Analysis
-
max time kernel
120s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
25-12-2024 19:43
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
643bac3fe789601be9d2ee7c0c89c5767136b9869a6b9bbb06d8123037563cc4.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
120 seconds
General
-
Target
643bac3fe789601be9d2ee7c0c89c5767136b9869a6b9bbb06d8123037563cc4.exe
-
Size
456KB
-
MD5
c69e85961f6e2e796f842233210e437e
-
SHA1
34b164147a6e029de204ec0c1dc2dfd9ca5b9f87
-
SHA256
643bac3fe789601be9d2ee7c0c89c5767136b9869a6b9bbb06d8123037563cc4
-
SHA512
814021b46f56ac366498583938420806651dbf8c28b33f6c7a919d3c51e0c0025919d855ed393342ff2acd47d645bd7fe2aa33fbb1b7048eec6459df6d09ad6f
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeRu:q7Tc2NYHUrAwfMp3CDRu
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 52 IoCs
resource yara_rule behavioral1/memory/2128-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1248-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2408-27-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1664-38-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2828-49-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3000-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2652-74-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2652-76-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2596-86-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2568-95-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2116-100-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2116-105-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1892-116-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2928-126-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2792-142-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2956-168-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2956-167-0x0000000000430000-0x000000000045A000-memory.dmp family_blackmoon behavioral1/memory/2908-178-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2908-180-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1608-198-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1696-208-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2088-216-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/956-238-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/956-236-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2300-265-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1784-276-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1428-280-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2760-328-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2732-321-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2548-369-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/2776-361-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2828-341-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2828-342-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/1696-206-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/2356-400-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1412-421-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/1648-499-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1436-512-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2208-533-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2208-532-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2340-559-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2432-587-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon 
behavioral1/memory/2696-600-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2948-702-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2908-716-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1840-729-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2648-743-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1644-762-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2520-769-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/2216-801-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2824-852-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2308-892-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1248 nhhbhb.exe 2408 9xrrflf.exe 1664 nhnnbb.exe 2680 lfrxlrf.exe 2828 vjdvj.exe 3000 ppvpp.exe 2652 xlxlrlf.exe 2596 vpjpd.exe 2568 1hbbnn.exe 2116 9jppd.exe 1892 xxflxlf.exe 1008 3thhnn.exe 2928 rxxxxxr.exe 2792 rlffrxl.exe 2896 ddvpd.exe 1496 fxllrxx.exe 2956 bttnhb.exe 2908 vjddp.exe 2508 jjppp.exe 1608 tbnbnt.exe 1696 1pppd.exe 2088 tttnhb.exe 1644 3nbbbn.exe 956 5jvjj.exe 1632 3xrrlxl.exe 476 lfxfrxf.exe 2300 3lflfrx.exe 1784 7lfflxf.exe 1428 7nbbht.exe 2340 3jvvj.exe 2256 rlxxlll.exe 1248 nhbbnt.exe 2408 lfxfrrl.exe 2732 1nbbth.exe 2760 hthnbb.exe 2744 5dvpv.exe 2828 jvjjp.exe 2684 lfxfxxf.exe 2820 rrlxxlr.exe 2776 hbhnbt.exe 2548 nhttbh.exe 2560 jdvvj.exe 1048 vpvdp.exe 2860 fxrxxlr.exe 2352 vdvdj.exe 236 9xrlrxl.exe 2356 hbnnhb.exe 2928 5bhtbn.exe 336 lxflrlr.exe 1412 7httnn.exe 1440 3pjjd.exe 2960 9frxlrr.exe 2360 nhhntt.exe 2932 ttnbtb.exe 1952 pdpvp.exe 1260 rlflxxf.exe 1856 frfrxxr.exe 1416 htnntt.exe 2516 7jppv.exe 708 rfrlrlx.exe 1944 5xxfllr.exe 1648 9bnthb.exe 912 hthhnn.exe 1436 pjvpp.exe -
resource yara_rule behavioral1/memory/2128-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1248-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1664-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2408-27-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1664-38-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2828-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3000-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2652-76-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2596-86-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2568-95-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2116-105-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1892-116-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2928-126-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2792-142-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2956-168-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2908-180-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1608-198-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1696-208-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/956-238-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2300-256-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2300-265-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1784-276-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2760-328-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2732-321-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2820-349-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2776-361-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2828-341-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1644-219-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2356-400-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1412-421-0x00000000001B0000-0x00000000001DA000-memory.dmp upx behavioral1/memory/1440-426-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1648-499-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1436-512-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2208-525-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2208-533-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2208-532-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2340-559-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2696-600-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2668-607-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2948-695-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2948-702-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1628-703-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2908-716-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1696-736-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2648-743-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2520-769-0x00000000003B0000-0x00000000003DA000-memory.dmp upx behavioral1/memory/1312-776-0x00000000002A0000-0x00000000002CA000-memory.dmp upx behavioral1/memory/2216-801-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2184-826-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1896-839-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2824-852-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2332-878-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2796-885-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfrlrlx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttbhnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1pddd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnnbnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1pdpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjppj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxlxlrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjjpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7httbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llrfxxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxllfxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5jpdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvjvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llxflff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvjvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrrxxxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxxflfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfllllr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbbbhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2128 wrote to memory of 1248 2128 643bac3fe789601be9d2ee7c0c89c5767136b9869a6b9bbb06d8123037563cc4.exe 31 PID 2128 wrote to memory of 1248 2128 643bac3fe789601be9d2ee7c0c89c5767136b9869a6b9bbb06d8123037563cc4.exe 31 PID 2128 wrote to memory of 1248 2128 643bac3fe789601be9d2ee7c0c89c5767136b9869a6b9bbb06d8123037563cc4.exe 31 PID 2128 wrote to memory of 1248 2128 643bac3fe789601be9d2ee7c0c89c5767136b9869a6b9bbb06d8123037563cc4.exe 31 PID 1248 wrote to memory of 2408 1248 nhhbhb.exe 32 PID 1248 wrote to memory of 2408 1248 nhhbhb.exe 32 PID 1248 wrote to memory of 2408 1248 nhhbhb.exe 32 PID 1248 wrote to memory of 2408 1248 nhhbhb.exe 32 PID 2408 wrote to memory of 1664 2408 9xrrflf.exe 33 PID 2408 wrote to memory of 1664 2408 9xrrflf.exe 33 PID 2408 wrote to memory of 1664 2408 9xrrflf.exe 33 PID 2408 wrote to memory of 1664 2408 9xrrflf.exe 33 PID 1664 wrote to memory of 2680 1664 nhnnbb.exe 34 PID 1664 wrote to memory of 2680 1664 nhnnbb.exe 34 PID 1664 wrote to memory of 2680 1664 nhnnbb.exe 34 PID 1664 wrote to memory of 2680 1664 nhnnbb.exe 34 PID 2680 wrote to memory of 2828 2680 lfrxlrf.exe 35 PID 2680 wrote to memory of 2828 2680 lfrxlrf.exe 35 PID 2680 wrote to memory of 2828 2680 lfrxlrf.exe 35 PID 2680 wrote to memory of 2828 2680 lfrxlrf.exe 35 PID 2828 wrote to memory of 3000 2828 vjdvj.exe 36 PID 2828 wrote to memory of 3000 2828 vjdvj.exe 36 PID 2828 wrote to memory of 3000 2828 vjdvj.exe 36 PID 2828 wrote to memory of 3000 2828 vjdvj.exe 36 PID 3000 wrote to memory of 2652 3000 ppvpp.exe 37 PID 3000 wrote to memory of 2652 3000 ppvpp.exe 37 PID 3000 wrote to memory of 2652 3000 ppvpp.exe 37 PID 3000 wrote to memory of 2652 3000 ppvpp.exe 37 PID 2652 wrote to memory of 2596 2652 xlxlrlf.exe 38 PID 2652 wrote to memory of 2596 2652 xlxlrlf.exe 38 PID 2652 wrote to memory of 2596 2652 xlxlrlf.exe 38 PID 2652 wrote to memory of 2596 2652 xlxlrlf.exe 38 PID 2596 wrote to memory of 2568 2596 vpjpd.exe 39 PID 2596 
wrote to memory of 2568 2596 vpjpd.exe 39 PID 2596 wrote to memory of 2568 2596 vpjpd.exe 39 PID 2596 wrote to memory of 2568 2596 vpjpd.exe 39 PID 2568 wrote to memory of 2116 2568 1hbbnn.exe 40 PID 2568 wrote to memory of 2116 2568 1hbbnn.exe 40 PID 2568 wrote to memory of 2116 2568 1hbbnn.exe 40 PID 2568 wrote to memory of 2116 2568 1hbbnn.exe 40 PID 2116 wrote to memory of 1892 2116 9jppd.exe 41 PID 2116 wrote to memory of 1892 2116 9jppd.exe 41 PID 2116 wrote to memory of 1892 2116 9jppd.exe 41 PID 2116 wrote to memory of 1892 2116 9jppd.exe 41 PID 1892 wrote to memory of 1008 1892 xxflxlf.exe 42 PID 1892 wrote to memory of 1008 1892 xxflxlf.exe 42 PID 1892 wrote to memory of 1008 1892 xxflxlf.exe 42 PID 1892 wrote to memory of 1008 1892 xxflxlf.exe 42 PID 1008 wrote to memory of 2928 1008 3thhnn.exe 43 PID 1008 wrote to memory of 2928 1008 3thhnn.exe 43 PID 1008 wrote to memory of 2928 1008 3thhnn.exe 43 PID 1008 wrote to memory of 2928 1008 3thhnn.exe 43 PID 2928 wrote to memory of 2792 2928 rxxxxxr.exe 44 PID 2928 wrote to memory of 2792 2928 rxxxxxr.exe 44 PID 2928 wrote to memory of 2792 2928 rxxxxxr.exe 44 PID 2928 wrote to memory of 2792 2928 rxxxxxr.exe 44 PID 2792 wrote to memory of 2896 2792 rlffrxl.exe 45 PID 2792 wrote to memory of 2896 2792 rlffrxl.exe 45 PID 2792 wrote to memory of 2896 2792 rlffrxl.exe 45 PID 2792 wrote to memory of 2896 2792 rlffrxl.exe 45 PID 2896 wrote to memory of 1496 2896 ddvpd.exe 46 PID 2896 wrote to memory of 1496 2896 ddvpd.exe 46 PID 2896 wrote to memory of 1496 2896 ddvpd.exe 46 PID 2896 wrote to memory of 1496 2896 ddvpd.exe 46
Processes
-
C:\Users\Admin\AppData\Local\Temp\643bac3fe789601be9d2ee7c0c89c5767136b9869a6b9bbb06d8123037563cc4.exe"C:\Users\Admin\AppData\Local\Temp\643bac3fe789601be9d2ee7c0c89c5767136b9869a6b9bbb06d8123037563cc4.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2128 -
\??\c:\nhhbhb.exec:\nhhbhb.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1248 -
\??\c:\9xrrflf.exec:\9xrrflf.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2408 -
\??\c:\nhnnbb.exec:\nhnnbb.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1664 -
\??\c:\lfrxlrf.exec:\lfrxlrf.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2680 -
\??\c:\vjdvj.exec:\vjdvj.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2828 -
\??\c:\ppvpp.exec:\ppvpp.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3000 -
\??\c:\xlxlrlf.exec:\xlxlrlf.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2652 -
\??\c:\vpjpd.exec:\vpjpd.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2596 -
\??\c:\1hbbnn.exec:\1hbbnn.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2568 -
\??\c:\9jppd.exec:\9jppd.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2116 -
\??\c:\xxflxlf.exec:\xxflxlf.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1892 -
\??\c:\3thhnn.exec:\3thhnn.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1008 -
\??\c:\rxxxxxr.exec:\rxxxxxr.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2928 -
\??\c:\rlffrxl.exec:\rlffrxl.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2792 -
\??\c:\ddvpd.exec:\ddvpd.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2896 -
\??\c:\fxllrxx.exec:\fxllrxx.exe17⤵
- Executes dropped EXE
PID:1496 -
\??\c:\bttnhb.exec:\bttnhb.exe18⤵
- Executes dropped EXE
PID:2956 -
\??\c:\vjddp.exec:\vjddp.exe19⤵
- Executes dropped EXE
PID:2908 -
\??\c:\jjppp.exec:\jjppp.exe20⤵
- Executes dropped EXE
PID:2508 -
\??\c:\tbnbnt.exec:\tbnbnt.exe21⤵
- Executes dropped EXE
PID:1608 -
\??\c:\1pppd.exec:\1pppd.exe22⤵
- Executes dropped EXE
PID:1696 -
\??\c:\tttnhb.exec:\tttnhb.exe23⤵
- Executes dropped EXE
PID:2088 -
\??\c:\3nbbbn.exec:\3nbbbn.exe24⤵
- Executes dropped EXE
PID:1644 -
\??\c:\5jvjj.exec:\5jvjj.exe25⤵
- Executes dropped EXE
PID:956 -
\??\c:\3xrrlxl.exec:\3xrrlxl.exe26⤵
- Executes dropped EXE
PID:1632 -
\??\c:\lfxfrxf.exec:\lfxfrxf.exe27⤵
- Executes dropped EXE
PID:476 -
\??\c:\3lflfrx.exec:\3lflfrx.exe28⤵
- Executes dropped EXE
PID:2300 -
\??\c:\7lfflxf.exec:\7lfflxf.exe29⤵
- Executes dropped EXE
PID:1784 -
\??\c:\7nbbht.exec:\7nbbht.exe30⤵
- Executes dropped EXE
PID:1428 -
\??\c:\3jvvj.exec:\3jvvj.exe31⤵
- Executes dropped EXE
PID:2340 -
\??\c:\rlxxlll.exec:\rlxxlll.exe32⤵
- Executes dropped EXE
PID:2256 -
\??\c:\nhbbnt.exec:\nhbbnt.exe33⤵
- Executes dropped EXE
PID:1248 -
\??\c:\lfxfrrl.exec:\lfxfrrl.exe34⤵
- Executes dropped EXE
PID:2408 -
\??\c:\1nbbth.exec:\1nbbth.exe35⤵
- Executes dropped EXE
PID:2732 -
\??\c:\hthnbb.exec:\hthnbb.exe36⤵
- Executes dropped EXE
PID:2760 -
\??\c:\5dvpv.exec:\5dvpv.exe37⤵
- Executes dropped EXE
PID:2744 -
\??\c:\jvjjp.exec:\jvjjp.exe38⤵
- Executes dropped EXE
PID:2828 -
\??\c:\lfxfxxf.exec:\lfxfxxf.exe39⤵
- Executes dropped EXE
PID:2684 -
\??\c:\rrlxxlr.exec:\rrlxxlr.exe40⤵
- Executes dropped EXE
PID:2820 -
\??\c:\hbhnbt.exec:\hbhnbt.exe41⤵
- Executes dropped EXE
PID:2776 -
\??\c:\nhttbh.exec:\nhttbh.exe42⤵
- Executes dropped EXE
PID:2548 -
\??\c:\jdvvj.exec:\jdvvj.exe43⤵
- Executes dropped EXE
PID:2560 -
\??\c:\vpvdp.exec:\vpvdp.exe44⤵
- Executes dropped EXE
PID:1048 -
\??\c:\fxrxxlr.exec:\fxrxxlr.exe45⤵
- Executes dropped EXE
PID:2860 -
\??\c:\vdvdj.exec:\vdvdj.exe46⤵
- Executes dropped EXE
PID:2352 -
\??\c:\9xrlrxl.exec:\9xrlrxl.exe47⤵
- Executes dropped EXE
PID:236 -
\??\c:\hbnnhb.exec:\hbnnhb.exe48⤵
- Executes dropped EXE
PID:2356 -
\??\c:\5bhtbn.exec:\5bhtbn.exe49⤵
- Executes dropped EXE
PID:2928 -
\??\c:\lxflrlr.exec:\lxflrlr.exe50⤵
- Executes dropped EXE
PID:336 -
\??\c:\7httnn.exec:\7httnn.exe51⤵
- Executes dropped EXE
PID:1412 -
\??\c:\3pjjd.exec:\3pjjd.exe52⤵
- Executes dropped EXE
PID:1440 -
\??\c:\9frxlrr.exec:\9frxlrr.exe53⤵
- Executes dropped EXE
PID:2960 -
\??\c:\nhhntt.exec:\nhhntt.exe54⤵
- Executes dropped EXE
PID:2360 -
\??\c:\ttnbtb.exec:\ttnbtb.exe55⤵
- Executes dropped EXE
PID:2932 -
\??\c:\pdpvp.exec:\pdpvp.exe56⤵
- Executes dropped EXE
PID:1952 -
\??\c:\rlflxxf.exec:\rlflxxf.exe57⤵
- Executes dropped EXE
PID:1260 -
\??\c:\frfrxxr.exec:\frfrxxr.exe58⤵
- Executes dropped EXE
PID:1856 -
\??\c:\htnntt.exec:\htnntt.exe59⤵
- Executes dropped EXE
PID:1416 -
\??\c:\7jppv.exec:\7jppv.exe60⤵
- Executes dropped EXE
PID:2516 -
\??\c:\rfrlrlx.exec:\rfrlrlx.exe61⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:708 -
\??\c:\5xxfllr.exec:\5xxfllr.exe62⤵
- Executes dropped EXE
PID:1944 -
\??\c:\9bnthb.exec:\9bnthb.exe63⤵
- Executes dropped EXE
PID:1648 -
\??\c:\hthhnn.exec:\hthhnn.exe64⤵
- Executes dropped EXE
PID:912 -
\??\c:\pjvpp.exec:\pjvpp.exe65⤵
- Executes dropped EXE
PID:1436 -
\??\c:\rllflrf.exec:\rllflrf.exe66⤵PID:2780
-
\??\c:\hbbtnh.exec:\hbbtnh.exe67⤵PID:2380
-
\??\c:\nbbhbh.exec:\nbbhbh.exe68⤵PID:2208
-
\??\c:\pdjpv.exec:\pdjpv.exe69⤵PID:1012
-
\??\c:\7llxffr.exec:\7llxffr.exe70⤵PID:2328
-
\??\c:\7xllfxl.exec:\7xllfxl.exe71⤵PID:1564
-
\??\c:\ntthhn.exec:\ntthhn.exe72⤵PID:2340
-
\??\c:\5jdjv.exec:\5jdjv.exe73⤵PID:1420
-
\??\c:\fxrfrxf.exec:\fxrfrxf.exe74⤵PID:1864
-
\??\c:\rxxfxll.exec:\rxxfxll.exe75⤵PID:2708
-
\??\c:\7htbbb.exec:\7htbbb.exe76⤵PID:2432
-
\??\c:\jjddj.exec:\jjddj.exe77⤵PID:2128
-
\??\c:\pjvvd.exec:\pjvvd.exe78⤵PID:2696
-
\??\c:\rllfrlr.exec:\rllfrlr.exe79⤵PID:1372
-
\??\c:\bnbhnn.exec:\bnbhnn.exe80⤵PID:2668
-
\??\c:\thbttt.exec:\thbttt.exe81⤵PID:2588
-
\??\c:\5djjd.exec:\5djjd.exe82⤵PID:2576
-
\??\c:\jvjpv.exec:\jvjpv.exe83⤵PID:1636
-
\??\c:\lffrfxr.exec:\lffrfxr.exe84⤵PID:2240
-
\??\c:\bhnhht.exec:\bhnhht.exe85⤵PID:2160
-
\??\c:\jvjvp.exec:\jvjvp.exe86⤵PID:2132
-
\??\c:\vjpvj.exec:\vjpvj.exe87⤵PID:2936
-
\??\c:\xfxxxll.exec:\xfxxxll.exe88⤵PID:2440
-
\??\c:\nbtntn.exec:\nbtntn.exe89⤵PID:2880
-
\??\c:\nbtthh.exec:\nbtthh.exe90⤵PID:2356
-
\??\c:\vjvdj.exec:\vjvdj.exe91⤵PID:1456
-
\??\c:\1xfrrll.exec:\1xfrrll.exe92⤵PID:2808
-
\??\c:\3thhbb.exec:\3thhbb.exe93⤵PID:2288
-
\??\c:\htbhhh.exec:\htbhhh.exe94⤵PID:2948
-
\??\c:\dpvvv.exec:\dpvvv.exe95⤵PID:1628
-
\??\c:\xfflllr.exec:\xfflllr.exe96⤵PID:2908
-
\??\c:\tththb.exec:\tththb.exe97⤵PID:2648
-
\??\c:\7vjjj.exec:\7vjjj.exe98⤵PID:1840
-
\??\c:\pjvdp.exec:\pjvdp.exe99⤵PID:1260
-
\??\c:\3rfffxf.exec:\3rfffxf.exe100⤵PID:1696
-
\??\c:\9nttbh.exec:\9nttbh.exe101⤵PID:2056
-
\??\c:\9jddp.exec:\9jddp.exe102⤵PID:1312
-
\??\c:\jvppp.exec:\jvppp.exe103⤵PID:1644
-
\??\c:\rfxxxrx.exec:\rfxxxrx.exe104⤵PID:2520
-
\??\c:\bbntnt.exec:\bbntnt.exe105⤵PID:1500
-
\??\c:\5hhnbt.exec:\5hhnbt.exe106⤵PID:2476
-
\??\c:\3vjdd.exec:\3vjdd.exe107⤵PID:1052
-
\??\c:\lfrrrrf.exec:\lfrrrrf.exe108⤵PID:1584
-
\??\c:\5lflrrr.exec:\5lflrrr.exe109⤵PID:3008
-
\??\c:\bthntt.exec:\bthntt.exe110⤵PID:2216
-
\??\c:\5jdvv.exec:\5jdvv.exe111⤵PID:2992
-
\??\c:\dvddj.exec:\dvddj.exe112⤵PID:1880
-
\??\c:\lfrrllx.exec:\lfrrllx.exe113⤵PID:2412
-
\??\c:\3thbbt.exec:\3thbbt.exe114⤵PID:2184
-
\??\c:\hbnntb.exec:\hbnntb.exe115⤵PID:2424
-
\??\c:\vpddp.exec:\vpddp.exe116⤵PID:1896
-
\??\c:\fxlrffl.exec:\fxlrffl.exe117⤵PID:2140
-
\??\c:\rrxxxrf.exec:\rrxxxrf.exe118⤵PID:2824
-
\??\c:\bnnhnb.exec:\bnnhnb.exe119⤵PID:2128
-
\??\c:\dpdvj.exec:\dpdvj.exe120⤵PID:2308
-
\??\c:\vdpjp.exec:\vdpjp.exe121⤵PID:2904
-
\??\c:\7flflrf.exec:\7flflrf.exe122⤵PID:2332