Analysis
-
max time kernel
150s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
08/01/2025, 07:26
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
be686cd7e764701638e7fad2b6207756c62a12904c9b49d5697c16de718e3f59.exe
Resource
win7-20240903-en
7 signatures
150 seconds
General
-
Target
be686cd7e764701638e7fad2b6207756c62a12904c9b49d5697c16de718e3f59.exe
-
Size
454KB
-
MD5
077a90a0acacb4e6ae62b1f89f6a5a9c
-
SHA1
a40c636cb09249a0e5ea47909dd52c95cdd228f5
-
SHA256
be686cd7e764701638e7fad2b6207756c62a12904c9b49d5697c16de718e3f59
-
SHA512
d23d7773dddbd7e2e3f9da9ef4ae8e5031493b3243e02219af35d4ceababa70dab1f445099f5e6cfbd877223de4c42f99c4db4731f8c3b0ed9ae2941ead07069
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbes:q7Tc2NYHUrAwfMp3CDs
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 51 IoCs
resource yara_rule behavioral1/memory/2508-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2348-9-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2288-28-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2308-38-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2740-55-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2660-64-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2660-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2668-92-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2528-103-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2196-111-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2004-122-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2632-130-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2632-132-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2796-144-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2052-141-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2708-159-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/1192-168-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1840-179-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3048-196-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2628-204-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1908-215-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/1000-247-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2128-281-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1544-312-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1268-319-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2156-326-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/2156-327-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2140-359-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1864-397-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1952-404-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/848-441-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2432-444-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/888-457-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2236-467-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2236-472-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2020-505-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/624-537-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/3012-562-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2012-605-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2636-636-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2892-697-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2284-702-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon 
behavioral1/memory/2064-750-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/2064-751-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2804-916-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2936-1007-0x00000000002C0000-0x00000000002EA000-memory.dmp family_blackmoon behavioral1/memory/2372-1021-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/2912-1029-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1896-1037-0x0000000000430000-0x000000000045A000-memory.dmp family_blackmoon behavioral1/memory/2076-1101-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2960-1294-0x0000000000530000-0x000000000055A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2508 7ppjj.exe 2288 llrrfxx.exe 2308 nhhbbb.exe 340 xrrfxrx.exe 2740 thbbhh.exe 2660 fxllxxl.exe 2664 ttnbbh.exe 2872 jvdjj.exe 2668 9nttbt.exe 2528 9djpj.exe 2196 9lxlrrx.exe 2004 tnhbtt.exe 2632 dpvvd.exe 2052 bnbthb.exe 2796 dvjpv.exe 2708 xrlxffl.exe 1192 tntttt.exe 1840 jvdjp.exe 2960 rfxxfrx.exe 3048 dpdjj.exe 2628 1lxflrx.exe 1908 bthhhh.exe 956 frffllr.exe 1592 3bhhnh.exe 596 vpjjp.exe 1000 lfrrrrx.exe 784 nbhhnb.exe 1740 dpppp.exe 2300 hbhtnb.exe 2128 5pddj.exe 1888 lxllrrx.exe 1392 hhtttn.exe 2440 jpdjj.exe 1544 1xffxrx.exe 1268 htbthh.exe 2156 9jjpp.exe 2976 3xxxfrx.exe 2680 btbbbb.exe 2812 nhnhhb.exe 2088 vjdvv.exe 2140 rrflxxf.exe 2692 fxrrxxl.exe 2560 hbhhnh.exe 2580 pjvdd.exe 2668 9rrrlfx.exe 2608 lflfllx.exe 1864 bthnnn.exe 1952 9dvvp.exe 1288 7vddj.exe 1380 fxxrfff.exe 2908 7bhhbh.exe 2436 bnbtbb.exe 2924 1djjj.exe 848 dpvjp.exe 2432 9lfllfx.exe 888 3ntntn.exe 1768 bbtttb.exe 2236 dppdj.exe 1612 lxfflxf.exe 2020 5xlfffx.exe 3068 7nttnh.exe 1932 nbhhhh.exe 1564 jddjd.exe 1580 1llllfx.exe -
resource yara_rule behavioral1/memory/2508-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2348-9-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2308-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2288-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2308-38-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2740-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2660-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2668-92-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2528-103-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2196-111-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2004-122-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2632-132-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2796-144-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2052-141-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1192-168-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1840-179-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3048-196-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2628-204-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1908-215-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1000-247-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2128-273-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2128-281-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2440-299-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1544-312-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/1268-319-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2156-327-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2812-340-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2140-359-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1864-397-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/848-441-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2432-444-0x00000000001B0000-0x00000000001DA000-memory.dmp upx behavioral1/memory/888-457-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2236-472-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1592-512-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2012-605-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2636-636-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2892-697-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2284-702-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2600-711-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1756-724-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2064-751-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/956-776-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2804-916-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2912-1028-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/1272-1064-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/820-1177-0x00000000001B0000-0x00000000001DA000-memory.dmp upx behavioral1/memory/1240-1213-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1252-1226-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2600-1269-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5xfxxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbntbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btbbbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frrffxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1rxxxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9xlllll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language be686cd7e764701638e7fad2b6207756c62a12904c9b49d5697c16de718e3f59.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rllxlxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9fxxxrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3jdvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7xfxrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttntht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htbbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2348 wrote to memory of 2508 2348 be686cd7e764701638e7fad2b6207756c62a12904c9b49d5697c16de718e3f59.exe 30 PID 2348 wrote to memory of 2508 2348 be686cd7e764701638e7fad2b6207756c62a12904c9b49d5697c16de718e3f59.exe 30 PID 2348 wrote to memory of 2508 2348 be686cd7e764701638e7fad2b6207756c62a12904c9b49d5697c16de718e3f59.exe 30 PID 2348 wrote to memory of 2508 2348 be686cd7e764701638e7fad2b6207756c62a12904c9b49d5697c16de718e3f59.exe 30 PID 2508 wrote to memory of 2288 2508 7ppjj.exe 31 PID 2508 wrote to memory of 2288 2508 7ppjj.exe 31 PID 2508 wrote to memory of 2288 2508 7ppjj.exe 31 PID 2508 wrote to memory of 2288 2508 7ppjj.exe 31 PID 2288 wrote to memory of 2308 2288 llrrfxx.exe 32 PID 2288 wrote to memory of 2308 2288 llrrfxx.exe 32 PID 2288 wrote to memory of 2308 2288 llrrfxx.exe 32 PID 2288 wrote to memory of 2308 2288 llrrfxx.exe 32 PID 2308 wrote to memory of 340 2308 nhhbbb.exe 33 PID 2308 wrote to memory of 340 2308 nhhbbb.exe 33 PID 2308 wrote to memory of 340 2308 nhhbbb.exe 33 PID 2308 wrote to memory of 340 2308 nhhbbb.exe 33 PID 340 wrote to memory of 2740 340 xrrfxrx.exe 34 PID 340 wrote to memory of 2740 340 xrrfxrx.exe 34 PID 340 wrote to memory of 2740 340 xrrfxrx.exe 34 PID 340 wrote to memory of 2740 340 xrrfxrx.exe 34 PID 2740 wrote to memory of 2660 2740 thbbhh.exe 35 PID 2740 wrote to memory of 2660 2740 thbbhh.exe 35 PID 2740 wrote to memory of 2660 2740 thbbhh.exe 35 PID 2740 wrote to memory of 2660 2740 thbbhh.exe 35 PID 2660 wrote to memory of 2664 2660 fxllxxl.exe 36 PID 2660 wrote to memory of 2664 2660 fxllxxl.exe 36 PID 2660 wrote to memory of 2664 2660 fxllxxl.exe 36 PID 2660 wrote to memory of 2664 2660 fxllxxl.exe 36 PID 2664 wrote to memory of 2872 2664 ttnbbh.exe 37 PID 2664 wrote to memory of 2872 2664 ttnbbh.exe 37 PID 2664 wrote to memory of 2872 2664 ttnbbh.exe 37 PID 2664 wrote to memory of 2872 2664 ttnbbh.exe 37 PID 2872 wrote to memory of 2668 2872 jvdjj.exe 38 PID 2872 wrote to 
memory of 2668 2872 jvdjj.exe 38 PID 2872 wrote to memory of 2668 2872 jvdjj.exe 38 PID 2872 wrote to memory of 2668 2872 jvdjj.exe 38 PID 2668 wrote to memory of 2528 2668 9nttbt.exe 39 PID 2668 wrote to memory of 2528 2668 9nttbt.exe 39 PID 2668 wrote to memory of 2528 2668 9nttbt.exe 39 PID 2668 wrote to memory of 2528 2668 9nttbt.exe 39 PID 2528 wrote to memory of 2196 2528 9djpj.exe 40 PID 2528 wrote to memory of 2196 2528 9djpj.exe 40 PID 2528 wrote to memory of 2196 2528 9djpj.exe 40 PID 2528 wrote to memory of 2196 2528 9djpj.exe 40 PID 2196 wrote to memory of 2004 2196 9lxlrrx.exe 41 PID 2196 wrote to memory of 2004 2196 9lxlrrx.exe 41 PID 2196 wrote to memory of 2004 2196 9lxlrrx.exe 41 PID 2196 wrote to memory of 2004 2196 9lxlrrx.exe 41 PID 2004 wrote to memory of 2632 2004 tnhbtt.exe 42 PID 2004 wrote to memory of 2632 2004 tnhbtt.exe 42 PID 2004 wrote to memory of 2632 2004 tnhbtt.exe 42 PID 2004 wrote to memory of 2632 2004 tnhbtt.exe 42 PID 2632 wrote to memory of 2052 2632 dpvvd.exe 43 PID 2632 wrote to memory of 2052 2632 dpvvd.exe 43 PID 2632 wrote to memory of 2052 2632 dpvvd.exe 43 PID 2632 wrote to memory of 2052 2632 dpvvd.exe 43 PID 2052 wrote to memory of 2796 2052 bnbthb.exe 44 PID 2052 wrote to memory of 2796 2052 bnbthb.exe 44 PID 2052 wrote to memory of 2796 2052 bnbthb.exe 44 PID 2052 wrote to memory of 2796 2052 bnbthb.exe 44 PID 2796 wrote to memory of 2708 2796 dvjpv.exe 45 PID 2796 wrote to memory of 2708 2796 dvjpv.exe 45 PID 2796 wrote to memory of 2708 2796 dvjpv.exe 45 PID 2796 wrote to memory of 2708 2796 dvjpv.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\be686cd7e764701638e7fad2b6207756c62a12904c9b49d5697c16de718e3f59.exe"C:\Users\Admin\AppData\Local\Temp\be686cd7e764701638e7fad2b6207756c62a12904c9b49d5697c16de718e3f59.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2348 -
\??\c:\7ppjj.exec:\7ppjj.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2508 -
\??\c:\llrrfxx.exec:\llrrfxx.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2288 -
\??\c:\nhhbbb.exec:\nhhbbb.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2308 -
\??\c:\xrrfxrx.exec:\xrrfxrx.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:340 -
\??\c:\thbbhh.exec:\thbbhh.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2740 -
\??\c:\fxllxxl.exec:\fxllxxl.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2660 -
\??\c:\ttnbbh.exec:\ttnbbh.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2664 -
\??\c:\jvdjj.exec:\jvdjj.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2872 -
\??\c:\9nttbt.exec:\9nttbt.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2668 -
\??\c:\9djpj.exec:\9djpj.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2528 -
\??\c:\9lxlrrx.exec:\9lxlrrx.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2196 -
\??\c:\tnhbtt.exec:\tnhbtt.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2004 -
\??\c:\dpvvd.exec:\dpvvd.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2632 -
\??\c:\bnbthb.exec:\bnbthb.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2052 -
\??\c:\dvjpv.exec:\dvjpv.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2796 -
\??\c:\xrlxffl.exec:\xrlxffl.exe17⤵
- Executes dropped EXE
PID:2708 -
\??\c:\tntttt.exec:\tntttt.exe18⤵
- Executes dropped EXE
PID:1192 -
\??\c:\jvdjp.exec:\jvdjp.exe19⤵
- Executes dropped EXE
PID:1840 -
\??\c:\rfxxfrx.exec:\rfxxfrx.exe20⤵
- Executes dropped EXE
PID:2960 -
\??\c:\dpdjj.exec:\dpdjj.exe21⤵
- Executes dropped EXE
PID:3048 -
\??\c:\1lxflrx.exec:\1lxflrx.exe22⤵
- Executes dropped EXE
PID:2628 -
\??\c:\bthhhh.exec:\bthhhh.exe23⤵
- Executes dropped EXE
PID:1908 -
\??\c:\frffllr.exec:\frffllr.exe24⤵
- Executes dropped EXE
PID:956 -
\??\c:\3bhhnh.exec:\3bhhnh.exe25⤵
- Executes dropped EXE
PID:1592 -
\??\c:\vpjjp.exec:\vpjjp.exe26⤵
- Executes dropped EXE
PID:596 -
\??\c:\lfrrrrx.exec:\lfrrrrx.exe27⤵
- Executes dropped EXE
PID:1000 -
\??\c:\nbhhnb.exec:\nbhhnb.exe28⤵
- Executes dropped EXE
PID:784 -
\??\c:\dpppp.exec:\dpppp.exe29⤵
- Executes dropped EXE
PID:1740 -
\??\c:\hbhtnb.exec:\hbhtnb.exe30⤵
- Executes dropped EXE
PID:2300 -
\??\c:\5pddj.exec:\5pddj.exe31⤵
- Executes dropped EXE
PID:2128 -
\??\c:\lxllrrx.exec:\lxllrrx.exe32⤵
- Executes dropped EXE
PID:1888 -
\??\c:\hhtttn.exec:\hhtttn.exe33⤵
- Executes dropped EXE
PID:1392 -
\??\c:\jpdjj.exec:\jpdjj.exe34⤵
- Executes dropped EXE
PID:2440 -
\??\c:\1xffxrx.exec:\1xffxrx.exe35⤵
- Executes dropped EXE
PID:1544 -
\??\c:\htbthh.exec:\htbthh.exe36⤵
- Executes dropped EXE
PID:1268 -
\??\c:\9jjpp.exec:\9jjpp.exe37⤵
- Executes dropped EXE
PID:2156 -
\??\c:\3xxxfrx.exec:\3xxxfrx.exe38⤵
- Executes dropped EXE
PID:2976 -
\??\c:\btbbbb.exec:\btbbbb.exe39⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2680 -
\??\c:\nhnhhb.exec:\nhnhhb.exe40⤵
- Executes dropped EXE
PID:2812 -
\??\c:\vjdvv.exec:\vjdvv.exe41⤵
- Executes dropped EXE
PID:2088 -
\??\c:\rrflxxf.exec:\rrflxxf.exe42⤵
- Executes dropped EXE
PID:2140 -
\??\c:\fxrrxxl.exec:\fxrrxxl.exe43⤵
- Executes dropped EXE
PID:2692 -
\??\c:\hbhhnh.exec:\hbhhnh.exe44⤵
- Executes dropped EXE
PID:2560 -
\??\c:\pjvdd.exec:\pjvdd.exe45⤵
- Executes dropped EXE
PID:2580 -
\??\c:\9rrrlfx.exec:\9rrrlfx.exe46⤵
- Executes dropped EXE
PID:2668 -
\??\c:\lflfllx.exec:\lflfllx.exe47⤵
- Executes dropped EXE
PID:2608 -
\??\c:\bthnnn.exec:\bthnnn.exe48⤵
- Executes dropped EXE
PID:1864 -
\??\c:\9dvvp.exec:\9dvvp.exe49⤵
- Executes dropped EXE
PID:1952 -
\??\c:\7vddj.exec:\7vddj.exe50⤵
- Executes dropped EXE
PID:1288 -
\??\c:\fxxrfff.exec:\fxxrfff.exe51⤵
- Executes dropped EXE
PID:1380 -
\??\c:\7bhhbh.exec:\7bhhbh.exe52⤵
- Executes dropped EXE
PID:2908 -
\??\c:\bnbtbb.exec:\bnbtbb.exe53⤵
- Executes dropped EXE
PID:2436 -
\??\c:\1djjj.exec:\1djjj.exe54⤵
- Executes dropped EXE
PID:2924 -
\??\c:\dpvjp.exec:\dpvjp.exe55⤵
- Executes dropped EXE
PID:848 -
\??\c:\9lfllfx.exec:\9lfllfx.exe56⤵
- Executes dropped EXE
PID:2432 -
\??\c:\3ntntn.exec:\3ntntn.exe57⤵
- Executes dropped EXE
PID:888 -
\??\c:\bbtttb.exec:\bbtttb.exe58⤵
- Executes dropped EXE
PID:1768 -
\??\c:\dppdj.exec:\dppdj.exe59⤵
- Executes dropped EXE
PID:2236 -
\??\c:\lxfflxf.exec:\lxfflxf.exe60⤵
- Executes dropped EXE
PID:1612 -
\??\c:\5xlfffx.exec:\5xlfffx.exe61⤵
- Executes dropped EXE
PID:2020 -
\??\c:\7nttnh.exec:\7nttnh.exe62⤵
- Executes dropped EXE
PID:3068 -
\??\c:\nbhhhh.exec:\nbhhhh.exe63⤵
- Executes dropped EXE
PID:1932 -
\??\c:\jddjd.exec:\jddjd.exe64⤵
- Executes dropped EXE
PID:1564 -
\??\c:\1llllfx.exec:\1llllfx.exe65⤵
- Executes dropped EXE
PID:1580 -
\??\c:\lflllll.exec:\lflllll.exe66⤵PID:1592
-
\??\c:\1bhtbt.exec:\1bhtbt.exe67⤵PID:596
-
\??\c:\vpddj.exec:\vpddj.exe68⤵PID:1596
-
\??\c:\pjvvv.exec:\pjvvv.exe69⤵PID:624
-
\??\c:\xrlllrx.exec:\xrlllrx.exe70⤵PID:2212
-
\??\c:\tntttn.exec:\tntttn.exe71⤵PID:1740
-
\??\c:\hbnntn.exec:\hbnntn.exe72⤵PID:2300
-
\??\c:\vdpjj.exec:\vdpjj.exe73⤵PID:3012
-
\??\c:\1rxxxxr.exec:\1rxxxxr.exe74⤵
- System Location Discovery: System Language Discovery
PID:884 -
\??\c:\xfrlrxx.exec:\xfrlrxx.exe75⤵PID:2348
-
\??\c:\tbnhbb.exec:\tbnhbb.exe76⤵PID:1392
-
\??\c:\jvvpp.exec:\jvvpp.exe77⤵PID:2440
-
\??\c:\pjjjp.exec:\pjjjp.exe78⤵PID:1424
-
\??\c:\lrfllfl.exec:\lrfllfl.exe79⤵PID:2000
-
\??\c:\9tnhnb.exec:\9tnhnb.exe80⤵PID:2012
-
\??\c:\1pdvd.exec:\1pdvd.exe81⤵PID:2308
-
\??\c:\vppjp.exec:\vppjp.exe82⤵PID:2276
-
\??\c:\rfrrxrr.exec:\rfrrxrr.exe83⤵PID:3000
-
\??\c:\bbnntt.exec:\bbnntt.exe84⤵PID:1852
-
\??\c:\1pvvv.exec:\1pvvv.exe85⤵PID:2636
-
\??\c:\pvdjj.exec:\pvdjj.exe86⤵PID:2540
-
\??\c:\fxlllff.exec:\fxlllff.exe87⤵PID:1972
-
\??\c:\ntbttn.exec:\ntbttn.exe88⤵PID:2352
-
\??\c:\btnnnn.exec:\btnnnn.exe89⤵PID:2580
-
\??\c:\5vjjj.exec:\5vjjj.exe90⤵PID:2668
-
\??\c:\5pjvv.exec:\5pjvv.exe91⤵PID:2608
-
\??\c:\frxlfxx.exec:\frxlfxx.exe92⤵PID:1588
-
\??\c:\bnnnnn.exec:\bnnnnn.exe93⤵PID:2768
-
\??\c:\hbnthh.exec:\hbnthh.exe94⤵PID:1288
-
\??\c:\7pvvp.exec:\7pvvp.exe95⤵PID:2892
-
\??\c:\rrlrffl.exec:\rrlrffl.exe96⤵PID:2284
-
\??\c:\nbnbhn.exec:\nbnbhn.exe97⤵PID:1472
-
\??\c:\jddjv.exec:\jddjv.exe98⤵PID:2600
-
\??\c:\5dppp.exec:\5dppp.exe99⤵PID:2904
-
\??\c:\9fxrrrr.exec:\9fxrrrr.exe100⤵PID:1756
-
\??\c:\7httbb.exec:\7httbb.exe101⤵PID:2968
-
\??\c:\hbnnbb.exec:\hbnnbb.exe102⤵PID:2956
-
\??\c:\vvpvj.exec:\vvpvj.exe103⤵PID:2064
-
\??\c:\9xxlrfr.exec:\9xxlrfr.exe104⤵PID:1896
-
\??\c:\btbbbt.exec:\btbbbt.exe105⤵PID:1436
-
\??\c:\9btthn.exec:\9btthn.exe106⤵PID:1044
-
\??\c:\jvvvd.exec:\jvvvd.exe107⤵PID:2296
-
\??\c:\5lllrxl.exec:\5lllrxl.exe108⤵PID:956
-
\??\c:\7htbbh.exec:\7htbbh.exe109⤵PID:992
-
\??\c:\hhbbbb.exec:\hhbbbb.exe110⤵PID:108
-
\??\c:\5jvpd.exec:\5jvpd.exe111⤵PID:1608
-
\??\c:\dpvpp.exec:\dpvpp.exe112⤵PID:596
-
\??\c:\fxrrllr.exec:\fxrrllr.exe113⤵PID:1700
-
\??\c:\7hntnt.exec:\7hntnt.exe114⤵PID:2444
-
\??\c:\pdjjp.exec:\pdjjp.exe115⤵PID:1088
-
\??\c:\3jpjd.exec:\3jpjd.exe116⤵PID:2476
-
\??\c:\xlxrlrx.exec:\xlxrlrx.exe117⤵PID:1904
-
\??\c:\9tnhhh.exec:\9tnhhh.exe118⤵PID:3012
-
\??\c:\9nnbhh.exec:\9nnbhh.exe119⤵PID:2360
-
\??\c:\jvjjv.exec:\jvjjv.exe120⤵PID:1872
-
\??\c:\lfrxxxx.exec:\lfrxxxx.exe121⤵PID:1520
-
\??\c:\nbhtnh.exec:\nbhtnh.exe122⤵PID:2288