Analysis
-
max time kernel
120s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64 arch:x86 image:win7-20240729-en locale:en-us os:windows7-x64 system -
submitted
20-01-2025 09:11
Behavioral task
behavioral1
Sample
206b60a881461dac235fd19fd67f749b67add813a056708283ebd34f4afb117bN.exe
Resource
win7-20240729-en
7 signatures
120 seconds
General
-
Target
206b60a881461dac235fd19fd67f749b67add813a056708283ebd34f4afb117bN.exe
-
Size
333KB
-
MD5
2aa6a0a44f9e60b3209ce5d3ce14ba40
-
SHA1
2022c5c3f7d6c7ae16c417c9318c0d7f622dbfbd
-
SHA256
206b60a881461dac235fd19fd67f749b67add813a056708283ebd34f4afb117b
-
SHA512
41d83cb41dbf58fe734b528eb98ab153b5c68e306175766e19f03d43846a3456e12acdd7bc63648975fba7a3a8f5dc2461d1078d414920bebef20917d76d4f9f
-
SSDEEP
6144:Lcm4FmowdHoSHt251UriZFwfsDX2UznsaFVNJCMKAbeV:R4wFHoSHYHUrAwfMp3CDV
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 47 IoCs
resource yara_rule behavioral1/memory/2284-6-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2492-23-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2192-31-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2772-39-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2844-49-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2844-47-0x00000000002B0000-0x00000000002D7000-memory.dmp family_blackmoon behavioral1/memory/2828-56-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2828-58-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2804-70-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2792-78-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2192-65-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2636-92-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2748-102-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2748-100-0x00000000001B0000-0x00000000001D7000-memory.dmp family_blackmoon behavioral1/memory/1828-109-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/836-119-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2696-128-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2956-141-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/3020-152-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/3060-177-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1876-190-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon 
behavioral1/memory/2536-198-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2540-245-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1084-270-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1804-277-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2292-276-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2216-298-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2952-299-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2660-335-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2880-341-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2648-347-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1868-359-0x00000000002A0000-0x00000000002C7000-memory.dmp family_blackmoon behavioral1/memory/2584-371-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2688-420-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/1884-457-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2428-463-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/1608-536-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1376-552-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2700-614-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2404-680-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/1456-729-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1136-770-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral1/memory/1724-777-0x0000000077260000-0x000000007737F000-memory.dmp family_blackmoon behavioral1/memory/2792-876-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2032-912-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/372-974-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/1080-1065-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2364 hnbthn.exe 2492 7dppv.exe 2192 nthnbt.exe 2772 dpjjv.exe 2844 xxflxfr.exe 2828 1ddpv.exe 2880 9rrlxxr.exe 2804 jddvv.exe 2792 pvppd.exe 2636 rfrxrll.exe 2748 dvdjd.exe 1828 ffxfffx.exe 836 ddpvd.exe 2992 lrfllrr.exe 2696 rrxxrxf.exe 2956 bhhbnb.exe 2016 jvjvj.exe 3020 hnbthn.exe 2036 jjppd.exe 376 9nhbnh.exe 3060 ttttbb.exe 1876 vdjpv.exe 2536 rrxllrx.exe 2516 pvpjv.exe 1096 3flxfll.exe 1744 pvvpj.exe 276 5rxfllr.exe 544 rllfrxx.exe 2280 jdjjp.exe 2540 1lrxlrx.exe 780 bbnbtn.exe 2712 3pppp.exe 1084 vjpjj.exe 2292 5flrfxx.exe 1804 1bnhnb.exe 1632 ppvvv.exe 2324 xxfflrr.exe 2216 rlrrxrx.exe 2952 tnnnbh.exe 2812 jdjdp.exe 2836 pjpjv.exe 2856 llflrxf.exe 2768 fflllxf.exe 2744 tnttbb.exe 2660 jddvp.exe 2880 jdjjp.exe 2648 7xfrxfl.exe 2628 fxrflrf.exe 1868 5btthh.exe 1252 1vvjv.exe 2584 7vdpv.exe 352 lrrrlxl.exe 596 5hbhnt.exe 2380 5vppd.exe 2816 9vpvj.exe 2960 5xffrxf.exe 2688 7bbbnn.exe 2032 bhnhtt.exe 2920 ddjpd.exe 3000 1jdjp.exe 2404 3xrfrlr.exe 3024 bbnnbh.exe 1624 vdpdp.exe 3056 djvvj.exe -
resource yara_rule behavioral1/memory/2284-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000a0000000122d0-5.dat upx behavioral1/memory/2364-8-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2284-6-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2492-16-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00070000000186ca-15.dat upx behavioral1/files/0x00060000000186d9-24.dat upx behavioral1/memory/2492-23-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00060000000186dd-32.dat upx behavioral1/memory/2192-31-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0006000000018710-40.dat upx behavioral1/memory/2772-39-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2844-49-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0007000000018718-48.dat upx behavioral1/memory/2844-47-0x00000000002B0000-0x00000000002D7000-memory.dmp upx behavioral1/memory/2828-56-0x0000000000220000-0x0000000000247000-memory.dmp upx behavioral1/files/0x0007000000018766-57.dat upx behavioral1/memory/2828-58-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2804-70-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000600000001932d-69.dat upx behavioral1/memory/2792-78-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0005000000019606-77.dat upx behavioral1/files/0x0005000000019608-86.dat upx behavioral1/files/0x000500000001960a-93.dat upx behavioral1/memory/2636-92-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2748-102-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001960c-101.dat upx behavioral1/memory/1828-109-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001961c-110.dat upx behavioral1/files/0x000500000001961e-120.dat upx 
behavioral1/memory/836-119-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2696-128-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0005000000019667-127.dat upx behavioral1/files/0x00050000000196a1-135.dat upx behavioral1/files/0x0005000000019926-142.dat upx behavioral1/memory/2956-141-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/3020-152-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000a0000000122d0-151.dat upx behavioral1/files/0x0005000000019c34-160.dat upx behavioral1/files/0x000900000001727e-168.dat upx behavioral1/files/0x0005000000019c3c-175.dat upx behavioral1/memory/3060-177-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0005000000019c3e-184.dat upx behavioral1/files/0x0005000000019c57-191.dat upx behavioral1/files/0x0005000000019cba-200.dat upx behavioral1/memory/2536-198-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0005000000019cca-208.dat upx behavioral1/files/0x0005000000019d8e-215.dat upx behavioral1/files/0x0005000000019dbf-222.dat upx behavioral1/files/0x0005000000019f8a-229.dat upx behavioral1/files/0x0005000000019f94-237.dat upx behavioral1/files/0x000500000001a075-243.dat upx behavioral1/memory/2540-245-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001a07e-251.dat upx behavioral1/files/0x000500000001a09e-259.dat upx behavioral1/memory/1084-270-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/1804-277-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2292-276-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2216-298-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2952-299-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2660-335-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral1/memory/2880-341-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2648-347-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/1868-358-0x00000000002A0000-0x00000000002C7000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7bnthn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhthnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fffflll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1vjjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxrrxrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpvjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lflxllr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5nhnbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpppj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9xxrxxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3rrrffl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxflllr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlrrxrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2284 wrote to memory of 2364 2284 206b60a881461dac235fd19fd67f749b67add813a056708283ebd34f4afb117bN.exe 30 PID 2284 wrote to memory of 2364 2284 206b60a881461dac235fd19fd67f749b67add813a056708283ebd34f4afb117bN.exe 30 PID 2284 wrote to memory of 2364 2284 206b60a881461dac235fd19fd67f749b67add813a056708283ebd34f4afb117bN.exe 30 PID 2284 wrote to memory of 2364 2284 206b60a881461dac235fd19fd67f749b67add813a056708283ebd34f4afb117bN.exe 30 PID 2364 wrote to memory of 2492 2364 hnbthn.exe 31 PID 2364 wrote to memory of 2492 2364 hnbthn.exe 31 PID 2364 wrote to memory of 2492 2364 hnbthn.exe 31 PID 2364 wrote to memory of 2492 2364 hnbthn.exe 31 PID 2492 wrote to memory of 2192 2492 7dppv.exe 32 PID 2492 wrote to memory of 2192 2492 7dppv.exe 32 PID 2492 wrote to memory of 2192 2492 7dppv.exe 32 PID 2492 wrote to memory of 2192 2492 7dppv.exe 32 PID 2192 wrote to memory of 2772 2192 nthnbt.exe 33 PID 2192 wrote to memory of 2772 2192 nthnbt.exe 33 PID 2192 wrote to memory of 2772 2192 nthnbt.exe 33 PID 2192 wrote to memory of 2772 2192 nthnbt.exe 33 PID 2772 wrote to memory of 2844 2772 dpjjv.exe 34 PID 2772 wrote to memory of 2844 2772 dpjjv.exe 34 PID 2772 wrote to memory of 2844 2772 dpjjv.exe 34 PID 2772 wrote to memory of 2844 2772 dpjjv.exe 34 PID 2844 wrote to memory of 2828 2844 xxflxfr.exe 35 PID 2844 wrote to memory of 2828 2844 xxflxfr.exe 35 PID 2844 wrote to memory of 2828 2844 xxflxfr.exe 35 PID 2844 wrote to memory of 2828 2844 xxflxfr.exe 35 PID 2828 wrote to memory of 2880 2828 1ddpv.exe 36 PID 2828 wrote to memory of 2880 2828 1ddpv.exe 36 PID 2828 wrote to memory of 2880 2828 1ddpv.exe 36 PID 2828 wrote to memory of 2880 2828 1ddpv.exe 36 PID 2880 wrote to memory of 2804 2880 9rrlxxr.exe 37 PID 2880 wrote to memory of 2804 2880 9rrlxxr.exe 37 PID 2880 wrote to memory of 2804 2880 9rrlxxr.exe 37 PID 2880 wrote to memory of 2804 2880 9rrlxxr.exe 37 PID 2804 wrote to memory of 2792 2804 jddvv.exe 38 PID 2804 wrote 
to memory of 2792 2804 jddvv.exe 38 PID 2804 wrote to memory of 2792 2804 jddvv.exe 38 PID 2804 wrote to memory of 2792 2804 jddvv.exe 38 PID 2792 wrote to memory of 2636 2792 pvppd.exe 39 PID 2792 wrote to memory of 2636 2792 pvppd.exe 39 PID 2792 wrote to memory of 2636 2792 pvppd.exe 39 PID 2792 wrote to memory of 2636 2792 pvppd.exe 39 PID 2636 wrote to memory of 2748 2636 rfrxrll.exe 40 PID 2636 wrote to memory of 2748 2636 rfrxrll.exe 40 PID 2636 wrote to memory of 2748 2636 rfrxrll.exe 40 PID 2636 wrote to memory of 2748 2636 rfrxrll.exe 40 PID 2748 wrote to memory of 1828 2748 dvdjd.exe 41 PID 2748 wrote to memory of 1828 2748 dvdjd.exe 41 PID 2748 wrote to memory of 1828 2748 dvdjd.exe 41 PID 2748 wrote to memory of 1828 2748 dvdjd.exe 41 PID 1828 wrote to memory of 836 1828 ffxfffx.exe 42 PID 1828 wrote to memory of 836 1828 ffxfffx.exe 42 PID 1828 wrote to memory of 836 1828 ffxfffx.exe 42 PID 1828 wrote to memory of 836 1828 ffxfffx.exe 42 PID 836 wrote to memory of 2992 836 ddpvd.exe 43 PID 836 wrote to memory of 2992 836 ddpvd.exe 43 PID 836 wrote to memory of 2992 836 ddpvd.exe 43 PID 836 wrote to memory of 2992 836 ddpvd.exe 43 PID 2992 wrote to memory of 2696 2992 lrfllrr.exe 44 PID 2992 wrote to memory of 2696 2992 lrfllrr.exe 44 PID 2992 wrote to memory of 2696 2992 lrfllrr.exe 44 PID 2992 wrote to memory of 2696 2992 lrfllrr.exe 44 PID 2696 wrote to memory of 2956 2696 rrxxrxf.exe 45 PID 2696 wrote to memory of 2956 2696 rrxxrxf.exe 45 PID 2696 wrote to memory of 2956 2696 rrxxrxf.exe 45 PID 2696 wrote to memory of 2956 2696 rrxxrxf.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\206b60a881461dac235fd19fd67f749b67add813a056708283ebd34f4afb117bN.exe"C:\Users\Admin\AppData\Local\Temp\206b60a881461dac235fd19fd67f749b67add813a056708283ebd34f4afb117bN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2284 -
\??\c:\hnbthn.exec:\hnbthn.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2364 -
\??\c:\7dppv.exec:\7dppv.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2492 -
\??\c:\nthnbt.exec:\nthnbt.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2192 -
\??\c:\dpjjv.exec:\dpjjv.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2772 -
\??\c:\xxflxfr.exec:\xxflxfr.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2844 -
\??\c:\1ddpv.exec:\1ddpv.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2828 -
\??\c:\9rrlxxr.exec:\9rrlxxr.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2880 -
\??\c:\jddvv.exec:\jddvv.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2804 -
\??\c:\pvppd.exec:\pvppd.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2792 -
\??\c:\rfrxrll.exec:\rfrxrll.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2636 -
\??\c:\dvdjd.exec:\dvdjd.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2748 -
\??\c:\ffxfffx.exec:\ffxfffx.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1828 -
\??\c:\ddpvd.exec:\ddpvd.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:836 -
\??\c:\lrfllrr.exec:\lrfllrr.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2992 -
\??\c:\rrxxrxf.exec:\rrxxrxf.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2696 -
\??\c:\bhhbnb.exec:\bhhbnb.exe17⤵
- Executes dropped EXE
PID:2956 -
\??\c:\jvjvj.exec:\jvjvj.exe18⤵
- Executes dropped EXE
PID:2016 -
\??\c:\hnbthn.exec:\hnbthn.exe19⤵
- Executes dropped EXE
PID:3020 -
\??\c:\jjppd.exec:\jjppd.exe20⤵
- Executes dropped EXE
PID:2036 -
\??\c:\9nhbnh.exec:\9nhbnh.exe21⤵
- Executes dropped EXE
PID:376 -
\??\c:\ttttbb.exec:\ttttbb.exe22⤵
- Executes dropped EXE
PID:3060 -
\??\c:\vdjpv.exec:\vdjpv.exe23⤵
- Executes dropped EXE
PID:1876 -
\??\c:\rrxllrx.exec:\rrxllrx.exe24⤵
- Executes dropped EXE
PID:2536 -
\??\c:\pvpjv.exec:\pvpjv.exe25⤵
- Executes dropped EXE
PID:2516 -
\??\c:\3flxfll.exec:\3flxfll.exe26⤵
- Executes dropped EXE
PID:1096 -
\??\c:\pvvpj.exec:\pvvpj.exe27⤵
- Executes dropped EXE
PID:1744 -
\??\c:\5rxfllr.exec:\5rxfllr.exe28⤵
- Executes dropped EXE
PID:276 -
\??\c:\rllfrxx.exec:\rllfrxx.exe29⤵
- Executes dropped EXE
PID:544 -
\??\c:\jdjjp.exec:\jdjjp.exe30⤵
- Executes dropped EXE
PID:2280 -
\??\c:\1lrxlrx.exec:\1lrxlrx.exe31⤵
- Executes dropped EXE
PID:2540 -
\??\c:\bbnbtn.exec:\bbnbtn.exe32⤵
- Executes dropped EXE
PID:780 -
\??\c:\3pppp.exec:\3pppp.exe33⤵
- Executes dropped EXE
PID:2712 -
\??\c:\vjpjj.exec:\vjpjj.exe34⤵
- Executes dropped EXE
PID:1084 -
\??\c:\5flrfxx.exec:\5flrfxx.exe35⤵
- Executes dropped EXE
PID:2292 -
\??\c:\1bnhnb.exec:\1bnhnb.exe36⤵
- Executes dropped EXE
PID:1804 -
\??\c:\ppvvv.exec:\ppvvv.exe37⤵
- Executes dropped EXE
PID:1632 -
\??\c:\xxfflrr.exec:\xxfflrr.exe38⤵
- Executes dropped EXE
PID:2324 -
\??\c:\rlrrxrx.exec:\rlrrxrx.exe39⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2216 -
\??\c:\tnnnbh.exec:\tnnnbh.exe40⤵
- Executes dropped EXE
PID:2952 -
\??\c:\jdjdp.exec:\jdjdp.exe41⤵
- Executes dropped EXE
PID:2812 -
\??\c:\pjpjv.exec:\pjpjv.exe42⤵
- Executes dropped EXE
PID:2836 -
\??\c:\llflrxf.exec:\llflrxf.exe43⤵
- Executes dropped EXE
PID:2856 -
\??\c:\fflllxf.exec:\fflllxf.exe44⤵
- Executes dropped EXE
PID:2768 -
\??\c:\tnttbb.exec:\tnttbb.exe45⤵
- Executes dropped EXE
PID:2744 -
\??\c:\jddvp.exec:\jddvp.exe46⤵
- Executes dropped EXE
PID:2660 -
\??\c:\jdjjp.exec:\jdjjp.exe47⤵
- Executes dropped EXE
PID:2880 -
\??\c:\7xfrxfl.exec:\7xfrxfl.exe48⤵
- Executes dropped EXE
PID:2648 -
\??\c:\fxrflrf.exec:\fxrflrf.exe49⤵
- Executes dropped EXE
PID:2628 -
\??\c:\5btthh.exec:\5btthh.exe50⤵
- Executes dropped EXE
PID:1868 -
\??\c:\1vvjv.exec:\1vvjv.exe51⤵
- Executes dropped EXE
PID:1252 -
\??\c:\7vdpv.exec:\7vdpv.exe52⤵
- Executes dropped EXE
PID:2584 -
\??\c:\lrrrlxl.exec:\lrrrlxl.exe53⤵
- Executes dropped EXE
PID:352 -
\??\c:\5hbhnt.exec:\5hbhnt.exe54⤵
- Executes dropped EXE
PID:596 -
\??\c:\5vppd.exec:\5vppd.exe55⤵
- Executes dropped EXE
PID:2380 -
\??\c:\9vpvj.exec:\9vpvj.exe56⤵
- Executes dropped EXE
PID:2816 -
\??\c:\5xffrxf.exec:\5xffrxf.exe57⤵
- Executes dropped EXE
PID:2960 -
\??\c:\7bbbnn.exec:\7bbbnn.exe58⤵
- Executes dropped EXE
PID:2688 -
\??\c:\bhnhtt.exec:\bhnhtt.exe59⤵
- Executes dropped EXE
PID:2032 -
\??\c:\ddjpd.exec:\ddjpd.exe60⤵
- Executes dropped EXE
PID:2920 -
\??\c:\1jdjp.exec:\1jdjp.exe61⤵
- Executes dropped EXE
PID:3000 -
\??\c:\3xrfrlr.exec:\3xrfrlr.exe62⤵
- Executes dropped EXE
PID:2404 -
\??\c:\bbnnbh.exec:\bbnnbh.exe63⤵
- Executes dropped EXE
PID:3024 -
\??\c:\vdpdp.exec:\vdpdp.exe64⤵
- Executes dropped EXE
PID:1624 -
\??\c:\djvvj.exec:\djvvj.exe65⤵
- Executes dropped EXE
PID:3056 -
\??\c:\rxlxfxf.exec:\rxlxfxf.exe66⤵PID:2160
-
\??\c:\5fxxffr.exec:\5fxxffr.exe67⤵PID:2564
-
\??\c:\htnnth.exec:\htnnth.exe68⤵PID:1884
-
\??\c:\3hbbnn.exec:\3hbbnn.exe69⤵PID:2428
-
\??\c:\jvdjd.exec:\jvdjd.exe70⤵PID:2516
-
\??\c:\rrxlrrf.exec:\rrxlrrf.exe71⤵PID:236
-
\??\c:\frflxlr.exec:\frflxlr.exe72⤵PID:2096
-
\??\c:\hhthnt.exec:\hhthnt.exe73⤵
- System Location Discovery: System Language Discovery
PID:1060 -
\??\c:\vdppj.exec:\vdppj.exe74⤵PID:1572
-
\??\c:\1dpvd.exec:\1dpvd.exe75⤵PID:2312
-
\??\c:\lrrxllr.exec:\lrrxllr.exe76⤵PID:1980
-
\??\c:\lrflrrf.exec:\lrflrrf.exe77⤵PID:2100
-
\??\c:\bhhnhn.exec:\bhhnhn.exe78⤵PID:1908
-
\??\c:\pvjjv.exec:\pvjjv.exe79⤵PID:780
-
\??\c:\djjjp.exec:\djjjp.exe80⤵PID:2712
-
\??\c:\rxflfrx.exec:\rxflfrx.exe81⤵PID:2232
-
\??\c:\ffxxflr.exec:\ffxxflr.exe82⤵PID:2340
-
\??\c:\thtbht.exec:\thtbht.exe83⤵PID:1608
-
\??\c:\djvjp.exec:\djvjp.exe84⤵PID:1612
-
\??\c:\pjvdp.exec:\pjvdp.exe85⤵PID:1632
-
\??\c:\lxlxffr.exec:\lxlxffr.exe86⤵PID:1376
-
\??\c:\3rxxfrf.exec:\3rxxfrf.exe87⤵PID:2192
-
\??\c:\bhbbnt.exec:\bhbbnt.exe88⤵PID:2472
-
\??\c:\vvvvj.exec:\vvvvj.exe89⤵PID:2812
-
\??\c:\vjjpd.exec:\vjjpd.exe90⤵PID:2204
-
\??\c:\lflflrx.exec:\lflflrx.exe91⤵PID:2752
-
\??\c:\ttnbth.exec:\ttnbth.exe92⤵PID:1948
-
\??\c:\dvjvj.exec:\dvjvj.exe93⤵PID:2876
-
\??\c:\xfrxrlr.exec:\xfrxrlr.exe94⤵PID:320
-
\??\c:\rlrfrxf.exec:\rlrfrxf.exe95⤵PID:1752
-
\??\c:\3httth.exec:\3httth.exe96⤵PID:2796
-
\??\c:\hhnhbh.exec:\hhnhbh.exe97⤵PID:2700
-
\??\c:\jdjpv.exec:\jdjpv.exe98⤵PID:2692
-
\??\c:\3xrflxr.exec:\3xrflxr.exe99⤵PID:2932
-
\??\c:\xrxfrfl.exec:\xrxfrfl.exe100⤵PID:1828
-
\??\c:\hbntbn.exec:\hbntbn.exe101⤵PID:352
-
\??\c:\bnbnbb.exec:\bnbnbb.exe102⤵PID:596
-
\??\c:\djjdj.exec:\djjdj.exe103⤵PID:2380
-
\??\c:\xrxrrlr.exec:\xrxrrlr.exe104⤵PID:2612
-
\??\c:\rrxlrlr.exec:\rrxlrlr.exe105⤵PID:2960
-
\??\c:\hntbbb.exec:\hntbbb.exe106⤵PID:2688
-
\??\c:\5dvvd.exec:\5dvvd.exe107⤵PID:1528
-
\??\c:\pdjpp.exec:\pdjpp.exe108⤵PID:1988
-
\??\c:\lffflll.exec:\lffflll.exe109⤵PID:3020
-
\??\c:\ffxllxf.exec:\ffxllxf.exe110⤵PID:2404
-
\??\c:\3bbhht.exec:\3bbhht.exe111⤵PID:1772
-
\??\c:\3ddjv.exec:\3ddjv.exe112⤵PID:1624
-
\??\c:\rxfxlrx.exec:\rxfxlrx.exe113⤵PID:3060
-
\??\c:\ffffllr.exec:\ffffllr.exe114⤵PID:2332
-
\??\c:\tnnnnn.exec:\tnnnnn.exe115⤵PID:1116
-
\??\c:\jjjdd.exec:\jjjdd.exe116⤵PID:2164
-
\??\c:\jjvpj.exec:\jjvpj.exe117⤵PID:2708
-
\??\c:\9xrrlrf.exec:\9xrrlrf.exe118⤵PID:1824
-
\??\c:\bbhtht.exec:\bbhtht.exe119⤵PID:1768
-
\??\c:\nhhntb.exec:\nhhntb.exe120⤵PID:1456
-
\??\c:\pvvvv.exec:\pvvvv.exe121⤵PID:2476
-
\??\c:\ffrxxrr.exec:\ffrxxrr.exe122⤵PID:2412