Analysis
-
max time kernel
120s -
max time network
17s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
02/11/2024, 23:29
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
69b924916b98d3d0655e140e85c194a27230aad33711664c214a073c3e5ce066N.exe
Resource
win7-20240903-en
7 signatures
120 seconds
General
-
Target
69b924916b98d3d0655e140e85c194a27230aad33711664c214a073c3e5ce066N.exe
-
Size
346KB
-
MD5
ccabd7100dc60875227597623cdc2fa0
-
SHA1
9eb9f45714a2d36d8afe80771c7a543c9c58d54b
-
SHA256
69b924916b98d3d0655e140e85c194a27230aad33711664c214a073c3e5ce066
-
SHA512
f384f24db710ae947abfd1b4f472f87049ff5a5483d6c3add1f5991217257a7231b884148edbf9c5b30a33bcf97889862d95d98a3c5eca0d439a6002c2541f2e
-
SSDEEP
6144:Xcm7ImGddXgYW5fNZWB5hFfci3Add4kGYAa:l7TcbWXZshJX2VGda
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 46 IoCs
resource yara_rule behavioral1/memory/2400-11-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral1/memory/1328-8-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral1/memory/1160-31-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral1/memory/2500-27-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral1/memory/2908-47-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral1/memory/2844-61-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral1/memory/692-59-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral1/memory/692-57-0x00000000001B0000-0x00000000001D8000-memory.dmp family_blackmoon behavioral1/memory/488-71-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral1/memory/2756-96-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral1/memory/2452-114-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral1/memory/2284-122-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral1/memory/384-155-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral1/memory/2348-166-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral1/memory/1428-183-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral1/memory/1980-200-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral1/memory/1808-209-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral1/memory/1792-226-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral1/memory/2600-259-0x0000000000220000-0x0000000000248000-memory.dmp family_blackmoon behavioral1/memory/2600-261-0x0000000000220000-0x0000000000248000-memory.dmp family_blackmoon behavioral1/memory/1816-270-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon 
behavioral1/memory/540-314-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral1/memory/308-327-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral1/memory/2744-347-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral1/memory/692-355-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral1/memory/2940-377-0x0000000000220000-0x0000000000248000-memory.dmp family_blackmoon behavioral1/memory/288-409-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral1/memory/856-430-0x0000000000430000-0x0000000000458000-memory.dmp family_blackmoon behavioral1/memory/2036-450-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral1/memory/856-453-0x0000000000430000-0x0000000000458000-memory.dmp family_blackmoon behavioral1/memory/2532-476-0x0000000000220000-0x0000000000248000-memory.dmp family_blackmoon behavioral1/memory/2092-483-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral1/memory/356-490-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral1/memory/1984-497-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral1/memory/1596-586-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral1/memory/2460-620-0x0000000000220000-0x0000000000248000-memory.dmp family_blackmoon behavioral1/memory/2772-631-0x0000000000220000-0x0000000000248000-memory.dmp family_blackmoon behavioral1/memory/2252-668-0x00000000001C0000-0x00000000001E8000-memory.dmp family_blackmoon behavioral1/memory/856-707-0x0000000000220000-0x0000000000248000-memory.dmp family_blackmoon behavioral1/memory/384-714-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral1/memory/2332-749-0x00000000002D0000-0x00000000002F8000-memory.dmp family_blackmoon behavioral1/memory/572-809-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon 
behavioral1/memory/1656-834-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral1/memory/2380-857-0x0000000000220000-0x0000000000248000-memory.dmp family_blackmoon behavioral1/memory/2380-861-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral1/memory/1340-1016-0x00000000001B0000-0x00000000001D8000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2400 dvjjd.exe 2500 llxrrxr.exe 1160 3ddjv.exe 2908 xrlffff.exe 692 jvjvd.exe 2844 hbtthh.exe 488 djpvp.exe 2800 rfxxxrr.exe 2756 9bbnhh.exe 2620 lrflxlx.exe 2452 nttnbh.exe 2284 xlxxfxf.exe 2960 thbtbt.exe 1724 dvjjv.exe 1568 xfxrllr.exe 384 ddjdd.exe 2348 xxrlllr.exe 2328 thhhtt.exe 1428 jjpjj.exe 2532 hhnntb.exe 1980 ddpvj.exe 1808 fffrxlf.exe 912 nnbhht.exe 1792 vdvjv.exe 1936 ffxlxrl.exe 920 ntbtnb.exe 1556 vjvpd.exe 2600 1bthth.exe 1816 nbnhnn.exe 3056 xxrflxx.exe 1732 ttbhtb.exe 1496 djjvv.exe 1708 frlxfrx.exe 1688 1bhtbh.exe 540 pvpdp.exe 2460 llflxxr.exe 308 llfllrr.exe 2488 nbnttn.exe 1312 pppjd.exe 2744 ppjjv.exe 692 rxfrlxr.exe 2740 hbnnbh.exe 2872 jppjd.exe 2940 lllffxr.exe 2672 lfxxlfr.exe 2648 nhttbb.exe 2176 vdpdv.exe 2016 xxlxllx.exe 288 tthtbn.exe 2972 bnnntn.exe 1724 7pvpv.exe 856 rffxlxx.exe 1616 hhtnbn.exe 860 7pdvv.exe 2036 3djdd.exe 2052 9ffrfrl.exe 2144 ntnbhh.exe 2164 pjjpp.exe 2532 rflrxlf.exe 2092 xlrrffl.exe 356 hbhbbb.exe 1984 jvdvd.exe 1508 xxxlxrl.exe 1908 hhtbnh.exe -
resource yara_rule behavioral1/memory/2400-11-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/1328-8-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/2500-19-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/1160-31-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/2500-27-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/1160-36-0x0000000000220000-0x0000000000248000-memory.dmp upx behavioral1/memory/2908-47-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/2844-61-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/692-59-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/488-71-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/2800-78-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/2756-96-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/2452-114-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/2284-122-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/384-155-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/2348-166-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/1428-183-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/1980-200-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/1808-209-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/1792-226-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/920-236-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/1816-270-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/540-314-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/308-327-0x0000000000400000-0x0000000000428000-memory.dmp upx 
behavioral1/memory/2488-328-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/2744-347-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/692-355-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/2872-363-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/2016-396-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/288-409-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/2972-410-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/856-423-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/860-437-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/2036-450-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/2092-483-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/356-490-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/1984-497-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/2592-530-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/1644-556-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/1596-579-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/1596-586-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/2460-593-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/1724-693-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/384-714-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/1140-742-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/936-782-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/572-809-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/1656-834-0x0000000000400000-0x0000000000428000-memory.dmp upx 
behavioral1/memory/2904-847-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/2380-861-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/860-991-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/1984-1037-0x0000000000400000-0x0000000000428000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host (by reading the NLS\Language registry key) in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrrrffr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vddvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvjpp.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thhtbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvjpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlfrrxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xflflff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process 
not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3fxxrxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvdvd.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1328 wrote to memory of 2400 1328 69b924916b98d3d0655e140e85c194a27230aad33711664c214a073c3e5ce066N.exe 30 PID 1328 wrote to memory of 2400 1328 69b924916b98d3d0655e140e85c194a27230aad33711664c214a073c3e5ce066N.exe 30 PID 1328 wrote to memory of 2400 1328 69b924916b98d3d0655e140e85c194a27230aad33711664c214a073c3e5ce066N.exe 30 PID 1328 wrote to memory of 2400 1328 69b924916b98d3d0655e140e85c194a27230aad33711664c214a073c3e5ce066N.exe 30 PID 2400 wrote to memory of 2500 2400 dvjjd.exe 31 PID 2400 wrote to memory of 2500 2400 dvjjd.exe 31 PID 2400 wrote to memory of 2500 2400 dvjjd.exe 31 PID 2400 wrote to memory of 2500 2400 dvjjd.exe 31 PID 2500 wrote to memory of 1160 2500 llxrrxr.exe 32 PID 2500 wrote to memory of 1160 2500 llxrrxr.exe 32 PID 2500 wrote to memory of 1160 2500 llxrrxr.exe 32 PID 2500 wrote to memory of 1160 2500 llxrrxr.exe 32 PID 1160 wrote to memory of 2908 1160 3ddjv.exe 33 PID 1160 wrote to memory of 2908 1160 3ddjv.exe 33 PID 1160 wrote to memory of 2908 1160 3ddjv.exe 33 PID 1160 wrote to memory of 2908 1160 3ddjv.exe 33 PID 2908 wrote to memory of 692 2908 xrlffff.exe 34 PID 2908 wrote to memory of 692 2908 xrlffff.exe 34 PID 2908 wrote to memory of 692 2908 xrlffff.exe 34 PID 2908 wrote to memory of 692 2908 xrlffff.exe 34 PID 692 wrote to memory of 2844 692 jvjvd.exe 35 PID 692 wrote to memory of 2844 692 jvjvd.exe 35 PID 692 wrote to memory of 2844 692 jvjvd.exe 35 PID 692 wrote to memory of 2844 692 jvjvd.exe 35 PID 2844 wrote to memory of 488 2844 hbtthh.exe 36 PID 2844 wrote to memory of 488 2844 hbtthh.exe 36 PID 2844 wrote to memory of 488 2844 hbtthh.exe 36 PID 2844 wrote to memory of 488 2844 hbtthh.exe 36 PID 488 wrote to memory of 2800 488 djpvp.exe 37 PID 488 wrote to memory of 2800 488 djpvp.exe 37 PID 488 wrote to memory of 2800 488 djpvp.exe 37 PID 488 wrote to memory of 2800 488 djpvp.exe 37 PID 2800 wrote to memory of 2756 2800 rfxxxrr.exe 38 PID 2800 wrote to memory of 2756 2800 
rfxxxrr.exe 38 PID 2800 wrote to memory of 2756 2800 rfxxxrr.exe 38 PID 2800 wrote to memory of 2756 2800 rfxxxrr.exe 38 PID 2756 wrote to memory of 2620 2756 9bbnhh.exe 39 PID 2756 wrote to memory of 2620 2756 9bbnhh.exe 39 PID 2756 wrote to memory of 2620 2756 9bbnhh.exe 39 PID 2756 wrote to memory of 2620 2756 9bbnhh.exe 39 PID 2620 wrote to memory of 2452 2620 lrflxlx.exe 40 PID 2620 wrote to memory of 2452 2620 lrflxlx.exe 40 PID 2620 wrote to memory of 2452 2620 lrflxlx.exe 40 PID 2620 wrote to memory of 2452 2620 lrflxlx.exe 40 PID 2452 wrote to memory of 2284 2452 nttnbh.exe 41 PID 2452 wrote to memory of 2284 2452 nttnbh.exe 41 PID 2452 wrote to memory of 2284 2452 nttnbh.exe 41 PID 2452 wrote to memory of 2284 2452 nttnbh.exe 41 PID 2284 wrote to memory of 2960 2284 xlxxfxf.exe 42 PID 2284 wrote to memory of 2960 2284 xlxxfxf.exe 42 PID 2284 wrote to memory of 2960 2284 xlxxfxf.exe 42 PID 2284 wrote to memory of 2960 2284 xlxxfxf.exe 42 PID 2960 wrote to memory of 1724 2960 thbtbt.exe 43 PID 2960 wrote to memory of 1724 2960 thbtbt.exe 43 PID 2960 wrote to memory of 1724 2960 thbtbt.exe 43 PID 2960 wrote to memory of 1724 2960 thbtbt.exe 43 PID 1724 wrote to memory of 1568 1724 dvjjv.exe 44 PID 1724 wrote to memory of 1568 1724 dvjjv.exe 44 PID 1724 wrote to memory of 1568 1724 dvjjv.exe 44 PID 1724 wrote to memory of 1568 1724 dvjjv.exe 44 PID 1568 wrote to memory of 384 1568 xfxrllr.exe 45 PID 1568 wrote to memory of 384 1568 xfxrllr.exe 45 PID 1568 wrote to memory of 384 1568 xfxrllr.exe 45 PID 1568 wrote to memory of 384 1568 xfxrllr.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\69b924916b98d3d0655e140e85c194a27230aad33711664c214a073c3e5ce066N.exe"C:\Users\Admin\AppData\Local\Temp\69b924916b98d3d0655e140e85c194a27230aad33711664c214a073c3e5ce066N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1328 -
\??\c:\dvjjd.exec:\dvjjd.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2400 -
\??\c:\llxrrxr.exec:\llxrrxr.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2500 -
\??\c:\3ddjv.exec:\3ddjv.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1160 -
\??\c:\xrlffff.exec:\xrlffff.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2908 -
\??\c:\jvjvd.exec:\jvjvd.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:692 -
\??\c:\hbtthh.exec:\hbtthh.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2844 -
\??\c:\djpvp.exec:\djpvp.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:488 -
\??\c:\rfxxxrr.exec:\rfxxxrr.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2800 -
\??\c:\9bbnhh.exec:\9bbnhh.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2756 -
\??\c:\lrflxlx.exec:\lrflxlx.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2620 -
\??\c:\nttnbh.exec:\nttnbh.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2452 -
\??\c:\xlxxfxf.exec:\xlxxfxf.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2284 -
\??\c:\thbtbt.exec:\thbtbt.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2960 -
\??\c:\dvjjv.exec:\dvjjv.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1724 -
\??\c:\xfxrllr.exec:\xfxrllr.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1568 -
\??\c:\ddjdd.exec:\ddjdd.exe17⤵
- Executes dropped EXE
PID:384 -
\??\c:\xxrlllr.exec:\xxrlllr.exe18⤵
- Executes dropped EXE
PID:2348 -
\??\c:\thhhtt.exec:\thhhtt.exe19⤵
- Executes dropped EXE
PID:2328 -
\??\c:\jjpjj.exec:\jjpjj.exe20⤵
- Executes dropped EXE
PID:1428 -
\??\c:\hhnntb.exec:\hhnntb.exe21⤵
- Executes dropped EXE
PID:2532 -
\??\c:\ddpvj.exec:\ddpvj.exe22⤵
- Executes dropped EXE
PID:1980 -
\??\c:\fffrxlf.exec:\fffrxlf.exe23⤵
- Executes dropped EXE
PID:1808 -
\??\c:\nnbhht.exec:\nnbhht.exe24⤵
- Executes dropped EXE
PID:912 -
\??\c:\vdvjv.exec:\vdvjv.exe25⤵
- Executes dropped EXE
PID:1792 -
\??\c:\ffxlxrl.exec:\ffxlxrl.exe26⤵
- Executes dropped EXE
PID:1936 -
\??\c:\ntbtnb.exec:\ntbtnb.exe27⤵
- Executes dropped EXE
PID:920 -
\??\c:\vjvpd.exec:\vjvpd.exe28⤵
- Executes dropped EXE
PID:1556 -
\??\c:\1bthth.exec:\1bthth.exe29⤵
- Executes dropped EXE
PID:2600 -
\??\c:\nbnhnn.exec:\nbnhnn.exe30⤵
- Executes dropped EXE
PID:1816 -
\??\c:\xxrflxx.exec:\xxrflxx.exe31⤵
- Executes dropped EXE
PID:3056 -
\??\c:\ttbhtb.exec:\ttbhtb.exe32⤵
- Executes dropped EXE
PID:1732 -
\??\c:\djjvv.exec:\djjvv.exe33⤵
- Executes dropped EXE
PID:1496 -
\??\c:\frlxfrx.exec:\frlxfrx.exe34⤵
- Executes dropped EXE
PID:1708 -
\??\c:\1bhtbh.exec:\1bhtbh.exe35⤵
- Executes dropped EXE
PID:1688 -
\??\c:\pvpdp.exec:\pvpdp.exe36⤵
- Executes dropped EXE
PID:540 -
\??\c:\llflxxr.exec:\llflxxr.exe37⤵
- Executes dropped EXE
PID:2460 -
\??\c:\llfllrr.exec:\llfllrr.exe38⤵
- Executes dropped EXE
PID:308 -
\??\c:\nbnttn.exec:\nbnttn.exe39⤵
- Executes dropped EXE
PID:2488 -
\??\c:\pppjd.exec:\pppjd.exe40⤵
- Executes dropped EXE
PID:1312 -
\??\c:\ppjjv.exec:\ppjjv.exe41⤵
- Executes dropped EXE
PID:2744 -
\??\c:\rxfrlxr.exec:\rxfrlxr.exe42⤵
- Executes dropped EXE
PID:692 -
\??\c:\hbnnbh.exec:\hbnnbh.exe43⤵
- Executes dropped EXE
PID:2740 -
\??\c:\jppjd.exec:\jppjd.exe44⤵
- Executes dropped EXE
PID:2872 -
\??\c:\lllffxr.exec:\lllffxr.exe45⤵
- Executes dropped EXE
PID:2940 -
\??\c:\lfxxlfr.exec:\lfxxlfr.exe46⤵
- Executes dropped EXE
PID:2672 -
\??\c:\nhttbb.exec:\nhttbb.exe47⤵
- Executes dropped EXE
PID:2648 -
\??\c:\vdpdv.exec:\vdpdv.exe48⤵
- Executes dropped EXE
PID:2176 -
\??\c:\xxlxllx.exec:\xxlxllx.exe49⤵
- Executes dropped EXE
PID:2016 -
\??\c:\tthtbn.exec:\tthtbn.exe50⤵
- Executes dropped EXE
PID:288 -
\??\c:\bnnntn.exec:\bnnntn.exe51⤵
- Executes dropped EXE
PID:2972 -
\??\c:\7pvpv.exec:\7pvpv.exe52⤵
- Executes dropped EXE
PID:1724 -
\??\c:\rffxlxx.exec:\rffxlxx.exe53⤵
- Executes dropped EXE
PID:856 -
\??\c:\hhtnbn.exec:\hhtnbn.exe54⤵
- Executes dropped EXE
PID:1616 -
\??\c:\7pdvv.exec:\7pdvv.exe55⤵
- Executes dropped EXE
PID:860 -
\??\c:\3djdd.exec:\3djdd.exe56⤵
- Executes dropped EXE
PID:2036 -
\??\c:\9ffrfrl.exec:\9ffrfrl.exe57⤵
- Executes dropped EXE
PID:2052 -
\??\c:\ntnbhh.exec:\ntnbhh.exe58⤵
- Executes dropped EXE
PID:2144 -
\??\c:\pjjpp.exec:\pjjpp.exe59⤵
- Executes dropped EXE
PID:2164 -
\??\c:\rflrxlf.exec:\rflrxlf.exe60⤵
- Executes dropped EXE
PID:2532 -
\??\c:\xlrrffl.exec:\xlrrffl.exe61⤵
- Executes dropped EXE
PID:2092 -
\??\c:\hbhbbb.exec:\hbhbbb.exe62⤵
- Executes dropped EXE
PID:356 -
\??\c:\jvdvd.exec:\jvdvd.exe63⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1984 -
\??\c:\xxxlxrl.exec:\xxxlxrl.exe64⤵
- Executes dropped EXE
PID:1508 -
\??\c:\hhtbnh.exec:\hhtbnh.exe65⤵
- Executes dropped EXE
PID:1908 -
\??\c:\tbhhbb.exec:\tbhhbb.exe66⤵PID:2168
-
\??\c:\dvvdj.exec:\dvvdj.exe67⤵PID:920
-
\??\c:\llfxxrl.exec:\llfxxrl.exe68⤵PID:1768
-
\??\c:\frxfxlr.exec:\frxfxlr.exe69⤵PID:2592
-
\??\c:\ntnhnn.exec:\ntnhnn.exe70⤵PID:2360
-
\??\c:\dpjvp.exec:\dpjvp.exe71⤵PID:2180
-
\??\c:\vjdjp.exec:\vjdjp.exe72⤵PID:1648
-
\??\c:\ffrfrlx.exec:\ffrfrlx.exe73⤵PID:1644
-
\??\c:\nhtbhb.exec:\nhtbhb.exe74⤵PID:3016
-
\??\c:\9bbhnt.exec:\9bbhnt.exe75⤵PID:2356
-
\??\c:\jppjj.exec:\jppjj.exe76⤵PID:3012
-
\??\c:\rxlxffx.exec:\rxlxffx.exe77⤵PID:1596
-
\??\c:\xflxflf.exec:\xflxflf.exe78⤵PID:540
-
\??\c:\bnnhtn.exec:\bnnhtn.exe79⤵PID:2460
-
\??\c:\dddvd.exec:\dddvd.exe80⤵PID:308
-
\??\c:\lxlxffl.exec:\lxlxffl.exe81⤵PID:2256
-
\??\c:\7nhhtb.exec:\7nhhtb.exe82⤵PID:332
-
\??\c:\nnnhht.exec:\nnnhht.exe83⤵PID:2744
-
\??\c:\jpvdp.exec:\jpvdp.exe84⤵PID:2772
-
\??\c:\ffxxllx.exec:\ffxxllx.exe85⤵PID:2764
-
\??\c:\9hthht.exec:\9hthht.exe86⤵PID:2192
-
\??\c:\nntnht.exec:\nntnht.exe87⤵PID:2160
-
\??\c:\jpvpp.exec:\jpvpp.exe88⤵PID:2628
-
\??\c:\fxlxlrl.exec:\fxlxlrl.exe89⤵PID:2680
-
\??\c:\lfxfrlf.exec:\lfxfrlf.exe90⤵PID:2252
-
\??\c:\5nnhtb.exec:\5nnhtb.exe91⤵PID:1924
-
\??\c:\ppjjd.exec:\ppjjd.exe92⤵PID:2964
-
\??\c:\jjjdp.exec:\jjjdp.exe93⤵PID:2364
-
\??\c:\lrrfrfr.exec:\lrrfrfr.exe94⤵PID:2972
-
\??\c:\nnnbth.exec:\nnnbth.exe95⤵PID:1724
-
\??\c:\bbbtht.exec:\bbbtht.exe96⤵PID:856
-
\??\c:\dpdvd.exec:\dpdvd.exe97⤵PID:384
-
\??\c:\rfrllrr.exec:\rfrllrr.exe98⤵PID:860
-
\??\c:\9rfxflf.exec:\9rfxflf.exe99⤵PID:2332
-
\??\c:\nbnntt.exec:\nbnntt.exe100⤵PID:2076
-
\??\c:\jpjjd.exec:\jpjjd.exe101⤵PID:2144
-
\??\c:\lrxfrlf.exec:\lrxfrlf.exe102⤵PID:1140
-
\??\c:\xrxlxlx.exec:\xrxlxlx.exe103⤵PID:1580
-
\??\c:\nbbbht.exec:\nbbbht.exe104⤵PID:1472
-
\??\c:\3pvjj.exec:\3pvjj.exe105⤵PID:1264
-
\??\c:\flffrxr.exec:\flffrxr.exe106⤵PID:2276
-
\??\c:\rxlrffx.exec:\rxlrffx.exe107⤵PID:1508
-
\??\c:\bbbtbh.exec:\bbbtbh.exe108⤵PID:936
-
\??\c:\djvdp.exec:\djvdp.exe109⤵PID:792
-
\??\c:\dddjd.exec:\dddjd.exe110⤵PID:1244
-
\??\c:\lxxfllr.exec:\lxxfllr.exe111⤵PID:2220
-
\??\c:\9ttnht.exec:\9ttnht.exe112⤵PID:572
-
\??\c:\djjdd.exec:\djjdd.exe113⤵PID:992
-
\??\c:\xrfxrff.exec:\xrfxrff.exe114⤵PID:1500
-
\??\c:\frrflff.exec:\frrflff.exe115⤵PID:1656
-
\??\c:\ttbnht.exec:\ttbnht.exe116⤵PID:1496
-
\??\c:\vpvvv.exec:\vpvvv.exe117⤵PID:1564
-
\??\c:\fflfrxr.exec:\fflfrxr.exe118⤵PID:2904
-
\??\c:\9llflxl.exec:\9llflxl.exe119⤵PID:2380
-
\??\c:\nbhttn.exec:\nbhttn.exe120⤵PID:2520
-
\??\c:\dvpvp.exec:\dvpvp.exe121⤵PID:2264
-
\??\c:\xffllrl.exec:\xffllrl.exe122⤵PID:1252