Analysis
-
max time kernel
150s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
19-12-2024 00:38
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
9b0936b7c12d2d1556bad2f716c04154731f9672596dec5c92af96c2eb2c5482.exe
Resource
win7-20240903-en
7 signatures
150 seconds
General
-
Target
9b0936b7c12d2d1556bad2f716c04154731f9672596dec5c92af96c2eb2c5482.exe
-
Size
453KB
-
MD5
14c4bd223137e543ac8225897d2cdf2e
-
SHA1
4c63173acc329cab56355f18bcf172ab529e1367
-
SHA256
9b0936b7c12d2d1556bad2f716c04154731f9672596dec5c92af96c2eb2c5482
-
SHA512
aa79e0f27e99a3347a163499814908cb23b6dba214b78856300ba6ffaab3bcf5f315634897dce448a2651f1cc812c02a8db38fa69bdb2fe2d7ec0f5337ef0ca2
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbee:q7Tc2NYHUrAwfMp3CDe
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 47 IoCs
resource yara_rule behavioral1/memory/2204-9-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2628-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1928-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/592-31-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/592-38-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/3004-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2804-63-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2592-88-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2316-117-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1648-126-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2968-375-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2008-412-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2556-420-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/848-453-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2456-473-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1864-487-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1556-494-0x0000000001C70000-0x0000000001C9A000-memory.dmp family_blackmoon behavioral1/memory/588-598-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3068-635-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1512-509-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1592-500-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon 
behavioral1/memory/2272-427-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2548-357-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2660-338-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2628-307-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2404-291-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1792-261-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2516-245-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2080-227-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/544-203-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2836-194-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2028-182-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/644-155-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2460-135-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/2968-106-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2968-101-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2800-78-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2688-59-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1612-696-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1372-751-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2036-779-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2024-939-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2484-946-0x00000000002A0000-0x00000000002CA000-memory.dmp family_blackmoon behavioral1/memory/356-1032-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1992-1072-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2176-1083-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2244-1095-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2628 5bhnht.exe 1928 vppvd.exe 592 xxrfxfx.exe 3004 nthbbb.exe 2688 djjvd.exe 2804 ttbbth.exe 2800 pvpvj.exe 2592 lllrlrl.exe 2564 xrxlrxl.exe 2968 nhnttb.exe 2316 3vdjv.exe 1648 rxrrlrr.exe 2460 nhnnnh.exe 1680 rxfrrrl.exe 644 bbbtbn.exe 1720 xffxrfl.exe 2348 xxxfflf.exe 2028 7tnthh.exe 2836 1vjpj.exe 544 rxrxlxr.exe 1004 5bthbn.exe 444 ttntbh.exe 2080 flffflf.exe 1668 jdvjv.exe 2516 fxrfflf.exe 1208 nnbntt.exe 1792 pvdjv.exe 3036 frxrfff.exe 1472 hhnhtn.exe 2404 ddvjv.exe 2624 rrllfrx.exe 2628 5ddpv.exe 536 jddvv.exe 592 fxllrxf.exe 2684 5nbbhh.exe 2740 jvjpv.exe 2692 xlrlxxx.exe 2660 rlflrfr.exe 3000 5hbhnt.exe 2548 pvjdd.exe 2608 jjdpj.exe 2552 frfrlrf.exe 2968 hhnnnb.exe 268 jjpjd.exe 2452 9vvvd.exe 2664 lfxlllx.exe 1200 lfxllrf.exe 2332 bbhnbh.exe 2008 1jjjd.exe 2556 rrfrfxr.exe 2272 9fxflrl.exe 1852 bhtnnn.exe 668 3vppd.exe 1128 ppjdp.exe 848 rlxxxfl.exe 2376 nhbhbh.exe 1112 nbbbhh.exe 2456 pdpdj.exe 1940 vpdjj.exe 1864 xrrfrxx.exe 1556 3xflrxl.exe 1592 bttbnb.exe 1512 9dvdd.exe 2036 vvpdv.exe -
resource yara_rule behavioral1/memory/2204-9-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2628-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1928-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/592-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2688-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3004-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2592-88-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2316-117-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2460-127-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1648-126-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2836-184-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2968-375-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2008-412-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2556-420-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1852-428-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/848-453-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2456-473-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1864-487-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/588-598-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3068-635-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1512-509-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1592-495-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1864-480-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2272-427-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2556-413-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2548-357-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2660-338-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2628-307-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2404-291-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2516-245-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/544-203-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2836-194-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2028-182-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/644-155-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1680-137-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2968-106-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2800-78-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2688-59-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1612-696-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/1512-765-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1372-777-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2688-842-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2024-932-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2024-939-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/356-1025-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/356-1032-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2808-1069-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1992-1072-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2244-1095-0x00000000001B0000-0x00000000001DA000-memory.dmp upx behavioral1/memory/2576-1134-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2588-1147-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/444-1266-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim host in order to infer that host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffxflll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpjpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7llrflx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjdpp.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjjpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9jdpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbnnbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jddvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhhtnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tthhtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrffrrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7hnthh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pppdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2204 wrote to memory of 2628 2204 9b0936b7c12d2d1556bad2f716c04154731f9672596dec5c92af96c2eb2c5482.exe 62 PID 2204 wrote to memory of 2628 2204 9b0936b7c12d2d1556bad2f716c04154731f9672596dec5c92af96c2eb2c5482.exe 62 PID 2204 wrote to memory of 2628 2204 9b0936b7c12d2d1556bad2f716c04154731f9672596dec5c92af96c2eb2c5482.exe 62 PID 2204 wrote to memory of 2628 2204 9b0936b7c12d2d1556bad2f716c04154731f9672596dec5c92af96c2eb2c5482.exe 62 PID 2628 wrote to memory of 1928 2628 5bhnht.exe 31 PID 2628 wrote to memory of 1928 2628 5bhnht.exe 31 PID 2628 wrote to memory of 1928 2628 5bhnht.exe 31 PID 2628 wrote to memory of 1928 2628 5bhnht.exe 31 PID 1928 wrote to memory of 592 1928 vppvd.exe 32 PID 1928 wrote to memory of 592 1928 vppvd.exe 32 PID 1928 wrote to memory of 592 1928 vppvd.exe 32 PID 1928 wrote to memory of 592 1928 vppvd.exe 32 PID 592 wrote to memory of 3004 592 xxrfxfx.exe 33 PID 592 wrote to memory of 3004 592 xxrfxfx.exe 33 PID 592 wrote to memory of 3004 592 xxrfxfx.exe 33 PID 592 wrote to memory of 3004 592 xxrfxfx.exe 33 PID 3004 wrote to memory of 2688 3004 nthbbb.exe 34 PID 3004 wrote to memory of 2688 3004 nthbbb.exe 34 PID 3004 wrote to memory of 2688 3004 nthbbb.exe 34 PID 3004 wrote to memory of 2688 3004 nthbbb.exe 34 PID 2688 wrote to memory of 2804 2688 djjvd.exe 35 PID 2688 wrote to memory of 2804 2688 djjvd.exe 35 PID 2688 wrote to memory of 2804 2688 djjvd.exe 35 PID 2688 wrote to memory of 2804 2688 djjvd.exe 35 PID 2804 wrote to memory of 2800 2804 ttbbth.exe 37 PID 2804 wrote to memory of 2800 2804 ttbbth.exe 37 PID 2804 wrote to memory of 2800 2804 ttbbth.exe 37 PID 2804 wrote to memory of 2800 2804 ttbbth.exe 37 PID 2800 wrote to memory of 2592 2800 pvpvj.exe 38 PID 2800 wrote to memory of 2592 2800 pvpvj.exe 38 PID 2800 wrote to memory of 2592 2800 pvpvj.exe 38 PID 2800 wrote to memory of 2592 2800 pvpvj.exe 38 PID 2592 wrote to memory of 2564 2592 lllrlrl.exe 39 PID 2592 wrote to memory of 2564 
2592 lllrlrl.exe 39 PID 2592 wrote to memory of 2564 2592 lllrlrl.exe 39 PID 2592 wrote to memory of 2564 2592 lllrlrl.exe 39 PID 2564 wrote to memory of 2968 2564 xrxlrxl.exe 40 PID 2564 wrote to memory of 2968 2564 xrxlrxl.exe 40 PID 2564 wrote to memory of 2968 2564 xrxlrxl.exe 40 PID 2564 wrote to memory of 2968 2564 xrxlrxl.exe 40 PID 2968 wrote to memory of 2316 2968 nhnttb.exe 41 PID 2968 wrote to memory of 2316 2968 nhnttb.exe 41 PID 2968 wrote to memory of 2316 2968 nhnttb.exe 41 PID 2968 wrote to memory of 2316 2968 nhnttb.exe 41 PID 2316 wrote to memory of 1648 2316 3vdjv.exe 117 PID 2316 wrote to memory of 1648 2316 3vdjv.exe 117 PID 2316 wrote to memory of 1648 2316 3vdjv.exe 117 PID 2316 wrote to memory of 1648 2316 3vdjv.exe 117 PID 1648 wrote to memory of 2460 1648 rxrrlrr.exe 43 PID 1648 wrote to memory of 2460 1648 rxrrlrr.exe 43 PID 1648 wrote to memory of 2460 1648 rxrrlrr.exe 43 PID 1648 wrote to memory of 2460 1648 rxrrlrr.exe 43 PID 2460 wrote to memory of 1680 2460 nhnnnh.exe 44 PID 2460 wrote to memory of 1680 2460 nhnnnh.exe 44 PID 2460 wrote to memory of 1680 2460 nhnnnh.exe 44 PID 2460 wrote to memory of 1680 2460 nhnnnh.exe 44 PID 1680 wrote to memory of 644 1680 rxfrrrl.exe 45 PID 1680 wrote to memory of 644 1680 rxfrrrl.exe 45 PID 1680 wrote to memory of 644 1680 rxfrrrl.exe 45 PID 1680 wrote to memory of 644 1680 rxfrrrl.exe 45 PID 644 wrote to memory of 1720 644 bbbtbn.exe 46 PID 644 wrote to memory of 1720 644 bbbtbn.exe 46 PID 644 wrote to memory of 1720 644 bbbtbn.exe 46 PID 644 wrote to memory of 1720 644 bbbtbn.exe 46
Processes
-
C:\Users\Admin\AppData\Local\Temp\9b0936b7c12d2d1556bad2f716c04154731f9672596dec5c92af96c2eb2c5482.exe"C:\Users\Admin\AppData\Local\Temp\9b0936b7c12d2d1556bad2f716c04154731f9672596dec5c92af96c2eb2c5482.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2204 -
\??\c:\5bhnht.exec:\5bhnht.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2628 -
\??\c:\vppvd.exec:\vppvd.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1928 -
\??\c:\xxrfxfx.exec:\xxrfxfx.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:592 -
\??\c:\nthbbb.exec:\nthbbb.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3004 -
\??\c:\djjvd.exec:\djjvd.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2688 -
\??\c:\ttbbth.exec:\ttbbth.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2804 -
\??\c:\pvpvj.exec:\pvpvj.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2800 -
\??\c:\lllrlrl.exec:\lllrlrl.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2592 -
\??\c:\xrxlrxl.exec:\xrxlrxl.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2564 -
\??\c:\nhnttb.exec:\nhnttb.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2968 -
\??\c:\3vdjv.exec:\3vdjv.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2316 -
\??\c:\rxrrlrr.exec:\rxrrlrr.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1648 -
\??\c:\nhnnnh.exec:\nhnnnh.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2460 -
\??\c:\rxfrrrl.exec:\rxfrrrl.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1680 -
\??\c:\bbbtbn.exec:\bbbtbn.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:644 -
\??\c:\xffxrfl.exec:\xffxrfl.exe17⤵
- Executes dropped EXE
PID:1720 -
\??\c:\xxxfflf.exec:\xxxfflf.exe18⤵
- Executes dropped EXE
PID:2348 -
\??\c:\7tnthh.exec:\7tnthh.exe19⤵
- Executes dropped EXE
PID:2028 -
\??\c:\1vjpj.exec:\1vjpj.exe20⤵
- Executes dropped EXE
PID:2836 -
\??\c:\rxrxlxr.exec:\rxrxlxr.exe21⤵
- Executes dropped EXE
PID:544 -
\??\c:\5bthbn.exec:\5bthbn.exe22⤵
- Executes dropped EXE
PID:1004 -
\??\c:\ttntbh.exec:\ttntbh.exe23⤵
- Executes dropped EXE
PID:444 -
\??\c:\flffflf.exec:\flffflf.exe24⤵
- Executes dropped EXE
PID:2080 -
\??\c:\jdvjv.exec:\jdvjv.exe25⤵
- Executes dropped EXE
PID:1668 -
\??\c:\fxrfflf.exec:\fxrfflf.exe26⤵
- Executes dropped EXE
PID:2516 -
\??\c:\nnbntt.exec:\nnbntt.exe27⤵
- Executes dropped EXE
PID:1208 -
\??\c:\pvdjv.exec:\pvdjv.exe28⤵
- Executes dropped EXE
PID:1792 -
\??\c:\frxrfff.exec:\frxrfff.exe29⤵
- Executes dropped EXE
PID:3036 -
\??\c:\hhnhtn.exec:\hhnhtn.exe30⤵
- Executes dropped EXE
PID:1472 -
\??\c:\ddvjv.exec:\ddvjv.exe31⤵
- Executes dropped EXE
PID:2404 -
\??\c:\rrllfrx.exec:\rrllfrx.exe32⤵
- Executes dropped EXE
PID:2624 -
\??\c:\5ddpv.exec:\5ddpv.exe33⤵
- Executes dropped EXE
PID:2628 -
\??\c:\jddvv.exec:\jddvv.exe34⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:536 -
\??\c:\fxllrxf.exec:\fxllrxf.exe35⤵
- Executes dropped EXE
PID:592 -
\??\c:\5nbbhh.exec:\5nbbhh.exe36⤵
- Executes dropped EXE
PID:2684 -
\??\c:\jvjpv.exec:\jvjpv.exe37⤵
- Executes dropped EXE
PID:2740 -
\??\c:\xlrlxxx.exec:\xlrlxxx.exe38⤵
- Executes dropped EXE
PID:2692 -
\??\c:\rlflrfr.exec:\rlflrfr.exe39⤵
- Executes dropped EXE
PID:2660 -
\??\c:\5hbhnt.exec:\5hbhnt.exe40⤵
- Executes dropped EXE
PID:3000 -
\??\c:\pvjdd.exec:\pvjdd.exe41⤵
- Executes dropped EXE
PID:2548 -
\??\c:\jjdpj.exec:\jjdpj.exe42⤵
- Executes dropped EXE
PID:2608 -
\??\c:\frfrlrf.exec:\frfrlrf.exe43⤵
- Executes dropped EXE
PID:2552 -
\??\c:\hhnnnb.exec:\hhnnnb.exe44⤵
- Executes dropped EXE
PID:2968 -
\??\c:\jjpjd.exec:\jjpjd.exe45⤵
- Executes dropped EXE
PID:268 -
\??\c:\9vvvd.exec:\9vvvd.exe46⤵
- Executes dropped EXE
PID:2452 -
\??\c:\lfxlllx.exec:\lfxlllx.exe47⤵
- Executes dropped EXE
PID:2664 -
\??\c:\lfxllrf.exec:\lfxllrf.exe48⤵
- Executes dropped EXE
PID:1200 -
\??\c:\bbhnbh.exec:\bbhnbh.exe49⤵
- Executes dropped EXE
PID:2332 -
\??\c:\1jjjd.exec:\1jjjd.exe50⤵
- Executes dropped EXE
PID:2008 -
\??\c:\rrfrfxr.exec:\rrfrfxr.exe51⤵
- Executes dropped EXE
PID:2556 -
\??\c:\9fxflrl.exec:\9fxflrl.exe52⤵
- Executes dropped EXE
PID:2272 -
\??\c:\bhtnnn.exec:\bhtnnn.exe53⤵
- Executes dropped EXE
PID:1852 -
\??\c:\3vppd.exec:\3vppd.exe54⤵
- Executes dropped EXE
PID:668 -
\??\c:\ppjdp.exec:\ppjdp.exe55⤵
- Executes dropped EXE
PID:1128 -
\??\c:\rlxxxfl.exec:\rlxxxfl.exe56⤵
- Executes dropped EXE
PID:848 -
\??\c:\nhbhbh.exec:\nhbhbh.exe57⤵
- Executes dropped EXE
PID:2376 -
\??\c:\nbbbhh.exec:\nbbbhh.exe58⤵
- Executes dropped EXE
PID:1112 -
\??\c:\pdpdj.exec:\pdpdj.exe59⤵
- Executes dropped EXE
PID:2456 -
\??\c:\vpdjj.exec:\vpdjj.exe60⤵
- Executes dropped EXE
PID:1940 -
\??\c:\xrrfrxx.exec:\xrrfrxx.exe61⤵
- Executes dropped EXE
PID:1864 -
\??\c:\3xflrxl.exec:\3xflrxl.exe62⤵
- Executes dropped EXE
PID:1556 -
\??\c:\bttbnb.exec:\bttbnb.exe63⤵
- Executes dropped EXE
PID:1592 -
\??\c:\9dvdd.exec:\9dvdd.exe64⤵
- Executes dropped EXE
PID:1512 -
\??\c:\vvpdv.exec:\vvpdv.exe65⤵
- Executes dropped EXE
PID:2036 -
\??\c:\fxrlrrr.exec:\fxrlrrr.exe66⤵PID:716
-
\??\c:\7tntbh.exec:\7tntbh.exe67⤵PID:1436
-
\??\c:\9hbtbb.exec:\9hbtbb.exe68⤵PID:948
-
\??\c:\1vjjp.exec:\1vjjp.exe69⤵PID:2184
-
\??\c:\pjvvj.exec:\pjvvj.exe70⤵PID:3060
-
\??\c:\llxfllx.exec:\llxfllx.exe71⤵PID:1740
-
\??\c:\7tthnt.exec:\7tthnt.exe72⤵PID:2956
-
\??\c:\btntnn.exec:\btntnn.exe73⤵PID:608
-
\??\c:\jpddj.exec:\jpddj.exe74⤵PID:2044
-
\??\c:\jjvpj.exec:\jjvpj.exe75⤵PID:2736
-
\??\c:\ffrlrrf.exec:\ffrlrrf.exe76⤵PID:2188
-
\??\c:\tthnbh.exec:\tthnbh.exe77⤵PID:2060
-
\??\c:\jjppj.exec:\jjppj.exe78⤵PID:796
-
\??\c:\vjppv.exec:\vjppv.exe79⤵PID:588
-
\??\c:\rxlflrr.exec:\rxlflrr.exe80⤵PID:2784
-
\??\c:\rlxxffx.exec:\rlxxffx.exe81⤵PID:1736
-
\??\c:\hnnbbn.exec:\hnnbbn.exe82⤵PID:2768
-
\??\c:\dvpdd.exec:\dvpdd.exe83⤵PID:580
-
\??\c:\vpjpp.exec:\vpjpp.exe84⤵PID:2088
-
\??\c:\llfrxfr.exec:\llfrxfr.exe85⤵PID:3068
-
\??\c:\rxlfxlf.exec:\rxlfxlf.exe86⤵PID:2440
-
\??\c:\tthnhh.exec:\tthnhh.exe87⤵PID:2716
-
\??\c:\9jpvj.exec:\9jpvj.exe88⤵PID:1648
-
\??\c:\1tbbhb.exec:\1tbbhb.exe89⤵PID:2308
-
\??\c:\dvvdp.exec:\dvvdp.exe90⤵PID:2952
-
\??\c:\1lrrlrf.exec:\1lrrlrf.exe91⤵PID:2000
-
\??\c:\dvvjp.exec:\dvvjp.exe92⤵PID:1744
-
\??\c:\5ththb.exec:\5ththb.exe93⤵PID:2500
-
\??\c:\pjjdv.exec:\pjjdv.exe94⤵PID:2468
-
\??\c:\7lxfllx.exec:\7lxfllx.exe95⤵PID:1612
-
\??\c:\hbbthh.exec:\hbbthh.exe96⤵PID:2792
-
\??\c:\vpppv.exec:\vpppv.exe97⤵PID:1520
-
\??\c:\5nttbh.exec:\5nttbh.exe98⤵PID:1260
-
\??\c:\jdvdp.exec:\jdvdp.exe99⤵PID:408
-
\??\c:\llfrflf.exec:\llfrflf.exe100⤵PID:1360
-
\??\c:\1tnbnt.exec:\1tnbnt.exe101⤵PID:2284
-
\??\c:\lfxrxfl.exec:\lfxrxfl.exe102⤵PID:444
-
\??\c:\9hhhbb.exec:\9hhhbb.exe103⤵PID:2080
-
\??\c:\frxlfxx.exec:\frxlfxx.exe104⤵PID:1372
-
\??\c:\thhtnb.exec:\thhtnb.exe105⤵PID:1440
-
\??\c:\hnthbt.exec:\hnthbt.exe106⤵PID:1684
-
\??\c:\9xfrxfr.exec:\9xfrxfr.exe107⤵PID:1512
-
\??\c:\nnbtnh.exec:\nnbtnh.exe108⤵PID:2036
-
\??\c:\1vppd.exec:\1vppd.exe109⤵PID:716
-
\??\c:\lfflxxl.exec:\lfflxxl.exe110⤵PID:2416
-
\??\c:\9bnhnh.exec:\9bnhnh.exe111⤵PID:948
-
\??\c:\3jjvp.exec:\3jjvp.exe112⤵PID:2848
-
\??\c:\9xffllr.exec:\9xffllr.exe113⤵PID:2404
-
\??\c:\rlxfrxl.exec:\rlxfrxl.exe114⤵PID:1420
-
\??\c:\1thhnh.exec:\1thhnh.exe115⤵PID:2168
-
\??\c:\jvddp.exec:\jvddp.exe116⤵PID:2148
-
\??\c:\rlxlfll.exec:\rlxlfll.exe117⤵PID:2636
-
\??\c:\xlxrrff.exec:\xlxrrff.exe118⤵PID:1544
-
\??\c:\3hbhtb.exec:\3hbhtb.exe119⤵PID:2688
-
\??\c:\vpjjd.exec:\vpjjd.exe120⤵PID:2864
-
\??\c:\pppvj.exec:\pppvj.exe121⤵PID:3056
-
\??\c:\frxxlfx.exec:\frxxlfx.exe122⤵PID:2720