Analysis
-
max time kernel
150s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
23-12-2024 21:05
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
45928bd41becf97a265b366f383790d17a9b6ec477f488d395cb6cdecc531ae4.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
150 seconds
General
-
Target
45928bd41becf97a265b366f383790d17a9b6ec477f488d395cb6cdecc531ae4.exe
-
Size
454KB
-
MD5
ca175a8654e17740060bd3dc7beecc4c
-
SHA1
1fca61813a09a03bc15d5d3e8904ac619cd66949
-
SHA256
45928bd41becf97a265b366f383790d17a9b6ec477f488d395cb6cdecc531ae4
-
SHA512
7b2ebc19b512ae2c36f8c9a52d2ac70ec60bfaf72ce8bb910ad43ba2eb694d79ad10d09b8535d52d8803608da17b304b54da9af807bfc20412773917138842e1
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeTx:q7Tc2NYHUrAwfMp3CDd
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 40 IoCs
resource yara_rule behavioral1/memory/1708-8-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2952-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2248-25-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/2188-31-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2248-28-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2208-46-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2640-55-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2860-69-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2908-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2908-64-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/868-91-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2984-103-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1984-126-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1692-136-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2724-145-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1156-155-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1984-153-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2764-159-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1156-157-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1776-170-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2136-195-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/1048-214-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1572-230-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1572-229-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2776-250-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1620-258-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1528-266-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1432-285-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1444-309-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2500-316-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2680-341-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1600-385-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1556-429-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2776-526-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1528-546-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1092-676-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2376-884-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3004-995-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2416-1002-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2880-1034-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2952 jdddp.exe 2248 fxrrlrf.exe 2188 fllrflf.exe 2208 7rrrxll.exe 2640 lfrxllr.exe 2908 hhtthh.exe 2860 ffflxfl.exe 2884 llflxxx.exe 868 ffxxflf.exe 2552 nnbhnb.exe 2984 1jdpp.exe 1832 xrxxfxf.exe 1984 tnhnbb.exe 1692 lflrllx.exe 2724 ppdpv.exe 1156 5bnttb.exe 2764 1jvdd.exe 1776 lllflxl.exe 2120 hbnbtb.exe 2256 fxxxlrf.exe 2136 btnthn.exe 1396 dppvj.exe 1048 1xlrfrf.exe 1572 ttbnht.exe 2424 tnbbhn.exe 2776 rfrfrrx.exe 1620 1tnhnt.exe 1528 jjjpd.exe 860 tnhnhn.exe 1432 jdvdv.exe 2912 fxrrxrf.exe 1576 dpdvp.exe 1444 xxrxlrf.exe 2500 frfxlrx.exe 2200 hhnthh.exe 1292 7pjpp.exe 2664 fxrxlxr.exe 2680 3lxxlll.exe 2816 tnhhtt.exe 2908 dvddp.exe 2860 pvjjj.exe 1276 xrfxfxl.exe 2812 hbtntb.exe 2548 jdddp.exe 1600 jdjdp.exe 660 xlrfxfl.exe 2364 hbntbb.exe 1472 dvvdv.exe 1760 pdppd.exe 2520 xlrlxxx.exe 1672 tnhnbt.exe 1556 nnhthn.exe 1976 jjdjp.exe 2976 rxxlrxr.exe 1844 1nhnbb.exe 2412 tnbhtt.exe 3000 pjdpd.exe 448 fxlrffr.exe 2256 rrfxffr.exe 2224 ttttht.exe 944 jdvvj.exe 2420 rrlrllx.exe 1048 nhbbnn.exe 1992 7vpvj.exe -
resource yara_rule behavioral1/memory/1708-8-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2952-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2188-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2248-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2208-46-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2640-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2860-69-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2908-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/868-91-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2984-103-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1984-126-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1692-128-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1692-136-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2724-145-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2764-159-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1156-157-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2136-195-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1048-214-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1572-230-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2776-250-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1620-258-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1528-267-0x0000000001C60000-0x0000000001C8A000-memory.dmp upx behavioral1/memory/1528-266-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/860-269-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/1432-285-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1576-301-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/1444-309-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2500-316-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2680-341-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2860-378-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1600-385-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1556-429-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3000-454-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1048-493-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2776-526-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1528-545-0x00000000003B0000-0x00000000003DA000-memory.dmp upx behavioral1/memory/1528-546-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2964-559-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1316-663-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1092-676-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1996-683-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1908-690-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2176-722-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1916-747-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/944-754-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/112-809-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2084-822-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2964-835-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2376-884-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2416-1002-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1604-1009-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2880-1034-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/1980-1041-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1536-1048-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1056-1061-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1712-1124-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1356-1282-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1732-1331-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location (here: opening HKLM\SYSTEM\ControlSet001\Control\NLS\Language). Note that this key is also read by benign software, so on its own it is a weak indicator; it is more meaningful in combination with the Blackmoon payload detections and the long chain of dropped executables above.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bntbbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pddjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnhthn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbbbhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1rlfxxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3rlrffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3llxrxf.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhthbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxrrflr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llfrlxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhhthn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpjdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1rfxfxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bttnbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlrlxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbbbtb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1708 wrote to memory of 2952 1708 45928bd41becf97a265b366f383790d17a9b6ec477f488d395cb6cdecc531ae4.exe 31 PID 1708 wrote to memory of 2952 1708 45928bd41becf97a265b366f383790d17a9b6ec477f488d395cb6cdecc531ae4.exe 31 PID 1708 wrote to memory of 2952 1708 45928bd41becf97a265b366f383790d17a9b6ec477f488d395cb6cdecc531ae4.exe 31 PID 1708 wrote to memory of 2952 1708 45928bd41becf97a265b366f383790d17a9b6ec477f488d395cb6cdecc531ae4.exe 31 PID 2952 wrote to memory of 2248 2952 jdddp.exe 32 PID 2952 wrote to memory of 2248 2952 jdddp.exe 32 PID 2952 wrote to memory of 2248 2952 jdddp.exe 32 PID 2952 wrote to memory of 2248 2952 jdddp.exe 32 PID 2248 wrote to memory of 2188 2248 fxrrlrf.exe 33 PID 2248 wrote to memory of 2188 2248 fxrrlrf.exe 33 PID 2248 wrote to memory of 2188 2248 fxrrlrf.exe 33 PID 2248 wrote to memory of 2188 2248 fxrrlrf.exe 33 PID 2188 wrote to memory of 2208 2188 fllrflf.exe 34 PID 2188 wrote to memory of 2208 2188 fllrflf.exe 34 PID 2188 wrote to memory of 2208 2188 fllrflf.exe 34 PID 2188 wrote to memory of 2208 2188 fllrflf.exe 34 PID 2208 wrote to memory of 2640 2208 7rrrxll.exe 35 PID 2208 wrote to memory of 2640 2208 7rrrxll.exe 35 PID 2208 wrote to memory of 2640 2208 7rrrxll.exe 35 PID 2208 wrote to memory of 2640 2208 7rrrxll.exe 35 PID 2640 wrote to memory of 2908 2640 lfrxllr.exe 36 PID 2640 wrote to memory of 2908 2640 lfrxllr.exe 36 PID 2640 wrote to memory of 2908 2640 lfrxllr.exe 36 PID 2640 wrote to memory of 2908 2640 lfrxllr.exe 36 PID 2908 wrote to memory of 2860 2908 hhtthh.exe 37 PID 2908 wrote to memory of 2860 2908 hhtthh.exe 37 PID 2908 wrote to memory of 2860 2908 hhtthh.exe 37 PID 2908 wrote to memory of 2860 2908 hhtthh.exe 37 PID 2860 wrote to memory of 2884 2860 ffflxfl.exe 38 PID 2860 wrote to memory of 2884 2860 ffflxfl.exe 38 PID 2860 wrote to memory of 2884 2860 ffflxfl.exe 38 PID 2860 wrote to memory of 2884 2860 ffflxfl.exe 38 PID 2884 wrote to memory of 868 2884 llflxxx.exe 
39 PID 2884 wrote to memory of 868 2884 llflxxx.exe 39 PID 2884 wrote to memory of 868 2884 llflxxx.exe 39 PID 2884 wrote to memory of 868 2884 llflxxx.exe 39 PID 868 wrote to memory of 2552 868 ffxxflf.exe 40 PID 868 wrote to memory of 2552 868 ffxxflf.exe 40 PID 868 wrote to memory of 2552 868 ffxxflf.exe 40 PID 868 wrote to memory of 2552 868 ffxxflf.exe 40 PID 2552 wrote to memory of 2984 2552 nnbhnb.exe 41 PID 2552 wrote to memory of 2984 2552 nnbhnb.exe 41 PID 2552 wrote to memory of 2984 2552 nnbhnb.exe 41 PID 2552 wrote to memory of 2984 2552 nnbhnb.exe 41 PID 2984 wrote to memory of 1832 2984 1jdpp.exe 42 PID 2984 wrote to memory of 1832 2984 1jdpp.exe 42 PID 2984 wrote to memory of 1832 2984 1jdpp.exe 42 PID 2984 wrote to memory of 1832 2984 1jdpp.exe 42 PID 1832 wrote to memory of 1984 1832 xrxxfxf.exe 43 PID 1832 wrote to memory of 1984 1832 xrxxfxf.exe 43 PID 1832 wrote to memory of 1984 1832 xrxxfxf.exe 43 PID 1832 wrote to memory of 1984 1832 xrxxfxf.exe 43 PID 1984 wrote to memory of 1692 1984 tnhnbb.exe 44 PID 1984 wrote to memory of 1692 1984 tnhnbb.exe 44 PID 1984 wrote to memory of 1692 1984 tnhnbb.exe 44 PID 1984 wrote to memory of 1692 1984 tnhnbb.exe 44 PID 1692 wrote to memory of 2724 1692 lflrllx.exe 45 PID 1692 wrote to memory of 2724 1692 lflrllx.exe 45 PID 1692 wrote to memory of 2724 1692 lflrllx.exe 45 PID 1692 wrote to memory of 2724 1692 lflrllx.exe 45 PID 2724 wrote to memory of 1156 2724 ppdpv.exe 46 PID 2724 wrote to memory of 1156 2724 ppdpv.exe 46 PID 2724 wrote to memory of 1156 2724 ppdpv.exe 46 PID 2724 wrote to memory of 1156 2724 ppdpv.exe 46
Processes
-
C:\Users\Admin\AppData\Local\Temp\45928bd41becf97a265b366f383790d17a9b6ec477f488d395cb6cdecc531ae4.exe"C:\Users\Admin\AppData\Local\Temp\45928bd41becf97a265b366f383790d17a9b6ec477f488d395cb6cdecc531ae4.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1708 -
\??\c:\jdddp.exec:\jdddp.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2952 -
\??\c:\fxrrlrf.exec:\fxrrlrf.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2248 -
\??\c:\fllrflf.exec:\fllrflf.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2188 -
\??\c:\7rrrxll.exec:\7rrrxll.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2208 -
\??\c:\lfrxllr.exec:\lfrxllr.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2640 -
\??\c:\hhtthh.exec:\hhtthh.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2908 -
\??\c:\ffflxfl.exec:\ffflxfl.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2860 -
\??\c:\llflxxx.exec:\llflxxx.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2884 -
\??\c:\ffxxflf.exec:\ffxxflf.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:868 -
\??\c:\nnbhnb.exec:\nnbhnb.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2552 -
\??\c:\1jdpp.exec:\1jdpp.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2984 -
\??\c:\xrxxfxf.exec:\xrxxfxf.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1832 -
\??\c:\tnhnbb.exec:\tnhnbb.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1984 -
\??\c:\lflrllx.exec:\lflrllx.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1692 -
\??\c:\ppdpv.exec:\ppdpv.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2724 -
\??\c:\5bnttb.exec:\5bnttb.exe17⤵
- Executes dropped EXE
PID:1156 -
\??\c:\1jvdd.exec:\1jvdd.exe18⤵
- Executes dropped EXE
PID:2764 -
\??\c:\lllflxl.exec:\lllflxl.exe19⤵
- Executes dropped EXE
PID:1776 -
\??\c:\hbnbtb.exec:\hbnbtb.exe20⤵
- Executes dropped EXE
PID:2120 -
\??\c:\fxxxlrf.exec:\fxxxlrf.exe21⤵
- Executes dropped EXE
PID:2256 -
\??\c:\btnthn.exec:\btnthn.exe22⤵
- Executes dropped EXE
PID:2136 -
\??\c:\dppvj.exec:\dppvj.exe23⤵
- Executes dropped EXE
PID:1396 -
\??\c:\1xlrfrf.exec:\1xlrfrf.exe24⤵
- Executes dropped EXE
PID:1048 -
\??\c:\ttbnht.exec:\ttbnht.exe25⤵
- Executes dropped EXE
PID:1572 -
\??\c:\tnbbhn.exec:\tnbbhn.exe26⤵
- Executes dropped EXE
PID:2424 -
\??\c:\rfrfrrx.exec:\rfrfrrx.exe27⤵
- Executes dropped EXE
PID:2776 -
\??\c:\1tnhnt.exec:\1tnhnt.exe28⤵
- Executes dropped EXE
PID:1620 -
\??\c:\jjjpd.exec:\jjjpd.exe29⤵
- Executes dropped EXE
PID:1528 -
\??\c:\tnhnhn.exec:\tnhnhn.exe30⤵
- Executes dropped EXE
PID:860 -
\??\c:\jdvdv.exec:\jdvdv.exe31⤵
- Executes dropped EXE
PID:1432 -
\??\c:\fxrrxrf.exec:\fxrrxrf.exe32⤵
- Executes dropped EXE
PID:2912 -
\??\c:\dpdvp.exec:\dpdvp.exe33⤵
- Executes dropped EXE
PID:1576 -
\??\c:\xxrxlrf.exec:\xxrxlrf.exe34⤵
- Executes dropped EXE
PID:1444 -
\??\c:\frfxlrx.exec:\frfxlrx.exe35⤵
- Executes dropped EXE
PID:2500 -
\??\c:\hhnthh.exec:\hhnthh.exe36⤵
- Executes dropped EXE
PID:2200 -
\??\c:\7pjpp.exec:\7pjpp.exe37⤵
- Executes dropped EXE
PID:1292 -
\??\c:\fxrxlxr.exec:\fxrxlxr.exe38⤵
- Executes dropped EXE
PID:2664 -
\??\c:\3lxxlll.exec:\3lxxlll.exe39⤵
- Executes dropped EXE
PID:2680 -
\??\c:\tnhhtt.exec:\tnhhtt.exe40⤵
- Executes dropped EXE
PID:2816 -
\??\c:\dvddp.exec:\dvddp.exe41⤵
- Executes dropped EXE
PID:2908 -
\??\c:\pvjjj.exec:\pvjjj.exe42⤵
- Executes dropped EXE
PID:2860 -
\??\c:\xrfxfxl.exec:\xrfxfxl.exe43⤵
- Executes dropped EXE
PID:1276 -
\??\c:\hbtntb.exec:\hbtntb.exe44⤵
- Executes dropped EXE
PID:2812 -
\??\c:\jdddp.exec:\jdddp.exe45⤵
- Executes dropped EXE
PID:2548 -
\??\c:\jdjdp.exec:\jdjdp.exe46⤵
- Executes dropped EXE
PID:1600 -
\??\c:\xlrfxfl.exec:\xlrfxfl.exe47⤵
- Executes dropped EXE
PID:660 -
\??\c:\hbntbb.exec:\hbntbb.exe48⤵
- Executes dropped EXE
PID:2364 -
\??\c:\dvvdv.exec:\dvvdv.exe49⤵
- Executes dropped EXE
PID:1472 -
\??\c:\pdppd.exec:\pdppd.exe50⤵
- Executes dropped EXE
PID:1760 -
\??\c:\xlrlxxx.exec:\xlrlxxx.exe51⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2520 -
\??\c:\tnhnbt.exec:\tnhnbt.exe52⤵
- Executes dropped EXE
PID:1672 -
\??\c:\nnhthn.exec:\nnhthn.exe53⤵
- Executes dropped EXE
PID:1556 -
\??\c:\jjdjp.exec:\jjdjp.exe54⤵
- Executes dropped EXE
PID:1976 -
\??\c:\rxxlrxr.exec:\rxxlrxr.exe55⤵
- Executes dropped EXE
PID:2976 -
\??\c:\1nhnbb.exec:\1nhnbb.exe56⤵
- Executes dropped EXE
PID:1844 -
\??\c:\tnbhtt.exec:\tnbhtt.exe57⤵
- Executes dropped EXE
PID:2412 -
\??\c:\pjdpd.exec:\pjdpd.exe58⤵
- Executes dropped EXE
PID:3000 -
\??\c:\fxlrffr.exec:\fxlrffr.exe59⤵
- Executes dropped EXE
PID:448 -
\??\c:\rrfxffr.exec:\rrfxffr.exe60⤵
- Executes dropped EXE
PID:2256 -
\??\c:\ttttht.exec:\ttttht.exe61⤵
- Executes dropped EXE
PID:2224 -
\??\c:\jdvvj.exec:\jdvvj.exe62⤵
- Executes dropped EXE
PID:944 -
\??\c:\rrlrllx.exec:\rrlrllx.exe63⤵
- Executes dropped EXE
PID:2420 -
\??\c:\nhbbnn.exec:\nhbbnn.exe64⤵
- Executes dropped EXE
PID:1048 -
\??\c:\7vpvj.exec:\7vpvj.exe65⤵
- Executes dropped EXE
PID:1992 -
\??\c:\pjddd.exec:\pjddd.exe66⤵PID:1336
-
\??\c:\xrfxlrf.exec:\xrfxlrf.exe67⤵PID:2288
-
\??\c:\nnhhbh.exec:\nnhhbh.exe68⤵PID:2776
-
\??\c:\5djjp.exec:\5djjp.exe69⤵PID:2216
-
\??\c:\jdvvd.exec:\jdvvd.exe70⤵PID:2488
-
\??\c:\rrrxlxr.exec:\rrrxlxr.exe71⤵PID:1528
-
\??\c:\9thhhn.exec:\9thhhn.exe72⤵PID:876
-
\??\c:\jvvpp.exec:\jvvpp.exe73⤵PID:2944
-
\??\c:\ppjjj.exec:\ppjjj.exe74⤵PID:2964
-
\??\c:\xrfrflx.exec:\xrfrflx.exe75⤵PID:3028
-
\??\c:\fxxfllf.exec:\fxxfllf.exe76⤵PID:2892
-
\??\c:\hbhhnn.exec:\hbhhnn.exe77⤵PID:1792
-
\??\c:\pdppp.exec:\pdppp.exe78⤵PID:3048
-
\??\c:\5pddj.exec:\5pddj.exe79⤵PID:2624
-
\??\c:\1rffrxl.exec:\1rffrxl.exe80⤵PID:2164
-
\??\c:\tnhhtb.exec:\tnhhtb.exe81⤵PID:2796
-
\??\c:\9pvdp.exec:\9pvdp.exe82⤵PID:2640
-
\??\c:\jjvpv.exec:\jjvpv.exe83⤵PID:2540
-
\??\c:\fxrfxxr.exec:\fxrfxxr.exe84⤵PID:2696
-
\??\c:\hhbbhn.exec:\hhbbhn.exe85⤵PID:2672
-
\??\c:\3nhnbh.exec:\3nhnbh.exe86⤵PID:1268
-
\??\c:\vpjpd.exec:\vpjpd.exe87⤵PID:2648
-
\??\c:\rllxrfx.exec:\rllxrfx.exe88⤵PID:2580
-
\??\c:\nhthbt.exec:\nhthbt.exe89⤵PID:2996
-
\??\c:\nnbnht.exec:\nnbnht.exe90⤵PID:1808
-
\??\c:\3djjp.exec:\3djjp.exe91⤵PID:1316
-
\??\c:\fxrxffr.exec:\fxrxffr.exe92⤵PID:1092
-
\??\c:\hnbbbt.exec:\hnbbbt.exe93⤵PID:1984
-
\??\c:\3nhhbb.exec:\3nhhbb.exe94⤵PID:1996
-
\??\c:\vpvdv.exec:\vpvdv.exe95⤵PID:1908
-
\??\c:\ffxxflx.exec:\ffxxflx.exe96⤵PID:2972
-
\??\c:\nnnthh.exec:\nnnthh.exe97⤵PID:2740
-
\??\c:\hhnbtb.exec:\hhnbtb.exe98⤵PID:2764
-
\??\c:\1dpvj.exec:\1dpvj.exe99⤵PID:2064
-
\??\c:\llrfrxr.exec:\llrfrxr.exe100⤵PID:2176
-
\??\c:\7httbn.exec:\7httbn.exe101⤵PID:348
-
\??\c:\1tnnhh.exec:\1tnnhh.exe102⤵PID:1604
-
\??\c:\ppjjp.exec:\ppjjp.exe103⤵PID:1636
-
\??\c:\9rxfflf.exec:\9rxfflf.exe104⤵PID:1916
-
\??\c:\1fffrfr.exec:\1fffrfr.exe105⤵PID:944
-
\??\c:\3nttht.exec:\3nttht.exe106⤵PID:912
-
\??\c:\pddvp.exec:\pddvp.exe107⤵PID:612
-
\??\c:\rrrrfrx.exec:\rrrrfrx.exe108⤵PID:2184
-
\??\c:\flxlrxr.exec:\flxlrxr.exe109⤵PID:316
-
\??\c:\hbnntt.exec:\hbnntt.exe110⤵PID:2232
-
\??\c:\vppvd.exec:\vppvd.exe111⤵PID:2236
-
\??\c:\jjddv.exec:\jjddv.exe112⤵PID:1000
-
\??\c:\llfrlxx.exec:\llfrlxx.exe113⤵
- System Location Discovery: System Language Discovery
PID:1728 -
\??\c:\bbthht.exec:\bbthht.exe114⤵PID:112
-
\??\c:\hhnbth.exec:\hhnbth.exe115⤵PID:1492
-
\??\c:\jdjdd.exec:\jdjdd.exe116⤵PID:2084
-
\??\c:\7fxfxfr.exec:\7fxfxfr.exe117⤵PID:1632
-
\??\c:\xrrfxll.exec:\xrrfxll.exe118⤵PID:2964
-
\??\c:\ttbnth.exec:\ttbnth.exe119⤵PID:1924
-
\??\c:\fxxfrxl.exec:\fxxfrxl.exe120⤵PID:2160
-
\??\c:\5bnbth.exec:\5bnbth.exe121⤵PID:1368
-
\??\c:\bhhtbn.exec:\bhhtbn.exe122⤵PID:2196