Analysis
-
max time kernel
120s -
max time network
93s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
25-12-2024 15:41
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
7def6588adcd250ab7dab0107e4f1a2c9d63726a24bd1a877f7e74ae50d5f80d.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
120 seconds
General
-
Target
7def6588adcd250ab7dab0107e4f1a2c9d63726a24bd1a877f7e74ae50d5f80d.exe
-
Size
452KB
-
MD5
38b65b6cf884d0d8023cb5ad8350c902
-
SHA1
b2b9431fe8d9cc5f4d6333f6e9341e9347e1be4c
-
SHA256
7def6588adcd250ab7dab0107e4f1a2c9d63726a24bd1a877f7e74ae50d5f80d
-
SHA512
617441695e5e866039484b93ef240397f17fca637fdee67cae27b90370195468ac512bfe4901b3f89623c07eb409a7f1df5a05944bd89477a3ec4fade693a5b6
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeS:q7Tc2NYHUrAwfMp3CDS
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 62 IoCs
resource yara_rule behavioral2/memory/1212-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1600-10-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3256-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1892-25-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1864-28-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2244-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2584-42-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2520-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4928-54-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4188-68-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4540-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2496-76-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2144-82-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4464-91-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4512-96-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4404-104-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1692-117-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2560-123-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3748-140-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2512-150-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/984-155-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2240-178-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3708-187-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4040-191-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1636-195-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1156-204-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4460-208-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/708-212-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5052-216-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3912-219-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1748-223-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3904-233-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4564-237-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1188-253-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5108-257-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/640-273-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1684-277-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3460-281-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2312-285-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1644-289-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3548-293-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2940-303-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4500-328-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5104-341-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4156-348-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4008-352-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/984-389-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4728-402-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1964-418-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4224-422-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1544-426-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3048-430-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4848-446-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2528-472-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2772-488-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3320-498-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2620-580-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2772-704-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4572-798-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2560-1001-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4128-1284-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4752-1509-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1600 xrrlffx.exe 3256 pjjdv.exe 1864 9nnhtn.exe 1892 vjvpp.exe 2244 1rxxrrl.exe 2584 pvvjd.exe 2520 vpjjd.exe 4928 5nhbhh.exe 808 ddjjp.exe 4540 bbhbtn.exe 4188 jdvpp.exe 2496 rlrrrrx.exe 2144 djdvj.exe 2128 1fxlxfr.exe 4464 ttnthn.exe 4512 rxfrxlf.exe 4404 hhnbth.exe 1700 rffrlfx.exe 1692 frlfrxr.exe 2560 7nnnnn.exe 792 nnhbnt.exe 4616 nntnht.exe 3748 pddpj.exe 456 rffrfxl.exe 2512 3hhthb.exe 984 xxflxrx.exe 2440 hbbhbt.exe 3212 fxxlxrl.exe 3264 bnnnbt.exe 4792 dpvjv.exe 2240 xxfxlfr.exe 3708 ntbnhb.exe 4040 bnnbnh.exe 1636 5hnbht.exe 1544 xxlxlfx.exe 1504 1hnhtn.exe 1156 tnnbnh.exe 4460 djpdd.exe 708 rxxxlfx.exe 5052 bnhbtn.exe 3912 bhnbnh.exe 1748 pppjj.exe 4544 rfffrrl.exe 2792 httthb.exe 3904 9nthnt.exe 4564 pdddv.exe 4276 rffxrlx.exe 4904 nbbnbt.exe 1160 vpvvd.exe 1212 7jdpd.exe 1188 1xxrlfx.exe 5108 nhbttn.exe 4068 1jvpj.exe 4232 7rfxffx.exe 3312 htthbn.exe 1660 bnthhb.exe 640 jddvj.exe 1684 rlrfxrl.exe 3460 httnhb.exe 2312 tbbttn.exe 1644 jdjpd.exe 3548 fxlfxrl.exe 4948 nntnhn.exe 4044 5xrlxxr.exe -
resource yara_rule behavioral2/memory/1212-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1600-10-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1864-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3256-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1892-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1864-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2244-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2584-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2520-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4928-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4188-68-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4540-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2496-76-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2144-82-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4464-91-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4512-96-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4404-104-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1692-117-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2560-123-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3748-140-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2512-150-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/984-155-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2240-178-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3708-187-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4040-191-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1636-195-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1156-204-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4460-208-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/708-212-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5052-216-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3912-219-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1748-223-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3904-233-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4564-237-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1188-253-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5108-257-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/640-273-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1684-277-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3460-281-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2312-285-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1644-289-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3548-293-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2940-303-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4500-328-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5104-341-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4156-348-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4008-352-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/984-389-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4728-402-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1964-418-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4224-422-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1544-426-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3048-430-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4848-446-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4292-465-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2528-472-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2772-488-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3320-498-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2620-580-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2772-704-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4572-798-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2560-1001-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4128-1284-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4564-1303-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fflfllx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnttbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fllfxrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxlfxrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhtnhh.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frxxfxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttthbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbbtnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxllxlx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1vvjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1jppj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1tbttb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9pjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1tnhhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3llffxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lflxrxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vppjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xflfxxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1212 wrote to memory of 1600 1212 7def6588adcd250ab7dab0107e4f1a2c9d63726a24bd1a877f7e74ae50d5f80d.exe 82 PID 1212 wrote to memory of 1600 1212 7def6588adcd250ab7dab0107e4f1a2c9d63726a24bd1a877f7e74ae50d5f80d.exe 82 PID 1212 wrote to memory of 1600 1212 7def6588adcd250ab7dab0107e4f1a2c9d63726a24bd1a877f7e74ae50d5f80d.exe 82 PID 1600 wrote to memory of 3256 1600 xrrlffx.exe 83 PID 1600 wrote to memory of 3256 1600 xrrlffx.exe 83 PID 1600 wrote to memory of 3256 1600 xrrlffx.exe 83 PID 3256 wrote to memory of 1864 3256 pjjdv.exe 84 PID 3256 wrote to memory of 1864 3256 pjjdv.exe 84 PID 3256 wrote to memory of 1864 3256 pjjdv.exe 84 PID 1864 wrote to memory of 1892 1864 9nnhtn.exe 85 PID 1864 wrote to memory of 1892 1864 9nnhtn.exe 85 PID 1864 wrote to memory of 1892 1864 9nnhtn.exe 85 PID 1892 wrote to memory of 2244 1892 vjvpp.exe 86 PID 1892 wrote to memory of 2244 1892 vjvpp.exe 86 PID 1892 wrote to memory of 2244 1892 vjvpp.exe 86 PID 2244 wrote to memory of 2584 2244 1rxxrrl.exe 87 PID 2244 wrote to memory of 2584 2244 1rxxrrl.exe 87 PID 2244 wrote to memory of 2584 2244 1rxxrrl.exe 87 PID 2584 wrote to memory of 2520 2584 pvvjd.exe 88 PID 2584 wrote to memory of 2520 2584 pvvjd.exe 88 PID 2584 wrote to memory of 2520 2584 pvvjd.exe 88 PID 2520 wrote to memory of 4928 2520 vpjjd.exe 89 PID 2520 wrote to memory of 4928 2520 vpjjd.exe 89 PID 2520 wrote to memory of 4928 2520 vpjjd.exe 89 PID 4928 wrote to memory of 808 4928 5nhbhh.exe 90 PID 4928 wrote to memory of 808 4928 5nhbhh.exe 90 PID 4928 wrote to memory of 808 4928 5nhbhh.exe 90 PID 808 wrote to memory of 4540 808 ddjjp.exe 91 PID 808 wrote to memory of 4540 808 ddjjp.exe 91 PID 808 wrote to memory of 4540 808 ddjjp.exe 91 PID 4540 wrote to memory of 4188 4540 bbhbtn.exe 92 PID 4540 wrote to memory of 4188 4540 bbhbtn.exe 92 PID 4540 wrote to memory of 4188 4540 bbhbtn.exe 92 PID 4188 wrote to memory of 2496 4188 jdvpp.exe 93 PID 4188 wrote to memory of 2496 4188 
jdvpp.exe 93 PID 4188 wrote to memory of 2496 4188 jdvpp.exe 93 PID 2496 wrote to memory of 2144 2496 rlrrrrx.exe 94 PID 2496 wrote to memory of 2144 2496 rlrrrrx.exe 94 PID 2496 wrote to memory of 2144 2496 rlrrrrx.exe 94 PID 2144 wrote to memory of 2128 2144 djdvj.exe 95 PID 2144 wrote to memory of 2128 2144 djdvj.exe 95 PID 2144 wrote to memory of 2128 2144 djdvj.exe 95 PID 2128 wrote to memory of 4464 2128 1fxlxfr.exe 96 PID 2128 wrote to memory of 4464 2128 1fxlxfr.exe 96 PID 2128 wrote to memory of 4464 2128 1fxlxfr.exe 96 PID 4464 wrote to memory of 4512 4464 ttnthn.exe 97 PID 4464 wrote to memory of 4512 4464 ttnthn.exe 97 PID 4464 wrote to memory of 4512 4464 ttnthn.exe 97 PID 4512 wrote to memory of 4404 4512 rxfrxlf.exe 98 PID 4512 wrote to memory of 4404 4512 rxfrxlf.exe 98 PID 4512 wrote to memory of 4404 4512 rxfrxlf.exe 98 PID 4404 wrote to memory of 1700 4404 hhnbth.exe 99 PID 4404 wrote to memory of 1700 4404 hhnbth.exe 99 PID 4404 wrote to memory of 1700 4404 hhnbth.exe 99 PID 1700 wrote to memory of 1692 1700 rffrlfx.exe 100 PID 1700 wrote to memory of 1692 1700 rffrlfx.exe 100 PID 1700 wrote to memory of 1692 1700 rffrlfx.exe 100 PID 1692 wrote to memory of 2560 1692 frlfrxr.exe 101 PID 1692 wrote to memory of 2560 1692 frlfrxr.exe 101 PID 1692 wrote to memory of 2560 1692 frlfrxr.exe 101 PID 2560 wrote to memory of 792 2560 7nnnnn.exe 102 PID 2560 wrote to memory of 792 2560 7nnnnn.exe 102 PID 2560 wrote to memory of 792 2560 7nnnnn.exe 102 PID 792 wrote to memory of 4616 792 nnhbnt.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\7def6588adcd250ab7dab0107e4f1a2c9d63726a24bd1a877f7e74ae50d5f80d.exe"C:\Users\Admin\AppData\Local\Temp\7def6588adcd250ab7dab0107e4f1a2c9d63726a24bd1a877f7e74ae50d5f80d.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1212 -
\??\c:\xrrlffx.exec:\xrrlffx.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1600 -
\??\c:\pjjdv.exec:\pjjdv.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3256 -
\??\c:\9nnhtn.exec:\9nnhtn.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1864 -
\??\c:\vjvpp.exec:\vjvpp.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1892 -
\??\c:\1rxxrrl.exec:\1rxxrrl.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2244 -
\??\c:\pvvjd.exec:\pvvjd.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2584 -
\??\c:\vpjjd.exec:\vpjjd.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2520 -
\??\c:\5nhbhh.exec:\5nhbhh.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4928 -
\??\c:\ddjjp.exec:\ddjjp.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:808 -
\??\c:\bbhbtn.exec:\bbhbtn.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4540 -
\??\c:\jdvpp.exec:\jdvpp.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4188 -
\??\c:\rlrrrrx.exec:\rlrrrrx.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2496 -
\??\c:\djdvj.exec:\djdvj.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2144 -
\??\c:\1fxlxfr.exec:\1fxlxfr.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2128 -
\??\c:\ttnthn.exec:\ttnthn.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4464 -
\??\c:\rxfrxlf.exec:\rxfrxlf.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4512 -
\??\c:\hhnbth.exec:\hhnbth.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4404 -
\??\c:\rffrlfx.exec:\rffrlfx.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1700 -
\??\c:\frlfrxr.exec:\frlfrxr.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1692 -
\??\c:\7nnnnn.exec:\7nnnnn.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2560 -
\??\c:\nnhbnt.exec:\nnhbnt.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:792 -
\??\c:\nntnht.exec:\nntnht.exe23⤵
- Executes dropped EXE
PID:4616 -
\??\c:\pddpj.exec:\pddpj.exe24⤵
- Executes dropped EXE
PID:3748 -
\??\c:\rffrfxl.exec:\rffrfxl.exe25⤵
- Executes dropped EXE
PID:456 -
\??\c:\3hhthb.exec:\3hhthb.exe26⤵
- Executes dropped EXE
PID:2512 -
\??\c:\xxflxrx.exec:\xxflxrx.exe27⤵
- Executes dropped EXE
PID:984 -
\??\c:\hbbhbt.exec:\hbbhbt.exe28⤵
- Executes dropped EXE
PID:2440 -
\??\c:\fxxlxrl.exec:\fxxlxrl.exe29⤵
- Executes dropped EXE
PID:3212 -
\??\c:\bnnnbt.exec:\bnnnbt.exe30⤵
- Executes dropped EXE
PID:3264 -
\??\c:\dpvjv.exec:\dpvjv.exe31⤵
- Executes dropped EXE
PID:4792 -
\??\c:\xxfxlfr.exec:\xxfxlfr.exe32⤵
- Executes dropped EXE
PID:2240 -
\??\c:\ntbnhb.exec:\ntbnhb.exe33⤵
- Executes dropped EXE
PID:3708 -
\??\c:\bnnbnh.exec:\bnnbnh.exe34⤵
- Executes dropped EXE
PID:4040 -
\??\c:\5hnbht.exec:\5hnbht.exe35⤵
- Executes dropped EXE
PID:1636 -
\??\c:\xxlxlfx.exec:\xxlxlfx.exe36⤵
- Executes dropped EXE
PID:1544 -
\??\c:\1hnhtn.exec:\1hnhtn.exe37⤵
- Executes dropped EXE
PID:1504 -
\??\c:\tnnbnh.exec:\tnnbnh.exe38⤵
- Executes dropped EXE
PID:1156 -
\??\c:\djpdd.exec:\djpdd.exe39⤵
- Executes dropped EXE
PID:4460 -
\??\c:\rxxxlfx.exec:\rxxxlfx.exe40⤵
- Executes dropped EXE
PID:708 -
\??\c:\bnhbtn.exec:\bnhbtn.exe41⤵
- Executes dropped EXE
PID:5052 -
\??\c:\bhnbnh.exec:\bhnbnh.exe42⤵
- Executes dropped EXE
PID:3912 -
\??\c:\pppjj.exec:\pppjj.exe43⤵
- Executes dropped EXE
PID:1748 -
\??\c:\rfffrrl.exec:\rfffrrl.exe44⤵
- Executes dropped EXE
PID:4544 -
\??\c:\httthb.exec:\httthb.exe45⤵
- Executes dropped EXE
PID:2792 -
\??\c:\9nthnt.exec:\9nthnt.exe46⤵
- Executes dropped EXE
PID:3904 -
\??\c:\pdddv.exec:\pdddv.exe47⤵
- Executes dropped EXE
PID:4564 -
\??\c:\rffxrlx.exec:\rffxrlx.exe48⤵
- Executes dropped EXE
PID:4276 -
\??\c:\nbbnbt.exec:\nbbnbt.exe49⤵
- Executes dropped EXE
PID:4904 -
\??\c:\vpvvd.exec:\vpvvd.exe50⤵
- Executes dropped EXE
PID:1160 -
\??\c:\7jdpd.exec:\7jdpd.exe51⤵
- Executes dropped EXE
PID:1212 -
\??\c:\1xxrlfx.exec:\1xxrlfx.exe52⤵
- Executes dropped EXE
PID:1188 -
\??\c:\nhbttn.exec:\nhbttn.exe53⤵
- Executes dropped EXE
PID:5108 -
\??\c:\1jvpj.exec:\1jvpj.exe54⤵
- Executes dropped EXE
PID:4068 -
\??\c:\7rfxffx.exec:\7rfxffx.exe55⤵
- Executes dropped EXE
PID:4232 -
\??\c:\htthbn.exec:\htthbn.exe56⤵
- Executes dropped EXE
PID:3312 -
\??\c:\bnthhb.exec:\bnthhb.exe57⤵
- Executes dropped EXE
PID:1660 -
\??\c:\jddvj.exec:\jddvj.exe58⤵
- Executes dropped EXE
PID:640 -
\??\c:\rlrfxrl.exec:\rlrfxrl.exe59⤵
- Executes dropped EXE
PID:1684 -
\??\c:\httnhb.exec:\httnhb.exe60⤵
- Executes dropped EXE
PID:3460 -
\??\c:\tbbttn.exec:\tbbttn.exe61⤵
- Executes dropped EXE
PID:2312 -
\??\c:\jdjpd.exec:\jdjpd.exe62⤵
- Executes dropped EXE
PID:1644 -
\??\c:\fxlfxrl.exec:\fxlfxrl.exe63⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3548 -
\??\c:\nntnhn.exec:\nntnhn.exe64⤵
- Executes dropped EXE
PID:4948 -
\??\c:\5xrlxxr.exec:\5xrlxxr.exe65⤵
- Executes dropped EXE
PID:4044 -
\??\c:\5xfrlfx.exec:\5xfrlfx.exe66⤵PID:2940
-
\??\c:\3nnhbt.exec:\3nnhbt.exe67⤵PID:4808
-
\??\c:\dvvpj.exec:\dvvpj.exe68⤵PID:3944
-
\??\c:\xfflxrl.exec:\xfflxrl.exe69⤵PID:5072
-
\??\c:\bhhbbt.exec:\bhhbbt.exe70⤵PID:2012
-
\??\c:\ttbnbt.exec:\ttbnbt.exe71⤵PID:3064
-
\??\c:\jvdvd.exec:\jvdvd.exe72⤵PID:972
-
\??\c:\3fxrlll.exec:\3fxrlll.exe73⤵PID:208
-
\??\c:\nbthnn.exec:\nbthnn.exe74⤵PID:4500
-
\??\c:\vjjdv.exec:\vjjdv.exe75⤵PID:3000
-
\??\c:\rlxlxxr.exec:\rlxlxxr.exe76⤵PID:1168
-
\??\c:\hbnhhb.exec:\hbnhhb.exe77⤵PID:2836
-
\??\c:\bntnhh.exec:\bntnhh.exe78⤵PID:5104
-
\??\c:\ddvvp.exec:\ddvvp.exe79⤵PID:4244
-
\??\c:\3fxxrrl.exec:\3fxxrrl.exe80⤵PID:4156
-
\??\c:\xlxrllf.exec:\xlxrllf.exe81⤵PID:4008
-
\??\c:\nnttbt.exec:\nnttbt.exe82⤵PID:1432
-
\??\c:\jddvj.exec:\jddvj.exe83⤵PID:2620
-
\??\c:\flxrrlf.exec:\flxrrlf.exe84⤵PID:4572
-
\??\c:\bthbbb.exec:\bthbbb.exe85⤵PID:2608
-
\??\c:\5hnhtt.exec:\5hnhtt.exe86⤵PID:1732
-
\??\c:\jpvpd.exec:\jpvpd.exe87⤵PID:3084
-
\??\c:\pjpdv.exec:\pjpdv.exe88⤵PID:3748
-
\??\c:\9lrlxll.exec:\9lrlxll.exe89⤵PID:464
-
\??\c:\hnbtht.exec:\hnbtht.exe90⤵PID:456
-
\??\c:\9pjdv.exec:\9pjdv.exe91⤵PID:1172
-
\??\c:\dpvjd.exec:\dpvjd.exe92⤵PID:432
-
\??\c:\5xxlfxr.exec:\5xxlfxr.exe93⤵PID:984
-
\??\c:\7btnhh.exec:\7btnhh.exe94⤵PID:3752
-
\??\c:\tnbttt.exec:\tnbttt.exe95⤵PID:3212
-
\??\c:\7pjdp.exec:\7pjdp.exe96⤵PID:3744
-
\??\c:\lrlflrl.exec:\lrlflrl.exe97⤵PID:4728
-
\??\c:\hntbtn.exec:\hntbtn.exe98⤵PID:3596
-
\??\c:\hhhbnn.exec:\hhhbnn.exe99⤵PID:5100
-
\??\c:\5vvjd.exec:\5vvjd.exe100⤵PID:512
-
\??\c:\lrlxrlf.exec:\lrlxrlf.exe101⤵PID:3348
-
\??\c:\7hbthh.exec:\7hbthh.exe102⤵PID:1964
-
\??\c:\ddjvp.exec:\ddjvp.exe103⤵PID:4224
-
\??\c:\9xxrffr.exec:\9xxrffr.exe104⤵PID:1544
-
\??\c:\lrxxrrl.exec:\lrxxrrl.exe105⤵PID:3048
-
\??\c:\bhtnhh.exec:\bhtnhh.exe106⤵
- System Location Discovery: System Language Discovery
PID:4972 -
\??\c:\pdjdd.exec:\pdjdd.exe107⤵PID:1752
-
\??\c:\jvvpj.exec:\jvvpj.exe108⤵PID:860
-
\??\c:\bbhbnn.exec:\bbhbnn.exe109⤵PID:5052
-
\??\c:\pddvj.exec:\pddvj.exe110⤵PID:4848
-
\??\c:\vjjdp.exec:\vjjdp.exe111⤵PID:1748
-
\??\c:\fxxlfxr.exec:\fxxlfxr.exe112⤵PID:4544
-
\??\c:\tttbnt.exec:\tttbnt.exe113⤵PID:2792
-
\??\c:\pjdvv.exec:\pjdvv.exe114⤵PID:928
-
\??\c:\7frrfxx.exec:\7frrfxx.exe115⤵PID:4752
-
\??\c:\rxfxrrl.exec:\rxfxrrl.exe116⤵PID:4324
-
\??\c:\tnbbbb.exec:\tnbbbb.exe117⤵PID:4292
-
\??\c:\jpvpd.exec:\jpvpd.exe118⤵PID:2528
-
\??\c:\1jpjp.exec:\1jpjp.exe119⤵PID:2192
-
\??\c:\fxllffx.exec:\fxllffx.exe120⤵PID:4228
-
\??\c:\nhnhnh.exec:\nhnhnh.exe121⤵PID:1000
-
\??\c:\pdpdd.exec:\pdpdd.exe122⤵PID:2564