Analysis
-
max time kernel
120s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted
26-12-2024 03:54
Static task
static1
1 signature
Behavioral task
behavioral1
Sample
b3e706a0ac136da12b80e0e94051e656a3c4bd88999b62c3bb4763cf0794fc26.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
120 seconds
General
-
Target
b3e706a0ac136da12b80e0e94051e656a3c4bd88999b62c3bb4763cf0794fc26.exe
-
Size
453KB
-
MD5
dc519d9781599fcd6b5b4c387f01cad1
-
SHA1
d1d4bdaf8eed52ecc01feae94cc5a60888c1df2e
-
SHA256
b3e706a0ac136da12b80e0e94051e656a3c4bd88999b62c3bb4763cf0794fc26
-
SHA512
780a8b53c5f43feec16eefa3db8c29030ede7e2cb4c8caeaf9b102a1b99288a052a2d414ff35596e01f73042dab0435fb419d296e26e4282b8c0a434c0da579d
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbec:q7Tc2NYHUrAwfMp3CDc
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 47 IoCs (the YARA hits below fall on the same 0x400000–0x42A000 image range in each dropped process, consistent with every stage being a copy of the same packed payload; see the UPX hits further down)
resource yara_rule behavioral1/memory/1740-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1636-9-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1660-31-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2052-28-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2944-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2932-51-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2408-67-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2680-70-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2680-77-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2600-86-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2648-90-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2600-88-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2808-108-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3008-110-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3008-113-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1384-149-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/304-147-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1124-170-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1368-167-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1948-188-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1948-191-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon 
behavioral1/memory/2672-206-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2876-221-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2132-226-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/1068-245-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1168-242-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3060-256-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2168-298-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2080-308-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2276-318-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1720-325-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1720-347-0x0000000001C50000-0x0000000001C7A000-memory.dmp family_blackmoon behavioral1/memory/2260-369-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2260-368-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2600-396-0x0000000000230000-0x000000000025A000-memory.dmp family_blackmoon behavioral1/memory/2516-427-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1052-453-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2320-460-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/2044-494-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2752-495-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2156-520-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1064-527-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon 
behavioral1/memory/864-541-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/568-562-0x00000000002B0000-0x00000000002DA000-memory.dmp family_blackmoon behavioral1/memory/2168-594-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2008-611-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1276-649-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1740 bnbttn.exe 2052 hhtnhh.exe 1660 7pjpd.exe 2944 1xxfrxr.exe 2932 pjjjd.exe 2408 7fxfxxl.exe 2680 pjvvd.exe 2600 rrflxlx.exe 2648 llffllr.exe 2808 5rlfxfl.exe 3008 rrlxflx.exe 2668 nntbht.exe 2568 9xllrrx.exe 304 3xxfxfl.exe 1384 vpjpv.exe 1368 1lrlxfr.exe 1124 ddjpd.exe 628 9frrflf.exe 1948 frlrrrr.exe 2012 flffxfr.exe 2672 xrfxxfl.exe 2876 lfrrrrx.exe 2132 1vpvd.exe 1168 ffxlxxl.exe 1068 ddpvj.exe 3060 7flxllx.exe 916 lfrlllx.exe 2372 fxxfxfr.exe 1256 lrflxxl.exe 2168 fxrlxfx.exe 2080 pjjdv.exe 2276 lxrxllr.exe 1720 dvjpv.exe 1604 rxrxffr.exe 2052 hbnnbb.exe 2940 bbttnn.exe 3024 5jdvd.exe 2416 xxrfrxl.exe 2260 tnbbhh.exe 3056 3nhbnt.exe 2640 7dddj.exe 2680 ffxrrxl.exe 2600 xrffxfr.exe 2656 bnhhtt.exe 2796 ddvdp.exe 2808 1djdd.exe 2500 llxxlff.exe 2516 3btnbn.exe 3012 tthnht.exe 2724 ddjjp.exe 1764 9llrrxf.exe 1052 3xrrrrx.exe 2320 tthnbh.exe 1076 dvpdp.exe 1524 pjjdj.exe 1436 rfrllff.exe 2028 ttnnbb.exe 2044 ddppv.exe 2752 7dvjv.exe 2564 llfrxfr.exe 2740 tthhtb.exe 2156 5nhnbb.exe 1064 pjdpd.exe 1884 pjdjd.exe -
resource yara_rule behavioral1/memory/1740-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1636-9-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1660-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2052-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2944-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2932-51-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2408-67-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2680-70-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2648-90-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2600-88-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2648-98-0x00000000003C0000-0x00000000003EA000-memory.dmp upx behavioral1/memory/2808-108-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3008-110-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1384-149-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/304-147-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1124-170-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1368-167-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1948-188-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2672-206-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2876-221-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1068-245-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1168-242-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2372-272-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2168-298-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2080-308-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2276-318-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1720-325-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2260-361-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2260-369-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2260-368-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2600-396-0x0000000000230000-0x000000000025A000-memory.dmp upx behavioral1/memory/2516-427-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1764-440-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1052-453-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2320-460-0x0000000000320000-0x000000000034A000-memory.dmp upx behavioral1/memory/1764-467-0x0000000000230000-0x000000000025A000-memory.dmp upx behavioral1/memory/1524-470-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/1436-475-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2044-494-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2752-495-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2156-520-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/1064-527-0x00000000003C0000-0x00000000003EA000-memory.dmp upx behavioral1/memory/1396-548-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2168-594-0x00000000001B0000-0x00000000001DA000-memory.dmp upx behavioral1/memory/2008-611-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2420-636-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1276-649-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2600-680-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2796-693-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1144-732-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location (reads HKLM\SYSTEM\ControlSet001\Control\NLS\Language).
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrflxxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1dddp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpdjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvjvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpdpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xflxffr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffxfxxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrlxfrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbnthh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llffllr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llffllr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbnthb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1636 wrote to memory of 1740 1636 b3e706a0ac136da12b80e0e94051e656a3c4bd88999b62c3bb4763cf0794fc26.exe 28 PID 1636 wrote to memory of 1740 1636 b3e706a0ac136da12b80e0e94051e656a3c4bd88999b62c3bb4763cf0794fc26.exe 28 PID 1636 wrote to memory of 1740 1636 b3e706a0ac136da12b80e0e94051e656a3c4bd88999b62c3bb4763cf0794fc26.exe 28 PID 1636 wrote to memory of 1740 1636 b3e706a0ac136da12b80e0e94051e656a3c4bd88999b62c3bb4763cf0794fc26.exe 28 PID 1740 wrote to memory of 2052 1740 bnbttn.exe 29 PID 1740 wrote to memory of 2052 1740 bnbttn.exe 29 PID 1740 wrote to memory of 2052 1740 bnbttn.exe 29 PID 1740 wrote to memory of 2052 1740 bnbttn.exe 29 PID 2052 wrote to memory of 1660 2052 hhtnhh.exe 30 PID 2052 wrote to memory of 1660 2052 hhtnhh.exe 30 PID 2052 wrote to memory of 1660 2052 hhtnhh.exe 30 PID 2052 wrote to memory of 1660 2052 hhtnhh.exe 30 PID 1660 wrote to memory of 2944 1660 7pjpd.exe 31 PID 1660 wrote to memory of 2944 1660 7pjpd.exe 31 PID 1660 wrote to memory of 2944 1660 7pjpd.exe 31 PID 1660 wrote to memory of 2944 1660 7pjpd.exe 31 PID 2944 wrote to memory of 2932 2944 1xxfrxr.exe 32 PID 2944 wrote to memory of 2932 2944 1xxfrxr.exe 32 PID 2944 wrote to memory of 2932 2944 1xxfrxr.exe 32 PID 2944 wrote to memory of 2932 2944 1xxfrxr.exe 32 PID 2932 wrote to memory of 2408 2932 pjjjd.exe 33 PID 2932 wrote to memory of 2408 2932 pjjjd.exe 33 PID 2932 wrote to memory of 2408 2932 pjjjd.exe 33 PID 2932 wrote to memory of 2408 2932 pjjjd.exe 33 PID 2408 wrote to memory of 2680 2408 7fxfxxl.exe 34 PID 2408 wrote to memory of 2680 2408 7fxfxxl.exe 34 PID 2408 wrote to memory of 2680 2408 7fxfxxl.exe 34 PID 2408 wrote to memory of 2680 2408 7fxfxxl.exe 34 PID 2680 wrote to memory of 2600 2680 pjvvd.exe 35 PID 2680 wrote to memory of 2600 2680 pjvvd.exe 35 PID 2680 wrote to memory of 2600 2680 pjvvd.exe 35 PID 2680 wrote to memory of 2600 2680 pjvvd.exe 35 PID 2600 wrote to memory of 2648 2600 rrflxlx.exe 36 PID 2600 wrote 
to memory of 2648 2600 rrflxlx.exe 36 PID 2600 wrote to memory of 2648 2600 rrflxlx.exe 36 PID 2600 wrote to memory of 2648 2600 rrflxlx.exe 36 PID 2648 wrote to memory of 2808 2648 llffllr.exe 37 PID 2648 wrote to memory of 2808 2648 llffllr.exe 37 PID 2648 wrote to memory of 2808 2648 llffllr.exe 37 PID 2648 wrote to memory of 2808 2648 llffllr.exe 37 PID 2808 wrote to memory of 3008 2808 5rlfxfl.exe 38 PID 2808 wrote to memory of 3008 2808 5rlfxfl.exe 38 PID 2808 wrote to memory of 3008 2808 5rlfxfl.exe 38 PID 2808 wrote to memory of 3008 2808 5rlfxfl.exe 38 PID 3008 wrote to memory of 2668 3008 rrlxflx.exe 39 PID 3008 wrote to memory of 2668 3008 rrlxflx.exe 39 PID 3008 wrote to memory of 2668 3008 rrlxflx.exe 39 PID 3008 wrote to memory of 2668 3008 rrlxflx.exe 39 PID 2668 wrote to memory of 2568 2668 nntbht.exe 40 PID 2668 wrote to memory of 2568 2668 nntbht.exe 40 PID 2668 wrote to memory of 2568 2668 nntbht.exe 40 PID 2668 wrote to memory of 2568 2668 nntbht.exe 40 PID 2568 wrote to memory of 304 2568 9xllrrx.exe 41 PID 2568 wrote to memory of 304 2568 9xllrrx.exe 41 PID 2568 wrote to memory of 304 2568 9xllrrx.exe 41 PID 2568 wrote to memory of 304 2568 9xllrrx.exe 41 PID 304 wrote to memory of 1384 304 3xxfxfl.exe 42 PID 304 wrote to memory of 1384 304 3xxfxfl.exe 42 PID 304 wrote to memory of 1384 304 3xxfxfl.exe 42 PID 304 wrote to memory of 1384 304 3xxfxfl.exe 42 PID 1384 wrote to memory of 1368 1384 vpjpv.exe 43 PID 1384 wrote to memory of 1368 1384 vpjpv.exe 43 PID 1384 wrote to memory of 1368 1384 vpjpv.exe 43 PID 1384 wrote to memory of 1368 1384 vpjpv.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\b3e706a0ac136da12b80e0e94051e656a3c4bd88999b62c3bb4763cf0794fc26.exe"C:\Users\Admin\AppData\Local\Temp\b3e706a0ac136da12b80e0e94051e656a3c4bd88999b62c3bb4763cf0794fc26.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1636 -
\??\c:\bnbttn.exec:\bnbttn.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1740 -
\??\c:\hhtnhh.exec:\hhtnhh.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2052 -
\??\c:\7pjpd.exec:\7pjpd.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1660 -
\??\c:\1xxfrxr.exec:\1xxfrxr.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2944 -
\??\c:\pjjjd.exec:\pjjjd.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2932 -
\??\c:\7fxfxxl.exec:\7fxfxxl.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2408 -
\??\c:\pjvvd.exec:\pjvvd.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2680 -
\??\c:\rrflxlx.exec:\rrflxlx.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2600 -
\??\c:\llffllr.exec:\llffllr.exe10⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2648 -
\??\c:\5rlfxfl.exec:\5rlfxfl.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2808 -
\??\c:\rrlxflx.exec:\rrlxflx.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3008 -
\??\c:\nntbht.exec:\nntbht.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2668 -
\??\c:\9xllrrx.exec:\9xllrrx.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2568 -
\??\c:\3xxfxfl.exec:\3xxfxfl.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:304 -
\??\c:\vpjpv.exec:\vpjpv.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1384 -
\??\c:\1lrlxfr.exec:\1lrlxfr.exe17⤵
- Executes dropped EXE
PID:1368 -
\??\c:\ddjpd.exec:\ddjpd.exe18⤵
- Executes dropped EXE
PID:1124 -
\??\c:\9frrflf.exec:\9frrflf.exe19⤵
- Executes dropped EXE
PID:628 -
\??\c:\frlrrrr.exec:\frlrrrr.exe20⤵
- Executes dropped EXE
PID:1948 -
\??\c:\flffxfr.exec:\flffxfr.exe21⤵
- Executes dropped EXE
PID:2012 -
\??\c:\xrfxxfl.exec:\xrfxxfl.exe22⤵
- Executes dropped EXE
PID:2672 -
\??\c:\lfrrrrx.exec:\lfrrrrx.exe23⤵
- Executes dropped EXE
PID:2876 -
\??\c:\1vpvd.exec:\1vpvd.exe24⤵
- Executes dropped EXE
PID:2132 -
\??\c:\ffxlxxl.exec:\ffxlxxl.exe25⤵
- Executes dropped EXE
PID:1168 -
\??\c:\ddpvj.exec:\ddpvj.exe26⤵
- Executes dropped EXE
PID:1068 -
\??\c:\7flxllx.exec:\7flxllx.exe27⤵
- Executes dropped EXE
PID:3060 -
\??\c:\lfrlllx.exec:\lfrlllx.exe28⤵
- Executes dropped EXE
PID:916 -
\??\c:\fxxfxfr.exec:\fxxfxfr.exe29⤵
- Executes dropped EXE
PID:2372 -
\??\c:\lrflxxl.exec:\lrflxxl.exe30⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1256 -
\??\c:\fxrlxfx.exec:\fxrlxfx.exe31⤵
- Executes dropped EXE
PID:2168 -
\??\c:\pjjdv.exec:\pjjdv.exe32⤵
- Executes dropped EXE
PID:2080 -
\??\c:\lxrxllr.exec:\lxrxllr.exe33⤵
- Executes dropped EXE
PID:2276 -
\??\c:\dvjpv.exec:\dvjpv.exe34⤵
- Executes dropped EXE
PID:1720 -
\??\c:\rxrxffr.exec:\rxrxffr.exe35⤵
- Executes dropped EXE
PID:1604 -
\??\c:\hbnnbb.exec:\hbnnbb.exe36⤵
- Executes dropped EXE
PID:2052 -
\??\c:\bbttnn.exec:\bbttnn.exe37⤵
- Executes dropped EXE
PID:2940 -
\??\c:\5jdvd.exec:\5jdvd.exe38⤵
- Executes dropped EXE
PID:3024 -
\??\c:\xxrfrxl.exec:\xxrfrxl.exe39⤵
- Executes dropped EXE
PID:2416 -
\??\c:\tnbbhh.exec:\tnbbhh.exe40⤵
- Executes dropped EXE
PID:2260 -
\??\c:\3nhbnt.exec:\3nhbnt.exe41⤵
- Executes dropped EXE
PID:3056 -
\??\c:\7dddj.exec:\7dddj.exe42⤵
- Executes dropped EXE
PID:2640 -
\??\c:\ffxrrxl.exec:\ffxrrxl.exe43⤵
- Executes dropped EXE
PID:2680 -
\??\c:\xrffxfr.exec:\xrffxfr.exe44⤵
- Executes dropped EXE
PID:2600 -
\??\c:\bnhhtt.exec:\bnhhtt.exe45⤵
- Executes dropped EXE
PID:2656 -
\??\c:\ddvdp.exec:\ddvdp.exe46⤵
- Executes dropped EXE
PID:2796 -
\??\c:\1djdd.exec:\1djdd.exe47⤵
- Executes dropped EXE
PID:2808 -
\??\c:\llxxlff.exec:\llxxlff.exe48⤵
- Executes dropped EXE
PID:2500 -
\??\c:\3btnbn.exec:\3btnbn.exe49⤵
- Executes dropped EXE
PID:2516 -
\??\c:\tthnht.exec:\tthnht.exe50⤵
- Executes dropped EXE
PID:3012 -
\??\c:\ddjjp.exec:\ddjjp.exe51⤵
- Executes dropped EXE
PID:2724 -
\??\c:\9llrrxf.exec:\9llrrxf.exe52⤵
- Executes dropped EXE
PID:1764 -
\??\c:\3xrrrrx.exec:\3xrrrrx.exe53⤵
- Executes dropped EXE
PID:1052 -
\??\c:\tthnbh.exec:\tthnbh.exe54⤵
- Executes dropped EXE
PID:2320 -
\??\c:\dvpdp.exec:\dvpdp.exe55⤵
- Executes dropped EXE
PID:1076 -
\??\c:\pjjdj.exec:\pjjdj.exe56⤵
- Executes dropped EXE
PID:1524 -
\??\c:\rfrllff.exec:\rfrllff.exe57⤵
- Executes dropped EXE
PID:1436 -
\??\c:\ttnnbb.exec:\ttnnbb.exe58⤵
- Executes dropped EXE
PID:2028 -
\??\c:\ddppv.exec:\ddppv.exe59⤵
- Executes dropped EXE
PID:2044 -
\??\c:\7dvjv.exec:\7dvjv.exe60⤵
- Executes dropped EXE
PID:2752 -
\??\c:\llfrxfr.exec:\llfrxfr.exe61⤵
- Executes dropped EXE
PID:2564 -
\??\c:\tthhtb.exec:\tthhtb.exe62⤵
- Executes dropped EXE
PID:2740 -
\??\c:\5nhnbb.exec:\5nhnbb.exe63⤵
- Executes dropped EXE
PID:2156 -
\??\c:\pjdpd.exec:\pjdpd.exe64⤵
- Executes dropped EXE
PID:1064 -
\??\c:\pjdjd.exec:\pjdjd.exe65⤵
- Executes dropped EXE
PID:1884 -
\??\c:\5lxfrrx.exec:\5lxfrrx.exe66⤵PID:864
-
\??\c:\tbbbnn.exec:\tbbbnn.exe67⤵PID:1928
-
\??\c:\nhthbh.exec:\nhthbh.exe68⤵PID:1396
-
\??\c:\rxfxxrx.exec:\rxfxxrx.exe69⤵PID:568
-
\??\c:\fxffllf.exec:\fxffllf.exe70⤵PID:876
-
\??\c:\5bnntt.exec:\5bnntt.exe71⤵PID:2128
-
\??\c:\1jvvp.exec:\1jvvp.exe72⤵PID:608
-
\??\c:\dvpjd.exec:\dvpjd.exe73⤵PID:1708
-
\??\c:\xxxflrx.exec:\xxxflrx.exe74⤵PID:2168
-
\??\c:\xlffrrr.exec:\xlffrrr.exe75⤵PID:1804
-
\??\c:\5hnbtb.exec:\5hnbtb.exe76⤵PID:1652
-
\??\c:\9pjpj.exec:\9pjpj.exe77⤵PID:2008
-
\??\c:\3jvvj.exec:\3jvvj.exe78⤵PID:1720
-
\??\c:\1llflrf.exec:\1llflrf.exe79⤵PID:1828
-
\??\c:\bbnnbh.exec:\bbnnbh.exe80⤵PID:2956
-
\??\c:\hhbhhn.exec:\hhbhhn.exe81⤵PID:1660
-
\??\c:\ppjvd.exec:\ppjvd.exe82⤵PID:2420
-
\??\c:\1lflxxf.exec:\1lflxxf.exe83⤵PID:1276
-
\??\c:\xlrxllx.exec:\xlrxllx.exe84⤵PID:1976
-
\??\c:\hbthtt.exec:\hbthtt.exe85⤵PID:1548
-
\??\c:\7jdvj.exec:\7jdvj.exe86⤵PID:2708
-
\??\c:\jdpdp.exec:\jdpdp.exe87⤵PID:2716
-
\??\c:\rxxfrxl.exec:\rxxfrxl.exe88⤵PID:2072
-
\??\c:\9hbbbh.exec:\9hbbbh.exe89⤵PID:2600
-
\??\c:\nhtbnh.exec:\nhtbnh.exe90⤵PID:2532
-
\??\c:\vpvdj.exec:\vpvdj.exe91⤵PID:2796
-
\??\c:\5rffflr.exec:\5rffflr.exe92⤵PID:2808
-
\??\c:\tnbhbb.exec:\tnbhbb.exe93⤵PID:2540
-
\??\c:\tbnhnb.exec:\tbnhnb.exe94⤵PID:2516
-
\??\c:\5pjpv.exec:\5pjpv.exe95⤵PID:2572
-
\??\c:\lrfrrfr.exec:\lrfrrfr.exe96⤵PID:676
-
\??\c:\rrrlxxl.exec:\rrrlxxl.exe97⤵PID:1144
-
\??\c:\hhbnbn.exec:\hhbnbn.exe98⤵PID:380
-
\??\c:\vdjpd.exec:\vdjpd.exe99⤵PID:1616
-
\??\c:\pjdvd.exec:\pjdvd.exe100⤵PID:1620
-
\??\c:\xrrlrxl.exec:\xrrlrxl.exe101⤵PID:1524
-
\??\c:\nnbbhn.exec:\nnbbhn.exe102⤵PID:1436
-
\??\c:\9nttnt.exec:\9nttnt.exe103⤵PID:1208
-
\??\c:\dvjvd.exec:\dvjvd.exe104⤵PID:1992
-
\??\c:\vdvpp.exec:\vdvpp.exe105⤵PID:692
-
\??\c:\7rxrxrx.exec:\7rxrxrx.exe106⤵PID:2564
-
\??\c:\tnttbh.exec:\tnttbh.exe107⤵PID:2876
-
\??\c:\tnbhnn.exec:\tnbhnn.exe108⤵PID:1800
-
\??\c:\9ppvj.exec:\9ppvj.exe109⤵PID:1716
-
\??\c:\ppdjj.exec:\ppdjj.exe110⤵PID:1152
-
\??\c:\xrffrrr.exec:\xrffrrr.exe111⤵PID:2404
-
\??\c:\hbhhtt.exec:\hbhhtt.exe112⤵PID:1392
-
\??\c:\bnhnnh.exec:\bnhnnh.exe113⤵PID:1396
-
\??\c:\5vppv.exec:\5vppv.exe114⤵PID:2384
-
\??\c:\dvddd.exec:\dvddd.exe115⤵PID:1324
-
\??\c:\7xxflrr.exec:\7xxflrr.exe116⤵PID:560
-
\??\c:\9hhhhn.exec:\9hhhhn.exe117⤵PID:1792
-
\??\c:\7bbhth.exec:\7bbhth.exe118⤵PID:708
-
\??\c:\dvjvd.exec:\dvjvd.exe119⤵PID:2080
-
\??\c:\lrxflrf.exec:\lrxflrf.exe120⤵PID:2280
-
\??\c:\7rrrxfl.exec:\7rrrxfl.exe121⤵PID:1880
-
\??\c:\tbthtn.exec:\tbthtn.exe122⤵PID:2008