Analysis
-
max time kernel
150s -
max time network
117s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
19/12/2024, 00:11
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
9239bac235588057c11e6b6a5990867e3b77c65bbae1dc312b014a08fe4367bf.exe
Resource
win7-20240903-en
7 signatures
150 seconds
General
-
Target
9239bac235588057c11e6b6a5990867e3b77c65bbae1dc312b014a08fe4367bf.exe
-
Size
453KB
-
MD5
8a455a6a7bb854e7e369d5eb6ec931c5
-
SHA1
06f45e7a87c7436b4332601af212dd7cd7d4c746
-
SHA256
9239bac235588057c11e6b6a5990867e3b77c65bbae1dc312b014a08fe4367bf
-
SHA512
7c17fd0cce4f88854ea25251ec838c51616c4518b54e99265f27cef5ef7fdedeb6c9cf512efb08a502e756fa78232cb78f7f95400fd8aef3024251db603ff124
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbety:q7Tc2NYHUrAwfMp3CDty
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 46 IoCs
resource yara_rule behavioral1/memory/2312-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2444-16-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2756-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2860-26-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2928-46-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2628-55-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2720-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2672-74-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2460-85-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1196-95-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2304-105-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2572-114-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1280-122-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/1280-124-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2844-134-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1616-152-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2972-160-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2120-179-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2488-195-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1816-205-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2500-232-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/3024-242-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2100-276-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1888-285-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2176-293-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2984-302-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2892-315-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1596-328-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2664-373-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1784-393-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2144-406-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2044-483-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/740-509-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/1344-523-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2312-610-0x00000000002C0000-0x00000000002EA000-memory.dmp family_blackmoon behavioral1/memory/2312-611-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2732-630-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/2064-699-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/2132-739-0x0000000000230000-0x000000000025A000-memory.dmp family_blackmoon behavioral1/memory/2132-738-0x0000000000230000-0x000000000025A000-memory.dmp family_blackmoon behavioral1/memory/2452-746-0x00000000001C0000-0x00000000001EA000-memory.dmp family_blackmoon behavioral1/memory/2296-777-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2272-820-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3068-957-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1804-1048-0x00000000002A0000-0x00000000002CA000-memory.dmp family_blackmoon behavioral1/memory/2932-1238-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2444 lxxfrff.exe 2860 ntbnnh.exe 2756 fxxxfrl.exe 2928 btttbb.exe 2628 5vpvj.exe 2720 tbtttn.exe 2672 3vvpj.exe 2460 5hhnbn.exe 1196 pvvdp.exe 2304 ntthtt.exe 2572 pjddd.exe 1280 rrllfll.exe 2844 bhtbnn.exe 2508 xxlfflr.exe 1616 hnnhbt.exe 2972 rxlfllr.exe 356 bnbhtb.exe 2284 ppvdv.exe 2120 llfrflx.exe 2488 hbtbtb.exe 1816 9llxxlf.exe 1660 tntthh.exe 1244 1dpvp.exe 2500 xrlxflr.exe 3024 7jdjv.exe 1004 rfxxxrx.exe 1756 dppdv.exe 920 rxxfxlf.exe 2100 vpdvd.exe 1888 fxxfrxf.exe 2176 jdppj.exe 2984 tbnntn.exe 1284 1ffrllx.exe 2468 fffrllx.exe 2892 tnhtht.exe 1596 9jdpp.exe 2712 lllffff.exe 2740 ntnthh.exe 2820 tnhnth.exe 2968 djjpd.exe 2632 lflxxfl.exe 2908 nhhthn.exe 2664 1dppp.exe 2656 vvpvj.exe 1940 xlfllxx.exe 1784 bhbtth.exe 2208 dvdjj.exe 2144 rfrxfxr.exe 2848 hbbhnb.exe 1820 vdpvj.exe 2796 rrrfxfr.exe 2028 1lxxxfl.exe 2824 thttbt.exe 2132 pjvvd.exe 2452 rxrrrrr.exe 1476 7lrllll.exe 2972 1hnhhh.exe 1628 1djvj.exe 3004 xxrlrxl.exe 2560 xxrlxrf.exe 2044 3htttb.exe 2488 1ddjp.exe 2584 lxllxll.exe 740 3nbnbh.exe -
resource yara_rule behavioral1/memory/2312-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2444-16-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2756-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2860-26-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2628-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2928-46-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2628-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2720-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2672-74-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2460-85-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1196-95-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2304-105-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2572-114-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1280-124-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2844-134-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1616-152-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2972-160-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2120-179-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2488-195-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1816-205-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2500-232-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1004-243-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3024-242-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2100-276-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/1888-285-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2176-293-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2892-315-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1596-322-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2664-366-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2664-373-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1784-393-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2796-419-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3004-470-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2044-483-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/740-509-0x00000000001B0000-0x00000000001DA000-memory.dmp upx behavioral1/memory/320-524-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1524-531-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1344-523-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1752-551-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2176-582-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2312-611-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2064-699-0x0000000000320000-0x000000000034A000-memory.dmp upx behavioral1/memory/2296-777-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2272-820-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2528-827-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/332-864-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1800-878-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2744-929-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2172-948-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2444-1175-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2856-1213-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1316-1323-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/952-1379-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location. In this run the indicator is a read of the registry key \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by the dropped executables; on its own this is a weak signal, since legitimate software also queries this key, so weigh it together with the payload detections and the dropped-EXE chain above. Entries attributed to "Process not Found" are reads whose originating process could no longer be resolved by the sandbox (for example because it had already exited), so the per-process attribution is incomplete.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhthtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lllfrfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btttbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdvvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlfxffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnhnbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nthtnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1pjdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppdpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbtbhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvppp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9dpjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7hbbhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttthth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jppdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2312 wrote to memory of 2444 2312 9239bac235588057c11e6b6a5990867e3b77c65bbae1dc312b014a08fe4367bf.exe 30 PID 2312 wrote to memory of 2444 2312 9239bac235588057c11e6b6a5990867e3b77c65bbae1dc312b014a08fe4367bf.exe 30 PID 2312 wrote to memory of 2444 2312 9239bac235588057c11e6b6a5990867e3b77c65bbae1dc312b014a08fe4367bf.exe 30 PID 2312 wrote to memory of 2444 2312 9239bac235588057c11e6b6a5990867e3b77c65bbae1dc312b014a08fe4367bf.exe 30 PID 2444 wrote to memory of 2860 2444 lxxfrff.exe 31 PID 2444 wrote to memory of 2860 2444 lxxfrff.exe 31 PID 2444 wrote to memory of 2860 2444 lxxfrff.exe 31 PID 2444 wrote to memory of 2860 2444 lxxfrff.exe 31 PID 2860 wrote to memory of 2756 2860 ntbnnh.exe 32 PID 2860 wrote to memory of 2756 2860 ntbnnh.exe 32 PID 2860 wrote to memory of 2756 2860 ntbnnh.exe 32 PID 2860 wrote to memory of 2756 2860 ntbnnh.exe 32 PID 2756 wrote to memory of 2928 2756 fxxxfrl.exe 33 PID 2756 wrote to memory of 2928 2756 fxxxfrl.exe 33 PID 2756 wrote to memory of 2928 2756 fxxxfrl.exe 33 PID 2756 wrote to memory of 2928 2756 fxxxfrl.exe 33 PID 2928 wrote to memory of 2628 2928 btttbb.exe 34 PID 2928 wrote to memory of 2628 2928 btttbb.exe 34 PID 2928 wrote to memory of 2628 2928 btttbb.exe 34 PID 2928 wrote to memory of 2628 2928 btttbb.exe 34 PID 2628 wrote to memory of 2720 2628 5vpvj.exe 35 PID 2628 wrote to memory of 2720 2628 5vpvj.exe 35 PID 2628 wrote to memory of 2720 2628 5vpvj.exe 35 PID 2628 wrote to memory of 2720 2628 5vpvj.exe 35 PID 2720 wrote to memory of 2672 2720 tbtttn.exe 36 PID 2720 wrote to memory of 2672 2720 tbtttn.exe 36 PID 2720 wrote to memory of 2672 2720 tbtttn.exe 36 PID 2720 wrote to memory of 2672 2720 tbtttn.exe 36 PID 2672 wrote to memory of 2460 2672 3vvpj.exe 37 PID 2672 wrote to memory of 2460 2672 3vvpj.exe 37 PID 2672 wrote to memory of 2460 2672 3vvpj.exe 37 PID 2672 wrote to memory of 2460 2672 3vvpj.exe 37 PID 2460 wrote to memory of 1196 2460 5hhnbn.exe 38 PID 2460 
wrote to memory of 1196 2460 5hhnbn.exe 38 PID 2460 wrote to memory of 1196 2460 5hhnbn.exe 38 PID 2460 wrote to memory of 1196 2460 5hhnbn.exe 38 PID 1196 wrote to memory of 2304 1196 pvvdp.exe 39 PID 1196 wrote to memory of 2304 1196 pvvdp.exe 39 PID 1196 wrote to memory of 2304 1196 pvvdp.exe 39 PID 1196 wrote to memory of 2304 1196 pvvdp.exe 39 PID 2304 wrote to memory of 2572 2304 ntthtt.exe 40 PID 2304 wrote to memory of 2572 2304 ntthtt.exe 40 PID 2304 wrote to memory of 2572 2304 ntthtt.exe 40 PID 2304 wrote to memory of 2572 2304 ntthtt.exe 40 PID 2572 wrote to memory of 1280 2572 pjddd.exe 41 PID 2572 wrote to memory of 1280 2572 pjddd.exe 41 PID 2572 wrote to memory of 1280 2572 pjddd.exe 41 PID 2572 wrote to memory of 1280 2572 pjddd.exe 41 PID 1280 wrote to memory of 2844 1280 rrllfll.exe 42 PID 1280 wrote to memory of 2844 1280 rrllfll.exe 42 PID 1280 wrote to memory of 2844 1280 rrllfll.exe 42 PID 1280 wrote to memory of 2844 1280 rrllfll.exe 42 PID 2844 wrote to memory of 2508 2844 bhtbnn.exe 43 PID 2844 wrote to memory of 2508 2844 bhtbnn.exe 43 PID 2844 wrote to memory of 2508 2844 bhtbnn.exe 43 PID 2844 wrote to memory of 2508 2844 bhtbnn.exe 43 PID 2508 wrote to memory of 1616 2508 xxlfflr.exe 44 PID 2508 wrote to memory of 1616 2508 xxlfflr.exe 44 PID 2508 wrote to memory of 1616 2508 xxlfflr.exe 44 PID 2508 wrote to memory of 1616 2508 xxlfflr.exe 44 PID 1616 wrote to memory of 2972 1616 hnnhbt.exe 45 PID 1616 wrote to memory of 2972 1616 hnnhbt.exe 45 PID 1616 wrote to memory of 2972 1616 hnnhbt.exe 45 PID 1616 wrote to memory of 2972 1616 hnnhbt.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\9239bac235588057c11e6b6a5990867e3b77c65bbae1dc312b014a08fe4367bf.exe"C:\Users\Admin\AppData\Local\Temp\9239bac235588057c11e6b6a5990867e3b77c65bbae1dc312b014a08fe4367bf.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2312 -
\??\c:\lxxfrff.exec:\lxxfrff.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2444 -
\??\c:\ntbnnh.exec:\ntbnnh.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2860 -
\??\c:\fxxxfrl.exec:\fxxxfrl.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2756 -
\??\c:\btttbb.exec:\btttbb.exe5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2928 -
\??\c:\5vpvj.exec:\5vpvj.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2628 -
\??\c:\tbtttn.exec:\tbtttn.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2720 -
\??\c:\3vvpj.exec:\3vvpj.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2672 -
\??\c:\5hhnbn.exec:\5hhnbn.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2460 -
\??\c:\pvvdp.exec:\pvvdp.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1196 -
\??\c:\ntthtt.exec:\ntthtt.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2304 -
\??\c:\pjddd.exec:\pjddd.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2572 -
\??\c:\rrllfll.exec:\rrllfll.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1280 -
\??\c:\bhtbnn.exec:\bhtbnn.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2844 -
\??\c:\xxlfflr.exec:\xxlfflr.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2508 -
\??\c:\hnnhbt.exec:\hnnhbt.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1616 -
\??\c:\rxlfllr.exec:\rxlfllr.exe17⤵
- Executes dropped EXE
PID:2972 -
\??\c:\bnbhtb.exec:\bnbhtb.exe18⤵
- Executes dropped EXE
PID:356 -
\??\c:\ppvdv.exec:\ppvdv.exe19⤵
- Executes dropped EXE
PID:2284 -
\??\c:\llfrflx.exec:\llfrflx.exe20⤵
- Executes dropped EXE
PID:2120 -
\??\c:\hbtbtb.exec:\hbtbtb.exe21⤵
- Executes dropped EXE
PID:2488 -
\??\c:\9llxxlf.exec:\9llxxlf.exe22⤵
- Executes dropped EXE
PID:1816 -
\??\c:\tntthh.exec:\tntthh.exe23⤵
- Executes dropped EXE
PID:1660 -
\??\c:\1dpvp.exec:\1dpvp.exe24⤵
- Executes dropped EXE
PID:1244 -
\??\c:\xrlxflr.exec:\xrlxflr.exe25⤵
- Executes dropped EXE
PID:2500 -
\??\c:\7jdjv.exec:\7jdjv.exe26⤵
- Executes dropped EXE
PID:3024 -
\??\c:\rfxxxrx.exec:\rfxxxrx.exe27⤵
- Executes dropped EXE
PID:1004 -
\??\c:\dppdv.exec:\dppdv.exe28⤵
- Executes dropped EXE
PID:1756 -
\??\c:\rxxfxlf.exec:\rxxfxlf.exe29⤵
- Executes dropped EXE
PID:920 -
\??\c:\vpdvd.exec:\vpdvd.exe30⤵
- Executes dropped EXE
PID:2100 -
\??\c:\fxxfrxf.exec:\fxxfrxf.exe31⤵
- Executes dropped EXE
PID:1888 -
\??\c:\jdppj.exec:\jdppj.exe32⤵
- Executes dropped EXE
PID:2176 -
\??\c:\tbnntn.exec:\tbnntn.exe33⤵
- Executes dropped EXE
PID:2984 -
\??\c:\1ffrllx.exec:\1ffrllx.exe34⤵
- Executes dropped EXE
PID:1284 -
\??\c:\fffrllx.exec:\fffrllx.exe35⤵
- Executes dropped EXE
PID:2468 -
\??\c:\tnhtht.exec:\tnhtht.exe36⤵
- Executes dropped EXE
PID:2892 -
\??\c:\9jdpp.exec:\9jdpp.exe37⤵
- Executes dropped EXE
PID:1596 -
\??\c:\lllffff.exec:\lllffff.exe38⤵
- Executes dropped EXE
PID:2712 -
\??\c:\ntnthh.exec:\ntnthh.exe39⤵
- Executes dropped EXE
PID:2740 -
\??\c:\tnhnth.exec:\tnhnth.exe40⤵
- Executes dropped EXE
PID:2820 -
\??\c:\djjpd.exec:\djjpd.exe41⤵
- Executes dropped EXE
PID:2968 -
\??\c:\lflxxfl.exec:\lflxxfl.exe42⤵
- Executes dropped EXE
PID:2632 -
\??\c:\nhhthn.exec:\nhhthn.exe43⤵
- Executes dropped EXE
PID:2908 -
\??\c:\1dppp.exec:\1dppp.exe44⤵
- Executes dropped EXE
PID:2664 -
\??\c:\vvpvj.exec:\vvpvj.exe45⤵
- Executes dropped EXE
PID:2656 -
\??\c:\xlfllxx.exec:\xlfllxx.exe46⤵
- Executes dropped EXE
PID:1940 -
\??\c:\bhbtth.exec:\bhbtth.exe47⤵
- Executes dropped EXE
PID:1784 -
\??\c:\dvdjj.exec:\dvdjj.exe48⤵
- Executes dropped EXE
PID:2208 -
\??\c:\rfrxfxr.exec:\rfrxfxr.exe49⤵
- Executes dropped EXE
PID:2144 -
\??\c:\hbbhnb.exec:\hbbhnb.exe50⤵
- Executes dropped EXE
PID:2848 -
\??\c:\vdpvj.exec:\vdpvj.exe51⤵
- Executes dropped EXE
PID:1820 -
\??\c:\rrrfxfr.exec:\rrrfxfr.exe52⤵
- Executes dropped EXE
PID:2796 -
\??\c:\1lxxxfl.exec:\1lxxxfl.exe53⤵
- Executes dropped EXE
PID:2028 -
\??\c:\thttbt.exec:\thttbt.exe54⤵
- Executes dropped EXE
PID:2824 -
\??\c:\pjvvd.exec:\pjvvd.exe55⤵
- Executes dropped EXE
PID:2132 -
\??\c:\rxrrrrr.exec:\rxrrrrr.exe56⤵
- Executes dropped EXE
PID:2452 -
\??\c:\7lrllll.exec:\7lrllll.exe57⤵
- Executes dropped EXE
PID:1476 -
\??\c:\1hnhhh.exec:\1hnhhh.exe58⤵
- Executes dropped EXE
PID:2972 -
\??\c:\1djvj.exec:\1djvj.exe59⤵
- Executes dropped EXE
PID:1628 -
\??\c:\xxrlrxl.exec:\xxrlrxl.exe60⤵
- Executes dropped EXE
PID:3004 -
\??\c:\xxrlxrf.exec:\xxrlxrf.exe61⤵
- Executes dropped EXE
PID:2560 -
\??\c:\3htttb.exec:\3htttb.exe62⤵
- Executes dropped EXE
PID:2044 -
\??\c:\1ddjp.exec:\1ddjp.exe63⤵
- Executes dropped EXE
PID:2488 -
\??\c:\lxllxll.exec:\lxllxll.exe64⤵
- Executes dropped EXE
PID:2584 -
\??\c:\3nbnbh.exec:\3nbnbh.exe65⤵
- Executes dropped EXE
PID:740 -
\??\c:\nbttht.exec:\nbttht.exe66⤵PID:2336
-
\??\c:\vpjjv.exec:\vpjjv.exe67⤵PID:1344
-
\??\c:\xlfrrxl.exec:\xlfrrxl.exe68⤵PID:320
-
\??\c:\bhbhth.exec:\bhbhth.exe69⤵PID:1524
-
\??\c:\pdpdj.exec:\pdpdj.exe70⤵PID:1336
-
\??\c:\ddvvd.exec:\ddvvd.exe71⤵PID:1004
-
\??\c:\ffxflxf.exec:\ffxflxf.exe72⤵PID:1752
-
\??\c:\thhhnn.exec:\thhhnn.exe73⤵PID:2088
-
\??\c:\vjjjv.exec:\vjjjv.exe74⤵PID:2936
-
\??\c:\vpvpp.exec:\vpvpp.exe75⤵PID:3020
-
\??\c:\3xrxxxf.exec:\3xrxxxf.exe76⤵PID:680
-
\??\c:\hhbtnt.exec:\hhbtnt.exe77⤵PID:2176
-
\??\c:\pvvpp.exec:\pvvpp.exe78⤵PID:2400
-
\??\c:\jpjjv.exec:\jpjjv.exe79⤵PID:2388
-
\??\c:\1fxfrxr.exec:\1fxfrxr.exe80⤵PID:2736
-
\??\c:\thtbhn.exec:\thtbhn.exe81⤵PID:2312
-
\??\c:\5djpv.exec:\5djpv.exe82⤵PID:2884
-
\??\c:\pjddj.exec:\pjddj.exe83⤵PID:2876
-
\??\c:\7fxxflx.exec:\7fxxflx.exe84⤵PID:2732
-
\??\c:\bthhnt.exec:\bthhnt.exe85⤵PID:2612
-
\??\c:\thttbb.exec:\thttbb.exe86⤵PID:2820
-
\??\c:\vpjjp.exec:\vpjjp.exe87⤵PID:2968
-
\??\c:\xfrxfff.exec:\xfrxfff.exe88⤵PID:2600
-
\??\c:\nhntnb.exec:\nhntnb.exe89⤵PID:2908
-
\??\c:\pvdpv.exec:\pvdpv.exe90⤵PID:2232
-
\??\c:\xrlrxlr.exec:\xrlrxlr.exe91⤵PID:2456
-
\??\c:\xlfrxxf.exec:\xlfrxxf.exe92⤵PID:824
-
\??\c:\nhbhnn.exec:\nhbhnn.exe93⤵PID:1784
-
\??\c:\pdjdj.exec:\pdjdj.exe94⤵PID:1896
-
\??\c:\xrlrflr.exec:\xrlrflr.exe95⤵PID:2064
-
\??\c:\nntnhn.exec:\nntnhn.exe96⤵PID:2848
-
\??\c:\ppjjv.exec:\ppjjv.exe97⤵PID:1820
-
\??\c:\ddpvj.exec:\ddpvj.exe98⤵PID:1736
-
\??\c:\1xlrxlx.exec:\1xlrxlx.exe99⤵PID:112
-
\??\c:\ntbtth.exec:\ntbtth.exe100⤵PID:2824
-
\??\c:\vdvjp.exec:\vdvjp.exe101⤵PID:2132
-
\??\c:\pjjpd.exec:\pjjpd.exe102⤵PID:2452
-
\??\c:\llfxrxr.exec:\llfxrxr.exe103⤵PID:1476
-
\??\c:\fxfrxrl.exec:\fxfrxrl.exe104⤵PID:1148
-
\??\c:\hnhhtn.exec:\hnhhtn.exe105⤵PID:1628
-
\??\c:\pvpjv.exec:\pvpjv.exe106⤵PID:3004
-
\??\c:\xfxrfrx.exec:\xfxrfrx.exe107⤵PID:2296
-
\??\c:\flffffr.exec:\flffffr.exe108⤵PID:348
-
\??\c:\thnhbn.exec:\thnhbn.exe109⤵PID:548
-
\??\c:\jddjd.exec:\jddjd.exe110⤵PID:1264
-
\??\c:\rfrflrx.exec:\rfrflrx.exe111⤵PID:448
-
\??\c:\hhbbnn.exec:\hhbbnn.exe112⤵PID:1132
-
\??\c:\nnthtn.exec:\nnthtn.exe113⤵PID:1244
-
\??\c:\9vjvp.exec:\9vjvp.exe114⤵PID:2272
-
\??\c:\1fflflf.exec:\1fflflf.exe115⤵PID:3024
-
\??\c:\bbntht.exec:\bbntht.exe116⤵PID:2528
-
\??\c:\lfxllrx.exec:\lfxllrx.exe117⤵PID:948
-
\??\c:\bbhntb.exec:\bbhntb.exe118⤵PID:600
-
\??\c:\pjjjv.exec:\pjjjv.exe119⤵PID:920
-
\??\c:\jpjvj.exec:\jpjvj.exe120⤵PID:524
-
\??\c:\xlrrxxl.exec:\xlrrxxl.exe121⤵PID:2936
-
\??\c:\nthtnn.exec:\nthtnn.exe122⤵PID:332