Analysis
-
max time kernel
120s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
08/01/2025, 07:19
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
3f183dfe42ce6ff4960703b8fae46ee19e397350693b0c99b517f1b4130c30a4N.exe
Resource
win7-20240903-en
7 signatures
120 seconds
General
-
Target
3f183dfe42ce6ff4960703b8fae46ee19e397350693b0c99b517f1b4130c30a4N.exe
-
Size
454KB
-
MD5
14212bad49ca961294ff529352ce04d0
-
SHA1
11075a36e992b186eb30523e16cf418909060db2
-
SHA256
3f183dfe42ce6ff4960703b8fae46ee19e397350693b0c99b517f1b4130c30a4
-
SHA512
f5efcc2b1161c94f99bec35897a16558a3e3a735588b8ac064d308e8c6fc99c7ee4027066c186b1b847487be73f8a291a7a6be0892023b5002f2f9e76b6da291
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeV:q7Tc2NYHUrAwfMp3CDV
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 41 IoCs
resource yara_rule behavioral1/memory/2084-1-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/804-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2264-27-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2892-40-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2812-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2668-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2740-57-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2392-81-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2804-84-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2456-93-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2444-111-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2868-139-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1180-156-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/448-166-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2612-200-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1932-220-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/944-238-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3044-262-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1620-301-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2512-314-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2812-326-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2932-333-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2828-360-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1208-399-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1532-413-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1184-432-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/648-439-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1700-453-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1700-452-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2996-468-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/780-481-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/960-487-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/960-510-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/1748-527-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2108-639-0x0000000000340000-0x000000000036A000-memory.dmp family_blackmoon behavioral1/memory/556-671-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1776-728-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2208-752-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2968-949-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1512-1204-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2044-1247-0x00000000002A0000-0x00000000002CA000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 804 bbnnth.exe 2264 1pdvv.exe 2812 thtbhb.exe 2892 pdjjp.exe 2788 rrflxlr.exe 2740 7nhnnt.exe 2668 vjvdj.exe 2392 1flflff.exe 2804 9rfxxfx.exe 2456 thtttt.exe 2444 jvjjp.exe 556 tnbbhh.exe 1520 dvvvd.exe 600 3nhntt.exe 2868 hbhnnn.exe 1180 5vjjj.exe 448 btntbb.exe 1148 vpjvp.exe 3024 5bnnnn.exe 3056 vvpvd.exe 2612 xlfffxl.exe 1560 3dpdj.exe 1932 fxlxrrx.exe 1168 pvpvd.exe 1340 7rfflrr.exe 944 pjdjv.exe 2480 7vjjp.exe 3044 tnbhhh.exe 2288 1vpdd.exe 1792 1tnnnn.exe 900 ddvjp.exe 348 btnbnn.exe 1620 7jddd.exe 2308 9frrlll.exe 2512 5thtbt.exe 2468 5vjdd.exe 2812 3vdvp.exe 2932 rllffxx.exe 2784 bthhnh.exe 2216 3btbnn.exe 2948 1vjvv.exe 2828 xlrllfl.exe 2744 9xllrxl.exe 2928 htbbbb.exe 2632 9ppvd.exe 2492 9fllrlr.exe 328 rfflxrx.exe 1208 5nbnnt.exe 2964 vjpjv.exe 1532 7rflrlr.exe 1516 fxffllr.exe 808 tnnhtb.exe 1184 vdpdp.exe 648 dpdjp.exe 1668 xlxllll.exe 1700 7tthnt.exe 1148 dvjdd.exe 2996 9rfflxx.exe 3056 9fflrxr.exe 780 bttnbh.exe 960 pjdjp.exe 1548 lllrxxl.exe 2128 7lfxxrr.exe 1800 nhbbnt.exe -
resource yara_rule behavioral1/memory/2084-1-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2264-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/804-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2264-27-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2892-40-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2812-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2668-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2740-57-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2392-81-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2804-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2456-93-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2444-111-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/600-129-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2868-139-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1180-156-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1148-167-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/448-166-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3056-184-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2612-200-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1560-202-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1932-220-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/944-238-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3044-254-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3044-262-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/1620-301-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2512-314-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2812-326-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2932-333-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2828-352-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2828-360-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1208-392-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1208-399-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1532-406-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1532-413-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1184-426-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1184-432-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/648-439-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1700-453-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2996-461-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2996-468-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/960-487-0x0000000000320000-0x000000000034A000-memory.dmp upx behavioral1/memory/1748-527-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1916-546-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1636-601-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1276-652-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/556-671-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1776-728-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2208-752-0x00000000001B0000-0x00000000001DA000-memory.dmp upx 
behavioral1/memory/2600-827-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/556-939-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3008-990-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2400-1009-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1168-1036-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1512-1204-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3016-1260-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1560-1285-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/640-1329-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrrxllx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3lflrxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfxfrxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffffrlr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7ntbhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9htbbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxrlrxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3lxxfxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5jvjj.exe Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnnnnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnbhhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5vjjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3vpdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1hbhhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdvdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrxfrrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2084 wrote to memory of 804 2084 3f183dfe42ce6ff4960703b8fae46ee19e397350693b0c99b517f1b4130c30a4N.exe 30 PID 2084 wrote to memory of 804 2084 3f183dfe42ce6ff4960703b8fae46ee19e397350693b0c99b517f1b4130c30a4N.exe 30 PID 2084 wrote to memory of 804 2084 3f183dfe42ce6ff4960703b8fae46ee19e397350693b0c99b517f1b4130c30a4N.exe 30 PID 2084 wrote to memory of 804 2084 3f183dfe42ce6ff4960703b8fae46ee19e397350693b0c99b517f1b4130c30a4N.exe 30 PID 804 wrote to memory of 2264 804 bbnnth.exe 31 PID 804 wrote to memory of 2264 804 bbnnth.exe 31 PID 804 wrote to memory of 2264 804 bbnnth.exe 31 PID 804 wrote to memory of 2264 804 bbnnth.exe 31 PID 2264 wrote to memory of 2812 2264 1pdvv.exe 32 PID 2264 wrote to memory of 2812 2264 1pdvv.exe 32 PID 2264 wrote to memory of 2812 2264 1pdvv.exe 32 PID 2264 wrote to memory of 2812 2264 1pdvv.exe 32 PID 2812 wrote to memory of 2892 2812 thtbhb.exe 33 PID 2812 wrote to memory of 2892 2812 thtbhb.exe 33 PID 2812 wrote to memory of 2892 2812 thtbhb.exe 33 PID 2812 wrote to memory of 2892 2812 thtbhb.exe 33 PID 2892 wrote to memory of 2788 2892 pdjjp.exe 34 PID 2892 wrote to memory of 2788 2892 pdjjp.exe 34 PID 2892 wrote to memory of 2788 2892 pdjjp.exe 34 PID 2892 wrote to memory of 2788 2892 pdjjp.exe 34 PID 2788 wrote to memory of 2740 2788 rrflxlr.exe 35 PID 2788 wrote to memory of 2740 2788 rrflxlr.exe 35 PID 2788 wrote to memory of 2740 2788 rrflxlr.exe 35 PID 2788 wrote to memory of 2740 2788 rrflxlr.exe 35 PID 2740 wrote to memory of 2668 2740 7nhnnt.exe 36 PID 2740 wrote to memory of 2668 2740 7nhnnt.exe 36 PID 2740 wrote to memory of 2668 2740 7nhnnt.exe 36 PID 2740 wrote to memory of 2668 2740 7nhnnt.exe 36 PID 2668 wrote to memory of 2392 2668 vjvdj.exe 37 PID 2668 wrote to memory of 2392 2668 vjvdj.exe 37 PID 2668 wrote to memory of 2392 2668 vjvdj.exe 37 PID 2668 wrote to memory of 2392 2668 vjvdj.exe 37 PID 2392 wrote to memory of 2804 2392 1flflff.exe 38 PID 2392 wrote to memory of 
2804 2392 1flflff.exe 38 PID 2392 wrote to memory of 2804 2392 1flflff.exe 38 PID 2392 wrote to memory of 2804 2392 1flflff.exe 38 PID 2804 wrote to memory of 2456 2804 9rfxxfx.exe 39 PID 2804 wrote to memory of 2456 2804 9rfxxfx.exe 39 PID 2804 wrote to memory of 2456 2804 9rfxxfx.exe 39 PID 2804 wrote to memory of 2456 2804 9rfxxfx.exe 39 PID 2456 wrote to memory of 2444 2456 thtttt.exe 40 PID 2456 wrote to memory of 2444 2456 thtttt.exe 40 PID 2456 wrote to memory of 2444 2456 thtttt.exe 40 PID 2456 wrote to memory of 2444 2456 thtttt.exe 40 PID 2444 wrote to memory of 556 2444 jvjjp.exe 41 PID 2444 wrote to memory of 556 2444 jvjjp.exe 41 PID 2444 wrote to memory of 556 2444 jvjjp.exe 41 PID 2444 wrote to memory of 556 2444 jvjjp.exe 41 PID 556 wrote to memory of 1520 556 tnbbhh.exe 42 PID 556 wrote to memory of 1520 556 tnbbhh.exe 42 PID 556 wrote to memory of 1520 556 tnbbhh.exe 42 PID 556 wrote to memory of 1520 556 tnbbhh.exe 42 PID 1520 wrote to memory of 600 1520 dvvvd.exe 43 PID 1520 wrote to memory of 600 1520 dvvvd.exe 43 PID 1520 wrote to memory of 600 1520 dvvvd.exe 43 PID 1520 wrote to memory of 600 1520 dvvvd.exe 43 PID 600 wrote to memory of 2868 600 3nhntt.exe 44 PID 600 wrote to memory of 2868 600 3nhntt.exe 44 PID 600 wrote to memory of 2868 600 3nhntt.exe 44 PID 600 wrote to memory of 2868 600 3nhntt.exe 44 PID 2868 wrote to memory of 1180 2868 hbhnnn.exe 45 PID 2868 wrote to memory of 1180 2868 hbhnnn.exe 45 PID 2868 wrote to memory of 1180 2868 hbhnnn.exe 45 PID 2868 wrote to memory of 1180 2868 hbhnnn.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\3f183dfe42ce6ff4960703b8fae46ee19e397350693b0c99b517f1b4130c30a4N.exe"C:\Users\Admin\AppData\Local\Temp\3f183dfe42ce6ff4960703b8fae46ee19e397350693b0c99b517f1b4130c30a4N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2084 -
\??\c:\bbnnth.exec:\bbnnth.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:804 -
\??\c:\1pdvv.exec:\1pdvv.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2264 -
\??\c:\thtbhb.exec:\thtbhb.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2812 -
\??\c:\pdjjp.exec:\pdjjp.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2892 -
\??\c:\rrflxlr.exec:\rrflxlr.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2788 -
\??\c:\7nhnnt.exec:\7nhnnt.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2740 -
\??\c:\vjvdj.exec:\vjvdj.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2668 -
\??\c:\1flflff.exec:\1flflff.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2392 -
\??\c:\9rfxxfx.exec:\9rfxxfx.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2804 -
\??\c:\thtttt.exec:\thtttt.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2456 -
\??\c:\jvjjp.exec:\jvjjp.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2444 -
\??\c:\tnbbhh.exec:\tnbbhh.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:556 -
\??\c:\dvvvd.exec:\dvvvd.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1520 -
\??\c:\3nhntt.exec:\3nhntt.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:600 -
\??\c:\hbhnnn.exec:\hbhnnn.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2868 -
\??\c:\5vjjj.exec:\5vjjj.exe17⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1180 -
\??\c:\btntbb.exec:\btntbb.exe18⤵
- Executes dropped EXE
PID:448 -
\??\c:\vpjvp.exec:\vpjvp.exe19⤵
- Executes dropped EXE
PID:1148 -
\??\c:\5bnnnn.exec:\5bnnnn.exe20⤵
- Executes dropped EXE
PID:3024 -
\??\c:\vvpvd.exec:\vvpvd.exe21⤵
- Executes dropped EXE
PID:3056 -
\??\c:\xlfffxl.exec:\xlfffxl.exe22⤵
- Executes dropped EXE
PID:2612 -
\??\c:\3dpdj.exec:\3dpdj.exe23⤵
- Executes dropped EXE
PID:1560 -
\??\c:\fxlxrrx.exec:\fxlxrrx.exe24⤵
- Executes dropped EXE
PID:1932 -
\??\c:\pvpvd.exec:\pvpvd.exe25⤵
- Executes dropped EXE
PID:1168 -
\??\c:\7rfflrr.exec:\7rfflrr.exe26⤵
- Executes dropped EXE
PID:1340 -
\??\c:\pjdjv.exec:\pjdjv.exe27⤵
- Executes dropped EXE
PID:944 -
\??\c:\7vjjp.exec:\7vjjp.exe28⤵
- Executes dropped EXE
PID:2480 -
\??\c:\tnbhhh.exec:\tnbhhh.exe29⤵
- Executes dropped EXE
PID:3044 -
\??\c:\1vpdd.exec:\1vpdd.exe30⤵
- Executes dropped EXE
PID:2288 -
\??\c:\1tnnnn.exec:\1tnnnn.exe31⤵
- Executes dropped EXE
PID:1792 -
\??\c:\ddvjp.exec:\ddvjp.exe32⤵
- Executes dropped EXE
PID:900 -
\??\c:\btnbnn.exec:\btnbnn.exe33⤵
- Executes dropped EXE
PID:348 -
\??\c:\7jddd.exec:\7jddd.exe34⤵
- Executes dropped EXE
PID:1620 -
\??\c:\9frrlll.exec:\9frrlll.exe35⤵
- Executes dropped EXE
PID:2308 -
\??\c:\5thtbt.exec:\5thtbt.exe36⤵
- Executes dropped EXE
PID:2512 -
\??\c:\5vjdd.exec:\5vjdd.exe37⤵
- Executes dropped EXE
PID:2468 -
\??\c:\3vdvp.exec:\3vdvp.exe38⤵
- Executes dropped EXE
PID:2812 -
\??\c:\rllffxx.exec:\rllffxx.exe39⤵
- Executes dropped EXE
PID:2932 -
\??\c:\bthhnh.exec:\bthhnh.exe40⤵
- Executes dropped EXE
PID:2784 -
\??\c:\3btbnn.exec:\3btbnn.exe41⤵
- Executes dropped EXE
PID:2216 -
\??\c:\1vjvv.exec:\1vjvv.exe42⤵
- Executes dropped EXE
PID:2948 -
\??\c:\xlrllfl.exec:\xlrllfl.exe43⤵
- Executes dropped EXE
PID:2828 -
\??\c:\9xllrxl.exec:\9xllrxl.exe44⤵
- Executes dropped EXE
PID:2744 -
\??\c:\htbbbb.exec:\htbbbb.exe45⤵
- Executes dropped EXE
PID:2928 -
\??\c:\9ppvd.exec:\9ppvd.exe46⤵
- Executes dropped EXE
PID:2632 -
\??\c:\9fllrlr.exec:\9fllrlr.exe47⤵
- Executes dropped EXE
PID:2492 -
\??\c:\rfflxrx.exec:\rfflxrx.exe48⤵
- Executes dropped EXE
PID:328 -
\??\c:\5nbnnt.exec:\5nbnnt.exe49⤵
- Executes dropped EXE
PID:1208 -
\??\c:\vjpjv.exec:\vjpjv.exe50⤵
- Executes dropped EXE
PID:2964 -
\??\c:\7rflrlr.exec:\7rflrlr.exe51⤵
- Executes dropped EXE
PID:1532 -
\??\c:\fxffllr.exec:\fxffllr.exe52⤵
- Executes dropped EXE
PID:1516 -
\??\c:\tnnhtb.exec:\tnnhtb.exe53⤵
- Executes dropped EXE
PID:808 -
\??\c:\vdpdp.exec:\vdpdp.exe54⤵
- Executes dropped EXE
PID:1184 -
\??\c:\dpdjp.exec:\dpdjp.exe55⤵
- Executes dropped EXE
PID:648 -
\??\c:\xlxllll.exec:\xlxllll.exe56⤵
- Executes dropped EXE
PID:1668 -
\??\c:\7tthnt.exec:\7tthnt.exe57⤵
- Executes dropped EXE
PID:1700 -
\??\c:\dvjdd.exec:\dvjdd.exe58⤵
- Executes dropped EXE
PID:1148 -
\??\c:\9rfflxx.exec:\9rfflxx.exe59⤵
- Executes dropped EXE
PID:2996 -
\??\c:\9fflrxr.exec:\9fflrxr.exe60⤵
- Executes dropped EXE
PID:3056 -
\??\c:\bttnbh.exec:\bttnbh.exe61⤵
- Executes dropped EXE
PID:780 -
\??\c:\pjdjp.exec:\pjdjp.exe62⤵
- Executes dropped EXE
PID:960 -
\??\c:\lllrxxl.exec:\lllrxxl.exe63⤵
- Executes dropped EXE
PID:1548 -
\??\c:\7lfxxrr.exec:\7lfxxrr.exe64⤵
- Executes dropped EXE
PID:2128 -
\??\c:\nhbbnt.exec:\nhbbnt.exe65⤵
- Executes dropped EXE
PID:1800 -
\??\c:\ddpdj.exec:\ddpdj.exe66⤵PID:236
-
\??\c:\llfxfxr.exec:\llfxfxr.exe67⤵PID:1824
-
\??\c:\tnhbnh.exec:\tnhbnh.exe68⤵PID:1748
-
\??\c:\3tnntt.exec:\3tnntt.exe69⤵PID:1860
-
\??\c:\9pddj.exec:\9pddj.exe70⤵PID:2116
-
\??\c:\rxrxflr.exec:\rxrxflr.exe71⤵PID:1004
-
\??\c:\5bbttn.exec:\5bbttn.exe72⤵PID:1916
-
\??\c:\jdvvj.exec:\jdvvj.exe73⤵PID:2600
-
\??\c:\pdvpp.exec:\pdvpp.exe74⤵PID:1704
-
\??\c:\lxflxrf.exec:\lxflxrf.exe75⤵PID:1628
-
\??\c:\5htbtt.exec:\5htbtt.exe76⤵PID:2332
-
\??\c:\9bbtnn.exec:\9bbtnn.exe77⤵PID:2476
-
\??\c:\5dppd.exec:\5dppd.exe78⤵PID:2524
-
\??\c:\rlfrrlf.exec:\rlfrrlf.exe79⤵PID:2724
-
\??\c:\htnnnh.exec:\htnnnh.exe80⤵PID:2776
-
\??\c:\dvdvd.exec:\dvdvd.exe81⤵PID:1636
-
\??\c:\3pjdp.exec:\3pjdp.exe82⤵PID:2764
-
\??\c:\rfrrrrx.exec:\rfrrrrx.exe83⤵PID:2108
-
\??\c:\1hbhhn.exec:\1hbhhn.exe84⤵
- System Location Discovery: System Language Discovery
PID:2792 -
\??\c:\pjdpv.exec:\pjdpv.exe85⤵PID:2768
-
\??\c:\7jppv.exec:\7jppv.exe86⤵PID:2628
-
\??\c:\3rllllx.exec:\3rllllx.exe87⤵PID:2744
-
\??\c:\nhthbh.exec:\nhthbh.exe88⤵PID:2352
-
\??\c:\ppddj.exec:\ppddj.exe89⤵PID:1276
-
\??\c:\pjvdj.exec:\pjvdj.exe90⤵PID:912
-
\??\c:\fxxflrf.exec:\fxxflrf.exe91⤵PID:556
-
\??\c:\1ttttn.exec:\1ttttn.exe92⤵PID:2824
-
\??\c:\vpjpj.exec:\vpjpj.exe93⤵PID:956
-
\??\c:\vpdpp.exec:\vpdpp.exe94⤵PID:1532
-
\??\c:\xlxrfff.exec:\xlxrfff.exe95⤵PID:1516
-
\??\c:\tnbtbt.exec:\tnbtbt.exe96⤵PID:808
-
\??\c:\dvjpd.exec:\dvjpd.exe97⤵PID:2976
-
\??\c:\pjddd.exec:\pjddd.exe98⤵PID:2972
-
\??\c:\1rflrrx.exec:\1rflrrx.exe99⤵PID:1980
-
\??\c:\1bttbh.exec:\1bttbh.exe100⤵PID:1776
-
\??\c:\7dpvp.exec:\7dpvp.exe101⤵PID:2388
-
\??\c:\fxlrlxx.exec:\fxlrlxx.exe102⤵PID:2296
-
\??\c:\7bbhhh.exec:\7bbhhh.exe103⤵PID:2720
-
\??\c:\7thhbb.exec:\7thhbb.exe104⤵PID:2208
-
\??\c:\djvpv.exec:\djvpv.exe105⤵PID:1640
-
\??\c:\9xrxffl.exec:\9xrxffl.exe106⤵PID:2420
-
\??\c:\7xlfllx.exec:\7xlfllx.exe107⤵PID:772
-
\??\c:\bnbbhh.exec:\bnbbhh.exe108⤵PID:1784
-
\??\c:\7pdjp.exec:\7pdjp.exe109⤵PID:1556
-
\??\c:\1xrrrxx.exec:\1xrrrxx.exe110⤵PID:236
-
\??\c:\lrfxxxl.exec:\lrfxxxl.exe111⤵PID:2568
-
\??\c:\1thbtt.exec:\1thbtt.exe112⤵PID:1748
-
\??\c:\vvjdj.exec:\vvjdj.exe113⤵PID:620
-
\??\c:\3jdjj.exec:\3jdjj.exe114⤵PID:832
-
\??\c:\xrfxflf.exec:\xrfxflf.exe115⤵PID:1004
-
\??\c:\1ttbbh.exec:\1ttbbh.exe116⤵PID:2072
-
\??\c:\3vpvj.exec:\3vpvj.exe117⤵PID:2600
-
\??\c:\dpjjp.exec:\dpjjp.exe118⤵PID:1704
-
\??\c:\rxlfllr.exec:\rxlfllr.exe119⤵PID:1164
-
\??\c:\hthttt.exec:\hthttt.exe120⤵PID:2332
-
\??\c:\vvjpp.exec:\vvjpp.exe121⤵PID:2476
-
\??\c:\5xllrrf.exec:\5xllrrf.exe122⤵PID:2524