Analysis
-
max time kernel
150s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64 arch:x86 image:win7-20240729-en locale:en-us os:windows7-x64 system -
submitted
24/12/2024, 01:21
Static task
static1
Behavioral task
behavioral1
Sample
c2c7a57024071e3ec41e4b7a514779c6fc474dc18a66e8a5d127f72efbbfb971.exe
Resource
win7-20240729-en
General
-
Target
c2c7a57024071e3ec41e4b7a514779c6fc474dc18a66e8a5d127f72efbbfb971.exe
-
Size
335KB
-
MD5
c7e65263044b25374e11257a6d551e1e
-
SHA1
fb642cbbbcd2a2c74e6cbe5012e9be3bcfb66423
-
SHA256
c2c7a57024071e3ec41e4b7a514779c6fc474dc18a66e8a5d127f72efbbfb971
-
SHA512
7a6e24486a6cf1adda67fd072edffc23b689ed0e9be95d7a7bf306f34c973a808beb648891dd12c5722948b421b52a80180346ac81ee1f2ee7550fa6b2c2d5c1
-
SSDEEP
6144:3cm7ImGddXsJdJIjaRleL42bL37BoTPkhu9gX5yGsTshQc8R0nxA5ij8+RC7tPhR:F7Tc8JdSjylh2b77BoTMA9gX59sTsuTB
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 48 IoCs
resource yara_rule behavioral1/memory/2712-586-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2860-578-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/396-520-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2992-504-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2180-459-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2560-671-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2912-413-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1576-393-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2416-380-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1808-368-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2096-361-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2752-326-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2848-308-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2536-268-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2284-260-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2324-251-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2324-249-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/1284-241-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1900-224-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2236-216-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3004-206-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2468-196-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2468-194-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1020-175-0x0000000000230000-0x000000000025A000-memory.dmp family_blackmoon behavioral1/memory/1836-158-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/868-131-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/1416-123-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2172-115-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2172-113-0x00000000002C0000-0x00000000002EA000-memory.dmp family_blackmoon behavioral1/memory/3020-105-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2416-95-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2908-93-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2416-87-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2616-84-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2240-76-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2908-56-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2412-48-0x0000000000230000-0x000000000025A000-memory.dmp family_blackmoon behavioral1/memory/2436-46-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2828-31-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2832-27-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1012-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2412-0-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/1716-767-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1716-766-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/872-806-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2432-1009-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2284-1064-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2616-1153-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1012 vvvpd.exe 2832 dpvvd.exe 2828 rlllrfl.exe 2436 bttthb.exe 2908 xffrxfx.exe 2568 dddjp.exe 2240 pjppp.exe 2616 llxrlxl.exe 2416 tbbhht.exe 3020 5pvdp.exe 2172 3xrrlll.exe 1416 tnbhnn.exe 868 vjvpp.exe 2916 1bhhhh.exe 2076 tntntn.exe 1836 9xlxfff.exe 1760 9tbbnb.exe 1020 ddjpj.exe 2244 5jjdd.exe 2468 hhnthh.exe 3004 1vpvd.exe 2236 3xllxfr.exe 1900 7httbb.exe 832 jdjvp.exe 1284 flrrrxf.exe 2324 bbntbh.exe 2284 1ntbhn.exe 2536 btttbb.exe 884 hhhtbh.exe 992 rlllfxf.exe 2708 lfllxff.exe 2684 nhnntt.exe 2848 ddpdd.exe 3012 fxxxrxr.exe 2828 1fffllr.exe 2752 tttbhb.exe 1748 5pdvd.exe 2620 1jpdp.exe 2592 3lfrxxf.exe 2632 tttttt.exe 2096 ttnnhn.exe 1808 9vvpj.exe 3032 fxfxlrf.exe 2416 rrllrll.exe 2132 tttbhb.exe 1576 tthbnn.exe 2560 jdddd.exe 2768 fxrxfff.exe 2912 rxflrlx.exe 2452 3ntttt.exe 2344 hhbhnn.exe 2036 5vpvv.exe 484 xrrlrlr.exe 284 xxflrfr.exe 2192 tnnbbt.exe 2180 ntbnnb.exe 2360 jvpdv.exe 2468 xxfffxf.exe 2272 flrfflr.exe 1280 ttnhtb.exe 1544 nhnnnt.exe 896 jdddj.exe 2992 ffxflll.exe 832 xfffflf.exe -
resource yara_rule behavioral1/memory/2992-504-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2360-460-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2560-671-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2344-421-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2912-406-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1576-393-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2416-380-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1808-368-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2096-361-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2752-326-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2848-308-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2284-260-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2324-251-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1284-241-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1900-224-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2236-216-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3004-206-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2468-196-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1416-123-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2172-115-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3020-105-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2416-87-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2616-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2240-76-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2908-56-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2436-46-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2828-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2832-27-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2832-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1012-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2412-0-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1156-745-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1716-758-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1716-767-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1716-764-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/872-806-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2452-950-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1192-957-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2432-1009-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2216-1114-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2616-1153-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/624-1215-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhnntn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1rlrxff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttbhtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrxfllr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxxxrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7htnnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhnntb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9rflrxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1dddj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrllflf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpddj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbhhnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvvpp.exe Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btnhbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2412 wrote to memory of 1012 2412 c2c7a57024071e3ec41e4b7a514779c6fc474dc18a66e8a5d127f72efbbfb971.exe 30 PID 2412 wrote to memory of 1012 2412 c2c7a57024071e3ec41e4b7a514779c6fc474dc18a66e8a5d127f72efbbfb971.exe 30 PID 2412 wrote to memory of 1012 2412 c2c7a57024071e3ec41e4b7a514779c6fc474dc18a66e8a5d127f72efbbfb971.exe 30 PID 2412 wrote to memory of 1012 2412 c2c7a57024071e3ec41e4b7a514779c6fc474dc18a66e8a5d127f72efbbfb971.exe 30 PID 1012 wrote to memory of 2832 1012 vvvpd.exe 31 PID 1012 wrote to memory of 2832 1012 vvvpd.exe 31 PID 1012 wrote to memory of 2832 1012 vvvpd.exe 31 PID 1012 wrote to memory of 2832 1012 vvvpd.exe 31 PID 2832 wrote to memory of 2828 2832 dpvvd.exe 32 PID 2832 wrote to memory of 2828 2832 dpvvd.exe 32 PID 2832 wrote to memory of 2828 2832 dpvvd.exe 32 PID 2832 wrote to memory of 2828 2832 dpvvd.exe 32 PID 2828 wrote to memory of 2436 2828 rlllrfl.exe 33 PID 2828 wrote to memory of 2436 2828 rlllrfl.exe 33 PID 2828 wrote to memory of 2436 2828 rlllrfl.exe 33 PID 2828 wrote to memory of 2436 2828 rlllrfl.exe 33 PID 2436 wrote to memory of 2908 2436 bttthb.exe 34 PID 2436 wrote to memory of 2908 2436 bttthb.exe 34 PID 2436 wrote to memory of 2908 2436 bttthb.exe 34 PID 2436 wrote to memory of 2908 2436 bttthb.exe 34 PID 2908 wrote to memory of 2568 2908 xffrxfx.exe 35 PID 2908 wrote to memory of 2568 2908 xffrxfx.exe 35 PID 2908 wrote to memory of 2568 2908 xffrxfx.exe 35 PID 2908 wrote to memory of 2568 2908 xffrxfx.exe 35 PID 2568 wrote to memory of 2240 2568 dddjp.exe 36 PID 2568 wrote to memory of 2240 2568 dddjp.exe 36 PID 2568 wrote to memory of 2240 2568 dddjp.exe 36 PID 2568 wrote to memory of 2240 2568 dddjp.exe 36 PID 2240 wrote to memory of 2616 2240 pjppp.exe 37 PID 2240 wrote to memory of 2616 2240 pjppp.exe 37 PID 2240 wrote to memory of 2616 2240 pjppp.exe 37 PID 2240 wrote to memory of 2616 2240 pjppp.exe 37 PID 2616 wrote to memory of 2416 2616 llxrlxl.exe 38 PID 2616 wrote to 
memory of 2416 2616 llxrlxl.exe 38 PID 2616 wrote to memory of 2416 2616 llxrlxl.exe 38 PID 2616 wrote to memory of 2416 2616 llxrlxl.exe 38 PID 2416 wrote to memory of 3020 2416 tbbhht.exe 39 PID 2416 wrote to memory of 3020 2416 tbbhht.exe 39 PID 2416 wrote to memory of 3020 2416 tbbhht.exe 39 PID 2416 wrote to memory of 3020 2416 tbbhht.exe 39 PID 3020 wrote to memory of 2172 3020 5pvdp.exe 40 PID 3020 wrote to memory of 2172 3020 5pvdp.exe 40 PID 3020 wrote to memory of 2172 3020 5pvdp.exe 40 PID 3020 wrote to memory of 2172 3020 5pvdp.exe 40 PID 2172 wrote to memory of 1416 2172 3xrrlll.exe 41 PID 2172 wrote to memory of 1416 2172 3xrrlll.exe 41 PID 2172 wrote to memory of 1416 2172 3xrrlll.exe 41 PID 2172 wrote to memory of 1416 2172 3xrrlll.exe 41 PID 1416 wrote to memory of 868 1416 tnbhnn.exe 42 PID 1416 wrote to memory of 868 1416 tnbhnn.exe 42 PID 1416 wrote to memory of 868 1416 tnbhnn.exe 42 PID 1416 wrote to memory of 868 1416 tnbhnn.exe 42 PID 868 wrote to memory of 2916 868 vjvpp.exe 43 PID 868 wrote to memory of 2916 868 vjvpp.exe 43 PID 868 wrote to memory of 2916 868 vjvpp.exe 43 PID 868 wrote to memory of 2916 868 vjvpp.exe 43 PID 2916 wrote to memory of 2076 2916 1bhhhh.exe 44 PID 2916 wrote to memory of 2076 2916 1bhhhh.exe 44 PID 2916 wrote to memory of 2076 2916 1bhhhh.exe 44 PID 2916 wrote to memory of 2076 2916 1bhhhh.exe 44 PID 2076 wrote to memory of 1836 2076 tntntn.exe 124 PID 2076 wrote to memory of 1836 2076 tntntn.exe 124 PID 2076 wrote to memory of 1836 2076 tntntn.exe 124 PID 2076 wrote to memory of 1836 2076 tntntn.exe 124
Processes
-
C:\Users\Admin\AppData\Local\Temp\c2c7a57024071e3ec41e4b7a514779c6fc474dc18a66e8a5d127f72efbbfb971.exe"C:\Users\Admin\AppData\Local\Temp\c2c7a57024071e3ec41e4b7a514779c6fc474dc18a66e8a5d127f72efbbfb971.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2412 -
\??\c:\vvvpd.exec:\vvvpd.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1012 -
\??\c:\dpvvd.exec:\dpvvd.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2832 -
\??\c:\rlllrfl.exec:\rlllrfl.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2828 -
\??\c:\bttthb.exec:\bttthb.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2436 -
\??\c:\xffrxfx.exec:\xffrxfx.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2908 -
\??\c:\dddjp.exec:\dddjp.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2568 -
\??\c:\pjppp.exec:\pjppp.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2240 -
\??\c:\llxrlxl.exec:\llxrlxl.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2616 -
\??\c:\tbbhht.exec:\tbbhht.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2416 -
\??\c:\5pvdp.exec:\5pvdp.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3020 -
\??\c:\3xrrlll.exec:\3xrrlll.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2172 -
\??\c:\tnbhnn.exec:\tnbhnn.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1416 -
\??\c:\vjvpp.exec:\vjvpp.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:868 -
\??\c:\1bhhhh.exec:\1bhhhh.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2916 -
\??\c:\tntntn.exec:\tntntn.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2076 -
\??\c:\9xlxfff.exec:\9xlxfff.exe17⤵
- Executes dropped EXE
PID:1836 -
\??\c:\9tbbnb.exec:\9tbbnb.exe18⤵
- Executes dropped EXE
PID:1760 -
\??\c:\ddjpj.exec:\ddjpj.exe19⤵
- Executes dropped EXE
PID:1020 -
\??\c:\5jjdd.exec:\5jjdd.exe20⤵
- Executes dropped EXE
PID:2244 -
\??\c:\hhnthh.exec:\hhnthh.exe21⤵
- Executes dropped EXE
PID:2468 -
\??\c:\1vpvd.exec:\1vpvd.exe22⤵
- Executes dropped EXE
PID:3004 -
\??\c:\3xllxfr.exec:\3xllxfr.exe23⤵
- Executes dropped EXE
PID:2236 -
\??\c:\7httbb.exec:\7httbb.exe24⤵
- Executes dropped EXE
PID:1900 -
\??\c:\jdjvp.exec:\jdjvp.exe25⤵
- Executes dropped EXE
PID:832 -
\??\c:\flrrrxf.exec:\flrrrxf.exe26⤵
- Executes dropped EXE
PID:1284 -
\??\c:\bbntbh.exec:\bbntbh.exe27⤵
- Executes dropped EXE
PID:2324 -
\??\c:\1ntbhn.exec:\1ntbhn.exe28⤵
- Executes dropped EXE
PID:2284 -
\??\c:\btttbb.exec:\btttbb.exe29⤵
- Executes dropped EXE
PID:2536 -
\??\c:\hhhtbh.exec:\hhhtbh.exe30⤵
- Executes dropped EXE
PID:884 -
\??\c:\rlllfxf.exec:\rlllfxf.exe31⤵
- Executes dropped EXE
PID:992 -
\??\c:\lfllxff.exec:\lfllxff.exe32⤵
- Executes dropped EXE
PID:2708 -
\??\c:\nhnntt.exec:\nhnntt.exe33⤵
- Executes dropped EXE
PID:2684 -
\??\c:\ddpdd.exec:\ddpdd.exe34⤵
- Executes dropped EXE
PID:2848 -
\??\c:\fxxxrxr.exec:\fxxxrxr.exe35⤵
- Executes dropped EXE
PID:3012 -
\??\c:\1fffllr.exec:\1fffllr.exe36⤵
- Executes dropped EXE
PID:2828 -
\??\c:\tttbhb.exec:\tttbhb.exe37⤵
- Executes dropped EXE
PID:2752 -
\??\c:\5pdvd.exec:\5pdvd.exe38⤵
- Executes dropped EXE
PID:1748 -
\??\c:\1jpdp.exec:\1jpdp.exe39⤵
- Executes dropped EXE
PID:2620 -
\??\c:\3lfrxxf.exec:\3lfrxxf.exe40⤵
- Executes dropped EXE
PID:2592 -
\??\c:\tttttt.exec:\tttttt.exe41⤵
- Executes dropped EXE
PID:2632 -
\??\c:\ttnnhn.exec:\ttnnhn.exe42⤵
- Executes dropped EXE
PID:2096 -
\??\c:\9vvpj.exec:\9vvpj.exe43⤵
- Executes dropped EXE
PID:1808 -
\??\c:\fxfxlrf.exec:\fxfxlrf.exe44⤵
- Executes dropped EXE
PID:3032 -
\??\c:\rrllrll.exec:\rrllrll.exe45⤵
- Executes dropped EXE
PID:2416 -
\??\c:\tttbhb.exec:\tttbhb.exe46⤵
- Executes dropped EXE
PID:2132 -
\??\c:\tthbnn.exec:\tthbnn.exe47⤵
- Executes dropped EXE
PID:1576 -
\??\c:\jdddd.exec:\jdddd.exe48⤵
- Executes dropped EXE
PID:2560 -
\??\c:\fxrxfff.exec:\fxrxfff.exe49⤵
- Executes dropped EXE
PID:2768 -
\??\c:\rxflrlx.exec:\rxflrlx.exe50⤵
- Executes dropped EXE
PID:2912 -
\??\c:\3ntttt.exec:\3ntttt.exe51⤵
- Executes dropped EXE
PID:2452 -
\??\c:\hhbhnn.exec:\hhbhnn.exe52⤵
- Executes dropped EXE
PID:2344 -
\??\c:\5vpvv.exec:\5vpvv.exe53⤵
- Executes dropped EXE
PID:2036 -
\??\c:\xrrlrlr.exec:\xrrlrlr.exe54⤵
- Executes dropped EXE
PID:484 -
\??\c:\xxflrfr.exec:\xxflrfr.exe55⤵
- Executes dropped EXE
PID:284 -
\??\c:\tnnbbt.exec:\tnnbbt.exe56⤵
- Executes dropped EXE
PID:2192 -
\??\c:\ntbnnb.exec:\ntbnnb.exe57⤵
- Executes dropped EXE
PID:2180 -
\??\c:\jvpdv.exec:\jvpdv.exe58⤵
- Executes dropped EXE
PID:2360 -
\??\c:\xxfffxf.exec:\xxfffxf.exe59⤵
- Executes dropped EXE
PID:2468 -
\??\c:\flrfflr.exec:\flrfflr.exe60⤵
- Executes dropped EXE
PID:2272 -
\??\c:\ttnhtb.exec:\ttnhtb.exe61⤵
- Executes dropped EXE
PID:1280 -
\??\c:\nhnnnt.exec:\nhnnnt.exe62⤵
- Executes dropped EXE
PID:1544 -
\??\c:\jdddj.exec:\jdddj.exe63⤵
- Executes dropped EXE
PID:896 -
\??\c:\ffxflll.exec:\ffxflll.exe64⤵
- Executes dropped EXE
PID:2992 -
\??\c:\xfffflf.exec:\xfffflf.exe65⤵
- Executes dropped EXE
PID:832 -
\??\c:\ttbnth.exec:\ttbnth.exe66⤵PID:1284
-
\??\c:\nnhntt.exec:\nnhntt.exe67⤵PID:396
-
\??\c:\7pddj.exec:\7pddj.exe68⤵PID:844
-
\??\c:\9pddd.exec:\9pddd.exe69⤵PID:2504
-
\??\c:\rlrlrxl.exec:\rlrlrxl.exe70⤵PID:1876
-
\??\c:\rrrfffl.exec:\rrrfffl.exe71⤵PID:2276
-
\??\c:\nnbhbb.exec:\nnbhbb.exe72⤵PID:2268
-
\??\c:\nnnntt.exec:\nnnntt.exe73⤵PID:2720
-
\??\c:\jjddd.exec:\jjddd.exe74⤵PID:2728
-
\??\c:\ppppp.exec:\ppppp.exe75⤵PID:1636
-
\??\c:\llfflrx.exec:\llfflrx.exe76⤵PID:2860
-
\??\c:\btnnnh.exec:\btnnnh.exe77⤵PID:2712
-
\??\c:\hhttbb.exec:\hhttbb.exe78⤵PID:2740
-
\??\c:\ddvvv.exec:\ddvvv.exe79⤵PID:2696
-
\??\c:\fffxxfx.exec:\fffxxfx.exe80⤵PID:2572
-
\??\c:\3xfxffl.exec:\3xfxffl.exe81⤵PID:2652
-
\??\c:\hhttbb.exec:\hhttbb.exe82⤵PID:2156
-
\??\c:\tttttt.exec:\tttttt.exe83⤵PID:612
-
\??\c:\vdjpd.exec:\vdjpd.exe84⤵PID:904
-
\??\c:\5ppvd.exec:\5ppvd.exe85⤵PID:2556
-
\??\c:\jpdjp.exec:\jpdjp.exe86⤵PID:2208
-
\??\c:\rlfxxff.exec:\rlfxxff.exe87⤵PID:2112
-
\??\c:\rrfxlrr.exec:\rrfxlrr.exe88⤵PID:2756
-
\??\c:\7htnnh.exec:\7htnnh.exe89⤵
- System Location Discovery: System Language Discovery
PID:1740 -
\??\c:\nbhnbb.exec:\nbhnbb.exe90⤵PID:1416
-
\??\c:\9pppv.exec:\9pppv.exe91⤵PID:2560
-
\??\c:\dpddj.exec:\dpddj.exe92⤵
- System Location Discovery: System Language Discovery
PID:2768 -
\??\c:\xxffrfl.exec:\xxffrfl.exe93⤵PID:2912
-
\??\c:\bhhhhh.exec:\bhhhhh.exe94⤵PID:1192
-
\??\c:\bhhnnn.exec:\bhhnnn.exe95⤵PID:1780
-
\??\c:\pvvdp.exec:\pvvdp.exe96⤵PID:1836
-
\??\c:\bttttt.exec:\bttttt.exe97⤵PID:780
-
\??\c:\vpppj.exec:\vpppj.exe98⤵PID:2300
-
\??\c:\hbbbhh.exec:\hbbbhh.exe99⤵PID:2176
-
\??\c:\ntntbn.exec:\ntntbn.exe100⤵PID:2244
-
\??\c:\jdvvd.exec:\jdvvd.exe101⤵PID:3064
-
\??\c:\ffxrrll.exec:\ffxrrll.exe102⤵PID:1996
-
\??\c:\9dppp.exec:\9dppp.exe103⤵PID:1268
-
\??\c:\rfxxxxx.exec:\rfxxxxx.exe104⤵PID:1156
-
\??\c:\nnhbtn.exec:\nnhbtn.exe105⤵PID:824
-
\??\c:\jdjjp.exec:\jdjjp.exe106⤵PID:1716
-
\??\c:\dvvdj.exec:\dvvdj.exe107⤵PID:864
-
\??\c:\rllllll.exec:\rllllll.exe108⤵PID:2672
-
\??\c:\tthntb.exec:\tthntb.exe109⤵PID:2324
-
\??\c:\hbnhnn.exec:\hbnhnn.exe110⤵PID:2308
-
\??\c:\fxxxxxr.exec:\fxxxxxr.exe111⤵PID:1904
-
\??\c:\tnnntn.exec:\tnnntn.exe112⤵PID:872
-
\??\c:\nhnntb.exec:\nhnntb.exe113⤵PID:1240
-
\??\c:\jvvjj.exec:\jvvjj.exe114⤵PID:2488
-
\??\c:\lxxxxxr.exec:\lxxxxxr.exe115⤵PID:2268
-
\??\c:\5tbtbb.exec:\5tbtbb.exe116⤵PID:2720
-
\??\c:\thhhnn.exec:\thhhnn.exe117⤵PID:2728
-
\??\c:\pddvd.exec:\pddvd.exe118⤵PID:2704
-
\??\c:\lxfflll.exec:\lxfflll.exe119⤵PID:2216
-
\??\c:\3flxlll.exec:\3flxlll.exe120⤵PID:2828
-
\??\c:\thhhnn.exec:\thhhnn.exe121⤵PID:2820
-
\??\c:\ddvdj.exec:\ddvdj.exe122⤵PID:2880