Analysis
-
max time kernel
150s -
max time network
125s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
17/10/2024, 18:25
Behavioral task
behavioral1
Sample
09a3b34fe56240a128fae1d49124ca0c50cb1bc2f1e98777e29f28f667882fc3.exe
Resource
win7-20240903-en
6 signatures
150 seconds
General
-
Target
09a3b34fe56240a128fae1d49124ca0c50cb1bc2f1e98777e29f28f667882fc3.exe
-
Size
382KB
-
MD5
41b41bb39cc14987e25f883578701fdb
-
SHA1
080f53e8ec01524becdbbb4302f170289726bf8f
-
SHA256
09a3b34fe56240a128fae1d49124ca0c50cb1bc2f1e98777e29f28f667882fc3
-
SHA512
e19426bf673f900a0a7102bd742200481bc627de5e0b4ba499005096ab5a7c37ba1bb4779f07dcc52a3dd7d5502b8a6ccfb6a2f0fd87facf755a54dabb9de96e
-
SSDEEP
6144:9cm4FmowdHoS4WEkMawdHoSbdwqGw+tw+ttidCy13:/4wFHoS4WEkMTHoSbG++tw+tYYy9
Malware Config
Signatures
-
Detect Blackmoon payload 50 IoCs
resource yara_rule behavioral1/memory/2828-7-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2212-11-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2368-27-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2932-36-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2140-45-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2168-65-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2692-75-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2772-93-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2668-103-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2432-115-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2544-123-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2252-134-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1736-152-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/1736-153-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1256-179-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1500-190-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1500-187-0x00000000001B0000-0x00000000001D7000-memory.dmp family_blackmoon behavioral1/memory/864-198-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1708-207-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2940-215-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1880-232-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral1/memory/444-243-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1936-253-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2080-304-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1328-311-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/3036-356-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/3036-376-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2592-389-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2764-390-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2604-403-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2400-470-0x00000000003C0000-0x00000000003E7000-memory.dmp family_blackmoon behavioral1/memory/1500-484-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1084-539-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1912-559-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2212-598-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2748-653-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2688-666-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2524-693-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1684-708-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/1632-749-0x0000000000320000-0x0000000000347000-memory.dmp family_blackmoon behavioral1/memory/2104-787-0x00000000003C0000-0x00000000003E7000-memory.dmp family_blackmoon behavioral1/memory/2064-840-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon 
behavioral1/memory/1912-853-0x00000000001B0000-0x00000000001D7000-memory.dmp family_blackmoon behavioral1/memory/1912-854-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2644-926-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2432-963-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/1548-1006-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2804-1072-0x00000000003D0000-0x00000000003F7000-memory.dmp family_blackmoon behavioral1/memory/912-1101-0x00000000003A0000-0x00000000003C7000-memory.dmp family_blackmoon behavioral1/memory/856-1277-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2212 jdvdd.exe 2368 lfrlrrx.exe 2932 7bnhnn.exe 2140 lrrlfrl.exe 2780 9btbnt.exe 2168 fxrrffr.exe 2692 nhttbh.exe 2648 pppjd.exe 2772 7fxlrfl.exe 2668 djvvj.exe 2432 jdpdp.exe 2544 btntht.exe 2252 bnhhbb.exe 856 xrffrrf.exe 1736 nhhbtn.exe 1548 3frrxfl.exe 1632 lflrrff.exe 1256 dddpd.exe 1500 dvpvj.exe 864 hhbnnt.exe 1708 ddpdd.exe 2940 nnhnht.exe 2588 5ddjv.exe 1880 rrrxxfx.exe 444 btnbnn.exe 1936 jdvdp.exe 836 nhbbhn.exe 2404 5vppp.exe 3020 lfxxffr.exe 1812 hhbnth.exe 880 dvpvj.exe 2080 xfxxfxl.exe 1328 nthbbb.exe 1604 vvpvp.exe 2884 xrllxfx.exe 1052 rlflrlx.exe 2824 tnnbnh.exe 1988 vpdpv.exe 2916 ppddv.exe 3036 rlxfffx.exe 2620 tttbbb.exe 2736 pvpjv.exe 2700 jjddp.exe 2636 7frxxxx.exe 2592 btnhtb.exe 2764 vvjvp.exe 2604 djpvp.exe 2524 xrllffx.exe 2556 rrlrffl.exe 1356 ntbhbh.exe 1148 5jppp.exe 2320 xfrrflx.exe 2276 5frflrx.exe 1736 bbthbn.exe 296 7bbnhh.exe 1260 ppdvj.exe 1632 xllfxrl.exe 2400 nnbbnb.exe 2396 bnthnn.exe 1500 jdpdp.exe 864 llrrxlf.exe 2816 1hhntb.exe 2176 pjjpj.exe 2804 jvpjd.exe -
resource yara_rule behavioral1/memory/2828-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000b000000012029-8.dat upx behavioral1/memory/2828-7-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2212-11-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0008000000015d0d-19.dat upx behavioral1/memory/2368-18-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0008000000015d2e-28.dat upx behavioral1/memory/2368-27-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0007000000015d50-38.dat upx behavioral1/memory/2932-36-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0007000000015d5c-47.dat upx behavioral1/memory/2140-45-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0007000000015d64-55.dat upx behavioral1/memory/2168-56-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0007000000015d6d-66.dat upx behavioral1/memory/2168-65-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0008000000016858-73.dat upx behavioral1/memory/2692-75-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00060000000186de-83.dat upx behavioral1/files/0x00050000000186ee-95.dat upx behavioral1/memory/2668-94-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2772-93-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2432-104-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2668-103-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001875d-102.dat upx behavioral1/files/0x0005000000018761-116.dat upx behavioral1/memory/2432-115-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0006000000018bcd-124.dat upx behavioral1/memory/2544-123-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0006000000018d63-135.dat upx 
behavioral1/memory/2252-134-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0006000000018d68-143.dat upx behavioral1/memory/1736-150-0x0000000000220000-0x0000000000247000-memory.dmp upx behavioral1/files/0x0006000000019030-155.dat upx behavioral1/memory/1736-153-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000600000001903d-162.dat upx behavioral1/files/0x000500000001920f-172.dat upx behavioral1/files/0x0005000000019228-180.dat upx behavioral1/memory/1256-179-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/1500-190-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0009000000015cdb-189.dat upx behavioral1/memory/1500-187-0x00000000001B0000-0x00000000001D7000-memory.dmp upx behavioral1/memory/864-198-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0005000000019234-199.dat upx behavioral1/memory/1708-207-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0005000000019241-206.dat upx behavioral1/files/0x000500000001925c-216.dat upx behavioral1/memory/2940-215-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0005000000019273-223.dat upx behavioral1/memory/1880-232-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00050000000192f0-233.dat upx behavioral1/memory/444-243-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001932a-242.dat upx behavioral1/files/0x000500000001933e-254.dat upx behavioral1/memory/1936-253-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/1936-251-0x00000000001B0000-0x00000000001D7000-memory.dmp upx behavioral1/files/0x0005000000019346-263.dat upx behavioral1/files/0x0005000000019384-271.dat upx behavioral1/files/0x00050000000193a2-279.dat upx behavioral1/files/0x0005000000019228-287.dat upx behavioral1/files/0x00050000000193af-295.dat upx 
behavioral1/memory/2080-296-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2080-304-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/1328-311-0x0000000000400000-0x0000000000427000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfxxffr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxrrrfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrlrxfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpjvp.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djdjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbtnbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9bbbhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3xllllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vddjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrlxlrl.exe Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrxxlrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxxxrxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjddp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2828 wrote to memory of 2212 2828 09a3b34fe56240a128fae1d49124ca0c50cb1bc2f1e98777e29f28f667882fc3.exe 28 PID 2828 wrote to memory of 2212 2828 09a3b34fe56240a128fae1d49124ca0c50cb1bc2f1e98777e29f28f667882fc3.exe 28 PID 2828 wrote to memory of 2212 2828 09a3b34fe56240a128fae1d49124ca0c50cb1bc2f1e98777e29f28f667882fc3.exe 28 PID 2828 wrote to memory of 2212 2828 09a3b34fe56240a128fae1d49124ca0c50cb1bc2f1e98777e29f28f667882fc3.exe 28 PID 2212 wrote to memory of 2368 2212 jdvdd.exe 29 PID 2212 wrote to memory of 2368 2212 jdvdd.exe 29 PID 2212 wrote to memory of 2368 2212 jdvdd.exe 29 PID 2212 wrote to memory of 2368 2212 jdvdd.exe 29 PID 2368 wrote to memory of 2932 2368 lfrlrrx.exe 30 PID 2368 wrote to memory of 2932 2368 lfrlrrx.exe 30 PID 2368 wrote to memory of 2932 2368 lfrlrrx.exe 30 PID 2368 wrote to memory of 2932 2368 lfrlrrx.exe 30 PID 2932 wrote to memory of 2140 2932 7bnhnn.exe 31 PID 2932 wrote to memory of 2140 2932 7bnhnn.exe 31 PID 2932 wrote to memory of 2140 2932 7bnhnn.exe 31 PID 2932 wrote to memory of 2140 2932 7bnhnn.exe 31 PID 2140 wrote to memory of 2780 2140 lrrlfrl.exe 32 PID 2140 wrote to memory of 2780 2140 lrrlfrl.exe 32 PID 2140 wrote to memory of 2780 2140 lrrlfrl.exe 32 PID 2140 wrote to memory of 2780 2140 lrrlfrl.exe 32 PID 2780 wrote to memory of 2168 2780 9btbnt.exe 33 PID 2780 wrote to memory of 2168 2780 9btbnt.exe 33 PID 2780 wrote to memory of 2168 2780 9btbnt.exe 33 PID 2780 wrote to memory of 2168 2780 9btbnt.exe 33 PID 2168 wrote to memory of 2692 2168 fxrrffr.exe 34 PID 2168 wrote to memory of 2692 2168 fxrrffr.exe 34 PID 2168 wrote to memory of 2692 2168 fxrrffr.exe 34 PID 2168 wrote to memory of 2692 2168 fxrrffr.exe 34 PID 2692 wrote to memory of 2648 2692 nhttbh.exe 35 PID 2692 wrote to memory of 2648 2692 nhttbh.exe 35 PID 2692 wrote to memory of 2648 2692 nhttbh.exe 35 PID 2692 wrote to memory of 2648 2692 nhttbh.exe 35 PID 2648 wrote to memory of 2772 2648 pppjd.exe 36 PID 
2648 wrote to memory of 2772 2648 pppjd.exe 36 PID 2648 wrote to memory of 2772 2648 pppjd.exe 36 PID 2648 wrote to memory of 2772 2648 pppjd.exe 36 PID 2772 wrote to memory of 2668 2772 7fxlrfl.exe 37 PID 2772 wrote to memory of 2668 2772 7fxlrfl.exe 37 PID 2772 wrote to memory of 2668 2772 7fxlrfl.exe 37 PID 2772 wrote to memory of 2668 2772 7fxlrfl.exe 37 PID 2668 wrote to memory of 2432 2668 djvvj.exe 38 PID 2668 wrote to memory of 2432 2668 djvvj.exe 38 PID 2668 wrote to memory of 2432 2668 djvvj.exe 38 PID 2668 wrote to memory of 2432 2668 djvvj.exe 38 PID 2432 wrote to memory of 2544 2432 jdpdp.exe 39 PID 2432 wrote to memory of 2544 2432 jdpdp.exe 39 PID 2432 wrote to memory of 2544 2432 jdpdp.exe 39 PID 2432 wrote to memory of 2544 2432 jdpdp.exe 39 PID 2544 wrote to memory of 2252 2544 btntht.exe 40 PID 2544 wrote to memory of 2252 2544 btntht.exe 40 PID 2544 wrote to memory of 2252 2544 btntht.exe 40 PID 2544 wrote to memory of 2252 2544 btntht.exe 40 PID 2252 wrote to memory of 856 2252 bnhhbb.exe 41 PID 2252 wrote to memory of 856 2252 bnhhbb.exe 41 PID 2252 wrote to memory of 856 2252 bnhhbb.exe 41 PID 2252 wrote to memory of 856 2252 bnhhbb.exe 41 PID 856 wrote to memory of 1736 856 xrffrrf.exe 42 PID 856 wrote to memory of 1736 856 xrffrrf.exe 42 PID 856 wrote to memory of 1736 856 xrffrrf.exe 42 PID 856 wrote to memory of 1736 856 xrffrrf.exe 42 PID 1736 wrote to memory of 1548 1736 nhhbtn.exe 43 PID 1736 wrote to memory of 1548 1736 nhhbtn.exe 43 PID 1736 wrote to memory of 1548 1736 nhhbtn.exe 43 PID 1736 wrote to memory of 1548 1736 nhhbtn.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\09a3b34fe56240a128fae1d49124ca0c50cb1bc2f1e98777e29f28f667882fc3.exe"C:\Users\Admin\AppData\Local\Temp\09a3b34fe56240a128fae1d49124ca0c50cb1bc2f1e98777e29f28f667882fc3.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2828 -
\??\c:\jdvdd.exec:\jdvdd.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2212 -
\??\c:\lfrlrrx.exec:\lfrlrrx.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2368 -
\??\c:\7bnhnn.exec:\7bnhnn.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2932 -
\??\c:\lrrlfrl.exec:\lrrlfrl.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2140 -
\??\c:\9btbnt.exec:\9btbnt.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2780 -
\??\c:\fxrrffr.exec:\fxrrffr.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2168 -
\??\c:\nhttbh.exec:\nhttbh.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2692 -
\??\c:\pppjd.exec:\pppjd.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2648 -
\??\c:\7fxlrfl.exec:\7fxlrfl.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2772 -
\??\c:\djvvj.exec:\djvvj.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2668 -
\??\c:\jdpdp.exec:\jdpdp.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2432 -
\??\c:\btntht.exec:\btntht.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2544 -
\??\c:\bnhhbb.exec:\bnhhbb.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2252 -
\??\c:\xrffrrf.exec:\xrffrrf.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:856 -
\??\c:\nhhbtn.exec:\nhhbtn.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1736 -
\??\c:\3frrxfl.exec:\3frrxfl.exe17⤵
- Executes dropped EXE
PID:1548 -
\??\c:\lflrrff.exec:\lflrrff.exe18⤵
- Executes dropped EXE
PID:1632 -
\??\c:\dddpd.exec:\dddpd.exe19⤵
- Executes dropped EXE
PID:1256 -
\??\c:\dvpvj.exec:\dvpvj.exe20⤵
- Executes dropped EXE
PID:1500 -
\??\c:\hhbnnt.exec:\hhbnnt.exe21⤵
- Executes dropped EXE
PID:864 -
\??\c:\ddpdd.exec:\ddpdd.exe22⤵
- Executes dropped EXE
PID:1708 -
\??\c:\nnhnht.exec:\nnhnht.exe23⤵
- Executes dropped EXE
PID:2940 -
\??\c:\5ddjv.exec:\5ddjv.exe24⤵
- Executes dropped EXE
PID:2588 -
\??\c:\rrrxxfx.exec:\rrrxxfx.exe25⤵
- Executes dropped EXE
PID:1880 -
\??\c:\btnbnn.exec:\btnbnn.exe26⤵
- Executes dropped EXE
PID:444 -
\??\c:\jdvdp.exec:\jdvdp.exe27⤵
- Executes dropped EXE
PID:1936 -
\??\c:\nhbbhn.exec:\nhbbhn.exe28⤵
- Executes dropped EXE
PID:836 -
\??\c:\5vppp.exec:\5vppp.exe29⤵
- Executes dropped EXE
PID:2404 -
\??\c:\lfxxffr.exec:\lfxxffr.exe30⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3020 -
\??\c:\hhbnth.exec:\hhbnth.exe31⤵
- Executes dropped EXE
PID:1812 -
\??\c:\dvpvj.exec:\dvpvj.exe32⤵
- Executes dropped EXE
PID:880 -
\??\c:\xfxxfxl.exec:\xfxxfxl.exe33⤵
- Executes dropped EXE
PID:2080 -
\??\c:\nthbbb.exec:\nthbbb.exe34⤵
- Executes dropped EXE
PID:1328 -
\??\c:\vvpvp.exec:\vvpvp.exe35⤵
- Executes dropped EXE
PID:1604 -
\??\c:\xrllxfx.exec:\xrllxfx.exe36⤵
- Executes dropped EXE
PID:2884 -
\??\c:\rlflrlx.exec:\rlflrlx.exe37⤵
- Executes dropped EXE
PID:1052 -
\??\c:\tnnbnh.exec:\tnnbnh.exe38⤵
- Executes dropped EXE
PID:2824 -
\??\c:\vpdpv.exec:\vpdpv.exe39⤵
- Executes dropped EXE
PID:1988 -
\??\c:\ppddv.exec:\ppddv.exe40⤵
- Executes dropped EXE
PID:2916 -
\??\c:\rlxfffx.exec:\rlxfffx.exe41⤵
- Executes dropped EXE
PID:3036 -
\??\c:\tttbbb.exec:\tttbbb.exe42⤵
- Executes dropped EXE
PID:2620 -
\??\c:\pvpjv.exec:\pvpjv.exe43⤵
- Executes dropped EXE
PID:2736 -
\??\c:\jjddp.exec:\jjddp.exe44⤵
- Executes dropped EXE
PID:2700 -
\??\c:\7frxxxx.exec:\7frxxxx.exe45⤵
- Executes dropped EXE
PID:2636 -
\??\c:\btnhtb.exec:\btnhtb.exe46⤵
- Executes dropped EXE
PID:2592 -
\??\c:\vvjvp.exec:\vvjvp.exe47⤵
- Executes dropped EXE
PID:2764 -
\??\c:\djpvp.exec:\djpvp.exe48⤵
- Executes dropped EXE
PID:2604 -
\??\c:\xrllffx.exec:\xrllffx.exe49⤵
- Executes dropped EXE
PID:2524 -
\??\c:\rrlrffl.exec:\rrlrffl.exe50⤵
- Executes dropped EXE
PID:2556 -
\??\c:\ntbhbh.exec:\ntbhbh.exe51⤵
- Executes dropped EXE
PID:1356 -
\??\c:\5jppp.exec:\5jppp.exe52⤵
- Executes dropped EXE
PID:1148 -
\??\c:\xfrrflx.exec:\xfrrflx.exe53⤵
- Executes dropped EXE
PID:2320 -
\??\c:\5frflrx.exec:\5frflrx.exe54⤵
- Executes dropped EXE
PID:2276 -
\??\c:\bbthbn.exec:\bbthbn.exe55⤵
- Executes dropped EXE
PID:1736 -
\??\c:\7bbnhh.exec:\7bbnhh.exe56⤵
- Executes dropped EXE
PID:296 -
\??\c:\ppdvj.exec:\ppdvj.exe57⤵
- Executes dropped EXE
PID:1260 -
\??\c:\xllfxrl.exec:\xllfxrl.exe58⤵
- Executes dropped EXE
PID:1632 -
\??\c:\nnbbnb.exec:\nnbbnb.exe59⤵
- Executes dropped EXE
PID:2400 -
\??\c:\bnthnn.exec:\bnthnn.exe60⤵
- Executes dropped EXE
PID:2396 -
\??\c:\jdpdp.exec:\jdpdp.exe61⤵
- Executes dropped EXE
PID:1500 -
\??\c:\llrrxlf.exec:\llrrxlf.exe62⤵
- Executes dropped EXE
PID:864 -
\??\c:\1hhntb.exec:\1hhntb.exe63⤵
- Executes dropped EXE
PID:2816 -
\??\c:\pjjpj.exec:\pjjpj.exe64⤵
- Executes dropped EXE
PID:2176 -
\??\c:\jvpjd.exec:\jvpjd.exe65⤵
- Executes dropped EXE
PID:2804 -
\??\c:\rffxlfr.exec:\rffxlfr.exe66⤵PID:2588
-
\??\c:\tnnthn.exec:\tnnthn.exe67⤵PID:908
-
\??\c:\tbntbh.exec:\tbntbh.exe68⤵PID:340
-
\??\c:\jdppd.exec:\jdppd.exe69⤵PID:1928
-
\??\c:\llflrrf.exec:\llflrrf.exe70⤵PID:1084
-
\??\c:\xrrxxxf.exec:\xrrxxxf.exe71⤵PID:564
-
\??\c:\hhntbn.exec:\hhntbn.exe72⤵PID:3024
-
\??\c:\hbntbh.exec:\hbntbh.exe73⤵PID:3012
-
\??\c:\ddddp.exec:\ddddp.exe74⤵PID:1912
-
\??\c:\rxxllrx.exec:\rxxllrx.exe75⤵PID:888
-
\??\c:\hhnhtb.exec:\hhnhtb.exe76⤵PID:1940
-
\??\c:\vvvjv.exec:\vvvjv.exe77⤵PID:1032
-
\??\c:\9jvjj.exec:\9jvjj.exe78⤵PID:1576
-
\??\c:\rlllrxl.exec:\rlllrxl.exe79⤵PID:2212
-
\??\c:\hhnbnn.exec:\hhnbnn.exe80⤵PID:2840
-
\??\c:\nbnnbn.exec:\nbnnbn.exe81⤵PID:2884
-
\??\c:\3dpvd.exec:\3dpvd.exe82⤵PID:1952
-
\??\c:\rlrxlrf.exec:\rlrxlrf.exe83⤵PID:2824
-
\??\c:\1lrlrrr.exec:\1lrlrrr.exe84⤵PID:2072
-
\??\c:\hhbnbb.exec:\hhbnbb.exe85⤵PID:2684
-
\??\c:\jdvvp.exec:\jdvvp.exe86⤵PID:3036
-
\??\c:\dpppj.exec:\dpppj.exe87⤵PID:2740
-
\??\c:\rrrxxfr.exec:\rrrxxfr.exe88⤵PID:2748
-
\??\c:\nbnbhn.exec:\nbnbhn.exe89⤵PID:2608
-
\??\c:\1nhbnn.exec:\1nhbnn.exe90⤵PID:2688
-
\??\c:\vvvjp.exec:\vvvjp.exe91⤵PID:2656
-
\??\c:\llfxlll.exec:\llfxlll.exe92⤵PID:2764
-
\??\c:\bbthht.exec:\bbthht.exe93⤵PID:2492
-
\??\c:\htbbhh.exec:\htbbhh.exe94⤵PID:2524
-
\??\c:\ppjpv.exec:\ppjpv.exe95⤵PID:2908
-
\??\c:\rlxxlrf.exec:\rlxxlrf.exe96⤵PID:1356
-
\??\c:\9xrxxff.exec:\9xrxxff.exe97⤵PID:1684
-
\??\c:\thntnn.exec:\thntnn.exe98⤵PID:2320
-
\??\c:\5jvvp.exec:\5jvvp.exe99⤵PID:2276
-
\??\c:\pjpvj.exec:\pjpvj.exe100⤵PID:752
-
\??\c:\xxrxlxl.exec:\xxrxlxl.exe101⤵PID:296
-
\??\c:\7bnntt.exec:\7bnntt.exe102⤵PID:1260
-
\??\c:\bthnbb.exec:\bthnbb.exe103⤵PID:1632
-
\??\c:\pjddp.exec:\pjddp.exe104⤵PID:2400
-
\??\c:\rlfrfll.exec:\rlfrfll.exe105⤵PID:2396
-
\??\c:\tnnbbn.exec:\tnnbbn.exe106⤵PID:2256
-
\??\c:\ddjjd.exec:\ddjjd.exe107⤵PID:2788
-
\??\c:\pdpdj.exec:\pdpdj.exe108⤵PID:2808
-
\??\c:\1lxxlxx.exec:\1lxxlxx.exe109⤵PID:2104
-
\??\c:\xlffxxr.exec:\xlffxxr.exe110⤵PID:2804
-
\??\c:\pjdjd.exec:\pjdjd.exe111⤵PID:2588
-
\??\c:\7pppv.exec:\7pppv.exe112⤵PID:1384
-
\??\c:\9lxllll.exec:\9lxllll.exe113⤵PID:340
-
\??\c:\bttbnt.exec:\bttbnt.exe114⤵PID:280
-
\??\c:\1dpvd.exec:\1dpvd.exe115⤵PID:872
-
\??\c:\jjdjp.exec:\jjdjp.exe116⤵PID:3056
-
\??\c:\fxrfrxf.exec:\fxrfrxf.exe117⤵PID:2064
-
\??\c:\bbhhtt.exec:\bbhhtt.exe118⤵PID:3012
-
\??\c:\1ttbht.exec:\1ttbht.exe119⤵PID:1912
-
\??\c:\5pdvd.exec:\5pdvd.exe120⤵PID:2240
-
\??\c:\lrlffxr.exec:\lrlffxr.exe121⤵PID:2080
-
\??\c:\bnhtht.exec:\bnhtht.exe122⤵PID:1720