Analysis
-
max time kernel
150s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
23-12-2024 05:02
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
feed4859ef174d9fd2228e20ba8750985c186d3c92f7e6a99c6b9b479ed9d0ea.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
150 seconds
General
-
Target
feed4859ef174d9fd2228e20ba8750985c186d3c92f7e6a99c6b9b479ed9d0ea.exe
-
Size
456KB
-
MD5
3ffe60842436bfaf2ed6518cc3168a65
-
SHA1
ca384ddd1b715a366d8586e4147139e289922de8
-
SHA256
feed4859ef174d9fd2228e20ba8750985c186d3c92f7e6a99c6b9b479ed9d0ea
-
SHA512
3aa3437cbb0b124a8224306bce01bdeb85e677f7ca4a5181c85e0e7610d606da529be5886fcc640533d80ac8deec62726c89eee447efbaeabce089e65d2989f7
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeRV:q7Tc2NYHUrAwfMp3CDRV
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 39 IoCs
resource yara_rule behavioral1/memory/2824-0-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2684-15-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2564-25-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1640-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1640-34-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2700-45-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/796-57-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/796-55-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/3000-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1772-84-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2220-99-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2492-97-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2492-94-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/2008-115-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1496-124-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1140-134-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2752-151-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2216-173-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2876-171-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2224-192-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/736-217-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2368-226-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2272-244-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2348-249-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/2324-288-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2640-326-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2580-340-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2180-385-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1544-415-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2028-436-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2132-448-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2728-456-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2512-464-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1412-560-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2684-586-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2320-679-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2416-692-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2652-845-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2560-881-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs (note: this list and the two below stop at exactly 64 entries, which appears to be a display cap rather than the real count — the process tree further down continues through more than 120 stages, so treat "64" as a lower bound when counting dropped executables)
pid Process 2684 tnbtnt.exe 2564 btbhtt.exe 1640 ddpvd.exe 2700 5tbhhn.exe 796 rlrxllx.exe 3000 9btbbh.exe 1012 rfrxfxx.exe 1772 hhhhnn.exe 2492 jjdpd.exe 2220 7xrxfrf.exe 2008 pdppp.exe 1496 ddvvp.exe 1140 lfxfrlx.exe 2032 vdvvv.exe 2752 5rfffrx.exe 1708 9jvvd.exe 2876 9ppjj.exe 2216 nnbnhn.exe 2224 3ddjj.exe 2244 3dppd.exe 3012 rlxfffr.exe 736 ddvdp.exe 2368 lrrfxrl.exe 1216 1dvvd.exe 2272 rrrxflf.exe 2348 hbtbhn.exe 328 pjjvj.exe 1664 nhbbht.exe 3024 lfxxflx.exe 2324 9nnnnt.exe 2296 fxlrxfl.exe 3060 jvjjv.exe 1524 3jpjj.exe 2836 tthnbh.exe 2640 jjddj.exe 2532 lxrrrxl.exe 2528 rrxrrfl.exe 2580 tnbbhn.exe 480 1jdpd.exe 3000 rrflxxf.exe 628 9xrrxxr.exe 2892 1vjjp.exe 2400 7vvjv.exe 2180 lxlxflf.exe 2588 thbthn.exe 1192 5jpdd.exe 2008 djdvd.exe 1544 rllrffr.exe 1996 btnbnn.exe 2728 pdppp.exe 2028 7fxxfrf.exe 2752 9lxxxxf.exe 2132 bbnnbb.exe 2096 jjdvj.exe 2512 flflxfr.exe 2288 1tbbbn.exe 2940 1bbthn.exe 856 7jjjj.exe 236 xrrrffr.exe 1964 bntttb.exe 1296 pdjdj.exe 1776 ppppd.exe 1656 rxxxflx.exe 1216 7hbhtt.exe -
resource yara_rule behavioral1/memory/2824-0-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2684-15-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2564-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1640-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2700-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2700-45-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/796-57-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3000-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1772-76-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1772-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2492-86-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2220-99-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2492-97-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2008-115-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1496-124-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1140-134-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1708-152-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2752-151-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2216-173-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2876-171-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2244-193-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2224-192-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/736-217-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2368-226-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2348-245-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2272-244-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2324-288-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3060-298-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2640-319-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2640-326-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2580-340-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3000-353-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/628-360-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2180-379-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2180-385-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2008-403-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/1544-415-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2028-429-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2028-436-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2132-448-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2512-464-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1296-516-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1884-539-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1412-553-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1412-560-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2684-579-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2684-586-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2320-679-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2416-692-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2368-778-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2712-829-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2036-932-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host. The only observed action is opening HKLM\SYSTEM\ControlSet001\Control\NLS\Language; legitimate software reads this key too, so on its own it is a low-fidelity indicator and is mainly useful here as corroboration alongside the Blackmoon YARA hits and the self-propagating process chain. Many "Process not Found" entries below mean the reading process had already exited before the sandbox resolved its name.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvjdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btnhhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpjvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhtntn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bthhhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddjpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrlxxfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxrrxrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvjjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddppv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3htbbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btbhtt.exe Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xfflrxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1dpvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7fxfllr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfrrxxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1tbbbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppjjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrxxfxx.exe -
Suspicious use of WriteProcessMemory 64 IoCs (every write in this list targets the process's own freshly spawned child — pid N writes to the PID it created, four times each — which is consistent with ordinary child-process startup on Windows 7 rather than injection into an unrelated process; the stronger signal is the unbroken parent→child chain of dropped binaries, not the API itself)
description pid Process procid_target PID 2824 wrote to memory of 2684 2824 feed4859ef174d9fd2228e20ba8750985c186d3c92f7e6a99c6b9b479ed9d0ea.exe 30 PID 2824 wrote to memory of 2684 2824 feed4859ef174d9fd2228e20ba8750985c186d3c92f7e6a99c6b9b479ed9d0ea.exe 30 PID 2824 wrote to memory of 2684 2824 feed4859ef174d9fd2228e20ba8750985c186d3c92f7e6a99c6b9b479ed9d0ea.exe 30 PID 2824 wrote to memory of 2684 2824 feed4859ef174d9fd2228e20ba8750985c186d3c92f7e6a99c6b9b479ed9d0ea.exe 30 PID 2684 wrote to memory of 2564 2684 tnbtnt.exe 31 PID 2684 wrote to memory of 2564 2684 tnbtnt.exe 31 PID 2684 wrote to memory of 2564 2684 tnbtnt.exe 31 PID 2684 wrote to memory of 2564 2684 tnbtnt.exe 31 PID 2564 wrote to memory of 1640 2564 btbhtt.exe 32 PID 2564 wrote to memory of 1640 2564 btbhtt.exe 32 PID 2564 wrote to memory of 1640 2564 btbhtt.exe 32 PID 2564 wrote to memory of 1640 2564 btbhtt.exe 32 PID 1640 wrote to memory of 2700 1640 ddpvd.exe 33 PID 1640 wrote to memory of 2700 1640 ddpvd.exe 33 PID 1640 wrote to memory of 2700 1640 ddpvd.exe 33 PID 1640 wrote to memory of 2700 1640 ddpvd.exe 33 PID 2700 wrote to memory of 796 2700 5tbhhn.exe 34 PID 2700 wrote to memory of 796 2700 5tbhhn.exe 34 PID 2700 wrote to memory of 796 2700 5tbhhn.exe 34 PID 2700 wrote to memory of 796 2700 5tbhhn.exe 34 PID 796 wrote to memory of 3000 796 rlrxllx.exe 35 PID 796 wrote to memory of 3000 796 rlrxllx.exe 35 PID 796 wrote to memory of 3000 796 rlrxllx.exe 35 PID 796 wrote to memory of 3000 796 rlrxllx.exe 35 PID 3000 wrote to memory of 1012 3000 9btbbh.exe 36 PID 3000 wrote to memory of 1012 3000 9btbbh.exe 36 PID 3000 wrote to memory of 1012 3000 9btbbh.exe 36 PID 3000 wrote to memory of 1012 3000 9btbbh.exe 36 PID 1012 wrote to memory of 1772 1012 rfrxfxx.exe 37 PID 1012 wrote to memory of 1772 1012 rfrxfxx.exe 37 PID 1012 wrote to memory of 1772 1012 rfrxfxx.exe 37 PID 1012 wrote to memory of 1772 1012 rfrxfxx.exe 37 PID 1772 wrote to memory of 2492 1772 hhhhnn.exe 38 PID 1772 wrote to 
memory of 2492 1772 hhhhnn.exe 38 PID 1772 wrote to memory of 2492 1772 hhhhnn.exe 38 PID 1772 wrote to memory of 2492 1772 hhhhnn.exe 38 PID 2492 wrote to memory of 2220 2492 jjdpd.exe 39 PID 2492 wrote to memory of 2220 2492 jjdpd.exe 39 PID 2492 wrote to memory of 2220 2492 jjdpd.exe 39 PID 2492 wrote to memory of 2220 2492 jjdpd.exe 39 PID 2220 wrote to memory of 2008 2220 7xrxfrf.exe 40 PID 2220 wrote to memory of 2008 2220 7xrxfrf.exe 40 PID 2220 wrote to memory of 2008 2220 7xrxfrf.exe 40 PID 2220 wrote to memory of 2008 2220 7xrxfrf.exe 40 PID 2008 wrote to memory of 1496 2008 pdppp.exe 41 PID 2008 wrote to memory of 1496 2008 pdppp.exe 41 PID 2008 wrote to memory of 1496 2008 pdppp.exe 41 PID 2008 wrote to memory of 1496 2008 pdppp.exe 41 PID 1496 wrote to memory of 1140 1496 ddvvp.exe 42 PID 1496 wrote to memory of 1140 1496 ddvvp.exe 42 PID 1496 wrote to memory of 1140 1496 ddvvp.exe 42 PID 1496 wrote to memory of 1140 1496 ddvvp.exe 42 PID 1140 wrote to memory of 2032 1140 lfxfrlx.exe 43 PID 1140 wrote to memory of 2032 1140 lfxfrlx.exe 43 PID 1140 wrote to memory of 2032 1140 lfxfrlx.exe 43 PID 1140 wrote to memory of 2032 1140 lfxfrlx.exe 43 PID 2032 wrote to memory of 2752 2032 vdvvv.exe 44 PID 2032 wrote to memory of 2752 2032 vdvvv.exe 44 PID 2032 wrote to memory of 2752 2032 vdvvv.exe 44 PID 2032 wrote to memory of 2752 2032 vdvvv.exe 44 PID 2752 wrote to memory of 1708 2752 5rfffrx.exe 45 PID 2752 wrote to memory of 1708 2752 5rfffrx.exe 45 PID 2752 wrote to memory of 1708 2752 5rfffrx.exe 45 PID 2752 wrote to memory of 1708 2752 5rfffrx.exe 45
Processes (each stage drops and runs the next binary from the root of C:\ with a short pseudo-random name built only from the letters b/d/f/h/j/l/n/p/r/t/v/x plus an optional leading digit — a usable hunting heuristic for this family. PIDs are reused within the run, e.g. 3000, 2008 and 2752 each appear at two different depths, so use the depth/parent relationship rather than PID alone when correlating with the IoC lists above.)
-
C:\Users\Admin\AppData\Local\Temp\feed4859ef174d9fd2228e20ba8750985c186d3c92f7e6a99c6b9b479ed9d0ea.exe"C:\Users\Admin\AppData\Local\Temp\feed4859ef174d9fd2228e20ba8750985c186d3c92f7e6a99c6b9b479ed9d0ea.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2824 -
\??\c:\tnbtnt.exec:\tnbtnt.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2684 -
\??\c:\btbhtt.exec:\btbhtt.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2564 -
\??\c:\ddpvd.exec:\ddpvd.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1640 -
\??\c:\5tbhhn.exec:\5tbhhn.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2700 -
\??\c:\rlrxllx.exec:\rlrxllx.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:796 -
\??\c:\9btbbh.exec:\9btbbh.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3000 -
\??\c:\rfrxfxx.exec:\rfrxfxx.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1012 -
\??\c:\hhhhnn.exec:\hhhhnn.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1772 -
\??\c:\jjdpd.exec:\jjdpd.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2492 -
\??\c:\7xrxfrf.exec:\7xrxfrf.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2220 -
\??\c:\pdppp.exec:\pdppp.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2008 -
\??\c:\ddvvp.exec:\ddvvp.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1496 -
\??\c:\lfxfrlx.exec:\lfxfrlx.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1140 -
\??\c:\vdvvv.exec:\vdvvv.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2032 -
\??\c:\5rfffrx.exec:\5rfffrx.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2752 -
\??\c:\9jvvd.exec:\9jvvd.exe17⤵
- Executes dropped EXE
PID:1708 -
\??\c:\9ppjj.exec:\9ppjj.exe18⤵
- Executes dropped EXE
PID:2876 -
\??\c:\nnbnhn.exec:\nnbnhn.exe19⤵
- Executes dropped EXE
PID:2216 -
\??\c:\3ddjj.exec:\3ddjj.exe20⤵
- Executes dropped EXE
PID:2224 -
\??\c:\3dppd.exec:\3dppd.exe21⤵
- Executes dropped EXE
PID:2244 -
\??\c:\rlxfffr.exec:\rlxfffr.exe22⤵
- Executes dropped EXE
PID:3012 -
\??\c:\ddvdp.exec:\ddvdp.exe23⤵
- Executes dropped EXE
PID:736 -
\??\c:\lrrfxrl.exec:\lrrfxrl.exe24⤵
- Executes dropped EXE
PID:2368 -
\??\c:\1dvvd.exec:\1dvvd.exe25⤵
- Executes dropped EXE
PID:1216 -
\??\c:\rrrxflf.exec:\rrrxflf.exe26⤵
- Executes dropped EXE
PID:2272 -
\??\c:\hbtbhn.exec:\hbtbhn.exe27⤵
- Executes dropped EXE
PID:2348 -
\??\c:\pjjvj.exec:\pjjvj.exe28⤵
- Executes dropped EXE
PID:328 -
\??\c:\nhbbht.exec:\nhbbht.exe29⤵
- Executes dropped EXE
PID:1664 -
\??\c:\lfxxflx.exec:\lfxxflx.exe30⤵
- Executes dropped EXE
PID:3024 -
\??\c:\9nnnnt.exec:\9nnnnt.exe31⤵
- Executes dropped EXE
PID:2324 -
\??\c:\fxlrxfl.exec:\fxlrxfl.exe32⤵
- Executes dropped EXE
PID:2296 -
\??\c:\jvjjv.exec:\jvjjv.exe33⤵
- Executes dropped EXE
PID:3060 -
\??\c:\3jpjj.exec:\3jpjj.exe34⤵
- Executes dropped EXE
PID:1524 -
\??\c:\tthnbh.exec:\tthnbh.exe35⤵
- Executes dropped EXE
PID:2836 -
\??\c:\jjddj.exec:\jjddj.exe36⤵
- Executes dropped EXE
PID:2640 -
\??\c:\lxrrrxl.exec:\lxrrrxl.exe37⤵
- Executes dropped EXE
PID:2532 -
\??\c:\rrxrrfl.exec:\rrxrrfl.exe38⤵
- Executes dropped EXE
PID:2528 -
\??\c:\tnbbhn.exec:\tnbbhn.exe39⤵
- Executes dropped EXE
PID:2580 -
\??\c:\1jdpd.exec:\1jdpd.exe40⤵
- Executes dropped EXE
PID:480 -
\??\c:\rrflxxf.exec:\rrflxxf.exe41⤵
- Executes dropped EXE
PID:3000 -
\??\c:\9xrrxxr.exec:\9xrrxxr.exe42⤵
- Executes dropped EXE
PID:628 -
\??\c:\1vjjp.exec:\1vjjp.exe43⤵
- Executes dropped EXE
PID:2892 -
\??\c:\7vvjv.exec:\7vvjv.exe44⤵
- Executes dropped EXE
PID:2400 -
\??\c:\lxlxflf.exec:\lxlxflf.exe45⤵
- Executes dropped EXE
PID:2180 -
\??\c:\thbthn.exec:\thbthn.exe46⤵
- Executes dropped EXE
PID:2588 -
\??\c:\5jpdd.exec:\5jpdd.exe47⤵
- Executes dropped EXE
PID:1192 -
\??\c:\djdvd.exec:\djdvd.exe48⤵
- Executes dropped EXE
PID:2008 -
\??\c:\rllrffr.exec:\rllrffr.exe49⤵
- Executes dropped EXE
PID:1544 -
\??\c:\btnbnn.exec:\btnbnn.exe50⤵
- Executes dropped EXE
PID:1996 -
\??\c:\pdppp.exec:\pdppp.exe51⤵
- Executes dropped EXE
PID:2728 -
\??\c:\7fxxfrf.exec:\7fxxfrf.exe52⤵
- Executes dropped EXE
PID:2028 -
\??\c:\9lxxxxf.exec:\9lxxxxf.exe53⤵
- Executes dropped EXE
PID:2752 -
\??\c:\bbnnbb.exec:\bbnnbb.exe54⤵
- Executes dropped EXE
PID:2132 -
\??\c:\jjdvj.exec:\jjdvj.exe55⤵
- Executes dropped EXE
PID:2096 -
\??\c:\flflxfr.exec:\flflxfr.exe56⤵
- Executes dropped EXE
PID:2512 -
\??\c:\1tbbbn.exec:\1tbbbn.exe57⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2288 -
\??\c:\1bbthn.exec:\1bbthn.exe58⤵
- Executes dropped EXE
PID:2940 -
\??\c:\7jjjj.exec:\7jjjj.exe59⤵
- Executes dropped EXE
PID:856 -
\??\c:\xrrrffr.exec:\xrrrffr.exe60⤵
- Executes dropped EXE
PID:236 -
\??\c:\bntttb.exec:\bntttb.exe61⤵
- Executes dropped EXE
PID:1964 -
\??\c:\pdjdj.exec:\pdjdj.exe62⤵
- Executes dropped EXE
PID:1296 -
\??\c:\ppppd.exec:\ppppd.exe63⤵
- Executes dropped EXE
PID:1776 -
\??\c:\rxxxflx.exec:\rxxxflx.exe64⤵
- Executes dropped EXE
PID:1656 -
\??\c:\7hbhtt.exec:\7hbhtt.exe65⤵
- Executes dropped EXE
PID:1216 -
\??\c:\nttbhh.exec:\nttbhh.exe66⤵PID:948
-
\??\c:\jvdvv.exec:\jvdvv.exe67⤵PID:1912
-
\??\c:\xxllrrx.exec:\xxllrrx.exe68⤵PID:2476
-
\??\c:\bbtthh.exec:\bbtthh.exe69⤵PID:1884
-
\??\c:\3pddp.exec:\3pddp.exe70⤵PID:2236
-
\??\c:\1pvdd.exec:\1pvdd.exe71⤵PID:1412
-
\??\c:\1xrfrxf.exec:\1xrfrxf.exe72⤵PID:1788
-
\??\c:\7nnntb.exec:\7nnntb.exe73⤵PID:2816
-
\??\c:\jpjpv.exec:\jpjpv.exe74⤵PID:2104
-
\??\c:\7fxfllr.exec:\7fxfllr.exe75⤵
- System Location Discovery: System Language Discovery
PID:2684 -
\??\c:\bbthnn.exec:\bbthnn.exe76⤵PID:2780
-
\??\c:\nnhhtn.exec:\nnhhtn.exe77⤵PID:2880
-
\??\c:\5jjvj.exec:\5jjvj.exe78⤵PID:2840
-
\??\c:\fxlrxrr.exec:\fxlrxrr.exe79⤵PID:2600
-
\??\c:\rrfrflx.exec:\rrfrflx.exe80⤵PID:2984
-
\??\c:\nnhnbb.exec:\nnhnbb.exe81⤵PID:2996
-
\??\c:\3dvpp.exec:\3dvpp.exe82⤵PID:772
-
\??\c:\5lffxxf.exec:\5lffxxf.exe83⤵PID:580
-
\??\c:\fxllrrx.exec:\fxllrrx.exe84⤵PID:992
-
\??\c:\nnthnt.exec:\nnthnt.exe85⤵PID:1236
-
\??\c:\hntnbt.exec:\hntnbt.exe86⤵PID:2888
-
\??\c:\vppvv.exec:\vppvv.exe87⤵PID:1748
-
\??\c:\5lfflfl.exec:\5lfflfl.exe88⤵PID:2316
-
\??\c:\bbttnn.exec:\bbttnn.exe89⤵PID:2792
-
\??\c:\btnbnn.exec:\btnbnn.exe90⤵PID:2320
-
\??\c:\1jpvd.exec:\1jpvd.exe91⤵PID:2764
-
\??\c:\jdvdj.exec:\jdvdj.exe92⤵PID:2772
-
\??\c:\lfxfffl.exec:\lfxfffl.exe93⤵PID:2416
-
\??\c:\tththh.exec:\tththh.exe94⤵PID:2032
-
\??\c:\nnhhhh.exec:\nnhhhh.exe95⤵PID:1924
-
\??\c:\7dpdj.exec:\7dpdj.exe96⤵PID:1948
-
\??\c:\fxrfffl.exec:\fxrfffl.exe97⤵PID:1708
-
\??\c:\llllffr.exec:\llllffr.exe98⤵PID:2132
-
\??\c:\tnhbbb.exec:\tnhbbb.exe99⤵PID:2228
-
\??\c:\bbtthh.exec:\bbtthh.exe100⤵PID:1360
-
\??\c:\vpddd.exec:\vpddd.exe101⤵PID:2740
-
\??\c:\frlfllr.exec:\frlfllr.exe102⤵PID:2144
-
\??\c:\hbhhhh.exec:\hbhhhh.exe103⤵PID:2244
-
\??\c:\5nbnbt.exec:\5nbnbt.exe104⤵PID:1180
-
\??\c:\9dvvv.exec:\9dvvv.exe105⤵PID:952
-
\??\c:\rlfrxxf.exec:\rlfrxxf.exe106⤵PID:1784
-
\??\c:\xrfxxfx.exec:\xrfxxfx.exe107⤵PID:2368
-
\??\c:\5hbbhh.exec:\5hbbhh.exe108⤵PID:904
-
\??\c:\vpdvv.exec:\vpdvv.exe109⤵PID:1988
-
\??\c:\3pdpp.exec:\3pdpp.exe110⤵PID:680
-
\??\c:\xxrrrrx.exec:\xxrrrrx.exe111⤵PID:2348
-
\??\c:\3nhhnn.exec:\3nhhnn.exe112⤵PID:2152
-
\??\c:\bhnbtb.exec:\bhnbtb.exe113⤵PID:600
-
\??\c:\dvpvd.exec:\dvpvd.exe114⤵PID:336
-
\??\c:\7hthhb.exec:\7hthhb.exe115⤵PID:2712
-
\??\c:\5dpvj.exec:\5dpvj.exe116⤵PID:2824
-
\??\c:\vpddj.exec:\vpddj.exe117⤵PID:2652
-
\??\c:\rlfrlfr.exec:\rlfrlfr.exe118⤵PID:2848
-
\??\c:\bbtbhn.exec:\bbtbhn.exe119⤵PID:2852
-
\??\c:\vpppv.exec:\vpppv.exe120⤵PID:2664
-
\??\c:\9pddj.exec:\9pddj.exe121⤵PID:1396
-
\??\c:\xrxxfxx.exec:\xrxxfxx.exe122⤵
- System Location Discovery: System Language Discovery
PID:2560