Analysis
-
max time kernel
150s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted
25-12-2024 15:32
Behavioral task
behavioral1
Sample
f1df4ffcb0603ce5f490a95be7bbd4ca24c6530daca2b364236ca17b4e9bde33.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
150 seconds
General
-
Target
f1df4ffcb0603ce5f490a95be7bbd4ca24c6530daca2b364236ca17b4e9bde33.exe
-
Size
130KB
-
MD5
52039e11a38cbca607d22dbc06785fc7
-
SHA1
1beb567a22d519b6530301280644df6375f390bf
-
SHA256
f1df4ffcb0603ce5f490a95be7bbd4ca24c6530daca2b364236ca17b4e9bde33
-
SHA512
76fab7b3065e222b48efc4b51faed6f647a09b1e8d5f42d7cb4d78e3c4760619c5e13aa782fa288c1bbed0e00f5c2aacbc0434ed4456129d8f74a4933aecac3c
-
SSDEEP
3072:0hOmTsF93UYfwC6GIoutX8Kikz9qI+fPl/d:0cm4FmowdHoSH5L+Zd
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload — 54 IoCs (YARA rule family_blackmoon matched on in-memory image regions, mostly 0x400000–0x427000, of the sample and the dropped executables; the same regions also match the upx rule below, so the family detection is on the unpacked in-memory image, not the on-disk file)
resource yara_rule behavioral1/memory/2968-7-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2144-21-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2844-17-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2856-35-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2968-37-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2816-46-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/760-59-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2568-57-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2568-55-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/656-74-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2936-84-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2364-94-0x00000000002A0000-0x00000000002C7000-memory.dmp family_blackmoon behavioral1/memory/464-121-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2916-148-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2372-157-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/344-184-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2408-193-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/864-204-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2536-215-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1660-242-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2276-239-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral1/memory/2212-268-0x00000000003A0000-0x00000000003C7000-memory.dmp family_blackmoon behavioral1/memory/2212-267-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2312-295-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1744-303-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2964-317-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2964-316-0x00000000002B0000-0x00000000002D7000-memory.dmp family_blackmoon behavioral1/memory/2892-337-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2580-350-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2876-358-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2620-371-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2944-379-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2768-403-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2400-454-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2400-455-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2072-468-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/3000-475-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2204-536-0x00000000003D0000-0x00000000003F7000-memory.dmp family_blackmoon behavioral1/memory/1224-549-0x00000000002A0000-0x00000000002C7000-memory.dmp family_blackmoon behavioral1/memory/1280-556-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2496-563-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2140-567-0x0000000000430000-0x0000000000457000-memory.dmp family_blackmoon 
behavioral1/memory/2728-602-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/848-667-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2252-670-0x00000000003C0000-0x00000000003E7000-memory.dmp family_blackmoon behavioral1/memory/596-685-0x0000000000230000-0x0000000000257000-memory.dmp family_blackmoon behavioral1/memory/2924-719-0x0000000000230000-0x0000000000257000-memory.dmp family_blackmoon behavioral1/memory/1916-836-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2776-1021-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2040-1134-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1440-1141-0x0000000000250000-0x0000000000277000-memory.dmp family_blackmoon behavioral1/memory/340-1155-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/340-1154-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2584-1196-0x0000000000260000-0x0000000000287000-memory.dmp family_blackmoon -
Executes dropped EXE — 64 IoCs (the list below is capped at 64 entries; the process tree further down shows 121 dropped executables, each one spawning the next). Note that PIDs are reused across the chain (e.g. 2364 appears for both 7frrlff.exe and flllxrx.exe, 656 for ttbtbb.exe and jvdjj.exe), so a PID alone does not identify a process in this report — pair it with the image name.
pid Process 2844 5frxxrr.exe 2144 thnnbb.exe 2856 bntnnn.exe 2816 dddpj.exe 2568 lrffxxr.exe 760 5frllfl.exe 656 ttbtbb.exe 2936 jvjjp.exe 2364 7frrlff.exe 1852 7bntbn.exe 2548 7nnhhb.exe 464 dpppj.exe 1920 vdppp.exe 2440 3rxrxrf.exe 2916 5hthnh.exe 2372 1tbttt.exe 532 pvdvv.exe 2008 ppvdv.exe 344 xlrlfxr.exe 2408 5tbttn.exe 864 tbnhbh.exe 3016 dpvdd.exe 2536 rflrlff.exe 952 rxfxxxr.exe 2276 rlrrffx.exe 1660 9htbnt.exe 2208 3vpvp.exe 2212 7lrrffx.exe 2044 7xlrllr.exe 1740 nnbnhn.exe 2312 dpppv.exe 1744 jvdjj.exe 2864 3xlrffl.exe 2964 1nhnbb.exe 2884 hbhbbt.exe 1512 ddppj.exe 2892 dpdjj.exe 2736 frrrrrf.exe 2580 lfllxll.exe 2876 1nbnnh.exe 2644 thbbnn.exe 2620 pddjv.exe 848 9vjjd.exe 2944 lrxxrlr.exe 2396 3lfxllx.exe 2364 flllxrx.exe 2768 3htttn.exe 1016 btbtnb.exe 2556 3vjjj.exe 840 djpjj.exe 804 fllxlxf.exe 2920 9frrxrx.exe 1580 5xfxrll.exe 1076 tnbbhh.exe 2400 nbhnnn.exe 2032 3vpdd.exe 2072 dpvdv.exe 3000 9flrrll.exe 2244 rxrllxx.exe 2172 thnnnt.exe 3028 vjjdv.exe 1876 vdvpv.exe 1448 dpvdj.exe 1416 5lxxrll.exe -
resource yara_rule behavioral1/memory/2968-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0063000000011c27-5.dat upx behavioral1/memory/2968-7-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2144-21-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000700000001878d-19.dat upx behavioral1/memory/2844-17-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00080000000190c6-26.dat upx behavioral1/memory/2856-35-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00070000000191f3-36.dat upx behavioral1/memory/2816-46-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0006000000019217-45.dat upx behavioral1/memory/760-59-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0006000000019220-58.dat upx behavioral1/memory/2568-57-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0006000000019238-66.dat upx behavioral1/files/0x0008000000019240-77.dat upx behavioral1/memory/2936-76-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2936-84-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2364-86-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000700000001925d-85.dat upx behavioral1/files/0x0005000000019fb9-96.dat upx behavioral1/files/0x000500000001a067-103.dat upx behavioral1/memory/464-113-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001a07b-112.dat upx behavioral1/files/0x000500000001a0a1-122.dat upx behavioral1/memory/464-121-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001a301-131.dat upx behavioral1/files/0x000500000001a345-139.dat upx behavioral1/files/0x000500000001a42b-146.dat upx behavioral1/memory/2916-148-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001a42d-158.dat upx 
behavioral1/memory/2372-157-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/532-166-0x0000000000220000-0x0000000000247000-memory.dmp upx behavioral1/files/0x000500000001a42f-167.dat upx behavioral1/files/0x000500000001a431-175.dat upx behavioral1/files/0x000500000001a434-183.dat upx behavioral1/memory/344-184-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2408-185-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001a46a-194.dat upx behavioral1/memory/2408-193-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001a48c-206.dat upx behavioral1/memory/3016-205-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/864-204-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2536-215-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001a48e-214.dat upx behavioral1/files/0x000500000001a49a-223.dat upx behavioral1/files/0x000500000001a49c-230.dat upx behavioral1/memory/2276-231-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/1660-242-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001a4aa-241.dat upx behavioral1/memory/2276-239-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001a4b5-249.dat upx behavioral1/memory/2208-250-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001a4b7-258.dat upx behavioral1/files/0x000500000001a4bb-265.dat upx behavioral1/memory/2044-269-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2212-267-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001a4c0-277.dat upx behavioral1/files/0x000500000001a4c4-286.dat upx behavioral1/memory/1740-285-0x0000000000220000-0x0000000000247000-memory.dmp upx behavioral1/files/0x000500000001a4c6-292.dat upx 
behavioral1/memory/2312-295-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/1744-303-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2964-317-0x0000000000400000-0x0000000000427000-memory.dmp upx -
System Location Discovery: System Language Discovery — 1 TTP, 64 IoCs
Attempts to gather information about the system language of the victim in order to infer the geographical location of that host. Most hits below are attributed to "Process not Found", presumably because the process had already exited when the sandbox resolved the PID; where an image name is given (e.g. rxfffff.exe, pdppp.exe, vpdvv.exe), attribute the registry read to that process.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxfffff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdppp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpdvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjppp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjddd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3jvvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory — 64 IoCs (list capped at 64 entries and ending at PID 2916 → 2372; the process tree below shows the parent-to-child chain continuing well past that point, each parent writing only into the child it spawns)
description pid Process procid_target PID 2968 wrote to memory of 2844 2968 f1df4ffcb0603ce5f490a95be7bbd4ca24c6530daca2b364236ca17b4e9bde33.exe 30 PID 2968 wrote to memory of 2844 2968 f1df4ffcb0603ce5f490a95be7bbd4ca24c6530daca2b364236ca17b4e9bde33.exe 30 PID 2968 wrote to memory of 2844 2968 f1df4ffcb0603ce5f490a95be7bbd4ca24c6530daca2b364236ca17b4e9bde33.exe 30 PID 2968 wrote to memory of 2844 2968 f1df4ffcb0603ce5f490a95be7bbd4ca24c6530daca2b364236ca17b4e9bde33.exe 30 PID 2844 wrote to memory of 2144 2844 5frxxrr.exe 31 PID 2844 wrote to memory of 2144 2844 5frxxrr.exe 31 PID 2844 wrote to memory of 2144 2844 5frxxrr.exe 31 PID 2844 wrote to memory of 2144 2844 5frxxrr.exe 31 PID 2144 wrote to memory of 2856 2144 thnnbb.exe 32 PID 2144 wrote to memory of 2856 2144 thnnbb.exe 32 PID 2144 wrote to memory of 2856 2144 thnnbb.exe 32 PID 2144 wrote to memory of 2856 2144 thnnbb.exe 32 PID 2856 wrote to memory of 2816 2856 bntnnn.exe 33 PID 2856 wrote to memory of 2816 2856 bntnnn.exe 33 PID 2856 wrote to memory of 2816 2856 bntnnn.exe 33 PID 2856 wrote to memory of 2816 2856 bntnnn.exe 33 PID 2816 wrote to memory of 2568 2816 dddpj.exe 34 PID 2816 wrote to memory of 2568 2816 dddpj.exe 34 PID 2816 wrote to memory of 2568 2816 dddpj.exe 34 PID 2816 wrote to memory of 2568 2816 dddpj.exe 34 PID 2568 wrote to memory of 760 2568 lrffxxr.exe 35 PID 2568 wrote to memory of 760 2568 lrffxxr.exe 35 PID 2568 wrote to memory of 760 2568 lrffxxr.exe 35 PID 2568 wrote to memory of 760 2568 lrffxxr.exe 35 PID 760 wrote to memory of 656 760 5frllfl.exe 36 PID 760 wrote to memory of 656 760 5frllfl.exe 36 PID 760 wrote to memory of 656 760 5frllfl.exe 36 PID 760 wrote to memory of 656 760 5frllfl.exe 36 PID 656 wrote to memory of 2936 656 ttbtbb.exe 37 PID 656 wrote to memory of 2936 656 ttbtbb.exe 37 PID 656 wrote to memory of 2936 656 ttbtbb.exe 37 PID 656 wrote to memory of 2936 656 ttbtbb.exe 37 PID 2936 wrote to memory of 2364 2936 jvjjp.exe 38 PID 2936 wrote to memory of 
2364 2936 jvjjp.exe 38 PID 2936 wrote to memory of 2364 2936 jvjjp.exe 38 PID 2936 wrote to memory of 2364 2936 jvjjp.exe 38 PID 2364 wrote to memory of 1852 2364 7frrlff.exe 39 PID 2364 wrote to memory of 1852 2364 7frrlff.exe 39 PID 2364 wrote to memory of 1852 2364 7frrlff.exe 39 PID 2364 wrote to memory of 1852 2364 7frrlff.exe 39 PID 1852 wrote to memory of 2548 1852 7bntbn.exe 40 PID 1852 wrote to memory of 2548 1852 7bntbn.exe 40 PID 1852 wrote to memory of 2548 1852 7bntbn.exe 40 PID 1852 wrote to memory of 2548 1852 7bntbn.exe 40 PID 2548 wrote to memory of 464 2548 7nnhhb.exe 41 PID 2548 wrote to memory of 464 2548 7nnhhb.exe 41 PID 2548 wrote to memory of 464 2548 7nnhhb.exe 41 PID 2548 wrote to memory of 464 2548 7nnhhb.exe 41 PID 464 wrote to memory of 1920 464 dpppj.exe 42 PID 464 wrote to memory of 1920 464 dpppj.exe 42 PID 464 wrote to memory of 1920 464 dpppj.exe 42 PID 464 wrote to memory of 1920 464 dpppj.exe 42 PID 1920 wrote to memory of 2440 1920 vdppp.exe 43 PID 1920 wrote to memory of 2440 1920 vdppp.exe 43 PID 1920 wrote to memory of 2440 1920 vdppp.exe 43 PID 1920 wrote to memory of 2440 1920 vdppp.exe 43 PID 2440 wrote to memory of 2916 2440 3rxrxrf.exe 44 PID 2440 wrote to memory of 2916 2440 3rxrxrf.exe 44 PID 2440 wrote to memory of 2916 2440 3rxrxrf.exe 44 PID 2440 wrote to memory of 2916 2440 3rxrxrf.exe 44 PID 2916 wrote to memory of 2372 2916 5hthnh.exe 45 PID 2916 wrote to memory of 2372 2916 5hthnh.exe 45 PID 2916 wrote to memory of 2372 2916 5hthnh.exe 45 PID 2916 wrote to memory of 2372 2916 5hthnh.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\f1df4ffcb0603ce5f490a95be7bbd4ca24c6530daca2b364236ca17b4e9bde33.exe — command line: "C:\Users\Admin\AppData\Local\Temp\f1df4ffcb0603ce5f490a95be7bbd4ca24c6530daca2b364236ca17b4e9bde33.exe" (depth 1)
- Suspicious use of WriteProcessMemory
PID:2968 -
\??\c:\5frxxrr.exec:\5frxxrr.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2844 -
\??\c:\thnnbb.exec:\thnnbb.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2144 -
\??\c:\bntnnn.exec:\bntnnn.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2856 -
\??\c:\dddpj.exec:\dddpj.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2816 -
\??\c:\lrffxxr.exec:\lrffxxr.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2568 -
\??\c:\5frllfl.exec:\5frllfl.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:760 -
\??\c:\ttbtbb.exec:\ttbtbb.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:656 -
\??\c:\jvjjp.exec:\jvjjp.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2936 -
\??\c:\7frrlff.exec:\7frrlff.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2364 -
\??\c:\7bntbn.exec:\7bntbn.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1852 -
\??\c:\7nnhhb.exec:\7nnhhb.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2548 -
\??\c:\dpppj.exec:\dpppj.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:464 -
\??\c:\vdppp.exec:\vdppp.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1920 -
\??\c:\3rxrxrf.exec:\3rxrxrf.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2440 -
\??\c:\5hthnh.exec:\5hthnh.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2916 -
\??\c:\1tbttt.exec:\1tbttt.exe17⤵
- Executes dropped EXE
PID:2372 -
\??\c:\pvdvv.exec:\pvdvv.exe18⤵
- Executes dropped EXE
PID:532 -
\??\c:\ppvdv.exec:\ppvdv.exe19⤵
- Executes dropped EXE
PID:2008 -
\??\c:\xlrlfxr.exec:\xlrlfxr.exe20⤵
- Executes dropped EXE
PID:344 -
\??\c:\5tbttn.exec:\5tbttn.exe21⤵
- Executes dropped EXE
PID:2408 -
\??\c:\tbnhbh.exec:\tbnhbh.exe22⤵
- Executes dropped EXE
PID:864 -
\??\c:\dpvdd.exec:\dpvdd.exe23⤵
- Executes dropped EXE
PID:3016 -
\??\c:\rflrlff.exec:\rflrlff.exe24⤵
- Executes dropped EXE
PID:2536 -
\??\c:\rxfxxxr.exec:\rxfxxxr.exe25⤵
- Executes dropped EXE
PID:952 -
\??\c:\rlrrffx.exec:\rlrrffx.exe26⤵
- Executes dropped EXE
PID:2276 -
\??\c:\9htbnt.exec:\9htbnt.exe27⤵
- Executes dropped EXE
PID:1660 -
\??\c:\3vpvp.exec:\3vpvp.exe28⤵
- Executes dropped EXE
PID:2208 -
\??\c:\7lrrffx.exec:\7lrrffx.exe29⤵
- Executes dropped EXE
PID:2212 -
\??\c:\7xlrllr.exec:\7xlrllr.exe30⤵
- Executes dropped EXE
PID:2044 -
\??\c:\nnbnhn.exec:\nnbnhn.exe31⤵
- Executes dropped EXE
PID:1740 -
\??\c:\dpppv.exec:\dpppv.exe32⤵
- Executes dropped EXE
PID:2312 -
\??\c:\jvdjj.exec:\jvdjj.exe33⤵
- Executes dropped EXE
PID:1744 -
\??\c:\3xlrffl.exec:\3xlrffl.exe34⤵
- Executes dropped EXE
PID:2864 -
\??\c:\1nhnbb.exec:\1nhnbb.exe35⤵
- Executes dropped EXE
PID:2964 -
\??\c:\hbhbbt.exec:\hbhbbt.exe36⤵
- Executes dropped EXE
PID:2884 -
\??\c:\ddppj.exec:\ddppj.exe37⤵
- Executes dropped EXE
PID:1512 -
\??\c:\dpdjj.exec:\dpdjj.exe38⤵
- Executes dropped EXE
PID:2892 -
\??\c:\frrrrrf.exec:\frrrrrf.exe39⤵
- Executes dropped EXE
PID:2736 -
\??\c:\lfllxll.exec:\lfllxll.exe40⤵
- Executes dropped EXE
PID:2580 -
\??\c:\1nbnnh.exec:\1nbnnh.exe41⤵
- Executes dropped EXE
PID:2876 -
\??\c:\thbbnn.exec:\thbbnn.exe42⤵
- Executes dropped EXE
PID:2644 -
\??\c:\pddjv.exec:\pddjv.exe43⤵
- Executes dropped EXE
PID:2620 -
\??\c:\9vjjd.exec:\9vjjd.exe44⤵
- Executes dropped EXE
PID:848 -
\??\c:\lrxxrlr.exec:\lrxxrlr.exe45⤵
- Executes dropped EXE
PID:2944 -
\??\c:\3lfxllx.exec:\3lfxllx.exe46⤵
- Executes dropped EXE
PID:2396 -
\??\c:\flllxrx.exec:\flllxrx.exe47⤵
- Executes dropped EXE
PID:2364 -
\??\c:\3htttn.exec:\3htttn.exe48⤵
- Executes dropped EXE
PID:2768 -
\??\c:\btbtnb.exec:\btbtnb.exe49⤵
- Executes dropped EXE
PID:1016 -
\??\c:\3vjjj.exec:\3vjjj.exe50⤵
- Executes dropped EXE
PID:2556 -
\??\c:\djpjj.exec:\djpjj.exe51⤵
- Executes dropped EXE
PID:840 -
\??\c:\fllxlxf.exec:\fllxlxf.exe52⤵
- Executes dropped EXE
PID:804 -
\??\c:\9frrxrx.exec:\9frrxrx.exe53⤵
- Executes dropped EXE
PID:2920 -
\??\c:\5xfxrll.exec:\5xfxrll.exe54⤵
- Executes dropped EXE
PID:1580 -
\??\c:\tnbbhh.exec:\tnbbhh.exe55⤵
- Executes dropped EXE
PID:1076 -
\??\c:\nbhnnn.exec:\nbhnnn.exe56⤵
- Executes dropped EXE
PID:2400 -
\??\c:\3vpdd.exec:\3vpdd.exe57⤵
- Executes dropped EXE
PID:2032 -
\??\c:\dpvdv.exec:\dpvdv.exe58⤵
- Executes dropped EXE
PID:2072 -
\??\c:\9flrrll.exec:\9flrrll.exe59⤵
- Executes dropped EXE
PID:3000 -
\??\c:\rxrllxx.exec:\rxrllxx.exe60⤵
- Executes dropped EXE
PID:2244 -
\??\c:\thnnnt.exec:\thnnnt.exe61⤵
- Executes dropped EXE
PID:2172 -
\??\c:\vjjdv.exec:\vjjdv.exe62⤵
- Executes dropped EXE
PID:3028 -
\??\c:\vdvpv.exec:\vdvpv.exe63⤵
- Executes dropped EXE
PID:1876 -
\??\c:\dpvdj.exec:\dpvdj.exe64⤵
- Executes dropped EXE
PID:1448 -
\??\c:\5lxxrll.exec:\5lxxrll.exe65⤵
- Executes dropped EXE
PID:1416 -
\??\c:\3rxxfxf.exec:\3rxxfxf.exe66⤵PID:2464
-
\??\c:\hhbhhn.exec:\hhbhhn.exe67⤵PID:1256
-
\??\c:\tbtttt.exec:\tbtttt.exe68⤵PID:640
-
\??\c:\pvvvp.exec:\pvvvp.exe69⤵PID:2204
-
\??\c:\1jvdj.exec:\1jvdj.exe70⤵PID:1868
-
\??\c:\1vjjj.exec:\1vjjj.exe71⤵PID:1224
-
\??\c:\5xlrxxx.exec:\5xlrxxx.exe72⤵PID:1280
-
\??\c:\9ntbhn.exec:\9ntbhn.exe73⤵PID:2496
-
\??\c:\thnnnn.exec:\thnnnn.exe74⤵PID:2140
-
\??\c:\jjvvv.exec:\jjvvv.exe75⤵PID:1412
-
\??\c:\pdjjv.exec:\pdjjv.exe76⤵PID:2404
-
\??\c:\frfrflx.exec:\frfrflx.exe77⤵PID:2980
-
\??\c:\9frflrf.exec:\9frflrf.exe78⤵PID:1304
-
\??\c:\7rrxrxl.exec:\7rrxrxl.exe79⤵PID:2728
-
\??\c:\btnbnh.exec:\btnbnh.exe80⤵PID:2752
-
\??\c:\tntbtn.exec:\tntbtn.exe81⤵PID:1516
-
\??\c:\pjvdj.exec:\pjvdj.exe82⤵PID:2704
-
\??\c:\vpvvj.exec:\vpvvj.exe83⤵PID:2940
-
\??\c:\1llffxf.exec:\1llffxf.exe84⤵PID:2616
-
\??\c:\rflxlll.exec:\rflxlll.exe85⤵PID:3044
-
\??\c:\1hnnhh.exec:\1hnnhh.exe86⤵PID:1460
-
\??\c:\thhnbb.exec:\thhnbb.exe87⤵PID:2644
-
\??\c:\jvdjj.exec:\jvdjj.exe88⤵PID:656
-
\??\c:\9vjdp.exec:\9vjdp.exe89⤵PID:848
-
\??\c:\7lfffrf.exec:\7lfffrf.exe90⤵PID:2252
-
\??\c:\9frxrrf.exec:\9frxrrf.exe91⤵PID:2396
-
\??\c:\thbhtn.exec:\thbhtn.exe92⤵PID:596
-
\??\c:\jpjvd.exec:\jpjvd.exe93⤵PID:2768
-
\??\c:\rlrxxfl.exec:\rlrxxfl.exe94⤵PID:2424
-
\??\c:\xlrflrf.exec:\xlrflrf.exe95⤵PID:2784
-
\??\c:\1tbbbb.exec:\1tbbbb.exe96⤵PID:2064
-
\??\c:\7bnhhn.exec:\7bnhhn.exe97⤵PID:2924
-
\??\c:\tbhhnh.exec:\tbhhnh.exe98⤵PID:2900
-
\??\c:\ppvjp.exec:\ppvjp.exe99⤵PID:552
-
\??\c:\rxfxxrx.exec:\rxfxxrx.exe100⤵PID:2268
-
\??\c:\rlflxxf.exec:\rlflxxf.exe101⤵PID:2400
-
\??\c:\thnntt.exec:\thnntt.exe102⤵PID:2436
-
\??\c:\hnthhh.exec:\hnthhh.exe103⤵PID:2028
-
\??\c:\vjpjp.exec:\vjpjp.exe104⤵PID:2380
-
\??\c:\fxrllfr.exec:\fxrllfr.exe105⤵PID:1848
-
\??\c:\lrrlxxx.exec:\lrrlxxx.exe106⤵PID:1156
-
\??\c:\nbtnbb.exec:\nbtnbb.exe107⤵PID:2120
-
\??\c:\7thbhh.exec:\7thbhh.exe108⤵PID:1212
-
\??\c:\dvdpj.exec:\dvdpj.exe109⤵PID:872
-
\??\c:\9pvdj.exec:\9pvdj.exe110⤵PID:956
-
\??\c:\lfrrxxf.exec:\lfrrxxf.exe111⤵PID:992
-
\??\c:\fxrrfff.exec:\fxrrfff.exe112⤵PID:1632
-
\??\c:\3tnntn.exec:\3tnntn.exe113⤵PID:1904
-
\??\c:\3bhbbb.exec:\3bhbbb.exe114⤵PID:1860
-
\??\c:\dpddp.exec:\dpddp.exe115⤵PID:2420
-
\??\c:\dpjpd.exec:\dpjpd.exe116⤵PID:1916
-
\??\c:\lxffrrr.exec:\lxffrrr.exe117⤵PID:2328
-
\??\c:\lfrflrx.exec:\lfrflrx.exe118⤵PID:3012
-
\??\c:\7ttthh.exec:\7ttthh.exe119⤵PID:1672
-
\??\c:\7thhhh.exec:\7thhhh.exe120⤵PID:396
-
\??\c:\pdppp.exec:\pdppp.exe121⤵
- System Location Discovery: System Language Discovery
PID:340 -
\??\c:\xfrlrrf.exec:\xfrlrrf.exe122⤵PID:2460
-