Analysis
-
max time kernel
120s -
max time network
17s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
27/01/2025, 15:11
Static task
static1
1 signature
Behavioral task
behavioral1
Sample
ca12f97433b71ed2da84202b44ade4dc0d70ed3ff3aaa748151cd50c275ff479.exe
Resource
win7-20240903-en
7 signatures
120 seconds
General
-
Target
ca12f97433b71ed2da84202b44ade4dc0d70ed3ff3aaa748151cd50c275ff479.exe
-
Size
454KB
-
MD5
91b83f548e6ff4e1aafa1da5ec7ea0f7
-
SHA1
2dad9079c4200d8a47abeabf148ba9486b4ced37
-
SHA256
ca12f97433b71ed2da84202b44ade4dc0d70ed3ff3aaa748151cd50c275ff479
-
SHA512
9fe3a8b586bcc65d2a6dd3305090f38fcb4faeba0263f41e5f8e69de76fe4c6ccace3e9880b031ba9c6f673b5273146e37de19c355299e29368257837fd7bd61
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeN:q7Tc2NYHUrAwfMp3CDN
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 36 IoCs
resource yara_rule behavioral1/memory/2708-8-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2756-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2704-26-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2908-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2620-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2816-50-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2664-60-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2192-74-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2516-94-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2512-104-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1432-114-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1508-132-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2104-149-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2872-158-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1904-170-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1624-179-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2220-207-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1496-217-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/976-235-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2292-244-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1636-279-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/1628-333-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/1836-352-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2612-361-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1928-381-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1432-403-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1376-423-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1752-450-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1148-465-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/1140-484-0x00000000002A0000-0x00000000002CA000-memory.dmp family_blackmoon behavioral1/memory/1596-506-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1448-505-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2012-660-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2876-691-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2836-699-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1108-750-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs (the IoC list appears to be capped at 64 entries; the process tree below shows the drop-and-execute chain continuing to at least depth 122, so the true count of dropped executables is higher than this list suggests) -
pid Process 2756 ddvvd.exe 2704 xlxllff.exe 2908 9tnbhn.exe 2620 xxrxflf.exe 2816 tnntbb.exe 2664 pdpvd.exe 2192 rrxxlff.exe 2968 pjvvd.exe 2516 rfxxxrx.exe 2512 vjppv.exe 1432 9jdjv.exe 2988 nbnnth.exe 1508 jjjpp.exe 2836 nbtbbh.exe 2104 ddvjv.exe 2872 lrlrffx.exe 1904 7nttbh.exe 1624 rlrffxx.exe 1272 nnbntb.exe 2176 3dvjp.exe 2220 rlflxfr.exe 1496 7pjpp.exe 1952 pdpjv.exe 976 bthhtn.exe 2292 vpjvj.exe 2120 rlxflfl.exe 2500 nnntht.exe 1964 bnthhh.exe 1636 vpjpv.exe 1744 1xllrrx.exe 2740 1thbbb.exe 1684 llxfrxf.exe 2792 bnhnnn.exe 2716 jdpvd.exe 3024 fflrflx.exe 1628 rrflxxl.exe 2592 httthn.exe 2676 dddvd.exe 1836 rlfrrxl.exe 2612 bnhhtt.exe 1776 5bnnnt.exe 2004 vjpvd.exe 1928 lxlfffx.exe 1944 htnntt.exe 2168 3pppp.exe 1432 lfrxrlx.exe 2864 ttnnhh.exe 2144 7jvpv.exe 1376 1xllxrf.exe 1316 tnbnbn.exe 2104 hthtbt.exe 1148 djjdd.exe 1752 xrflrxf.exe 1140 thtntb.exe 2284 vjvvd.exe 2208 lfxllxf.exe 2160 rlxfrlr.exe 3048 7hbbtb.exe 2576 7vjdj.exe 1936 lfxfffl.exe 1448 1xxxxxx.exe 1596 hhbnhh.exe 2468 pdvvd.exe 2188 frxffxl.exe -
resource yara_rule behavioral1/memory/2708-8-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2756-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2704-26-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2908-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2908-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2620-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2816-50-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2664-60-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2192-74-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2512-95-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2516-94-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2512-104-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1432-114-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1508-132-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2872-150-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2104-149-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2872-158-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1904-160-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1624-171-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1904-170-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1624-179-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1496-208-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2220-207-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1496-217-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/976-227-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/976-235-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2292-244-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1636-279-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2792-306-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1628-326-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1836-352-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1928-381-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1944-382-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1432-396-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1432-403-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1376-423-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1148-436-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1752-450-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1596-506-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1448-505-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2188-540-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2492-545-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2748-559-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2728-587-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2940-594-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2592-614-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2512-653-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2012-660-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2876-691-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2836-692-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2836-699-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/620-706-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1108-750-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location. Note for triage: reading the NLS\Language key is a low-fidelity indicator on its own (many benign programs and runtimes query locale settings) and is only meaningful here in combination with the Blackmoon YARA hits above. The numerous "Process not Found" entries below most likely mean the originating process had already exited before the sandbox could resolve its PID to an image name, so those events cannot be attributed to a specific dropped executable.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdpvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpjvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1dppj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3nnnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9nhhnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5pjpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfrxxfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rllfxll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1xlrllr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process 
not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvvpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpvvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9dpdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjdjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9lllxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3rfrxfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrllxxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxlfllr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrxrffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btnntt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lffrrxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1xrrrrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs (each parent writes to the PID it subsequently spawns as its child in the process tree below — e.g. 2708 → 2756 ddvvd.exe, 2756 → 2704 xlxllff.exe — which is consistent with process creation rather than cross-process injection into an unrelated target; treat this signature as supporting, not primary, evidence. As with the other lists, it appears capped at 64 entries.) -
description pid Process procid_target PID 2708 wrote to memory of 2756 2708 ca12f97433b71ed2da84202b44ade4dc0d70ed3ff3aaa748151cd50c275ff479.exe 30 PID 2708 wrote to memory of 2756 2708 ca12f97433b71ed2da84202b44ade4dc0d70ed3ff3aaa748151cd50c275ff479.exe 30 PID 2708 wrote to memory of 2756 2708 ca12f97433b71ed2da84202b44ade4dc0d70ed3ff3aaa748151cd50c275ff479.exe 30 PID 2708 wrote to memory of 2756 2708 ca12f97433b71ed2da84202b44ade4dc0d70ed3ff3aaa748151cd50c275ff479.exe 30 PID 2756 wrote to memory of 2704 2756 ddvvd.exe 31 PID 2756 wrote to memory of 2704 2756 ddvvd.exe 31 PID 2756 wrote to memory of 2704 2756 ddvvd.exe 31 PID 2756 wrote to memory of 2704 2756 ddvvd.exe 31 PID 2704 wrote to memory of 2908 2704 xlxllff.exe 32 PID 2704 wrote to memory of 2908 2704 xlxllff.exe 32 PID 2704 wrote to memory of 2908 2704 xlxllff.exe 32 PID 2704 wrote to memory of 2908 2704 xlxllff.exe 32 PID 2908 wrote to memory of 2620 2908 9tnbhn.exe 33 PID 2908 wrote to memory of 2620 2908 9tnbhn.exe 33 PID 2908 wrote to memory of 2620 2908 9tnbhn.exe 33 PID 2908 wrote to memory of 2620 2908 9tnbhn.exe 33 PID 2620 wrote to memory of 2816 2620 xxrxflf.exe 34 PID 2620 wrote to memory of 2816 2620 xxrxflf.exe 34 PID 2620 wrote to memory of 2816 2620 xxrxflf.exe 34 PID 2620 wrote to memory of 2816 2620 xxrxflf.exe 34 PID 2816 wrote to memory of 2664 2816 tnntbb.exe 35 PID 2816 wrote to memory of 2664 2816 tnntbb.exe 35 PID 2816 wrote to memory of 2664 2816 tnntbb.exe 35 PID 2816 wrote to memory of 2664 2816 tnntbb.exe 35 PID 2664 wrote to memory of 2192 2664 pdpvd.exe 36 PID 2664 wrote to memory of 2192 2664 pdpvd.exe 36 PID 2664 wrote to memory of 2192 2664 pdpvd.exe 36 PID 2664 wrote to memory of 2192 2664 pdpvd.exe 36 PID 2192 wrote to memory of 2968 2192 rrxxlff.exe 37 PID 2192 wrote to memory of 2968 2192 rrxxlff.exe 37 PID 2192 wrote to memory of 2968 2192 rrxxlff.exe 37 PID 2192 wrote to memory of 2968 2192 rrxxlff.exe 37 PID 2968 wrote to memory of 2516 2968 pjvvd.exe 38 PID 2968 
wrote to memory of 2516 2968 pjvvd.exe 38 PID 2968 wrote to memory of 2516 2968 pjvvd.exe 38 PID 2968 wrote to memory of 2516 2968 pjvvd.exe 38 PID 2516 wrote to memory of 2512 2516 rfxxxrx.exe 39 PID 2516 wrote to memory of 2512 2516 rfxxxrx.exe 39 PID 2516 wrote to memory of 2512 2516 rfxxxrx.exe 39 PID 2516 wrote to memory of 2512 2516 rfxxxrx.exe 39 PID 2512 wrote to memory of 1432 2512 vjppv.exe 40 PID 2512 wrote to memory of 1432 2512 vjppv.exe 40 PID 2512 wrote to memory of 1432 2512 vjppv.exe 40 PID 2512 wrote to memory of 1432 2512 vjppv.exe 40 PID 1432 wrote to memory of 2988 1432 9jdjv.exe 41 PID 1432 wrote to memory of 2988 1432 9jdjv.exe 41 PID 1432 wrote to memory of 2988 1432 9jdjv.exe 41 PID 1432 wrote to memory of 2988 1432 9jdjv.exe 41 PID 2988 wrote to memory of 1508 2988 nbnnth.exe 42 PID 2988 wrote to memory of 1508 2988 nbnnth.exe 42 PID 2988 wrote to memory of 1508 2988 nbnnth.exe 42 PID 2988 wrote to memory of 1508 2988 nbnnth.exe 42 PID 1508 wrote to memory of 2836 1508 jjjpp.exe 43 PID 1508 wrote to memory of 2836 1508 jjjpp.exe 43 PID 1508 wrote to memory of 2836 1508 jjjpp.exe 43 PID 1508 wrote to memory of 2836 1508 jjjpp.exe 43 PID 2836 wrote to memory of 2104 2836 nbtbbh.exe 44 PID 2836 wrote to memory of 2104 2836 nbtbbh.exe 44 PID 2836 wrote to memory of 2104 2836 nbtbbh.exe 44 PID 2836 wrote to memory of 2104 2836 nbtbbh.exe 44 PID 2104 wrote to memory of 2872 2104 ddvjv.exe 45 PID 2104 wrote to memory of 2872 2104 ddvjv.exe 45 PID 2104 wrote to memory of 2872 2104 ddvjv.exe 45 PID 2104 wrote to memory of 2872 2104 ddvjv.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\ca12f97433b71ed2da84202b44ade4dc0d70ed3ff3aaa748151cd50c275ff479.exe"C:\Users\Admin\AppData\Local\Temp\ca12f97433b71ed2da84202b44ade4dc0d70ed3ff3aaa748151cd50c275ff479.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2708 -
\??\c:\ddvvd.exec:\ddvvd.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2756 -
\??\c:\xlxllff.exec:\xlxllff.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2704 -
\??\c:\9tnbhn.exec:\9tnbhn.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2908 -
\??\c:\xxrxflf.exec:\xxrxflf.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2620 -
\??\c:\tnntbb.exec:\tnntbb.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2816 -
\??\c:\pdpvd.exec:\pdpvd.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2664 -
\??\c:\rrxxlff.exec:\rrxxlff.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2192 -
\??\c:\pjvvd.exec:\pjvvd.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2968 -
\??\c:\rfxxxrx.exec:\rfxxxrx.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2516 -
\??\c:\vjppv.exec:\vjppv.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2512 -
\??\c:\9jdjv.exec:\9jdjv.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1432 -
\??\c:\nbnnth.exec:\nbnnth.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2988 -
\??\c:\jjjpp.exec:\jjjpp.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1508 -
\??\c:\nbtbbh.exec:\nbtbbh.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2836 -
\??\c:\ddvjv.exec:\ddvjv.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2104 -
\??\c:\lrlrffx.exec:\lrlrffx.exe17⤵
- Executes dropped EXE
PID:2872 -
\??\c:\7nttbh.exec:\7nttbh.exe18⤵
- Executes dropped EXE
PID:1904 -
\??\c:\rlrffxx.exec:\rlrffxx.exe19⤵
- Executes dropped EXE
PID:1624 -
\??\c:\nnbntb.exec:\nnbntb.exe20⤵
- Executes dropped EXE
PID:1272 -
\??\c:\3dvjp.exec:\3dvjp.exe21⤵
- Executes dropped EXE
PID:2176 -
\??\c:\rlflxfr.exec:\rlflxfr.exe22⤵
- Executes dropped EXE
PID:2220 -
\??\c:\7pjpp.exec:\7pjpp.exe23⤵
- Executes dropped EXE
PID:1496 -
\??\c:\pdpjv.exec:\pdpjv.exe24⤵
- Executes dropped EXE
PID:1952 -
\??\c:\bthhtn.exec:\bthhtn.exe25⤵
- Executes dropped EXE
PID:976 -
\??\c:\vpjvj.exec:\vpjvj.exe26⤵
- Executes dropped EXE
PID:2292 -
\??\c:\rlxflfl.exec:\rlxflfl.exe27⤵
- Executes dropped EXE
PID:2120 -
\??\c:\nnntht.exec:\nnntht.exe28⤵
- Executes dropped EXE
PID:2500 -
\??\c:\bnthhh.exec:\bnthhh.exe29⤵
- Executes dropped EXE
PID:1964 -
\??\c:\vpjpv.exec:\vpjpv.exe30⤵
- Executes dropped EXE
PID:1636 -
\??\c:\1xllrrx.exec:\1xllrrx.exe31⤵
- Executes dropped EXE
PID:1744 -
\??\c:\1thbbb.exec:\1thbbb.exe32⤵
- Executes dropped EXE
PID:2740 -
\??\c:\llxfrxf.exec:\llxfrxf.exe33⤵
- Executes dropped EXE
PID:1684 -
\??\c:\bnhnnn.exec:\bnhnnn.exe34⤵
- Executes dropped EXE
PID:2792 -
\??\c:\jdpvd.exec:\jdpvd.exe35⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2716 -
\??\c:\fflrflx.exec:\fflrflx.exe36⤵
- Executes dropped EXE
PID:3024 -
\??\c:\rrflxxl.exec:\rrflxxl.exe37⤵
- Executes dropped EXE
PID:1628 -
\??\c:\httthn.exec:\httthn.exe38⤵
- Executes dropped EXE
PID:2592 -
\??\c:\dddvd.exec:\dddvd.exe39⤵
- Executes dropped EXE
PID:2676 -
\??\c:\rlfrrxl.exec:\rlfrrxl.exe40⤵
- Executes dropped EXE
PID:1836 -
\??\c:\bnhhtt.exec:\bnhhtt.exe41⤵
- Executes dropped EXE
PID:2612 -
\??\c:\5bnnnt.exec:\5bnnnt.exe42⤵
- Executes dropped EXE
PID:1776 -
\??\c:\vjpvd.exec:\vjpvd.exe43⤵
- Executes dropped EXE
PID:2004 -
\??\c:\lxlfffx.exec:\lxlfffx.exe44⤵
- Executes dropped EXE
PID:1928 -
\??\c:\htnntt.exec:\htnntt.exe45⤵
- Executes dropped EXE
PID:1944 -
\??\c:\3pppp.exec:\3pppp.exe46⤵
- Executes dropped EXE
PID:2168 -
\??\c:\lfrxrlx.exec:\lfrxrlx.exe47⤵
- Executes dropped EXE
PID:1432 -
\??\c:\ttnnhh.exec:\ttnnhh.exe48⤵
- Executes dropped EXE
PID:2864 -
\??\c:\7jvpv.exec:\7jvpv.exe49⤵
- Executes dropped EXE
PID:2144 -
\??\c:\1xllxrf.exec:\1xllxrf.exe50⤵
- Executes dropped EXE
PID:1376 -
\??\c:\tnbnbn.exec:\tnbnbn.exe51⤵
- Executes dropped EXE
PID:1316 -
\??\c:\hthtbt.exec:\hthtbt.exe52⤵
- Executes dropped EXE
PID:2104 -
\??\c:\djjdd.exec:\djjdd.exe53⤵
- Executes dropped EXE
PID:1148 -
\??\c:\xrflrxf.exec:\xrflrxf.exe54⤵
- Executes dropped EXE
PID:1752 -
\??\c:\thtntb.exec:\thtntb.exe55⤵
- Executes dropped EXE
PID:1140 -
\??\c:\vjvvd.exec:\vjvvd.exe56⤵
- Executes dropped EXE
PID:2284 -
\??\c:\lfxllxf.exec:\lfxllxf.exe57⤵
- Executes dropped EXE
PID:2208 -
\??\c:\rlxfrlr.exec:\rlxfrlr.exe58⤵
- Executes dropped EXE
PID:2160 -
\??\c:\7hbbtb.exec:\7hbbtb.exe59⤵
- Executes dropped EXE
PID:3048 -
\??\c:\7vjdj.exec:\7vjdj.exe60⤵
- Executes dropped EXE
PID:2576 -
\??\c:\lfxfffl.exec:\lfxfffl.exe61⤵
- Executes dropped EXE
PID:1936 -
\??\c:\1xxxxxx.exec:\1xxxxxx.exe62⤵
- Executes dropped EXE
PID:1448 -
\??\c:\hhbnhh.exec:\hhbnhh.exe63⤵
- Executes dropped EXE
PID:1596 -
\??\c:\pdvvd.exec:\pdvvd.exe64⤵
- Executes dropped EXE
PID:2468 -
\??\c:\frxffxl.exec:\frxffxl.exe65⤵
- Executes dropped EXE
PID:2188 -
\??\c:\7ffrrrx.exec:\7ffrrrx.exe66⤵PID:2360
-
\??\c:\bnbnnh.exec:\bnbnnh.exe67⤵PID:2376
-
\??\c:\jjdjd.exec:\jjdjd.exe68⤵PID:2500
-
\??\c:\pdpvd.exec:\pdpvd.exe69⤵PID:2492
-
\??\c:\1xrxffl.exec:\1xrxffl.exe70⤵PID:1636
-
\??\c:\bntthh.exec:\bntthh.exe71⤵PID:2748
-
\??\c:\vpjjp.exec:\vpjjp.exe72⤵PID:3012
-
\??\c:\dvjjj.exec:\dvjjj.exe73⤵PID:2808
-
\??\c:\rrfrxfl.exec:\rrfrxfl.exe74⤵PID:2268
-
\??\c:\tnbhtt.exec:\tnbhtt.exe75⤵PID:2728
-
\??\c:\bbtnbb.exec:\bbtnbb.exe76⤵PID:2940
-
\??\c:\jjjjp.exec:\jjjjp.exe77⤵PID:2900
-
\??\c:\9xllxfl.exec:\9xllxfl.exe78⤵PID:2596
-
\??\c:\nhbbtt.exec:\nhbbtt.exe79⤵PID:2592
-
\??\c:\nbnthh.exec:\nbnthh.exe80⤵PID:2672
-
\??\c:\vpjpv.exec:\vpjpv.exe81⤵PID:2308
-
\??\c:\rllrrrx.exec:\rllrrrx.exe82⤵PID:2012
-
\??\c:\3ntnbn.exec:\3ntnbn.exe83⤵PID:2968
-
\??\c:\3bnnth.exec:\3bnnth.exe84⤵PID:2996
-
\??\c:\5ddvd.exec:\5ddvd.exe85⤵PID:2512
-
\??\c:\rfrxffl.exec:\rfrxffl.exe86⤵PID:2932
-
\??\c:\htnttt.exec:\htnttt.exe87⤵PID:2952
-
\??\c:\tnhthn.exec:\tnhthn.exe88⤵PID:2316
-
\??\c:\jdppj.exec:\jdppj.exe89⤵PID:2148
-
\??\c:\9rrrffr.exec:\9rrrffr.exe90⤵PID:2876
-
\??\c:\xlrlrxf.exec:\xlrlrxf.exe91⤵PID:2836
-
\??\c:\9btbht.exec:\9btbht.exe92⤵PID:492
-
\??\c:\5jjpv.exec:\5jjpv.exe93⤵PID:620
-
\??\c:\ffxxlrx.exec:\ffxxlrx.exe94⤵PID:1900
-
\??\c:\xrrrffr.exec:\xrrrffr.exe95⤵PID:848
-
\??\c:\nbnthn.exec:\nbnthn.exe96⤵PID:980
-
\??\c:\3jdjp.exec:\3jdjp.exe97⤵PID:2152
-
\??\c:\jddjv.exec:\jddjv.exe98⤵PID:1272
-
\??\c:\rllfxll.exec:\rllfxll.exe99⤵
- System Location Discovery: System Language Discovery
PID:1048 -
\??\c:\nbbbhb.exec:\nbbbhb.exe100⤵PID:1108
-
\??\c:\3jppp.exec:\3jppp.exe101⤵PID:1208
-
\??\c:\jdpvj.exec:\jdpvj.exe102⤵PID:2576
-
\??\c:\lfxrffl.exec:\lfxrffl.exe103⤵PID:1336
-
\??\c:\bnhhnt.exec:\bnhhnt.exe104⤵PID:1252
-
\??\c:\jjjpp.exec:\jjjpp.exe105⤵PID:1856
-
\??\c:\dvdvj.exec:\dvdvj.exe106⤵PID:1060
-
\??\c:\3fxxllx.exec:\3fxxllx.exe107⤵PID:564
-
\??\c:\5hbhnn.exec:\5hbhnn.exe108⤵PID:2384
-
\??\c:\hbnnhh.exec:\hbnnhh.exe109⤵PID:3064
-
\??\c:\7jvpv.exec:\7jvpv.exe110⤵PID:2196
-
\??\c:\frlflxl.exec:\frlflxl.exe111⤵PID:2464
-
\??\c:\xrflrrf.exec:\xrflrrf.exe112⤵PID:1580
-
\??\c:\bntbnt.exec:\bntbnt.exe113⤵PID:888
-
\??\c:\dvpjv.exec:\dvpjv.exe114⤵PID:1556
-
\??\c:\3pjjp.exec:\3pjjp.exe115⤵PID:2752
-
\??\c:\ffrfrrx.exec:\ffrfrrx.exe116⤵PID:2892
-
\??\c:\7tntbh.exec:\7tntbh.exe117⤵PID:2824
-
\??\c:\1tbhnh.exec:\1tbhnh.exe118⤵PID:3024
-
\??\c:\9jpjv.exec:\9jpjv.exe119⤵PID:2764
-
\??\c:\1rfxflr.exec:\1rfxflr.exe120⤵PID:2832
-
\??\c:\fxlfllr.exec:\fxlfllr.exe121⤵
- System Location Discovery: System Language Discovery
PID:2720 -
\??\c:\9ttnbh.exec:\9ttnbh.exe122⤵PID:580
-