Analysis
-
max time kernel
150s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
28/12/2024, 20:26
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
1d699ebb75c597832197158d3aac4227919bfdbc84a603d3e5c2903723d24191.exe
Resource
win7-20240903-en
7 signatures
150 seconds
General
-
Target
1d699ebb75c597832197158d3aac4227919bfdbc84a603d3e5c2903723d24191.exe
-
Size
454KB
-
MD5
873ed953b77349630cabbfc03dc01e30
-
SHA1
94771f7a2cd63462f1c1433ac99be6c86f381933
-
SHA256
1d699ebb75c597832197158d3aac4227919bfdbc84a603d3e5c2903723d24191
-
SHA512
b61816461d63ccfdb1c0ad64af29f7ce8dbc3f6f72e3c3b8433f1621fd9a176c9308d4a40657deb18e3d88aa1cb5e1c1c05511298513ca0d0558e590f8c41a03
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbea:q7Tc2NYHUrAwfMp3CDa
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 46 IoCs
resource  yara_rule
behavioral1/memory/2348-7-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/2376-18-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/1984-29-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/3012-31-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/3012-38-0x0000000000220000-0x000000000024A000-memory.dmp  family_blackmoon
behavioral1/memory/2760-49-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/2948-70-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/2836-66-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/2732-84-0x0000000000220000-0x000000000024A000-memory.dmp  family_blackmoon
behavioral1/memory/2732-86-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/2600-96-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/2828-106-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/2652-115-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/3040-125-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/1640-142-0x0000000000220000-0x000000000024A000-memory.dmp  family_blackmoon
behavioral1/memory/3004-184-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/1312-181-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/2216-199-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/2264-207-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/584-218-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/1140-226-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/960-239-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/640-235-0x00000000003C0000-0x00000000003EA000-memory.dmp  family_blackmoon
behavioral1/memory/1596-254-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/1320-264-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/3008-313-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/1752-314-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/1056-333-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/2836-353-0x0000000000220000-0x000000000024A000-memory.dmp  family_blackmoon
behavioral1/memory/2588-379-0x00000000003A0000-0x00000000003CA000-memory.dmp  family_blackmoon
behavioral1/memory/3040-405-0x00000000001B0000-0x00000000001DA000-memory.dmp  family_blackmoon
behavioral1/memory/3040-404-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/1960-415-0x00000000001B0000-0x00000000001DA000-memory.dmp  family_blackmoon
behavioral1/memory/1960-419-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/1640-427-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/1168-446-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/2868-460-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/2380-555-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/2772-607-0x0000000000220000-0x000000000024A000-memory.dmp  family_blackmoon
behavioral1/memory/2748-626-0x0000000000220000-0x000000000024A000-memory.dmp  family_blackmoon
behavioral1/memory/3028-678-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/2412-797-0x0000000000530000-0x000000000055A000-memory.dmp  family_blackmoon
behavioral1/memory/2760-871-0x00000000001B0000-0x00000000001DA000-memory.dmp  family_blackmoon
behavioral1/memory/1388-962-0x0000000000230000-0x000000000025A000-memory.dmp  family_blackmoon
behavioral1/memory/2416-1041-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/2668-1143-0x00000000001B0000-0x00000000001DA000-memory.dmp  family_blackmoon
-
Executes dropped EXE 64 IoCs
pid  Process
2376  jjddp.exe
1984  fxrrffl.exe
3012  9nbbbh.exe
2760  pjjpv.exe
824  pjvjp.exe
2836  xxrrxfl.exe
2948  pjvvd.exe
2732  9vjjp.exe
2600  fxllllr.exe
2828  7tnntb.exe
2652  7llrffr.exe
3040  xrffflf.exe
2644  nhnntb.exe
1640  1jvdd.exe
2808  tthnnn.exe
2564  dvvvp.exe
1164  rxlxrlf.exe
1312  7dvpp.exe
3004  frxllfx.exe
2216  ffrrllr.exe
2264  bbntbh.exe
584  lrxflxr.exe
1140  btttbb.exe
640  vpjvd.exe
960  rlxxflx.exe
1596  bntttt.exe
1320  jdpjp.exe
764  lfxflfr.exe
1624  vjddd.exe
2108  tbtbhn.exe
1916  pvvvp.exe
1580  lfxflrf.exe
3008  htnhnn.exe
1752  7jdjp.exe
2668  vjjdj.exe
1056  xlflrxf.exe
2720  hbtnbb.exe
2404  btnbnn.exe
2836  ddvpv.exe
2612  5lxlrll.exe
2852  btnthn.exe
2304  tnhtbb.exe
2588  pjvpp.exe
1716  xxxfrxl.exe
2628  7lrxllx.exe
1212  nhbtbh.exe
3040  jjjdj.exe
1644  pdvdp.exe
1960  fxrrlrf.exe
1640  nhbhtt.exe
2808  pjjvd.exe
2564  ppvvj.exe
1168  llflrrx.exe
2528  lxlxxrx.exe
2868  hbbhnt.exe
1484  pjddj.exe
2268  ppppd.exe
2200  1rffllr.exe
1860  nnhntt.exe
328  1hnnnb.exe
448  9pjdd.exe
776  1vpjj.exe
352  lfxxflr.exe
1832  bttbnh.exe
-
resource  yara_rule
behavioral1/memory/2376-9-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2348-7-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2376-18-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/1984-29-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/3012-31-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2760-49-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2948-70-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2836-66-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2732-86-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2600-96-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2828-106-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2652-115-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/3040-125-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/1312-170-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/3004-184-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/1312-181-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2216-199-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2264-207-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/584-218-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/1140-226-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/960-239-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/1596-254-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/1320-264-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/3008-313-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/1752-314-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/1056-333-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2720-340-0x0000000000220000-0x000000000024A000-memory.dmp  upx
behavioral1/memory/2836-353-0x0000000000220000-0x000000000024A000-memory.dmp  upx
behavioral1/memory/3040-404-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/1960-415-0x00000000001B0000-0x00000000001DA000-memory.dmp  upx
behavioral1/memory/1960-419-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/1640-420-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/1640-427-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2528-447-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/1168-446-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2868-460-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/328-485-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2380-555-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2368-556-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/1580-569-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/3032-645-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/868-658-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/3028-678-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/1996-758-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/1504-767-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2140-784-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2760-864-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2584-896-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2416-1041-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2588-1168-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2652-1175-0x0000000000400000-0x000000000042A000-memory.dmp  upx
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc  Process
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  bbbhtt.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  7bhnnh.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  7pjvj.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  1d699ebb75c597832197158d3aac4227919bfdbc84a603d3e5c2903723d24191.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  pjvvd.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  nbttbb.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  frfxxxr.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  hhhnnt.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  fxllxrx.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
-
Suspicious use of WriteProcessMemory 64 IoCs
description  pid  Process  procid_target
PID 2348 wrote to memory of 2376  2348  1d699ebb75c597832197158d3aac4227919bfdbc84a603d3e5c2903723d24191.exe  30
PID 2348 wrote to memory of 2376  2348  1d699ebb75c597832197158d3aac4227919bfdbc84a603d3e5c2903723d24191.exe  30
PID 2348 wrote to memory of 2376  2348  1d699ebb75c597832197158d3aac4227919bfdbc84a603d3e5c2903723d24191.exe  30
PID 2348 wrote to memory of 2376  2348  1d699ebb75c597832197158d3aac4227919bfdbc84a603d3e5c2903723d24191.exe  30
PID 2376 wrote to memory of 1984  2376  jjddp.exe  31
PID 2376 wrote to memory of 1984  2376  jjddp.exe  31
PID 2376 wrote to memory of 1984  2376  jjddp.exe  31
PID 2376 wrote to memory of 1984  2376  jjddp.exe  31
PID 1984 wrote to memory of 3012  1984  fxrrffl.exe  32
PID 1984 wrote to memory of 3012  1984  fxrrffl.exe  32
PID 1984 wrote to memory of 3012  1984  fxrrffl.exe  32
PID 1984 wrote to memory of 3012  1984  fxrrffl.exe  32
PID 3012 wrote to memory of 2760  3012  9nbbbh.exe  33
PID 3012 wrote to memory of 2760  3012  9nbbbh.exe  33
PID 3012 wrote to memory of 2760  3012  9nbbbh.exe  33
PID 3012 wrote to memory of 2760  3012  9nbbbh.exe  33
PID 2760 wrote to memory of 824  2760  pjjpv.exe  34
PID 2760 wrote to memory of 824  2760  pjjpv.exe  34
PID 2760 wrote to memory of 824  2760  pjjpv.exe  34
PID 2760 wrote to memory of 824  2760  pjjpv.exe  34
PID 824 wrote to memory of 2836  824  pjvjp.exe  35
PID 824 wrote to memory of 2836  824  pjvjp.exe  35
PID 824 wrote to memory of 2836  824  pjvjp.exe  35
PID 824 wrote to memory of 2836  824  pjvjp.exe  35
PID 2836 wrote to memory of 2948  2836  xxrrxfl.exe  36
PID 2836 wrote to memory of 2948  2836  xxrrxfl.exe  36
PID 2836 wrote to memory of 2948  2836  xxrrxfl.exe  36
PID 2836 wrote to memory of 2948  2836  xxrrxfl.exe  36
PID 2948 wrote to memory of 2732  2948  pjvvd.exe  37
PID 2948 wrote to memory of 2732  2948  pjvvd.exe  37
PID 2948 wrote to memory of 2732  2948  pjvvd.exe  37
PID 2948 wrote to memory of 2732  2948  pjvvd.exe  37
PID 2732 wrote to memory of 2600  2732  9vjjp.exe  38
PID 2732 wrote to memory of 2600  2732  9vjjp.exe  38
PID 2732 wrote to memory of 2600  2732  9vjjp.exe  38
PID 2732 wrote to memory of 2600  2732  9vjjp.exe  38
PID 2600 wrote to memory of 2828  2600  fxllllr.exe  39
PID 2600 wrote to memory of 2828  2600  fxllllr.exe  39
PID 2600 wrote to memory of 2828  2600  fxllllr.exe  39
PID 2600 wrote to memory of 2828  2600  fxllllr.exe  39
PID 2828 wrote to memory of 2652  2828  7tnntb.exe  40
PID 2828 wrote to memory of 2652  2828  7tnntb.exe  40
PID 2828 wrote to memory of 2652  2828  7tnntb.exe  40
PID 2828 wrote to memory of 2652  2828  7tnntb.exe  40
PID 2652 wrote to memory of 3040  2652  7llrffr.exe  41
PID 2652 wrote to memory of 3040  2652  7llrffr.exe  41
PID 2652 wrote to memory of 3040  2652  7llrffr.exe  41
PID 2652 wrote to memory of 3040  2652  7llrffr.exe  41
PID 3040 wrote to memory of 2644  3040  xrffflf.exe  42
PID 3040 wrote to memory of 2644  3040  xrffflf.exe  42
PID 3040 wrote to memory of 2644  3040  xrffflf.exe  42
PID 3040 wrote to memory of 2644  3040  xrffflf.exe  42
PID 2644 wrote to memory of 1640  2644  nhnntb.exe  43
PID 2644 wrote to memory of 1640  2644  nhnntb.exe  43
PID 2644 wrote to memory of 1640  2644  nhnntb.exe  43
PID 2644 wrote to memory of 1640  2644  nhnntb.exe  43
PID 1640 wrote to memory of 2808  1640  1jvdd.exe  44
PID 1640 wrote to memory of 2808  1640  1jvdd.exe  44
PID 1640 wrote to memory of 2808  1640  1jvdd.exe  44
PID 1640 wrote to memory of 2808  1640  1jvdd.exe  44
PID 2808 wrote to memory of 2564  2808  tthnnn.exe  45
PID 2808 wrote to memory of 2564  2808  tthnnn.exe  45
PID 2808 wrote to memory of 2564  2808  tthnnn.exe  45
PID 2808 wrote to memory of 2564  2808  tthnnn.exe  45
Processes
-
C:\Users\Admin\AppData\Local\Temp\1d699ebb75c597832197158d3aac4227919bfdbc84a603d3e5c2903723d24191.exe"C:\Users\Admin\AppData\Local\Temp\1d699ebb75c597832197158d3aac4227919bfdbc84a603d3e5c2903723d24191.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2348 -
\??\c:\jjddp.exec:\jjddp.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2376 -
\??\c:\fxrrffl.exec:\fxrrffl.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1984 -
\??\c:\9nbbbh.exec:\9nbbbh.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3012 -
\??\c:\pjjpv.exec:\pjjpv.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2760 -
\??\c:\pjvjp.exec:\pjvjp.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:824 -
\??\c:\xxrrxfl.exec:\xxrrxfl.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2836 -
\??\c:\pjvvd.exec:\pjvvd.exe8⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2948 -
\??\c:\9vjjp.exec:\9vjjp.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2732 -
\??\c:\fxllllr.exec:\fxllllr.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2600 -
\??\c:\7tnntb.exec:\7tnntb.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2828 -
\??\c:\7llrffr.exec:\7llrffr.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2652 -
\??\c:\xrffflf.exec:\xrffflf.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3040 -
\??\c:\nhnntb.exec:\nhnntb.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2644 -
\??\c:\1jvdd.exec:\1jvdd.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1640 -
\??\c:\tthnnn.exec:\tthnnn.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2808 -
\??\c:\dvvvp.exec:\dvvvp.exe17⤵
- Executes dropped EXE
PID:2564 -
\??\c:\rxlxrlf.exec:\rxlxrlf.exe18⤵
- Executes dropped EXE
PID:1164 -
\??\c:\7dvpp.exec:\7dvpp.exe19⤵
- Executes dropped EXE
PID:1312 -
\??\c:\frxllfx.exec:\frxllfx.exe20⤵
- Executes dropped EXE
PID:3004 -
\??\c:\ffrrllr.exec:\ffrrllr.exe21⤵
- Executes dropped EXE
PID:2216 -
\??\c:\bbntbh.exec:\bbntbh.exe22⤵
- Executes dropped EXE
PID:2264 -
\??\c:\lrxflxr.exec:\lrxflxr.exe23⤵
- Executes dropped EXE
PID:584 -
\??\c:\btttbb.exec:\btttbb.exe24⤵
- Executes dropped EXE
PID:1140 -
\??\c:\vpjvd.exec:\vpjvd.exe25⤵
- Executes dropped EXE
PID:640 -
\??\c:\rlxxflx.exec:\rlxxflx.exe26⤵
- Executes dropped EXE
PID:960 -
\??\c:\bntttt.exec:\bntttt.exe27⤵
- Executes dropped EXE
PID:1596 -
\??\c:\jdpjp.exec:\jdpjp.exe28⤵
- Executes dropped EXE
PID:1320 -
\??\c:\lfxflfr.exec:\lfxflfr.exe29⤵
- Executes dropped EXE
PID:764 -
\??\c:\vjddd.exec:\vjddd.exe30⤵
- Executes dropped EXE
PID:1624 -
\??\c:\tbtbhn.exec:\tbtbhn.exe31⤵
- Executes dropped EXE
PID:2108 -
\??\c:\pvvvp.exec:\pvvvp.exe32⤵
- Executes dropped EXE
PID:1916 -
\??\c:\lfxflrf.exec:\lfxflrf.exe33⤵
- Executes dropped EXE
PID:1580 -
\??\c:\htnhnn.exec:\htnhnn.exe34⤵
- Executes dropped EXE
PID:3008 -
\??\c:\7jdjp.exec:\7jdjp.exe35⤵
- Executes dropped EXE
PID:1752 -
\??\c:\vjjdj.exec:\vjjdj.exe36⤵
- Executes dropped EXE
PID:2668 -
\??\c:\xlflrxf.exec:\xlflrxf.exe37⤵
- Executes dropped EXE
PID:1056 -
\??\c:\hbtnbb.exec:\hbtnbb.exe38⤵
- Executes dropped EXE
PID:2720 -
\??\c:\btnbnn.exec:\btnbnn.exe39⤵
- Executes dropped EXE
PID:2404 -
\??\c:\ddvpv.exec:\ddvpv.exe40⤵
- Executes dropped EXE
PID:2836 -
\??\c:\5lxlrll.exec:\5lxlrll.exe41⤵
- Executes dropped EXE
PID:2612 -
\??\c:\btnthn.exec:\btnthn.exe42⤵
- Executes dropped EXE
PID:2852 -
\??\c:\tnhtbb.exec:\tnhtbb.exe43⤵
- Executes dropped EXE
PID:2304 -
\??\c:\pjvpp.exec:\pjvpp.exe44⤵
- Executes dropped EXE
PID:2588 -
\??\c:\xxxfrxl.exec:\xxxfrxl.exe45⤵
- Executes dropped EXE
PID:1716 -
\??\c:\7lrxllx.exec:\7lrxllx.exe46⤵
- Executes dropped EXE
PID:2628 -
\??\c:\nhbtbh.exec:\nhbtbh.exe47⤵
- Executes dropped EXE
PID:1212 -
\??\c:\jjjdj.exec:\jjjdj.exe48⤵
- Executes dropped EXE
PID:3040 -
\??\c:\pdvdp.exec:\pdvdp.exe49⤵
- Executes dropped EXE
PID:1644 -
\??\c:\fxrrlrf.exec:\fxrrlrf.exe50⤵
- Executes dropped EXE
PID:1960 -
\??\c:\nhbhtt.exec:\nhbhtt.exe51⤵
- Executes dropped EXE
PID:1640 -
\??\c:\pjjvd.exec:\pjjvd.exe52⤵
- Executes dropped EXE
PID:2808 -
\??\c:\ppvvj.exec:\ppvvj.exe53⤵
- Executes dropped EXE
PID:2564 -
\??\c:\llflrrx.exec:\llflrrx.exe54⤵
- Executes dropped EXE
PID:1168 -
\??\c:\lxlxxrx.exec:\lxlxxrx.exe55⤵
- Executes dropped EXE
PID:2528 -
\??\c:\hbbhnt.exec:\hbbhnt.exe56⤵
- Executes dropped EXE
PID:2868 -
\??\c:\pjddj.exec:\pjddj.exe57⤵
- Executes dropped EXE
PID:1484 -
\??\c:\ppppd.exec:\ppppd.exe58⤵
- Executes dropped EXE
PID:2268 -
\??\c:\1rffllr.exec:\1rffllr.exe59⤵
- Executes dropped EXE
PID:2200 -
\??\c:\nnhntt.exec:\nnhntt.exe60⤵
- Executes dropped EXE
PID:1860 -
\??\c:\1hnnnb.exec:\1hnnnb.exe61⤵
- Executes dropped EXE
PID:328 -
\??\c:\9pjdd.exec:\9pjdd.exe62⤵
- Executes dropped EXE
PID:448 -
\??\c:\1vpjj.exec:\1vpjj.exe63⤵
- Executes dropped EXE
PID:776 -
\??\c:\lfxxflr.exec:\lfxxflr.exe64⤵
- Executes dropped EXE
PID:352 -
\??\c:\bttbnh.exec:\bttbnh.exe65⤵
- Executes dropped EXE
PID:1832 -
\??\c:\vjvdv.exec:\vjvdv.exe66⤵PID:1776
-
\??\c:\3pjpv.exec:\3pjpv.exe67⤵PID:2412
-
\??\c:\ffrffll.exec:\ffrffll.exe68⤵PID:760
-
\??\c:\thttbb.exec:\thttbb.exe69⤵PID:2452
-
\??\c:\9bnthn.exec:\9bnthn.exe70⤵PID:1508
-
\??\c:\pjddp.exec:\pjddp.exe71⤵PID:552
-
\??\c:\9flfrrr.exec:\9flfrrr.exe72⤵PID:2380
-
\??\c:\xxlllll.exec:\xxlllll.exe73⤵PID:2368
-
\??\c:\9ntttb.exec:\9ntttb.exe74⤵PID:1608
-
\??\c:\pjjpv.exec:\pjjpv.exe75⤵PID:1580
-
\??\c:\7pjpv.exec:\7pjpv.exe76⤵PID:2148
-
\??\c:\xrrlxfl.exec:\xrrlxfl.exe77⤵PID:2992
-
\??\c:\5thhnn.exec:\5thhnn.exe78⤵PID:3012
-
\??\c:\nnhbbh.exec:\nnhbbh.exe79⤵PID:2760
-
\??\c:\jjvvj.exec:\jjvvj.exe80⤵PID:2772
-
\??\c:\pjvvd.exec:\pjvvd.exe81⤵PID:2696
-
\??\c:\ffrrfxl.exec:\ffrrfxl.exe82⤵PID:2844
-
\??\c:\3nhnth.exec:\3nhnth.exe83⤵PID:2748
-
\??\c:\5djpp.exec:\5djpp.exe84⤵PID:1592
-
\??\c:\xfxxflr.exec:\xfxxflr.exe85⤵PID:2916
-
\??\c:\9lfffxl.exec:\9lfffxl.exe86⤵PID:2624
-
\??\c:\hhbtbb.exec:\hhbtbb.exe87⤵PID:3032
-
\??\c:\3dpjj.exec:\3dpjj.exe88⤵PID:2324
-
\??\c:\5xrrrxf.exec:\5xrrrxf.exe89⤵PID:868
-
\??\c:\fxllrrx.exec:\fxllrrx.exe90⤵PID:580
-
\??\c:\tbnthh.exec:\tbnthh.exe91⤵PID:3028
-
\??\c:\pjpjp.exec:\pjpjp.exe92⤵PID:888
-
\??\c:\xxrxxfl.exec:\xxrxxfl.exe93⤵PID:756
-
\??\c:\flllffr.exec:\flllffr.exe94⤵PID:1220
-
\??\c:\nnnbnt.exec:\nnnbnt.exe95⤵PID:2080
-
\??\c:\dvvvd.exec:\dvvvd.exe96⤵PID:1164
-
\??\c:\dpjpp.exec:\dpjpp.exe97⤵PID:2900
-
\??\c:\fxrfrxx.exec:\fxrfrxx.exe98⤵PID:2232
-
\??\c:\xxrxflx.exec:\xxrxflx.exe99⤵PID:2372
-
\??\c:\bbbhtt.exec:\bbbhtt.exe100⤵
- System Location Discovery: System Language Discovery
PID:1808 -
\??\c:\ddddp.exec:\ddddp.exe101⤵PID:2088
-
\??\c:\7jjvv.exec:\7jjvv.exe102⤵PID:2264
-
\??\c:\xxllrrr.exec:\xxllrrr.exe103⤵PID:1504
-
\??\c:\nnhhnh.exec:\nnhhnh.exe104⤵PID:408
-
\??\c:\bthtnn.exec:\bthtnn.exe105⤵PID:1996
-
\??\c:\dpjpv.exec:\dpjpv.exe106⤵PID:640
-
\??\c:\3rfflrf.exec:\3rfflrf.exe107⤵PID:2040
-
\??\c:\rlllxxr.exec:\rlllxxr.exe108⤵PID:1324
-
\??\c:\ttnnbb.exec:\ttnnbb.exe109⤵PID:2140
-
\??\c:\7pjpp.exec:\7pjpp.exe110⤵PID:2412
-
\??\c:\9vpvd.exec:\9vpvd.exe111⤵PID:764
-
\??\c:\9rlflrx.exec:\9rlflrx.exe112⤵PID:1512
-
\??\c:\5xxfxfr.exec:\5xxfxfr.exe113⤵PID:1508
-
\??\c:\9thhnt.exec:\9thhnt.exe114⤵PID:2072
-
\??\c:\ddppv.exec:\ddppv.exe115⤵PID:1724
-
\??\c:\rfrxxxf.exec:\rfrxxxf.exe116⤵PID:1932
-
\??\c:\1lffrxl.exec:\1lffrxl.exe117⤵PID:1608
-
\??\c:\7nhhnn.exec:\7nhhnn.exe118⤵PID:1580
-
\??\c:\7dppv.exec:\7dppv.exe119⤵PID:2520
-
\??\c:\xlrlfxf.exec:\xlrlfxf.exe120⤵PID:2992
-
\??\c:\lfxfrxl.exec:\lfxfrxl.exe121⤵PID:1056
-
\??\c:\7thnnn.exec:\7thnnn.exe122⤵PID:2760