Analysis
-
max time kernel
120s -
max time network
21s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
19-12-2024 07:12
Behavioral task
behavioral1
Sample
66f5f2932d1a1b9f72eb4ad73c48c1bff60b0f12be85ac87dacf0a4fdab06968N.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
120 seconds
General
-
Target
66f5f2932d1a1b9f72eb4ad73c48c1bff60b0f12be85ac87dacf0a4fdab06968N.exe
-
Size
335KB
-
MD5
8bdb34ccd778ead5bc39282cfb0c24b0
-
SHA1
244f3049066858971bf5c32329a002eb8b7feb96
-
SHA256
66f5f2932d1a1b9f72eb4ad73c48c1bff60b0f12be85ac87dacf0a4fdab06968
-
SHA512
31c664d5742c839471df34559b5e36b3c1b9caf0e5dfff6a74f77a473d3f2388f209461dfb328b3d8be126da5b1ca858063f310cdcfd7b689d30b46d5b47b300
-
SSDEEP
6144:Lcm4FmowdHoSHt251UriZFwfsDX2UznsaFVNJCMKAbeRV:R4wFHoSHYHUrAwfMp3CDRV
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 38 IoCs
resource yara_rule behavioral1/memory/2400-6-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2740-18-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2124-14-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/320-33-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2576-42-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2712-52-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/528-62-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2536-59-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2084-79-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2628-94-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2520-103-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/672-112-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2904-128-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2368-136-0x0000000000250000-0x0000000000277000-memory.dmp family_blackmoon behavioral1/memory/2368-138-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2408-154-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2252-169-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2252-171-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/316-192-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1924-201-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2060-208-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral1/memory/2472-216-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/1352-224-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1732-235-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2276-249-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1468-258-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2040-267-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2172-290-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2668-296-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2804-309-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2804-308-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/1144-368-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2636-418-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2128-429-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1324-457-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1952-520-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/3036-726-0x00000000002C0000-0x00000000002E7000-memory.dmp family_blackmoon behavioral1/memory/556-747-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs (only the first 64 entries are listed here; the process tree below continues to nesting depth 122)
pid Process 2124 pdppv.exe 2740 fllfrrl.exe 320 ppvjj.exe 2576 ttnbth.exe 2712 dvddp.exe 2536 3tbtnh.exe 528 pvdpd.exe 2080 3rrllxr.exe 2084 jjpdj.exe 2628 vjpjj.exe 2520 ntbnbh.exe 672 9frffrf.exe 2112 vvvdv.exe 2904 ffrfxlf.exe 2368 1pjjp.exe 2868 3frflfr.exe 2408 djjjd.exe 2132 rxfffll.exe 2252 vvvdp.exe 1696 nnnhhn.exe 1240 3pjpd.exe 316 hnnbth.exe 1924 jjjdv.exe 2060 9tbbhn.exe 2472 pvpjd.exe 1352 rflxxfx.exe 1732 nhnhhb.exe 1072 ffxxxfl.exe 2276 bhhthb.exe 1468 fllllff.exe 2040 htnnbh.exe 768 9xllrxf.exe 1740 9htttt.exe 3044 dpjdv.exe 2172 xxlrxxf.exe 2668 hthhhh.exe 1432 jvvjd.exe 2804 xfflfxx.exe 2968 bbtbhn.exe 2756 vvjjp.exe 2564 llrfrlx.exe 2588 tbbbht.exe 1804 3dvvp.exe 2560 xfxxlxx.exe 2224 hnntbn.exe 2392 vddpj.exe 1044 xflxlrr.exe 1304 hhhtth.exe 1144 ttbhhb.exe 1964 9llflxr.exe 3000 xlrlrlf.exe 2344 bhnnhh.exe 2796 ppjvp.exe 2136 llrrflx.exe 2916 nbhhnb.exe 2948 pjjjp.exe 2808 5lrflrx.exe 2636 tthttb.exe 1300 ntttnt.exe 2128 xxrrrrx.exe 2408 bhttbh.exe 3012 vjvvd.exe 1120 rrlrfxf.exe 2440 thhhnh.exe -
resource yara_rule behavioral1/memory/2400-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000b00000001227d-7.dat upx behavioral1/memory/2400-6-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000f00000001866e-16.dat upx behavioral1/memory/2740-18-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2124-14-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0006000000018687-23.dat upx behavioral1/files/0x0007000000018c1a-32.dat upx behavioral1/memory/2576-34-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/320-33-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2576-42-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0007000000018c26-41.dat upx behavioral1/memory/2712-52-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0007000000018f53-53.dat upx behavioral1/memory/528-62-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000700000001903b-61.dat upx behavioral1/memory/2536-59-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00080000000190e0-77.dat upx behavioral1/memory/2084-79-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00080000000190ce-71.dat upx behavioral1/files/0x0006000000019397-88.dat upx behavioral1/memory/2628-87-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2084-85-0x0000000000250000-0x0000000000277000-memory.dmp upx behavioral1/files/0x0005000000019423-95.dat upx behavioral1/memory/2628-94-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2520-103-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0005000000019426-101.dat upx behavioral1/memory/672-104-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0005000000019438-113.dat upx behavioral1/memory/672-112-0x0000000000400000-0x0000000000427000-memory.dmp 
upx behavioral1/files/0x0005000000019442-121.dat upx behavioral1/memory/2112-120-0x0000000000220000-0x0000000000247000-memory.dmp upx behavioral1/files/0x000500000001944d-129.dat upx behavioral1/memory/2904-128-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00350000000174a2-137.dat upx behavioral1/memory/2868-139-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2368-138-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0005000000019458-146.dat upx behavioral1/files/0x000500000001945c-155.dat upx behavioral1/memory/2408-154-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001946b-162.dat upx behavioral1/files/0x000500000001946e-172.dat upx behavioral1/memory/2252-171-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00050000000194ae-178.dat upx behavioral1/files/0x00050000000194c9-185.dat upx behavioral1/files/0x00050000000194df-193.dat upx behavioral1/memory/316-192-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00050000000194ff-199.dat upx behavioral1/memory/1924-201-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001952c-209.dat upx behavioral1/memory/2060-208-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0005000000019630-215.dat upx behavioral1/files/0x0005000000019632-225.dat upx behavioral1/memory/1352-224-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001963a-233.dat upx behavioral1/memory/1732-235-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001963b-241.dat upx behavioral1/memory/2276-249-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00050000000197aa-250.dat upx behavioral1/files/0x0005000000019a62-257.dat upx behavioral1/memory/1468-258-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0005000000019afd-266.dat upx 
behavioral1/memory/2040-267-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2172-290-0x0000000000400000-0x0000000000427000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host (here by opening the NLS\Language registry key) in order to infer that host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrfxlrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfrllff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttttbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbnbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdvvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9rlffrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxrrrrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1xfrflr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpddd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffxfxrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3rfxrfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llfrfrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjvvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2400 wrote to memory of 2124 2400 66f5f2932d1a1b9f72eb4ad73c48c1bff60b0f12be85ac87dacf0a4fdab06968N.exe 30 PID 2400 wrote to memory of 2124 2400 66f5f2932d1a1b9f72eb4ad73c48c1bff60b0f12be85ac87dacf0a4fdab06968N.exe 30 PID 2400 wrote to memory of 2124 2400 66f5f2932d1a1b9f72eb4ad73c48c1bff60b0f12be85ac87dacf0a4fdab06968N.exe 30 PID 2400 wrote to memory of 2124 2400 66f5f2932d1a1b9f72eb4ad73c48c1bff60b0f12be85ac87dacf0a4fdab06968N.exe 30 PID 2124 wrote to memory of 2740 2124 pdppv.exe 31 PID 2124 wrote to memory of 2740 2124 pdppv.exe 31 PID 2124 wrote to memory of 2740 2124 pdppv.exe 31 PID 2124 wrote to memory of 2740 2124 pdppv.exe 31 PID 2740 wrote to memory of 320 2740 fllfrrl.exe 32 PID 2740 wrote to memory of 320 2740 fllfrrl.exe 32 PID 2740 wrote to memory of 320 2740 fllfrrl.exe 32 PID 2740 wrote to memory of 320 2740 fllfrrl.exe 32 PID 320 wrote to memory of 2576 320 ppvjj.exe 33 PID 320 wrote to memory of 2576 320 ppvjj.exe 33 PID 320 wrote to memory of 2576 320 ppvjj.exe 33 PID 320 wrote to memory of 2576 320 ppvjj.exe 33 PID 2576 wrote to memory of 2712 2576 ttnbth.exe 34 PID 2576 wrote to memory of 2712 2576 ttnbth.exe 34 PID 2576 wrote to memory of 2712 2576 ttnbth.exe 34 PID 2576 wrote to memory of 2712 2576 ttnbth.exe 34 PID 2712 wrote to memory of 2536 2712 dvddp.exe 35 PID 2712 wrote to memory of 2536 2712 dvddp.exe 35 PID 2712 wrote to memory of 2536 2712 dvddp.exe 35 PID 2712 wrote to memory of 2536 2712 dvddp.exe 35 PID 2536 wrote to memory of 528 2536 3tbtnh.exe 36 PID 2536 wrote to memory of 528 2536 3tbtnh.exe 36 PID 2536 wrote to memory of 528 2536 3tbtnh.exe 36 PID 2536 wrote to memory of 528 2536 3tbtnh.exe 36 PID 528 wrote to memory of 2080 528 pvdpd.exe 37 PID 528 wrote to memory of 2080 528 pvdpd.exe 37 PID 528 wrote to memory of 2080 528 pvdpd.exe 37 PID 528 wrote to memory of 2080 528 pvdpd.exe 37 PID 2080 wrote to memory of 2084 2080 3rrllxr.exe 38 PID 2080 wrote to memory of 2084 2080 
3rrllxr.exe 38 PID 2080 wrote to memory of 2084 2080 3rrllxr.exe 38 PID 2080 wrote to memory of 2084 2080 3rrllxr.exe 38 PID 2084 wrote to memory of 2628 2084 jjpdj.exe 39 PID 2084 wrote to memory of 2628 2084 jjpdj.exe 39 PID 2084 wrote to memory of 2628 2084 jjpdj.exe 39 PID 2084 wrote to memory of 2628 2084 jjpdj.exe 39 PID 2628 wrote to memory of 2520 2628 vjpjj.exe 40 PID 2628 wrote to memory of 2520 2628 vjpjj.exe 40 PID 2628 wrote to memory of 2520 2628 vjpjj.exe 40 PID 2628 wrote to memory of 2520 2628 vjpjj.exe 40 PID 2520 wrote to memory of 672 2520 ntbnbh.exe 41 PID 2520 wrote to memory of 672 2520 ntbnbh.exe 41 PID 2520 wrote to memory of 672 2520 ntbnbh.exe 41 PID 2520 wrote to memory of 672 2520 ntbnbh.exe 41 PID 672 wrote to memory of 2112 672 9frffrf.exe 42 PID 672 wrote to memory of 2112 672 9frffrf.exe 42 PID 672 wrote to memory of 2112 672 9frffrf.exe 42 PID 672 wrote to memory of 2112 672 9frffrf.exe 42 PID 2112 wrote to memory of 2904 2112 vvvdv.exe 43 PID 2112 wrote to memory of 2904 2112 vvvdv.exe 43 PID 2112 wrote to memory of 2904 2112 vvvdv.exe 43 PID 2112 wrote to memory of 2904 2112 vvvdv.exe 43 PID 2904 wrote to memory of 2368 2904 ffrfxlf.exe 44 PID 2904 wrote to memory of 2368 2904 ffrfxlf.exe 44 PID 2904 wrote to memory of 2368 2904 ffrfxlf.exe 44 PID 2904 wrote to memory of 2368 2904 ffrfxlf.exe 44 PID 2368 wrote to memory of 2868 2368 1pjjp.exe 45 PID 2368 wrote to memory of 2868 2368 1pjjp.exe 45 PID 2368 wrote to memory of 2868 2368 1pjjp.exe 45 PID 2368 wrote to memory of 2868 2368 1pjjp.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\66f5f2932d1a1b9f72eb4ad73c48c1bff60b0f12be85ac87dacf0a4fdab06968N.exe"C:\Users\Admin\AppData\Local\Temp\66f5f2932d1a1b9f72eb4ad73c48c1bff60b0f12be85ac87dacf0a4fdab06968N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2400 -
\??\c:\pdppv.exec:\pdppv.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2124 -
\??\c:\fllfrrl.exec:\fllfrrl.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2740 -
\??\c:\ppvjj.exec:\ppvjj.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:320 -
\??\c:\ttnbth.exec:\ttnbth.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2576 -
\??\c:\dvddp.exec:\dvddp.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2712 -
\??\c:\3tbtnh.exec:\3tbtnh.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2536 -
\??\c:\pvdpd.exec:\pvdpd.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:528 -
\??\c:\3rrllxr.exec:\3rrllxr.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2080 -
\??\c:\jjpdj.exec:\jjpdj.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2084 -
\??\c:\vjpjj.exec:\vjpjj.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2628 -
\??\c:\ntbnbh.exec:\ntbnbh.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2520 -
\??\c:\9frffrf.exec:\9frffrf.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:672 -
\??\c:\vvvdv.exec:\vvvdv.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2112 -
\??\c:\ffrfxlf.exec:\ffrfxlf.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2904 -
\??\c:\1pjjp.exec:\1pjjp.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2368 -
\??\c:\3frflfr.exec:\3frflfr.exe17⤵
- Executes dropped EXE
PID:2868 -
\??\c:\djjjd.exec:\djjjd.exe18⤵
- Executes dropped EXE
PID:2408 -
\??\c:\rxfffll.exec:\rxfffll.exe19⤵
- Executes dropped EXE
PID:2132 -
\??\c:\vvvdp.exec:\vvvdp.exe20⤵
- Executes dropped EXE
PID:2252 -
\??\c:\nnnhhn.exec:\nnnhhn.exe21⤵
- Executes dropped EXE
PID:1696 -
\??\c:\3pjpd.exec:\3pjpd.exe22⤵
- Executes dropped EXE
PID:1240 -
\??\c:\hnnbth.exec:\hnnbth.exe23⤵
- Executes dropped EXE
PID:316 -
\??\c:\jjjdv.exec:\jjjdv.exe24⤵
- Executes dropped EXE
PID:1924 -
\??\c:\9tbbhn.exec:\9tbbhn.exe25⤵
- Executes dropped EXE
PID:2060 -
\??\c:\pvpjd.exec:\pvpjd.exe26⤵
- Executes dropped EXE
PID:2472 -
\??\c:\rflxxfx.exec:\rflxxfx.exe27⤵
- Executes dropped EXE
PID:1352 -
\??\c:\nhnhhb.exec:\nhnhhb.exe28⤵
- Executes dropped EXE
PID:1732 -
\??\c:\ffxxxfl.exec:\ffxxxfl.exe29⤵
- Executes dropped EXE
PID:1072 -
\??\c:\bhhthb.exec:\bhhthb.exe30⤵
- Executes dropped EXE
PID:2276 -
\??\c:\fllllff.exec:\fllllff.exe31⤵
- Executes dropped EXE
PID:1468 -
\??\c:\htnnbh.exec:\htnnbh.exe32⤵
- Executes dropped EXE
PID:2040 -
\??\c:\9xllrxf.exec:\9xllrxf.exe33⤵
- Executes dropped EXE
PID:768 -
\??\c:\9htttt.exec:\9htttt.exe34⤵
- Executes dropped EXE
PID:1740 -
\??\c:\dpjdv.exec:\dpjdv.exe35⤵
- Executes dropped EXE
PID:3044 -
\??\c:\xxlrxxf.exec:\xxlrxxf.exe36⤵
- Executes dropped EXE
PID:2172 -
\??\c:\hthhhh.exec:\hthhhh.exe37⤵
- Executes dropped EXE
PID:2668 -
\??\c:\jvvjd.exec:\jvvjd.exe38⤵
- Executes dropped EXE
PID:1432 -
\??\c:\xfflfxx.exec:\xfflfxx.exe39⤵
- Executes dropped EXE
PID:2804 -
\??\c:\bbtbhn.exec:\bbtbhn.exe40⤵
- Executes dropped EXE
PID:2968 -
\??\c:\vvjjp.exec:\vvjjp.exe41⤵
- Executes dropped EXE
PID:2756 -
\??\c:\llrfrlx.exec:\llrfrlx.exe42⤵
- Executes dropped EXE
PID:2564 -
\??\c:\tbbbht.exec:\tbbbht.exe43⤵
- Executes dropped EXE
PID:2588 -
\??\c:\3dvvp.exec:\3dvvp.exe44⤵
- Executes dropped EXE
PID:1804 -
\??\c:\xfxxlxx.exec:\xfxxlxx.exe45⤵
- Executes dropped EXE
PID:2560 -
\??\c:\hnntbn.exec:\hnntbn.exe46⤵
- Executes dropped EXE
PID:2224 -
\??\c:\vddpj.exec:\vddpj.exe47⤵
- Executes dropped EXE
PID:2392 -
\??\c:\xflxlrr.exec:\xflxlrr.exe48⤵
- Executes dropped EXE
PID:1044 -
\??\c:\hhhtth.exec:\hhhtth.exe49⤵
- Executes dropped EXE
PID:1304 -
\??\c:\ttbhhb.exec:\ttbhhb.exe50⤵
- Executes dropped EXE
PID:1144 -
\??\c:\9llflxr.exec:\9llflxr.exe51⤵
- Executes dropped EXE
PID:1964 -
\??\c:\xlrlrlf.exec:\xlrlrlf.exe52⤵
- Executes dropped EXE
PID:3000 -
\??\c:\bhnnhh.exec:\bhnnhh.exe53⤵
- Executes dropped EXE
PID:2344 -
\??\c:\ppjvp.exec:\ppjvp.exe54⤵
- Executes dropped EXE
PID:2796 -
\??\c:\llrrflx.exec:\llrrflx.exe55⤵
- Executes dropped EXE
PID:2136 -
\??\c:\nbhhnb.exec:\nbhhnb.exe56⤵
- Executes dropped EXE
PID:2916 -
\??\c:\pjjjp.exec:\pjjjp.exe57⤵
- Executes dropped EXE
PID:2948 -
\??\c:\5lrflrx.exec:\5lrflrx.exe58⤵
- Executes dropped EXE
PID:2808 -
\??\c:\tthttb.exec:\tthttb.exe59⤵
- Executes dropped EXE
PID:2636 -
\??\c:\ntttnt.exec:\ntttnt.exe60⤵
- Executes dropped EXE
PID:1300 -
\??\c:\xxrrrrx.exec:\xxrrrrx.exe61⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2128 -
\??\c:\bhttbh.exec:\bhttbh.exe62⤵
- Executes dropped EXE
PID:2408 -
\??\c:\vjvvd.exec:\vjvvd.exe63⤵
- Executes dropped EXE
PID:3012 -
\??\c:\rrlrfxf.exec:\rrlrfxf.exe64⤵
- Executes dropped EXE
PID:1120 -
\??\c:\thhhnh.exec:\thhhnh.exe65⤵
- Executes dropped EXE
PID:2440 -
\??\c:\pvpjd.exec:\pvpjd.exe66⤵PID:1324
-
\??\c:\rrrrlrf.exec:\rrrrlrf.exe67⤵PID:952
-
\??\c:\nntbnt.exec:\nntbnt.exe68⤵PID:1860
-
\??\c:\dvdjp.exec:\dvdjp.exe69⤵PID:896
-
\??\c:\rlffrrr.exec:\rlffrrr.exe70⤵PID:1800
-
\??\c:\bthbhb.exec:\bthbhb.exe71⤵PID:2220
-
\??\c:\bhbbnb.exec:\bhbbnb.exe72⤵PID:1508
-
\??\c:\rfrlrrx.exec:\rfrlrrx.exe73⤵PID:2452
-
\??\c:\nnttbh.exec:\nnttbh.exe74⤵PID:1944
-
\??\c:\djvpp.exec:\djvpp.exe75⤵PID:2476
-
\??\c:\lfflxfr.exec:\lfflxfr.exe76⤵PID:2448
-
\??\c:\bhntbt.exec:\bhntbt.exe77⤵PID:1952
-
\??\c:\hnntnt.exec:\hnntnt.exe78⤵PID:372
-
\??\c:\jjdpd.exec:\jjdpd.exe79⤵PID:1904
-
\??\c:\3fxrfrx.exec:\3fxrfrx.exe80⤵PID:2052
-
\??\c:\bnbtnn.exec:\bnbtnn.exe81⤵PID:768
-
\??\c:\pvdpd.exec:\pvdpd.exe82⤵PID:2724
-
\??\c:\5frrflr.exec:\5frrflr.exe83⤵PID:2620
-
\??\c:\rrxlxfr.exec:\rrxlxfr.exe84⤵PID:2684
-
\??\c:\bhttnb.exec:\bhttnb.exe85⤵PID:1576
-
\??\c:\djpdv.exec:\djpdv.exe86⤵PID:2124
-
\??\c:\1xrrfrl.exec:\1xrrfrl.exe87⤵PID:2748
-
\??\c:\ttnbnb.exec:\ttnbnb.exe88⤵PID:2680
-
\??\c:\jjddv.exec:\jjddv.exe89⤵PID:2912
-
\??\c:\ddjpj.exec:\ddjpj.exe90⤵PID:2576
-
\??\c:\nhbtbt.exec:\nhbtbt.exe91⤵PID:2676
-
\??\c:\nbtbhh.exec:\nbtbhh.exe92⤵PID:2568
-
\??\c:\pjvpv.exec:\pjvpv.exe93⤵PID:2536
-
\??\c:\rxlfllx.exec:\rxlfllx.exe94⤵PID:2616
-
\??\c:\nthhtt.exec:\nthhtt.exe95⤵PID:2316
-
\??\c:\jpvjp.exec:\jpvjp.exe96⤵PID:1772
-
\??\c:\rfxxfxf.exec:\rfxxfxf.exe97⤵PID:2640
-
\??\c:\nhnnbn.exec:\nhnnbn.exe98⤵PID:2084
-
\??\c:\pvppp.exec:\pvppp.exe99⤵PID:2928
-
\??\c:\hhbthn.exec:\hhbthn.exe100⤵PID:2792
-
\??\c:\dvvjj.exec:\dvvjj.exe101⤵PID:2204
-
\??\c:\vvjpd.exec:\vvjpd.exe102⤵PID:672
-
\??\c:\7rllfff.exec:\7rllfff.exe103⤵PID:2872
-
\??\c:\ntnbtb.exec:\ntnbtb.exe104⤵PID:2932
-
\??\c:\ppvvp.exec:\ppvvp.exe105⤵PID:2916
-
\??\c:\9jvjp.exec:\9jvjp.exe106⤵PID:2880
-
\??\c:\frrlrfl.exec:\frrlrfl.exe107⤵PID:3064
-
\??\c:\bbnhnh.exec:\bbnhnh.exe108⤵PID:2376
-
\??\c:\jpddd.exec:\jpddd.exe109⤵
- System Location Discovery: System Language Discovery
PID:2056 -
\??\c:\xlfxxrr.exec:\xlfxxrr.exe110⤵PID:2132
-
\??\c:\btnbtb.exec:\btnbtb.exe111⤵PID:3016
-
\??\c:\nttnhn.exec:\nttnhn.exe112⤵PID:2248
-
\??\c:\vvdpv.exec:\vvdpv.exe113⤵PID:1320
-
\??\c:\xxxlflx.exec:\xxxlflx.exe114⤵PID:3036
-
\??\c:\tntthb.exec:\tntthb.exe115⤵PID:2404
-
\??\c:\thntht.exec:\thntht.exe116⤵PID:316
-
\??\c:\djjjj.exec:\djjjj.exe117⤵PID:2024
-
\??\c:\xrlfxfr.exec:\xrlfxfr.exe118⤵PID:556
-
\??\c:\tntbbh.exec:\tntbbh.exe119⤵PID:1760
-
\??\c:\thnbtb.exec:\thnbtb.exe120⤵PID:1748
-
\??\c:\pjvvp.exec:\pjvvp.exe121⤵
- System Location Discovery: System Language Discovery
PID:268 -
\??\c:\rffrflf.exec:\rffrflf.exe122⤵PID:1956