Analysis
-
max time kernel
150s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64 arch:x86 image:win7-20240708-en locale:en-us os:windows7-x64 system -
submitted
01-11-2024 11:05
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
17a1e2c8786c3182606b4c28fadd915e9d0a618b8f3d1e5dd22f02dddbd1202fN.exe
Resource
win7-20240708-en
windows7-x64
7 signatures
150 seconds
General
-
Target
17a1e2c8786c3182606b4c28fadd915e9d0a618b8f3d1e5dd22f02dddbd1202fN.exe
-
Size
453KB
-
MD5
05f8260b67b540c6cefdf2f93d2efee0
-
SHA1
3cdd15baeca04448957aaae33b9e2f6ac79ec196
-
SHA256
17a1e2c8786c3182606b4c28fadd915e9d0a618b8f3d1e5dd22f02dddbd1202f
-
SHA512
f0d750df373e75986210b6e484b71f9774dc50450784733c92a598c3e63650e5f7d4f016dab05fa01366dab817cdc662bb97e3bbc15f37059591648823fb6ec2
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbel:q7Tc2NYHUrAwfMp3CDl
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 47 IoCs
resource yara_rule behavioral1/memory/2552-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2548-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1708-27-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/872-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3060-45-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2708-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2832-58-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2868-74-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2864-91-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2596-100-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1648-110-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2372-119-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2372-121-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1912-138-0x0000000000230000-0x000000000025A000-memory.dmp family_blackmoon behavioral1/memory/1448-150-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2820-148-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3052-165-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2332-174-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1996-183-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2060-208-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1980-217-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/1632-238-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1232-236-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/564-251-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/564-255-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2284-263-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1668-272-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2456-281-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1520-304-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2108-319-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2780-333-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2796-341-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2836-354-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2956-429-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1432-436-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2464-514-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1980-525-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/2128-544-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/1096-756-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2764-947-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/2908-960-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2908-981-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon 
behavioral1/memory/3020-1008-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2940-1270-0x0000000000430000-0x000000000045A000-memory.dmp family_blackmoon behavioral1/memory/2540-1286-0x00000000003D0000-0x00000000003FA000-memory.dmp family_blackmoon behavioral1/memory/1644-1325-0x0000000001C80000-0x0000000001CAA000-memory.dmp family_blackmoon behavioral1/memory/2456-1382-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2548 5rlflrl.exe 1708 9dddd.exe 872 fflrxfr.exe 3060 pjjpj.exe 2708 fflxxlf.exe 2832 thhhht.exe 2868 pjdpj.exe 2860 nnhnhh.exe 2864 pvpdj.exe 2596 ntbtbt.exe 1648 dvpvp.exe 2372 fllfrfl.exe 1968 9htthh.exe 1912 llxlrxl.exe 2820 xrlxxfl.exe 1448 jjvjd.exe 3052 thtbth.exe 2332 rrlfrxr.exe 1996 llffrxf.exe 1992 jdppd.exe 884 rflflxr.exe 2060 btbhht.exe 1980 htbtht.exe 1608 bbthtb.exe 1232 httttt.exe 1632 ffxfxlx.exe 564 3hhnth.exe 2284 ppvjv.exe 1668 7nbnbh.exe 2456 vjjjv.exe 1972 ppvpd.exe 2476 ttthth.exe 2396 pvvvp.exe 1520 xxrfrfr.exe 1636 flllffr.exe 2108 bnhbbt.exe 2780 jjddp.exe 264 frrfrff.exe 2796 lxrlxlr.exe 2836 tthbtb.exe 2876 pppjd.exe 2856 dvvjv.exe 2920 rxxlrfx.exe 1780 7nntnh.exe 2620 ppvdd.exe 2596 djdjv.exe 2676 lffllxl.exe 2772 htbnbh.exe 2996 thtntn.exe 352 djpjv.exe 2828 djjvp.exe 2956 5lfrxfl.exe 1432 hhntbh.exe 344 ddjvv.exe 3012 3pppp.exe 3036 xrlrlrl.exe 2332 btthnb.exe 2696 9hbbhn.exe 1028 pvpdp.exe 440 jvvpv.exe 308 lrrrflx.exe 1244 bbbnth.exe 596 dvvjj.exe 1980 9dpvd.exe -
resource yara_rule behavioral1/memory/2552-0-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2552-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2548-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1708-27-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/872-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3060-45-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2708-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2832-58-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2860-75-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2868-74-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2596-100-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2372-111-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1648-110-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2372-121-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1448-150-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2820-148-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3052-165-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2332-174-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1996-183-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2060-208-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1980-217-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1632-238-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1232-236-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/564-255-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2284-263-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1668-272-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2456-281-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1520-304-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2108-319-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2780-326-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2780-333-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1520-334-0x00000000001B0000-0x00000000001DA000-memory.dmp upx behavioral1/memory/2796-341-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2836-354-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1780-373-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2772-398-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2956-429-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1432-436-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3036-449-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/440-474-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2464-507-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2464-514-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1420-567-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3008-691-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2932-698-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1096-749-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1096-756-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1636-868-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2940-994-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3020-1008-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1956-1009-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2344-1094-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2652-1198-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3004-1260-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2044-1287-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1944-1312-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1656-1326-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2456-1375-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1vdvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnhtbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdjpj.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxflxlr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3pppp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language httnnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ntnhbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxlrfxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttnntt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrrfxfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7btttb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2552 wrote to memory of 2548 2552 17a1e2c8786c3182606b4c28fadd915e9d0a618b8f3d1e5dd22f02dddbd1202fN.exe 30 PID 2552 wrote to memory of 2548 2552 17a1e2c8786c3182606b4c28fadd915e9d0a618b8f3d1e5dd22f02dddbd1202fN.exe 30 PID 2552 wrote to memory of 2548 2552 17a1e2c8786c3182606b4c28fadd915e9d0a618b8f3d1e5dd22f02dddbd1202fN.exe 30 PID 2552 wrote to memory of 2548 2552 17a1e2c8786c3182606b4c28fadd915e9d0a618b8f3d1e5dd22f02dddbd1202fN.exe 30 PID 2548 wrote to memory of 1708 2548 5rlflrl.exe 31 PID 2548 wrote to memory of 1708 2548 5rlflrl.exe 31 PID 2548 wrote to memory of 1708 2548 5rlflrl.exe 31 PID 2548 wrote to memory of 1708 2548 5rlflrl.exe 31 PID 1708 wrote to memory of 872 1708 9dddd.exe 32 PID 1708 wrote to memory of 872 1708 9dddd.exe 32 PID 1708 wrote to memory of 872 1708 9dddd.exe 32 PID 1708 wrote to memory of 872 1708 9dddd.exe 32 PID 872 wrote to memory of 3060 872 fflrxfr.exe 33 PID 872 wrote to memory of 3060 872 fflrxfr.exe 33 PID 872 wrote to memory of 3060 872 fflrxfr.exe 33 PID 872 wrote to memory of 3060 872 fflrxfr.exe 33 PID 3060 wrote to memory of 2708 3060 pjjpj.exe 34 PID 3060 wrote to memory of 2708 3060 pjjpj.exe 34 PID 3060 wrote to memory of 2708 3060 pjjpj.exe 34 PID 3060 wrote to memory of 2708 3060 pjjpj.exe 34 PID 2708 wrote to memory of 2832 2708 fflxxlf.exe 35 PID 2708 wrote to memory of 2832 2708 fflxxlf.exe 35 PID 2708 wrote to memory of 2832 2708 fflxxlf.exe 35 PID 2708 wrote to memory of 2832 2708 fflxxlf.exe 35 PID 2832 wrote to memory of 2868 2832 thhhht.exe 36 PID 2832 wrote to memory of 2868 2832 thhhht.exe 36 PID 2832 wrote to memory of 2868 2832 thhhht.exe 36 PID 2832 wrote to memory of 2868 2832 thhhht.exe 36 PID 2868 wrote to memory of 2860 2868 pjdpj.exe 37 PID 2868 wrote to memory of 2860 2868 pjdpj.exe 37 PID 2868 wrote to memory of 2860 2868 pjdpj.exe 37 PID 2868 wrote to memory of 2860 2868 pjdpj.exe 37 PID 2860 wrote to memory of 2864 2860 nnhnhh.exe 38 PID 2860 wrote to 
memory of 2864 2860 nnhnhh.exe 38 PID 2860 wrote to memory of 2864 2860 nnhnhh.exe 38 PID 2860 wrote to memory of 2864 2860 nnhnhh.exe 38 PID 2864 wrote to memory of 2596 2864 pvpdj.exe 39 PID 2864 wrote to memory of 2596 2864 pvpdj.exe 39 PID 2864 wrote to memory of 2596 2864 pvpdj.exe 39 PID 2864 wrote to memory of 2596 2864 pvpdj.exe 39 PID 2596 wrote to memory of 1648 2596 ntbtbt.exe 40 PID 2596 wrote to memory of 1648 2596 ntbtbt.exe 40 PID 2596 wrote to memory of 1648 2596 ntbtbt.exe 40 PID 2596 wrote to memory of 1648 2596 ntbtbt.exe 40 PID 1648 wrote to memory of 2372 1648 dvpvp.exe 41 PID 1648 wrote to memory of 2372 1648 dvpvp.exe 41 PID 1648 wrote to memory of 2372 1648 dvpvp.exe 41 PID 1648 wrote to memory of 2372 1648 dvpvp.exe 41 PID 2372 wrote to memory of 1968 2372 fllfrfl.exe 42 PID 2372 wrote to memory of 1968 2372 fllfrfl.exe 42 PID 2372 wrote to memory of 1968 2372 fllfrfl.exe 42 PID 2372 wrote to memory of 1968 2372 fllfrfl.exe 42 PID 1968 wrote to memory of 1912 1968 9htthh.exe 43 PID 1968 wrote to memory of 1912 1968 9htthh.exe 43 PID 1968 wrote to memory of 1912 1968 9htthh.exe 43 PID 1968 wrote to memory of 1912 1968 9htthh.exe 43 PID 1912 wrote to memory of 2820 1912 llxlrxl.exe 44 PID 1912 wrote to memory of 2820 1912 llxlrxl.exe 44 PID 1912 wrote to memory of 2820 1912 llxlrxl.exe 44 PID 1912 wrote to memory of 2820 1912 llxlrxl.exe 44 PID 2820 wrote to memory of 1448 2820 xrlxxfl.exe 45 PID 2820 wrote to memory of 1448 2820 xrlxxfl.exe 45 PID 2820 wrote to memory of 1448 2820 xrlxxfl.exe 45 PID 2820 wrote to memory of 1448 2820 xrlxxfl.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\17a1e2c8786c3182606b4c28fadd915e9d0a618b8f3d1e5dd22f02dddbd1202fN.exe"C:\Users\Admin\AppData\Local\Temp\17a1e2c8786c3182606b4c28fadd915e9d0a618b8f3d1e5dd22f02dddbd1202fN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2552 -
\??\c:\5rlflrl.exec:\5rlflrl.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2548 -
\??\c:\9dddd.exec:\9dddd.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1708 -
\??\c:\fflrxfr.exec:\fflrxfr.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:872 -
\??\c:\pjjpj.exec:\pjjpj.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3060 -
\??\c:\fflxxlf.exec:\fflxxlf.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2708 -
\??\c:\thhhht.exec:\thhhht.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2832 -
\??\c:\pjdpj.exec:\pjdpj.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2868 -
\??\c:\nnhnhh.exec:\nnhnhh.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2860 -
\??\c:\pvpdj.exec:\pvpdj.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2864 -
\??\c:\ntbtbt.exec:\ntbtbt.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2596 -
\??\c:\dvpvp.exec:\dvpvp.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1648 -
\??\c:\fllfrfl.exec:\fllfrfl.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2372 -
\??\c:\9htthh.exec:\9htthh.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1968 -
\??\c:\llxlrxl.exec:\llxlrxl.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1912 -
\??\c:\xrlxxfl.exec:\xrlxxfl.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2820 -
\??\c:\jjvjd.exec:\jjvjd.exe17⤵
- Executes dropped EXE
PID:1448 -
\??\c:\thtbth.exec:\thtbth.exe18⤵
- Executes dropped EXE
PID:3052 -
\??\c:\rrlfrxr.exec:\rrlfrxr.exe19⤵
- Executes dropped EXE
PID:2332 -
\??\c:\llffrxf.exec:\llffrxf.exe20⤵
- Executes dropped EXE
PID:1996 -
\??\c:\jdppd.exec:\jdppd.exe21⤵
- Executes dropped EXE
PID:1992 -
\??\c:\rflflxr.exec:\rflflxr.exe22⤵
- Executes dropped EXE
PID:884 -
\??\c:\btbhht.exec:\btbhht.exe23⤵
- Executes dropped EXE
PID:2060 -
\??\c:\htbtht.exec:\htbtht.exe24⤵
- Executes dropped EXE
PID:1980 -
\??\c:\bbthtb.exec:\bbthtb.exe25⤵
- Executes dropped EXE
PID:1608 -
\??\c:\httttt.exec:\httttt.exe26⤵
- Executes dropped EXE
PID:1232 -
\??\c:\ffxfxlx.exec:\ffxfxlx.exe27⤵
- Executes dropped EXE
PID:1632 -
\??\c:\3hhnth.exec:\3hhnth.exe28⤵
- Executes dropped EXE
PID:564 -
\??\c:\ppvjv.exec:\ppvjv.exe29⤵
- Executes dropped EXE
PID:2284 -
\??\c:\7nbnbh.exec:\7nbnbh.exe30⤵
- Executes dropped EXE
PID:1668 -
\??\c:\vjjjv.exec:\vjjjv.exe31⤵
- Executes dropped EXE
PID:2456 -
\??\c:\ppvpd.exec:\ppvpd.exe32⤵
- Executes dropped EXE
PID:1972 -
\??\c:\ttthth.exec:\ttthth.exe33⤵
- Executes dropped EXE
PID:2476 -
\??\c:\pvvvp.exec:\pvvvp.exe34⤵
- Executes dropped EXE
PID:2396 -
\??\c:\xxrfrfr.exec:\xxrfrfr.exe35⤵
- Executes dropped EXE
PID:1520 -
\??\c:\flllffr.exec:\flllffr.exe36⤵
- Executes dropped EXE
PID:1636 -
\??\c:\bnhbbt.exec:\bnhbbt.exe37⤵
- Executes dropped EXE
PID:2108 -
\??\c:\jjddp.exec:\jjddp.exe38⤵
- Executes dropped EXE
PID:2780 -
\??\c:\frrfrff.exec:\frrfrff.exe39⤵
- Executes dropped EXE
PID:264 -
\??\c:\lxrlxlr.exec:\lxrlxlr.exe40⤵
- Executes dropped EXE
PID:2796 -
\??\c:\tthbtb.exec:\tthbtb.exe41⤵
- Executes dropped EXE
PID:2836 -
\??\c:\pppjd.exec:\pppjd.exe42⤵
- Executes dropped EXE
PID:2876 -
\??\c:\dvvjv.exec:\dvvjv.exe43⤵
- Executes dropped EXE
PID:2856 -
\??\c:\rxxlrfx.exec:\rxxlrfx.exe44⤵
- Executes dropped EXE
PID:2920 -
\??\c:\7nntnh.exec:\7nntnh.exe45⤵
- Executes dropped EXE
PID:1780 -
\??\c:\ppvdd.exec:\ppvdd.exe46⤵
- Executes dropped EXE
PID:2620 -
\??\c:\djdjv.exec:\djdjv.exe47⤵
- Executes dropped EXE
PID:2596 -
\??\c:\lffllxl.exec:\lffllxl.exe48⤵
- Executes dropped EXE
PID:2676 -
\??\c:\htbnbh.exec:\htbnbh.exe49⤵
- Executes dropped EXE
PID:2772 -
\??\c:\thtntn.exec:\thtntn.exe50⤵
- Executes dropped EXE
PID:2996 -
\??\c:\djpjv.exec:\djpjv.exe51⤵
- Executes dropped EXE
PID:352 -
\??\c:\djjvp.exec:\djjvp.exe52⤵
- Executes dropped EXE
PID:2828 -
\??\c:\5lfrxfl.exec:\5lfrxfl.exe53⤵
- Executes dropped EXE
PID:2956 -
\??\c:\hhntbh.exec:\hhntbh.exe54⤵
- Executes dropped EXE
PID:1432 -
\??\c:\ddjvv.exec:\ddjvv.exe55⤵
- Executes dropped EXE
PID:344 -
\??\c:\3pppp.exec:\3pppp.exe56⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3012 -
\??\c:\xrlrlrl.exec:\xrlrlrl.exe57⤵
- Executes dropped EXE
PID:3036 -
\??\c:\btthnb.exec:\btthnb.exe58⤵
- Executes dropped EXE
PID:2332 -
\??\c:\9hbbhn.exec:\9hbbhn.exe59⤵
- Executes dropped EXE
PID:2696 -
\??\c:\pvpdp.exec:\pvpdp.exe60⤵
- Executes dropped EXE
PID:1028 -
\??\c:\jvvpv.exec:\jvvpv.exe61⤵
- Executes dropped EXE
PID:440 -
\??\c:\lrrrflx.exec:\lrrrflx.exe62⤵
- Executes dropped EXE
PID:308 -
\??\c:\bbbnth.exec:\bbbnth.exe63⤵
- Executes dropped EXE
PID:1244 -
\??\c:\dvvjj.exec:\dvvjj.exe64⤵
- Executes dropped EXE
PID:596 -
\??\c:\9dpvd.exec:\9dpvd.exe65⤵
- Executes dropped EXE
PID:1980 -
\??\c:\lrrxrrl.exec:\lrrxrrl.exe66⤵PID:2464
-
\??\c:\ttthbh.exec:\ttthbh.exe67⤵PID:832
-
\??\c:\vdjjv.exec:\vdjjv.exe68⤵PID:1632
-
\??\c:\dvddp.exec:\dvddp.exe69⤵PID:1468
-
\??\c:\ffflxfr.exec:\ffflxfr.exe70⤵PID:564
-
\??\c:\tttthn.exec:\tttthn.exe71⤵PID:2128
-
\??\c:\3ddjd.exec:\3ddjd.exe72⤵PID:2032
-
\??\c:\pvvvj.exec:\pvvvj.exe73⤵PID:556
-
\??\c:\fxrlxfr.exec:\fxrlxfr.exe74⤵PID:880
-
\??\c:\7llrlxr.exec:\7llrlxr.exe75⤵PID:1420
-
\??\c:\bbtbhn.exec:\bbtbhn.exe76⤵PID:1840
-
\??\c:\vvvpp.exec:\vvvpp.exe77⤵PID:1852
-
\??\c:\vvvjd.exec:\vvvjd.exe78⤵PID:2536
-
\??\c:\fxxfrrl.exec:\fxxfrrl.exe79⤵PID:1836
-
\??\c:\bbbnbt.exec:\bbbnbt.exe80⤵PID:2096
-
\??\c:\ttthbn.exec:\ttthbn.exe81⤵PID:2528
-
\??\c:\ppdjv.exec:\ppdjv.exe82⤵PID:2756
-
\??\c:\fxrfrxx.exec:\fxrfrxx.exe83⤵PID:264
-
\??\c:\rlflxfr.exec:\rlflxfr.exe84⤵PID:2796
-
\??\c:\3nnnhn.exec:\3nnnhn.exe85⤵PID:2836
-
\??\c:\3nbhnh.exec:\3nbhnh.exe86⤵PID:2876
-
\??\c:\jdjjv.exec:\jdjjv.exe87⤵PID:2900
-
\??\c:\xrfllrf.exec:\xrfllrf.exe88⤵PID:2656
-
\??\c:\bnhttn.exec:\bnhttn.exe89⤵PID:1780
-
\??\c:\ttntnt.exec:\ttntnt.exe90⤵PID:1224
-
\??\c:\fxrrlfx.exec:\fxrrlfx.exe91⤵PID:2720
-
\??\c:\tbthbh.exec:\tbthbh.exe92⤵PID:2908
-
\??\c:\btnnhn.exec:\btnnhn.exe93⤵PID:1872
-
\??\c:\vvjdj.exec:\vvjdj.exe94⤵PID:1540
-
\??\c:\rrlrxfx.exec:\rrlrxfx.exe95⤵PID:3008
-
\??\c:\rxrlfrf.exec:\rxrlfrf.exe96⤵PID:2932
-
\??\c:\bhbtbb.exec:\bhbtbb.exe97⤵PID:2956
-
\??\c:\ddjjj.exec:\ddjjj.exe98⤵PID:2000
-
\??\c:\jjvdp.exec:\jjvdp.exe99⤵PID:2504
-
\??\c:\3rxrfrx.exec:\3rxrfrx.exe100⤵PID:480
-
\??\c:\bnnbth.exec:\bnnbth.exe101⤵PID:3036
-
\??\c:\7pjjv.exec:\7pjjv.exe102⤵PID:2640
-
\??\c:\dpjjp.exec:\dpjjp.exe103⤵PID:2412
-
\??\c:\rlllxxl.exec:\rlllxxl.exe104⤵PID:1096
-
\??\c:\3nbbnn.exec:\3nbbnn.exe105⤵PID:440
-
\??\c:\3nthtb.exec:\3nthtb.exe106⤵PID:2060
-
\??\c:\ddjvp.exec:\ddjvp.exe107⤵PID:1244
-
\??\c:\3ffrlrl.exec:\3ffrlrl.exe108⤵PID:824
-
\??\c:\bhhnht.exec:\bhhnht.exe109⤵PID:1980
-
\??\c:\ttnhbn.exec:\ttnhbn.exe110⤵PID:1936
-
\??\c:\jjjjd.exec:\jjjjd.exe111⤵PID:896
-
\??\c:\flrrfxx.exec:\flrrfxx.exe112⤵PID:1212
-
\??\c:\hhbhtn.exec:\hhbhtn.exe113⤵PID:1500
-
\??\c:\bbhhhb.exec:\bbhhhb.exe114⤵PID:272
-
\??\c:\djdjv.exec:\djdjv.exe115⤵PID:2428
-
\??\c:\frflrxx.exec:\frflrxx.exe116⤵PID:2392
-
\??\c:\rxxllrl.exec:\rxxllrl.exe117⤵PID:2032
-
\??\c:\nhtbtb.exec:\nhtbtb.exe118⤵PID:556
-
\??\c:\jpvpp.exec:\jpvpp.exe119⤵PID:880
-
\??\c:\1xxlrfl.exec:\1xxlrfl.exe120⤵PID:1704
-
\??\c:\5lfrlfx.exec:\5lfrlfx.exe121⤵PID:1840
-
\??\c:\hbnbnb.exec:\hbnbnb.exe122⤵PID:2680