Analysis
-
max time kernel
120s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20241023-en -
resource tags
arch:x64 arch:x86 image:win7-20241023-en locale:en-us os:windows7-x64 system -
submitted
08/01/2025, 07:17
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
3e277da8a2e0b327d8a362453b8c10899e7ed2194a24f82c56e429508413bfd7.exe
Resource
win7-20241023-en
7 signatures
120 seconds
General
-
Target
3e277da8a2e0b327d8a362453b8c10899e7ed2194a24f82c56e429508413bfd7.exe
-
Size
454KB
-
MD5
5dcce293c8672d539d9464cb4464c0db
-
SHA1
f838a4a67d133146356d901a3c26edd3f327cf4b
-
SHA256
3e277da8a2e0b327d8a362453b8c10899e7ed2194a24f82c56e429508413bfd7
-
SHA512
dcf7400a8b29f2dd60102595374e2182541552895bb840d2aad22302c1ca36286a6d4b363084213cbc8d93408751505afb801a02384e686061f1d517cc68a0a4
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeg:q7Tc2NYHUrAwfMp3CDg
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 48 IoCs
resource yara_rule behavioral1/memory/2408-0-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1644-16-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1948-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2032-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/800-38-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2800-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2984-61-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2820-70-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2860-84-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2820-74-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2820-72-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2708-95-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2588-104-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1032-114-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1916-155-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1132-164-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3068-173-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2440-176-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2600-193-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1612-211-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/972-218-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon 
behavioral1/memory/352-231-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/572-259-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/888-291-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/824-354-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2716-386-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2596-394-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1564-407-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1032-414-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1992-428-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1244-442-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1560-457-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1944-506-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/896-520-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/2212-553-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/988-560-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/1972-593-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2296-613-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2284-670-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1632-702-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/1940-721-0x00000000002C0000-0x00000000002EA000-memory.dmp family_blackmoon behavioral1/memory/2172-746-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon 
behavioral1/memory/2260-824-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/2748-946-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2184-1003-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2216-1023-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2192-1030-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1556-1069-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1644 lxlffff.exe 1948 3vdpp.exe 2032 pddvv.exe 800 202844.exe 2800 ntbtnn.exe 2984 644426.exe 2820 e06488.exe 2992 jdpjj.exe 2860 5rxrrff.exe 2708 3pvpp.exe 2588 2626600.exe 1032 64222.exe 2604 640404.exe 1672 a2446.exe 1636 htnnbb.exe 1916 048062.exe 1132 lxrrxrx.exe 3068 1htbbt.exe 2440 486888.exe 2600 480684.exe 1900 42064.exe 1612 082028.exe 972 nhtbhn.exe 352 1xrxflr.exe 1584 pjvdd.exe 1480 3nnnhb.exe 1624 rlxflrx.exe 572 dpvjj.exe 1904 lfrrxxr.exe 2320 rfrlrrr.exe 1412 02000.exe 888 dvddd.exe 1860 k82288.exe 2580 82028.exe 1256 pdppd.exe 1572 420404.exe 2372 8648044.exe 2200 4240228.exe 2112 rfllfxf.exe 2976 rfrllll.exe 824 dpvdj.exe 2840 jdpvj.exe 2348 o022266.exe 2812 xrlxxrr.exe 2752 82280.exe 2716 7djdv.exe 2816 3vjvv.exe 2596 642844.exe 1564 5bnntn.exe 1032 086262.exe 1632 8222002.exe 1992 hbbhnt.exe 1984 048860.exe 1244 3hbbhn.exe 868 jjddj.exe 1560 tbhntt.exe 2340 64224.exe 2124 hnhntn.exe 1432 424888.exe 1052 c644220.exe 2248 208844.exe 1280 m2444.exe 684 606288.exe 1944 tthhnn.exe -
resource yara_rule behavioral1/memory/2408-0-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1644-16-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1948-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2032-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/800-38-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2800-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2820-63-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2984-61-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2820-70-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2860-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2820-74-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2708-95-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2588-104-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1032-114-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1672-132-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1916-155-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1132-164-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3068-173-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2440-176-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2600-193-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1612-211-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/352-222-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/352-231-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/572-259-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/888-291-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2580-304-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/824-354-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2812-367-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2716-386-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2596-394-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1564-407-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1992-428-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1244-442-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/868-443-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1560-450-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1560-457-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1944-506-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/896-520-0x00000000003C0000-0x00000000003EA000-memory.dmp upx behavioral1/memory/2432-539-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2212-546-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2212-553-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/988-554-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2296-613-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2844-614-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2724-651-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2284-670-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2936-677-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2172-746-0x0000000000320000-0x000000000034A000-memory.dmp upx 
behavioral1/memory/1124-753-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2464-797-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2292-804-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1044-990-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2184-1003-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1124-1031-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1704-1083-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2944-1193-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3008-1230-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2184-1279-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1052-1292-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvppv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7pjjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5lrrrxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language u224624.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrxxrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxlrxxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 684848.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbbhnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
k02840.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 680440.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 264022.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7rlrxxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjvdj.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2408 wrote to memory of 1644 2408 3e277da8a2e0b327d8a362453b8c10899e7ed2194a24f82c56e429508413bfd7.exe 30 PID 2408 wrote to memory of 1644 2408 3e277da8a2e0b327d8a362453b8c10899e7ed2194a24f82c56e429508413bfd7.exe 30 PID 2408 wrote to memory of 1644 2408 3e277da8a2e0b327d8a362453b8c10899e7ed2194a24f82c56e429508413bfd7.exe 30 PID 2408 wrote to memory of 1644 2408 3e277da8a2e0b327d8a362453b8c10899e7ed2194a24f82c56e429508413bfd7.exe 30 PID 1644 wrote to memory of 1948 1644 lxlffff.exe 31 PID 1644 wrote to memory of 1948 1644 lxlffff.exe 31 PID 1644 wrote to memory of 1948 1644 lxlffff.exe 31 PID 1644 wrote to memory of 1948 1644 lxlffff.exe 31 PID 1948 wrote to memory of 2032 1948 3vdpp.exe 32 PID 1948 wrote to memory of 2032 1948 3vdpp.exe 32 PID 1948 wrote to memory of 2032 1948 3vdpp.exe 32 PID 1948 wrote to memory of 2032 1948 3vdpp.exe 32 PID 2032 wrote to memory of 800 2032 pddvv.exe 33 PID 2032 wrote to memory of 800 2032 pddvv.exe 33 PID 2032 wrote to memory of 800 2032 pddvv.exe 33 PID 2032 wrote to memory of 800 2032 pddvv.exe 33 PID 800 wrote to memory of 2800 800 202844.exe 34 PID 800 wrote to memory of 2800 800 202844.exe 34 PID 800 wrote to memory of 2800 800 202844.exe 34 PID 800 wrote to memory of 2800 800 202844.exe 34 PID 2800 wrote to memory of 2984 2800 ntbtnn.exe 35 PID 2800 wrote to memory of 2984 2800 ntbtnn.exe 35 PID 2800 wrote to memory of 2984 2800 ntbtnn.exe 35 PID 2800 wrote to memory of 2984 2800 ntbtnn.exe 35 PID 2984 wrote to memory of 2820 2984 644426.exe 36 PID 2984 wrote to memory of 2820 2984 644426.exe 36 PID 2984 wrote to memory of 2820 2984 644426.exe 36 PID 2984 wrote to memory of 2820 2984 644426.exe 36 PID 2820 wrote to memory of 2992 2820 e06488.exe 37 PID 2820 wrote to memory of 2992 2820 e06488.exe 37 PID 2820 wrote to memory of 2992 2820 e06488.exe 37 PID 2820 wrote to memory of 2992 2820 e06488.exe 37 PID 2992 wrote to memory of 2860 2992 jdpjj.exe 38 PID 2992 wrote to memory of 
2860 2992 jdpjj.exe 38 PID 2992 wrote to memory of 2860 2992 jdpjj.exe 38 PID 2992 wrote to memory of 2860 2992 jdpjj.exe 38 PID 2860 wrote to memory of 2708 2860 5rxrrff.exe 39 PID 2860 wrote to memory of 2708 2860 5rxrrff.exe 39 PID 2860 wrote to memory of 2708 2860 5rxrrff.exe 39 PID 2860 wrote to memory of 2708 2860 5rxrrff.exe 39 PID 2708 wrote to memory of 2588 2708 3pvpp.exe 40 PID 2708 wrote to memory of 2588 2708 3pvpp.exe 40 PID 2708 wrote to memory of 2588 2708 3pvpp.exe 40 PID 2708 wrote to memory of 2588 2708 3pvpp.exe 40 PID 2588 wrote to memory of 1032 2588 2626600.exe 41 PID 2588 wrote to memory of 1032 2588 2626600.exe 41 PID 2588 wrote to memory of 1032 2588 2626600.exe 41 PID 2588 wrote to memory of 1032 2588 2626600.exe 41 PID 1032 wrote to memory of 2604 1032 64222.exe 42 PID 1032 wrote to memory of 2604 1032 64222.exe 42 PID 1032 wrote to memory of 2604 1032 64222.exe 42 PID 1032 wrote to memory of 2604 1032 64222.exe 42 PID 2604 wrote to memory of 1672 2604 640404.exe 43 PID 2604 wrote to memory of 1672 2604 640404.exe 43 PID 2604 wrote to memory of 1672 2604 640404.exe 43 PID 2604 wrote to memory of 1672 2604 640404.exe 43 PID 1672 wrote to memory of 1636 1672 a2446.exe 44 PID 1672 wrote to memory of 1636 1672 a2446.exe 44 PID 1672 wrote to memory of 1636 1672 a2446.exe 44 PID 1672 wrote to memory of 1636 1672 a2446.exe 44 PID 1636 wrote to memory of 1916 1636 htnnbb.exe 45 PID 1636 wrote to memory of 1916 1636 htnnbb.exe 45 PID 1636 wrote to memory of 1916 1636 htnnbb.exe 45 PID 1636 wrote to memory of 1916 1636 htnnbb.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\3e277da8a2e0b327d8a362453b8c10899e7ed2194a24f82c56e429508413bfd7.exe"C:\Users\Admin\AppData\Local\Temp\3e277da8a2e0b327d8a362453b8c10899e7ed2194a24f82c56e429508413bfd7.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2408 -
\??\c:\lxlffff.exec:\lxlffff.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1644 -
\??\c:\3vdpp.exec:\3vdpp.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1948 -
\??\c:\pddvv.exec:\pddvv.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2032 -
\??\c:\202844.exec:\202844.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:800 -
\??\c:\ntbtnn.exec:\ntbtnn.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2800 -
\??\c:\644426.exec:\644426.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2984 -
\??\c:\e06488.exec:\e06488.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2820 -
\??\c:\jdpjj.exec:\jdpjj.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2992 -
\??\c:\5rxrrff.exec:\5rxrrff.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2860 -
\??\c:\3pvpp.exec:\3pvpp.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2708 -
\??\c:\2626600.exec:\2626600.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2588 -
\??\c:\64222.exec:\64222.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1032 -
\??\c:\640404.exec:\640404.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2604 -
\??\c:\a2446.exec:\a2446.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1672 -
\??\c:\htnnbb.exec:\htnnbb.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1636 -
\??\c:\048062.exec:\048062.exe17⤵
- Executes dropped EXE
PID:1916 -
\??\c:\lxrrxrx.exec:\lxrrxrx.exe18⤵
- Executes dropped EXE
PID:1132 -
\??\c:\1htbbt.exec:\1htbbt.exe19⤵
- Executes dropped EXE
PID:3068 -
\??\c:\486888.exec:\486888.exe20⤵
- Executes dropped EXE
PID:2440 -
\??\c:\480684.exec:\480684.exe21⤵
- Executes dropped EXE
PID:2600 -
\??\c:\42064.exec:\42064.exe22⤵
- Executes dropped EXE
PID:1900 -
\??\c:\082028.exec:\082028.exe23⤵
- Executes dropped EXE
PID:1612 -
\??\c:\nhtbhn.exec:\nhtbhn.exe24⤵
- Executes dropped EXE
PID:972 -
\??\c:\1xrxflr.exec:\1xrxflr.exe25⤵
- Executes dropped EXE
PID:352 -
\??\c:\pjvdd.exec:\pjvdd.exe26⤵
- Executes dropped EXE
PID:1584 -
\??\c:\3nnnhb.exec:\3nnnhb.exe27⤵
- Executes dropped EXE
PID:1480 -
\??\c:\rlxflrx.exec:\rlxflrx.exe28⤵
- Executes dropped EXE
PID:1624 -
\??\c:\dpvjj.exec:\dpvjj.exe29⤵
- Executes dropped EXE
PID:572 -
\??\c:\lfrrxxr.exec:\lfrrxxr.exe30⤵
- Executes dropped EXE
PID:1904 -
\??\c:\rfrlrrr.exec:\rfrlrrr.exe31⤵
- Executes dropped EXE
PID:2320 -
\??\c:\02000.exec:\02000.exe32⤵
- Executes dropped EXE
PID:1412 -
\??\c:\dvddd.exec:\dvddd.exe33⤵
- Executes dropped EXE
PID:888 -
\??\c:\k82288.exec:\k82288.exe34⤵
- Executes dropped EXE
PID:1860 -
\??\c:\82028.exec:\82028.exe35⤵
- Executes dropped EXE
PID:2580 -
\??\c:\pdppd.exec:\pdppd.exe36⤵
- Executes dropped EXE
PID:1256 -
\??\c:\420404.exec:\420404.exe37⤵
- Executes dropped EXE
PID:1572 -
\??\c:\8648044.exec:\8648044.exe38⤵
- Executes dropped EXE
PID:2372 -
\??\c:\4240228.exec:\4240228.exe39⤵
- Executes dropped EXE
PID:2200 -
\??\c:\rfllfxf.exec:\rfllfxf.exe40⤵
- Executes dropped EXE
PID:2112 -
\??\c:\rfrllll.exec:\rfrllll.exe41⤵
- Executes dropped EXE
PID:2976 -
\??\c:\dpvdj.exec:\dpvdj.exe42⤵
- Executes dropped EXE
PID:824 -
\??\c:\jdpvj.exec:\jdpvj.exe43⤵
- Executes dropped EXE
PID:2840 -
\??\c:\o022266.exec:\o022266.exe44⤵
- Executes dropped EXE
PID:2348 -
\??\c:\xrlxxrr.exec:\xrlxxrr.exe45⤵
- Executes dropped EXE
PID:2812 -
\??\c:\82280.exec:\82280.exe46⤵
- Executes dropped EXE
PID:2752 -
\??\c:\7djdv.exec:\7djdv.exe47⤵
- Executes dropped EXE
PID:2716 -
\??\c:\3vjvv.exec:\3vjvv.exe48⤵
- Executes dropped EXE
PID:2816 -
\??\c:\642844.exec:\642844.exe49⤵
- Executes dropped EXE
PID:2596 -
\??\c:\5bnntn.exec:\5bnntn.exe50⤵
- Executes dropped EXE
PID:1564 -
\??\c:\086262.exec:\086262.exe51⤵
- Executes dropped EXE
PID:1032 -
\??\c:\8222002.exec:\8222002.exe52⤵
- Executes dropped EXE
PID:1632 -
\??\c:\hbbhnt.exec:\hbbhnt.exe53⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1992 -
\??\c:\048860.exec:\048860.exe54⤵
- Executes dropped EXE
PID:1984 -
\??\c:\3hbbhn.exec:\3hbbhn.exe55⤵
- Executes dropped EXE
PID:1244 -
\??\c:\jjddj.exec:\jjddj.exe56⤵
- Executes dropped EXE
PID:868 -
\??\c:\tbhntt.exec:\tbhntt.exe57⤵
- Executes dropped EXE
PID:1560 -
\??\c:\64224.exec:\64224.exe58⤵
- Executes dropped EXE
PID:2340 -
\??\c:\hnhntn.exec:\hnhntn.exe59⤵
- Executes dropped EXE
PID:2124 -
\??\c:\424888.exec:\424888.exe60⤵
- Executes dropped EXE
PID:1432 -
\??\c:\c644220.exec:\c644220.exe61⤵
- Executes dropped EXE
PID:1052 -
\??\c:\208844.exec:\208844.exe62⤵
- Executes dropped EXE
PID:2248 -
\??\c:\m2444.exec:\m2444.exe63⤵
- Executes dropped EXE
PID:1280 -
\??\c:\606288.exec:\606288.exe64⤵
- Executes dropped EXE
PID:684 -
\??\c:\tthhnn.exec:\tthhnn.exe65⤵
- Executes dropped EXE
PID:1944 -
\??\c:\btntbn.exec:\btntbn.exe66⤵PID:1268
-
\??\c:\o422228.exec:\o422228.exe67⤵PID:896
-
\??\c:\vpjpd.exec:\vpjpd.exe68⤵PID:1288
-
\??\c:\2642062.exec:\2642062.exe69⤵PID:616
-
\??\c:\vpddj.exec:\vpddj.exe70⤵PID:1704
-
\??\c:\9pjpp.exec:\9pjpp.exe71⤵PID:2432
-
\??\c:\20880.exec:\20880.exe72⤵PID:2212
-
\??\c:\m4220.exec:\m4220.exe73⤵PID:988
-
\??\c:\k80284.exec:\k80284.exe74⤵PID:2324
-
\??\c:\jdpvj.exec:\jdpvj.exe75⤵PID:1596
-
\??\c:\426688.exec:\426688.exe76⤵PID:2408
-
\??\c:\1tnthh.exec:\1tnthh.exe77⤵PID:1540
-
\??\c:\bbnthh.exec:\bbnthh.exe78⤵PID:1972
-
\??\c:\q46282.exec:\q46282.exe79⤵PID:1256
-
\??\c:\0804068.exec:\0804068.exe80⤵PID:264
-
\??\c:\260680.exec:\260680.exe81⤵PID:2296
-
\??\c:\086066.exec:\086066.exe82⤵PID:2844
-
\??\c:\ppjdj.exec:\ppjdj.exe83⤵PID:2060
-
\??\c:\o862880.exec:\o862880.exe84⤵PID:2988
-
\??\c:\jdjdp.exec:\jdjdp.exe85⤵PID:2704
-
\??\c:\7pddj.exec:\7pddj.exe86⤵PID:2312
-
\??\c:\82402.exec:\82402.exe87⤵PID:2992
-
\??\c:\0484668.exec:\0484668.exe88⤵PID:2724
-
\??\c:\bbthnn.exec:\bbthnn.exe89⤵PID:2728
-
\??\c:\6080622.exec:\6080622.exe90⤵PID:2284
-
\??\c:\rfxxllr.exec:\rfxxllr.exe91⤵PID:1956
-
\??\c:\2606824.exec:\2606824.exe92⤵PID:2936
-
\??\c:\8606284.exec:\8606284.exe93⤵PID:1796
-
\??\c:\hbntbt.exec:\hbntbt.exe94⤵PID:1980
-
\??\c:\3pddd.exec:\3pddd.exe95⤵PID:1632
-
\??\c:\0426662.exec:\0426662.exe96⤵PID:2908
-
\??\c:\2646840.exec:\2646840.exe97⤵PID:848
-
\??\c:\djvjp.exec:\djvjp.exe98⤵PID:1940
-
\??\c:\pjvdj.exec:\pjvdj.exe99⤵PID:2880
-
\??\c:\u268446.exec:\u268446.exe100⤵PID:2164
-
\??\c:\42662.exec:\42662.exe101⤵PID:2436
-
\??\c:\jdvjp.exec:\jdvjp.exe102⤵PID:2172
-
\??\c:\264022.exec:\264022.exe103⤵
- System Location Discovery: System Language Discovery
PID:2792 -
\??\c:\6044624.exec:\6044624.exe104⤵PID:1124
-
\??\c:\1jdpj.exec:\1jdpj.exe105⤵PID:2332
-
\??\c:\0826402.exec:\0826402.exe106⤵PID:1612
-
\??\c:\nthtbt.exec:\nthtbt.exe107⤵PID:2008
-
\??\c:\4288040.exec:\4288040.exe108⤵PID:1736
-
\??\c:\9xfxlrx.exec:\9xfxlrx.exe109⤵PID:912
-
\??\c:\i400844.exec:\i400844.exe110⤵PID:1464
-
\??\c:\60440.exec:\60440.exe111⤵PID:2464
-
\??\c:\64280.exec:\64280.exe112⤵PID:2292
-
\??\c:\xlffxxl.exec:\xlffxxl.exe113⤵PID:600
-
\??\c:\o680224.exec:\o680224.exe114⤵PID:2260
-
\??\c:\044268.exec:\044268.exe115⤵PID:1904
-
\??\c:\04228.exec:\04228.exe116⤵PID:1004
-
\??\c:\llflrxl.exec:\llflrxl.exe117⤵PID:2512
-
\??\c:\e42640.exec:\e42640.exe118⤵PID:2524
-
\??\c:\482428.exec:\482428.exe119⤵PID:2120
-
\??\c:\s0628.exec:\s0628.exe120⤵PID:1532
-
\??\c:\9frlrfl.exec:\9frlrfl.exe121⤵PID:1640
-
\??\c:\60068.exec:\60068.exe122⤵PID:2428