Analysis
-
max time kernel
150s -
max time network
124s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64 arch:x86 image:win7-20240708-en locale:en-us os:windows7-x64 system -
submitted
06/08/2024, 01:24
Behavioral task
behavioral1
Sample
af3c355b18f2ab1a1c47ab7396a81a093e4f04ca7281d442abb435e4cc3c6460.exe
Resource
win7-20240708-en
6 signatures
150 seconds
General
-
Target
af3c355b18f2ab1a1c47ab7396a81a093e4f04ca7281d442abb435e4cc3c6460.exe
-
Size
51KB
-
MD5
d621e74fb5676bd70d450b0abc1b41b8
-
SHA1
b936709c1d6fdaba64319f67031fa4d3dd2ab6c0
-
SHA256
af3c355b18f2ab1a1c47ab7396a81a093e4f04ca7281d442abb435e4cc3c6460
-
SHA512
9699755c0f2f7ffe920e7696a5b66528f1a9bdc43e872b91b62107c2f0c59dc06d9ebfab457eeb4bc0e024dad9f12b5910f7b1221185fbafdf14cbcb472f3843
-
SSDEEP
1536:hBvQBeOGtrYS3srx93UBWfwC6Ggnouy87bGoX:hBhOmTsF93UYfwC6GIout7bnX
Malware Config
Signatures
-
Detect Blackmoon payload 46 IoCs
resource yara_rule behavioral1/memory/2052-8-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/772-12-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2940-28-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/580-46-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2724-50-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/3056-67-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2816-82-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2456-107-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2980-117-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1080-119-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/640-136-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1992-144-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1968-154-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2424-162-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1116-188-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2568-192-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2628-206-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/1628-215-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1100-224-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1960-233-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1576-273-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral1/memory/2132-278-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2468-304-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/3020-317-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2140-330-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2660-344-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2688-358-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2688-402-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/1204-415-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1992-428-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1724-448-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1644-518-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2056-568-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/804-575-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/3000-588-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2708-748-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1628-749-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1396-806-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/3004-838-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1336-843-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2000-856-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/640-944-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral1/memory/1440-1010-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2984-1178-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2744-1385-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/3056-1406-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 772 bbtnht.exe 2940 ddjdv.exe 2432 rrlxrxr.exe 580 hthnbt.exe 2724 pjvjp.exe 2684 vpdjp.exe 3056 fxlrrxx.exe 2816 xrfrxlx.exe 2664 btbtbb.exe 2532 hbbnbt.exe 2456 vpddj.exe 2980 rlrxllx.exe 1080 5lrlxfr.exe 640 bbhbtb.exe 1992 hbnbnn.exe 1968 9pdjp.exe 2424 9xrxxfl.exe 1740 btnthh.exe 1640 nhntbt.exe 1116 dddvd.exe 2568 jdjpp.exe 2628 xrxxlrr.exe 1628 fxllrlr.exe 1100 hhbnhh.exe 1960 3jvvd.exe 1800 pjvvp.exe 536 lxflrxf.exe 1940 9thnnn.exe 352 1btbhn.exe 1576 dpvvv.exe 2132 3jpjd.exe 1112 fxlfffr.exe 804 hhbnhh.exe 280 jvvvd.exe 2468 7jdpj.exe 3020 frxrrll.exe 2996 5frxlrf.exe 2140 bttntn.exe 580 nhnhnn.exe 2680 vjppp.exe 2660 9dpdj.exe 2688 xlflflr.exe 2616 xrfxrrl.exe 2816 btnntt.exe 2560 vpvdj.exe 2648 5dddj.exe 2972 xlllrlr.exe 1916 lffrfll.exe 2420 nhhhnn.exe 1892 thhnhh.exe 1204 1jvvv.exe 640 vjjdd.exe 1992 9xfxxxl.exe 1848 xxrxffl.exe 1736 3hhhnt.exe 1572 hbthbb.exe 1724 vpvdv.exe 1640 dpjpd.exe 2136 7xlfffl.exe 2840 lflrxxx.exe 1064 nbntbb.exe 2920 pvvpp.exe 2180 9pvjp.exe 1920 fxlffff.exe -
resource yara_rule behavioral1/memory/2052-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2052-8-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/772-12-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000b0000000120dc-10.dat upx behavioral1/memory/772-14-0x0000000000220000-0x0000000000247000-memory.dmp upx behavioral1/files/0x0007000000019219-19.dat upx behavioral1/memory/2940-28-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000700000001921d-26.dat upx behavioral1/memory/2432-32-0x00000000003C0000-0x00000000003E7000-memory.dmp upx behavioral1/files/0x0007000000019329-36.dat upx behavioral1/memory/580-38-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0006000000019369-47.dat upx behavioral1/memory/580-46-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2724-50-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0006000000019371-56.dat upx behavioral1/files/0x000600000001937b-62.dat upx behavioral1/memory/3056-67-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000800000001938e-73.dat upx behavioral1/memory/2816-82-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00060000000195cc-81.dat upx behavioral1/files/0x000500000001a3ed-89.dat upx behavioral1/files/0x000500000001a423-97.dat upx behavioral1/memory/2456-99-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001a445-108.dat upx behavioral1/memory/2456-107-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001a447-116.dat upx behavioral1/memory/2980-117-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/1080-119-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001a452-126.dat upx behavioral1/memory/640-127-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral1/files/0x000500000001a454-135.dat upx behavioral1/memory/640-136-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/1992-144-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001a463-145.dat upx behavioral1/memory/1968-154-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001a46d-151.dat upx behavioral1/memory/2424-162-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001a470-163.dat upx behavioral1/files/0x000500000001a472-171.dat upx behavioral1/files/0x000500000001a478-179.dat upx behavioral1/memory/1116-188-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001a47c-187.dat upx behavioral1/memory/2568-192-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001a47f-197.dat upx behavioral1/files/0x000500000001a481-204.dat upx behavioral1/memory/1628-215-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001a483-213.dat upx behavioral1/files/0x000500000001a485-222.dat upx behavioral1/memory/1100-224-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001a487-230.dat upx behavioral1/memory/1960-233-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001a489-240.dat upx behavioral1/files/0x000500000001a48b-249.dat upx behavioral1/files/0x000500000001a48d-257.dat upx behavioral1/files/0x000500000001a48f-265.dat upx behavioral1/memory/1576-273-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001a491-274.dat upx behavioral1/files/0x000500000001a493-283.dat upx behavioral1/memory/2468-304-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/3020-310-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/3020-317-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral1/memory/2140-330-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2660-344-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2688-350-0x0000000000400000-0x0000000000427000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7lxfllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpvvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5tnntn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2052 wrote to memory of 772 2052 af3c355b18f2ab1a1c47ab7396a81a093e4f04ca7281d442abb435e4cc3c6460.exe 30 PID 2052 wrote to memory of 772 2052 af3c355b18f2ab1a1c47ab7396a81a093e4f04ca7281d442abb435e4cc3c6460.exe 30 PID 2052 wrote to memory of 772 2052 af3c355b18f2ab1a1c47ab7396a81a093e4f04ca7281d442abb435e4cc3c6460.exe 30 PID 2052 wrote to memory of 772 2052 af3c355b18f2ab1a1c47ab7396a81a093e4f04ca7281d442abb435e4cc3c6460.exe 30 PID 772 wrote to memory of 2940 772 bbtnht.exe 31 PID 772 wrote to memory of 2940 772 bbtnht.exe 31 PID 772 wrote to memory of 2940 772 bbtnht.exe 31 PID 772 wrote to memory of 2940 772 bbtnht.exe 31 PID 2940 wrote to memory of 2432 2940 ddjdv.exe 32 PID 2940 wrote to memory of 2432 2940 ddjdv.exe 32 PID 2940 wrote to memory of 2432 2940 ddjdv.exe 32 PID 2940 wrote to memory of 2432 2940 ddjdv.exe 32 PID 2432 wrote to memory of 580 2432 rrlxrxr.exe 33 PID 2432 wrote to memory of 580 2432 rrlxrxr.exe 33 PID 2432 wrote to memory of 580 2432 rrlxrxr.exe 33 PID 2432 wrote to memory of 580 2432 rrlxrxr.exe 33 PID 580 wrote to memory of 2724 580 hthnbt.exe 34 PID 580 wrote to memory of 2724 580 hthnbt.exe 34 PID 580 wrote to memory of 2724 580 hthnbt.exe 34 PID 580 wrote to memory of 2724 580 hthnbt.exe 34 PID 2724 wrote to memory of 2684 2724 pjvjp.exe 35 PID 2724 wrote to memory of 2684 2724 pjvjp.exe 35 PID 2724 wrote to memory of 2684 2724 pjvjp.exe 35 PID 2724 wrote to memory of 2684 2724 pjvjp.exe 35 PID 2684 wrote to memory of 3056 2684 vpdjp.exe 36 PID 2684 wrote to memory of 3056 2684 vpdjp.exe 36 PID 2684 wrote to memory of 3056 2684 vpdjp.exe 36 PID 2684 wrote to memory of 3056 2684 vpdjp.exe 36 PID 3056 wrote to memory of 2816 3056 fxlrrxx.exe 37 PID 3056 wrote to memory of 2816 3056 fxlrrxx.exe 37 PID 3056 wrote to memory of 2816 3056 fxlrrxx.exe 37 PID 3056 wrote to memory of 2816 3056 fxlrrxx.exe 37 PID 2816 wrote to memory of 2664 2816 xrfrxlx.exe 38 PID 2816 wrote to memory of 2664 2816 
xrfrxlx.exe 38 PID 2816 wrote to memory of 2664 2816 xrfrxlx.exe 38 PID 2816 wrote to memory of 2664 2816 xrfrxlx.exe 38 PID 2664 wrote to memory of 2532 2664 btbtbb.exe 39 PID 2664 wrote to memory of 2532 2664 btbtbb.exe 39 PID 2664 wrote to memory of 2532 2664 btbtbb.exe 39 PID 2664 wrote to memory of 2532 2664 btbtbb.exe 39 PID 2532 wrote to memory of 2456 2532 hbbnbt.exe 40 PID 2532 wrote to memory of 2456 2532 hbbnbt.exe 40 PID 2532 wrote to memory of 2456 2532 hbbnbt.exe 40 PID 2532 wrote to memory of 2456 2532 hbbnbt.exe 40 PID 2456 wrote to memory of 2980 2456 vpddj.exe 41 PID 2456 wrote to memory of 2980 2456 vpddj.exe 41 PID 2456 wrote to memory of 2980 2456 vpddj.exe 41 PID 2456 wrote to memory of 2980 2456 vpddj.exe 41 PID 2980 wrote to memory of 1080 2980 rlrxllx.exe 42 PID 2980 wrote to memory of 1080 2980 rlrxllx.exe 42 PID 2980 wrote to memory of 1080 2980 rlrxllx.exe 42 PID 2980 wrote to memory of 1080 2980 rlrxllx.exe 42 PID 1080 wrote to memory of 640 1080 5lrlxfr.exe 43 PID 1080 wrote to memory of 640 1080 5lrlxfr.exe 43 PID 1080 wrote to memory of 640 1080 5lrlxfr.exe 43 PID 1080 wrote to memory of 640 1080 5lrlxfr.exe 43 PID 640 wrote to memory of 1992 640 bbhbtb.exe 44 PID 640 wrote to memory of 1992 640 bbhbtb.exe 44 PID 640 wrote to memory of 1992 640 bbhbtb.exe 44 PID 640 wrote to memory of 1992 640 bbhbtb.exe 44 PID 1992 wrote to memory of 1968 1992 hbnbnn.exe 45 PID 1992 wrote to memory of 1968 1992 hbnbnn.exe 45 PID 1992 wrote to memory of 1968 1992 hbnbnn.exe 45 PID 1992 wrote to memory of 1968 1992 hbnbnn.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\af3c355b18f2ab1a1c47ab7396a81a093e4f04ca7281d442abb435e4cc3c6460.exe"C:\Users\Admin\AppData\Local\Temp\af3c355b18f2ab1a1c47ab7396a81a093e4f04ca7281d442abb435e4cc3c6460.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2052 -
\??\c:\bbtnht.exec:\bbtnht.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:772 -
\??\c:\ddjdv.exec:\ddjdv.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2940 -
\??\c:\rrlxrxr.exec:\rrlxrxr.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2432 -
\??\c:\hthnbt.exec:\hthnbt.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:580 -
\??\c:\pjvjp.exec:\pjvjp.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2724 -
\??\c:\vpdjp.exec:\vpdjp.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2684 -
\??\c:\fxlrrxx.exec:\fxlrrxx.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3056 -
\??\c:\xrfrxlx.exec:\xrfrxlx.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2816 -
\??\c:\btbtbb.exec:\btbtbb.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2664 -
\??\c:\hbbnbt.exec:\hbbnbt.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2532 -
\??\c:\vpddj.exec:\vpddj.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2456 -
\??\c:\rlrxllx.exec:\rlrxllx.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2980 -
\??\c:\5lrlxfr.exec:\5lrlxfr.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1080 -
\??\c:\bbhbtb.exec:\bbhbtb.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:640 -
\??\c:\hbnbnn.exec:\hbnbnn.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1992 -
\??\c:\9pdjp.exec:\9pdjp.exe17⤵
- Executes dropped EXE
PID:1968 -
\??\c:\9xrxxfl.exec:\9xrxxfl.exe18⤵
- Executes dropped EXE
PID:2424 -
\??\c:\btnthh.exec:\btnthh.exe19⤵
- Executes dropped EXE
PID:1740 -
\??\c:\nhntbt.exec:\nhntbt.exe20⤵
- Executes dropped EXE
PID:1640 -
\??\c:\dddvd.exec:\dddvd.exe21⤵
- Executes dropped EXE
PID:1116 -
\??\c:\jdjpp.exec:\jdjpp.exe22⤵
- Executes dropped EXE
PID:2568 -
\??\c:\xrxxlrr.exec:\xrxxlrr.exe23⤵
- Executes dropped EXE
PID:2628 -
\??\c:\fxllrlr.exec:\fxllrlr.exe24⤵
- Executes dropped EXE
PID:1628 -
\??\c:\hhbnhh.exec:\hhbnhh.exe25⤵
- Executes dropped EXE
PID:1100 -
\??\c:\3jvvd.exec:\3jvvd.exe26⤵
- Executes dropped EXE
PID:1960 -
\??\c:\pjvvp.exec:\pjvvp.exe27⤵
- Executes dropped EXE
PID:1800 -
\??\c:\lxflrxf.exec:\lxflrxf.exe28⤵
- Executes dropped EXE
PID:536 -
\??\c:\9thnnn.exec:\9thnnn.exe29⤵
- Executes dropped EXE
PID:1940 -
\??\c:\1btbhn.exec:\1btbhn.exe30⤵
- Executes dropped EXE
PID:352 -
\??\c:\dpvvv.exec:\dpvvv.exe31⤵
- Executes dropped EXE
PID:1576 -
\??\c:\3jpjd.exec:\3jpjd.exe32⤵
- Executes dropped EXE
PID:2132 -
\??\c:\fxlfffr.exec:\fxlfffr.exe33⤵
- Executes dropped EXE
PID:1112 -
\??\c:\hhbnhh.exec:\hhbnhh.exe34⤵
- Executes dropped EXE
PID:804 -
\??\c:\jvvvd.exec:\jvvvd.exe35⤵
- Executes dropped EXE
PID:280 -
\??\c:\7jdpj.exec:\7jdpj.exe36⤵
- Executes dropped EXE
PID:2468 -
\??\c:\frxrrll.exec:\frxrrll.exe37⤵
- Executes dropped EXE
PID:3020 -
\??\c:\5frxlrf.exec:\5frxlrf.exe38⤵
- Executes dropped EXE
PID:2996 -
\??\c:\bttntn.exec:\bttntn.exe39⤵
- Executes dropped EXE
PID:2140 -
\??\c:\nhnhnn.exec:\nhnhnn.exe40⤵
- Executes dropped EXE
PID:580 -
\??\c:\vjppp.exec:\vjppp.exe41⤵
- Executes dropped EXE
PID:2680 -
\??\c:\9dpdj.exec:\9dpdj.exe42⤵
- Executes dropped EXE
PID:2660 -
\??\c:\xlflflr.exec:\xlflflr.exe43⤵
- Executes dropped EXE
PID:2688 -
\??\c:\xrfxrrl.exec:\xrfxrrl.exe44⤵
- Executes dropped EXE
PID:2616 -
\??\c:\btnntt.exec:\btnntt.exe45⤵
- Executes dropped EXE
PID:2816 -
\??\c:\vpvdj.exec:\vpvdj.exe46⤵
- Executes dropped EXE
PID:2560 -
\??\c:\5dddj.exec:\5dddj.exe47⤵
- Executes dropped EXE
PID:2648 -
\??\c:\xlllrlr.exec:\xlllrlr.exe48⤵
- Executes dropped EXE
PID:2972 -
\??\c:\lffrfll.exec:\lffrfll.exe49⤵
- Executes dropped EXE
PID:1916 -
\??\c:\nhhhnn.exec:\nhhhnn.exe50⤵
- Executes dropped EXE
PID:2420 -
\??\c:\thhnhh.exec:\thhnhh.exe51⤵
- Executes dropped EXE
PID:1892 -
\??\c:\1jvvv.exec:\1jvvv.exe52⤵
- Executes dropped EXE
PID:1204 -
\??\c:\vjjdd.exec:\vjjdd.exe53⤵
- Executes dropped EXE
PID:640 -
\??\c:\9xfxxxl.exec:\9xfxxxl.exe54⤵
- Executes dropped EXE
PID:1992 -
\??\c:\xxrxffl.exec:\xxrxffl.exe55⤵
- Executes dropped EXE
PID:1848 -
\??\c:\3hhhnt.exec:\3hhhnt.exe56⤵
- Executes dropped EXE
PID:1736 -
\??\c:\hbthbb.exec:\hbthbb.exe57⤵
- Executes dropped EXE
PID:1572 -
\??\c:\vpvdv.exec:\vpvdv.exe58⤵
- Executes dropped EXE
PID:1724 -
\??\c:\dpjpd.exec:\dpjpd.exe59⤵
- Executes dropped EXE
PID:1640 -
\??\c:\7xlfffl.exec:\7xlfffl.exe60⤵
- Executes dropped EXE
PID:2136 -
\??\c:\lflrxxx.exec:\lflrxxx.exe61⤵
- Executes dropped EXE
PID:2840 -
\??\c:\nbntbb.exec:\nbntbb.exe62⤵
- Executes dropped EXE
PID:1064 -
\??\c:\pvvpp.exec:\pvvpp.exe63⤵
- Executes dropped EXE
PID:2920 -
\??\c:\9pvjp.exec:\9pvjp.exe64⤵
- Executes dropped EXE
PID:2180 -
\??\c:\fxlffff.exec:\fxlffff.exe65⤵
- Executes dropped EXE
PID:1920 -
\??\c:\rrxfrxf.exec:\rrxfrxf.exe66⤵PID:1668
-
\??\c:\hntttb.exec:\hntttb.exe67⤵PID:276
-
\??\c:\hbthht.exec:\hbthht.exe68⤵PID:1956
-
\??\c:\dvdjv.exec:\dvdjv.exe69⤵PID:1644
-
\??\c:\9pdvd.exec:\9pdvd.exe70⤵PID:2248
-
\??\c:\rrxffxr.exec:\rrxffxr.exe71⤵PID:880
-
\??\c:\5thhbb.exec:\5thhbb.exe72⤵PID:1396
-
\??\c:\pjvvv.exec:\pjvvv.exe73⤵PID:3028
-
\??\c:\llllrlf.exec:\llllrlf.exe74⤵PID:2276
-
\??\c:\rlrrxxf.exec:\rlrrxxf.exe75⤵PID:2488
-
\??\c:\hbbbht.exec:\hbbbht.exe76⤵PID:2056
-
\??\c:\5tnntn.exec:\5tnntn.exe77⤵
- System Location Discovery: System Language Discovery
PID:804 -
\??\c:\dpvjj.exec:\dpvjj.exe78⤵PID:1336
-
\??\c:\pdpjv.exec:\pdpjv.exe79⤵PID:3000
-
\??\c:\rfrrxlf.exec:\rfrrxlf.exe80⤵PID:2000
-
\??\c:\7lxfllf.exec:\7lxfllf.exe81⤵
- System Location Discovery: System Language Discovery
PID:2656 -
\??\c:\bnnnhb.exec:\bnnnhb.exe82⤵PID:2764
-
\??\c:\ttbhbh.exec:\ttbhbh.exe83⤵PID:2760
-
\??\c:\9dppv.exec:\9dppv.exe84⤵PID:2408
-
\??\c:\jvdpd.exec:\jvdpd.exe85⤵PID:2660
-
\??\c:\rlffllr.exec:\rlffllr.exe86⤵PID:2792
-
\??\c:\7lrlrxl.exec:\7lrlrxl.exe87⤵PID:2852
-
\??\c:\bntbbh.exec:\bntbbh.exe88⤵PID:2664
-
\??\c:\jjdjd.exec:\jjdjd.exe89⤵PID:2524
-
\??\c:\lfxxfll.exec:\lfxxfll.exe90⤵PID:2004
-
\??\c:\bnhbtb.exec:\bnhbtb.exe91⤵PID:1636
-
\??\c:\hbtntb.exec:\hbtntb.exe92⤵PID:1860
-
\??\c:\dpvpv.exec:\dpvpv.exe93⤵PID:1656
-
\??\c:\flffxxf.exec:\flffxxf.exe94⤵PID:1268
-
\??\c:\fxlllfl.exec:\fxlllfl.exe95⤵PID:2316
-
\??\c:\tnbnhb.exec:\tnbnhb.exe96⤵PID:2340
-
\??\c:\hbnhnh.exec:\hbnhnh.exe97⤵PID:1968
-
\??\c:\9vdjd.exec:\9vdjd.exe98⤵PID:1788
-
\??\c:\jvvvp.exec:\jvvvp.exe99⤵PID:1736
-
\??\c:\jvvvd.exec:\jvvvd.exe100⤵PID:1572
-
\??\c:\rrllfff.exec:\rrllfff.exe101⤵PID:2872
-
\??\c:\fxxxxxl.exec:\fxxxxxl.exe102⤵PID:1640
-
\??\c:\1nntnt.exec:\1nntnt.exe103⤵PID:1900
-
\??\c:\7hnnnn.exec:\7hnnnn.exe104⤵PID:2776
-
\??\c:\1jjjj.exec:\1jjjj.exe105⤵PID:2708
-
\??\c:\rfllxlx.exec:\rfllxlx.exe106⤵PID:1628
-
\??\c:\fxrxlfr.exec:\fxrxlfr.exe107⤵PID:2184
-
\??\c:\5hthtb.exec:\5hthtb.exe108⤵PID:1920
-
\??\c:\bbnnhh.exec:\bbnnhh.exe109⤵PID:1668
-
\??\c:\dvjpd.exec:\dvjpd.exe110⤵PID:276
-
\??\c:\jjvjj.exec:\jjvjj.exe111⤵PID:3032
-
\??\c:\3fxflxf.exec:\3fxflxf.exe112⤵PID:2320
-
\??\c:\xxrrxfr.exec:\xxrrxfr.exe113⤵PID:2248
-
\??\c:\tnttbb.exec:\tnttbb.exe114⤵PID:2088
-
\??\c:\tnbhtt.exec:\tnbhtt.exe115⤵PID:1396
-
\??\c:\1pdpd.exec:\1pdpd.exe116⤵PID:1576
-
\??\c:\3djpd.exec:\3djpd.exe117⤵PID:1500
-
\??\c:\fxrlllf.exec:\fxrlllf.exe118⤵PID:2488
-
\??\c:\9lxxrxf.exec:\9lxxrxf.exe119⤵PID:1540
-
\??\c:\xflfxrr.exec:\xflfxrr.exe120⤵PID:3004
-
\??\c:\thhnnn.exec:\thhnnn.exe121⤵PID:1336
-
\??\c:\9btbhn.exec:\9btbhn.exe122⤵PID:3016
-