Analysis
-
max time kernel
120s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
19-12-2024 08:24
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
20c050df03743fe6f8841a7819e33a3b5a7d766f7c330c4d3e3b06584c00898d.exe
Resource
win7-20240903-en
7 signatures
120 seconds
General
-
Target
20c050df03743fe6f8841a7819e33a3b5a7d766f7c330c4d3e3b06584c00898d.exe
-
Size
454KB
-
MD5
d979acfd01299acc4cedbe53d2b0d8f4
-
SHA1
ea080a4f0a7745e8876ed623ec9caa876595e744
-
SHA256
20c050df03743fe6f8841a7819e33a3b5a7d766f7c330c4d3e3b06584c00898d
-
SHA512
574301038f44efcee1429c13f4f3b222104aa378059021dc86c3e4e03a9407792b59b617891c74ea11b4c0a463743d96e8b90de4539ea7c91bcdb2c24caea4ae
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbetn:q7Tc2NYHUrAwfMp3CDtn
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 61 IoCs
resource yara_rule behavioral1/memory/2668-0-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2280-16-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2900-31-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2328-28-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2328-26-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/2736-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2864-56-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2872-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2788-69-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2604-86-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2632-84-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1352-97-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/1740-105-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1828-127-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1680-135-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/108-156-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2812-168-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/2812-174-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2912-194-0x00000000002A0000-0x00000000002CA000-memory.dmp family_blackmoon behavioral1/memory/1836-210-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/952-227-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/1612-224-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/296-250-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1768-259-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2288-264-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2172-277-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1776-282-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/1776-287-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2104-290-0x0000000077410000-0x000000007752F000-memory.dmp family_blackmoon behavioral1/memory/2104-291-0x0000000077310000-0x000000007740A000-memory.dmp family_blackmoon behavioral1/memory/2252-306-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2328-320-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/2196-354-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2752-367-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1744-387-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/536-400-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1772-426-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1992-425-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/1772-427-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1056-446-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/2188-466-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/1056-465-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon 
behavioral1/memory/2688-473-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1328-481-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/1876-488-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2688-497-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2028-496-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1316-504-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2396-523-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/1592-591-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2744-610-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2864-611-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2408-673-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/1980-689-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1680-696-0x00000000002B0000-0x00000000002DA000-memory.dmp family_blackmoon behavioral1/memory/1072-744-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1532-791-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/940-828-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2228-867-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/1808-939-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1028-1002-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2280 xlrllff.exe 2328 nhbbnt.exe 2900 dvvpv.exe 2736 vddpv.exe 2864 jjjpp.exe 2872 lrxlfxx.exe 2788 hnnhht.exe 2632 xfxxllr.exe 2604 1fxfrll.exe 1352 nbhhnt.exe 1740 thtbhh.exe 1804 1bhhth.exe 1828 xxllrxl.exe 1680 nhhbth.exe 1284 lfrrxrx.exe 108 rfxrrrx.exe 1056 bnbhbh.exe 2812 3jppj.exe 972 5tbtnb.exe 1132 dvjpj.exe 2912 vjpvj.exe 956 frflrll.exe 1836 vvjjj.exe 1612 rrllrxl.exe 952 lfflfrl.exe 496 nhtnth.exe 296 hnhbtn.exe 1768 pjdjv.exe 2288 9vdpj.exe 2172 rflrllr.exe 1776 vdvjv.exe 2104 3nhtbt.exe 2252 xrffflr.exe 1588 ffrfrlx.exe 2328 hbttbb.exe 2304 pppjj.exe 2860 5rfffxl.exe 2716 nthbbb.exe 2704 3dvvj.exe 2196 xllxlxr.exe 2928 3hnhhb.exe 2752 ppjjj.exe 2632 rxllrll.exe 2444 nbthbh.exe 1744 pjdjp.exe 1076 xllfllx.exe 536 bhnnbn.exe 1992 3jppv.exe 1828 ppvpd.exe 1800 xxlrrrf.exe 1772 bhnnnb.exe 1284 vjjdd.exe 2780 flfrlxx.exe 1056 5xfxxxr.exe 2808 bbhtnb.exe 2156 5dvpv.exe 2188 rxlrlxl.exe 2688 btthth.exe 1328 9pdpj.exe 1876 xxfxlll.exe 2028 tbnbtb.exe 1316 tntbhn.exe 1544 pjdvp.exe 2136 xlfxxxf.exe -
resource yara_rule behavioral1/memory/2280-8-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2668-0-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2280-16-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2900-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2328-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2864-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2736-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2864-56-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2872-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2788-69-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2604-86-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2632-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1740-105-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1828-127-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1284-138-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/108-154-0x0000000000230000-0x000000000025A000-memory.dmp upx behavioral1/memory/108-156-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2812-174-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1836-210-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/952-227-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1612-224-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/296-250-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1768-259-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2288-264-0x0000000000220000-0x000000000024A000-memory.dmp upx 
behavioral1/memory/2172-277-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1776-287-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2252-306-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2196-354-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2752-367-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2444-374-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1744-387-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/536-400-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1772-426-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/1772-427-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2688-473-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1876-488-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2028-489-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2028-496-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1592-591-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2744-610-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2864-611-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2408-667-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2408-673-0x00000000001B0000-0x00000000001DA000-memory.dmp upx behavioral1/memory/1980-689-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2472-703-0x00000000001B0000-0x00000000001DA000-memory.dmp upx behavioral1/memory/1840-710-0x0000000000230000-0x000000000025A000-memory.dmp upx behavioral1/memory/1072-744-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1532-791-0x0000000000220000-0x000000000024A000-memory.dmp upx 
behavioral1/memory/940-828-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2968-841-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1712-854-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2228-867-0x00000000003C0000-0x00000000003EA000-memory.dmp upx behavioral1/memory/2752-911-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1808-936-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/536-944-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1028-1002-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2800-1013-0x00000000002A0000-0x00000000002CA000-memory.dmp upx behavioral1/memory/2688-1014-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvvvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvjvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djjvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrxrlff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3dvvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpvpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbttnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnhhnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xfxlxlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbthnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjdpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbhthh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnnbtb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpjjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7fxllrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5tthtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlrllfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrffffr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2668 wrote to memory of 2280 2668 20c050df03743fe6f8841a7819e33a3b5a7d766f7c330c4d3e3b06584c00898d.exe 31 PID 2668 wrote to memory of 2280 2668 20c050df03743fe6f8841a7819e33a3b5a7d766f7c330c4d3e3b06584c00898d.exe 31 PID 2668 wrote to memory of 2280 2668 20c050df03743fe6f8841a7819e33a3b5a7d766f7c330c4d3e3b06584c00898d.exe 31 PID 2668 wrote to memory of 2280 2668 20c050df03743fe6f8841a7819e33a3b5a7d766f7c330c4d3e3b06584c00898d.exe 31 PID 2280 wrote to memory of 2328 2280 xlrllff.exe 32 PID 2280 wrote to memory of 2328 2280 xlrllff.exe 32 PID 2280 wrote to memory of 2328 2280 xlrllff.exe 32 PID 2280 wrote to memory of 2328 2280 xlrllff.exe 32 PID 2328 wrote to memory of 2900 2328 nhbbnt.exe 33 PID 2328 wrote to memory of 2900 2328 nhbbnt.exe 33 PID 2328 wrote to memory of 2900 2328 nhbbnt.exe 33 PID 2328 wrote to memory of 2900 2328 nhbbnt.exe 33 PID 2900 wrote to memory of 2736 2900 dvvpv.exe 34 PID 2900 wrote to memory of 2736 2900 dvvpv.exe 34 PID 2900 wrote to memory of 2736 2900 dvvpv.exe 34 PID 2900 wrote to memory of 2736 2900 dvvpv.exe 34 PID 2736 wrote to memory of 2864 2736 vddpv.exe 35 PID 2736 wrote to memory of 2864 2736 vddpv.exe 35 PID 2736 wrote to memory of 2864 2736 vddpv.exe 35 PID 2736 wrote to memory of 2864 2736 vddpv.exe 35 PID 2864 wrote to memory of 2872 2864 jjjpp.exe 36 PID 2864 wrote to memory of 2872 2864 jjjpp.exe 36 PID 2864 wrote to memory of 2872 2864 jjjpp.exe 36 PID 2864 wrote to memory of 2872 2864 jjjpp.exe 36 PID 2872 wrote to memory of 2788 2872 lrxlfxx.exe 37 PID 2872 wrote to memory of 2788 2872 lrxlfxx.exe 37 PID 2872 wrote to memory of 2788 2872 lrxlfxx.exe 37 PID 2872 wrote to memory of 2788 2872 lrxlfxx.exe 37 PID 2788 wrote to memory of 2632 2788 hnnhht.exe 38 PID 2788 wrote to memory of 2632 2788 hnnhht.exe 38 PID 2788 wrote to memory of 2632 2788 hnnhht.exe 38 PID 2788 wrote to memory of 2632 2788 hnnhht.exe 38 PID 2632 wrote to memory of 2604 2632 xfxxllr.exe 39 PID 2632 wrote 
to memory of 2604 2632 xfxxllr.exe 39 PID 2632 wrote to memory of 2604 2632 xfxxllr.exe 39 PID 2632 wrote to memory of 2604 2632 xfxxllr.exe 39 PID 2604 wrote to memory of 1352 2604 1fxfrll.exe 40 PID 2604 wrote to memory of 1352 2604 1fxfrll.exe 40 PID 2604 wrote to memory of 1352 2604 1fxfrll.exe 40 PID 2604 wrote to memory of 1352 2604 1fxfrll.exe 40 PID 1352 wrote to memory of 1740 1352 nbhhnt.exe 41 PID 1352 wrote to memory of 1740 1352 nbhhnt.exe 41 PID 1352 wrote to memory of 1740 1352 nbhhnt.exe 41 PID 1352 wrote to memory of 1740 1352 nbhhnt.exe 41 PID 1740 wrote to memory of 1804 1740 thtbhh.exe 42 PID 1740 wrote to memory of 1804 1740 thtbhh.exe 42 PID 1740 wrote to memory of 1804 1740 thtbhh.exe 42 PID 1740 wrote to memory of 1804 1740 thtbhh.exe 42 PID 1804 wrote to memory of 1828 1804 1bhhth.exe 43 PID 1804 wrote to memory of 1828 1804 1bhhth.exe 43 PID 1804 wrote to memory of 1828 1804 1bhhth.exe 43 PID 1804 wrote to memory of 1828 1804 1bhhth.exe 43 PID 1828 wrote to memory of 1680 1828 xxllrxl.exe 44 PID 1828 wrote to memory of 1680 1828 xxllrxl.exe 44 PID 1828 wrote to memory of 1680 1828 xxllrxl.exe 44 PID 1828 wrote to memory of 1680 1828 xxllrxl.exe 44 PID 1680 wrote to memory of 1284 1680 nhhbth.exe 45 PID 1680 wrote to memory of 1284 1680 nhhbth.exe 45 PID 1680 wrote to memory of 1284 1680 nhhbth.exe 45 PID 1680 wrote to memory of 1284 1680 nhhbth.exe 45 PID 1284 wrote to memory of 108 1284 lfrrxrx.exe 46 PID 1284 wrote to memory of 108 1284 lfrrxrx.exe 46 PID 1284 wrote to memory of 108 1284 lfrrxrx.exe 46 PID 1284 wrote to memory of 108 1284 lfrrxrx.exe 46
Processes
-
C:\Users\Admin\AppData\Local\Temp\20c050df03743fe6f8841a7819e33a3b5a7d766f7c330c4d3e3b06584c00898d.exe"C:\Users\Admin\AppData\Local\Temp\20c050df03743fe6f8841a7819e33a3b5a7d766f7c330c4d3e3b06584c00898d.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2668 -
\??\c:\xlrllff.exec:\xlrllff.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2280 -
\??\c:\nhbbnt.exec:\nhbbnt.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2328 -
\??\c:\dvvpv.exec:\dvvpv.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2900 -
\??\c:\vddpv.exec:\vddpv.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2736 -
\??\c:\jjjpp.exec:\jjjpp.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2864 -
\??\c:\lrxlfxx.exec:\lrxlfxx.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2872 -
\??\c:\hnnhht.exec:\hnnhht.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2788 -
\??\c:\xfxxllr.exec:\xfxxllr.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2632 -
\??\c:\1fxfrll.exec:\1fxfrll.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2604 -
\??\c:\nbhhnt.exec:\nbhhnt.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1352 -
\??\c:\thtbhh.exec:\thtbhh.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1740 -
\??\c:\1bhhth.exec:\1bhhth.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1804 -
\??\c:\xxllrxl.exec:\xxllrxl.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1828 -
\??\c:\nhhbth.exec:\nhhbth.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1680 -
\??\c:\lfrrxrx.exec:\lfrrxrx.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1284 -
\??\c:\rfxrrrx.exec:\rfxrrrx.exe17⤵
- Executes dropped EXE
PID:108 -
\??\c:\bnbhbh.exec:\bnbhbh.exe18⤵
- Executes dropped EXE
PID:1056 -
\??\c:\3jppj.exec:\3jppj.exe19⤵
- Executes dropped EXE
PID:2812 -
\??\c:\5tbtnb.exec:\5tbtnb.exe20⤵
- Executes dropped EXE
PID:972 -
\??\c:\dvjpj.exec:\dvjpj.exe21⤵
- Executes dropped EXE
PID:1132 -
\??\c:\vjpvj.exec:\vjpvj.exe22⤵
- Executes dropped EXE
PID:2912 -
\??\c:\frflrll.exec:\frflrll.exe23⤵
- Executes dropped EXE
PID:956 -
\??\c:\vvjjj.exec:\vvjjj.exe24⤵
- Executes dropped EXE
PID:1836 -
\??\c:\rrllrxl.exec:\rrllrxl.exe25⤵
- Executes dropped EXE
PID:1612 -
\??\c:\lfflfrl.exec:\lfflfrl.exe26⤵
- Executes dropped EXE
PID:952 -
\??\c:\nhtnth.exec:\nhtnth.exe27⤵
- Executes dropped EXE
PID:496 -
\??\c:\hnhbtn.exec:\hnhbtn.exe28⤵
- Executes dropped EXE
PID:296 -
\??\c:\pjdjv.exec:\pjdjv.exe29⤵
- Executes dropped EXE
PID:1768 -
\??\c:\9vdpj.exec:\9vdpj.exe30⤵
- Executes dropped EXE
PID:2288 -
\??\c:\rflrllr.exec:\rflrllr.exe31⤵
- Executes dropped EXE
PID:2172 -
\??\c:\vdvjv.exec:\vdvjv.exe32⤵
- Executes dropped EXE
PID:1776 -
\??\c:\3nhtbt.exec:\3nhtbt.exe33⤵
- Executes dropped EXE
PID:2104 -
\??\c:\jjjdv.exec:\jjjdv.exe34⤵PID:2112
-
\??\c:\xrffflr.exec:\xrffflr.exe35⤵
- Executes dropped EXE
PID:2252 -
\??\c:\ffrfrlx.exec:\ffrfrlx.exe36⤵
- Executes dropped EXE
PID:1588 -
\??\c:\hbttbb.exec:\hbttbb.exe37⤵
- Executes dropped EXE
PID:2328 -
\??\c:\pppjj.exec:\pppjj.exe38⤵
- Executes dropped EXE
PID:2304 -
\??\c:\5rfffxl.exec:\5rfffxl.exe39⤵
- Executes dropped EXE
PID:2860 -
\??\c:\nthbbb.exec:\nthbbb.exe40⤵
- Executes dropped EXE
PID:2716 -
\??\c:\3dvvj.exec:\3dvvj.exe41⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2704 -
\??\c:\xllxlxr.exec:\xllxlxr.exe42⤵
- Executes dropped EXE
PID:2196 -
\??\c:\3hnhhb.exec:\3hnhhb.exe43⤵
- Executes dropped EXE
PID:2928 -
\??\c:\ppjjj.exec:\ppjjj.exe44⤵
- Executes dropped EXE
PID:2752 -
\??\c:\rxllrll.exec:\rxllrll.exe45⤵
- Executes dropped EXE
PID:2632 -
\??\c:\nbthbh.exec:\nbthbh.exe46⤵
- Executes dropped EXE
PID:2444 -
\??\c:\pjdjp.exec:\pjdjp.exe47⤵
- Executes dropped EXE
PID:1744 -
\??\c:\xllfllx.exec:\xllfllx.exe48⤵
- Executes dropped EXE
PID:1076 -
\??\c:\bhnnbn.exec:\bhnnbn.exe49⤵
- Executes dropped EXE
PID:536 -
\??\c:\3jppv.exec:\3jppv.exe50⤵
- Executes dropped EXE
PID:1992 -
\??\c:\ppvpd.exec:\ppvpd.exe51⤵
- Executes dropped EXE
PID:1828 -
\??\c:\xxlrrrf.exec:\xxlrrrf.exe52⤵
- Executes dropped EXE
PID:1800 -
\??\c:\bhnnnb.exec:\bhnnnb.exe53⤵
- Executes dropped EXE
PID:1772 -
\??\c:\vjjdd.exec:\vjjdd.exe54⤵
- Executes dropped EXE
PID:1284 -
\??\c:\flfrlxx.exec:\flfrlxx.exe55⤵
- Executes dropped EXE
PID:2780 -
\??\c:\5xfxxxr.exec:\5xfxxxr.exe56⤵
- Executes dropped EXE
PID:1056 -
\??\c:\bbhtnb.exec:\bbhtnb.exe57⤵
- Executes dropped EXE
PID:2808 -
\??\c:\5dvpv.exec:\5dvpv.exe58⤵
- Executes dropped EXE
PID:2156 -
\??\c:\rxlrlxl.exec:\rxlrlxl.exe59⤵
- Executes dropped EXE
PID:2188 -
\??\c:\btthth.exec:\btthth.exe60⤵
- Executes dropped EXE
PID:2688 -
\??\c:\9pdpj.exec:\9pdpj.exe61⤵
- Executes dropped EXE
PID:1328 -
\??\c:\xxfxlll.exec:\xxfxlll.exe62⤵
- Executes dropped EXE
PID:1876 -
\??\c:\tbnbtb.exec:\tbnbtb.exe63⤵
- Executes dropped EXE
PID:2028 -
\??\c:\tntbhn.exec:\tntbhn.exe64⤵
- Executes dropped EXE
PID:1316 -
\??\c:\pjdvp.exec:\pjdvp.exe65⤵
- Executes dropped EXE
PID:1544 -
\??\c:\xlfxxxf.exec:\xlfxxxf.exe66⤵
- Executes dropped EXE
PID:2136 -
\??\c:\ttthtb.exec:\ttthtb.exe67⤵PID:2396
-
\??\c:\dddjd.exec:\dddjd.exe68⤵PID:2496
-
\??\c:\vpvvd.exec:\vpvvd.exe69⤵PID:2148
-
\??\c:\fffrfrl.exec:\fffrfrl.exe70⤵PID:1700
-
\??\c:\7hbbnb.exec:\7hbbnb.exe71⤵PID:980
-
\??\c:\pvvpd.exec:\pvvpd.exe72⤵PID:2380
-
\??\c:\rxrrfxf.exec:\rxrrfxf.exe73⤵PID:2100
-
\??\c:\7nnbnt.exec:\7nnbnt.exe74⤵PID:2316
-
\??\c:\bbhtnt.exec:\bbhtnt.exe75⤵PID:1332
-
\??\c:\pjpdp.exec:\pjpdp.exe76⤵PID:588
-
\??\c:\flfrlrr.exec:\flfrlrr.exe77⤵PID:2264
-
\??\c:\nhtbnb.exec:\nhtbnb.exe78⤵PID:1592
-
\??\c:\hbnbnt.exec:\hbnbnt.exe79⤵PID:2900
-
\??\c:\jjvpv.exec:\jjvpv.exe80⤵PID:2732
-
\??\c:\1lrrrrl.exec:\1lrrrrl.exe81⤵PID:2744
-
\??\c:\tnhnbh.exec:\tnhnbh.exe82⤵PID:2864
-
\??\c:\vvvpj.exec:\vvvpj.exe83⤵PID:2620
-
\??\c:\7rlfxxr.exec:\7rlfxxr.exe84⤵PID:2608
-
\??\c:\flfllrl.exec:\flfllrl.exe85⤵PID:2500
-
\??\c:\tnhhnh.exec:\tnhhnh.exe86⤵PID:2580
-
\??\c:\dvddj.exec:\dvddj.exe87⤵PID:2636
-
\??\c:\xflflll.exec:\xflflll.exe88⤵PID:3048
-
\??\c:\bttttn.exec:\bttttn.exe89⤵PID:3052
-
\??\c:\pjppp.exec:\pjppp.exe90⤵PID:848
-
\??\c:\frfxffr.exec:\frfxffr.exe91⤵PID:2408
-
\??\c:\tnhhhb.exec:\tnhhhb.exe92⤵PID:2472
-
\??\c:\dddpp.exec:\dddpp.exe93⤵PID:1980
-
\??\c:\5rfrxfl.exec:\5rfrxfl.exe94⤵PID:1680
-
\??\c:\htnbnb.exec:\htnbnb.exe95⤵PID:1676
-
\??\c:\7xrllxx.exec:\7xrllxx.exe96⤵PID:1840
-
\??\c:\btbnht.exec:\btbnht.exe97⤵PID:2800
-
\??\c:\jdvdj.exec:\jdvdj.exe98⤵PID:2192
-
\??\c:\lrrfrfx.exec:\lrrfrfx.exe99⤵PID:2212
-
\??\c:\nhnntt.exec:\nhnntt.exe100⤵PID:2916
-
\??\c:\vpjdj.exec:\vpjdj.exe101⤵PID:1072
-
\??\c:\9xllxfl.exec:\9xllxfl.exe102⤵PID:1304
-
\??\c:\nnbhhn.exec:\nnbhhn.exe103⤵PID:1760
-
\??\c:\dddvp.exec:\dddvp.exe104⤵PID:2008
-
\??\c:\3pvpv.exec:\3pvpv.exe105⤵PID:344
-
\??\c:\fxxlrll.exec:\fxxlrll.exe106⤵PID:1612
-
\??\c:\bbhtnn.exec:\bbhtnn.exe107⤵PID:952
-
\??\c:\pjvpp.exec:\pjvpp.exe108⤵PID:1532
-
\??\c:\xllfxxf.exec:\xllfxxf.exe109⤵PID:2516
-
\??\c:\ttbnbn.exec:\ttbnbn.exe110⤵PID:1736
-
\??\c:\nhhnhh.exec:\nhhnhh.exe111⤵PID:580
-
\??\c:\9jjvj.exec:\9jjvj.exe112⤵PID:540
-
\??\c:\llrfrlf.exec:\llrfrlf.exe113⤵PID:992
-
\??\c:\bttnnh.exec:\bttnnh.exe114⤵PID:940
-
\??\c:\pvdvp.exec:\pvdvp.exe115⤵PID:1776
-
\??\c:\lxfrrff.exec:\lxfrrff.exe116⤵PID:2376
-
\??\c:\rrxrlfr.exec:\rrxrlfr.exe117⤵PID:2968
-
\??\c:\btnttt.exec:\btnttt.exe118⤵PID:2772
-
\??\c:\djdpd.exec:\djdpd.exe119⤵PID:1712
-
\??\c:\frxrrrx.exec:\frxrrrx.exe120⤵PID:2228
-
\??\c:\hnnhbh.exec:\hnnhbh.exe121⤵PID:2840
-
\??\c:\5djdv.exec:\5djdv.exe122⤵PID:2832