Analysis
-
max time kernel
150s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
29/12/2024, 04:42
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
d7a136da2670cd89b0983ddb38196fb5f4c79cdcab36c1aab40552eab7835566.exe
Resource
win7-20240903-en
7 signatures
150 seconds
General
-
Target
d7a136da2670cd89b0983ddb38196fb5f4c79cdcab36c1aab40552eab7835566.exe
-
Size
456KB
-
MD5
24350ba08163567ec63cd309c58e589d
-
SHA1
e9152a58dce4d2c24ee3b28761c8f98063dc0be4
-
SHA256
d7a136da2670cd89b0983ddb38196fb5f4c79cdcab36c1aab40552eab7835566
-
SHA512
e32bcb23d953be145151ffd06c79908aa778af1416d5152605509dfec977af64da2040704d15688e5e9be2975376d02a66133594fb997232a7041a09bce75f8b
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeW:q7Tc2NYHUrAwfMp3CDW
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 51 IoCs
resource yara_rule behavioral1/memory/2672-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3000-22-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3068-20-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2684-46-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2292-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2884-52-0x0000000000230000-0x000000000025A000-memory.dmp family_blackmoon behavioral1/memory/2532-60-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2884-58-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2276-79-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2876-76-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2704-89-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2276-86-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2704-95-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2668-105-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/524-117-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1556-108-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2148-134-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2116-181-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2372-191-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2924-202-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1832-211-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/1832-216-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/1472-221-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2044-230-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1408-254-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2476-271-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2384-303-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2060-311-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2868-330-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2860-362-0x0000000001C70000-0x0000000001C9A000-memory.dmp family_blackmoon behavioral1/memory/2568-404-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1092-477-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1824-484-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/960-521-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2888-613-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/992-668-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1460-806-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2052-825-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2080-832-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2604-917-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/2712-932-0x00000000001C0000-0x00000000001EA000-memory.dmp family_blackmoon behavioral1/memory/2712-931-0x00000000001C0000-0x00000000001EA000-memory.dmp family_blackmoon 
behavioral1/memory/376-947-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2120-961-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2120-960-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/1720-968-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/1896-981-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2268-1005-0x0000000000230000-0x000000000025A000-memory.dmp family_blackmoon behavioral1/memory/2036-1028-0x00000000002C0000-0x00000000002EA000-memory.dmp family_blackmoon behavioral1/memory/340-1053-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2196-1341-0x0000000001C50000-0x0000000001C7A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 3068 9bnbhn.exe 3000 pdpvv.exe 2292 bthnnn.exe 2684 htnhbb.exe 2884 jvdjv.exe 2532 rlxxllx.exe 2876 hthhtn.exe 2276 1vppj.exe 2704 lxlrxxf.exe 2668 btbtbh.exe 1556 1rflllx.exe 524 thhthb.exe 1720 5vddd.exe 2148 9djdd.exe 1620 1pvjp.exe 1144 bbntbt.exe 2824 9fxflff.exe 2164 rflrrrf.exe 2116 7bnnhn.exe 2372 pdvvd.exe 2448 5rxrxxf.exe 2924 5frxxxx.exe 1832 dvvvv.exe 1472 rfrxxrf.exe 2044 vjddj.exe 1684 5rfrfxf.exe 1408 jdjjj.exe 2232 frrrrll.exe 2476 tthnbb.exe 2052 frfxxxl.exe 880 ffxxxfr.exe 2108 7frlxrf.exe 2384 3xrxlrl.exe 2060 vjdjv.exe 2244 jdjdv.exe 532 lllxllr.exe 3004 nnbhhn.exe 2868 bbttnh.exe 2720 djvpj.exe 2892 1frrrxr.exe 2420 lfllxrr.exe 2860 9hhbhh.exe 2728 9jjjp.exe 2596 lxrfrrf.exe 2656 lfxflrf.exe 2180 nbthbn.exe 676 5vjvj.exe 840 jpddj.exe 2568 lfrxfxl.exe 1484 rrllxxl.exe 1220 hbtbnt.exe 2340 jdvvp.exe 1896 3jdjd.exe 2212 fxlrflr.exe 2836 bnnntt.exe 2824 1dpvj.exe 2980 vpdpj.exe 2416 llfxffr.exe 1884 tnhnbb.exe 1092 9tntbh.exe 1824 pjjvd.exe 2924 rxrflrf.exe 1316 3xrrflx.exe 1120 tntthh.exe -
resource yara_rule behavioral1/memory/2672-0-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2672-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3000-22-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3068-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2884-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2684-46-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2292-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2532-60-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2884-58-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2276-79-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2876-76-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2704-89-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2276-86-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2704-95-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2668-105-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/524-117-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1556-108-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2148-134-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2116-181-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2372-183-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2372-191-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2924-202-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1832-211-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1472-221-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2044-230-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1408-246-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1408-254-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2476-271-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2108-289-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2384-303-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2060-304-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2060-311-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2868-330-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2892-343-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2728-363-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1896-425-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2836-440-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1092-477-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1824-484-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/960-521-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2888-613-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/992-668-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1608-783-0x0000000000530000-0x000000000055A000-memory.dmp upx behavioral1/memory/688-792-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1460-806-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/3068-852-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2740-890-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2604-909-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2712-924-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/376-939-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2120-961-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1896-981-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2036-1020-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2008-1060-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2108-1106-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2864-1133-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2588-1182-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/768-1207-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1308-1310-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1xxlrxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbthbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdpvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llrrrrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjvdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrllxxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrflxfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9vppv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
9dddj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1rflllx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9bnttb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhbhnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnhthn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvdpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlxxllx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frflxxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnntbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2672 wrote to memory of 3068 2672 d7a136da2670cd89b0983ddb38196fb5f4c79cdcab36c1aab40552eab7835566.exe 30 PID 2672 wrote to memory of 3068 2672 d7a136da2670cd89b0983ddb38196fb5f4c79cdcab36c1aab40552eab7835566.exe 30 PID 2672 wrote to memory of 3068 2672 d7a136da2670cd89b0983ddb38196fb5f4c79cdcab36c1aab40552eab7835566.exe 30 PID 2672 wrote to memory of 3068 2672 d7a136da2670cd89b0983ddb38196fb5f4c79cdcab36c1aab40552eab7835566.exe 30 PID 3068 wrote to memory of 3000 3068 9bnbhn.exe 31 PID 3068 wrote to memory of 3000 3068 9bnbhn.exe 31 PID 3068 wrote to memory of 3000 3068 9bnbhn.exe 31 PID 3068 wrote to memory of 3000 3068 9bnbhn.exe 31 PID 3000 wrote to memory of 2292 3000 pdpvv.exe 32 PID 3000 wrote to memory of 2292 3000 pdpvv.exe 32 PID 3000 wrote to memory of 2292 3000 pdpvv.exe 32 PID 3000 wrote to memory of 2292 3000 pdpvv.exe 32 PID 2292 wrote to memory of 2684 2292 bthnnn.exe 33 PID 2292 wrote to memory of 2684 2292 bthnnn.exe 33 PID 2292 wrote to memory of 2684 2292 bthnnn.exe 33 PID 2292 wrote to memory of 2684 2292 bthnnn.exe 33 PID 2684 wrote to memory of 2884 2684 htnhbb.exe 34 PID 2684 wrote to memory of 2884 2684 htnhbb.exe 34 PID 2684 wrote to memory of 2884 2684 htnhbb.exe 34 PID 2684 wrote to memory of 2884 2684 htnhbb.exe 34 PID 2884 wrote to memory of 2532 2884 jvdjv.exe 35 PID 2884 wrote to memory of 2532 2884 jvdjv.exe 35 PID 2884 wrote to memory of 2532 2884 jvdjv.exe 35 PID 2884 wrote to memory of 2532 2884 jvdjv.exe 35 PID 2532 wrote to memory of 2876 2532 rlxxllx.exe 36 PID 2532 wrote to memory of 2876 2532 rlxxllx.exe 36 PID 2532 wrote to memory of 2876 2532 rlxxllx.exe 36 PID 2532 wrote to memory of 2876 2532 rlxxllx.exe 36 PID 2876 wrote to memory of 2276 2876 hthhtn.exe 37 PID 2876 wrote to memory of 2276 2876 hthhtn.exe 37 PID 2876 wrote to memory of 2276 2876 hthhtn.exe 37 PID 2876 wrote to memory of 2276 2876 hthhtn.exe 37 PID 2276 wrote to memory of 2704 2276 1vppj.exe 38 PID 2276 wrote to 
memory of 2704 2276 1vppj.exe 38 PID 2276 wrote to memory of 2704 2276 1vppj.exe 38 PID 2276 wrote to memory of 2704 2276 1vppj.exe 38 PID 2704 wrote to memory of 2668 2704 lxlrxxf.exe 39 PID 2704 wrote to memory of 2668 2704 lxlrxxf.exe 39 PID 2704 wrote to memory of 2668 2704 lxlrxxf.exe 39 PID 2704 wrote to memory of 2668 2704 lxlrxxf.exe 39 PID 2668 wrote to memory of 1556 2668 btbtbh.exe 40 PID 2668 wrote to memory of 1556 2668 btbtbh.exe 40 PID 2668 wrote to memory of 1556 2668 btbtbh.exe 40 PID 2668 wrote to memory of 1556 2668 btbtbh.exe 40 PID 1556 wrote to memory of 524 1556 1rflllx.exe 41 PID 1556 wrote to memory of 524 1556 1rflllx.exe 41 PID 1556 wrote to memory of 524 1556 1rflllx.exe 41 PID 1556 wrote to memory of 524 1556 1rflllx.exe 41 PID 524 wrote to memory of 1720 524 thhthb.exe 42 PID 524 wrote to memory of 1720 524 thhthb.exe 42 PID 524 wrote to memory of 1720 524 thhthb.exe 42 PID 524 wrote to memory of 1720 524 thhthb.exe 42 PID 1720 wrote to memory of 2148 1720 5vddd.exe 43 PID 1720 wrote to memory of 2148 1720 5vddd.exe 43 PID 1720 wrote to memory of 2148 1720 5vddd.exe 43 PID 1720 wrote to memory of 2148 1720 5vddd.exe 43 PID 2148 wrote to memory of 1620 2148 9djdd.exe 44 PID 2148 wrote to memory of 1620 2148 9djdd.exe 44 PID 2148 wrote to memory of 1620 2148 9djdd.exe 44 PID 2148 wrote to memory of 1620 2148 9djdd.exe 44 PID 1620 wrote to memory of 1144 1620 1pvjp.exe 45 PID 1620 wrote to memory of 1144 1620 1pvjp.exe 45 PID 1620 wrote to memory of 1144 1620 1pvjp.exe 45 PID 1620 wrote to memory of 1144 1620 1pvjp.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\d7a136da2670cd89b0983ddb38196fb5f4c79cdcab36c1aab40552eab7835566.exe"C:\Users\Admin\AppData\Local\Temp\d7a136da2670cd89b0983ddb38196fb5f4c79cdcab36c1aab40552eab7835566.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2672 -
\??\c:\9bnbhn.exec:\9bnbhn.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3068 -
\??\c:\pdpvv.exec:\pdpvv.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3000 -
\??\c:\bthnnn.exec:\bthnnn.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2292 -
\??\c:\htnhbb.exec:\htnhbb.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2684 -
\??\c:\jvdjv.exec:\jvdjv.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2884 -
\??\c:\rlxxllx.exec:\rlxxllx.exe7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2532 -
\??\c:\hthhtn.exec:\hthhtn.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2876 -
\??\c:\1vppj.exec:\1vppj.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2276 -
\??\c:\lxlrxxf.exec:\lxlrxxf.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2704 -
\??\c:\btbtbh.exec:\btbtbh.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2668 -
\??\c:\1rflllx.exec:\1rflllx.exe12⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1556 -
\??\c:\thhthb.exec:\thhthb.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:524 -
\??\c:\5vddd.exec:\5vddd.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1720 -
\??\c:\9djdd.exec:\9djdd.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2148 -
\??\c:\1pvjp.exec:\1pvjp.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1620 -
\??\c:\bbntbt.exec:\bbntbt.exe17⤵
- Executes dropped EXE
PID:1144 -
\??\c:\9fxflff.exec:\9fxflff.exe18⤵
- Executes dropped EXE
PID:2824 -
\??\c:\rflrrrf.exec:\rflrrrf.exe19⤵
- Executes dropped EXE
PID:2164 -
\??\c:\7bnnhn.exec:\7bnnhn.exe20⤵
- Executes dropped EXE
PID:2116 -
\??\c:\pdvvd.exec:\pdvvd.exe21⤵
- Executes dropped EXE
PID:2372 -
\??\c:\5rxrxxf.exec:\5rxrxxf.exe22⤵
- Executes dropped EXE
PID:2448 -
\??\c:\5frxxxx.exec:\5frxxxx.exe23⤵
- Executes dropped EXE
PID:2924 -
\??\c:\dvvvv.exec:\dvvvv.exe24⤵
- Executes dropped EXE
PID:1832 -
\??\c:\rfrxxrf.exec:\rfrxxrf.exe25⤵
- Executes dropped EXE
PID:1472 -
\??\c:\vjddj.exec:\vjddj.exe26⤵
- Executes dropped EXE
PID:2044 -
\??\c:\5rfrfxf.exec:\5rfrfxf.exe27⤵
- Executes dropped EXE
PID:1684 -
\??\c:\jdjjj.exec:\jdjjj.exe28⤵
- Executes dropped EXE
PID:1408 -
\??\c:\frrrrll.exec:\frrrrll.exe29⤵
- Executes dropped EXE
PID:2232 -
\??\c:\tthnbb.exec:\tthnbb.exe30⤵
- Executes dropped EXE
PID:2476 -
\??\c:\frfxxxl.exec:\frfxxxl.exe31⤵
- Executes dropped EXE
PID:2052 -
\??\c:\ffxxxfr.exec:\ffxxxfr.exe32⤵
- Executes dropped EXE
PID:880 -
\??\c:\7frlxrf.exec:\7frlxrf.exe33⤵
- Executes dropped EXE
PID:2108 -
\??\c:\3xrxlrl.exec:\3xrxlrl.exe34⤵
- Executes dropped EXE
PID:2384 -
\??\c:\vjdjv.exec:\vjdjv.exe35⤵
- Executes dropped EXE
PID:2060 -
\??\c:\jdjdv.exec:\jdjdv.exe36⤵
- Executes dropped EXE
PID:2244 -
\??\c:\lllxllr.exec:\lllxllr.exe37⤵
- Executes dropped EXE
PID:532 -
\??\c:\nnbhhn.exec:\nnbhhn.exe38⤵
- Executes dropped EXE
PID:3004 -
\??\c:\bbttnh.exec:\bbttnh.exe39⤵
- Executes dropped EXE
PID:2868 -
\??\c:\djvpj.exec:\djvpj.exe40⤵
- Executes dropped EXE
PID:2720 -
\??\c:\1frrrxr.exec:\1frrrxr.exe41⤵
- Executes dropped EXE
PID:2892 -
\??\c:\lfllxrr.exec:\lfllxrr.exe42⤵
- Executes dropped EXE
PID:2420 -
\??\c:\9hhbhh.exec:\9hhbhh.exe43⤵
- Executes dropped EXE
PID:2860 -
\??\c:\9jjjp.exec:\9jjjp.exe44⤵
- Executes dropped EXE
PID:2728 -
\??\c:\lxrfrrf.exec:\lxrfrrf.exe45⤵
- Executes dropped EXE
PID:2596 -
\??\c:\lfxflrf.exec:\lfxflrf.exe46⤵
- Executes dropped EXE
PID:2656 -
\??\c:\nbthbn.exec:\nbthbn.exe47⤵
- Executes dropped EXE
PID:2180 -
\??\c:\5vjvj.exec:\5vjvj.exe48⤵
- Executes dropped EXE
PID:676 -
\??\c:\jpddj.exec:\jpddj.exe49⤵
- Executes dropped EXE
PID:840 -
\??\c:\lfrxfxl.exec:\lfrxfxl.exe50⤵
- Executes dropped EXE
PID:2568 -
\??\c:\rrllxxl.exec:\rrllxxl.exe51⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1484 -
\??\c:\hbtbnt.exec:\hbtbnt.exe52⤵
- Executes dropped EXE
PID:1220 -
\??\c:\jdvvp.exec:\jdvvp.exe53⤵
- Executes dropped EXE
PID:2340 -
\??\c:\3jdjd.exec:\3jdjd.exe54⤵
- Executes dropped EXE
PID:1896 -
\??\c:\fxlrflr.exec:\fxlrflr.exe55⤵
- Executes dropped EXE
PID:2212 -
\??\c:\bnnntt.exec:\bnnntt.exe56⤵
- Executes dropped EXE
PID:2836 -
\??\c:\1dpvj.exec:\1dpvj.exe57⤵
- Executes dropped EXE
PID:2824 -
\??\c:\vpdpj.exec:\vpdpj.exe58⤵
- Executes dropped EXE
PID:2980 -
\??\c:\llfxffr.exec:\llfxffr.exe59⤵
- Executes dropped EXE
PID:2416 -
\??\c:\tnhnbb.exec:\tnhnbb.exe60⤵
- Executes dropped EXE
PID:1884 -
\??\c:\9tntbh.exec:\9tntbh.exe61⤵
- Executes dropped EXE
PID:1092 -
\??\c:\pjjvd.exec:\pjjvd.exe62⤵
- Executes dropped EXE
PID:1824 -
\??\c:\rxrflrf.exec:\rxrflrf.exe63⤵
- Executes dropped EXE
PID:2924 -
\??\c:\3xrrflx.exec:\3xrrflx.exe64⤵
- Executes dropped EXE
PID:1316 -
\??\c:\tntthh.exec:\tntthh.exe65⤵
- Executes dropped EXE
PID:1120 -
\??\c:\jpjvv.exec:\jpjvv.exe66⤵PID:1696
-
\??\c:\7jdjp.exec:\7jdjp.exe67⤵PID:1200
-
\??\c:\lrflxfl.exec:\lrflxfl.exe68⤵
- System Location Discovery: System Language Discovery
PID:960 -
\??\c:\hhtbht.exec:\hhtbht.exe69⤵PID:696
-
\??\c:\nhbhnt.exec:\nhbhnt.exe70⤵
- System Location Discovery: System Language Discovery
PID:2100 -
\??\c:\dvvdj.exec:\dvvdj.exe71⤵PID:2092
-
\??\c:\xllrxxf.exec:\xllrxxf.exe72⤵PID:2312
-
\??\c:\hbtbnt.exec:\hbtbnt.exe73⤵PID:2356
-
\??\c:\bttntt.exec:\bttntt.exe74⤵PID:2548
-
\??\c:\vpjpd.exec:\vpjpd.exe75⤵PID:1940
-
\??\c:\ffxxffl.exec:\ffxxffl.exe76⤵PID:2304
-
\??\c:\1lfflrr.exec:\1lfflrr.exe77⤵PID:1704
-
\??\c:\7hbbnn.exec:\7hbbnn.exe78⤵PID:2172
-
\??\c:\dvvvp.exec:\dvvvp.exe79⤵PID:2060
-
\??\c:\vvdpd.exec:\vvdpd.exe80⤵PID:1912
-
\??\c:\xlxxflx.exec:\xlxxflx.exe81⤵PID:2252
-
\??\c:\ttthtb.exec:\ttthtb.exe82⤵PID:2264
-
\??\c:\bhnnth.exec:\bhnnth.exe83⤵PID:2888
-
\??\c:\3pdjp.exec:\3pdjp.exe84⤵PID:2744
-
\??\c:\1xlllxf.exec:\1xlllxf.exe85⤵PID:2912
-
\??\c:\xrflflf.exec:\xrflflf.exe86⤵PID:2628
-
\??\c:\tnhnbh.exec:\tnhnbh.exe87⤵PID:2528
-
\??\c:\vpjvd.exec:\vpjvd.exe88⤵PID:2616
-
\??\c:\pjddj.exec:\pjddj.exe89⤵PID:2640
-
\??\c:\rlffxfx.exec:\rlffxfx.exe90⤵PID:2636
-
\??\c:\bbtbbn.exec:\bbtbbn.exe91⤵PID:2152
-
\??\c:\9dvvj.exec:\9dvvj.exe92⤵PID:992
-
\??\c:\9lxxfrf.exec:\9lxxfrf.exe93⤵PID:860
-
\??\c:\lfxxllx.exec:\lfxxllx.exe94⤵PID:2120
-
\??\c:\7ttttt.exec:\7ttttt.exe95⤵PID:2332
-
\??\c:\jdppv.exec:\jdppv.exe96⤵PID:2128
-
\??\c:\5pddd.exec:\5pddd.exe97⤵PID:288
-
\??\c:\lffrfll.exec:\lffrfll.exe98⤵PID:1944
-
\??\c:\nhbnbb.exec:\nhbnbb.exe99⤵PID:2788
-
\??\c:\tbnthn.exec:\tbnthn.exe100⤵PID:380
-
\??\c:\pdvvj.exec:\pdvvj.exe101⤵PID:2160
-
\??\c:\3vvvd.exec:\3vvvd.exe102⤵PID:2948
-
\??\c:\3flrflf.exec:\3flrflf.exe103⤵PID:2688
-
\??\c:\hhhtnh.exec:\hhhtnh.exe104⤵PID:1392
-
\??\c:\dvpvp.exec:\dvpvp.exe105⤵PID:2784
-
\??\c:\jdpvv.exec:\jdpvv.exe106⤵
- System Location Discovery: System Language Discovery
PID:1984 -
\??\c:\fxlrxff.exec:\fxlrxff.exe107⤵PID:1532
-
\??\c:\1ntbht.exec:\1ntbht.exe108⤵PID:1208
-
\??\c:\5bnthn.exec:\5bnthn.exe109⤵PID:340
-
\??\c:\pdvdj.exec:\pdvdj.exe110⤵PID:912
-
\??\c:\ddvvv.exec:\ddvvv.exe111⤵PID:1608
-
\??\c:\frfxllr.exec:\frfxllr.exe112⤵PID:1584
-
\??\c:\btbtbb.exec:\btbtbb.exe113⤵PID:688
-
\??\c:\jvpdp.exec:\jvpdp.exe114⤵PID:1460
-
\??\c:\3jppv.exec:\3jppv.exe115⤵PID:892
-
\??\c:\ffrflrf.exec:\ffrflrf.exe116⤵PID:2476
-
\??\c:\tnhtbh.exec:\tnhtbh.exe117⤵PID:2052
-
\??\c:\tnnnbt.exec:\tnnnbt.exe118⤵PID:2080
-
\??\c:\pjpvj.exec:\pjpvj.exe119⤵PID:2672
-
\??\c:\9lxrrxr.exec:\9lxrrxr.exe120⤵PID:1520
-
\??\c:\7nbbhb.exec:\7nbbhb.exe121⤵PID:1664
-
\??\c:\1jdjj.exec:\1jdjj.exe122⤵PID:3068