Analysis
max time kernel: 120s
max time network: 17s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 24-11-2024 09:07
Behavioral task: behavioral1
Sample: 73c4963606d4e9d3dcff1cd55d0e7aa19582a623dfe47edb403493ace7250e72.exe
Resource: win7-20240903-en
General
Target: 73c4963606d4e9d3dcff1cd55d0e7aa19582a623dfe47edb403493ace7250e72.exe
Size: 87KB
MD5: 4b7f3720bb32bfbb1914aafd7419cdf0
SHA1: c0f28c08f8201d51e2ef53c04586785589249a79
SHA256: 73c4963606d4e9d3dcff1cd55d0e7aa19582a623dfe47edb403493ace7250e72
SHA512: 01bfe54325acad87ed8a78f1ab2d1bd62adbc4c38d1ceb179be9e060f1e057b474068ae0d101f9c85b8e0d12fd58fdaad8db7b9257c137bcf24b321e4429f1eb
SSDEEP: 1536:xvQBeOGtrYS3srx93UBWfwC6Ggnouy82F13w1rCJtzGeKuO+mqizpPubYDEzfY:xhOmTsF93UYfwC6GIout03LzuuOlzpPf
Malware Config
Signatures
Blackmoon family

Detect Blackmoon payload 49 IoCs
resource  yara_rule
behavioral1/memory/1036-12-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/1184-8-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/2128-29-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/2704-46-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/2140-37-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/2836-57-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/2728-67-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/2212-76-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/2704-86-0x0000000000220000-0x0000000000247000-memory.dmp  family_blackmoon
behavioral1/memory/2624-84-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/2596-94-0x0000000000220000-0x0000000000247000-memory.dmp  family_blackmoon
behavioral1/memory/2596-96-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/2040-106-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/1032-123-0x0000000000220000-0x0000000000247000-memory.dmp  family_blackmoon
behavioral1/memory/528-142-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/528-141-0x00000000003A0000-0x00000000003C7000-memory.dmp  family_blackmoon
behavioral1/memory/1388-133-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/2656-151-0x0000000000220000-0x0000000000247000-memory.dmp  family_blackmoon
behavioral1/memory/780-170-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/1912-180-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/2684-190-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/1988-207-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/1856-216-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/1136-226-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/1744-245-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/1780-253-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/2188-271-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/1944-288-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/2412-320-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/2616-371-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/2080-396-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/2888-409-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/1592-446-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/2568-619-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/1860-650-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/1472-691-0x0000000000220000-0x0000000000247000-memory.dmp  family_blackmoon
behavioral1/memory/1772-801-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/560-800-0x00000000003A0000-0x00000000003C7000-memory.dmp  family_blackmoon
behavioral1/memory/560-798-0x00000000003A0000-0x00000000003C7000-memory.dmp  family_blackmoon
behavioral1/memory/2272-824-0x00000000003C0000-0x00000000003E7000-memory.dmp  family_blackmoon
behavioral1/memory/2348-834-0x0000000000220000-0x0000000000247000-memory.dmp  family_blackmoon
behavioral1/memory/2012-865-0x0000000000220000-0x0000000000247000-memory.dmp  family_blackmoon
behavioral1/memory/2036-909-0x0000000000400000-0x0000000000427000-memory.dmp  family_blackmoon
behavioral1/memory/2036-908-0x0000000000220000-0x0000000000247000-memory.dmp  family_blackmoon
behavioral1/memory/2812-938-0x0000000000220000-0x0000000000247000-memory.dmp  family_blackmoon
behavioral1/memory/2820-1141-0x00000000003D0000-0x00000000003F7000-memory.dmp  family_blackmoon
behavioral1/memory/540-1325-0x0000000000220000-0x0000000000247000-memory.dmp  family_blackmoon
behavioral1/memory/1032-1462-0x0000000000220000-0x0000000000247000-memory.dmp  family_blackmoon
behavioral1/memory/472-1470-0x0000000000220000-0x0000000000247000-memory.dmp  family_blackmoon
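Every region in the list above is exactly 0x27000 bytes long, whether it sits at the image base 0x400000 or at a second address such as 0x220000 or 0x3A0000, and several processes (2704, 2596, 528, 2036) carry both. The on-disk sample is 87KB, smaller than that mapped region, which is what you expect from a UPX-packed file that expands in memory and is consistent with the upx rule matches further down. The following Python is an added example, not part of the sandbox report: it parses memory-dump match lines in the report's format and extracts those two facts so they can be checked rather than eyeballed. The sample lines are copied from the list above; treating 0x400000 as the image base is an assumption stated in the code.

```python
import re
from collections import defaultdict

# Constructed sample: a handful of the "Detect Blackmoon payload" memory
# matches copied from the report above (the full list has 49 entries).
SAMPLE_MATCHES = """
behavioral1/memory/1036-12-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon
behavioral1/memory/1184-8-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon
behavioral1/memory/2704-46-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon
behavioral1/memory/2704-86-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon
behavioral1/memory/528-142-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon
behavioral1/memory/528-141-0x00000000003A0000-0x00000000003C7000-memory.dmp family_blackmoon
behavioral1/memory/2272-824-0x00000000003C0000-0x00000000003E7000-memory.dmp family_blackmoon
"""

# Shape of one match line: behavioral1/memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp <rule>
MATCH_RE = re.compile(
    r"behavioral1/memory/(?P<pid>\d+)-(?P<seq>\d+)-"
    r"0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp\s+(?P<rule>\S+)"
)

# Assumption: 0x400000 is the image base of the dropped PE files.
IMAGE_BASE = 0x400000


def parse_matches(text):
    """Return a list of dicts {pid, seq, start, end, size, rule}; lines that are not memory dumps are skipped."""
    out = []
    for line in text.strip().splitlines():
        m = MATCH_RE.match(line.strip())
        if not m:
            continue
        start, end = int(m["start"], 16), int(m["end"], 16)
        out.append({"pid": int(m["pid"]), "seq": int(m["seq"]), "start": start,
                    "end": end, "size": end - start, "rule": m["rule"]})
    return out


def region_sizes(matches):
    """Set of distinct region sizes; a single element means every dump is the same size."""
    return {m["size"] for m in matches}


def regions_by_pid(matches):
    """Map pid -> sorted list of region start addresses where the rule matched."""
    by_pid = defaultdict(set)
    for m in matches:
        by_pid[m["pid"]].add(m["start"])
    return {pid: sorted(starts) for pid, starts in by_pid.items()}


def pids_with_second_copy(matches, image_base=IMAGE_BASE):
    """PIDs where the rule matched both at the image base and in a second, non-image region."""
    return sorted(pid for pid, starts in regions_by_pid(matches).items()
                  if image_base in starts and any(s != image_base for s in starts))


if __name__ == "__main__":
    matches = parse_matches(SAMPLE_MATCHES)
    print("distinct region sizes:", [hex(s) for s in region_sizes(matches)])
    print("pids holding a second copy:", pids_with_second_copy(matches))
```

Run against the full 49-line list the size set stays at a single value; a second size appearing would mean a different payload, not another copy of the same one, and is worth a closer look.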
Executes dropped EXE 64 IoCs
pid  Process
1036  lfffxfr.exe
2128  fxrrffr.exe
2140  htnttb.exe
2704  btbttb.exe
2836  jdjjp.exe
2728  7xllrxr.exe
2212  tnbntn.exe
2624  pdvvj.exe
2596  1jvdd.exe
2040  3rrfflr.exe
2080  nhhhhh.exe
1032  jjvvv.exe
1388  9ppdj.exe
528  9xxxllr.exe
2656  rlfflrx.exe
2144  hbhnbb.exe
780  dvpvv.exe
1912  5vpjj.exe
2684  fxfflrf.exe
2328  tnntbn.exe
1988  vpppj.exe
1856  djjpv.exe
1136  xrffllr.exe
2028  xxrlxxl.exe
1744  9bhhhn.exe
1780  jvjjp.exe
1488  3jpjp.exe
2188  lxllrxf.exe
1632  1bnnbh.exe
1944  bthhhh.exe
1232  vpjjp.exe
2332  7fflxfl.exe
1732  fxxxfxl.exe
2412  hhnnnn.exe
1556  vvvdj.exe
2864  jdpdj.exe
2816  3frfxxf.exe
2752  xlrrfff.exe
2840  hbtbhn.exe
2196  5hbnnn.exe
2644  9jdjj.exe
2616  vvdjp.exe
2668  xrflllr.exe
2764  7bhtht.exe
2672  7bbnhh.exe
2080  9jvvv.exe
1096  jdpjp.exe
2888  rxrfflf.exe
1480  tnhhtb.exe
1996  nhnhhh.exe
2656  vpppd.exe
1644  vvvdd.exe
1916  fxffxfr.exe
1592  3xrfffl.exe
1932  nbthtb.exe
2472  bbhntt.exe
2968  3pjjp.exe
2372  jjppd.exe
1720  5lffxlr.exe
2920  3xlxflx.exe
2576  9hthnn.exe
684  nbnhnn.exe
852  pjjdj.exe
816  pjddj.exe
Resources matching yara rule upx 64 IoCs
resource  yara_rule
behavioral1/memory/1184-0-0x0000000000400000-0x0000000000427000-memory.dmp  upx
behavioral1/files/0x00080000000120ff-9.dat  upx
behavioral1/memory/1036-12-0x0000000000400000-0x0000000000427000-memory.dmp  upx
behavioral1/memory/1184-8-0x0000000000400000-0x0000000000427000-memory.dmp  upx
behavioral1/files/0x00070000000192f0-30.dat  upx
behavioral1/memory/2128-29-0x0000000000400000-0x0000000000427000-memory.dmp  upx
behavioral1/files/0x000600000001933e-48.dat  upx
behavioral1/memory/2704-46-0x0000000000400000-0x0000000000427000-memory.dmp  upx
behavioral1/files/0x000600000001932a-39.dat  upx
behavioral1/memory/2140-37-0x0000000000400000-0x0000000000427000-memory.dmp  upx
behavioral1/files/0x000800000001925c-20.dat  upx
behavioral1/memory/2128-19-0x0000000000400000-0x0000000000427000-memory.dmp  upx
behavioral1/memory/2836-52-0x0000000000220000-0x0000000000247000-memory.dmp  upx
behavioral1/files/0x0006000000019346-59.dat  upx
behavioral1/memory/2836-57-0x0000000000400000-0x0000000000427000-memory.dmp  upx
behavioral1/files/0x0006000000019384-65.dat  upx
behavioral1/memory/2728-67-0x0000000000400000-0x0000000000427000-memory.dmp  upx
behavioral1/files/0x00080000000193af-77.dat  upx
behavioral1/memory/2212-76-0x0000000000400000-0x0000000000427000-memory.dmp  upx
behavioral1/files/0x00060000000194f6-85.dat  upx
behavioral1/memory/2624-84-0x0000000000400000-0x0000000000427000-memory.dmp  upx
behavioral1/memory/2596-94-0x0000000000220000-0x0000000000247000-memory.dmp  upx
behavioral1/files/0x0005000000019501-97.dat  upx
behavioral1/memory/2596-96-0x0000000000400000-0x0000000000427000-memory.dmp  upx
behavioral1/memory/2040-106-0x0000000000400000-0x0000000000427000-memory.dmp  upx
behavioral1/files/0x0005000000019503-105.dat  upx
behavioral1/files/0x0005000000019515-115.dat  upx
behavioral1/files/0x000500000001953a-124.dat  upx
behavioral1/files/0x000500000001957c-134.dat  upx
behavioral1/memory/528-142-0x0000000000400000-0x0000000000427000-memory.dmp  upx
behavioral1/files/0x0005000000019589-143.dat  upx
behavioral1/memory/1388-133-0x0000000000400000-0x0000000000427000-memory.dmp  upx
behavioral1/files/0x000500000001961b-153.dat  upx
behavioral1/files/0x000500000001961f-160.dat  upx
behavioral1/files/0x0005000000019624-171.dat  upx
behavioral1/memory/780-170-0x0000000000400000-0x0000000000427000-memory.dmp  upx
behavioral1/memory/1912-180-0x0000000000400000-0x0000000000427000-memory.dmp  upx
behavioral1/files/0x0005000000019625-179.dat  upx
behavioral1/files/0x00050000000197c1-191.dat  upx
behavioral1/memory/2684-190-0x0000000000400000-0x0000000000427000-memory.dmp  upx
behavioral1/files/0x0005000000019aea-198.dat  upx
behavioral1/files/0x0005000000019aec-205.dat  upx
behavioral1/memory/1856-209-0x0000000000400000-0x0000000000427000-memory.dmp  upx
behavioral1/memory/1988-207-0x0000000000400000-0x0000000000427000-memory.dmp  upx
behavioral1/files/0x0005000000019aee-217.dat  upx
behavioral1/memory/1856-216-0x0000000000400000-0x0000000000427000-memory.dmp  upx
behavioral1/memory/1136-226-0x0000000000400000-0x0000000000427000-memory.dmp  upx
behavioral1/files/0x0005000000019c50-227.dat  upx
behavioral1/files/0x0005000000019c66-237.dat  upx
behavioral1/files/0x0005000000019c68-246.dat  upx
behavioral1/memory/1744-245-0x0000000000400000-0x0000000000427000-memory.dmp  upx
behavioral1/files/0x0005000000019cbf-254.dat  upx
behavioral1/memory/1780-253-0x0000000000400000-0x0000000000427000-memory.dmp  upx
behavioral1/files/0x0005000000019d8b-262.dat  upx
behavioral1/memory/2188-271-0x0000000000400000-0x0000000000427000-memory.dmp  upx
behavioral1/memory/1632-272-0x0000000000400000-0x0000000000427000-memory.dmp  upx
behavioral1/files/0x0005000000019f4a-269.dat  upx
behavioral1/files/0x0005000000019f4e-280.dat  upx
behavioral1/memory/1944-288-0x0000000000400000-0x0000000000427000-memory.dmp  upx
behavioral1/files/0x000500000001a04e-289.dat  upx
behavioral1/files/0x000500000001a061-297.dat  upx
behavioral1/memory/2332-298-0x0000000000400000-0x0000000000427000-memory.dmp  upx
behavioral1/memory/2332-306-0x0000000000220000-0x0000000000247000-memory.dmp  upx
behavioral1/memory/2412-320-0x0000000000400000-0x0000000000427000-memory.dmp  upx
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: flffxrl.exe, 1xllfxl.exe, dvpvv.exe, vpjjj.exe, tnttht.exe, xrfrfxf.exe, nhnhhh.exe, xfrrxrf.exe, lxffflr.exe, 1nthtt.exe, 3xrfffl.exe, nbnhhh.exe, nhnnnn.exe
description  ioc  Process
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  flffxrl.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  1xllfxl.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  dvpvv.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  vpjjj.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  tnttht.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  xrfrfxf.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  nhnhhh.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  xfrrxrf.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  lxffflr.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  1nthtt.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  3xrfffl.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  nbnhhh.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  nhnnnn.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (51 further identical events for which the report does not name the process)
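A read of the NLS\Language key is a weak signal on its own: plenty of benign software opens it, and the signature says nothing about who the reader is. What makes it interesting in this run is the reader: executables sitting directly in c:\ whose names are an optional digit followed by five to seven letters drawn only from b, d, f, h, j, l, n, p, r, t, v and x (lfffxfr.exe, 7xllrxr.exe, 3xrfffl.exe and so on, every dropped file above follows it). The Python below is an added example, not part of the report and not a Blackmoon-specific rule: it applies that correlation as a triage filter over registry-open events written in the shape of this report. The naming pattern is an observation about this one sample set, the event format and the explorer.exe control line are constructed, and both are marked as assumptions in the code.

```python
import re
from pathlib import PureWindowsPath

NLS_LANGUAGE_KEY = r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"

# Assumption: names of the files dropped in this run use only the letters
# b d f h j l n p r t v x, optionally preceded by one digit (lfffxfr.exe,
# 7xllrxr.exe, 3xrfffl.exe). This describes this sample set, not the family.
DROPPER_NAME_RE = re.compile(r"^\d?[bdfhjlnprtvx]{5,7}\.exe$", re.IGNORECASE)

# Constructed sample events, one per line: "<pid> <image path> Key opened <registry key>".
# The first three mirror report entries (pids 780, 1996, 1592); explorer.exe is a
# benign control that opens the same key; the last line opens a different key.
SAMPLE_EVENTS = r"""
780 c:\dvpvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
1996 c:\nhnhhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
1592 c:\3xrfffl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
1412 C:\Windows\explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
2144 c:\hbhnbb.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"""

EVENT_RE = re.compile(r"^(?P<pid>\d+)\s+(?P<image>\S+)\s+Key opened\s+(?P<key>\S+)$")


def parse_events(text):
    """Parse the constructed event lines into dicts {pid, image, key}; malformed lines are skipped."""
    events = []
    for line in text.strip().splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            events.append({"pid": int(m["pid"]), "image": m["image"], "key": m["key"]})
    return events


def is_dropper_like(image_path):
    """True when the image sits directly in a drive root and its name fits the dropper pattern."""
    p = PureWindowsPath(image_path)
    in_drive_root = str(p.parent) == p.anchor  # e.g. parent 'c:\' equals anchor 'c:\'
    return in_drive_root and DROPPER_NAME_RE.match(p.name) is not None


def classify(event):
    """'alert' for an NLS\\Language read by a dropper-like image, 'weak' for any other reader, None otherwise."""
    if event["key"].lower() != NLS_LANGUAGE_KEY.lower():
        return None
    return "alert" if is_dropper_like(event["image"]) else "weak"


def triage(text):
    """Bucket pids by verdict so the weak hits can be reviewed separately from the alerts."""
    result = {"alert": [], "weak": []}
    for ev in parse_events(text):
        verdict = classify(ev)
        if verdict:
            result[verdict].append(ev["pid"])
    return result


if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))
```

The point of the split verdict is that the registry read alone never pages anyone; it only becomes an alert when the reader itself already looks wrong, which is the correlation a hunting query over EDR registry telemetry should encode.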
Suspicious use of WriteProcessMemory 64 IoCs
Processes: 73c4963606d4e9d3dcff1cd55d0e7aa19582a623dfe47edb403493ace7250e72.exe, lfffxfr.exe, fxrrffr.exe, htnttb.exe, btbttb.exe, jdjjp.exe, 7xllrxr.exe, tnbntn.exe, pdvvj.exe, 1jvdd.exe, 3rrfflr.exe, nhhhhh.exe, jjvvv.exe, 9ppdj.exe, 9xxxllr.exe, rlfflrx.exe
Each parent/child pair below is recorded four times in the report (16 pairs, 64 IoCs).
description  pid  Process  procid_target
PID 1184 wrote to memory of 1036  1184  73c4963606d4e9d3dcff1cd55d0e7aa19582a623dfe47edb403493ace7250e72.exe  30
PID 1036 wrote to memory of 2128  1036  lfffxfr.exe  31
PID 2128 wrote to memory of 2140  2128  fxrrffr.exe  32
PID 2140 wrote to memory of 2704  2140  htnttb.exe  33
PID 2704 wrote to memory of 2836  2704  btbttb.exe  34
PID 2836 wrote to memory of 2728  2836  jdjjp.exe  35
PID 2728 wrote to memory of 2212  2728  7xllrxr.exe  36
PID 2212 wrote to memory of 2624  2212  tnbntn.exe  37
PID 2624 wrote to memory of 2596  2624  pdvvj.exe  38
PID 2596 wrote to memory of 2040  2596  1jvdd.exe  39
PID 2040 wrote to memory of 2080  2040  3rrfflr.exe  40
PID 2080 wrote to memory of 1032  2080  nhhhhh.exe  41
PID 1032 wrote to memory of 1388  1032  jjvvv.exe  42
PID 1388 wrote to memory of 528  1388  9ppdj.exe  43
PID 528 wrote to memory of 2656  528  9xxxllr.exe  44
PID 2656 wrote to memory of 2144  2656  rlfflrx.exe  45
Processes (depth = position in the process tree; each entry is the child of the one above it)
depth | image | command line | PID | signatures
1 | C:\Users\Admin\AppData\Local\Temp\73c4963606d4e9d3dcff1cd55d0e7aa19582a623dfe47edb403493ace7250e72.exe | "C:\Users\Admin\AppData\Local\Temp\73c4963606d4e9d3dcff1cd55d0e7aa19582a623dfe47edb403493ace7250e72.exe" | 1184 | Suspicious use of WriteProcessMemory
2 | \??\c:\lfffxfr.exe | c:\lfffxfr.exe | 1036 | Executes dropped EXE; Suspicious use of WriteProcessMemory
3 | \??\c:\fxrrffr.exe | c:\fxrrffr.exe | 2128 | Executes dropped EXE; Suspicious use of WriteProcessMemory
4 | \??\c:\htnttb.exe | c:\htnttb.exe | 2140 | Executes dropped EXE; Suspicious use of WriteProcessMemory
5 | \??\c:\btbttb.exe | c:\btbttb.exe | 2704 | Executes dropped EXE; Suspicious use of WriteProcessMemory
6 | \??\c:\jdjjp.exe | c:\jdjjp.exe | 2836 | Executes dropped EXE; Suspicious use of WriteProcessMemory
7 | \??\c:\7xllrxr.exe | c:\7xllrxr.exe | 2728 | Executes dropped EXE; Suspicious use of WriteProcessMemory
8 | \??\c:\tnbntn.exe | c:\tnbntn.exe | 2212 | Executes dropped EXE; Suspicious use of WriteProcessMemory
9 | \??\c:\pdvvj.exe | c:\pdvvj.exe | 2624 | Executes dropped EXE; Suspicious use of WriteProcessMemory
10 | \??\c:\1jvdd.exe | c:\1jvdd.exe | 2596 | Executes dropped EXE; Suspicious use of WriteProcessMemory
11 | \??\c:\3rrfflr.exe | c:\3rrfflr.exe | 2040 | Executes dropped EXE; Suspicious use of WriteProcessMemory
12 | \??\c:\nhhhhh.exe | c:\nhhhhh.exe | 2080 | Executes dropped EXE; Suspicious use of WriteProcessMemory
13 | \??\c:\jjvvv.exe | c:\jjvvv.exe | 1032 | Executes dropped EXE; Suspicious use of WriteProcessMemory
14 | \??\c:\9ppdj.exe | c:\9ppdj.exe | 1388 | Executes dropped EXE; Suspicious use of WriteProcessMemory
15 | \??\c:\9xxxllr.exe | c:\9xxxllr.exe | 528 | Executes dropped EXE; Suspicious use of WriteProcessMemory
16 | \??\c:\rlfflrx.exe | c:\rlfflrx.exe | 2656 | Executes dropped EXE; Suspicious use of WriteProcessMemory
17 | \??\c:\hbhnbb.exe | c:\hbhnbb.exe | 2144 | Executes dropped EXE
18 | \??\c:\dvpvv.exe | c:\dvpvv.exe | 780 | Executes dropped EXE; System Location Discovery: System Language Discovery
19 | \??\c:\5vpjj.exe | c:\5vpjj.exe | 1912 | Executes dropped EXE
20 | \??\c:\fxfflrf.exe | c:\fxfflrf.exe | 2684 | Executes dropped EXE
21 | \??\c:\tnntbn.exe | c:\tnntbn.exe | 2328 | Executes dropped EXE
22 | \??\c:\vpppj.exe | c:\vpppj.exe | 1988 | Executes dropped EXE
23 | \??\c:\djjpv.exe | c:\djjpv.exe | 1856 | Executes dropped EXE
24 | \??\c:\xrffllr.exe | c:\xrffllr.exe | 1136 | Executes dropped EXE
25 | \??\c:\xxrlxxl.exe | c:\xxrlxxl.exe | 2028 | Executes dropped EXE
26 | \??\c:\9bhhhn.exe | c:\9bhhhn.exe | 1744 | Executes dropped EXE
27 | \??\c:\jvjjp.exe | c:\jvjjp.exe | 1780 | Executes dropped EXE
28 | \??\c:\3jpjp.exe | c:\3jpjp.exe | 1488 | Executes dropped EXE
29 | \??\c:\lxllrxf.exe | c:\lxllrxf.exe | 2188 | Executes dropped EXE
30 | \??\c:\1bnnbh.exe | c:\1bnnbh.exe | 1632 | Executes dropped EXE
31 | \??\c:\bthhhh.exe | c:\bthhhh.exe | 1944 | Executes dropped EXE
32 | \??\c:\vpjjp.exe | c:\vpjjp.exe | 1232 | Executes dropped EXE
33 | \??\c:\7fflxfl.exe | c:\7fflxfl.exe | 2332 | Executes dropped EXE
34 | \??\c:\fxxxfxl.exe | c:\fxxxfxl.exe | 1732 | Executes dropped EXE
35 | \??\c:\hhnnnn.exe | c:\hhnnnn.exe | 2412 | Executes dropped EXE
36 | \??\c:\vvvdj.exe | c:\vvvdj.exe | 1556 | Executes dropped EXE
37 | \??\c:\jdpdj.exe | c:\jdpdj.exe | 2864 | Executes dropped EXE
38 | \??\c:\3frfxxf.exe | c:\3frfxxf.exe | 2816 | Executes dropped EXE
39 | \??\c:\xlrrfff.exe | c:\xlrrfff.exe | 2752 | Executes dropped EXE
40 | \??\c:\hbtbhn.exe | c:\hbtbhn.exe | 2840 | Executes dropped EXE
41 | \??\c:\5hbnnn.exe | c:\5hbnnn.exe | 2196 | Executes dropped EXE
42 | \??\c:\9jdjj.exe | c:\9jdjj.exe | 2644 | Executes dropped EXE
43 | \??\c:\vvdjp.exe | c:\vvdjp.exe | 2616 | Executes dropped EXE
44 | \??\c:\xrflllr.exe | c:\xrflllr.exe | 2668 | Executes dropped EXE
45 | \??\c:\7bhtht.exe | c:\7bhtht.exe | 2764 | Executes dropped EXE
46 | \??\c:\7bbnhh.exe | c:\7bbnhh.exe | 2672 | Executes dropped EXE
47 | \??\c:\9jvvv.exe | c:\9jvvv.exe | 2080 | Executes dropped EXE
48 | \??\c:\jdpjp.exe | c:\jdpjp.exe | 1096 | Executes dropped EXE
49 | \??\c:\rxrfflf.exe | c:\rxrfflf.exe | 2888 | Executes dropped EXE
50 | \??\c:\tnhhtb.exe | c:\tnhhtb.exe | 1480 | Executes dropped EXE
51 | \??\c:\nhnhhh.exe | c:\nhnhhh.exe | 1996 | Executes dropped EXE; System Location Discovery: System Language Discovery
52 | \??\c:\vpppd.exe | c:\vpppd.exe | 2656 | Executes dropped EXE
53 | \??\c:\vvvdd.exe | c:\vvvdd.exe | 1644 | Executes dropped EXE
54 | \??\c:\fxffxfr.exe | c:\fxffxfr.exe | 1916 | Executes dropped EXE
55 | \??\c:\3xrfffl.exe | c:\3xrfffl.exe | 1592 | Executes dropped EXE; System Location Discovery: System Language Discovery
56 | \??\c:\nbthtb.exe | c:\nbthtb.exe | 1932 | Executes dropped EXE
57 | \??\c:\bbhntt.exe | c:\bbhntt.exe | 2472 | Executes dropped EXE
58 | \??\c:\3pjjp.exe | c:\3pjjp.exe | 2968 | Executes dropped EXE
59 | \??\c:\jjppd.exe | c:\jjppd.exe | 2372 | Executes dropped EXE
60 | \??\c:\5lffxlr.exe | c:\5lffxlr.exe | 1720 | Executes dropped EXE
61 | \??\c:\3xlxflx.exe | c:\3xlxflx.exe | 2920 | Executes dropped EXE
62 | \??\c:\9hthnn.exe | c:\9hthnn.exe | 2576 | Executes dropped EXE
63 | \??\c:\nbnhnn.exe | c:\nbnhnn.exe | 684 | Executes dropped EXE
64 | \??\c:\pjjdj.exe | c:\pjjdj.exe | 852 | Executes dropped EXE
65 | \??\c:\pjddj.exe | c:\pjddj.exe | 816 | Executes dropped EXE
66 | \??\c:\frxflfx.exe | c:\frxflfx.exe | 1744 |
67 | \??\c:\5flrflr.exe | c:\5flrflr.exe | 3064 |
68 | \??\c:\3tntbt.exe | c:\3tntbt.exe | 1296 |
69 | \??\c:\thtbhn.exe | c:\thtbhn.exe | 1928 |
70 | \??\c:\jdjjv.exe | c:\jdjjv.exe | 1564 |
71 | \??\c:\pjvdj.exe | c:\pjvdj.exe | 2540 |
72 | \??\c:\tnttbb.exe | c:\tnttbb.exe | 1980 |
73 | \??\c:\3thnhn.exe | c:\3thnhn.exe | 2272 |
74 | \??\c:\htbbhh.exe | c:\htbbhh.exe | 1704 |
75 | \??\c:\5jvvv.exe | c:\5jvvv.exe | 2132 |
76 | \??\c:\jdpvj.exe | c:\jdpvj.exe | 2740 |
77 | \??\c:\xrllllr.exe | c:\xrllllr.exe | 2440 |
78 | \??\c:\lflrxxf.exe | c:\lflrxxf.exe | 2116 |
79 | \??\c:\ntthhb.exe | c:\ntthhb.exe | 2012 |
80 | \??\c:\jjpjd.exe | c:\jjpjd.exe | 2152 |
81 | \??\c:\dvppv.exe | c:\dvppv.exe | 2804 |
82 | \??\c:\rlxrxff.exe | c:\rlxrxff.exe | 2728 |
83 | \??\c:\lxffflr.exe | c:\lxffflr.exe | 2568 | System Location Discovery: System Language Discovery
84 | \??\c:\frxrrll.exe | c:\frxrrll.exe | 2708 |
85 | \??\c:\1hnnnt.exe | c:\1hnnnt.exe | 2592 |
86 | \??\c:\3pddv.exe | c:\3pddv.exe | 2796 |
87 | \??\c:\jjvdp.exe | c:\jjvdp.exe | 2260 |
88 | \??\c:\9rffxxf.exe | c:\9rffxxf.exe | 1860 |
89 | \??\c:\xxffrlf.exe | c:\xxffrlf.exe | 2300 |
90 | \??\c:\3flllrr.exe | c:\3flllrr.exe | 748 |
91 | \??\c:\3ntnbb.exe | c:\3ntnbb.exe | 1972 |
92 | \??\c:\hbhhbh.exe | c:\hbhhbh.exe | 1084 |
93 | \??\c:\7vpvv.exe | c:\7vpvv.exe | 376 |
94 | \??\c:\jvdvp.exe | c:\jvdvp.exe | 928 |
95 | \??\c:\xxflrfl.exe | c:\xxflrfl.exe | 1472 |
96 | \??\c:\frxxfxr.exe | c:\frxxfxr.exe | 1716 |
97 | \??\c:\hhhhbh.exe | c:\hhhhbh.exe | 2496 |
98 | \??\c:\bnbhbb.exe | c:\bnbhbb.exe | 1148 |
99 | \??\c:\ppjjv.exe | c:\ppjjv.exe | 2904 |
100 | \??\c:\1vpvv.exe | c:\1vpvv.exe | 2684 |
101 | \??\c:\rrrffrf.exe | c:\rrrffrf.exe | 2932 |
102 | \??\c:\rllrfxf.exe | c:\rllrfxf.exe | 2996 |
103 | \??\c:\tntnbb.exe | c:\tntnbb.exe | 2056 |
104 | \??\c:\nhtbtn.exe | c:\nhtbtn.exe | 2984 |
105 | \??\c:\tntntt.exe | c:\tntntt.exe | 596 |
106 | \??\c:\1jddj.exe | c:\1jddj.exe | 1136 |
107 | \??\c:\jdvpv.exe | c:\jdvpv.exe | 1268 |
108 | \??\c:\lxxrlfx.exe | c:\lxxrlfx.exe | 1868 |
109 | \??\c:\fflrxfl.exe | c:\fflrxfl.exe | 1596 |
110 | \??\c:\btnttb.exe | c:\btnttb.exe | 1772 |
111 | \??\c:\nhnthb.exe | c:\nhnthb.exe | 2312 |
112 | \??\c:\jvjdd.exe | c:\jvjdd.exe | 560 |
113 | \??\c:\dvjjd.exe | c:\dvjjd.exe | 272 |
114 | \??\c:\9jpjd.exe | c:\9jpjd.exe | 1632 |
115 | \??\c:\lrxrrlr.exe | c:\lrxrrlr.exe | 1980 |
116 | \??\c:\9nhbhh.exe | c:\9nhbhh.exe | 2272 |
117 | \??\c:\htbhtb.exe | c:\htbhtb.exe | 2348 |
118 | \??\c:\9vdvd.exe | c:\9vdvd.exe | 2132 |
119 | \??\c:\jjdjj.exe | c:\jjdjj.exe | 2724 |
120 | \??\c:\5lrrlll.exe | c:\5lrrlll.exe | 2440 |
121 | \??\c:\ffxlrrf.exe | c:\ffxlrrf.exe | 1572 |
122 | \??\c:\xflffrx.exe | c:\xflffrx.exe | 2012 |