Analysis
-
max time kernel
150s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64 arch:x86 image:win7-20240708-en locale:en-us os:windows7-x64 system -
submitted
23-07-2024 20:14
Behavioral task
behavioral1
Sample
2f34bf410c832b7e6edd1e20a26bb22ecfbc1ff7b3d81a736eb086b3232cf6ab.exe
Resource
win7-20240708-en
windows7-x64
6 signatures
150 seconds
General
-
Target
2f34bf410c832b7e6edd1e20a26bb22ecfbc1ff7b3d81a736eb086b3232cf6ab.exe
-
Size
119KB
-
MD5
dac5536ad06f6bc26aa4073d1a40881f
-
SHA1
5fc0bae656e3f22f6eaa596fc2d7baabddd40ee3
-
SHA256
2f34bf410c832b7e6edd1e20a26bb22ecfbc1ff7b3d81a736eb086b3232cf6ab
-
SHA512
e66e31b2d188e7bd1530b98dc41e6cc91641b2bc7d7f02b8f185a9cefa2f4d19d81e326776da67236e99d782be2e538bfe8d6fadd2bc4a79fde4faaa5561fcc7
-
SSDEEP
3072:khOmTsF93UYfwC6GIoutpYcvrqrE66kropO6BWlPFH48h:kcm4FmowdHoSphraHcpOFltH42
Malware Config
Signatures
-
Detect Blackmoon payload 44 IoCs
resource yara_rule behavioral1/memory/2128-7-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2700-22-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2676-19-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2700-24-0x00000000002B0000-0x00000000002D7000-memory.dmp family_blackmoon behavioral1/memory/2784-32-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2580-41-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/580-56-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2564-62-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2564-68-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2344-80-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2580-88-0x0000000000230000-0x0000000000257000-memory.dmp family_blackmoon behavioral1/memory/2900-97-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2240-108-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/752-117-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1932-133-0x00000000003C0000-0x00000000003E7000-memory.dmp family_blackmoon behavioral1/memory/2064-138-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1932-136-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/352-154-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2972-175-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2368-189-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1096-206-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral1/memory/1088-223-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2496-231-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2520-243-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2216-240-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1644-267-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2464-258-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2716-327-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2320-348-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1256-423-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2168-449-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2100-467-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2500-488-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2480-526-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2504-552-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2952-565-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2932-579-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2684-593-0x00000000001B0000-0x00000000001D7000-memory.dmp family_blackmoon behavioral1/memory/2920-632-0x0000000000250000-0x0000000000277000-memory.dmp family_blackmoon behavioral1/memory/3024-641-0x00000000003C0000-0x00000000003E7000-memory.dmp family_blackmoon behavioral1/memory/3024-642-0x00000000003C0000-0x00000000003E7000-memory.dmp family_blackmoon behavioral1/memory/2464-787-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral1/memory/3052-864-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1260-933-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2676 pvvpv.exe 2700 frrrllx.exe 2784 ntntbb.exe 2580 dpvvv.exe 580 xxrfrfr.exe 2564 htbthh.exe 2596 vvvpd.exe 2344 9ntnhb.exe 2900 9hnbtn.exe 2240 rllxxlf.exe 752 hhbttt.exe 1744 frrxllr.exe 1932 rrrfxxr.exe 2064 nnnhnt.exe 352 pjdjd.exe 1908 ntbbhn.exe 2888 bthntt.exe 2972 djddd.exe 2368 xxlrlxx.exe 1748 tbbtnn.exe 1096 jpjjv.exe 1640 rxfxfxf.exe 1088 xfxfxxl.exe 2496 bnnnbt.exe 2216 3pjvj.exe 2520 pvvvp.exe 2464 7fxflxr.exe 1644 ththbh.exe 1628 pjdjd.exe 2504 nnbnhb.exe 2748 vvvvj.exe 2652 lxfxlff.exe 2704 rrxlfrl.exe 2964 tbbhtn.exe 2724 dddjd.exe 2716 fffxlrf.exe 2436 3flllfx.exe 2556 1tttht.exe 2320 pvjjd.exe 3044 lfllxlf.exe 1340 3lrrrrr.exe 2912 5nnhnb.exe 2584 5jvvp.exe 2936 xrlrflr.exe 992 frxrllr.exe 2132 5thnbn.exe 2432 9tnbnh.exe 2000 jpddd.exe 2836 rxrrrfl.exe 2064 xfflrlr.exe 1256 ttntbh.exe 812 pjjpd.exe 828 rllrrxl.exe 1820 5xxlfrf.exe 2244 btnbht.exe 2168 3tthtn.exe 2156 jjppd.exe 2100 ffxrfrl.exe 2020 rxxfxxf.exe 836 bthhbh.exe 2500 jjdpj.exe 872 ffxrfll.exe 912 9ntnth.exe 960 5ppdp.exe -
resource yara_rule behavioral1/memory/2128-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2676-10-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000c00000001227f-9.dat upx behavioral1/files/0x00080000000162d1-17.dat upx behavioral1/memory/2128-7-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2700-22-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2676-19-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000700000001638b-29.dat upx behavioral1/memory/2784-32-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2580-41-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00070000000164b0-40.dat upx behavioral1/memory/2784-38-0x0000000000220000-0x0000000000247000-memory.dmp upx behavioral1/files/0x0007000000016618-48.dat upx behavioral1/memory/580-56-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000700000001667f-59.dat upx behavioral1/memory/2564-58-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0009000000016b6b-66.dat upx behavioral1/memory/2564-68-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2596-75-0x0000000000220000-0x0000000000247000-memory.dmp upx behavioral1/files/0x0007000000016d82-79.dat upx behavioral1/memory/2344-80-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0006000000016d96-87.dat upx behavioral1/memory/2900-89-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0006000000016db1-99.dat upx behavioral1/memory/2900-97-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2240-108-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0006000000016dbf-107.dat upx behavioral1/files/0x0006000000016dc8-119.dat upx behavioral1/memory/1744-118-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral1/memory/752-117-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0006000000016dd3-125.dat upx behavioral1/files/0x0006000000016dda-137.dat upx behavioral1/memory/2064-138-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/1932-136-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0006000000016ddf-145.dat upx behavioral1/files/0x00060000000170f2-151.dat upx behavioral1/memory/352-154-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0006000000017131-162.dat upx behavioral1/files/0x0006000000017292-172.dat upx behavioral1/memory/2972-175-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00060000000175d2-179.dat upx behavioral1/files/0x00060000000175e4-186.dat upx behavioral1/memory/2368-189-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0005000000018716-197.dat upx behavioral1/files/0x0005000000018718-207.dat upx behavioral1/memory/1096-206-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000f000000015f16-213.dat upx behavioral1/memory/1088-223-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0005000000018728-221.dat upx behavioral1/files/0x0006000000018b7d-232.dat upx behavioral1/memory/2496-231-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2520-243-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0006000000018ba5-242.dat upx behavioral1/files/0x0006000000018bb8-250.dat upx behavioral1/memory/2216-240-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0006000000018bbc-260.dat upx behavioral1/files/0x0006000000016ddf-268.dat upx behavioral1/memory/1644-267-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2464-258-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0006000000018bc1-275.dat upx 
behavioral1/memory/2504-277-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0006000000018bc7-285.dat upx behavioral1/files/0x0006000000018be0-293.dat upx behavioral1/memory/2964-307-0x0000000000400000-0x0000000000427000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5httbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnbtbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbhnbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlfflrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjdpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llfrrff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxrrrxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1hhtnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5rrrrxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xffxrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlffrfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not 
Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3pjvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvddp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjjpd.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2128 wrote to memory of 2676 2128 2f34bf410c832b7e6edd1e20a26bb22ecfbc1ff7b3d81a736eb086b3232cf6ab.exe 30 PID 2128 wrote to memory of 2676 2128 2f34bf410c832b7e6edd1e20a26bb22ecfbc1ff7b3d81a736eb086b3232cf6ab.exe 30 PID 2128 wrote to memory of 2676 2128 2f34bf410c832b7e6edd1e20a26bb22ecfbc1ff7b3d81a736eb086b3232cf6ab.exe 30 PID 2128 wrote to memory of 2676 2128 2f34bf410c832b7e6edd1e20a26bb22ecfbc1ff7b3d81a736eb086b3232cf6ab.exe 30 PID 2676 wrote to memory of 2700 2676 pvvpv.exe 31 PID 2676 wrote to memory of 2700 2676 pvvpv.exe 31 PID 2676 wrote to memory of 2700 2676 pvvpv.exe 31 PID 2676 wrote to memory of 2700 2676 pvvpv.exe 31 PID 2700 wrote to memory of 2784 2700 frrrllx.exe 32 PID 2700 wrote to memory of 2784 2700 frrrllx.exe 32 PID 2700 wrote to memory of 2784 2700 frrrllx.exe 32 PID 2700 wrote to memory of 2784 2700 frrrllx.exe 32 PID 2784 wrote to memory of 2580 2784 ntntbb.exe 33 PID 2784 wrote to memory of 2580 2784 ntntbb.exe 33 PID 2784 wrote to memory of 2580 2784 ntntbb.exe 33 PID 2784 wrote to memory of 2580 2784 ntntbb.exe 33 PID 2580 wrote to memory of 580 2580 dpvvv.exe 34 PID 2580 wrote to memory of 580 2580 dpvvv.exe 34 PID 2580 wrote to memory of 580 2580 dpvvv.exe 34 PID 2580 wrote to memory of 580 2580 dpvvv.exe 34 PID 580 wrote to memory of 2564 580 xxrfrfr.exe 35 PID 580 wrote to memory of 2564 580 xxrfrfr.exe 35 PID 580 wrote to memory of 2564 580 xxrfrfr.exe 35 PID 580 wrote to memory of 2564 580 xxrfrfr.exe 35 PID 2564 wrote to memory of 2596 2564 htbthh.exe 36 PID 2564 wrote to memory of 2596 2564 htbthh.exe 36 PID 2564 wrote to memory of 2596 2564 htbthh.exe 36 PID 2564 wrote to memory of 2596 2564 htbthh.exe 36 PID 2596 wrote to memory of 2344 2596 vvvpd.exe 37 PID 2596 wrote to memory of 2344 2596 vvvpd.exe 37 PID 2596 wrote to memory of 2344 2596 vvvpd.exe 37 PID 2596 wrote to memory of 2344 2596 vvvpd.exe 37 PID 2344 wrote to memory of 2900 2344 9ntnhb.exe 38 PID 2344 wrote to memory of 
2900 2344 9ntnhb.exe 38 PID 2344 wrote to memory of 2900 2344 9ntnhb.exe 38 PID 2344 wrote to memory of 2900 2344 9ntnhb.exe 38 PID 2900 wrote to memory of 2240 2900 9hnbtn.exe 39 PID 2900 wrote to memory of 2240 2900 9hnbtn.exe 39 PID 2900 wrote to memory of 2240 2900 9hnbtn.exe 39 PID 2900 wrote to memory of 2240 2900 9hnbtn.exe 39 PID 2240 wrote to memory of 752 2240 rllxxlf.exe 40 PID 2240 wrote to memory of 752 2240 rllxxlf.exe 40 PID 2240 wrote to memory of 752 2240 rllxxlf.exe 40 PID 2240 wrote to memory of 752 2240 rllxxlf.exe 40 PID 752 wrote to memory of 1744 752 hhbttt.exe 41 PID 752 wrote to memory of 1744 752 hhbttt.exe 41 PID 752 wrote to memory of 1744 752 hhbttt.exe 41 PID 752 wrote to memory of 1744 752 hhbttt.exe 41 PID 1744 wrote to memory of 1932 1744 frrxllr.exe 42 PID 1744 wrote to memory of 1932 1744 frrxllr.exe 42 PID 1744 wrote to memory of 1932 1744 frrxllr.exe 42 PID 1744 wrote to memory of 1932 1744 frrxllr.exe 42 PID 1932 wrote to memory of 2064 1932 rrrfxxr.exe 43 PID 1932 wrote to memory of 2064 1932 rrrfxxr.exe 43 PID 1932 wrote to memory of 2064 1932 rrrfxxr.exe 43 PID 1932 wrote to memory of 2064 1932 rrrfxxr.exe 43 PID 2064 wrote to memory of 352 2064 nnnhnt.exe 44 PID 2064 wrote to memory of 352 2064 nnnhnt.exe 44 PID 2064 wrote to memory of 352 2064 nnnhnt.exe 44 PID 2064 wrote to memory of 352 2064 nnnhnt.exe 44 PID 352 wrote to memory of 1908 352 pjdjd.exe 45 PID 352 wrote to memory of 1908 352 pjdjd.exe 45 PID 352 wrote to memory of 1908 352 pjdjd.exe 45 PID 352 wrote to memory of 1908 352 pjdjd.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\2f34bf410c832b7e6edd1e20a26bb22ecfbc1ff7b3d81a736eb086b3232cf6ab.exe"C:\Users\Admin\AppData\Local\Temp\2f34bf410c832b7e6edd1e20a26bb22ecfbc1ff7b3d81a736eb086b3232cf6ab.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2128 -
\??\c:\pvvpv.exec:\pvvpv.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2676 -
\??\c:\frrrllx.exec:\frrrllx.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2700 -
\??\c:\ntntbb.exec:\ntntbb.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2784 -
\??\c:\dpvvv.exec:\dpvvv.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2580 -
\??\c:\xxrfrfr.exec:\xxrfrfr.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:580 -
\??\c:\htbthh.exec:\htbthh.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2564 -
\??\c:\vvvpd.exec:\vvvpd.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2596 -
\??\c:\9ntnhb.exec:\9ntnhb.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2344 -
\??\c:\9hnbtn.exec:\9hnbtn.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2900 -
\??\c:\rllxxlf.exec:\rllxxlf.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2240 -
\??\c:\hhbttt.exec:\hhbttt.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:752 -
\??\c:\frrxllr.exec:\frrxllr.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1744 -
\??\c:\rrrfxxr.exec:\rrrfxxr.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1932 -
\??\c:\nnnhnt.exec:\nnnhnt.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2064 -
\??\c:\pjdjd.exec:\pjdjd.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:352 -
\??\c:\ntbbhn.exec:\ntbbhn.exe17⤵
- Executes dropped EXE
PID:1908 -
\??\c:\bthntt.exec:\bthntt.exe18⤵
- Executes dropped EXE
PID:2888 -
\??\c:\djddd.exec:\djddd.exe19⤵
- Executes dropped EXE
PID:2972 -
\??\c:\xxlrlxx.exec:\xxlrlxx.exe20⤵
- Executes dropped EXE
PID:2368 -
\??\c:\tbbtnn.exec:\tbbtnn.exe21⤵
- Executes dropped EXE
PID:1748 -
\??\c:\jpjjv.exec:\jpjjv.exe22⤵
- Executes dropped EXE
PID:1096 -
\??\c:\rxfxfxf.exec:\rxfxfxf.exe23⤵
- Executes dropped EXE
PID:1640 -
\??\c:\xfxfxxl.exec:\xfxfxxl.exe24⤵
- Executes dropped EXE
PID:1088 -
\??\c:\bnnnbt.exec:\bnnnbt.exe25⤵
- Executes dropped EXE
PID:2496 -
\??\c:\3pjvj.exec:\3pjvj.exe26⤵
- Executes dropped EXE
PID:2216 -
\??\c:\pvvvp.exec:\pvvvp.exe27⤵
- Executes dropped EXE
PID:2520 -
\??\c:\7fxflxr.exec:\7fxflxr.exe28⤵
- Executes dropped EXE
PID:2464 -
\??\c:\ththbh.exec:\ththbh.exe29⤵
- Executes dropped EXE
PID:1644 -
\??\c:\pjdjd.exec:\pjdjd.exe30⤵
- Executes dropped EXE
PID:1628 -
\??\c:\nnbnhb.exec:\nnbnhb.exe31⤵
- Executes dropped EXE
PID:2504 -
\??\c:\vvvvj.exec:\vvvvj.exe32⤵
- Executes dropped EXE
PID:2748 -
\??\c:\lxfxlff.exec:\lxfxlff.exe33⤵
- Executes dropped EXE
PID:2652 -
\??\c:\rrxlfrl.exec:\rrxlfrl.exe34⤵
- Executes dropped EXE
PID:2704 -
\??\c:\tbbhtn.exec:\tbbhtn.exe35⤵
- Executes dropped EXE
PID:2964 -
\??\c:\dddjd.exec:\dddjd.exe36⤵
- Executes dropped EXE
PID:2724 -
\??\c:\fffxlrf.exec:\fffxlrf.exe37⤵
- Executes dropped EXE
PID:2716 -
\??\c:\3flllfx.exec:\3flllfx.exe38⤵
- Executes dropped EXE
PID:2436 -
\??\c:\1tttht.exec:\1tttht.exe39⤵
- Executes dropped EXE
PID:2556 -
\??\c:\pvjjd.exec:\pvjjd.exe40⤵
- Executes dropped EXE
PID:2320 -
\??\c:\lfllxlf.exec:\lfllxlf.exe41⤵
- Executes dropped EXE
PID:3044 -
\??\c:\3lrrrrr.exec:\3lrrrrr.exe42⤵
- Executes dropped EXE
PID:1340 -
\??\c:\5nnhnb.exec:\5nnhnb.exe43⤵
- Executes dropped EXE
PID:2912 -
\??\c:\5jvvp.exec:\5jvvp.exe44⤵
- Executes dropped EXE
PID:2584 -
\??\c:\xrlrflr.exec:\xrlrflr.exe45⤵
- Executes dropped EXE
PID:2936 -
\??\c:\frxrllr.exec:\frxrllr.exe46⤵
- Executes dropped EXE
PID:992 -
\??\c:\5thnbn.exec:\5thnbn.exe47⤵
- Executes dropped EXE
PID:2132 -
\??\c:\9tnbnh.exec:\9tnbnh.exe48⤵
- Executes dropped EXE
PID:2432 -
\??\c:\jpddd.exec:\jpddd.exe49⤵
- Executes dropped EXE
PID:2000 -
\??\c:\rxrrrfl.exec:\rxrrrfl.exe50⤵
- Executes dropped EXE
PID:2836 -
\??\c:\xfflrlr.exec:\xfflrlr.exe51⤵
- Executes dropped EXE
PID:2064 -
\??\c:\ttntbh.exec:\ttntbh.exe52⤵
- Executes dropped EXE
PID:1256 -
\??\c:\pjjpd.exec:\pjjpd.exe53⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:812 -
\??\c:\rllrrxl.exec:\rllrrxl.exe54⤵
- Executes dropped EXE
PID:828 -
\??\c:\5xxlfrf.exec:\5xxlfrf.exe55⤵
- Executes dropped EXE
PID:1820 -
\??\c:\btnbht.exec:\btnbht.exe56⤵
- Executes dropped EXE
PID:2244 -
\??\c:\3tthtn.exec:\3tthtn.exe57⤵
- Executes dropped EXE
PID:2168 -
\??\c:\jjppd.exec:\jjppd.exe58⤵
- Executes dropped EXE
PID:2156 -
\??\c:\ffxrfrl.exec:\ffxrfrl.exe59⤵
- Executes dropped EXE
PID:2100 -
\??\c:\rxxfxxf.exec:\rxxfxxf.exe60⤵
- Executes dropped EXE
PID:2020 -
\??\c:\bthhbh.exec:\bthhbh.exe61⤵
- Executes dropped EXE
PID:836 -
\??\c:\jjdpj.exec:\jjdpj.exe62⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2500 -
\??\c:\ffxrfll.exec:\ffxrfll.exe63⤵
- Executes dropped EXE
PID:872 -
\??\c:\9ntnth.exec:\9ntnth.exe64⤵
- Executes dropped EXE
PID:912 -
\??\c:\5ppdp.exec:\5ppdp.exe65⤵
- Executes dropped EXE
PID:960 -
\??\c:\jpdvj.exec:\jpdvj.exe66⤵PID:2112
-
\??\c:\rlrxrff.exec:\rlrxrff.exe67⤵PID:1780
-
\??\c:\7hbhbn.exec:\7hbhbn.exe68⤵PID:1328
-
\??\c:\hbthbn.exec:\hbthbn.exe69⤵PID:2480
-
\??\c:\7jjdd.exec:\7jjdd.exe70⤵PID:948
-
\??\c:\3llllrf.exec:\3llllrf.exe71⤵PID:2128
-
\??\c:\7rxrxrf.exec:\7rxrxrf.exe72⤵PID:2504
-
\??\c:\ppjjj.exec:\ppjjj.exe73⤵PID:2696
-
\??\c:\lllrfrf.exec:\lllrfrf.exe74⤵PID:2952
-
\??\c:\hnhnnb.exec:\hnhnnb.exe75⤵PID:2664
-
\??\c:\hthhtt.exec:\hthhtt.exe76⤵PID:2932
-
\??\c:\dvpvj.exec:\dvpvj.exe77⤵PID:2352
-
\??\c:\rrrxlrf.exec:\rrrxlrf.exe78⤵PID:2684
-
\??\c:\flrllff.exec:\flrllff.exe79⤵PID:2668
-
\??\c:\tbbnnh.exec:\tbbnnh.exe80⤵PID:2564
-
\??\c:\pjjdd.exec:\pjjdd.exe81⤵PID:2340
-
\??\c:\xrlxrlx.exec:\xrlxrlx.exe82⤵PID:2596
-
\??\c:\xlflfxf.exec:\xlflfxf.exe83⤵PID:2904
-
\??\c:\nhthnt.exec:\nhthnt.exe84⤵PID:2920
-
\??\c:\9bhtht.exec:\9bhtht.exe85⤵PID:3024
-
\??\c:\dpdjj.exec:\dpdjj.exe86⤵PID:856
-
\??\c:\rrllffx.exec:\rrllffx.exe87⤵PID:1676
-
\??\c:\hhhnbn.exec:\hhhnbn.exe88⤵PID:2132
-
\??\c:\bntntn.exec:\bntntn.exe89⤵PID:1260
-
\??\c:\dvvpj.exec:\dvvpj.exe90⤵PID:2000
-
\??\c:\dvvdd.exec:\dvvdd.exe91⤵PID:2780
-
\??\c:\rrlffrl.exec:\rrlffrl.exe92⤵PID:264
-
\??\c:\1bhttb.exec:\1bhttb.exe93⤵PID:1256
-
\??\c:\nnbhth.exec:\nnbhth.exe94⤵PID:1044
-
\??\c:\pppdv.exec:\pppdv.exe95⤵PID:1520
-
\??\c:\fllxffx.exec:\fllxffx.exe96⤵PID:1924
-
\??\c:\5rrfxlf.exec:\5rrfxlf.exe97⤵PID:2208
-
\??\c:\ttbtht.exec:\ttbtht.exe98⤵PID:2164
-
\??\c:\vpvjd.exec:\vpvjd.exe99⤵PID:1952
-
\??\c:\dvddj.exec:\dvddj.exe100⤵PID:1096
-
\??\c:\lfrrlrx.exec:\lfrrlrx.exe101⤵PID:1768
-
\??\c:\ttthbn.exec:\ttthbn.exe102⤵PID:1368
-
\??\c:\nhbnbn.exec:\nhbnbn.exe103⤵PID:1156
-
\??\c:\jpjdj.exec:\jpjdj.exe104⤵PID:872
-
\??\c:\lffrlxr.exec:\lffrlxr.exe105⤵PID:2944
-
\??\c:\thnbbb.exec:\thnbbb.exe106⤵PID:2216
-
\??\c:\nbhbhb.exec:\nbhbhb.exe107⤵PID:2956
-
\??\c:\jjjpv.exec:\jjjpv.exe108⤵PID:2464
-
\??\c:\xlrlffl.exec:\xlrlffl.exe109⤵PID:1852
-
\??\c:\fflffxx.exec:\fflffxx.exe110⤵PID:888
-
\??\c:\hhhtnb.exec:\hhhtnb.exe111⤵PID:1936
-
\??\c:\1djdv.exec:\1djdv.exe112⤵PID:2928
-
\??\c:\rrxlxxr.exec:\rrxlxxr.exe113⤵PID:2748
-
\??\c:\3llxxlr.exec:\3llxxlr.exe114⤵PID:2652
-
\??\c:\tnhtbn.exec:\tnhtbn.exe115⤵PID:2692
-
\??\c:\jjddd.exec:\jjddd.exe116⤵PID:2664
-
\??\c:\pjppj.exec:\pjppj.exe117⤵PID:2572
-
\??\c:\xxfrflf.exec:\xxfrflf.exe118⤵PID:2708
-
\??\c:\rxxxfxl.exec:\rxxxfxl.exe119⤵PID:2548
-
\??\c:\3bbtbb.exec:\3bbtbb.exe120⤵PID:3032
-
\??\c:\3vvdp.exec:\3vvdp.exe121⤵PID:3052
-
\??\c:\vdjpv.exec:\vdjpv.exe122⤵PID:2320