Analysis
-
max time kernel
120s -
max time network
23s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
26-12-2024 19:54
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
3a03493a96952580d1486b20474ea77c4ff9c978c95cad1b024ab2d529ca432c.exe
Resource
win7-20240903-en
7 signatures
120 seconds
General
-
Target
3a03493a96952580d1486b20474ea77c4ff9c978c95cad1b024ab2d529ca432c.exe
-
Size
456KB
-
MD5
e2a2cf56cfcb80df26911a8507bb91e4
-
SHA1
278a45a78451dee93a7a071c222dcd2cc902b084
-
SHA256
3a03493a96952580d1486b20474ea77c4ff9c978c95cad1b024ab2d529ca432c
-
SHA512
ad2bf454c1b4f56ffce5c449497a9db3a4fd02e75fefb01b827c0cbe42329839c033ed931b207817475ebf472feffc9cd0a8ece689c9d88f67f50c5f4dea66a5
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeRX:q7Tc2NYHUrAwfMp3CDRX
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 49 IoCs
resource yara_rule behavioral1/memory/2316-10-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1996-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1608-25-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1608-28-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1380-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2660-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2856-55-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2860-73-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2700-83-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2528-91-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3016-101-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3032-110-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/900-119-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1560-127-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/596-138-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/776-147-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2752-162-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1560-160-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/2736-158-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2572-184-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2144-201-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/1900-214-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2024-237-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2136-246-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2776-257-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2260-266-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2424-296-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2424-295-0x0000000077A70000-0x0000000077B6A000-memory.dmp family_blackmoon behavioral1/memory/1608-323-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2672-336-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2580-369-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/344-402-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/304-494-0x0000000000330000-0x000000000035A000-memory.dmp family_blackmoon behavioral1/memory/2368-559-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2548-639-0x00000000002B0000-0x00000000002DA000-memory.dmp family_blackmoon behavioral1/memory/2588-650-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2036-675-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2292-702-0x0000000000250000-0x000000000027A000-memory.dmp family_blackmoon behavioral1/memory/2744-715-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1292-771-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1712-808-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/596-964-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon 
behavioral1/memory/1500-987-0x0000000000250000-0x000000000027A000-memory.dmp family_blackmoon behavioral1/memory/2116-1018-0x0000000000230000-0x000000000025A000-memory.dmp family_blackmoon behavioral1/memory/916-1044-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/1328-1049-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2700-1203-0x0000000000330000-0x000000000035A000-memory.dmp family_blackmoon behavioral1/memory/2268-1265-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2776-1357-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2316 1fxxlrl.exe 1608 5bnntt.exe 1380 5ppjv.exe 2660 dvpdp.exe 2856 7nhnbt.exe 2804 7dddv.exe 2860 tnbnbh.exe 2700 djdpd.exe 2528 bnnttn.exe 3016 ffrlxrr.exe 3032 nhttbn.exe 900 jdvjp.exe 1560 1bnthh.exe 596 rrxlflf.exe 776 ttthth.exe 2736 ppdpd.exe 2752 vpdjp.exe 2084 llxfrxl.exe 2572 5xrxrxl.exe 552 lfllrrl.exe 2144 htbhbb.exe 1316 lxrfllr.exe 1900 hbnntn.exe 1784 dvdvd.exe 2024 nhthnb.exe 2136 dvjvj.exe 2776 btnntt.exe 2260 ddvpv.exe 2368 flxlfrl.exe 1000 vjvvd.exe 876 nnhtbn.exe 2424 vdvjv.exe 1580 rlrxlrf.exe 2056 bbntht.exe 1608 jjjvj.exe 2252 9xlrfll.exe 2672 btnbth.exe 2656 hhhtnt.exe 2640 3dpvj.exe 2692 rllrflf.exe 2556 bnbbbb.exe 2580 vvdpp.exe 2700 rlfrxxr.exe 2544 ttbhnt.exe 3028 vddvp.exe 3024 dpvjv.exe 344 9rlrxxl.exe 1904 nnhnbh.exe 2308 vvpdd.exe 2292 xrflxxf.exe 1500 tthhtb.exe 2600 hthnhn.exe 2768 vpjpd.exe 3036 3rlrflx.exe 2476 3nhthn.exe 2912 btnnhh.exe 2988 jvvdj.exe 444 5frxflx.exe 552 1hbhnb.exe 676 tnbbnt.exe 304 jjdpj.exe 2164 1fxfrfr.exe 1352 rlflxlx.exe 348 nhbhtb.exe -
resource yara_rule behavioral1/memory/2316-10-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1996-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1608-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1380-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1380-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2660-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2856-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2860-73-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2700-83-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2528-91-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3016-101-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3032-110-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/900-119-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1560-127-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/776-147-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2752-162-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2736-158-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2572-184-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2144-201-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1900-214-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2024-237-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2136-246-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2776-257-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2260-266-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2424-296-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2424-295-0x0000000077A70000-0x0000000077B6A000-memory.dmp upx behavioral1/memory/1608-323-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2672-336-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2580-369-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2700-375-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/344-402-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3048-525-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3048-531-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2548-639-0x00000000002B0000-0x00000000002DA000-memory.dmp upx behavioral1/memory/2036-675-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1868-682-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2052-689-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2744-715-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1292-764-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1292-771-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1712-808-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2860-906-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/596-964-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/916-1044-0x00000000001B0000-0x00000000001DA000-memory.dmp upx behavioral1/memory/2268-1258-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjdvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3lfxffl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7dddv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvpjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhbnth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3vjvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdppp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbthnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3rlrffr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9rlrflf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffrlrrl.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3lflrrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7flflxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpdpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnhnbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1996 wrote to memory of 2316 1996 3a03493a96952580d1486b20474ea77c4ff9c978c95cad1b024ab2d529ca432c.exe 31 PID 1996 wrote to memory of 2316 1996 3a03493a96952580d1486b20474ea77c4ff9c978c95cad1b024ab2d529ca432c.exe 31 PID 1996 wrote to memory of 2316 1996 3a03493a96952580d1486b20474ea77c4ff9c978c95cad1b024ab2d529ca432c.exe 31 PID 1996 wrote to memory of 2316 1996 3a03493a96952580d1486b20474ea77c4ff9c978c95cad1b024ab2d529ca432c.exe 31 PID 2316 wrote to memory of 1608 2316 1fxxlrl.exe 32 PID 2316 wrote to memory of 1608 2316 1fxxlrl.exe 32 PID 2316 wrote to memory of 1608 2316 1fxxlrl.exe 32 PID 2316 wrote to memory of 1608 2316 1fxxlrl.exe 32 PID 1608 wrote to memory of 1380 1608 5bnntt.exe 33 PID 1608 wrote to memory of 1380 1608 5bnntt.exe 33 PID 1608 wrote to memory of 1380 1608 5bnntt.exe 33 PID 1608 wrote to memory of 1380 1608 5bnntt.exe 33 PID 1380 wrote to memory of 2660 1380 5ppjv.exe 34 PID 1380 wrote to memory of 2660 1380 5ppjv.exe 34 PID 1380 wrote to memory of 2660 1380 5ppjv.exe 34 PID 1380 wrote to memory of 2660 1380 5ppjv.exe 34 PID 2660 wrote to memory of 2856 2660 dvpdp.exe 35 PID 2660 wrote to memory of 2856 2660 dvpdp.exe 35 PID 2660 wrote to memory of 2856 2660 dvpdp.exe 35 PID 2660 wrote to memory of 2856 2660 dvpdp.exe 35 PID 2856 wrote to memory of 2804 2856 7nhnbt.exe 36 PID 2856 wrote to memory of 2804 2856 7nhnbt.exe 36 PID 2856 wrote to memory of 2804 2856 7nhnbt.exe 36 PID 2856 wrote to memory of 2804 2856 7nhnbt.exe 36 PID 2804 wrote to memory of 2860 2804 7dddv.exe 37 PID 2804 wrote to memory of 2860 2804 7dddv.exe 37 PID 2804 wrote to memory of 2860 2804 7dddv.exe 37 PID 2804 wrote to memory of 2860 2804 7dddv.exe 37 PID 2860 wrote to memory of 2700 2860 tnbnbh.exe 38 PID 2860 wrote to memory of 2700 2860 tnbnbh.exe 38 PID 2860 wrote to memory of 2700 2860 tnbnbh.exe 38 PID 2860 wrote to memory of 2700 2860 tnbnbh.exe 38 PID 2700 wrote to memory of 2528 2700 djdpd.exe 39 PID 2700 wrote to 
memory of 2528 2700 djdpd.exe 39 PID 2700 wrote to memory of 2528 2700 djdpd.exe 39 PID 2700 wrote to memory of 2528 2700 djdpd.exe 39 PID 2528 wrote to memory of 3016 2528 bnnttn.exe 40 PID 2528 wrote to memory of 3016 2528 bnnttn.exe 40 PID 2528 wrote to memory of 3016 2528 bnnttn.exe 40 PID 2528 wrote to memory of 3016 2528 bnnttn.exe 40 PID 3016 wrote to memory of 3032 3016 ffrlxrr.exe 41 PID 3016 wrote to memory of 3032 3016 ffrlxrr.exe 41 PID 3016 wrote to memory of 3032 3016 ffrlxrr.exe 41 PID 3016 wrote to memory of 3032 3016 ffrlxrr.exe 41 PID 3032 wrote to memory of 900 3032 nhttbn.exe 42 PID 3032 wrote to memory of 900 3032 nhttbn.exe 42 PID 3032 wrote to memory of 900 3032 nhttbn.exe 42 PID 3032 wrote to memory of 900 3032 nhttbn.exe 42 PID 900 wrote to memory of 1560 900 jdvjp.exe 43 PID 900 wrote to memory of 1560 900 jdvjp.exe 43 PID 900 wrote to memory of 1560 900 jdvjp.exe 43 PID 900 wrote to memory of 1560 900 jdvjp.exe 43 PID 1560 wrote to memory of 596 1560 1bnthh.exe 44 PID 1560 wrote to memory of 596 1560 1bnthh.exe 44 PID 1560 wrote to memory of 596 1560 1bnthh.exe 44 PID 1560 wrote to memory of 596 1560 1bnthh.exe 44 PID 596 wrote to memory of 776 596 rrxlflf.exe 45 PID 596 wrote to memory of 776 596 rrxlflf.exe 45 PID 596 wrote to memory of 776 596 rrxlflf.exe 45 PID 596 wrote to memory of 776 596 rrxlflf.exe 45 PID 776 wrote to memory of 2736 776 ttthth.exe 46 PID 776 wrote to memory of 2736 776 ttthth.exe 46 PID 776 wrote to memory of 2736 776 ttthth.exe 46 PID 776 wrote to memory of 2736 776 ttthth.exe 46
Processes
-
C:\Users\Admin\AppData\Local\Temp\3a03493a96952580d1486b20474ea77c4ff9c978c95cad1b024ab2d529ca432c.exe"C:\Users\Admin\AppData\Local\Temp\3a03493a96952580d1486b20474ea77c4ff9c978c95cad1b024ab2d529ca432c.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1996 -
\??\c:\1fxxlrl.exec:\1fxxlrl.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2316 -
\??\c:\5bnntt.exec:\5bnntt.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1608 -
\??\c:\5ppjv.exec:\5ppjv.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1380 -
\??\c:\dvpdp.exec:\dvpdp.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2660 -
\??\c:\7nhnbt.exec:\7nhnbt.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2856 -
\??\c:\7dddv.exec:\7dddv.exe7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2804 -
\??\c:\tnbnbh.exec:\tnbnbh.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2860 -
\??\c:\djdpd.exec:\djdpd.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2700 -
\??\c:\bnnttn.exec:\bnnttn.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2528 -
\??\c:\ffrlxrr.exec:\ffrlxrr.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3016 -
\??\c:\nhttbn.exec:\nhttbn.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3032 -
\??\c:\jdvjp.exec:\jdvjp.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:900 -
\??\c:\1bnthh.exec:\1bnthh.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1560 -
\??\c:\rrxlflf.exec:\rrxlflf.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:596 -
\??\c:\ttthth.exec:\ttthth.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:776 -
\??\c:\ppdpd.exec:\ppdpd.exe17⤵
- Executes dropped EXE
PID:2736 -
\??\c:\vpdjp.exec:\vpdjp.exe18⤵
- Executes dropped EXE
PID:2752 -
\??\c:\llxfrxl.exec:\llxfrxl.exe19⤵
- Executes dropped EXE
PID:2084 -
\??\c:\5xrxrxl.exec:\5xrxrxl.exe20⤵
- Executes dropped EXE
PID:2572 -
\??\c:\lfllrrl.exec:\lfllrrl.exe21⤵
- Executes dropped EXE
PID:552 -
\??\c:\htbhbb.exec:\htbhbb.exe22⤵
- Executes dropped EXE
PID:2144 -
\??\c:\lxrfllr.exec:\lxrfllr.exe23⤵
- Executes dropped EXE
PID:1316 -
\??\c:\hbnntn.exec:\hbnntn.exe24⤵
- Executes dropped EXE
PID:1900 -
\??\c:\dvdvd.exec:\dvdvd.exe25⤵
- Executes dropped EXE
PID:1784 -
\??\c:\nhthnb.exec:\nhthnb.exe26⤵
- Executes dropped EXE
PID:2024 -
\??\c:\dvjvj.exec:\dvjvj.exe27⤵
- Executes dropped EXE
PID:2136 -
\??\c:\btnntt.exec:\btnntt.exe28⤵
- Executes dropped EXE
PID:2776 -
\??\c:\ddvpv.exec:\ddvpv.exe29⤵
- Executes dropped EXE
PID:2260 -
\??\c:\flxlfrl.exec:\flxlfrl.exe30⤵
- Executes dropped EXE
PID:2368 -
\??\c:\vjvvd.exec:\vjvvd.exe31⤵
- Executes dropped EXE
PID:1000 -
\??\c:\nnhtbn.exec:\nnhtbn.exe32⤵
- Executes dropped EXE
PID:876 -
\??\c:\vdvjv.exec:\vdvjv.exe33⤵
- Executes dropped EXE
PID:2424 -
\??\c:\lrrrffr.exec:\lrrrffr.exe34⤵PID:1552
-
\??\c:\rlrxlrf.exec:\rlrxlrf.exe35⤵
- Executes dropped EXE
PID:1580 -
\??\c:\bbntht.exec:\bbntht.exe36⤵
- Executes dropped EXE
PID:2056 -
\??\c:\jjjvj.exec:\jjjvj.exe37⤵
- Executes dropped EXE
PID:1608 -
\??\c:\9xlrfll.exec:\9xlrfll.exe38⤵
- Executes dropped EXE
PID:2252 -
\??\c:\btnbth.exec:\btnbth.exe39⤵
- Executes dropped EXE
PID:2672 -
\??\c:\hhhtnt.exec:\hhhtnt.exe40⤵
- Executes dropped EXE
PID:2656 -
\??\c:\3dpvj.exec:\3dpvj.exe41⤵
- Executes dropped EXE
PID:2640 -
\??\c:\rllrflf.exec:\rllrflf.exe42⤵
- Executes dropped EXE
PID:2692 -
\??\c:\bnbbbb.exec:\bnbbbb.exe43⤵
- Executes dropped EXE
PID:2556 -
\??\c:\vvdpp.exec:\vvdpp.exe44⤵
- Executes dropped EXE
PID:2580 -
\??\c:\rlfrxxr.exec:\rlfrxxr.exe45⤵
- Executes dropped EXE
PID:2700 -
\??\c:\ttbhnt.exec:\ttbhnt.exe46⤵
- Executes dropped EXE
PID:2544 -
\??\c:\vddvp.exec:\vddvp.exe47⤵
- Executes dropped EXE
PID:3028 -
\??\c:\dpvjv.exec:\dpvjv.exe48⤵
- Executes dropped EXE
PID:3024 -
\??\c:\9rlrxxl.exec:\9rlrxxl.exe49⤵
- Executes dropped EXE
PID:344 -
\??\c:\nnhnbh.exec:\nnhnbh.exe50⤵
- Executes dropped EXE
PID:1904 -
\??\c:\vvpdd.exec:\vvpdd.exe51⤵
- Executes dropped EXE
PID:2308 -
\??\c:\xrflxxf.exec:\xrflxxf.exe52⤵
- Executes dropped EXE
PID:2292 -
\??\c:\tthhtb.exec:\tthhtb.exe53⤵
- Executes dropped EXE
PID:1500 -
\??\c:\hthnhn.exec:\hthnhn.exe54⤵
- Executes dropped EXE
PID:2600 -
\??\c:\vpjpd.exec:\vpjpd.exe55⤵
- Executes dropped EXE
PID:2768 -
\??\c:\3rlrflx.exec:\3rlrflx.exe56⤵
- Executes dropped EXE
PID:3036 -
\??\c:\3nhthn.exec:\3nhthn.exe57⤵
- Executes dropped EXE
PID:2476 -
\??\c:\btnnhh.exec:\btnnhh.exe58⤵
- Executes dropped EXE
PID:2912 -
\??\c:\jvvdj.exec:\jvvdj.exe59⤵
- Executes dropped EXE
PID:2988 -
\??\c:\5frxflx.exec:\5frxflx.exe60⤵
- Executes dropped EXE
PID:444 -
\??\c:\1hbhnb.exec:\1hbhnb.exe61⤵
- Executes dropped EXE
PID:552 -
\??\c:\tnbbnt.exec:\tnbbnt.exe62⤵
- Executes dropped EXE
PID:676 -
\??\c:\jjdpj.exec:\jjdpj.exe63⤵
- Executes dropped EXE
PID:304 -
\??\c:\1fxfrfr.exec:\1fxfrfr.exe64⤵
- Executes dropped EXE
PID:2164 -
\??\c:\rlflxlx.exec:\rlflxlx.exe65⤵
- Executes dropped EXE
PID:1352 -
\??\c:\nhbhtb.exec:\nhbhtb.exe66⤵
- Executes dropped EXE
PID:348 -
\??\c:\jppdd.exec:\jppdd.exe67⤵PID:1520
-
\??\c:\xxlxflx.exec:\xxlxflx.exe68⤵PID:1320
-
\??\c:\xrxxflf.exec:\xrxxflf.exe69⤵PID:3048
-
\??\c:\nnhnnh.exec:\nnhnnh.exe70⤵PID:2380
-
\??\c:\dvpvp.exec:\dvpvp.exe71⤵PID:2192
-
\??\c:\rrrxllx.exec:\rrrxllx.exe72⤵PID:1060
-
\??\c:\ttbbnt.exec:\ttbbnt.exe73⤵PID:2368
-
\??\c:\bbttnt.exec:\bbttnt.exe74⤵PID:2972
-
\??\c:\vddvp.exec:\vddvp.exe75⤵PID:1992
-
\??\c:\5xfrxlr.exec:\5xfrxlr.exe76⤵PID:1684
-
\??\c:\bttthn.exec:\bttthn.exe77⤵PID:3008
-
\??\c:\jdvdp.exec:\jdvdp.exe78⤵PID:2724
-
\??\c:\frfrrlx.exec:\frfrrlx.exe79⤵PID:2436
-
\??\c:\9xlrxll.exec:\9xlrxll.exe80⤵PID:1380
-
\??\c:\bttbnt.exec:\bttbnt.exe81⤵PID:2868
-
\??\c:\jjvdj.exec:\jjvdj.exe82⤵PID:2680
-
\??\c:\lfrxlrl.exec:\lfrxlrl.exe83⤵PID:2656
-
\??\c:\1lflrfr.exec:\1lflrfr.exe84⤵PID:2664
-
\??\c:\bhnhhb.exec:\bhnhhb.exe85⤵PID:2704
-
\??\c:\ddvjv.exec:\ddvjv.exe86⤵PID:2548
-
\??\c:\1xrxlrl.exec:\1xrxlrl.exe87⤵PID:2588
-
\??\c:\3thnbn.exec:\3thnbn.exe88⤵PID:2584
-
\??\c:\dpjdp.exec:\dpjdp.exe89⤵PID:2352
-
\??\c:\jjddp.exec:\jjddp.exe90⤵PID:1452
-
\??\c:\llxxxfr.exec:\llxxxfr.exe91⤵PID:2036
-
\??\c:\tbtbnb.exec:\tbtbnb.exe92⤵PID:1556
-
\??\c:\3jvdj.exec:\3jvdj.exe93⤵PID:1868
-
\??\c:\ppddj.exec:\ppddj.exe94⤵PID:2052
-
\??\c:\rfflxll.exec:\rfflxll.exe95⤵PID:2292
-
\??\c:\nhtbtb.exec:\nhtbtb.exe96⤵PID:1660
-
\??\c:\pjvdp.exec:\pjvdp.exe97⤵PID:2744
-
\??\c:\7dvpd.exec:\7dvpd.exe98⤵PID:2420
-
\??\c:\xlflfrl.exec:\xlflfrl.exe99⤵PID:2888
-
\??\c:\nbtbtt.exec:\nbtbtt.exe100⤵PID:2312
-
\??\c:\vvddv.exec:\vvddv.exe101⤵PID:2412
-
\??\c:\rrlxflf.exec:\rrlxflf.exe102⤵PID:616
-
\??\c:\rrffrfx.exec:\rrffrfx.exe103⤵PID:2516
-
\??\c:\bbbhbn.exec:\bbbhbn.exe104⤵PID:952
-
\??\c:\ddvjv.exec:\ddvjv.exe105⤵PID:1804
-
\??\c:\hbthtb.exec:\hbthtb.exe106⤵PID:1292
-
\??\c:\nnhtnn.exec:\nnhtnn.exe107⤵PID:904
-
\??\c:\ddpdv.exec:\ddpdv.exe108⤵PID:1200
-
\??\c:\xrlrxfr.exec:\xrlrxfr.exe109⤵PID:1432
-
\??\c:\7nnnhn.exec:\7nnnhn.exe110⤵PID:2376
-
\??\c:\9dvpv.exec:\9dvpv.exe111⤵PID:2208
-
\??\c:\1dpvd.exec:\1dpvd.exe112⤵PID:1712
-
\??\c:\9rfxxfl.exec:\9rfxxfl.exe113⤵PID:2384
-
\??\c:\bttthn.exec:\bttthn.exe114⤵PID:2236
-
\??\c:\pvjjj.exec:\pvjjj.exe115⤵PID:2184
-
\??\c:\1ddpd.exec:\1ddpd.exe116⤵PID:1632
-
\??\c:\fllrlrr.exec:\fllrlrr.exe117⤵PID:2368
-
\??\c:\nbbhtt.exec:\nbbhtt.exe118⤵PID:2972
-
\??\c:\1dvpv.exec:\1dvpv.exe119⤵PID:1996
-
\??\c:\rllrflx.exec:\rllrflx.exe120⤵PID:2064
-
\??\c:\3rlrxxf.exec:\3rlrxxf.exe121⤵PID:1580
-
\??\c:\bthnbh.exec:\bthnbh.exe122⤵PID:1476