Analysis
-
max time kernel
120s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
submitted
19-12-2024 20:45
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
fed7038153472a430620c9ec5339988eaf8493153b48a6272b468e363fd85a7fN.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
120 seconds
General
-
Target
fed7038153472a430620c9ec5339988eaf8493153b48a6272b468e363fd85a7fN.exe
-
Size
200KB
-
MD5
c5b678a06eeaed38a35478094826a930
-
SHA1
2654c63c507c162466ec225f2fa63dbb7416c404
-
SHA256
fed7038153472a430620c9ec5339988eaf8493153b48a6272b468e363fd85a7f
-
SHA512
eb467063cc3252c28e6a164789df045a78c521091f61a3327867ed36fa0ab2f771ffad7675cadce966338d344e98dc6617342bb0baa1a348317e12dc57257987
-
SSDEEP
1536:1vQBeOGtrYSSsrc93UBIfdC67m6AJiqpfg3Cn/uiYs9oV:1hOm2sI93UufdC67ciyfmCnmiYNV
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 48 IoCs
resource yara_rule behavioral1/memory/2420-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1636-16-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2284-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2820-43-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2768-46-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2768-49-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2636-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2768-54-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2892-75-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2684-88-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2664-91-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1568-108-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/3016-124-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1412-133-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2908-136-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2876-147-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1568-142-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1904-162-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2268-181-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1868-200-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2144-253-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/1408-270-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1716-293-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2276-306-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2720-317-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2764-333-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2900-346-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2636-358-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2364-371-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2656-378-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/632-385-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3040-398-0x00000000005C0000-0x00000000005EA000-memory.dmp family_blackmoon behavioral1/memory/2928-425-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2600-432-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2120-475-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1196-514-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2076-525-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2080-538-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2080-539-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2648-602-0x0000000000230000-0x000000000025A000-memory.dmp family_blackmoon behavioral1/memory/2996-612-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1508-644-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2024-724-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2944-737-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2284-853-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2716-878-0x0000000000230000-0x000000000025A000-memory.dmp family_blackmoon behavioral1/memory/2732-904-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2052-911-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1636 jvdjp.exe 320 lxxrxrx.exe 2284 9btbhb.exe 2820 hthnth.exe 2768 9xrrllr.exe 2052 rlxlxlf.exe 2636 hhbnbh.exe 2892 dpjjp.exe 2684 5xlrrxf.exe 2664 pdppd.exe 1568 1rlfllx.exe 1396 tthhnn.exe 3016 jjvdj.exe 1412 xlfxxxl.exe 2908 llrflfr.exe 2876 nhthht.exe 1904 pjvvp.exe 1852 lflxllf.exe 2268 tnnnhn.exe 2164 dvjpv.exe 1868 9llfxfx.exe 1316 nnhnbb.exe 1100 jjvdj.exe 3020 ffxlflx.exe 2132 bthbnn.exe 1476 9rlrxfl.exe 1124 lfxfllr.exe 2144 nbnnhh.exe 2540 dvdjd.exe 1408 3xlrrxf.exe 1752 9llxlxr.exe 1648 9hbbth.exe 1716 pjdjp.exe 2536 fxlrxxf.exe 2276 xfxfxlr.exe 1628 bthnnn.exe 2720 pjvvd.exe 2756 jvjdd.exe 2764 7rlxffr.exe 2772 bbbbnt.exe 2900 btbhnn.exe 2612 vddpp.exe 2636 9vpjd.exe 2732 xxfrrfl.exe 2364 nntbhn.exe 2656 ttbnnb.exe 632 5jpdv.exe 576 ddjpj.exe 3040 rfrrxxf.exe 1404 fxlrflr.exe 1004 htntnt.exe 3028 5vjjp.exe 2928 jdvdj.exe 2600 lfffllf.exe 2356 llflrlf.exe 1680 hhthhn.exe 2516 1jdpp.exe 2316 pjvvp.exe 2372 fxrxlrx.exe 2384 rlfrlrx.exe 2120 bbnhht.exe 2400 btbhnn.exe 2288 vpddd.exe 2592 3dvdj.exe -
resource yara_rule behavioral1/memory/2420-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/320-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1636-16-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2284-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2820-43-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2768-46-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2636-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2768-54-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2892-75-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2684-88-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2664-91-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3016-124-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1412-133-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2908-136-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2876-147-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1904-162-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2268-181-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1868-200-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2132-221-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2144-253-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1408-270-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1716-293-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2276-306-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2756-320-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2764-333-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2900-346-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2636-358-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2364-371-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2656-378-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/632-385-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1004-405-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2600-432-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2120-475-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1196-514-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2076-525-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2080-538-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2800-613-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1508-644-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1056-663-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2024-724-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/624-786-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2716-878-0x0000000000230000-0x000000000025A000-memory.dmp upx behavioral1/memory/1148-912-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1056-937-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2548-1022-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2284-1120-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2012-1193-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2868-1236-0x00000000001B0000-0x00000000001DA000-memory.dmp upx 
behavioral1/memory/2584-1309-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlxfffl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvpvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dddpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvjvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhnttt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpjpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjvpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9jdjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpddp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7nhnbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdppp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nntbnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5jpdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7bbtth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhttth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpjpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2420 wrote to memory of 1636 2420 fed7038153472a430620c9ec5339988eaf8493153b48a6272b468e363fd85a7fN.exe 30 PID 2420 wrote to memory of 1636 2420 fed7038153472a430620c9ec5339988eaf8493153b48a6272b468e363fd85a7fN.exe 30 PID 2420 wrote to memory of 1636 2420 fed7038153472a430620c9ec5339988eaf8493153b48a6272b468e363fd85a7fN.exe 30 PID 2420 wrote to memory of 1636 2420 fed7038153472a430620c9ec5339988eaf8493153b48a6272b468e363fd85a7fN.exe 30 PID 1636 wrote to memory of 320 1636 jvdjp.exe 31 PID 1636 wrote to memory of 320 1636 jvdjp.exe 31 PID 1636 wrote to memory of 320 1636 jvdjp.exe 31 PID 1636 wrote to memory of 320 1636 jvdjp.exe 31 PID 320 wrote to memory of 2284 320 lxxrxrx.exe 32 PID 320 wrote to memory of 2284 320 lxxrxrx.exe 32 PID 320 wrote to memory of 2284 320 lxxrxrx.exe 32 PID 320 wrote to memory of 2284 320 lxxrxrx.exe 32 PID 2284 wrote to memory of 2820 2284 9btbhb.exe 33 PID 2284 wrote to memory of 2820 2284 9btbhb.exe 33 PID 2284 wrote to memory of 2820 2284 9btbhb.exe 33 PID 2284 wrote to memory of 2820 2284 9btbhb.exe 33 PID 2820 wrote to memory of 2768 2820 hthnth.exe 34 PID 2820 wrote to memory of 2768 2820 hthnth.exe 34 PID 2820 wrote to memory of 2768 2820 hthnth.exe 34 PID 2820 wrote to memory of 2768 2820 hthnth.exe 34 PID 2768 wrote to memory of 2052 2768 9xrrllr.exe 35 PID 2768 wrote to memory of 2052 2768 9xrrllr.exe 35 PID 2768 wrote to memory of 2052 2768 9xrrllr.exe 35 PID 2768 wrote to memory of 2052 2768 9xrrllr.exe 35 PID 2052 wrote to memory of 2636 2052 rlxlxlf.exe 36 PID 2052 wrote to memory of 2636 2052 rlxlxlf.exe 36 PID 2052 wrote to memory of 2636 2052 rlxlxlf.exe 36 PID 2052 wrote to memory of 2636 2052 rlxlxlf.exe 36 PID 2636 wrote to memory of 2892 2636 hhbnbh.exe 37 PID 2636 wrote to memory of 2892 2636 hhbnbh.exe 37 PID 2636 wrote to memory of 2892 2636 hhbnbh.exe 37 PID 2636 wrote to memory of 2892 2636 hhbnbh.exe 37 PID 2892 wrote to memory of 2684 2892 dpjjp.exe 38 PID 2892 wrote 
to memory of 2684 2892 dpjjp.exe 38 PID 2892 wrote to memory of 2684 2892 dpjjp.exe 38 PID 2892 wrote to memory of 2684 2892 dpjjp.exe 38 PID 2684 wrote to memory of 2664 2684 5xlrrxf.exe 39 PID 2684 wrote to memory of 2664 2684 5xlrrxf.exe 39 PID 2684 wrote to memory of 2664 2684 5xlrrxf.exe 39 PID 2684 wrote to memory of 2664 2684 5xlrrxf.exe 39 PID 2664 wrote to memory of 1568 2664 pdppd.exe 40 PID 2664 wrote to memory of 1568 2664 pdppd.exe 40 PID 2664 wrote to memory of 1568 2664 pdppd.exe 40 PID 2664 wrote to memory of 1568 2664 pdppd.exe 40 PID 1568 wrote to memory of 1396 1568 1rlfllx.exe 41 PID 1568 wrote to memory of 1396 1568 1rlfllx.exe 41 PID 1568 wrote to memory of 1396 1568 1rlfllx.exe 41 PID 1568 wrote to memory of 1396 1568 1rlfllx.exe 41 PID 1396 wrote to memory of 3016 1396 tthhnn.exe 42 PID 1396 wrote to memory of 3016 1396 tthhnn.exe 42 PID 1396 wrote to memory of 3016 1396 tthhnn.exe 42 PID 1396 wrote to memory of 3016 1396 tthhnn.exe 42 PID 3016 wrote to memory of 1412 3016 jjvdj.exe 43 PID 3016 wrote to memory of 1412 3016 jjvdj.exe 43 PID 3016 wrote to memory of 1412 3016 jjvdj.exe 43 PID 3016 wrote to memory of 1412 3016 jjvdj.exe 43 PID 1412 wrote to memory of 2908 1412 xlfxxxl.exe 44 PID 1412 wrote to memory of 2908 1412 xlfxxxl.exe 44 PID 1412 wrote to memory of 2908 1412 xlfxxxl.exe 44 PID 1412 wrote to memory of 2908 1412 xlfxxxl.exe 44 PID 2908 wrote to memory of 2876 2908 llrflfr.exe 45 PID 2908 wrote to memory of 2876 2908 llrflfr.exe 45 PID 2908 wrote to memory of 2876 2908 llrflfr.exe 45 PID 2908 wrote to memory of 2876 2908 llrflfr.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\fed7038153472a430620c9ec5339988eaf8493153b48a6272b468e363fd85a7fN.exe"C:\Users\Admin\AppData\Local\Temp\fed7038153472a430620c9ec5339988eaf8493153b48a6272b468e363fd85a7fN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2420 -
\??\c:\jvdjp.exec:\jvdjp.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1636 -
\??\c:\lxxrxrx.exec:\lxxrxrx.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:320 -
\??\c:\9btbhb.exec:\9btbhb.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2284 -
\??\c:\hthnth.exec:\hthnth.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2820 -
\??\c:\9xrrllr.exec:\9xrrllr.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2768 -
\??\c:\rlxlxlf.exec:\rlxlxlf.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2052 -
\??\c:\hhbnbh.exec:\hhbnbh.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2636 -
\??\c:\dpjjp.exec:\dpjjp.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2892 -
\??\c:\5xlrrxf.exec:\5xlrrxf.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2684 -
\??\c:\pdppd.exec:\pdppd.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2664 -
\??\c:\1rlfllx.exec:\1rlfllx.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1568 -
\??\c:\tthhnn.exec:\tthhnn.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1396 -
\??\c:\jjvdj.exec:\jjvdj.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3016 -
\??\c:\xlfxxxl.exec:\xlfxxxl.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1412 -
\??\c:\llrflfr.exec:\llrflfr.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2908 -
\??\c:\nhthht.exec:\nhthht.exe17⤵
- Executes dropped EXE
PID:2876 -
\??\c:\pjvvp.exec:\pjvvp.exe18⤵
- Executes dropped EXE
PID:1904 -
\??\c:\lflxllf.exec:\lflxllf.exe19⤵
- Executes dropped EXE
PID:1852 -
\??\c:\tnnnhn.exec:\tnnnhn.exe20⤵
- Executes dropped EXE
PID:2268 -
\??\c:\dvjpv.exec:\dvjpv.exe21⤵
- Executes dropped EXE
PID:2164 -
\??\c:\9llfxfx.exec:\9llfxfx.exe22⤵
- Executes dropped EXE
PID:1868 -
\??\c:\nnhnbb.exec:\nnhnbb.exe23⤵
- Executes dropped EXE
PID:1316 -
\??\c:\jjvdj.exec:\jjvdj.exe24⤵
- Executes dropped EXE
PID:1100 -
\??\c:\ffxlflx.exec:\ffxlflx.exe25⤵
- Executes dropped EXE
PID:3020 -
\??\c:\bthbnn.exec:\bthbnn.exe26⤵
- Executes dropped EXE
PID:2132 -
\??\c:\9rlrxfl.exec:\9rlrxfl.exe27⤵
- Executes dropped EXE
PID:1476 -
\??\c:\lfxfllr.exec:\lfxfllr.exe28⤵
- Executes dropped EXE
PID:1124 -
\??\c:\nbnnhh.exec:\nbnnhh.exe29⤵
- Executes dropped EXE
PID:2144 -
\??\c:\dvdjd.exec:\dvdjd.exe30⤵
- Executes dropped EXE
PID:2540 -
\??\c:\3xlrrxf.exec:\3xlrrxf.exe31⤵
- Executes dropped EXE
PID:1408 -
\??\c:\9llxlxr.exec:\9llxlxr.exe32⤵
- Executes dropped EXE
PID:1752 -
\??\c:\9hbbth.exec:\9hbbth.exe33⤵
- Executes dropped EXE
PID:1648 -
\??\c:\pjdjp.exec:\pjdjp.exe34⤵
- Executes dropped EXE
PID:1716 -
\??\c:\fxlrxxf.exec:\fxlrxxf.exe35⤵
- Executes dropped EXE
PID:2536 -
\??\c:\xfxfxlr.exec:\xfxfxlr.exe36⤵
- Executes dropped EXE
PID:2276 -
\??\c:\bthnnn.exec:\bthnnn.exe37⤵
- Executes dropped EXE
PID:1628 -
\??\c:\pjvvd.exec:\pjvvd.exe38⤵
- Executes dropped EXE
PID:2720 -
\??\c:\jvjdd.exec:\jvjdd.exe39⤵
- Executes dropped EXE
PID:2756 -
\??\c:\7rlxffr.exec:\7rlxffr.exe40⤵
- Executes dropped EXE
PID:2764 -
\??\c:\bbbbnt.exec:\bbbbnt.exe41⤵
- Executes dropped EXE
PID:2772 -
\??\c:\btbhnn.exec:\btbhnn.exe42⤵
- Executes dropped EXE
PID:2900 -
\??\c:\vddpp.exec:\vddpp.exe43⤵
- Executes dropped EXE
PID:2612 -
\??\c:\9vpjd.exec:\9vpjd.exe44⤵
- Executes dropped EXE
PID:2636 -
\??\c:\xxfrrfl.exec:\xxfrrfl.exe45⤵
- Executes dropped EXE
PID:2732 -
\??\c:\nntbhn.exec:\nntbhn.exe46⤵
- Executes dropped EXE
PID:2364 -
\??\c:\ttbnnb.exec:\ttbnnb.exe47⤵
- Executes dropped EXE
PID:2656 -
\??\c:\5jpdv.exec:\5jpdv.exe48⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:632 -
\??\c:\ddjpj.exec:\ddjpj.exe49⤵
- Executes dropped EXE
PID:576 -
\??\c:\rfrrxxf.exec:\rfrrxxf.exe50⤵
- Executes dropped EXE
PID:3040 -
\??\c:\fxlrflr.exec:\fxlrflr.exe51⤵
- Executes dropped EXE
PID:1404 -
\??\c:\htntnt.exec:\htntnt.exe52⤵
- Executes dropped EXE
PID:1004 -
\??\c:\5vjjp.exec:\5vjjp.exe53⤵
- Executes dropped EXE
PID:3028 -
\??\c:\jdvdj.exec:\jdvdj.exe54⤵
- Executes dropped EXE
PID:2928 -
\??\c:\lfffllf.exec:\lfffllf.exe55⤵
- Executes dropped EXE
PID:2600 -
\??\c:\llflrlf.exec:\llflrlf.exe56⤵
- Executes dropped EXE
PID:2356 -
\??\c:\hhthhn.exec:\hhthhn.exe57⤵
- Executes dropped EXE
PID:1680 -
\??\c:\1jdpp.exec:\1jdpp.exe58⤵
- Executes dropped EXE
PID:2516 -
\??\c:\pjvvp.exec:\pjvvp.exe59⤵
- Executes dropped EXE
PID:2316 -
\??\c:\fxrxlrx.exec:\fxrxlrx.exe60⤵
- Executes dropped EXE
PID:2372 -
\??\c:\rlfrlrx.exec:\rlfrlrx.exe61⤵
- Executes dropped EXE
PID:2384 -
\??\c:\bbnhht.exec:\bbnhht.exe62⤵
- Executes dropped EXE
PID:2120 -
\??\c:\btbhnn.exec:\btbhnn.exe63⤵
- Executes dropped EXE
PID:2400 -
\??\c:\vpddd.exec:\vpddd.exe64⤵
- Executes dropped EXE
PID:2288 -
\??\c:\3dvdj.exec:\3dvdj.exe65⤵
- Executes dropped EXE
PID:2592 -
\??\c:\fxrxlxf.exec:\fxrxlxf.exe66⤵PID:1860
-
\??\c:\fxlrflf.exec:\fxlrflf.exe67⤵PID:876
-
\??\c:\btnhth.exec:\btnhth.exe68⤵PID:1476
-
\??\c:\bbnthb.exec:\bbnthb.exe69⤵PID:1196
-
\??\c:\pjvdj.exec:\pjvdj.exe70⤵PID:2076
-
\??\c:\pjvjd.exec:\pjvjd.exe71⤵PID:2000
-
\??\c:\3frfffl.exec:\3frfffl.exe72⤵PID:2080
-
\??\c:\rrxlrxl.exec:\rrxlrxl.exe73⤵PID:2552
-
\??\c:\nhbhth.exec:\nhbhth.exe74⤵PID:1660
-
\??\c:\3dvpv.exec:\3dvpv.exe75⤵PID:1640
-
\??\c:\jdvvv.exec:\jdvvv.exe76⤵PID:2544
-
\??\c:\1frlxfl.exec:\1frlxfl.exe77⤵PID:2572
-
\??\c:\hbntnb.exec:\hbntnb.exe78⤵PID:2536
-
\??\c:\bthnnn.exec:\bthnnn.exe79⤵PID:2460
-
\??\c:\1djjp.exec:\1djjp.exe80⤵PID:1524
-
\??\c:\1pvvj.exec:\1pvvj.exe81⤵PID:2816
-
\??\c:\xrfflrf.exec:\xrfflrf.exe82⤵PID:2756
-
\??\c:\lfrxlfr.exec:\lfrxlfr.exe83⤵PID:2648
-
\??\c:\3tnhbb.exec:\3tnhbb.exe84⤵PID:2996
-
\??\c:\jjpjd.exec:\jjpjd.exe85⤵PID:2800
-
\??\c:\ddjpd.exec:\ddjpd.exe86⤵PID:2616
-
\??\c:\lrfxfff.exec:\lrfxfff.exe87⤵PID:2040
-
\??\c:\rlrrxfr.exec:\rlrrxfr.exe88⤵PID:2628
-
\??\c:\tntnnt.exec:\tntnnt.exe89⤵PID:1508
-
\??\c:\nhtbht.exec:\nhtbht.exe90⤵PID:2896
-
\??\c:\vvjpd.exec:\vvjpd.exe91⤵PID:1956
-
\??\c:\rlrlrrx.exec:\rlrlrrx.exe92⤵PID:2980
-
\??\c:\7lfflrl.exec:\7lfflrl.exe93⤵PID:1056
-
\??\c:\9htthh.exec:\9htthh.exe94⤵PID:1948
-
\??\c:\thtntt.exec:\thtntt.exe95⤵PID:2912
-
\??\c:\3dddp.exec:\3dddp.exe96⤵PID:2964
-
\??\c:\jdppp.exec:\jdppp.exe97⤵PID:2940
-
\??\c:\rlxrxxr.exec:\rlxrxxr.exe98⤵PID:1008
-
\??\c:\tnnbtt.exec:\tnnbtt.exe99⤵PID:1952
-
\??\c:\3nhhnn.exec:\3nhhnn.exe100⤵PID:2248
-
\??\c:\1vvdj.exec:\1vvdj.exe101⤵PID:1552
-
\??\c:\dvvdp.exec:\dvvdp.exe102⤵PID:2024
-
\??\c:\xrxlxxx.exec:\xrxlxxx.exe103⤵PID:828
-
\??\c:\rlllxfl.exec:\rlllxfl.exe104⤵PID:2944
-
\??\c:\3thttb.exec:\3thttb.exe105⤵PID:1548
-
\??\c:\nnhhbh.exec:\nnhhbh.exe106⤵PID:408
-
\??\c:\dvdjj.exec:\dvdjj.exe107⤵PID:1100
-
\??\c:\jdjjp.exec:\jdjjp.exe108⤵PID:1216
-
\??\c:\xxxfxlf.exec:\xxxfxlf.exe109⤵PID:2984
-
\??\c:\lxlfllr.exec:\lxlfllr.exe110⤵PID:924
-
\??\c:\tnbbnn.exec:\tnbbnn.exe111⤵PID:2500
-
\??\c:\5tntbb.exec:\5tntbb.exe112⤵PID:1124
-
\??\c:\vvjdp.exec:\vvjdp.exe113⤵PID:624
-
\??\c:\xxlllrx.exec:\xxlllrx.exe114⤵PID:604
-
\??\c:\rlxfllr.exec:\rlxfllr.exe115⤵PID:2492
-
\??\c:\tnnttb.exec:\tnnttb.exe116⤵PID:2540
-
\??\c:\bthnhb.exec:\bthnhb.exe117⤵PID:1432
-
\??\c:\dvdjv.exec:\dvdjv.exe118⤵PID:2256
-
\??\c:\5pdvv.exec:\5pdvv.exe119⤵PID:1656
-
\??\c:\xrlfrrf.exec:\xrlfrrf.exe120⤵PID:1716
-
\??\c:\1rllffl.exec:\1rllffl.exe121⤵PID:2396
-
\??\c:\nnnntt.exec:\nnnntt.exe122⤵PID:2280