Analysis
-
max time kernel
55s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64 arch:x86 image:win7-20240704-en locale:en-us os:windows7-x64 system -
submitted
27/07/2024, 19:56
Behavioral task
behavioral1
Sample
1fc543a4b6aa653c7f29a5ce554e69c3f2cce38a866dbf6be3201f12f4919a47.exe
Resource
win7-20240704-en
6 signatures
150 seconds
General
-
Target
1fc543a4b6aa653c7f29a5ce554e69c3f2cce38a866dbf6be3201f12f4919a47.exe
-
Size
81KB
-
MD5
9955aecf57d405d0ae85452145b769fe
-
SHA1
9bb93e535c8de60b61b0dbbad197cfc3fb8ebfb1
-
SHA256
1fc543a4b6aa653c7f29a5ce554e69c3f2cce38a866dbf6be3201f12f4919a47
-
SHA512
d15380045c6e785538a805d8d1c13ef880480598d618d47edcd4df46143352f0918a5d426e642e6a280d57e0018aed30ff7bc4d1b7b05becca5c3f6f318b917f
-
SSDEEP
1536:9vQBeOGtrYS3srx93UBWfwC6Ggnouy8yaVskCzYBbKd+XsWgADUOjgRpnzQX:9hOmTsF93UYfwC6GIoutyaVszyKd+XY8
Malware Config
Signatures
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral1/memory/2484-0-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2108-10-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2236-26-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2120-35-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2232-46-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2172-64-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2576-73-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2700-54-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2776-85-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2780-96-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2580-95-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2580-91-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/1028-108-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/1028-114-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1332-123-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2984-158-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1292-139-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/1292-134-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2136-168-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2908-196-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1980-187-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral1/memory/1368-206-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/1368-209-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1736-223-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2420-242-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1520-252-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1800-302-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2732-309-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2744-322-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2704-344-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2712-367-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2668-370-0x00000000003A0000-0x00000000003C7000-memory.dmp family_blackmoon behavioral1/memory/2668-374-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2780-387-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1332-406-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1976-418-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2020-422-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2020-427-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2408-439-0x00000000002A0000-0x00000000002C7000-memory.dmp family_blackmoon behavioral1/memory/2932-448-0x00000000003A0000-0x00000000003C7000-memory.dmp family_blackmoon behavioral1/memory/1100-473-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1704-487-0x00000000003A0000-0x00000000003C7000-memory.dmp family_blackmoon 
behavioral1/memory/1704-486-0x00000000003A0000-0x00000000003C7000-memory.dmp family_blackmoon behavioral1/memory/1552-500-0x00000000003A0000-0x00000000003C7000-memory.dmp family_blackmoon behavioral1/memory/948-507-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2824-533-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2056-547-0x0000000000250000-0x0000000000277000-memory.dmp family_blackmoon behavioral1/memory/2484-567-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2068-574-0x00000000003A0000-0x00000000003C7000-memory.dmp family_blackmoon behavioral1/memory/2068-573-0x00000000003A0000-0x00000000003C7000-memory.dmp family_blackmoon behavioral1/memory/2828-578-0x0000000000230000-0x0000000000257000-memory.dmp family_blackmoon behavioral1/memory/2804-627-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2720-632-0x00000000003C0000-0x00000000003E7000-memory.dmp family_blackmoon behavioral1/memory/2552-641-0x0000000000230000-0x0000000000257000-memory.dmp family_blackmoon behavioral1/memory/2352-647-0x00000000001C0000-0x00000000001E7000-memory.dmp family_blackmoon behavioral1/memory/1300-657-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2668-656-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/1252-676-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/1840-703-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2848-715-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2344-728-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2528-736-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/1492-749-0x00000000002D0000-0x00000000002F7000-memory.dmp family_blackmoon 
behavioral1/memory/1472-742-0x0000000000230000-0x0000000000257000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2108 frxlrxr.exe 2236 jvvvp.exe 2120 ttbtbn.exe 2232 xllflff.exe 2700 fxfrfff.exe 2172 nhtthb.exe 2576 vpdjv.exe 2776 lxfrrxf.exe 2580 bhbntb.exe 2780 xlxrxfx.exe 1028 rxlflrf.exe 1332 lxlrxxl.exe 1996 pdjjv.exe 1292 bthhbb.exe 1968 llrxffl.exe 2984 ppvpv.exe 2136 1hbbhh.exe 2092 ddvjd.exe 1980 htbnbn.exe 2908 jdjvd.exe 1368 3jvvv.exe 2316 1fxxrrf.exe 1736 tnhtnn.exe 892 pjppv.exe 2420 tttnhn.exe 1520 dpvdp.exe 2356 ttbnbn.exe 2224 lrlxxll.exe 604 jvpjv.exe 756 rffrrlf.exe 2028 djjjj.exe 1800 xrrrfxx.exe 2732 9hbtbn.exe 2500 rlxxllf.exe 836 hnnhhb.exe 2744 pvvjp.exe 2748 bbtnnh.exe 2556 3btbnh.exe 2704 xxlxrfx.exe 2332 vdjjj.exe 2576 xfrxxrr.exe 2712 vddvp.exe 2668 rxxrlfr.exe 3012 jpjdp.exe 2780 7frrrll.exe 1788 ttnbnh.exe 1320 djvpv.exe 1332 hnnhhn.exe 1960 hbhbhh.exe 1976 pdpdj.exe 2020 btnntt.exe 2844 vddjv.exe 2408 bhnbtn.exe 2932 pvdvv.exe 2644 7htnhn.exe 2092 rfxrxxx.exe 2904 bntbnn.exe 1540 xxfrxfr.exe 1100 jvpjv.exe 1704 flxrlfl.exe 2316 djjjp.exe 1552 ttnbht.exe 948 vdpjj.exe 1336 1dvdp.exe -
resource yara_rule behavioral1/memory/2484-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000a0000000122db-7.dat upx behavioral1/memory/2108-10-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0007000000016ebe-18.dat upx behavioral1/memory/2236-26-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000700000001705e-25.dat upx behavioral1/memory/2484-3-0x0000000000220000-0x0000000000247000-memory.dmp upx behavioral1/memory/2232-37-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00070000000173e1-36.dat upx behavioral1/memory/2120-34-0x0000000000220000-0x0000000000247000-memory.dmp upx behavioral1/memory/2232-46-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00070000000173e4-45.dat upx behavioral1/memory/2172-64-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0008000000017462-63.dat upx behavioral1/memory/2576-73-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00060000000191c6-75.dat upx behavioral1/memory/2576-65-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00080000000173ec-56.dat upx behavioral1/memory/2580-82-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00050000000194d1-83.dat upx behavioral1/memory/2776-85-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2780-96-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00050000000194f1-93.dat upx behavioral1/files/0x000500000001951e-104.dat upx behavioral1/memory/1028-114-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0005000000019622-115.dat upx behavioral1/memory/1332-123-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0005000000019624-122.dat upx behavioral1/files/0x0009000000016db3-130.dat upx behavioral1/files/0x000500000001962d-149.dat upx behavioral1/files/0x000500000001979c-159.dat upx 
behavioral1/memory/2136-160-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2984-158-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001962c-142.dat upx behavioral1/memory/1292-134-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0005000000019a54-167.dat upx behavioral1/files/0x0005000000019aef-176.dat upx behavioral1/files/0x0005000000019c4d-194.dat upx behavioral1/memory/2908-196-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0005000000019af1-188.dat upx behavioral1/memory/1980-187-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0005000000019c66-203.dat upx behavioral1/memory/1368-209-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0005000000019c68-215.dat upx behavioral1/files/0x0005000000019c9f-225.dat upx behavioral1/memory/892-226-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/1736-223-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0005000000019d6d-234.dat upx behavioral1/files/0x0005000000019f39-243.dat upx behavioral1/memory/2420-242-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/1520-252-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0005000000019f50-250.dat upx behavioral1/files/0x000500000001a04b-260.dat upx behavioral1/files/0x000500000001a055-268.dat upx behavioral1/files/0x000500000001a08c-276.dat upx behavioral1/files/0x000500000001a2df-282.dat upx behavioral1/memory/2028-286-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001a310-292.dat upx behavioral1/memory/1800-294-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/1800-302-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2732-309-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2744-322-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral1/memory/2704-344-0x0000000000220000-0x0000000000247000-memory.dmp upx behavioral1/memory/2712-367-0x0000000000400000-0x0000000000427000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrlxxll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5bnbnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnhbnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jddvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlrrfrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5rlffrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttthbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvvjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttbtth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvpjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjdpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djpdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nntbtb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvjdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfrxllr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htnhnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxxlrlr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jddjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdppd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1fxxrrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlxlfxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7thnbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rffrrfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btthbb.exe Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvdvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3xrlxxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlxrxfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlrlllx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlxxffr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbhbhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxffrlx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lflrflf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1rfllll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjddv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvpjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppvjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvjpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddpdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxfrxfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbnbth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5jvvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxxrlfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvvjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrfxllr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdvjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lflffxf.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppdvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frxlrfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3jjvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnbhbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjdvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddpvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnnbth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrfxxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language httbnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xllfxfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnnthh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhntnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrfrrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdpvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvvjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvvvv.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2484 wrote to memory of 2108 2484 1fc543a4b6aa653c7f29a5ce554e69c3f2cce38a866dbf6be3201f12f4919a47.exe 31 PID 2484 wrote to memory of 2108 2484 1fc543a4b6aa653c7f29a5ce554e69c3f2cce38a866dbf6be3201f12f4919a47.exe 31 PID 2484 wrote to memory of 2108 2484 1fc543a4b6aa653c7f29a5ce554e69c3f2cce38a866dbf6be3201f12f4919a47.exe 31 PID 2484 wrote to memory of 2108 2484 1fc543a4b6aa653c7f29a5ce554e69c3f2cce38a866dbf6be3201f12f4919a47.exe 31 PID 2108 wrote to memory of 2236 2108 frxlrxr.exe 32 PID 2108 wrote to memory of 2236 2108 frxlrxr.exe 32 PID 2108 wrote to memory of 2236 2108 frxlrxr.exe 32 PID 2108 wrote to memory of 2236 2108 frxlrxr.exe 32 PID 2236 wrote to memory of 2120 2236 jvvvp.exe 33 PID 2236 wrote to memory of 2120 2236 jvvvp.exe 33 PID 2236 wrote to memory of 2120 2236 jvvvp.exe 33 PID 2236 wrote to memory of 2120 2236 jvvvp.exe 33 PID 2120 wrote to memory of 2232 2120 ttbtbn.exe 34 PID 2120 wrote to memory of 2232 2120 ttbtbn.exe 34 PID 2120 wrote to memory of 2232 2120 ttbtbn.exe 34 PID 2120 wrote to memory of 2232 2120 ttbtbn.exe 34 PID 2232 wrote to memory of 2700 2232 xllflff.exe 35 PID 2232 wrote to memory of 2700 2232 xllflff.exe 35 PID 2232 wrote to memory of 2700 2232 xllflff.exe 35 PID 2232 wrote to memory of 2700 2232 xllflff.exe 35 PID 2700 wrote to memory of 2172 2700 fxfrfff.exe 36 PID 2700 wrote to memory of 2172 2700 fxfrfff.exe 36 PID 2700 wrote to memory of 2172 2700 fxfrfff.exe 36 PID 2700 wrote to memory of 2172 2700 fxfrfff.exe 36 PID 2172 wrote to memory of 2576 2172 nhtthb.exe 71 PID 2172 wrote to memory of 2576 2172 nhtthb.exe 71 PID 2172 wrote to memory of 2576 2172 nhtthb.exe 71 PID 2172 wrote to memory of 2576 2172 nhtthb.exe 71 PID 2576 wrote to memory of 2776 2576 vpdjv.exe 38 PID 2576 wrote to memory of 2776 2576 vpdjv.exe 38 PID 2576 wrote to memory of 2776 2576 vpdjv.exe 38 PID 2576 wrote to memory of 2776 2576 vpdjv.exe 38 PID 2776 wrote to memory of 2580 2776 lxfrrxf.exe 39 PID 2776 
wrote to memory of 2580 2776 lxfrrxf.exe 39 PID 2776 wrote to memory of 2580 2776 lxfrrxf.exe 39 PID 2776 wrote to memory of 2580 2776 lxfrrxf.exe 39 PID 2580 wrote to memory of 2780 2580 bhbntb.exe 75 PID 2580 wrote to memory of 2780 2580 bhbntb.exe 75 PID 2580 wrote to memory of 2780 2580 bhbntb.exe 75 PID 2580 wrote to memory of 2780 2580 bhbntb.exe 75 PID 2780 wrote to memory of 1028 2780 xlxrxfx.exe 41 PID 2780 wrote to memory of 1028 2780 xlxrxfx.exe 41 PID 2780 wrote to memory of 1028 2780 xlxrxfx.exe 41 PID 2780 wrote to memory of 1028 2780 xlxrxfx.exe 41 PID 1028 wrote to memory of 1332 1028 rxlflrf.exe 78 PID 1028 wrote to memory of 1332 1028 rxlflrf.exe 78 PID 1028 wrote to memory of 1332 1028 rxlflrf.exe 78 PID 1028 wrote to memory of 1332 1028 rxlflrf.exe 78 PID 1332 wrote to memory of 1996 1332 lxlrxxl.exe 43 PID 1332 wrote to memory of 1996 1332 lxlrxxl.exe 43 PID 1332 wrote to memory of 1996 1332 lxlrxxl.exe 43 PID 1332 wrote to memory of 1996 1332 lxlrxxl.exe 43 PID 1996 wrote to memory of 1292 1996 pdjjv.exe 44 PID 1996 wrote to memory of 1292 1996 pdjjv.exe 44 PID 1996 wrote to memory of 1292 1996 pdjjv.exe 44 PID 1996 wrote to memory of 1292 1996 pdjjv.exe 44 PID 1292 wrote to memory of 1968 1292 bthhbb.exe 45 PID 1292 wrote to memory of 1968 1292 bthhbb.exe 45 PID 1292 wrote to memory of 1968 1292 bthhbb.exe 45 PID 1292 wrote to memory of 1968 1292 bthhbb.exe 45 PID 1968 wrote to memory of 2984 1968 llrxffl.exe 46 PID 1968 wrote to memory of 2984 1968 llrxffl.exe 46 PID 1968 wrote to memory of 2984 1968 llrxffl.exe 46 PID 1968 wrote to memory of 2984 1968 llrxffl.exe 46
Processes
-
C:\Users\Admin\AppData\Local\Temp\1fc543a4b6aa653c7f29a5ce554e69c3f2cce38a866dbf6be3201f12f4919a47.exe"C:\Users\Admin\AppData\Local\Temp\1fc543a4b6aa653c7f29a5ce554e69c3f2cce38a866dbf6be3201f12f4919a47.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2484 -
\??\c:\frxlrxr.exec:\frxlrxr.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2108 -
\??\c:\jvvvp.exec:\jvvvp.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2236 -
\??\c:\ttbtbn.exec:\ttbtbn.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2120 -
\??\c:\xllflff.exec:\xllflff.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2232 -
\??\c:\fxfrfff.exec:\fxfrfff.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2700 -
\??\c:\nhtthb.exec:\nhtthb.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2172 -
\??\c:\vpdjv.exec:\vpdjv.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2576 -
\??\c:\lxfrrxf.exec:\lxfrrxf.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2776 -
\??\c:\bhbntb.exec:\bhbntb.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2580 -
\??\c:\xlxrxfx.exec:\xlxrxfx.exe11⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2780 -
\??\c:\rxlflrf.exec:\rxlflrf.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1028 -
\??\c:\lxlrxxl.exec:\lxlrxxl.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1332 -
\??\c:\pdjjv.exec:\pdjjv.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1996 -
\??\c:\bthhbb.exec:\bthhbb.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1292 -
\??\c:\llrxffl.exec:\llrxffl.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1968 -
\??\c:\ppvpv.exec:\ppvpv.exe17⤵
- Executes dropped EXE
PID:2984 -
\??\c:\1hbbhh.exec:\1hbbhh.exe18⤵
- Executes dropped EXE
PID:2136 -
\??\c:\ddvjd.exec:\ddvjd.exe19⤵
- Executes dropped EXE
PID:2092 -
\??\c:\htbnbn.exec:\htbnbn.exe20⤵
- Executes dropped EXE
PID:1980 -
\??\c:\jdjvd.exec:\jdjvd.exe21⤵
- Executes dropped EXE
PID:2908 -
\??\c:\3jvvv.exec:\3jvvv.exe22⤵
- Executes dropped EXE
PID:1368 -
\??\c:\1fxxrrf.exec:\1fxxrrf.exe23⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2316 -
\??\c:\tnhtnn.exec:\tnhtnn.exe24⤵
- Executes dropped EXE
PID:1736 -
\??\c:\pjppv.exec:\pjppv.exe25⤵
- Executes dropped EXE
PID:892 -
\??\c:\tttnhn.exec:\tttnhn.exe26⤵
- Executes dropped EXE
PID:2420 -
\??\c:\dpvdp.exec:\dpvdp.exe27⤵
- Executes dropped EXE
PID:1520 -
\??\c:\ttbnbn.exec:\ttbnbn.exe28⤵
- Executes dropped EXE
PID:2356 -
\??\c:\lrlxxll.exec:\lrlxxll.exe29⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2224 -
\??\c:\jvpjv.exec:\jvpjv.exe30⤵
- Executes dropped EXE
PID:604 -
\??\c:\rffrrlf.exec:\rffrrlf.exe31⤵
- Executes dropped EXE
PID:756 -
\??\c:\djjjj.exec:\djjjj.exe32⤵
- Executes dropped EXE
PID:2028 -
\??\c:\xrrrfxx.exec:\xrrrfxx.exe33⤵
- Executes dropped EXE
PID:1800 -
\??\c:\9hbtbn.exec:\9hbtbn.exe34⤵
- Executes dropped EXE
PID:2732 -
\??\c:\rlxxllf.exec:\rlxxllf.exe35⤵
- Executes dropped EXE
PID:2500 -
\??\c:\hnnhhb.exec:\hnnhhb.exe36⤵
- Executes dropped EXE
PID:836 -
\??\c:\pvvjp.exec:\pvvjp.exe37⤵
- Executes dropped EXE
PID:2744 -
\??\c:\bbtnnh.exec:\bbtnnh.exe38⤵
- Executes dropped EXE
PID:2748 -
\??\c:\3btbnh.exec:\3btbnh.exe39⤵
- Executes dropped EXE
PID:2556 -
\??\c:\xxlxrfx.exec:\xxlxrfx.exe40⤵
- Executes dropped EXE
PID:2704 -
\??\c:\vdjjj.exec:\vdjjj.exe41⤵
- Executes dropped EXE
PID:2332 -
\??\c:\xfrxxrr.exec:\xfrxxrr.exe42⤵
- Executes dropped EXE
PID:2576 -
\??\c:\vddvp.exec:\vddvp.exe43⤵
- Executes dropped EXE
PID:2712 -
\??\c:\rxxrlfr.exec:\rxxrlfr.exe44⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2668 -
\??\c:\jpjdp.exec:\jpjdp.exe45⤵
- Executes dropped EXE
PID:3012 -
\??\c:\7frrrll.exec:\7frrrll.exe46⤵
- Executes dropped EXE
PID:2780 -
\??\c:\ttnbnh.exec:\ttnbnh.exe47⤵
- Executes dropped EXE
PID:1788 -
\??\c:\djvpv.exec:\djvpv.exe48⤵
- Executes dropped EXE
PID:1320 -
\??\c:\hnnhhn.exec:\hnnhhn.exe49⤵
- Executes dropped EXE
PID:1332 -
\??\c:\hbhbhh.exec:\hbhbhh.exe50⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1960 -
\??\c:\pdpdj.exec:\pdpdj.exe51⤵
- Executes dropped EXE
PID:1976 -
\??\c:\btnntt.exec:\btnntt.exe52⤵
- Executes dropped EXE
PID:2020 -
\??\c:\vddjv.exec:\vddjv.exe53⤵
- Executes dropped EXE
PID:2844 -
\??\c:\bhnbtn.exec:\bhnbtn.exe54⤵
- Executes dropped EXE
PID:2408 -
\??\c:\pvdvv.exec:\pvdvv.exe55⤵
- Executes dropped EXE
PID:2932 -
\??\c:\7htnhn.exec:\7htnhn.exe56⤵
- Executes dropped EXE
PID:2644 -
\??\c:\rfxrxxx.exec:\rfxrxxx.exe57⤵
- Executes dropped EXE
PID:2092 -
\??\c:\bntbnn.exec:\bntbnn.exe58⤵
- Executes dropped EXE
PID:2904 -
\??\c:\xxfrxfr.exec:\xxfrxfr.exe59⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1540 -
\??\c:\jvpjv.exec:\jvpjv.exe60⤵
- Executes dropped EXE
PID:1100 -
\??\c:\flxrlfl.exec:\flxrlfl.exe61⤵
- Executes dropped EXE
PID:1704 -
\??\c:\djjjp.exec:\djjjp.exe62⤵
- Executes dropped EXE
PID:2316 -
\??\c:\ttnbht.exec:\ttnbht.exe63⤵
- Executes dropped EXE
PID:1552 -
\??\c:\vdpjj.exec:\vdpjj.exe64⤵
- Executes dropped EXE
PID:948 -
\??\c:\1dvdp.exec:\1dvdp.exe65⤵
- Executes dropped EXE
PID:1336 -
\??\c:\ddjjp.exec:\ddjjp.exe66⤵PID:2416
-
\??\c:\hntnth.exec:\hntnth.exe67⤵PID:2916
-
\??\c:\pdddv.exec:\pdddv.exe68⤵PID:2824
-
\??\c:\btthbb.exec:\btthbb.exe69⤵
- System Location Discovery: System Language Discovery
PID:2052 -
\??\c:\jpvpp.exec:\jpvpp.exe70⤵PID:2056
-
\??\c:\jjvpj.exec:\jjvpj.exe71⤵PID:324
-
\??\c:\1xxlrlr.exec:\1xxlrlr.exe72⤵PID:2988
-
\??\c:\lllffxx.exec:\lllffxx.exe73⤵PID:2484
-
\??\c:\thbbbb.exec:\thbbbb.exe74⤵PID:2068
-
\??\c:\vvpdp.exec:\vvpdp.exe75⤵PID:2828
-
\??\c:\nnhttn.exec:\nnhttn.exe76⤵PID:3044
-
\??\c:\bhbnhb.exec:\bhbnhb.exe77⤵PID:2688
-
\??\c:\ddjdv.exec:\ddjdv.exe78⤵PID:3040
-
\??\c:\bbnbth.exec:\bbnbth.exe79⤵
- System Location Discovery: System Language Discovery
PID:2692 -
\??\c:\rrflffr.exec:\rrflffr.exe80⤵PID:2672
-
\??\c:\tbbttn.exec:\tbbttn.exe81⤵PID:2948
-
\??\c:\bnttnh.exec:\bnttnh.exe82⤵PID:2804
-
\??\c:\vvpdd.exec:\vvpdd.exe83⤵PID:2720
-
\??\c:\nntbhb.exec:\nntbhb.exe84⤵PID:2552
-
\??\c:\jpjpj.exec:\jpjpj.exe85⤵PID:2352
-
\??\c:\nthhbn.exec:\nthhbn.exe86⤵PID:2668
-
\??\c:\flfrrff.exec:\flfrrff.exe87⤵PID:1300
-
\??\c:\jjdvv.exec:\jjdvv.exe88⤵PID:1256
-
\??\c:\nhnbbt.exec:\nhnbbt.exe89⤵PID:1252
-
\??\c:\flrxxrr.exec:\flrxxrr.exe90⤵PID:1624
-
\??\c:\bbnnnt.exec:\bbnnnt.exe91⤵PID:1992
-
\??\c:\pdpdd.exec:\pdpdd.exe92⤵PID:1976
-
\??\c:\xfrfflf.exec:\xfrfflf.exe93⤵PID:1840
-
\??\c:\ffrrfrl.exec:\ffrrfrl.exe94⤵PID:2856
-
\??\c:\pvjdj.exec:\pvjdj.exe95⤵PID:2848
-
\??\c:\5jddd.exec:\5jddd.exe96⤵PID:1908
-
\??\c:\9thnnb.exec:\9thnnb.exe97⤵PID:2344
-
\??\c:\dpppj.exec:\dpppj.exe98⤵PID:2528
-
\??\c:\hnntnh.exec:\hnntnh.exe99⤵PID:1472
-
\??\c:\nhbhbb.exec:\nhbhbb.exe100⤵PID:1492
-
\??\c:\rlffxfl.exec:\rlffxfl.exe101⤵PID:1220
-
\??\c:\vvpvj.exec:\vvpvj.exe102⤵PID:2412
-
\??\c:\5jjpp.exec:\5jjpp.exe103⤵PID:752
-
\??\c:\tbtbth.exec:\tbtbth.exe104⤵PID:1660
-
\??\c:\frrrlrr.exec:\frrrlrr.exe105⤵PID:948
-
\??\c:\bthnnh.exec:\bthnnh.exe106⤵PID:1644
-
\??\c:\xflxlxl.exec:\xflxlxl.exe107⤵PID:2280
-
\??\c:\ntntnb.exec:\ntntnb.exe108⤵PID:1264
-
\??\c:\pjvpv.exec:\pjvpv.exe109⤵PID:1936
-
\??\c:\ffflfff.exec:\ffflfff.exe110⤵PID:1940
-
\??\c:\ppdvd.exec:\ppdvd.exe111⤵
- System Location Discovery: System Language Discovery
PID:2324 -
\??\c:\lffrfxf.exec:\lffrfxf.exe112⤵PID:604
-
\??\c:\tnnthh.exec:\tnnthh.exe113⤵
- System Location Discovery: System Language Discovery
PID:2164 -
\??\c:\lxfflff.exec:\lxfflff.exe114⤵PID:3028
-
\??\c:\djdvv.exec:\djdvv.exe115⤵PID:1572
-
\??\c:\lxxllxf.exec:\lxxllxf.exe116⤵PID:1580
-
\??\c:\jvvdv.exec:\jvvdv.exe117⤵PID:2236
-
\??\c:\tntbbn.exec:\tntbbn.exe118⤵PID:2772
-
\??\c:\ppvdj.exec:\ppvdj.exe119⤵PID:836
-
\??\c:\frxlrfx.exec:\frxlrfx.exe120⤵
- System Location Discovery: System Language Discovery
PID:2788 -
\??\c:\xllflrr.exec:\xllflrr.exe121⤵PID:2684
-
\??\c:\pdjjj.exec:\pdjjj.exe122⤵PID:2724
-