Analysis
-
max time kernel
150s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted
20-01-2025 09:02
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
39a9b6041d82b6192936ba8440bb56192040c46cc52bdf76077fdf8cf007ef66.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
150 seconds
General
-
Target
39a9b6041d82b6192936ba8440bb56192040c46cc52bdf76077fdf8cf007ef66.exe
-
Size
454KB
-
MD5
a5931e7aba0778a843ed154001c8e704
-
SHA1
ecac23978227958fc9e1e2329b85601fc9175807
-
SHA256
39a9b6041d82b6192936ba8440bb56192040c46cc52bdf76077fdf8cf007ef66
-
SHA512
2ac24cae18528a7abf42f4606da36c73a17f4a5bfd4939276ed08239809e2011d3bc171a51e368038cdec9f841bec70e214c0b020e550fedae577f94e1b41d59
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeX:q7Tc2NYHUrAwfMp3CDX
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 41 IoCs
resource yara_rule behavioral1/memory/2872-9-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3064-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2888-32-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2732-28-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2768-49-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2644-59-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2528-68-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2968-77-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2812-90-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1744-88-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2864-105-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2864-107-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2216-116-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1296-126-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1936-144-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/864-161-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/840-185-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1080-196-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2428-228-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1592-237-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2436-263-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2420-272-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1708-328-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2992-342-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2508-349-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/2832-381-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2840-387-0x00000000002B0000-0x00000000002DA000-memory.dmp family_blackmoon behavioral1/memory/1492-390-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1060-403-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1220-422-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2900-477-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3040-575-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2660-588-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/2364-602-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2536-616-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1692-681-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/2220-683-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2172-843-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2348-863-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1756-968-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2308-1100-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs (capped at 64 listed; the process tree below shows the chain continuing past this count). Note: the dropped files are written to the root of the system drive (\??\c:\<name>.exe) with short pseudo-random names built from a small alphabet of letters and digits, and each dropped executable spawns the next, forming a linear parent→child chain. PIDs are reused within the 150-second run (e.g. 1484 appears as both dddpj.exe and hnhnnn.exe), so the PID alone is not a stable key for correlating these entries — pair it with the process name and the parent PID from the WriteProcessMemory section.
pid Process 3064 1tthnt.exe 2732 1jdpv.exe 2888 lfrxrrx.exe 2768 jddjd.exe 2644 7flfrff.exe 2528 5frfrlf.exe 2968 vppdv.exe 1744 3xxflxl.exe 2812 fffrrff.exe 2864 bbttnt.exe 2216 3vvjd.exe 1296 tthnbb.exe 1972 7dvjv.exe 1936 btbnbh.exe 1484 dddpj.exe 864 bhnthh.exe 1516 jpjdv.exe 2908 xxlrrxx.exe 840 bhhtth.exe 2140 vjdvj.exe 1080 3htthn.exe 2460 jjpvj.exe 1240 5hbhth.exe 2428 vvpdp.exe 1592 hhtnhn.exe 956 lxxlfrr.exe 784 ntbnhb.exe 2436 flrfxff.exe 2420 nbbbnh.exe 1980 lrrfrff.exe 1508 djjpd.exe 1812 lfrxrlf.exe 2656 bhtnbn.exe 2896 pvpdv.exe 1576 flrlflf.exe 2884 btntnt.exe 1708 hhnbnb.exe 2784 pdvpv.exe 2992 fffrlfx.exe 2508 tbbbtb.exe 2580 pdvvv.exe 3048 lflxrrl.exe 1232 1hbnbh.exe 2684 ttbnnb.exe 2832 vdpvj.exe 2840 5llrrxr.exe 1492 nhbnth.exe 1060 pdpvv.exe 2252 lllxrff.exe 2016 1frfxlf.exe 1220 tbhthb.exe 596 5jvjd.exe 2188 lfflxfr.exe 1484 hnhnnn.exe 1800 5dddp.exe 2848 5vjvj.exe 2232 1frxlfr.exe 2272 htnbnb.exe 2900 pjjvp.exe 916 flxxlrx.exe 616 1hthhb.exe 860 9jppd.exe 2284 vjjvv.exe 1816 3xxxlxr.exe -
resource yara_rule behavioral1/memory/2872-9-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3064-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2888-32-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2732-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2644-50-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2768-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2644-59-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2968-77-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2812-90-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1744-88-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2864-107-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2216-116-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1296-126-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1936-144-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/864-161-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/840-185-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1080-196-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2428-228-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1592-237-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2436-263-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2420-272-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1708-328-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2992-342-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2832-381-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2840-387-0x00000000002B0000-0x00000000002DA000-memory.dmp upx behavioral1/memory/1492-390-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1060-403-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/596-423-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1220-422-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1800-443-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2232-456-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2900-477-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2428-509-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1352-521-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/3040-575-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2660-588-0x00000000003C0000-0x00000000003EA000-memory.dmp upx behavioral1/memory/2536-616-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2808-655-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2220-683-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1764-716-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1828-737-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1784-770-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1648-824-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2172-843-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3040-850-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2348-863-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2496-924-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2868-949-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/1756-968-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1392-987-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1516-1000-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1240-1044-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2316-1113-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location. Caveat: opening HKLM\SYSTEM\ControlSet001\Control\NLS\Language is also done by a great deal of benign software (locale lookups), so this indicator is a weak signal on its own; many of the entries below are attributed to "Process not Found" because the short-lived spawning process had already exited when the sandbox resolved the event.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpjvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1fxfxlr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlxxxrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhntht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1xflfrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3pddj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1dvvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvddd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnnbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process 
not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbbbnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rflffxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thbhtb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvpjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5nnhth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flflxxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dddvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2872 wrote to memory of 3064 2872 39a9b6041d82b6192936ba8440bb56192040c46cc52bdf76077fdf8cf007ef66.exe 30 PID 2872 wrote to memory of 3064 2872 39a9b6041d82b6192936ba8440bb56192040c46cc52bdf76077fdf8cf007ef66.exe 30 PID 2872 wrote to memory of 3064 2872 39a9b6041d82b6192936ba8440bb56192040c46cc52bdf76077fdf8cf007ef66.exe 30 PID 2872 wrote to memory of 3064 2872 39a9b6041d82b6192936ba8440bb56192040c46cc52bdf76077fdf8cf007ef66.exe 30 PID 3064 wrote to memory of 2732 3064 1tthnt.exe 31 PID 3064 wrote to memory of 2732 3064 1tthnt.exe 31 PID 3064 wrote to memory of 2732 3064 1tthnt.exe 31 PID 3064 wrote to memory of 2732 3064 1tthnt.exe 31 PID 2732 wrote to memory of 2888 2732 1jdpv.exe 32 PID 2732 wrote to memory of 2888 2732 1jdpv.exe 32 PID 2732 wrote to memory of 2888 2732 1jdpv.exe 32 PID 2732 wrote to memory of 2888 2732 1jdpv.exe 32 PID 2888 wrote to memory of 2768 2888 lfrxrrx.exe 33 PID 2888 wrote to memory of 2768 2888 lfrxrrx.exe 33 PID 2888 wrote to memory of 2768 2888 lfrxrrx.exe 33 PID 2888 wrote to memory of 2768 2888 lfrxrrx.exe 33 PID 2768 wrote to memory of 2644 2768 jddjd.exe 34 PID 2768 wrote to memory of 2644 2768 jddjd.exe 34 PID 2768 wrote to memory of 2644 2768 jddjd.exe 34 PID 2768 wrote to memory of 2644 2768 jddjd.exe 34 PID 2644 wrote to memory of 2528 2644 7flfrff.exe 35 PID 2644 wrote to memory of 2528 2644 7flfrff.exe 35 PID 2644 wrote to memory of 2528 2644 7flfrff.exe 35 PID 2644 wrote to memory of 2528 2644 7flfrff.exe 35 PID 2528 wrote to memory of 2968 2528 5frfrlf.exe 36 PID 2528 wrote to memory of 2968 2528 5frfrlf.exe 36 PID 2528 wrote to memory of 2968 2528 5frfrlf.exe 36 PID 2528 wrote to memory of 2968 2528 5frfrlf.exe 36 PID 2968 wrote to memory of 1744 2968 vppdv.exe 37 PID 2968 wrote to memory of 1744 2968 vppdv.exe 37 PID 2968 wrote to memory of 1744 2968 vppdv.exe 37 PID 2968 wrote to memory of 1744 2968 vppdv.exe 37 PID 1744 wrote to memory of 2812 1744 3xxflxl.exe 38 PID 1744 
wrote to memory of 2812 1744 3xxflxl.exe 38 PID 1744 wrote to memory of 2812 1744 3xxflxl.exe 38 PID 1744 wrote to memory of 2812 1744 3xxflxl.exe 38 PID 2812 wrote to memory of 2864 2812 fffrrff.exe 39 PID 2812 wrote to memory of 2864 2812 fffrrff.exe 39 PID 2812 wrote to memory of 2864 2812 fffrrff.exe 39 PID 2812 wrote to memory of 2864 2812 fffrrff.exe 39 PID 2864 wrote to memory of 2216 2864 bbttnt.exe 40 PID 2864 wrote to memory of 2216 2864 bbttnt.exe 40 PID 2864 wrote to memory of 2216 2864 bbttnt.exe 40 PID 2864 wrote to memory of 2216 2864 bbttnt.exe 40 PID 2216 wrote to memory of 1296 2216 3vvjd.exe 41 PID 2216 wrote to memory of 1296 2216 3vvjd.exe 41 PID 2216 wrote to memory of 1296 2216 3vvjd.exe 41 PID 2216 wrote to memory of 1296 2216 3vvjd.exe 41 PID 1296 wrote to memory of 1972 1296 tthnbb.exe 42 PID 1296 wrote to memory of 1972 1296 tthnbb.exe 42 PID 1296 wrote to memory of 1972 1296 tthnbb.exe 42 PID 1296 wrote to memory of 1972 1296 tthnbb.exe 42 PID 1972 wrote to memory of 1936 1972 7dvjv.exe 43 PID 1972 wrote to memory of 1936 1972 7dvjv.exe 43 PID 1972 wrote to memory of 1936 1972 7dvjv.exe 43 PID 1972 wrote to memory of 1936 1972 7dvjv.exe 43 PID 1936 wrote to memory of 1484 1936 btbnbh.exe 44 PID 1936 wrote to memory of 1484 1936 btbnbh.exe 44 PID 1936 wrote to memory of 1484 1936 btbnbh.exe 44 PID 1936 wrote to memory of 1484 1936 btbnbh.exe 44 PID 1484 wrote to memory of 864 1484 dddpj.exe 45 PID 1484 wrote to memory of 864 1484 dddpj.exe 45 PID 1484 wrote to memory of 864 1484 dddpj.exe 45 PID 1484 wrote to memory of 864 1484 dddpj.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\39a9b6041d82b6192936ba8440bb56192040c46cc52bdf76077fdf8cf007ef66.exe"C:\Users\Admin\AppData\Local\Temp\39a9b6041d82b6192936ba8440bb56192040c46cc52bdf76077fdf8cf007ef66.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2872 -
\??\c:\1tthnt.exec:\1tthnt.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3064 -
\??\c:\1jdpv.exec:\1jdpv.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2732 -
\??\c:\lfrxrrx.exec:\lfrxrrx.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2888 -
\??\c:\jddjd.exec:\jddjd.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2768 -
\??\c:\7flfrff.exec:\7flfrff.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2644 -
\??\c:\5frfrlf.exec:\5frfrlf.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2528 -
\??\c:\vppdv.exec:\vppdv.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2968 -
\??\c:\3xxflxl.exec:\3xxflxl.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1744 -
\??\c:\fffrrff.exec:\fffrrff.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2812 -
\??\c:\bbttnt.exec:\bbttnt.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2864 -
\??\c:\3vvjd.exec:\3vvjd.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2216 -
\??\c:\tthnbb.exec:\tthnbb.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1296 -
\??\c:\7dvjv.exec:\7dvjv.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1972 -
\??\c:\btbnbh.exec:\btbnbh.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1936 -
\??\c:\dddpj.exec:\dddpj.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1484 -
\??\c:\bhnthh.exec:\bhnthh.exe17⤵
- Executes dropped EXE
PID:864 -
\??\c:\jpjdv.exec:\jpjdv.exe18⤵
- Executes dropped EXE
PID:1516 -
\??\c:\xxlrrxx.exec:\xxlrrxx.exe19⤵
- Executes dropped EXE
PID:2908 -
\??\c:\bhhtth.exec:\bhhtth.exe20⤵
- Executes dropped EXE
PID:840 -
\??\c:\vjdvj.exec:\vjdvj.exe21⤵
- Executes dropped EXE
PID:2140 -
\??\c:\3htthn.exec:\3htthn.exe22⤵
- Executes dropped EXE
PID:1080 -
\??\c:\jjpvj.exec:\jjpvj.exe23⤵
- Executes dropped EXE
PID:2460 -
\??\c:\5hbhth.exec:\5hbhth.exe24⤵
- Executes dropped EXE
PID:1240 -
\??\c:\vvpdp.exec:\vvpdp.exe25⤵
- Executes dropped EXE
PID:2428 -
\??\c:\hhtnhn.exec:\hhtnhn.exe26⤵
- Executes dropped EXE
PID:1592 -
\??\c:\lxxlfrr.exec:\lxxlfrr.exe27⤵
- Executes dropped EXE
PID:956 -
\??\c:\ntbnhb.exec:\ntbnhb.exe28⤵
- Executes dropped EXE
PID:784 -
\??\c:\flrfxff.exec:\flrfxff.exe29⤵
- Executes dropped EXE
PID:2436 -
\??\c:\nbbbnh.exec:\nbbbnh.exe30⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2420 -
\??\c:\lrrfrff.exec:\lrrfrff.exe31⤵
- Executes dropped EXE
PID:1980 -
\??\c:\djjpd.exec:\djjpd.exe32⤵
- Executes dropped EXE
PID:1508 -
\??\c:\lfrxrlf.exec:\lfrxrlf.exe33⤵
- Executes dropped EXE
PID:1812 -
\??\c:\bhtnbn.exec:\bhtnbn.exe34⤵
- Executes dropped EXE
PID:2656 -
\??\c:\pvpdv.exec:\pvpdv.exe35⤵
- Executes dropped EXE
PID:2896 -
\??\c:\flrlflf.exec:\flrlflf.exe36⤵
- Executes dropped EXE
PID:1576 -
\??\c:\btntnt.exec:\btntnt.exe37⤵
- Executes dropped EXE
PID:2884 -
\??\c:\hhnbnb.exec:\hhnbnb.exe38⤵
- Executes dropped EXE
PID:1708 -
\??\c:\pdvpv.exec:\pdvpv.exe39⤵
- Executes dropped EXE
PID:2784 -
\??\c:\fffrlfx.exec:\fffrlfx.exe40⤵
- Executes dropped EXE
PID:2992 -
\??\c:\tbbbtb.exec:\tbbbtb.exe41⤵
- Executes dropped EXE
PID:2508 -
\??\c:\pdvvv.exec:\pdvvv.exe42⤵
- Executes dropped EXE
PID:2580 -
\??\c:\lflxrrl.exec:\lflxrrl.exe43⤵
- Executes dropped EXE
PID:3048 -
\??\c:\1hbnbh.exec:\1hbnbh.exe44⤵
- Executes dropped EXE
PID:1232 -
\??\c:\ttbnnb.exec:\ttbnnb.exe45⤵
- Executes dropped EXE
PID:2684 -
\??\c:\vdpvj.exec:\vdpvj.exe46⤵
- Executes dropped EXE
PID:2832 -
\??\c:\5llrrxr.exec:\5llrrxr.exe47⤵
- Executes dropped EXE
PID:2840 -
\??\c:\nhbnth.exec:\nhbnth.exe48⤵
- Executes dropped EXE
PID:1492 -
\??\c:\pdpvv.exec:\pdpvv.exe49⤵
- Executes dropped EXE
PID:1060 -
\??\c:\lllxrff.exec:\lllxrff.exe50⤵
- Executes dropped EXE
PID:2252 -
\??\c:\1frfxlf.exec:\1frfxlf.exe51⤵
- Executes dropped EXE
PID:2016 -
\??\c:\tbhthb.exec:\tbhthb.exe52⤵
- Executes dropped EXE
PID:1220 -
\??\c:\5jvjd.exec:\5jvjd.exe53⤵
- Executes dropped EXE
PID:596 -
\??\c:\lfflxfr.exec:\lfflxfr.exe54⤵
- Executes dropped EXE
PID:2188 -
\??\c:\hnhnnn.exec:\hnhnnn.exe55⤵
- Executes dropped EXE
PID:1484 -
\??\c:\5dddp.exec:\5dddp.exe56⤵
- Executes dropped EXE
PID:1800 -
\??\c:\5vjvj.exec:\5vjvj.exe57⤵
- Executes dropped EXE
PID:2848 -
\??\c:\1frxlfr.exec:\1frxlfr.exe58⤵
- Executes dropped EXE
PID:2232 -
\??\c:\htnbnb.exec:\htnbnb.exe59⤵
- Executes dropped EXE
PID:2272 -
\??\c:\pjjvp.exec:\pjjvp.exe60⤵
- Executes dropped EXE
PID:2900 -
\??\c:\flxxlrx.exec:\flxxlrx.exe61⤵
- Executes dropped EXE
PID:916 -
\??\c:\1hthhb.exec:\1hthhb.exe62⤵
- Executes dropped EXE
PID:616 -
\??\c:\9jppd.exec:\9jppd.exe63⤵
- Executes dropped EXE
PID:860 -
\??\c:\vjjvv.exec:\vjjvv.exe64⤵
- Executes dropped EXE
PID:2284 -
\??\c:\3xxxlxr.exec:\3xxxlxr.exe65⤵
- Executes dropped EXE
PID:1816 -
\??\c:\hhhtht.exec:\hhhtht.exe66⤵PID:2428
-
\??\c:\jvjjv.exec:\jvjjv.exe67⤵PID:1352
-
\??\c:\fxxxlrf.exec:\fxxxlrf.exe68⤵PID:908
-
\??\c:\bbbnhn.exec:\bbbnhn.exe69⤵PID:2288
-
\??\c:\vvvpd.exec:\vvvpd.exe70⤵PID:2416
-
\??\c:\vvpvv.exec:\vvpvv.exe71⤵PID:2340
-
\??\c:\llllxfr.exec:\llllxfr.exe72⤵PID:1760
-
\??\c:\hnntht.exec:\hnntht.exe73⤵PID:2408
-
\??\c:\jjjdj.exec:\jjjdj.exe74⤵PID:2076
-
\??\c:\7djpd.exec:\7djpd.exe75⤵PID:3040
-
\??\c:\lrrxlrf.exec:\lrrxlrf.exe76⤵PID:1812
-
\??\c:\hbtbnn.exec:\hbtbnn.exe77⤵PID:2660
-
\??\c:\pdppv.exec:\pdppv.exe78⤵PID:1604
-
\??\c:\3jvdj.exec:\3jvdj.exe79⤵PID:2364
-
\??\c:\rrflfrl.exec:\rrflfrl.exe80⤵PID:2796
-
\??\c:\3htbht.exec:\3htbht.exe81⤵PID:2536
-
\??\c:\hnnhbn.exec:\hnnhbn.exe82⤵PID:2776
-
\??\c:\pppdv.exec:\pppdv.exe83⤵PID:2572
-
\??\c:\5xrxfrl.exec:\5xrxfrl.exe84⤵PID:2056
-
\??\c:\1hnbtb.exec:\1hnbtb.exe85⤵PID:2388
-
\??\c:\hhhnth.exec:\hhhnth.exe86⤵PID:2496
-
\??\c:\vdjvd.exec:\vdjvd.exe87⤵PID:2040
-
\??\c:\ffxlfff.exec:\ffxlfff.exe88⤵PID:2808
-
\??\c:\ttnntn.exec:\ttnntn.exe89⤵PID:264
-
\??\c:\hhhntb.exec:\hhhntb.exe90⤵PID:2868
-
\??\c:\jddpj.exec:\jddpj.exe91⤵PID:1692
-
\??\c:\5lflxxf.exec:\5lflxxf.exe92⤵PID:2220
-
\??\c:\ttthbh.exec:\ttthbh.exe93⤵PID:1500
-
\??\c:\jdvpd.exec:\jdvpd.exe94⤵PID:1684
-
\??\c:\dvjvj.exec:\dvjvj.exe95⤵PID:676
-
\??\c:\rfllllr.exec:\rfllllr.exe96⤵PID:2332
-
\??\c:\ntthth.exec:\ntthth.exe97⤵PID:1764
-
\??\c:\jjpdv.exec:\jjpdv.exe98⤵PID:1944
-
\??\c:\jjjvp.exec:\jjjvp.exe99⤵PID:3028
-
\??\c:\lffrllr.exec:\lffrllr.exe100⤵PID:1828
-
\??\c:\7bbhbn.exec:\7bbhbn.exe101⤵PID:2080
-
\??\c:\ddvvd.exec:\ddvvd.exe102⤵PID:1784
-
\??\c:\rxxlfrr.exec:\rxxlfrr.exe103⤵PID:1624
-
\??\c:\xrxlrrf.exec:\xrxlrrf.exe104⤵PID:916
-
\??\c:\bhbnth.exec:\bhbnth.exe105⤵PID:464
-
\??\c:\vvjvp.exec:\vvjvp.exe106⤵PID:860
-
\??\c:\xxxrffx.exec:\xxxrffx.exe107⤵PID:1044
-
\??\c:\bhnbth.exec:\bhnbth.exe108⤵PID:2328
-
\??\c:\jjjvv.exec:\jjjvv.exe109⤵PID:2428
-
\??\c:\rxrxllx.exec:\rxrxllx.exe110⤵PID:956
-
\??\c:\1bbnbt.exec:\1bbnbt.exe111⤵PID:908
-
\??\c:\xfxflrf.exec:\xfxflrf.exe112⤵PID:2288
-
\??\c:\xffrfrf.exec:\xffrfrf.exe113⤵PID:1372
-
\??\c:\hhntnb.exec:\hhntnb.exe114⤵PID:1648
-
\??\c:\9dpdd.exec:\9dpdd.exe115⤵PID:2420
-
\??\c:\7pppd.exec:\7pppd.exe116⤵PID:2172
-
\??\c:\rrrxxfr.exec:\rrrxxfr.exe117⤵PID:2192
-
\??\c:\nnntbn.exec:\nnntbn.exe118⤵PID:3040
-
\??\c:\ddvjv.exec:\ddvjv.exe119⤵PID:2704
-
\??\c:\vddpj.exec:\vddpj.exe120⤵PID:2348
-
\??\c:\lflxlff.exec:\lflxlff.exe121⤵PID:2516
-
\??\c:\ttnhnb.exec:\ttnhnb.exe122⤵PID:2712