Analysis
-
max time kernel
150s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
08/01/2025, 05:06
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
9ac8ec84bf0512a3e8afe82315d8c65977604c1fc873dd46b4fcc0bc97ad1f85.exe
Resource
win7-20240903-en
7 signatures
150 seconds
General
-
Target
9ac8ec84bf0512a3e8afe82315d8c65977604c1fc873dd46b4fcc0bc97ad1f85.exe
-
Size
454KB
-
MD5
0d9208739f24bbddee36bedc4e9dca9c
-
SHA1
7cd4f54060fbca47a9494d8ae5ce1a6767877f23
-
SHA256
9ac8ec84bf0512a3e8afe82315d8c65977604c1fc873dd46b4fcc0bc97ad1f85
-
SHA512
4c1d30dfa91456b85087c4e64b6a9dabcd1a1b7a15553dec5337594b1f4cf97fd36a5b6d69063a3ea450b2035497a4c755d89fe8966b2205eae581c2e3510ca1
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeS:q7Tc2NYHUrAwfMp3CDS
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 43 IoCs
resource yara_rule behavioral1/memory/3000-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2420-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3008-31-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2220-27-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2304-45-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2936-67-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2756-58-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2904-55-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/2636-92-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2204-121-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/552-120-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2952-149-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2812-147-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2016-158-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2020-169-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2604-179-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1728-194-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2984-204-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1352-213-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3040-232-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2460-249-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/780-258-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/308-275-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2000-284-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2000-285-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3068-304-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2764-342-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2152-349-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2652-368-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2636-375-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2592-388-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/800-401-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2268-456-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2192-475-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1676-519-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2248-534-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/1484-657-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2780-850-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2732-979-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2908-1124-0x0000000000230000-0x000000000025A000-memory.dmp family_blackmoon behavioral1/memory/1708-1184-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2524-1222-0x00000000003D0000-0x00000000003FA000-memory.dmp family_blackmoon 
behavioral1/memory/2384-1355-0x00000000002A0000-0x00000000002CA000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2420 ppjvd.exe 2220 xrfrxfx.exe 3008 hhbntb.exe 2304 5ddjj.exe 2904 nnbhbh.exe 2756 lrxxflf.exe 2936 3tthtn.exe 2768 pvpvd.exe 2636 9fxxlrx.exe 2708 5jppd.exe 2252 7lffrrf.exe 552 7tbnbn.exe 2204 djpdj.exe 1964 3rffxfr.exe 2812 jdpdp.exe 2952 nbtbbh.exe 2016 bthtbh.exe 2020 vpjpd.exe 2604 nnhntt.exe 1728 dvppd.exe 2984 bttthn.exe 1352 fxxfrrx.exe 1556 thtbtb.exe 3040 nhnhtt.exe 1804 nhbbhn.exe 2460 1bbnth.exe 780 5pdjv.exe 2424 flflxfr.exe 308 rxrxlxr.exe 2000 vpjpd.exe 3000 rlflfrf.exe 3068 lflrffl.exe 2380 ddvjv.exe 2148 dvjpd.exe 2880 tnhhbh.exe 2896 9pjpj.exe 2884 xxrrxfr.exe 2764 xrlrffl.exe 2152 9tbbtb.exe 2748 ppjvp.exe 2236 lfxlxfx.exe 2652 lrxflrf.exe 2636 hbbbbb.exe 2752 3vpvj.exe 2592 ppjjd.exe 1812 rrrxflx.exe 800 nnntht.exe 2700 hhnnhh.exe 1732 ddvpj.exe 2848 xlflxfx.exe 2812 rxrfrxr.exe 1768 ttnnbb.exe 2028 ddvdp.exe 2540 vppvd.exe 2020 frrxlrx.exe 2268 hhhnbh.exe 572 5thhht.exe 1728 ppjvj.exe 2192 xffrflx.exe 2348 9nntbn.exe 444 hnnbnt.exe 3044 djjpd.exe 304 rrflrxr.exe 932 btbhnt.exe -
resource yara_rule behavioral1/memory/3000-0-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3000-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2220-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2420-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3008-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2220-27-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2304-45-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2936-67-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2756-58-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2636-92-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2204-121-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/552-120-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2952-149-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2812-147-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2016-158-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2020-169-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2016-164-0x00000000001B0000-0x00000000001DA000-memory.dmp upx behavioral1/memory/2604-179-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1728-186-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1728-194-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1352-205-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2984-204-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1352-213-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3040-224-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/3040-232-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2460-249-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/780-258-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3000-287-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2000-285-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3068-296-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3068-304-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2880-317-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2764-342-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2152-349-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2652-368-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2636-375-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2592-388-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/800-401-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2348-476-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2192-475-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1676-519-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2240-545-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1732-677-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2812-690-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1952-729-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2156-794-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/308-807-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2780-850-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2252-912-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2692-943-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1392-995-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3048-1014-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1604-1084-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2908-1121-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2908-1124-0x0000000000230000-0x000000000025A000-memory.dmp upx behavioral1/memory/1708-1184-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1772-1235-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2384-1355-0x00000000002A0000-0x00000000002CA000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7vpdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbtbnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7lfxrrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1thnbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hthhnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdpvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrflrxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3lxrxrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not 
Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5vjdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thnhhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3pddj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvvdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3000 wrote to memory of 2420 3000 9ac8ec84bf0512a3e8afe82315d8c65977604c1fc873dd46b4fcc0bc97ad1f85.exe 30 PID 3000 wrote to memory of 2420 3000 9ac8ec84bf0512a3e8afe82315d8c65977604c1fc873dd46b4fcc0bc97ad1f85.exe 30 PID 3000 wrote to memory of 2420 3000 9ac8ec84bf0512a3e8afe82315d8c65977604c1fc873dd46b4fcc0bc97ad1f85.exe 30 PID 3000 wrote to memory of 2420 3000 9ac8ec84bf0512a3e8afe82315d8c65977604c1fc873dd46b4fcc0bc97ad1f85.exe 30 PID 2420 wrote to memory of 2220 2420 ppjvd.exe 31 PID 2420 wrote to memory of 2220 2420 ppjvd.exe 31 PID 2420 wrote to memory of 2220 2420 ppjvd.exe 31 PID 2420 wrote to memory of 2220 2420 ppjvd.exe 31 PID 2220 wrote to memory of 3008 2220 xrfrxfx.exe 32 PID 2220 wrote to memory of 3008 2220 xrfrxfx.exe 32 PID 2220 wrote to memory of 3008 2220 xrfrxfx.exe 32 PID 2220 wrote to memory of 3008 2220 xrfrxfx.exe 32 PID 3008 wrote to memory of 2304 3008 hhbntb.exe 33 PID 3008 wrote to memory of 2304 3008 hhbntb.exe 33 PID 3008 wrote to memory of 2304 3008 hhbntb.exe 33 PID 3008 wrote to memory of 2304 3008 hhbntb.exe 33 PID 2304 wrote to memory of 2904 2304 5ddjj.exe 34 PID 2304 wrote to memory of 2904 2304 5ddjj.exe 34 PID 2304 wrote to memory of 2904 2304 5ddjj.exe 34 PID 2304 wrote to memory of 2904 2304 5ddjj.exe 34 PID 2904 wrote to memory of 2756 2904 nnbhbh.exe 35 PID 2904 wrote to memory of 2756 2904 nnbhbh.exe 35 PID 2904 wrote to memory of 2756 2904 nnbhbh.exe 35 PID 2904 wrote to memory of 2756 2904 nnbhbh.exe 35 PID 2756 wrote to memory of 2936 2756 lrxxflf.exe 36 PID 2756 wrote to memory of 2936 2756 lrxxflf.exe 36 PID 2756 wrote to memory of 2936 2756 lrxxflf.exe 36 PID 2756 wrote to memory of 2936 2756 lrxxflf.exe 36 PID 2936 wrote to memory of 2768 2936 3tthtn.exe 37 PID 2936 wrote to memory of 2768 2936 3tthtn.exe 37 PID 2936 wrote to memory of 2768 2936 3tthtn.exe 37 PID 2936 wrote to memory of 2768 2936 3tthtn.exe 37 PID 2768 wrote to memory of 2636 2768 pvpvd.exe 38 PID 2768 wrote 
to memory of 2636 2768 pvpvd.exe 38 PID 2768 wrote to memory of 2636 2768 pvpvd.exe 38 PID 2768 wrote to memory of 2636 2768 pvpvd.exe 38 PID 2636 wrote to memory of 2708 2636 9fxxlrx.exe 39 PID 2636 wrote to memory of 2708 2636 9fxxlrx.exe 39 PID 2636 wrote to memory of 2708 2636 9fxxlrx.exe 39 PID 2636 wrote to memory of 2708 2636 9fxxlrx.exe 39 PID 2708 wrote to memory of 2252 2708 5jppd.exe 40 PID 2708 wrote to memory of 2252 2708 5jppd.exe 40 PID 2708 wrote to memory of 2252 2708 5jppd.exe 40 PID 2708 wrote to memory of 2252 2708 5jppd.exe 40 PID 2252 wrote to memory of 552 2252 7lffrrf.exe 41 PID 2252 wrote to memory of 552 2252 7lffrrf.exe 41 PID 2252 wrote to memory of 552 2252 7lffrrf.exe 41 PID 2252 wrote to memory of 552 2252 7lffrrf.exe 41 PID 552 wrote to memory of 2204 552 7tbnbn.exe 42 PID 552 wrote to memory of 2204 552 7tbnbn.exe 42 PID 552 wrote to memory of 2204 552 7tbnbn.exe 42 PID 552 wrote to memory of 2204 552 7tbnbn.exe 42 PID 2204 wrote to memory of 1964 2204 djpdj.exe 43 PID 2204 wrote to memory of 1964 2204 djpdj.exe 43 PID 2204 wrote to memory of 1964 2204 djpdj.exe 43 PID 2204 wrote to memory of 1964 2204 djpdj.exe 43 PID 1964 wrote to memory of 2812 1964 3rffxfr.exe 44 PID 1964 wrote to memory of 2812 1964 3rffxfr.exe 44 PID 1964 wrote to memory of 2812 1964 3rffxfr.exe 44 PID 1964 wrote to memory of 2812 1964 3rffxfr.exe 44 PID 2812 wrote to memory of 2952 2812 jdpdp.exe 45 PID 2812 wrote to memory of 2952 2812 jdpdp.exe 45 PID 2812 wrote to memory of 2952 2812 jdpdp.exe 45 PID 2812 wrote to memory of 2952 2812 jdpdp.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\9ac8ec84bf0512a3e8afe82315d8c65977604c1fc873dd46b4fcc0bc97ad1f85.exe"C:\Users\Admin\AppData\Local\Temp\9ac8ec84bf0512a3e8afe82315d8c65977604c1fc873dd46b4fcc0bc97ad1f85.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3000 -
\??\c:\ppjvd.exec:\ppjvd.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2420 -
\??\c:\xrfrxfx.exec:\xrfrxfx.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2220 -
\??\c:\hhbntb.exec:\hhbntb.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3008 -
\??\c:\5ddjj.exec:\5ddjj.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2304 -
\??\c:\nnbhbh.exec:\nnbhbh.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2904 -
\??\c:\lrxxflf.exec:\lrxxflf.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2756 -
\??\c:\3tthtn.exec:\3tthtn.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2936 -
\??\c:\pvpvd.exec:\pvpvd.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2768 -
\??\c:\9fxxlrx.exec:\9fxxlrx.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2636 -
\??\c:\5jppd.exec:\5jppd.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2708 -
\??\c:\7lffrrf.exec:\7lffrrf.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2252 -
\??\c:\7tbnbn.exec:\7tbnbn.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:552 -
\??\c:\djpdj.exec:\djpdj.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2204 -
\??\c:\3rffxfr.exec:\3rffxfr.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1964 -
\??\c:\jdpdp.exec:\jdpdp.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2812 -
\??\c:\nbtbbh.exec:\nbtbbh.exe17⤵
- Executes dropped EXE
PID:2952 -
\??\c:\bthtbh.exec:\bthtbh.exe18⤵
- Executes dropped EXE
PID:2016 -
\??\c:\vpjpd.exec:\vpjpd.exe19⤵
- Executes dropped EXE
PID:2020 -
\??\c:\nnhntt.exec:\nnhntt.exe20⤵
- Executes dropped EXE
PID:2604 -
\??\c:\dvppd.exec:\dvppd.exe21⤵
- Executes dropped EXE
PID:1728 -
\??\c:\bttthn.exec:\bttthn.exe22⤵
- Executes dropped EXE
PID:2984 -
\??\c:\fxxfrrx.exec:\fxxfrrx.exe23⤵
- Executes dropped EXE
PID:1352 -
\??\c:\thtbtb.exec:\thtbtb.exe24⤵
- Executes dropped EXE
PID:1556 -
\??\c:\nhnhtt.exec:\nhnhtt.exe25⤵
- Executes dropped EXE
PID:3040 -
\??\c:\nhbbhn.exec:\nhbbhn.exe26⤵
- Executes dropped EXE
PID:1804 -
\??\c:\1bbnth.exec:\1bbnth.exe27⤵
- Executes dropped EXE
PID:2460 -
\??\c:\5pdjv.exec:\5pdjv.exe28⤵
- Executes dropped EXE
PID:780 -
\??\c:\flflxfr.exec:\flflxfr.exe29⤵
- Executes dropped EXE
PID:2424 -
\??\c:\rxrxlxr.exec:\rxrxlxr.exe30⤵
- Executes dropped EXE
PID:308 -
\??\c:\vpjpd.exec:\vpjpd.exe31⤵
- Executes dropped EXE
PID:2000 -
\??\c:\rlflfrf.exec:\rlflfrf.exe32⤵
- Executes dropped EXE
PID:3000 -
\??\c:\lflrffl.exec:\lflrffl.exe33⤵
- Executes dropped EXE
PID:3068 -
\??\c:\ddvjv.exec:\ddvjv.exe34⤵
- Executes dropped EXE
PID:2380 -
\??\c:\dvjpd.exec:\dvjpd.exe35⤵
- Executes dropped EXE
PID:2148 -
\??\c:\tnhhbh.exec:\tnhhbh.exe36⤵
- Executes dropped EXE
PID:2880 -
\??\c:\9pjpj.exec:\9pjpj.exe37⤵
- Executes dropped EXE
PID:2896 -
\??\c:\xxrrxfr.exec:\xxrrxfr.exe38⤵
- Executes dropped EXE
PID:2884 -
\??\c:\xrlrffl.exec:\xrlrffl.exe39⤵
- Executes dropped EXE
PID:2764 -
\??\c:\9tbbtb.exec:\9tbbtb.exe40⤵
- Executes dropped EXE
PID:2152 -
\??\c:\ppjvp.exec:\ppjvp.exe41⤵
- Executes dropped EXE
PID:2748 -
\??\c:\lfxlxfx.exec:\lfxlxfx.exe42⤵
- Executes dropped EXE
PID:2236 -
\??\c:\lrxflrf.exec:\lrxflrf.exe43⤵
- Executes dropped EXE
PID:2652 -
\??\c:\hbbbbb.exec:\hbbbbb.exe44⤵
- Executes dropped EXE
PID:2636 -
\??\c:\3vpvj.exec:\3vpvj.exe45⤵
- Executes dropped EXE
PID:2752 -
\??\c:\ppjjd.exec:\ppjjd.exe46⤵
- Executes dropped EXE
PID:2592 -
\??\c:\rrrxflx.exec:\rrrxflx.exe47⤵
- Executes dropped EXE
PID:1812 -
\??\c:\nnntht.exec:\nnntht.exe48⤵
- Executes dropped EXE
PID:800 -
\??\c:\hhnnhh.exec:\hhnnhh.exe49⤵
- Executes dropped EXE
PID:2700 -
\??\c:\ddvpj.exec:\ddvpj.exe50⤵
- Executes dropped EXE
PID:1732 -
\??\c:\xlflxfx.exec:\xlflxfx.exe51⤵
- Executes dropped EXE
PID:2848 -
\??\c:\rxrfrxr.exec:\rxrfrxr.exe52⤵
- Executes dropped EXE
PID:2812 -
\??\c:\ttnnbb.exec:\ttnnbb.exe53⤵
- Executes dropped EXE
PID:1768 -
\??\c:\ddvdp.exec:\ddvdp.exe54⤵
- Executes dropped EXE
PID:2028 -
\??\c:\vppvd.exec:\vppvd.exe55⤵
- Executes dropped EXE
PID:2540 -
\??\c:\frrxlrx.exec:\frrxlrx.exe56⤵
- Executes dropped EXE
PID:2020 -
\??\c:\hhhnbh.exec:\hhhnbh.exe57⤵
- Executes dropped EXE
PID:2268 -
\??\c:\5thhht.exec:\5thhht.exe58⤵
- Executes dropped EXE
PID:572 -
\??\c:\ppjvj.exec:\ppjvj.exe59⤵
- Executes dropped EXE
PID:1728 -
\??\c:\xffrflx.exec:\xffrflx.exe60⤵
- Executes dropped EXE
PID:2192 -
\??\c:\9nntbn.exec:\9nntbn.exe61⤵
- Executes dropped EXE
PID:2348 -
\??\c:\hnnbnt.exec:\hnnbnt.exe62⤵
- Executes dropped EXE
PID:444 -
\??\c:\djjpd.exec:\djjpd.exe63⤵
- Executes dropped EXE
PID:3044 -
\??\c:\rrflrxr.exec:\rrflrxr.exe64⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:304 -
\??\c:\btbhnt.exec:\btbhnt.exe65⤵
- Executes dropped EXE
PID:932 -
\??\c:\hbthnt.exec:\hbthnt.exe66⤵PID:2248
-
\??\c:\1pjpp.exec:\1pjpp.exe67⤵PID:1676
-
\??\c:\1xrxffr.exec:\1xrxffr.exe68⤵PID:2052
-
\??\c:\lfxfxxl.exec:\lfxfxxl.exe69⤵PID:780
-
\??\c:\nnbbht.exec:\nnbbht.exe70⤵PID:2100
-
\??\c:\vpppp.exec:\vpppp.exe71⤵PID:860
-
\??\c:\5jdjp.exec:\5jdjp.exe72⤵PID:2240
-
\??\c:\lfllrrf.exec:\lfllrrf.exe73⤵PID:1616
-
\??\c:\tnhhtt.exec:\tnhhtt.exe74⤵PID:544
-
\??\c:\vjdjp.exec:\vjdjp.exe75⤵PID:2368
-
\??\c:\dpjdv.exec:\dpjdv.exe76⤵PID:1824
-
\??\c:\3xrrrxl.exec:\3xrrrxl.exe77⤵PID:2364
-
\??\c:\9bhbhn.exec:\9bhbhn.exe78⤵PID:1656
-
\??\c:\jdppd.exec:\jdppd.exe79⤵PID:2908
-
\??\c:\rfrrxxl.exec:\rfrrxxl.exe80⤵PID:2064
-
\??\c:\rfxxflx.exec:\rfxxflx.exe81⤵PID:2928
-
\??\c:\tbthbh.exec:\tbthbh.exe82⤵PID:2792
-
\??\c:\vvjpd.exec:\vvjpd.exe83⤵PID:2680
-
\??\c:\ppjjv.exec:\ppjjv.exe84⤵PID:2796
-
\??\c:\1rllrxl.exec:\1rllrxl.exe85⤵PID:2236
-
\??\c:\nnnthh.exec:\nnnthh.exe86⤵PID:2652
-
\??\c:\5tnttt.exec:\5tnttt.exe87⤵PID:2104
-
\??\c:\1djdj.exec:\1djdj.exe88⤵PID:2708
-
\??\c:\pjpvv.exec:\pjpvv.exe89⤵PID:1484
-
\??\c:\rrllrxf.exec:\rrllrxf.exe90⤵PID:2216
-
\??\c:\bbntbh.exec:\bbntbh.exe91⤵PID:800
-
\??\c:\vvjdd.exec:\vvjdd.exe92⤵PID:3004
-
\??\c:\3vppv.exec:\3vppv.exe93⤵PID:1732
-
\??\c:\flxrlfx.exec:\flxrlfx.exe94⤵PID:2180
-
\??\c:\7hbhnt.exec:\7hbhnt.exe95⤵PID:2812
-
\??\c:\9pppd.exec:\9pppd.exe96⤵PID:1768
-
\??\c:\7ddjv.exec:\7ddjv.exe97⤵PID:1040
-
\??\c:\7lfrxrr.exec:\7lfrxrr.exe98⤵PID:2124
-
\??\c:\3tthtb.exec:\3tthtb.exe99⤵PID:564
-
\??\c:\tbtbtt.exec:\tbtbtt.exe100⤵PID:2024
-
\??\c:\7ddjp.exec:\7ddjp.exe101⤵PID:1952
-
\??\c:\fxxlxxf.exec:\fxxlxxf.exe102⤵PID:2616
-
\??\c:\xxrxllr.exec:\xxrxllr.exe103⤵PID:1352
-
\??\c:\nnhnbh.exec:\nnhnbh.exe104⤵PID:916
-
\??\c:\vvvdj.exec:\vvvdj.exe105⤵PID:1556
-
\??\c:\jdjdj.exec:\jdjdj.exe106⤵PID:1404
-
\??\c:\xfrrfxl.exec:\xfrrfxl.exe107⤵PID:1804
-
\??\c:\ntnbnt.exec:\ntnbnt.exe108⤵PID:2208
-
\??\c:\hbtthn.exec:\hbtthn.exe109⤵PID:1944
-
\??\c:\jdpdj.exec:\jdpdj.exe110⤵PID:2536
-
\??\c:\1lxxffr.exec:\1lxxffr.exe111⤵PID:2156
-
\??\c:\7frrffr.exec:\7frrffr.exe112⤵PID:1316
-
\??\c:\thtthn.exec:\thtthn.exe113⤵PID:308
-
\??\c:\vdvdp.exec:\vdvdp.exe114⤵PID:1604
-
\??\c:\vvjpv.exec:\vvjpv.exe115⤵PID:2384
-
\??\c:\rrlrflf.exec:\rrlrflf.exe116⤵PID:2428
-
\??\c:\flfxllr.exec:\flfxllr.exe117⤵PID:2608
-
\??\c:\bhhnbh.exec:\bhhnbh.exe118⤵PID:2116
-
\??\c:\pvdvp.exec:\pvdvp.exe119⤵PID:2780
-
\??\c:\xlxxllx.exec:\xlxxllx.exe120⤵PID:2772
-
\??\c:\fffrrlf.exec:\fffrrlf.exe121⤵PID:2896
-
\??\c:\tnhnbh.exec:\tnhnbh.exe122⤵PID:2784