory of 1224 2896 vpvpd.exe 45 PID 2896 wrote to memory of 1224 2896 vpvpd.exe 45 PID 2896 wrote to memory of 1224 2896 vpvpd.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\d7e043c91ff79462a844fa113bdda9fb5b2da03ca5b56e7137c3c65522cf8bffN.exe"C:\Users\Admin\AppData\Local\Temp\d7e043c91ff79462a844fa113bdda9fb5b2da03ca5b56e7137c3c65522cf8bffN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1984 -
\??\c:\7nbbnt.exec:\7nbbnt.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2008 -
\??\c:\pjddp.exec:\pjddp.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1932 -
\??\c:\7lxxffl.exec:\7lxxffl.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2928 -
\??\c:\fxflrxf.exec:\fxflrxf.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2440 -
\??\c:\lfxlffr.exec:\lfxlffr.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2868 -
\??\c:\tntbtt.exec:\tntbtt.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2848 -
\??\c:\jvjdd.exec:\jvjdd.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2908 -
\??\c:\rfxrxrx.exec:\rfxrxrx.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2708 -
\??\c:\dvddd.exec:\dvddd.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2660 -
\??\c:\vjjjj.exec:\vjjjj.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2132 -
\??\c:\1tbttt.exec:\1tbttt.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:592 -
\??\c:\nhbbnn.exec:\nhbbnn.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:544 -
\??\c:\lxlrrrf.exec:\lxlrrrf.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3016 -
\??\c:\3xffrlx.exec:\3xffrlx.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2496 -
\??\c:\vpvpd.exec:\vpvpd.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2896 -
\??\c:\dvppv.exec:\dvppv.exe17⤵
- Executes dropped EXE
PID:1224 -
\??\c:\ffxrffl.exec:\ffxrffl.exe18⤵
- Executes dropped EXE
PID:2144 -
\??\c:\nnbntn.exec:\nnbntn.exe19⤵
- Executes dropped EXE
PID:1644 -
\??\c:\9pdjp.exec:\9pdjp.exe20⤵
- Executes dropped EXE
PID:2084 -
\??\c:\jjpvv.exec:\jjpvv.exe21⤵
- Executes dropped EXE
PID:568 -
\??\c:\xxxxflr.exec:\xxxxflr.exe22⤵
- Executes dropped EXE
PID:2924 -
\??\c:\jvdjp.exec:\jvdjp.exe23⤵
- Executes dropped EXE
PID:1608 -
\??\c:\xlxfrrx.exec:\xlxfrrx.exe24⤵
- Executes dropped EXE
PID:880 -
\??\c:\9nbhnt.exec:\9nbhnt.exe25⤵
- Executes dropped EXE
PID:1684 -
\??\c:\3jdpv.exec:\3jdpv.exe26⤵
- Executes dropped EXE
PID:1892 -
\??\c:\xrflrfl.exec:\xrflrfl.exe27⤵
- Executes dropped EXE
PID:688 -
\??\c:\1pjpp.exec:\1pjpp.exe28⤵
- Executes dropped EXE
PID:1104 -
\??\c:\1xlllrr.exec:\1xlllrr.exe29⤵
- Executes dropped EXE
PID:2036 -
\??\c:\nbhnbb.exec:\nbhnbb.exe30⤵
- Executes dropped EXE
PID:2508 -
\??\c:\pdvdd.exec:\pdvdd.exe31⤵
- Executes dropped EXE
PID:1052 -
\??\c:\9xffxxx.exec:\9xffxxx.exe32⤵
- Executes dropped EXE
PID:2408 -
\??\c:\tnbhhn.exec:\tnbhhn.exe33⤵
- Executes dropped EXE
PID:2020 -
\??\c:\5dpvj.exec:\5dpvj.exe34⤵PID:2372
-
\??\c:\9ppvj.exec:\9ppvj.exe35⤵
- Executes dropped EXE
PID:2320 -
\??\c:\xxrfrfl.exec:\xxrfrfl.exe36⤵
- Executes dropped EXE
PID:2788 -
\??\c:\jvjjp.exec:\jvjjp.exe37⤵
- Executes dropped EXE
PID:2540 -
\??\c:\lffxflx.exec:\lffxflx.exe38⤵
- Executes dropped EXE
PID:2312 -
\??\c:\bbnnbh.exec:\bbnnbh.exe39⤵
- Executes dropped EXE
PID:2792 -
\??\c:\5hbtbt.exec:\5hbtbt.exe40⤵
- Executes dropped EXE
PID:2952 -
\??\c:\ddvvj.exec:\ddvvj.exe41⤵
- Executes dropped EXE
PID:2604 -
\??\c:\xxrrrrx.exec:\xxrrrrx.exe42⤵
- Executes dropped EXE
PID:2620 -
\??\c:\1xxfxxf.exec:\1xxfxxf.exe43⤵
- Executes dropped EXE
PID:2652 -
\??\c:\tnnhhh.exec:\tnnhhh.exe44⤵
- Executes dropped EXE
PID:2672 -
\??\c:\nnnthh.exec:\nnnthh.exe45⤵
- Executes dropped EXE
PID:3024 -
\??\c:\5vjpv.exec:\5vjpv.exe46⤵
- Executes dropped EXE
PID:2764 -
\??\c:\7lxrxxf.exec:\7lxrxxf.exe47⤵
- Executes dropped EXE
PID:2132 -
\??\c:\frxxxrx.exec:\frxxxrx.exe48⤵
- Executes dropped EXE
PID:1312 -
\??\c:\1ntbnn.exec:\1ntbnn.exe49⤵
- Executes dropped EXE
PID:1848 -
\??\c:\5jvjv.exec:\5jvjv.exe50⤵
- Executes dropped EXE
PID:2912 -
\??\c:\xlxrrrr.exec:\xlxrrrr.exe51⤵
- Executes dropped EXE
PID:1852 -
\??\c:\1lrfrrr.exec:\1lrfrrr.exe52⤵
- Executes dropped EXE
PID:1940 -
\??\c:\btnhnn.exec:\btnhnn.exe53⤵
- Executes dropped EXE
PID:2916 -
\??\c:\pjpvv.exec:\pjpvv.exe54⤵
- Executes dropped EXE
PID:2000 -
\??\c:\dpddj.exec:\dpddj.exe55⤵
- Executes dropped EXE
PID:1432 -
\??\c:\lxxxxfr.exec:\lxxxxfr.exe56⤵
- Executes dropped EXE
PID:2192 -
\??\c:\5lfxflr.exec:\5lfxflr.exe57⤵
- Executes dropped EXE
PID:1160 -
\??\c:\nbnbtn.exec:\nbnbtn.exe58⤵
- Executes dropped EXE
PID:2256 -
\??\c:\vvjpv.exec:\vvjpv.exe59⤵
- Executes dropped EXE
PID:952 -
\??\c:\dvppj.exec:\dvppj.exe60⤵
- Executes dropped EXE
PID:768 -
\??\c:\xrflxxf.exec:\xrflxxf.exe61⤵
- Executes dropped EXE
PID:2232 -
\??\c:\ttnbhn.exec:\ttnbhn.exe62⤵
- Executes dropped EXE
PID:680 -
\??\c:\1btbnn.exec:\1btbnn.exe63⤵
- Executes dropped EXE
PID:2252 -
\??\c:\dvjjp.exec:\dvjjp.exe64⤵
- Executes dropped EXE
PID:2216 -
\??\c:\pjpjv.exec:\pjpjv.exe65⤵
- Executes dropped EXE
PID:2240 -
\??\c:\xxlrlrx.exec:\xxlrlrx.exe66⤵
- Executes dropped EXE
PID:2180 -
\??\c:\bthhtt.exec:\bthhtt.exe67⤵PID:1092
-
\??\c:\vpdpv.exec:\vpdpv.exe68⤵PID:1768
-
\??\c:\jvjpv.exec:\jvjpv.exe69⤵PID:2828
-
\??\c:\lffrxxf.exec:\lffrxxf.exe70⤵PID:2096
-
\??\c:\tnbnbt.exec:\tnbnbt.exe71⤵PID:292
-
\??\c:\vpvvd.exec:\vpvvd.exe72⤵PID:1944
-
\??\c:\jvppd.exec:\jvppd.exe73⤵PID:1908
-
\??\c:\lfxlrrx.exec:\lfxlrrx.exe74⤵PID:1984
-
\??\c:\1ntbhn.exec:\1ntbhn.exe75⤵
- System Location Discovery: System Language Discovery
PID:2188 -
\??\c:\tntnhh.exec:\tntnhh.exe76⤵PID:1708
-
\??\c:\jvdjv.exec:\jvdjv.exe77⤵PID:1192
-
\??\c:\dvpdj.exec:\dvpdj.exe78⤵PID:2500
-
\??\c:\fxlrxfr.exec:\fxlrxfr.exe79⤵PID:1680
-
\??\c:\bnbthh.exec:\bnbthh.exe80⤵PID:2700
-
\??\c:\3nhhbh.exec:\3nhhbh.exe81⤵PID:2748
-
\??\c:\jdpjv.exec:\jdpjv.exe82⤵PID:2872
-
\??\c:\jjvdp.exec:\jjvdp.exe83⤵PID:2452
-
\??\c:\lfrxfrf.exec:\lfrxfrf.exe84⤵PID:2920
-
\??\c:\xrxfffr.exec:\xrxfffr.exe85⤵PID:2592
-
\??\c:\htnhtt.exec:\htnhtt.exe86⤵PID:2628
-
\??\c:\djvpv.exec:\djvpv.exe87⤵PID:2616
-
\??\c:\dpjjv.exec:\dpjjv.exe88⤵PID:3024
-
\??\c:\rfllrff.exec:\rfllrff.exe89⤵PID:2764
-
\??\c:\7nbbhn.exec:\7nbbhn.exe90⤵PID:1468
-
\??\c:\1htbhn.exec:\1htbhn.exe91⤵PID:1636
-
\??\c:\jdjdj.exec:\jdjdj.exe92⤵PID:1860
-
\??\c:\rrrrlfx.exec:\rrrrlfx.exe93⤵PID:2024
-
\??\c:\btnnbn.exec:\btnnbn.exe94⤵PID:1916
-
\??\c:\nntttn.exec:\nntttn.exe95⤵PID:548
-
\??\c:\3pdpd.exec:\3pdpd.exe96⤵PID:2916
-
\??\c:\vppdp.exec:\vppdp.exe97⤵PID:1780
-
\??\c:\lfxrffl.exec:\lfxrffl.exe98⤵PID:1432
-
\??\c:\5lflrrf.exec:\5lflrrf.exe99⤵PID:2276
-
\??\c:\nhntbh.exec:\nhntbh.exe100⤵PID:908
-
\??\c:\9vjvj.exec:\9vjvj.exe101⤵PID:624
-
\??\c:\3vjdv.exec:\3vjdv.exe102⤵PID:2052
-
\??\c:\lfxrffl.exec:\lfxrffl.exe103⤵PID:1612
-
\??\c:\frxllfl.exec:\frxllfl.exe104⤵PID:576
-
\??\c:\bnhtnn.exec:\bnhtnn.exe105⤵PID:448
-
\??\c:\vpjjd.exec:\vpjjd.exe106⤵PID:2120
-
\??\c:\9pjjp.exec:\9pjjp.exe107⤵PID:604
-
\??\c:\xrxrxxl.exec:\xrxrxxl.exe108⤵PID:1856
-
\??\c:\1flllfl.exec:\1flllfl.exe109⤵PID:2240
-
\??\c:\bttbth.exec:\bttbth.exe110⤵PID:756
-
\??\c:\pddvd.exec:\pddvd.exe111⤵PID:2156
-
\??\c:\1pvvd.exec:\1pvvd.exe112⤵PID:2264
-
\??\c:\flxflll.exec:\flxflll.exe113⤵PID:2828
-
\??\c:\frfrxrr.exec:\frfrxrr.exe114⤵PID:2036
-
\??\c:\nbhnnn.exec:\nbhnnn.exe115⤵PID:1728
-
\??\c:\jdpvd.exec:\jdpvd.exe116⤵PID:872
-
\??\c:\jdjdv.exec:\jdjdv.exe117⤵PID:3004
-
\??\c:\fxlrxfr.exec:\fxlrxfr.exe118⤵PID:2056
-
\??\c:\rrxfrll.exec:\rrxfrll.exe119⤵PID:1356
-
\??\c:\btnthn.exec:\btnthn.exe120⤵PID:2688
-
\??\c:\jjdpd.exec:\jjdpd.exe121⤵PID:2928
-
\??\c:\dpvvd.exec:\dpvvd.exe122⤵PID:1564