Analysis
-
max time kernel
120s -
max time network
117s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
26-12-2024 03:08
Static task
static1
1 signature
Behavioral task
behavioral1
Sample
902719ccc5e30a3575db99ff0c3ca62f0fc7968400b835a7cf8949fd818aac09N.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
120 seconds
General
-
Target
902719ccc5e30a3575db99ff0c3ca62f0fc7968400b835a7cf8949fd818aac09N.exe
-
Size
454KB
-
MD5
0513969b95472b1d9ee2914d3e128090
-
SHA1
9e53fbd23675a914872bf2fe064196e3e8c2ddc7
-
SHA256
902719ccc5e30a3575db99ff0c3ca62f0fc7968400b835a7cf8949fd818aac09
-
SHA512
a362a1137e7f7d8891fce1aac34c0b96e542d0c5978fe16f4902ff5fef3198f00c99ad4e47cf453b594814abf25d77b14436b89870a7170a9bf23a62393cd86d
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbec4:q7Tc2NYHUrAwfMp3CDc4
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload — 42 IoCs (YARA matches on memory dumps, keyed as PID-dumpindex-range; note that PIDs are reused across this process chain, e.g. 1352, 2396 and 2748 each appear more than once in the process tree below, so attribute a dump by its index, not by PID alone)
resource yara_rule behavioral1/memory/2208-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1352-10-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2332-28-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2952-31-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2784-59-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2748-71-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2792-69-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2748-79-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2568-98-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1492-117-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1396-128-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1828-154-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/328-185-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2132-181-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2492-201-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/2492-200-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/236-210-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1476-220-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1744-239-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2036-256-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2160-259-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/1656-276-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2264-316-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2356-324-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2708-338-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2832-345-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2788-352-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2044-394-0x00000000003D0000-0x00000000003FA000-memory.dmp family_blackmoon behavioral1/memory/2044-395-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2864-406-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2052-410-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1736-409-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2908-423-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2124-487-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1964-518-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2228-523-0x00000000003D0000-0x00000000003FA000-memory.dmp family_blackmoon behavioral1/memory/2268-533-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2552-618-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2396-648-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2432-729-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3036-739-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/1940-789-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE — 64 IoCs (this table is capped at 64 entries; the full process tree below continues past that, to a chain depth of 122)
pid Process 1352 bhtbht.exe 2332 rrlxffl.exe 2952 rlxlxrf.exe 2504 tnnbhh.exe 2784 ppjpj.exe 2792 bbnnbt.exe 2748 jvvjv.exe 2764 xrflxfl.exe 2568 3tbbbn.exe 3044 pjvvd.exe 1492 7xxxxlr.exe 2940 thttbh.exe 1396 ppvpd.exe 2384 3xlrflr.exe 1828 thtbnn.exe 1508 vjjjd.exe 1224 rlflrrx.exe 2132 bhnttb.exe 328 3lxrxxf.exe 2492 1fffrlx.exe 236 pvjdv.exe 1476 lfllrrf.exe 972 thnnbh.exe 1744 jdjdp.exe 912 llfxfxf.exe 2036 btnbhh.exe 2160 ffrrxxl.exe 1656 lfrrlrx.exe 1484 jdpdp.exe 1576 rrrxflx.exe 2488 hhthnt.exe 2424 9httbh.exe 2264 9xllrxf.exe 2356 bthtnn.exe 2824 vpvdj.exe 2708 ppjjp.exe 2832 lllfxxf.exe 2788 hbnntt.exe 2604 jvpjv.exe 2576 ddppv.exe 2616 3llfffl.exe 2396 bnttbb.exe 1736 pjvdj.exe 2044 vvjjp.exe 1220 xrffrxf.exe 2864 nntbhh.exe 2052 hbhtnn.exe 2908 pjdpd.exe 1564 rrxfrlx.exe 860 rfrfflr.exe 1748 hbnthn.exe 3040 pjpvd.exe 2144 3vvpp.exe 2596 ffflrxf.exe 2200 7rfxlrx.exe 1620 nnhbhh.exe 112 vjddj.exe 2124 pddpd.exe 1476 llfxllx.exe 972 9tbbhh.exe 920 jvpvd.exe 2220 pdjjp.exe 1964 rlflrxf.exe 2228 frffxxx.exe -
resource yara_rule behavioral1/memory/2208-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1352-10-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2332-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2504-39-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2952-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2784-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2784-59-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2748-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2792-69-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2748-79-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2568-98-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1492-117-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1396-128-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1828-154-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/328-185-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2132-181-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2492-200-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/236-210-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1744-239-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2036-256-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2160-259-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1656-276-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1484-277-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2264-309-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2264-316-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2356-324-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2708-338-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2832-345-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2788-352-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2616-365-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2396-372-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2044-395-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2052-410-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2908-423-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1748-436-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2200-461-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2124-487-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1964-518-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2268-533-0x00000000001B0000-0x00000000001DA000-memory.dmp upx behavioral1/memory/2744-571-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1976-578-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2552-618-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2396-648-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2396-649-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2432-729-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3036-739-0x00000000003C0000-0x00000000003EA000-memory.dmp upx behavioral1/memory/112-744-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1776-776-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/1940-789-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery — 1 TTP, 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location. Observed here as reads of the \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language key; entries marked "Process not Found" are reads whose originating process had already exited before the sandbox could resolve its name, so their attribution is unknown.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbnntt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1bnhnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3rllxxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7jpjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5tntbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvjdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppjvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdpdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvpvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bthbtb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rffrrrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process 
not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5lxxxrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrxlxxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxxxfll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbttbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2208 wrote to memory of 1352 2208 902719ccc5e30a3575db99ff0c3ca62f0fc7968400b835a7cf8949fd818aac09N.exe 31 PID 2208 wrote to memory of 1352 2208 902719ccc5e30a3575db99ff0c3ca62f0fc7968400b835a7cf8949fd818aac09N.exe 31 PID 2208 wrote to memory of 1352 2208 902719ccc5e30a3575db99ff0c3ca62f0fc7968400b835a7cf8949fd818aac09N.exe 31 PID 2208 wrote to memory of 1352 2208 902719ccc5e30a3575db99ff0c3ca62f0fc7968400b835a7cf8949fd818aac09N.exe 31 PID 1352 wrote to memory of 2332 1352 bhtbht.exe 32 PID 1352 wrote to memory of 2332 1352 bhtbht.exe 32 PID 1352 wrote to memory of 2332 1352 bhtbht.exe 32 PID 1352 wrote to memory of 2332 1352 bhtbht.exe 32 PID 2332 wrote to memory of 2952 2332 rrlxffl.exe 33 PID 2332 wrote to memory of 2952 2332 rrlxffl.exe 33 PID 2332 wrote to memory of 2952 2332 rrlxffl.exe 33 PID 2332 wrote to memory of 2952 2332 rrlxffl.exe 33 PID 2952 wrote to memory of 2504 2952 rlxlxrf.exe 34 PID 2952 wrote to memory of 2504 2952 rlxlxrf.exe 34 PID 2952 wrote to memory of 2504 2952 rlxlxrf.exe 34 PID 2952 wrote to memory of 2504 2952 rlxlxrf.exe 34 PID 2504 wrote to memory of 2784 2504 tnnbhh.exe 35 PID 2504 wrote to memory of 2784 2504 tnnbhh.exe 35 PID 2504 wrote to memory of 2784 2504 tnnbhh.exe 35 PID 2504 wrote to memory of 2784 2504 tnnbhh.exe 35 PID 2784 wrote to memory of 2792 2784 ppjpj.exe 36 PID 2784 wrote to memory of 2792 2784 ppjpj.exe 36 PID 2784 wrote to memory of 2792 2784 ppjpj.exe 36 PID 2784 wrote to memory of 2792 2784 ppjpj.exe 36 PID 2792 wrote to memory of 2748 2792 bbnnbt.exe 37 PID 2792 wrote to memory of 2748 2792 bbnnbt.exe 37 PID 2792 wrote to memory of 2748 2792 bbnnbt.exe 37 PID 2792 wrote to memory of 2748 2792 bbnnbt.exe 37 PID 2748 wrote to memory of 2764 2748 jvvjv.exe 38 PID 2748 wrote to memory of 2764 2748 jvvjv.exe 38 PID 2748 wrote to memory of 2764 2748 jvvjv.exe 38 PID 2748 wrote to memory of 2764 2748 jvvjv.exe 38 PID 2764 wrote to memory of 2568 2764 xrflxfl.exe 39 PID 2764 
wrote to memory of 2568 2764 xrflxfl.exe 39 PID 2764 wrote to memory of 2568 2764 xrflxfl.exe 39 PID 2764 wrote to memory of 2568 2764 xrflxfl.exe 39 PID 2568 wrote to memory of 3044 2568 3tbbbn.exe 40 PID 2568 wrote to memory of 3044 2568 3tbbbn.exe 40 PID 2568 wrote to memory of 3044 2568 3tbbbn.exe 40 PID 2568 wrote to memory of 3044 2568 3tbbbn.exe 40 PID 3044 wrote to memory of 1492 3044 pjvvd.exe 41 PID 3044 wrote to memory of 1492 3044 pjvvd.exe 41 PID 3044 wrote to memory of 1492 3044 pjvvd.exe 41 PID 3044 wrote to memory of 1492 3044 pjvvd.exe 41 PID 1492 wrote to memory of 2940 1492 7xxxxlr.exe 42 PID 1492 wrote to memory of 2940 1492 7xxxxlr.exe 42 PID 1492 wrote to memory of 2940 1492 7xxxxlr.exe 42 PID 1492 wrote to memory of 2940 1492 7xxxxlr.exe 42 PID 2940 wrote to memory of 1396 2940 thttbh.exe 43 PID 2940 wrote to memory of 1396 2940 thttbh.exe 43 PID 2940 wrote to memory of 1396 2940 thttbh.exe 43 PID 2940 wrote to memory of 1396 2940 thttbh.exe 43 PID 1396 wrote to memory of 2384 1396 ppvpd.exe 44 PID 1396 wrote to memory of 2384 1396 ppvpd.exe 44 PID 1396 wrote to memory of 2384 1396 ppvpd.exe 44 PID 1396 wrote to memory of 2384 1396 ppvpd.exe 44 PID 2384 wrote to memory of 1828 2384 3xlrflr.exe 45 PID 2384 wrote to memory of 1828 2384 3xlrflr.exe 45 PID 2384 wrote to memory of 1828 2384 3xlrflr.exe 45 PID 2384 wrote to memory of 1828 2384 3xlrflr.exe 45 PID 1828 wrote to memory of 1508 1828 thtbnn.exe 46 PID 1828 wrote to memory of 1508 1828 thtbnn.exe 46 PID 1828 wrote to memory of 1508 1828 thtbnn.exe 46 PID 1828 wrote to memory of 1508 1828 thtbnn.exe 46
Processes
-
C:\Users\Admin\AppData\Local\Temp\902719ccc5e30a3575db99ff0c3ca62f0fc7968400b835a7cf8949fd818aac09N.exe"C:\Users\Admin\AppData\Local\Temp\902719ccc5e30a3575db99ff0c3ca62f0fc7968400b835a7cf8949fd818aac09N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2208 -
\??\c:\bhtbht.exec:\bhtbht.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1352 -
\??\c:\rrlxffl.exec:\rrlxffl.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2332 -
\??\c:\rlxlxrf.exec:\rlxlxrf.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2952 -
\??\c:\tnnbhh.exec:\tnnbhh.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2504 -
\??\c:\ppjpj.exec:\ppjpj.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2784 -
\??\c:\bbnnbt.exec:\bbnnbt.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2792 -
\??\c:\jvvjv.exec:\jvvjv.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2748 -
\??\c:\xrflxfl.exec:\xrflxfl.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2764 -
\??\c:\3tbbbn.exec:\3tbbbn.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2568 -
\??\c:\pjvvd.exec:\pjvvd.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3044 -
\??\c:\7xxxxlr.exec:\7xxxxlr.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1492 -
\??\c:\thttbh.exec:\thttbh.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2940 -
\??\c:\ppvpd.exec:\ppvpd.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1396 -
\??\c:\3xlrflr.exec:\3xlrflr.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2384 -
\??\c:\thtbnn.exec:\thtbnn.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1828 -
\??\c:\vjjjd.exec:\vjjjd.exe17⤵
- Executes dropped EXE
PID:1508 -
\??\c:\rlflrrx.exec:\rlflrrx.exe18⤵
- Executes dropped EXE
PID:1224 -
\??\c:\bhnttb.exec:\bhnttb.exe19⤵
- Executes dropped EXE
PID:2132 -
\??\c:\3lxrxxf.exec:\3lxrxxf.exe20⤵
- Executes dropped EXE
PID:328 -
\??\c:\1fffrlx.exec:\1fffrlx.exe21⤵
- Executes dropped EXE
PID:2492 -
\??\c:\pvjdv.exec:\pvjdv.exe22⤵
- Executes dropped EXE
PID:236 -
\??\c:\lfllrrf.exec:\lfllrrf.exe23⤵
- Executes dropped EXE
PID:1476 -
\??\c:\thnnbh.exec:\thnnbh.exe24⤵
- Executes dropped EXE
PID:972 -
\??\c:\jdjdp.exec:\jdjdp.exe25⤵
- Executes dropped EXE
PID:1744 -
\??\c:\llfxfxf.exec:\llfxfxf.exe26⤵
- Executes dropped EXE
PID:912 -
\??\c:\btnbhh.exec:\btnbhh.exe27⤵
- Executes dropped EXE
PID:2036 -
\??\c:\ffrrxxl.exec:\ffrrxxl.exe28⤵
- Executes dropped EXE
PID:2160 -
\??\c:\lfrrlrx.exec:\lfrrlrx.exe29⤵
- Executes dropped EXE
PID:1656 -
\??\c:\jdpdp.exec:\jdpdp.exe30⤵
- Executes dropped EXE
PID:1484 -
\??\c:\rrrxflx.exec:\rrrxflx.exe31⤵
- Executes dropped EXE
PID:1576 -
\??\c:\hhthnt.exec:\hhthnt.exe32⤵
- Executes dropped EXE
PID:2488 -
\??\c:\9httbh.exec:\9httbh.exe33⤵
- Executes dropped EXE
PID:2424 -
\??\c:\9xllrxf.exec:\9xllrxf.exe34⤵
- Executes dropped EXE
PID:2264 -
\??\c:\bthtnn.exec:\bthtnn.exe35⤵
- Executes dropped EXE
PID:2356 -
\??\c:\vpvdj.exec:\vpvdj.exe36⤵
- Executes dropped EXE
PID:2824 -
\??\c:\ppjjp.exec:\ppjjp.exe37⤵
- Executes dropped EXE
PID:2708 -
\??\c:\lllfxxf.exec:\lllfxxf.exe38⤵
- Executes dropped EXE
PID:2832 -
\??\c:\hbnntt.exec:\hbnntt.exe39⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2788 -
\??\c:\jvpjv.exec:\jvpjv.exe40⤵
- Executes dropped EXE
PID:2604 -
\??\c:\ddppv.exec:\ddppv.exe41⤵
- Executes dropped EXE
PID:2576 -
\??\c:\3llfffl.exec:\3llfffl.exe42⤵
- Executes dropped EXE
PID:2616 -
\??\c:\bnttbb.exec:\bnttbb.exe43⤵
- Executes dropped EXE
PID:2396 -
\??\c:\pjvdj.exec:\pjvdj.exe44⤵
- Executes dropped EXE
PID:1736 -
\??\c:\vvjjp.exec:\vvjjp.exe45⤵
- Executes dropped EXE
PID:2044 -
\??\c:\xrffrxf.exec:\xrffrxf.exe46⤵
- Executes dropped EXE
PID:1220 -
\??\c:\nntbhh.exec:\nntbhh.exe47⤵
- Executes dropped EXE
PID:2864 -
\??\c:\hbhtnn.exec:\hbhtnn.exe48⤵
- Executes dropped EXE
PID:2052 -
\??\c:\pjdpd.exec:\pjdpd.exe49⤵
- Executes dropped EXE
PID:2908 -
\??\c:\rrxfrlx.exec:\rrxfrlx.exe50⤵
- Executes dropped EXE
PID:1564 -
\??\c:\rfrfflr.exec:\rfrfflr.exe51⤵
- Executes dropped EXE
PID:860 -
\??\c:\hbnthn.exec:\hbnthn.exe52⤵
- Executes dropped EXE
PID:1748 -
\??\c:\pjpvd.exec:\pjpvd.exe53⤵
- Executes dropped EXE
PID:3040 -
\??\c:\3vvpp.exec:\3vvpp.exe54⤵
- Executes dropped EXE
PID:2144 -
\??\c:\ffflrxf.exec:\ffflrxf.exe55⤵
- Executes dropped EXE
PID:2596 -
\??\c:\7rfxlrx.exec:\7rfxlrx.exe56⤵
- Executes dropped EXE
PID:2200 -
\??\c:\nnhbhh.exec:\nnhbhh.exe57⤵
- Executes dropped EXE
PID:1620 -
\??\c:\vjddj.exec:\vjddj.exe58⤵
- Executes dropped EXE
PID:112 -
\??\c:\pddpd.exec:\pddpd.exe59⤵
- Executes dropped EXE
PID:2124 -
\??\c:\llfxllx.exec:\llfxllx.exe60⤵
- Executes dropped EXE
PID:1476 -
\??\c:\9tbbhh.exec:\9tbbhh.exe61⤵
- Executes dropped EXE
PID:972 -
\??\c:\jvpvd.exec:\jvpvd.exe62⤵
- Executes dropped EXE
PID:920 -
\??\c:\pdjjp.exec:\pdjjp.exe63⤵
- Executes dropped EXE
PID:2220 -
\??\c:\rlflrxf.exec:\rlflrxf.exe64⤵
- Executes dropped EXE
PID:1964 -
\??\c:\frffxxx.exec:\frffxxx.exe65⤵
- Executes dropped EXE
PID:2228 -
\??\c:\1hhnhb.exec:\1hhnhb.exe66⤵PID:2268
-
\??\c:\pvdvj.exec:\pvdvj.exe67⤵PID:1760
-
\??\c:\rfllrrr.exec:\rfllrrr.exe68⤵PID:1696
-
\??\c:\lxlrxrx.exec:\lxlrxrx.exe69⤵PID:2096
-
\??\c:\bnhntt.exec:\bnhntt.exe70⤵PID:2324
-
\??\c:\jvdvj.exec:\jvdvj.exe71⤵PID:1352
-
\??\c:\vpvvd.exec:\vpvvd.exe72⤵PID:1800
-
\??\c:\rlxxxrr.exec:\rlxxxrr.exe73⤵PID:2744
-
\??\c:\1ntbht.exec:\1ntbht.exe74⤵PID:1976
-
\??\c:\5pvvd.exec:\5pvvd.exe75⤵PID:2668
-
\??\c:\ddpvd.exec:\ddpvd.exe76⤵PID:2976
-
\??\c:\frffxfx.exec:\frffxfx.exe77⤵PID:2564
-
\??\c:\frllrxl.exec:\frllrxl.exe78⤵PID:2768
-
\??\c:\bnnnbt.exec:\bnnnbt.exe79⤵PID:2772
-
\??\c:\jjvpv.exec:\jjvpv.exe80⤵PID:2552
-
\??\c:\vjpjj.exec:\vjpjj.exe81⤵PID:2764
-
\??\c:\xllxxlr.exec:\xllxxlr.exe82⤵PID:2576
-
\??\c:\lxffllx.exec:\lxffllx.exe83⤵PID:2608
-
\??\c:\1ttttt.exec:\1ttttt.exe84⤵PID:2396
-
\??\c:\9ppdp.exec:\9ppdp.exe85⤵PID:1736
-
\??\c:\lfllxxl.exec:\lfllxxl.exe86⤵PID:2044
-
\??\c:\3ntttn.exec:\3ntttn.exe87⤵PID:1220
-
\??\c:\hbthnn.exec:\hbthnn.exe88⤵PID:2544
-
\??\c:\jjvvv.exec:\jjvvv.exe89⤵PID:1180
-
\??\c:\fxlrxxl.exec:\fxlrxxl.exe90⤵PID:2384
-
\??\c:\frxffxl.exec:\frxffxl.exe91⤵PID:848
-
\??\c:\5nbntb.exec:\5nbntb.exe92⤵PID:1784
-
\??\c:\7djjd.exec:\7djjd.exe93⤵PID:2660
-
\??\c:\pdjdj.exec:\pdjdj.exe94⤵PID:2132
-
\??\c:\1lxlrlr.exec:\1lxlrlr.exe95⤵PID:2364
-
\??\c:\nbbhbb.exec:\nbbhbb.exe96⤵PID:2432
-
\??\c:\hthbtt.exec:\hthbtt.exe97⤵PID:1604
-
\??\c:\1dppv.exec:\1dppv.exe98⤵PID:3036
-
\??\c:\frfrlfl.exec:\frfrlfl.exe99⤵PID:112
-
\??\c:\hbntnn.exec:\hbntnn.exe100⤵PID:1244
-
\??\c:\htnhnn.exec:\htnhnn.exe101⤵PID:2440
-
\??\c:\7dvjd.exec:\7dvjd.exe102⤵PID:1772
-
\??\c:\7jpjd.exec:\7jpjd.exe103⤵PID:1728
-
\??\c:\lrxrrrr.exec:\lrxrrrr.exe104⤵PID:1776
-
\??\c:\bhnbhh.exec:\bhnbhh.exe105⤵PID:2960
-
\??\c:\bhtnhb.exec:\bhtnhb.exe106⤵PID:1940
-
\??\c:\ppjdv.exec:\ppjdv.exe107⤵PID:1008
-
\??\c:\5jjpj.exec:\5jjpj.exe108⤵PID:1084
-
\??\c:\lxfffrx.exec:\lxfffrx.exe109⤵PID:1676
-
\??\c:\nbnhhh.exec:\nbnhhh.exe110⤵PID:528
-
\??\c:\hbbtnh.exec:\hbbtnh.exe111⤵PID:2340
-
\??\c:\dvddd.exec:\dvddd.exe112⤵PID:1352
-
\??\c:\jvdvv.exec:\jvdvv.exe113⤵PID:2452
-
\??\c:\xrxllfx.exec:\xrxllfx.exe114⤵PID:2352
-
\??\c:\bntthh.exec:\bntthh.exe115⤵PID:2140
-
\??\c:\7vdvv.exec:\7vdvv.exe116⤵PID:2668
-
\??\c:\7pddd.exec:\7pddd.exe117⤵PID:2752
-
\??\c:\rrrfflf.exec:\rrrfflf.exe118⤵PID:2564
-
\??\c:\xlxxfll.exec:\xlxxfll.exe119⤵PID:2728
-
\??\c:\bnnbtn.exec:\bnnbtn.exe120⤵PID:2748
-
\??\c:\5dpvd.exec:\5dpvd.exe121⤵PID:2868
-
\??\c:\pvdpj.exec:\pvdpj.exe122⤵PID:1136