Analysis
-
max time kernel
120s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
26-12-2024 16:20
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
98b967d9224bec45c6379f113d932e53f7bc7317f877a287c9f108b40017b4e0N.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
120 seconds
General
-
Target
98b967d9224bec45c6379f113d932e53f7bc7317f877a287c9f108b40017b4e0N.exe
-
Size
453KB
-
MD5
16ce2693bdbe4b4dda738ed5981cee10
-
SHA1
d6904c0471e33c952b983dc8c178fb4187e85b63
-
SHA256
98b967d9224bec45c6379f113d932e53f7bc7317f877a287c9f108b40017b4e0
-
SHA512
bccc3761e7e22ce0072c4819a1fc1a4de7d5aede33b0013403af9c81faf2c645bf3b8ecc2afad554ba76ebbea7fc50ce3404fc07e4b7bcfa53eec237653cbffb
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeY:q7Tc2NYHUrAwfMp3CDY
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 47 IoCs
resource yara_rule behavioral1/memory/2280-10-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2464-22-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2300-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2464-29-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/2784-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2712-50-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2800-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2868-74-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2508-84-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2820-96-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/2820-101-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1552-110-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/712-120-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2044-128-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1684-136-0x0000000000270000-0x000000000029A000-memory.dmp family_blackmoon behavioral1/memory/1684-138-0x0000000000270000-0x000000000029A000-memory.dmp family_blackmoon behavioral1/memory/2956-156-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/580-165-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1668-175-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/448-191-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2596-200-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/1324-205-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1324-210-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1040-219-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/620-277-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2280-300-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2988-358-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/2828-365-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2556-372-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2156-385-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/540-392-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/712-411-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1088-418-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/992-432-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1668-464-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1860-490-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2528-521-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3012-534-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2380-540-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/2036-692-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2256-790-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2268-811-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2464-880-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/1632-905-0x0000000000430000-0x000000000045A000-memory.dmp family_blackmoon behavioral1/memory/1936-1000-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2504-1146-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2560-1202-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2300 5fllflx.exe 2464 3hhhnb.exe 2376 llrxrrf.exe 2784 vvpdp.exe 2712 hnnhtb.exe 2800 ppvdp.exe 2868 btnbnt.exe 2508 vvvjv.exe 2588 nnbbnt.exe 2820 9pjdd.exe 1552 7jjjp.exe 712 ppddj.exe 2044 hbntbb.exe 1684 bbtnhb.exe 1072 llxfrrl.exe 2956 tbhhhb.exe 580 nnnbtb.exe 1668 vpdpp.exe 2176 hhbhnt.exe 448 bhbtht.exe 2596 rxrxrlf.exe 1324 nhtbbh.exe 1040 ddppv.exe 584 7fflffr.exe 1768 jdpdp.exe 1524 rlxfllx.exe 2332 7vddj.exe 3008 ffxflrl.exe 2224 5bhthn.exe 620 jpddp.exe 380 5ttbnt.exe 1804 jddjv.exe 2280 hhhnbh.exe 2840 tbtnbn.exe 2336 3ppvd.exe 1588 lfrrxfl.exe 2480 5nbhbb.exe 2788 hbtbnn.exe 2768 jjjpj.exe 2688 xrllrlr.exe 2760 xrlxrrx.exe 2988 nnbnbh.exe 2828 5vpjd.exe 2556 rlffrxr.exe 2676 rxxxflr.exe 2156 hnnnbt.exe 540 jddjv.exe 2312 xrllrxr.exe 2016 fxllfrf.exe 712 bnnnhn.exe 1088 9pdjv.exe 2316 fxrxrxl.exe 992 bthnbh.exe 1932 9tthtt.exe 2836 djjpd.exe 2204 rlxfrfl.exe 2132 rlfrrxr.exe 1668 hbbnbb.exe 328 vppvj.exe 2744 xllrxlx.exe 2436 1nhnbh.exe 1860 htnbnh.exe 1920 ppvjv.exe 1824 rlxflrf.exe -
resource yara_rule behavioral1/memory/2280-10-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2464-22-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2300-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2784-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2712-50-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2800-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2868-74-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2508-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2820-101-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1552-110-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/712-120-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2044-128-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1684-136-0x0000000000270000-0x000000000029A000-memory.dmp upx behavioral1/memory/1684-138-0x0000000000270000-0x000000000029A000-memory.dmp upx behavioral1/memory/1072-140-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2956-156-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/580-165-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1668-175-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/448-191-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2596-200-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1324-205-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/1324-210-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1040-219-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/448-227-0x0000000000220000-0x000000000024A000-memory.dmp upx 
behavioral1/memory/620-277-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2280-300-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2336-307-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2828-365-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2156-385-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/540-392-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/712-411-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1088-418-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/992-425-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/992-432-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2836-439-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2436-477-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1860-490-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2528-521-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3012-534-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2380-540-0x00000000003A0000-0x00000000003CA000-memory.dmp upx behavioral1/memory/2036-692-0x00000000001B0000-0x00000000001DA000-memory.dmp upx behavioral1/memory/2316-700-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1932-713-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2268-811-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2260-930-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2504-1146-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2560-1202-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3008-1360-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjpvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bthhtb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bttnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3hhntn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7btnnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjjpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhhnbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxlrllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhbhtb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9pdjv.exe 
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5tbbtb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffxfrxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5hbbbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxrxrxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbtbhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxllllr.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2280 wrote to memory of 2300 2280 98b967d9224bec45c6379f113d932e53f7bc7317f877a287c9f108b40017b4e0N.exe 31 PID 2280 wrote to memory of 2300 2280 98b967d9224bec45c6379f113d932e53f7bc7317f877a287c9f108b40017b4e0N.exe 31 PID 2280 wrote to memory of 2300 2280 98b967d9224bec45c6379f113d932e53f7bc7317f877a287c9f108b40017b4e0N.exe 31 PID 2280 wrote to memory of 2300 2280 98b967d9224bec45c6379f113d932e53f7bc7317f877a287c9f108b40017b4e0N.exe 31 PID 2300 wrote to memory of 2464 2300 5fllflx.exe 32 PID 2300 wrote to memory of 2464 2300 5fllflx.exe 32 PID 2300 wrote to memory of 2464 2300 5fllflx.exe 32 PID 2300 wrote to memory of 2464 2300 5fllflx.exe 32 PID 2464 wrote to memory of 2376 2464 3hhhnb.exe 33 PID 2464 wrote to memory of 2376 2464 3hhhnb.exe 33 PID 2464 wrote to memory of 2376 2464 3hhhnb.exe 33 PID 2464 wrote to memory of 2376 2464 3hhhnb.exe 33 PID 2376 wrote to memory of 2784 2376 llrxrrf.exe 34 PID 2376 wrote to memory of 2784 2376 llrxrrf.exe 34 PID 2376 wrote to memory of 2784 2376 llrxrrf.exe 34 PID 2376 wrote to memory of 2784 2376 llrxrrf.exe 34 PID 2784 wrote to memory of 2712 2784 vvpdp.exe 35 PID 2784 wrote to memory of 2712 2784 vvpdp.exe 35 PID 2784 wrote to memory of 2712 2784 vvpdp.exe 35 PID 2784 wrote to memory of 2712 2784 vvpdp.exe 35 PID 2712 wrote to memory of 2800 2712 hnnhtb.exe 36 PID 2712 wrote to memory of 2800 2712 hnnhtb.exe 36 PID 2712 wrote to memory of 2800 2712 hnnhtb.exe 36 PID 2712 wrote to memory of 2800 2712 hnnhtb.exe 36 PID 2800 wrote to memory of 2868 2800 ppvdp.exe 37 PID 2800 wrote to memory of 2868 2800 ppvdp.exe 37 PID 2800 wrote to memory of 2868 2800 ppvdp.exe 37 PID 2800 wrote to memory of 2868 2800 ppvdp.exe 37 PID 2868 wrote to memory of 2508 2868 btnbnt.exe 38 PID 2868 wrote to memory of 2508 2868 btnbnt.exe 38 PID 2868 wrote to memory of 2508 2868 btnbnt.exe 38 PID 2868 wrote to memory of 2508 2868 btnbnt.exe 38 PID 2508 wrote to memory of 2588 2508 vvvjv.exe 39 PID 2508 
wrote to memory of 2588 2508 vvvjv.exe 39 PID 2508 wrote to memory of 2588 2508 vvvjv.exe 39 PID 2508 wrote to memory of 2588 2508 vvvjv.exe 39 PID 2588 wrote to memory of 2820 2588 nnbbnt.exe 40 PID 2588 wrote to memory of 2820 2588 nnbbnt.exe 40 PID 2588 wrote to memory of 2820 2588 nnbbnt.exe 40 PID 2588 wrote to memory of 2820 2588 nnbbnt.exe 40 PID 2820 wrote to memory of 1552 2820 9pjdd.exe 41 PID 2820 wrote to memory of 1552 2820 9pjdd.exe 41 PID 2820 wrote to memory of 1552 2820 9pjdd.exe 41 PID 2820 wrote to memory of 1552 2820 9pjdd.exe 41 PID 1552 wrote to memory of 712 1552 7jjjp.exe 42 PID 1552 wrote to memory of 712 1552 7jjjp.exe 42 PID 1552 wrote to memory of 712 1552 7jjjp.exe 42 PID 1552 wrote to memory of 712 1552 7jjjp.exe 42 PID 712 wrote to memory of 2044 712 ppddj.exe 43 PID 712 wrote to memory of 2044 712 ppddj.exe 43 PID 712 wrote to memory of 2044 712 ppddj.exe 43 PID 712 wrote to memory of 2044 712 ppddj.exe 43 PID 2044 wrote to memory of 1684 2044 hbntbb.exe 44 PID 2044 wrote to memory of 1684 2044 hbntbb.exe 44 PID 2044 wrote to memory of 1684 2044 hbntbb.exe 44 PID 2044 wrote to memory of 1684 2044 hbntbb.exe 44 PID 1684 wrote to memory of 1072 1684 bbtnhb.exe 45 PID 1684 wrote to memory of 1072 1684 bbtnhb.exe 45 PID 1684 wrote to memory of 1072 1684 bbtnhb.exe 45 PID 1684 wrote to memory of 1072 1684 bbtnhb.exe 45 PID 1072 wrote to memory of 2956 1072 llxfrrl.exe 46 PID 1072 wrote to memory of 2956 1072 llxfrrl.exe 46 PID 1072 wrote to memory of 2956 1072 llxfrrl.exe 46 PID 1072 wrote to memory of 2956 1072 llxfrrl.exe 46
Processes
-
C:\Users\Admin\AppData\Local\Temp\98b967d9224bec45c6379f113d932e53f7bc7317f877a287c9f108b40017b4e0N.exe"C:\Users\Admin\AppData\Local\Temp\98b967d9224bec45c6379f113d932e53f7bc7317f877a287c9f108b40017b4e0N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2280 -
\??\c:\5fllflx.exec:\5fllflx.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2300 -
\??\c:\3hhhnb.exec:\3hhhnb.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2464 -
\??\c:\llrxrrf.exec:\llrxrrf.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2376 -
\??\c:\vvpdp.exec:\vvpdp.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2784 -
\??\c:\hnnhtb.exec:\hnnhtb.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2712 -
\??\c:\ppvdp.exec:\ppvdp.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2800 -
\??\c:\btnbnt.exec:\btnbnt.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2868 -
\??\c:\vvvjv.exec:\vvvjv.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2508 -
\??\c:\nnbbnt.exec:\nnbbnt.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2588 -
\??\c:\9pjdd.exec:\9pjdd.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2820 -
\??\c:\7jjjp.exec:\7jjjp.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1552 -
\??\c:\ppddj.exec:\ppddj.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:712 -
\??\c:\hbntbb.exec:\hbntbb.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2044 -
\??\c:\bbtnhb.exec:\bbtnhb.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1684 -
\??\c:\llxfrrl.exec:\llxfrrl.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1072 -
\??\c:\tbhhhb.exec:\tbhhhb.exe17⤵
- Executes dropped EXE
PID:2956 -
\??\c:\nnnbtb.exec:\nnnbtb.exe18⤵
- Executes dropped EXE
PID:580 -
\??\c:\vpdpp.exec:\vpdpp.exe19⤵
- Executes dropped EXE
PID:1668 -
\??\c:\hhbhnt.exec:\hhbhnt.exe20⤵
- Executes dropped EXE
PID:2176 -
\??\c:\bhbtht.exec:\bhbtht.exe21⤵
- Executes dropped EXE
PID:448 -
\??\c:\rxrxrlf.exec:\rxrxrlf.exe22⤵
- Executes dropped EXE
PID:2596 -
\??\c:\nhtbbh.exec:\nhtbbh.exe23⤵
- Executes dropped EXE
PID:1324 -
\??\c:\ddppv.exec:\ddppv.exe24⤵
- Executes dropped EXE
PID:1040 -
\??\c:\7fflffr.exec:\7fflffr.exe25⤵
- Executes dropped EXE
PID:584 -
\??\c:\jdpdp.exec:\jdpdp.exe26⤵
- Executes dropped EXE
PID:1768 -
\??\c:\rlxfllx.exec:\rlxfllx.exe27⤵
- Executes dropped EXE
PID:1524 -
\??\c:\7vddj.exec:\7vddj.exe28⤵
- Executes dropped EXE
PID:2332 -
\??\c:\ffxflrl.exec:\ffxflrl.exe29⤵
- Executes dropped EXE
PID:3008 -
\??\c:\5bhthn.exec:\5bhthn.exe30⤵
- Executes dropped EXE
PID:2224 -
\??\c:\jpddp.exec:\jpddp.exe31⤵
- Executes dropped EXE
PID:620 -
\??\c:\5ttbnt.exec:\5ttbnt.exe32⤵
- Executes dropped EXE
PID:380 -
\??\c:\jddjv.exec:\jddjv.exe33⤵
- Executes dropped EXE
PID:1804 -
\??\c:\hhhnbh.exec:\hhhnbh.exe34⤵
- Executes dropped EXE
PID:2280 -
\??\c:\tbtnbn.exec:\tbtnbn.exe35⤵
- Executes dropped EXE
PID:2840 -
\??\c:\3ppvd.exec:\3ppvd.exe36⤵
- Executes dropped EXE
PID:2336 -
\??\c:\lfrrxfl.exec:\lfrrxfl.exe37⤵
- Executes dropped EXE
PID:1588 -
\??\c:\5nbhbb.exec:\5nbhbb.exe38⤵
- Executes dropped EXE
PID:2480 -
\??\c:\hbtbnn.exec:\hbtbnn.exe39⤵
- Executes dropped EXE
PID:2788 -
\??\c:\jjjpj.exec:\jjjpj.exe40⤵
- Executes dropped EXE
PID:2768 -
\??\c:\xrllrlr.exec:\xrllrlr.exe41⤵
- Executes dropped EXE
PID:2688 -
\??\c:\xrlxrrx.exec:\xrlxrrx.exe42⤵
- Executes dropped EXE
PID:2760 -
\??\c:\nnbnbh.exec:\nnbnbh.exe43⤵
- Executes dropped EXE
PID:2988 -
\??\c:\5vpjd.exec:\5vpjd.exe44⤵
- Executes dropped EXE
PID:2828 -
\??\c:\rlffrxr.exec:\rlffrxr.exe45⤵
- Executes dropped EXE
PID:2556 -
\??\c:\rxxxflr.exec:\rxxxflr.exe46⤵
- Executes dropped EXE
PID:2676 -
\??\c:\hnnnbt.exec:\hnnnbt.exe47⤵
- Executes dropped EXE
PID:2156 -
\??\c:\jddjv.exec:\jddjv.exe48⤵
- Executes dropped EXE
PID:540 -
\??\c:\xrllrxr.exec:\xrllrxr.exe49⤵
- Executes dropped EXE
PID:2312 -
\??\c:\fxllfrf.exec:\fxllfrf.exe50⤵
- Executes dropped EXE
PID:2016 -
\??\c:\bnnnhn.exec:\bnnnhn.exe51⤵
- Executes dropped EXE
PID:712 -
\??\c:\9pdjv.exec:\9pdjv.exe52⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1088 -
\??\c:\fxrxrxl.exec:\fxrxrxl.exe53⤵
- Executes dropped EXE
PID:2316 -
\??\c:\bthnbh.exec:\bthnbh.exe54⤵
- Executes dropped EXE
PID:992 -
\??\c:\9tthtt.exec:\9tthtt.exe55⤵
- Executes dropped EXE
PID:1932 -
\??\c:\djjpd.exec:\djjpd.exe56⤵
- Executes dropped EXE
PID:2836 -
\??\c:\rlxfrfl.exec:\rlxfrfl.exe57⤵
- Executes dropped EXE
PID:2204 -
\??\c:\rlfrrxr.exec:\rlfrrxr.exe58⤵
- Executes dropped EXE
PID:2132 -
\??\c:\hbbnbb.exec:\hbbnbb.exe59⤵
- Executes dropped EXE
PID:1668 -
\??\c:\vppvj.exec:\vppvj.exe60⤵
- Executes dropped EXE
PID:328 -
\??\c:\xllrxlx.exec:\xllrxlx.exe61⤵
- Executes dropped EXE
PID:2744 -
\??\c:\1nhnbh.exec:\1nhnbh.exe62⤵
- Executes dropped EXE
PID:2436 -
\??\c:\htnbnh.exec:\htnbnh.exe63⤵
- Executes dropped EXE
PID:1860 -
\??\c:\ppvjv.exec:\ppvjv.exe64⤵
- Executes dropped EXE
PID:1920 -
\??\c:\rlxflrf.exec:\rlxflrf.exe65⤵
- Executes dropped EXE
PID:1824 -
\??\c:\bbhhtb.exec:\bbhhtb.exe66⤵PID:1752
-
\??\c:\ttthnh.exec:\ttthnh.exe67⤵PID:1080
-
\??\c:\5ddpv.exec:\5ddpv.exe68⤵PID:2528
-
\??\c:\rrxfllf.exec:\rrxfllf.exe69⤵PID:1536
-
\??\c:\5rfxflr.exec:\5rfxflr.exe70⤵PID:3012
-
\??\c:\bbtbtb.exec:\bbtbtb.exe71⤵PID:2380
-
\??\c:\jdvdj.exec:\jdvdj.exe72⤵PID:2184
-
\??\c:\frrfrlx.exec:\frrfrlx.exe73⤵PID:2168
-
\??\c:\xxrfrfl.exec:\xxrfrfl.exe74⤵PID:2652
-
\??\c:\bhbnbn.exec:\bhbnbn.exe75⤵PID:380
-
\??\c:\ppjpj.exec:\ppjpj.exe76⤵PID:1984
-
\??\c:\3vdjp.exec:\3vdjp.exe77⤵PID:2456
-
\??\c:\fffrxrf.exec:\fffrxrf.exe78⤵PID:2352
-
\??\c:\bhntbb.exec:\bhntbb.exe79⤵PID:1592
-
\??\c:\hnhbhn.exec:\hnhbhn.exe80⤵PID:2880
-
\??\c:\vpjvp.exec:\vpjvp.exe81⤵PID:2684
-
\??\c:\xrfflrx.exec:\xrfflrx.exe82⤵PID:2480
-
\??\c:\lrxlflr.exec:\lrxlflr.exe83⤵PID:2708
-
\??\c:\1ntttb.exec:\1ntttb.exe84⤵PID:2660
-
\??\c:\vdvdv.exec:\vdvdv.exe85⤵PID:2564
-
\??\c:\5pjjv.exec:\5pjjv.exe86⤵PID:2748
-
\??\c:\xfxxlxl.exec:\xfxxlxl.exe87⤵PID:2672
-
\??\c:\bbbhnh.exec:\bbbhnh.exe88⤵PID:2720
-
\??\c:\hhthnt.exec:\hhthnt.exe89⤵PID:2508
-
\??\c:\dddvj.exec:\dddvj.exe90⤵PID:2260
-
\??\c:\3djdj.exec:\3djdj.exe91⤵PID:1604
-
\??\c:\fxxxflr.exec:\fxxxflr.exe92⤵PID:1112
-
\??\c:\hhtbnt.exec:\hhtbnt.exe93⤵PID:2524
-
\??\c:\jjpjd.exec:\jjpjd.exe94⤵PID:1180
-
\??\c:\vdddp.exec:\vdddp.exe95⤵PID:1192
-
\??\c:\rrllflf.exec:\rrllflf.exe96⤵PID:2036
-
\??\c:\bbbnhn.exec:\bbbnhn.exe97⤵PID:1684
-
\??\c:\hbtbnt.exec:\hbtbnt.exe98⤵PID:2316
-
\??\c:\jppvp.exec:\jppvp.exe99⤵PID:2872
-
\??\c:\rlfrxfx.exec:\rlfrxfx.exe100⤵PID:1932
-
\??\c:\3llfxrf.exec:\3llfxrf.exe101⤵PID:2212
-
\??\c:\9bnnbn.exec:\9bnnbn.exe102⤵PID:2204
-
\??\c:\7ppvj.exec:\7ppvj.exe103⤵PID:2132
-
\??\c:\flxlfxr.exec:\flxlfxr.exe104⤵PID:1668
-
\??\c:\fffrlfr.exec:\fffrlfr.exe105⤵PID:1044
-
\??\c:\bbbnbh.exec:\bbbnbh.exe106⤵PID:948
-
\??\c:\djdjd.exec:\djdjd.exe107⤵PID:828
-
\??\c:\jjvvv.exec:\jjvvv.exe108⤵PID:1704
-
\??\c:\lfrxffx.exec:\lfrxffx.exe109⤵PID:1716
-
\??\c:\7nbhth.exec:\7nbhth.exe110⤵PID:784
-
\??\c:\7jjvd.exec:\7jjvd.exe111⤵PID:1328
-
\??\c:\jdddp.exec:\jdddp.exe112⤵PID:2256
-
\??\c:\rrflflf.exec:\rrflflf.exe113⤵PID:1852
-
\??\c:\btnttb.exec:\btnttb.exe114⤵PID:2272
-
\??\c:\5nnhtb.exec:\5nnhtb.exe115⤵PID:2268
-
\??\c:\5jjjp.exec:\5jjjp.exe116⤵PID:3008
-
\??\c:\xfxflxf.exec:\xfxflxf.exe117⤵PID:872
-
\??\c:\bbtnhn.exec:\bbtnhn.exe118⤵PID:1664
-
\??\c:\hbtbnn.exec:\hbtbnn.exe119⤵PID:1748
-
\??\c:\djdjd.exec:\djdjd.exe120⤵PID:2952
-
\??\c:\lrrxrxl.exec:\lrrxrxl.exe121⤵PID:2960
-
\??\c:\5jvdp.exec:\5jvdp.exe122⤵PID:1288