Analysis
-
max time kernel
120s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
20-12-2024 05:02
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
0d08559e4b9dc61907ffc741205dc7a589a041032507a6b81180c27c2b95fccfN.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
120 seconds
General
-
Target
0d08559e4b9dc61907ffc741205dc7a589a041032507a6b81180c27c2b95fccfN.exe
-
Size
453KB
-
MD5
4ad9576f008b10da688ab637f2807b70
-
SHA1
5842fce613b82b93e14a46fda4bdb6a37a8fecb1
-
SHA256
0d08559e4b9dc61907ffc741205dc7a589a041032507a6b81180c27c2b95fccf
-
SHA512
0a7b786655aa61b6fd4d808807a4e9be7fcd0a15f2c3f170d51e392d2036ad121cdb00351ef22f72b749c43d0623f6b22bf3680d5250f501997fa94adabd6115
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbex:q7Tc2NYHUrAwfMp3CDx
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 41 IoCs
resource yara_rule behavioral1/memory/3024-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3020-10-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2004-27-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2156-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2524-46-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2524-44-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2724-54-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2772-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2756-83-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2736-91-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2588-100-0x00000000005C0000-0x00000000005EA000-memory.dmp family_blackmoon behavioral1/memory/2588-102-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1940-119-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1676-121-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1640-153-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/1640-155-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1924-172-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1856-181-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2964-207-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/712-241-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2128-258-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2936-279-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2720-344-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2688-370-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1776-384-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1936-398-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1672-406-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2508-413-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/772-438-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1932-542-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1336-569-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2832-621-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2960-635-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/1056-649-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/672-694-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2068-770-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2724-876-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/2724-874-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/1812-1039-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/884-1230-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/2808-1256-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 3020 nhhbhn.exe 2004 5xrllfl.exe 2156 nbhbtt.exe 2524 3vpjj.exe 2724 1tnnnn.exe 2772 dvddj.exe 2824 5rfxxxx.exe 2756 3rrrlfl.exe 2736 ddjvd.exe 2588 rfrffxf.exe 3012 jjvvd.exe 1940 9xrfrrx.exe 1676 5bnntb.exe 1712 bbhhnn.exe 2096 xrfrrfr.exe 1640 9ntthh.exe 772 pvvpv.exe 1924 lxfffff.exe 1856 7tnhhh.exe 2808 rlrlrlr.exe 2272 ttnhtn.exe 2964 pdjdv.exe 444 1frlrfl.exe 708 bhnbtn.exe 1868 vdpjj.exe 712 1rfxrll.exe 1724 vpvvv.exe 2128 vdjvv.exe 2312 7tbttn.exe 2936 5pvpp.exe 2896 rlrlfxf.exe 1580 3flffxx.exe 3020 jdjdd.exe 2220 9vjjj.exe 2480 frfxxrx.exe 2212 bthbbt.exe 2760 5hnhtt.exe 2784 pvddd.exe 2768 9llxxxr.exe 2720 9rxrrll.exe 2764 bnbbbt.exe 2344 hnhhnh.exe 2960 dpddj.exe 2584 fxflrrx.exe 2688 fllxxrx.exe 1776 bhnhbb.exe 1700 dvpjp.exe 1936 jvjdj.exe 1672 frxrlfx.exe 2508 nbbtnh.exe 1040 vpddd.exe 1632 pdvpv.exe 1444 9frrlff.exe 772 htthnn.exe 864 thnhht.exe 2044 dpjdd.exe 1980 3ffxxxr.exe 2264 rxlfxrl.exe 2856 5thhht.exe 952 jvjvp.exe 2628 jdppv.exe 1956 frfffrr.exe 1364 bntttt.exe 1668 3nthbt.exe -
resource yara_rule behavioral1/memory/3024-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3020-10-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2004-27-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2156-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2524-46-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2724-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2772-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2824-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2756-83-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2736-91-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2588-102-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1940-119-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1676-121-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1640-155-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1924-172-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1856-181-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2964-207-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1868-225-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/712-241-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2128-258-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2936-279-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2936-277-0x00000000003A0000-0x00000000003CA000-memory.dmp upx behavioral1/memory/2720-344-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2688-370-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/1776-377-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1776-384-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1936-398-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1672-406-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2508-413-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/772-438-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1980-451-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1980-472-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1932-542-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1336-569-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2120-583-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2832-621-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2792-630-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1056-649-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1716-656-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1940-663-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/672-694-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2012-713-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2400-726-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1504-751-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2296-789-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2724-874-0x00000000003C0000-0x00000000003EA000-memory.dmp upx behavioral1/memory/1148-926-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/1704-927-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2088-1000-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1636-1026-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1592-1083-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2452-1090-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2968-1166-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2508-1204-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2512-1213-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2092-1243-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2248-1257-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnnhnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvjjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvddj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhbhnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1ntnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhnnnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tthhhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbtnth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhbhnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7bhnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbbtnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrffrrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7lrlllr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxfffff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9hnnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9thhhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbntbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9vjjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3024 wrote to memory of 3020 3024 0d08559e4b9dc61907ffc741205dc7a589a041032507a6b81180c27c2b95fccfN.exe 31 PID 3024 wrote to memory of 3020 3024 0d08559e4b9dc61907ffc741205dc7a589a041032507a6b81180c27c2b95fccfN.exe 31 PID 3024 wrote to memory of 3020 3024 0d08559e4b9dc61907ffc741205dc7a589a041032507a6b81180c27c2b95fccfN.exe 31 PID 3024 wrote to memory of 3020 3024 0d08559e4b9dc61907ffc741205dc7a589a041032507a6b81180c27c2b95fccfN.exe 31 PID 3020 wrote to memory of 2004 3020 nhhbhn.exe 32 PID 3020 wrote to memory of 2004 3020 nhhbhn.exe 32 PID 3020 wrote to memory of 2004 3020 nhhbhn.exe 32 PID 3020 wrote to memory of 2004 3020 nhhbhn.exe 32 PID 2004 wrote to memory of 2156 2004 5xrllfl.exe 33 PID 2004 wrote to memory of 2156 2004 5xrllfl.exe 33 PID 2004 wrote to memory of 2156 2004 5xrllfl.exe 33 PID 2004 wrote to memory of 2156 2004 5xrllfl.exe 33 PID 2156 wrote to memory of 2524 2156 nbhbtt.exe 34 PID 2156 wrote to memory of 2524 2156 nbhbtt.exe 34 PID 2156 wrote to memory of 2524 2156 nbhbtt.exe 34 PID 2156 wrote to memory of 2524 2156 nbhbtt.exe 34 PID 2524 wrote to memory of 2724 2524 3vpjj.exe 35 PID 2524 wrote to memory of 2724 2524 3vpjj.exe 35 PID 2524 wrote to memory of 2724 2524 3vpjj.exe 35 PID 2524 wrote to memory of 2724 2524 3vpjj.exe 35 PID 2724 wrote to memory of 2772 2724 1tnnnn.exe 36 PID 2724 wrote to memory of 2772 2724 1tnnnn.exe 36 PID 2724 wrote to memory of 2772 2724 1tnnnn.exe 36 PID 2724 wrote to memory of 2772 2724 1tnnnn.exe 36 PID 2772 wrote to memory of 2824 2772 dvddj.exe 37 PID 2772 wrote to memory of 2824 2772 dvddj.exe 37 PID 2772 wrote to memory of 2824 2772 dvddj.exe 37 PID 2772 wrote to memory of 2824 2772 dvddj.exe 37 PID 2824 wrote to memory of 2756 2824 5rfxxxx.exe 38 PID 2824 wrote to memory of 2756 2824 5rfxxxx.exe 38 PID 2824 wrote to memory of 2756 2824 5rfxxxx.exe 38 PID 2824 wrote to memory of 2756 2824 5rfxxxx.exe 38 PID 2756 wrote to memory of 2736 2756 3rrrlfl.exe 39 PID 2756 
wrote to memory of 2736 2756 3rrrlfl.exe 39 PID 2756 wrote to memory of 2736 2756 3rrrlfl.exe 39 PID 2756 wrote to memory of 2736 2756 3rrrlfl.exe 39 PID 2736 wrote to memory of 2588 2736 ddjvd.exe 40 PID 2736 wrote to memory of 2588 2736 ddjvd.exe 40 PID 2736 wrote to memory of 2588 2736 ddjvd.exe 40 PID 2736 wrote to memory of 2588 2736 ddjvd.exe 40 PID 2588 wrote to memory of 3012 2588 rfrffxf.exe 41 PID 2588 wrote to memory of 3012 2588 rfrffxf.exe 41 PID 2588 wrote to memory of 3012 2588 rfrffxf.exe 41 PID 2588 wrote to memory of 3012 2588 rfrffxf.exe 41 PID 3012 wrote to memory of 1940 3012 jjvvd.exe 42 PID 3012 wrote to memory of 1940 3012 jjvvd.exe 42 PID 3012 wrote to memory of 1940 3012 jjvvd.exe 42 PID 3012 wrote to memory of 1940 3012 jjvvd.exe 42 PID 1940 wrote to memory of 1676 1940 9xrfrrx.exe 43 PID 1940 wrote to memory of 1676 1940 9xrfrrx.exe 43 PID 1940 wrote to memory of 1676 1940 9xrfrrx.exe 43 PID 1940 wrote to memory of 1676 1940 9xrfrrx.exe 43 PID 1676 wrote to memory of 1712 1676 5bnntb.exe 44 PID 1676 wrote to memory of 1712 1676 5bnntb.exe 44 PID 1676 wrote to memory of 1712 1676 5bnntb.exe 44 PID 1676 wrote to memory of 1712 1676 5bnntb.exe 44 PID 1712 wrote to memory of 2096 1712 bbhhnn.exe 45 PID 1712 wrote to memory of 2096 1712 bbhhnn.exe 45 PID 1712 wrote to memory of 2096 1712 bbhhnn.exe 45 PID 1712 wrote to memory of 2096 1712 bbhhnn.exe 45 PID 2096 wrote to memory of 1640 2096 xrfrrfr.exe 46 PID 2096 wrote to memory of 1640 2096 xrfrrfr.exe 46 PID 2096 wrote to memory of 1640 2096 xrfrrfr.exe 46 PID 2096 wrote to memory of 1640 2096 xrfrrfr.exe 46
Processes
-
C:\Users\Admin\AppData\Local\Temp\0d08559e4b9dc61907ffc741205dc7a589a041032507a6b81180c27c2b95fccfN.exe"C:\Users\Admin\AppData\Local\Temp\0d08559e4b9dc61907ffc741205dc7a589a041032507a6b81180c27c2b95fccfN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3024 -
\??\c:\nhhbhn.exec:\nhhbhn.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3020 -
\??\c:\5xrllfl.exec:\5xrllfl.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2004 -
\??\c:\nbhbtt.exec:\nbhbtt.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2156 -
\??\c:\3vpjj.exec:\3vpjj.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2524 -
\??\c:\1tnnnn.exec:\1tnnnn.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2724 -
\??\c:\dvddj.exec:\dvddj.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2772 -
\??\c:\5rfxxxx.exec:\5rfxxxx.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2824 -
\??\c:\3rrrlfl.exec:\3rrrlfl.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2756 -
\??\c:\ddjvd.exec:\ddjvd.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2736 -
\??\c:\rfrffxf.exec:\rfrffxf.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2588 -
\??\c:\jjvvd.exec:\jjvvd.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3012 -
\??\c:\9xrfrrx.exec:\9xrfrrx.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1940 -
\??\c:\5bnntb.exec:\5bnntb.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1676 -
\??\c:\bbhhnn.exec:\bbhhnn.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1712 -
\??\c:\xrfrrfr.exec:\xrfrrfr.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2096 -
\??\c:\9ntthh.exec:\9ntthh.exe17⤵
- Executes dropped EXE
PID:1640 -
\??\c:\pvvpv.exec:\pvvpv.exe18⤵
- Executes dropped EXE
PID:772 -
\??\c:\lxfffff.exec:\lxfffff.exe19⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1924 -
\??\c:\7tnhhh.exec:\7tnhhh.exe20⤵
- Executes dropped EXE
PID:1856 -
\??\c:\rlrlrlr.exec:\rlrlrlr.exe21⤵
- Executes dropped EXE
PID:2808 -
\??\c:\ttnhtn.exec:\ttnhtn.exe22⤵
- Executes dropped EXE
PID:2272 -
\??\c:\pdjdv.exec:\pdjdv.exe23⤵
- Executes dropped EXE
PID:2964 -
\??\c:\1frlrfl.exec:\1frlrfl.exe24⤵
- Executes dropped EXE
PID:444 -
\??\c:\bhnbtn.exec:\bhnbtn.exe25⤵
- Executes dropped EXE
PID:708 -
\??\c:\vdpjj.exec:\vdpjj.exe26⤵
- Executes dropped EXE
PID:1868 -
\??\c:\1rfxrll.exec:\1rfxrll.exe27⤵
- Executes dropped EXE
PID:712 -
\??\c:\vpvvv.exec:\vpvvv.exe28⤵
- Executes dropped EXE
PID:1724 -
\??\c:\vdjvv.exec:\vdjvv.exe29⤵
- Executes dropped EXE
PID:2128 -
\??\c:\7tbttn.exec:\7tbttn.exe30⤵
- Executes dropped EXE
PID:2312 -
\??\c:\5pvpp.exec:\5pvpp.exe31⤵
- Executes dropped EXE
PID:2936 -
\??\c:\rlrlfxf.exec:\rlrlfxf.exe32⤵
- Executes dropped EXE
PID:2896 -
\??\c:\3flffxx.exec:\3flffxx.exe33⤵
- Executes dropped EXE
PID:1580 -
\??\c:\jdjdd.exec:\jdjdd.exe34⤵
- Executes dropped EXE
PID:3020 -
\??\c:\9vjjj.exec:\9vjjj.exe35⤵
- Executes dropped EXE
PID:2220 -
\??\c:\frfxxrx.exec:\frfxxrx.exe36⤵
- Executes dropped EXE
PID:2480 -
\??\c:\bthbbt.exec:\bthbbt.exe37⤵
- Executes dropped EXE
PID:2212 -
\??\c:\5hnhtt.exec:\5hnhtt.exe38⤵
- Executes dropped EXE
PID:2760 -
\??\c:\pvddd.exec:\pvddd.exe39⤵
- Executes dropped EXE
PID:2784 -
\??\c:\9llxxxr.exec:\9llxxxr.exe40⤵
- Executes dropped EXE
PID:2768 -
\??\c:\9rxrrll.exec:\9rxrrll.exe41⤵
- Executes dropped EXE
PID:2720 -
\??\c:\bnbbbt.exec:\bnbbbt.exe42⤵
- Executes dropped EXE
PID:2764 -
\??\c:\hnhhnh.exec:\hnhhnh.exe43⤵
- Executes dropped EXE
PID:2344 -
\??\c:\dpddj.exec:\dpddj.exe44⤵
- Executes dropped EXE
PID:2960 -
\??\c:\fxflrrx.exec:\fxflrrx.exe45⤵
- Executes dropped EXE
PID:2584 -
\??\c:\fllxxrx.exec:\fllxxrx.exe46⤵
- Executes dropped EXE
PID:2688 -
\??\c:\bhnhbb.exec:\bhnhbb.exe47⤵
- Executes dropped EXE
PID:1776 -
\??\c:\dvpjp.exec:\dvpjp.exe48⤵
- Executes dropped EXE
PID:1700 -
\??\c:\jvjdj.exec:\jvjdj.exe49⤵
- Executes dropped EXE
PID:1936 -
\??\c:\frxrlfx.exec:\frxrlfx.exe50⤵
- Executes dropped EXE
PID:1672 -
\??\c:\nbbtnh.exec:\nbbtnh.exe51⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2508 -
\??\c:\vpddd.exec:\vpddd.exe52⤵
- Executes dropped EXE
PID:1040 -
\??\c:\pdvpv.exec:\pdvpv.exe53⤵
- Executes dropped EXE
PID:1632 -
\??\c:\9frrlff.exec:\9frrlff.exe54⤵
- Executes dropped EXE
PID:1444 -
\??\c:\htthnn.exec:\htthnn.exe55⤵
- Executes dropped EXE
PID:772 -
\??\c:\thnhht.exec:\thnhht.exe56⤵
- Executes dropped EXE
PID:864 -
\??\c:\dpjdd.exec:\dpjdd.exe57⤵
- Executes dropped EXE
PID:2044 -
\??\c:\3ffxxxr.exec:\3ffxxxr.exe58⤵
- Executes dropped EXE
PID:1980 -
\??\c:\rxlfxrl.exec:\rxlfxrl.exe59⤵
- Executes dropped EXE
PID:2264 -
\??\c:\5thhht.exec:\5thhht.exe60⤵
- Executes dropped EXE
PID:2856 -
\??\c:\jvjvp.exec:\jvjvp.exe61⤵
- Executes dropped EXE
PID:952 -
\??\c:\jdppv.exec:\jdppv.exe62⤵
- Executes dropped EXE
PID:2628 -
\??\c:\frfffrr.exec:\frfffrr.exe63⤵
- Executes dropped EXE
PID:1956 -
\??\c:\bntttt.exec:\bntttt.exe64⤵
- Executes dropped EXE
PID:1364 -
\??\c:\3nthbt.exec:\3nthbt.exe65⤵
- Executes dropped EXE
PID:1668 -
\??\c:\1jpdv.exec:\1jpdv.exe66⤵PID:2076
-
\??\c:\pdjdj.exec:\pdjdj.exe67⤵PID:2544
-
\??\c:\lrrffxx.exec:\lrrffxx.exe68⤵PID:1724
-
\??\c:\frxflff.exec:\frxflff.exe69⤵PID:2056
-
\??\c:\thhbbb.exec:\thhbbb.exe70⤵PID:2928
-
\??\c:\vjdvj.exec:\vjdvj.exe71⤵PID:1932
-
\??\c:\jvdjj.exec:\jvdjj.exe72⤵PID:2384
-
\??\c:\3xlfxrf.exec:\3xlfxrf.exe73⤵PID:936
-
\??\c:\hbhnnh.exec:\hbhnnh.exe74⤵PID:2000
-
\??\c:\hbbnhn.exec:\hbbnhn.exe75⤵PID:572
-
\??\c:\1jpjd.exec:\1jpjd.exe76⤵PID:1336
-
\??\c:\pdjpv.exec:\pdjpv.exe77⤵PID:2848
-
\??\c:\lxffffl.exec:\lxffffl.exe78⤵PID:2120
-
\??\c:\3bhnth.exec:\3bhnth.exe79⤵PID:2760
-
\??\c:\bhnbth.exec:\bhnbth.exe80⤵PID:2780
-
\??\c:\jvvpp.exec:\jvvpp.exe81⤵PID:2684
-
\??\c:\rlrxxlr.exec:\rlrxxlr.exe82⤵PID:2792
-
\??\c:\1xfflll.exec:\1xfflll.exe83⤵PID:2604
-
\??\c:\nbnhhb.exec:\nbnhhb.exe84⤵PID:2832
-
\??\c:\5vddd.exec:\5vddd.exe85⤵PID:2960
-
\??\c:\vdpdj.exec:\vdpdj.exe86⤵PID:2968
-
\??\c:\lfrffrr.exec:\lfrffrr.exe87⤵PID:1056
-
\??\c:\3xxrrxx.exec:\3xxrrxx.exe88⤵PID:2224
-
\??\c:\5bnnnh.exec:\5bnnnh.exe89⤵PID:1716
-
\??\c:\dvjdv.exec:\dvjdv.exe90⤵PID:1940
-
\??\c:\dpvjd.exec:\dpvjd.exe91⤵PID:1604
-
\??\c:\lxxlfxr.exec:\lxxlfxr.exe92⤵PID:1952
-
\??\c:\9lfffxx.exec:\9lfffxx.exe93⤵PID:2388
-
\??\c:\1bttnh.exec:\1bttnh.exe94⤵PID:672
-
\??\c:\pjvjd.exec:\pjvjd.exe95⤵PID:1320
-
\??\c:\djvjv.exec:\djvjv.exe96⤵PID:1984
-
\??\c:\3rxrrrx.exec:\3rxrrrx.exe97⤵PID:1144
-
\??\c:\rflrxxx.exec:\rflrxxx.exe98⤵PID:2012
-
\??\c:\nhhhhh.exec:\nhhhhh.exe99⤵PID:2248
-
\??\c:\pdppp.exec:\pdppp.exe100⤵PID:2400
-
\??\c:\pdjdp.exec:\pdjdp.exe101⤵PID:680
-
\??\c:\fxfrrrr.exec:\fxfrrrr.exe102⤵PID:1516
-
\??\c:\nthhbn.exec:\nthhbn.exe103⤵PID:1720
-
\??\c:\7nthbt.exec:\7nthbt.exe104⤵PID:1504
-
\??\c:\vjpjp.exec:\vjpjp.exe105⤵PID:1828
-
\??\c:\lxrlfxr.exec:\lxrlfxr.exe106⤵PID:2068
-
\??\c:\rfrrxrr.exec:\rfrrxrr.exe107⤵PID:1404
-
\??\c:\bnnnnh.exec:\bnnnnh.exe108⤵PID:400
-
\??\c:\1jpjd.exec:\1jpjd.exe109⤵PID:2184
-
\??\c:\jvjdv.exec:\jvjdv.exe110⤵PID:2296
-
\??\c:\llfrflx.exec:\llfrflx.exe111⤵PID:1592
-
\??\c:\1tbtbb.exec:\1tbtbb.exe112⤵PID:2460
-
\??\c:\tnbbtt.exec:\tnbbtt.exe113⤵PID:3024
-
\??\c:\9pdvp.exec:\9pdvp.exe114⤵PID:2308
-
\??\c:\lflrxxl.exec:\lflrxxl.exe115⤵PID:1580
-
\??\c:\fxlrffr.exec:\fxlrffr.exe116⤵PID:1512
-
\??\c:\nhbhnb.exec:\nhbhnb.exe117⤵
- System Location Discovery: System Language Discovery
PID:2844 -
\??\c:\pvpdp.exec:\pvpdp.exe118⤵PID:2216
-
\??\c:\vjjvv.exec:\vjjvv.exe119⤵PID:2848
-
\??\c:\xxrlxxf.exec:\xxrlxxf.exe120⤵PID:2120
-
\??\c:\5tthnt.exec:\5tthnt.exe121⤵PID:2692
-
\??\c:\tnhtbh.exec:\tnhtbh.exe122⤵PID:2768