Analysis
-
max time kernel
120s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
08/01/2025, 05:03
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
a47f31d035e52e3b90d3445f87c3d628c3f54514805c84ba18842dfbb1a5b63e.exe
Resource
win7-20240903-en
7 signatures
120 seconds
General
-
Target
a47f31d035e52e3b90d3445f87c3d628c3f54514805c84ba18842dfbb1a5b63e.exe
-
Size
455KB
-
MD5
27af1e866dc33ed6156be79eb42abd62
-
SHA1
37aec31e70b5c1669f07ad942de43e14ca099ef7
-
SHA256
a47f31d035e52e3b90d3445f87c3d628c3f54514805c84ba18842dfbb1a5b63e
-
SHA512
10cfb50ee94b68923ab681e136620d607f41f19e6502ab12502724e06ffd4009b58859e00d99c7202001182c215636e902f4bc26532eaa77926b7133b99ee8dd
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeTk:q7Tc2NYHUrAwfMp3CDA
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 46 IoCs
resource yara_rule behavioral1/memory/1720-13-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1636-10-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2392-31-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2264-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2392-39-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2260-53-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2956-50-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2648-91-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2688-88-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2524-111-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2808-109-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2496-127-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2568-132-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/1648-140-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1384-148-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2396-168-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2236-187-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2032-199-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2824-207-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1008-216-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1064-235-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/1612-238-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1556-253-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/876-270-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1084-288-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2084-313-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1572-322-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2272-323-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2716-389-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2624-396-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/2584-409-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2508-422-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2664-435-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1648-449-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1648-469-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2744-519-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2796-690-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/2984-717-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3000-725-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1380-738-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1436-758-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1436-756-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon 
behavioral1/memory/2160-797-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2160-817-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2776-820-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1540-850-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1720 xxlrxfl.exe 2264 hbbttt.exe 2392 5vvjd.exe 2956 9rxfrxr.exe 2260 jdvvj.exe 2180 lxffxfx.exe 2588 nbtbth.exe 2688 jdvjp.exe 2648 tnnhtb.exe 2808 tnbbtb.exe 2524 1ddpj.exe 2496 djjdv.exe 2568 jpdpd.exe 1648 pdvjd.exe 1384 jdvjp.exe 1224 frrrrxf.exe 2396 ttntht.exe 1996 llfrrfr.exe 2236 pjvdj.exe 2032 5xllflf.exe 2824 jdvvp.exe 1008 lrfrxlr.exe 1872 lfrxflf.exe 1064 hbtnbh.exe 1612 xrllrrr.exe 1556 nnbhbt.exe 288 rxrlxxl.exe 876 jpjdp.exe 988 xlflrrf.exe 1084 ttnbtb.exe 1792 rfflxlf.exe 3048 1nbnbb.exe 2084 frfxrff.exe 1572 pvvdp.exe 2272 9xrfxfr.exe 2312 lxxfxll.exe 2892 djpjj.exe 2820 jjdjv.exe 2420 1xrrxxf.exe 2248 bbnbnt.exe 2332 rxfrrlf.exe 2888 flxrrlr.exe 2704 bbntbb.exe 2716 vdvjv.exe 2624 frrxxxf.exe 2620 xxrxlxr.exe 2584 5bthnb.exe 2684 vpjjv.exe 2508 3rfxlll.exe 2548 xfxlffx.exe 2664 nnntnn.exe 1760 3vppp.exe 1648 fxrxlrx.exe 1144 hbtnnb.exe 1148 7dvdd.exe 2000 frrlrfx.exe 1576 lrfrxrr.exe 2040 bttbnb.exe 1088 pppdd.exe 2756 7rlfxxl.exe 2744 llxfrrl.exe 2824 nhbnnb.exe 2268 dpvjv.exe 2156 lrxxfxr.exe -
resource yara_rule behavioral1/memory/1720-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1636-10-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2392-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2264-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2392-39-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2260-53-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2956-50-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2648-91-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2688-88-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2688-86-0x00000000001B0000-0x00000000001DA000-memory.dmp upx behavioral1/memory/2524-111-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2808-109-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2568-132-0x00000000003A0000-0x00000000003CA000-memory.dmp upx behavioral1/memory/1648-138-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1648-140-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1384-148-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1224-151-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2396-168-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2032-189-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2236-187-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2032-199-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2824-207-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1008-216-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1064-235-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/1612-238-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1556-253-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/876-270-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1084-288-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2084-313-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1572-322-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2272-323-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2248-356-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2716-389-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2624-396-0x00000000003B0000-0x00000000003DA000-memory.dmp upx behavioral1/memory/2584-409-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2508-422-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1760-436-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2664-435-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1648-449-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1088-483-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1212-554-0x00000000001B0000-0x00000000001DA000-memory.dmp upx behavioral1/memory/2252-635-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2720-697-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2984-710-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2984-717-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3000-718-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1380-738-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/448-804-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llrxrxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9rrfffr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hththn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bthhnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3lffflx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdpvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhbhtt.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxxlxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnbbnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlfxffl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvvdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxfrflf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not 
Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlrllfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3fxrrlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1636 wrote to memory of 1720 1636 a47f31d035e52e3b90d3445f87c3d628c3f54514805c84ba18842dfbb1a5b63e.exe 28 PID 1636 wrote to memory of 1720 1636 a47f31d035e52e3b90d3445f87c3d628c3f54514805c84ba18842dfbb1a5b63e.exe 28 PID 1636 wrote to memory of 1720 1636 a47f31d035e52e3b90d3445f87c3d628c3f54514805c84ba18842dfbb1a5b63e.exe 28 PID 1636 wrote to memory of 1720 1636 a47f31d035e52e3b90d3445f87c3d628c3f54514805c84ba18842dfbb1a5b63e.exe 28 PID 1720 wrote to memory of 2264 1720 xxlrxfl.exe 29 PID 1720 wrote to memory of 2264 1720 xxlrxfl.exe 29 PID 1720 wrote to memory of 2264 1720 xxlrxfl.exe 29 PID 1720 wrote to memory of 2264 1720 xxlrxfl.exe 29 PID 2264 wrote to memory of 2392 2264 hbbttt.exe 30 PID 2264 wrote to memory of 2392 2264 hbbttt.exe 30 PID 2264 wrote to memory of 2392 2264 hbbttt.exe 30 PID 2264 wrote to memory of 2392 2264 hbbttt.exe 30 PID 2392 wrote to memory of 2956 2392 5vvjd.exe 31 PID 2392 wrote to memory of 2956 2392 5vvjd.exe 31 PID 2392 wrote to memory of 2956 2392 5vvjd.exe 31 PID 2392 wrote to memory of 2956 2392 5vvjd.exe 31 PID 2956 wrote to memory of 2260 2956 9rxfrxr.exe 32 PID 2956 wrote to memory of 2260 2956 9rxfrxr.exe 32 PID 2956 wrote to memory of 2260 2956 9rxfrxr.exe 32 PID 2956 wrote to memory of 2260 2956 9rxfrxr.exe 32 PID 2260 wrote to memory of 2180 2260 jdvvj.exe 33 PID 2260 wrote to memory of 2180 2260 jdvvj.exe 33 PID 2260 wrote to memory of 2180 2260 jdvvj.exe 33 PID 2260 wrote to memory of 2180 2260 jdvvj.exe 33 PID 2180 wrote to memory of 2588 2180 lxffxfx.exe 34 PID 2180 wrote to memory of 2588 2180 lxffxfx.exe 34 PID 2180 wrote to memory of 2588 2180 lxffxfx.exe 34 PID 2180 wrote to memory of 2588 2180 lxffxfx.exe 34 PID 2588 wrote to memory of 2688 2588 nbtbth.exe 35 PID 2588 wrote to memory of 2688 2588 nbtbth.exe 35 PID 2588 wrote to memory of 2688 2588 nbtbth.exe 35 PID 2588 wrote to memory of 2688 2588 nbtbth.exe 35 PID 2688 wrote to memory of 2648 2688 jdvjp.exe 36 PID 2688 
wrote to memory of 2648 2688 jdvjp.exe 36 PID 2688 wrote to memory of 2648 2688 jdvjp.exe 36 PID 2688 wrote to memory of 2648 2688 jdvjp.exe 36 PID 2648 wrote to memory of 2808 2648 tnnhtb.exe 37 PID 2648 wrote to memory of 2808 2648 tnnhtb.exe 37 PID 2648 wrote to memory of 2808 2648 tnnhtb.exe 37 PID 2648 wrote to memory of 2808 2648 tnnhtb.exe 37 PID 2808 wrote to memory of 2524 2808 tnbbtb.exe 38 PID 2808 wrote to memory of 2524 2808 tnbbtb.exe 38 PID 2808 wrote to memory of 2524 2808 tnbbtb.exe 38 PID 2808 wrote to memory of 2524 2808 tnbbtb.exe 38 PID 2524 wrote to memory of 2496 2524 1ddpj.exe 39 PID 2524 wrote to memory of 2496 2524 1ddpj.exe 39 PID 2524 wrote to memory of 2496 2524 1ddpj.exe 39 PID 2524 wrote to memory of 2496 2524 1ddpj.exe 39 PID 2496 wrote to memory of 2568 2496 djjdv.exe 40 PID 2496 wrote to memory of 2568 2496 djjdv.exe 40 PID 2496 wrote to memory of 2568 2496 djjdv.exe 40 PID 2496 wrote to memory of 2568 2496 djjdv.exe 40 PID 2568 wrote to memory of 1648 2568 jpdpd.exe 41 PID 2568 wrote to memory of 1648 2568 jpdpd.exe 41 PID 2568 wrote to memory of 1648 2568 jpdpd.exe 41 PID 2568 wrote to memory of 1648 2568 jpdpd.exe 41 PID 1648 wrote to memory of 1384 1648 pdvjd.exe 42 PID 1648 wrote to memory of 1384 1648 pdvjd.exe 42 PID 1648 wrote to memory of 1384 1648 pdvjd.exe 42 PID 1648 wrote to memory of 1384 1648 pdvjd.exe 42 PID 1384 wrote to memory of 1224 1384 jdvjp.exe 43 PID 1384 wrote to memory of 1224 1384 jdvjp.exe 43 PID 1384 wrote to memory of 1224 1384 jdvjp.exe 43 PID 1384 wrote to memory of 1224 1384 jdvjp.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\a47f31d035e52e3b90d3445f87c3d628c3f54514805c84ba18842dfbb1a5b63e.exe"C:\Users\Admin\AppData\Local\Temp\a47f31d035e52e3b90d3445f87c3d628c3f54514805c84ba18842dfbb1a5b63e.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1636 -
\??\c:\xxlrxfl.exec:\xxlrxfl.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1720 -
\??\c:\hbbttt.exec:\hbbttt.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2264 -
\??\c:\5vvjd.exec:\5vvjd.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2392 -
\??\c:\9rxfrxr.exec:\9rxfrxr.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2956 -
\??\c:\jdvvj.exec:\jdvvj.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2260 -
\??\c:\lxffxfx.exec:\lxffxfx.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2180 -
\??\c:\nbtbth.exec:\nbtbth.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2588 -
\??\c:\jdvjp.exec:\jdvjp.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2688 -
\??\c:\tnnhtb.exec:\tnnhtb.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2648 -
\??\c:\tnbbtb.exec:\tnbbtb.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2808 -
\??\c:\1ddpj.exec:\1ddpj.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2524 -
\??\c:\djjdv.exec:\djjdv.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2496 -
\??\c:\jpdpd.exec:\jpdpd.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2568 -
\??\c:\pdvjd.exec:\pdvjd.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1648 -
\??\c:\jdvjp.exec:\jdvjp.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1384 -
\??\c:\frrrrxf.exec:\frrrrxf.exe17⤵
- Executes dropped EXE
PID:1224 -
\??\c:\ttntht.exec:\ttntht.exe18⤵
- Executes dropped EXE
PID:2396 -
\??\c:\llfrrfr.exec:\llfrrfr.exe19⤵
- Executes dropped EXE
PID:1996 -
\??\c:\pjvdj.exec:\pjvdj.exe20⤵
- Executes dropped EXE
PID:2236 -
\??\c:\5xllflf.exec:\5xllflf.exe21⤵
- Executes dropped EXE
PID:2032 -
\??\c:\jdvvp.exec:\jdvvp.exe22⤵
- Executes dropped EXE
PID:2824 -
\??\c:\lrfrxlr.exec:\lrfrxlr.exe23⤵
- Executes dropped EXE
PID:1008 -
\??\c:\lfrxflf.exec:\lfrxflf.exe24⤵
- Executes dropped EXE
PID:1872 -
\??\c:\hbtnbh.exec:\hbtnbh.exe25⤵
- Executes dropped EXE
PID:1064 -
\??\c:\xrllrrr.exec:\xrllrrr.exe26⤵
- Executes dropped EXE
PID:1612 -
\??\c:\nnbhbt.exec:\nnbhbt.exe27⤵
- Executes dropped EXE
PID:1556 -
\??\c:\rxrlxxl.exec:\rxrlxxl.exe28⤵
- Executes dropped EXE
PID:288 -
\??\c:\jpjdp.exec:\jpjdp.exe29⤵
- Executes dropped EXE
PID:876 -
\??\c:\xlflrrf.exec:\xlflrrf.exe30⤵
- Executes dropped EXE
PID:988 -
\??\c:\ttnbtb.exec:\ttnbtb.exe31⤵
- Executes dropped EXE
PID:1084 -
\??\c:\rfflxlf.exec:\rfflxlf.exe32⤵
- Executes dropped EXE
PID:1792 -
\??\c:\1nbnbb.exec:\1nbnbb.exe33⤵
- Executes dropped EXE
PID:3048 -
\??\c:\frfxrff.exec:\frfxrff.exe34⤵
- Executes dropped EXE
PID:2084 -
\??\c:\pvvdp.exec:\pvvdp.exe35⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1572 -
\??\c:\9xrfxfr.exec:\9xrfxfr.exe36⤵
- Executes dropped EXE
PID:2272 -
\??\c:\lxxfxll.exec:\lxxfxll.exe37⤵
- Executes dropped EXE
PID:2312 -
\??\c:\djpjj.exec:\djpjj.exe38⤵
- Executes dropped EXE
PID:2892 -
\??\c:\jjdjv.exec:\jjdjv.exe39⤵
- Executes dropped EXE
PID:2820 -
\??\c:\1xrrxxf.exec:\1xrrxxf.exe40⤵
- Executes dropped EXE
PID:2420 -
\??\c:\bbnbnt.exec:\bbnbnt.exe41⤵
- Executes dropped EXE
PID:2248 -
\??\c:\rxfrrlf.exec:\rxfrrlf.exe42⤵
- Executes dropped EXE
PID:2332 -
\??\c:\flxrrlr.exec:\flxrrlr.exe43⤵
- Executes dropped EXE
PID:2888 -
\??\c:\bbntbb.exec:\bbntbb.exe44⤵
- Executes dropped EXE
PID:2704 -
\??\c:\vdvjv.exec:\vdvjv.exe45⤵
- Executes dropped EXE
PID:2716 -
\??\c:\frrxxxf.exec:\frrxxxf.exe46⤵
- Executes dropped EXE
PID:2624 -
\??\c:\xxrxlxr.exec:\xxrxlxr.exe47⤵
- Executes dropped EXE
PID:2620 -
\??\c:\5bthnb.exec:\5bthnb.exe48⤵
- Executes dropped EXE
PID:2584 -
\??\c:\vpjjv.exec:\vpjjv.exe49⤵
- Executes dropped EXE
PID:2684 -
\??\c:\3rfxlll.exec:\3rfxlll.exe50⤵
- Executes dropped EXE
PID:2508 -
\??\c:\xfxlffx.exec:\xfxlffx.exe51⤵
- Executes dropped EXE
PID:2548 -
\??\c:\nnntnn.exec:\nnntnn.exe52⤵
- Executes dropped EXE
PID:2664 -
\??\c:\3vppp.exec:\3vppp.exe53⤵
- Executes dropped EXE
PID:1760 -
\??\c:\fxrxlrx.exec:\fxrxlrx.exe54⤵
- Executes dropped EXE
PID:1648 -
\??\c:\hbtnnb.exec:\hbtnnb.exe55⤵
- Executes dropped EXE
PID:1144 -
\??\c:\7dvdd.exec:\7dvdd.exe56⤵
- Executes dropped EXE
PID:1148 -
\??\c:\frrlrfx.exec:\frrlrfx.exe57⤵
- Executes dropped EXE
PID:2000 -
\??\c:\lrfrxrr.exec:\lrfrxrr.exe58⤵
- Executes dropped EXE
PID:1576 -
\??\c:\bttbnb.exec:\bttbnb.exe59⤵
- Executes dropped EXE
PID:2040 -
\??\c:\pppdd.exec:\pppdd.exe60⤵
- Executes dropped EXE
PID:1088 -
\??\c:\7rlfxxl.exec:\7rlfxxl.exe61⤵
- Executes dropped EXE
PID:2756 -
\??\c:\llxfrrl.exec:\llxfrrl.exe62⤵
- Executes dropped EXE
PID:2744 -
\??\c:\nhbnnb.exec:\nhbnnb.exe63⤵
- Executes dropped EXE
PID:2824 -
\??\c:\dpvjv.exec:\dpvjv.exe64⤵
- Executes dropped EXE
PID:2268 -
\??\c:\lrxxfxr.exec:\lrxxfxr.exe65⤵
- Executes dropped EXE
PID:2156 -
\??\c:\bbbhbn.exec:\bbbhbn.exe66⤵PID:1872
-
\??\c:\7jdpp.exec:\7jdpp.exe67⤵PID:1884
-
\??\c:\vpdpv.exec:\vpdpv.exe68⤵PID:1668
-
\??\c:\ffxrfrl.exec:\ffxrfrl.exe69⤵PID:1392
-
\??\c:\hhbbhn.exec:\hhbbhn.exe70⤵PID:1212
-
\??\c:\vpddv.exec:\vpddv.exe71⤵PID:908
-
\??\c:\rffxffr.exec:\rffxffr.exe72⤵PID:884
-
\??\c:\hnntbb.exec:\hnntbb.exe73⤵PID:988
-
\??\c:\pppvj.exec:\pppvj.exe74⤵PID:2848
-
\??\c:\ffxxrrl.exec:\ffxxrrl.exe75⤵PID:1888
-
\??\c:\7nbbbh.exec:\7nbbbh.exe76⤵PID:2368
-
\??\c:\vpddv.exec:\vpddv.exe77⤵PID:1860
-
\??\c:\jjdjj.exec:\jjdjj.exe78⤵PID:1432
-
\??\c:\3fllxrx.exec:\3fllxrx.exe79⤵PID:1720
-
\??\c:\bbntbb.exec:\bbntbb.exe80⤵PID:2252
-
\??\c:\hnhhbt.exec:\hnhhbt.exe81⤵PID:1660
-
\??\c:\dddpd.exec:\dddpd.exe82⤵PID:2312
-
\??\c:\rxrlxfx.exec:\rxrlxfx.exe83⤵PID:2960
-
\??\c:\rrrffxf.exec:\rrrffxf.exe84⤵PID:3028
-
\??\c:\5jpvv.exec:\5jpvv.exe85⤵PID:2420
-
\??\c:\vdjvp.exec:\vdjvp.exe86⤵PID:2200
-
\??\c:\fflrllx.exec:\fflrllx.exe87⤵PID:1236
-
\??\c:\bhtnnt.exec:\bhtnnt.exe88⤵PID:2680
-
\??\c:\3pdjv.exec:\3pdjv.exe89⤵PID:2708
-
\??\c:\lrlxlrr.exec:\lrlxlrr.exe90⤵PID:2688
-
\??\c:\9llrlxr.exec:\9llrlxr.exe91⤵PID:2532
-
\??\c:\9tbbtb.exec:\9tbbtb.exe92⤵PID:2796
-
\??\c:\djdpv.exec:\djdpv.exe93⤵PID:2808
-
\??\c:\ffllxlx.exec:\ffllxlx.exe94⤵PID:2720
-
\??\c:\3flrfrl.exec:\3flrfrl.exe95⤵PID:2528
-
\??\c:\hhtbtb.exec:\hhtbtb.exe96⤵PID:2984
-
\??\c:\5vpdj.exec:\5vpdj.exe97⤵PID:3000
-
\??\c:\lrlxlrf.exec:\lrlxlrf.exe98⤵PID:2284
-
\??\c:\htnthn.exec:\htnthn.exe99⤵PID:1380
-
\??\c:\hbnbtn.exec:\hbnbtn.exe100⤵PID:1368
-
\??\c:\5dvjd.exec:\5dvjd.exe101⤵PID:1076
-
\??\c:\frflxxl.exec:\frflxxl.exe102⤵PID:1436
-
\??\c:\pjjpd.exec:\pjjpd.exe103⤵PID:1776
-
\??\c:\xxrxlrf.exec:\xxrxlrf.exe104⤵PID:1948
-
\??\c:\bhhbbn.exec:\bhhbbn.exe105⤵PID:2040
-
\??\c:\ppjvj.exec:\ppjvj.exe106⤵PID:2836
-
\??\c:\5bbbht.exec:\5bbbht.exe107⤵PID:2864
-
\??\c:\hnthnb.exec:\hnthnb.exe108⤵PID:2160
-
\??\c:\pjjvp.exec:\pjjvp.exe109⤵PID:1160
-
\??\c:\flrrfll.exec:\flrrfll.exe110⤵PID:448
-
\??\c:\7tnhnt.exec:\7tnhnt.exe111⤵PID:956
-
\??\c:\jdppd.exec:\jdppd.exe112⤵PID:2776
-
\??\c:\xfrxrlr.exec:\xfrxrlr.exe113⤵PID:1552
-
\??\c:\1xlxlfr.exec:\1xlxlfr.exe114⤵PID:1556
-
\??\c:\bhbthn.exec:\bhbthn.exe115⤵PID:288
-
\??\c:\jdjvp.exec:\jdjvp.exe116⤵PID:1540
-
\??\c:\rrrfxlr.exec:\rrrfxlr.exe117⤵PID:2128
-
\??\c:\nbnntb.exec:\nbnntb.exe118⤵PID:1172
-
\??\c:\ddjpv.exec:\ddjpv.exe119⤵PID:2212
-
\??\c:\5fffxfl.exec:\5fffxfl.exe120⤵PID:2080
-
\??\c:\fxlrrfl.exec:\fxlrrfl.exe121⤵PID:3068
-
\??\c:\3nntbh.exec:\3nntbh.exe122⤵PID:1596