Analysis
-
max time kernel
120s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20241023-en -
resource tags
arch:x64 arch:x86 image:win7-20241023-en locale:en-us os:windows7-x64 system -
submitted
20-12-2024 04:47
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
b3a9bd7c30d768366289a88cc48f6bdca4ae97b33b46ad9343cd3a14c6dc48b5N.exe
Resource
win7-20241023-en
windows7-x64
7 signatures
120 seconds
General
-
Target
b3a9bd7c30d768366289a88cc48f6bdca4ae97b33b46ad9343cd3a14c6dc48b5N.exe
-
Size
453KB
-
MD5
7c7243f1cd951620cf2b5616abf235a0
-
SHA1
1e4c886c293c7ae342f7208394da69ae36fee06e
-
SHA256
b3a9bd7c30d768366289a88cc48f6bdca4ae97b33b46ad9343cd3a14c6dc48b5
-
SHA512
cc47d0d6321af8bd88707db03125e4c07d8bb4627741198d5e7aa4b1bf0fc4502b50f379e9bbaedc6aee67435749394f4ee7016529d87b43a90fbc6dac8c6467
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeu:q7Tc2NYHUrAwfMp3CDu
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 52 IoCs
resource yara_rule behavioral1/memory/2128-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2140-16-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1236-26-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2452-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2788-46-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2912-62-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2480-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2892-91-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2672-99-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2204-103-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1104-111-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1568-130-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1984-139-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1868-127-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1984-146-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/840-156-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1620-192-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/448-207-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1312-224-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1888-233-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2532-276-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2580-281-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/3060-300-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2080-312-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2808-345-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2508-359-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2480-374-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2032-394-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1732-408-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/980-416-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/620-435-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2748-474-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2748-475-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1700-483-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1864-533-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/2624-558-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2076-597-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1496-603-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2668-646-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2256-750-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2748-760-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1712-872-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon 
behavioral1/memory/1528-885-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1712-891-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2508-919-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2688-932-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1552-984-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1348-1035-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/2596-1116-0x0000000000230000-0x000000000025A000-memory.dmp family_blackmoon behavioral1/memory/1628-1123-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2372-1136-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2904-1205-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2140 xrflrll.exe 1236 e84624.exe 2096 268028.exe 2452 pjddv.exe 2788 1jppv.exe 2912 264680.exe 2480 082406.exe 2960 vpdpp.exe 2892 7bnhnt.exe 2672 tbbnbt.exe 2204 o606668.exe 1104 hbhthn.exe 1868 lxffxxf.exe 1568 9rflxfl.exe 1984 5htbhh.exe 840 c822406.exe 1072 3vpvd.exe 2964 200086.exe 2408 nhtbnn.exe 2084 086682.exe 1620 888244.exe 448 nbnttt.exe 2272 0804000.exe 1312 04628.exe 1888 jvppp.exe 1864 42402.exe 1692 20266.exe 2304 pjvjj.exe 1628 e48288.exe 2532 4828224.exe 2580 pjpvd.exe 888 080060.exe 3060 268066.exe 2076 dvjjv.exe 2080 bbhntt.exe 796 fxlxlrx.exe 1520 6428446.exe 2352 6024246.exe 2508 8862408.exe 2808 nnbnnn.exe 2860 868066.exe 2928 3xfxxrx.exe 2260 4844266.exe 2480 080066.exe 2684 w24844.exe 2920 lxrrffl.exe 2732 nthbtt.exe 2032 8640228.exe 1732 2602484.exe 980 3nbhnh.exe 2728 pjjpd.exe 2320 rrlrffr.exe 2420 pjvvd.exe 620 820622.exe 2012 20446.exe 1720 nnbntb.exe 2908 0422484.exe 2964 468402.exe 2748 vvjjp.exe 1700 9lrrrxf.exe 2992 7bthtb.exe 560 w46228.exe 2268 3hthnn.exe 3044 042404.exe -
resource yara_rule behavioral1/memory/2128-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1236-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2140-16-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1236-26-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2452-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2912-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2788-46-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2912-62-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2480-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2892-91-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2672-99-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2204-103-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1104-111-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1568-130-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1984-139-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1868-127-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/840-156-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1620-192-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/448-207-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1312-224-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1888-233-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1864-235-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2532-268-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2532-276-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/3060-300-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2080-312-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2808-345-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2260-360-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2480-374-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2920-381-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2032-394-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1732-401-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1732-408-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/980-416-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/620-435-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1720-448-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2908-455-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1700-476-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2748-475-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1700-483-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2252-514-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1864-533-0x00000000003B0000-0x00000000003DA000-memory.dmp upx behavioral1/memory/1424-572-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2424-571-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2076-597-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2496-617-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2852-663-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2748-760-0x0000000000220000-0x000000000024A000-memory.dmp upx 
behavioral1/memory/1696-796-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2508-912-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2688-932-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2684-945-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2920-952-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1984-997-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1628-1123-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2372-1136-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim host in order to infer that host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 26884.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjjjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7flfrrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpjjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3xxlfff.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxllrrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7lffrxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvdvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnthhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 08046.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxxrlrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language u044442.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxfrxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4204402.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvddv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2128 wrote to memory of 2140 2128 b3a9bd7c30d768366289a88cc48f6bdca4ae97b33b46ad9343cd3a14c6dc48b5N.exe 30 PID 2128 wrote to memory of 2140 2128 b3a9bd7c30d768366289a88cc48f6bdca4ae97b33b46ad9343cd3a14c6dc48b5N.exe 30 PID 2128 wrote to memory of 2140 2128 b3a9bd7c30d768366289a88cc48f6bdca4ae97b33b46ad9343cd3a14c6dc48b5N.exe 30 PID 2128 wrote to memory of 2140 2128 b3a9bd7c30d768366289a88cc48f6bdca4ae97b33b46ad9343cd3a14c6dc48b5N.exe 30 PID 2140 wrote to memory of 1236 2140 xrflrll.exe 31 PID 2140 wrote to memory of 1236 2140 xrflrll.exe 31 PID 2140 wrote to memory of 1236 2140 xrflrll.exe 31 PID 2140 wrote to memory of 1236 2140 xrflrll.exe 31 PID 1236 wrote to memory of 2096 1236 e84624.exe 32 PID 1236 wrote to memory of 2096 1236 e84624.exe 32 PID 1236 wrote to memory of 2096 1236 e84624.exe 32 PID 1236 wrote to memory of 2096 1236 e84624.exe 32 PID 2096 wrote to memory of 2452 2096 268028.exe 33 PID 2096 wrote to memory of 2452 2096 268028.exe 33 PID 2096 wrote to memory of 2452 2096 268028.exe 33 PID 2096 wrote to memory of 2452 2096 268028.exe 33 PID 2452 wrote to memory of 2788 2452 pjddv.exe 34 PID 2452 wrote to memory of 2788 2452 pjddv.exe 34 PID 2452 wrote to memory of 2788 2452 pjddv.exe 34 PID 2452 wrote to memory of 2788 2452 pjddv.exe 34 PID 2788 wrote to memory of 2912 2788 1jppv.exe 35 PID 2788 wrote to memory of 2912 2788 1jppv.exe 35 PID 2788 wrote to memory of 2912 2788 1jppv.exe 35 PID 2788 wrote to memory of 2912 2788 1jppv.exe 35 PID 2912 wrote to memory of 2480 2912 264680.exe 36 PID 2912 wrote to memory of 2480 2912 264680.exe 36 PID 2912 wrote to memory of 2480 2912 264680.exe 36 PID 2912 wrote to memory of 2480 2912 264680.exe 36 PID 2480 wrote to memory of 2960 2480 082406.exe 37 PID 2480 wrote to memory of 2960 2480 082406.exe 37 PID 2480 wrote to memory of 2960 2480 082406.exe 37 PID 2480 wrote to memory of 2960 2480 082406.exe 37 PID 2960 wrote to memory of 2892 2960 vpdpp.exe 38 PID 2960 wrote 
to memory of 2892 2960 vpdpp.exe 38 PID 2960 wrote to memory of 2892 2960 vpdpp.exe 38 PID 2960 wrote to memory of 2892 2960 vpdpp.exe 38 PID 2892 wrote to memory of 2672 2892 7bnhnt.exe 39 PID 2892 wrote to memory of 2672 2892 7bnhnt.exe 39 PID 2892 wrote to memory of 2672 2892 7bnhnt.exe 39 PID 2892 wrote to memory of 2672 2892 7bnhnt.exe 39 PID 2672 wrote to memory of 2204 2672 tbbnbt.exe 40 PID 2672 wrote to memory of 2204 2672 tbbnbt.exe 40 PID 2672 wrote to memory of 2204 2672 tbbnbt.exe 40 PID 2672 wrote to memory of 2204 2672 tbbnbt.exe 40 PID 2204 wrote to memory of 1104 2204 o606668.exe 41 PID 2204 wrote to memory of 1104 2204 o606668.exe 41 PID 2204 wrote to memory of 1104 2204 o606668.exe 41 PID 2204 wrote to memory of 1104 2204 o606668.exe 41 PID 1104 wrote to memory of 1868 1104 hbhthn.exe 42 PID 1104 wrote to memory of 1868 1104 hbhthn.exe 42 PID 1104 wrote to memory of 1868 1104 hbhthn.exe 42 PID 1104 wrote to memory of 1868 1104 hbhthn.exe 42 PID 1868 wrote to memory of 1568 1868 lxffxxf.exe 43 PID 1868 wrote to memory of 1568 1868 lxffxxf.exe 43 PID 1868 wrote to memory of 1568 1868 lxffxxf.exe 43 PID 1868 wrote to memory of 1568 1868 lxffxxf.exe 43 PID 1568 wrote to memory of 1984 1568 9rflxfl.exe 44 PID 1568 wrote to memory of 1984 1568 9rflxfl.exe 44 PID 1568 wrote to memory of 1984 1568 9rflxfl.exe 44 PID 1568 wrote to memory of 1984 1568 9rflxfl.exe 44 PID 1984 wrote to memory of 840 1984 5htbhh.exe 45 PID 1984 wrote to memory of 840 1984 5htbhh.exe 45 PID 1984 wrote to memory of 840 1984 5htbhh.exe 45 PID 1984 wrote to memory of 840 1984 5htbhh.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\b3a9bd7c30d768366289a88cc48f6bdca4ae97b33b46ad9343cd3a14c6dc48b5N.exe"C:\Users\Admin\AppData\Local\Temp\b3a9bd7c30d768366289a88cc48f6bdca4ae97b33b46ad9343cd3a14c6dc48b5N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2128 -
\??\c:\xrflrll.exec:\xrflrll.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2140 -
\??\c:\e84624.exec:\e84624.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1236 -
\??\c:\268028.exec:\268028.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2096 -
\??\c:\pjddv.exec:\pjddv.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2452 -
\??\c:\1jppv.exec:\1jppv.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2788 -
\??\c:\264680.exec:\264680.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2912 -
\??\c:\082406.exec:\082406.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2480 -
\??\c:\vpdpp.exec:\vpdpp.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2960 -
\??\c:\7bnhnt.exec:\7bnhnt.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2892 -
\??\c:\tbbnbt.exec:\tbbnbt.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2672 -
\??\c:\o606668.exec:\o606668.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2204 -
\??\c:\hbhthn.exec:\hbhthn.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1104 -
\??\c:\lxffxxf.exec:\lxffxxf.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1868 -
\??\c:\9rflxfl.exec:\9rflxfl.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1568 -
\??\c:\5htbhh.exec:\5htbhh.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1984 -
\??\c:\c822406.exec:\c822406.exe17⤵
- Executes dropped EXE
PID:840 -
\??\c:\3vpvd.exec:\3vpvd.exe18⤵
- Executes dropped EXE
PID:1072 -
\??\c:\200086.exec:\200086.exe19⤵
- Executes dropped EXE
PID:2964 -
\??\c:\nhtbnn.exec:\nhtbnn.exe20⤵
- Executes dropped EXE
PID:2408 -
\??\c:\086682.exec:\086682.exe21⤵
- Executes dropped EXE
PID:2084 -
\??\c:\888244.exec:\888244.exe22⤵
- Executes dropped EXE
PID:1620 -
\??\c:\nbnttt.exec:\nbnttt.exe23⤵
- Executes dropped EXE
PID:448 -
\??\c:\0804000.exec:\0804000.exe24⤵
- Executes dropped EXE
PID:2272 -
\??\c:\04628.exec:\04628.exe25⤵
- Executes dropped EXE
PID:1312 -
\??\c:\jvppp.exec:\jvppp.exe26⤵
- Executes dropped EXE
PID:1888 -
\??\c:\42402.exec:\42402.exe27⤵
- Executes dropped EXE
PID:1864 -
\??\c:\20266.exec:\20266.exe28⤵
- Executes dropped EXE
PID:1692 -
\??\c:\pjvjj.exec:\pjvjj.exe29⤵
- Executes dropped EXE
PID:2304 -
\??\c:\e48288.exec:\e48288.exe30⤵
- Executes dropped EXE
PID:1628 -
\??\c:\4828224.exec:\4828224.exe31⤵
- Executes dropped EXE
PID:2532 -
\??\c:\pjpvd.exec:\pjpvd.exe32⤵
- Executes dropped EXE
PID:2580 -
\??\c:\080060.exec:\080060.exe33⤵
- Executes dropped EXE
PID:888 -
\??\c:\268066.exec:\268066.exe34⤵
- Executes dropped EXE
PID:3060 -
\??\c:\dvjjv.exec:\dvjjv.exe35⤵
- Executes dropped EXE
PID:2076 -
\??\c:\bbhntt.exec:\bbhntt.exe36⤵
- Executes dropped EXE
PID:2080 -
\??\c:\fxlxlrx.exec:\fxlxlrx.exe37⤵
- Executes dropped EXE
PID:796 -
\??\c:\6428446.exec:\6428446.exe38⤵
- Executes dropped EXE
PID:1520 -
\??\c:\6024246.exec:\6024246.exe39⤵
- Executes dropped EXE
PID:2352 -
\??\c:\8862408.exec:\8862408.exe40⤵
- Executes dropped EXE
PID:2508 -
\??\c:\nnbnnn.exec:\nnbnnn.exe41⤵
- Executes dropped EXE
PID:2808 -
\??\c:\868066.exec:\868066.exe42⤵
- Executes dropped EXE
PID:2860 -
\??\c:\3xfxxrx.exec:\3xfxxrx.exe43⤵
- Executes dropped EXE
PID:2928 -
\??\c:\4844266.exec:\4844266.exe44⤵
- Executes dropped EXE
PID:2260 -
\??\c:\080066.exec:\080066.exe45⤵
- Executes dropped EXE
PID:2480 -
\??\c:\w24844.exec:\w24844.exe46⤵
- Executes dropped EXE
PID:2684 -
\??\c:\lxrrffl.exec:\lxrrffl.exe47⤵
- Executes dropped EXE
PID:2920 -
\??\c:\nthbtt.exec:\nthbtt.exe48⤵
- Executes dropped EXE
PID:2732 -
\??\c:\8640228.exec:\8640228.exe49⤵
- Executes dropped EXE
PID:2032 -
\??\c:\2602484.exec:\2602484.exe50⤵
- Executes dropped EXE
PID:1732 -
\??\c:\3nbhnh.exec:\3nbhnh.exe51⤵
- Executes dropped EXE
PID:980 -
\??\c:\pjjpd.exec:\pjjpd.exe52⤵
- Executes dropped EXE
PID:2728 -
\??\c:\rrlrffr.exec:\rrlrffr.exe53⤵
- Executes dropped EXE
PID:2320 -
\??\c:\pjvvd.exec:\pjvvd.exe54⤵
- Executes dropped EXE
PID:2420 -
\??\c:\820622.exec:\820622.exe55⤵
- Executes dropped EXE
PID:620 -
\??\c:\20446.exec:\20446.exe56⤵
- Executes dropped EXE
PID:2012 -
\??\c:\nnbntb.exec:\nnbntb.exe57⤵
- Executes dropped EXE
PID:1720 -
\??\c:\0422484.exec:\0422484.exe58⤵
- Executes dropped EXE
PID:2908 -
\??\c:\468402.exec:\468402.exe59⤵
- Executes dropped EXE
PID:2964 -
\??\c:\vvjjp.exec:\vvjjp.exe60⤵
- Executes dropped EXE
PID:2748 -
\??\c:\9lrrrxf.exec:\9lrrrxf.exe61⤵
- Executes dropped EXE
PID:1700 -
\??\c:\7bthtb.exec:\7bthtb.exe62⤵
- Executes dropped EXE
PID:2992 -
\??\c:\w46228.exec:\w46228.exe63⤵
- Executes dropped EXE
PID:560 -
\??\c:\3hthnn.exec:\3hthnn.exe64⤵
- Executes dropped EXE
PID:2268 -
\??\c:\042404.exec:\042404.exe65⤵
- Executes dropped EXE
PID:3044 -
\??\c:\820688.exec:\820688.exe66⤵PID:1852
-
\??\c:\jdpvd.exec:\jdpvd.exe67⤵PID:2252
-
\??\c:\5rlxxxl.exec:\5rlxxxl.exe68⤵PID:1472
-
\??\c:\640066.exec:\640066.exe69⤵PID:1864
-
\??\c:\68040.exec:\68040.exe70⤵PID:1872
-
\??\c:\68866.exec:\68866.exe71⤵PID:2516
-
\??\c:\u282884.exec:\u282884.exe72⤵PID:2424
-
\??\c:\llxxxll.exec:\llxxxll.exe73⤵PID:2624
-
\??\c:\28006.exec:\28006.exe74⤵PID:2740
-
\??\c:\e60646.exec:\e60646.exe75⤵PID:972
-
\??\c:\3vddd.exec:\3vddd.exe76⤵PID:1424
-
\??\c:\1xrflrl.exec:\1xrflrl.exe77⤵PID:2344
-
\??\c:\7flfrrf.exec:\7flfrrf.exe78⤵
- System Location Discovery: System Language Discovery
PID:2092 -
\??\c:\2640224.exec:\2640224.exe79⤵PID:2076
-
\??\c:\6462846.exec:\6462846.exe80⤵PID:1496
-
\??\c:\86846.exec:\86846.exe81⤵PID:1236
-
\??\c:\4806288.exec:\4806288.exe82⤵PID:1520
-
\??\c:\1rflllx.exec:\1rflllx.exe83⤵PID:2496
-
\??\c:\20880.exec:\20880.exe84⤵PID:2508
-
\??\c:\hbtbhh.exec:\hbtbhh.exe85⤵PID:2524
-
\??\c:\btbhtn.exec:\btbhtn.exe86⤵PID:2912
-
\??\c:\hbtbnn.exec:\hbtbnn.exe87⤵PID:2668
-
\??\c:\048068.exec:\048068.exe88⤵PID:2940
-
\??\c:\ddvvd.exec:\ddvvd.exe89⤵PID:2832
-
\??\c:\fxrrxrf.exec:\fxrrxrf.exe90⤵PID:2852
-
\??\c:\3xllrrf.exec:\3xllrrf.exe91⤵PID:1840
-
\??\c:\3ththh.exec:\3ththh.exe92⤵PID:2724
-
\??\c:\608422.exec:\608422.exe93⤵PID:672
-
\??\c:\hbhnbt.exec:\hbhnbt.exe94⤵PID:1744
-
\??\c:\hhbbbb.exec:\hhbbbb.exe95⤵PID:1508
-
\??\c:\s2008.exec:\s2008.exe96⤵PID:328
-
\??\c:\w80240.exec:\w80240.exe97⤵PID:536
-
\??\c:\lxfxffr.exec:\lxfxffr.exe98⤵PID:2112
-
\??\c:\08624.exec:\08624.exe99⤵PID:1664
-
\??\c:\ttbbnh.exec:\ttbbnh.exe100⤵PID:1560
-
\??\c:\u464062.exec:\u464062.exe101⤵PID:2012
-
\??\c:\xlfxfxx.exec:\xlfxfxx.exe102⤵PID:1072
-
\??\c:\pjvvj.exec:\pjvvj.exe103⤵PID:2256
-
\??\c:\2066840.exec:\2066840.exe104⤵PID:2276
-
\??\c:\vvppd.exec:\vvppd.exe105⤵PID:2748
-
\??\c:\6062822.exec:\6062822.exe106⤵PID:2536
-
\??\c:\fxflxrx.exec:\fxflxrx.exe107⤵PID:2988
-
\??\c:\a8002.exec:\a8002.exe108⤵PID:448
-
\??\c:\a6222.exec:\a6222.exe109⤵PID:1564
-
\??\c:\440228.exec:\440228.exe110⤵PID:1716
-
\??\c:\jdvjp.exec:\jdvjp.exe111⤵PID:1696
-
\??\c:\8006824.exec:\8006824.exe112⤵PID:2252
-
\??\c:\lflffxf.exec:\lflffxf.exe113⤵PID:1788
-
\??\c:\dvpjp.exec:\dvpjp.exe114⤵PID:1864
-
\??\c:\5htbnn.exec:\5htbnn.exe115⤵PID:2236
-
\??\c:\bntntt.exec:\bntntt.exe116⤵PID:1012
-
\??\c:\q66460.exec:\q66460.exe117⤵PID:2340
-
\??\c:\c088044.exec:\c088044.exe118⤵PID:3012
-
\??\c:\8244662.exec:\8244662.exe119⤵PID:584
-
\??\c:\bnbtth.exec:\bnbtth.exe120⤵PID:2580
-
\??\c:\8688062.exec:\8688062.exe121⤵PID:680
-
\??\c:\0868440.exec:\0868440.exe122⤵PID:1988