Analysis
-
max time kernel
120s -
max time network
17s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
25-12-2024 18:55
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
3810c3edcd59f3d1a4555d1a2890d7035192a4a9e9629075c0e79f545ed12a54N.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
120 seconds
General
-
Target
3810c3edcd59f3d1a4555d1a2890d7035192a4a9e9629075c0e79f545ed12a54N.exe
-
Size
454KB
-
MD5
528f84480d653807a0f2394988ef0b00
-
SHA1
096ce2e11ffa53ce35075caad39f4ba11c76e820
-
SHA256
3810c3edcd59f3d1a4555d1a2890d7035192a4a9e9629075c0e79f545ed12a54
-
SHA512
eed86ae51c72f36a54c2ac4f7443dc070ba94d834d491db0d768bda66dd60064ced7873fa9c25c4f5d9b07d9f0461e97bf964f800bd2b83a901a85082c4ae874
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeN:q7Tc2NYHUrAwfMp3CDN
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 45 IoCs
resource yara_rule behavioral1/memory/1952-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2364-9-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2504-28-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3064-38-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2864-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2712-57-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2960-67-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2820-76-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2576-102-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/580-120-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2648-110-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2472-140-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1936-157-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/1936-156-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2004-165-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2268-174-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2224-184-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1196-225-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1520-269-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2448-278-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2860-310-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/3000-330-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2764-355-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2620-380-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1028-393-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1732-420-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2892-446-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1864-465-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/1592-643-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2196-861-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/1516-1047-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2016-1116-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1596-1054-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/776-1015-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/3036-935-0x00000000002A0000-0x00000000002CA000-memory.dmp family_blackmoon behavioral1/memory/2516-793-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2260-725-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2920-650-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1268-503-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/376-427-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2816-400-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1812-287-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/1800-251-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1976-1218-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1060-1373-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1952 3vddp.exe 2504 xxlrxlf.exe 3064 1bhnbb.exe 2864 1xxrrxx.exe 2712 tbnnbb.exe 2960 jjvdv.exe 2820 9lfffll.exe 2852 1nbhnt.exe 2792 pjvvd.exe 2576 hhbbhh.exe 2648 pjvdp.exe 580 jvjjd.exe 2756 xxrxfff.exe 2472 jjdvj.exe 888 3ffxffr.exe 1936 9xrxflx.exe 2004 nnhntt.exe 2268 fxffllx.exe 2224 5vpdp.exe 1108 5htthn.exe 2972 9thhnn.exe 988 dvjpp.exe 1628 rlxrxxf.exe 1196 nhhntt.exe 1708 5ppjj.exe 620 htnttn.exe 1800 jjvdv.exe 2360 rfxxfll.exe 1520 9bttnn.exe 2448 tthhnb.exe 1812 dvpvj.exe 2376 thbhbh.exe 2532 hbtthh.exe 2860 pjvvj.exe 2276 fxrxllx.exe 1656 bbbthn.exe 3000 1tnntb.exe 3052 pjdjp.exe 1056 rxrlllx.exe 2800 fxxlrxf.exe 2764 bhtnht.exe 2948 hhtbnn.exe 2736 jvdvv.exe 2304 pdpvj.exe 2620 5frrfrx.exe 2692 1btbbb.exe 1028 9htnnh.exe 2816 pjjjp.exe 3028 pppvv.exe 1648 lxxlxxx.exe 1732 rxxrfll.exe 376 nhbbnt.exe 1992 pjppp.exe 2900 pdvvd.exe 2892 3rxffxl.exe 2260 xrrffll.exe 1760 nbnhnb.exe 1864 3vdvd.exe 2560 1djpv.exe 776 xrllxxr.exe 2976 fxrflrf.exe 956 thbbbb.exe 1324 tnttth.exe 1268 dvjpp.exe -
resource yara_rule behavioral1/memory/1952-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2364-9-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3064-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2504-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3064-38-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2864-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2712-57-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2960-67-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2820-76-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2576-102-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2756-121-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/580-120-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2648-110-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2472-140-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2004-165-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2268-174-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2224-184-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1196-225-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1520-269-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2448-278-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2376-289-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2860-303-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2276-311-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2860-310-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/3000-330-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2764-355-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2620-380-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1028-393-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1732-420-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2892-446-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2580-1180-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2896-1199-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1320-1067-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2516-793-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1776-780-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2260-725-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1268-503-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/376-427-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1648-407-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2816-400-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1812-287-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1800-251-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1976-1218-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1388-1231-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2220-1344-0x00000000003C0000-0x00000000003EA000-memory.dmp upx behavioral1/memory/592-1354-0x0000000000220000-0x000000000024A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3rxffxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5dppp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrlxffr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppdjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9xrrlll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvvvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxxfrrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process 
not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3frlrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7frrxxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tttbnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2364 wrote to memory of 1952 2364 3810c3edcd59f3d1a4555d1a2890d7035192a4a9e9629075c0e79f545ed12a54N.exe 30 PID 2364 wrote to memory of 1952 2364 3810c3edcd59f3d1a4555d1a2890d7035192a4a9e9629075c0e79f545ed12a54N.exe 30 PID 2364 wrote to memory of 1952 2364 3810c3edcd59f3d1a4555d1a2890d7035192a4a9e9629075c0e79f545ed12a54N.exe 30 PID 2364 wrote to memory of 1952 2364 3810c3edcd59f3d1a4555d1a2890d7035192a4a9e9629075c0e79f545ed12a54N.exe 30 PID 1952 wrote to memory of 2504 1952 3vddp.exe 31 PID 1952 wrote to memory of 2504 1952 3vddp.exe 31 PID 1952 wrote to memory of 2504 1952 3vddp.exe 31 PID 1952 wrote to memory of 2504 1952 3vddp.exe 31 PID 2504 wrote to memory of 3064 2504 xxlrxlf.exe 32 PID 2504 wrote to memory of 3064 2504 xxlrxlf.exe 32 PID 2504 wrote to memory of 3064 2504 xxlrxlf.exe 32 PID 2504 wrote to memory of 3064 2504 xxlrxlf.exe 32 PID 3064 wrote to memory of 2864 3064 1bhnbb.exe 33 PID 3064 wrote to memory of 2864 3064 1bhnbb.exe 33 PID 3064 wrote to memory of 2864 3064 1bhnbb.exe 33 PID 3064 wrote to memory of 2864 3064 1bhnbb.exe 33 PID 2864 wrote to memory of 2712 2864 1xxrrxx.exe 34 PID 2864 wrote to memory of 2712 2864 1xxrrxx.exe 34 PID 2864 wrote to memory of 2712 2864 1xxrrxx.exe 34 PID 2864 wrote to memory of 2712 2864 1xxrrxx.exe 34 PID 2712 wrote to memory of 2960 2712 tbnnbb.exe 35 PID 2712 wrote to memory of 2960 2712 tbnnbb.exe 35 PID 2712 wrote to memory of 2960 2712 tbnnbb.exe 35 PID 2712 wrote to memory of 2960 2712 tbnnbb.exe 35 PID 2960 wrote to memory of 2820 2960 jjvdv.exe 36 PID 2960 wrote to memory of 2820 2960 jjvdv.exe 36 PID 2960 wrote to memory of 2820 2960 jjvdv.exe 36 PID 2960 wrote to memory of 2820 2960 jjvdv.exe 36 PID 2820 wrote to memory of 2852 2820 9lfffll.exe 158 PID 2820 wrote to memory of 2852 2820 9lfffll.exe 158 PID 2820 wrote to memory of 2852 2820 9lfffll.exe 158 PID 2820 wrote to memory of 2852 2820 9lfffll.exe 158 PID 2852 wrote to memory of 2792 2852 1nbhnt.exe 38 
PID 2852 wrote to memory of 2792 2852 1nbhnt.exe 38 PID 2852 wrote to memory of 2792 2852 1nbhnt.exe 38 PID 2852 wrote to memory of 2792 2852 1nbhnt.exe 38 PID 2792 wrote to memory of 2576 2792 pjvvd.exe 119 PID 2792 wrote to memory of 2576 2792 pjvvd.exe 119 PID 2792 wrote to memory of 2576 2792 pjvvd.exe 119 PID 2792 wrote to memory of 2576 2792 pjvvd.exe 119 PID 2576 wrote to memory of 2648 2576 hhbbhh.exe 40 PID 2576 wrote to memory of 2648 2576 hhbbhh.exe 40 PID 2576 wrote to memory of 2648 2576 hhbbhh.exe 40 PID 2576 wrote to memory of 2648 2576 hhbbhh.exe 40 PID 2648 wrote to memory of 580 2648 pjvdp.exe 121 PID 2648 wrote to memory of 580 2648 pjvdp.exe 121 PID 2648 wrote to memory of 580 2648 pjvdp.exe 121 PID 2648 wrote to memory of 580 2648 pjvdp.exe 121 PID 580 wrote to memory of 2756 580 jvjjd.exe 42 PID 580 wrote to memory of 2756 580 jvjjd.exe 42 PID 580 wrote to memory of 2756 580 jvjjd.exe 42 PID 580 wrote to memory of 2756 580 jvjjd.exe 42 PID 2756 wrote to memory of 2472 2756 xxrxfff.exe 43 PID 2756 wrote to memory of 2472 2756 xxrxfff.exe 43 PID 2756 wrote to memory of 2472 2756 xxrxfff.exe 43 PID 2756 wrote to memory of 2472 2756 xxrxfff.exe 43 PID 2472 wrote to memory of 888 2472 jjdvj.exe 168 PID 2472 wrote to memory of 888 2472 jjdvj.exe 168 PID 2472 wrote to memory of 888 2472 jjdvj.exe 168 PID 2472 wrote to memory of 888 2472 jjdvj.exe 168 PID 888 wrote to memory of 1936 888 3ffxffr.exe 126 PID 888 wrote to memory of 1936 888 3ffxffr.exe 126 PID 888 wrote to memory of 1936 888 3ffxffr.exe 126 PID 888 wrote to memory of 1936 888 3ffxffr.exe 126
Processes
-
C:\Users\Admin\AppData\Local\Temp\3810c3edcd59f3d1a4555d1a2890d7035192a4a9e9629075c0e79f545ed12a54N.exe"C:\Users\Admin\AppData\Local\Temp\3810c3edcd59f3d1a4555d1a2890d7035192a4a9e9629075c0e79f545ed12a54N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2364 -
\??\c:\3vddp.exec:\3vddp.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1952 -
\??\c:\xxlrxlf.exec:\xxlrxlf.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2504 -
\??\c:\1bhnbb.exec:\1bhnbb.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3064 -
\??\c:\1xxrrxx.exec:\1xxrrxx.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2864 -
\??\c:\tbnnbb.exec:\tbnnbb.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2712 -
\??\c:\jjvdv.exec:\jjvdv.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2960 -
\??\c:\9lfffll.exec:\9lfffll.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2820 -
\??\c:\1nbhnt.exec:\1nbhnt.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2852 -
\??\c:\pjvvd.exec:\pjvvd.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2792 -
\??\c:\hhbbhh.exec:\hhbbhh.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2576 -
\??\c:\pjvdp.exec:\pjvdp.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2648 -
\??\c:\jvjjd.exec:\jvjjd.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:580 -
\??\c:\xxrxfff.exec:\xxrxfff.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2756 -
\??\c:\jjdvj.exec:\jjdvj.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2472 -
\??\c:\3ffxffr.exec:\3ffxffr.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:888 -
\??\c:\9xrxflx.exec:\9xrxflx.exe17⤵
- Executes dropped EXE
PID:1936 -
\??\c:\nnhntt.exec:\nnhntt.exe18⤵
- Executes dropped EXE
PID:2004 -
\??\c:\fxffllx.exec:\fxffllx.exe19⤵
- Executes dropped EXE
PID:2268 -
\??\c:\5vpdp.exec:\5vpdp.exe20⤵
- Executes dropped EXE
PID:2224 -
\??\c:\5htthn.exec:\5htthn.exe21⤵
- Executes dropped EXE
PID:1108 -
\??\c:\9thhnn.exec:\9thhnn.exe22⤵
- Executes dropped EXE
PID:2972 -
\??\c:\dvjpp.exec:\dvjpp.exe23⤵
- Executes dropped EXE
PID:988 -
\??\c:\rlxrxxf.exec:\rlxrxxf.exe24⤵
- Executes dropped EXE
PID:1628 -
\??\c:\nhhntt.exec:\nhhntt.exe25⤵
- Executes dropped EXE
PID:1196 -
\??\c:\5ppjj.exec:\5ppjj.exe26⤵
- Executes dropped EXE
PID:1708 -
\??\c:\htnttn.exec:\htnttn.exe27⤵
- Executes dropped EXE
PID:620 -
\??\c:\jjvdv.exec:\jjvdv.exe28⤵
- Executes dropped EXE
PID:1800 -
\??\c:\rfxxfll.exec:\rfxxfll.exe29⤵
- Executes dropped EXE
PID:2360 -
\??\c:\9bttnn.exec:\9bttnn.exe30⤵
- Executes dropped EXE
PID:1520 -
\??\c:\tthhnb.exec:\tthhnb.exe31⤵
- Executes dropped EXE
PID:2448 -
\??\c:\dvpvj.exec:\dvpvj.exe32⤵
- Executes dropped EXE
PID:1812 -
\??\c:\thbhbh.exec:\thbhbh.exe33⤵
- Executes dropped EXE
PID:2376 -
\??\c:\hbtthh.exec:\hbtthh.exe34⤵
- Executes dropped EXE
PID:2532 -
\??\c:\pjvvj.exec:\pjvvj.exe35⤵
- Executes dropped EXE
PID:2860 -
\??\c:\fxrxllx.exec:\fxrxllx.exe36⤵
- Executes dropped EXE
PID:2276 -
\??\c:\bbbthn.exec:\bbbthn.exe37⤵
- Executes dropped EXE
PID:1656 -
\??\c:\1tnntb.exec:\1tnntb.exe38⤵
- Executes dropped EXE
PID:3000 -
\??\c:\pjdjp.exec:\pjdjp.exe39⤵
- Executes dropped EXE
PID:3052 -
\??\c:\rxrlllx.exec:\rxrlllx.exe40⤵
- Executes dropped EXE
PID:1056 -
\??\c:\fxxlrxf.exec:\fxxlrxf.exe41⤵
- Executes dropped EXE
PID:2800 -
\??\c:\bhtnht.exec:\bhtnht.exe42⤵
- Executes dropped EXE
PID:2764 -
\??\c:\hhtbnn.exec:\hhtbnn.exe43⤵
- Executes dropped EXE
PID:2948 -
\??\c:\jvdvv.exec:\jvdvv.exe44⤵
- Executes dropped EXE
PID:2736 -
\??\c:\pdpvj.exec:\pdpvj.exe45⤵
- Executes dropped EXE
PID:2304 -
\??\c:\5frrfrx.exec:\5frrfrx.exe46⤵
- Executes dropped EXE
PID:2620 -
\??\c:\1btbbb.exec:\1btbbb.exe47⤵
- Executes dropped EXE
PID:2692 -
\??\c:\9htnnh.exec:\9htnnh.exe48⤵
- Executes dropped EXE
PID:1028 -
\??\c:\pjjjp.exec:\pjjjp.exe49⤵
- Executes dropped EXE
PID:2816 -
\??\c:\pppvv.exec:\pppvv.exe50⤵
- Executes dropped EXE
PID:3028 -
\??\c:\lxxlxxx.exec:\lxxlxxx.exe51⤵
- Executes dropped EXE
PID:1648 -
\??\c:\rxxrfll.exec:\rxxrfll.exe52⤵
- Executes dropped EXE
PID:1732 -
\??\c:\nhbbnt.exec:\nhbbnt.exe53⤵
- Executes dropped EXE
PID:376 -
\??\c:\pjppp.exec:\pjppp.exe54⤵
- Executes dropped EXE
PID:1992 -
\??\c:\pdvvd.exec:\pdvvd.exe55⤵
- Executes dropped EXE
PID:2900 -
\??\c:\3rxffxl.exec:\3rxffxl.exe56⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2892 -
\??\c:\xrrffll.exec:\xrrffll.exe57⤵
- Executes dropped EXE
PID:2260 -
\??\c:\nbnhnb.exec:\nbnhnb.exe58⤵
- Executes dropped EXE
PID:1760 -
\??\c:\3vdvd.exec:\3vdvd.exe59⤵
- Executes dropped EXE
PID:1864 -
\??\c:\1djpv.exec:\1djpv.exe60⤵
- Executes dropped EXE
PID:2560 -
\??\c:\xrllxxr.exec:\xrllxxr.exe61⤵
- Executes dropped EXE
PID:776 -
\??\c:\fxrflrf.exec:\fxrflrf.exe62⤵
- Executes dropped EXE
PID:2976 -
\??\c:\thbbbb.exec:\thbbbb.exe63⤵
- Executes dropped EXE
PID:956 -
\??\c:\tnttth.exec:\tnttth.exe64⤵
- Executes dropped EXE
PID:1324 -
\??\c:\dvjpp.exec:\dvjpp.exe65⤵
- Executes dropped EXE
PID:1268 -
\??\c:\jvjdd.exec:\jvjdd.exe66⤵PID:1124
-
\??\c:\3rxxrxx.exec:\3rxxrxx.exe67⤵PID:568
-
\??\c:\5btnnn.exec:\5btnnn.exe68⤵PID:620
-
\??\c:\3btttb.exec:\3btttb.exe69⤵PID:1800
-
\??\c:\3vjvd.exec:\3vjvd.exe70⤵PID:2968
-
\??\c:\vpdjp.exec:\vpdjp.exe71⤵PID:1924
-
\??\c:\7rflllr.exec:\7rflllr.exe72⤵PID:2108
-
\??\c:\bnbhhh.exec:\bnbhhh.exe73⤵PID:1672
-
\??\c:\hbnnnn.exec:\hbnnnn.exe74⤵PID:884
-
\??\c:\jvjdd.exec:\jvjdd.exe75⤵PID:2056
-
\??\c:\ddpvd.exec:\ddpvd.exe76⤵PID:1724
-
\??\c:\xlxrrrl.exec:\xlxrrrl.exe77⤵PID:2320
-
\??\c:\rrflrxr.exec:\rrflrxr.exe78⤵PID:2992
-
\??\c:\nbntbt.exec:\nbntbt.exe79⤵PID:1752
-
\??\c:\3bbbhn.exec:\3bbbhn.exe80⤵PID:1788
-
\??\c:\dvppp.exec:\dvppp.exe81⤵PID:2780
-
\??\c:\1flflfl.exec:\1flflfl.exe82⤵PID:2728
-
\??\c:\flxfllr.exec:\flxfllr.exe83⤵PID:2844
-
\??\c:\bthnbb.exec:\bthnbb.exe84⤵PID:2796
-
\??\c:\nnhntn.exec:\nnhntn.exe85⤵PID:2748
-
\??\c:\vvjvv.exec:\vvjvv.exe86⤵PID:2156
-
\??\c:\vvvjp.exec:\vvvjp.exe87⤵PID:2328
-
\??\c:\xlrlrrx.exec:\xlrlrrx.exe88⤵PID:1592
-
\??\c:\btthtb.exec:\btthtb.exe89⤵PID:2920
-
\??\c:\btnntb.exec:\btnntb.exe90⤵PID:2576
-
\??\c:\5dddv.exec:\5dddv.exe91⤵PID:1440
-
\??\c:\vjjdd.exec:\vjjdd.exe92⤵PID:580
-
\??\c:\frflrrx.exec:\frflrrx.exe93⤵PID:1068
-
\??\c:\fxlrrxf.exec:\fxlrrxf.exe94⤵PID:1632
-
\??\c:\btnntt.exec:\btnntt.exe95⤵PID:1648
-
\??\c:\nhbbhh.exec:\nhbbhh.exe96⤵PID:2888
-
\??\c:\9pddd.exec:\9pddd.exe97⤵PID:1936
-
\??\c:\vpjjv.exec:\vpjjv.exe98⤵PID:2316
-
\??\c:\9xlfxrl.exec:\9xlfxrl.exe99⤵PID:2900
-
\??\c:\xxxxrxf.exec:\xxxxrxf.exe100⤵PID:2892
-
\??\c:\3nhttt.exec:\3nhttt.exe101⤵PID:2260
-
\??\c:\jpvjj.exec:\jpvjj.exe102⤵PID:1760
-
\??\c:\dpvvd.exec:\dpvvd.exe103⤵PID:2964
-
\??\c:\xrlrxfl.exec:\xrlrxfl.exe104⤵PID:1480
-
\??\c:\lfrxlll.exec:\lfrxlll.exe105⤵PID:632
-
\??\c:\hbhttt.exec:\hbhttt.exe106⤵PID:2180
-
\??\c:\7bhbbt.exec:\7bhbbt.exe107⤵PID:2428
-
\??\c:\1pdjv.exec:\1pdjv.exe108⤵PID:1364
-
\??\c:\vvpvv.exec:\vvpvv.exe109⤵PID:1004
-
\??\c:\lxlrrrf.exec:\lxlrrrf.exe110⤵PID:1596
-
\??\c:\9xfxxrr.exec:\9xfxxrr.exe111⤵PID:1776
-
\??\c:\5tbthh.exec:\5tbthh.exe112⤵PID:2516
-
\??\c:\bntntt.exec:\bntntt.exe113⤵PID:1320
-
\??\c:\1pddv.exec:\1pddv.exe114⤵PID:2248
-
\??\c:\vdvjd.exec:\vdvjd.exe115⤵PID:896
-
\??\c:\3rxrxrf.exec:\3rxrxrf.exe116⤵PID:592
-
\??\c:\9xllfff.exec:\9xllfff.exe117⤵PID:1916
-
\??\c:\hnbbhh.exec:\hnbbhh.exe118⤵PID:1508
-
\??\c:\9thbtb.exec:\9thbtb.exe119⤵PID:2932
-
\??\c:\pdddj.exec:\pdddj.exe120⤵PID:2016
-
\??\c:\jvdpp.exec:\jvdpp.exe121⤵PID:2072
-
\??\c:\xlrlllr.exec:\xlrlllr.exe122⤵PID:2128