Analysis
max time kernel: 150s
max time network: 123s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 23-12-2024 01:48
Static task: static1 (1 signature)
Behavioral task: behavioral1
Sample: a46b742425db56d3eb923b0a4eb686771c26e9a5979c86027215ec54e8a2f2d9.exe
Resource: win7-20240903-en (windows7-x64)
7 signatures, 150 seconds
General
Target: a46b742425db56d3eb923b0a4eb686771c26e9a5979c86027215ec54e8a2f2d9.exe
Size: 453KB
MD5: 6f15a998b54aa1da248ae4e9f5881417
SHA1: fa2fdacc0902d688f6f7ec88d7d42ab38cde75e6
SHA256: a46b742425db56d3eb923b0a4eb686771c26e9a5979c86027215ec54e8a2f2d9
SHA512: d9ae53aeffb4e018661274b9b7757e6d03782902cebe00bf6dcd2d489fa7b0ed3b6af9210eb6f1aba9c31e660f8ab9af7b09bad1c9f4d78bafc5562c1ff9e62e
SSDEEP: 6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbey:q7Tc2NYHUrAwfMp3CDy
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 44 IoCs
resource (44 memory dumps, every one matched by yara_rule family_blackmoon):
behavioral1/memory/2756-7-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/2820-17-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/2616-28-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/1644-36-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/1108-46-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/2604-54-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/1912-65-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/2784-75-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/792-84-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/564-102-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/2160-110-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/2704-121-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/772-129-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/316-146-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/1616-155-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/3016-164-0x0000000000220000-0x000000000024A000-memory.dmp
behavioral1/memory/2480-173-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/1968-183-0x00000000001B0000-0x00000000001DA000-memory.dmp
behavioral1/memory/1968-182-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/2256-192-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/444-209-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/1892-261-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/2004-265-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/716-280-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/1892-290-0x0000000000220000-0x000000000024A000-memory.dmp
behavioral1/memory/2364-298-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/3000-313-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/2944-332-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/2340-339-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/2656-353-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/1000-380-0x0000000000220000-0x000000000024A000-memory.dmp
behavioral1/memory/484-388-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/324-440-0x00000000001B0000-0x00000000001DA000-memory.dmp
behavioral1/memory/2268-484-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/296-497-0x0000000000220000-0x000000000024A000-memory.dmp
behavioral1/memory/1628-549-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/2720-627-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/1004-664-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/880-701-0x0000000000220000-0x000000000024A000-memory.dmp
behavioral1/memory/1708-808-0x0000000000220000-0x000000000024A000-memory.dmp
behavioral1/memory/1544-891-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/880-973-0x0000000000220000-0x000000000024A000-memory.dmp
behavioral1/memory/1000-972-0x0000000000220000-0x000000000024A000-memory.dmp
behavioral1/memory/1172-1050-0x0000000000220000-0x000000000024A000-memory.dmp
Executes dropped EXE 64 IoCs
pid  Process
2820  fxrxrlf.exe
2616  9bthnn.exe
1644  9lllxfr.exe
1108  btttbb.exe
2604  rfrxffl.exe
1912  nhtttt.exe
2784  dvjjv.exe
792  5fxflfr.exe
580  dvddp.exe
564  xlrxrrl.exe
2160  ddppd.exe
2704  xrfflfl.exe
772  5dddv.exe
2232  rllrflr.exe
316  3btbhh.exe
1616  3dddj.exe
3016  xrflrxl.exe
2480  bhbtbh.exe
1968  xlxfrlx.exe
2256  7thnht.exe
2464  5lrxffl.exe
444  3hbbbh.exe
2260  9jvdj.exe
1340  ffxfrxl.exe
1840  1vddp.exe
1260  7pjjv.exe
1028  nthnhh.exe
1892  5dpvd.exe
2004  xrlxrrl.exe
716  hthhnt.exe
2352  jjpvd.exe
1448  tnhthh.exe
2364  5vppv.exe
2840  lxrrrxl.exe
3000  xrxfllx.exe
2904  btbbhn.exe
2944  pjdvd.exe
2340  vdpdd.exe
2924  llxxrrx.exe
2656  bthhnt.exe
2604  1pddd.exe
2660  lfxfrlf.exe
604  3rllxfl.exe
1000  9btthh.exe
484  btnnbb.exe
2648  jjjdp.exe
2292  llflxfr.exe
2968  nhbbhh.exe
2788  3hbntt.exe
2040  ppjdv.exe
2080  pdvvp.exe
2220  fxllrrr.exe
324  ttbhtt.exe
1932  3htttt.exe
2460  vdjpv.exe
3032  3xllrrx.exe
2184  lfxflrx.exe
2060  bbbhbh.exe
2240  pjdjp.exe
2268  7jvvj.exe
2256  xrflllr.exe
296  5thhnt.exe
2348  vvvpd.exe
2532  9vvdj.exe
yara_rule upx 53 IoCs
resource (53 memory dumps, every one matched by yara_rule upx):
behavioral1/memory/2756-7-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/2820-9-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/2820-17-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/2616-28-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/1644-36-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/1108-46-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/2604-54-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/1912-65-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/2784-75-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/792-84-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/564-102-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/2160-110-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/2704-121-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/772-129-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/316-146-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/1616-155-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/2480-173-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/1968-182-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/2256-192-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/444-209-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/1892-261-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/2004-265-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/716-280-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/2364-298-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/3000-313-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/2944-325-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/2944-332-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/2340-339-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/2656-353-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/484-381-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/1000-380-0x0000000000220000-0x000000000024A000-memory.dmp
behavioral1/memory/484-388-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/324-433-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/2240-471-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/2268-484-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/852-522-0x00000000003B0000-0x00000000003DA000-memory.dmp
behavioral1/memory/1628-549-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/1256-563-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/1652-607-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/2912-614-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/2720-627-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/1004-664-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/880-701-0x0000000000220000-0x000000000024A000-memory.dmp
behavioral1/memory/408-777-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/1708-808-0x0000000000220000-0x000000000024A000-memory.dmp
behavioral1/memory/1540-878-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/1544-891-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/588-931-0x0000000000220000-0x000000000024A000-memory.dmp
behavioral1/memory/2580-959-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/2788-980-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/2976-1000-0x0000000000400000-0x000000000042A000-memory.dmp
behavioral1/memory/3028-1037-0x0000000000320000-0x000000000034A000-memory.dmp
behavioral1/memory/444-1064-0x0000000000400000-0x000000000042A000-memory.dmp
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim in order to infer the geographical location of that host. Reading this key is common in benign software as well, so the read on its own is a weak signal; what makes it notable here is that the readers are the dropped executables launched from the root of c:\ (for example lxxxffr.exe, PID 1920, and bthttt.exe, PID 2264, in the process list below).
description: Key opened
ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (the same key in all 64 entries)
Process, in report order ("Process not Found" is an event the sandbox could not attribute to a named process):
llxllrl.exe; Process not Found (x6); jvdvv.exe; 9llxrrr.exe; Process not Found (x4); xrffxxx.exe; Process not Found (x6); hhnnnn.exe; Process not Found (x6); dvjjv.exe; 5frrrrr.exe; Process not Found (x6); 9rflrxl.exe; Process not Found (x6); lxxxffr.exe; Process not Found (x4); hthtnn.exe; lxrrxxl.exe; Process not Found (x9); bthttt.exe; Process not Found (x5)
Suspicious use of WriteProcessMemory 64 IoCs
description  pid  Process  procid_target (each row below appears four times in the report, 64 entries in all)
PID 2756 wrote to memory of 2820  2756  a46b742425db56d3eb923b0a4eb686771c26e9a5979c86027215ec54e8a2f2d9.exe  30
PID 2820 wrote to memory of 2616  2820  fxrxrlf.exe  31
PID 2616 wrote to memory of 1644  2616  9bthnn.exe  32
PID 1644 wrote to memory of 1108  1644  9lllxfr.exe  33
PID 1108 wrote to memory of 2604  1108  btttbb.exe  34
PID 2604 wrote to memory of 1912  2604  rfrxffl.exe  35
PID 1912 wrote to memory of 2784  1912  nhtttt.exe  36
PID 2784 wrote to memory of 792  2784  dvjjv.exe  37
PID 792 wrote to memory of 580  792  5fxflfr.exe  38
PID 580 wrote to memory of 564  580  dvddp.exe  39
PID 564 wrote to memory of 2160  564  xlrxrrl.exe  40
PID 2160 wrote to memory of 2704  2160  ddppd.exe  41
PID 2704 wrote to memory of 772  2704  xrfflfl.exe  42
PID 772 wrote to memory of 2232  772  5dddv.exe  43
PID 2232 wrote to memory of 316  2232  rllrflr.exe  44
PID 316 wrote to memory of 1616  316  3btbhh.exe  45
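The System Language Discovery and WriteProcessMemory sections above describe the sample's behaviour only as flattened rows, and the rows repeat (each spawn is listed four times, most key reads are unattributed). The Python below is an added example, not code from the Triage report or from any Blackmoon tooling: it parses rows in that format back into a parent-to-child spawn chain, collapses the duplicates, attributes the NLS\Language reads, and applies a naming heuristic. The sample strings are copied from the report's own rows; the heuristic regex (an optional digit followed by four to seven letters drawn only from b d f h j l n p r t v x) and the four-hop threshold are assumptions derived from the names listed on this page, not a signature from the sandbox.

```python
"""Reconstruct the spawn chain and NLS\\Language readers from Triage-style rows.

Added example, not code from the sandbox report. Sample strings are copied from
the report's own rows; the name heuristic is an assumption derived from them.
"""
import re

# Constructed from the report above: the first two spawns keep one report
# duplicate each, the rest are trimmed to a single row.
WPM_SAMPLE = " ".join([
    "PID 2756 wrote to memory of 2820 2756 a46b742425db56d3eb923b0a4eb686771c26e9a5979c86027215ec54e8a2f2d9.exe 30",
    "PID 2756 wrote to memory of 2820 2756 a46b742425db56d3eb923b0a4eb686771c26e9a5979c86027215ec54e8a2f2d9.exe 30",
    "PID 2820 wrote to memory of 2616 2820 fxrxrlf.exe 31",
    "PID 2820 wrote to memory of 2616 2820 fxrxrlf.exe 31",
    "PID 2616 wrote to memory of 1644 2616 9bthnn.exe 32",
    "PID 1644 wrote to memory of 1108 1644 9lllxfr.exe 33",
    "PID 1108 wrote to memory of 2604 1108 btttbb.exe 34",
])
DROPPED_SAMPLE = "2820 fxrxrlf.exe 2616 9bthnn.exe 1644 9lllxfr.exe 1108 btttbb.exe 2604 rfrxffl.exe"
NLS_KEY = r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"
KEY_SAMPLE = " ".join([
    f"Key opened {NLS_KEY} llxllrl.exe",
    f"Key opened {NLS_KEY} Process not Found",
    f"Key opened {NLS_KEY} Process not Found",
    f"Key opened {NLS_KEY} jvdvv.exe",
    f"Key opened {NLS_KEY} 9llxrrr.exe",
])

# One row: "PID <parent> wrote to memory of <child> <parent> <parent image> <target index>"
WPM_RE = re.compile(r"PID (?P<parent>\d+) wrote to memory of (?P<child>\d+) (?P=parent) "
                    r"(?P<image>\S+) (?P<target>\d+)")
DROPPED_RE = re.compile(r"(?P<pid>\d+) (?P<image>\S+\.exe)")
KEY_RE = re.compile(r"Key opened (?P<key>\\REGISTRY\\\S+) (?P<proc>Process not Found|\S+)")
# Assumed heuristic: names on this page are an optional digit plus 4-7 letters
# from the set b d f h j l n p r t v x, dropped in the root of C:.
DROPPED_NAME_RE = re.compile(r"^\d?[bdfhjlnprtvx]{4,7}\.exe$", re.IGNORECASE)


def parse_wpm_edges(text):
    """(parent_pid, parent_image, child_pid) tuples in report order, duplicates removed."""
    edges = []
    for m in WPM_RE.finditer(text):
        edge = (int(m["parent"]), m["image"], int(m["child"]))
        if edge not in edges:
            edges.append(edge)
    return edges


def parse_dropped(text):
    """Map pid -> image name from 'Executes dropped EXE' rows."""
    return {int(m["pid"]): m["image"] for m in DROPPED_RE.finditer(text)}


def spawn_chain(edges, dropped, root_pid):
    """Follow each process's first spawn from root_pid; stops if a PID repeats (PIDs get reused)."""
    by_parent = {}
    for parent, image, child in edges:
        by_parent.setdefault(parent, (image, child))
    chain, seen, pid = [], set(), root_pid
    while pid in by_parent and pid not in seen:
        seen.add(pid)
        image, child = by_parent[pid]
        chain.append((pid, image))
        pid = child
    if pid not in seen:  # leaf: its name comes from the dropped-EXE rows, if listed
        chain.append((pid, dropped.get(pid, "<unknown>")))
    return chain


def looks_like_dropped_name(image):
    return DROPPED_NAME_RE.match(image) is not None


def nls_language_readers(text):
    """Named readers of the NLS\\Language key, plus the count of unattributed reads."""
    readers, unresolved = [], 0
    for m in KEY_RE.finditer(text):
        if m["key"] != NLS_KEY:
            continue
        if m["proc"] == "Process not Found":
            unresolved += 1
        else:
            readers.append(m["proc"])
    return readers, unresolved


def summarize(wpm_text, dropped_text, key_text, root_pid):
    chain = spawn_chain(parse_wpm_edges(wpm_text), parse_dropped(dropped_text), root_pid)
    children = [image for _, image in chain[1:]]
    readers, unresolved = nls_language_readers(key_text)
    return {
        "chain_depth": len(chain),
        "chain": chain,
        "dropped_like_children": sum(map(looks_like_dropped_name, children)),
        "nls_readers": readers,
        "nls_unresolved": unresolved,
        # Verdict: at least four hops and every child carries a generated-looking name.
        "flag": len(chain) >= 4 and all(map(looks_like_dropped_name, children)),
    }


if __name__ == "__main__":
    for key, value in summarize(WPM_SAMPLE, DROPPED_SAMPLE, KEY_SAMPLE, 2756).items():
        print(f"{key}: {value}")
```

Run as-is it prints the summary for the embedded excerpt (a six-process chain ending in rfrxffl.exe, three named NLS\Language readers, two unattributed). Feeding summarize() the full row text from the report reconstructs all sixteen spawn events; unattributed "Process not Found" reads are counted rather than discarded, because they still show how many of the short-lived children touched the key.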
Processes (one line per process: nesting depth, image path, command line, PID; the signatures that fired for it are listed beneath it)

1  C:\Users\Admin\AppData\Local\Temp\a46b742425db56d3eb923b0a4eb686771c26e9a5979c86027215ec54e8a2f2d9.exe  "C:\Users\Admin\AppData\Local\Temp\a46b742425db56d3eb923b0a4eb686771c26e9a5979c86027215ec54e8a2f2d9.exe"  PID:2756
   - Suspicious use of WriteProcessMemory
2  \??\c:\fxrxrlf.exe  c:\fxrxrlf.exe  PID:2820
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
3  \??\c:\9bthnn.exe  c:\9bthnn.exe  PID:2616
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
4  \??\c:\9lllxfr.exe  c:\9lllxfr.exe  PID:1644
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
5  \??\c:\btttbb.exe  c:\btttbb.exe  PID:1108
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
6  \??\c:\rfrxffl.exe  c:\rfrxffl.exe  PID:2604
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
7  \??\c:\nhtttt.exe  c:\nhtttt.exe  PID:1912
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
8  \??\c:\dvjjv.exe  c:\dvjjv.exe  PID:2784
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
9  \??\c:\5fxflfr.exe  c:\5fxflfr.exe  PID:792
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
10  \??\c:\dvddp.exe  c:\dvddp.exe  PID:580
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
11  \??\c:\xlrxrrl.exe  c:\xlrxrrl.exe  PID:564
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
12  \??\c:\ddppd.exe  c:\ddppd.exe  PID:2160
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
13  \??\c:\xrfflfl.exe  c:\xrfflfl.exe  PID:2704
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
14  \??\c:\5dddv.exe  c:\5dddv.exe  PID:772
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
15  \??\c:\rllrflr.exe  c:\rllrflr.exe  PID:2232
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
16  \??\c:\3btbhh.exe  c:\3btbhh.exe  PID:316
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
17  \??\c:\3dddj.exe  c:\3dddj.exe  PID:1616
   - Executes dropped EXE
18  \??\c:\xrflrxl.exe  c:\xrflrxl.exe  PID:3016
   - Executes dropped EXE
19  \??\c:\bhbtbh.exe  c:\bhbtbh.exe  PID:2480
   - Executes dropped EXE
20  \??\c:\xlxfrlx.exe  c:\xlxfrlx.exe  PID:1968
   - Executes dropped EXE
21  \??\c:\7thnht.exe  c:\7thnht.exe  PID:2256
   - Executes dropped EXE
22  \??\c:\5lrxffl.exe  c:\5lrxffl.exe  PID:2464
   - Executes dropped EXE
23  \??\c:\3hbbbh.exe  c:\3hbbbh.exe  PID:444
   - Executes dropped EXE
24  \??\c:\9jvdj.exe  c:\9jvdj.exe  PID:2260
   - Executes dropped EXE
25  \??\c:\ffxfrxl.exe  c:\ffxfrxl.exe  PID:1340
   - Executes dropped EXE
26  \??\c:\1vddp.exe  c:\1vddp.exe  PID:1840
   - Executes dropped EXE
27  \??\c:\7pjjv.exe  c:\7pjjv.exe  PID:1260
   - Executes dropped EXE
28  \??\c:\nthnhh.exe  c:\nthnhh.exe  PID:1028
   - Executes dropped EXE
29  \??\c:\5dpvd.exe  c:\5dpvd.exe  PID:1892
   - Executes dropped EXE
30  \??\c:\xrlxrrl.exe  c:\xrlxrrl.exe  PID:2004
   - Executes dropped EXE
31  \??\c:\hthhnt.exe  c:\hthhnt.exe  PID:716
   - Executes dropped EXE
32  \??\c:\jjpvd.exe  c:\jjpvd.exe  PID:2352
   - Executes dropped EXE
33  \??\c:\tnhthh.exe  c:\tnhthh.exe  PID:1448
   - Executes dropped EXE
34  \??\c:\5vppv.exe  c:\5vppv.exe  PID:2364
   - Executes dropped EXE
35  \??\c:\lxrrrxl.exe  c:\lxrrrxl.exe  PID:2840
   - Executes dropped EXE
36  \??\c:\xrxfllx.exe  c:\xrxfllx.exe  PID:3000
   - Executes dropped EXE
37  \??\c:\btbbhn.exe  c:\btbbhn.exe  PID:2904
   - Executes dropped EXE
38  \??\c:\pjdvd.exe  c:\pjdvd.exe  PID:2944
   - Executes dropped EXE
39  \??\c:\vdpdd.exe  c:\vdpdd.exe  PID:2340
   - Executes dropped EXE
40  \??\c:\llxxrrx.exe  c:\llxxrrx.exe  PID:2924
   - Executes dropped EXE
41  \??\c:\bthhnt.exe  c:\bthhnt.exe  PID:2656
   - Executes dropped EXE
42  \??\c:\1pddd.exe  c:\1pddd.exe  PID:2604
   - Executes dropped EXE
43  \??\c:\lfxfrlf.exe  c:\lfxfrlf.exe  PID:2660
   - Executes dropped EXE
44  \??\c:\3rllxfl.exe  c:\3rllxfl.exe  PID:604
   - Executes dropped EXE
45  \??\c:\9btthh.exe  c:\9btthh.exe  PID:1000
   - Executes dropped EXE
46  \??\c:\btnnbb.exe  c:\btnnbb.exe  PID:484
   - Executes dropped EXE
47  \??\c:\jjjdp.exe  c:\jjjdp.exe  PID:2648
   - Executes dropped EXE
48  \??\c:\llflxfr.exe  c:\llflxfr.exe  PID:2292
   - Executes dropped EXE
49  \??\c:\nhbbhh.exe  c:\nhbbhh.exe  PID:2968
   - Executes dropped EXE
50  \??\c:\3hbntt.exe  c:\3hbntt.exe  PID:2788
   - Executes dropped EXE
51  \??\c:\ppjdv.exe  c:\ppjdv.exe  PID:2040
   - Executes dropped EXE
52  \??\c:\pdvvp.exe  c:\pdvvp.exe  PID:2080
   - Executes dropped EXE
53  \??\c:\fxllrrr.exe  c:\fxllrrr.exe  PID:2220
   - Executes dropped EXE
54  \??\c:\ttbhtt.exe  c:\ttbhtt.exe  PID:324
   - Executes dropped EXE
55  \??\c:\3htttt.exe  c:\3htttt.exe  PID:1932
   - Executes dropped EXE
56  \??\c:\vdjpv.exe  c:\vdjpv.exe  PID:2460
   - Executes dropped EXE
57  \??\c:\3xllrrx.exe  c:\3xllrrx.exe  PID:3032
   - Executes dropped EXE
58  \??\c:\lfxflrx.exe  c:\lfxflrx.exe  PID:2184
   - Executes dropped EXE
59  \??\c:\bbbhbh.exe  c:\bbbhbh.exe  PID:2060
   - Executes dropped EXE
60  \??\c:\pjdjp.exe  c:\pjdjp.exe  PID:2240
   - Executes dropped EXE
61  \??\c:\7jvvj.exe  c:\7jvvj.exe  PID:2268
   - Executes dropped EXE
62  \??\c:\xrflllr.exe  c:\xrflllr.exe  PID:2256
   - Executes dropped EXE
63  \??\c:\5thhnt.exe  c:\5thhnt.exe  PID:296
   - Executes dropped EXE
64  \??\c:\vvvpd.exe  c:\vvvpd.exe  PID:2348
   - Executes dropped EXE
65  \??\c:\9vvdj.exe  c:\9vvdj.exe  PID:2532
   - Executes dropped EXE
66  \??\c:\3frxxfr.exe  c:\3frxxfr.exe  PID:1232
67  \??\c:\bbbbbh.exe  c:\bbbbbh.exe  PID:852
68  \??\c:\tnbbbn.exe  c:\tnbbbn.exe  PID:872
69  \??\c:\vjvvd.exe  c:\vjvvd.exe  PID:1264
70  \??\c:\xrfllrl.exe  c:\xrfllrl.exe  PID:1128
71  \??\c:\ffflxfl.exe  c:\ffflxfl.exe  PID:2108
72  \??\c:\bbtbhn.exe  c:\bbtbhn.exe  PID:1628
73  \??\c:\pjpvj.exe  c:\pjpvj.exe  PID:280
74  \??\c:\lrfxfxx.exe  c:\lrfxfxx.exe  PID:1256
75  \??\c:\lxxxffr.exe  c:\lxxxffr.exe  PID:1920
   - System Location Discovery: System Language Discovery
76  \??\c:\tnbhtt.exe  c:\tnbhtt.exe  PID:2352
77  \??\c:\jdjjp.exe  c:\jdjjp.exe  PID:1448
78  \??\c:\dvppv.exe  c:\dvppv.exe  PID:2824
79  \??\c:\rlrrffr.exe  c:\rlrrffr.exe  PID:2916
80  \??\c:\tnnnbt.exe  c:\tnnnbt.exe  PID:2724
81  \??\c:\5bhtbh.exe  c:\5bhtbh.exe  PID:1652
82  \??\c:\pdvvp.exe  c:\pdvvp.exe  PID:2912
83  \??\c:\lxrfrxr.exe  c:\lxrfrxr.exe  PID:2720
84  \??\c:\bnnbhb.exe  c:\bnnbhb.exe  PID:1224
85  \??\c:\nbnnbt.exe  c:\nbnnbt.exe  PID:2744
86  \??\c:\9jvpp.exe  c:\9jvpp.exe  PID:2180
87  \??\c:\jdppv.exe  c:\jdppv.exe  PID:264
88  \??\c:\5lxfrrf.exe  c:\5lxfrrf.exe  PID:2784
89  \??\c:\1thhhh.exe  c:\1thhhh.exe  PID:1004
90  \??\c:\jjddj.exe  c:\jjddj.exe  PID:2028
91  \??\c:\jdjpd.exe  c:\jdjpd.exe  PID:2052
92  \??\c:\1rffflf.exe  c:\1rffflf.exe  PID:880
93  \??\c:\hhbbhh.exe  c:\hhbbhh.exe  PID:652
94  \??\c:\pdvvj.exe  c:\pdvvj.exe  PID:2504
95  \??\c:\ddvvp.exe  c:\ddvvp.exe  PID:2960
96  \??\c:\llrxfrf.exe  c:\llrxfrf.exe  PID:2508
97  \??\c:\9htnbt.exe  c:\9htnbt.exe  PID:2880
98  \??\c:\hhbnht.exe  c:\hhbnht.exe  PID:1640
99  \??\c:\jjpvj.exe  c:\jjpvj.exe  PID:1604
100  \??\c:\lrrffrl.exe  c:\lrrffrl.exe  PID:2816
101  \??\c:\5nhntt.exe  c:\5nhntt.exe  PID:1824
102  \??\c:\bthttt.exe  c:\bthttt.exe  PID:2264
   - System Location Discovery: System Language Discovery
103  \??\c:\dvddj.exe  c:\dvddj.exe  PID:2312
104  \??\c:\rfrrrfx.exe  c:\rfrrrfx.exe  PID:1972
105  \??\c:\frffrrf.exe  c:\frffrrf.exe  PID:2472
106  \??\c:\1hnnbn.exe  c:\1hnnbn.exe  PID:2436
107  \??\c:\dvjjv.exe  c:\dvjjv.exe  PID:1096
   - System Location Discovery: System Language Discovery
108  \??\c:\jvppv.exe  c:\jvppv.exe  PID:408
109  \??\c:\llrflfx.exe  c:\llrflfx.exe  PID:2300
110  \??\c:\ntthtb.exe  c:\ntthtb.exe  PID:1252
111  \??\c:\hbnbnn.exe  c:\hbnbnn.exe  PID:1712
112  \??\c:\pjddj.exe  c:\pjddj.exe  PID:1708
113  \??\c:\vjdvp.exe  c:\vjdvp.exe  PID:1112
114  \??\c:\llfrrrl.exe  c:\llfrrrl.exe  PID:624
115  \??\c:\hbnnnn.exe  c:\hbnnnn.exe  PID:2112
116  \??\c:\htntbt.exe  c:\htntbt.exe  PID:1892
117  \??\c:\vpddp.exe  c:\vpddp.exe  PID:2996
118  \??\c:\ppjvv.exe  c:\ppjvv.exe  PID:1628
119  \??\c:\7rxxlxl.exe  c:\7rxxlxl.exe  PID:280
120  \??\c:\bthhtn.exe  c:\bthhtn.exe  PID:1888
121  \??\c:\bhtthn.exe  c:\bhtthn.exe  PID:908
122  \??\c:\ddppv.exe  c:\ddppv.exe  PID:1228