Analysis
-
max time kernel
150s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64 arch:x86 image:win7-20240729-en locale:en-us os:windows7-x64 system -
submitted
26-12-2024 04:26
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
29247424e08e62318364b0548843fb971f25009475db92845a29959de83d22ce.exe
Resource
win7-20240729-en
7 signatures
150 seconds
General
-
Target
29247424e08e62318364b0548843fb971f25009475db92845a29959de83d22ce.exe
-
Size
454KB
-
MD5
cb4056c9e5c23957acee0948c044000b
-
SHA1
959b04a402d162153895bc73e01f1d831eb81ed6
-
SHA256
29247424e08e62318364b0548843fb971f25009475db92845a29959de83d22ce
-
SHA512
35bab2530a68303252e7522750f930f2e48e3f828ebd20203db939b55dcd3bd3cfc0b9cc3fa2557a88fc95f2a639c2223b466910f182b3b021522df7c5faddeb
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeb:q7Tc2NYHUrAwfMp3CDb
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 48 IoCs
resource yara_rule behavioral1/memory/2136-1-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/740-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2404-16-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2192-39-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2856-51-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2244-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2632-61-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2820-71-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/740-70-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1752-81-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2620-90-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2620-96-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/1900-114-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/1900-117-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2924-127-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2924-134-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/3004-152-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2544-164-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2032-161-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2544-172-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2536-205-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/1388-231-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/616-240-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1736-248-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2124-284-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2308-305-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2772-312-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2644-369-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2700-376-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1252-377-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2728-402-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2936-415-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2984-422-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/2984-423-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1988-442-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1028-449-0x0000000000430000-0x000000000045A000-memory.dmp family_blackmoon behavioral1/memory/1980-520-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2240-527-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2832-597-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2876-620-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2636-645-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1044-665-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/1424-684-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1180-716-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1876-994-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/1960-1025-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/904-1032-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/1572-1302-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2404 btbtnh.exe 740 hbbbbb.exe 2192 xfxxxxf.exe 2244 rrxrrrr.exe 2856 1bbhtn.exe 2632 pjdvd.exe 2820 1xflllf.exe 1752 httnhn.exe 2620 ffxllff.exe 2748 btbttt.exe 1900 ffllfff.exe 1476 9pdvd.exe 2924 rxflrll.exe 2940 xxllxrf.exe 3004 dddvv.exe 2032 7bnnbn.exe 2544 vdjvv.exe 1784 vpjjv.exe 3044 7vjjp.exe 2388 7bhnnn.exe 2536 vvvpp.exe 2176 1vvvd.exe 1176 nnnnnn.exe 1388 ppppj.exe 616 5lxllfx.exe 1736 rrxlxlx.exe 1720 xxfllrf.exe 1488 5tbbbt.exe 2712 lffrxxf.exe 1504 bttnbb.exe 2124 vvjjv.exe 1616 xffxxfl.exe 2308 vpvpp.exe 696 7lxrxxx.exe 2772 1btttn.exe 2836 tbbtbb.exe 2204 vvppv.exe 2184 9pvvv.exe 2880 flrxxlr.exe 2972 bbbtbb.exe 320 ddppp.exe 2792 3vpjj.exe 2644 lllfrxx.exe 2700 9bhhhb.exe 1252 ppvvv.exe 2468 1jvdj.exe 1172 flxlrrf.exe 2960 ntbbhb.exe 2728 3dvvd.exe 2936 jjjpv.exe 2984 rxflrxl.exe 1664 7htbbt.exe 1896 7jjjj.exe 1988 1rllrfl.exe 1028 9lxfrxx.exe 3068 bbhbbh.exe 3040 ddvvd.exe 2160 vdppv.exe 2056 rrxxffr.exe 2608 bbbnhb.exe 644 9httnt.exe 1960 pjppv.exe 1568 llxfxff.exe 2476 rfllxxf.exe -
resource yara_rule behavioral1/memory/2136-1-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2192-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/740-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2404-16-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2244-40-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2192-39-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2856-51-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2244-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2632-61-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2820-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1752-81-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2620-90-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1900-114-0x00000000003A0000-0x00000000003CA000-memory.dmp upx behavioral1/memory/1900-117-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2924-127-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2032-153-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3004-152-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2544-164-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2032-161-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2536-205-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1388-231-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1388-223-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/616-240-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1736-248-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2124-284-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2308-298-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2308-305-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2772-312-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2204-325-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/320-350-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2644-369-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2700-376-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1252-377-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2728-402-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2936-415-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2984-423-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1988-442-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2056-468-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/644-482-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2280-507-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1980-520-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2240-527-0x00000000001B0000-0x00000000001DA000-memory.dmp upx behavioral1/memory/2832-594-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1044-665-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1424-684-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2552-802-0x00000000003C0000-0x00000000003EA000-memory.dmp upx behavioral1/memory/2464-833-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2884-858-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/352-907-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1696-1315-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer that host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7nhbnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvppv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1frrrrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppppv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdpdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdjpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7jdjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhhbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thhbnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjjpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnnhhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7dddp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnnnnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxllrff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2136 wrote to memory of 2404 2136 29247424e08e62318364b0548843fb971f25009475db92845a29959de83d22ce.exe 30 PID 2136 wrote to memory of 2404 2136 29247424e08e62318364b0548843fb971f25009475db92845a29959de83d22ce.exe 30 PID 2136 wrote to memory of 2404 2136 29247424e08e62318364b0548843fb971f25009475db92845a29959de83d22ce.exe 30 PID 2136 wrote to memory of 2404 2136 29247424e08e62318364b0548843fb971f25009475db92845a29959de83d22ce.exe 30 PID 2404 wrote to memory of 740 2404 btbtnh.exe 31 PID 2404 wrote to memory of 740 2404 btbtnh.exe 31 PID 2404 wrote to memory of 740 2404 btbtnh.exe 31 PID 2404 wrote to memory of 740 2404 btbtnh.exe 31 PID 740 wrote to memory of 2192 740 hbbbbb.exe 32 PID 740 wrote to memory of 2192 740 hbbbbb.exe 32 PID 740 wrote to memory of 2192 740 hbbbbb.exe 32 PID 740 wrote to memory of 2192 740 hbbbbb.exe 32 PID 2192 wrote to memory of 2244 2192 xfxxxxf.exe 33 PID 2192 wrote to memory of 2244 2192 xfxxxxf.exe 33 PID 2192 wrote to memory of 2244 2192 xfxxxxf.exe 33 PID 2192 wrote to memory of 2244 2192 xfxxxxf.exe 33 PID 2244 wrote to memory of 2856 2244 rrxrrrr.exe 34 PID 2244 wrote to memory of 2856 2244 rrxrrrr.exe 34 PID 2244 wrote to memory of 2856 2244 rrxrrrr.exe 34 PID 2244 wrote to memory of 2856 2244 rrxrrrr.exe 34 PID 2856 wrote to memory of 2632 2856 1bbhtn.exe 35 PID 2856 wrote to memory of 2632 2856 1bbhtn.exe 35 PID 2856 wrote to memory of 2632 2856 1bbhtn.exe 35 PID 2856 wrote to memory of 2632 2856 1bbhtn.exe 35 PID 2632 wrote to memory of 2820 2632 pjdvd.exe 36 PID 2632 wrote to memory of 2820 2632 pjdvd.exe 36 PID 2632 wrote to memory of 2820 2632 pjdvd.exe 36 PID 2632 wrote to memory of 2820 2632 pjdvd.exe 36 PID 2820 wrote to memory of 1752 2820 1xflllf.exe 37 PID 2820 wrote to memory of 1752 2820 1xflllf.exe 37 PID 2820 wrote to memory of 1752 2820 1xflllf.exe 37 PID 2820 wrote to memory of 1752 2820 1xflllf.exe 37 PID 1752 wrote to memory of 2620 1752 httnhn.exe 38 PID 1752 wrote to 
memory of 2620 1752 httnhn.exe 38 PID 1752 wrote to memory of 2620 1752 httnhn.exe 38 PID 1752 wrote to memory of 2620 1752 httnhn.exe 38 PID 2620 wrote to memory of 2748 2620 ffxllff.exe 39 PID 2620 wrote to memory of 2748 2620 ffxllff.exe 39 PID 2620 wrote to memory of 2748 2620 ffxllff.exe 39 PID 2620 wrote to memory of 2748 2620 ffxllff.exe 39 PID 2748 wrote to memory of 1900 2748 btbttt.exe 40 PID 2748 wrote to memory of 1900 2748 btbttt.exe 40 PID 2748 wrote to memory of 1900 2748 btbttt.exe 40 PID 2748 wrote to memory of 1900 2748 btbttt.exe 40 PID 1900 wrote to memory of 1476 1900 ffllfff.exe 41 PID 1900 wrote to memory of 1476 1900 ffllfff.exe 41 PID 1900 wrote to memory of 1476 1900 ffllfff.exe 41 PID 1900 wrote to memory of 1476 1900 ffllfff.exe 41 PID 1476 wrote to memory of 2924 1476 9pdvd.exe 42 PID 1476 wrote to memory of 2924 1476 9pdvd.exe 42 PID 1476 wrote to memory of 2924 1476 9pdvd.exe 42 PID 1476 wrote to memory of 2924 1476 9pdvd.exe 42 PID 2924 wrote to memory of 2940 2924 rxflrll.exe 43 PID 2924 wrote to memory of 2940 2924 rxflrll.exe 43 PID 2924 wrote to memory of 2940 2924 rxflrll.exe 43 PID 2924 wrote to memory of 2940 2924 rxflrll.exe 43 PID 2940 wrote to memory of 3004 2940 xxllxrf.exe 44 PID 2940 wrote to memory of 3004 2940 xxllxrf.exe 44 PID 2940 wrote to memory of 3004 2940 xxllxrf.exe 44 PID 2940 wrote to memory of 3004 2940 xxllxrf.exe 44 PID 3004 wrote to memory of 2032 3004 dddvv.exe 45 PID 3004 wrote to memory of 2032 3004 dddvv.exe 45 PID 3004 wrote to memory of 2032 3004 dddvv.exe 45 PID 3004 wrote to memory of 2032 3004 dddvv.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\29247424e08e62318364b0548843fb971f25009475db92845a29959de83d22ce.exe"C:\Users\Admin\AppData\Local\Temp\29247424e08e62318364b0548843fb971f25009475db92845a29959de83d22ce.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2136 -
\??\c:\btbtnh.exec:\btbtnh.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2404 -
\??\c:\hbbbbb.exec:\hbbbbb.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:740 -
\??\c:\xfxxxxf.exec:\xfxxxxf.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2192 -
\??\c:\rrxrrrr.exec:\rrxrrrr.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2244 -
\??\c:\1bbhtn.exec:\1bbhtn.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2856 -
\??\c:\pjdvd.exec:\pjdvd.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2632 -
\??\c:\1xflllf.exec:\1xflllf.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2820 -
\??\c:\httnhn.exec:\httnhn.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1752 -
\??\c:\ffxllff.exec:\ffxllff.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2620 -
\??\c:\btbttt.exec:\btbttt.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2748 -
\??\c:\ffllfff.exec:\ffllfff.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1900 -
\??\c:\9pdvd.exec:\9pdvd.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1476 -
\??\c:\rxflrll.exec:\rxflrll.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2924 -
\??\c:\xxllxrf.exec:\xxllxrf.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2940 -
\??\c:\dddvv.exec:\dddvv.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3004 -
\??\c:\7bnnbn.exec:\7bnnbn.exe17⤵
- Executes dropped EXE
PID:2032 -
\??\c:\vdjvv.exec:\vdjvv.exe18⤵
- Executes dropped EXE
PID:2544 -
\??\c:\vpjjv.exec:\vpjjv.exe19⤵
- Executes dropped EXE
PID:1784 -
\??\c:\7vjjp.exec:\7vjjp.exe20⤵
- Executes dropped EXE
PID:3044 -
\??\c:\7bhnnn.exec:\7bhnnn.exe21⤵
- Executes dropped EXE
PID:2388 -
\??\c:\vvvpp.exec:\vvvpp.exe22⤵
- Executes dropped EXE
PID:2536 -
\??\c:\1vvvd.exec:\1vvvd.exe23⤵
- Executes dropped EXE
PID:2176 -
\??\c:\nnnnnn.exec:\nnnnnn.exe24⤵
- Executes dropped EXE
PID:1176 -
\??\c:\ppppj.exec:\ppppj.exe25⤵
- Executes dropped EXE
PID:1388 -
\??\c:\5lxllfx.exec:\5lxllfx.exe26⤵
- Executes dropped EXE
PID:616 -
\??\c:\rrxlxlx.exec:\rrxlxlx.exe27⤵
- Executes dropped EXE
PID:1736 -
\??\c:\xxfllrf.exec:\xxfllrf.exe28⤵
- Executes dropped EXE
PID:1720 -
\??\c:\5tbbbt.exec:\5tbbbt.exe29⤵
- Executes dropped EXE
PID:1488 -
\??\c:\lffrxxf.exec:\lffrxxf.exe30⤵
- Executes dropped EXE
PID:2712 -
\??\c:\bttnbb.exec:\bttnbb.exe31⤵
- Executes dropped EXE
PID:1504 -
\??\c:\vvjjv.exec:\vvjjv.exe32⤵
- Executes dropped EXE
PID:2124 -
\??\c:\xffxxfl.exec:\xffxxfl.exe33⤵
- Executes dropped EXE
PID:1616 -
\??\c:\vpvpp.exec:\vpvpp.exe34⤵
- Executes dropped EXE
PID:2308 -
\??\c:\7lxrxxx.exec:\7lxrxxx.exe35⤵
- Executes dropped EXE
PID:696 -
\??\c:\1btttn.exec:\1btttn.exe36⤵
- Executes dropped EXE
PID:2772 -
\??\c:\tbbtbb.exec:\tbbtbb.exe37⤵
- Executes dropped EXE
PID:2836 -
\??\c:\vvppv.exec:\vvppv.exe38⤵
- Executes dropped EXE
PID:2204 -
\??\c:\9pvvv.exec:\9pvvv.exe39⤵
- Executes dropped EXE
PID:2184 -
\??\c:\flrxxlr.exec:\flrxxlr.exe40⤵
- Executes dropped EXE
PID:2880 -
\??\c:\bbbtbb.exec:\bbbtbb.exe41⤵
- Executes dropped EXE
PID:2972 -
\??\c:\ddppp.exec:\ddppp.exe42⤵
- Executes dropped EXE
PID:320 -
\??\c:\3vpjj.exec:\3vpjj.exe43⤵
- Executes dropped EXE
PID:2792 -
\??\c:\lllfrxx.exec:\lllfrxx.exe44⤵
- Executes dropped EXE
PID:2644 -
\??\c:\9bhhhb.exec:\9bhhhb.exe45⤵
- Executes dropped EXE
PID:2700 -
\??\c:\ppvvv.exec:\ppvvv.exe46⤵
- Executes dropped EXE
PID:1252 -
\??\c:\1jvdj.exec:\1jvdj.exe47⤵
- Executes dropped EXE
PID:2468 -
\??\c:\flxlrrf.exec:\flxlrrf.exe48⤵
- Executes dropped EXE
PID:1172 -
\??\c:\ntbbhb.exec:\ntbbhb.exe49⤵
- Executes dropped EXE
PID:2960 -
\??\c:\3dvvd.exec:\3dvvd.exe50⤵
- Executes dropped EXE
PID:2728 -
\??\c:\jjjpv.exec:\jjjpv.exe51⤵
- Executes dropped EXE
PID:2936 -
\??\c:\rxflrxl.exec:\rxflrxl.exe52⤵
- Executes dropped EXE
PID:2984 -
\??\c:\7htbbt.exec:\7htbbt.exe53⤵
- Executes dropped EXE
PID:1664 -
\??\c:\7jjjj.exec:\7jjjj.exe54⤵
- Executes dropped EXE
PID:1896 -
\??\c:\1rllrfl.exec:\1rllrfl.exe55⤵
- Executes dropped EXE
PID:1988 -
\??\c:\9lxfrxx.exec:\9lxfrxx.exe56⤵
- Executes dropped EXE
PID:1028 -
\??\c:\bbhbbh.exec:\bbhbbh.exe57⤵
- Executes dropped EXE
PID:3068 -
\??\c:\ddvvd.exec:\ddvvd.exe58⤵
- Executes dropped EXE
PID:3040 -
\??\c:\vdppv.exec:\vdppv.exe59⤵
- Executes dropped EXE
PID:2160 -
\??\c:\rrxxffr.exec:\rrxxffr.exe60⤵
- Executes dropped EXE
PID:2056 -
\??\c:\bbbnhb.exec:\bbbnhb.exe61⤵
- Executes dropped EXE
PID:2608 -
\??\c:\9httnt.exec:\9httnt.exe62⤵
- Executes dropped EXE
PID:644 -
\??\c:\pjppv.exec:\pjppv.exe63⤵
- Executes dropped EXE
PID:1960 -
\??\c:\llxfxff.exec:\llxfxff.exe64⤵
- Executes dropped EXE
PID:1568 -
\??\c:\rfllxxf.exec:\rfllxxf.exe65⤵
- Executes dropped EXE
PID:2476 -
\??\c:\9htttt.exec:\9htttt.exe66⤵PID:2280
-
\??\c:\vpvvp.exec:\vpvvp.exe67⤵PID:1980
-
\??\c:\dvvpj.exec:\dvvpj.exe68⤵PID:2240
-
\??\c:\xrrlrrr.exec:\xrrlrrr.exe69⤵PID:1908
-
\??\c:\5hnbhh.exec:\5hnbhh.exe70⤵PID:1132
-
\??\c:\5nbntn.exec:\5nbntn.exe71⤵PID:2044
-
\??\c:\7jjjd.exec:\7jjjd.exe72⤵PID:1504
-
\??\c:\rlfllll.exec:\rlfllll.exe73⤵PID:2124
-
\??\c:\fflfxlr.exec:\fflfxlr.exe74⤵PID:1644
-
\??\c:\tnhbtn.exec:\tnhbtn.exe75⤵PID:1904
-
\??\c:\ttbttn.exec:\ttbttn.exe76⤵PID:2348
-
\??\c:\vvpjj.exec:\vvpjj.exe77⤵PID:2720
-
\??\c:\rlrlrll.exec:\rlrlrll.exe78⤵PID:1484
-
\??\c:\lflfxrr.exec:\lflfxrr.exe79⤵PID:2780
-
\??\c:\hbtbbh.exec:\hbtbbh.exe80⤵PID:2832
-
\??\c:\bttntn.exec:\bttntn.exe81⤵PID:2744
-
\??\c:\9pvpj.exec:\9pvpj.exe82⤵PID:2880
-
\??\c:\fxfxfll.exec:\fxfxfll.exe83⤵PID:2876
-
\??\c:\rlrlrll.exec:\rlrlrll.exe84⤵PID:2676
-
\??\c:\9nhhbb.exec:\9nhhbb.exe85⤵PID:2796
-
\??\c:\5jjpv.exec:\5jjpv.exe86⤵PID:1868
-
\??\c:\xxllxrf.exec:\xxllxrf.exe87⤵PID:2636
-
\??\c:\fflllll.exec:\fflllll.exe88⤵PID:684
-
\??\c:\ththnt.exec:\ththnt.exe89⤵PID:1972
-
\??\c:\tbthbh.exec:\tbthbh.exe90⤵PID:1044
-
\??\c:\7dddp.exec:\7dddp.exe91⤵
- System Location Discovery: System Language Discovery
PID:2872 -
\??\c:\rrflrrx.exec:\rrflrrx.exe92⤵PID:2728
-
\??\c:\xflrflr.exec:\xflrflr.exe93⤵PID:1424
-
\??\c:\1hnnnt.exec:\1hnnnt.exe94⤵PID:2008
-
\??\c:\vjvdp.exec:\vjvdp.exe95⤵PID:3020
-
\??\c:\vvdpv.exec:\vvdpv.exe96⤵PID:2520
-
\??\c:\xrflrxl.exec:\xrflrxl.exe97⤵PID:2020
-
\??\c:\bhtbnt.exec:\bhtbnt.exe98⤵PID:1180
-
\??\c:\bttthb.exec:\bttthb.exe99⤵PID:3064
-
\??\c:\7pddp.exec:\7pddp.exe100⤵PID:3044
-
\??\c:\ffxrflr.exec:\ffxrflr.exe101⤵PID:808
-
\??\c:\xfrxflx.exec:\xfrxflx.exe102⤵PID:2428
-
\??\c:\7bntbh.exec:\7bntbh.exe103⤵PID:1116
-
\??\c:\pvvvj.exec:\pvvvj.exe104⤵PID:2304
-
\??\c:\5dvdj.exec:\5dvdj.exe105⤵PID:932
-
\??\c:\ffxxxfr.exec:\ffxxxfr.exe106⤵PID:544
-
\??\c:\tnthnt.exec:\tnthnt.exe107⤵PID:1456
-
\??\c:\3nnttt.exec:\3nnttt.exe108⤵PID:2264
-
\??\c:\djvvj.exec:\djvvj.exe109⤵PID:2100
-
\??\c:\jvpvd.exec:\jvpvd.exe110⤵PID:1592
-
\??\c:\3lxxxfl.exec:\3lxxxfl.exe111⤵PID:2240
-
\??\c:\bnbbtt.exec:\bnbbtt.exe112⤵PID:2552
-
\??\c:\bhtbnt.exec:\bhtbnt.exe113⤵PID:2560
-
\??\c:\vvjjd.exec:\vvjjd.exe114⤵PID:2104
-
\??\c:\5frxlrr.exec:\5frxlrr.exe115⤵PID:2532
-
\??\c:\rfrlrlr.exec:\rfrlrlr.exe116⤵PID:2124
-
\??\c:\tbnthn.exec:\tbnthn.exe117⤵PID:1804
-
\??\c:\ppdjj.exec:\ppdjj.exe118⤵PID:2464
-
\??\c:\vvjpv.exec:\vvjpv.exe119⤵PID:696
-
\??\c:\xfrlflr.exec:\xfrlflr.exe120⤵PID:2844
-
\??\c:\7hbbhn.exec:\7hbbhn.exe121⤵PID:2860
-
\??\c:\3nhthn.exec:\3nhthn.exe122⤵PID:2884