Analysis
-
max time kernel
120s -
max time network
19s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
18/10/2024, 19:47
Behavioral task
behavioral1
Sample
367c4f134c58c7809ec208b620f604a3cb884e33b8fe5b82aae950f53168e536N.exe
Resource
win7-20240903-en
6 signatures
120 seconds
General
-
Target
367c4f134c58c7809ec208b620f604a3cb884e33b8fe5b82aae950f53168e536N.exe
-
Size
343KB
-
MD5
5082415ef661e85e83e37fde8ac6e570
-
SHA1
028e1bae6569ad5c2f655ff5fc00153cc403e3cf
-
SHA256
367c4f134c58c7809ec208b620f604a3cb884e33b8fe5b82aae950f53168e536
-
SHA512
0688b46fd9ef72ed0fb2f24bcb9dfa22b558bd6b846565e5e6ccc5fda4a4764c833133f1931655510b73a056e8c428c2961ba91560054bc31d9d95c4a9f6c487
-
SSDEEP
6144:Lcm4FmowdHoSEYW5fNZWB5hFfci3Add4kGYAc:R4wFHoS3WXZshJX2VGdc
Malware Config
Signatures
-
Detect Blackmoon payload — 46 IoCs (every `family_blackmoon` hit below is on a memory dump of a running process, none on a file on disk; the dropped executables match the `upx` YARA rule further down, so a static scan of the on-disk droppers may not trigger this family rule and the unpacked in-memory image is the better artifact to hunt on) -
resource yara_rule behavioral1/memory/2692-10-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2496-6-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1240-23-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2300-32-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2300-31-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/1564-40-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2768-52-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2816-50-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2876-67-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2632-74-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2664-84-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2664-82-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2432-115-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1184-124-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2008-140-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1920-149-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/604-157-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2704-172-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2968-201-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/944-209-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2284-231-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral1/memory/1196-240-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/920-250-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/348-276-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/880-282-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2104-303-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2340-304-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2192-315-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2680-367-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/3024-373-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/1852-389-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2036-401-0x0000000000430000-0x0000000000457000-memory.dmp family_blackmoon behavioral1/memory/1404-433-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2448-449-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2920-457-0x00000000001B0000-0x00000000001D7000-memory.dmp family_blackmoon behavioral1/memory/824-471-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1640-493-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1596-502-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/1988-521-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2740-871-0x00000000002B0000-0x00000000002D7000-memory.dmp family_blackmoon behavioral1/memory/1764-912-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/800-933-0x00000000001B0000-0x00000000001D7000-memory.dmp family_blackmoon 
behavioral1/memory/280-954-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1224-965-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/944-1007-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/332-1203-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon -
Executes dropped EXE — 64 IoCs (list capped at 64 entries; the process tree below continues to depth 122. Note that PIDs recur in this list — e.g. 1564 and 2632 each appear twice — because the chain is sequential and Windows reuses the PID of an exited process, so a PID alone is not a stable key; correlate on PID + image name + time) -
pid Process 2692 jppvv.exe 1240 jdpjv.exe 2300 djvjp.exe 1564 7lxlrfl.exe 2816 tnbbhh.exe 2768 fxflxfr.exe 2876 rlxfxfl.exe 2632 pjdjv.exe 2664 frllrxx.exe 2652 3ddpd.exe 3028 rfllrxf.exe 1992 ddvdp.exe 2432 llrflxx.exe 1184 3hhnbb.exe 1704 rffrxrr.exe 2008 ntnnht.exe 1920 vvvdp.exe 604 5bthht.exe 2668 pjjpd.exe 2704 lfxxfrf.exe 2556 7tthnt.exe 1284 dvvvp.exe 1716 fffrffr.exe 2968 ttnnht.exe 944 jjvjv.exe 1120 xxrfrrl.exe 608 btnntn.exe 2284 rlxfrrf.exe 1196 tnnnht.exe 920 vvjjv.exe 2532 rfxxxll.exe 1392 3vpjp.exe 3052 rrlrlrf.exe 348 xrxlrfr.exe 880 5nhbhh.exe 1108 3pvvv.exe 2272 fxrxffr.exe 1480 lfrxrxr.exe 2104 3tnnbt.exe 2340 pjdjj.exe 2192 jvpvp.exe 2472 flfxlxr.exe 1564 bnhnbb.exe 2756 9tbhtt.exe 2812 vjppv.exe 2740 rfxfrxl.exe 2328 fllfxll.exe 2860 hbbhnn.exe 2632 9ddpv.exe 2656 ddvdj.exe 2680 lfxlxlr.exe 3024 9lrrxfr.exe 2500 ntnbtb.exe 284 vvvdv.exe 1852 5lfrffr.exe 2360 rlffrrx.exe 2036 bnbthh.exe 444 hbtthh.exe 476 dvjpj.exe 332 3rlrxfl.exe 2268 7bbtht.exe 1736 bhhhnt.exe 1260 9vdvj.exe 1404 lxllxlx.exe -
UPX-packed executable (YARA rule `upx`; section heading lost in extraction, name taken from the rule matches) — hits on both the dropped `.dat` files and the process memory regions listed: resource yara_rule behavioral1/memory/2496-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000a00000001227e-8.dat upx behavioral1/memory/2692-10-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2496-6-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0008000000016c4a-15.dat upx behavioral1/memory/1240-16-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0008000000016c51-24.dat upx behavioral1/memory/1240-23-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0007000000016cc8-33.dat upx behavioral1/memory/2300-32-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0007000000016cec-41.dat upx behavioral1/memory/1564-40-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2768-52-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0007000000016d06-51.dat upx behavioral1/memory/2816-50-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0009000000016d0e-58.dat upx behavioral1/memory/2876-67-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0008000000016d18-68.dat upx behavioral1/files/0x00060000000171a8-75.dat upx behavioral1/memory/2632-74-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2664-84-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00060000000173a7-83.dat upx behavioral1/files/0x00060000000173a9-92.dat upx behavioral1/files/0x0006000000017488-99.dat upx behavioral1/files/0x0006000000017492-106.dat upx behavioral1/files/0x00060000000174cc-117.dat upx behavioral1/memory/1184-116-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2432-115-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000d000000018676-123.dat upx behavioral1/memory/1704-125-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral1/memory/1184-124-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2008-133-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0005000000018683-132.dat upx behavioral1/files/0x00050000000186e4-141.dat upx behavioral1/memory/1920-142-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2008-140-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/1920-149-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0009000000016814-150.dat upx behavioral1/files/0x00050000000186ea-158.dat upx behavioral1/memory/604-157-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00050000000186ee-165.dat upx behavioral1/files/0x00050000000186fd-173.dat upx behavioral1/memory/2704-172-0x0000000000220000-0x0000000000247000-memory.dmp upx behavioral1/files/0x0005000000018728-180.dat upx behavioral1/files/0x000500000001873d-187.dat upx behavioral1/files/0x0005000000018784-194.dat upx behavioral1/files/0x000500000001878f-202.dat upx behavioral1/memory/2968-201-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/944-209-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00050000000187a5-210.dat upx behavioral1/files/0x0006000000019023-217.dat upx behavioral1/files/0x000500000001925e-224.dat upx behavioral1/files/0x0005000000019261-232.dat upx behavioral1/memory/2284-231-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0005000000019282-239.dat upx behavioral1/memory/920-241-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/1196-240-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0005000000019334-251.dat upx behavioral1/memory/920-250-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0005000000019350-258.dat upx behavioral1/memory/348-276-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral1/memory/880-282-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2104-303-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2340-304-0x0000000000400000-0x0000000000427000-memory.dmp upx -
System Location Discovery: System Language Discovery — 1 TTP, 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location. Caveat for triage: the only evidence behind this signature is a read of `HKLM\SYSTEM\ControlSet001\Control\NLS\Language`, a key that standard runtime/locale initialization also touches, so on its own this is a low-fidelity indicator; treat it as supporting context for the Blackmoon and dropped-EXE hits rather than as an independent detection. Many entries are attributed to "Process not Found" — the sandbox could not resolve the originating process at log time (most likely because it had already exited), so the process attribution in this list is incomplete.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfrflrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9tbtbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frllrlr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nntnhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5xfxffl.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3rfxxff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1djdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flflxlx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlxlrxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvpjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not 
Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1rlxfxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlflxxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory — 64 IoCs (list capped at 64 entries; it covers only the first 16 links of the chain). Each parent writes into the memory of the child it just spawned, with four identical entries per parent/child pair, and every target PID matches the direct child shown in the process tree below — consistent with a sequential dropper chain launching its own children rather than injection into pre-existing or unrelated processes; no write to a process outside the chain appears in the visible entries.
description pid Process procid_target PID 2496 wrote to memory of 2692 2496 367c4f134c58c7809ec208b620f604a3cb884e33b8fe5b82aae950f53168e536N.exe 30 PID 2496 wrote to memory of 2692 2496 367c4f134c58c7809ec208b620f604a3cb884e33b8fe5b82aae950f53168e536N.exe 30 PID 2496 wrote to memory of 2692 2496 367c4f134c58c7809ec208b620f604a3cb884e33b8fe5b82aae950f53168e536N.exe 30 PID 2496 wrote to memory of 2692 2496 367c4f134c58c7809ec208b620f604a3cb884e33b8fe5b82aae950f53168e536N.exe 30 PID 2692 wrote to memory of 1240 2692 jppvv.exe 31 PID 2692 wrote to memory of 1240 2692 jppvv.exe 31 PID 2692 wrote to memory of 1240 2692 jppvv.exe 31 PID 2692 wrote to memory of 1240 2692 jppvv.exe 31 PID 1240 wrote to memory of 2300 1240 jdpjv.exe 32 PID 1240 wrote to memory of 2300 1240 jdpjv.exe 32 PID 1240 wrote to memory of 2300 1240 jdpjv.exe 32 PID 1240 wrote to memory of 2300 1240 jdpjv.exe 32 PID 2300 wrote to memory of 1564 2300 djvjp.exe 33 PID 2300 wrote to memory of 1564 2300 djvjp.exe 33 PID 2300 wrote to memory of 1564 2300 djvjp.exe 33 PID 2300 wrote to memory of 1564 2300 djvjp.exe 33 PID 1564 wrote to memory of 2816 1564 7lxlrfl.exe 34 PID 1564 wrote to memory of 2816 1564 7lxlrfl.exe 34 PID 1564 wrote to memory of 2816 1564 7lxlrfl.exe 34 PID 1564 wrote to memory of 2816 1564 7lxlrfl.exe 34 PID 2816 wrote to memory of 2768 2816 tnbbhh.exe 35 PID 2816 wrote to memory of 2768 2816 tnbbhh.exe 35 PID 2816 wrote to memory of 2768 2816 tnbbhh.exe 35 PID 2816 wrote to memory of 2768 2816 tnbbhh.exe 35 PID 2768 wrote to memory of 2876 2768 fxflxfr.exe 36 PID 2768 wrote to memory of 2876 2768 fxflxfr.exe 36 PID 2768 wrote to memory of 2876 2768 fxflxfr.exe 36 PID 2768 wrote to memory of 2876 2768 fxflxfr.exe 36 PID 2876 wrote to memory of 2632 2876 rlxfxfl.exe 37 PID 2876 wrote to memory of 2632 2876 rlxfxfl.exe 37 PID 2876 wrote to memory of 2632 2876 rlxfxfl.exe 37 PID 2876 wrote to memory of 2632 2876 rlxfxfl.exe 37 PID 2632 wrote to memory of 2664 2632 pjdjv.exe 38 PID 2632 
wrote to memory of 2664 2632 pjdjv.exe 38 PID 2632 wrote to memory of 2664 2632 pjdjv.exe 38 PID 2632 wrote to memory of 2664 2632 pjdjv.exe 38 PID 2664 wrote to memory of 2652 2664 frllrxx.exe 39 PID 2664 wrote to memory of 2652 2664 frllrxx.exe 39 PID 2664 wrote to memory of 2652 2664 frllrxx.exe 39 PID 2664 wrote to memory of 2652 2664 frllrxx.exe 39 PID 2652 wrote to memory of 3028 2652 3ddpd.exe 40 PID 2652 wrote to memory of 3028 2652 3ddpd.exe 40 PID 2652 wrote to memory of 3028 2652 3ddpd.exe 40 PID 2652 wrote to memory of 3028 2652 3ddpd.exe 40 PID 3028 wrote to memory of 1992 3028 rfllrxf.exe 41 PID 3028 wrote to memory of 1992 3028 rfllrxf.exe 41 PID 3028 wrote to memory of 1992 3028 rfllrxf.exe 41 PID 3028 wrote to memory of 1992 3028 rfllrxf.exe 41 PID 1992 wrote to memory of 2432 1992 ddvdp.exe 42 PID 1992 wrote to memory of 2432 1992 ddvdp.exe 42 PID 1992 wrote to memory of 2432 1992 ddvdp.exe 42 PID 1992 wrote to memory of 2432 1992 ddvdp.exe 42 PID 2432 wrote to memory of 1184 2432 llrflxx.exe 43 PID 2432 wrote to memory of 1184 2432 llrflxx.exe 43 PID 2432 wrote to memory of 1184 2432 llrflxx.exe 43 PID 2432 wrote to memory of 1184 2432 llrflxx.exe 43 PID 1184 wrote to memory of 1704 1184 3hhnbb.exe 44 PID 1184 wrote to memory of 1704 1184 3hhnbb.exe 44 PID 1184 wrote to memory of 1704 1184 3hhnbb.exe 44 PID 1184 wrote to memory of 1704 1184 3hhnbb.exe 44 PID 1704 wrote to memory of 2008 1704 rffrxrr.exe 45 PID 1704 wrote to memory of 2008 1704 rffrxrr.exe 45 PID 1704 wrote to memory of 2008 1704 rffrxrr.exe 45 PID 1704 wrote to memory of 2008 1704 rffrxrr.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\367c4f134c58c7809ec208b620f604a3cb884e33b8fe5b82aae950f53168e536N.exe"C:\Users\Admin\AppData\Local\Temp\367c4f134c58c7809ec208b620f604a3cb884e33b8fe5b82aae950f53168e536N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2496 -
\??\c:\jppvv.exec:\jppvv.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2692 -
\??\c:\jdpjv.exec:\jdpjv.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1240 -
\??\c:\djvjp.exec:\djvjp.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2300 -
\??\c:\7lxlrfl.exec:\7lxlrfl.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1564 -
\??\c:\tnbbhh.exec:\tnbbhh.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2816 -
\??\c:\fxflxfr.exec:\fxflxfr.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2768 -
\??\c:\rlxfxfl.exec:\rlxfxfl.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2876 -
\??\c:\pjdjv.exec:\pjdjv.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2632 -
\??\c:\frllrxx.exec:\frllrxx.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2664 -
\??\c:\3ddpd.exec:\3ddpd.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2652 -
\??\c:\rfllrxf.exec:\rfllrxf.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3028 -
\??\c:\ddvdp.exec:\ddvdp.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1992 -
\??\c:\llrflxx.exec:\llrflxx.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2432 -
\??\c:\3hhnbb.exec:\3hhnbb.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1184 -
\??\c:\rffrxrr.exec:\rffrxrr.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1704 -
\??\c:\ntnnht.exec:\ntnnht.exe17⤵
- Executes dropped EXE
PID:2008 -
\??\c:\vvvdp.exec:\vvvdp.exe18⤵
- Executes dropped EXE
PID:1920 -
\??\c:\5bthht.exec:\5bthht.exe19⤵
- Executes dropped EXE
PID:604 -
\??\c:\pjjpd.exec:\pjjpd.exe20⤵
- Executes dropped EXE
PID:2668 -
\??\c:\lfxxfrf.exec:\lfxxfrf.exe21⤵
- Executes dropped EXE
PID:2704 -
\??\c:\7tthnt.exec:\7tthnt.exe22⤵
- Executes dropped EXE
PID:2556 -
\??\c:\dvvvp.exec:\dvvvp.exe23⤵
- Executes dropped EXE
PID:1284 -
\??\c:\fffrffr.exec:\fffrffr.exe24⤵
- Executes dropped EXE
PID:1716 -
\??\c:\ttnnht.exec:\ttnnht.exe25⤵
- Executes dropped EXE
PID:2968 -
\??\c:\jjvjv.exec:\jjvjv.exe26⤵
- Executes dropped EXE
PID:944 -
\??\c:\xxrfrrl.exec:\xxrfrrl.exe27⤵
- Executes dropped EXE
PID:1120 -
\??\c:\btnntn.exec:\btnntn.exe28⤵
- Executes dropped EXE
PID:608 -
\??\c:\rlxfrrf.exec:\rlxfrrf.exe29⤵
- Executes dropped EXE
PID:2284 -
\??\c:\tnnnht.exec:\tnnnht.exe30⤵
- Executes dropped EXE
PID:1196 -
\??\c:\vvjjv.exec:\vvjjv.exe31⤵
- Executes dropped EXE
PID:920 -
\??\c:\rfxxxll.exec:\rfxxxll.exe32⤵
- Executes dropped EXE
PID:2532 -
\??\c:\3vpjp.exec:\3vpjp.exe33⤵
- Executes dropped EXE
PID:1392 -
\??\c:\rrlrlrf.exec:\rrlrlrf.exe34⤵
- Executes dropped EXE
PID:3052 -
\??\c:\xrxlrfr.exec:\xrxlrfr.exe35⤵
- Executes dropped EXE
PID:348 -
\??\c:\5nhbhh.exec:\5nhbhh.exe36⤵
- Executes dropped EXE
PID:880 -
\??\c:\3pvvv.exec:\3pvvv.exe37⤵
- Executes dropped EXE
PID:1108 -
\??\c:\fxrxffr.exec:\fxrxffr.exe38⤵
- Executes dropped EXE
PID:2272 -
\??\c:\lfrxrxr.exec:\lfrxrxr.exe39⤵
- Executes dropped EXE
PID:1480 -
\??\c:\3tnnbt.exec:\3tnnbt.exe40⤵
- Executes dropped EXE
PID:2104 -
\??\c:\pjdjj.exec:\pjdjj.exe41⤵
- Executes dropped EXE
PID:2340 -
\??\c:\jvpvp.exec:\jvpvp.exe42⤵
- Executes dropped EXE
PID:2192 -
\??\c:\flfxlxr.exec:\flfxlxr.exe43⤵
- Executes dropped EXE
PID:2472 -
\??\c:\bnhnbb.exec:\bnhnbb.exe44⤵
- Executes dropped EXE
PID:1564 -
\??\c:\9tbhtt.exec:\9tbhtt.exe45⤵
- Executes dropped EXE
PID:2756 -
\??\c:\vjppv.exec:\vjppv.exe46⤵
- Executes dropped EXE
PID:2812 -
\??\c:\rfxfrxl.exec:\rfxfrxl.exe47⤵
- Executes dropped EXE
PID:2740 -
\??\c:\fllfxll.exec:\fllfxll.exe48⤵
- Executes dropped EXE
PID:2328 -
\??\c:\hbbhnn.exec:\hbbhnn.exe49⤵
- Executes dropped EXE
PID:2860 -
\??\c:\9ddpv.exec:\9ddpv.exe50⤵
- Executes dropped EXE
PID:2632 -
\??\c:\ddvdj.exec:\ddvdj.exe51⤵
- Executes dropped EXE
PID:2656 -
\??\c:\lfxlxlr.exec:\lfxlxlr.exe52⤵
- Executes dropped EXE
PID:2680 -
\??\c:\9lrrxfr.exec:\9lrrxfr.exe53⤵
- Executes dropped EXE
PID:3024 -
\??\c:\ntnbtb.exec:\ntnbtb.exe54⤵
- Executes dropped EXE
PID:2500 -
\??\c:\vvvdv.exec:\vvvdv.exe55⤵
- Executes dropped EXE
PID:284 -
\??\c:\5lfrffr.exec:\5lfrffr.exe56⤵
- Executes dropped EXE
PID:1852 -
\??\c:\rlffrrx.exec:\rlffrrx.exe57⤵
- Executes dropped EXE
PID:2360 -
\??\c:\bnbthh.exec:\bnbthh.exe58⤵
- Executes dropped EXE
PID:2036 -
\??\c:\hbtthh.exec:\hbtthh.exe59⤵
- Executes dropped EXE
PID:444 -
\??\c:\dvjpj.exec:\dvjpj.exe60⤵
- Executes dropped EXE
PID:476 -
\??\c:\3rlrxfl.exec:\3rlrxfl.exe61⤵
- Executes dropped EXE
PID:332 -
\??\c:\7bbtht.exec:\7bbtht.exe62⤵
- Executes dropped EXE
PID:2268 -
\??\c:\bhhhnt.exec:\bhhhnt.exe63⤵
- Executes dropped EXE
PID:1736 -
\??\c:\9vdvj.exec:\9vdvj.exe64⤵
- Executes dropped EXE
PID:1260 -
\??\c:\lxllxlx.exec:\lxllxlx.exe65⤵
- Executes dropped EXE
PID:1404 -
\??\c:\xxrxlxl.exec:\xxrxlxl.exe66⤵PID:2668
-
\??\c:\hbnntb.exec:\hbnntb.exe67⤵PID:2448
-
\??\c:\tbhntb.exec:\tbhntb.exe68⤵PID:1660
-
\??\c:\jdvdj.exec:\jdvdj.exe69⤵PID:2920
-
\??\c:\9frxxxf.exec:\9frxxxf.exe70⤵PID:1084
-
\??\c:\bthnbh.exec:\bthnbh.exe71⤵PID:824
-
\??\c:\5nhbbb.exec:\5nhbbb.exe72⤵PID:2968
-
\??\c:\ddvjd.exec:\ddvjd.exe73⤵PID:1664
-
\??\c:\llflxlr.exec:\llflxlr.exe74⤵PID:2696
-
\??\c:\xxrlflx.exec:\xxrlflx.exe75⤵PID:1640
-
\??\c:\hthnhn.exec:\hthnhn.exe76⤵PID:1448
-
\??\c:\vdpdp.exec:\vdpdp.exe77⤵PID:1596
-
\??\c:\fxrlxfl.exec:\fxrlxfl.exe78⤵PID:572
-
\??\c:\llfxfxx.exec:\llfxfxx.exe79⤵PID:1004
-
\??\c:\thbnnb.exec:\thbnnb.exe80⤵PID:1988
-
\??\c:\pjvdj.exec:\pjvdj.exe81⤵PID:2368
-
\??\c:\jjdjv.exec:\jjdjv.exe82⤵PID:1172
-
\??\c:\xxxfrfl.exec:\xxxfrfl.exe83⤵PID:316
-
\??\c:\5tttbt.exec:\5tttbt.exe84⤵PID:804
-
\??\c:\hbnhtt.exec:\hbnhtt.exe85⤵PID:348
-
\??\c:\jjjvd.exec:\jjjvd.exe86⤵PID:868
-
\??\c:\lxllrfl.exec:\lxllrfl.exe87⤵PID:2888
-
\??\c:\rlfxxfx.exec:\rlfxxfx.exe88⤵PID:1504
-
\??\c:\hhbnbb.exec:\hhbnbb.exe89⤵PID:2400
-
\??\c:\9dpjd.exec:\9dpjd.exe90⤵PID:2476
-
\??\c:\jddjd.exec:\jddjd.exe91⤵PID:2156
-
\??\c:\lxllllr.exec:\lxllllr.exe92⤵PID:2376
-
\??\c:\7nhbht.exec:\7nhbht.exe93⤵PID:2332
-
\??\c:\vdvjd.exec:\vdvjd.exe94⤵PID:2472
-
\??\c:\pjddp.exec:\pjddp.exe95⤵PID:2964
-
\??\c:\rllfflx.exec:\rllfflx.exe96⤵PID:2744
-
\??\c:\bbthtt.exec:\bbthtt.exe97⤵PID:2812
-
\??\c:\9hhttb.exec:\9hhttb.exe98⤵PID:2952
-
\??\c:\jdvpd.exec:\jdvpd.exe99⤵PID:2796
-
\??\c:\fxrlrlx.exec:\fxrlrlx.exe100⤵PID:2784
-
\??\c:\7llrflr.exec:\7llrflr.exe101⤵PID:2632
-
\??\c:\tnbhtb.exec:\tnbhtb.exe102⤵PID:2656
-
\??\c:\ddvjp.exec:\ddvjp.exe103⤵PID:2680
-
\??\c:\pjjdp.exec:\pjjdp.exe104⤵PID:3024
-
\??\c:\rrrfrxf.exec:\rrrfrxf.exe105⤵PID:3032
-
\??\c:\nnhnbn.exec:\nnhnbn.exe106⤵PID:668
-
\??\c:\vvpvj.exec:\vvpvj.exe107⤵PID:1636
-
\??\c:\vpjvv.exec:\vpjvv.exe108⤵PID:376
-
\??\c:\ffxflxl.exec:\ffxflxl.exe109⤵PID:992
-
\??\c:\hbtntt.exec:\hbtntt.exe110⤵PID:2036
-
\??\c:\5ppdd.exec:\5ppdd.exe111⤵PID:1876
-
\??\c:\vpddj.exec:\vpddj.exe112⤵PID:476
-
\??\c:\1fxllrx.exec:\1fxllrx.exe113⤵PID:280
-
\??\c:\nnbthb.exec:\nnbthb.exe114⤵PID:2836
-
\??\c:\hbthbb.exec:\hbthbb.exe115⤵PID:2916
-
\??\c:\jdvjv.exec:\jdvjv.exe116⤵PID:1552
-
\??\c:\5rrxxfr.exec:\5rrxxfr.exe117⤵PID:2236
-
\??\c:\rrlfrfx.exec:\rrlfrfx.exe118⤵PID:3012
-
\??\c:\1tnnth.exec:\1tnnth.exe119⤵PID:2704
-
\??\c:\jdvvj.exec:\jdvvj.exe120⤵PID:2556
-
\??\c:\jvpdj.exec:\jvpdj.exe121⤵PID:2920
-
\??\c:\lfrxflr.exec:\lfrxflr.exe122⤵PID:2380
-