Analysis
-
max time kernel
120s -
max time network
117s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64 arch:x86 image:win7-20240729-en locale:en-us os:windows7-x64 system -
submitted
26-12-2024 05:05
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
15bf6a2aea91152e7628d02c2cb60344c355894232f4073c70beb3440d36c978.exe
Resource
win7-20240729-en
windows7-x64
7 signatures
120 seconds
General
-
Target
15bf6a2aea91152e7628d02c2cb60344c355894232f4073c70beb3440d36c978.exe
-
Size
456KB
-
MD5
627aa7a5f1f15e7a6322745971081fe4
-
SHA1
5378db3a53eb41924351ccc8d221da1e0086da50
-
SHA256
15bf6a2aea91152e7628d02c2cb60344c355894232f4073c70beb3440d36c978
-
SHA512
178493b59d9e5ee30bcfd3e14470882e1989dd3b659f2e7e5112fdb2f9f8809b7ea08391b4a5ce25314e46e43ef7eeaf2293a128fa28bb7ea511375900155afd
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeRF:q7Tc2NYHUrAwfMp3CDRF
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 49 IoCs
resource yara_rule behavioral1/memory/2684-10-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1956-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1440-28-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2052-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2748-41-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2748-46-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2868-55-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2868-54-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2740-64-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1728-73-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2168-83-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2604-91-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2728-99-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2728-102-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2324-111-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2980-129-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2912-132-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2952-147-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1896-158-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1896-157-0x0000000000250000-0x000000000027A000-memory.dmp family_blackmoon behavioral1/memory/1188-166-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/1204-175-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1204-176-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1292-197-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2164-201-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2784-224-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2268-266-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2332-284-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/1912-288-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1912-286-0x0000000077730000-0x000000007784F000-memory.dmp family_blackmoon behavioral1/memory/2696-316-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2760-336-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2640-349-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2792-356-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2760-357-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2500-364-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1072-396-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3052-452-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3012-459-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1040-505-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/952-511-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/880-556-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/1796-667-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/348-835-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/932-1112-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1880-1125-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2916-1206-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/2164-1274-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1824-1296-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2684 7jddj.exe 1440 9pddp.exe 2052 3rxrrxx.exe 2748 1nbttt.exe 2868 vvddj.exe 2740 3rxrrlf.exe 1728 5pdjv.exe 2168 1rlflrf.exe 2604 5hnhhh.exe 2728 vpddd.exe 2324 hbbbtt.exe 1684 5rxrrrl.exe 2980 ttbhbb.exe 2912 pjjdj.exe 2952 jdppv.exe 1896 1hbnth.exe 1188 lllxxrx.exe 1204 3vpjp.exe 3036 xxxrxff.exe 1292 hhbttt.exe 2164 fffxfxf.exe 2584 ddjvd.exe 2784 rllllll.exe 952 9bnhnn.exe 1528 lrrrxfl.exe 2180 5nbbhh.exe 2332 9djvp.exe 2268 7bnhhh.exe 884 fxfxxrx.exe 880 nbhhnn.exe 1912 dvppp.exe 328 rrlxxrl.exe 1888 lxxxxrr.exe 2696 hhnttb.exe 2052 dvdvv.exe 2852 7xfllrr.exe 2760 rrrlrlf.exe 2732 nhnnhh.exe 2640 jdjdj.exe 2792 3xlffrx.exe 2500 fffrlff.exe 2620 tnttbb.exe 2068 ddvvp.exe 676 xrlffxr.exe 1488 fffrxxr.exe 1072 tbbbhh.exe 1684 vvvpp.exe 2704 vvvpj.exe 2964 xfrlrxf.exe 1244 bttnnn.exe 820 1ntttn.exe 844 djvvd.exe 2024 1rxrlll.exe 1152 nhbttt.exe 3052 hbbbhh.exe 3012 djppd.exe 2116 1jvvd.exe 2304 llfrrff.exe 2128 btbntn.exe 1200 bhttbh.exe 2584 jjpvp.exe 2784 xfrxxxl.exe 1040 hbttnt.exe 952 tthbtn.exe -
resource yara_rule behavioral1/memory/2684-10-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1956-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1440-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2052-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2748-46-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2868-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2740-64-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1728-73-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2168-83-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2604-91-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2728-102-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2324-111-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2980-121-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2980-129-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2912-132-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2952-147-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1896-158-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1188-166-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1204-175-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1292-187-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1292-197-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2784-224-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2332-257-0x00000000003B0000-0x00000000003DA000-memory.dmp upx behavioral1/memory/2268-266-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2332-284-0x00000000003B0000-0x00000000003DA000-memory.dmp upx behavioral1/memory/1912-288-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1912-286-0x0000000077730000-0x000000007784F000-memory.dmp upx behavioral1/memory/2696-316-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2760-329-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2640-349-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2792-356-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2500-364-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1072-396-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3052-452-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3012-459-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1088-543-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/880-556-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1484-575-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2196-594-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2820-607-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2336-614-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2628-621-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2676-634-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1792-647-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1796-660-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1796-667-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2864-674-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1088-816-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/1888-848-0x00000000003B0000-0x00000000003DA000-memory.dmp upx behavioral1/memory/1484-849-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1100-918-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2996-967-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2444-994-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1956-1081-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2792-1144-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1824-1293-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1824-1296-0x0000000000220000-0x000000000024A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttbbnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfffxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhbbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffxfrfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1vjpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddvvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvpvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7pppp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnbtnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1rlrffr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3nhnth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxllxfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxlffrx.exe Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdppv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxxrrll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7frrxfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7jdvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddvpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3vpvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1fxxflx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7frlrll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1956 wrote to memory of 2684 1956 15bf6a2aea91152e7628d02c2cb60344c355894232f4073c70beb3440d36c978.exe 31 PID 1956 wrote to memory of 2684 1956 15bf6a2aea91152e7628d02c2cb60344c355894232f4073c70beb3440d36c978.exe 31 PID 1956 wrote to memory of 2684 1956 15bf6a2aea91152e7628d02c2cb60344c355894232f4073c70beb3440d36c978.exe 31 PID 1956 wrote to memory of 2684 1956 15bf6a2aea91152e7628d02c2cb60344c355894232f4073c70beb3440d36c978.exe 31 PID 2684 wrote to memory of 1440 2684 7jddj.exe 32 PID 2684 wrote to memory of 1440 2684 7jddj.exe 32 PID 2684 wrote to memory of 1440 2684 7jddj.exe 32 PID 2684 wrote to memory of 1440 2684 7jddj.exe 32 PID 1440 wrote to memory of 2052 1440 9pddp.exe 33 PID 1440 wrote to memory of 2052 1440 9pddp.exe 33 PID 1440 wrote to memory of 2052 1440 9pddp.exe 33 PID 1440 wrote to memory of 2052 1440 9pddp.exe 33 PID 2052 wrote to memory of 2748 2052 3rxrrxx.exe 34 PID 2052 wrote to memory of 2748 2052 3rxrrxx.exe 34 PID 2052 wrote to memory of 2748 2052 3rxrrxx.exe 34 PID 2052 wrote to memory of 2748 2052 3rxrrxx.exe 34 PID 2748 wrote to memory of 2868 2748 1nbttt.exe 35 PID 2748 wrote to memory of 2868 2748 1nbttt.exe 35 PID 2748 wrote to memory of 2868 2748 1nbttt.exe 35 PID 2748 wrote to memory of 2868 2748 1nbttt.exe 35 PID 2868 wrote to memory of 2740 2868 vvddj.exe 36 PID 2868 wrote to memory of 2740 2868 vvddj.exe 36 PID 2868 wrote to memory of 2740 2868 vvddj.exe 36 PID 2868 wrote to memory of 2740 2868 vvddj.exe 36 PID 2740 wrote to memory of 1728 2740 3rxrrlf.exe 37 PID 2740 wrote to memory of 1728 2740 3rxrrlf.exe 37 PID 2740 wrote to memory of 1728 2740 3rxrrlf.exe 37 PID 2740 wrote to memory of 1728 2740 3rxrrlf.exe 37 PID 1728 wrote to memory of 2168 1728 5pdjv.exe 38 PID 1728 wrote to memory of 2168 1728 5pdjv.exe 38 PID 1728 wrote to memory of 2168 1728 5pdjv.exe 38 PID 1728 wrote to memory of 2168 1728 5pdjv.exe 38 PID 2168 wrote to memory of 2604 2168 1rlflrf.exe 39 PID 2168 wrote to 
memory of 2604 2168 1rlflrf.exe 39 PID 2168 wrote to memory of 2604 2168 1rlflrf.exe 39 PID 2168 wrote to memory of 2604 2168 1rlflrf.exe 39 PID 2604 wrote to memory of 2728 2604 5hnhhh.exe 40 PID 2604 wrote to memory of 2728 2604 5hnhhh.exe 40 PID 2604 wrote to memory of 2728 2604 5hnhhh.exe 40 PID 2604 wrote to memory of 2728 2604 5hnhhh.exe 40 PID 2728 wrote to memory of 2324 2728 vpddd.exe 41 PID 2728 wrote to memory of 2324 2728 vpddd.exe 41 PID 2728 wrote to memory of 2324 2728 vpddd.exe 41 PID 2728 wrote to memory of 2324 2728 vpddd.exe 41 PID 2324 wrote to memory of 1684 2324 hbbbtt.exe 42 PID 2324 wrote to memory of 1684 2324 hbbbtt.exe 42 PID 2324 wrote to memory of 1684 2324 hbbbtt.exe 42 PID 2324 wrote to memory of 1684 2324 hbbbtt.exe 42 PID 1684 wrote to memory of 2980 1684 5rxrrrl.exe 43 PID 1684 wrote to memory of 2980 1684 5rxrrrl.exe 43 PID 1684 wrote to memory of 2980 1684 5rxrrrl.exe 43 PID 1684 wrote to memory of 2980 1684 5rxrrrl.exe 43 PID 2980 wrote to memory of 2912 2980 ttbhbb.exe 44 PID 2980 wrote to memory of 2912 2980 ttbhbb.exe 44 PID 2980 wrote to memory of 2912 2980 ttbhbb.exe 44 PID 2980 wrote to memory of 2912 2980 ttbhbb.exe 44 PID 2912 wrote to memory of 2952 2912 pjjdj.exe 45 PID 2912 wrote to memory of 2952 2912 pjjdj.exe 45 PID 2912 wrote to memory of 2952 2912 pjjdj.exe 45 PID 2912 wrote to memory of 2952 2912 pjjdj.exe 45 PID 2952 wrote to memory of 1896 2952 jdppv.exe 46 PID 2952 wrote to memory of 1896 2952 jdppv.exe 46 PID 2952 wrote to memory of 1896 2952 jdppv.exe 46 PID 2952 wrote to memory of 1896 2952 jdppv.exe 46
Processes
-
C:\Users\Admin\AppData\Local\Temp\15bf6a2aea91152e7628d02c2cb60344c355894232f4073c70beb3440d36c978.exe"C:\Users\Admin\AppData\Local\Temp\15bf6a2aea91152e7628d02c2cb60344c355894232f4073c70beb3440d36c978.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1956 -
\??\c:\7jddj.exec:\7jddj.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2684 -
\??\c:\9pddp.exec:\9pddp.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1440 -
\??\c:\3rxrrxx.exec:\3rxrrxx.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2052 -
\??\c:\1nbttt.exec:\1nbttt.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2748 -
\??\c:\vvddj.exec:\vvddj.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2868 -
\??\c:\3rxrrlf.exec:\3rxrrlf.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2740 -
\??\c:\5pdjv.exec:\5pdjv.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1728 -
\??\c:\1rlflrf.exec:\1rlflrf.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2168 -
\??\c:\5hnhhh.exec:\5hnhhh.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2604 -
\??\c:\vpddd.exec:\vpddd.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2728 -
\??\c:\hbbbtt.exec:\hbbbtt.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2324 -
\??\c:\5rxrrrl.exec:\5rxrrrl.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1684 -
\??\c:\ttbhbb.exec:\ttbhbb.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2980 -
\??\c:\pjjdj.exec:\pjjdj.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2912 -
\??\c:\jdppv.exec:\jdppv.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2952 -
\??\c:\1hbnth.exec:\1hbnth.exe17⤵
- Executes dropped EXE
PID:1896 -
\??\c:\lllxxrx.exec:\lllxxrx.exe18⤵
- Executes dropped EXE
PID:1188 -
\??\c:\3vpjp.exec:\3vpjp.exe19⤵
- Executes dropped EXE
PID:1204 -
\??\c:\xxxrxff.exec:\xxxrxff.exe20⤵
- Executes dropped EXE
PID:3036 -
\??\c:\hhbttt.exec:\hhbttt.exe21⤵
- Executes dropped EXE
PID:1292 -
\??\c:\fffxfxf.exec:\fffxfxf.exe22⤵
- Executes dropped EXE
PID:2164 -
\??\c:\ddjvd.exec:\ddjvd.exe23⤵
- Executes dropped EXE
PID:2584 -
\??\c:\rllllll.exec:\rllllll.exe24⤵
- Executes dropped EXE
PID:2784 -
\??\c:\9bnhnn.exec:\9bnhnn.exe25⤵
- Executes dropped EXE
PID:952 -
\??\c:\lrrrxfl.exec:\lrrrxfl.exe26⤵
- Executes dropped EXE
PID:1528 -
\??\c:\5nbbhh.exec:\5nbbhh.exe27⤵
- Executes dropped EXE
PID:2180 -
\??\c:\9djvp.exec:\9djvp.exe28⤵
- Executes dropped EXE
PID:2332 -
\??\c:\7bnhhh.exec:\7bnhhh.exe29⤵
- Executes dropped EXE
PID:2268 -
\??\c:\fxfxxrx.exec:\fxfxxrx.exe30⤵
- Executes dropped EXE
PID:884 -
\??\c:\nbhhnn.exec:\nbhhnn.exe31⤵
- Executes dropped EXE
PID:880 -
\??\c:\dvppp.exec:\dvppp.exe32⤵
- Executes dropped EXE
PID:1912 -
\??\c:\rlrlllr.exec:\rlrlllr.exe33⤵PID:1880
-
\??\c:\rrlxxrl.exec:\rrlxxrl.exe34⤵
- Executes dropped EXE
PID:328 -
\??\c:\lxxxxrr.exec:\lxxxxrr.exe35⤵
- Executes dropped EXE
PID:1888 -
\??\c:\hhnttb.exec:\hhnttb.exe36⤵
- Executes dropped EXE
PID:2696 -
\??\c:\dvdvv.exec:\dvdvv.exe37⤵
- Executes dropped EXE
PID:2052 -
\??\c:\7xfllrr.exec:\7xfllrr.exe38⤵
- Executes dropped EXE
PID:2852 -
\??\c:\rrrlrlf.exec:\rrrlrlf.exe39⤵
- Executes dropped EXE
PID:2760 -
\??\c:\nhnnhh.exec:\nhnnhh.exe40⤵
- Executes dropped EXE
PID:2732 -
\??\c:\jdjdj.exec:\jdjdj.exe41⤵
- Executes dropped EXE
PID:2640 -
\??\c:\3xlffrx.exec:\3xlffrx.exe42⤵
- Executes dropped EXE
PID:2792 -
\??\c:\fffrlff.exec:\fffrlff.exe43⤵
- Executes dropped EXE
PID:2500 -
\??\c:\tnttbb.exec:\tnttbb.exe44⤵
- Executes dropped EXE
PID:2620 -
\??\c:\ddvvp.exec:\ddvvp.exe45⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2068 -
\??\c:\xrlffxr.exec:\xrlffxr.exe46⤵
- Executes dropped EXE
PID:676 -
\??\c:\fffrxxr.exec:\fffrxxr.exe47⤵
- Executes dropped EXE
PID:1488 -
\??\c:\tbbbhh.exec:\tbbbhh.exe48⤵
- Executes dropped EXE
PID:1072 -
\??\c:\vvvpp.exec:\vvvpp.exe49⤵
- Executes dropped EXE
PID:1684 -
\??\c:\vvvpj.exec:\vvvpj.exe50⤵
- Executes dropped EXE
PID:2704 -
\??\c:\xfrlrxf.exec:\xfrlrxf.exe51⤵
- Executes dropped EXE
PID:2964 -
\??\c:\bttnnn.exec:\bttnnn.exe52⤵
- Executes dropped EXE
PID:1244 -
\??\c:\1ntttn.exec:\1ntttn.exe53⤵
- Executes dropped EXE
PID:820 -
\??\c:\djvvd.exec:\djvvd.exe54⤵
- Executes dropped EXE
PID:844 -
\??\c:\1rxrlll.exec:\1rxrlll.exe55⤵
- Executes dropped EXE
PID:2024 -
\??\c:\nhbttt.exec:\nhbttt.exe56⤵
- Executes dropped EXE
PID:1152 -
\??\c:\hbbbhh.exec:\hbbbhh.exe57⤵
- Executes dropped EXE
PID:3052 -
\??\c:\djppd.exec:\djppd.exe58⤵
- Executes dropped EXE
PID:3012 -
\??\c:\1jvvd.exec:\1jvvd.exe59⤵
- Executes dropped EXE
PID:2116 -
\??\c:\llfrrff.exec:\llfrrff.exe60⤵
- Executes dropped EXE
PID:2304 -
\??\c:\btbntn.exec:\btbntn.exe61⤵
- Executes dropped EXE
PID:2128 -
\??\c:\bhttbh.exec:\bhttbh.exe62⤵
- Executes dropped EXE
PID:1200 -
\??\c:\jjpvp.exec:\jjpvp.exe63⤵
- Executes dropped EXE
PID:2584 -
\??\c:\xfrxxxl.exec:\xfrxxxl.exe64⤵
- Executes dropped EXE
PID:2784 -
\??\c:\hbttnt.exec:\hbttnt.exe65⤵
- Executes dropped EXE
PID:1040 -
\??\c:\tthbtn.exec:\tthbtn.exe66⤵
- Executes dropped EXE
PID:952 -
\??\c:\dvdvd.exec:\dvdvd.exe67⤵PID:2156
-
\??\c:\rfrxflx.exec:\rfrxflx.exe68⤵PID:780
-
\??\c:\5nbbhn.exec:\5nbbhn.exe69⤵PID:1480
-
\??\c:\7hnttn.exec:\7hnttn.exe70⤵PID:692
-
\??\c:\jvpvj.exec:\jvpvj.exe71⤵PID:348
-
\??\c:\xxfflrr.exec:\xxfflrr.exe72⤵PID:1088
-
\??\c:\xrrrrlr.exec:\xrrrrlr.exe73⤵PID:880
-
\??\c:\1bnnnt.exec:\1bnnnt.exe74⤵PID:1892
-
\??\c:\3pppp.exec:\3pppp.exe75⤵PID:1880
-
\??\c:\5pvdd.exec:\5pvdd.exe76⤵PID:328
-
\??\c:\3rrflff.exec:\3rrflff.exe77⤵PID:1484
-
\??\c:\1nbttn.exec:\1nbttn.exe78⤵PID:2264
-
\??\c:\hbhttn.exec:\hbhttn.exe79⤵PID:2832
-
\??\c:\5pjdj.exec:\5pjdj.exe80⤵PID:2196
-
\??\c:\xrxxrll.exec:\xrxxrll.exe81⤵PID:2712
-
\??\c:\lrrrrxx.exec:\lrrrrxx.exe82⤵PID:2820
-
\??\c:\3ntttt.exec:\3ntttt.exe83⤵PID:2336
-
\??\c:\ppvdj.exec:\ppvdj.exe84⤵PID:2628
-
\??\c:\9dppv.exec:\9dppv.exe85⤵PID:2624
-
\??\c:\5lfflll.exec:\5lfflll.exe86⤵PID:2676
-
\??\c:\nntbhn.exec:\nntbhn.exe87⤵PID:2472
-
\??\c:\btbntt.exec:\btbntt.exe88⤵PID:1792
-
\??\c:\vpvpj.exec:\vpvpj.exe89⤵PID:288
-
\??\c:\xxxflfl.exec:\xxxflfl.exe90⤵PID:1796
-
\??\c:\frllllx.exec:\frllllx.exe91⤵PID:2980
-
\??\c:\nnbbhh.exec:\nnbbhh.exe92⤵PID:2864
-
\??\c:\jdddp.exec:\jdddp.exe93⤵PID:2908
-
\??\c:\xxffffl.exec:\xxffffl.exe94⤵PID:1244
-
\??\c:\httbbb.exec:\httbbb.exe95⤵PID:1808
-
\??\c:\hhtbbb.exec:\hhtbbb.exe96⤵PID:844
-
\??\c:\dppvj.exec:\dppvj.exe97⤵PID:1412
-
\??\c:\xffrrfl.exec:\xffrrfl.exe98⤵PID:1152
-
\??\c:\rllflfl.exec:\rllflfl.exe99⤵PID:3020
-
\??\c:\9hnhnh.exec:\9hnhnh.exe100⤵PID:1952
-
\??\c:\5vpdd.exec:\5vpdd.exe101⤵PID:2096
-
\??\c:\vpdjv.exec:\vpdjv.exe102⤵PID:1260
-
\??\c:\rfrxxrx.exec:\rfrxxrx.exe103⤵PID:1616
-
\??\c:\3bhtbt.exec:\3bhtbt.exe104⤵PID:956
-
\??\c:\5tbttn.exec:\5tbttn.exe105⤵PID:1352
-
\??\c:\1pvpv.exec:\1pvpv.exe106⤵PID:1720
-
\??\c:\xrxrxrr.exec:\xrxrxrr.exe107⤵PID:316
-
\??\c:\5lxxrxf.exec:\5lxxrxf.exe108⤵PID:1828
-
\??\c:\bbhhhh.exec:\bbhhhh.exe109⤵PID:2424
-
\??\c:\7pddj.exec:\7pddj.exe110⤵PID:2156
-
\??\c:\5vjpp.exec:\5vjpp.exe111⤵PID:2488
-
\??\c:\7fxfllr.exec:\7fxfllr.exe112⤵PID:1480
-
\??\c:\bbhhbb.exec:\bbhhbb.exe113⤵PID:692
-
\??\c:\nbhntn.exec:\nbhntn.exe114⤵PID:348
-
\??\c:\dpvdj.exec:\dpvdj.exe115⤵PID:1088
-
\??\c:\fxffflr.exec:\fxffflr.exe116⤵PID:1552
-
\??\c:\5hnhbt.exec:\5hnhbt.exe117⤵PID:1960
-
\??\c:\bhnntt.exec:\bhnntt.exe118⤵PID:2120
-
\??\c:\djjdv.exec:\djjdv.exe119⤵PID:1888
-
\??\c:\llrrxrx.exec:\llrrxrx.exe120⤵PID:1484
-
\??\c:\1xrffff.exec:\1xrffff.exe121⤵PID:2804
-
\??\c:\hhhbtt.exec:\hhhbtt.exe122⤵PID:2232