Analysis
-
max time kernel
120s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
26-12-2024 05:57
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
0bef587b5cdc7f40dfe1d1bad162d78a10e2391ea6eda75d05ffb8a53f34c80eN.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
120 seconds
General
-
Target
0bef587b5cdc7f40dfe1d1bad162d78a10e2391ea6eda75d05ffb8a53f34c80eN.exe
-
Size
454KB
-
MD5
936d3d5d4af618d96c44c5a27ece8760
-
SHA1
c1cf85c1208ec5485d3c8f499ba71189832c492a
-
SHA256
0bef587b5cdc7f40dfe1d1bad162d78a10e2391ea6eda75d05ffb8a53f34c80e
-
SHA512
f3ad4872ccb5327f06b47cbd656eb8315f0502faf6938ced7b5ed2eeda833833fd2f5647abbeaec93c1272a87a938a7b516f5a4433f2b9a372b5658dd31136ae
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeZ:q7Tc2NYHUrAwfMp3CDZ
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 44 IoCs
resource yara_rule behavioral1/memory/1680-0-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2292-16-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2340-44-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2820-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2332-54-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2572-28-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1280-25-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1220-77-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1220-76-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2640-86-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2684-106-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1880-119-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2232-117-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3040-138-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2928-156-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1544-192-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1308-219-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/852-228-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1376-249-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1376-247-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1420-268-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/1580-310-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1620-317-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2852-342-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2772-355-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2664-387-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1332-407-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1520-414-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1960-427-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1800-434-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1044-460-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2436-468-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1208-500-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2040-529-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2252-585-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2724-630-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2620-643-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2144-789-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1736-839-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1736-840-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2124-1007-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2424-1090-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2392-1103-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2392-1123-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2292 fffrxlf.exe 1280 tnbnbn.exe 2572 jpjpd.exe 2340 3rfxfff.exe 2332 3httbb.exe 2820 7jppv.exe 1220 3fxfflf.exe 2640 1ddpd.exe 2732 xrlrlxx.exe 2684 ddjpd.exe 2232 xrflrfr.exe 1880 hhnthn.exe 3040 jdvdv.exe 1364 ffxfrrf.exe 2928 hbbttb.exe 2432 3llrxfx.exe 1044 rlfrllf.exe 2124 vdvdp.exe 1544 5vddp.exe 2560 nhtbnt.exe 1208 7jjvj.exe 1308 llfrfrf.exe 852 nnnthh.exe 1356 7xlrxrr.exe 1376 bbnthb.exe 2440 rrfrxfl.exe 1420 9rlxflf.exe 876 jdjjd.exe 1632 lxllffr.exe 1932 pdjjd.exe 528 xfxlxfr.exe 1580 nbhhnn.exe 1620 vjvpd.exe 1940 xrxlrxr.exe 2244 tthhtn.exe 1384 3jdjj.exe 2852 pdppp.exe 2776 rrrxxfl.exe 2772 nbhbbb.exe 2764 bttbnb.exe 2832 dpddj.exe 2828 rfrrxrx.exe 2624 xxllrfl.exe 2664 htbnnt.exe 2680 9ppjp.exe 2884 7jjdj.exe 1332 5rfxlff.exe 1520 thnhhn.exe 2932 5bhbhb.exe 1960 jvvvp.exe 1800 5rlxfxf.exe 2796 bthhhh.exe 300 5tnthn.exe 2020 7vjjp.exe 1044 pdpjv.exe 2436 frfflrf.exe 2264 hbntnh.exe 2052 pjvdp.exe 1436 jvvdp.exe 1012 ffxxrrr.exe 1208 htbtbt.exe 2596 ttntnn.exe 1908 5vpjp.exe 1912 xrrlrxf.exe -
resource yara_rule behavioral1/memory/1680-0-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2292-16-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2340-44-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2820-56-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1220-67-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2820-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2332-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2332-46-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2572-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1280-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1220-77-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2640-86-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2684-106-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1880-119-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2232-117-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3040-138-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2928-156-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1544-192-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1208-201-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1308-219-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/852-228-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/1376-249-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1420-268-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1580-310-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/1620-317-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2852-342-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2772-355-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2828-368-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2664-387-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2884-394-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1520-414-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1960-427-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1800-434-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2020-447-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2436-468-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2596-501-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1912-514-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1912-521-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2040-522-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2040-529-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2072-536-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1244-604-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2744-617-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2724-630-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2620-643-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2144-789-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1736-840-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2124-1000-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/1492-1071-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2424-1090-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1932-1110-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer that host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjpjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5jddd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3pppv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvjdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1lrrxrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1vjpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7jjdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5lxfllr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlxrfrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfxfxxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbhnth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxxxxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3lllrrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5vvdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddvvj.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhtttb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjvvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ntnnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjppp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpjpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1680 wrote to memory of 2292 1680 0bef587b5cdc7f40dfe1d1bad162d78a10e2391ea6eda75d05ffb8a53f34c80eN.exe 30 PID 1680 wrote to memory of 2292 1680 0bef587b5cdc7f40dfe1d1bad162d78a10e2391ea6eda75d05ffb8a53f34c80eN.exe 30 PID 1680 wrote to memory of 2292 1680 0bef587b5cdc7f40dfe1d1bad162d78a10e2391ea6eda75d05ffb8a53f34c80eN.exe 30 PID 1680 wrote to memory of 2292 1680 0bef587b5cdc7f40dfe1d1bad162d78a10e2391ea6eda75d05ffb8a53f34c80eN.exe 30 PID 2292 wrote to memory of 1280 2292 fffrxlf.exe 31 PID 2292 wrote to memory of 1280 2292 fffrxlf.exe 31 PID 2292 wrote to memory of 1280 2292 fffrxlf.exe 31 PID 2292 wrote to memory of 1280 2292 fffrxlf.exe 31 PID 1280 wrote to memory of 2572 1280 tnbnbn.exe 32 PID 1280 wrote to memory of 2572 1280 tnbnbn.exe 32 PID 1280 wrote to memory of 2572 1280 tnbnbn.exe 32 PID 1280 wrote to memory of 2572 1280 tnbnbn.exe 32 PID 2572 wrote to memory of 2340 2572 jpjpd.exe 33 PID 2572 wrote to memory of 2340 2572 jpjpd.exe 33 PID 2572 wrote to memory of 2340 2572 jpjpd.exe 33 PID 2572 wrote to memory of 2340 2572 jpjpd.exe 33 PID 2340 wrote to memory of 2332 2340 3rfxfff.exe 34 PID 2340 wrote to memory of 2332 2340 3rfxfff.exe 34 PID 2340 wrote to memory of 2332 2340 3rfxfff.exe 34 PID 2340 wrote to memory of 2332 2340 3rfxfff.exe 34 PID 2332 wrote to memory of 2820 2332 3httbb.exe 35 PID 2332 wrote to memory of 2820 2332 3httbb.exe 35 PID 2332 wrote to memory of 2820 2332 3httbb.exe 35 PID 2332 wrote to memory of 2820 2332 3httbb.exe 35 PID 2820 wrote to memory of 1220 2820 7jppv.exe 36 PID 2820 wrote to memory of 1220 2820 7jppv.exe 36 PID 2820 wrote to memory of 1220 2820 7jppv.exe 36 PID 2820 wrote to memory of 1220 2820 7jppv.exe 36 PID 1220 wrote to memory of 2640 1220 3fxfflf.exe 37 PID 1220 wrote to memory of 2640 1220 3fxfflf.exe 37 PID 1220 wrote to memory of 2640 1220 3fxfflf.exe 37 PID 1220 wrote to memory of 2640 1220 3fxfflf.exe 37 PID 2640 wrote to memory of 2732 2640 1ddpd.exe 38 PID 
2640 wrote to memory of 2732 2640 1ddpd.exe 38 PID 2640 wrote to memory of 2732 2640 1ddpd.exe 38 PID 2640 wrote to memory of 2732 2640 1ddpd.exe 38 PID 2732 wrote to memory of 2684 2732 xrlrlxx.exe 39 PID 2732 wrote to memory of 2684 2732 xrlrlxx.exe 39 PID 2732 wrote to memory of 2684 2732 xrlrlxx.exe 39 PID 2732 wrote to memory of 2684 2732 xrlrlxx.exe 39 PID 2684 wrote to memory of 2232 2684 ddjpd.exe 40 PID 2684 wrote to memory of 2232 2684 ddjpd.exe 40 PID 2684 wrote to memory of 2232 2684 ddjpd.exe 40 PID 2684 wrote to memory of 2232 2684 ddjpd.exe 40 PID 2232 wrote to memory of 1880 2232 xrflrfr.exe 41 PID 2232 wrote to memory of 1880 2232 xrflrfr.exe 41 PID 2232 wrote to memory of 1880 2232 xrflrfr.exe 41 PID 2232 wrote to memory of 1880 2232 xrflrfr.exe 41 PID 1880 wrote to memory of 3040 1880 hhnthn.exe 42 PID 1880 wrote to memory of 3040 1880 hhnthn.exe 42 PID 1880 wrote to memory of 3040 1880 hhnthn.exe 42 PID 1880 wrote to memory of 3040 1880 hhnthn.exe 42 PID 3040 wrote to memory of 1364 3040 jdvdv.exe 43 PID 3040 wrote to memory of 1364 3040 jdvdv.exe 43 PID 3040 wrote to memory of 1364 3040 jdvdv.exe 43 PID 3040 wrote to memory of 1364 3040 jdvdv.exe 43 PID 1364 wrote to memory of 2928 1364 ffxfrrf.exe 44 PID 1364 wrote to memory of 2928 1364 ffxfrrf.exe 44 PID 1364 wrote to memory of 2928 1364 ffxfrrf.exe 44 PID 1364 wrote to memory of 2928 1364 ffxfrrf.exe 44 PID 2928 wrote to memory of 2432 2928 hbbttb.exe 45 PID 2928 wrote to memory of 2432 2928 hbbttb.exe 45 PID 2928 wrote to memory of 2432 2928 hbbttb.exe 45 PID 2928 wrote to memory of 2432 2928 hbbttb.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\0bef587b5cdc7f40dfe1d1bad162d78a10e2391ea6eda75d05ffb8a53f34c80eN.exe"C:\Users\Admin\AppData\Local\Temp\0bef587b5cdc7f40dfe1d1bad162d78a10e2391ea6eda75d05ffb8a53f34c80eN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1680 -
\??\c:\fffrxlf.exec:\fffrxlf.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2292 -
\??\c:\tnbnbn.exec:\tnbnbn.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1280 -
\??\c:\jpjpd.exec:\jpjpd.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2572 -
\??\c:\3rfxfff.exec:\3rfxfff.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2340 -
\??\c:\3httbb.exec:\3httbb.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2332 -
\??\c:\7jppv.exec:\7jppv.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2820 -
\??\c:\3fxfflf.exec:\3fxfflf.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1220 -
\??\c:\1ddpd.exec:\1ddpd.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2640 -
\??\c:\xrlrlxx.exec:\xrlrlxx.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2732 -
\??\c:\ddjpd.exec:\ddjpd.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2684 -
\??\c:\xrflrfr.exec:\xrflrfr.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2232 -
\??\c:\hhnthn.exec:\hhnthn.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1880 -
\??\c:\jdvdv.exec:\jdvdv.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3040 -
\??\c:\ffxfrrf.exec:\ffxfrrf.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1364 -
\??\c:\hbbttb.exec:\hbbttb.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2928 -
\??\c:\3llrxfx.exec:\3llrxfx.exe17⤵
- Executes dropped EXE
PID:2432 -
\??\c:\rlfrllf.exec:\rlfrllf.exe18⤵
- Executes dropped EXE
PID:1044 -
\??\c:\vdvdp.exec:\vdvdp.exe19⤵
- Executes dropped EXE
PID:2124 -
\??\c:\5vddp.exec:\5vddp.exe20⤵
- Executes dropped EXE
PID:1544 -
\??\c:\nhtbnt.exec:\nhtbnt.exe21⤵
- Executes dropped EXE
PID:2560 -
\??\c:\7jjvj.exec:\7jjvj.exe22⤵
- Executes dropped EXE
PID:1208 -
\??\c:\llfrfrf.exec:\llfrfrf.exe23⤵
- Executes dropped EXE
PID:1308 -
\??\c:\nnnthh.exec:\nnnthh.exe24⤵
- Executes dropped EXE
PID:852 -
\??\c:\7xlrxrr.exec:\7xlrxrr.exe25⤵
- Executes dropped EXE
PID:1356 -
\??\c:\bbnthb.exec:\bbnthb.exe26⤵
- Executes dropped EXE
PID:1376 -
\??\c:\rrfrxfl.exec:\rrfrxfl.exe27⤵
- Executes dropped EXE
PID:2440 -
\??\c:\9rlxflf.exec:\9rlxflf.exe28⤵
- Executes dropped EXE
PID:1420 -
\??\c:\jdjjd.exec:\jdjjd.exe29⤵
- Executes dropped EXE
PID:876 -
\??\c:\lxllffr.exec:\lxllffr.exe30⤵
- Executes dropped EXE
PID:1632 -
\??\c:\pdjjd.exec:\pdjjd.exe31⤵
- Executes dropped EXE
PID:1932 -
\??\c:\xfxlxfr.exec:\xfxlxfr.exe32⤵
- Executes dropped EXE
PID:528 -
\??\c:\nbhhnn.exec:\nbhhnn.exe33⤵
- Executes dropped EXE
PID:1580 -
\??\c:\vjvpd.exec:\vjvpd.exe34⤵
- Executes dropped EXE
PID:1620 -
\??\c:\xrxlrxr.exec:\xrxlrxr.exe35⤵
- Executes dropped EXE
PID:1940 -
\??\c:\tthhtn.exec:\tthhtn.exe36⤵
- Executes dropped EXE
PID:2244 -
\??\c:\3jdjj.exec:\3jdjj.exe37⤵
- Executes dropped EXE
PID:1384 -
\??\c:\pdppp.exec:\pdppp.exe38⤵
- Executes dropped EXE
PID:2852 -
\??\c:\rrrxxfl.exec:\rrrxxfl.exe39⤵
- Executes dropped EXE
PID:2776 -
\??\c:\nbhbbb.exec:\nbhbbb.exe40⤵
- Executes dropped EXE
PID:2772 -
\??\c:\bttbnb.exec:\bttbnb.exe41⤵
- Executes dropped EXE
PID:2764 -
\??\c:\dpddj.exec:\dpddj.exe42⤵
- Executes dropped EXE
PID:2832 -
\??\c:\rfrrxrx.exec:\rfrrxrx.exe43⤵
- Executes dropped EXE
PID:2828 -
\??\c:\xxllrfl.exec:\xxllrfl.exe44⤵
- Executes dropped EXE
PID:2624 -
\??\c:\htbnnt.exec:\htbnnt.exe45⤵
- Executes dropped EXE
PID:2664 -
\??\c:\9ppjp.exec:\9ppjp.exe46⤵
- Executes dropped EXE
PID:2680 -
\??\c:\7jjdj.exec:\7jjdj.exe47⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2884 -
\??\c:\5rfxlff.exec:\5rfxlff.exe48⤵
- Executes dropped EXE
PID:1332 -
\??\c:\thnhhn.exec:\thnhhn.exe49⤵
- Executes dropped EXE
PID:1520 -
\??\c:\5bhbhb.exec:\5bhbhb.exe50⤵
- Executes dropped EXE
PID:2932 -
\??\c:\jvvvp.exec:\jvvvp.exe51⤵
- Executes dropped EXE
PID:1960 -
\??\c:\5rlxfxf.exec:\5rlxfxf.exe52⤵
- Executes dropped EXE
PID:1800 -
\??\c:\bthhhh.exec:\bthhhh.exe53⤵
- Executes dropped EXE
PID:2796 -
\??\c:\5tnthn.exec:\5tnthn.exe54⤵
- Executes dropped EXE
PID:300 -
\??\c:\7vjjp.exec:\7vjjp.exe55⤵
- Executes dropped EXE
PID:2020 -
\??\c:\pdpjv.exec:\pdpjv.exe56⤵
- Executes dropped EXE
PID:1044 -
\??\c:\frfflrf.exec:\frfflrf.exe57⤵
- Executes dropped EXE
PID:2436 -
\??\c:\hbntnh.exec:\hbntnh.exe58⤵
- Executes dropped EXE
PID:2264 -
\??\c:\pjvdp.exec:\pjvdp.exe59⤵
- Executes dropped EXE
PID:2052 -
\??\c:\jvvdp.exec:\jvvdp.exe60⤵
- Executes dropped EXE
PID:1436 -
\??\c:\ffxxrrr.exec:\ffxxrrr.exe61⤵
- Executes dropped EXE
PID:1012 -
\??\c:\htbtbt.exec:\htbtbt.exe62⤵
- Executes dropped EXE
PID:1208 -
\??\c:\ttntnn.exec:\ttntnn.exe63⤵
- Executes dropped EXE
PID:2596 -
\??\c:\5vpjp.exec:\5vpjp.exe64⤵
- Executes dropped EXE
PID:1908 -
\??\c:\xrrlrxf.exec:\xrrlrxf.exe65⤵
- Executes dropped EXE
PID:1912 -
\??\c:\rfrrxxx.exec:\rfrrxxx.exe66⤵PID:2040
-
\??\c:\htttnh.exec:\htttnh.exe67⤵PID:324
-
\??\c:\3djvd.exec:\3djvd.exe68⤵PID:2072
-
\??\c:\1pvdp.exec:\1pvdp.exe69⤵PID:2248
-
\??\c:\rrlrrrx.exec:\rrlrrrx.exe70⤵PID:1624
-
\??\c:\tnbnnn.exec:\tnbnnn.exe71⤵PID:2472
-
\??\c:\thtnbt.exec:\thtnbt.exe72⤵PID:884
-
\??\c:\jdjvv.exec:\jdjvv.exe73⤵PID:3032
-
\??\c:\lfllxfr.exec:\lfllxfr.exe74⤵PID:2104
-
\??\c:\lxlfllf.exec:\lxlfllf.exe75⤵PID:2252
-
\??\c:\nhnnnn.exec:\nhnnnn.exe76⤵PID:2544
-
\??\c:\9pjjj.exec:\9pjjj.exe77⤵PID:1620
-
\??\c:\vdppp.exec:\vdppp.exe78⤵PID:2384
-
\??\c:\xrllxfl.exec:\xrllxfl.exe79⤵PID:1244
-
\??\c:\tthhnn.exec:\tthhnn.exe80⤵PID:2860
-
\??\c:\bnbbtt.exec:\bnbbtt.exe81⤵PID:2744
-
\??\c:\jpdvd.exec:\jpdvd.exe82⤵PID:2724
-
\??\c:\vpjpv.exec:\vpjpv.exe83⤵PID:2880
-
\??\c:\frxxllf.exec:\frxxllf.exe84⤵PID:2620
-
\??\c:\btnnbt.exec:\btnnbt.exe85⤵PID:2864
-
\??\c:\thhbht.exec:\thhbht.exe86⤵PID:2456
-
\??\c:\jppjd.exec:\jppjd.exe87⤵PID:2660
-
\??\c:\lxxflrx.exec:\lxxflrx.exe88⤵PID:1172
-
\??\c:\1llflrx.exec:\1llflrx.exe89⤵PID:2684
-
\??\c:\hbhhbt.exec:\hbhhbt.exe90⤵PID:2696
-
\??\c:\5jdvj.exec:\5jdvj.exe91⤵PID:2944
-
\??\c:\lxlflfl.exec:\lxlflfl.exe92⤵PID:872
-
\??\c:\lfrrxfl.exec:\lfrrxfl.exe93⤵PID:2872
-
\??\c:\hbnnnn.exec:\hbnnnn.exe94⤵PID:1896
-
\??\c:\vdjjv.exec:\vdjjv.exe95⤵PID:2924
-
\??\c:\dpvpp.exec:\dpvpp.exe96⤵PID:2928
-
\??\c:\xlrlrrx.exec:\xlrlrrx.exe97⤵PID:2796
-
\??\c:\rflxfff.exec:\rflxfff.exe98⤵PID:300
-
\??\c:\tbnbht.exec:\tbnbht.exe99⤵PID:2016
-
\??\c:\pdpvv.exec:\pdpvv.exe100⤵PID:2480
-
\??\c:\3jpjv.exec:\3jpjv.exe101⤵PID:2436
-
\??\c:\1ffxxrl.exec:\1ffxxrl.exe102⤵PID:2216
-
\??\c:\xlrlrlr.exec:\xlrlrlr.exe103⤵PID:588
-
\??\c:\hbhhnh.exec:\hbhhnh.exe104⤵PID:2160
-
\??\c:\jvjpp.exec:\jvjpp.exe105⤵PID:1968
-
\??\c:\5jpjp.exec:\5jpjp.exe106⤵PID:1308
-
\??\c:\xxllxrr.exec:\xxllxrr.exe107⤵PID:2428
-
\??\c:\frxfrll.exec:\frxfrll.exe108⤵PID:920
-
\??\c:\ntbttn.exec:\ntbttn.exe109⤵PID:2144
-
\??\c:\hthnhh.exec:\hthnhh.exe110⤵PID:1912
-
\??\c:\vjpjv.exec:\vjpjv.exe111⤵PID:1720
-
\??\c:\fxxlrrr.exec:\fxxlrrr.exe112⤵PID:324
-
\??\c:\xfxlfff.exec:\xfxlfff.exe113⤵PID:784
-
\??\c:\bntnnn.exec:\bntnnn.exe114⤵PID:2908
-
\??\c:\vpvvv.exec:\vpvvv.exe115⤵PID:1892
-
\??\c:\vpvdp.exec:\vpvdp.exe116⤵PID:1736
-
\??\c:\1rxxxxx.exec:\1rxxxxx.exe117⤵PID:1932
-
\??\c:\1hnbbt.exec:\1hnbbt.exe118⤵PID:3032
-
\??\c:\3nnbbn.exec:\3nnbbn.exe119⤵PID:2104
-
\??\c:\7vjjj.exec:\7vjjj.exe120⤵PID:2540
-
\??\c:\vjppp.exec:\vjppp.exe121⤵
- System Location Discovery: System Language Discovery
PID:2544 -
\??\c:\7xfffxf.exec:\7xfffxf.exe122⤵PID:1620