Analysis
-
max time kernel
120s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
25-12-2024 15:41
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
7def6588adcd250ab7dab0107e4f1a2c9d63726a24bd1a877f7e74ae50d5f80d.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
120 seconds
General
-
Target
7def6588adcd250ab7dab0107e4f1a2c9d63726a24bd1a877f7e74ae50d5f80d.exe
-
Size
452KB
-
MD5
38b65b6cf884d0d8023cb5ad8350c902
-
SHA1
b2b9431fe8d9cc5f4d6333f6e9341e9347e1be4c
-
SHA256
7def6588adcd250ab7dab0107e4f1a2c9d63726a24bd1a877f7e74ae50d5f80d
-
SHA512
617441695e5e866039484b93ef240397f17fca637fdee67cae27b90370195468ac512bfe4901b3f89623c07eb409a7f1df5a05944bd89477a3ec4fade693a5b6
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeS:q7Tc2NYHUrAwfMp3CDS
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 44 IoCs
resource yara_rule behavioral1/memory/2364-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1956-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2584-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2104-41-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2780-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2812-75-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2912-84-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2668-96-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2684-104-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1064-149-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1900-168-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2000-178-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1120-188-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2092-197-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2416-206-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2480-210-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1152-227-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3048-236-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1888-240-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1748-272-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2464-283-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/1992-298-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1724-327-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2540-336-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2540-335-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2248-363-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2916-422-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2820-428-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/1088-437-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/996-450-0x0000000000260000-0x000000000028A000-memory.dmp family_blackmoon behavioral1/memory/1480-457-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/3000-465-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2436-548-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1804-555-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/2708-587-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/348-594-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2672-665-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/632-681-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/632-680-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/632-679-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2976-695-0x0000000001C70000-0x0000000001C9A000-memory.dmp family_blackmoon behavioral1/memory/1852-729-0x0000000001C70000-0x0000000001C9A000-memory.dmp family_blackmoon 
behavioral1/memory/2028-743-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2236-782-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1956 5djpj.exe 2584 hthhnh.exe 2160 1vvvv.exe 2104 lxflrrr.exe 2872 hbhbbb.exe 2780 vjpjv.exe 2812 flxfllr.exe 2912 hthbbb.exe 2668 dpjdd.exe 2684 xlxlrrl.exe 2076 nhhhtn.exe 676 3xlllrr.exe 2824 rrfxfxf.exe 2924 djvpv.exe 1064 5dvpj.exe 580 nhtthn.exe 1900 dvdvp.exe 2000 7lrlfxf.exe 1120 1bbbbh.exe 2092 xrffffr.exe 2416 nthbhb.exe 2480 pdppp.exe 1152 5frlffl.exe 3048 7vjvv.exe 1888 7xffxxx.exe 2840 thtnnn.exe 2484 vppvd.exe 1748 ttbntt.exe 352 5djdv.exe 2464 rfrlllf.exe 1992 5lxxlfl.exe 1544 3vjpp.exe 1212 7fllffx.exe 2348 hbnnnn.exe 1724 1hhbbt.exe 2540 pdjjp.exe 2888 lxllrll.exe 2872 3nbbhn.exe 2852 vjvdp.exe 2248 vpddd.exe 2520 xlxrxxx.exe 2676 tnbhnn.exe 2668 jpdvv.exe 2688 7vppv.exe 2356 3flrrrr.exe 1512 bhtttn.exe 2808 hnnbbn.exe 2972 vvjdj.exe 2916 7jvvp.exe 2820 frxrxrx.exe 2836 tnttth.exe 1088 vjvvp.exe 996 1llllfr.exe 1480 frfxffl.exe 2308 btbhbh.exe 3000 5jppp.exe 3008 3djjj.exe 2068 lfrrrrr.exe 2416 bnbttn.exe 408 nbthnh.exe 2336 vdpjp.exe 708 frrlffx.exe 3048 3xxrrlr.exe 2268 nnnbnt.exe -
resource yara_rule behavioral1/memory/2364-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1956-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2584-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2104-41-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2780-58-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2780-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2912-76-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2812-75-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2912-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2668-96-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2684-104-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/676-114-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2924-131-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1064-149-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1900-158-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2000-169-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1900-168-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2000-178-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1120-188-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2092-197-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2416-206-0x00000000001B0000-0x00000000001DA000-memory.dmp upx behavioral1/memory/2480-210-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3048-229-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1152-227-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/3048-236-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1888-240-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1748-272-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2464-283-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1992-298-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1544-300-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1724-327-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2540-336-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2852-350-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2248-363-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2676-370-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2668-377-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2248-384-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2916-422-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2836-430-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1088-437-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3000-465-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2416-484-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3048-509-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/764-529-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2436-548-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2708-580-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2708-587-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/348-594-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2844-645-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2672-665-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/632-681-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/632-679-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/1480-730-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2028-743-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/3000-744-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2236-775-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdppp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5vddv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hthhnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5lxxlfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrfxllr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bntbhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tttbnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vppvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdjpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5tnntt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btbbtb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdpjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxfxxxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrfrffl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5jvvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdpjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbnnnn.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2364 wrote to memory of 1956 2364 7def6588adcd250ab7dab0107e4f1a2c9d63726a24bd1a877f7e74ae50d5f80d.exe 30 PID 2364 wrote to memory of 1956 2364 7def6588adcd250ab7dab0107e4f1a2c9d63726a24bd1a877f7e74ae50d5f80d.exe 30 PID 2364 wrote to memory of 1956 2364 7def6588adcd250ab7dab0107e4f1a2c9d63726a24bd1a877f7e74ae50d5f80d.exe 30 PID 2364 wrote to memory of 1956 2364 7def6588adcd250ab7dab0107e4f1a2c9d63726a24bd1a877f7e74ae50d5f80d.exe 30 PID 1956 wrote to memory of 2584 1956 5djpj.exe 31 PID 1956 wrote to memory of 2584 1956 5djpj.exe 31 PID 1956 wrote to memory of 2584 1956 5djpj.exe 31 PID 1956 wrote to memory of 2584 1956 5djpj.exe 31 PID 2584 wrote to memory of 2160 2584 hthhnh.exe 32 PID 2584 wrote to memory of 2160 2584 hthhnh.exe 32 PID 2584 wrote to memory of 2160 2584 hthhnh.exe 32 PID 2584 wrote to memory of 2160 2584 hthhnh.exe 32 PID 2160 wrote to memory of 2104 2160 1vvvv.exe 33 PID 2160 wrote to memory of 2104 2160 1vvvv.exe 33 PID 2160 wrote to memory of 2104 2160 1vvvv.exe 33 PID 2160 wrote to memory of 2104 2160 1vvvv.exe 33 PID 2104 wrote to memory of 2872 2104 lxflrrr.exe 34 PID 2104 wrote to memory of 2872 2104 lxflrrr.exe 34 PID 2104 wrote to memory of 2872 2104 lxflrrr.exe 34 PID 2104 wrote to memory of 2872 2104 lxflrrr.exe 34 PID 2872 wrote to memory of 2780 2872 hbhbbb.exe 35 PID 2872 wrote to memory of 2780 2872 hbhbbb.exe 35 PID 2872 wrote to memory of 2780 2872 hbhbbb.exe 35 PID 2872 wrote to memory of 2780 2872 hbhbbb.exe 35 PID 2780 wrote to memory of 2812 2780 vjpjv.exe 36 PID 2780 wrote to memory of 2812 2780 vjpjv.exe 36 PID 2780 wrote to memory of 2812 2780 vjpjv.exe 36 PID 2780 wrote to memory of 2812 2780 vjpjv.exe 36 PID 2812 wrote to memory of 2912 2812 flxfllr.exe 37 PID 2812 wrote to memory of 2912 2812 flxfllr.exe 37 PID 2812 wrote to memory of 2912 2812 flxfllr.exe 37 PID 2812 wrote to memory of 2912 2812 flxfllr.exe 37 PID 2912 wrote to memory of 2668 2912 hthbbb.exe 38 PID 2912 wrote to 
memory of 2668 2912 hthbbb.exe 38 PID 2912 wrote to memory of 2668 2912 hthbbb.exe 38 PID 2912 wrote to memory of 2668 2912 hthbbb.exe 38 PID 2668 wrote to memory of 2684 2668 dpjdd.exe 39 PID 2668 wrote to memory of 2684 2668 dpjdd.exe 39 PID 2668 wrote to memory of 2684 2668 dpjdd.exe 39 PID 2668 wrote to memory of 2684 2668 dpjdd.exe 39 PID 2684 wrote to memory of 2076 2684 xlxlrrl.exe 40 PID 2684 wrote to memory of 2076 2684 xlxlrrl.exe 40 PID 2684 wrote to memory of 2076 2684 xlxlrrl.exe 40 PID 2684 wrote to memory of 2076 2684 xlxlrrl.exe 40 PID 2076 wrote to memory of 676 2076 nhhhtn.exe 41 PID 2076 wrote to memory of 676 2076 nhhhtn.exe 41 PID 2076 wrote to memory of 676 2076 nhhhtn.exe 41 PID 2076 wrote to memory of 676 2076 nhhhtn.exe 41 PID 676 wrote to memory of 2824 676 3xlllrr.exe 42 PID 676 wrote to memory of 2824 676 3xlllrr.exe 42 PID 676 wrote to memory of 2824 676 3xlllrr.exe 42 PID 676 wrote to memory of 2824 676 3xlllrr.exe 42 PID 2824 wrote to memory of 2924 2824 rrfxfxf.exe 43 PID 2824 wrote to memory of 2924 2824 rrfxfxf.exe 43 PID 2824 wrote to memory of 2924 2824 rrfxfxf.exe 43 PID 2824 wrote to memory of 2924 2824 rrfxfxf.exe 43 PID 2924 wrote to memory of 1064 2924 djvpv.exe 44 PID 2924 wrote to memory of 1064 2924 djvpv.exe 44 PID 2924 wrote to memory of 1064 2924 djvpv.exe 44 PID 2924 wrote to memory of 1064 2924 djvpv.exe 44 PID 1064 wrote to memory of 580 1064 5dvpj.exe 45 PID 1064 wrote to memory of 580 1064 5dvpj.exe 45 PID 1064 wrote to memory of 580 1064 5dvpj.exe 45 PID 1064 wrote to memory of 580 1064 5dvpj.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\7def6588adcd250ab7dab0107e4f1a2c9d63726a24bd1a877f7e74ae50d5f80d.exe"C:\Users\Admin\AppData\Local\Temp\7def6588adcd250ab7dab0107e4f1a2c9d63726a24bd1a877f7e74ae50d5f80d.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2364 -
\??\c:\5djpj.exec:\5djpj.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1956 -
\??\c:\hthhnh.exec:\hthhnh.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2584 -
\??\c:\1vvvv.exec:\1vvvv.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2160 -
\??\c:\lxflrrr.exec:\lxflrrr.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2104 -
\??\c:\hbhbbb.exec:\hbhbbb.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2872 -
\??\c:\vjpjv.exec:\vjpjv.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2780 -
\??\c:\flxfllr.exec:\flxfllr.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2812 -
\??\c:\hthbbb.exec:\hthbbb.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2912 -
\??\c:\dpjdd.exec:\dpjdd.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2668 -
\??\c:\xlxlrrl.exec:\xlxlrrl.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2684 -
\??\c:\nhhhtn.exec:\nhhhtn.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2076 -
\??\c:\3xlllrr.exec:\3xlllrr.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:676 -
\??\c:\rrfxfxf.exec:\rrfxfxf.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2824 -
\??\c:\djvpv.exec:\djvpv.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2924 -
\??\c:\5dvpj.exec:\5dvpj.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1064 -
\??\c:\nhtthn.exec:\nhtthn.exe17⤵
- Executes dropped EXE
PID:580 -
\??\c:\dvdvp.exec:\dvdvp.exe18⤵
- Executes dropped EXE
PID:1900 -
\??\c:\7lrlfxf.exec:\7lrlfxf.exe19⤵
- Executes dropped EXE
PID:2000 -
\??\c:\1bbbbh.exec:\1bbbbh.exe20⤵
- Executes dropped EXE
PID:1120 -
\??\c:\xrffffr.exec:\xrffffr.exe21⤵
- Executes dropped EXE
PID:2092 -
\??\c:\nthbhb.exec:\nthbhb.exe22⤵
- Executes dropped EXE
PID:2416 -
\??\c:\pdppp.exec:\pdppp.exe23⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2480 -
\??\c:\5frlffl.exec:\5frlffl.exe24⤵
- Executes dropped EXE
PID:1152 -
\??\c:\7vjvv.exec:\7vjvv.exe25⤵
- Executes dropped EXE
PID:3048 -
\??\c:\7xffxxx.exec:\7xffxxx.exe26⤵
- Executes dropped EXE
PID:1888 -
\??\c:\thtnnn.exec:\thtnnn.exe27⤵
- Executes dropped EXE
PID:2840 -
\??\c:\vppvd.exec:\vppvd.exe28⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2484 -
\??\c:\ttbntt.exec:\ttbntt.exe29⤵
- Executes dropped EXE
PID:1748 -
\??\c:\5djdv.exec:\5djdv.exe30⤵
- Executes dropped EXE
PID:352 -
\??\c:\rfrlllf.exec:\rfrlllf.exe31⤵
- Executes dropped EXE
PID:2464 -
\??\c:\5lxxlfl.exec:\5lxxlfl.exe32⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1992 -
\??\c:\3vjpp.exec:\3vjpp.exe33⤵
- Executes dropped EXE
PID:1544 -
\??\c:\7fllffx.exec:\7fllffx.exe34⤵
- Executes dropped EXE
PID:1212 -
\??\c:\hbnnnn.exec:\hbnnnn.exe35⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2348 -
\??\c:\1hhbbt.exec:\1hhbbt.exe36⤵
- Executes dropped EXE
PID:1724 -
\??\c:\pdjjp.exec:\pdjjp.exe37⤵
- Executes dropped EXE
PID:2540 -
\??\c:\lxllrll.exec:\lxllrll.exe38⤵
- Executes dropped EXE
PID:2888 -
\??\c:\3nbbhn.exec:\3nbbhn.exe39⤵
- Executes dropped EXE
PID:2872 -
\??\c:\vjvdp.exec:\vjvdp.exe40⤵
- Executes dropped EXE
PID:2852 -
\??\c:\vpddd.exec:\vpddd.exe41⤵
- Executes dropped EXE
PID:2248 -
\??\c:\xlxrxxx.exec:\xlxrxxx.exe42⤵
- Executes dropped EXE
PID:2520 -
\??\c:\tnbhnn.exec:\tnbhnn.exe43⤵
- Executes dropped EXE
PID:2676 -
\??\c:\jpdvv.exec:\jpdvv.exe44⤵
- Executes dropped EXE
PID:2668 -
\??\c:\7vppv.exec:\7vppv.exe45⤵
- Executes dropped EXE
PID:2688 -
\??\c:\3flrrrr.exec:\3flrrrr.exe46⤵
- Executes dropped EXE
PID:2356 -
\??\c:\bhtttn.exec:\bhtttn.exe47⤵
- Executes dropped EXE
PID:1512 -
\??\c:\hnnbbn.exec:\hnnbbn.exe48⤵
- Executes dropped EXE
PID:2808 -
\??\c:\vvjdj.exec:\vvjdj.exe49⤵
- Executes dropped EXE
PID:2972 -
\??\c:\7jvvp.exec:\7jvvp.exe50⤵
- Executes dropped EXE
PID:2916 -
\??\c:\frxrxrx.exec:\frxrxrx.exe51⤵
- Executes dropped EXE
PID:2820 -
\??\c:\tnttth.exec:\tnttth.exe52⤵
- Executes dropped EXE
PID:2836 -
\??\c:\vjvvp.exec:\vjvvp.exe53⤵
- Executes dropped EXE
PID:1088 -
\??\c:\1llllfr.exec:\1llllfr.exe54⤵
- Executes dropped EXE
PID:996 -
\??\c:\frfxffl.exec:\frfxffl.exe55⤵
- Executes dropped EXE
PID:1480 -
\??\c:\btbhbh.exec:\btbhbh.exe56⤵
- Executes dropped EXE
PID:2308 -
\??\c:\5jppp.exec:\5jppp.exe57⤵
- Executes dropped EXE
PID:3000 -
\??\c:\3djjj.exec:\3djjj.exe58⤵
- Executes dropped EXE
PID:3008 -
\??\c:\lfrrrrr.exec:\lfrrrrr.exe59⤵
- Executes dropped EXE
PID:2068 -
\??\c:\bnbttn.exec:\bnbttn.exe60⤵
- Executes dropped EXE
PID:2416 -
\??\c:\nbthnh.exec:\nbthnh.exe61⤵
- Executes dropped EXE
PID:408 -
\??\c:\vdpjp.exec:\vdpjp.exe62⤵
- Executes dropped EXE
PID:2336 -
\??\c:\frrlffx.exec:\frrlffx.exe63⤵
- Executes dropped EXE
PID:708 -
\??\c:\3xxrrlr.exec:\3xxrrlr.exe64⤵
- Executes dropped EXE
PID:3048 -
\??\c:\nnnbnt.exec:\nnnbnt.exe65⤵
- Executes dropped EXE
PID:2268 -
\??\c:\jvpjj.exec:\jvpjj.exe66⤵PID:1552
-
\??\c:\jpvjj.exec:\jpvjj.exe67⤵PID:764
-
\??\c:\xffxfrr.exec:\xffxfrr.exe68⤵PID:2052
-
\??\c:\nhtnnh.exec:\nhtnnh.exe69⤵PID:2436
-
\??\c:\hthbbh.exec:\hthbbh.exe70⤵PID:1804
-
\??\c:\dpdvv.exec:\dpdvv.exe71⤵PID:2024
-
\??\c:\lrrlfxx.exec:\lrrlfxx.exe72⤵PID:2464
-
\??\c:\lxxrrxr.exec:\lxxrrxr.exe73⤵PID:276
-
\??\c:\5nhttt.exec:\5nhttt.exe74⤵PID:1532
-
\??\c:\dpvpv.exec:\dpvpv.exe75⤵PID:2708
-
\??\c:\dpddd.exec:\dpddd.exe76⤵PID:348
-
\??\c:\xlxrrrx.exec:\xlxrrrx.exe77⤵PID:2716
-
\??\c:\hthhnn.exec:\hthhnn.exe78⤵PID:2272
-
\??\c:\1thnnn.exec:\1thnnn.exe79⤵PID:2764
-
\??\c:\3jpjj.exec:\3jpjj.exe80⤵PID:2628
-
\??\c:\dpjvv.exec:\dpjvv.exe81⤵PID:2780
-
\??\c:\5rxxrll.exec:\5rxxrll.exe82⤵PID:2860
-
\??\c:\7htntn.exec:\7htntn.exe83⤵PID:3020
-
\??\c:\htbnnh.exec:\htbnnh.exe84⤵PID:2912
-
\??\c:\pdjjd.exec:\pdjjd.exe85⤵PID:2844
-
\??\c:\7lxxfff.exec:\7lxxfff.exe86⤵PID:2696
-
\??\c:\nbnnnn.exec:\nbnnnn.exe87⤵PID:2672
-
\??\c:\hnttbb.exec:\hnttbb.exe88⤵PID:2492
-
\??\c:\dvddv.exec:\dvddv.exe89⤵PID:632
-
\??\c:\rffflff.exec:\rffflff.exe90⤵PID:1764
-
\??\c:\hhbtbt.exec:\hhbtbt.exe91⤵PID:2976
-
\??\c:\nnbbhb.exec:\nnbbhb.exe92⤵PID:2916
-
\??\c:\9jvjd.exec:\9jvjd.exe93⤵PID:2832
-
\??\c:\xlllrll.exec:\xlllrll.exe94⤵PID:1896
-
\??\c:\tbhhhb.exec:\tbhhhb.exe95⤵PID:2028
-
\??\c:\djjdd.exec:\djjdd.exe96⤵PID:1852
-
\??\c:\9vddv.exec:\9vddv.exe97⤵PID:1480
-
\??\c:\rfxxxfr.exec:\rfxxxfr.exe98⤵PID:2144
-
\??\c:\fxlrrxl.exec:\fxlrrxl.exe99⤵PID:3000
-
\??\c:\nbnbbt.exec:\nbnbbt.exe100⤵PID:3008
-
\??\c:\5jvvv.exec:\5jvvv.exe101⤵
- System Location Discovery: System Language Discovery
PID:2208 -
\??\c:\pdvvd.exec:\pdvvd.exe102⤵PID:2388
-
\??\c:\lrxrrrx.exec:\lrxrrrx.exe103⤵PID:2404
-
\??\c:\htbbht.exec:\htbbht.exe104⤵PID:2236
-
\??\c:\tnbhbt.exec:\tnbhbt.exe105⤵PID:2216
-
\??\c:\5pvvp.exec:\5pvvp.exe106⤵PID:992
-
\??\c:\5lxrrlr.exec:\5lxrrlr.exe107⤵PID:1448
-
\??\c:\flrlrrx.exec:\flrlrrx.exe108⤵PID:1552
-
\??\c:\5tttnn.exec:\5tttnn.exe109⤵PID:2840
-
\??\c:\dpvpp.exec:\dpvpp.exe110⤵PID:892
-
\??\c:\dvjdj.exec:\dvjdj.exe111⤵PID:2508
-
\??\c:\7rlllfl.exec:\7rlllfl.exe112⤵PID:2476
-
\??\c:\bnbbbt.exec:\bnbbbt.exe113⤵PID:1652
-
\??\c:\jvdvv.exec:\jvdvv.exe114⤵PID:1752
-
\??\c:\dvvjp.exec:\dvvjp.exe115⤵PID:2568
-
\??\c:\1rfxrrx.exec:\1rfxrrx.exe116⤵PID:2704
-
\??\c:\hbnhhh.exec:\hbnhhh.exe117⤵PID:2592
-
\??\c:\tnbbnn.exec:\tnbbnn.exe118⤵PID:2528
-
\??\c:\dpjpp.exec:\dpjpp.exe119⤵PID:2552
-
\??\c:\lxffrxf.exec:\lxffrxf.exe120⤵PID:2752
-
\??\c:\flrlrll.exec:\flrlrll.exe121⤵PID:2772
-
\??\c:\nhbbhh.exec:\nhbbhh.exe122⤵PID:2776