Analysis
-
max time kernel
150s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
27/01/2025, 15:11
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
c403e61c9e7853f6ce479d095e3091a7b86c518eee1fe851bba053421142b97e.exe
Resource
win7-20240903-en
7 signatures
150 seconds
General
-
Target
c403e61c9e7853f6ce479d095e3091a7b86c518eee1fe851bba053421142b97e.exe
-
Size
456KB
-
MD5
6ddf887a55590e37b0a0b09645946bdf
-
SHA1
62878f3f0bedda9ad0e37e3d2598e0bac40e9c62
-
SHA256
c403e61c9e7853f6ce479d095e3091a7b86c518eee1fe851bba053421142b97e
-
SHA512
2d391a388188e673991c43e3a7e196fb0389178cb555a2daba1c11a6856c4241b2c7a9e2759385ab3da1fc8c5a044a9889e1ee8295c746151a2cd230379b899e
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeF:q7Tc2NYHUrAwfMp3CDF
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 40 IoCs
resource yara_rule behavioral1/memory/2676-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2120-20-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1232-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2392-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2992-40-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2788-55-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2272-74-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/980-84-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2224-93-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2108-102-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2932-115-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2840-113-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3020-124-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2832-133-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1980-142-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2320-160-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2408-169-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2176-178-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2176-184-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2420-203-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/760-212-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2020-255-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1436-264-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1956-274-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2504-283-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2468-286-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2776-308-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1608-359-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1788-388-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/468-403-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2452-434-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/324-441-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2060-467-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/988-468-0x0000000000430000-0x000000000045A000-memory.dmp family_blackmoon behavioral1/memory/1496-574-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2856-709-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/324-730-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2116-842-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2840-966-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/3048-981-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1232 pjdpp.exe 2120 dvpvj.exe 2392 lrxfxlr.exe 2992 nhhhbb.exe 2788 7lxflfl.exe 2640 9htthn.exe 2272 pjppp.exe 980 vvvvv.exe 2224 ddddv.exe 2108 dddpd.exe 2840 jjdjd.exe 2932 7fxfrxl.exe 3020 jjdjv.exe 2832 3xrlfrl.exe 1980 vvvjp.exe 2656 jdvvv.exe 2320 hbnbht.exe 2408 1jdjv.exe 2176 thntnb.exe 2064 jppdj.exe 2420 bthtbb.exe 760 9fflflx.exe 1848 lflllrf.exe 1356 rffrxlf.exe 2980 nnnbnt.exe 1100 vvpjp.exe 2020 rrrrfrl.exe 1436 3bbhth.exe 1956 5lflflr.exe 2504 ppjvd.exe 2468 ffffxlr.exe 2496 flflllf.exe 2776 1fxxxfx.exe 1596 nnnbnt.exe 1232 ppppp.exe 2072 vvppd.exe 2900 fxrxlrl.exe 2608 bthtbn.exe 2568 jdpvd.exe 2588 djpjv.exe 1608 rlxxxrf.exe 2484 5bthnt.exe 2912 tbhbbt.exe 980 jjdjp.exe 1788 xxlxxxl.exe 1368 nnntbh.exe 468 thttth.exe 2940 jddpv.exe 2756 lfrlxxl.exe 2856 bttbnt.exe 3028 nthnnt.exe 2452 vvpdj.exe 324 rfxflrf.exe 988 tnbnnb.exe 1800 5nhnhn.exe 568 dvdpv.exe 2060 9fxrrxr.exe 1508 xffrlrx.exe 624 ntthth.exe 2064 dvpvj.exe 680 fxxflrf.exe 632 1frrffr.exe 1664 hhhhtb.exe 1848 djdvd.exe -
resource yara_rule behavioral1/memory/2676-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2120-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1232-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2392-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2992-40-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2788-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2640-57-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/980-75-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2272-74-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/980-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2108-94-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2224-93-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2840-105-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2108-102-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2932-115-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2840-113-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3020-124-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2832-133-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1980-142-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1980-149-0x00000000003B0000-0x00000000003DA000-memory.dmp upx behavioral1/memory/2320-160-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2408-169-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2176-178-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2420-203-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/760-212-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2020-246-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1436-256-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2020-255-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1956-266-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1956-274-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2504-283-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2468-286-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2496-294-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2776-308-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1608-359-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/980-374-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/468-403-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2452-434-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/324-441-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2060-467-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/632-496-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3068-547-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1496-574-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2428-665-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2952-678-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2856-709-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1388-792-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1040-856-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2772-866-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2616-903-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1108-928-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1280-941-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3048-981-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2452-992-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2160-1067-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djdjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rllrxxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhnthh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxxxffl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9lfxfff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvdpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1btnbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5pjdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhhbnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlffrlr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbtthh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xfrrflr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrxfrlx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxffxrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2676 wrote to memory of 1232 2676 c403e61c9e7853f6ce479d095e3091a7b86c518eee1fe851bba053421142b97e.exe 31 PID 2676 wrote to memory of 1232 2676 c403e61c9e7853f6ce479d095e3091a7b86c518eee1fe851bba053421142b97e.exe 31 PID 2676 wrote to memory of 1232 2676 c403e61c9e7853f6ce479d095e3091a7b86c518eee1fe851bba053421142b97e.exe 31 PID 2676 wrote to memory of 1232 2676 c403e61c9e7853f6ce479d095e3091a7b86c518eee1fe851bba053421142b97e.exe 31 PID 1232 wrote to memory of 2120 1232 pjdpp.exe 32 PID 1232 wrote to memory of 2120 1232 pjdpp.exe 32 PID 1232 wrote to memory of 2120 1232 pjdpp.exe 32 PID 1232 wrote to memory of 2120 1232 pjdpp.exe 32 PID 2120 wrote to memory of 2392 2120 dvpvj.exe 33 PID 2120 wrote to memory of 2392 2120 dvpvj.exe 33 PID 2120 wrote to memory of 2392 2120 dvpvj.exe 33 PID 2120 wrote to memory of 2392 2120 dvpvj.exe 33 PID 2392 wrote to memory of 2992 2392 lrxfxlr.exe 34 PID 2392 wrote to memory of 2992 2392 lrxfxlr.exe 34 PID 2392 wrote to memory of 2992 2392 lrxfxlr.exe 34 PID 2392 wrote to memory of 2992 2392 lrxfxlr.exe 34 PID 2992 wrote to memory of 2788 2992 nhhhbb.exe 35 PID 2992 wrote to memory of 2788 2992 nhhhbb.exe 35 PID 2992 wrote to memory of 2788 2992 nhhhbb.exe 35 PID 2992 wrote to memory of 2788 2992 nhhhbb.exe 35 PID 2788 wrote to memory of 2640 2788 7lxflfl.exe 36 PID 2788 wrote to memory of 2640 2788 7lxflfl.exe 36 PID 2788 wrote to memory of 2640 2788 7lxflfl.exe 36 PID 2788 wrote to memory of 2640 2788 7lxflfl.exe 36 PID 2640 wrote to memory of 2272 2640 9htthn.exe 37 PID 2640 wrote to memory of 2272 2640 9htthn.exe 37 PID 2640 wrote to memory of 2272 2640 9htthn.exe 37 PID 2640 wrote to memory of 2272 2640 9htthn.exe 37 PID 2272 wrote to memory of 980 2272 pjppp.exe 38 PID 2272 wrote to memory of 980 2272 pjppp.exe 38 PID 2272 wrote to memory of 980 2272 pjppp.exe 38 PID 2272 wrote to memory of 980 2272 pjppp.exe 38 PID 980 wrote to memory of 2224 980 vvvvv.exe 39 PID 980 wrote to memory 
of 2224 980 vvvvv.exe 39 PID 980 wrote to memory of 2224 980 vvvvv.exe 39 PID 980 wrote to memory of 2224 980 vvvvv.exe 39 PID 2224 wrote to memory of 2108 2224 ddddv.exe 40 PID 2224 wrote to memory of 2108 2224 ddddv.exe 40 PID 2224 wrote to memory of 2108 2224 ddddv.exe 40 PID 2224 wrote to memory of 2108 2224 ddddv.exe 40 PID 2108 wrote to memory of 2840 2108 dddpd.exe 41 PID 2108 wrote to memory of 2840 2108 dddpd.exe 41 PID 2108 wrote to memory of 2840 2108 dddpd.exe 41 PID 2108 wrote to memory of 2840 2108 dddpd.exe 41 PID 2840 wrote to memory of 2932 2840 jjdjd.exe 42 PID 2840 wrote to memory of 2932 2840 jjdjd.exe 42 PID 2840 wrote to memory of 2932 2840 jjdjd.exe 42 PID 2840 wrote to memory of 2932 2840 jjdjd.exe 42 PID 2932 wrote to memory of 3020 2932 7fxfrxl.exe 43 PID 2932 wrote to memory of 3020 2932 7fxfrxl.exe 43 PID 2932 wrote to memory of 3020 2932 7fxfrxl.exe 43 PID 2932 wrote to memory of 3020 2932 7fxfrxl.exe 43 PID 3020 wrote to memory of 2832 3020 jjdjv.exe 44 PID 3020 wrote to memory of 2832 3020 jjdjv.exe 44 PID 3020 wrote to memory of 2832 3020 jjdjv.exe 44 PID 3020 wrote to memory of 2832 3020 jjdjv.exe 44 PID 2832 wrote to memory of 1980 2832 3xrlfrl.exe 45 PID 2832 wrote to memory of 1980 2832 3xrlfrl.exe 45 PID 2832 wrote to memory of 1980 2832 3xrlfrl.exe 45 PID 2832 wrote to memory of 1980 2832 3xrlfrl.exe 45 PID 1980 wrote to memory of 2656 1980 vvvjp.exe 46 PID 1980 wrote to memory of 2656 1980 vvvjp.exe 46 PID 1980 wrote to memory of 2656 1980 vvvjp.exe 46 PID 1980 wrote to memory of 2656 1980 vvvjp.exe 46
Processes
-
C:\Users\Admin\AppData\Local\Temp\c403e61c9e7853f6ce479d095e3091a7b86c518eee1fe851bba053421142b97e.exe"C:\Users\Admin\AppData\Local\Temp\c403e61c9e7853f6ce479d095e3091a7b86c518eee1fe851bba053421142b97e.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2676 -
\??\c:\pjdpp.exec:\pjdpp.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1232 -
\??\c:\dvpvj.exec:\dvpvj.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2120 -
\??\c:\lrxfxlr.exec:\lrxfxlr.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2392 -
\??\c:\nhhhbb.exec:\nhhhbb.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2992 -
\??\c:\7lxflfl.exec:\7lxflfl.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2788 -
\??\c:\9htthn.exec:\9htthn.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2640 -
\??\c:\pjppp.exec:\pjppp.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2272 -
\??\c:\vvvvv.exec:\vvvvv.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:980 -
\??\c:\ddddv.exec:\ddddv.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2224 -
\??\c:\dddpd.exec:\dddpd.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2108 -
\??\c:\jjdjd.exec:\jjdjd.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2840 -
\??\c:\7fxfrxl.exec:\7fxfrxl.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2932 -
\??\c:\jjdjv.exec:\jjdjv.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3020 -
\??\c:\3xrlfrl.exec:\3xrlfrl.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2832 -
\??\c:\vvvjp.exec:\vvvjp.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1980 -
\??\c:\jdvvv.exec:\jdvvv.exe17⤵
- Executes dropped EXE
PID:2656 -
\??\c:\hbnbht.exec:\hbnbht.exe18⤵
- Executes dropped EXE
PID:2320 -
\??\c:\1jdjv.exec:\1jdjv.exe19⤵
- Executes dropped EXE
PID:2408 -
\??\c:\thntnb.exec:\thntnb.exe20⤵
- Executes dropped EXE
PID:2176 -
\??\c:\jppdj.exec:\jppdj.exe21⤵
- Executes dropped EXE
PID:2064 -
\??\c:\bthtbb.exec:\bthtbb.exe22⤵
- Executes dropped EXE
PID:2420 -
\??\c:\9fflflx.exec:\9fflflx.exe23⤵
- Executes dropped EXE
PID:760 -
\??\c:\lflllrf.exec:\lflllrf.exe24⤵
- Executes dropped EXE
PID:1848 -
\??\c:\rffrxlf.exec:\rffrxlf.exe25⤵
- Executes dropped EXE
PID:1356 -
\??\c:\nnnbnt.exec:\nnnbnt.exe26⤵
- Executes dropped EXE
PID:2980 -
\??\c:\vvpjp.exec:\vvpjp.exe27⤵
- Executes dropped EXE
PID:1100 -
\??\c:\rrrrfrl.exec:\rrrrfrl.exe28⤵
- Executes dropped EXE
PID:2020 -
\??\c:\3bbhth.exec:\3bbhth.exe29⤵
- Executes dropped EXE
PID:1436 -
\??\c:\5lflflr.exec:\5lflflr.exe30⤵
- Executes dropped EXE
PID:1956 -
\??\c:\ppjvd.exec:\ppjvd.exe31⤵
- Executes dropped EXE
PID:2504 -
\??\c:\ffffxlr.exec:\ffffxlr.exe32⤵
- Executes dropped EXE
PID:2468 -
\??\c:\flflllf.exec:\flflllf.exe33⤵
- Executes dropped EXE
PID:2496 -
\??\c:\1fxxxfx.exec:\1fxxxfx.exe34⤵
- Executes dropped EXE
PID:2776 -
\??\c:\nnnbnt.exec:\nnnbnt.exe35⤵
- Executes dropped EXE
PID:1596 -
\??\c:\ppppp.exec:\ppppp.exe36⤵
- Executes dropped EXE
PID:1232 -
\??\c:\vvppd.exec:\vvppd.exe37⤵
- Executes dropped EXE
PID:2072 -
\??\c:\fxrxlrl.exec:\fxrxlrl.exe38⤵
- Executes dropped EXE
PID:2900 -
\??\c:\bthtbn.exec:\bthtbn.exe39⤵
- Executes dropped EXE
PID:2608 -
\??\c:\jdpvd.exec:\jdpvd.exe40⤵
- Executes dropped EXE
PID:2568 -
\??\c:\djpjv.exec:\djpjv.exe41⤵
- Executes dropped EXE
PID:2588 -
\??\c:\rlxxxrf.exec:\rlxxxrf.exe42⤵
- Executes dropped EXE
PID:1608 -
\??\c:\5bthnt.exec:\5bthnt.exe43⤵
- Executes dropped EXE
PID:2484 -
\??\c:\tbhbbt.exec:\tbhbbt.exe44⤵
- Executes dropped EXE
PID:2912 -
\??\c:\jjdjp.exec:\jjdjp.exe45⤵
- Executes dropped EXE
PID:980 -
\??\c:\xxlxxxl.exec:\xxlxxxl.exe46⤵
- Executes dropped EXE
PID:1788 -
\??\c:\nnntbh.exec:\nnntbh.exe47⤵
- Executes dropped EXE
PID:1368 -
\??\c:\thttth.exec:\thttth.exe48⤵
- Executes dropped EXE
PID:468 -
\??\c:\jddpv.exec:\jddpv.exe49⤵
- Executes dropped EXE
PID:2940 -
\??\c:\lfrlxxl.exec:\lfrlxxl.exe50⤵
- Executes dropped EXE
PID:2756 -
\??\c:\bttbnt.exec:\bttbnt.exe51⤵
- Executes dropped EXE
PID:2856 -
\??\c:\nthnnt.exec:\nthnnt.exe52⤵
- Executes dropped EXE
PID:3028 -
\??\c:\vvpdj.exec:\vvpdj.exe53⤵
- Executes dropped EXE
PID:2452 -
\??\c:\rfxflrf.exec:\rfxflrf.exe54⤵
- Executes dropped EXE
PID:324 -
\??\c:\tnbnnb.exec:\tnbnnb.exe55⤵
- Executes dropped EXE
PID:988 -
\??\c:\5nhnhn.exec:\5nhnhn.exe56⤵
- Executes dropped EXE
PID:1800 -
\??\c:\dvdpv.exec:\dvdpv.exe57⤵
- Executes dropped EXE
PID:568 -
\??\c:\9fxrrxr.exec:\9fxrrxr.exe58⤵
- Executes dropped EXE
PID:2060 -
\??\c:\xffrlrx.exec:\xffrlrx.exe59⤵
- Executes dropped EXE
PID:1508 -
\??\c:\ntthth.exec:\ntthth.exe60⤵
- Executes dropped EXE
PID:624 -
\??\c:\dvpvj.exec:\dvpvj.exe61⤵
- Executes dropped EXE
PID:2064 -
\??\c:\fxxflrf.exec:\fxxflrf.exe62⤵
- Executes dropped EXE
PID:680 -
\??\c:\1frrffr.exec:\1frrffr.exe63⤵
- Executes dropped EXE
PID:632 -
\??\c:\hhhhtb.exec:\hhhhtb.exe64⤵
- Executes dropped EXE
PID:1664 -
\??\c:\djdvd.exec:\djdvd.exe65⤵
- Executes dropped EXE
PID:1848 -
\??\c:\vvjdd.exec:\vvjdd.exe66⤵PID:1356
-
\??\c:\fxlrxxr.exec:\fxlrxxr.exe67⤵PID:1720
-
\??\c:\bnbtnn.exec:\bnbtnn.exe68⤵PID:1100
-
\??\c:\9dvdp.exec:\9dvdp.exe69⤵PID:1744
-
\??\c:\jjjjd.exec:\jjjjd.exe70⤵PID:2648
-
\??\c:\ffxrxrf.exec:\ffxrxrf.exe71⤵PID:3068
-
\??\c:\hbntbn.exec:\hbntbn.exe72⤵PID:1516
-
\??\c:\bhhthh.exec:\bhhthh.exe73⤵PID:1880
-
\??\c:\vvpvd.exec:\vvpvd.exe74⤵PID:880
-
\??\c:\ffxxffl.exec:\ffxxffl.exe75⤵PID:1496
-
\??\c:\7flxflf.exec:\7flxflf.exe76⤵PID:2488
-
\??\c:\tthtbh.exec:\tthtbh.exe77⤵PID:2800
-
\??\c:\jjpvd.exec:\jjpvd.exe78⤵PID:2864
-
\??\c:\fxlrfrl.exec:\fxlrfrl.exe79⤵PID:2792
-
\??\c:\5rffflr.exec:\5rffflr.exe80⤵PID:2888
-
\??\c:\tthtbb.exec:\tthtbb.exe81⤵PID:2480
-
\??\c:\1jvvj.exec:\1jvvj.exe82⤵PID:2732
-
\??\c:\ffxlxrf.exec:\ffxlxrf.exe83⤵PID:2844
-
\??\c:\lflfrrx.exec:\lflfrrx.exe84⤵PID:2788
-
\??\c:\nnbnbh.exec:\nnbnbh.exe85⤵PID:2620
-
\??\c:\3nbnnt.exec:\3nbnnt.exe86⤵PID:1576
-
\??\c:\jdddv.exec:\jdddv.exe87⤵PID:2920
-
\??\c:\rrlfrrx.exec:\rrlfrrx.exe88⤵PID:2324
-
\??\c:\1fxrfxf.exec:\1fxrfxf.exe89⤵PID:2428
-
\??\c:\nnhnbb.exec:\nnhnbb.exe90⤵PID:1776
-
\??\c:\dvddv.exec:\dvddv.exe91⤵PID:2952
-
\??\c:\jdvvj.exec:\jdvvj.exe92⤵PID:2960
-
\??\c:\lfflxxl.exec:\lfflxxl.exe93⤵PID:1096
-
\??\c:\rlxlxfr.exec:\rlxlxfr.exe94⤵PID:2820
-
\??\c:\bnbtnh.exec:\bnbtnh.exe95⤵PID:2856
-
\??\c:\pjdvd.exec:\pjdvd.exe96⤵PID:3020
-
\??\c:\rlxrxxx.exec:\rlxrxxx.exe97⤵PID:2860
-
\??\c:\xxflxxr.exec:\xxflxxr.exe98⤵PID:324
-
\??\c:\hhhthn.exec:\hhhthn.exe99⤵PID:988
-
\??\c:\3jvdp.exec:\3jvdp.exe100⤵PID:1800
-
\??\c:\jjdpj.exec:\jjdpj.exe101⤵PID:2408
-
\??\c:\lflrfff.exec:\lflrfff.exe102⤵PID:2060
-
\??\c:\1bhnnn.exec:\1bhnnn.exe103⤵PID:2164
-
\??\c:\vvpjj.exec:\vvpjj.exe104⤵PID:2380
-
\??\c:\5ppdp.exec:\5ppdp.exe105⤵PID:2432
-
\??\c:\1frxxfx.exec:\1frxxfx.exe106⤵PID:1612
-
\??\c:\bbbhtb.exec:\bbbhtb.exe107⤵PID:1032
-
\??\c:\tthhtb.exec:\tthhtb.exe108⤵PID:784
-
\??\c:\jdjpv.exec:\jdjpv.exe109⤵PID:1388
-
\??\c:\1lrfrfr.exec:\1lrfrfr.exe110⤵PID:1736
-
\??\c:\tnhnbh.exec:\tnhnbh.exe111⤵PID:1780
-
\??\c:\1nbbbb.exec:\1nbbbb.exe112⤵PID:1028
-
\??\c:\jdpvd.exec:\jdpvd.exe113⤵PID:1528
-
\??\c:\lfrrxlr.exec:\lfrrxlr.exe114⤵PID:1372
-
\??\c:\rxrfffr.exec:\rxrfffr.exe115⤵PID:684
-
\??\c:\hthbhb.exec:\hthbhb.exe116⤵PID:2116
-
\??\c:\vpvvj.exec:\vpvvj.exe117⤵PID:1516
-
\??\c:\dvdjd.exec:\dvdjd.exe118⤵PID:1804
-
\??\c:\lfffrxl.exec:\lfffrxl.exe119⤵PID:1040
-
\??\c:\5nnnhb.exec:\5nnnhb.exe120⤵PID:2084
-
\??\c:\jjjdj.exec:\jjjdj.exe121⤵PID:2772
-
\??\c:\pdppp.exec:\pdppp.exe122⤵PID:2716