Analysis
-
max time kernel
120s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20241023-en -
resource tags
arch:x64 arch:x86 image:win7-20241023-en locale:en-us os:windows7-x64 system -
submitted
20-01-2025 09:17
Static task
static1
1 signature
Behavioral task
behavioral1
Sample
9a5d2a80283f2b5f431b4ea918075424e7caed42fe866903ff24b7b2198fc6f9N.exe
Resource
win7-20241023-en
windows7-x64
7 signatures
120 seconds
General
-
Target
9a5d2a80283f2b5f431b4ea918075424e7caed42fe866903ff24b7b2198fc6f9N.exe
-
Size
454KB
-
MD5
4e3224c64103e0b34bbbd4732fd545c0
-
SHA1
925ba74b0c649816b154a7efd3eb2c7374229c94
-
SHA256
9a5d2a80283f2b5f431b4ea918075424e7caed42fe866903ff24b7b2198fc6f9
-
SHA512
0d9462e5e4febc57f344951ce72eed9df8e1a6790993f332b31f18def35bd93b3c13732836a737f3748787577c1fcc32e043f66e3321658ee611f480876ecb1f
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeae:q7Tc2NYHUrAwfMp3CDt
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 56 IoCs
resource yara_rule behavioral1/memory/2124-1-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2076-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2116-27-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2564-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2864-50-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2164-46-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2864-56-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/3020-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1832-93-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2724-101-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2032-111-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1284-137-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2724-142-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/840-155-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2948-165-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/1212-164-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/2264-176-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2628-192-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/108-199-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/828-209-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1476-218-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/3028-238-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/352-236-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/744-252-0x00000000005C0000-0x00000000005EA000-memory.dmp family_blackmoon behavioral1/memory/2232-262-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2172-298-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/2172-297-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/2296-333-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/2260-344-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2876-351-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2284-377-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2680-390-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1512-415-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1656-423-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2020-436-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2956-452-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2748-469-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2248-477-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2200-492-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2748-493-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/1856-528-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/1872-535-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/3036-548-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2400-569-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2100-588-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2080-595-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2860-645-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1832-677-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2720-698-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/2984-743-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1420-793-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1996-795-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1612-833-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1236-888-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/1148-994-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1064-1059-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2076 rlxxrxr.exe 2116 424060.exe 2564 400264.exe 2164 nhbhth.exe 2864 pvvdj.exe 3020 5pvdd.exe 2696 a0820.exe 2796 lfrlfrr.exe 1832 3jdjp.exe 2724 9httbb.exe 2032 2024624.exe 2728 2028840.exe 1212 o626224.exe 1284 824022.exe 1984 dvjpp.exe 840 3vdvv.exe 2948 vdppp.exe 2908 7rfffrx.exe 2264 nbbhtn.exe 2628 82402.exe 108 5pvvv.exe 828 04068.exe 1476 6040624.exe 1144 86884.exe 352 262286.exe 3028 3hnhth.exe 744 04622.exe 2232 c800666.exe 2424 g4666.exe 1972 pjddj.exe 1228 vpvvv.exe 2172 frxrxxx.exe 2744 26406.exe 2348 frxrrlr.exe 1636 g8624.exe 796 868888.exe 1188 e02400.exe 2296 3pjjv.exe 2260 rfxxllx.exe 2876 42062.exe 2872 i080284.exe 2804 9jppp.exe 2900 tbtttb.exe 2284 48028.exe 2664 6466262.exe 2680 g2642.exe 2780 rlllfrf.exe 1732 a2002.exe 1408 664066.exe 1512 7dppp.exe 484 86402.exe 1656 bbhhth.exe 2020 tnbhnt.exe 2944 628082.exe 1600 bbnnbb.exe 2956 rfllllr.exe 1072 jdvdp.exe 2748 vjpjj.exe 2248 i206442.exe 2156 1pjvj.exe 2200 jdvpj.exe 824 ttnnbt.exe 1016 602248.exe 600 42068.exe -
resource yara_rule behavioral1/memory/2124-1-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2116-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2076-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2116-27-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2164-38-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2564-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2864-50-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2164-46-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2864-56-0x00000000003C0000-0x00000000003EA000-memory.dmp upx behavioral1/memory/3020-58-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3020-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1832-93-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2724-101-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2032-111-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1284-137-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2724-142-0x00000000003B0000-0x00000000003DA000-memory.dmp upx behavioral1/memory/840-155-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2264-176-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2628-192-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/108-199-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/828-209-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1476-218-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3028-238-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/352-236-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2232-262-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/796-318-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2260-344-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2876-351-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2804-358-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2284-377-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2680-390-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1512-415-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1656-423-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2020-436-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2748-469-0x00000000001B0000-0x00000000001DA000-memory.dmp upx behavioral1/memory/2248-470-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2156-479-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2200-492-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1856-521-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1872-535-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2316-536-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2400-569-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2100-588-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2860-645-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1832-678-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/1832-677-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2032-686-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/824-781-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/1420-793-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/1996-795-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1612-833-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1236-888-0x00000000003A0000-0x00000000003CA000-memory.dmp upx behavioral1/memory/2452-908-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2808-921-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1148-994-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2276-1031-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2084-1038-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim machine in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9jdjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppdjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2684468.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 264406.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language s6408.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 48062.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 60224.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
1bnntt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnhttt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4246266.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 26624.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 262286.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1rlfllr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvvdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language q64066.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlxflll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5jpvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 864440.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 048422.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3dpdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9dvjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 60002.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2124 wrote to memory of 2076 2124 9a5d2a80283f2b5f431b4ea918075424e7caed42fe866903ff24b7b2198fc6f9N.exe 30 PID 2124 wrote to memory of 2076 2124 9a5d2a80283f2b5f431b4ea918075424e7caed42fe866903ff24b7b2198fc6f9N.exe 30 PID 2124 wrote to memory of 2076 2124 9a5d2a80283f2b5f431b4ea918075424e7caed42fe866903ff24b7b2198fc6f9N.exe 30 PID 2124 wrote to memory of 2076 2124 9a5d2a80283f2b5f431b4ea918075424e7caed42fe866903ff24b7b2198fc6f9N.exe 30 PID 2076 wrote to memory of 2116 2076 rlxxrxr.exe 31 PID 2076 wrote to memory of 2116 2076 rlxxrxr.exe 31 PID 2076 wrote to memory of 2116 2076 rlxxrxr.exe 31 PID 2076 wrote to memory of 2116 2076 rlxxrxr.exe 31 PID 2116 wrote to memory of 2564 2116 424060.exe 32 PID 2116 wrote to memory of 2564 2116 424060.exe 32 PID 2116 wrote to memory of 2564 2116 424060.exe 32 PID 2116 wrote to memory of 2564 2116 424060.exe 32 PID 2564 wrote to memory of 2164 2564 400264.exe 33 PID 2564 wrote to memory of 2164 2564 400264.exe 33 PID 2564 wrote to memory of 2164 2564 400264.exe 33 PID 2564 wrote to memory of 2164 2564 400264.exe 33 PID 2164 wrote to memory of 2864 2164 nhbhth.exe 34 PID 2164 wrote to memory of 2864 2164 nhbhth.exe 34 PID 2164 wrote to memory of 2864 2164 nhbhth.exe 34 PID 2164 wrote to memory of 2864 2164 nhbhth.exe 34 PID 2864 wrote to memory of 3020 2864 pvvdj.exe 35 PID 2864 wrote to memory of 3020 2864 pvvdj.exe 35 PID 2864 wrote to memory of 3020 2864 pvvdj.exe 35 PID 2864 wrote to memory of 3020 2864 pvvdj.exe 35 PID 3020 wrote to memory of 2696 3020 5pvdd.exe 36 PID 3020 wrote to memory of 2696 3020 5pvdd.exe 36 PID 3020 wrote to memory of 2696 3020 5pvdd.exe 36 PID 3020 wrote to memory of 2696 3020 5pvdd.exe 36 PID 2696 wrote to memory of 2796 2696 a0820.exe 37 PID 2696 wrote to memory of 2796 2696 a0820.exe 37 PID 2696 wrote to memory of 2796 2696 a0820.exe 37 PID 2696 wrote to memory of 2796 2696 a0820.exe 37 PID 2796 wrote to memory of 1832 2796 lfrlfrr.exe 38 PID 2796 wrote 
to memory of 1832 2796 lfrlfrr.exe 38 PID 2796 wrote to memory of 1832 2796 lfrlfrr.exe 38 PID 2796 wrote to memory of 1832 2796 lfrlfrr.exe 38 PID 1832 wrote to memory of 2724 1832 3jdjp.exe 39 PID 1832 wrote to memory of 2724 1832 3jdjp.exe 39 PID 1832 wrote to memory of 2724 1832 3jdjp.exe 39 PID 1832 wrote to memory of 2724 1832 3jdjp.exe 39 PID 2724 wrote to memory of 2032 2724 9httbb.exe 40 PID 2724 wrote to memory of 2032 2724 9httbb.exe 40 PID 2724 wrote to memory of 2032 2724 9httbb.exe 40 PID 2724 wrote to memory of 2032 2724 9httbb.exe 40 PID 2032 wrote to memory of 2728 2032 2024624.exe 41 PID 2032 wrote to memory of 2728 2032 2024624.exe 41 PID 2032 wrote to memory of 2728 2032 2024624.exe 41 PID 2032 wrote to memory of 2728 2032 2024624.exe 41 PID 2728 wrote to memory of 1212 2728 2028840.exe 42 PID 2728 wrote to memory of 1212 2728 2028840.exe 42 PID 2728 wrote to memory of 1212 2728 2028840.exe 42 PID 2728 wrote to memory of 1212 2728 2028840.exe 42 PID 1212 wrote to memory of 1284 1212 o626224.exe 43 PID 1212 wrote to memory of 1284 1212 o626224.exe 43 PID 1212 wrote to memory of 1284 1212 o626224.exe 43 PID 1212 wrote to memory of 1284 1212 o626224.exe 43 PID 1284 wrote to memory of 1984 1284 824022.exe 44 PID 1284 wrote to memory of 1984 1284 824022.exe 44 PID 1284 wrote to memory of 1984 1284 824022.exe 44 PID 1284 wrote to memory of 1984 1284 824022.exe 44 PID 1984 wrote to memory of 840 1984 dvjpp.exe 45 PID 1984 wrote to memory of 840 1984 dvjpp.exe 45 PID 1984 wrote to memory of 840 1984 dvjpp.exe 45 PID 1984 wrote to memory of 840 1984 dvjpp.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\9a5d2a80283f2b5f431b4ea918075424e7caed42fe866903ff24b7b2198fc6f9N.exe"C:\Users\Admin\AppData\Local\Temp\9a5d2a80283f2b5f431b4ea918075424e7caed42fe866903ff24b7b2198fc6f9N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2124 -
\??\c:\rlxxrxr.exec:\rlxxrxr.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2076 -
\??\c:\424060.exec:\424060.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2116 -
\??\c:\400264.exec:\400264.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2564 -
\??\c:\nhbhth.exec:\nhbhth.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2164 -
\??\c:\pvvdj.exec:\pvvdj.exe6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2864 -
\??\c:\5pvdd.exec:\5pvdd.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3020 -
\??\c:\a0820.exec:\a0820.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2696 -
\??\c:\lfrlfrr.exec:\lfrlfrr.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2796 -
\??\c:\3jdjp.exec:\3jdjp.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1832 -
\??\c:\9httbb.exec:\9httbb.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2724 -
\??\c:\2024624.exec:\2024624.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2032 -
\??\c:\2028840.exec:\2028840.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2728 -
\??\c:\o626224.exec:\o626224.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1212 -
\??\c:\824022.exec:\824022.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1284 -
\??\c:\dvjpp.exec:\dvjpp.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1984 -
\??\c:\3vdvv.exec:\3vdvv.exe17⤵
- Executes dropped EXE
PID:840 -
\??\c:\vdppp.exec:\vdppp.exe18⤵
- Executes dropped EXE
PID:2948 -
\??\c:\7rfffrx.exec:\7rfffrx.exe19⤵
- Executes dropped EXE
PID:2908 -
\??\c:\nbbhtn.exec:\nbbhtn.exe20⤵
- Executes dropped EXE
PID:2264 -
\??\c:\82402.exec:\82402.exe21⤵
- Executes dropped EXE
PID:2628 -
\??\c:\5pvvv.exec:\5pvvv.exe22⤵
- Executes dropped EXE
PID:108 -
\??\c:\04068.exec:\04068.exe23⤵
- Executes dropped EXE
PID:828 -
\??\c:\6040624.exec:\6040624.exe24⤵
- Executes dropped EXE
PID:1476 -
\??\c:\86884.exec:\86884.exe25⤵
- Executes dropped EXE
PID:1144 -
\??\c:\262286.exec:\262286.exe26⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:352 -
\??\c:\3hnhth.exec:\3hnhth.exe27⤵
- Executes dropped EXE
PID:3028 -
\??\c:\04622.exec:\04622.exe28⤵
- Executes dropped EXE
PID:744 -
\??\c:\c800666.exec:\c800666.exe29⤵
- Executes dropped EXE
PID:2232 -
\??\c:\g4666.exec:\g4666.exe30⤵
- Executes dropped EXE
PID:2424 -
\??\c:\pjddj.exec:\pjddj.exe31⤵
- Executes dropped EXE
PID:1972 -
\??\c:\vpvvv.exec:\vpvvv.exe32⤵
- Executes dropped EXE
PID:1228 -
\??\c:\frxrxxx.exec:\frxrxxx.exe33⤵
- Executes dropped EXE
PID:2172 -
\??\c:\26406.exec:\26406.exe34⤵
- Executes dropped EXE
PID:2744 -
\??\c:\frxrrlr.exec:\frxrrlr.exe35⤵
- Executes dropped EXE
PID:2348 -
\??\c:\g8624.exec:\g8624.exe36⤵
- Executes dropped EXE
PID:1636 -
\??\c:\868888.exec:\868888.exe37⤵
- Executes dropped EXE
PID:796 -
\??\c:\e02400.exec:\e02400.exe38⤵
- Executes dropped EXE
PID:1188 -
\??\c:\3pjjv.exec:\3pjjv.exe39⤵
- Executes dropped EXE
PID:2296 -
\??\c:\rfxxllx.exec:\rfxxllx.exe40⤵
- Executes dropped EXE
PID:2260 -
\??\c:\42062.exec:\42062.exe41⤵
- Executes dropped EXE
PID:2876 -
\??\c:\i080284.exec:\i080284.exe42⤵
- Executes dropped EXE
PID:2872 -
\??\c:\9jppp.exec:\9jppp.exe43⤵
- Executes dropped EXE
PID:2804 -
\??\c:\tbtttb.exec:\tbtttb.exe44⤵
- Executes dropped EXE
PID:2900 -
\??\c:\48028.exec:\48028.exe45⤵
- Executes dropped EXE
PID:2284 -
\??\c:\6466262.exec:\6466262.exe46⤵
- Executes dropped EXE
PID:2664 -
\??\c:\g2642.exec:\g2642.exe47⤵
- Executes dropped EXE
PID:2680 -
\??\c:\rlllfrf.exec:\rlllfrf.exe48⤵
- Executes dropped EXE
PID:2780 -
\??\c:\a2002.exec:\a2002.exe49⤵
- Executes dropped EXE
PID:1732 -
\??\c:\664066.exec:\664066.exe50⤵
- Executes dropped EXE
PID:1408 -
\??\c:\7dppp.exec:\7dppp.exe51⤵
- Executes dropped EXE
PID:1512 -
\??\c:\86402.exec:\86402.exe52⤵
- Executes dropped EXE
PID:484 -
\??\c:\bbhhth.exec:\bbhhth.exe53⤵
- Executes dropped EXE
PID:1656 -
\??\c:\tnbhnt.exec:\tnbhnt.exe54⤵
- Executes dropped EXE
PID:2020 -
\??\c:\628082.exec:\628082.exe55⤵
- Executes dropped EXE
PID:2944 -
\??\c:\bbnnbb.exec:\bbnnbb.exe56⤵
- Executes dropped EXE
PID:1600 -
\??\c:\rfllllr.exec:\rfllllr.exe57⤵
- Executes dropped EXE
PID:2956 -
\??\c:\jdvdp.exec:\jdvdp.exe58⤵
- Executes dropped EXE
PID:1072 -
\??\c:\vjpjj.exec:\vjpjj.exe59⤵
- Executes dropped EXE
PID:2748 -
\??\c:\i206442.exec:\i206442.exe60⤵
- Executes dropped EXE
PID:2248 -
\??\c:\1pjvj.exec:\1pjvj.exe61⤵
- Executes dropped EXE
PID:2156 -
\??\c:\jdvpj.exec:\jdvpj.exe62⤵
- Executes dropped EXE
PID:2200 -
\??\c:\ttnnbt.exec:\ttnnbt.exe63⤵
- Executes dropped EXE
PID:824 -
\??\c:\602248.exec:\602248.exe64⤵
- Executes dropped EXE
PID:1016 -
\??\c:\42068.exec:\42068.exe65⤵
- Executes dropped EXE
PID:600 -
\??\c:\086844.exec:\086844.exe66⤵PID:1296
-
\??\c:\88002.exec:\88002.exe67⤵PID:1856
-
\??\c:\rlffllr.exec:\rlffllr.exe68⤵PID:1872
-
\??\c:\6062828.exec:\6062828.exe69⤵PID:2316
-
\??\c:\xxllxxl.exec:\xxllxxl.exe70⤵PID:3036
-
\??\c:\9htnnh.exec:\9htnnh.exe71⤵PID:2336
-
\??\c:\4246266.exec:\4246266.exe72⤵
- System Location Discovery: System Language Discovery
PID:2340 -
\??\c:\xflxlxl.exec:\xflxlxl.exe73⤵PID:2400
-
\??\c:\jdvdp.exec:\jdvdp.exe74⤵PID:3012
-
\??\c:\rxxrfrr.exec:\rxxrfrr.exe75⤵PID:1988
-
\??\c:\pjvdp.exec:\pjvdp.exe76⤵PID:2100
-
\??\c:\bbbntb.exec:\bbbntb.exe77⤵PID:2080
-
\??\c:\bbnbnt.exec:\bbnbnt.exe78⤵PID:1528
-
\??\c:\7tnbnh.exec:\7tnbnh.exe79⤵PID:2368
-
\??\c:\3lfxfxf.exec:\3lfxfxf.exe80⤵PID:796
-
\??\c:\5pjdj.exec:\5pjdj.exe81⤵PID:908
-
\??\c:\826800.exec:\826800.exe82⤵PID:2464
-
\??\c:\0222284.exec:\0222284.exe83⤵PID:2868
-
\??\c:\48062.exec:\48062.exe84⤵
- System Location Discovery: System Language Discovery
PID:2808 -
\??\c:\xfxxrfx.exec:\xfxxrfx.exe85⤵PID:2860
-
\??\c:\044026.exec:\044026.exe86⤵PID:3016
-
\??\c:\e64624.exec:\e64624.exe87⤵PID:2852
-
\??\c:\c080240.exec:\c080240.exe88⤵PID:2820
-
\??\c:\bthnbb.exec:\bthnbb.exe89⤵PID:2716
-
\??\c:\ttthtt.exec:\ttthtt.exe90⤵PID:1832
-
\??\c:\lrlfxrx.exec:\lrlfxrx.exe91⤵PID:2504
-
\??\c:\xxrxrxr.exec:\xxrxrxr.exe92⤵PID:2032
-
\??\c:\086022.exec:\086022.exe93⤵PID:2720
-
\??\c:\xxlxfxl.exec:\xxlxfxl.exe94⤵PID:264
-
\??\c:\c868686.exec:\c868686.exe95⤵PID:764
-
\??\c:\60464.exec:\60464.exe96⤵PID:536
-
\??\c:\ffrfxrf.exec:\ffrfxrf.exe97⤵PID:2556
-
\??\c:\4268264.exec:\4268264.exe98⤵PID:2012
-
\??\c:\08224.exec:\08224.exe99⤵PID:2004
-
\??\c:\ffxfrxl.exec:\ffxfrxl.exe100⤵PID:2984
-
\??\c:\4004422.exec:\4004422.exe101⤵PID:2976
-
\??\c:\a8680.exec:\a8680.exe102⤵PID:2168
-
\??\c:\7pddj.exec:\7pddj.exe103⤵PID:2264
-
\??\c:\e00088.exec:\e00088.exe104⤵PID:1776
-
\??\c:\g2280.exec:\g2280.exe105⤵PID:448
-
\??\c:\tbnhhh.exec:\tbnhhh.exe106⤵PID:2640
-
\??\c:\5pjdj.exec:\5pjdj.exe107⤵PID:824
-
\??\c:\1rllflx.exec:\1rllflx.exe108⤵PID:1420
-
\??\c:\jdpvj.exec:\jdpvj.exe109⤵PID:1996
-
\??\c:\60284.exec:\60284.exe110⤵PID:1788
-
\??\c:\426622.exec:\426622.exe111⤵PID:1884
-
\??\c:\rlflflx.exec:\rlflflx.exe112⤵PID:3028
-
\??\c:\rrxfrxf.exec:\rrxfrxf.exe113⤵PID:688
-
\??\c:\3fxfflx.exec:\3fxfflx.exe114⤵PID:1460
-
\??\c:\82800.exec:\82800.exe115⤵PID:1612
-
\??\c:\2664440.exec:\2664440.exe116⤵PID:2424
-
\??\c:\20288.exec:\20288.exe117⤵PID:680
-
\??\c:\c004606.exec:\c004606.exe118⤵PID:880
-
\??\c:\604066.exec:\604066.exe119⤵PID:3012
-
\??\c:\04224.exec:\04224.exe120⤵PID:1988
-
\??\c:\5hbttt.exec:\5hbttt.exe121⤵PID:2100
-
\??\c:\bthhnn.exec:\bthhnn.exe122⤵PID:2076