Analysis
-
max time kernel
150s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
25-12-2024 18:32
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
744c0547c80d08f578001c3442eac16a7e76ca1c3e2210b5324443379d1d5b1d.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
150 seconds
General
-
Target
744c0547c80d08f578001c3442eac16a7e76ca1c3e2210b5324443379d1d5b1d.exe
-
Size
456KB
-
MD5
46c337bdd40d51b105801753017cabed
-
SHA1
5d8bda2facb4d8c7e4ef37aa8598f9c1d0820186
-
SHA256
744c0547c80d08f578001c3442eac16a7e76ca1c3e2210b5324443379d1d5b1d
-
SHA512
546f8a904c8f2ecd3b520c5e6065937013452b716464698e78eb8f1a6e7f21ba271ccc0075e727d561ac90aba9c6be77643c587102b1e9fc6a128c4d956d9ba6
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeRs:q7Tc2NYHUrAwfMp3CDRs
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 46 IoCs
resource yara_rule behavioral1/memory/3048-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2232-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2776-27-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2656-39-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2668-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2688-59-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2560-68-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/812-97-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2788-102-0x0000000000260000-0x000000000028A000-memory.dmp family_blackmoon behavioral1/memory/2888-116-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1548-125-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1620-133-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/532-142-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2488-158-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/1448-173-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2276-188-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2120-197-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1312-215-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/960-226-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2968-244-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1556-253-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon 
behavioral1/memory/2632-279-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1792-304-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/1604-321-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2752-327-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2820-342-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2664-356-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2728-397-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1700-398-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/664-411-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2000-418-0x0000000000250000-0x000000000027A000-memory.dmp family_blackmoon behavioral1/memory/2000-419-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1292-426-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2072-452-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1292-453-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/2404-460-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2172-467-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2936-471-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2172-489-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2632-572-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1844-573-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/1600-600-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon 
behavioral1/memory/2604-643-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2844-672-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2004-704-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/2296-710-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2232 jjddp.exe 2776 5lllffl.exe 2656 bttbnt.exe 2668 rflfxrr.exe 2688 xrxfxfl.exe 2560 dvppd.exe 3024 dvpvp.exe 1696 ntntnb.exe 812 3vjvd.exe 2788 bnhbbb.exe 2888 jjdjd.exe 1548 9thnnt.exe 1620 jjvvp.exe 532 xrfxxrl.exe 1432 3jpvj.exe 2488 bnbbnn.exe 1396 dpdvv.exe 1448 3ttbth.exe 2276 ddppj.exe 2120 nhtbhn.exe 964 bbntnt.exe 1312 bnhntb.exe 960 bbhnbh.exe 1540 rrllrlx.exe 2968 dvpvd.exe 1556 5rlxxlr.exe 2636 5hhthn.exe 2068 fxxlxxr.exe 2632 tnbntt.exe 2036 ffxxflf.exe 1988 1htthn.exe 1792 1rllxfr.exe 2700 5lfrlrf.exe 1604 pjvvj.exe 2752 9fxxrxf.exe 2836 hbtttb.exe 2820 nhbntb.exe 2656 ddjvj.exe 2664 rlflrxl.exe 2688 hhhttt.exe 2564 9vdjp.exe 2992 rxrfrxl.exe 1944 nhbbnt.exe 2620 hnthbt.exe 2728 vvpvd.exe 1700 xfxlffx.exe 664 3tthtb.exe 2000 pvpvj.exe 2020 dddjv.exe 1292 7fxfrxr.exe 532 bbntnn.exe 1248 vpvdd.exe 2072 fflxxrr.exe 2404 1bnnhh.exe 2172 tnhntb.exe 2936 1jvdj.exe 1080 1lrxflx.exe 1628 hthntt.exe 1140 9dvvj.exe 1648 5fxflfl.exe 848 rlllrxf.exe 2940 tntthb.exe 1672 jdpvd.exe 1584 jpvvd.exe -
resource yara_rule behavioral1/memory/3048-0-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3048-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2232-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2776-27-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2656-39-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2668-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2688-50-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2560-60-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2688-59-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2560-68-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1696-79-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/812-97-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1548-117-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2888-116-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1548-125-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1620-133-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/532-142-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2488-155-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1448-173-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2276-188-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2120-197-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1312-215-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/960-226-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2968-244-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2632-279-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1792-297-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1604-321-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2752-327-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2820-342-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2664-356-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2728-397-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1700-398-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/664-411-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2000-419-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1292-426-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2072-452-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2172-467-0x00000000001B0000-0x00000000001DA000-memory.dmp upx behavioral1/memory/1660-533-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2632-572-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2604-636-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2604-643-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2844-672-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1784-685-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llffrlx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9vpvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdjdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1htnbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htntbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbhntb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrfxxrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdvdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhbntb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjjpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5rlxxlr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3048 wrote to memory of 2232 3048 744c0547c80d08f578001c3442eac16a7e76ca1c3e2210b5324443379d1d5b1d.exe 30 PID 3048 wrote to memory of 2232 3048 744c0547c80d08f578001c3442eac16a7e76ca1c3e2210b5324443379d1d5b1d.exe 30 PID 3048 wrote to memory of 2232 3048 744c0547c80d08f578001c3442eac16a7e76ca1c3e2210b5324443379d1d5b1d.exe 30 PID 3048 wrote to memory of 2232 3048 744c0547c80d08f578001c3442eac16a7e76ca1c3e2210b5324443379d1d5b1d.exe 30 PID 2232 wrote to memory of 2776 2232 jjddp.exe 31 PID 2232 wrote to memory of 2776 2232 jjddp.exe 31 PID 2232 wrote to memory of 2776 2232 jjddp.exe 31 PID 2232 wrote to memory of 2776 2232 jjddp.exe 31 PID 2776 wrote to memory of 2656 2776 5lllffl.exe 32 PID 2776 wrote to memory of 2656 2776 5lllffl.exe 32 PID 2776 wrote to memory of 2656 2776 5lllffl.exe 32 PID 2776 wrote to memory of 2656 2776 5lllffl.exe 32 PID 2656 wrote to memory of 2668 2656 bttbnt.exe 33 PID 2656 wrote to memory of 2668 2656 bttbnt.exe 33 PID 2656 wrote to memory of 2668 2656 bttbnt.exe 33 PID 2656 wrote to memory of 2668 2656 bttbnt.exe 33 PID 2668 wrote to memory of 2688 2668 rflfxrr.exe 34 PID 2668 wrote to memory of 2688 2668 rflfxrr.exe 34 PID 2668 wrote to memory of 2688 2668 rflfxrr.exe 34 PID 2668 wrote to memory of 2688 2668 rflfxrr.exe 34 PID 2688 wrote to memory of 2560 2688 xrxfxfl.exe 35 PID 2688 wrote to memory of 2560 2688 xrxfxfl.exe 35 PID 2688 wrote to memory of 2560 2688 xrxfxfl.exe 35 PID 2688 wrote to memory of 2560 2688 xrxfxfl.exe 35 PID 2560 wrote to memory of 3024 2560 dvppd.exe 36 PID 2560 wrote to memory of 3024 2560 dvppd.exe 36 PID 2560 wrote to memory of 3024 2560 dvppd.exe 36 PID 2560 wrote to memory of 3024 2560 dvppd.exe 36 PID 3024 wrote to memory of 1696 3024 dvpvp.exe 37 PID 3024 wrote to memory of 1696 3024 dvpvp.exe 37 PID 3024 wrote to memory of 1696 3024 dvpvp.exe 37 PID 3024 wrote to memory of 1696 3024 dvpvp.exe 37 PID 1696 wrote to memory of 812 1696 ntntnb.exe 38 PID 1696 wrote 
to memory of 812 1696 ntntnb.exe 38 PID 1696 wrote to memory of 812 1696 ntntnb.exe 38 PID 1696 wrote to memory of 812 1696 ntntnb.exe 38 PID 812 wrote to memory of 2788 812 3vjvd.exe 39 PID 812 wrote to memory of 2788 812 3vjvd.exe 39 PID 812 wrote to memory of 2788 812 3vjvd.exe 39 PID 812 wrote to memory of 2788 812 3vjvd.exe 39 PID 2788 wrote to memory of 2888 2788 bnhbbb.exe 40 PID 2788 wrote to memory of 2888 2788 bnhbbb.exe 40 PID 2788 wrote to memory of 2888 2788 bnhbbb.exe 40 PID 2788 wrote to memory of 2888 2788 bnhbbb.exe 40 PID 2888 wrote to memory of 1548 2888 jjdjd.exe 41 PID 2888 wrote to memory of 1548 2888 jjdjd.exe 41 PID 2888 wrote to memory of 1548 2888 jjdjd.exe 41 PID 2888 wrote to memory of 1548 2888 jjdjd.exe 41 PID 1548 wrote to memory of 1620 1548 9thnnt.exe 42 PID 1548 wrote to memory of 1620 1548 9thnnt.exe 42 PID 1548 wrote to memory of 1620 1548 9thnnt.exe 42 PID 1548 wrote to memory of 1620 1548 9thnnt.exe 42 PID 1620 wrote to memory of 532 1620 jjvvp.exe 43 PID 1620 wrote to memory of 532 1620 jjvvp.exe 43 PID 1620 wrote to memory of 532 1620 jjvvp.exe 43 PID 1620 wrote to memory of 532 1620 jjvvp.exe 43 PID 532 wrote to memory of 1432 532 xrfxxrl.exe 44 PID 532 wrote to memory of 1432 532 xrfxxrl.exe 44 PID 532 wrote to memory of 1432 532 xrfxxrl.exe 44 PID 532 wrote to memory of 1432 532 xrfxxrl.exe 44 PID 1432 wrote to memory of 2488 1432 3jpvj.exe 45 PID 1432 wrote to memory of 2488 1432 3jpvj.exe 45 PID 1432 wrote to memory of 2488 1432 3jpvj.exe 45 PID 1432 wrote to memory of 2488 1432 3jpvj.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\744c0547c80d08f578001c3442eac16a7e76ca1c3e2210b5324443379d1d5b1d.exe"C:\Users\Admin\AppData\Local\Temp\744c0547c80d08f578001c3442eac16a7e76ca1c3e2210b5324443379d1d5b1d.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3048 -
\??\c:\jjddp.exec:\jjddp.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2232 -
\??\c:\5lllffl.exec:\5lllffl.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2776 -
\??\c:\bttbnt.exec:\bttbnt.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2656 -
\??\c:\rflfxrr.exec:\rflfxrr.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2668 -
\??\c:\xrxfxfl.exec:\xrxfxfl.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2688 -
\??\c:\dvppd.exec:\dvppd.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2560 -
\??\c:\dvpvp.exec:\dvpvp.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3024 -
\??\c:\ntntnb.exec:\ntntnb.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1696 -
\??\c:\3vjvd.exec:\3vjvd.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:812 -
\??\c:\bnhbbb.exec:\bnhbbb.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2788 -
\??\c:\jjdjd.exec:\jjdjd.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2888 -
\??\c:\9thnnt.exec:\9thnnt.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1548 -
\??\c:\jjvvp.exec:\jjvvp.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1620 -
\??\c:\xrfxxrl.exec:\xrfxxrl.exe15⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:532 -
\??\c:\3jpvj.exec:\3jpvj.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1432 -
\??\c:\bnbbnn.exec:\bnbbnn.exe17⤵
- Executes dropped EXE
PID:2488 -
\??\c:\dpdvv.exec:\dpdvv.exe18⤵
- Executes dropped EXE
PID:1396 -
\??\c:\3ttbth.exec:\3ttbth.exe19⤵
- Executes dropped EXE
PID:1448 -
\??\c:\ddppj.exec:\ddppj.exe20⤵
- Executes dropped EXE
PID:2276 -
\??\c:\nhtbhn.exec:\nhtbhn.exe21⤵
- Executes dropped EXE
PID:2120 -
\??\c:\bbntnt.exec:\bbntnt.exe22⤵
- Executes dropped EXE
PID:964 -
\??\c:\bnhntb.exec:\bnhntb.exe23⤵
- Executes dropped EXE
PID:1312 -
\??\c:\bbhnbh.exec:\bbhnbh.exe24⤵
- Executes dropped EXE
PID:960 -
\??\c:\rrllrlx.exec:\rrllrlx.exe25⤵
- Executes dropped EXE
PID:1540 -
\??\c:\dvpvd.exec:\dvpvd.exe26⤵
- Executes dropped EXE
PID:2968 -
\??\c:\5rlxxlr.exec:\5rlxxlr.exe27⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1556 -
\??\c:\5hhthn.exec:\5hhthn.exe28⤵
- Executes dropped EXE
PID:2636 -
\??\c:\fxxlxxr.exec:\fxxlxxr.exe29⤵
- Executes dropped EXE
PID:2068 -
\??\c:\tnbntt.exec:\tnbntt.exe30⤵
- Executes dropped EXE
PID:2632 -
\??\c:\ffxxflf.exec:\ffxxflf.exe31⤵
- Executes dropped EXE
PID:2036 -
\??\c:\1htthn.exec:\1htthn.exe32⤵
- Executes dropped EXE
PID:1988 -
\??\c:\1rllxfr.exec:\1rllxfr.exe33⤵
- Executes dropped EXE
PID:1792 -
\??\c:\5lfrlrf.exec:\5lfrlrf.exe34⤵
- Executes dropped EXE
PID:2700 -
\??\c:\pjvvj.exec:\pjvvj.exe35⤵
- Executes dropped EXE
PID:1604 -
\??\c:\9fxxrxf.exec:\9fxxrxf.exe36⤵
- Executes dropped EXE
PID:2752 -
\??\c:\hbtttb.exec:\hbtttb.exe37⤵
- Executes dropped EXE
PID:2836 -
\??\c:\nhbntb.exec:\nhbntb.exe38⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2820 -
\??\c:\ddjvj.exec:\ddjvj.exe39⤵
- Executes dropped EXE
PID:2656 -
\??\c:\rlflrxl.exec:\rlflrxl.exe40⤵
- Executes dropped EXE
PID:2664 -
\??\c:\hhhttt.exec:\hhhttt.exe41⤵
- Executes dropped EXE
PID:2688 -
\??\c:\9vdjp.exec:\9vdjp.exe42⤵
- Executes dropped EXE
PID:2564 -
\??\c:\rxrfrxl.exec:\rxrfrxl.exe43⤵
- Executes dropped EXE
PID:2992 -
\??\c:\nhbbnt.exec:\nhbbnt.exe44⤵
- Executes dropped EXE
PID:1944 -
\??\c:\hnthbt.exec:\hnthbt.exe45⤵
- Executes dropped EXE
PID:2620 -
\??\c:\vvpvd.exec:\vvpvd.exe46⤵
- Executes dropped EXE
PID:2728 -
\??\c:\xfxlffx.exec:\xfxlffx.exe47⤵
- Executes dropped EXE
PID:1700 -
\??\c:\3tthtb.exec:\3tthtb.exe48⤵
- Executes dropped EXE
PID:664 -
\??\c:\pvpvj.exec:\pvpvj.exe49⤵
- Executes dropped EXE
PID:2000 -
\??\c:\dddjv.exec:\dddjv.exe50⤵
- Executes dropped EXE
PID:2020 -
\??\c:\7fxfrxr.exec:\7fxfrxr.exe51⤵
- Executes dropped EXE
PID:1292 -
\??\c:\bbntnn.exec:\bbntnn.exe52⤵
- Executes dropped EXE
PID:532 -
\??\c:\vpvdd.exec:\vpvdd.exe53⤵
- Executes dropped EXE
PID:1248 -
\??\c:\fflxxrr.exec:\fflxxrr.exe54⤵
- Executes dropped EXE
PID:2072 -
\??\c:\1bnnhh.exec:\1bnnhh.exe55⤵
- Executes dropped EXE
PID:2404 -
\??\c:\tnhntb.exec:\tnhntb.exe56⤵
- Executes dropped EXE
PID:2172 -
\??\c:\1jvdj.exec:\1jvdj.exe57⤵
- Executes dropped EXE
PID:2936 -
\??\c:\1lrxflx.exec:\1lrxflx.exe58⤵
- Executes dropped EXE
PID:1080 -
\??\c:\hthntt.exec:\hthntt.exe59⤵
- Executes dropped EXE
PID:1628 -
\??\c:\9dvvj.exec:\9dvvj.exe60⤵
- Executes dropped EXE
PID:1140 -
\??\c:\5fxflfl.exec:\5fxflfl.exe61⤵
- Executes dropped EXE
PID:1648 -
\??\c:\rlllrxf.exec:\rlllrxf.exe62⤵
- Executes dropped EXE
PID:848 -
\??\c:\tntthb.exec:\tntthb.exe63⤵
- Executes dropped EXE
PID:2940 -
\??\c:\jdpvd.exec:\jdpvd.exe64⤵
- Executes dropped EXE
PID:1672 -
\??\c:\jpvvd.exec:\jpvvd.exe65⤵
- Executes dropped EXE
PID:1584 -
\??\c:\xrlrrrr.exec:\xrlrrrr.exe66⤵PID:1720
-
\??\c:\1bthtb.exec:\1bthtb.exe67⤵PID:1660
-
\??\c:\pjvdj.exec:\pjvdj.exe68⤵PID:3008
-
\??\c:\frffxlr.exec:\frffxlr.exe69⤵PID:1844
-
\??\c:\7xrrxxl.exec:\7xrrxxl.exe70⤵PID:1624
-
\??\c:\ttthtb.exec:\ttthtb.exe71⤵PID:1492
-
\??\c:\7dpjp.exec:\7dpjp.exe72⤵PID:2632
-
\??\c:\lfrxfxf.exec:\lfrxfxf.exe73⤵PID:1224
-
\??\c:\9tttbb.exec:\9tttbb.exe74⤵PID:1280
-
\??\c:\1hhntn.exec:\1hhntn.exe75⤵PID:2680
-
\??\c:\dvjvd.exec:\dvjvd.exe76⤵PID:1600
-
\??\c:\3xxxlrl.exec:\3xxxlrl.exe77⤵PID:2704
-
\??\c:\ttthth.exec:\ttthth.exe78⤵PID:2696
-
\??\c:\pjvdp.exec:\pjvdp.exe79⤵PID:2380
-
\??\c:\7pvdd.exec:\7pvdd.exe80⤵PID:2856
-
\??\c:\3fffxxf.exec:\3fffxxf.exe81⤵PID:2668
-
\??\c:\hbnthn.exec:\hbnthn.exe82⤵PID:2604
-
\??\c:\vjdjv.exec:\vjdjv.exe83⤵PID:2624
-
\??\c:\9vddj.exec:\9vddj.exe84⤵PID:2628
-
\??\c:\lxlrfff.exec:\lxlrfff.exe85⤵PID:1744
-
\??\c:\9nnbtb.exec:\9nnbtb.exe86⤵PID:880
-
\??\c:\vvjvv.exec:\vvjvv.exe87⤵PID:2844
-
\??\c:\vddpj.exec:\vddpj.exe88⤵PID:1320
-
\??\c:\rrlxlrl.exec:\rrlxlrl.exe89⤵PID:1784
-
\??\c:\thnbnb.exec:\thnbnb.exe90⤵PID:1708
-
\??\c:\5dvdj.exec:\5dvdj.exe91⤵PID:2004
-
\??\c:\jjjpd.exec:\jjjpd.exe92⤵
- System Location Discovery: System Language Discovery
PID:2296 -
\??\c:\7fxflrf.exec:\7fxflrf.exe93⤵PID:320
-
\??\c:\hnhthh.exec:\hnhthh.exe94⤵PID:1756
-
\??\c:\ttbntb.exec:\ttbntb.exe95⤵PID:1432
-
\??\c:\7dvdj.exec:\7dvdj.exe96⤵PID:1992
-
\??\c:\ffxlxlr.exec:\ffxlxlr.exe97⤵PID:2156
-
\??\c:\thbbtb.exec:\thbbtb.exe98⤵PID:2384
-
\??\c:\hththn.exec:\hththn.exe99⤵PID:1448
-
\??\c:\vpdpv.exec:\vpdpv.exe100⤵PID:1776
-
\??\c:\fxrrrlx.exec:\fxrrrlx.exe101⤵PID:2120
-
\??\c:\lxlxrrl.exec:\lxlxrrl.exe102⤵PID:1400
-
\??\c:\1hbnhh.exec:\1hbnhh.exe103⤵PID:964
-
\??\c:\5djvj.exec:\5djvj.exe104⤵PID:1960
-
\??\c:\dvjpv.exec:\dvjpv.exe105⤵PID:1340
-
\??\c:\rxxxxrl.exec:\rxxxxrl.exe106⤵PID:1552
-
\??\c:\nbtnnn.exec:\nbtnnn.exe107⤵PID:1728
-
\??\c:\1nhbtb.exec:\1nhbtb.exe108⤵PID:1352
-
\??\c:\1pjvj.exec:\1pjvj.exe109⤵PID:3012
-
\??\c:\lxxxllf.exec:\lxxxllf.exe110⤵PID:1556
-
\??\c:\xxrfrxl.exec:\xxrfrxl.exe111⤵PID:536
-
\??\c:\tnnhnn.exec:\tnnhnn.exe112⤵PID:2440
-
\??\c:\vvpjd.exec:\vvpjd.exe113⤵PID:1120
-
\??\c:\rrlxffx.exec:\rrlxffx.exe114⤵PID:892
-
\??\c:\7nnbnt.exec:\7nnbnt.exe115⤵PID:3056
-
\??\c:\jjdvj.exec:\jjdvj.exe116⤵PID:2996
-
\??\c:\rrlrflx.exec:\rrlrflx.exe117⤵PID:2732
-
\??\c:\btnbnn.exec:\btnbnn.exe118⤵PID:2700
-
\??\c:\1dppp.exec:\1dppp.exe119⤵PID:2816
-
\??\c:\dpjpd.exec:\dpjpd.exe120⤵PID:2660
-
\??\c:\rffrxxx.exec:\rffrxxx.exe121⤵PID:2224
-
\??\c:\nhbhnn.exec:\nhbhnn.exe122⤵PID:2584