Analysis
-
max time kernel
150s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64 arch:x86 image:win7-20240729-en locale:en-us os:windows7-x64 system
submitted
17/10/2024, 13:06
Behavioral task
behavioral1
Sample
d7e043c91ff79462a844fa113bdda9fb5b2da03ca5b56e7137c3c65522cf8bffN.exe
Resource
win7-20240729-en
6 signatures
150 seconds
General
-
Target
d7e043c91ff79462a844fa113bdda9fb5b2da03ca5b56e7137c3c65522cf8bffN.exe
-
Size
279KB
-
MD5
face18af5f70087e9fbf92c2ee116a20
-
SHA1
39ea6bb8cc8dfab8dc8229b7112765dbc2470ad0
-
SHA256
d7e043c91ff79462a844fa113bdda9fb5b2da03ca5b56e7137c3c65522cf8bff
-
SHA512
b3e1cc83fbbf7fde920ace2599653336f1de8168a1e408e9ee135335670ea9ff96ad2cd5a664544eb606b7e2e15686418dc97fa7ecc9efb402f0540a1f62cfee
-
SSDEEP
6144:ncm4FmowdHoS6rW3NNTvBu6wo2J4JAgNXkArR/rtXOLtu4J6KvvLp3OKtUuuuTEl:14wFHoSeM/Tpu6w14JAOkIRhOBu4Jhv4
Malware Config
Signatures
-
Detect Blackmoon payload 51 IoCs
resource yara_rule behavioral1/memory/1760-7-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2368-30-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/1436-26-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2792-38-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2044-47-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2784-57-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2592-83-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2732-75-0x00000000001B0000-0x00000000001D9000-memory.dmp family_blackmoon behavioral1/memory/2732-74-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2552-104-0x0000000000220000-0x0000000000249000-memory.dmp family_blackmoon behavioral1/memory/2552-103-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2552-102-0x0000000000220000-0x0000000000249000-memory.dmp family_blackmoon behavioral1/memory/2732-109-0x00000000001B0000-0x00000000001D9000-memory.dmp family_blackmoon behavioral1/memory/1944-115-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/1512-123-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2324-134-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2292-146-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/1704-144-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2480-162-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2576-171-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/3028-189-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon 
behavioral1/memory/2536-379-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2224-386-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/1316-520-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/1640-533-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2320-577-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2844-603-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2580-726-0x0000000000430000-0x0000000000459000-memory.dmp family_blackmoon behavioral1/memory/1984-938-0x00000000005C0000-0x00000000005E9000-memory.dmp family_blackmoon behavioral1/memory/624-1035-0x0000000000220000-0x0000000000249000-memory.dmp family_blackmoon behavioral1/memory/2524-1320-0x0000000000280000-0x00000000002A9000-memory.dmp family_blackmoon behavioral1/memory/1136-1347-0x0000000000220000-0x0000000000249000-memory.dmp family_blackmoon behavioral1/memory/3044-1175-0x0000000000220000-0x0000000000249000-memory.dmp family_blackmoon behavioral1/memory/2068-1148-0x0000000000220000-0x0000000000249000-memory.dmp family_blackmoon behavioral1/memory/1696-1016-0x0000000000220000-0x0000000000249000-memory.dmp family_blackmoon behavioral1/memory/920-1009-0x0000000000250000-0x0000000000279000-memory.dmp family_blackmoon behavioral1/memory/2292-945-0x0000000000220000-0x0000000000249000-memory.dmp family_blackmoon behavioral1/memory/2952-808-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2360-758-0x0000000000220000-0x0000000000249000-memory.dmp family_blackmoon behavioral1/memory/1872-687-0x0000000000220000-0x0000000000249000-memory.dmp family_blackmoon behavioral1/memory/2532-636-0x0000000000220000-0x0000000000249000-memory.dmp family_blackmoon behavioral1/memory/1872-427-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon 
behavioral1/memory/1728-419-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/1676-393-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2384-371-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2744-321-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2776-308-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2508-268-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/2396-216-0x0000000000220000-0x0000000000249000-memory.dmp family_blackmoon behavioral1/memory/348-207-0x0000000000400000-0x0000000000429000-memory.dmp family_blackmoon behavioral1/memory/3028-187-0x0000000000220000-0x0000000000249000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1496 9llrflr.exe 1436 1hhnbh.exe 2368 1nnhbh.exe 2792 jjjpj.exe 2044 xrrffrf.exe 2784 hthnht.exe 2732 ttbhnh.exe 2592 jjvjd.exe 2068 9vjpv.exe 2552 rlflrxf.exe 1944 1jvdj.exe 1512 flrxxlx.exe 2324 hbhhnb.exe 1704 dvvvv.exe 2292 xrrxxlr.exe 2480 7htntb.exe 2576 vpvdj.exe 264 fxlrxxx.exe 3028 hhtbhh.exe 2388 ddvjp.exe 348 frfffff.exe 2396 5ttbhn.exe 2176 3tttbb.exe 756 1jdpd.exe 1028 rrlxlrx.exe 624 llfxrlx.exe 2064 5jjjv.exe 2508 dvpdp.exe 2524 frxxlrf.exe 2296 btbhtb.exe 1760 1hbnth.exe 1720 pjjpv.exe 2776 lfrlflr.exe 2788 nnbtht.exe 2744 5jddd.exe 2868 jdvdv.exe 2624 rrflffr.exe 2880 rrlrfrl.exe 2604 bnhntt.exe 2272 5tbhnn.exe 2760 pdpvj.exe 2096 1dpjj.exe 2384 llflllr.exe 2536 fxlxlrx.exe 2224 9btthh.exe 1676 9tbnbh.exe 804 pdvpv.exe 1952 3xrxfll.exe 2160 rlxlrxf.exe 1728 nbnnnn.exe 1872 3nhbnt.exe 1980 dvdjv.exe 572 dddjd.exe 1616 llffflr.exe 2992 rlxxlrf.exe 3040 nbnnbb.exe 2496 nhbbhn.exe 2040 jjjvd.exe 2016 ppjjp.exe 1940 1xffffr.exe 2232 rllxxrx.exe 2852 1nbbnn.exe 980 7tnntt.exe 2204 dvpdp.exe -
resource yara_rule behavioral1/memory/1760-0-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1760-8-0x0000000000220000-0x0000000000249000-memory.dmp upx behavioral1/files/0x000b00000001225e-9.dat upx behavioral1/memory/1760-7-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1436-19-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/files/0x00060000000186c6-18.dat upx behavioral1/memory/2368-30-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/files/0x00070000000186ca-28.dat upx behavioral1/memory/1436-26-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2792-38-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/files/0x00060000000186d9-37.dat upx behavioral1/memory/2044-47-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/files/0x00060000000186dd-46.dat upx behavioral1/files/0x0006000000018710-54.dat upx behavioral1/memory/2732-64-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/files/0x0009000000018718-63.dat upx behavioral1/memory/2784-57-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/files/0x0005000000019605-86.dat upx behavioral1/memory/2068-85-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2592-83-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/files/0x0007000000019240-76.dat upx behavioral1/memory/2732-74-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/files/0x0005000000019606-95.dat upx behavioral1/files/0x0005000000019608-105.dat upx behavioral1/memory/2552-103-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1944-115-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/files/0x000500000001960a-114.dat upx behavioral1/files/0x000500000001960c-124.dat upx behavioral1/memory/1512-123-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/files/0x000500000001961c-135.dat upx 
behavioral1/memory/2324-134-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/files/0x000500000001961e-143.dat upx behavioral1/memory/2292-146-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1704-144-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/files/0x0005000000019667-153.dat upx behavioral1/memory/2480-162-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/files/0x00050000000196a1-161.dat upx behavioral1/files/0x0005000000019926-172.dat upx behavioral1/memory/2576-171-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/files/0x0005000000019c34-179.dat upx behavioral1/memory/3028-189-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/files/0x0005000000019c3c-190.dat upx behavioral1/files/0x0005000000019c3e-197.dat upx behavioral1/files/0x0005000000019cca-233.dat upx behavioral1/files/0x0005000000019dbf-251.dat upx behavioral1/files/0x0005000000019f94-270.dat upx behavioral1/files/0x000500000001a07e-286.dat upx behavioral1/memory/2536-379-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2224-386-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1316-520-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/1640-533-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2320-577-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2844-596-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2844-603-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2580-1248-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2744-1361-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/556-1348-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2700-1334-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2684-1103-0x0000000000220000-0x0000000000249000-memory.dmp 
upx behavioral1/memory/2436-977-0x0000000000220000-0x0000000000249000-memory.dmp upx behavioral1/memory/2952-808-0x0000000000400000-0x0000000000429000-memory.dmp upx behavioral1/memory/2360-758-0x0000000000220000-0x0000000000249000-memory.dmp upx behavioral1/memory/1916-733-0x0000000000220000-0x0000000000249000-memory.dmp upx behavioral1/memory/2988-622-0x0000000000220000-0x0000000000249000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim host in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvppj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfrxxrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjdjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9jdvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfxrlxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1hnnbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxlrrlr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3nthhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3tbhnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvjjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1760 wrote to memory of 1496 1760 d7e043c91ff79462a844fa113bdda9fb5b2da03ca5b56e7137c3c65522cf8bffN.exe 30 PID 1760 wrote to memory of 1496 1760 d7e043c91ff79462a844fa113bdda9fb5b2da03ca5b56e7137c3c65522cf8bffN.exe 30 PID 1760 wrote to memory of 1496 1760 d7e043c91ff79462a844fa113bdda9fb5b2da03ca5b56e7137c3c65522cf8bffN.exe 30 PID 1760 wrote to memory of 1496 1760 d7e043c91ff79462a844fa113bdda9fb5b2da03ca5b56e7137c3c65522cf8bffN.exe 30 PID 1496 wrote to memory of 1436 1496 9llrflr.exe 31 PID 1496 wrote to memory of 1436 1496 9llrflr.exe 31 PID 1496 wrote to memory of 1436 1496 9llrflr.exe 31 PID 1496 wrote to memory of 1436 1496 9llrflr.exe 31 PID 1436 wrote to memory of 2368 1436 1hhnbh.exe 32 PID 1436 wrote to memory of 2368 1436 1hhnbh.exe 32 PID 1436 wrote to memory of 2368 1436 1hhnbh.exe 32 PID 1436 wrote to memory of 2368 1436 1hhnbh.exe 32 PID 2368 wrote to memory of 2792 2368 1nnhbh.exe 33 PID 2368 wrote to memory of 2792 2368 1nnhbh.exe 33 PID 2368 wrote to memory of 2792 2368 1nnhbh.exe 33 PID 2368 wrote to memory of 2792 2368 1nnhbh.exe 33 PID 2792 wrote to memory of 2044 2792 jjjpj.exe 34 PID 2792 wrote to memory of 2044 2792 jjjpj.exe 34 PID 2792 wrote to memory of 2044 2792 jjjpj.exe 34 PID 2792 wrote to memory of 2044 2792 jjjpj.exe 34 PID 2044 wrote to memory of 2784 2044 xrrffrf.exe 35 PID 2044 wrote to memory of 2784 2044 xrrffrf.exe 35 PID 2044 wrote to memory of 2784 2044 xrrffrf.exe 35 PID 2044 wrote to memory of 2784 2044 xrrffrf.exe 35 PID 2784 wrote to memory of 2732 2784 hthnht.exe 36 PID 2784 wrote to memory of 2732 2784 hthnht.exe 36 PID 2784 wrote to memory of 2732 2784 hthnht.exe 36 PID 2784 wrote to memory of 2732 2784 hthnht.exe 36 PID 2732 wrote to memory of 2592 2732 ttbhnh.exe 37 PID 2732 wrote to memory of 2592 2732 ttbhnh.exe 37 PID 2732 wrote to memory of 2592 2732 ttbhnh.exe 37 PID 2732 wrote to memory of 2592 2732 ttbhnh.exe 37 PID 2592 wrote to memory of 2068 2592 jjvjd.exe 38 PID 
2592 wrote to memory of 2068 2592 jjvjd.exe 38 PID 2592 wrote to memory of 2068 2592 jjvjd.exe 38 PID 2592 wrote to memory of 2068 2592 jjvjd.exe 38 PID 2068 wrote to memory of 2552 2068 9vjpv.exe 39 PID 2068 wrote to memory of 2552 2068 9vjpv.exe 39 PID 2068 wrote to memory of 2552 2068 9vjpv.exe 39 PID 2068 wrote to memory of 2552 2068 9vjpv.exe 39 PID 2552 wrote to memory of 1944 2552 rlflrxf.exe 40 PID 2552 wrote to memory of 1944 2552 rlflrxf.exe 40 PID 2552 wrote to memory of 1944 2552 rlflrxf.exe 40 PID 2552 wrote to memory of 1944 2552 rlflrxf.exe 40 PID 1944 wrote to memory of 1512 1944 1jvdj.exe 41 PID 1944 wrote to memory of 1512 1944 1jvdj.exe 41 PID 1944 wrote to memory of 1512 1944 1jvdj.exe 41 PID 1944 wrote to memory of 1512 1944 1jvdj.exe 41 PID 1512 wrote to memory of 2324 1512 flrxxlx.exe 42 PID 1512 wrote to memory of 2324 1512 flrxxlx.exe 42 PID 1512 wrote to memory of 2324 1512 flrxxlx.exe 42 PID 1512 wrote to memory of 2324 1512 flrxxlx.exe 42 PID 2324 wrote to memory of 1704 2324 hbhhnb.exe 43 PID 2324 wrote to memory of 1704 2324 hbhhnb.exe 43 PID 2324 wrote to memory of 1704 2324 hbhhnb.exe 43 PID 2324 wrote to memory of 1704 2324 hbhhnb.exe 43 PID 1704 wrote to memory of 2292 1704 dvvvv.exe 163 PID 1704 wrote to memory of 2292 1704 dvvvv.exe 163 PID 1704 wrote to memory of 2292 1704 dvvvv.exe 163 PID 1704 wrote to memory of 2292 1704 dvvvv.exe 163 PID 2292 wrote to memory of 2480 2292 xrrxxlr.exe 123 PID 2292 wrote to memory of 2480 2292 xrrxxlr.exe 123 PID 2292 wrote to memory of 2480 2292 xrrxxlr.exe 123 PID 2292 wrote to memory of 2480 2292 xrrxxlr.exe 123
Processes
-
C:\Users\Admin\AppData\Local\Temp\d7e043c91ff79462a844fa113bdda9fb5b2da03ca5b56e7137c3c65522cf8bffN.exe"C:\Users\Admin\AppData\Local\Temp\d7e043c91ff79462a844fa113bdda9fb5b2da03ca5b56e7137c3c65522cf8bffN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1760 -
\??\c:\9llrflr.exec:\9llrflr.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1496 -
\??\c:\1hhnbh.exec:\1hhnbh.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1436 -
\??\c:\1nnhbh.exec:\1nnhbh.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2368 -
\??\c:\jjjpj.exec:\jjjpj.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2792 -
\??\c:\xrrffrf.exec:\xrrffrf.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2044 -
\??\c:\hthnht.exec:\hthnht.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2784 -
\??\c:\ttbhnh.exec:\ttbhnh.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2732 -
\??\c:\jjvjd.exec:\jjvjd.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2592 -
\??\c:\9vjpv.exec:\9vjpv.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2068 -
\??\c:\rlflrxf.exec:\rlflrxf.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2552 -
\??\c:\1jvdj.exec:\1jvdj.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1944 -
\??\c:\flrxxlx.exec:\flrxxlx.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1512 -
\??\c:\hbhhnb.exec:\hbhhnb.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2324 -
\??\c:\dvvvv.exec:\dvvvv.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1704 -
\??\c:\xrrxxlr.exec:\xrrxxlr.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2292 -
\??\c:\7htntb.exec:\7htntb.exe17⤵
- Executes dropped EXE
PID:2480 -
\??\c:\vpvdj.exec:\vpvdj.exe18⤵
- Executes dropped EXE
PID:2576 -
\??\c:\fxlrxxx.exec:\fxlrxxx.exe19⤵
- Executes dropped EXE
PID:264 -
\??\c:\hhtbhh.exec:\hhtbhh.exe20⤵
- Executes dropped EXE
PID:3028 -
\??\c:\ddvjp.exec:\ddvjp.exe21⤵
- Executes dropped EXE
PID:2388 -
\??\c:\frfffff.exec:\frfffff.exe22⤵
- Executes dropped EXE
PID:348 -
\??\c:\5ttbhn.exec:\5ttbhn.exe23⤵
- Executes dropped EXE
PID:2396 -
\??\c:\3tttbb.exec:\3tttbb.exe24⤵
- Executes dropped EXE
PID:2176 -
\??\c:\1jdpd.exec:\1jdpd.exe25⤵
- Executes dropped EXE
PID:756 -
\??\c:\rrlxlrx.exec:\rrlxlrx.exe26⤵
- Executes dropped EXE
PID:1028 -
\??\c:\llfxrlx.exec:\llfxrlx.exe27⤵
- Executes dropped EXE
PID:624 -
\??\c:\5jjjv.exec:\5jjjv.exe28⤵
- Executes dropped EXE
PID:2064 -
\??\c:\dvpdp.exec:\dvpdp.exe29⤵
- Executes dropped EXE
PID:2508 -
\??\c:\frxxlrf.exec:\frxxlrf.exe30⤵
- Executes dropped EXE
PID:2524 -
\??\c:\btbhtb.exec:\btbhtb.exe31⤵
- Executes dropped EXE
PID:2296 -
\??\c:\1hbnth.exec:\1hbnth.exe32⤵
- Executes dropped EXE
PID:1760 -
\??\c:\pjjpv.exec:\pjjpv.exe33⤵
- Executes dropped EXE
PID:1720 -
\??\c:\lfrlflr.exec:\lfrlflr.exe34⤵
- Executes dropped EXE
PID:2776 -
\??\c:\nnbtht.exec:\nnbtht.exe35⤵
- Executes dropped EXE
PID:2788 -
\??\c:\5jddd.exec:\5jddd.exe36⤵
- Executes dropped EXE
PID:2744 -
\??\c:\jdvdv.exec:\jdvdv.exe37⤵
- Executes dropped EXE
PID:2868 -
\??\c:\rrflffr.exec:\rrflffr.exe38⤵
- Executes dropped EXE
PID:2624 -
\??\c:\rrlrfrl.exec:\rrlrfrl.exe39⤵
- Executes dropped EXE
PID:2880 -
\??\c:\bnhntt.exec:\bnhntt.exe40⤵
- Executes dropped EXE
PID:2604 -
\??\c:\5tbhnn.exec:\5tbhnn.exe41⤵
- Executes dropped EXE
PID:2272 -
\??\c:\pdpvj.exec:\pdpvj.exe42⤵
- Executes dropped EXE
PID:2760 -
\??\c:\1dpjj.exec:\1dpjj.exe43⤵
- Executes dropped EXE
PID:2096 -
\??\c:\llflllr.exec:\llflllr.exe44⤵
- Executes dropped EXE
PID:2384 -
\??\c:\fxlxlrx.exec:\fxlxlrx.exe45⤵
- Executes dropped EXE
PID:2536 -
\??\c:\9btthh.exec:\9btthh.exe46⤵
- Executes dropped EXE
PID:2224 -
\??\c:\9tbnbh.exec:\9tbnbh.exe47⤵
- Executes dropped EXE
PID:1676 -
\??\c:\pdvpv.exec:\pdvpv.exe48⤵
- Executes dropped EXE
PID:804 -
\??\c:\3xrxfll.exec:\3xrxfll.exe49⤵
- Executes dropped EXE
PID:1952 -
\??\c:\rlxlrxf.exec:\rlxlrxf.exe50⤵
- Executes dropped EXE
PID:2160 -
\??\c:\nbnnnn.exec:\nbnnnn.exe51⤵
- Executes dropped EXE
PID:1728 -
\??\c:\3nhbnt.exec:\3nhbnt.exe52⤵
- Executes dropped EXE
PID:1872 -
\??\c:\dvdjv.exec:\dvdjv.exe53⤵
- Executes dropped EXE
PID:1980 -
\??\c:\dddjd.exec:\dddjd.exe54⤵
- Executes dropped EXE
PID:572 -
\??\c:\llffflr.exec:\llffflr.exe55⤵
- Executes dropped EXE
PID:1616 -
\??\c:\rlxxlrf.exec:\rlxxlrf.exe56⤵
- Executes dropped EXE
PID:2992 -
\??\c:\nbnnbb.exec:\nbnnbb.exe57⤵
- Executes dropped EXE
PID:3040 -
\??\c:\nhbbhn.exec:\nhbbhn.exe58⤵
- Executes dropped EXE
PID:2496 -
\??\c:\jjjvd.exec:\jjjvd.exe59⤵
- Executes dropped EXE
PID:2040 -
\??\c:\ppjjp.exec:\ppjjp.exe60⤵
- Executes dropped EXE
PID:2016 -
\??\c:\1xffffr.exec:\1xffffr.exe61⤵
- Executes dropped EXE
PID:1940 -
\??\c:\rllxxrx.exec:\rllxxrx.exe62⤵
- Executes dropped EXE
PID:2232 -
\??\c:\1nbbnn.exec:\1nbbnn.exe63⤵
- Executes dropped EXE
PID:2852 -
\??\c:\7tnntt.exec:\7tnntt.exe64⤵
- Executes dropped EXE
PID:980 -
\??\c:\dvpdp.exec:\dvpdp.exe65⤵
- Executes dropped EXE
PID:2204 -
\??\c:\jjdjj.exec:\jjdjj.exe66⤵
- System Location Discovery: System Language Discovery
PID:2936 -
\??\c:\frxfxfr.exec:\frxfxfr.exe67⤵PID:1316
-
\??\c:\ffxxllr.exec:\ffxxllr.exe68⤵PID:2064
-
\??\c:\lfllffl.exec:\lfllffl.exe69⤵PID:1640
-
\??\c:\thtnnn.exec:\thtnnn.exe70⤵PID:1996
-
\??\c:\hhntbb.exec:\hhntbb.exe71⤵PID:1788
-
\??\c:\jddjd.exec:\jddjd.exe72⤵PID:1804
-
\??\c:\dppdj.exec:\dppdj.exe73⤵PID:2724
-
\??\c:\5lxfffl.exec:\5lxfffl.exe74⤵PID:2380
-
\??\c:\xffrxrx.exec:\xffrxrx.exe75⤵PID:2800
-
\??\c:\5bhtbn.exec:\5bhtbn.exe76⤵PID:2320
-
\??\c:\5htbnt.exec:\5htbnt.exe77⤵PID:2744
-
\??\c:\ddvjp.exec:\ddvjp.exe78⤵PID:2864
-
\??\c:\jdjjd.exec:\jdjjd.exe79⤵PID:2960
-
\??\c:\rlrlfxx.exec:\rlrlfxx.exe80⤵PID:2844
-
\??\c:\fxllxfr.exec:\fxllxfr.exe81⤵PID:2604
-
\??\c:\nbtbhb.exec:\nbtbhb.exe82⤵PID:2628
-
\??\c:\5nbbbb.exec:\5nbbbb.exe83⤵PID:2988
-
\??\c:\7vpjv.exec:\7vpjv.exe84⤵PID:2764
-
\??\c:\vjjdj.exec:\vjjdj.exe85⤵PID:2532
-
\??\c:\xrffrrr.exec:\xrffrrr.exe86⤵PID:1716
-
\??\c:\hbnthn.exec:\hbnthn.exe87⤵PID:2224
-
\??\c:\5hbttt.exec:\5hbttt.exe88⤵PID:1676
-
\??\c:\vvjjd.exec:\vvjjd.exe89⤵
- System Location Discovery: System Language Discovery
PID:1312 -
\??\c:\jdjdp.exec:\jdjdp.exe90⤵PID:2044
-
\??\c:\xrlxlrf.exec:\xrlxlrf.exe91⤵PID:1224
-
\??\c:\fxlrxxf.exec:\fxlrxxf.exe92⤵PID:2636
-
\??\c:\btnhnt.exec:\btnhnt.exe93⤵PID:2692
-
\??\c:\9nthtt.exec:\9nthtt.exe94⤵PID:1872
-
\??\c:\ddjjp.exec:\ddjjp.exe95⤵PID:2480
-
\??\c:\dvppv.exec:\dvppv.exe96⤵PID:1632
-
\??\c:\rllfflr.exec:\rllfflr.exe97⤵PID:2900
-
\??\c:\1xrxflr.exec:\1xrxflr.exe98⤵PID:1912
-
\??\c:\hbhhtt.exec:\hbhhtt.exe99⤵PID:3028
-
\??\c:\5tntbt.exec:\5tntbt.exe100⤵PID:2580
-
\??\c:\dvppv.exec:\dvppv.exe101⤵PID:1916
-
\??\c:\pjpvv.exec:\pjpvv.exe102⤵PID:1272
-
\??\c:\rrllrfl.exec:\rrllrfl.exe103⤵PID:2468
-
\??\c:\xrfrfll.exec:\xrfrfll.exe104⤵PID:2176
-
\??\c:\nnhhbt.exec:\nnhhbt.exe105⤵PID:2360
-
\??\c:\bthntt.exec:\bthntt.exe106⤵PID:2188
-
\??\c:\9djdj.exec:\9djdj.exe107⤵PID:1212
-
\??\c:\9vppv.exec:\9vppv.exe108⤵PID:3052
-
\??\c:\ddpjp.exec:\ddpjp.exe109⤵PID:2968
-
\??\c:\lxxrrrx.exec:\lxxrrrx.exe110⤵PID:2920
-
\??\c:\lfrrfll.exec:\lfrrfll.exe111⤵PID:2012
-
\??\c:\5thnbb.exec:\5thnbb.exe112⤵PID:464
-
\??\c:\nhttnn.exec:\nhttnn.exe113⤵PID:2952
-
\??\c:\9dpvd.exec:\9dpvd.exe114⤵PID:1908
-
\??\c:\9pjjj.exec:\9pjjj.exe115⤵PID:1136
-
\??\c:\fxrxllf.exec:\fxrxllf.exe116⤵PID:2368
-
\??\c:\lfllrfx.exec:\lfllrfx.exe117⤵PID:2164
-
\??\c:\nhnhth.exec:\nhnhth.exe118⤵PID:2792
-
\??\c:\htbbtt.exec:\htbbtt.exe119⤵PID:2820
-
\??\c:\dvdjj.exec:\dvdjj.exe120⤵PID:2996
-
\??\c:\5pdpv.exec:\5pdpv.exe121⤵PID:2828
-
\??\c:\1frxxlx.exec:\1frxxlx.exe122⤵PID:2860