Analysis
-
max time kernel
120s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
23-11-2024 06:26
Behavioral task
behavioral1
Sample
05e8e031d4f5fcf02c1c6a1f8f823d67271b3f36e3e091f147cd53c87ac015b1N.exe
Resource
win7-20240903-en
General
-
Target
05e8e031d4f5fcf02c1c6a1f8f823d67271b3f36e3e091f147cd53c87ac015b1N.exe
-
Size
283KB
-
MD5
5fa29f749455d87eaebdf09837c124a0
-
SHA1
9f5102b3280a473e0d2cbd004e801471d026511b
-
SHA256
05e8e031d4f5fcf02c1c6a1f8f823d67271b3f36e3e091f147cd53c87ac015b1
-
SHA512
f484bdb38c489286485e5f2749deb685e20c5eefcb91608b0d4074c5658a91f3c0c74aa4c6c25a8558fe47f1b2de52506c91f6b20b375c0e74669795210811c7
-
SSDEEP
6144:7cm4FmowdHoSoXSBcm4Vcm4FmowdHoSphra+cm4FMhraHcpOaKHpz:B4wFHoSoXW434wFHoS3eg4aeFaKHpz
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 54 IoCs
Processes:
resource yara_rule behavioral1/memory/2728-8-0x0000000000400000-0x000000000044D000-memory.dmp family_blackmoon behavioral1/memory/2580-19-0x0000000000400000-0x000000000044D000-memory.dmp family_blackmoon behavioral1/memory/2600-32-0x0000000000400000-0x000000000044D000-memory.dmp family_blackmoon behavioral1/memory/2604-54-0x0000000000400000-0x000000000044D000-memory.dmp family_blackmoon behavioral1/memory/2616-66-0x0000000000400000-0x000000000044D000-memory.dmp family_blackmoon behavioral1/memory/1120-86-0x0000000000400000-0x000000000044D000-memory.dmp family_blackmoon behavioral1/memory/1152-76-0x0000000000400000-0x000000000044D000-memory.dmp family_blackmoon behavioral1/memory/2488-109-0x0000000000400000-0x000000000044D000-memory.dmp family_blackmoon behavioral1/memory/2964-121-0x0000000000400000-0x000000000044D000-memory.dmp family_blackmoon behavioral1/memory/2640-133-0x0000000000400000-0x000000000044D000-memory.dmp family_blackmoon behavioral1/memory/1248-130-0x0000000000400000-0x000000000044D000-memory.dmp family_blackmoon behavioral1/memory/2408-146-0x0000000000400000-0x000000000044D000-memory.dmp family_blackmoon behavioral1/memory/2640-144-0x0000000000400000-0x000000000044D000-memory.dmp family_blackmoon behavioral1/memory/2640-141-0x0000000000400000-0x000000000044D000-memory.dmp family_blackmoon behavioral1/memory/1240-156-0x0000000000400000-0x000000000044D000-memory.dmp family_blackmoon behavioral1/memory/2408-155-0x0000000000400000-0x000000000044D000-memory.dmp family_blackmoon behavioral1/memory/2408-153-0x0000000000400000-0x000000000044D000-memory.dmp family_blackmoon behavioral1/memory/2264-98-0x0000000000400000-0x000000000044D000-memory.dmp family_blackmoon behavioral1/memory/2376-221-0x0000000000400000-0x000000000044D000-memory.dmp family_blackmoon behavioral1/memory/992-231-0x0000000000400000-0x000000000044D000-memory.dmp family_blackmoon behavioral1/memory/804-241-0x0000000000400000-0x000000000044D000-memory.dmp family_blackmoon 
behavioral1/memory/1936-252-0x0000000000400000-0x000000000044D000-memory.dmp family_blackmoon behavioral1/memory/624-262-0x0000000000400000-0x000000000044D000-memory.dmp family_blackmoon behavioral1/memory/624-257-0x00000000002A0000-0x00000000002ED000-memory.dmp family_blackmoon behavioral1/memory/3048-295-0x0000000000400000-0x000000000044D000-memory.dmp family_blackmoon behavioral1/memory/392-296-0x0000000000400000-0x000000000044D000-memory.dmp family_blackmoon behavioral1/memory/392-305-0x0000000000400000-0x000000000044D000-memory.dmp family_blackmoon behavioral1/memory/604-309-0x0000000000220000-0x000000000026D000-memory.dmp family_blackmoon behavioral1/memory/1008-314-0x0000000000400000-0x000000000044D000-memory.dmp family_blackmoon behavioral1/memory/1008-313-0x0000000000220000-0x000000000026D000-memory.dmp family_blackmoon behavioral1/memory/1008-312-0x0000000076C40000-0x0000000076D3A000-memory.dmp family_blackmoon behavioral1/memory/2092-323-0x0000000000220000-0x000000000026D000-memory.dmp family_blackmoon behavioral1/memory/2884-334-0x0000000000400000-0x000000000044D000-memory.dmp family_blackmoon behavioral1/memory/2092-322-0x0000000000400000-0x000000000044D000-memory.dmp family_blackmoon behavioral1/memory/672-378-0x0000000000400000-0x000000000044D000-memory.dmp family_blackmoon behavioral1/memory/3048-290-0x0000000000220000-0x000000000026D000-memory.dmp family_blackmoon behavioral1/memory/604-282-0x0000000000400000-0x000000000044D000-memory.dmp family_blackmoon behavioral1/memory/604-281-0x0000000000400000-0x000000000044D000-memory.dmp family_blackmoon behavioral1/memory/2516-274-0x0000000000400000-0x000000000044D000-memory.dmp family_blackmoon behavioral1/memory/2516-272-0x0000000000220000-0x000000000026D000-memory.dmp family_blackmoon behavioral1/memory/1788-207-0x0000000000400000-0x000000000044D000-memory.dmp family_blackmoon behavioral1/memory/2392-197-0x0000000000400000-0x000000000044D000-memory.dmp family_blackmoon 
behavioral1/memory/2140-186-0x0000000000400000-0x000000000044D000-memory.dmp family_blackmoon behavioral1/memory/2140-185-0x0000000000400000-0x000000000044D000-memory.dmp family_blackmoon behavioral1/memory/1704-176-0x0000000000400000-0x000000000044D000-memory.dmp family_blackmoon behavioral1/memory/1704-175-0x0000000000400000-0x000000000044D000-memory.dmp family_blackmoon behavioral1/memory/1240-164-0x0000000000400000-0x000000000044D000-memory.dmp family_blackmoon behavioral1/memory/2736-40-0x0000000000400000-0x000000000044D000-memory.dmp family_blackmoon behavioral1/memory/2872-446-0x0000000000400000-0x000000000044D000-memory.dmp family_blackmoon behavioral1/memory/1188-463-0x0000000000400000-0x000000000044D000-memory.dmp family_blackmoon behavioral1/memory/2940-490-0x0000000000400000-0x000000000044D000-memory.dmp family_blackmoon behavioral1/memory/2112-579-0x0000000000400000-0x000000000044D000-memory.dmp family_blackmoon behavioral1/memory/868-596-0x0000000000400000-0x000000000044D000-memory.dmp family_blackmoon behavioral1/memory/2296-612-0x0000000000400000-0x000000000044D000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
Processes:
bntbnn.exevpvjd.exepjddp.exe3jvdv.exellrrxlx.exetnnhhb.exe7frxflx.exebthnbb.exe3rrflrx.exexllxflx.exe7vjdd.exexxrrxxl.exefxlrfrx.exetnbhbb.exelfxxllx.exenhhthh.exe5httbb.exevvdpp.exebthbtt.exe1vppp.exelrffrrx.exelffrrxl.exejjvvp.exevjvpp.exe1thbhb.exepjvpj.exe3lxxxrx.exevddvv.exe7vdpj.exepdjjp.exe3xlllfr.exevvjvp.exe9vvvd.exe9frllrx.exethttth.exejvvvp.exe7djdj.exe3lfrfxl.exeffrrxlr.exenhbnnn.exevvjjp.exepjdpv.exerlxxxrr.exe3frlrrr.exehbthbh.exe9nhhnt.exe5dvdd.exexlxxrrr.exenbhhnn.exe9xrlxfl.exe7tbhhh.exetbthbh.exedpdvj.exenhhnhb.exejdddv.exexlfxfff.exe3rrlllr.exebntbbb.exe9pdvv.exejvdpv.exerflffrx.exetnnbnt.exebttbbh.exedjvjj.exepid Process 2580 bntbnn.exe 2600 vpvjd.exe 2736 pjddp.exe 2604 3jvdv.exe 2616 llrrxlx.exe 1152 tnnhhb.exe 1120 7frxflx.exe 2264 bthnbb.exe 2488 3rrflrx.exe 2964 xllxflx.exe 1248 7vjdd.exe 2640 xxrrxxl.exe 2408 fxlrfrx.exe 1240 tnbhbb.exe 1704 lfxxllx.exe 2140 nhhthh.exe 2392 5httbb.exe 1788 vvdpp.exe 2376 bthbtt.exe 992 1vppp.exe 804 lrffrrx.exe 1936 lffrrxl.exe 624 jjvvp.exe 2516 vjvpp.exe 604 1thbhb.exe 3048 pjvpj.exe 392 3lxxxrx.exe 1008 vddvv.exe 2884 7vdpj.exe 2600 pdjjp.exe 2816 3xlllfr.exe 3012 vvjvp.exe 672 9vvvd.exe 1852 9frllrx.exe 1120 thttth.exe 2264 jvvvp.exe 2960 7djdj.exe 2324 3lfrfxl.exe 2632 ffrrxlr.exe 2660 nhbnnn.exe 2872 vvjjp.exe 1420 pjdpv.exe 1188 rlxxxrr.exe 2060 3frlrrr.exe 1704 hbthbh.exe 2940 9nhhnt.exe 1688 5dvdd.exe 1364 xlxxrrr.exe 3064 nbhhnn.exe 2500 9xrlxfl.exe 992 7tbhhh.exe 1564 tbthbh.exe 1780 dpdvj.exe 596 nhhnhb.exe 2432 jdddv.exe 2112 xlfxfff.exe 1648 3rrlllr.exe 868 bntbbb.exe 2800 9pdvv.exe 2296 jvdpv.exe 2580 rflffrx.exe 2860 tnnbnt.exe 2744 bttbbh.exe 2576 djvjj.exe -
Processes:
resource yara_rule behavioral1/memory/2728-0-0x0000000000400000-0x000000000044D000-memory.dmp upx behavioral1/memory/2728-3-0x0000000000250000-0x000000000029D000-memory.dmp upx behavioral1/memory/2728-8-0x0000000000400000-0x000000000044D000-memory.dmp upx behavioral1/files/0x000b000000012259-10.dat upx behavioral1/memory/2580-12-0x0000000000400000-0x000000000044D000-memory.dmp upx behavioral1/memory/2728-7-0x0000000000400000-0x000000000044D000-memory.dmp upx behavioral1/memory/2600-21-0x0000000000400000-0x000000000044D000-memory.dmp upx behavioral1/files/0x0008000000015d75-20.dat upx behavioral1/memory/2580-19-0x0000000000400000-0x000000000044D000-memory.dmp upx behavioral1/memory/2600-25-0x0000000000220000-0x000000000026D000-memory.dmp upx behavioral1/memory/2600-32-0x0000000000400000-0x000000000044D000-memory.dmp upx behavioral1/files/0x0008000000015d7f-33.dat upx behavioral1/files/0x0008000000015dc3-44.dat upx behavioral1/memory/2604-47-0x0000000000220000-0x000000000026D000-memory.dmp upx behavioral1/files/0x0007000000015e47-56.dat upx behavioral1/memory/2616-55-0x0000000000400000-0x000000000044D000-memory.dmp upx behavioral1/memory/2604-54-0x0000000000400000-0x000000000044D000-memory.dmp upx behavioral1/memory/1152-67-0x0000000000400000-0x000000000044D000-memory.dmp upx behavioral1/files/0x0007000000015f1b-68.dat upx behavioral1/memory/2616-66-0x0000000000400000-0x000000000044D000-memory.dmp upx behavioral1/memory/1120-78-0x0000000000400000-0x000000000044D000-memory.dmp upx behavioral1/files/0x0007000000015f2a-77.dat upx behavioral1/memory/2264-87-0x0000000000400000-0x000000000044D000-memory.dmp upx behavioral1/files/0x00080000000160d5-85.dat upx behavioral1/memory/1152-76-0x0000000000400000-0x000000000044D000-memory.dmp upx behavioral1/memory/2264-91-0x0000000000220000-0x000000000026D000-memory.dmp upx behavioral1/memory/2964-110-0x0000000000400000-0x000000000044D000-memory.dmp upx behavioral1/memory/2488-109-0x0000000000400000-0x000000000044D000-memory.dmp 
upx behavioral1/files/0x000600000001903d-108.dat upx behavioral1/memory/2488-103-0x00000000001B0000-0x00000000001FD000-memory.dmp upx behavioral1/memory/1120-118-0x0000000000400000-0x000000000044D000-memory.dmp upx behavioral1/files/0x000500000001920f-123.dat upx behavioral1/memory/1248-122-0x0000000000400000-0x000000000044D000-memory.dmp upx behavioral1/memory/2964-121-0x0000000000400000-0x000000000044D000-memory.dmp upx behavioral1/files/0x0005000000019228-134.dat upx behavioral1/memory/2640-133-0x0000000000400000-0x000000000044D000-memory.dmp upx behavioral1/memory/1248-130-0x0000000000400000-0x000000000044D000-memory.dmp upx behavioral1/memory/2964-114-0x0000000000250000-0x000000000029D000-memory.dmp upx behavioral1/memory/2408-146-0x0000000000400000-0x000000000044D000-memory.dmp upx behavioral1/files/0x0005000000019234-145.dat upx behavioral1/memory/2408-149-0x0000000000220000-0x000000000026D000-memory.dmp upx behavioral1/memory/2640-144-0x0000000000400000-0x000000000044D000-memory.dmp upx behavioral1/memory/2640-141-0x0000000000400000-0x000000000044D000-memory.dmp upx behavioral1/memory/1240-156-0x0000000000400000-0x000000000044D000-memory.dmp upx behavioral1/memory/2408-155-0x0000000000400000-0x000000000044D000-memory.dmp upx behavioral1/files/0x0005000000019241-154.dat upx behavioral1/memory/2640-137-0x0000000001BB0000-0x0000000001BFD000-memory.dmp upx behavioral1/files/0x0006000000019030-100.dat upx behavioral1/memory/2488-99-0x0000000000400000-0x000000000044D000-memory.dmp upx behavioral1/memory/2264-98-0x0000000000400000-0x000000000044D000-memory.dmp upx behavioral1/memory/2140-178-0x0000000000400000-0x000000000044D000-memory.dmp upx behavioral1/files/0x0005000000019273-177.dat upx behavioral1/files/0x00050000000192f0-189.dat upx behavioral1/files/0x0031000000015d5c-200.dat upx behavioral1/files/0x000500000001932a-209.dat upx behavioral1/memory/2376-210-0x0000000000400000-0x000000000044D000-memory.dmp upx 
behavioral1/memory/992-222-0x0000000000400000-0x000000000044D000-memory.dmp upx behavioral1/files/0x000500000001933e-223.dat upx behavioral1/memory/2376-221-0x0000000000400000-0x000000000044D000-memory.dmp upx behavioral1/memory/2376-214-0x0000000000220000-0x000000000026D000-memory.dmp upx behavioral1/files/0x0005000000019346-233.dat upx behavioral1/memory/992-231-0x0000000000400000-0x000000000044D000-memory.dmp upx behavioral1/memory/992-230-0x0000000000400000-0x000000000044D000-memory.dmp upx behavioral1/memory/1936-243-0x0000000000400000-0x000000000044D000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
1rllxfl.exenhtbnn.exerlrlflr.exelxffrlr.exe9nhbbn.exenbntbn.exerxflrfx.exe3pppj.exebthntn.exerflffrx.exebtbhnh.exetbbtnn.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1rllxfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhtbnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlrlflr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxffrlr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9nhbbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbntbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxflrfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3pppj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bthntn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rflffrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btbhnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbbtnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
05e8e031d4f5fcf02c1c6a1f8f823d67271b3f36e3e091f147cd53c87ac015b1N.exebntbnn.exevpvjd.exepjddp.exe3jvdv.exellrrxlx.exetnnhhb.exe7frxflx.exebthnbb.exe3rrflrx.exexllxflx.exe7vjdd.exexxrrxxl.exefxlrfrx.exetnbhbb.exelfxxllx.exedescription pid Process procid_target PID 2728 wrote to memory of 2580 2728 05e8e031d4f5fcf02c1c6a1f8f823d67271b3f36e3e091f147cd53c87ac015b1N.exe 30 PID 2728 wrote to memory of 2580 2728 05e8e031d4f5fcf02c1c6a1f8f823d67271b3f36e3e091f147cd53c87ac015b1N.exe 30 PID 2728 wrote to memory of 2580 2728 05e8e031d4f5fcf02c1c6a1f8f823d67271b3f36e3e091f147cd53c87ac015b1N.exe 30 PID 2728 wrote to memory of 2580 2728 05e8e031d4f5fcf02c1c6a1f8f823d67271b3f36e3e091f147cd53c87ac015b1N.exe 30 PID 2580 wrote to memory of 2600 2580 bntbnn.exe 60 PID 2580 wrote to memory of 2600 2580 bntbnn.exe 60 PID 2580 wrote to memory of 2600 2580 bntbnn.exe 60 PID 2580 wrote to memory of 2600 2580 bntbnn.exe 60 PID 2600 wrote to memory of 2736 2600 vpvjd.exe 32 PID 2600 wrote to memory of 2736 2600 vpvjd.exe 32 PID 2600 wrote to memory of 2736 2600 vpvjd.exe 32 PID 2600 wrote to memory of 2736 2600 vpvjd.exe 32 PID 2736 wrote to memory of 2604 2736 pjddp.exe 33 PID 2736 wrote to memory of 2604 2736 pjddp.exe 33 PID 2736 wrote to memory of 2604 2736 pjddp.exe 33 PID 2736 wrote to memory of 2604 2736 pjddp.exe 33 PID 2604 wrote to memory of 2616 2604 3jvdv.exe 34 PID 2604 wrote to memory of 2616 2604 3jvdv.exe 34 PID 2604 wrote to memory of 2616 2604 3jvdv.exe 34 PID 2604 wrote to memory of 2616 2604 3jvdv.exe 34 PID 2616 wrote to memory of 1152 2616 llrrxlx.exe 35 PID 2616 wrote to memory of 1152 2616 llrrxlx.exe 35 PID 2616 wrote to memory of 1152 2616 llrrxlx.exe 35 PID 2616 wrote to memory of 1152 2616 llrrxlx.exe 35 PID 1152 wrote to memory of 1120 1152 tnnhhb.exe 65 PID 1152 wrote to memory of 1120 1152 tnnhhb.exe 65 PID 1152 wrote to memory of 1120 1152 tnnhhb.exe 65 PID 1152 wrote to memory of 1120 1152 tnnhhb.exe 65 PID 1120 wrote to memory of 2264 1120 7frxflx.exe 66 
PID 1120 wrote to memory of 2264 1120 7frxflx.exe 66 PID 1120 wrote to memory of 2264 1120 7frxflx.exe 66 PID 1120 wrote to memory of 2264 1120 7frxflx.exe 66 PID 2264 wrote to memory of 2488 2264 bthnbb.exe 38 PID 2264 wrote to memory of 2488 2264 bthnbb.exe 38 PID 2264 wrote to memory of 2488 2264 bthnbb.exe 38 PID 2264 wrote to memory of 2488 2264 bthnbb.exe 38 PID 2488 wrote to memory of 2964 2488 3rrflrx.exe 39 PID 2488 wrote to memory of 2964 2488 3rrflrx.exe 39 PID 2488 wrote to memory of 2964 2488 3rrflrx.exe 39 PID 2488 wrote to memory of 2964 2488 3rrflrx.exe 39 PID 2964 wrote to memory of 1248 2964 xllxflx.exe 40 PID 2964 wrote to memory of 1248 2964 xllxflx.exe 40 PID 2964 wrote to memory of 1248 2964 xllxflx.exe 40 PID 2964 wrote to memory of 1248 2964 xllxflx.exe 40 PID 1248 wrote to memory of 2640 1248 7vjdd.exe 41 PID 1248 wrote to memory of 2640 1248 7vjdd.exe 41 PID 1248 wrote to memory of 2640 1248 7vjdd.exe 41 PID 1248 wrote to memory of 2640 1248 7vjdd.exe 41 PID 2640 wrote to memory of 2408 2640 xxrrxxl.exe 42 PID 2640 wrote to memory of 2408 2640 xxrrxxl.exe 42 PID 2640 wrote to memory of 2408 2640 xxrrxxl.exe 42 PID 2640 wrote to memory of 2408 2640 xxrrxxl.exe 42 PID 2408 wrote to memory of 1240 2408 fxlrfrx.exe 43 PID 2408 wrote to memory of 1240 2408 fxlrfrx.exe 43 PID 2408 wrote to memory of 1240 2408 fxlrfrx.exe 43 PID 2408 wrote to memory of 1240 2408 fxlrfrx.exe 43 PID 1240 wrote to memory of 1704 1240 tnbhbb.exe 75 PID 1240 wrote to memory of 1704 1240 tnbhbb.exe 75 PID 1240 wrote to memory of 1704 1240 tnbhbb.exe 75 PID 1240 wrote to memory of 1704 1240 tnbhbb.exe 75 PID 1704 wrote to memory of 2140 1704 lfxxllx.exe 45 PID 1704 wrote to memory of 2140 1704 lfxxllx.exe 45 PID 1704 wrote to memory of 2140 1704 lfxxllx.exe 45 PID 1704 wrote to memory of 2140 1704 lfxxllx.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\05e8e031d4f5fcf02c1c6a1f8f823d67271b3f36e3e091f147cd53c87ac015b1N.exe"C:\Users\Admin\AppData\Local\Temp\05e8e031d4f5fcf02c1c6a1f8f823d67271b3f36e3e091f147cd53c87ac015b1N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2728 -
\??\c:\bntbnn.exec:\bntbnn.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2580 -
\??\c:\vpvjd.exec:\vpvjd.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2600 -
\??\c:\pjddp.exec:\pjddp.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2736 -
\??\c:\3jvdv.exec:\3jvdv.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2604 -
\??\c:\llrrxlx.exec:\llrrxlx.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2616 -
\??\c:\tnnhhb.exec:\tnnhhb.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1152 -
\??\c:\7frxflx.exec:\7frxflx.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1120 -
\??\c:\bthnbb.exec:\bthnbb.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2264 -
\??\c:\3rrflrx.exec:\3rrflrx.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2488 -
\??\c:\xllxflx.exec:\xllxflx.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2964 -
\??\c:\7vjdd.exec:\7vjdd.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1248 -
\??\c:\xxrrxxl.exec:\xxrrxxl.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2640 -
\??\c:\fxlrfrx.exec:\fxlrfrx.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2408 -
\??\c:\tnbhbb.exec:\tnbhbb.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1240 -
\??\c:\lfxxllx.exec:\lfxxllx.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1704 -
\??\c:\nhhthh.exec:\nhhthh.exe17⤵
- Executes dropped EXE
PID:2140 -
\??\c:\5httbb.exec:\5httbb.exe18⤵
- Executes dropped EXE
PID:2392 -
\??\c:\vvdpp.exec:\vvdpp.exe19⤵
- Executes dropped EXE
PID:1788 -
\??\c:\bthbtt.exec:\bthbtt.exe20⤵
- Executes dropped EXE
PID:2376 -
\??\c:\1vppp.exec:\1vppp.exe21⤵
- Executes dropped EXE
PID:992 -
\??\c:\lrffrrx.exec:\lrffrrx.exe22⤵
- Executes dropped EXE
PID:804 -
\??\c:\lffrrxl.exec:\lffrrxl.exe23⤵
- Executes dropped EXE
PID:1936 -
\??\c:\jjvvp.exec:\jjvvp.exe24⤵
- Executes dropped EXE
PID:624 -
\??\c:\vjvpp.exec:\vjvpp.exe25⤵
- Executes dropped EXE
PID:2516 -
\??\c:\1thbhb.exec:\1thbhb.exe26⤵
- Executes dropped EXE
PID:604 -
\??\c:\pjvpj.exec:\pjvpj.exe27⤵
- Executes dropped EXE
PID:3048 -
\??\c:\3lxxxrx.exec:\3lxxxrx.exe28⤵
- Executes dropped EXE
PID:392 -
\??\c:\vddvv.exec:\vddvv.exe29⤵
- Executes dropped EXE
PID:1008 -
\??\c:\nhntbb.exec:\nhntbb.exe30⤵PID:2092
-
\??\c:\7vdpj.exec:\7vdpj.exe31⤵
- Executes dropped EXE
PID:2884 -
\??\c:\pdjjp.exec:\pdjjp.exe32⤵
- Executes dropped EXE
PID:2600 -
\??\c:\3xlllfr.exec:\3xlllfr.exe33⤵
- Executes dropped EXE
PID:2816 -
\??\c:\vvjvp.exec:\vvjvp.exe34⤵
- Executes dropped EXE
PID:3012 -
\??\c:\9vvvd.exec:\9vvvd.exe35⤵
- Executes dropped EXE
PID:672 -
\??\c:\9frllrx.exec:\9frllrx.exe36⤵
- Executes dropped EXE
PID:1852 -
\??\c:\thttth.exec:\thttth.exe37⤵
- Executes dropped EXE
PID:1120 -
\??\c:\jvvvp.exec:\jvvvp.exe38⤵
- Executes dropped EXE
PID:2264 -
\??\c:\7djdj.exec:\7djdj.exe39⤵
- Executes dropped EXE
PID:2960 -
\??\c:\3lfrfxl.exec:\3lfrfxl.exe40⤵
- Executes dropped EXE
PID:2324 -
\??\c:\ffrrxlr.exec:\ffrrxlr.exe41⤵
- Executes dropped EXE
PID:2632 -
\??\c:\nhbnnn.exec:\nhbnnn.exe42⤵
- Executes dropped EXE
PID:2660 -
\??\c:\vvjjp.exec:\vvjjp.exe43⤵
- Executes dropped EXE
PID:2872 -
\??\c:\pjdpv.exec:\pjdpv.exe44⤵
- Executes dropped EXE
PID:1420 -
\??\c:\rlxxxrr.exec:\rlxxxrr.exe45⤵
- Executes dropped EXE
PID:1188 -
\??\c:\3frlrrr.exec:\3frlrrr.exe46⤵
- Executes dropped EXE
PID:2060 -
\??\c:\hbthbh.exec:\hbthbh.exe47⤵
- Executes dropped EXE
PID:1704 -
\??\c:\9nhhnt.exec:\9nhhnt.exe48⤵
- Executes dropped EXE
PID:2940 -
\??\c:\5dvdd.exec:\5dvdd.exe49⤵
- Executes dropped EXE
PID:1688 -
\??\c:\xlxxrrr.exec:\xlxxrrr.exe50⤵
- Executes dropped EXE
PID:1364 -
\??\c:\nbhhnn.exec:\nbhhnn.exe51⤵
- Executes dropped EXE
PID:3064 -
\??\c:\9xrlxfl.exec:\9xrlxfl.exe52⤵
- Executes dropped EXE
PID:2500 -
\??\c:\7tbhhh.exec:\7tbhhh.exe53⤵
- Executes dropped EXE
PID:992 -
\??\c:\tbthbh.exec:\tbthbh.exe54⤵
- Executes dropped EXE
PID:1564 -
\??\c:\dpdvj.exec:\dpdvj.exe55⤵
- Executes dropped EXE
PID:1780 -
\??\c:\nhhnhb.exec:\nhhnhb.exe56⤵
- Executes dropped EXE
PID:596 -
\??\c:\jdddv.exec:\jdddv.exe57⤵
- Executes dropped EXE
PID:2432 -
\??\c:\xlfxfff.exec:\xlfxfff.exe58⤵
- Executes dropped EXE
PID:2112 -
\??\c:\3rrlllr.exec:\3rrlllr.exe59⤵
- Executes dropped EXE
PID:1648 -
\??\c:\bntbbb.exec:\bntbbb.exe60⤵
- Executes dropped EXE
PID:868 -
\??\c:\9pdvv.exec:\9pdvv.exe61⤵
- Executes dropped EXE
PID:2800 -
\??\c:\jvdpv.exec:\jvdpv.exe62⤵
- Executes dropped EXE
PID:2296 -
\??\c:\rflffrx.exec:\rflffrx.exe63⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2580 -
\??\c:\tnnbnt.exec:\tnnbnt.exe64⤵
- Executes dropped EXE
PID:2860 -
\??\c:\bttbbh.exec:\bttbbh.exe65⤵
- Executes dropped EXE
PID:2744 -
\??\c:\djvjj.exec:\djvjj.exe66⤵
- Executes dropped EXE
PID:2576 -
\??\c:\lfxrxfx.exec:\lfxrxfx.exe67⤵PID:2816
-
\??\c:\9frxxxx.exec:\9frxxxx.exe68⤵PID:800
-
\??\c:\nbbbhh.exec:\nbbbhh.exe69⤵PID:776
-
\??\c:\dvjdp.exec:\dvjdp.exe70⤵PID:1260
-
\??\c:\jdppj.exec:\jdppj.exe71⤵PID:1096
-
\??\c:\xlrlrlr.exec:\xlrlrlr.exe72⤵PID:2052
-
\??\c:\nbhhhh.exec:\nbhhhh.exe73⤵PID:2488
-
\??\c:\bnbnbt.exec:\bnbnbt.exe74⤵PID:2260
-
\??\c:\5pvvv.exec:\5pvvv.exe75⤵PID:2404
-
\??\c:\pdvdd.exec:\pdvdd.exe76⤵PID:2632
-
\??\c:\1xrrrrr.exec:\1xrrrrr.exe77⤵PID:2804
-
\??\c:\frrrrrr.exec:\frrrrrr.exe78⤵PID:2872
-
\??\c:\bhtnnh.exec:\bhtnnh.exe79⤵PID:2848
-
\??\c:\vvvvv.exec:\vvvvv.exe80⤵PID:2952
-
\??\c:\jvvpv.exec:\jvvpv.exe81⤵PID:1264
-
\??\c:\rrrrxxr.exec:\rrrrxxr.exe82⤵PID:1704
-
\??\c:\3xfllff.exec:\3xfllff.exe83⤵PID:2236
-
\??\c:\nbntbt.exec:\nbntbt.exe84⤵PID:1688
-
\??\c:\dvddd.exec:\dvddd.exe85⤵PID:2004
-
\??\c:\7pjvj.exec:\7pjvj.exe86⤵PID:2528
-
\??\c:\xrllllr.exec:\xrllllr.exe87⤵PID:2808
-
\??\c:\xxffrrr.exec:\xxffrrr.exe88⤵PID:804
-
\??\c:\hhttbt.exec:\hhttbt.exe89⤵PID:1636
-
\??\c:\ppjdj.exec:\ppjdj.exe90⤵PID:1664
-
\??\c:\7rxlfxf.exec:\7rxlfxf.exe91⤵PID:760
-
\??\c:\rlrxflr.exec:\rlrxflr.exe92⤵PID:896
-
\??\c:\htbbbb.exec:\htbbbb.exe93⤵PID:1908
-
\??\c:\1vddj.exec:\1vddj.exe94⤵PID:340
-
\??\c:\vpdjd.exec:\vpdjd.exe95⤵PID:2820
-
\??\c:\frxllll.exec:\frxllll.exe96⤵PID:1512
-
\??\c:\frxxxrx.exec:\frxxxrx.exe97⤵PID:2448
-
\??\c:\bntbbb.exec:\bntbbb.exe98⤵PID:2092
-
\??\c:\nbtnhh.exec:\nbtnhh.exe99⤵PID:2860
-
\??\c:\djddd.exec:\djddd.exe100⤵PID:2628
-
\??\c:\pjvvp.exec:\pjvvp.exe101⤵PID:2568
-
\??\c:\1fxrxxx.exec:\1fxrxxx.exe102⤵PID:2592
-
\??\c:\lfxxfxf.exec:\lfxxfxf.exe103⤵PID:1184
-
\??\c:\tthhnn.exec:\tthhnn.exe104⤵PID:672
-
\??\c:\jvjdd.exec:\jvjdd.exe105⤵PID:1852
-
\??\c:\pdvvd.exec:\pdvvd.exe106⤵PID:2180
-
\??\c:\fxfxfff.exec:\fxfxfff.exe107⤵PID:2672
-
\??\c:\hbnhtt.exec:\hbnhtt.exe108⤵PID:1992
-
\??\c:\bthbth.exec:\bthbth.exe109⤵PID:2488
-
\??\c:\jvdpd.exec:\jvdpd.exe110⤵PID:2028
-
\??\c:\pjpdj.exec:\pjpdj.exe111⤵PID:2888
-
\??\c:\9lfrxfr.exec:\9lfrxfr.exe112⤵PID:1340
-
\??\c:\3tbtbb.exec:\3tbtbb.exe113⤵PID:1424
-
\??\c:\9tnhth.exec:\9tnhth.exe114⤵PID:1768
-
\??\c:\dppjv.exec:\dppjv.exe115⤵PID:1220
-
\??\c:\pjjpp.exec:\pjjpp.exe116⤵PID:2256
-
\??\c:\xlllrxf.exec:\xlllrxf.exe117⤵PID:2280
-
\??\c:\nhtbnn.exec:\nhtbnn.exe118⤵
- System Location Discovery: System Language Discovery
PID:2440 -
\??\c:\nbhhhb.exec:\nbhhhb.exe119⤵PID:1704
-
\??\c:\9pddv.exec:\9pddv.exe120⤵PID:2312
-
\??\c:\9pjdp.exec:\9pjdp.exe121⤵PID:984
-
\??\c:\ffflrlr.exec:\ffflrlr.exe122⤵PID:660
-