Analysis
-
max time kernel
120s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
20/12/2024, 02:34
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
f689b1e5a7018296697fea7248d1d7e09434d97c907a717a24ecab0722c22a65N.exe
Resource
win7-20240903-en
7 signatures
120 seconds
General
-
Target
f689b1e5a7018296697fea7248d1d7e09434d97c907a717a24ecab0722c22a65N.exe
-
Size
454KB
-
MD5
dcc0713afae461656b0300b7f0c71ce0
-
SHA1
511a84f3d09b24835861c6915225c65ad1c0b444
-
SHA256
f689b1e5a7018296697fea7248d1d7e09434d97c907a717a24ecab0722c22a65
-
SHA512
fb543600d2a271ab833bb1e02dad1f81b7c3f1d02bd9034c3e61d2783090fb2fc30811506e5fd51b3dca2d935c38b859a343daa18b40b51710505c768d90825b
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbep:q7Tc2NYHUrAwfMp3CDp
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 47 IoCs
resource yara_rule behavioral1/memory/2504-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2332-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2468-27-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2840-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2412-44-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/2412-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2792-57-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2156-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1920-85-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1920-83-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2552-93-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3044-102-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/3044-104-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2056-113-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1888-121-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1888-123-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/820-131-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2000-144-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1664-159-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3036-176-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/760-185-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/1600-194-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1528-211-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1292-245-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1696-255-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/776-272-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/888-283-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/888-280-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2504-296-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/2504-301-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/1244-302-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2476-316-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1708-317-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2648-336-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2436-396-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/1476-462-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2896-475-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1196-599-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2904-782-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1612-988-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2256-1139-0x00000000002B0000-0x00000000002DA000-memory.dmp family_blackmoon behavioral1/memory/2256-1137-0x00000000002B0000-0x00000000002DA000-memory.dmp family_blackmoon 
behavioral1/memory/2696-1152-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2536-1177-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2784-1218-0x0000000000260000-0x000000000028A000-memory.dmp family_blackmoon behavioral1/memory/348-1240-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/348-1244-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2332 3frxfll.exe 2468 7lxlxfl.exe 2840 hhbhbb.exe 2412 thbttn.exe 2792 pppvj.exe 2156 3hbhnt.exe 2816 xrllfrl.exe 1920 9frxllf.exe 2552 ddvpj.exe 3044 7jdjp.exe 2056 1dvdj.exe 1888 ddvpd.exe 820 ddvdj.exe 1360 5nbhnn.exe 2000 5jvpj.exe 1664 lfrxxfx.exe 2872 ppppj.exe 3036 lllrxfl.exe 760 9lffrxl.exe 1600 bbbbth.exe 1948 5jdpd.exe 1528 1rlrflx.exe 1656 pjdvd.exe 900 rrflrff.exe 2196 ddvjv.exe 1292 xrfllfr.exe 1696 bhthtt.exe 1660 vvpvd.exe 776 flflrrf.exe 888 ppppd.exe 656 3tnnnh.exe 2504 5tbhnt.exe 1244 3dddj.exe 2476 frfxllf.exe 1708 vpjjd.exe 2944 5lflxfr.exe 2648 fxxfllr.exe 2692 7hntbh.exe 2820 1vvdp.exe 2700 xxlrffr.exe 3032 rxxffff.exe 2824 7tntbb.exe 2604 vjdvp.exe 3048 lllfllx.exe 3040 9hhntt.exe 2436 hbtntt.exe 2876 1ddvj.exe 1436 xxrxlrf.exe 1464 rlfxxxf.exe 2528 hbthnn.exe 952 ddvdd.exe 1992 ffrxlrf.exe 804 7lfrxfl.exe 2940 nnhnhb.exe 1576 vpdpd.exe 2976 vdvjp.exe 1476 lfrrrxf.exe 2896 bbtnhn.exe 2356 pdpvj.exe 2112 jdvdv.exe 2496 rxrfffx.exe 1632 bhthnn.exe 2904 5vvjp.exe 700 jvppd.exe -
resource yara_rule behavioral1/memory/2332-9-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2504-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2332-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2468-27-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2840-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2412-44-0x00000000003C0000-0x00000000003EA000-memory.dmp upx behavioral1/memory/2412-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2792-57-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2156-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1920-81-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/1920-85-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2552-93-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3044-104-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2056-113-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1888-123-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/820-131-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2000-144-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1664-159-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3036-176-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/760-185-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1600-194-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1528-211-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1292-245-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1696-255-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/776-272-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/888-283-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1244-302-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2476-316-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1708-317-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2648-336-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2700-355-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/1476-462-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2896-475-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2904-500-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2296-574-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1196-599-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2828-648-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2896-745-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2904-782-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2100-807-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1612-988-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2728-989-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1416-1014-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1956-1039-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2256-1137-0x00000000002B0000-0x00000000002DA000-memory.dmp upx behavioral1/memory/2164-1204-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/348-1240-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2904-1319-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer that host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvdpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1jdpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbtttt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdvjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxrflxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9nttbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdjpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnhtnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlrrlrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdvjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxllxfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7xxfrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btnttb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxfxxrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dddjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfxxlrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrflrfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fffrlxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvvvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2504 wrote to memory of 2332 2504 f689b1e5a7018296697fea7248d1d7e09434d97c907a717a24ecab0722c22a65N.exe 31 PID 2504 wrote to memory of 2332 2504 f689b1e5a7018296697fea7248d1d7e09434d97c907a717a24ecab0722c22a65N.exe 31 PID 2504 wrote to memory of 2332 2504 f689b1e5a7018296697fea7248d1d7e09434d97c907a717a24ecab0722c22a65N.exe 31 PID 2504 wrote to memory of 2332 2504 f689b1e5a7018296697fea7248d1d7e09434d97c907a717a24ecab0722c22a65N.exe 31 PID 2332 wrote to memory of 2468 2332 3frxfll.exe 32 PID 2332 wrote to memory of 2468 2332 3frxfll.exe 32 PID 2332 wrote to memory of 2468 2332 3frxfll.exe 32 PID 2332 wrote to memory of 2468 2332 3frxfll.exe 32 PID 2468 wrote to memory of 2840 2468 7lxlxfl.exe 33 PID 2468 wrote to memory of 2840 2468 7lxlxfl.exe 33 PID 2468 wrote to memory of 2840 2468 7lxlxfl.exe 33 PID 2468 wrote to memory of 2840 2468 7lxlxfl.exe 33 PID 2840 wrote to memory of 2412 2840 hhbhbb.exe 34 PID 2840 wrote to memory of 2412 2840 hhbhbb.exe 34 PID 2840 wrote to memory of 2412 2840 hhbhbb.exe 34 PID 2840 wrote to memory of 2412 2840 hhbhbb.exe 34 PID 2412 wrote to memory of 2792 2412 thbttn.exe 35 PID 2412 wrote to memory of 2792 2412 thbttn.exe 35 PID 2412 wrote to memory of 2792 2412 thbttn.exe 35 PID 2412 wrote to memory of 2792 2412 thbttn.exe 35 PID 2792 wrote to memory of 2156 2792 pppvj.exe 36 PID 2792 wrote to memory of 2156 2792 pppvj.exe 36 PID 2792 wrote to memory of 2156 2792 pppvj.exe 36 PID 2792 wrote to memory of 2156 2792 pppvj.exe 36 PID 2156 wrote to memory of 2816 2156 3hbhnt.exe 37 PID 2156 wrote to memory of 2816 2156 3hbhnt.exe 37 PID 2156 wrote to memory of 2816 2156 3hbhnt.exe 37 PID 2156 wrote to memory of 2816 2156 3hbhnt.exe 37 PID 2816 wrote to memory of 1920 2816 xrllfrl.exe 38 PID 2816 wrote to memory of 1920 2816 xrllfrl.exe 38 PID 2816 wrote to memory of 1920 2816 xrllfrl.exe 38 PID 2816 wrote to memory of 1920 2816 xrllfrl.exe 38 PID 1920 wrote to memory of 2552 1920 9frxllf.exe 39 
PID 1920 wrote to memory of 2552 1920 9frxllf.exe 39 PID 1920 wrote to memory of 2552 1920 9frxllf.exe 39 PID 1920 wrote to memory of 2552 1920 9frxllf.exe 39 PID 2552 wrote to memory of 3044 2552 ddvpj.exe 40 PID 2552 wrote to memory of 3044 2552 ddvpj.exe 40 PID 2552 wrote to memory of 3044 2552 ddvpj.exe 40 PID 2552 wrote to memory of 3044 2552 ddvpj.exe 40 PID 3044 wrote to memory of 2056 3044 7jdjp.exe 41 PID 3044 wrote to memory of 2056 3044 7jdjp.exe 41 PID 3044 wrote to memory of 2056 3044 7jdjp.exe 41 PID 3044 wrote to memory of 2056 3044 7jdjp.exe 41 PID 2056 wrote to memory of 1888 2056 1dvdj.exe 42 PID 2056 wrote to memory of 1888 2056 1dvdj.exe 42 PID 2056 wrote to memory of 1888 2056 1dvdj.exe 42 PID 2056 wrote to memory of 1888 2056 1dvdj.exe 42 PID 1888 wrote to memory of 820 1888 ddvpd.exe 43 PID 1888 wrote to memory of 820 1888 ddvpd.exe 43 PID 1888 wrote to memory of 820 1888 ddvpd.exe 43 PID 1888 wrote to memory of 820 1888 ddvpd.exe 43 PID 820 wrote to memory of 1360 820 ddvdj.exe 44 PID 820 wrote to memory of 1360 820 ddvdj.exe 44 PID 820 wrote to memory of 1360 820 ddvdj.exe 44 PID 820 wrote to memory of 1360 820 ddvdj.exe 44 PID 1360 wrote to memory of 2000 1360 5nbhnn.exe 45 PID 1360 wrote to memory of 2000 1360 5nbhnn.exe 45 PID 1360 wrote to memory of 2000 1360 5nbhnn.exe 45 PID 1360 wrote to memory of 2000 1360 5nbhnn.exe 45 PID 2000 wrote to memory of 1664 2000 5jvpj.exe 46 PID 2000 wrote to memory of 1664 2000 5jvpj.exe 46 PID 2000 wrote to memory of 1664 2000 5jvpj.exe 46 PID 2000 wrote to memory of 1664 2000 5jvpj.exe 46
Processes
-
C:\Users\Admin\AppData\Local\Temp\f689b1e5a7018296697fea7248d1d7e09434d97c907a717a24ecab0722c22a65N.exe"C:\Users\Admin\AppData\Local\Temp\f689b1e5a7018296697fea7248d1d7e09434d97c907a717a24ecab0722c22a65N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2504 -
\??\c:\3frxfll.exec:\3frxfll.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2332 -
\??\c:\7lxlxfl.exec:\7lxlxfl.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2468 -
\??\c:\hhbhbb.exec:\hhbhbb.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2840 -
\??\c:\thbttn.exec:\thbttn.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2412 -
\??\c:\pppvj.exec:\pppvj.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2792 -
\??\c:\3hbhnt.exec:\3hbhnt.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2156 -
\??\c:\xrllfrl.exec:\xrllfrl.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2816 -
\??\c:\9frxllf.exec:\9frxllf.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1920 -
\??\c:\ddvpj.exec:\ddvpj.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2552 -
\??\c:\7jdjp.exec:\7jdjp.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3044 -
\??\c:\1dvdj.exec:\1dvdj.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2056 -
\??\c:\ddvpd.exec:\ddvpd.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1888 -
\??\c:\ddvdj.exec:\ddvdj.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:820 -
\??\c:\5nbhnn.exec:\5nbhnn.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1360 -
\??\c:\5jvpj.exec:\5jvpj.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2000 -
\??\c:\lfrxxfx.exec:\lfrxxfx.exe17⤵
- Executes dropped EXE
PID:1664 -
\??\c:\ppppj.exec:\ppppj.exe18⤵
- Executes dropped EXE
PID:2872 -
\??\c:\lllrxfl.exec:\lllrxfl.exe19⤵
- Executes dropped EXE
PID:3036 -
\??\c:\9lffrxl.exec:\9lffrxl.exe20⤵
- Executes dropped EXE
PID:760 -
\??\c:\bbbbth.exec:\bbbbth.exe21⤵
- Executes dropped EXE
PID:1600 -
\??\c:\5jdpd.exec:\5jdpd.exe22⤵
- Executes dropped EXE
PID:1948 -
\??\c:\1rlrflx.exec:\1rlrflx.exe23⤵
- Executes dropped EXE
PID:1528 -
\??\c:\pjdvd.exec:\pjdvd.exe24⤵
- Executes dropped EXE
PID:1656 -
\??\c:\rrflrff.exec:\rrflrff.exe25⤵
- Executes dropped EXE
PID:900 -
\??\c:\ddvjv.exec:\ddvjv.exe26⤵
- Executes dropped EXE
PID:2196 -
\??\c:\xrfllfr.exec:\xrfllfr.exe27⤵
- Executes dropped EXE
PID:1292 -
\??\c:\bhthtt.exec:\bhthtt.exe28⤵
- Executes dropped EXE
PID:1696 -
\??\c:\vvpvd.exec:\vvpvd.exe29⤵
- Executes dropped EXE
PID:1660 -
\??\c:\flflrrf.exec:\flflrrf.exe30⤵
- Executes dropped EXE
PID:776 -
\??\c:\ppppd.exec:\ppppd.exe31⤵
- Executes dropped EXE
PID:888 -
\??\c:\3tnnnh.exec:\3tnnnh.exe32⤵
- Executes dropped EXE
PID:656 -
\??\c:\5tbhnt.exec:\5tbhnt.exe33⤵
- Executes dropped EXE
PID:2504 -
\??\c:\3dddj.exec:\3dddj.exe34⤵
- Executes dropped EXE
PID:1244 -
\??\c:\frfxllf.exec:\frfxllf.exe35⤵
- Executes dropped EXE
PID:2476 -
\??\c:\vpjjd.exec:\vpjjd.exe36⤵
- Executes dropped EXE
PID:1708 -
\??\c:\5lflxfr.exec:\5lflxfr.exe37⤵
- Executes dropped EXE
PID:2944 -
\??\c:\fxxfllr.exec:\fxxfllr.exe38⤵
- Executes dropped EXE
PID:2648 -
\??\c:\7hntbh.exec:\7hntbh.exe39⤵
- Executes dropped EXE
PID:2692 -
\??\c:\1vvdp.exec:\1vvdp.exe40⤵
- Executes dropped EXE
PID:2820 -
\??\c:\xxlrffr.exec:\xxlrffr.exe41⤵
- Executes dropped EXE
PID:2700 -
\??\c:\rxxffff.exec:\rxxffff.exe42⤵
- Executes dropped EXE
PID:3032 -
\??\c:\7tntbb.exec:\7tntbb.exe43⤵
- Executes dropped EXE
PID:2824 -
\??\c:\vjdvp.exec:\vjdvp.exe44⤵
- Executes dropped EXE
PID:2604 -
\??\c:\lllfllx.exec:\lllfllx.exe45⤵
- Executes dropped EXE
PID:3048 -
\??\c:\9hhntt.exec:\9hhntt.exe46⤵
- Executes dropped EXE
PID:3040 -
\??\c:\hbtntt.exec:\hbtntt.exe47⤵
- Executes dropped EXE
PID:2436 -
\??\c:\1ddvj.exec:\1ddvj.exe48⤵
- Executes dropped EXE
PID:2876 -
\??\c:\xxrxlrf.exec:\xxrxlrf.exe49⤵
- Executes dropped EXE
PID:1436 -
\??\c:\rlfxxxf.exec:\rlfxxxf.exe50⤵
- Executes dropped EXE
PID:1464 -
\??\c:\hbthnn.exec:\hbthnn.exe51⤵
- Executes dropped EXE
PID:2528 -
\??\c:\ddvdd.exec:\ddvdd.exe52⤵
- Executes dropped EXE
PID:952 -
\??\c:\ffrxlrf.exec:\ffrxlrf.exe53⤵
- Executes dropped EXE
PID:1992 -
\??\c:\7lfrxfl.exec:\7lfrxfl.exe54⤵
- Executes dropped EXE
PID:804 -
\??\c:\nnhnhb.exec:\nnhnhb.exe55⤵
- Executes dropped EXE
PID:2940 -
\??\c:\vpdpd.exec:\vpdpd.exe56⤵
- Executes dropped EXE
PID:1576 -
\??\c:\vdvjp.exec:\vdvjp.exe57⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2976 -
\??\c:\lfrrrxf.exec:\lfrrrxf.exe58⤵
- Executes dropped EXE
PID:1476 -
\??\c:\bbtnhn.exec:\bbtnhn.exe59⤵
- Executes dropped EXE
PID:2896 -
\??\c:\pdpvj.exec:\pdpvj.exe60⤵
- Executes dropped EXE
PID:2356 -
\??\c:\jdvdv.exec:\jdvdv.exe61⤵
- Executes dropped EXE
PID:2112 -
\??\c:\rxrfffx.exec:\rxrfffx.exe62⤵
- Executes dropped EXE
PID:2496 -
\??\c:\bhthnn.exec:\bhthnn.exe63⤵
- Executes dropped EXE
PID:1632 -
\??\c:\5vvjp.exec:\5vvjp.exe64⤵
- Executes dropped EXE
PID:2904 -
\??\c:\jvppd.exec:\jvppd.exe65⤵
- Executes dropped EXE
PID:700 -
\??\c:\5lllrrf.exec:\5lllrrf.exe66⤵PID:1892
-
\??\c:\bbthtt.exec:\bbthtt.exe67⤵PID:784
-
\??\c:\nhntbb.exec:\nhntbb.exe68⤵PID:2116
-
\??\c:\vpjpd.exec:\vpjpd.exe69⤵PID:2432
-
\??\c:\3xfxrxl.exec:\3xfxrxl.exe70⤵PID:2132
-
\??\c:\thhhnt.exec:\thhhnt.exe71⤵PID:1008
-
\??\c:\tnntnb.exec:\tnntnb.exe72⤵PID:1788
-
\??\c:\vdddj.exec:\vdddj.exe73⤵PID:888
-
\??\c:\rrrfllx.exec:\rrrfllx.exe74⤵PID:656
-
\??\c:\1hthhn.exec:\1hthhn.exe75⤵PID:3008
-
\??\c:\bbttnh.exec:\bbttnh.exe76⤵PID:2296
-
\??\c:\ppddp.exec:\ppddp.exe77⤵PID:2176
-
\??\c:\vppvd.exec:\vppvd.exe78⤵PID:1740
-
\??\c:\rlxrxfl.exec:\rlxrxfl.exe79⤵PID:1196
-
\??\c:\3bnttb.exec:\3bnttb.exe80⤵PID:2644
-
\??\c:\djvpv.exec:\djvpv.exe81⤵PID:2748
-
\??\c:\lllrrxl.exec:\lllrrxl.exe82⤵PID:2664
-
\??\c:\fxrxllx.exec:\fxrxllx.exe83⤵PID:2808
-
\??\c:\7tntbh.exec:\7tntbh.exe84⤵PID:2900
-
\??\c:\dvjpd.exec:\dvjpd.exe85⤵PID:2816
-
\??\c:\fllrfrl.exec:\fllrfrl.exe86⤵PID:2540
-
\??\c:\3xlxxlf.exec:\3xlxxlf.exe87⤵PID:2824
-
\??\c:\3ttntt.exec:\3ttntt.exe88⤵PID:2828
-
\??\c:\jpjpd.exec:\jpjpd.exe89⤵PID:1440
-
\??\c:\1djjp.exec:\1djjp.exe90⤵PID:2724
-
\??\c:\fflrflx.exec:\fflrflx.exe91⤵PID:2788
-
\??\c:\5nhntt.exec:\5nhntt.exe92⤵PID:2052
-
\??\c:\3pddj.exec:\3pddj.exe93⤵PID:1800
-
\??\c:\pjjpj.exec:\pjjpj.exe94⤵PID:2352
-
\??\c:\llfrllx.exec:\llfrllx.exe95⤵PID:1908
-
\??\c:\hnhtnt.exec:\hnhtnt.exe96⤵
- System Location Discovery: System Language Discovery
PID:2856 -
\??\c:\9bnnnt.exec:\9bnnnt.exe97⤵PID:2640
-
\??\c:\jjpvd.exec:\jjpvd.exe98⤵PID:2948
-
\??\c:\7llrrfl.exec:\7llrrfl.exe99⤵PID:2852
-
\??\c:\rllrflx.exec:\rllrflx.exe100⤵PID:840
-
\??\c:\hnhtbh.exec:\hnhtbh.exe101⤵PID:1544
-
\??\c:\jjjdv.exec:\jjjdv.exe102⤵PID:1736
-
\??\c:\lrffxfr.exec:\lrffxfr.exe103⤵PID:1416
-
\??\c:\9lfflrf.exec:\9lfflrf.exe104⤵PID:2896
-
\??\c:\hbhnnh.exec:\hbhnnh.exe105⤵PID:1832
-
\??\c:\7vddd.exec:\7vddd.exe106⤵PID:2112
-
\??\c:\fxrrxfl.exec:\fxrrxfl.exe107⤵PID:1972
-
\??\c:\xfflxlx.exec:\xfflxlx.exe108⤵PID:1632
-
\??\c:\1nhhnn.exec:\1nhhnn.exe109⤵PID:2904
-
\??\c:\7dpvd.exec:\7dpvd.exe110⤵PID:900
-
\??\c:\rrflrfr.exec:\rrflrfr.exe111⤵
- System Location Discovery: System Language Discovery
PID:696 -
\??\c:\lfxlxfl.exec:\lfxlxfl.exe112⤵PID:784
-
\??\c:\3thbhn.exec:\3thbhn.exe113⤵PID:2076
-
\??\c:\jjvjv.exec:\jjvjv.exe114⤵PID:2100
-
\??\c:\vvpdp.exec:\vvpdp.exe115⤵PID:3028
-
\??\c:\llfflrx.exec:\llfflrx.exe116⤵PID:1008
-
\??\c:\1bbbhh.exec:\1bbbhh.exe117⤵PID:572
-
\??\c:\jdjjv.exec:\jdjjv.exe118⤵PID:888
-
\??\c:\1rxxffl.exec:\1rxxffl.exe119⤵PID:2504
-
\??\c:\ntbtnh.exec:\ntbtnh.exe120⤵PID:2956
-
\??\c:\pppvj.exec:\pppvj.exe121⤵PID:1364
-
\??\c:\ffflffr.exec:\ffflffr.exe122⤵PID:2720