Analysis
-
max time kernel
150s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64 arch:x86 image:win7-20240729-en locale:en-us os:windows7-x64 system -
submitted
20-12-2024 09:41
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
fe31971659c280308977f5092dec377e63c42d8df18c9d790fab2f08fd88ed57.exe
Resource
win7-20240729-en
windows7-x64
7 signatures
150 seconds
General
-
Target
fe31971659c280308977f5092dec377e63c42d8df18c9d790fab2f08fd88ed57.exe
-
Size
487KB
-
MD5
6ee38431c177f390173f0ab32b549408
-
SHA1
3bf399258a013dec7952affe25b0909579948802
-
SHA256
fe31971659c280308977f5092dec377e63c42d8df18c9d790fab2f08fd88ed57
-
SHA512
c523b1a2f4bc774621e6ff64221bb462f372f514c32061839c4852034a390fa5bbfb17d47e45fe393a59f36d2df6b1f3e677e7b116a48d7e0e22d22d89c84dfb
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2CfNnkymTwaJ3tb:q7Tc2NYHUrAwfMHNnplsp
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 50 IoCs
resource yara_rule behavioral1/memory/2136-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2404-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1632-27-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2248-41-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2192-38-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2840-59-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2660-77-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2652-87-0x00000000005C0000-0x00000000005EA000-memory.dmp family_blackmoon behavioral1/memory/2624-97-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2700-102-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2700-107-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1120-126-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1120-125-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2924-136-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2924-134-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2904-146-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1528-160-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2484-190-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1448-194-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2164-208-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1792-217-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2304-226-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1768-236-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1016-245-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/692-249-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2552-258-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1724-293-0x0000000077380000-0x000000007747A000-memory.dmp family_blackmoon behavioral1/memory/1620-302-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2760-360-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1752-367-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1868-380-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2624-387-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2624-388-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2748-394-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1172-396-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1680-409-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2968-416-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2904-433-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/644-486-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2580-518-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1708-677-0x0000000001C80000-0x0000000001CAA000-memory.dmp family_blackmoon behavioral1/memory/1664-709-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/1916-716-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1916-735-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2176-739-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1236-767-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1568-788-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1612-851-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2340-1109-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/576-1116-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2404 lrfffll.exe 1632 9hhbnb.exe 2192 ffrrflr.exe 2248 djvvd.exe 2840 7rllrrx.exe 2752 3rflllr.exe 2660 thnbhb.exe 2652 9lrrrxf.exe 2624 1bhtbh.exe 2700 ntntbh.exe 2512 bhbbbn.exe 1120 nhbttn.exe 2924 djdpv.exe 2904 lxrrfxf.exe 2984 7vjpd.exe 1528 thnbht.exe 3032 pvdjp.exe 1436 ntnntt.exe 2484 1pvdj.exe 1448 nntttt.exe 2164 djvvj.exe 1792 nnnntb.exe 2304 djpvd.exe 1768 nthbhn.exe 1016 vvvdp.exe 692 7hhbbn.exe 2552 pvjpv.exe 2420 1flflll.exe 2424 ppdvd.exe 2044 xfrxfrx.exe 1724 7dvjj.exe 1620 vppjp.exe 1740 flxlflx.exe 2492 jvjpv.exe 2756 frlrffr.exe 2824 7hthbt.exe 2888 9dvpj.exe 2856 vddpj.exe 2896 7fxfrfl.exe 2760 tthnhh.exe 1752 pvppd.exe 2680 pvjvj.exe 1868 xfrrxfl.exe 2624 5hthtb.exe 2748 3pddp.exe 1172 ffflrrx.exe 1680 rlxlxfr.exe 2968 htbhnb.exe 2924 jjjjp.exe 2996 llrxfll.exe 2904 5fllrxf.exe 2012 hnhtth.exe 1988 pdppj.exe 3024 rxxllrf.exe 1436 3xlrfrr.exe 1952 tbntnb.exe 2608 9pddv.exe 2848 ffrrxfx.exe 644 3xrrxff.exe 2164 3ththn.exe 1096 jjvdj.exe 552 1fxlxfl.exe 984 rrrxfrr.exe 2580 tnttht.exe -
resource yara_rule behavioral1/memory/2136-0-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2136-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2404-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1632-27-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2248-41-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2192-38-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2840-59-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2652-78-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2660-77-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2700-98-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2624-97-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2700-102-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2700-107-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1120-125-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2924-136-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2904-141-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2904-146-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2484-190-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2164-208-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1792-217-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2304-226-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1768-236-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1768-228-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1016-245-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/692-249-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2552-258-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2420-265-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2044-283-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1724-293-0x0000000077380000-0x000000007747A000-memory.dmp upx behavioral1/memory/1620-302-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2760-360-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1752-367-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1868-380-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2624-387-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1172-396-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1680-409-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2968-416-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2012-436-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2608-467-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/644-486-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2580-518-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2552-537-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/948-592-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2980-624-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2692-649-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/684-663-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1708-677-0x0000000001C80000-0x0000000001CAA000-memory.dmp upx behavioral1/memory/1664-709-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/1236-767-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1592-795-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1612-844-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1612-851-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3032-997-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2708-1040-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2272-1089-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2340-1102-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2812-1157-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5pjdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrfflrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7dvjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fllllfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbnthn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpdpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tttbbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbhbhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrxfrrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnttbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bntbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flffllx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrfflrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1vpvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xfffxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbhnnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnbbnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7xlllrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdpdp.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7bnthn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbnttt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2136 wrote to memory of 2404 2136 fe31971659c280308977f5092dec377e63c42d8df18c9d790fab2f08fd88ed57.exe 30 PID 2136 wrote to memory of 2404 2136 fe31971659c280308977f5092dec377e63c42d8df18c9d790fab2f08fd88ed57.exe 30 PID 2136 wrote to memory of 2404 2136 fe31971659c280308977f5092dec377e63c42d8df18c9d790fab2f08fd88ed57.exe 30 PID 2136 wrote to memory of 2404 2136 fe31971659c280308977f5092dec377e63c42d8df18c9d790fab2f08fd88ed57.exe 30 PID 2404 wrote to memory of 1632 2404 lrfffll.exe 31 PID 2404 wrote to memory of 1632 2404 lrfffll.exe 31 PID 2404 wrote to memory of 1632 2404 lrfffll.exe 31 PID 2404 wrote to memory of 1632 2404 lrfffll.exe 31 PID 1632 wrote to memory of 2192 1632 9hhbnb.exe 32 PID 1632 wrote to memory of 2192 1632 9hhbnb.exe 32 PID 1632 wrote to memory of 2192 1632 9hhbnb.exe 32 PID 1632 wrote to memory of 2192 1632 9hhbnb.exe 32 PID 2192 wrote to memory of 2248 2192 ffrrflr.exe 33 PID 2192 wrote to memory of 2248 2192 ffrrflr.exe 33 PID 2192 wrote to memory of 2248 2192 ffrrflr.exe 33 PID 2192 wrote to memory of 2248 2192 ffrrflr.exe 33 PID 2248 wrote to memory of 2840 2248 djvvd.exe 34 PID 2248 wrote to memory of 2840 2248 djvvd.exe 34 PID 2248 wrote to memory of 2840 2248 djvvd.exe 34 PID 2248 wrote to memory of 2840 2248 djvvd.exe 34 PID 2840 wrote to memory of 2752 2840 7rllrrx.exe 35 PID 2840 wrote to memory of 2752 2840 7rllrrx.exe 35 PID 2840 wrote to memory of 2752 2840 7rllrrx.exe 35 PID 2840 wrote to memory of 2752 2840 7rllrrx.exe 35 PID 2752 wrote to memory of 2660 2752 3rflllr.exe 36 PID 2752 wrote to memory of 2660 2752 3rflllr.exe 36 PID 2752 wrote to memory of 2660 2752 3rflllr.exe 36 PID 2752 wrote to memory of 2660 2752 3rflllr.exe 36 PID 2660 wrote to memory of 2652 2660 thnbhb.exe 37 PID 2660 wrote to memory of 2652 2660 thnbhb.exe 37 PID 2660 wrote to memory of 2652 2660 thnbhb.exe 37 PID 2660 wrote to memory of 2652 2660 thnbhb.exe 37 PID 2652 wrote to memory of 2624 2652 9lrrrxf.exe 38 
PID 2652 wrote to memory of 2624 2652 9lrrrxf.exe 38 PID 2652 wrote to memory of 2624 2652 9lrrrxf.exe 38 PID 2652 wrote to memory of 2624 2652 9lrrrxf.exe 38 PID 2624 wrote to memory of 2700 2624 1bhtbh.exe 39 PID 2624 wrote to memory of 2700 2624 1bhtbh.exe 39 PID 2624 wrote to memory of 2700 2624 1bhtbh.exe 39 PID 2624 wrote to memory of 2700 2624 1bhtbh.exe 39 PID 2700 wrote to memory of 2512 2700 ntntbh.exe 40 PID 2700 wrote to memory of 2512 2700 ntntbh.exe 40 PID 2700 wrote to memory of 2512 2700 ntntbh.exe 40 PID 2700 wrote to memory of 2512 2700 ntntbh.exe 40 PID 2512 wrote to memory of 1120 2512 bhbbbn.exe 41 PID 2512 wrote to memory of 1120 2512 bhbbbn.exe 41 PID 2512 wrote to memory of 1120 2512 bhbbbn.exe 41 PID 2512 wrote to memory of 1120 2512 bhbbbn.exe 41 PID 1120 wrote to memory of 2924 1120 nhbttn.exe 42 PID 1120 wrote to memory of 2924 1120 nhbttn.exe 42 PID 1120 wrote to memory of 2924 1120 nhbttn.exe 42 PID 1120 wrote to memory of 2924 1120 nhbttn.exe 42 PID 2924 wrote to memory of 2904 2924 djdpv.exe 43 PID 2924 wrote to memory of 2904 2924 djdpv.exe 43 PID 2924 wrote to memory of 2904 2924 djdpv.exe 43 PID 2924 wrote to memory of 2904 2924 djdpv.exe 43 PID 2904 wrote to memory of 2984 2904 lxrrfxf.exe 44 PID 2904 wrote to memory of 2984 2904 lxrrfxf.exe 44 PID 2904 wrote to memory of 2984 2904 lxrrfxf.exe 44 PID 2904 wrote to memory of 2984 2904 lxrrfxf.exe 44 PID 2984 wrote to memory of 1528 2984 7vjpd.exe 45 PID 2984 wrote to memory of 1528 2984 7vjpd.exe 45 PID 2984 wrote to memory of 1528 2984 7vjpd.exe 45 PID 2984 wrote to memory of 1528 2984 7vjpd.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\fe31971659c280308977f5092dec377e63c42d8df18c9d790fab2f08fd88ed57.exe"C:\Users\Admin\AppData\Local\Temp\fe31971659c280308977f5092dec377e63c42d8df18c9d790fab2f08fd88ed57.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2136 -
\??\c:\lrfffll.exec:\lrfffll.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2404 -
\??\c:\9hhbnb.exec:\9hhbnb.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1632 -
\??\c:\ffrrflr.exec:\ffrrflr.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2192 -
\??\c:\djvvd.exec:\djvvd.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2248 -
\??\c:\7rllrrx.exec:\7rllrrx.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2840 -
\??\c:\3rflllr.exec:\3rflllr.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2752 -
\??\c:\thnbhb.exec:\thnbhb.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2660 -
\??\c:\9lrrrxf.exec:\9lrrrxf.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2652 -
\??\c:\1bhtbh.exec:\1bhtbh.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2624 -
\??\c:\ntntbh.exec:\ntntbh.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2700 -
\??\c:\bhbbbn.exec:\bhbbbn.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2512 -
\??\c:\nhbttn.exec:\nhbttn.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1120 -
\??\c:\djdpv.exec:\djdpv.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2924 -
\??\c:\lxrrfxf.exec:\lxrrfxf.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2904 -
\??\c:\7vjpd.exec:\7vjpd.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2984 -
\??\c:\thnbht.exec:\thnbht.exe17⤵
- Executes dropped EXE
PID:1528 -
\??\c:\pvdjp.exec:\pvdjp.exe18⤵
- Executes dropped EXE
PID:3032 -
\??\c:\ntnntt.exec:\ntnntt.exe19⤵
- Executes dropped EXE
PID:1436 -
\??\c:\1pvdj.exec:\1pvdj.exe20⤵
- Executes dropped EXE
PID:2484 -
\??\c:\nntttt.exec:\nntttt.exe21⤵
- Executes dropped EXE
PID:1448 -
\??\c:\djvvj.exec:\djvvj.exe22⤵
- Executes dropped EXE
PID:2164 -
\??\c:\nnnntb.exec:\nnnntb.exe23⤵
- Executes dropped EXE
PID:1792 -
\??\c:\djpvd.exec:\djpvd.exe24⤵
- Executes dropped EXE
PID:2304 -
\??\c:\nthbhn.exec:\nthbhn.exe25⤵
- Executes dropped EXE
PID:1768 -
\??\c:\vvvdp.exec:\vvvdp.exe26⤵
- Executes dropped EXE
PID:1016 -
\??\c:\7hhbbn.exec:\7hhbbn.exe27⤵
- Executes dropped EXE
PID:692 -
\??\c:\pvjpv.exec:\pvjpv.exe28⤵
- Executes dropped EXE
PID:2552 -
\??\c:\1flflll.exec:\1flflll.exe29⤵
- Executes dropped EXE
PID:2420 -
\??\c:\ppdvd.exec:\ppdvd.exe30⤵
- Executes dropped EXE
PID:2424 -
\??\c:\xfrxfrx.exec:\xfrxfrx.exe31⤵
- Executes dropped EXE
PID:2044 -
\??\c:\7dvjj.exec:\7dvjj.exe32⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1724 -
\??\c:\rrffffr.exec:\rrffffr.exe33⤵PID:1644
-
\??\c:\vppjp.exec:\vppjp.exe34⤵
- Executes dropped EXE
PID:1620 -
\??\c:\flxlflx.exec:\flxlflx.exe35⤵
- Executes dropped EXE
PID:1740 -
\??\c:\jvjpv.exec:\jvjpv.exe36⤵
- Executes dropped EXE
PID:2492 -
\??\c:\frlrffr.exec:\frlrffr.exe37⤵
- Executes dropped EXE
PID:2756 -
\??\c:\7hthbt.exec:\7hthbt.exe38⤵
- Executes dropped EXE
PID:2824 -
\??\c:\9dvpj.exec:\9dvpj.exe39⤵
- Executes dropped EXE
PID:2888 -
\??\c:\vddpj.exec:\vddpj.exe40⤵
- Executes dropped EXE
PID:2856 -
\??\c:\7fxfrfl.exec:\7fxfrfl.exe41⤵
- Executes dropped EXE
PID:2896 -
\??\c:\tthnhh.exec:\tthnhh.exe42⤵
- Executes dropped EXE
PID:2760 -
\??\c:\pvppd.exec:\pvppd.exe43⤵
- Executes dropped EXE
PID:1752 -
\??\c:\pvjvj.exec:\pvjvj.exe44⤵
- Executes dropped EXE
PID:2680 -
\??\c:\xfrrxfl.exec:\xfrrxfl.exe45⤵
- Executes dropped EXE
PID:1868 -
\??\c:\5hthtb.exec:\5hthtb.exe46⤵
- Executes dropped EXE
PID:2624 -
\??\c:\3pddp.exec:\3pddp.exe47⤵
- Executes dropped EXE
PID:2748 -
\??\c:\ffflrrx.exec:\ffflrrx.exe48⤵
- Executes dropped EXE
PID:1172 -
\??\c:\rlxlxfr.exec:\rlxlxfr.exe49⤵
- Executes dropped EXE
PID:1680 -
\??\c:\htbhnb.exec:\htbhnb.exe50⤵
- Executes dropped EXE
PID:2968 -
\??\c:\jjjjp.exec:\jjjjp.exe51⤵
- Executes dropped EXE
PID:2924 -
\??\c:\llrxfll.exec:\llrxfll.exe52⤵
- Executes dropped EXE
PID:2996 -
\??\c:\5fllrxf.exec:\5fllrxf.exe53⤵
- Executes dropped EXE
PID:2904 -
\??\c:\hnhtth.exec:\hnhtth.exe54⤵
- Executes dropped EXE
PID:2012 -
\??\c:\pdppj.exec:\pdppj.exe55⤵
- Executes dropped EXE
PID:1988 -
\??\c:\rxxllrf.exec:\rxxllrf.exe56⤵
- Executes dropped EXE
PID:3024 -
\??\c:\3xlrfrr.exec:\3xlrfrr.exe57⤵
- Executes dropped EXE
PID:1436 -
\??\c:\tbntnb.exec:\tbntnb.exe58⤵
- Executes dropped EXE
PID:1952 -
\??\c:\9pddv.exec:\9pddv.exe59⤵
- Executes dropped EXE
PID:2608 -
\??\c:\ffrrxfx.exec:\ffrrxfx.exe60⤵
- Executes dropped EXE
PID:2848 -
\??\c:\3xrrxff.exec:\3xrrxff.exe61⤵
- Executes dropped EXE
PID:644 -
\??\c:\3ththn.exec:\3ththn.exe62⤵
- Executes dropped EXE
PID:2164 -
\??\c:\jjvdj.exec:\jjvdj.exe63⤵
- Executes dropped EXE
PID:1096 -
\??\c:\1fxlxfl.exec:\1fxlxfl.exe64⤵
- Executes dropped EXE
PID:552 -
\??\c:\rrrxfrr.exec:\rrrxfrr.exe65⤵
- Executes dropped EXE
PID:984 -
\??\c:\tnttht.exec:\tnttht.exe66⤵
- Executes dropped EXE
PID:2580 -
\??\c:\dvddd.exec:\dvddd.exe67⤵PID:2264
-
\??\c:\rxffrxl.exec:\rxffrxl.exe68⤵PID:2128
-
\??\c:\xlxffll.exec:\xlxffll.exe69⤵PID:1488
-
\??\c:\nnttbh.exec:\nnttbh.exe70⤵
- System Location Discovery: System Language Discovery
PID:2552 -
\??\c:\jvjpv.exec:\jvjpv.exe71⤵PID:2256
-
\??\c:\vpdvd.exec:\vpdvd.exe72⤵PID:580
-
\??\c:\5lrfllr.exec:\5lrfllr.exe73⤵PID:2172
-
\??\c:\1tnntn.exec:\1tnntn.exe74⤵PID:2044
-
\??\c:\1dvvj.exec:\1dvvj.exe75⤵PID:1588
-
\??\c:\5jppv.exec:\5jppv.exe76⤵PID:1904
-
\??\c:\fflrxfl.exec:\fflrxfl.exe77⤵PID:2224
-
\??\c:\hbhntt.exec:\hbhntt.exe78⤵PID:696
-
\??\c:\vpvjj.exec:\vpvjj.exe79⤵PID:948
-
\??\c:\djvpd.exec:\djvpd.exe80⤵PID:1484
-
\??\c:\lrffrxx.exec:\lrffrxx.exe81⤵PID:2836
-
\??\c:\7tbhhh.exec:\7tbhhh.exe82⤵PID:2732
-
\??\c:\btbttn.exec:\btbttn.exe83⤵PID:2200
-
\??\c:\vvdjp.exec:\vvdjp.exe84⤵PID:2980
-
\??\c:\xrrfllx.exec:\xrrfllx.exe85⤵PID:2760
-
\??\c:\1tbhnb.exec:\1tbhnb.exe86⤵PID:2620
-
\??\c:\bbbtbb.exec:\bbbtbb.exe87⤵PID:2652
-
\??\c:\jpddd.exec:\jpddd.exe88⤵PID:2692
-
\??\c:\rrfffxx.exec:\rrfffxx.exe89⤵PID:2320
-
\??\c:\rfxfxxf.exec:\rfxfxxf.exe90⤵PID:684
-
\??\c:\hnttbn.exec:\hnttbn.exe91⤵PID:1708
-
\??\c:\jppjv.exec:\jppjv.exe92⤵PID:1220
-
\??\c:\ddpjj.exec:\ddpjj.exe93⤵PID:2968
-
\??\c:\xfrxflf.exec:\xfrxflf.exe94⤵PID:2956
-
\??\c:\nnnnbh.exec:\nnnnbh.exe95⤵PID:3004
-
\??\c:\vdpvj.exec:\vdpvj.exe96⤵PID:1664
-
\??\c:\rxflxxr.exec:\rxflxxr.exe97⤵PID:1916
-
\??\c:\llrxxfl.exec:\llrxxfl.exe98⤵PID:2020
-
\??\c:\bhnbnt.exec:\bhnbnt.exe99⤵PID:2036
-
\??\c:\pdpjv.exec:\pdpjv.exe100⤵PID:2536
-
\??\c:\xrrlxlx.exec:\xrrlxlx.exe101⤵PID:2176
-
\??\c:\ttbhtt.exec:\ttbhtt.exe102⤵PID:2288
-
\??\c:\7hnnnn.exec:\7hnnnn.exe103⤵PID:1448
-
\??\c:\ppjjd.exec:\ppjjd.exe104⤵PID:1516
-
\??\c:\rrxxxxf.exec:\rrxxxxf.exe105⤵PID:1236
-
\??\c:\1xrxrrf.exec:\1xrxrrf.exe106⤵PID:1652
-
\??\c:\hnnttb.exec:\hnnttb.exe107⤵PID:1508
-
\??\c:\vdppv.exec:\vdppv.exe108⤵PID:1568
-
\??\c:\rrrlllf.exec:\rrrlllf.exe109⤵PID:2360
-
\??\c:\1ttbhn.exec:\1ttbhn.exe110⤵PID:1592
-
\??\c:\djppp.exec:\djppp.exe111⤵PID:1908
-
\??\c:\fxxxrrr.exec:\fxxxrrr.exe112⤵PID:1308
-
\??\c:\tbbntt.exec:\tbbntt.exe113⤵PID:2716
-
\??\c:\htnnbb.exec:\htnnbb.exe114⤵PID:1504
-
\??\c:\ddjpv.exec:\ddjpv.exe115⤵PID:2372
-
\??\c:\flxfrrx.exec:\flxfrrx.exe116⤵PID:588
-
\??\c:\bbhnht.exec:\bbhnht.exe117⤵PID:1820
-
\??\c:\5htnnn.exec:\5htnnn.exe118⤵PID:1612
-
\??\c:\vjvvj.exec:\vjvvj.exe119⤵PID:1904
-
\??\c:\lxffrrx.exec:\lxffrrx.exe120⤵PID:2224
-
\??\c:\htnntt.exec:\htnntt.exe121⤵PID:2492
-
\??\c:\5hthhh.exec:\5hthhh.exe122⤵PID:2736