Analysis
-
max time kernel
120s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
25-12-2024 15:21
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
8916386f5eb402a829549ad1d53e2e7ccdbf55ba4b3eecd562e80ac28f9894a8.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
120 seconds
General
-
Target
8916386f5eb402a829549ad1d53e2e7ccdbf55ba4b3eecd562e80ac28f9894a8.exe
-
Size
454KB
-
MD5
36422be938201fae0145f111592856c8
-
SHA1
742820e2b3a82262d4056ee19e53353191c3e31f
-
SHA256
8916386f5eb402a829549ad1d53e2e7ccdbf55ba4b3eecd562e80ac28f9894a8
-
SHA512
8138cc495f1dcb3baffd9013544d029857ddc5686950c2ca83918f86ab3d7a4a0e0238f2138b89df7e35f641d663728667b4ffb2bb3676dbed57fc330055086d
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe8:q7Tc2NYHUrAwfMp3CD8
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 52 IoCs
resource yara_rule behavioral1/memory/2832-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2932-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3020-28-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2756-49-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1700-45-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2700-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2600-84-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1108-119-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/396-121-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/796-139-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1944-137-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1936-155-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1988-166-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1988-165-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/332-183-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1800-217-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1800-216-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1044-229-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1752-231-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1524-255-0x0000000000430000-0x000000000045A000-memory.dmp family_blackmoon behavioral1/memory/288-273-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon 
behavioral1/memory/2632-283-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2956-301-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1620-307-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/380-320-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2720-362-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2728-370-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2668-371-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/848-398-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2368-425-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/676-432-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1960-445-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2072-515-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1240-549-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2124-556-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/3020-589-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2108-602-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2756-611-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2240-628-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/2568-635-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1032-661-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/796-693-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon 
behavioral1/memory/1960-718-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2136-750-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2724-757-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2072-790-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/3004-839-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2836-881-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1640-957-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/784-964-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1036-977-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1036-999-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs (note: several PIDs in this list — e.g. 1404, 2756, 2728, 332 — reappear later in the run with a different image name, so a PID on its own does not identify a process in this report; pair it with the image name and its position in the process tree)
pid Process 2932 xlxxxxr.exe 3020 ttnttt.exe 1404 5rlfrrl.exe 1700 tntbnn.exe 2756 xxlrrrr.exe 2700 1xlrrrx.exe 2780 jdpvp.exe 2728 xxxrffx.exe 2600 ttnbtb.exe 2608 ppjpv.exe 2976 xrrxllx.exe 1108 btntbh.exe 396 3ddjd.exe 1944 fxrrffx.exe 796 vppvj.exe 1936 3pjpj.exe 1988 7bnbnt.exe 1660 pvjpp.exe 332 1hhnbh.exe 2948 jdvvj.exe 2864 xrffllr.exe 2388 5nhnbh.exe 1800 xlfxxrx.exe 1044 ffxfllf.exe 1752 1dpjj.exe 2420 1fxlrxr.exe 1524 rlflxfx.exe 2452 pdvpd.exe 288 7nbhnt.exe 2632 vdvdp.exe 2448 xxxlffr.exe 2956 nhbbhh.exe 1620 vpjjj.exe 2148 3frxrff.exe 380 hbnnnn.exe 1404 5vjpv.exe 2244 ffrxlfl.exe 2756 rlllxrf.exe 2552 nhbbth.exe 2580 vjvvd.exe 2720 xrflrlr.exe 2728 lfxfrxf.exe 2668 bthntt.exe 2440 3pddj.exe 1056 vvdvv.exe 1796 lfxxxfl.exe 848 nbhhnb.exe 300 nhbbnn.exe 532 jdpvj.exe 2368 vvvpj.exe 676 5xrrxrr.exe 2032 hbnbbb.exe 1960 htnntn.exe 2532 1dpjv.exe 2996 fxrrxrl.exe 332 nhttbh.exe 2856 tbhhnh.exe 2960 ddpvj.exe 2144 rfrrxxx.exe 2436 xrxxfff.exe 1376 nthbhh.exe 2000 7jddd.exe 1736 5jvdd.exe 2196 fxxrxxf.exe -
resource yara_rule behavioral1/memory/2832-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2932-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3020-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1404-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2756-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1700-45-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2700-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2600-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1108-119-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/396-121-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/796-139-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1944-137-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1936-155-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1988-165-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/332-183-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1800-216-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1044-229-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1752-231-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1524-255-0x0000000000430000-0x000000000045A000-memory.dmp upx behavioral1/memory/2632-283-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2448-285-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2956-293-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2956-301-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1620-307-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/380-320-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2756-334-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2720-355-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2720-363-0x00000000001B0000-0x00000000001DA000-memory.dmp upx behavioral1/memory/2720-362-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2728-370-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2668-371-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/848-398-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2368-425-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1960-445-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1960-446-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/332-459-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1376-490-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2072-515-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1240-542-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1240-549-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3008-557-0x0000000000230000-0x000000000025A000-memory.dmp upx behavioral1/memory/2124-556-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2944-564-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3020-589-0x00000000001B0000-0x00000000001DA000-memory.dmp upx behavioral1/memory/2240-628-0x00000000003C0000-0x00000000003EA000-memory.dmp upx behavioral1/memory/2568-635-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1032-661-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/796-693-0x00000000001B0000-0x00000000001DA000-memory.dmp upx 
behavioral1/memory/1960-718-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2136-725-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2072-790-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/3004-839-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2836-881-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/580-925-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1640-950-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/332-1004-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location. Many of the entries below are attributed to "Process not Found", meaning the sandbox could not resolve the originating process (presumably because the short-lived dropped executable had already exited); those reads cannot be tied to a specific image name from this report alone.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxllxrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdpjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9bnntt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5frrrll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjjpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbtbbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3djvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7tnhnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9jddv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1pdjd.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxflxfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbnthh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddvjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpjpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3pvpp.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2832 wrote to memory of 2932 2832 8916386f5eb402a829549ad1d53e2e7ccdbf55ba4b3eecd562e80ac28f9894a8.exe 31 PID 2832 wrote to memory of 2932 2832 8916386f5eb402a829549ad1d53e2e7ccdbf55ba4b3eecd562e80ac28f9894a8.exe 31 PID 2832 wrote to memory of 2932 2832 8916386f5eb402a829549ad1d53e2e7ccdbf55ba4b3eecd562e80ac28f9894a8.exe 31 PID 2832 wrote to memory of 2932 2832 8916386f5eb402a829549ad1d53e2e7ccdbf55ba4b3eecd562e80ac28f9894a8.exe 31 PID 2932 wrote to memory of 3020 2932 xlxxxxr.exe 32 PID 2932 wrote to memory of 3020 2932 xlxxxxr.exe 32 PID 2932 wrote to memory of 3020 2932 xlxxxxr.exe 32 PID 2932 wrote to memory of 3020 2932 xlxxxxr.exe 32 PID 3020 wrote to memory of 1404 3020 ttnttt.exe 33 PID 3020 wrote to memory of 1404 3020 ttnttt.exe 33 PID 3020 wrote to memory of 1404 3020 ttnttt.exe 33 PID 3020 wrote to memory of 1404 3020 ttnttt.exe 33 PID 1404 wrote to memory of 1700 1404 5rlfrrl.exe 34 PID 1404 wrote to memory of 1700 1404 5rlfrrl.exe 34 PID 1404 wrote to memory of 1700 1404 5rlfrrl.exe 34 PID 1404 wrote to memory of 1700 1404 5rlfrrl.exe 34 PID 1700 wrote to memory of 2756 1700 tntbnn.exe 35 PID 1700 wrote to memory of 2756 1700 tntbnn.exe 35 PID 1700 wrote to memory of 2756 1700 tntbnn.exe 35 PID 1700 wrote to memory of 2756 1700 tntbnn.exe 35 PID 2756 wrote to memory of 2700 2756 xxlrrrr.exe 36 PID 2756 wrote to memory of 2700 2756 xxlrrrr.exe 36 PID 2756 wrote to memory of 2700 2756 xxlrrrr.exe 36 PID 2756 wrote to memory of 2700 2756 xxlrrrr.exe 36 PID 2700 wrote to memory of 2780 2700 1xlrrrx.exe 37 PID 2700 wrote to memory of 2780 2700 1xlrrrx.exe 37 PID 2700 wrote to memory of 2780 2700 1xlrrrx.exe 37 PID 2700 wrote to memory of 2780 2700 1xlrrrx.exe 37 PID 2780 wrote to memory of 2728 2780 jdpvp.exe 38 PID 2780 wrote to memory of 2728 2780 jdpvp.exe 38 PID 2780 wrote to memory of 2728 2780 jdpvp.exe 38 PID 2780 wrote to memory of 2728 2780 jdpvp.exe 38 PID 2728 wrote to memory of 2600 2728 xxxrffx.exe 39 
PID 2728 wrote to memory of 2600 2728 xxxrffx.exe 39 PID 2728 wrote to memory of 2600 2728 xxxrffx.exe 39 PID 2728 wrote to memory of 2600 2728 xxxrffx.exe 39 PID 2600 wrote to memory of 2608 2600 ttnbtb.exe 40 PID 2600 wrote to memory of 2608 2600 ttnbtb.exe 40 PID 2600 wrote to memory of 2608 2600 ttnbtb.exe 40 PID 2600 wrote to memory of 2608 2600 ttnbtb.exe 40 PID 2608 wrote to memory of 2976 2608 ppjpv.exe 41 PID 2608 wrote to memory of 2976 2608 ppjpv.exe 41 PID 2608 wrote to memory of 2976 2608 ppjpv.exe 41 PID 2608 wrote to memory of 2976 2608 ppjpv.exe 41 PID 2976 wrote to memory of 1108 2976 xrrxllx.exe 42 PID 2976 wrote to memory of 1108 2976 xrrxllx.exe 42 PID 2976 wrote to memory of 1108 2976 xrrxllx.exe 42 PID 2976 wrote to memory of 1108 2976 xrrxllx.exe 42 PID 1108 wrote to memory of 396 1108 btntbh.exe 43 PID 1108 wrote to memory of 396 1108 btntbh.exe 43 PID 1108 wrote to memory of 396 1108 btntbh.exe 43 PID 1108 wrote to memory of 396 1108 btntbh.exe 43 PID 396 wrote to memory of 1944 396 3ddjd.exe 44 PID 396 wrote to memory of 1944 396 3ddjd.exe 44 PID 396 wrote to memory of 1944 396 3ddjd.exe 44 PID 396 wrote to memory of 1944 396 3ddjd.exe 44 PID 1944 wrote to memory of 796 1944 fxrrffx.exe 45 PID 1944 wrote to memory of 796 1944 fxrrffx.exe 45 PID 1944 wrote to memory of 796 1944 fxrrffx.exe 45 PID 1944 wrote to memory of 796 1944 fxrrffx.exe 45 PID 796 wrote to memory of 1936 796 vppvj.exe 46 PID 796 wrote to memory of 1936 796 vppvj.exe 46 PID 796 wrote to memory of 1936 796 vppvj.exe 46 PID 796 wrote to memory of 1936 796 vppvj.exe 46
Processes
-
C:\Users\Admin\AppData\Local\Temp\8916386f5eb402a829549ad1d53e2e7ccdbf55ba4b3eecd562e80ac28f9894a8.exe"C:\Users\Admin\AppData\Local\Temp\8916386f5eb402a829549ad1d53e2e7ccdbf55ba4b3eecd562e80ac28f9894a8.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2832 -
\??\c:\xlxxxxr.exec:\xlxxxxr.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2932 -
\??\c:\ttnttt.exec:\ttnttt.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3020 -
\??\c:\5rlfrrl.exec:\5rlfrrl.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1404 -
\??\c:\tntbnn.exec:\tntbnn.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1700 -
\??\c:\xxlrrrr.exec:\xxlrrrr.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2756 -
\??\c:\1xlrrrx.exec:\1xlrrrx.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2700 -
\??\c:\jdpvp.exec:\jdpvp.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2780 -
\??\c:\xxxrffx.exec:\xxxrffx.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2728 -
\??\c:\ttnbtb.exec:\ttnbtb.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2600 -
\??\c:\ppjpv.exec:\ppjpv.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2608 -
\??\c:\xrrxllx.exec:\xrrxllx.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2976 -
\??\c:\btntbh.exec:\btntbh.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1108 -
\??\c:\3ddjd.exec:\3ddjd.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:396 -
\??\c:\fxrrffx.exec:\fxrrffx.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1944 -
\??\c:\vppvj.exec:\vppvj.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:796 -
\??\c:\3pjpj.exec:\3pjpj.exe17⤵
- Executes dropped EXE
PID:1936 -
\??\c:\7bnbnt.exec:\7bnbnt.exe18⤵
- Executes dropped EXE
PID:1988 -
\??\c:\pvjpp.exec:\pvjpp.exe19⤵
- Executes dropped EXE
PID:1660 -
\??\c:\1hhnbh.exec:\1hhnbh.exe20⤵
- Executes dropped EXE
PID:332 -
\??\c:\jdvvj.exec:\jdvvj.exe21⤵
- Executes dropped EXE
PID:2948 -
\??\c:\xrffllr.exec:\xrffllr.exe22⤵
- Executes dropped EXE
PID:2864 -
\??\c:\5nhnbh.exec:\5nhnbh.exe23⤵
- Executes dropped EXE
PID:2388 -
\??\c:\xlfxxrx.exec:\xlfxxrx.exe24⤵
- Executes dropped EXE
PID:1800 -
\??\c:\ffxfllf.exec:\ffxfllf.exe25⤵
- Executes dropped EXE
PID:1044 -
\??\c:\1dpjj.exec:\1dpjj.exe26⤵
- Executes dropped EXE
PID:1752 -
\??\c:\1fxlrxr.exec:\1fxlrxr.exe27⤵
- Executes dropped EXE
PID:2420 -
\??\c:\rlflxfx.exec:\rlflxfx.exe28⤵
- Executes dropped EXE
PID:1524 -
\??\c:\pdvpd.exec:\pdvpd.exe29⤵
- Executes dropped EXE
PID:2452 -
\??\c:\7nbhnt.exec:\7nbhnt.exe30⤵
- Executes dropped EXE
PID:288 -
\??\c:\vdvdp.exec:\vdvdp.exe31⤵
- Executes dropped EXE
PID:2632 -
\??\c:\xxxlffr.exec:\xxxlffr.exe32⤵
- Executes dropped EXE
PID:2448 -
\??\c:\nhbbhh.exec:\nhbbhh.exe33⤵
- Executes dropped EXE
PID:2956 -
\??\c:\vpjjj.exec:\vpjjj.exe34⤵
- Executes dropped EXE
PID:1620 -
\??\c:\3frxrff.exec:\3frxrff.exe35⤵
- Executes dropped EXE
PID:2148 -
\??\c:\hbnnnn.exec:\hbnnnn.exe36⤵
- Executes dropped EXE
PID:380 -
\??\c:\5vjpv.exec:\5vjpv.exe37⤵
- Executes dropped EXE
PID:1404 -
\??\c:\ffrxlfl.exec:\ffrxlfl.exe38⤵
- Executes dropped EXE
PID:2244 -
\??\c:\rlllxrf.exec:\rlllxrf.exe39⤵
- Executes dropped EXE
PID:2756 -
\??\c:\nhbbth.exec:\nhbbth.exe40⤵
- Executes dropped EXE
PID:2552 -
\??\c:\vjvvd.exec:\vjvvd.exe41⤵
- Executes dropped EXE
PID:2580 -
\??\c:\xrflrlr.exec:\xrflrlr.exe42⤵
- Executes dropped EXE
PID:2720 -
\??\c:\lfxfrxf.exec:\lfxfrxf.exe43⤵
- Executes dropped EXE
PID:2728 -
\??\c:\bthntt.exec:\bthntt.exe44⤵
- Executes dropped EXE
PID:2668 -
\??\c:\3pddj.exec:\3pddj.exe45⤵
- Executes dropped EXE
PID:2440 -
\??\c:\vvdvv.exec:\vvdvv.exe46⤵
- Executes dropped EXE
PID:1056 -
\??\c:\lfxxxfl.exec:\lfxxxfl.exe47⤵
- Executes dropped EXE
PID:1796 -
\??\c:\nbhhnb.exec:\nbhhnb.exe48⤵
- Executes dropped EXE
PID:848 -
\??\c:\nhbbnn.exec:\nhbbnn.exe49⤵
- Executes dropped EXE
PID:300 -
\??\c:\jdpvj.exec:\jdpvj.exe50⤵
- Executes dropped EXE
PID:532 -
\??\c:\vvvpj.exec:\vvvpj.exe51⤵
- Executes dropped EXE
PID:2368 -
\??\c:\5xrrxrr.exec:\5xrrxrr.exe52⤵
- Executes dropped EXE
PID:676 -
\??\c:\hbnbbb.exec:\hbnbbb.exe53⤵
- Executes dropped EXE
PID:2032 -
\??\c:\htnntn.exec:\htnntn.exe54⤵
- Executes dropped EXE
PID:1960 -
\??\c:\1dpjv.exec:\1dpjv.exe55⤵
- Executes dropped EXE
PID:2532 -
\??\c:\fxrrxrl.exec:\fxrrxrl.exe56⤵
- Executes dropped EXE
PID:2996 -
\??\c:\nhttbh.exec:\nhttbh.exe57⤵
- Executes dropped EXE
PID:332 -
\??\c:\tbhhnh.exec:\tbhhnh.exe58⤵
- Executes dropped EXE
PID:2856 -
\??\c:\ddpvj.exec:\ddpvj.exe59⤵
- Executes dropped EXE
PID:2960 -
\??\c:\rfrrxxx.exec:\rfrrxxx.exe60⤵
- Executes dropped EXE
PID:2144 -
\??\c:\xrxxfff.exec:\xrxxfff.exe61⤵
- Executes dropped EXE
PID:2436 -
\??\c:\nthbhh.exec:\nthbhh.exe62⤵
- Executes dropped EXE
PID:1376 -
\??\c:\7jddd.exec:\7jddd.exe63⤵
- Executes dropped EXE
PID:2000 -
\??\c:\5jvdd.exec:\5jvdd.exe64⤵
- Executes dropped EXE
PID:1736 -
\??\c:\fxxrxxf.exec:\fxxrxxf.exe65⤵
- Executes dropped EXE
PID:2196 -
\??\c:\bnnnhh.exec:\bnnnhh.exe66⤵PID:2072
-
\??\c:\nnhtht.exec:\nnhtht.exe67⤵PID:876
-
\??\c:\dvppv.exec:\dvppv.exe68⤵PID:3008
-
\??\c:\7fxfflr.exec:\7fxfflr.exe69⤵PID:1324
-
\??\c:\9htbhh.exec:\9htbhh.exe70⤵PID:1240
-
\??\c:\hhtbhh.exec:\hhtbhh.exe71⤵PID:2124
-
\??\c:\djvvv.exec:\djvvv.exe72⤵PID:2320
-
\??\c:\3ffflrf.exec:\3ffflrf.exe73⤵PID:2944
-
\??\c:\nhttbb.exec:\nhttbb.exe74⤵PID:3024
-
\??\c:\7nhntt.exec:\7nhntt.exe75⤵PID:1620
-
\??\c:\vjjdj.exec:\vjjdj.exe76⤵PID:3020
-
\??\c:\llxlxxx.exec:\llxlxxx.exe77⤵PID:2828
-
\??\c:\1xrrlrr.exec:\1xrrlrr.exe78⤵PID:2108
-
\??\c:\3hhhht.exec:\3hhhht.exe79⤵PID:2836
-
\??\c:\3pvjj.exec:\3pvjj.exe80⤵PID:2756
-
\??\c:\lrfrxrx.exec:\lrfrxrx.exe81⤵PID:2680
-
\??\c:\frfxllr.exec:\frfxllr.exe82⤵PID:2240
-
\??\c:\3thhnn.exec:\3thhnn.exe83⤵PID:2568
-
\??\c:\3pddj.exec:\3pddj.exe84⤵PID:2600
-
\??\c:\xrffllr.exec:\xrffllr.exe85⤵PID:2560
-
\??\c:\lxfffff.exec:\lxfffff.exe86⤵PID:2576
-
\??\c:\bnhbhn.exec:\bnhbhn.exe87⤵PID:2336
-
\??\c:\jpdpp.exec:\jpdpp.exe88⤵PID:1032
-
\??\c:\9dpvv.exec:\9dpvv.exe89⤵PID:1148
-
\??\c:\xrxrrrr.exec:\xrxrrrr.exe90⤵PID:1756
-
\??\c:\rlfxllr.exec:\rlfxllr.exe91⤵PID:1152
-
\??\c:\hthhnh.exec:\hthhnh.exe92⤵PID:796
-
\??\c:\vjpjj.exec:\vjpjj.exe93⤵PID:2368
-
\??\c:\lrrfxfl.exec:\lrrfxfl.exe94⤵PID:1712
-
\??\c:\9frrffl.exec:\9frrffl.exe95⤵PID:2032
-
\??\c:\bntnth.exec:\bntnth.exe96⤵PID:1960
-
\??\c:\jdvdp.exec:\jdvdp.exe97⤵PID:2604
-
\??\c:\jvjpv.exec:\jvjpv.exe98⤵PID:2136
-
\??\c:\fxffffl.exec:\fxffffl.exe99⤵PID:2432
-
\??\c:\tbnhnh.exec:\tbnhnh.exe100⤵PID:1648
-
\??\c:\1thhhn.exec:\1thhhn.exe101⤵PID:772
-
\??\c:\3jvpv.exec:\3jvpv.exe102⤵PID:2724
-
\??\c:\9jddv.exec:\9jddv.exe103⤵
- System Location Discovery: System Language Discovery
PID:1980 -
\??\c:\lxlxxrr.exec:\lxlxxrr.exe104⤵PID:1380
-
\??\c:\nbnbtn.exec:\nbnbtn.exe105⤵PID:1348
-
\??\c:\jvddj.exec:\jvddj.exe106⤵PID:1736
-
\??\c:\pjpvv.exec:\pjpvv.exe107⤵PID:896
-
\??\c:\3lflxlx.exec:\3lflxlx.exe108⤵PID:2072
-
\??\c:\tbbbtb.exec:\tbbbtb.exe109⤵PID:1696
-
\??\c:\ppjpp.exec:\ppjpp.exe110⤵PID:3008
-
\??\c:\vpjpd.exec:\vpjpd.exe111⤵PID:1324
-
\??\c:\flxffrl.exec:\flxffrl.exe112⤵PID:872
-
\??\c:\hbhtbh.exec:\hbhtbh.exe113⤵PID:2512
-
\??\c:\9hhtbh.exec:\9hhtbh.exe114⤵PID:2448
-
\??\c:\pdjpd.exec:\pdjpd.exe115⤵PID:1612
-
\??\c:\1rlfffr.exec:\1rlfffr.exe116⤵PID:3004
-
\??\c:\rlxfflr.exec:\rlxfflr.exe117⤵PID:3024
-
\??\c:\hbtttt.exec:\hbtttt.exe118⤵PID:1684
-
\??\c:\9vjjp.exec:\9vjjp.exe119⤵PID:2652
-
\??\c:\5vjdd.exec:\5vjdd.exe120⤵PID:2804
-
\??\c:\3frffxx.exec:\3frffxx.exe121⤵PID:2108
-
\??\c:\rrllrrr.exec:\rrllrrr.exe122⤵PID:2836