Analysis
-
max time kernel
150s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
22-11-2024 18:19
Behavioral task
behavioral1
Sample
375bd19dc3703e65bf67bf9b3e0825f9599aaac92288a24addc691db5c008b38.exe
Resource
win7-20240903-en
General
-
Target
375bd19dc3703e65bf67bf9b3e0825f9599aaac92288a24addc691db5c008b38.exe
-
Size
61KB
-
MD5
a9b1f3ca5d3acddd7dde1424ac09bcfe
-
SHA1
8276bd88b686c54884ef5e9a5ae5dd132be0ef4b
-
SHA256
375bd19dc3703e65bf67bf9b3e0825f9599aaac92288a24addc691db5c008b38
-
SHA512
1f0c7e05152f929b79ae6475cba2b3de35df58d4d411ac84c27fc39ba5f442fd53326b207fb1d6174fbcbf7ec59547829d64c752b9de8b56f98717e103cec02a
-
SSDEEP
1536:kvQBeOGtrYS3srx93UBWfwC6Ggnouy8p5yAXNlIQldWAw:khOmTsF93UYfwC6GIoutpYcvldWAw
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 56 IoCs
Processes:
resource yara_rule behavioral1/memory/3040-1-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2528-20-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2544-29-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2876-46-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2168-16-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/3004-61-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/1932-73-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1932-70-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2628-82-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2608-91-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/996-100-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1660-110-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1876-113-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/480-135-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1816-153-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2948-175-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1980-167-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1820-163-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2532-207-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1500-265-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1616-275-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral1/memory/1720-292-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2748-305-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2328-312-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2740-325-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1600-338-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2648-364-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/996-377-0x00000000001B0000-0x00000000001D7000-memory.dmp family_blackmoon behavioral1/memory/876-391-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/3068-443-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/3008-486-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/3008-487-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/3028-519-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2400-532-0x00000000003C0000-0x00000000003E7000-memory.dmp family_blackmoon behavioral1/memory/1736-545-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1720-560-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1720-559-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/1720-558-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2868-576-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2796-574-0x0000000000230000-0x0000000000257000-memory.dmp family_blackmoon behavioral1/memory/2796-572-0x0000000000230000-0x0000000000257000-memory.dmp family_blackmoon behavioral1/memory/2732-599-0x0000000000230000-0x0000000000257000-memory.dmp family_blackmoon 
behavioral1/memory/988-651-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/768-670-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1664-699-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2792-740-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2856-828-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/1660-912-0x00000000001B0000-0x00000000001D7000-memory.dmp family_blackmoon behavioral1/memory/988-919-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1088-1019-0x00000000002A0000-0x00000000002C7000-memory.dmp family_blackmoon behavioral1/memory/1088-1018-0x00000000002A0000-0x00000000002C7000-memory.dmp family_blackmoon behavioral1/memory/2852-1102-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2760-1119-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2832-1136-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/532-1210-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2936-1245-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
Processes:
rlffflr.exe260688.exeo602068.exeppvjj.exenhtbnt.exexrlrflx.exefxfrxfr.exebbnnbh.exevppdv.exec088446.exelllrrxx.exe4208662.exehbhhtt.exe3dvdp.exejjdjv.exevpjpd.exea0842.exe864006.exebnbhtn.exe5bhhhh.exepjvpv.exee88068.exe8602604.exe640686.exe080606.exe080028.exe820028.exee48282.exennbbth.exe5rlflxl.exeg0844.exec422444.exehbtbtt.exevvpdd.exevvdjp.exe086228.exe7ddjv.exenhbtbn.exexrlrxxl.exeffflxfl.exek80806.exe4246440.exelfrrfrr.exebtntbh.exe6680846.exefxrxxxf.exe662406.exeu828446.exe4042604.exetnbhtt.exe66486.exettttbn.exe1bbbhn.exexxxflrr.exea4802.exeq08800.exetnbbhh.exetnbhhh.exe7htttb.exe6640846.exe862404.exeq26604.exeg0804.exedvppp.exepid Process 2168 rlffflr.exe 2528 260688.exe 2544 o602068.exe 2344 ppvjj.exe 2876 nhtbnt.exe 3004 xrlrflx.exe 1932 fxfrxfr.exe 2628 bbnnbh.exe 2608 vppdv.exe 996 c088446.exe 1660 lllrrxx.exe 1876 4208662.exe 2968 hbhhtt.exe 480 3dvdp.exe 2816 jjdjv.exe 1816 vpjpd.exe 1820 a0842.exe 1980 864006.exe 2948 bnbhtn.exe 2432 5bhhhh.exe 852 pjvpv.exe 2532 e88068.exe 1384 8602604.exe 2192 640686.exe 1332 080606.exe 1548 080028.exe 2104 820028.exe 2436 e48282.exe 1500 nnbbth.exe 1616 5rlflxl.exe 3048 g0844.exe 1720 c422444.exe 2348 hbtbtt.exe 2748 vvpdd.exe 2328 vvdjp.exe 2880 086228.exe 2740 7ddjv.exe 2764 nhbtbn.exe 1600 xrlrxxl.exe 2640 ffflxfl.exe 2848 k80806.exe 2776 4246440.exe 2648 lfrrfrr.exe 2128 btntbh.exe 996 6680846.exe 1824 fxrxxxf.exe 876 662406.exe 2812 u828446.exe 784 4042604.exe 1496 tnbhtt.exe 1804 66486.exe 532 ttttbn.exe 2164 1bbbhn.exe 2428 xxxflrr.exe 3068 a4802.exe 2964 q08800.exe 2176 tnbbhh.exe 852 tnbhhh.exe 1788 7htttb.exe 3064 6640846.exe 2532 862404.exe 3008 q26604.exe 2136 g0804.exe 1644 dvppp.exe -
Processes:
resource yara_rule behavioral1/memory/2168-8-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00080000000120f9-7.dat upx behavioral1/memory/3040-1-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0009000000016141-18.dat upx behavioral1/memory/2528-20-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2544-29-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0008000000016399-36.dat upx behavioral1/files/0x00080000000162e4-27.dat upx behavioral1/memory/2876-46-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00080000000164de-44.dat upx behavioral1/files/0x0008000000016689-53.dat upx behavioral1/memory/2168-16-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/3004-56-0x0000000000220000-0x0000000000247000-memory.dmp upx behavioral1/files/0x0007000000016b86-62.dat upx behavioral1/memory/2628-74-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/1932-73-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0007000000016c89-71.dat upx behavioral1/files/0x0007000000016ca0-83.dat upx behavioral1/memory/2628-82-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2608-91-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0009000000016cf0-90.dat upx behavioral1/memory/3004-101-0x0000000000220000-0x0000000000247000-memory.dmp upx behavioral1/memory/996-100-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00060000000174f8-99.dat upx behavioral1/memory/1660-110-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0006000000017570-109.dat upx behavioral1/files/0x00060000000175f1-120.dat upx behavioral1/memory/1876-113-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00060000000175f7-128.dat upx behavioral1/files/0x000d000000018683-136.dat upx 
behavioral1/memory/480-135-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0005000000018697-146.dat upx behavioral1/memory/1816-145-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0005000000018706-155.dat upx behavioral1/memory/1816-153-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2948-175-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001871c-174.dat upx behavioral1/memory/1980-167-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001870c-165.dat upx behavioral1/memory/1820-161-0x0000000000220000-0x0000000000247000-memory.dmp upx behavioral1/files/0x0006000000018be7-190.dat upx behavioral1/files/0x0005000000018745-183.dat upx behavioral1/files/0x0006000000018d7b-198.dat upx behavioral1/files/0x0006000000018d83-208.dat upx behavioral1/memory/2532-207-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0006000000018fdf-217.dat upx behavioral1/files/0x0006000000019056-224.dat upx behavioral1/files/0x0008000000015fa6-233.dat upx behavioral1/files/0x0005000000019203-240.dat upx behavioral1/files/0x0005000000019237-247.dat upx behavioral1/memory/2436-249-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001924f-257.dat upx behavioral1/memory/1500-265-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0005000000019261-268.dat upx behavioral1/memory/1616-267-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0005000000019274-277.dat upx behavioral1/memory/1616-275-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001927a-285.dat upx behavioral1/memory/1720-292-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2748-305-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2328-312-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral1/memory/2740-325-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2640-339-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/1600-338-0x0000000000400000-0x0000000000427000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
q08800.exebttbtb.exetnbbbb.exec040240.exek08284.exejjpvd.exehbtnbb.exexrxrffl.exeppjjp.exe862444.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language q08800.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bttbtb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnbbbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c040240.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language k08284.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjpvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbtnbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrxrffl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppjjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 862444.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
375bd19dc3703e65bf67bf9b3e0825f9599aaac92288a24addc691db5c008b38.exerlffflr.exe260688.exeo602068.exeppvjj.exenhtbnt.exexrlrflx.exefxfrxfr.exebbnnbh.exevppdv.exec088446.exelllrrxx.exe4208662.exehbhhtt.exe3dvdp.exejjdjv.exedescription pid Process procid_target PID 3040 wrote to memory of 2168 3040 375bd19dc3703e65bf67bf9b3e0825f9599aaac92288a24addc691db5c008b38.exe 30 PID 3040 wrote to memory of 2168 3040 375bd19dc3703e65bf67bf9b3e0825f9599aaac92288a24addc691db5c008b38.exe 30 PID 3040 wrote to memory of 2168 3040 375bd19dc3703e65bf67bf9b3e0825f9599aaac92288a24addc691db5c008b38.exe 30 PID 3040 wrote to memory of 2168 3040 375bd19dc3703e65bf67bf9b3e0825f9599aaac92288a24addc691db5c008b38.exe 30 PID 2168 wrote to memory of 2528 2168 rlffflr.exe 31 PID 2168 wrote to memory of 2528 2168 rlffflr.exe 31 PID 2168 wrote to memory of 2528 2168 rlffflr.exe 31 PID 2168 wrote to memory of 2528 2168 rlffflr.exe 31 PID 2528 wrote to memory of 2544 2528 260688.exe 32 PID 2528 wrote to memory of 2544 2528 260688.exe 32 PID 2528 wrote to memory of 2544 2528 260688.exe 32 PID 2528 wrote to memory of 2544 2528 260688.exe 32 PID 2544 wrote to memory of 2344 2544 o602068.exe 33 PID 2544 wrote to memory of 2344 2544 o602068.exe 33 PID 2544 wrote to memory of 2344 2544 o602068.exe 33 PID 2544 wrote to memory of 2344 2544 o602068.exe 33 PID 2344 wrote to memory of 2876 2344 ppvjj.exe 34 PID 2344 wrote to memory of 2876 2344 ppvjj.exe 34 PID 2344 wrote to memory of 2876 2344 ppvjj.exe 34 PID 2344 wrote to memory of 2876 2344 ppvjj.exe 34 PID 2876 wrote to memory of 3004 2876 nhtbnt.exe 35 PID 2876 wrote to memory of 3004 2876 nhtbnt.exe 35 PID 2876 wrote to memory of 3004 2876 nhtbnt.exe 35 PID 2876 wrote to memory of 3004 2876 nhtbnt.exe 35 PID 3004 wrote to memory of 1932 3004 xrlrflx.exe 36 PID 3004 wrote to memory of 1932 3004 xrlrflx.exe 36 PID 3004 wrote to memory of 1932 3004 xrlrflx.exe 36 PID 3004 wrote to memory of 1932 3004 xrlrflx.exe 36 PID 1932 wrote to memory of 2628 1932 
fxfrxfr.exe 37 PID 1932 wrote to memory of 2628 1932 fxfrxfr.exe 37 PID 1932 wrote to memory of 2628 1932 fxfrxfr.exe 37 PID 1932 wrote to memory of 2628 1932 fxfrxfr.exe 37 PID 2628 wrote to memory of 2608 2628 bbnnbh.exe 38 PID 2628 wrote to memory of 2608 2628 bbnnbh.exe 38 PID 2628 wrote to memory of 2608 2628 bbnnbh.exe 38 PID 2628 wrote to memory of 2608 2628 bbnnbh.exe 38 PID 2608 wrote to memory of 996 2608 vppdv.exe 39 PID 2608 wrote to memory of 996 2608 vppdv.exe 39 PID 2608 wrote to memory of 996 2608 vppdv.exe 39 PID 2608 wrote to memory of 996 2608 vppdv.exe 39 PID 996 wrote to memory of 1660 996 c088446.exe 40 PID 996 wrote to memory of 1660 996 c088446.exe 40 PID 996 wrote to memory of 1660 996 c088446.exe 40 PID 996 wrote to memory of 1660 996 c088446.exe 40 PID 1660 wrote to memory of 1876 1660 lllrrxx.exe 41 PID 1660 wrote to memory of 1876 1660 lllrrxx.exe 41 PID 1660 wrote to memory of 1876 1660 lllrrxx.exe 41 PID 1660 wrote to memory of 1876 1660 lllrrxx.exe 41 PID 1876 wrote to memory of 2968 1876 4208662.exe 42 PID 1876 wrote to memory of 2968 1876 4208662.exe 42 PID 1876 wrote to memory of 2968 1876 4208662.exe 42 PID 1876 wrote to memory of 2968 1876 4208662.exe 42 PID 2968 wrote to memory of 480 2968 hbhhtt.exe 43 PID 2968 wrote to memory of 480 2968 hbhhtt.exe 43 PID 2968 wrote to memory of 480 2968 hbhhtt.exe 43 PID 2968 wrote to memory of 480 2968 hbhhtt.exe 43 PID 480 wrote to memory of 2816 480 3dvdp.exe 44 PID 480 wrote to memory of 2816 480 3dvdp.exe 44 PID 480 wrote to memory of 2816 480 3dvdp.exe 44 PID 480 wrote to memory of 2816 480 3dvdp.exe 44 PID 2816 wrote to memory of 1816 2816 jjdjv.exe 45 PID 2816 wrote to memory of 1816 2816 jjdjv.exe 45 PID 2816 wrote to memory of 1816 2816 jjdjv.exe 45 PID 2816 wrote to memory of 1816 2816 jjdjv.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\375bd19dc3703e65bf67bf9b3e0825f9599aaac92288a24addc691db5c008b38.exe"C:\Users\Admin\AppData\Local\Temp\375bd19dc3703e65bf67bf9b3e0825f9599aaac92288a24addc691db5c008b38.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3040 -
\??\c:\rlffflr.exec:\rlffflr.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2168 -
\??\c:\260688.exec:\260688.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2528 -
\??\c:\o602068.exec:\o602068.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2544 -
\??\c:\ppvjj.exec:\ppvjj.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2344 -
\??\c:\nhtbnt.exec:\nhtbnt.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2876 -
\??\c:\xrlrflx.exec:\xrlrflx.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3004 -
\??\c:\fxfrxfr.exec:\fxfrxfr.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1932 -
\??\c:\bbnnbh.exec:\bbnnbh.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2628 -
\??\c:\vppdv.exec:\vppdv.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2608 -
\??\c:\c088446.exec:\c088446.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:996 -
\??\c:\lllrrxx.exec:\lllrrxx.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1660 -
\??\c:\4208662.exec:\4208662.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1876 -
\??\c:\hbhhtt.exec:\hbhhtt.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2968 -
\??\c:\3dvdp.exec:\3dvdp.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:480 -
\??\c:\jjdjv.exec:\jjdjv.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2816 -
\??\c:\vpjpd.exec:\vpjpd.exe17⤵
- Executes dropped EXE
PID:1816 -
\??\c:\a0842.exec:\a0842.exe18⤵
- Executes dropped EXE
PID:1820 -
\??\c:\864006.exec:\864006.exe19⤵
- Executes dropped EXE
PID:1980 -
\??\c:\bnbhtn.exec:\bnbhtn.exe20⤵
- Executes dropped EXE
PID:2948 -
\??\c:\5bhhhh.exec:\5bhhhh.exe21⤵
- Executes dropped EXE
PID:2432 -
\??\c:\pjvpv.exec:\pjvpv.exe22⤵
- Executes dropped EXE
PID:852 -
\??\c:\e88068.exec:\e88068.exe23⤵
- Executes dropped EXE
PID:2532 -
\??\c:\8602604.exec:\8602604.exe24⤵
- Executes dropped EXE
PID:1384 -
\??\c:\640686.exec:\640686.exe25⤵
- Executes dropped EXE
PID:2192 -
\??\c:\080606.exec:\080606.exe26⤵
- Executes dropped EXE
PID:1332 -
\??\c:\080028.exec:\080028.exe27⤵
- Executes dropped EXE
PID:1548 -
\??\c:\820028.exec:\820028.exe28⤵
- Executes dropped EXE
PID:2104 -
\??\c:\e48282.exec:\e48282.exe29⤵
- Executes dropped EXE
PID:2436 -
\??\c:\nnbbth.exec:\nnbbth.exe30⤵
- Executes dropped EXE
PID:1500 -
\??\c:\5rlflxl.exec:\5rlflxl.exe31⤵
- Executes dropped EXE
PID:1616 -
\??\c:\g0844.exec:\g0844.exe32⤵
- Executes dropped EXE
PID:3048 -
\??\c:\c422444.exec:\c422444.exe33⤵
- Executes dropped EXE
PID:1720 -
\??\c:\hbtbtt.exec:\hbtbtt.exe34⤵
- Executes dropped EXE
PID:2348 -
\??\c:\vvpdd.exec:\vvpdd.exe35⤵
- Executes dropped EXE
PID:2748 -
\??\c:\vvdjp.exec:\vvdjp.exe36⤵
- Executes dropped EXE
PID:2328 -
\??\c:\086228.exec:\086228.exe37⤵
- Executes dropped EXE
PID:2880 -
\??\c:\7ddjv.exec:\7ddjv.exe38⤵
- Executes dropped EXE
PID:2740 -
\??\c:\nhbtbn.exec:\nhbtbn.exe39⤵
- Executes dropped EXE
PID:2764 -
\??\c:\xrlrxxl.exec:\xrlrxxl.exe40⤵
- Executes dropped EXE
PID:1600 -
\??\c:\ffflxfl.exec:\ffflxfl.exe41⤵
- Executes dropped EXE
PID:2640 -
\??\c:\k80806.exec:\k80806.exe42⤵
- Executes dropped EXE
PID:2848 -
\??\c:\4246440.exec:\4246440.exe43⤵
- Executes dropped EXE
PID:2776 -
\??\c:\lfrrfrr.exec:\lfrrfrr.exe44⤵
- Executes dropped EXE
PID:2648 -
\??\c:\btntbh.exec:\btntbh.exe45⤵
- Executes dropped EXE
PID:2128 -
\??\c:\6680846.exec:\6680846.exe46⤵
- Executes dropped EXE
PID:996 -
\??\c:\fxrxxxf.exec:\fxrxxxf.exe47⤵
- Executes dropped EXE
PID:1824 -
\??\c:\662406.exec:\662406.exe48⤵
- Executes dropped EXE
PID:876 -
\??\c:\u828446.exec:\u828446.exe49⤵
- Executes dropped EXE
PID:2812 -
\??\c:\4042604.exec:\4042604.exe50⤵
- Executes dropped EXE
PID:784 -
\??\c:\tnbhtt.exec:\tnbhtt.exe51⤵
- Executes dropped EXE
PID:1496 -
\??\c:\66486.exec:\66486.exe52⤵
- Executes dropped EXE
PID:1804 -
\??\c:\ttttbn.exec:\ttttbn.exe53⤵
- Executes dropped EXE
PID:532 -
\??\c:\1bbbhn.exec:\1bbbhn.exe54⤵
- Executes dropped EXE
PID:2164 -
\??\c:\xxxflrr.exec:\xxxflrr.exe55⤵
- Executes dropped EXE
PID:2428 -
\??\c:\a4802.exec:\a4802.exe56⤵
- Executes dropped EXE
PID:3068 -
\??\c:\q08800.exec:\q08800.exe57⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2964 -
\??\c:\tnbbhh.exec:\tnbbhh.exe58⤵
- Executes dropped EXE
PID:2176 -
\??\c:\tnbhhh.exec:\tnbhhh.exe59⤵
- Executes dropped EXE
PID:852 -
\??\c:\7htttb.exec:\7htttb.exe60⤵
- Executes dropped EXE
PID:1788 -
\??\c:\6640846.exec:\6640846.exe61⤵
- Executes dropped EXE
PID:3064 -
\??\c:\862404.exec:\862404.exe62⤵
- Executes dropped EXE
PID:2532 -
\??\c:\q26604.exec:\q26604.exe63⤵
- Executes dropped EXE
PID:3008 -
\??\c:\g0804.exec:\g0804.exe64⤵
- Executes dropped EXE
PID:2136 -
\??\c:\dvppp.exec:\dvppp.exe65⤵
- Executes dropped EXE
PID:1644 -
\??\c:\48606.exec:\48606.exe66⤵PID:2472
-
\??\c:\26406.exec:\26406.exe67⤵PID:700
-
\??\c:\5xxflrl.exec:\5xxflrl.exe68⤵PID:2484
-
\??\c:\vjddp.exec:\vjddp.exe69⤵PID:3028
-
\??\c:\bbthht.exec:\bbthht.exe70⤵PID:2400
-
\??\c:\rlfrrfl.exec:\rlfrrfl.exe71⤵PID:1048
-
\??\c:\xrlrxxl.exec:\xrlrxxl.exe72⤵PID:1736
-
\??\c:\428400.exec:\428400.exe73⤵PID:2540
-
\??\c:\pppvp.exec:\pppvp.exe74⤵PID:1720
-
\??\c:\bnhbhh.exec:\bnhbhh.exe75⤵PID:2544
-
\??\c:\m2406.exec:\m2406.exe76⤵PID:2796
-
\??\c:\1ppdd.exec:\1ppdd.exe77⤵PID:2868
-
\??\c:\6066284.exec:\6066284.exe78⤵PID:2880
-
\??\c:\o820662.exec:\o820662.exe79⤵PID:2700
-
\??\c:\pjjjp.exec:\pjjjp.exe80⤵PID:2732
-
\??\c:\8240622.exec:\8240622.exe81⤵PID:1580
-
\??\c:\4862026.exec:\4862026.exe82⤵PID:316
-
\??\c:\4244062.exec:\4244062.exe83⤵PID:2892
-
\??\c:\646868.exec:\646868.exe84⤵PID:2660
-
\??\c:\ffrrffr.exec:\ffrrffr.exe85⤵PID:1948
-
\??\c:\ntnbtt.exec:\ntnbtt.exe86⤵PID:2228
-
\??\c:\pdvdv.exec:\pdvdv.exe87⤵PID:1800
-
\??\c:\2208262.exec:\2208262.exe88⤵PID:988
-
\??\c:\rrlrxxr.exec:\rrlrxxr.exe89⤵PID:2676
-
\??\c:\xrxflrx.exec:\xrxflrx.exe90⤵PID:592
-
\??\c:\684406.exec:\684406.exe91⤵PID:768
-
\??\c:\dvjvd.exec:\dvjvd.exe92⤵PID:2036
-
\??\c:\bttthh.exec:\bttthh.exe93⤵PID:1656
-
\??\c:\xrlfrrr.exec:\xrlfrrr.exe94⤵PID:1844
-
\??\c:\9jjdp.exec:\9jjdp.exe95⤵PID:2928
-
\??\c:\68024.exec:\68024.exe96⤵PID:1664
-
\??\c:\20280.exec:\20280.exe97⤵PID:1980
-
\??\c:\208884.exec:\208884.exe98⤵PID:2936
-
\??\c:\826462.exec:\826462.exe99⤵PID:872
-
\??\c:\tnhnbb.exec:\tnhnbb.exe100⤵PID:2360
-
\??\c:\86880.exec:\86880.exe101⤵PID:3052
-
\??\c:\3rlrrxf.exec:\3rlrrxf.exe102⤵PID:2792
-
\??\c:\ppjpj.exec:\ppjpj.exe103⤵PID:2784
-
\??\c:\26284.exec:\26284.exe104⤵PID:544
-
\??\c:\604026.exec:\604026.exe105⤵PID:1620
-
\??\c:\60208.exec:\60208.exe106⤵PID:2368
-
\??\c:\i668466.exec:\i668466.exe107⤵PID:1548
-
\??\c:\64062.exec:\64062.exe108⤵PID:1532
-
\??\c:\llffllr.exec:\llffllr.exe109⤵PID:2304
-
\??\c:\xffrrfr.exec:\xffrrfr.exe110⤵PID:3028
-
\??\c:\82680.exec:\82680.exe111⤵PID:848
-
\??\c:\rlrfflr.exec:\rlrfflr.exe112⤵PID:2060
-
\??\c:\6022446.exec:\6022446.exe113⤵PID:2168
-
\??\c:\1tnntt.exec:\1tnntt.exe114⤵PID:1076
-
\??\c:\3xlllrr.exec:\3xlllrr.exe115⤵PID:1624
-
\??\c:\9vpvd.exec:\9vpvd.exe116⤵PID:2856
-
\??\c:\7pdvd.exec:\7pdvd.exe117⤵PID:2900
-
\??\c:\4202828.exec:\4202828.exe118⤵PID:2836
-
\??\c:\6080228.exec:\6080228.exe119⤵PID:2724
-
\??\c:\60640.exec:\60640.exe120⤵PID:2700
-
\??\c:\8240624.exec:\8240624.exe121⤵PID:1612
-
\??\c:\vpvdp.exec:\vpvdp.exe122⤵PID:1600