Analysis
-
max time kernel
120s -
max time network
17s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
20-12-2024 06:53
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
efa2f1020fda74a155ca50c25888a6c5380723d4f0c3c2a8dbd4af67149bfe65N.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
120 seconds
General
-
Target
efa2f1020fda74a155ca50c25888a6c5380723d4f0c3c2a8dbd4af67149bfe65N.exe
-
Size
453KB
-
MD5
97baf383e69e610c067501a786f27fd0
-
SHA1
8efd084169d886c481d101fc7489c6ade4c416cc
-
SHA256
efa2f1020fda74a155ca50c25888a6c5380723d4f0c3c2a8dbd4af67149bfe65
-
SHA512
c5ce3a570fde8a15262ac27e224e91e74f0d9bcdb68c21e977d0fc911e1e70213400ec1a5c359f60c31b989cc3bf2625662baad47b8343f16f14b6c2621e1979
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe0:q7Tc2NYHUrAwfMp3CD0
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 45 IoCs
resource yara_rule behavioral1/memory/2748-8-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2776-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2564-26-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2780-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2692-46-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3044-64-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/792-76-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1996-74-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3016-93-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2180-101-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2868-111-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2932-119-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2888-128-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3028-137-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1868-147-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2432-172-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2320-181-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2192-191-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2288-217-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/916-257-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2792-303-0x0000000000230000-0x000000000025A000-memory.dmp family_blackmoon 
behavioral1/memory/1540-310-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2744-329-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2692-337-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/320-362-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2120-436-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1776-452-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2460-477-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1192-496-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2012-527-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2444-570-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2764-577-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2708-584-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2444-597-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2580-610-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1884-783-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1892-798-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2416-836-0x0000000001C50000-0x0000000001C7A000-memory.dmp family_blackmoon behavioral1/memory/2448-889-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2260-944-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/2936-982-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/1196-1050-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/1884-1069-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1884-1096-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/664-1211-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2776 jpdvj.exe 2564 tbtntn.exe 2780 xflrxxr.exe 2692 flrfrfx.exe 2572 hhhntb.exe 3044 vdpdd.exe 1996 ttbhht.exe 792 7bbtht.exe 3016 ddvdv.exe 2180 bbbnht.exe 2868 vjjjv.exe 2932 jppdj.exe 2888 rfrxxrr.exe 3028 vvdvj.exe 1868 rfxrflf.exe 1860 dvvdj.exe 2784 rxlxlxr.exe 2432 jjddp.exe 2320 rxfxlxl.exe 2192 vddpj.exe 2008 rffxrff.exe 1580 dpjjd.exe 1116 lrlfxll.exe 2288 djpvv.exe 352 rrxlfxx.exe 1556 rfxrxrl.exe 1380 5lrxlxr.exe 916 jpvjd.exe 2488 xxxrlrr.exe 2524 lrrxlff.exe 2040 bbtbnt.exe 2952 lrxlfrr.exe 2092 xlrlffr.exe 2792 pvdpj.exe 1540 xxxlfrl.exe 2820 ttbtnh.exe 2716 jvvpj.exe 2744 rrlxlll.exe 2780 rlxxrxl.exe 2692 bhhnht.exe 2728 jppdp.exe 2572 7flllrf.exe 320 5bnnbb.exe 716 ddpvv.exe 792 lrlxlxr.exe 580 hnnhbn.exe 2080 dvjvp.exe 2176 9lflfrf.exe 2872 ttbhhn.exe 1716 ddjpp.exe 1724 vddjv.exe 2356 rxlxlxr.exe 1784 nnnttb.exe 2404 pvvdv.exe 2120 ffllxrf.exe 1696 tbbhht.exe 2976 ddvjv.exe 1776 3xxlflf.exe 2132 tbbbth.exe 2232 1dvdj.exe 2460 rfrxlxr.exe 1420 bbhnbb.exe 1732 ppdpp.exe 1192 fffxlll.exe -
resource yara_rule behavioral1/memory/2748-0-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2748-8-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2776-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2564-26-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2692-38-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2780-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2692-46-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3044-64-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/792-76-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1996-74-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3016-93-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2180-101-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2868-111-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2932-119-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2888-128-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3028-137-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1868-147-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2432-172-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2320-181-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2192-191-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2288-217-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1540-310-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2744-329-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2692-337-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/320-362-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/716-363-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2976-445-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1776-452-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2460-477-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2012-527-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2764-577-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2708-584-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2580-610-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/868-666-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2872-679-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1884-783-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1892-798-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2620-903-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2852-957-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1196-1043-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1196-1050-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1056-1082-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/1256-1184-0x00000000003D0000-0x00000000003FA000-memory.dmp upx behavioral1/memory/664-1211-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1052-1250-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2988-1275-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim host in order to infer that host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9lflxlr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rffxrff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7tthbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpjpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxxffrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5tntbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xllffrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhntht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rllfrxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7thhnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9dddp.exe Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djjvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frlrxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5bbhth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pddpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxlrflx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnntht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjvdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thhbtb.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2748 wrote to memory of 2776 2748 efa2f1020fda74a155ca50c25888a6c5380723d4f0c3c2a8dbd4af67149bfe65N.exe 30 PID 2748 wrote to memory of 2776 2748 efa2f1020fda74a155ca50c25888a6c5380723d4f0c3c2a8dbd4af67149bfe65N.exe 30 PID 2748 wrote to memory of 2776 2748 efa2f1020fda74a155ca50c25888a6c5380723d4f0c3c2a8dbd4af67149bfe65N.exe 30 PID 2748 wrote to memory of 2776 2748 efa2f1020fda74a155ca50c25888a6c5380723d4f0c3c2a8dbd4af67149bfe65N.exe 30 PID 2776 wrote to memory of 2564 2776 jpdvj.exe 31 PID 2776 wrote to memory of 2564 2776 jpdvj.exe 31 PID 2776 wrote to memory of 2564 2776 jpdvj.exe 31 PID 2776 wrote to memory of 2564 2776 jpdvj.exe 31 PID 2564 wrote to memory of 2780 2564 tbtntn.exe 32 PID 2564 wrote to memory of 2780 2564 tbtntn.exe 32 PID 2564 wrote to memory of 2780 2564 tbtntn.exe 32 PID 2564 wrote to memory of 2780 2564 tbtntn.exe 32 PID 2780 wrote to memory of 2692 2780 xflrxxr.exe 33 PID 2780 wrote to memory of 2692 2780 xflrxxr.exe 33 PID 2780 wrote to memory of 2692 2780 xflrxxr.exe 33 PID 2780 wrote to memory of 2692 2780 xflrxxr.exe 33 PID 2692 wrote to memory of 2572 2692 flrfrfx.exe 34 PID 2692 wrote to memory of 2572 2692 flrfrfx.exe 34 PID 2692 wrote to memory of 2572 2692 flrfrfx.exe 34 PID 2692 wrote to memory of 2572 2692 flrfrfx.exe 34 PID 2572 wrote to memory of 3044 2572 hhhntb.exe 35 PID 2572 wrote to memory of 3044 2572 hhhntb.exe 35 PID 2572 wrote to memory of 3044 2572 hhhntb.exe 35 PID 2572 wrote to memory of 3044 2572 hhhntb.exe 35 PID 3044 wrote to memory of 1996 3044 vdpdd.exe 36 PID 3044 wrote to memory of 1996 3044 vdpdd.exe 36 PID 3044 wrote to memory of 1996 3044 vdpdd.exe 36 PID 3044 wrote to memory of 1996 3044 vdpdd.exe 36 PID 1996 wrote to memory of 792 1996 ttbhht.exe 37 PID 1996 wrote to memory of 792 1996 ttbhht.exe 37 PID 1996 wrote to memory of 792 1996 ttbhht.exe 37 PID 1996 wrote to memory of 792 1996 ttbhht.exe 37 PID 792 wrote to memory of 3016 792 7bbtht.exe 38 PID 792 wrote 
to memory of 3016 792 7bbtht.exe 38 PID 792 wrote to memory of 3016 792 7bbtht.exe 38 PID 792 wrote to memory of 3016 792 7bbtht.exe 38 PID 3016 wrote to memory of 2180 3016 ddvdv.exe 39 PID 3016 wrote to memory of 2180 3016 ddvdv.exe 39 PID 3016 wrote to memory of 2180 3016 ddvdv.exe 39 PID 3016 wrote to memory of 2180 3016 ddvdv.exe 39 PID 2180 wrote to memory of 2868 2180 bbbnht.exe 40 PID 2180 wrote to memory of 2868 2180 bbbnht.exe 40 PID 2180 wrote to memory of 2868 2180 bbbnht.exe 40 PID 2180 wrote to memory of 2868 2180 bbbnht.exe 40 PID 2868 wrote to memory of 2932 2868 vjjjv.exe 41 PID 2868 wrote to memory of 2932 2868 vjjjv.exe 41 PID 2868 wrote to memory of 2932 2868 vjjjv.exe 41 PID 2868 wrote to memory of 2932 2868 vjjjv.exe 41 PID 2932 wrote to memory of 2888 2932 jppdj.exe 42 PID 2932 wrote to memory of 2888 2932 jppdj.exe 42 PID 2932 wrote to memory of 2888 2932 jppdj.exe 42 PID 2932 wrote to memory of 2888 2932 jppdj.exe 42 PID 2888 wrote to memory of 3028 2888 rfrxxrr.exe 43 PID 2888 wrote to memory of 3028 2888 rfrxxrr.exe 43 PID 2888 wrote to memory of 3028 2888 rfrxxrr.exe 43 PID 2888 wrote to memory of 3028 2888 rfrxxrr.exe 43 PID 3028 wrote to memory of 1868 3028 vvdvj.exe 44 PID 3028 wrote to memory of 1868 3028 vvdvj.exe 44 PID 3028 wrote to memory of 1868 3028 vvdvj.exe 44 PID 3028 wrote to memory of 1868 3028 vvdvj.exe 44 PID 1868 wrote to memory of 1860 1868 rfxrflf.exe 45 PID 1868 wrote to memory of 1860 1868 rfxrflf.exe 45 PID 1868 wrote to memory of 1860 1868 rfxrflf.exe 45 PID 1868 wrote to memory of 1860 1868 rfxrflf.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\efa2f1020fda74a155ca50c25888a6c5380723d4f0c3c2a8dbd4af67149bfe65N.exe"C:\Users\Admin\AppData\Local\Temp\efa2f1020fda74a155ca50c25888a6c5380723d4f0c3c2a8dbd4af67149bfe65N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2748 -
\??\c:\jpdvj.exec:\jpdvj.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2776 -
\??\c:\tbtntn.exec:\tbtntn.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2564 -
\??\c:\xflrxxr.exec:\xflrxxr.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2780 -
\??\c:\flrfrfx.exec:\flrfrfx.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2692 -
\??\c:\hhhntb.exec:\hhhntb.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2572 -
\??\c:\vdpdd.exec:\vdpdd.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3044 -
\??\c:\ttbhht.exec:\ttbhht.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1996 -
\??\c:\7bbtht.exec:\7bbtht.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:792 -
\??\c:\ddvdv.exec:\ddvdv.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3016 -
\??\c:\bbbnht.exec:\bbbnht.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2180 -
\??\c:\vjjjv.exec:\vjjjv.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2868 -
\??\c:\jppdj.exec:\jppdj.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2932 -
\??\c:\rfrxxrr.exec:\rfrxxrr.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2888 -
\??\c:\vvdvj.exec:\vvdvj.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3028 -
\??\c:\rfxrflf.exec:\rfxrflf.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1868 -
\??\c:\dvvdj.exec:\dvvdj.exe17⤵
- Executes dropped EXE
PID:1860 -
\??\c:\rxlxlxr.exec:\rxlxlxr.exe18⤵
- Executes dropped EXE
PID:2784 -
\??\c:\jjddp.exec:\jjddp.exe19⤵
- Executes dropped EXE
PID:2432 -
\??\c:\rxfxlxl.exec:\rxfxlxl.exe20⤵
- Executes dropped EXE
PID:2320 -
\??\c:\vddpj.exec:\vddpj.exe21⤵
- Executes dropped EXE
PID:2192 -
\??\c:\rffxrff.exec:\rffxrff.exe22⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2008 -
\??\c:\dpjjd.exec:\dpjjd.exe23⤵
- Executes dropped EXE
PID:1580 -
\??\c:\lrlfxll.exec:\lrlfxll.exe24⤵
- Executes dropped EXE
PID:1116 -
\??\c:\djpvv.exec:\djpvv.exe25⤵
- Executes dropped EXE
PID:2288 -
\??\c:\rrxlfxx.exec:\rrxlfxx.exe26⤵
- Executes dropped EXE
PID:352 -
\??\c:\rfxrxrl.exec:\rfxrxrl.exe27⤵
- Executes dropped EXE
PID:1556 -
\??\c:\5lrxlxr.exec:\5lrxlxr.exe28⤵
- Executes dropped EXE
PID:1380 -
\??\c:\jpvjd.exec:\jpvjd.exe29⤵
- Executes dropped EXE
PID:916 -
\??\c:\xxxrlrr.exec:\xxxrlrr.exe30⤵
- Executes dropped EXE
PID:2488 -
\??\c:\lrrxlff.exec:\lrrxlff.exe31⤵
- Executes dropped EXE
PID:2524 -
\??\c:\bbtbnt.exec:\bbtbnt.exe32⤵
- Executes dropped EXE
PID:2040 -
\??\c:\lrxlfrr.exec:\lrxlfrr.exe33⤵
- Executes dropped EXE
PID:2952 -
\??\c:\xlrlffr.exec:\xlrlffr.exe34⤵
- Executes dropped EXE
PID:2092 -
\??\c:\pvdpj.exec:\pvdpj.exe35⤵
- Executes dropped EXE
PID:2792 -
\??\c:\xxxlfrl.exec:\xxxlfrl.exe36⤵
- Executes dropped EXE
PID:1540 -
\??\c:\ttbtnh.exec:\ttbtnh.exe37⤵
- Executes dropped EXE
PID:2820 -
\??\c:\jvvpj.exec:\jvvpj.exe38⤵
- Executes dropped EXE
PID:2716 -
\??\c:\rrlxlll.exec:\rrlxlll.exe39⤵
- Executes dropped EXE
PID:2744 -
\??\c:\rlxxrxl.exec:\rlxxrxl.exe40⤵
- Executes dropped EXE
PID:2780 -
\??\c:\bhhnht.exec:\bhhnht.exe41⤵
- Executes dropped EXE
PID:2692 -
\??\c:\jppdp.exec:\jppdp.exe42⤵
- Executes dropped EXE
PID:2728 -
\??\c:\7flllrf.exec:\7flllrf.exe43⤵
- Executes dropped EXE
PID:2572 -
\??\c:\5bnnbb.exec:\5bnnbb.exe44⤵
- Executes dropped EXE
PID:320 -
\??\c:\ddpvv.exec:\ddpvv.exe45⤵
- Executes dropped EXE
PID:716 -
\??\c:\lrlxlxr.exec:\lrlxlxr.exe46⤵
- Executes dropped EXE
PID:792 -
\??\c:\hnnhbn.exec:\hnnhbn.exe47⤵
- Executes dropped EXE
PID:580 -
\??\c:\dvjvp.exec:\dvjvp.exe48⤵
- Executes dropped EXE
PID:2080 -
\??\c:\9lflfrf.exec:\9lflfrf.exe49⤵
- Executes dropped EXE
PID:2176 -
\??\c:\ttbhhn.exec:\ttbhhn.exe50⤵
- Executes dropped EXE
PID:2872 -
\??\c:\ddjpp.exec:\ddjpp.exe51⤵
- Executes dropped EXE
PID:1716 -
\??\c:\vddjv.exec:\vddjv.exe52⤵
- Executes dropped EXE
PID:1724 -
\??\c:\rxlxlxr.exec:\rxlxlxr.exe53⤵
- Executes dropped EXE
PID:2356 -
\??\c:\nnnttb.exec:\nnnttb.exe54⤵
- Executes dropped EXE
PID:1784 -
\??\c:\pvvdv.exec:\pvvdv.exe55⤵
- Executes dropped EXE
PID:2404 -
\??\c:\ffllxrf.exec:\ffllxrf.exe56⤵
- Executes dropped EXE
PID:2120 -
\??\c:\tbbhht.exec:\tbbhht.exe57⤵
- Executes dropped EXE
PID:1696 -
\??\c:\ddvjv.exec:\ddvjv.exe58⤵
- Executes dropped EXE
PID:2976 -
\??\c:\3xxlflf.exec:\3xxlflf.exe59⤵
- Executes dropped EXE
PID:1776 -
\??\c:\tbbbth.exec:\tbbbth.exe60⤵
- Executes dropped EXE
PID:2132 -
\??\c:\1dvdj.exec:\1dvdj.exe61⤵
- Executes dropped EXE
PID:2232 -
\??\c:\rfrxlxr.exec:\rfrxlxr.exe62⤵
- Executes dropped EXE
PID:2460 -
\??\c:\bbhnbb.exec:\bbhnbb.exe63⤵
- Executes dropped EXE
PID:1420 -
\??\c:\ppdpp.exec:\ppdpp.exe64⤵
- Executes dropped EXE
PID:1732 -
\??\c:\fffxlll.exec:\fffxlll.exe65⤵
- Executes dropped EXE
PID:1192 -
\??\c:\flrrlrl.exec:\flrrlrl.exe66⤵PID:2292
-
\??\c:\bbtbhb.exec:\bbtbhb.exe67⤵PID:1664
-
\??\c:\vddpp.exec:\vddpp.exe68⤵PID:1908
-
\??\c:\lxxlxlf.exec:\lxxlxlf.exe69⤵PID:1056
-
\??\c:\xrrrrll.exec:\xrrrrll.exe70⤵PID:2012
-
\??\c:\3btbnt.exec:\3btbnt.exe71⤵PID:1924
-
\??\c:\1ddjv.exec:\1ddjv.exe72⤵PID:1232
-
\??\c:\flflxlf.exec:\flflxlf.exe73⤵PID:960
-
\??\c:\ffxxrfr.exec:\ffxxrfr.exe74⤵PID:2488
-
\??\c:\tbhnbh.exec:\tbhnbh.exe75⤵PID:1936
-
\??\c:\9pjpj.exec:\9pjpj.exe76⤵PID:2528
-
\??\c:\rlrrllf.exec:\rlrrllf.exe77⤵PID:2444
-
\??\c:\7llrlrl.exec:\7llrlrl.exe78⤵PID:2764
-
\??\c:\ntnttb.exec:\ntnttb.exe79⤵PID:2708
-
\??\c:\3vpjd.exec:\3vpjd.exe80⤵PID:2776
-
\??\c:\frlllfr.exec:\frlllfr.exe81⤵PID:2700
-
\??\c:\bbtbth.exec:\bbtbth.exe82⤵PID:2204
-
\??\c:\7hhnbh.exec:\7hhnbh.exe83⤵PID:2580
-
\??\c:\pvjdd.exec:\pvjdd.exe84⤵PID:2724
-
\??\c:\lxxllrr.exec:\lxxllrr.exe85⤵PID:2620
-
\??\c:\nnnthn.exec:\nnnthn.exe86⤵PID:340
-
\??\c:\1btbhn.exec:\1btbhn.exe87⤵PID:1220
-
\??\c:\dpppj.exec:\dpppj.exe88⤵PID:604
-
\??\c:\xfxxxlf.exec:\xfxxxlf.exe89⤵PID:1012
-
\??\c:\bbbhbn.exec:\bbbhbn.exe90⤵PID:1584
-
\??\c:\nnhnbh.exec:\nnhnbh.exe91⤵PID:792
-
\??\c:\ppvpv.exec:\ppvpv.exe92⤵PID:580
-
\??\c:\rrxxrll.exec:\rrxxrll.exe93⤵PID:868
-
\??\c:\ntbnbh.exec:\ntbnbh.exe94⤵PID:2860
-
\??\c:\tbtbnb.exec:\tbtbnb.exe95⤵PID:2872
-
\??\c:\9djdp.exec:\9djdp.exe96⤵PID:2928
-
\??\c:\lfffrxr.exec:\lfffrxr.exe97⤵PID:3056
-
\??\c:\hhbntb.exec:\hhbntb.exe98⤵PID:1752
-
\??\c:\fllrfxx.exec:\fllrfxx.exe99⤵PID:1852
-
\??\c:\1llrlrf.exec:\1llrlrf.exe100⤵PID:1588
-
\??\c:\bbtbhh.exec:\bbtbhh.exe101⤵PID:2536
-
\??\c:\dvjpp.exec:\dvjpp.exe102⤵PID:2968
-
\??\c:\3rrxlfl.exec:\3rrxlfl.exe103⤵PID:2224
-
\??\c:\bhhttn.exec:\bhhttn.exe104⤵PID:2440
-
\??\c:\7dvdj.exec:\7dvdj.exe105⤵PID:2320
-
\??\c:\7dpvd.exec:\7dpvd.exe106⤵PID:2232
-
\??\c:\rxflxfx.exec:\rxflxfx.exe107⤵PID:2460
-
\??\c:\3tnhth.exec:\3tnhth.exe108⤵PID:1420
-
\??\c:\5pdpj.exec:\5pdpj.exe109⤵PID:1632
-
\??\c:\jpvjj.exec:\jpvjj.exe110⤵PID:1884
-
\??\c:\5llxrfx.exec:\5llxrfx.exe111⤵PID:1520
-
\??\c:\tbhthn.exec:\tbhthn.exe112⤵PID:760
-
\??\c:\jjjvj.exec:\jjjvj.exe113⤵PID:1892
-
\??\c:\rrrllxr.exec:\rrrllxr.exe114⤵PID:3004
-
\??\c:\ttbhbh.exec:\ttbhbh.exe115⤵PID:700
-
\??\c:\nbbbtb.exec:\nbbbtb.exe116⤵PID:2300
-
\??\c:\jjjpd.exec:\jjjpd.exe117⤵PID:916
-
\??\c:\rrxfrfx.exec:\rrxfrfx.exe118⤵PID:2416
-
\??\c:\thhtht.exec:\thhtht.exe119⤵PID:1936
-
\??\c:\9tttbb.exec:\9tttbb.exe120⤵PID:2528
-
\??\c:\djjjj.exec:\djjjj.exe121⤵PID:908
-
\??\c:\xxlffrl.exec:\xxlffrl.exe122⤵PID:1508