Analysis
-
max time kernel
120s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
26-12-2024 15:16
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
90b01c76699f37bafa1f57ddad8d9ea64d3ba0f35a3d28f71500c4417dcc2e34.exe
Resource
win7-20240903-en
7 signatures
120 seconds
General
-
Target
90b01c76699f37bafa1f57ddad8d9ea64d3ba0f35a3d28f71500c4417dcc2e34.exe
-
Size
452KB
-
MD5
d4b1b44d56dd69e24e55635c0a5094a9
-
SHA1
3c8fc3f42c8ebdea7e6c452a191e2b9eb5f864a9
-
SHA256
90b01c76699f37bafa1f57ddad8d9ea64d3ba0f35a3d28f71500c4417dcc2e34
-
SHA512
3f6057f28e128189ef72d84c7e72a76a4ab58ca1c0bafe1a86efd57735d109c34c4a6bb522459d45cae9f0fd7c17daa15826a8db9be94bdcd8701de7d30b4a25
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeT:q7Tc2NYHUrAwfMp3CDT
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 48 IoCs
resource yara_rule behavioral1/memory/2600-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2084-28-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2508-39-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2752-59-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2884-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3012-79-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3012-77-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2468-67-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2872-89-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2708-99-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2456-108-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1816-16-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1324-118-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/696-138-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/696-136-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/2932-141-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2704-157-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2148-160-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1764-191-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2496-275-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1856-286-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon 
behavioral1/memory/1360-304-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1612-311-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1960-318-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2164-331-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2268-340-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2948-341-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2936-357-0x00000000002A0000-0x00000000002CA000-memory.dmp family_blackmoon behavioral1/memory/2808-385-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/668-405-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3004-412-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1328-425-0x0000000000430000-0x000000000045A000-memory.dmp family_blackmoon behavioral1/memory/548-438-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2964-445-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2964-446-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2052-454-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2004-461-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1840-469-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/1840-467-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/404-488-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1292-507-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2516-532-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2088-570-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2868-627-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/1508-693-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1320-789-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/1704-841-0x0000000001C80000-0x0000000001CAA000-memory.dmp family_blackmoon behavioral1/memory/3012-928-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1816 3llfxxl.exe 2084 dpppp.exe 2508 5dppp.exe 2884 xxlrffr.exe 2752 jdvjv.exe 2468 1lxxxxx.exe 3012 5thhnt.exe 2872 7jjjv.exe 2708 rrxfllx.exe 2456 ttnnnn.exe 1324 fxflxxl.exe 1240 hbnthh.exe 696 jvppd.exe 2932 btntnb.exe 2704 5jjdd.exe 2148 3nbnbt.exe 2372 xlllrxr.exe 784 dvvvj.exe 1764 ppdvd.exe 2348 ttnthh.exe 3056 btbhnt.exe 684 fxlflrx.exe 1876 lxllxxl.exe 1692 tnbbbb.exe 304 jvjjp.exe 1556 ffrxfrl.exe 1924 tnbbhh.exe 1800 1jvpp.exe 2496 lfxxffl.exe 1856 hthbhb.exe 1520 vjpjv.exe 1360 rrfllfr.exe 1612 hbbhbb.exe 1960 vppvv.exe 2500 jjdvd.exe 2164 lfrxllx.exe 2268 bbntbb.exe 2948 dpddj.exe 2672 dvjjp.exe 2936 7rfffxf.exe 2812 3rxfflf.exe 2648 nhtbnn.exe 1728 pjpjp.exe 2808 jvddj.exe 1164 xrfxffl.exe 576 tntttb.exe 668 9httbh.exe 3004 5pvdd.exe 1016 7lxxlrf.exe 1328 thbbnn.exe 332 hbnthn.exe 548 vpjjp.exe 2964 frfxllr.exe 2052 bbnttb.exe 2004 bbbntt.exe 1840 dpdvv.exe 784 fxrxrrf.exe 1764 9tbbnt.exe 912 nhnnnn.exe 404 jdvpv.exe 1372 1lxflrr.exe 1292 7rflrxf.exe 344 nnbbbb.exe 2972 5pddp.exe -
resource yara_rule behavioral1/memory/2600-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2084-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2084-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2508-39-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2752-59-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2884-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3012-69-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3012-79-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2872-89-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2708-99-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2456-108-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1816-16-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1324-118-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/696-138-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2932-141-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2704-157-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2148-160-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1856-277-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2496-275-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1360-296-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1360-304-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1960-318-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2268-333-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2164-331-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2268-340-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2948-341-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2936-357-0x00000000002A0000-0x00000000002CA000-memory.dmp upx behavioral1/memory/2808-385-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/576-392-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/668-405-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3004-412-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2964-446-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2052-447-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2052-454-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2004-461-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1840-467-0x00000000001B0000-0x00000000001DA000-memory.dmp upx behavioral1/memory/404-488-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1292-507-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2516-532-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2236-551-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2088-570-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2520-590-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2836-640-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1720-665-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2952-678-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1508-693-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/696-701-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2260-726-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/800-757-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2408-776-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1320-789-0x00000000003C0000-0x00000000003EA000-memory.dmp upx behavioral1/memory/1984-948-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2616-1022-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfrxffl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxrlrrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjvdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9djdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrffrxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3llfxxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvjdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnbbbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7jdvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process 
not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5tbhbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frrlllr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3htttt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxllxxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjjdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1frrrxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfrrffl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhtttt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9ntnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfrrfff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3bnntt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2600 wrote to memory of 1816 2600 90b01c76699f37bafa1f57ddad8d9ea64d3ba0f35a3d28f71500c4417dcc2e34.exe 30 PID 2600 wrote to memory of 1816 2600 90b01c76699f37bafa1f57ddad8d9ea64d3ba0f35a3d28f71500c4417dcc2e34.exe 30 PID 2600 wrote to memory of 1816 2600 90b01c76699f37bafa1f57ddad8d9ea64d3ba0f35a3d28f71500c4417dcc2e34.exe 30 PID 2600 wrote to memory of 1816 2600 90b01c76699f37bafa1f57ddad8d9ea64d3ba0f35a3d28f71500c4417dcc2e34.exe 30 PID 1816 wrote to memory of 2084 1816 3llfxxl.exe 31 PID 1816 wrote to memory of 2084 1816 3llfxxl.exe 31 PID 1816 wrote to memory of 2084 1816 3llfxxl.exe 31 PID 1816 wrote to memory of 2084 1816 3llfxxl.exe 31 PID 2084 wrote to memory of 2508 2084 dpppp.exe 32 PID 2084 wrote to memory of 2508 2084 dpppp.exe 32 PID 2084 wrote to memory of 2508 2084 dpppp.exe 32 PID 2084 wrote to memory of 2508 2084 dpppp.exe 32 PID 2508 wrote to memory of 2884 2508 5dppp.exe 33 PID 2508 wrote to memory of 2884 2508 5dppp.exe 33 PID 2508 wrote to memory of 2884 2508 5dppp.exe 33 PID 2508 wrote to memory of 2884 2508 5dppp.exe 33 PID 2884 wrote to memory of 2752 2884 xxlrffr.exe 34 PID 2884 wrote to memory of 2752 2884 xxlrffr.exe 34 PID 2884 wrote to memory of 2752 2884 xxlrffr.exe 34 PID 2884 wrote to memory of 2752 2884 xxlrffr.exe 34 PID 2752 wrote to memory of 2468 2752 jdvjv.exe 35 PID 2752 wrote to memory of 2468 2752 jdvjv.exe 35 PID 2752 wrote to memory of 2468 2752 jdvjv.exe 35 PID 2752 wrote to memory of 2468 2752 jdvjv.exe 35 PID 2468 wrote to memory of 3012 2468 1lxxxxx.exe 36 PID 2468 wrote to memory of 3012 2468 1lxxxxx.exe 36 PID 2468 wrote to memory of 3012 2468 1lxxxxx.exe 36 PID 2468 wrote to memory of 3012 2468 1lxxxxx.exe 36 PID 3012 wrote to memory of 2872 3012 5thhnt.exe 37 PID 3012 wrote to memory of 2872 3012 5thhnt.exe 37 PID 3012 wrote to memory of 2872 3012 5thhnt.exe 37 PID 3012 wrote to memory of 2872 3012 5thhnt.exe 37 PID 2872 wrote to memory of 2708 2872 7jjjv.exe 38 PID 2872 wrote 
to memory of 2708 2872 7jjjv.exe 38 PID 2872 wrote to memory of 2708 2872 7jjjv.exe 38 PID 2872 wrote to memory of 2708 2872 7jjjv.exe 38 PID 2708 wrote to memory of 2456 2708 rrxfllx.exe 39 PID 2708 wrote to memory of 2456 2708 rrxfllx.exe 39 PID 2708 wrote to memory of 2456 2708 rrxfllx.exe 39 PID 2708 wrote to memory of 2456 2708 rrxfllx.exe 39 PID 2456 wrote to memory of 1324 2456 ttnnnn.exe 40 PID 2456 wrote to memory of 1324 2456 ttnnnn.exe 40 PID 2456 wrote to memory of 1324 2456 ttnnnn.exe 40 PID 2456 wrote to memory of 1324 2456 ttnnnn.exe 40 PID 1324 wrote to memory of 1240 1324 fxflxxl.exe 41 PID 1324 wrote to memory of 1240 1324 fxflxxl.exe 41 PID 1324 wrote to memory of 1240 1324 fxflxxl.exe 41 PID 1324 wrote to memory of 1240 1324 fxflxxl.exe 41 PID 1240 wrote to memory of 696 1240 hbnthh.exe 42 PID 1240 wrote to memory of 696 1240 hbnthh.exe 42 PID 1240 wrote to memory of 696 1240 hbnthh.exe 42 PID 1240 wrote to memory of 696 1240 hbnthh.exe 42 PID 696 wrote to memory of 2932 696 jvppd.exe 43 PID 696 wrote to memory of 2932 696 jvppd.exe 43 PID 696 wrote to memory of 2932 696 jvppd.exe 43 PID 696 wrote to memory of 2932 696 jvppd.exe 43 PID 2932 wrote to memory of 2704 2932 btntnb.exe 44 PID 2932 wrote to memory of 2704 2932 btntnb.exe 44 PID 2932 wrote to memory of 2704 2932 btntnb.exe 44 PID 2932 wrote to memory of 2704 2932 btntnb.exe 44 PID 2704 wrote to memory of 2148 2704 5jjdd.exe 45 PID 2704 wrote to memory of 2148 2704 5jjdd.exe 45 PID 2704 wrote to memory of 2148 2704 5jjdd.exe 45 PID 2704 wrote to memory of 2148 2704 5jjdd.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\90b01c76699f37bafa1f57ddad8d9ea64d3ba0f35a3d28f71500c4417dcc2e34.exe"C:\Users\Admin\AppData\Local\Temp\90b01c76699f37bafa1f57ddad8d9ea64d3ba0f35a3d28f71500c4417dcc2e34.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2600 -
\??\c:\3llfxxl.exec:\3llfxxl.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1816 -
\??\c:\dpppp.exec:\dpppp.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2084 -
\??\c:\5dppp.exec:\5dppp.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2508 -
\??\c:\xxlrffr.exec:\xxlrffr.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2884 -
\??\c:\jdvjv.exec:\jdvjv.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2752 -
\??\c:\1lxxxxx.exec:\1lxxxxx.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2468 -
\??\c:\5thhnt.exec:\5thhnt.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3012 -
\??\c:\7jjjv.exec:\7jjjv.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2872 -
\??\c:\rrxfllx.exec:\rrxfllx.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2708 -
\??\c:\ttnnnn.exec:\ttnnnn.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2456 -
\??\c:\fxflxxl.exec:\fxflxxl.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1324 -
\??\c:\hbnthh.exec:\hbnthh.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1240 -
\??\c:\jvppd.exec:\jvppd.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:696 -
\??\c:\btntnb.exec:\btntnb.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2932 -
\??\c:\5jjdd.exec:\5jjdd.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2704 -
\??\c:\3nbnbt.exec:\3nbnbt.exe17⤵
- Executes dropped EXE
PID:2148 -
\??\c:\xlllrxr.exec:\xlllrxr.exe18⤵
- Executes dropped EXE
PID:2372 -
\??\c:\dvvvj.exec:\dvvvj.exe19⤵
- Executes dropped EXE
PID:784 -
\??\c:\ppdvd.exec:\ppdvd.exe20⤵
- Executes dropped EXE
PID:1764 -
\??\c:\ttnthh.exec:\ttnthh.exe21⤵
- Executes dropped EXE
PID:2348 -
\??\c:\btbhnt.exec:\btbhnt.exe22⤵
- Executes dropped EXE
PID:3056 -
\??\c:\fxlflrx.exec:\fxlflrx.exe23⤵
- Executes dropped EXE
PID:684 -
\??\c:\lxllxxl.exec:\lxllxxl.exe24⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1876 -
\??\c:\tnbbbb.exec:\tnbbbb.exe25⤵
- Executes dropped EXE
PID:1692 -
\??\c:\jvjjp.exec:\jvjjp.exe26⤵
- Executes dropped EXE
PID:304 -
\??\c:\ffrxfrl.exec:\ffrxfrl.exe27⤵
- Executes dropped EXE
PID:1556 -
\??\c:\tnbbhh.exec:\tnbbhh.exe28⤵
- Executes dropped EXE
PID:1924 -
\??\c:\1jvpp.exec:\1jvpp.exe29⤵
- Executes dropped EXE
PID:1800 -
\??\c:\lfxxffl.exec:\lfxxffl.exe30⤵
- Executes dropped EXE
PID:2496 -
\??\c:\hthbhb.exec:\hthbhb.exe31⤵
- Executes dropped EXE
PID:1856 -
\??\c:\vjpjv.exec:\vjpjv.exe32⤵
- Executes dropped EXE
PID:1520 -
\??\c:\rrfllfr.exec:\rrfllfr.exe33⤵
- Executes dropped EXE
PID:1360 -
\??\c:\hbbhbb.exec:\hbbhbb.exe34⤵
- Executes dropped EXE
PID:1612 -
\??\c:\vppvv.exec:\vppvv.exe35⤵
- Executes dropped EXE
PID:1960 -
\??\c:\jjdvd.exec:\jjdvd.exe36⤵
- Executes dropped EXE
PID:2500 -
\??\c:\lfrxllx.exec:\lfrxllx.exe37⤵
- Executes dropped EXE
PID:2164 -
\??\c:\bbntbb.exec:\bbntbb.exe38⤵
- Executes dropped EXE
PID:2268 -
\??\c:\dpddj.exec:\dpddj.exe39⤵
- Executes dropped EXE
PID:2948 -
\??\c:\dvjjp.exec:\dvjjp.exe40⤵
- Executes dropped EXE
PID:2672 -
\??\c:\7rfffxf.exec:\7rfffxf.exe41⤵
- Executes dropped EXE
PID:2936 -
\??\c:\3rxfflf.exec:\3rxfflf.exe42⤵
- Executes dropped EXE
PID:2812 -
\??\c:\nhtbnn.exec:\nhtbnn.exe43⤵
- Executes dropped EXE
PID:2648 -
\??\c:\pjpjp.exec:\pjpjp.exe44⤵
- Executes dropped EXE
PID:1728 -
\??\c:\jvddj.exec:\jvddj.exe45⤵
- Executes dropped EXE
PID:2808 -
\??\c:\xrfxffl.exec:\xrfxffl.exe46⤵
- Executes dropped EXE
PID:1164 -
\??\c:\tntttb.exec:\tntttb.exe47⤵
- Executes dropped EXE
PID:576 -
\??\c:\9httbh.exec:\9httbh.exe48⤵
- Executes dropped EXE
PID:668 -
\??\c:\5pvdd.exec:\5pvdd.exe49⤵
- Executes dropped EXE
PID:3004 -
\??\c:\7lxxlrf.exec:\7lxxlrf.exe50⤵
- Executes dropped EXE
PID:1016 -
\??\c:\thbbnn.exec:\thbbnn.exe51⤵
- Executes dropped EXE
PID:1328 -
\??\c:\hbnthn.exec:\hbnthn.exe52⤵
- Executes dropped EXE
PID:332 -
\??\c:\vpjjp.exec:\vpjjp.exe53⤵
- Executes dropped EXE
PID:548 -
\??\c:\frfxllr.exec:\frfxllr.exe54⤵
- Executes dropped EXE
PID:2964 -
\??\c:\bbnttb.exec:\bbnttb.exe55⤵
- Executes dropped EXE
PID:2052 -
\??\c:\bbbntt.exec:\bbbntt.exe56⤵
- Executes dropped EXE
PID:2004 -
\??\c:\dpdvv.exec:\dpdvv.exe57⤵
- Executes dropped EXE
PID:1840 -
\??\c:\fxrxrrf.exec:\fxrxrrf.exe58⤵
- Executes dropped EXE
PID:784 -
\??\c:\9tbbnt.exec:\9tbbnt.exe59⤵
- Executes dropped EXE
PID:1764 -
\??\c:\nhnnnn.exec:\nhnnnn.exe60⤵
- Executes dropped EXE
PID:912 -
\??\c:\jdvpv.exec:\jdvpv.exe61⤵
- Executes dropped EXE
PID:404 -
\??\c:\1lxflrr.exec:\1lxflrr.exe62⤵
- Executes dropped EXE
PID:1372 -
\??\c:\7rflrxf.exec:\7rflrxf.exe63⤵
- Executes dropped EXE
PID:1292 -
\??\c:\nnbbbb.exec:\nnbbbb.exe64⤵
- Executes dropped EXE
PID:344 -
\??\c:\5pddp.exec:\5pddp.exe65⤵
- Executes dropped EXE
PID:2972 -
\??\c:\vjvvv.exec:\vjvvv.exe66⤵PID:2292
-
\??\c:\rlxxflr.exec:\rlxxflr.exe67⤵PID:2516
-
\??\c:\tnhhnn.exec:\tnhhnn.exe68⤵PID:2560
-
\??\c:\bntbhh.exec:\bntbhh.exe69⤵PID:1924
-
\??\c:\dpdpj.exec:\dpdpj.exe70⤵PID:2168
-
\??\c:\9fllfff.exec:\9fllfff.exe71⤵PID:2236
-
\??\c:\frfflll.exec:\frfflll.exe72⤵PID:2396
-
\??\c:\9btttb.exec:\9btttb.exe73⤵PID:2088
-
\??\c:\dpdjv.exec:\dpdjv.exe74⤵PID:2212
-
\??\c:\xrlxflx.exec:\xrlxflx.exe75⤵PID:3028
-
\??\c:\bbtbhn.exec:\bbtbhn.exe76⤵PID:2080
-
\??\c:\bbttbb.exec:\bbttbb.exe77⤵PID:2520
-
\??\c:\jvddp.exec:\jvddp.exe78⤵PID:2388
-
\??\c:\7frrxrf.exec:\7frrxrf.exe79⤵PID:2500
-
\??\c:\rlflffr.exec:\rlflffr.exe80⤵PID:2912
-
\??\c:\bnhbnn.exec:\bnhbnn.exe81⤵PID:3036
-
\??\c:\ddpvj.exec:\ddpvj.exe82⤵PID:2868
-
\??\c:\pdpdd.exec:\pdpdd.exe83⤵PID:2440
-
\??\c:\xxrxlxl.exec:\xxrxlxl.exe84⤵PID:3032
-
\??\c:\3hbbbh.exec:\3hbbbh.exe85⤵PID:2836
-
\??\c:\ttntbt.exec:\ttntbt.exe86⤵PID:2636
-
\??\c:\pjvpv.exec:\pjvpv.exe87⤵PID:2340
-
\??\c:\5frlllr.exec:\5frlllr.exe88⤵PID:2604
-
\??\c:\lxllrrx.exec:\lxllrrx.exe89⤵PID:1720
-
\??\c:\tnbbhn.exec:\tnbbhn.exe90⤵PID:1608
-
\??\c:\vdvvd.exec:\vdvvd.exe91⤵PID:2952
-
\??\c:\ddjdj.exec:\ddjdj.exe92⤵PID:1508
-
\??\c:\xxrlrrf.exec:\xxrlrrf.exe93⤵
- System Location Discovery: System Language Discovery
PID:2744 -
\??\c:\flxxffr.exec:\flxxffr.exe94⤵PID:696
-
\??\c:\btnttt.exec:\btnttt.exe95⤵PID:2932
-
\??\c:\jdjdd.exec:\jdjdd.exe96⤵PID:484
-
\??\c:\rlllfxf.exec:\rlllfxf.exe97⤵PID:2704
-
\??\c:\xxrrflr.exec:\xxrrflr.exe98⤵PID:2260
-
\??\c:\thnttb.exec:\thnttb.exe99⤵PID:1932
-
\??\c:\dvjjv.exec:\dvjjv.exe100⤵PID:1752
-
\??\c:\9dvvv.exec:\9dvvv.exe101⤵PID:1840
-
\??\c:\rfxrffl.exec:\rfxrffl.exe102⤵PID:2136
-
\??\c:\rlxfllr.exec:\rlxfllr.exe103⤵PID:800
-
\??\c:\tnbhtb.exec:\tnbhtb.exe104⤵PID:1140
-
\??\c:\dvpjp.exec:\dvpjp.exe105⤵PID:1708
-
\??\c:\jjvvj.exec:\jjvvj.exe106⤵PID:2408
-
\??\c:\lxxxffl.exec:\lxxxffl.exe107⤵PID:1320
-
\??\c:\bnbhtt.exec:\bnbhtt.exe108⤵PID:1032
-
\??\c:\ddppj.exec:\ddppj.exe109⤵PID:2972
-
\??\c:\jvvvd.exec:\jvvvd.exe110⤵PID:1812
-
\??\c:\fxlrffl.exec:\fxlrffl.exe111⤵PID:2216
-
\??\c:\nhtttt.exec:\nhtttt.exe112⤵PID:1824
-
\??\c:\hththb.exec:\hththb.exe113⤵PID:608
-
\??\c:\pjvvj.exec:\pjvvj.exe114⤵PID:2168
-
\??\c:\xlllrxf.exec:\xlllrxf.exe115⤵PID:1704
-
\??\c:\lflfrxf.exec:\lflfrxf.exe116⤵PID:1668
-
\??\c:\ttnthh.exec:\ttnthh.exe117⤵PID:1100
-
\??\c:\nnhbbb.exec:\nnhbbb.exe118⤵PID:2212
-
\??\c:\7djjv.exec:\7djjv.exe119⤵PID:2728
-
\??\c:\lxxxffr.exec:\lxxxffr.exe120⤵PID:2532
-
\??\c:\lfllrxf.exec:\lfllrxf.exe121⤵PID:1816
-
\??\c:\thtttb.exec:\thtttb.exe122⤵PID:2736