Analysis
-
max time kernel
150s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system -
submitted
21-11-2024 09:00
Behavioral task
behavioral1
Sample
d42e663bdb1661490731c5c7a860000a5c057a5f133de9ecbf2d74031e6c959f.exe
Resource
win7-20240903-en
General
-
Target
d42e663bdb1661490731c5c7a860000a5c057a5f133de9ecbf2d74031e6c959f.exe
-
Size
335KB
-
MD5
7a0f333a155797167d0c5c56254cc806
-
SHA1
a2b255e1eb252ef27942c16ee3031bf6d5f63d5e
-
SHA256
d42e663bdb1661490731c5c7a860000a5c057a5f133de9ecbf2d74031e6c959f
-
SHA512
7d1e40cafc3463f84b2610ef06f5644e9f5bab008da42a78d8d270a17d2110830377b4668643b74000d5ab296659dc930f710c647e80869b837a74c90a4cc82d
-
SSDEEP
6144:Lcm4FmowdHoSHt251UriZFwfsDX2UznsaFVNJCMKAbeRp:R4wFHoSHYHUrAwfMp3CDRp
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 45 IoCs
Processes:
resource yara_rule behavioral1/memory/1884-6-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2412-15-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1696-27-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2368-23-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2556-35-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2452-43-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2832-58-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2784-65-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2628-92-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2344-84-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2728-82-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2728-80-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2864-141-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2964-131-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2980-168-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2180-177-0x00000000002E0000-0x0000000000307000-memory.dmp family_blackmoon behavioral1/memory/2568-187-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1868-197-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2972-204-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/888-213-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/908-245-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral1/memory/2236-252-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2140-268-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/828-280-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2800-323-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2856-344-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2860-350-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2740-356-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2688-378-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/804-421-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2008-432-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2992-449-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1740-465-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2420-585-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2420-607-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2724-638-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2088-702-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1208-728-0x0000000000430000-0x0000000000457000-memory.dmp family_blackmoon behavioral1/memory/1796-751-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2676-906-0x00000000001B0000-0x00000000001D7000-memory.dmp family_blackmoon behavioral1/memory/684-927-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/1816-933-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon 
behavioral1/memory/2996-939-0x00000000001B0000-0x00000000001D7000-memory.dmp family_blackmoon behavioral1/memory/1984-973-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2060-6738-0x0000000076CF0000-0x0000000076DEA000-memory.dmp family_blackmoon -
(Note: the last hit, 0x76CF0000–0x76DEA000 in PID 2060, is the only match outside the 0x400000 image-base and ~0x1B0000–0x430000 regions every other hit falls in. On a 32-bit process under Windows 7 an address in that range is typical of a loaded system DLL, and PID 2060 is not among the processes listed in the visible tree, so verify this match is not the yara rule firing on a mapped library before counting it as a payload instance.)
Executes dropped EXE — 64 IoCs (note: PIDs 2176, 848 and 1196 each appear twice in this list with different image names, which is consistent with PID reuse after the earlier process exited; correlate entries by image name and spawn order rather than by PID alone)
Processes:
rlxfllr.exettbnhb.exedpppj.exexffrfrr.exentbttb.exedjdpp.exefrfxllr.exe5vddp.exefxflxrl.exe1pjdd.exe3xfxrlx.exetnbthn.exevpdpd.exennnttb.exexrxxlrf.exejpvdp.exerrlffxx.exe3nbhnb.exehtbbbt.exeddpvp.exettthbn.exedjddp.exexlrlxfr.exerrlxrfr.exevjvvj.exerxlfxrl.exetthhnt.exe7fxlxlx.exebbbhhn.exe7rlxfxx.exe9fxfrxf.exeflfrlfx.exebhtnnh.exevdvjp.exerllrfrl.exebhbtht.exejpvjj.exerxrrlxr.exerlxfrfr.exettnntt.exe7vjjv.exerxfxxll.exe3ththt.exepjpjp.exe3ffrlxl.exebbbbtt.exehhthbb.exe9ppjd.exeflllxfl.exebhbtnt.exevjjdv.exexrxfffr.exerrrxffl.exehbbhtb.exe3ppjd.exefrlflll.exe3bbnhn.exetttnnh.exe5dpdj.exe5lxfrfl.exe1rflxrf.exehhbnbn.exevvdvp.exeffxlrll.exepid Process 2412 rlxfllr.exe 2368 ttbnhb.exe 1696 dpppj.exe 2556 xffrfrr.exe 2452 ntbttb.exe 2812 djdpp.exe 2832 frfxllr.exe 2784 5vddp.exe 2728 fxflxrl.exe 2344 1pjdd.exe 2628 3xfxrlx.exe 2176 tnbthn.exe 2544 vpdpd.exe 848 nnnttb.exe 2964 xrxxlrf.exe 912 jpvdp.exe 2864 rrlffxx.exe 1196 3nbhnb.exe 2652 htbbbt.exe 2980 ddpvp.exe 2180 ttthbn.exe 2568 djddp.exe 1868 xlrlxfr.exe 2972 rrlxrfr.exe 888 vjvvj.exe 2948 rxlfxrl.exe 1380 tthhnt.exe 2300 7fxlxlx.exe 908 bbbhhn.exe 2236 7rlxfxx.exe 2360 9fxfrxf.exe 2140 flfrlfx.exe 2480 bhtnnh.exe 828 vdvjp.exe 896 rllrfrl.exe 1100 bhbtht.exe 2920 jpvjj.exe 1452 rxrrlxr.exe 1980 rlxfrfr.exe 1612 ttnntt.exe 1804 7vjjv.exe 2800 rxfxxll.exe 2576 3ththt.exe 2056 pjpjp.exe 1832 3ffrlxl.exe 2856 bbbbtt.exe 2860 hhthbb.exe 2740 9ppjd.exe 3004 flllxfl.exe 2988 bhbtnt.exe 1744 vjjdv.exe 2688 xrxfffr.exe 2172 rrrxffl.exe 2176 hbbhtb.exe 2672 3ppjd.exe 2352 frlflll.exe 848 3bbnhn.exe 640 tttnnh.exe 1496 5dpdj.exe 804 5lxfrfl.exe 308 1rflxrf.exe 2008 hhbnbn.exe 1196 vvdvp.exe 3008 ffxlrll.exe -
UPX-packed executables (yara rule `upx`) — matched on the dropped files and on their in-memory images; the sample and every dropped stage share the same 0x400000–0x427000 image range, i.e. the chain re-drops copies of one packed binary. Processes:
resource yara_rule behavioral1/memory/1884-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2412-8-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0007000000012118-7.dat upx behavioral1/memory/1884-6-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0008000000017403-16.dat upx behavioral1/memory/2412-15-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/1696-27-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000800000001746a-25.dat upx behavioral1/memory/2368-23-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00070000000174a6-32.dat upx behavioral1/memory/2556-35-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2452-43-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00070000000174c3-41.dat upx behavioral1/files/0x000700000001757f-49.dat upx behavioral1/memory/2832-58-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0018000000018676-56.dat upx behavioral1/files/0x0007000000018696-63.dat upx behavioral1/memory/2784-65-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2728-72-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001926c-71.dat upx behavioral1/files/0x000500000001929a-98.dat upx behavioral1/memory/2628-92-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0005000000019278-91.dat upx behavioral1/memory/2344-84-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0005000000019275-83.dat upx behavioral1/memory/2728-82-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0005000000019319-106.dat upx behavioral1/files/0x0005000000019365-115.dat upx behavioral1/files/0x0005000000019377-121.dat upx behavioral1/memory/2864-141-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00050000000193a4-140.dat upx 
behavioral1/files/0x0005000000019387-132.dat upx behavioral1/memory/2964-131-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00050000000193b3-147.dat upx behavioral1/files/0x000900000001707c-154.dat upx behavioral1/files/0x00050000000193c1-161.dat upx behavioral1/files/0x0005000000019433-169.dat upx behavioral1/memory/2980-168-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0005000000019446-179.dat upx behavioral1/files/0x0005000000019450-188.dat upx behavioral1/memory/2568-187-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001945b-196.dat upx behavioral1/memory/1868-197-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0005000000019465-205.dat upx behavioral1/memory/2972-204-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0005000000019479-221.dat upx behavioral1/files/0x000500000001946a-215.dat upx behavioral1/memory/888-212-0x0000000000220000-0x0000000000247000-memory.dmp upx behavioral1/files/0x000500000001947d-228.dat upx behavioral1/memory/2300-229-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0005000000019485-236.dat upx behavioral1/memory/908-242-0x0000000000220000-0x0000000000247000-memory.dmp upx behavioral1/files/0x00050000000194d7-246.dat upx behavioral1/memory/908-245-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00050000000194df-253.dat upx behavioral1/memory/2236-252-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001950e-260.dat upx behavioral1/memory/2140-262-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2140-268-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/828-274-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/828-280-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2800-323-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral1/memory/2856-344-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2860-350-0x0000000000400000-0x0000000000427000-memory.dmp upx -
System Location Discovery: System Language Discovery (ATT&CK T1614.001) — 1 TTP, 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location. In this run the check is a read of `HKLM\SYSTEM\ControlSet001\Control\NLS\Language` by each dropped stage; such locale checks are commonly used to avoid executing on hosts in particular regions, but this report shows only the key being opened, not what the sample does with the value.
Processes:
fllffll.exehhhnbh.exebbbnnh.exefffffxf.exejpvdp.exerxxrfrl.exebbnnbh.exe7nnthh.exejjdpv.exenbnhhb.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fllffll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhhnbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbbnnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fffffxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpvdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxxrfrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbnnbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7nnthh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjdpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbnhhb.exe -
Suspicious use of WriteProcessMemory — 64 IoCs (note: every recorded write targets the process the writer itself has just spawned — 1884 → 2412, 2412 → 2368, 2368 → 1696, and so on down the chain — which is consistent with ordinary child-process startup rather than injection into an unrelated process; no write into a pre-existing or system process is shown here)
Processes:
d42e663bdb1661490731c5c7a860000a5c057a5f133de9ecbf2d74031e6c959f.exerlxfllr.exettbnhb.exedpppj.exexffrfrr.exentbttb.exedjdpp.exefrfxllr.exe5vddp.exefxflxrl.exe1pjdd.exe3xfxrlx.exetnbthn.exevpdpd.exennnttb.exexrxxlrf.exedescription pid Process procid_target PID 1884 wrote to memory of 2412 1884 d42e663bdb1661490731c5c7a860000a5c057a5f133de9ecbf2d74031e6c959f.exe 30 PID 1884 wrote to memory of 2412 1884 d42e663bdb1661490731c5c7a860000a5c057a5f133de9ecbf2d74031e6c959f.exe 30 PID 1884 wrote to memory of 2412 1884 d42e663bdb1661490731c5c7a860000a5c057a5f133de9ecbf2d74031e6c959f.exe 30 PID 1884 wrote to memory of 2412 1884 d42e663bdb1661490731c5c7a860000a5c057a5f133de9ecbf2d74031e6c959f.exe 30 PID 2412 wrote to memory of 2368 2412 rlxfllr.exe 31 PID 2412 wrote to memory of 2368 2412 rlxfllr.exe 31 PID 2412 wrote to memory of 2368 2412 rlxfllr.exe 31 PID 2412 wrote to memory of 2368 2412 rlxfllr.exe 31 PID 2368 wrote to memory of 1696 2368 ttbnhb.exe 32 PID 2368 wrote to memory of 1696 2368 ttbnhb.exe 32 PID 2368 wrote to memory of 1696 2368 ttbnhb.exe 32 PID 2368 wrote to memory of 1696 2368 ttbnhb.exe 32 PID 1696 wrote to memory of 2556 1696 dpppj.exe 33 PID 1696 wrote to memory of 2556 1696 dpppj.exe 33 PID 1696 wrote to memory of 2556 1696 dpppj.exe 33 PID 1696 wrote to memory of 2556 1696 dpppj.exe 33 PID 2556 wrote to memory of 2452 2556 xffrfrr.exe 34 PID 2556 wrote to memory of 2452 2556 xffrfrr.exe 34 PID 2556 wrote to memory of 2452 2556 xffrfrr.exe 34 PID 2556 wrote to memory of 2452 2556 xffrfrr.exe 34 PID 2452 wrote to memory of 2812 2452 ntbttb.exe 35 PID 2452 wrote to memory of 2812 2452 ntbttb.exe 35 PID 2452 wrote to memory of 2812 2452 ntbttb.exe 35 PID 2452 wrote to memory of 2812 2452 ntbttb.exe 35 PID 2812 wrote to memory of 2832 2812 djdpp.exe 36 PID 2812 wrote to memory of 2832 2812 djdpp.exe 36 PID 2812 wrote to memory of 2832 2812 djdpp.exe 36 PID 2812 wrote to memory of 2832 2812 djdpp.exe 36 PID 2832 wrote to memory of 2784 2832 frfxllr.exe 37 
PID 2832 wrote to memory of 2784 2832 frfxllr.exe 37 PID 2832 wrote to memory of 2784 2832 frfxllr.exe 37 PID 2832 wrote to memory of 2784 2832 frfxllr.exe 37 PID 2784 wrote to memory of 2728 2784 5vddp.exe 38 PID 2784 wrote to memory of 2728 2784 5vddp.exe 38 PID 2784 wrote to memory of 2728 2784 5vddp.exe 38 PID 2784 wrote to memory of 2728 2784 5vddp.exe 38 PID 2728 wrote to memory of 2344 2728 fxflxrl.exe 39 PID 2728 wrote to memory of 2344 2728 fxflxrl.exe 39 PID 2728 wrote to memory of 2344 2728 fxflxrl.exe 39 PID 2728 wrote to memory of 2344 2728 fxflxrl.exe 39 PID 2344 wrote to memory of 2628 2344 1pjdd.exe 40 PID 2344 wrote to memory of 2628 2344 1pjdd.exe 40 PID 2344 wrote to memory of 2628 2344 1pjdd.exe 40 PID 2344 wrote to memory of 2628 2344 1pjdd.exe 40 PID 2628 wrote to memory of 2176 2628 3xfxrlx.exe 41 PID 2628 wrote to memory of 2176 2628 3xfxrlx.exe 41 PID 2628 wrote to memory of 2176 2628 3xfxrlx.exe 41 PID 2628 wrote to memory of 2176 2628 3xfxrlx.exe 41 PID 2176 wrote to memory of 2544 2176 tnbthn.exe 42 PID 2176 wrote to memory of 2544 2176 tnbthn.exe 42 PID 2176 wrote to memory of 2544 2176 tnbthn.exe 42 PID 2176 wrote to memory of 2544 2176 tnbthn.exe 42 PID 2544 wrote to memory of 848 2544 vpdpd.exe 43 PID 2544 wrote to memory of 848 2544 vpdpd.exe 43 PID 2544 wrote to memory of 848 2544 vpdpd.exe 43 PID 2544 wrote to memory of 848 2544 vpdpd.exe 43 PID 848 wrote to memory of 2964 848 nnnttb.exe 44 PID 848 wrote to memory of 2964 848 nnnttb.exe 44 PID 848 wrote to memory of 2964 848 nnnttb.exe 44 PID 848 wrote to memory of 2964 848 nnnttb.exe 44 PID 2964 wrote to memory of 912 2964 xrxxlrf.exe 45 PID 2964 wrote to memory of 912 2964 xrxxlrf.exe 45 PID 2964 wrote to memory of 912 2964 xrxxlrf.exe 45 PID 2964 wrote to memory of 912 2964 xrxxlrf.exe 45
Processes (122 levels shown; each dropped executable is written to the volume root `c:\` and spawns the next stage, so the depth reflects the sample's self-propagation rather than 122 distinct components. Writing to `c:\` succeeded here because the sandbox runs as the Admin user (`C:\Users\Admin\...`); on a non-administrative host the chain may stop at the first drop. PID 1884 reappears at level 88 as lfflxlx.exe, which means the original sample process had exited by then — do not key containment or detection on the initial PID.)
-
C:\Users\Admin\AppData\Local\Temp\d42e663bdb1661490731c5c7a860000a5c057a5f133de9ecbf2d74031e6c959f.exe"C:\Users\Admin\AppData\Local\Temp\d42e663bdb1661490731c5c7a860000a5c057a5f133de9ecbf2d74031e6c959f.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1884 -
\??\c:\rlxfllr.exec:\rlxfllr.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2412 -
\??\c:\ttbnhb.exec:\ttbnhb.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2368 -
\??\c:\dpppj.exec:\dpppj.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1696 -
\??\c:\xffrfrr.exec:\xffrfrr.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2556 -
\??\c:\ntbttb.exec:\ntbttb.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2452 -
\??\c:\djdpp.exec:\djdpp.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2812 -
\??\c:\frfxllr.exec:\frfxllr.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2832 -
\??\c:\5vddp.exec:\5vddp.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2784 -
\??\c:\fxflxrl.exec:\fxflxrl.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2728 -
\??\c:\1pjdd.exec:\1pjdd.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2344 -
\??\c:\3xfxrlx.exec:\3xfxrlx.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2628 -
\??\c:\tnbthn.exec:\tnbthn.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2176 -
\??\c:\vpdpd.exec:\vpdpd.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2544 -
\??\c:\nnnttb.exec:\nnnttb.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:848 -
\??\c:\xrxxlrf.exec:\xrxxlrf.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2964 -
\??\c:\jpvdp.exec:\jpvdp.exe17⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:912 -
\??\c:\rrlffxx.exec:\rrlffxx.exe18⤵
- Executes dropped EXE
PID:2864 -
\??\c:\3nbhnb.exec:\3nbhnb.exe19⤵
- Executes dropped EXE
PID:1196 -
\??\c:\htbbbt.exec:\htbbbt.exe20⤵
- Executes dropped EXE
PID:2652 -
\??\c:\ddpvp.exec:\ddpvp.exe21⤵
- Executes dropped EXE
PID:2980 -
\??\c:\ttthbn.exec:\ttthbn.exe22⤵
- Executes dropped EXE
PID:2180 -
\??\c:\djddp.exec:\djddp.exe23⤵
- Executes dropped EXE
PID:2568 -
\??\c:\xlrlxfr.exec:\xlrlxfr.exe24⤵
- Executes dropped EXE
PID:1868 -
\??\c:\rrlxrfr.exec:\rrlxrfr.exe25⤵
- Executes dropped EXE
PID:2972 -
\??\c:\vjvvj.exec:\vjvvj.exe26⤵
- Executes dropped EXE
PID:888 -
\??\c:\rxlfxrl.exec:\rxlfxrl.exe27⤵
- Executes dropped EXE
PID:2948 -
\??\c:\tthhnt.exec:\tthhnt.exe28⤵
- Executes dropped EXE
PID:1380 -
\??\c:\7fxlxlx.exec:\7fxlxlx.exe29⤵
- Executes dropped EXE
PID:2300 -
\??\c:\bbbhhn.exec:\bbbhhn.exe30⤵
- Executes dropped EXE
PID:908 -
\??\c:\7rlxfxx.exec:\7rlxfxx.exe31⤵
- Executes dropped EXE
PID:2236 -
\??\c:\9fxfrxf.exec:\9fxfrxf.exe32⤵
- Executes dropped EXE
PID:2360 -
\??\c:\flfrlfx.exec:\flfrlfx.exe33⤵
- Executes dropped EXE
PID:2140 -
\??\c:\bhtnnh.exec:\bhtnnh.exe34⤵
- Executes dropped EXE
PID:2480 -
\??\c:\vdvjp.exec:\vdvjp.exe35⤵
- Executes dropped EXE
PID:828 -
\??\c:\rllrfrl.exec:\rllrfrl.exe36⤵
- Executes dropped EXE
PID:896 -
\??\c:\bhbtht.exec:\bhbtht.exe37⤵
- Executes dropped EXE
PID:1100 -
\??\c:\jpvjj.exec:\jpvjj.exe38⤵
- Executes dropped EXE
PID:2920 -
\??\c:\rxrrlxr.exec:\rxrrlxr.exe39⤵
- Executes dropped EXE
PID:1452 -
\??\c:\rlxfrfr.exec:\rlxfrfr.exe40⤵
- Executes dropped EXE
PID:1980 -
\??\c:\ttnntt.exec:\ttnntt.exe41⤵
- Executes dropped EXE
PID:1612 -
\??\c:\7vjjv.exec:\7vjjv.exe42⤵
- Executes dropped EXE
PID:1804 -
\??\c:\rxfxxll.exec:\rxfxxll.exe43⤵
- Executes dropped EXE
PID:2800 -
\??\c:\3ththt.exec:\3ththt.exe44⤵
- Executes dropped EXE
PID:2576 -
\??\c:\pjpjp.exec:\pjpjp.exe45⤵
- Executes dropped EXE
PID:2056 -
\??\c:\3ffrlxl.exec:\3ffrlxl.exe46⤵
- Executes dropped EXE
PID:1832 -
\??\c:\bbbbtt.exec:\bbbbtt.exe47⤵
- Executes dropped EXE
PID:2856 -
\??\c:\hhthbb.exec:\hhthbb.exe48⤵
- Executes dropped EXE
PID:2860 -
\??\c:\9ppjd.exec:\9ppjd.exe49⤵
- Executes dropped EXE
PID:2740 -
\??\c:\flllxfl.exec:\flllxfl.exe50⤵
- Executes dropped EXE
PID:3004 -
\??\c:\bhbtnt.exec:\bhbtnt.exe51⤵
- Executes dropped EXE
PID:2988 -
\??\c:\vjjdv.exec:\vjjdv.exe52⤵
- Executes dropped EXE
PID:1744 -
\??\c:\xrxfffr.exec:\xrxfffr.exe53⤵
- Executes dropped EXE
PID:2688 -
\??\c:\rrrxffl.exec:\rrrxffl.exe54⤵
- Executes dropped EXE
PID:2172 -
\??\c:\hbbhtb.exec:\hbbhtb.exe55⤵
- Executes dropped EXE
PID:2176 -
\??\c:\3ppjd.exec:\3ppjd.exe56⤵
- Executes dropped EXE
PID:2672 -
\??\c:\frlflll.exec:\frlflll.exe57⤵
- Executes dropped EXE
PID:2352 -
\??\c:\3bbnhn.exec:\3bbnhn.exe58⤵
- Executes dropped EXE
PID:848 -
\??\c:\tttnnh.exec:\tttnnh.exe59⤵
- Executes dropped EXE
PID:640 -
\??\c:\5dpdj.exec:\5dpdj.exe60⤵
- Executes dropped EXE
PID:1496 -
\??\c:\5lxfrfl.exec:\5lxfrfl.exe61⤵
- Executes dropped EXE
PID:804 -
\??\c:\1rflxrf.exec:\1rflxrf.exe62⤵
- Executes dropped EXE
PID:308 -
\??\c:\hhbnbn.exec:\hhbnbn.exe63⤵
- Executes dropped EXE
PID:2008 -
\??\c:\vvdvp.exec:\vvdvp.exe64⤵
- Executes dropped EXE
PID:1196 -
\??\c:\ffxlrll.exec:\ffxlrll.exe65⤵
- Executes dropped EXE
PID:3008 -
\??\c:\bbbtnh.exec:\bbbtnh.exe66⤵PID:2992
-
\??\c:\bntnhb.exec:\bntnhb.exe67⤵PID:1636
-
\??\c:\vdvpj.exec:\vdvpj.exe68⤵PID:1824
-
\??\c:\xlrlxlx.exec:\xlrlxlx.exe69⤵PID:1740
-
\??\c:\rxxxrxr.exec:\rxxxrxr.exe70⤵PID:2012
-
\??\c:\hnhtth.exec:\hnhtth.exe71⤵PID:352
-
\??\c:\dpdpd.exec:\dpdpd.exe72⤵PID:1060
-
\??\c:\pdjdd.exec:\pdjdd.exe73⤵PID:960
-
\??\c:\rrfrxrf.exec:\rrfrxrf.exe74⤵PID:1056
-
\??\c:\hhbtnb.exec:\hhbtnb.exe75⤵PID:1872
-
\??\c:\hhhhbb.exec:\hhhhbb.exe76⤵PID:284
-
\??\c:\3jjpj.exec:\3jjpj.exe77⤵PID:1676
-
\??\c:\rlflrfx.exec:\rlflrfx.exe78⤵PID:1400
-
\??\c:\rxxrfrl.exec:\rxxrfrl.exe79⤵
- System Location Discovery: System Language Discovery
PID:2240 -
\??\c:\bnhthh.exec:\bnhthh.exe80⤵PID:1212
-
\??\c:\7pjvp.exec:\7pjvp.exe81⤵PID:3064
-
\??\c:\lrxxrll.exec:\lrxxrll.exe82⤵PID:1556
-
\??\c:\lrxlfll.exec:\lrxlfll.exe83⤵PID:624
-
\??\c:\hbhhbb.exec:\hbhhbb.exe84⤵PID:628
-
\??\c:\dpddd.exec:\dpddd.exe85⤵PID:2476
-
\??\c:\xrlxflx.exec:\xrlxflx.exe86⤵PID:880
-
\??\c:\lfflxlx.exec:\lfflxlx.exe87⤵PID:1884
-
\??\c:\btbtth.exec:\btbtth.exe88⤵PID:2200
-
\??\c:\jjjpj.exec:\jjjpj.exe89⤵PID:2204
-
\??\c:\pvpjd.exec:\pvpjd.exe90⤵PID:1456
-
\??\c:\xfllfrr.exec:\xfllfrr.exe91⤵PID:1964
-
\??\c:\bhhtth.exec:\bhhtth.exe92⤵PID:1612
-
\??\c:\tbntbh.exec:\tbntbh.exe93⤵PID:2420
-
\??\c:\jpvjd.exec:\jpvjd.exe94⤵PID:2800
-
\??\c:\xrrfrrf.exec:\xrrfrrf.exe95⤵PID:2576
-
\??\c:\1hhtnh.exec:\1hhtnh.exe96⤵PID:2372
-
\??\c:\pppjd.exec:\pppjd.exe97⤵PID:1832
-
\??\c:\pppvj.exec:\pppvj.exe98⤵PID:2904
-
\??\c:\rfrxllf.exec:\rfrxllf.exe99⤵PID:2860
-
\??\c:\bhbnnt.exec:\bhbnnt.exe100⤵PID:2740
-
\??\c:\ttnhhn.exec:\ttnhhn.exe101⤵PID:2772
-
\??\c:\djjdv.exec:\djjdv.exe102⤵PID:2724
-
\??\c:\llrlfxr.exec:\llrlfxr.exe103⤵PID:2872
-
\??\c:\9lxrrxl.exec:\9lxrrxl.exe104⤵PID:2664
-
\??\c:\hhhtnb.exec:\hhhtnb.exe105⤵PID:2312
-
\??\c:\dpdjd.exec:\dpdjd.exe106⤵PID:2212
-
\??\c:\vjdjj.exec:\vjdjj.exe107⤵PID:1120
-
\??\c:\lrrlffr.exec:\lrrlffr.exe108⤵PID:2956
-
\??\c:\nnhthn.exec:\nnhthn.exe109⤵PID:2020
-
\??\c:\thhnnn.exec:\thhnnn.exe110⤵PID:588
-
\??\c:\pddjv.exec:\pddjv.exe111⤵PID:2884
-
\??\c:\llfrlrl.exec:\llfrlrl.exe112⤵PID:1152
-
\??\c:\hhbnnh.exec:\hhbnnh.exe113⤵PID:2016
-
\??\c:\tnbnbn.exec:\tnbnbn.exe114⤵PID:1984
-
\??\c:\vvvdp.exec:\vvvdp.exe115⤵PID:2088
-
\??\c:\hhhbnn.exec:\hhhbnn.exe116⤵PID:2072
-
\??\c:\1jvpj.exec:\1jvpj.exe117⤵PID:1828
-
\??\c:\9ddpd.exec:\9ddpd.exe118⤵PID:2156
-
\??\c:\frfxxrx.exec:\frfxxrx.exe119⤵PID:1208
-
\??\c:\hnthnb.exec:\hnthnb.exe120⤵PID:1200
-
\??\c:\dvdvj.exec:\dvdvj.exe121⤵PID:448
-
\??\c:\rxxlrxr.exec:\rxxlrxr.exe122⤵PID:1868
-