Analysis
-
max time kernel
120s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
25/12/2024, 22:14
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
104f3fefacbc7f08ad3b0d1c879239bd99ad12153b6555a6946ffe6904f893ca.exe
Resource
win7-20240903-en
7 signatures
120 seconds
General
-
Target
104f3fefacbc7f08ad3b0d1c879239bd99ad12153b6555a6946ffe6904f893ca.exe
-
Size
456KB
-
MD5
2f5a81ff4be3901a96c9ee57ca57ee1f
-
SHA1
98edefc1d7ec94393f4e4427f9396ce7d50261f5
-
SHA256
104f3fefacbc7f08ad3b0d1c879239bd99ad12153b6555a6946ffe6904f893ca
-
SHA512
4229b7fb9e0c9469bcb75dbafaa2fd5dbd7ef0df69ea774fdb60cfbedb15b1afa2a66cd3bd52a41f6e8df0aba641281497c66a939c328a231488cdd02eec095f
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeR2:q7Tc2NYHUrAwfMp3CDR2
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 45 IoCs
resource yara_rule behavioral1/memory/2268-10-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2648-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2808-26-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2688-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2592-44-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/2592-46-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2844-55-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2552-63-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/2552-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2964-73-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1184-85-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1092-83-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2624-119-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2100-134-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2596-152-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2420-156-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2420-161-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1920-171-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1784-193-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2232-189-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1740-179-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/1652-229-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1048-226-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1048-225-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/1692-243-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1904-270-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2836-279-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2464-290-0x0000000076C10000-0x0000000076D2F000-memory.dmp family_blackmoon behavioral1/memory/1584-293-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2760-306-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2804-313-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2812-320-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2668-339-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2980-360-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/2468-573-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2852-675-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/2624-689-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2412-703-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1924-718-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/1716-785-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1716-783-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2488-799-0x0000000000230000-0x000000000025A000-memory.dmp family_blackmoon 
behavioral1/memory/2648-841-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1696-1048-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1696-1047-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2268 lfrrxxl.exe 2808 jdvvj.exe 2688 9thhnn.exe 2592 9dvdp.exe 2844 xlllfxr.exe 2552 vddvj.exe 2964 fxlrffr.exe 1092 3nhbnt.exe 1184 xrrllrx.exe 2192 3btthh.exe 2448 9fxfllr.exe 2340 hhbnbb.exe 2624 3pvdj.exe 2100 lfxrffl.exe 1640 9lfrrxl.exe 2596 9fflrxl.exe 2420 thbbtb.exe 1920 ppjpd.exe 1740 vjvvp.exe 2232 hbhhnt.exe 1784 jjdjv.exe 2220 djdjv.exe 1088 3hbnbh.exe 1048 3dpjp.exe 1652 7xrflrf.exe 1692 9fflxfr.exe 1600 tnnttt.exe 996 ffrrflx.exe 1904 5nbbbh.exe 2836 dvpdj.exe 888 5hnnbt.exe 2464 fxflxxr.exe 2760 1jpvd.exe 2804 nhbbnt.exe 2812 7nbnbh.exe 2796 3jvvd.exe 2740 7fxrrxl.exe 2668 nthbbt.exe 2588 tnnbbb.exe 2676 pjjpv.exe 2980 rlxxffl.exe 1480 nhbntb.exe 1092 hhhtbn.exe 2160 1jddj.exe 1792 lfrxxxx.exe 2084 btthtb.exe 2460 9nbntb.exe 1776 pjvjp.exe 2624 xrxxflr.exe 464 lxxxflf.exe 2308 ttnbtt.exe 1640 9vvdj.exe 2040 xrlxfrr.exe 1944 9xllrrx.exe 1432 1bnthn.exe 1920 jjpvj.exe 264 9rllflr.exe 1044 fxffllr.exe 2536 nhhtbb.exe 2108 jvvjp.exe 1768 vvjpj.exe 548 lfrflll.exe 1132 tbhhht.exe 2436 vpjpd.exe -
resource yara_rule behavioral1/memory/2268-10-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2648-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2688-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2808-26-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2688-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2592-46-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2844-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2552-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2964-73-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1184-85-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1092-83-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2624-119-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2100-134-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2596-152-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2420-161-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1920-171-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1784-193-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2232-189-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1740-179-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1652-229-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1048-226-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1904-270-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2836-279-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1584-293-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2760-306-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2804-313-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2812-320-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2668-339-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2676-346-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1640-422-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1556-560-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2468-573-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2412-702-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2748-731-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1748-771-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1716-785-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1716-783-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2488-798-0x0000000000230000-0x000000000025A000-memory.dmp upx behavioral1/memory/2936-812-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2664-832-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2648-841-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2608-892-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2424-984-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1696-1048-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frffflr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnhntt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjjjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhthnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdpvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjvvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffrrllx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5djpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppjpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3thntb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfrflll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrxxxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnhntn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlxfflr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjvdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlxfrrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2648 wrote to memory of 2268 2648 104f3fefacbc7f08ad3b0d1c879239bd99ad12153b6555a6946ffe6904f893ca.exe 30 PID 2648 wrote to memory of 2268 2648 104f3fefacbc7f08ad3b0d1c879239bd99ad12153b6555a6946ffe6904f893ca.exe 30 PID 2648 wrote to memory of 2268 2648 104f3fefacbc7f08ad3b0d1c879239bd99ad12153b6555a6946ffe6904f893ca.exe 30 PID 2648 wrote to memory of 2268 2648 104f3fefacbc7f08ad3b0d1c879239bd99ad12153b6555a6946ffe6904f893ca.exe 30 PID 2268 wrote to memory of 2808 2268 lfrrxxl.exe 31 PID 2268 wrote to memory of 2808 2268 lfrrxxl.exe 31 PID 2268 wrote to memory of 2808 2268 lfrrxxl.exe 31 PID 2268 wrote to memory of 2808 2268 lfrrxxl.exe 31 PID 2808 wrote to memory of 2688 2808 jdvvj.exe 32 PID 2808 wrote to memory of 2688 2808 jdvvj.exe 32 PID 2808 wrote to memory of 2688 2808 jdvvj.exe 32 PID 2808 wrote to memory of 2688 2808 jdvvj.exe 32 PID 2688 wrote to memory of 2592 2688 9thhnn.exe 33 PID 2688 wrote to memory of 2592 2688 9thhnn.exe 33 PID 2688 wrote to memory of 2592 2688 9thhnn.exe 33 PID 2688 wrote to memory of 2592 2688 9thhnn.exe 33 PID 2592 wrote to memory of 2844 2592 9dvdp.exe 34 PID 2592 wrote to memory of 2844 2592 9dvdp.exe 34 PID 2592 wrote to memory of 2844 2592 9dvdp.exe 34 PID 2592 wrote to memory of 2844 2592 9dvdp.exe 34 PID 2844 wrote to memory of 2552 2844 xlllfxr.exe 35 PID 2844 wrote to memory of 2552 2844 xlllfxr.exe 35 PID 2844 wrote to memory of 2552 2844 xlllfxr.exe 35 PID 2844 wrote to memory of 2552 2844 xlllfxr.exe 35 PID 2552 wrote to memory of 2964 2552 vddvj.exe 36 PID 2552 wrote to memory of 2964 2552 vddvj.exe 36 PID 2552 wrote to memory of 2964 2552 vddvj.exe 36 PID 2552 wrote to memory of 2964 2552 vddvj.exe 36 PID 2964 wrote to memory of 1092 2964 fxlrffr.exe 37 PID 2964 wrote to memory of 1092 2964 fxlrffr.exe 37 PID 2964 wrote to memory of 1092 2964 fxlrffr.exe 37 PID 2964 wrote to memory of 1092 2964 fxlrffr.exe 37 PID 1092 wrote to memory of 1184 1092 3nhbnt.exe 38 PID 1092 
wrote to memory of 1184 1092 3nhbnt.exe 38 PID 1092 wrote to memory of 1184 1092 3nhbnt.exe 38 PID 1092 wrote to memory of 1184 1092 3nhbnt.exe 38 PID 1184 wrote to memory of 2192 1184 xrrllrx.exe 39 PID 1184 wrote to memory of 2192 1184 xrrllrx.exe 39 PID 1184 wrote to memory of 2192 1184 xrrllrx.exe 39 PID 1184 wrote to memory of 2192 1184 xrrllrx.exe 39 PID 2192 wrote to memory of 2448 2192 3btthh.exe 40 PID 2192 wrote to memory of 2448 2192 3btthh.exe 40 PID 2192 wrote to memory of 2448 2192 3btthh.exe 40 PID 2192 wrote to memory of 2448 2192 3btthh.exe 40 PID 2448 wrote to memory of 2340 2448 9fxfllr.exe 41 PID 2448 wrote to memory of 2340 2448 9fxfllr.exe 41 PID 2448 wrote to memory of 2340 2448 9fxfllr.exe 41 PID 2448 wrote to memory of 2340 2448 9fxfllr.exe 41 PID 2340 wrote to memory of 2624 2340 hhbnbb.exe 42 PID 2340 wrote to memory of 2624 2340 hhbnbb.exe 42 PID 2340 wrote to memory of 2624 2340 hhbnbb.exe 42 PID 2340 wrote to memory of 2624 2340 hhbnbb.exe 42 PID 2624 wrote to memory of 2100 2624 3pvdj.exe 43 PID 2624 wrote to memory of 2100 2624 3pvdj.exe 43 PID 2624 wrote to memory of 2100 2624 3pvdj.exe 43 PID 2624 wrote to memory of 2100 2624 3pvdj.exe 43 PID 2100 wrote to memory of 1640 2100 lfxrffl.exe 44 PID 2100 wrote to memory of 1640 2100 lfxrffl.exe 44 PID 2100 wrote to memory of 1640 2100 lfxrffl.exe 44 PID 2100 wrote to memory of 1640 2100 lfxrffl.exe 44 PID 1640 wrote to memory of 2596 1640 9lfrrxl.exe 45 PID 1640 wrote to memory of 2596 1640 9lfrrxl.exe 45 PID 1640 wrote to memory of 2596 1640 9lfrrxl.exe 45 PID 1640 wrote to memory of 2596 1640 9lfrrxl.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\104f3fefacbc7f08ad3b0d1c879239bd99ad12153b6555a6946ffe6904f893ca.exe"C:\Users\Admin\AppData\Local\Temp\104f3fefacbc7f08ad3b0d1c879239bd99ad12153b6555a6946ffe6904f893ca.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2648 -
\??\c:\lfrrxxl.exec:\lfrrxxl.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2268 -
\??\c:\jdvvj.exec:\jdvvj.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2808 -
\??\c:\9thhnn.exec:\9thhnn.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2688 -
\??\c:\9dvdp.exec:\9dvdp.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2592 -
\??\c:\xlllfxr.exec:\xlllfxr.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2844 -
\??\c:\vddvj.exec:\vddvj.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2552 -
\??\c:\fxlrffr.exec:\fxlrffr.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2964 -
\??\c:\3nhbnt.exec:\3nhbnt.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1092 -
\??\c:\xrrllrx.exec:\xrrllrx.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1184 -
\??\c:\3btthh.exec:\3btthh.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2192 -
\??\c:\9fxfllr.exec:\9fxfllr.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2448 -
\??\c:\hhbnbb.exec:\hhbnbb.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2340 -
\??\c:\3pvdj.exec:\3pvdj.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2624 -
\??\c:\lfxrffl.exec:\lfxrffl.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2100 -
\??\c:\9lfrrxl.exec:\9lfrrxl.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1640 -
\??\c:\9fflrxl.exec:\9fflrxl.exe17⤵
- Executes dropped EXE
PID:2596 -
\??\c:\thbbtb.exec:\thbbtb.exe18⤵
- Executes dropped EXE
PID:2420 -
\??\c:\ppjpd.exec:\ppjpd.exe19⤵
- Executes dropped EXE
PID:1920 -
\??\c:\vjvvp.exec:\vjvvp.exe20⤵
- Executes dropped EXE
PID:1740 -
\??\c:\hbhhnt.exec:\hbhhnt.exe21⤵
- Executes dropped EXE
PID:2232 -
\??\c:\jjdjv.exec:\jjdjv.exe22⤵
- Executes dropped EXE
PID:1784 -
\??\c:\djdjv.exec:\djdjv.exe23⤵
- Executes dropped EXE
PID:2220 -
\??\c:\3hbnbh.exec:\3hbnbh.exe24⤵
- Executes dropped EXE
PID:1088 -
\??\c:\3dpjp.exec:\3dpjp.exe25⤵
- Executes dropped EXE
PID:1048 -
\??\c:\7xrflrf.exec:\7xrflrf.exe26⤵
- Executes dropped EXE
PID:1652 -
\??\c:\9fflxfr.exec:\9fflxfr.exe27⤵
- Executes dropped EXE
PID:1692 -
\??\c:\tnnttt.exec:\tnnttt.exe28⤵
- Executes dropped EXE
PID:1600 -
\??\c:\ffrrflx.exec:\ffrrflx.exe29⤵
- Executes dropped EXE
PID:996 -
\??\c:\5nbbbh.exec:\5nbbbh.exe30⤵
- Executes dropped EXE
PID:1904 -
\??\c:\dvpdj.exec:\dvpdj.exe31⤵
- Executes dropped EXE
PID:2836 -
\??\c:\5hnnbt.exec:\5hnnbt.exe32⤵
- Executes dropped EXE
PID:888 -
\??\c:\fxflxxr.exec:\fxflxxr.exe33⤵
- Executes dropped EXE
PID:2464 -
\??\c:\hbntbb.exec:\hbntbb.exe34⤵PID:1584
-
\??\c:\1jpvd.exec:\1jpvd.exe35⤵
- Executes dropped EXE
PID:2760 -
\??\c:\nhbbnt.exec:\nhbbnt.exe36⤵
- Executes dropped EXE
PID:2804 -
\??\c:\7nbnbh.exec:\7nbnbh.exe37⤵
- Executes dropped EXE
PID:2812 -
\??\c:\3jvvd.exec:\3jvvd.exe38⤵
- Executes dropped EXE
PID:2796 -
\??\c:\7fxrrxl.exec:\7fxrrxl.exe39⤵
- Executes dropped EXE
PID:2740 -
\??\c:\nthbbt.exec:\nthbbt.exe40⤵
- Executes dropped EXE
PID:2668 -
\??\c:\tnnbbb.exec:\tnnbbb.exe41⤵
- Executes dropped EXE
PID:2588 -
\??\c:\pjjpv.exec:\pjjpv.exe42⤵
- Executes dropped EXE
PID:2676 -
\??\c:\rlxxffl.exec:\rlxxffl.exe43⤵
- Executes dropped EXE
PID:2980 -
\??\c:\nhbntb.exec:\nhbntb.exe44⤵
- Executes dropped EXE
PID:1480 -
\??\c:\hhhtbn.exec:\hhhtbn.exe45⤵
- Executes dropped EXE
PID:1092 -
\??\c:\1jddj.exec:\1jddj.exe46⤵
- Executes dropped EXE
PID:2160 -
\??\c:\lfrxxxx.exec:\lfrxxxx.exe47⤵
- Executes dropped EXE
PID:1792 -
\??\c:\btthtb.exec:\btthtb.exe48⤵
- Executes dropped EXE
PID:2084 -
\??\c:\9nbntb.exec:\9nbntb.exe49⤵
- Executes dropped EXE
PID:2460 -
\??\c:\pjvjp.exec:\pjvjp.exe50⤵
- Executes dropped EXE
PID:1776 -
\??\c:\xrxxflr.exec:\xrxxflr.exe51⤵
- Executes dropped EXE
PID:2624 -
\??\c:\lxxxflf.exec:\lxxxflf.exe52⤵
- Executes dropped EXE
PID:464 -
\??\c:\ttnbtt.exec:\ttnbtt.exe53⤵
- Executes dropped EXE
PID:2308 -
\??\c:\9vvdj.exec:\9vvdj.exe54⤵
- Executes dropped EXE
PID:1640 -
\??\c:\xrlxfrr.exec:\xrlxfrr.exe55⤵
- Executes dropped EXE
PID:2040 -
\??\c:\9xllrrx.exec:\9xllrrx.exe56⤵
- Executes dropped EXE
PID:1944 -
\??\c:\1bnthn.exec:\1bnthn.exe57⤵
- Executes dropped EXE
PID:1432 -
\??\c:\jjpvj.exec:\jjpvj.exe58⤵
- Executes dropped EXE
PID:1920 -
\??\c:\9rllflr.exec:\9rllflr.exe59⤵
- Executes dropped EXE
PID:264 -
\??\c:\fxffllr.exec:\fxffllr.exe60⤵
- Executes dropped EXE
PID:1044 -
\??\c:\nhhtbb.exec:\nhhtbb.exe61⤵
- Executes dropped EXE
PID:2536 -
\??\c:\jvvjp.exec:\jvvjp.exe62⤵
- Executes dropped EXE
PID:2108 -
\??\c:\vvjpj.exec:\vvjpj.exe63⤵
- Executes dropped EXE
PID:1768 -
\??\c:\lfrflll.exec:\lfrflll.exe64⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:548 -
\??\c:\tbhhht.exec:\tbhhht.exe65⤵
- Executes dropped EXE
PID:1132 -
\??\c:\vpjpd.exec:\vpjpd.exe66⤵
- Executes dropped EXE
PID:2436 -
\??\c:\rlrxrlf.exec:\rlrxrlf.exe67⤵PID:1652
-
\??\c:\fxlrxfl.exec:\fxlrxfl.exe68⤵PID:2016
-
\??\c:\7hbhhn.exec:\7hbhhn.exe69⤵PID:844
-
\??\c:\jdjjp.exec:\jdjjp.exe70⤵PID:1336
-
\??\c:\pppjp.exec:\pppjp.exe71⤵PID:2332
-
\??\c:\llflxxf.exec:\llflxxf.exe72⤵PID:996
-
\??\c:\5nbbhn.exec:\5nbbhn.exe73⤵PID:2932
-
\??\c:\dvdpv.exec:\dvdpv.exe74⤵PID:1496
-
\??\c:\ddvdp.exec:\ddvdp.exe75⤵PID:612
-
\??\c:\rrlrflx.exec:\rrlrflx.exe76⤵PID:1556
-
\??\c:\nhtbnn.exec:\nhtbnn.exe77⤵PID:2468
-
\??\c:\hhbntt.exec:\hhbntt.exe78⤵PID:2800
-
\??\c:\djvdj.exec:\djvdj.exe79⤵PID:2680
-
\??\c:\xxllrxr.exec:\xxllrxr.exe80⤵PID:2832
-
\??\c:\nnntbb.exec:\nnntbb.exe81⤵PID:2812
-
\??\c:\nhttbb.exec:\nhttbb.exe82⤵PID:2796
-
\??\c:\jjddp.exec:\jjddp.exe83⤵PID:2740
-
\??\c:\dvvdp.exec:\dvvdp.exe84⤵PID:2728
-
\??\c:\7xlxxfr.exec:\7xlxxfr.exe85⤵PID:2764
-
\??\c:\5hnthh.exec:\5hnthh.exe86⤵PID:1624
-
\??\c:\hbnbhn.exec:\hbnbhn.exe87⤵PID:2980
-
\??\c:\vvjpv.exec:\vvjpv.exe88⤵PID:1244
-
\??\c:\3xlflll.exec:\3xlflll.exe89⤵PID:1500
-
\??\c:\1btbht.exec:\1btbht.exe90⤵PID:2072
-
\??\c:\nhtbhh.exec:\nhtbhh.exe91⤵PID:2200
-
\??\c:\pjdvv.exec:\pjdvv.exe92⤵PID:2400
-
\??\c:\pvppd.exec:\pvppd.exe93⤵PID:2852
-
\??\c:\rrllrrf.exec:\rrllrrf.exe94⤵PID:2340
-
\??\c:\5btbhh.exec:\5btbhh.exe95⤵PID:2624
-
\??\c:\dpjjv.exec:\dpjjv.exe96⤵PID:1380
-
\??\c:\vpjjp.exec:\vpjjp.exe97⤵PID:2412
-
\??\c:\5xlrrxf.exec:\5xlrrxf.exe98⤵PID:2596
-
\??\c:\fxfrxxr.exec:\fxfrxxr.exe99⤵PID:1924
-
\??\c:\7tttbb.exec:\7tttbb.exe100⤵PID:2000
-
\??\c:\3dvvp.exec:\3dvvp.exe101⤵PID:2872
-
\??\c:\9jpjj.exec:\9jpjj.exe102⤵PID:2748
-
\??\c:\rlxxlxf.exec:\rlxxlxf.exe103⤵PID:2652
-
\??\c:\btbbbh.exec:\btbbbh.exe104⤵PID:3060
-
\??\c:\hbnntt.exec:\hbnntt.exe105⤵PID:1096
-
\??\c:\dvjjp.exec:\dvjjp.exe106⤵PID:1180
-
\??\c:\7frfllr.exec:\7frfllr.exe107⤵PID:1752
-
\??\c:\hhttbb.exec:\hhttbb.exe108⤵PID:1748
-
\??\c:\ddvvp.exec:\ddvvp.exe109⤵PID:1716
-
\??\c:\jvjjp.exec:\jvjjp.exe110⤵PID:1652
-
\??\c:\llfrflx.exec:\llfrflx.exe111⤵PID:2488
-
\??\c:\tbthnb.exec:\tbthnb.exe112⤵PID:2020
-
\??\c:\hnnhtb.exec:\hnnhtb.exe113⤵PID:2936
-
\??\c:\1dddp.exec:\1dddp.exe114⤵PID:2532
-
\??\c:\lxrfrxr.exec:\lxrfrxr.exe115⤵PID:1492
-
\??\c:\ffxxflr.exec:\ffxxflr.exe116⤵PID:2312
-
\??\c:\nhnhnn.exec:\nhnhnn.exe117⤵PID:2664
-
\??\c:\9ddvv.exec:\9ddvv.exe118⤵PID:2648
-
\??\c:\vvjjp.exec:\vvjjp.exe119⤵PID:2468
-
\??\c:\fxrlrrx.exec:\fxrlrrx.exe120⤵PID:2800
-
\??\c:\nhbbnn.exec:\nhbbnn.exe121⤵PID:2672
-
\??\c:\jdvvd.exec:\jdvvd.exe122⤵PID:2860