Analysis
-
max time kernel
150s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
01-11-2024 11:49
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
824010abf68bd802490d8720428a49a6a4a24260bfb9f54a47d5644add0183b7.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
150 seconds
General
-
Target
824010abf68bd802490d8720428a49a6a4a24260bfb9f54a47d5644add0183b7.exe
-
Size
454KB
-
MD5
7ba5cf9ccf91971156e89587a374d2ef
-
SHA1
59df94ed6115acbb131c06be2da06ae8c96367d8
-
SHA256
824010abf68bd802490d8720428a49a6a4a24260bfb9f54a47d5644add0183b7
-
SHA512
a261d1bcb548a05ba2906b4738aeff1b39e032ee2a441eb1ba6bb4d923598302aaaa9ea313818e139a56b9d6f190e7fb9efc4a0895c99c21d2592f574419f503
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeRJ:q7Tc2NYHUrAwfMp3CDRJ
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 42 IoCs
resource yara_rule behavioral1/memory/1172-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2512-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2464-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1928-39-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2864-57-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2996-68-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1916-107-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2892-181-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2872-218-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3048-251-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/288-271-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2356-280-0x0000000077210000-0x000000007732F000-memory.dmp family_blackmoon behavioral1/memory/2672-327-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2652-340-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2768-430-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1276-594-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1600-667-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/348-680-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1560-562-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2156-500-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2436-454-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/484-384-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2792-333-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2244-288-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/600-227-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1636-209-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1988-191-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1888-170-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/608-160-0x0000000000430000-0x000000000045A000-memory.dmp family_blackmoon behavioral1/memory/1256-151-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2736-142-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2736-141-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1620-133-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/976-125-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1916-105-0x0000000001C70000-0x0000000001C9A000-memory.dmp family_blackmoon behavioral1/memory/2612-97-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2132-903-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/1784-906-0x0000000000250000-0x000000000027A000-memory.dmp family_blackmoon behavioral1/memory/2388-1225-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2760-1239-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2644-1271-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2884-1356-0x00000000002B0000-0x00000000002DA000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2512 llflxfx.exe 2464 nnbtht.exe 1928 vpjdp.exe 2692 xlfrlrf.exe 2864 jpppv.exe 2996 1xxrlfx.exe 2732 bbtbnt.exe 1760 fxxflrx.exe 2612 9tttnt.exe 1916 bhnntn.exe 2008 vjdpj.exe 976 btntht.exe 1620 jjdvj.exe 2736 lffrfll.exe 1256 dpvvp.exe 608 xffrfrf.exe 1888 nhbbtb.exe 2892 pjjpd.exe 1988 xffxrff.exe 2972 djpdv.exe 1636 rxllxxl.exe 2872 ffxrlrf.exe 600 9pjjv.exe 1592 1vvdd.exe 2372 1nntnt.exe 3048 9bhhtb.exe 1152 5nhhht.exe 3060 tnnhtn.exe 288 pppvp.exe 2356 ffxrlxl.exe 1572 tttbnb.exe 1560 jjdpj.exe 2080 flxxfxx.exe 2276 bhhbnt.exe 2672 jjjpd.exe 2792 xflfrxl.exe 2652 vvjjv.exe 2596 ffxlrxl.exe 2732 rlflflf.exe 2836 pppvj.exe 2620 5djvp.exe 2688 rlllxfx.exe 1520 lllflrl.exe 484 nttnbh.exe 2608 ppvjv.exe 1836 vvdpd.exe 2580 lxxrxrl.exe 1664 3hhnbb.exe 348 nhhttb.exe 300 jdvjv.exe 2768 jjdjd.exe 2984 ffllxfx.exe 1800 nhnttt.exe 2948 5hnbth.exe 2436 pjdpv.exe 1704 7ddpd.exe 1132 lrlxllx.exe 2916 ntnnnt.exe 1596 ttnntb.exe 2168 5vdpv.exe 868 7jvdj.exe 2156 lllxlrf.exe 2216 nnhhtb.exe 2424 tbtbbn.exe -
resource yara_rule behavioral1/memory/1172-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2464-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2512-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2464-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1928-39-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2996-58-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2864-57-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2996-68-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1916-107-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2892-181-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2872-218-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3048-251-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/288-271-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2356-280-0x0000000077210000-0x000000007732F000-memory.dmp upx behavioral1/memory/2672-327-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2652-340-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1664-405-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2768-430-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1276-594-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1600-667-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/348-680-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2156-500-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1704-455-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2436-454-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/1836-392-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/484-384-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2792-333-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2244-288-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/600-227-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1636-209-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1988-191-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1888-170-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1256-151-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2736-141-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1620-133-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/976-125-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2612-97-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2852-883-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2132-903-0x0000000000320000-0x000000000034A000-memory.dmp upx behavioral1/memory/600-997-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2652-1112-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2716-1124-0x0000000000330000-0x000000000035A000-memory.dmp upx behavioral1/memory/2388-1225-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2984-1232-0x00000000003A0000-0x00000000003CA000-memory.dmp upx behavioral1/memory/1472-1290-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/848-1316-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2396-1343-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7ddpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrlxrfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdjvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1xxrlfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppvjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjjpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppjdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnbbhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvdpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffrrxxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pppvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3jjvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9nthtb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xfflfrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9pjdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnnthh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tttbtb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrlrxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5jddj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrlxrxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5lrxrrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxfrrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9bhtht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flffxlr.exe Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvpjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9dppp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llffxfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9vppv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfrfffr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttthtb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdvpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5djvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlflxfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3hhnbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rflxxlx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffflfxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppdvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnbnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnhhnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pppdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddjvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bthntb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7rrfflx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhhnht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhbbnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdvpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3ntnbh.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvvjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddvpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbthbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjpdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbnntt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvddv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flllrfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvpvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxrfrxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbttbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvjjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nttnbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7ppjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3tthnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5pppd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffxfrrx.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1172 wrote to memory of 2512 1172 824010abf68bd802490d8720428a49a6a4a24260bfb9f54a47d5644add0183b7.exe 31 PID 1172 wrote to memory of 2512 1172 824010abf68bd802490d8720428a49a6a4a24260bfb9f54a47d5644add0183b7.exe 31 PID 1172 wrote to memory of 2512 1172 824010abf68bd802490d8720428a49a6a4a24260bfb9f54a47d5644add0183b7.exe 31 PID 1172 wrote to memory of 2512 1172 824010abf68bd802490d8720428a49a6a4a24260bfb9f54a47d5644add0183b7.exe 31 PID 2512 wrote to memory of 2464 2512 llflxfx.exe 32 PID 2512 wrote to memory of 2464 2512 llflxfx.exe 32 PID 2512 wrote to memory of 2464 2512 llflxfx.exe 32 PID 2512 wrote to memory of 2464 2512 llflxfx.exe 32 PID 2464 wrote to memory of 1928 2464 nnbtht.exe 105 PID 2464 wrote to memory of 1928 2464 nnbtht.exe 105 PID 2464 wrote to memory of 1928 2464 nnbtht.exe 105 PID 2464 wrote to memory of 1928 2464 nnbtht.exe 105 PID 1928 wrote to memory of 2692 1928 vpjdp.exe 34 PID 1928 wrote to memory of 2692 1928 vpjdp.exe 34 PID 1928 wrote to memory of 2692 1928 vpjdp.exe 34 PID 1928 wrote to memory of 2692 1928 vpjdp.exe 34 PID 2692 wrote to memory of 2864 2692 xlfrlrf.exe 35 PID 2692 wrote to memory of 2864 2692 xlfrlrf.exe 35 PID 2692 wrote to memory of 2864 2692 xlfrlrf.exe 35 PID 2692 wrote to memory of 2864 2692 xlfrlrf.exe 35 PID 2864 wrote to memory of 2996 2864 jpppv.exe 36 PID 2864 wrote to memory of 2996 2864 jpppv.exe 36 PID 2864 wrote to memory of 2996 2864 jpppv.exe 36 PID 2864 wrote to memory of 2996 2864 jpppv.exe 36 PID 2996 wrote to memory of 2732 2996 1xxrlfx.exe 37 PID 2996 wrote to memory of 2732 2996 1xxrlfx.exe 37 PID 2996 wrote to memory of 2732 2996 1xxrlfx.exe 37 PID 2996 wrote to memory of 2732 2996 1xxrlfx.exe 37 PID 2732 wrote to memory of 1760 2732 bbtbnt.exe 38 PID 2732 wrote to memory of 1760 2732 bbtbnt.exe 38 PID 2732 wrote to memory of 1760 2732 bbtbnt.exe 38 PID 2732 wrote to memory of 1760 2732 bbtbnt.exe 38 PID 1760 wrote to memory of 2612 1760 fxxflrx.exe 39 PID 
1760 wrote to memory of 2612 1760 fxxflrx.exe 39 PID 1760 wrote to memory of 2612 1760 fxxflrx.exe 39 PID 1760 wrote to memory of 2612 1760 fxxflrx.exe 39 PID 2612 wrote to memory of 1916 2612 9tttnt.exe 40 PID 2612 wrote to memory of 1916 2612 9tttnt.exe 40 PID 2612 wrote to memory of 1916 2612 9tttnt.exe 40 PID 2612 wrote to memory of 1916 2612 9tttnt.exe 40 PID 1916 wrote to memory of 2008 1916 bhnntn.exe 41 PID 1916 wrote to memory of 2008 1916 bhnntn.exe 41 PID 1916 wrote to memory of 2008 1916 bhnntn.exe 41 PID 1916 wrote to memory of 2008 1916 bhnntn.exe 41 PID 2008 wrote to memory of 976 2008 vjdpj.exe 42 PID 2008 wrote to memory of 976 2008 vjdpj.exe 42 PID 2008 wrote to memory of 976 2008 vjdpj.exe 42 PID 2008 wrote to memory of 976 2008 vjdpj.exe 42 PID 976 wrote to memory of 1620 976 btntht.exe 43 PID 976 wrote to memory of 1620 976 btntht.exe 43 PID 976 wrote to memory of 1620 976 btntht.exe 43 PID 976 wrote to memory of 1620 976 btntht.exe 43 PID 1620 wrote to memory of 2736 1620 jjdvj.exe 44 PID 1620 wrote to memory of 2736 1620 jjdvj.exe 44 PID 1620 wrote to memory of 2736 1620 jjdvj.exe 44 PID 1620 wrote to memory of 2736 1620 jjdvj.exe 44 PID 2736 wrote to memory of 1256 2736 lffrfll.exe 45 PID 2736 wrote to memory of 1256 2736 lffrfll.exe 45 PID 2736 wrote to memory of 1256 2736 lffrfll.exe 45 PID 2736 wrote to memory of 1256 2736 lffrfll.exe 45 PID 1256 wrote to memory of 608 1256 dpvvp.exe 46 PID 1256 wrote to memory of 608 1256 dpvvp.exe 46 PID 1256 wrote to memory of 608 1256 dpvvp.exe 46 PID 1256 wrote to memory of 608 1256 dpvvp.exe 46
Processes
-
C:\Users\Admin\AppData\Local\Temp\824010abf68bd802490d8720428a49a6a4a24260bfb9f54a47d5644add0183b7.exe"C:\Users\Admin\AppData\Local\Temp\824010abf68bd802490d8720428a49a6a4a24260bfb9f54a47d5644add0183b7.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1172 -
\??\c:\llflxfx.exec:\llflxfx.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2512 -
\??\c:\nnbtht.exec:\nnbtht.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2464 -
\??\c:\vpjdp.exec:\vpjdp.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1928 -
\??\c:\xlfrlrf.exec:\xlfrlrf.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2692 -
\??\c:\jpppv.exec:\jpppv.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2864 -
\??\c:\1xxrlfx.exec:\1xxrlfx.exe7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2996 -
\??\c:\bbtbnt.exec:\bbtbnt.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2732 -
\??\c:\fxxflrx.exec:\fxxflrx.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1760 -
\??\c:\9tttnt.exec:\9tttnt.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2612 -
\??\c:\bhnntn.exec:\bhnntn.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1916 -
\??\c:\vjdpj.exec:\vjdpj.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2008 -
\??\c:\btntht.exec:\btntht.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:976 -
\??\c:\jjdvj.exec:\jjdvj.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1620 -
\??\c:\lffrfll.exec:\lffrfll.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2736 -
\??\c:\dpvvp.exec:\dpvvp.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1256 -
\??\c:\xffrfrf.exec:\xffrfrf.exe17⤵
- Executes dropped EXE
PID:608 -
\??\c:\nhbbtb.exec:\nhbbtb.exe18⤵
- Executes dropped EXE
PID:1888 -
\??\c:\pjjpd.exec:\pjjpd.exe19⤵
- Executes dropped EXE
PID:2892 -
\??\c:\xffxrff.exec:\xffxrff.exe20⤵
- Executes dropped EXE
PID:1988 -
\??\c:\djpdv.exec:\djpdv.exe21⤵
- Executes dropped EXE
PID:2972 -
\??\c:\rxllxxl.exec:\rxllxxl.exe22⤵
- Executes dropped EXE
PID:1636 -
\??\c:\ffxrlrf.exec:\ffxrlrf.exe23⤵
- Executes dropped EXE
PID:2872 -
\??\c:\9pjjv.exec:\9pjjv.exe24⤵
- Executes dropped EXE
PID:600 -
\??\c:\1vvdd.exec:\1vvdd.exe25⤵
- Executes dropped EXE
PID:1592 -
\??\c:\1nntnt.exec:\1nntnt.exe26⤵
- Executes dropped EXE
PID:2372 -
\??\c:\9bhhtb.exec:\9bhhtb.exe27⤵
- Executes dropped EXE
PID:3048 -
\??\c:\5nhhht.exec:\5nhhht.exe28⤵
- Executes dropped EXE
PID:1152 -
\??\c:\tnnhtn.exec:\tnnhtn.exe29⤵
- Executes dropped EXE
PID:3060 -
\??\c:\pppvp.exec:\pppvp.exe30⤵
- Executes dropped EXE
PID:288 -
\??\c:\ffxrlxl.exec:\ffxrlxl.exe31⤵
- Executes dropped EXE
PID:2356 -
\??\c:\nnnbnn.exec:\nnnbnn.exe32⤵PID:2244
-
\??\c:\tttbnb.exec:\tttbnb.exe33⤵
- Executes dropped EXE
PID:1572 -
\??\c:\jjdpj.exec:\jjdpj.exe34⤵
- Executes dropped EXE
PID:1560 -
\??\c:\flxxfxx.exec:\flxxfxx.exe35⤵
- Executes dropped EXE
PID:2080 -
\??\c:\bhhbnt.exec:\bhhbnt.exe36⤵
- Executes dropped EXE
PID:2276 -
\??\c:\jjjpd.exec:\jjjpd.exe37⤵
- Executes dropped EXE
PID:2672 -
\??\c:\xflfrxl.exec:\xflfrxl.exe38⤵
- Executes dropped EXE
PID:2792 -
\??\c:\vvjjv.exec:\vvjjv.exe39⤵
- Executes dropped EXE
PID:2652 -
\??\c:\ffxlrxl.exec:\ffxlrxl.exe40⤵
- Executes dropped EXE
PID:2596 -
\??\c:\rlflflf.exec:\rlflflf.exe41⤵
- Executes dropped EXE
PID:2732 -
\??\c:\pppvj.exec:\pppvj.exe42⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2836 -
\??\c:\5djvp.exec:\5djvp.exe43⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2620 -
\??\c:\rlllxfx.exec:\rlllxfx.exe44⤵
- Executes dropped EXE
PID:2688 -
\??\c:\lllflrl.exec:\lllflrl.exe45⤵
- Executes dropped EXE
PID:1520 -
\??\c:\nttnbh.exec:\nttnbh.exe46⤵
- Executes dropped EXE
PID:484 -
\??\c:\ppvjv.exec:\ppvjv.exe47⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2608 -
\??\c:\vvdpd.exec:\vvdpd.exe48⤵
- Executes dropped EXE
PID:1836 -
\??\c:\lxxrxrl.exec:\lxxrxrl.exe49⤵
- Executes dropped EXE
PID:2580 -
\??\c:\3hhnbb.exec:\3hhnbb.exe50⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1664 -
\??\c:\nhhttb.exec:\nhhttb.exe51⤵
- Executes dropped EXE
PID:348 -
\??\c:\jdvjv.exec:\jdvjv.exe52⤵
- Executes dropped EXE
PID:300 -
\??\c:\jjdjd.exec:\jjdjd.exe53⤵
- Executes dropped EXE
PID:2768 -
\??\c:\ffllxfx.exec:\ffllxfx.exe54⤵
- Executes dropped EXE
PID:2984 -
\??\c:\nhnttt.exec:\nhnttt.exe55⤵
- Executes dropped EXE
PID:1800 -
\??\c:\5hnbth.exec:\5hnbth.exe56⤵
- Executes dropped EXE
PID:2948 -
\??\c:\pjdpv.exec:\pjdpv.exe57⤵
- Executes dropped EXE
PID:2436 -
\??\c:\7ddpd.exec:\7ddpd.exe58⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1704 -
\??\c:\lrlxllx.exec:\lrlxllx.exe59⤵
- Executes dropped EXE
PID:1132 -
\??\c:\ntnnnt.exec:\ntnnnt.exe60⤵
- Executes dropped EXE
PID:2916 -
\??\c:\ttnntb.exec:\ttnntb.exe61⤵
- Executes dropped EXE
PID:1596 -
\??\c:\5vdpv.exec:\5vdpv.exe62⤵
- Executes dropped EXE
PID:2168 -
\??\c:\7jvdj.exec:\7jvdj.exe63⤵
- Executes dropped EXE
PID:868 -
\??\c:\lllxlrf.exec:\lllxlrf.exe64⤵
- Executes dropped EXE
PID:2156 -
\??\c:\nnhhtb.exec:\nnhhtb.exe65⤵
- Executes dropped EXE
PID:2216 -
\??\c:\tbtbbn.exec:\tbtbbn.exe66⤵
- Executes dropped EXE
PID:2424 -
\??\c:\pjjpj.exec:\pjjpj.exe67⤵
- System Location Discovery: System Language Discovery
PID:1720 -
\??\c:\ddvjj.exec:\ddvjj.exe68⤵PID:1044
-
\??\c:\flrflrf.exec:\flrflrf.exe69⤵PID:3060
-
\??\c:\bbthnb.exec:\bbthnb.exe70⤵PID:288
-
\??\c:\5tnnbh.exec:\5tnnbh.exe71⤵PID:2512
-
\??\c:\pdvpd.exec:\pdvpd.exe72⤵PID:2244
-
\??\c:\7jdjv.exec:\7jdjv.exe73⤵PID:2640
-
\??\c:\3xrxrlr.exec:\3xrxrlr.exe74⤵PID:1560
-
\??\c:\lfxfxfr.exec:\lfxfxfr.exe75⤵PID:2120
-
\??\c:\nnttbb.exec:\nnttbb.exe76⤵PID:1928
-
\??\c:\vpjvd.exec:\vpjvd.exe77⤵PID:2856
-
\??\c:\5pjvj.exec:\5pjvj.exe78⤵PID:2476
-
\??\c:\9xrxllf.exec:\9xrxllf.exe79⤵PID:1276
-
\??\c:\rxxxrfx.exec:\rxxxrfx.exe80⤵PID:2652
-
\??\c:\nttbhn.exec:\nttbhn.exe81⤵PID:2172
-
\??\c:\tbthbt.exec:\tbthbt.exe82⤵PID:2128
-
\??\c:\vvpvd.exec:\vvpvd.exe83⤵PID:2092
-
\??\c:\5lrxrfx.exec:\5lrxrfx.exe84⤵PID:3008
-
\??\c:\ffxxflx.exec:\ffxxflx.exe85⤵PID:1916
-
\??\c:\bbbnnt.exec:\bbbnnt.exe86⤵PID:2008
-
\??\c:\nnhbnb.exec:\nnhbnb.exe87⤵PID:1608
-
\??\c:\ppdjv.exec:\ppdjv.exe88⤵PID:2536
-
\??\c:\frlrfll.exec:\frlrfll.exe89⤵PID:1620
-
\??\c:\3rllxfr.exec:\3rllxfr.exe90⤵PID:2648
-
\??\c:\tbbhtb.exec:\tbbhtb.exe91⤵PID:1600
-
\??\c:\3hbhth.exec:\3hbhth.exe92⤵PID:2876
-
\??\c:\pdddj.exec:\pdddj.exe93⤵PID:348
-
\??\c:\xxrrffl.exec:\xxrrffl.exe94⤵PID:300
-
\??\c:\lrlfllx.exec:\lrlfllx.exe95⤵PID:2056
-
\??\c:\hhhthb.exec:\hhhthb.exe96⤵PID:2984
-
\??\c:\tthhnn.exec:\tthhnn.exe97⤵PID:1800
-
\??\c:\vvpdp.exec:\vvpdp.exe98⤵PID:2308
-
\??\c:\ffxfxfr.exec:\ffxfxfr.exe99⤵PID:2436
-
\??\c:\ffxfxlx.exec:\ffxfxlx.exe100⤵PID:1636
-
\??\c:\tnbtbn.exec:\tnbtbn.exe101⤵PID:832
-
\??\c:\vvjdp.exec:\vvjdp.exe102⤵PID:2944
-
\??\c:\jjjvd.exec:\jjjvd.exe103⤵PID:2264
-
\??\c:\rrrflxr.exec:\rrrflxr.exe104⤵PID:2644
-
\??\c:\hnbhbn.exec:\hnbhbn.exe105⤵PID:2152
-
\??\c:\nhtbnt.exec:\nhtbnt.exe106⤵PID:3024
-
\??\c:\ppjdv.exec:\ppjdv.exe107⤵PID:892
-
\??\c:\dddvd.exec:\dddvd.exe108⤵PID:1472
-
\??\c:\rfrfffr.exec:\rfrfffr.exe109⤵
- System Location Discovery: System Language Discovery
PID:900 -
\??\c:\frlxrfx.exec:\frlxrfx.exe110⤵PID:1248
-
\??\c:\hntnbn.exec:\hntnbn.exe111⤵PID:2448
-
\??\c:\hhtnhn.exec:\hhtnhn.exe112⤵PID:1632
-
\??\c:\jjdjp.exec:\jjdjp.exe113⤵PID:2444
-
\??\c:\9xrxllr.exec:\9xrxllr.exe114⤵PID:1572
-
\??\c:\lfxrxfr.exec:\lfxrxfr.exe115⤵PID:1976
-
\??\c:\5tnbnn.exec:\5tnbnn.exe116⤵PID:1416
-
\??\c:\jvpjv.exec:\jvpjv.exe117⤵
- System Location Discovery: System Language Discovery
PID:2772 -
\??\c:\vvpvj.exec:\vvpvj.exe118⤵PID:1040
-
\??\c:\lflrxfr.exec:\lflrxfr.exe119⤵PID:2484
-
\??\c:\3rrrflf.exec:\3rrrflf.exe120⤵PID:2740
-
\??\c:\nhhnht.exec:\nhhnht.exe121⤵
- System Location Discovery: System Language Discovery
PID:2888 -
\??\c:\jjdvj.exec:\jjdvj.exe122⤵PID:2852
-