Analysis
-
max time kernel
150s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
18-12-2024 05:17
Behavioral task
behavioral1
Sample
113844635d8ba6ae7906014cbe023447de5a269761ceb4949e1d814220693eef.exe
Resource
win7-20240903-en
7 signatures
150 seconds
General
-
Target
113844635d8ba6ae7906014cbe023447de5a269761ceb4949e1d814220693eef.exe
-
Size
378KB
-
MD5
ff6a31485fc178613ce9cd886a6343a6
-
SHA1
66a7fb935a0d73e068e3e630fb208b871e90dca8
-
SHA256
113844635d8ba6ae7906014cbe023447de5a269761ceb4949e1d814220693eef
-
SHA512
4e8cb5c9cb4818a3c79c9774ddc297e163c93d2e31375105f68de60984e780eccc384569fcf74bc368df8ccd95983f2572886888c52714ac1526557c2ef39896
-
SSDEEP
6144:0cm4FmowdHoSHWVs+QEoD/dL/4oSlCIqbKRs4EkfRDaPRrnVkWHQrvD:C4wFHoS2Vs+IdMoSzqkR5RWVVWrL
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 45 IoCs
resource yara_rule behavioral1/memory/2660-10-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2516-7-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2660-18-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/3008-29-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/3032-32-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2772-51-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2724-47-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2612-75-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2596-87-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2744-85-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2628-103-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1632-112-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1948-121-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1880-138-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1648-147-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1900-156-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1000-192-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1540-220-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1944-211-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1944-209-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/1592-234-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral1/memory/3052-230-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/936-248-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1996-293-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2940-308-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2736-353-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2576-366-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/348-405-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/844-430-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1656-438-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2504-445-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2812-459-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1036-478-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2776-534-0x00000000001B0000-0x00000000001D7000-memory.dmp family_blackmoon behavioral1/memory/1992-565-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2828-657-0x0000000000320000-0x0000000000347000-memory.dmp family_blackmoon behavioral1/memory/448-763-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/808-818-0x0000000000230000-0x0000000000257000-memory.dmp family_blackmoon behavioral1/memory/892-821-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/3008-856-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2276-868-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/3052-1040-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral1/memory/2412-1089-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2172-1258-0x00000000003B0000-0x00000000003D7000-memory.dmp family_blackmoon behavioral1/memory/280-1297-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2660 xffrlrf.exe 3008 jdvdp.exe 3032 fxrxlrf.exe 2724 nnnttb.exe 2772 dvvjv.exe 2584 9ffrxfr.exe 2612 7ppvj.exe 2744 rlfrflf.exe 2596 hnbnnb.exe 2628 ddvdv.exe 1632 tnbbnh.exe 1948 dvjpd.exe 1636 fxxfrxl.exe 1880 btthbn.exe 1648 ffxfllr.exe 1900 bhhtbn.exe 856 pvjjp.exe 2812 1frfllx.exe 2116 dvvjd.exe 1000 3fffxlx.exe 2216 dvvvj.exe 1944 jjdpd.exe 1540 rrllffr.exe 3052 nnthnt.exe 1592 jddjv.exe 936 xflfxfx.exe 2464 3ddjj.exe 1976 nnbntt.exe 2428 fxrrffr.exe 1416 fffrfxl.exe 1996 dvjvd.exe 2144 xxxfxlx.exe 2940 nhbtbh.exe 3004 dvvdj.exe 2204 llfrxlf.exe 1488 5thttt.exe 2684 tnbntt.exe 2680 5pvjd.exe 3044 5flxxxf.exe 2736 rrlxrxr.exe 2768 1bbntb.exe 2576 ddpdp.exe 2588 dddvd.exe 2964 xrlxflr.exe 2972 tbbtnn.exe 1020 nnnbtb.exe 992 9pvdd.exe 348 5lxfrlx.exe 2020 xrfxlrl.exe 2396 hbthbh.exe 1708 jjdjv.exe 844 5pjpp.exe 1656 xffxrfx.exe 2504 fffxllr.exe 1176 nnhnhh.exe 2812 jvpvp.exe 2116 llffllr.exe 320 9lxrffl.exe 1036 bttnbb.exe 1220 tnbhtb.exe 916 jdpdp.exe 1172 llxfxfl.exe 2904 3bnbhb.exe 1896 hhtbnt.exe -
resource yara_rule behavioral1/memory/2516-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2660-10-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000c000000012263-9.dat upx behavioral1/memory/2516-7-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2660-18-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0008000000016cfe-16.dat upx behavioral1/memory/3008-29-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/3032-32-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0007000000016d0b-28.dat upx behavioral1/files/0x0008000000016d13-39.dat upx behavioral1/memory/2772-51-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0007000000016d2e-57.dat upx behavioral1/files/0x0007000000016d24-49.dat upx behavioral1/memory/2724-47-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0007000000016d36-64.dat upx behavioral1/memory/2612-67-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2612-75-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0008000000016d3f-77.dat upx behavioral1/files/0x0008000000016d47-84.dat upx behavioral1/memory/2596-87-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2744-85-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00060000000174ac-94.dat upx behavioral1/memory/2628-103-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000600000001752f-101.dat upx behavioral1/memory/1632-112-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x001500000001866d-111.dat upx behavioral1/files/0x0009000000018678-119.dat upx behavioral1/memory/1948-121-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0005000000018690-129.dat upx behavioral1/files/0x000500000001879b-136.dat upx 
behavioral1/memory/1880-138-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/1648-147-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00060000000190cd-145.dat upx behavioral1/memory/1900-156-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00060000000190d6-154.dat upx behavioral1/files/0x00050000000191f3-164.dat upx behavioral1/memory/2812-172-0x0000000000220000-0x0000000000247000-memory.dmp upx behavioral1/files/0x0009000000016c58-174.dat upx behavioral1/files/0x00050000000191f7-182.dat upx behavioral1/files/0x0005000000019218-191.dat upx behavioral1/memory/1000-192-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/1000-189-0x0000000000220000-0x0000000000247000-memory.dmp upx behavioral1/files/0x0005000000019229-202.dat upx behavioral1/files/0x000500000001924c-221.dat upx behavioral1/memory/1540-220-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0005000000019234-212.dat upx behavioral1/memory/1944-211-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/1592-234-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001926b-232.dat upx behavioral1/memory/3052-230-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0005000000019271-241.dat upx behavioral1/memory/936-248-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2464-250-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0005000000019273-249.dat upx behavioral1/files/0x0005000000019277-259.dat upx behavioral1/files/0x0005000000019382-268.dat upx behavioral1/files/0x0005000000019389-276.dat upx behavioral1/files/0x00050000000193be-284.dat upx behavioral1/memory/1996-285-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00050000000193c4-294.dat upx behavioral1/memory/1996-293-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral1/memory/2940-308-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2736-353-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2576-366-0x0000000000400000-0x0000000000427000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7rlrxlx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9jppv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7pjjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhbbbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7hnntb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdjvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not 
Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnhhtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2516 wrote to memory of 2660 2516 113844635d8ba6ae7906014cbe023447de5a269761ceb4949e1d814220693eef.exe 30 PID 2516 wrote to memory of 2660 2516 113844635d8ba6ae7906014cbe023447de5a269761ceb4949e1d814220693eef.exe 30 PID 2516 wrote to memory of 2660 2516 113844635d8ba6ae7906014cbe023447de5a269761ceb4949e1d814220693eef.exe 30 PID 2516 wrote to memory of 2660 2516 113844635d8ba6ae7906014cbe023447de5a269761ceb4949e1d814220693eef.exe 30 PID 2660 wrote to memory of 3008 2660 xffrlrf.exe 31 PID 2660 wrote to memory of 3008 2660 xffrlrf.exe 31 PID 2660 wrote to memory of 3008 2660 xffrlrf.exe 31 PID 2660 wrote to memory of 3008 2660 xffrlrf.exe 31 PID 3008 wrote to memory of 3032 3008 jdvdp.exe 32 PID 3008 wrote to memory of 3032 3008 jdvdp.exe 32 PID 3008 wrote to memory of 3032 3008 jdvdp.exe 32 PID 3008 wrote to memory of 3032 3008 jdvdp.exe 32 PID 3032 wrote to memory of 2724 3032 fxrxlrf.exe 33 PID 3032 wrote to memory of 2724 3032 fxrxlrf.exe 33 PID 3032 wrote to memory of 2724 3032 fxrxlrf.exe 33 PID 3032 wrote to memory of 2724 3032 fxrxlrf.exe 33 PID 2724 wrote to memory of 2772 2724 nnnttb.exe 34 PID 2724 wrote to memory of 2772 2724 nnnttb.exe 34 PID 2724 wrote to memory of 2772 2724 nnnttb.exe 34 PID 2724 wrote to memory of 2772 2724 nnnttb.exe 34 PID 2772 wrote to memory of 2584 2772 dvvjv.exe 35 PID 2772 wrote to memory of 2584 2772 dvvjv.exe 35 PID 2772 wrote to memory of 2584 2772 dvvjv.exe 35 PID 2772 wrote to memory of 2584 2772 dvvjv.exe 35 PID 2584 wrote to memory of 2612 2584 9ffrxfr.exe 36 PID 2584 wrote to memory of 2612 2584 9ffrxfr.exe 36 PID 2584 wrote to memory of 2612 2584 9ffrxfr.exe 36 PID 2584 wrote to memory of 2612 2584 9ffrxfr.exe 36 PID 2612 wrote to memory of 2744 2612 7ppvj.exe 37 PID 2612 wrote to memory of 2744 2612 7ppvj.exe 37 PID 2612 wrote to memory of 2744 2612 7ppvj.exe 37 PID 2612 wrote to memory of 2744 2612 7ppvj.exe 37 PID 2744 wrote to memory of 2596 2744 rlfrflf.exe 38 PID 2744 
wrote to memory of 2596 2744 rlfrflf.exe 38 PID 2744 wrote to memory of 2596 2744 rlfrflf.exe 38 PID 2744 wrote to memory of 2596 2744 rlfrflf.exe 38 PID 2596 wrote to memory of 2628 2596 hnbnnb.exe 39 PID 2596 wrote to memory of 2628 2596 hnbnnb.exe 39 PID 2596 wrote to memory of 2628 2596 hnbnnb.exe 39 PID 2596 wrote to memory of 2628 2596 hnbnnb.exe 39 PID 2628 wrote to memory of 1632 2628 ddvdv.exe 40 PID 2628 wrote to memory of 1632 2628 ddvdv.exe 40 PID 2628 wrote to memory of 1632 2628 ddvdv.exe 40 PID 2628 wrote to memory of 1632 2628 ddvdv.exe 40 PID 1632 wrote to memory of 1948 1632 tnbbnh.exe 41 PID 1632 wrote to memory of 1948 1632 tnbbnh.exe 41 PID 1632 wrote to memory of 1948 1632 tnbbnh.exe 41 PID 1632 wrote to memory of 1948 1632 tnbbnh.exe 41 PID 1948 wrote to memory of 1636 1948 dvjpd.exe 42 PID 1948 wrote to memory of 1636 1948 dvjpd.exe 42 PID 1948 wrote to memory of 1636 1948 dvjpd.exe 42 PID 1948 wrote to memory of 1636 1948 dvjpd.exe 42 PID 1636 wrote to memory of 1880 1636 fxxfrxl.exe 43 PID 1636 wrote to memory of 1880 1636 fxxfrxl.exe 43 PID 1636 wrote to memory of 1880 1636 fxxfrxl.exe 43 PID 1636 wrote to memory of 1880 1636 fxxfrxl.exe 43 PID 1880 wrote to memory of 1648 1880 btthbn.exe 44 PID 1880 wrote to memory of 1648 1880 btthbn.exe 44 PID 1880 wrote to memory of 1648 1880 btthbn.exe 44 PID 1880 wrote to memory of 1648 1880 btthbn.exe 44 PID 1648 wrote to memory of 1900 1648 ffxfllr.exe 45 PID 1648 wrote to memory of 1900 1648 ffxfllr.exe 45 PID 1648 wrote to memory of 1900 1648 ffxfllr.exe 45 PID 1648 wrote to memory of 1900 1648 ffxfllr.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\113844635d8ba6ae7906014cbe023447de5a269761ceb4949e1d814220693eef.exe"C:\Users\Admin\AppData\Local\Temp\113844635d8ba6ae7906014cbe023447de5a269761ceb4949e1d814220693eef.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2516 -
\??\c:\xffrlrf.exec:\xffrlrf.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2660 -
\??\c:\jdvdp.exec:\jdvdp.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3008 -
\??\c:\fxrxlrf.exec:\fxrxlrf.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3032 -
\??\c:\nnnttb.exec:\nnnttb.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2724 -
\??\c:\dvvjv.exec:\dvvjv.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2772 -
\??\c:\9ffrxfr.exec:\9ffrxfr.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2584 -
\??\c:\7ppvj.exec:\7ppvj.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2612 -
\??\c:\rlfrflf.exec:\rlfrflf.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2744 -
\??\c:\hnbnnb.exec:\hnbnnb.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2596 -
\??\c:\ddvdv.exec:\ddvdv.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2628 -
\??\c:\tnbbnh.exec:\tnbbnh.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1632 -
\??\c:\dvjpd.exec:\dvjpd.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1948 -
\??\c:\fxxfrxl.exec:\fxxfrxl.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1636 -
\??\c:\btthbn.exec:\btthbn.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1880 -
\??\c:\ffxfllr.exec:\ffxfllr.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1648 -
\??\c:\bhhtbn.exec:\bhhtbn.exe17⤵
- Executes dropped EXE
PID:1900 -
\??\c:\pvjjp.exec:\pvjjp.exe18⤵
- Executes dropped EXE
PID:856 -
\??\c:\1frfllx.exec:\1frfllx.exe19⤵
- Executes dropped EXE
PID:2812 -
\??\c:\dvvjd.exec:\dvvjd.exe20⤵
- Executes dropped EXE
PID:2116 -
\??\c:\3fffxlx.exec:\3fffxlx.exe21⤵
- Executes dropped EXE
PID:1000 -
\??\c:\dvvvj.exec:\dvvvj.exe22⤵
- Executes dropped EXE
PID:2216 -
\??\c:\jjdpd.exec:\jjdpd.exe23⤵
- Executes dropped EXE
PID:1944 -
\??\c:\rrllffr.exec:\rrllffr.exe24⤵
- Executes dropped EXE
PID:1540 -
\??\c:\nnthnt.exec:\nnthnt.exe25⤵
- Executes dropped EXE
PID:3052 -
\??\c:\jddjv.exec:\jddjv.exe26⤵
- Executes dropped EXE
PID:1592 -
\??\c:\xflfxfx.exec:\xflfxfx.exe27⤵
- Executes dropped EXE
PID:936 -
\??\c:\3ddjj.exec:\3ddjj.exe28⤵
- Executes dropped EXE
PID:2464 -
\??\c:\nnbntt.exec:\nnbntt.exe29⤵
- Executes dropped EXE
PID:1976 -
\??\c:\fxrrffr.exec:\fxrrffr.exe30⤵
- Executes dropped EXE
PID:2428 -
\??\c:\fffrfxl.exec:\fffrfxl.exe31⤵
- Executes dropped EXE
PID:1416 -
\??\c:\dvjvd.exec:\dvjvd.exe32⤵
- Executes dropped EXE
PID:1996 -
\??\c:\xxxfxlx.exec:\xxxfxlx.exe33⤵
- Executes dropped EXE
PID:2144 -
\??\c:\nhbtbh.exec:\nhbtbh.exe34⤵
- Executes dropped EXE
PID:2940 -
\??\c:\dvvdj.exec:\dvvdj.exe35⤵
- Executes dropped EXE
PID:3004 -
\??\c:\llfrxlf.exec:\llfrxlf.exe36⤵
- Executes dropped EXE
PID:2204 -
\??\c:\5thttt.exec:\5thttt.exe37⤵
- Executes dropped EXE
PID:1488 -
\??\c:\tnbntt.exec:\tnbntt.exe38⤵
- Executes dropped EXE
PID:2684 -
\??\c:\5pvjd.exec:\5pvjd.exe39⤵
- Executes dropped EXE
PID:2680 -
\??\c:\5flxxxf.exec:\5flxxxf.exe40⤵
- Executes dropped EXE
PID:3044 -
\??\c:\rrlxrxr.exec:\rrlxrxr.exe41⤵
- Executes dropped EXE
PID:2736 -
\??\c:\1bbntb.exec:\1bbntb.exe42⤵
- Executes dropped EXE
PID:2768 -
\??\c:\ddpdp.exec:\ddpdp.exe43⤵
- Executes dropped EXE
PID:2576 -
\??\c:\dddvd.exec:\dddvd.exe44⤵
- Executes dropped EXE
PID:2588 -
\??\c:\xrlxflr.exec:\xrlxflr.exe45⤵
- Executes dropped EXE
PID:2964 -
\??\c:\tbbtnn.exec:\tbbtnn.exe46⤵
- Executes dropped EXE
PID:2972 -
\??\c:\nnnbtb.exec:\nnnbtb.exe47⤵
- Executes dropped EXE
PID:1020 -
\??\c:\9pvdd.exec:\9pvdd.exe48⤵
- Executes dropped EXE
PID:992 -
\??\c:\5lxfrlx.exec:\5lxfrlx.exe49⤵
- Executes dropped EXE
PID:348 -
\??\c:\xrfxlrl.exec:\xrfxlrl.exe50⤵
- Executes dropped EXE
PID:2020 -
\??\c:\hbthbh.exec:\hbthbh.exe51⤵
- Executes dropped EXE
PID:2396 -
\??\c:\jjdjv.exec:\jjdjv.exe52⤵
- Executes dropped EXE
PID:1708 -
\??\c:\5pjpp.exec:\5pjpp.exe53⤵
- Executes dropped EXE
PID:844 -
\??\c:\xffxrfx.exec:\xffxrfx.exe54⤵
- Executes dropped EXE
PID:1656 -
\??\c:\fffxllr.exec:\fffxllr.exe55⤵
- Executes dropped EXE
PID:2504 -
\??\c:\nnhnhh.exec:\nnhnhh.exe56⤵
- Executes dropped EXE
PID:1176 -
\??\c:\jvpvp.exec:\jvpvp.exe57⤵
- Executes dropped EXE
PID:2812 -
\??\c:\llffllr.exec:\llffllr.exe58⤵
- Executes dropped EXE
PID:2116 -
\??\c:\9lxrffl.exec:\9lxrffl.exe59⤵
- Executes dropped EXE
PID:320 -
\??\c:\bttnbb.exec:\bttnbb.exe60⤵
- Executes dropped EXE
PID:1036 -
\??\c:\tnbhtb.exec:\tnbhtb.exe61⤵
- Executes dropped EXE
PID:1220 -
\??\c:\jdpdp.exec:\jdpdp.exe62⤵
- Executes dropped EXE
PID:916 -
\??\c:\llxfxfl.exec:\llxfxfl.exe63⤵
- Executes dropped EXE
PID:1172 -
\??\c:\3bnbhb.exec:\3bnbhb.exe64⤵
- Executes dropped EXE
PID:2904 -
\??\c:\hhtbnt.exec:\hhtbnt.exe65⤵
- Executes dropped EXE
PID:1896 -
\??\c:\jjjjp.exec:\jjjjp.exe66⤵PID:1932
-
\??\c:\vjvdd.exec:\vjvdd.exe67⤵PID:904
-
\??\c:\lxfxllr.exec:\lxfxllr.exe68⤵PID:2348
-
\??\c:\hhbnth.exec:\hhbnth.exe69⤵PID:2776
-
\??\c:\vpjvp.exec:\vpjvp.exe70⤵PID:2280
-
\??\c:\vvpvv.exec:\vvpvv.exe71⤵PID:548
-
\??\c:\5rflxfx.exec:\5rflxfx.exe72⤵PID:112
-
\??\c:\nnhnbb.exec:\nnhnbb.exe73⤵PID:2148
-
\??\c:\3bnbbn.exec:\3bnbbn.exe74⤵PID:1992
-
\??\c:\5vvjd.exec:\5vvjd.exe75⤵PID:1508
-
\??\c:\rlflxxr.exec:\rlflxxr.exe76⤵PID:1628
-
\??\c:\xxxflrl.exec:\xxxflrl.exe77⤵PID:2940
-
\??\c:\bbbnnt.exec:\bbbnnt.exe78⤵PID:2884
-
\??\c:\7jdpj.exec:\7jdpj.exe79⤵PID:2716
-
\??\c:\jdpdp.exec:\jdpdp.exe80⤵PID:2816
-
\??\c:\flxlflr.exec:\flxlflr.exe81⤵PID:2820
-
\??\c:\9xlrfxl.exec:\9xlrfxl.exe82⤵PID:2708
-
\??\c:\tbtbhn.exec:\tbtbhn.exe83⤵PID:2836
-
\??\c:\5vvjp.exec:\5vvjp.exe84⤵PID:2600
-
\??\c:\1lflffl.exec:\1lflffl.exe85⤵PID:2612
-
\??\c:\xxrfllf.exec:\xxrfllf.exe86⤵PID:2580
-
\??\c:\nthnbb.exec:\nthnbb.exe87⤵PID:2652
-
\??\c:\dvppv.exec:\dvppv.exe88⤵PID:2968
-
\??\c:\vvpdp.exec:\vvpdp.exe89⤵PID:2828
-
\??\c:\9rlrxfl.exec:\9rlrxfl.exe90⤵PID:1536
-
\??\c:\ttnnbh.exec:\ttnnbh.exe91⤵PID:2644
-
\??\c:\1hnnnt.exec:\1hnnnt.exe92⤵PID:1348
-
\??\c:\pjddj.exec:\pjddj.exe93⤵PID:1856
-
\??\c:\fxllxfr.exec:\fxllxfr.exe94⤵PID:1888
-
\??\c:\xlrlrlf.exec:\xlrlrlf.exe95⤵PID:1216
-
\??\c:\9ttbbn.exec:\9ttbbn.exe96⤵PID:1624
-
\??\c:\dddpd.exec:\dddpd.exe97⤵PID:1044
-
\??\c:\pjvpv.exec:\pjvpv.exe98⤵PID:840
-
\??\c:\3rlrxxf.exec:\3rlrxxf.exe99⤵PID:764
-
\??\c:\tnttbb.exec:\tnttbb.exe100⤵PID:2196
-
\??\c:\tbnthh.exec:\tbnthh.exe101⤵PID:2616
-
\??\c:\vvjpv.exec:\vvjpv.exe102⤵PID:2388
-
\??\c:\9dpjp.exec:\9dpjp.exe103⤵PID:2456
-
\??\c:\rrxxllx.exec:\rrxxllx.exe104⤵PID:2124
-
\??\c:\ttntbb.exec:\ttntbb.exe105⤵PID:2444
-
\??\c:\hhtthh.exec:\hhtthh.exe106⤵PID:448
-
\??\c:\jdjdp.exec:\jdjdp.exe107⤵PID:1092
-
\??\c:\ffffllf.exec:\ffffllf.exe108⤵PID:1304
-
\??\c:\lfxxfll.exec:\lfxxfll.exe109⤵PID:1680
-
\??\c:\nhnthh.exec:\nhnthh.exe110⤵PID:872
-
\??\c:\dvvvj.exec:\dvvvj.exe111⤵PID:936
-
\??\c:\9jvvv.exec:\9jvvv.exe112⤵PID:2076
-
\??\c:\3fffllr.exec:\3fffllr.exe113⤵PID:2332
-
\??\c:\ttbhbh.exec:\ttbhbh.exe114⤵PID:760
-
\??\c:\tnhnnn.exec:\tnhnnn.exe115⤵PID:808
-
\??\c:\pddvv.exec:\pddvv.exe116⤵PID:892
-
\??\c:\lfrxflx.exec:\lfrxflx.exe117⤵PID:2500
-
\??\c:\bthhnn.exec:\bthhnn.exe118⤵PID:2288
-
\??\c:\hbbhhn.exec:\hbbhhn.exe119⤵PID:2960
-
\??\c:\pjvpj.exec:\pjvpj.exe120⤵PID:2956
-
\??\c:\fxrrllx.exec:\fxrrllx.exe121⤵PID:3008
-
\??\c:\rrlxflr.exec:\rrlxflr.exe122⤵PID:2868
-