Analysis
-
max time kernel
120s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
20-01-2025 08:58
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
7d1eee2ca4eed2f26de65b9c0bbb0c6d4861513710ce3019101b004f5e2b7a0fN.exe
Resource
win7-20240903-en
7 signatures
120 seconds
General
-
Target
7d1eee2ca4eed2f26de65b9c0bbb0c6d4861513710ce3019101b004f5e2b7a0fN.exe
-
Size
455KB
-
MD5
cbf08cd84d56825d88ef5811a63a1c30
-
SHA1
cef66491447a17ee2a67fae8c5c02ffc4f882887
-
SHA256
7d1eee2ca4eed2f26de65b9c0bbb0c6d4861513710ce3019101b004f5e2b7a0f
-
SHA512
77fb4aa7436083fd72983bdf25397013a0a9170bb3741cadd7a47aa29c3713b43a671a2323408d90e6b5788c355df326c115a6af59d8884958b96d0bd496e107
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeo:q7Tc2NYHUrAwfMp3CDo
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 59 IoCs
resource yara_rule behavioral1/memory/328-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2552-16-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1228-26-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2084-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2664-46-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2724-63-0x0000000000230000-0x000000000025A000-memory.dmp family_blackmoon behavioral1/memory/2724-64-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2864-74-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2712-83-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2668-92-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/2668-94-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2744-103-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2596-112-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3056-121-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2420-131-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/884-148-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/884-150-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1636-158-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1880-167-0x0000000000230000-0x000000000025A000-memory.dmp family_blackmoon behavioral1/memory/1344-177-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1192-186-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2184-202-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2184-204-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2468-213-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/992-227-0x0000000000230000-0x000000000025A000-memory.dmp family_blackmoon behavioral1/memory/992-232-0x0000000000230000-0x000000000025A000-memory.dmp family_blackmoon behavioral1/memory/1680-250-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2284-253-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2284-260-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/996-278-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1756-294-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2096-297-0x00000000771A0000-0x00000000772BF000-memory.dmp family_blackmoon behavioral1/memory/324-314-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2084-334-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2816-354-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2584-387-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3020-405-0x0000000000430000-0x000000000045A000-memory.dmp family_blackmoon behavioral1/memory/3056-413-0x00000000002A0000-0x00000000002CA000-memory.dmp family_blackmoon behavioral1/memory/3056-414-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2140-447-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2040-453-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/2256-498-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/1872-558-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2716-663-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1160-688-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1340-732-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/2432-763-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1100-778-0x0000000000250000-0x000000000027A000-memory.dmp family_blackmoon behavioral1/memory/2960-790-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2300-852-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2132-865-0x0000000000430000-0x000000000045A000-memory.dmp family_blackmoon behavioral1/memory/2548-872-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2132-886-0x0000000000430000-0x000000000045A000-memory.dmp family_blackmoon behavioral1/memory/2148-911-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3012-957-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1840-970-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/2396-971-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/2660-1151-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2800-1170-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2552 ttnnnb.exe 1228 vpppd.exe 2084 lfrxllr.exe 2664 xxlfrrx.exe 2672 jvjpd.exe 2724 tttthn.exe 2864 jdjjv.exe 2712 3nbntt.exe 2668 ntthnn.exe 2744 5rllfrf.exe 2596 nhnntt.exe 3056 7rlrflf.exe 2420 bbttht.exe 2332 ppjjd.exe 884 fxflrlx.exe 1636 1hbntt.exe 1880 9nnntt.exe 1344 1dpjj.exe 1192 btbtth.exe 2784 pjvvj.exe 2184 xxlxlrx.exe 2468 5hbbbh.exe 1968 pjvdd.exe 992 htbnhh.exe 1836 vpdvd.exe 1680 nbnntt.exe 2284 nhtbnt.exe 2944 5vppp.exe 996 thtbtt.exe 1888 5pdjp.exe 1756 frlllrf.exe 2096 hbntbb.exe 324 rxlxlrf.exe 1512 ntnbnh.exe 1168 jjvvd.exe 2084 xrfrflr.exe 2664 hbthtt.exe 2768 tnbttt.exe 2816 3pppd.exe 2820 1rlrlxf.exe 2776 xrflxxr.exe 2160 bbtbhn.exe 2604 ddvpd.exe 2748 jdvdp.exe 2584 rlflflr.exe 2580 tnbhbh.exe 3020 1bnhbb.exe 3056 dpjjj.exe 1620 ffxrfrf.exe 1540 7rffllx.exe 1820 btnhhb.exe 1716 ddjpp.exe 2140 9pdvv.exe 2040 rfxrffl.exe 2640 btnhnh.exe 2904 btttbh.exe 2756 5dpvd.exe 2844 rlfffll.exe 2448 rfffrrx.exe 2176 htnthh.exe 2256 7pvvv.exe 1292 jvppp.exe 1704 xlrrlrx.exe 1856 hhbhnb.exe -
resource yara_rule behavioral1/memory/328-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1228-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2552-16-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1228-26-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2084-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2664-46-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2724-64-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2864-74-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2712-75-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2712-83-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2668-94-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2744-103-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2596-112-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3056-113-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3056-121-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2332-132-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2420-131-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/884-150-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1636-158-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1344-177-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1192-186-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2468-205-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2184-204-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2468-213-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/992-223-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1680-242-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1680-250-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2284-253-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/996-278-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2096-297-0x00000000771A0000-0x00000000772BF000-memory.dmp upx behavioral1/memory/324-307-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/324-314-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2084-327-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2084-334-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2816-347-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2816-354-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2748-384-0x0000000000260000-0x000000000028A000-memory.dmp upx behavioral1/memory/2584-387-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3056-414-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2140-447-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2040-453-0x0000000000320000-0x000000000034A000-memory.dmp upx behavioral1/memory/2256-498-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1668-602-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2716-663-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1160-688-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1648-799-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1720-806-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2300-845-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2148-911-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2796-912-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2792-925-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1312-990-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/336-1003-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1148-1046-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1868-1107-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2660-1151-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7dpjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvjvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5hnnnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5frlrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3lxrllr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frffllr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rflxrrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfxfflr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llfllfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found 
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxlfxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppjpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7pdvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrllrrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 328 wrote to memory of 2552 328 7d1eee2ca4eed2f26de65b9c0bbb0c6d4861513710ce3019101b004f5e2b7a0fN.exe 30 PID 328 wrote to memory of 2552 328 7d1eee2ca4eed2f26de65b9c0bbb0c6d4861513710ce3019101b004f5e2b7a0fN.exe 30 PID 328 wrote to memory of 2552 328 7d1eee2ca4eed2f26de65b9c0bbb0c6d4861513710ce3019101b004f5e2b7a0fN.exe 30 PID 328 wrote to memory of 2552 328 7d1eee2ca4eed2f26de65b9c0bbb0c6d4861513710ce3019101b004f5e2b7a0fN.exe 30 PID 2552 wrote to memory of 1228 2552 ttnnnb.exe 31 PID 2552 wrote to memory of 1228 2552 ttnnnb.exe 31 PID 2552 wrote to memory of 1228 2552 ttnnnb.exe 31 PID 2552 wrote to memory of 1228 2552 ttnnnb.exe 31 PID 1228 wrote to memory of 2084 1228 vpppd.exe 32 PID 1228 wrote to memory of 2084 1228 vpppd.exe 32 PID 1228 wrote to memory of 2084 1228 vpppd.exe 32 PID 1228 wrote to memory of 2084 1228 vpppd.exe 32 PID 2084 wrote to memory of 2664 2084 lfrxllr.exe 33 PID 2084 wrote to memory of 2664 2084 lfrxllr.exe 33 PID 2084 wrote to memory of 2664 2084 lfrxllr.exe 33 PID 2084 wrote to memory of 2664 2084 lfrxllr.exe 33 PID 2664 wrote to memory of 2672 2664 xxlfrrx.exe 34 PID 2664 wrote to memory of 2672 2664 xxlfrrx.exe 34 PID 2664 wrote to memory of 2672 2664 xxlfrrx.exe 34 PID 2664 wrote to memory of 2672 2664 xxlfrrx.exe 34 PID 2672 wrote to memory of 2724 2672 jvjpd.exe 35 PID 2672 wrote to memory of 2724 2672 jvjpd.exe 35 PID 2672 wrote to memory of 2724 2672 jvjpd.exe 35 PID 2672 wrote to memory of 2724 2672 jvjpd.exe 35 PID 2724 wrote to memory of 2864 2724 tttthn.exe 36 PID 2724 wrote to memory of 2864 2724 tttthn.exe 36 PID 2724 wrote to memory of 2864 2724 tttthn.exe 36 PID 2724 wrote to memory of 2864 2724 tttthn.exe 36 PID 2864 wrote to memory of 2712 2864 jdjjv.exe 37 PID 2864 wrote to memory of 2712 2864 jdjjv.exe 37 PID 2864 wrote to memory of 2712 2864 jdjjv.exe 37 PID 2864 wrote to memory of 2712 2864 jdjjv.exe 37 PID 2712 wrote to memory of 2668 2712 3nbntt.exe 38 PID 2712 wrote to 
memory of 2668 2712 3nbntt.exe 38 PID 2712 wrote to memory of 2668 2712 3nbntt.exe 38 PID 2712 wrote to memory of 2668 2712 3nbntt.exe 38 PID 2668 wrote to memory of 2744 2668 ntthnn.exe 39 PID 2668 wrote to memory of 2744 2668 ntthnn.exe 39 PID 2668 wrote to memory of 2744 2668 ntthnn.exe 39 PID 2668 wrote to memory of 2744 2668 ntthnn.exe 39 PID 2744 wrote to memory of 2596 2744 5rllfrf.exe 40 PID 2744 wrote to memory of 2596 2744 5rllfrf.exe 40 PID 2744 wrote to memory of 2596 2744 5rllfrf.exe 40 PID 2744 wrote to memory of 2596 2744 5rllfrf.exe 40 PID 2596 wrote to memory of 3056 2596 nhnntt.exe 41 PID 2596 wrote to memory of 3056 2596 nhnntt.exe 41 PID 2596 wrote to memory of 3056 2596 nhnntt.exe 41 PID 2596 wrote to memory of 3056 2596 nhnntt.exe 41 PID 3056 wrote to memory of 2420 3056 7rlrflf.exe 42 PID 3056 wrote to memory of 2420 3056 7rlrflf.exe 42 PID 3056 wrote to memory of 2420 3056 7rlrflf.exe 42 PID 3056 wrote to memory of 2420 3056 7rlrflf.exe 42 PID 2420 wrote to memory of 2332 2420 bbttht.exe 43 PID 2420 wrote to memory of 2332 2420 bbttht.exe 43 PID 2420 wrote to memory of 2332 2420 bbttht.exe 43 PID 2420 wrote to memory of 2332 2420 bbttht.exe 43 PID 2332 wrote to memory of 884 2332 ppjjd.exe 44 PID 2332 wrote to memory of 884 2332 ppjjd.exe 44 PID 2332 wrote to memory of 884 2332 ppjjd.exe 44 PID 2332 wrote to memory of 884 2332 ppjjd.exe 44 PID 884 wrote to memory of 1636 884 fxflrlx.exe 45 PID 884 wrote to memory of 1636 884 fxflrlx.exe 45 PID 884 wrote to memory of 1636 884 fxflrlx.exe 45 PID 884 wrote to memory of 1636 884 fxflrlx.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\7d1eee2ca4eed2f26de65b9c0bbb0c6d4861513710ce3019101b004f5e2b7a0fN.exe"C:\Users\Admin\AppData\Local\Temp\7d1eee2ca4eed2f26de65b9c0bbb0c6d4861513710ce3019101b004f5e2b7a0fN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:328 -
\??\c:\ttnnnb.exec:\ttnnnb.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2552 -
\??\c:\vpppd.exec:\vpppd.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1228 -
\??\c:\lfrxllr.exec:\lfrxllr.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2084 -
\??\c:\xxlfrrx.exec:\xxlfrrx.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2664 -
\??\c:\jvjpd.exec:\jvjpd.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2672 -
\??\c:\tttthn.exec:\tttthn.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2724 -
\??\c:\jdjjv.exec:\jdjjv.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2864 -
\??\c:\3nbntt.exec:\3nbntt.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2712 -
\??\c:\ntthnn.exec:\ntthnn.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2668 -
\??\c:\5rllfrf.exec:\5rllfrf.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2744 -
\??\c:\nhnntt.exec:\nhnntt.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2596 -
\??\c:\7rlrflf.exec:\7rlrflf.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3056 -
\??\c:\bbttht.exec:\bbttht.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2420 -
\??\c:\ppjjd.exec:\ppjjd.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2332 -
\??\c:\fxflrlx.exec:\fxflrlx.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:884 -
\??\c:\1hbntt.exec:\1hbntt.exe17⤵
- Executes dropped EXE
PID:1636 -
\??\c:\9nnntt.exec:\9nnntt.exe18⤵
- Executes dropped EXE
PID:1880 -
\??\c:\1dpjj.exec:\1dpjj.exe19⤵
- Executes dropped EXE
PID:1344 -
\??\c:\btbtth.exec:\btbtth.exe20⤵
- Executes dropped EXE
PID:1192 -
\??\c:\pjvvj.exec:\pjvvj.exe21⤵
- Executes dropped EXE
PID:2784 -
\??\c:\xxlxlrx.exec:\xxlxlrx.exe22⤵
- Executes dropped EXE
PID:2184 -
\??\c:\5hbbbh.exec:\5hbbbh.exe23⤵
- Executes dropped EXE
PID:2468 -
\??\c:\pjvdd.exec:\pjvdd.exe24⤵
- Executes dropped EXE
PID:1968 -
\??\c:\htbnhh.exec:\htbnhh.exe25⤵
- Executes dropped EXE
PID:992 -
\??\c:\vpdvd.exec:\vpdvd.exe26⤵
- Executes dropped EXE
PID:1836 -
\??\c:\nbnntt.exec:\nbnntt.exe27⤵
- Executes dropped EXE
PID:1680 -
\??\c:\nhtbnt.exec:\nhtbnt.exe28⤵
- Executes dropped EXE
PID:2284 -
\??\c:\5vppp.exec:\5vppp.exe29⤵
- Executes dropped EXE
PID:2944 -
\??\c:\thtbtt.exec:\thtbtt.exe30⤵
- Executes dropped EXE
PID:996 -
\??\c:\5pdjp.exec:\5pdjp.exe31⤵
- Executes dropped EXE
PID:1888 -
\??\c:\frlllrf.exec:\frlllrf.exe32⤵
- Executes dropped EXE
PID:1756 -
\??\c:\hbntbb.exec:\hbntbb.exe33⤵
- Executes dropped EXE
PID:2096 -
\??\c:\1pdjp.exec:\1pdjp.exe34⤵PID:2552
-
\??\c:\rxlxlrf.exec:\rxlxlrf.exe35⤵
- Executes dropped EXE
PID:324 -
\??\c:\ntnbnh.exec:\ntnbnh.exe36⤵
- Executes dropped EXE
PID:1512 -
\??\c:\jjvvd.exec:\jjvvd.exe37⤵
- Executes dropped EXE
PID:1168 -
\??\c:\xrfrflr.exec:\xrfrflr.exe38⤵
- Executes dropped EXE
PID:2084 -
\??\c:\hbthtt.exec:\hbthtt.exe39⤵
- Executes dropped EXE
PID:2664 -
\??\c:\tnbttt.exec:\tnbttt.exe40⤵
- Executes dropped EXE
PID:2768 -
\??\c:\3pppd.exec:\3pppd.exe41⤵
- Executes dropped EXE
PID:2816 -
\??\c:\1rlrlxf.exec:\1rlrlxf.exe42⤵
- Executes dropped EXE
PID:2820 -
\??\c:\xrflxxr.exec:\xrflxxr.exe43⤵
- Executes dropped EXE
PID:2776 -
\??\c:\bbtbhn.exec:\bbtbhn.exe44⤵
- Executes dropped EXE
PID:2160 -
\??\c:\ddvpd.exec:\ddvpd.exe45⤵
- Executes dropped EXE
PID:2604 -
\??\c:\jdvdp.exec:\jdvdp.exe46⤵
- Executes dropped EXE
PID:2748 -
\??\c:\rlflflr.exec:\rlflflr.exe47⤵
- Executes dropped EXE
PID:2584 -
\??\c:\tnbhbh.exec:\tnbhbh.exe48⤵
- Executes dropped EXE
PID:2580 -
\??\c:\1bnhbb.exec:\1bnhbb.exe49⤵
- Executes dropped EXE
PID:3020 -
\??\c:\dpjjj.exec:\dpjjj.exe50⤵
- Executes dropped EXE
PID:3056 -
\??\c:\ffxrfrf.exec:\ffxrfrf.exe51⤵
- Executes dropped EXE
PID:1620 -
\??\c:\7rffllx.exec:\7rffllx.exe52⤵
- Executes dropped EXE
PID:1540 -
\??\c:\btnhhb.exec:\btnhhb.exe53⤵
- Executes dropped EXE
PID:1820 -
\??\c:\ddjpp.exec:\ddjpp.exe54⤵
- Executes dropped EXE
PID:1716 -
\??\c:\9pdvv.exec:\9pdvv.exe55⤵
- Executes dropped EXE
PID:2140 -
\??\c:\rfxrffl.exec:\rfxrffl.exe56⤵
- Executes dropped EXE
PID:2040 -
\??\c:\btnhnh.exec:\btnhnh.exe57⤵
- Executes dropped EXE
PID:2640 -
\??\c:\btttbh.exec:\btttbh.exe58⤵
- Executes dropped EXE
PID:2904 -
\??\c:\5dpvd.exec:\5dpvd.exe59⤵
- Executes dropped EXE
PID:2756 -
\??\c:\rlfffll.exec:\rlfffll.exe60⤵
- Executes dropped EXE
PID:2844 -
\??\c:\rfffrrx.exec:\rfffrrx.exe61⤵
- Executes dropped EXE
PID:2448 -
\??\c:\htnthh.exec:\htnthh.exe62⤵
- Executes dropped EXE
PID:2176 -
\??\c:\7pvvv.exec:\7pvvv.exe63⤵
- Executes dropped EXE
PID:2256 -
\??\c:\jvppp.exec:\jvppp.exe64⤵
- Executes dropped EXE
PID:1292 -
\??\c:\xlrrlrx.exec:\xlrrlrx.exe65⤵
- Executes dropped EXE
PID:1704 -
\??\c:\hhbhnb.exec:\hhbhnb.exe66⤵
- Executes dropped EXE
PID:1856 -
\??\c:\vdpjj.exec:\vdpjj.exe67⤵PID:1816
-
\??\c:\9pvvp.exec:\9pvvp.exe68⤵PID:1644
-
\??\c:\xfffxxf.exec:\xfffxxf.exe69⤵PID:2404
-
\??\c:\tthhnn.exec:\tthhnn.exe70⤵PID:2280
-
\??\c:\3ttbbt.exec:\3ttbbt.exe71⤵PID:2240
-
\??\c:\jjjjd.exec:\jjjjd.exe72⤵PID:2324
-
\??\c:\lfffffl.exec:\lfffffl.exe73⤵PID:1872
-
\??\c:\5frlllr.exec:\5frlllr.exe74⤵PID:2364
-
\??\c:\htbhhb.exec:\htbhhb.exe75⤵PID:1848
-
\??\c:\7vvpv.exec:\7vvpv.exe76⤵PID:2972
-
\??\c:\xlxxxfr.exec:\xlxxxfr.exe77⤵PID:2064
-
\??\c:\3rrfllr.exec:\3rrfllr.exe78⤵PID:2232
-
\??\c:\nnhtbb.exec:\nnhtbb.exe79⤵PID:1480
-
\??\c:\dpvvd.exec:\dpvvd.exe80⤵PID:2248
-
\??\c:\fflrfxl.exec:\fflrfxl.exe81⤵PID:1668
-
\??\c:\5ntbth.exec:\5ntbth.exe82⤵PID:2224
-
\??\c:\7hbtnh.exec:\7hbtnh.exe83⤵PID:2228
-
\??\c:\vvpvj.exec:\vvpvj.exe84⤵PID:2148
-
\??\c:\vdvvv.exec:\vdvvv.exe85⤵PID:2684
-
\??\c:\xlxfllx.exec:\xlxfllx.exe86⤵PID:2860
-
\??\c:\nnbttt.exec:\nnbttt.exe87⤵PID:2696
-
\??\c:\htnnbb.exec:\htnnbb.exe88⤵PID:2892
-
\??\c:\dvvvv.exec:\dvvvv.exe89⤵PID:2376
-
\??\c:\1jpvv.exec:\1jpvv.exe90⤵PID:2716
-
\??\c:\rlxxxxf.exec:\rlxxxxf.exe91⤵PID:2824
-
\??\c:\1nbhnt.exec:\1nbhnt.exe92⤵PID:2384
-
\??\c:\tnhntn.exec:\tnhntn.exe93⤵PID:2580
-
\??\c:\1vpvd.exec:\1vpvd.exe94⤵PID:1160
-
\??\c:\3dpdj.exec:\3dpdj.exe95⤵PID:1544
-
\??\c:\llfrfrf.exec:\llfrfrf.exe96⤵PID:2332
-
\??\c:\nhtbhh.exec:\nhtbhh.exe97⤵PID:1640
-
\??\c:\1nnntt.exec:\1nnntt.exe98⤵PID:884
-
\??\c:\dvjjp.exec:\dvjjp.exe99⤵PID:1428
-
\??\c:\rrllffl.exec:\rrllffl.exe100⤵PID:1700
-
\??\c:\lrlxlrf.exec:\lrlxlrf.exe101⤵PID:1340
-
\??\c:\nhbhnt.exec:\nhbhnt.exe102⤵PID:1936
-
\??\c:\jdvdp.exec:\jdvdp.exe103⤵PID:1344
-
\??\c:\vppdj.exec:\vppdj.exe104⤵PID:2676
-
\??\c:\rfxrrrr.exec:\rfxrrrr.exe105⤵PID:2060
-
\??\c:\ttnbhn.exec:\ttnbhn.exe106⤵PID:2432
-
\??\c:\vpdvp.exec:\vpdvp.exe107⤵PID:1732
-
\??\c:\3xrxffl.exec:\3xrxffl.exe108⤵PID:1100
-
\??\c:\lfrxxff.exec:\lfrxxff.exe109⤵PID:1892
-
\??\c:\ppjpp.exec:\ppjpp.exe110⤵
- System Location Discovery: System Language Discovery
PID:2960 -
\??\c:\jpdvv.exec:\jpdvv.exe111⤵PID:856
-
\??\c:\llxrxxl.exec:\llxrxxl.exe112⤵PID:1648
-
\??\c:\7bbtbb.exec:\7bbtbb.exe113⤵PID:1720
-
\??\c:\bbnnbb.exec:\bbnnbb.exe114⤵PID:2284
-
\??\c:\1jddp.exec:\1jddp.exe115⤵PID:1420
-
\??\c:\7xrrxxl.exec:\7xrrxxl.exe116⤵PID:2112
-
\??\c:\9fxxxxf.exec:\9fxxxxf.exe117⤵PID:1304
-
\??\c:\9thhnn.exec:\9thhnn.exe118⤵PID:2436
-
\??\c:\jvjpv.exec:\jvjpv.exe119⤵PID:2300
-
\??\c:\pvvvj.exec:\pvvvj.exe120⤵PID:2068
-
\??\c:\7fxllxl.exec:\7fxllxl.exe121⤵PID:2132
-
\??\c:\hbntbb.exec:\hbntbb.exe122⤵PID:2548