Analysis
-
max time kernel
120s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
26/12/2024, 15:16
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
37cdeea0b8a68e0bd5274f3909fdeaf264e189df86c18d59ce4c470f34e2ddcf.exe
Resource
win7-20240903-en
7 signatures
120 seconds
General
-
Target
37cdeea0b8a68e0bd5274f3909fdeaf264e189df86c18d59ce4c470f34e2ddcf.exe
-
Size
456KB
-
MD5
abed52bcf7e9b6a5cd98366774dd7756
-
SHA1
cf91cca3799be7682904cb8c8a76214ffa404ebd
-
SHA256
37cdeea0b8a68e0bd5274f3909fdeaf264e189df86c18d59ce4c470f34e2ddcf
-
SHA512
975bc889da80d784fd93634eb3ced70c025b9108476c830300965003f332703564e56965fb8984bbbf74ccf1a877d1dcc5754ec1c26e0044f51e31f13bbc500b
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeRq:q7Tc2NYHUrAwfMp3CDRq
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 39 IoCs
resource yara_rule behavioral1/memory/1924-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2064-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1404-27-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2924-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2736-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2872-67-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2856-59-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3056-79-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2016-89-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1624-108-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1904-126-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2880-137-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1280-153-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2044-164-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1900-174-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2052-182-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2668-193-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2668-191-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/112-218-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1984-231-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2812-228-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2264-253-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2508-265-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2092-281-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2796-355-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2640-376-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1048-401-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/2032-408-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1348-437-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2424-475-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/840-482-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/1956-497-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/276-535-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1268-536-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1584-575-0x00000000005C0000-0x00000000005EA000-memory.dmp family_blackmoon behavioral1/memory/2732-609-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2064-868-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1620-1000-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/316-1071-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2064 pvvjv.exe 1404 1rflflx.exe 2924 tntbhn.exe 2736 rrfrflx.exe 2856 bnhhnt.exe 2872 fxlrxfr.exe 3056 7fxlxxl.exe 2016 dvjpv.exe 2644 xrllxxr.exe 2396 bthnbb.exe 1624 pvjjv.exe 1904 rlxfrrx.exe 2980 nnhntt.exe 2880 vpdvv.exe 1280 9nhbhh.exe 2044 vvvjd.exe 1900 xrllrxx.exe 2052 1httbh.exe 2668 jdvvj.exe 1656 thbhtt.exe 2496 jddjj.exe 112 fxlfffl.exe 2812 jdvdj.exe 1984 flxxxrf.exe 2484 3nbbtb.exe 2264 5nbbbb.exe 1704 xfrffrr.exe 2508 thtbnt.exe 2092 3dpjp.exe 1908 hbnnbh.exe 852 1vjpv.exe 2560 jvpvd.exe 1720 nbntbb.exe 2020 pdjpj.exe 2720 lxlflrx.exe 2768 tnhbhh.exe 2324 nhtbnn.exe 2228 pjvdp.exe 2856 rrfxffl.exe 2796 xlxxffl.exe 2664 nbttbt.exe 2672 vjpjj.exe 2640 9ppdv.exe 2628 fxllxfl.exe 2056 btbhnh.exe 1684 pjpjp.exe 1048 rfxrrrx.exe 2632 lfxflxf.exe 2032 7tbttn.exe 2696 9jppp.exe 2952 vpjpj.exe 1348 fxrrrrr.exe 2976 xflxxxf.exe 1964 nbttbn.exe 1580 pdvpp.exe 2360 llxfllx.exe 2168 lxxxxxf.exe 2424 bthnbh.exe 840 hthhbb.exe 1712 pjdpp.exe 1956 7llfxrr.exe 2284 7bhhtt.exe 1384 tnthnn.exe 276 vdpdp.exe -
resource yara_rule behavioral1/memory/1924-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2064-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1404-27-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2736-38-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2924-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2856-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2736-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2872-67-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2856-59-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3056-79-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2016-89-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1624-108-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1904-126-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2880-137-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1280-153-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2044-164-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1900-165-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1900-174-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2052-182-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2668-193-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/112-218-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1984-231-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2812-228-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2264-253-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2508-265-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2092-281-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2560-298-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2796-355-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2664-356-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2640-376-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2032-408-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2696-415-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2952-427-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/1348-430-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1348-437-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2032-440-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2424-475-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/1712-483-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1956-497-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1872-519-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/276-535-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1268-536-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1748-562-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1584-570-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2732-609-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2844-610-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3068-617-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2912-624-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2992-631-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2704-655-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1140-676-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2128-817-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2544-830-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2064-868-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2884-912-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2632-955-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2392-1020-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1960-1033-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/316-1071-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbhntt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pppvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpdpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5thhhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfrrllr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7bnhhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbtthh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9lrfxrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlxflxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found 
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnhhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnnntt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjppp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvvdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdppp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbthbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1924 wrote to memory of 2064 1924 37cdeea0b8a68e0bd5274f3909fdeaf264e189df86c18d59ce4c470f34e2ddcf.exe 30 PID 1924 wrote to memory of 2064 1924 37cdeea0b8a68e0bd5274f3909fdeaf264e189df86c18d59ce4c470f34e2ddcf.exe 30 PID 1924 wrote to memory of 2064 1924 37cdeea0b8a68e0bd5274f3909fdeaf264e189df86c18d59ce4c470f34e2ddcf.exe 30 PID 1924 wrote to memory of 2064 1924 37cdeea0b8a68e0bd5274f3909fdeaf264e189df86c18d59ce4c470f34e2ddcf.exe 30 PID 2064 wrote to memory of 1404 2064 pvvjv.exe 31 PID 2064 wrote to memory of 1404 2064 pvvjv.exe 31 PID 2064 wrote to memory of 1404 2064 pvvjv.exe 31 PID 2064 wrote to memory of 1404 2064 pvvjv.exe 31 PID 1404 wrote to memory of 2924 1404 1rflflx.exe 32 PID 1404 wrote to memory of 2924 1404 1rflflx.exe 32 PID 1404 wrote to memory of 2924 1404 1rflflx.exe 32 PID 1404 wrote to memory of 2924 1404 1rflflx.exe 32 PID 2924 wrote to memory of 2736 2924 tntbhn.exe 33 PID 2924 wrote to memory of 2736 2924 tntbhn.exe 33 PID 2924 wrote to memory of 2736 2924 tntbhn.exe 33 PID 2924 wrote to memory of 2736 2924 tntbhn.exe 33 PID 2736 wrote to memory of 2856 2736 rrfrflx.exe 34 PID 2736 wrote to memory of 2856 2736 rrfrflx.exe 34 PID 2736 wrote to memory of 2856 2736 rrfrflx.exe 34 PID 2736 wrote to memory of 2856 2736 rrfrflx.exe 34 PID 2856 wrote to memory of 2872 2856 bnhhnt.exe 35 PID 2856 wrote to memory of 2872 2856 bnhhnt.exe 35 PID 2856 wrote to memory of 2872 2856 bnhhnt.exe 35 PID 2856 wrote to memory of 2872 2856 bnhhnt.exe 35 PID 2872 wrote to memory of 3056 2872 fxlrxfr.exe 36 PID 2872 wrote to memory of 3056 2872 fxlrxfr.exe 36 PID 2872 wrote to memory of 3056 2872 fxlrxfr.exe 36 PID 2872 wrote to memory of 3056 2872 fxlrxfr.exe 36 PID 3056 wrote to memory of 2016 3056 7fxlxxl.exe 37 PID 3056 wrote to memory of 2016 3056 7fxlxxl.exe 37 PID 3056 wrote to memory of 2016 3056 7fxlxxl.exe 37 PID 3056 wrote to memory of 2016 3056 7fxlxxl.exe 37 PID 2016 wrote to memory of 2644 2016 dvjpv.exe 38 
PID 2016 wrote to memory of 2644 2016 dvjpv.exe 38 PID 2016 wrote to memory of 2644 2016 dvjpv.exe 38 PID 2016 wrote to memory of 2644 2016 dvjpv.exe 38 PID 2644 wrote to memory of 2396 2644 xrllxxr.exe 39 PID 2644 wrote to memory of 2396 2644 xrllxxr.exe 39 PID 2644 wrote to memory of 2396 2644 xrllxxr.exe 39 PID 2644 wrote to memory of 2396 2644 xrllxxr.exe 39 PID 2396 wrote to memory of 1624 2396 bthnbb.exe 40 PID 2396 wrote to memory of 1624 2396 bthnbb.exe 40 PID 2396 wrote to memory of 1624 2396 bthnbb.exe 40 PID 2396 wrote to memory of 1624 2396 bthnbb.exe 40 PID 1624 wrote to memory of 1904 1624 pvjjv.exe 41 PID 1624 wrote to memory of 1904 1624 pvjjv.exe 41 PID 1624 wrote to memory of 1904 1624 pvjjv.exe 41 PID 1624 wrote to memory of 1904 1624 pvjjv.exe 41 PID 1904 wrote to memory of 2980 1904 rlxfrrx.exe 42 PID 1904 wrote to memory of 2980 1904 rlxfrrx.exe 42 PID 1904 wrote to memory of 2980 1904 rlxfrrx.exe 42 PID 1904 wrote to memory of 2980 1904 rlxfrrx.exe 42 PID 2980 wrote to memory of 2880 2980 nnhntt.exe 43 PID 2980 wrote to memory of 2880 2980 nnhntt.exe 43 PID 2980 wrote to memory of 2880 2980 nnhntt.exe 43 PID 2980 wrote to memory of 2880 2980 nnhntt.exe 43 PID 2880 wrote to memory of 1280 2880 vpdvv.exe 44 PID 2880 wrote to memory of 1280 2880 vpdvv.exe 44 PID 2880 wrote to memory of 1280 2880 vpdvv.exe 44 PID 2880 wrote to memory of 1280 2880 vpdvv.exe 44 PID 1280 wrote to memory of 2044 1280 9nhbhh.exe 45 PID 1280 wrote to memory of 2044 1280 9nhbhh.exe 45 PID 1280 wrote to memory of 2044 1280 9nhbhh.exe 45 PID 1280 wrote to memory of 2044 1280 9nhbhh.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\37cdeea0b8a68e0bd5274f3909fdeaf264e189df86c18d59ce4c470f34e2ddcf.exe"C:\Users\Admin\AppData\Local\Temp\37cdeea0b8a68e0bd5274f3909fdeaf264e189df86c18d59ce4c470f34e2ddcf.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1924 -
\??\c:\pvvjv.exec:\pvvjv.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2064 -
\??\c:\1rflflx.exec:\1rflflx.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1404 -
\??\c:\tntbhn.exec:\tntbhn.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2924 -
\??\c:\rrfrflx.exec:\rrfrflx.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2736 -
\??\c:\bnhhnt.exec:\bnhhnt.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2856 -
\??\c:\fxlrxfr.exec:\fxlrxfr.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2872 -
\??\c:\7fxlxxl.exec:\7fxlxxl.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3056 -
\??\c:\dvjpv.exec:\dvjpv.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2016 -
\??\c:\xrllxxr.exec:\xrllxxr.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2644 -
\??\c:\bthnbb.exec:\bthnbb.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2396 -
\??\c:\pvjjv.exec:\pvjjv.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1624 -
\??\c:\rlxfrrx.exec:\rlxfrrx.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1904 -
\??\c:\nnhntt.exec:\nnhntt.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2980 -
\??\c:\vpdvv.exec:\vpdvv.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2880 -
\??\c:\9nhbhh.exec:\9nhbhh.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1280 -
\??\c:\vvvjd.exec:\vvvjd.exe17⤵
- Executes dropped EXE
PID:2044 -
\??\c:\xrllrxx.exec:\xrllrxx.exe18⤵
- Executes dropped EXE
PID:1900 -
\??\c:\1httbh.exec:\1httbh.exe19⤵
- Executes dropped EXE
PID:2052 -
\??\c:\jdvvj.exec:\jdvvj.exe20⤵
- Executes dropped EXE
PID:2668 -
\??\c:\thbhtt.exec:\thbhtt.exe21⤵
- Executes dropped EXE
PID:1656 -
\??\c:\jddjj.exec:\jddjj.exe22⤵
- Executes dropped EXE
PID:2496 -
\??\c:\fxlfffl.exec:\fxlfffl.exe23⤵
- Executes dropped EXE
PID:112 -
\??\c:\jdvdj.exec:\jdvdj.exe24⤵
- Executes dropped EXE
PID:2812 -
\??\c:\flxxxrf.exec:\flxxxrf.exe25⤵
- Executes dropped EXE
PID:1984 -
\??\c:\3nbbtb.exec:\3nbbtb.exe26⤵
- Executes dropped EXE
PID:2484 -
\??\c:\5nbbbb.exec:\5nbbbb.exe27⤵
- Executes dropped EXE
PID:2264 -
\??\c:\xfrffrr.exec:\xfrffrr.exe28⤵
- Executes dropped EXE
PID:1704 -
\??\c:\thtbnt.exec:\thtbnt.exe29⤵
- Executes dropped EXE
PID:2508 -
\??\c:\3dpjp.exec:\3dpjp.exe30⤵
- Executes dropped EXE
PID:2092 -
\??\c:\hbnnbh.exec:\hbnnbh.exe31⤵
- Executes dropped EXE
PID:1908 -
\??\c:\1vjpv.exec:\1vjpv.exe32⤵
- Executes dropped EXE
PID:852 -
\??\c:\jvpvd.exec:\jvpvd.exe33⤵
- Executes dropped EXE
PID:2560 -
\??\c:\nbntbb.exec:\nbntbb.exe34⤵
- Executes dropped EXE
PID:1720 -
\??\c:\pdjpj.exec:\pdjpj.exe35⤵
- Executes dropped EXE
PID:2020 -
\??\c:\lxlflrx.exec:\lxlflrx.exe36⤵
- Executes dropped EXE
PID:2720 -
\??\c:\tnhbhh.exec:\tnhbhh.exe37⤵
- Executes dropped EXE
PID:2768 -
\??\c:\nhtbnn.exec:\nhtbnn.exe38⤵
- Executes dropped EXE
PID:2324 -
\??\c:\pjvdp.exec:\pjvdp.exe39⤵
- Executes dropped EXE
PID:2228 -
\??\c:\rrfxffl.exec:\rrfxffl.exe40⤵
- Executes dropped EXE
PID:2856 -
\??\c:\xlxxffl.exec:\xlxxffl.exe41⤵
- Executes dropped EXE
PID:2796 -
\??\c:\nbttbt.exec:\nbttbt.exe42⤵
- Executes dropped EXE
PID:2664 -
\??\c:\vjpjj.exec:\vjpjj.exe43⤵
- Executes dropped EXE
PID:2672 -
\??\c:\9ppdv.exec:\9ppdv.exe44⤵
- Executes dropped EXE
PID:2640 -
\??\c:\fxllxfl.exec:\fxllxfl.exe45⤵
- Executes dropped EXE
PID:2628 -
\??\c:\btbhnh.exec:\btbhnh.exe46⤵
- Executes dropped EXE
PID:2056 -
\??\c:\pjpjp.exec:\pjpjp.exe47⤵
- Executes dropped EXE
PID:1684 -
\??\c:\rfxrrrx.exec:\rfxrrrx.exe48⤵
- Executes dropped EXE
PID:1048 -
\??\c:\lfxflxf.exec:\lfxflxf.exe49⤵
- Executes dropped EXE
PID:2632 -
\??\c:\7tbttn.exec:\7tbttn.exe50⤵
- Executes dropped EXE
PID:2032 -
\??\c:\9jppp.exec:\9jppp.exe51⤵
- Executes dropped EXE
PID:2696 -
\??\c:\vpjpj.exec:\vpjpj.exe52⤵
- Executes dropped EXE
PID:2952 -
\??\c:\fxrrrrr.exec:\fxrrrrr.exe53⤵
- Executes dropped EXE
PID:1348 -
\??\c:\xflxxxf.exec:\xflxxxf.exe54⤵
- Executes dropped EXE
PID:2976 -
\??\c:\nbttbn.exec:\nbttbn.exe55⤵
- Executes dropped EXE
PID:1964 -
\??\c:\pdvpp.exec:\pdvpp.exe56⤵
- Executes dropped EXE
PID:1580 -
\??\c:\llxfllx.exec:\llxfllx.exe57⤵
- Executes dropped EXE
PID:2360 -
\??\c:\lxxxxxf.exec:\lxxxxxf.exe58⤵
- Executes dropped EXE
PID:2168 -
\??\c:\bthnbh.exec:\bthnbh.exe59⤵
- Executes dropped EXE
PID:2424 -
\??\c:\hthhbb.exec:\hthhbb.exe60⤵
- Executes dropped EXE
PID:840 -
\??\c:\pjdpp.exec:\pjdpp.exe61⤵
- Executes dropped EXE
PID:1712 -
\??\c:\7llfxrr.exec:\7llfxrr.exe62⤵
- Executes dropped EXE
PID:1956 -
\??\c:\7bhhtt.exec:\7bhhtt.exe63⤵
- Executes dropped EXE
PID:2284 -
\??\c:\tnthnn.exec:\tnthnn.exe64⤵
- Executes dropped EXE
PID:1384 -
\??\c:\vdpdp.exec:\vdpdp.exe65⤵
- Executes dropped EXE
PID:276 -
\??\c:\xxxrxfr.exec:\xxxrxfr.exe66⤵PID:1872
-
\??\c:\frffrrx.exec:\frffrrx.exe67⤵PID:2516
-
\??\c:\bnttth.exec:\bnttth.exe68⤵PID:1268
-
\??\c:\ppdjv.exec:\ppdjv.exe69⤵PID:2220
-
\??\c:\jdppv.exec:\jdppv.exe70⤵PID:2368
-
\??\c:\xlffrrx.exec:\xlffrrx.exe71⤵PID:1608
-
\??\c:\3thhnh.exec:\3thhnh.exe72⤵PID:1912
-
\??\c:\hhnnhb.exec:\hhnnhb.exe73⤵PID:1748
-
\??\c:\jdpvd.exec:\jdpvd.exe74⤵PID:1584
-
\??\c:\fxffllx.exec:\fxffllx.exe75⤵PID:2560
-
\??\c:\7bhbtt.exec:\7bhbtt.exe76⤵PID:1716
-
\??\c:\9ttbnb.exec:\9ttbnb.exe77⤵PID:624
-
\??\c:\djpdd.exec:\djpdd.exe78⤵PID:2076
-
\??\c:\3xrffff.exec:\3xrffff.exe79⤵PID:2732
-
\??\c:\5xxxrrx.exec:\5xxxrrx.exe80⤵PID:2844
-
\??\c:\nbtbhh.exec:\nbtbhh.exe81⤵PID:3068
-
\??\c:\5dppj.exec:\5dppj.exe82⤵PID:2912
-
\??\c:\rxllrrf.exec:\rxllrrf.exe83⤵PID:2992
-
\??\c:\nbnttn.exec:\nbnttn.exe84⤵PID:2892
-
\??\c:\nhbbhn.exec:\nhbbhn.exe85⤵PID:2656
-
\??\c:\3dvdd.exec:\3dvdd.exe86⤵PID:2684
-
\??\c:\xrlrffx.exec:\xrlrffx.exe87⤵PID:2704
-
\??\c:\frxrrrr.exec:\frxrrrr.exe88⤵PID:1812
-
\??\c:\5nbtbh.exec:\5nbtbh.exe89⤵PID:1296
-
\??\c:\hnnhtn.exec:\hnnhtn.exe90⤵PID:1140
-
\??\c:\dvddj.exec:\dvddj.exe91⤵PID:3012
-
\??\c:\1lrfxrr.exec:\1lrfxrr.exe92⤵PID:2896
-
\??\c:\bntttt.exec:\bntttt.exe93⤵PID:2944
-
\??\c:\3htttt.exec:\3htttt.exe94⤵PID:1504
-
\??\c:\jjvdp.exec:\jjvdp.exe95⤵PID:1348
-
\??\c:\xlxxxxx.exec:\xlxxxxx.exe96⤵PID:2932
-
\??\c:\flflrrx.exec:\flflrrx.exe97⤵PID:3024
-
\??\c:\thtnnh.exec:\thtnnh.exe98⤵PID:1532
-
\??\c:\5dppp.exec:\5dppp.exe99⤵PID:1900
-
\??\c:\7vpjp.exec:\7vpjp.exe100⤵PID:2360
-
\??\c:\lfflxlf.exec:\lfflxlf.exe101⤵PID:2140
-
\??\c:\1hnnnt.exec:\1hnnnt.exe102⤵PID:2100
-
\??\c:\nbttbb.exec:\nbttbb.exe103⤵PID:1060
-
\??\c:\jdjjj.exec:\jdjjj.exe104⤵PID:2112
-
\??\c:\rlxxxlr.exec:\rlxxxlr.exe105⤵PID:1096
-
\??\c:\btnbbh.exec:\btnbbh.exe106⤵PID:956
-
\??\c:\jdvvj.exec:\jdvvj.exe107⤵PID:272
-
\??\c:\5jpjd.exec:\5jpjd.exe108⤵PID:1884
-
\??\c:\xlxxxxf.exec:\xlxxxxf.exe109⤵PID:304
-
\??\c:\tnhhhh.exec:\tnhhhh.exe110⤵PID:708
-
\??\c:\tntnth.exec:\tntnth.exe111⤵PID:2612
-
\??\c:\pjppp.exec:\pjppp.exe112⤵PID:1704
-
\??\c:\9frffxf.exec:\9frffxf.exe113⤵PID:2128
-
\??\c:\frffffr.exec:\frffffr.exe114⤵PID:1892
-
\??\c:\hbnntn.exec:\hbnntn.exe115⤵PID:2544
-
\??\c:\jvvvv.exec:\jvvvv.exe116⤵PID:2576
-
\??\c:\ddpvd.exec:\ddpvd.exe117⤵PID:1748
-
\??\c:\9xfrxxx.exec:\9xfrxxx.exe118⤵PID:1744
-
\??\c:\bhtnbh.exec:\bhtnbh.exe119⤵PID:2560
-
\??\c:\9htnnn.exec:\9htnnn.exe120⤵PID:2064
-
\??\c:\pjvvd.exec:\pjvvd.exe121⤵PID:2080
-
\??\c:\9lrfxxx.exec:\9lrfxxx.exe122⤵PID:3044