Analysis
-
max time kernel
120s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64 arch:x86 image:win7-20240729-en locale:en-us os:windows7-x64 system -
submitted
26-12-2024 21:42
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
2221f9a12f2f55b05d3d419131e81920cb217a8d634f53ccf77ebcc15ceb1370N.exe
Resource
win7-20240729-en
7 signatures
120 seconds
General
-
Target
2221f9a12f2f55b05d3d419131e81920cb217a8d634f53ccf77ebcc15ceb1370N.exe
-
Size
454KB
-
MD5
5c65698d31e48b0dde13d747d14109b0
-
SHA1
02ac7ad9d6c045c9a9835a175f871dfb28fa1f2d
-
SHA256
2221f9a12f2f55b05d3d419131e81920cb217a8d634f53ccf77ebcc15ceb1370
-
SHA512
531af77d883fc650a7b6de753739cc018d3bcb2c0744d97cfcce3ece4d41f5ee26cbbecc8d56da13494ec4f1f7cd73c0e2767d4fd0826a7b2cf6de985b296bc2
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe4:q7Tc2NYHUrAwfMp3CD4
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 45 IoCs
resource yara_rule behavioral1/memory/2112-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1920-23-0x00000000002B0000-0x00000000002DA000-memory.dmp family_blackmoon behavioral1/memory/1920-21-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2336-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2924-43-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2464-40-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2112-38-0x00000000002A0000-0x00000000002CA000-memory.dmp family_blackmoon behavioral1/memory/2708-63-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2912-60-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/2844-87-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2632-99-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1976-97-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2632-102-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/2632-107-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2224-117-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/884-122-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/884-127-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/320-136-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/320-138-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2820-147-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/952-155-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/1448-161-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/1448-166-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/580-179-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1872-211-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1824-229-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1628-278-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1888-303-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2324-310-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2332-324-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2344-361-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2708-369-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2964-375-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2712-376-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2672-398-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/824-423-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/1168-442-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/636-491-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2824-505-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/1728-551-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3064-572-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2000-610-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/1676-799-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1652-849-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2360-957-0x00000000002A0000-0x00000000002CA000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2336 vjpvj.exe 1920 3rfllxf.exe 2464 dvdpd.exe 2924 9bbhht.exe 2912 pvjpv.exe 2708 dvvvj.exe 2904 lfllrrr.exe 2844 jdpvd.exe 1976 fxxxxxx.exe 2632 ddppp.exe 2224 pvvvv.exe 884 jjddp.exe 320 frffflf.exe 2820 ddjjp.exe 952 3rxlrll.exe 1448 9vjjp.exe 2212 rlrrxfl.exe 580 9bbbtb.exe 2144 dddjj.exe 1668 jjjpd.exe 3044 lflfllf.exe 1872 pvdjp.exe 1824 9jvdv.exe 2568 hbhbhh.exe 1784 vvdvv.exe 904 thnnbh.exe 2120 dvjjp.exe 1716 1frlrlr.exe 1628 9nhhnh.exe 3064 3xrrxfx.exe 896 nnnhnh.exe 1888 rrrxxlr.exe 2324 xrrrxrr.exe 1604 vvddj.exe 2368 1pvdp.exe 2332 7lffllr.exe 792 ffrlllx.exe 2856 nnbhnt.exe 2140 vpdvd.exe 2496 lrlflrx.exe 2344 7xfxxff.exe 2708 tbhhhn.exe 2964 7ppvd.exe 2712 pjjjj.exe 2604 7xrlrfr.exe 2672 3hnttb.exe 2652 pjvvv.exe 772 7xrrxxf.exe 536 xrxrxxx.exe 824 bbthnt.exe 1516 ttbttn.exe 1376 1jjdd.exe 2076 rrllxlr.exe 1168 ttbhhb.exe 1076 7ntbhn.exe 2696 pvdjj.exe 2216 vpvpj.exe 2428 rrfflrx.exe 560 5nbhnn.exe 2188 nthhhh.exe 636 dvvvj.exe 292 rrllflr.exe 2824 1xxfrfr.exe 1420 bbntnb.exe -
resource yara_rule behavioral1/memory/2112-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1920-21-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2336-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2924-43-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2464-40-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2912-51-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2708-63-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2904-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2844-87-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2632-99-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1976-97-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2632-107-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/884-118-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2224-117-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/884-127-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2820-139-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/320-138-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2820-147-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/952-155-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1448-157-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1448-166-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1872-211-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1824-229-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1628-278-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/1888-303-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2324-310-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1604-311-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2332-324-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2344-361-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2708-362-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2708-369-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2964-375-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2712-376-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2604-383-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2672-390-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2672-398-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1168-442-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2824-505-0x00000000001B0000-0x00000000001DA000-memory.dmp upx behavioral1/memory/2320-512-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1988-531-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1728-544-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1728-551-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2792-558-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3064-572-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2000-610-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1676-799-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2156-836-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1652-849-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/1700-856-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2156-862-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/3016-925-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nntbhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnnhth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrlffxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5fxfllr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lflfllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlrlxlr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1dppd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhnnnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttbttn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
jpvdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flxxflr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbtbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lflrrxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrllxlr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxllllr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfxfffl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnbbhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djjpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvjjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxfffll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjpjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvddj.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2112 wrote to memory of 2336 2112 2221f9a12f2f55b05d3d419131e81920cb217a8d634f53ccf77ebcc15ceb1370N.exe 30 PID 2112 wrote to memory of 2336 2112 2221f9a12f2f55b05d3d419131e81920cb217a8d634f53ccf77ebcc15ceb1370N.exe 30 PID 2112 wrote to memory of 2336 2112 2221f9a12f2f55b05d3d419131e81920cb217a8d634f53ccf77ebcc15ceb1370N.exe 30 PID 2112 wrote to memory of 2336 2112 2221f9a12f2f55b05d3d419131e81920cb217a8d634f53ccf77ebcc15ceb1370N.exe 30 PID 2336 wrote to memory of 1920 2336 vjpvj.exe 31 PID 2336 wrote to memory of 1920 2336 vjpvj.exe 31 PID 2336 wrote to memory of 1920 2336 vjpvj.exe 31 PID 2336 wrote to memory of 1920 2336 vjpvj.exe 31 PID 1920 wrote to memory of 2464 1920 3rfllxf.exe 32 PID 1920 wrote to memory of 2464 1920 3rfllxf.exe 32 PID 1920 wrote to memory of 2464 1920 3rfllxf.exe 32 PID 1920 wrote to memory of 2464 1920 3rfllxf.exe 32 PID 2464 wrote to memory of 2924 2464 dvdpd.exe 33 PID 2464 wrote to memory of 2924 2464 dvdpd.exe 33 PID 2464 wrote to memory of 2924 2464 dvdpd.exe 33 PID 2464 wrote to memory of 2924 2464 dvdpd.exe 33 PID 2924 wrote to memory of 2912 2924 9bbhht.exe 34 PID 2924 wrote to memory of 2912 2924 9bbhht.exe 34 PID 2924 wrote to memory of 2912 2924 9bbhht.exe 34 PID 2924 wrote to memory of 2912 2924 9bbhht.exe 34 PID 2912 wrote to memory of 2708 2912 pvjpv.exe 35 PID 2912 wrote to memory of 2708 2912 pvjpv.exe 35 PID 2912 wrote to memory of 2708 2912 pvjpv.exe 35 PID 2912 wrote to memory of 2708 2912 pvjpv.exe 35 PID 2708 wrote to memory of 2904 2708 dvvvj.exe 36 PID 2708 wrote to memory of 2904 2708 dvvvj.exe 36 PID 2708 wrote to memory of 2904 2708 dvvvj.exe 36 PID 2708 wrote to memory of 2904 2708 dvvvj.exe 36 PID 2904 wrote to memory of 2844 2904 lfllrrr.exe 37 PID 2904 wrote to memory of 2844 2904 lfllrrr.exe 37 PID 2904 wrote to memory of 2844 2904 lfllrrr.exe 37 PID 2904 wrote to memory of 2844 2904 lfllrrr.exe 37 PID 2844 wrote to memory of 1976 2844 jdpvd.exe 38 PID 2844 wrote to 
memory of 1976 2844 jdpvd.exe 38 PID 2844 wrote to memory of 1976 2844 jdpvd.exe 38 PID 2844 wrote to memory of 1976 2844 jdpvd.exe 38 PID 1976 wrote to memory of 2632 1976 fxxxxxx.exe 39 PID 1976 wrote to memory of 2632 1976 fxxxxxx.exe 39 PID 1976 wrote to memory of 2632 1976 fxxxxxx.exe 39 PID 1976 wrote to memory of 2632 1976 fxxxxxx.exe 39 PID 2632 wrote to memory of 2224 2632 ddppp.exe 40 PID 2632 wrote to memory of 2224 2632 ddppp.exe 40 PID 2632 wrote to memory of 2224 2632 ddppp.exe 40 PID 2632 wrote to memory of 2224 2632 ddppp.exe 40 PID 2224 wrote to memory of 884 2224 pvvvv.exe 41 PID 2224 wrote to memory of 884 2224 pvvvv.exe 41 PID 2224 wrote to memory of 884 2224 pvvvv.exe 41 PID 2224 wrote to memory of 884 2224 pvvvv.exe 41 PID 884 wrote to memory of 320 884 jjddp.exe 42 PID 884 wrote to memory of 320 884 jjddp.exe 42 PID 884 wrote to memory of 320 884 jjddp.exe 42 PID 884 wrote to memory of 320 884 jjddp.exe 42 PID 320 wrote to memory of 2820 320 frffflf.exe 43 PID 320 wrote to memory of 2820 320 frffflf.exe 43 PID 320 wrote to memory of 2820 320 frffflf.exe 43 PID 320 wrote to memory of 2820 320 frffflf.exe 43 PID 2820 wrote to memory of 952 2820 ddjjp.exe 44 PID 2820 wrote to memory of 952 2820 ddjjp.exe 44 PID 2820 wrote to memory of 952 2820 ddjjp.exe 44 PID 2820 wrote to memory of 952 2820 ddjjp.exe 44 PID 952 wrote to memory of 1448 952 3rxlrll.exe 45 PID 952 wrote to memory of 1448 952 3rxlrll.exe 45 PID 952 wrote to memory of 1448 952 3rxlrll.exe 45 PID 952 wrote to memory of 1448 952 3rxlrll.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\2221f9a12f2f55b05d3d419131e81920cb217a8d634f53ccf77ebcc15ceb1370N.exe"C:\Users\Admin\AppData\Local\Temp\2221f9a12f2f55b05d3d419131e81920cb217a8d634f53ccf77ebcc15ceb1370N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2112 -
\??\c:\vjpvj.exec:\vjpvj.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2336 -
\??\c:\3rfllxf.exec:\3rfllxf.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1920 -
\??\c:\dvdpd.exec:\dvdpd.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2464 -
\??\c:\9bbhht.exec:\9bbhht.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2924 -
\??\c:\pvjpv.exec:\pvjpv.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2912 -
\??\c:\dvvvj.exec:\dvvvj.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2708 -
\??\c:\lfllrrr.exec:\lfllrrr.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2904 -
\??\c:\jdpvd.exec:\jdpvd.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2844 -
\??\c:\fxxxxxx.exec:\fxxxxxx.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1976 -
\??\c:\ddppp.exec:\ddppp.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2632 -
\??\c:\pvvvv.exec:\pvvvv.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2224 -
\??\c:\jjddp.exec:\jjddp.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:884 -
\??\c:\frffflf.exec:\frffflf.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:320 -
\??\c:\ddjjp.exec:\ddjjp.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2820 -
\??\c:\3rxlrll.exec:\3rxlrll.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:952 -
\??\c:\9vjjp.exec:\9vjjp.exe17⤵
- Executes dropped EXE
PID:1448 -
\??\c:\rlrrxfl.exec:\rlrrxfl.exe18⤵
- Executes dropped EXE
PID:2212 -
\??\c:\9bbbtb.exec:\9bbbtb.exe19⤵
- Executes dropped EXE
PID:580 -
\??\c:\dddjj.exec:\dddjj.exe20⤵
- Executes dropped EXE
PID:2144 -
\??\c:\jjjpd.exec:\jjjpd.exe21⤵
- Executes dropped EXE
PID:1668 -
\??\c:\lflfllf.exec:\lflfllf.exe22⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3044 -
\??\c:\pvdjp.exec:\pvdjp.exe23⤵
- Executes dropped EXE
PID:1872 -
\??\c:\9jvdv.exec:\9jvdv.exe24⤵
- Executes dropped EXE
PID:1824 -
\??\c:\hbhbhh.exec:\hbhbhh.exe25⤵
- Executes dropped EXE
PID:2568 -
\??\c:\vvdvv.exec:\vvdvv.exe26⤵
- Executes dropped EXE
PID:1784 -
\??\c:\thnnbh.exec:\thnnbh.exe27⤵
- Executes dropped EXE
PID:904 -
\??\c:\dvjjp.exec:\dvjjp.exe28⤵
- Executes dropped EXE
PID:2120 -
\??\c:\1frlrlr.exec:\1frlrlr.exe29⤵
- Executes dropped EXE
PID:1716 -
\??\c:\9nhhnh.exec:\9nhhnh.exe30⤵
- Executes dropped EXE
PID:1628 -
\??\c:\3xrrxfx.exec:\3xrrxfx.exe31⤵
- Executes dropped EXE
PID:3064 -
\??\c:\nnnhnh.exec:\nnnhnh.exe32⤵
- Executes dropped EXE
PID:896 -
\??\c:\rrrxxlr.exec:\rrrxxlr.exe33⤵
- Executes dropped EXE
PID:1888 -
\??\c:\xrrrxrr.exec:\xrrrxrr.exe34⤵
- Executes dropped EXE
PID:2324 -
\??\c:\vvddj.exec:\vvddj.exe35⤵
- Executes dropped EXE
PID:1604 -
\??\c:\1pvdp.exec:\1pvdp.exe36⤵
- Executes dropped EXE
PID:2368 -
\??\c:\7lffllr.exec:\7lffllr.exe37⤵
- Executes dropped EXE
PID:2332 -
\??\c:\ffrlllx.exec:\ffrlllx.exe38⤵
- Executes dropped EXE
PID:792 -
\??\c:\nnbhnt.exec:\nnbhnt.exe39⤵
- Executes dropped EXE
PID:2856 -
\??\c:\vpdvd.exec:\vpdvd.exe40⤵
- Executes dropped EXE
PID:2140 -
\??\c:\lrlflrx.exec:\lrlflrx.exe41⤵
- Executes dropped EXE
PID:2496 -
\??\c:\7xfxxff.exec:\7xfxxff.exe42⤵
- Executes dropped EXE
PID:2344 -
\??\c:\tbhhhn.exec:\tbhhhn.exe43⤵
- Executes dropped EXE
PID:2708 -
\??\c:\7ppvd.exec:\7ppvd.exe44⤵
- Executes dropped EXE
PID:2964 -
\??\c:\pjjjj.exec:\pjjjj.exe45⤵
- Executes dropped EXE
PID:2712 -
\??\c:\7xrlrfr.exec:\7xrlrfr.exe46⤵
- Executes dropped EXE
PID:2604 -
\??\c:\3hnttb.exec:\3hnttb.exe47⤵
- Executes dropped EXE
PID:2672 -
\??\c:\pjvvv.exec:\pjvvv.exe48⤵
- Executes dropped EXE
PID:2652 -
\??\c:\7xrrxxf.exec:\7xrrxxf.exe49⤵
- Executes dropped EXE
PID:772 -
\??\c:\xrxrxxx.exec:\xrxrxxx.exe50⤵
- Executes dropped EXE
PID:536 -
\??\c:\bbthnt.exec:\bbthnt.exe51⤵
- Executes dropped EXE
PID:824 -
\??\c:\ttbttn.exec:\ttbttn.exe52⤵
- Executes dropped EXE
PID:1516 -
\??\c:\1jjdd.exec:\1jjdd.exe53⤵
- Executes dropped EXE
PID:1376 -
\??\c:\rrllxlr.exec:\rrllxlr.exe54⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2076 -
\??\c:\ttbhhb.exec:\ttbhhb.exe55⤵
- Executes dropped EXE
PID:1168 -
\??\c:\7ntbhn.exec:\7ntbhn.exe56⤵
- Executes dropped EXE
PID:1076 -
\??\c:\pvdjj.exec:\pvdjj.exe57⤵
- Executes dropped EXE
PID:2696 -
\??\c:\vpvpj.exec:\vpvpj.exe58⤵
- Executes dropped EXE
PID:2216 -
\??\c:\rrfflrx.exec:\rrfflrx.exe59⤵
- Executes dropped EXE
PID:2428 -
\??\c:\5nbhnn.exec:\5nbhnn.exe60⤵
- Executes dropped EXE
PID:560 -
\??\c:\nthhhh.exec:\nthhhh.exe61⤵
- Executes dropped EXE
PID:2188 -
\??\c:\dvvvj.exec:\dvvvj.exe62⤵
- Executes dropped EXE
PID:636 -
\??\c:\rrllflr.exec:\rrllflr.exe63⤵
- Executes dropped EXE
PID:292 -
\??\c:\1xxfrfr.exec:\1xxfrfr.exe64⤵
- Executes dropped EXE
PID:2824 -
\??\c:\bbntnb.exec:\bbntnb.exe65⤵
- Executes dropped EXE
PID:1420 -
\??\c:\9ntbhh.exec:\9ntbhh.exe66⤵PID:2320
-
\??\c:\ddddp.exec:\ddddp.exe67⤵PID:2568
-
\??\c:\3rrxxff.exec:\3rrxxff.exe68⤵PID:1532
-
\??\c:\rxfffff.exec:\rxfffff.exe69⤵PID:1988
-
\??\c:\tttttt.exec:\tttttt.exe70⤵PID:2208
-
\??\c:\1dppv.exec:\1dppv.exe71⤵PID:1728
-
\??\c:\7rlrrrx.exec:\7rlrrrx.exe72⤵PID:3012
-
\??\c:\hhhbhh.exec:\hhhbhh.exe73⤵PID:2792
-
\??\c:\3htnnn.exec:\3htnnn.exe74⤵PID:3064
-
\??\c:\ddjjp.exec:\ddjjp.exe75⤵PID:2408
-
\??\c:\lffxrll.exec:\lffxrll.exe76⤵PID:2564
-
\??\c:\frxfllx.exec:\frxfllx.exe77⤵PID:1596
-
\??\c:\hnttbt.exec:\hnttbt.exe78⤵PID:2920
-
\??\c:\dpjjp.exec:\dpjjp.exe79⤵PID:2256
-
\??\c:\djpjj.exec:\djpjj.exe80⤵PID:2000
-
\??\c:\rfrrrrx.exec:\rfrrrrx.exe81⤵PID:2796
-
\??\c:\tnthhb.exec:\tnthhb.exe82⤵PID:792
-
\??\c:\hhhbbb.exec:\hhhbbb.exe83⤵PID:2856
-
\??\c:\ddpvp.exec:\ddpvp.exe84⤵PID:2140
-
\??\c:\jjvvj.exec:\jjvvj.exe85⤵PID:2496
-
\??\c:\ffllrrx.exec:\ffllrrx.exe86⤵PID:2636
-
\??\c:\bbbbtn.exec:\bbbbtn.exe87⤵PID:2788
-
\??\c:\jjpjp.exec:\jjpjp.exe88⤵PID:2836
-
\??\c:\jpppv.exec:\jpppv.exe89⤵PID:2616
-
\??\c:\rrxrxff.exec:\rrxrxff.exe90⤵PID:2596
-
\??\c:\nnbbht.exec:\nnbbht.exe91⤵PID:2676
-
\??\c:\bhnhnn.exec:\bhnhnn.exe92⤵PID:2224
-
\??\c:\vpddv.exec:\vpddv.exe93⤵PID:2776
-
\??\c:\lfffllx.exec:\lfffllx.exe94⤵PID:536
-
\??\c:\frxrxlr.exec:\frxrxlr.exe95⤵PID:684
-
\??\c:\nnhbbt.exec:\nnhbbt.exe96⤵PID:1144
-
\??\c:\jpdvv.exec:\jpdvv.exe97⤵PID:1376
-
\??\c:\jjjdj.exec:\jjjdj.exe98⤵PID:1736
-
\??\c:\3rfxfff.exec:\3rfxfff.exe99⤵PID:2932
-
\??\c:\3tnnbh.exec:\3tnnbh.exe100⤵PID:1076
-
\??\c:\hnntth.exec:\hnntth.exe101⤵PID:2116
-
\??\c:\5jjjj.exec:\5jjjj.exe102⤵PID:2136
-
\??\c:\rrrrrrx.exec:\rrrrrrx.exe103⤵PID:2052
-
\??\c:\rrlffxx.exec:\rrlffxx.exe104⤵
- System Location Discovery: System Language Discovery
PID:2580 -
\??\c:\tnhnbh.exec:\tnhnbh.exe105⤵PID:448
-
\??\c:\3jdvv.exec:\3jdvv.exe106⤵PID:956
-
\??\c:\jjvvj.exec:\jjvvj.exe107⤵PID:1124
-
\??\c:\lfrfllf.exec:\lfrfllf.exe108⤵PID:1432
-
\??\c:\tthbbb.exec:\tthbbb.exe109⤵PID:1676
-
\??\c:\bnttbb.exec:\bnttbb.exe110⤵PID:2568
-
\??\c:\pvddj.exec:\pvddj.exe111⤵PID:1692
-
\??\c:\xxfrrxx.exec:\xxfrrxx.exe112⤵PID:996
-
\??\c:\bbnttt.exec:\bbnttt.exe113⤵PID:304
-
\??\c:\hbnnnn.exec:\hbnnnn.exe114⤵PID:1900
-
\??\c:\vdpvv.exec:\vdpvv.exe115⤵PID:2156
-
\??\c:\1jvvp.exec:\1jvvp.exe116⤵PID:1644
-
\??\c:\9xlxxxx.exec:\9xlxxxx.exe117⤵PID:1652
-
\??\c:\tnnttt.exec:\tnnttt.exe118⤵PID:1700
-
\??\c:\9nhhtb.exec:\9nhhtb.exe119⤵PID:1572
-
\??\c:\pvdvd.exec:\pvdvd.exe120⤵PID:2324
-
\??\c:\fffrxrr.exec:\fffrxrr.exe121⤵PID:880
-
\??\c:\tthhbb.exec:\tthhbb.exe122⤵PID:2368