Analysis
-
max time kernel
150s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
25-12-2024 16:46
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
3c4f9104fa72e4b33730906c9de6020a1f5f26df66af099c5d0bb24cac06fe4b.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
150 seconds
General
-
Target
3c4f9104fa72e4b33730906c9de6020a1f5f26df66af099c5d0bb24cac06fe4b.exe
-
Size
454KB
-
MD5
4a708c5f273a8507099a1ac209af1405
-
SHA1
cd746a14c31b2543c2bf46c1edce499b13e76f85
-
SHA256
3c4f9104fa72e4b33730906c9de6020a1f5f26df66af099c5d0bb24cac06fe4b
-
SHA512
b2bbbc21a0777896976654489e4a3762fd9fd50c43ce6a540fbb1c97671584a3aaae3d5da7f6e446217fc9d610ac78c41201fc4141354831f4233af85b2e9e86
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbey:q7Tc2NYHUrAwfMp3CDy
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 51 IoCs
resource yara_rule behavioral1/memory/2128-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2024-8-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2224-25-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1944-30-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/1944-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2736-50-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2660-45-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2660-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2752-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2860-74-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2604-87-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1960-105-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2432-127-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2604-126-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/576-142-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2780-144-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2708-180-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2216-195-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2124-192-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2124-191-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2864-190-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon 
behavioral1/memory/1496-219-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1636-229-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1660-232-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1660-235-0x00000000002C0000-0x00000000002EA000-memory.dmp family_blackmoon behavioral1/memory/568-256-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2204-270-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2452-283-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1956-285-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1956-289-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/1956-287-0x00000000776A0000-0x00000000777BF000-memory.dmp family_blackmoon behavioral1/memory/2040-304-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1956-313-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/3064-320-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2404-340-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2688-353-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2696-360-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2696-361-0x00000000002A0000-0x00000000002CA000-memory.dmp family_blackmoon behavioral1/memory/2996-386-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2632-393-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2776-400-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1948-408-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon 
behavioral1/memory/1948-409-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2956-516-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2956-515-0x0000000000230000-0x000000000025A000-memory.dmp family_blackmoon behavioral1/memory/1156-558-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1760-560-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2316-572-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/2908-638-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/1840-657-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2036-696-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2128 xrlrflx.exe 2224 hbbhbh.exe 1944 pjvpv.exe 2660 5btntb.exe 2736 hbhbth.exe 2752 nnbnnh.exe 2860 tttthn.exe 2576 ppvdj.exe 2604 bbthth.exe 1960 dvjjv.exe 576 1hntnt.exe 2760 rlxlrfx.exe 2432 pvjpd.exe 2780 5jvdp.exe 1320 1nhnbh.exe 1912 xrlrflx.exe 2864 tnbbtt.exe 2092 9vjjp.exe 2708 fxxflfx.exe 2124 hhhthn.exe 2216 3frrxff.exe 1644 tthhtt.exe 1496 nhthtb.exe 1636 nthhtn.exe 1660 hhbnbh.exe 2032 pjdjp.exe 568 1bbtbh.exe 992 dvjvd.exe 2204 hthbbb.exe 2452 9pppp.exe 1956 nnhtnb.exe 2040 ttnbth.exe 2168 7djvj.exe 3064 3tbnbn.exe 2756 7jpjp.exe 2688 rxxxlxr.exe 2684 ffrfrxl.exe 2404 nhthth.exe 1992 7ddjv.exe 2696 rffrlrl.exe 2564 7xxlxlx.exe 2716 hbthth.exe 2984 jjvdj.exe 2996 7fxxffr.exe 2632 1frxlrx.exe 2776 hnhhbh.exe 1948 ppvjd.exe 1524 9frxlrf.exe 2612 lfxxflf.exe 264 nnttbh.exe 1976 dvvdv.exe 1160 xfxlrrx.exe 2968 thbbhh.exe 2028 bbbhbb.exe 672 7rflxfr.exe 2100 rrrxlrx.exe 1016 tnbthn.exe 1092 1vjjv.exe 1728 lllxrxr.exe 2268 nnbnht.exe 1304 bbnthn.exe 1636 jdvpv.exe 2956 lllxrxl.exe 2960 hbthtb.exe -
resource yara_rule behavioral1/memory/2128-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2024-8-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2224-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1944-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2736-50-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2660-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2752-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2860-74-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2604-87-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/576-106-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1960-105-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2432-127-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2780-144-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2708-180-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2216-195-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2124-192-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1644-203-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1496-219-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1636-229-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1660-232-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/568-256-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2452-283-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1956-285-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1956-287-0x00000000776A0000-0x00000000777BF000-memory.dmp upx 
behavioral1/memory/3064-320-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2404-340-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2696-360-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2996-386-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2632-393-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2776-400-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1948-409-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1160-436-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2956-507-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2956-516-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/544-523-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1156-558-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1760-560-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2912-598-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1840-657-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/1484-717-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1484-724-0x00000000003A0000-0x00000000003CA000-memory.dmp upx behavioral1/memory/672-731-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1028-768-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvppd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxfrllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djdjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxlffrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5rfllrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrxrxxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpjpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9ttthh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhtnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not 
Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llflrxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2024 wrote to memory of 2128 2024 3c4f9104fa72e4b33730906c9de6020a1f5f26df66af099c5d0bb24cac06fe4b.exe 31 PID 2024 wrote to memory of 2128 2024 3c4f9104fa72e4b33730906c9de6020a1f5f26df66af099c5d0bb24cac06fe4b.exe 31 PID 2024 wrote to memory of 2128 2024 3c4f9104fa72e4b33730906c9de6020a1f5f26df66af099c5d0bb24cac06fe4b.exe 31 PID 2024 wrote to memory of 2128 2024 3c4f9104fa72e4b33730906c9de6020a1f5f26df66af099c5d0bb24cac06fe4b.exe 31 PID 2128 wrote to memory of 2224 2128 xrlrflx.exe 32 PID 2128 wrote to memory of 2224 2128 xrlrflx.exe 32 PID 2128 wrote to memory of 2224 2128 xrlrflx.exe 32 PID 2128 wrote to memory of 2224 2128 xrlrflx.exe 32 PID 2224 wrote to memory of 1944 2224 hbbhbh.exe 33 PID 2224 wrote to memory of 1944 2224 hbbhbh.exe 33 PID 2224 wrote to memory of 1944 2224 hbbhbh.exe 33 PID 2224 wrote to memory of 1944 2224 hbbhbh.exe 33 PID 1944 wrote to memory of 2660 1944 pjvpv.exe 34 PID 1944 wrote to memory of 2660 1944 pjvpv.exe 34 PID 1944 wrote to memory of 2660 1944 pjvpv.exe 34 PID 1944 wrote to memory of 2660 1944 pjvpv.exe 34 PID 2660 wrote to memory of 2736 2660 5btntb.exe 35 PID 2660 wrote to memory of 2736 2660 5btntb.exe 35 PID 2660 wrote to memory of 2736 2660 5btntb.exe 35 PID 2660 wrote to memory of 2736 2660 5btntb.exe 35 PID 2736 wrote to memory of 2752 2736 hbhbth.exe 36 PID 2736 wrote to memory of 2752 2736 hbhbth.exe 36 PID 2736 wrote to memory of 2752 2736 hbhbth.exe 36 PID 2736 wrote to memory of 2752 2736 hbhbth.exe 36 PID 2752 wrote to memory of 2860 2752 nnbnnh.exe 37 PID 2752 wrote to memory of 2860 2752 nnbnnh.exe 37 PID 2752 wrote to memory of 2860 2752 nnbnnh.exe 37 PID 2752 wrote to memory of 2860 2752 nnbnnh.exe 37 PID 2860 wrote to memory of 2576 2860 tttthn.exe 38 PID 2860 wrote to memory of 2576 2860 tttthn.exe 38 PID 2860 wrote to memory of 2576 2860 tttthn.exe 38 PID 2860 wrote to memory of 2576 2860 tttthn.exe 38 PID 2576 wrote to memory of 2604 2576 ppvdj.exe 39 PID 2576 wrote 
to memory of 2604 2576 ppvdj.exe 39 PID 2576 wrote to memory of 2604 2576 ppvdj.exe 39 PID 2576 wrote to memory of 2604 2576 ppvdj.exe 39 PID 2604 wrote to memory of 1960 2604 bbthth.exe 40 PID 2604 wrote to memory of 1960 2604 bbthth.exe 40 PID 2604 wrote to memory of 1960 2604 bbthth.exe 40 PID 2604 wrote to memory of 1960 2604 bbthth.exe 40 PID 1960 wrote to memory of 576 1960 dvjjv.exe 41 PID 1960 wrote to memory of 576 1960 dvjjv.exe 41 PID 1960 wrote to memory of 576 1960 dvjjv.exe 41 PID 1960 wrote to memory of 576 1960 dvjjv.exe 41 PID 576 wrote to memory of 2760 576 1hntnt.exe 42 PID 576 wrote to memory of 2760 576 1hntnt.exe 42 PID 576 wrote to memory of 2760 576 1hntnt.exe 42 PID 576 wrote to memory of 2760 576 1hntnt.exe 42 PID 2760 wrote to memory of 2432 2760 rlxlrfx.exe 43 PID 2760 wrote to memory of 2432 2760 rlxlrfx.exe 43 PID 2760 wrote to memory of 2432 2760 rlxlrfx.exe 43 PID 2760 wrote to memory of 2432 2760 rlxlrfx.exe 43 PID 2432 wrote to memory of 2780 2432 pvjpd.exe 44 PID 2432 wrote to memory of 2780 2432 pvjpd.exe 44 PID 2432 wrote to memory of 2780 2432 pvjpd.exe 44 PID 2432 wrote to memory of 2780 2432 pvjpd.exe 44 PID 2780 wrote to memory of 1320 2780 5jvdp.exe 45 PID 2780 wrote to memory of 1320 2780 5jvdp.exe 45 PID 2780 wrote to memory of 1320 2780 5jvdp.exe 45 PID 2780 wrote to memory of 1320 2780 5jvdp.exe 45 PID 1320 wrote to memory of 1912 1320 1nhnbh.exe 46 PID 1320 wrote to memory of 1912 1320 1nhnbh.exe 46 PID 1320 wrote to memory of 1912 1320 1nhnbh.exe 46 PID 1320 wrote to memory of 1912 1320 1nhnbh.exe 46
Processes
-
C:\Users\Admin\AppData\Local\Temp\3c4f9104fa72e4b33730906c9de6020a1f5f26df66af099c5d0bb24cac06fe4b.exe"C:\Users\Admin\AppData\Local\Temp\3c4f9104fa72e4b33730906c9de6020a1f5f26df66af099c5d0bb24cac06fe4b.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2024 -
\??\c:\xrlrflx.exec:\xrlrflx.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2128 -
\??\c:\hbbhbh.exec:\hbbhbh.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2224 -
\??\c:\pjvpv.exec:\pjvpv.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1944 -
\??\c:\5btntb.exec:\5btntb.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2660 -
\??\c:\hbhbth.exec:\hbhbth.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2736 -
\??\c:\nnbnnh.exec:\nnbnnh.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2752 -
\??\c:\tttthn.exec:\tttthn.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2860 -
\??\c:\ppvdj.exec:\ppvdj.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2576 -
\??\c:\bbthth.exec:\bbthth.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2604 -
\??\c:\dvjjv.exec:\dvjjv.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1960 -
\??\c:\1hntnt.exec:\1hntnt.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:576 -
\??\c:\rlxlrfx.exec:\rlxlrfx.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2760 -
\??\c:\pvjpd.exec:\pvjpd.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2432 -
\??\c:\5jvdp.exec:\5jvdp.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2780 -
\??\c:\1nhnbh.exec:\1nhnbh.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1320 -
\??\c:\xrlrflx.exec:\xrlrflx.exe17⤵
- Executes dropped EXE
PID:1912 -
\??\c:\tnbbtt.exec:\tnbbtt.exe18⤵
- Executes dropped EXE
PID:2864 -
\??\c:\9vjjp.exec:\9vjjp.exe19⤵
- Executes dropped EXE
PID:2092 -
\??\c:\fxxflfx.exec:\fxxflfx.exe20⤵
- Executes dropped EXE
PID:2708 -
\??\c:\hhhthn.exec:\hhhthn.exe21⤵
- Executes dropped EXE
PID:2124 -
\??\c:\3frrxff.exec:\3frrxff.exe22⤵
- Executes dropped EXE
PID:2216 -
\??\c:\tthhtt.exec:\tthhtt.exe23⤵
- Executes dropped EXE
PID:1644 -
\??\c:\nhthtb.exec:\nhthtb.exe24⤵
- Executes dropped EXE
PID:1496 -
\??\c:\nthhtn.exec:\nthhtn.exe25⤵
- Executes dropped EXE
PID:1636 -
\??\c:\hhbnbh.exec:\hhbnbh.exe26⤵
- Executes dropped EXE
PID:1660 -
\??\c:\pjdjp.exec:\pjdjp.exe27⤵
- Executes dropped EXE
PID:2032 -
\??\c:\1bbtbh.exec:\1bbtbh.exe28⤵
- Executes dropped EXE
PID:568 -
\??\c:\dvjvd.exec:\dvjvd.exe29⤵
- Executes dropped EXE
PID:992 -
\??\c:\hthbbb.exec:\hthbbb.exe30⤵
- Executes dropped EXE
PID:2204 -
\??\c:\9pppp.exec:\9pppp.exe31⤵
- Executes dropped EXE
PID:2452 -
\??\c:\nnhtnb.exec:\nnhtnb.exe32⤵
- Executes dropped EXE
PID:1956 -
\??\c:\hnnbnn.exec:\hnnbnn.exe33⤵PID:280
-
\??\c:\ttnbth.exec:\ttnbth.exe34⤵
- Executes dropped EXE
PID:2040 -
\??\c:\7djvj.exec:\7djvj.exe35⤵
- Executes dropped EXE
PID:2168 -
\??\c:\3tbnbn.exec:\3tbnbn.exe36⤵
- Executes dropped EXE
PID:3064 -
\??\c:\7jpjp.exec:\7jpjp.exe37⤵
- Executes dropped EXE
PID:2756 -
\??\c:\rxxxlxr.exec:\rxxxlxr.exe38⤵
- Executes dropped EXE
PID:2688 -
\??\c:\ffrfrxl.exec:\ffrfrxl.exe39⤵
- Executes dropped EXE
PID:2684 -
\??\c:\nhthth.exec:\nhthth.exe40⤵
- Executes dropped EXE
PID:2404 -
\??\c:\7ddjv.exec:\7ddjv.exe41⤵
- Executes dropped EXE
PID:1992 -
\??\c:\rffrlrl.exec:\rffrlrl.exe42⤵
- Executes dropped EXE
PID:2696 -
\??\c:\7xxlxlx.exec:\7xxlxlx.exe43⤵
- Executes dropped EXE
PID:2564 -
\??\c:\hbthth.exec:\hbthth.exe44⤵
- Executes dropped EXE
PID:2716 -
\??\c:\jjvdj.exec:\jjvdj.exe45⤵
- Executes dropped EXE
PID:2984 -
\??\c:\7fxxffr.exec:\7fxxffr.exe46⤵
- Executes dropped EXE
PID:2996 -
\??\c:\1frxlrx.exec:\1frxlrx.exe47⤵
- Executes dropped EXE
PID:2632 -
\??\c:\hnhhbh.exec:\hnhhbh.exe48⤵
- Executes dropped EXE
PID:2776 -
\??\c:\ppvjd.exec:\ppvjd.exe49⤵
- Executes dropped EXE
PID:1948 -
\??\c:\9frxlrf.exec:\9frxlrf.exe50⤵
- Executes dropped EXE
PID:1524 -
\??\c:\lfxxflf.exec:\lfxxflf.exe51⤵
- Executes dropped EXE
PID:2612 -
\??\c:\nnttbh.exec:\nnttbh.exe52⤵
- Executes dropped EXE
PID:264 -
\??\c:\dvvdv.exec:\dvvdv.exe53⤵
- Executes dropped EXE
PID:1976 -
\??\c:\xfxlrrx.exec:\xfxlrrx.exe54⤵
- Executes dropped EXE
PID:1160 -
\??\c:\thbbhh.exec:\thbbhh.exe55⤵
- Executes dropped EXE
PID:2968 -
\??\c:\bbbhbb.exec:\bbbhbb.exe56⤵
- Executes dropped EXE
PID:2028 -
\??\c:\7rflxfr.exec:\7rflxfr.exe57⤵
- Executes dropped EXE
PID:672 -
\??\c:\rrrxlrx.exec:\rrrxlrx.exe58⤵
- Executes dropped EXE
PID:2100 -
\??\c:\tnbthn.exec:\tnbthn.exe59⤵
- Executes dropped EXE
PID:1016 -
\??\c:\1vjjv.exec:\1vjjv.exe60⤵
- Executes dropped EXE
PID:1092 -
\??\c:\lllxrxr.exec:\lllxrxr.exe61⤵
- Executes dropped EXE
PID:1728 -
\??\c:\nnbnht.exec:\nnbnht.exe62⤵
- Executes dropped EXE
PID:2268 -
\??\c:\bbnthn.exec:\bbnthn.exe63⤵
- Executes dropped EXE
PID:1304 -
\??\c:\jdvpv.exec:\jdvpv.exe64⤵
- Executes dropped EXE
PID:1636 -
\??\c:\lllxrxl.exec:\lllxrxl.exe65⤵
- Executes dropped EXE
PID:2956 -
\??\c:\hbthtb.exec:\hbthtb.exe66⤵
- Executes dropped EXE
PID:2960 -
\??\c:\ntttbn.exec:\ntttbn.exe67⤵PID:544
-
\??\c:\pdvvj.exec:\pdvvj.exe68⤵PID:2412
-
\??\c:\3xflrxr.exec:\3xflrxr.exe69⤵PID:992
-
\??\c:\ttnhnt.exec:\ttnhnt.exe70⤵PID:1856
-
\??\c:\7pjpp.exec:\7pjpp.exe71⤵PID:1156
-
\??\c:\flfxlrr.exec:\flfxlrr.exe72⤵PID:1760
-
\??\c:\lrrffxr.exec:\lrrffxr.exe73⤵PID:2316
-
\??\c:\hhbnhn.exec:\hhbnhn.exe74⤵PID:2156
-
\??\c:\pjdjp.exec:\pjdjp.exe75⤵PID:1736
-
\??\c:\rllxlrx.exec:\rllxlrx.exe76⤵PID:1944
-
\??\c:\9xxfxfr.exec:\9xxfxfr.exe77⤵PID:2796
-
\??\c:\9bhnhh.exec:\9bhnhh.exe78⤵PID:2912
-
\??\c:\1vvjp.exec:\1vvjp.exe79⤵PID:2648
-
\??\c:\rlxfffr.exec:\rlxfffr.exe80⤵PID:2908
-
\??\c:\ttnntb.exec:\ttnntb.exe81⤵PID:2704
-
\??\c:\jpddd.exec:\jpddd.exe82⤵PID:2528
-
\??\c:\pvdvv.exec:\pvdvv.exe83⤵PID:2576
-
\??\c:\xffxxfx.exec:\xffxxfx.exe84⤵PID:1720
-
\??\c:\thhbtb.exec:\thhbtb.exe85⤵PID:652
-
\??\c:\djppv.exec:\djppv.exe86⤵PID:1840
-
\??\c:\dvpvj.exec:\dvpvj.exe87⤵PID:2764
-
\??\c:\ffxlrxl.exec:\ffxlrxl.exe88⤵PID:776
-
\??\c:\1bnbnh.exec:\1bnbnh.exe89⤵PID:1652
-
\??\c:\vppvj.exec:\vppvj.exe90⤵PID:1248
-
\??\c:\ppjvv.exec:\ppjvv.exe91⤵PID:1524
-
\??\c:\fxlxrrl.exec:\fxlxrrl.exe92⤵PID:2036
-
\??\c:\3hbhbb.exec:\3hbhbb.exe93⤵PID:1764
-
\??\c:\3dpvd.exec:\3dpvd.exe94⤵PID:1272
-
\??\c:\5vjjj.exec:\5vjjj.exe95⤵PID:1768
-
\??\c:\7rrfflx.exec:\7rrfflx.exe96⤵PID:1484
-
\??\c:\3tnntb.exec:\3tnntb.exe97⤵PID:2152
-
\??\c:\jdvvd.exec:\jdvvd.exe98⤵PID:672
-
\??\c:\llrfxlf.exec:\llrfxlf.exe99⤵PID:1672
-
\??\c:\rxfrlfx.exec:\rxfrlfx.exe100⤵PID:2248
-
\??\c:\5bthnt.exec:\5bthnt.exe101⤵PID:1092
-
\??\c:\vpjpd.exec:\vpjpd.exe102⤵PID:1496
-
\??\c:\vvppv.exec:\vvppv.exe103⤵PID:1036
-
\??\c:\ffffxxl.exec:\ffffxxl.exe104⤵PID:1028
-
\??\c:\hhhnbb.exec:\hhhnbb.exe105⤵PID:1852
-
\??\c:\ppjpj.exec:\ppjpj.exe106⤵PID:2140
-
\??\c:\9dppv.exec:\9dppv.exe107⤵PID:2424
-
\??\c:\lflxxll.exec:\lflxxll.exe108⤵PID:568
-
\??\c:\jdpvj.exec:\jdpvj.exe109⤵PID:876
-
\??\c:\xrflrxl.exec:\xrflrxl.exe110⤵PID:880
-
\??\c:\lrlfllf.exec:\lrlfllf.exe111⤵PID:2944
-
\??\c:\hbnntt.exec:\hbnntt.exe112⤵PID:1856
-
\??\c:\vdpvd.exec:\vdpvd.exe113⤵PID:2128
-
\??\c:\fllxrfl.exec:\fllxrfl.exe114⤵PID:2320
-
\??\c:\1rlxxfr.exec:\1rlxxfr.exe115⤵PID:1792
-
\??\c:\btthbb.exec:\btthbb.exe116⤵PID:2732
-
\??\c:\5dvdp.exec:\5dvdp.exe117⤵PID:2748
-
\??\c:\ppvdj.exec:\ppvdj.exe118⤵PID:2660
-
\??\c:\1lfrxlr.exec:\1lfrxlr.exe119⤵PID:2824
-
\??\c:\btnhhn.exec:\btnhhn.exe120⤵PID:2568
-
\??\c:\9vpvd.exec:\9vpvd.exe121⤵PID:2648
-
\??\c:\dvjdj.exec:\dvjdj.exe122⤵PID:2852