Analysis
-
max time kernel
150s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
23-12-2024 05:09
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
fe676b0c320473c2e2939f793de5a3d89bf0067c9b87fb4cede7d120043a60b9.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
150 seconds
General
-
Target
fe676b0c320473c2e2939f793de5a3d89bf0067c9b87fb4cede7d120043a60b9.exe
-
Size
453KB
-
MD5
21f7f1bb95bfc7466f96b95b89014e35
-
SHA1
ef7c775bd3be2c8c01fcb19408178bf59b0d2d16
-
SHA256
fe676b0c320473c2e2939f793de5a3d89bf0067c9b87fb4cede7d120043a60b9
-
SHA512
b240ad4d4537e68cc99da80459875933fee94002e72675966704693e5cb23697aba1fffd20e776ed287e77e3bb9cbe1ffdd6a4545f5a870784e58913e675e742
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbea:q7Tc2NYHUrAwfMp3CDa
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 43 IoCs
resource yara_rule behavioral1/memory/2216-10-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2056-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2232-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2552-38-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2720-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2816-59-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2332-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2156-98-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2648-95-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1576-114-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1136-125-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1712-134-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1420-143-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1608-152-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1004-172-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2928-175-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1004-168-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/600-207-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1820-216-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/108-229-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2008-225-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2148-262-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/348-280-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2536-322-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1804-391-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2028-404-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2064-484-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2284-485-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2980-498-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1816-507-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/976-512-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/976-519-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/2824-611-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2724-618-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2516-701-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2676-705-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2676-710-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2452-729-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/1956-764-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2508-782-0x0000000000330000-0x000000000035A000-memory.dmp family_blackmoon behavioral1/memory/884-826-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2752-905-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon 
behavioral1/memory/2836-1201-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2056 7ntttt.exe 2232 5vdvv.exe 2552 jdjdj.exe 2720 hbtbnn.exe 2816 pjdvj.exe 2332 xlxrxfr.exe 2844 1dvdp.exe 2884 xxlrfrx.exe 2648 bbnnhh.exe 2156 jjvdd.exe 1576 xrlrllx.exe 1136 fxxrxfr.exe 1712 llxrrxf.exe 1420 1frrrff.exe 1608 nhtbtb.exe 1368 lxlllfl.exe 1004 5pvjp.exe 2928 vdvdp.exe 2924 xrrxffr.exe 448 tttbbn.exe 600 5jpvj.exe 1820 xlxfxxx.exe 2008 dpdjd.exe 108 tnbbbn.exe 1780 1bhhht.exe 236 flflrrf.exe 2140 bnbbtt.exe 2148 rlflxxr.exe 832 tthhtt.exe 348 3jpjp.exe 1456 9xllxfx.exe 2356 vppvj.exe 2056 1xffxff.exe 2164 bhnntt.exe 2536 pdppv.exe 2204 vdjvv.exe 2828 rlxrxxf.exe 2724 tbnthh.exe 2768 jvjvv.exe 2888 5jppp.exe 2956 lfrfflr.exe 2932 lrfxxxx.exe 2788 ntnhhh.exe 2620 dvjjj.exe 2648 5jjdj.exe 1804 rrfllff.exe 3060 thhhnn.exe 2028 5nnhhh.exe 2392 3vdvd.exe 1844 xrllrlr.exe 1784 bntntt.exe 1268 hthhhb.exe 1376 dvvvj.exe 2792 djvpp.exe 1368 rlxxxxr.exe 1348 1nhbbb.exe 2024 7nhbtt.exe 788 jjvvv.exe 2460 rllfffl.exe 824 lfrlrll.exe 2064 5ttttt.exe 2284 tthhnn.exe 2980 vjpvj.exe 1732 llxrxxx.exe -
resource yara_rule behavioral1/memory/2216-10-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2056-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2552-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2232-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2720-41-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2552-38-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2720-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2816-59-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2332-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2156-98-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2648-95-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1576-114-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1136-125-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1712-134-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1420-135-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1420-143-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1608-152-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1004-172-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2928-175-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/600-207-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1820-216-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/108-229-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2008-225-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2148-262-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/348-280-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2536-322-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1804-391-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2028-404-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/788-479-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2064-484-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2284-485-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2980-498-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1816-507-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/976-512-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2964-526-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2824-611-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2724-618-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2784-650-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2784-671-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2516-676-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1956-742-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1212-755-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1956-764-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2848-769-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/884-826-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2752-905-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/668-1031-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/892-1045-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2896-1144-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2936-1157-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrlrllx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1fxxxlx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvpjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvvpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rllfffl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhnnbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1vpvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hthhhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjvvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrllxrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9jpjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9jdvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1frrrrx.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2216 wrote to memory of 2056 2216 fe676b0c320473c2e2939f793de5a3d89bf0067c9b87fb4cede7d120043a60b9.exe 30 PID 2216 wrote to memory of 2056 2216 fe676b0c320473c2e2939f793de5a3d89bf0067c9b87fb4cede7d120043a60b9.exe 30 PID 2216 wrote to memory of 2056 2216 fe676b0c320473c2e2939f793de5a3d89bf0067c9b87fb4cede7d120043a60b9.exe 30 PID 2216 wrote to memory of 2056 2216 fe676b0c320473c2e2939f793de5a3d89bf0067c9b87fb4cede7d120043a60b9.exe 30 PID 2056 wrote to memory of 2232 2056 7ntttt.exe 31 PID 2056 wrote to memory of 2232 2056 7ntttt.exe 31 PID 2056 wrote to memory of 2232 2056 7ntttt.exe 31 PID 2056 wrote to memory of 2232 2056 7ntttt.exe 31 PID 2232 wrote to memory of 2552 2232 5vdvv.exe 32 PID 2232 wrote to memory of 2552 2232 5vdvv.exe 32 PID 2232 wrote to memory of 2552 2232 5vdvv.exe 32 PID 2232 wrote to memory of 2552 2232 5vdvv.exe 32 PID 2552 wrote to memory of 2720 2552 jdjdj.exe 34 PID 2552 wrote to memory of 2720 2552 jdjdj.exe 34 PID 2552 wrote to memory of 2720 2552 jdjdj.exe 34 PID 2552 wrote to memory of 2720 2552 jdjdj.exe 34 PID 2720 wrote to memory of 2816 2720 hbtbnn.exe 35 PID 2720 wrote to memory of 2816 2720 hbtbnn.exe 35 PID 2720 wrote to memory of 2816 2720 hbtbnn.exe 35 PID 2720 wrote to memory of 2816 2720 hbtbnn.exe 35 PID 2816 wrote to memory of 2332 2816 pjdvj.exe 36 PID 2816 wrote to memory of 2332 2816 pjdvj.exe 36 PID 2816 wrote to memory of 2332 2816 pjdvj.exe 36 PID 2816 wrote to memory of 2332 2816 pjdvj.exe 36 PID 2332 wrote to memory of 2844 2332 xlxrxfr.exe 37 PID 2332 wrote to memory of 2844 2332 xlxrxfr.exe 37 PID 2332 wrote to memory of 2844 2332 xlxrxfr.exe 37 PID 2332 wrote to memory of 2844 2332 xlxrxfr.exe 37 PID 2844 wrote to memory of 2884 2844 1dvdp.exe 38 PID 2844 wrote to memory of 2884 2844 1dvdp.exe 38 PID 2844 wrote to memory of 2884 2844 1dvdp.exe 38 PID 2844 wrote to memory of 2884 2844 1dvdp.exe 38 PID 2884 wrote to memory of 2648 2884 xxlrfrx.exe 39 PID 2884 wrote to memory 
of 2648 2884 xxlrfrx.exe 39 PID 2884 wrote to memory of 2648 2884 xxlrfrx.exe 39 PID 2884 wrote to memory of 2648 2884 xxlrfrx.exe 39 PID 2648 wrote to memory of 2156 2648 bbnnhh.exe 40 PID 2648 wrote to memory of 2156 2648 bbnnhh.exe 40 PID 2648 wrote to memory of 2156 2648 bbnnhh.exe 40 PID 2648 wrote to memory of 2156 2648 bbnnhh.exe 40 PID 2156 wrote to memory of 1576 2156 jjvdd.exe 41 PID 2156 wrote to memory of 1576 2156 jjvdd.exe 41 PID 2156 wrote to memory of 1576 2156 jjvdd.exe 41 PID 2156 wrote to memory of 1576 2156 jjvdd.exe 41 PID 1576 wrote to memory of 1136 1576 xrlrllx.exe 42 PID 1576 wrote to memory of 1136 1576 xrlrllx.exe 42 PID 1576 wrote to memory of 1136 1576 xrlrllx.exe 42 PID 1576 wrote to memory of 1136 1576 xrlrllx.exe 42 PID 1136 wrote to memory of 1712 1136 fxxrxfr.exe 43 PID 1136 wrote to memory of 1712 1136 fxxrxfr.exe 43 PID 1136 wrote to memory of 1712 1136 fxxrxfr.exe 43 PID 1136 wrote to memory of 1712 1136 fxxrxfr.exe 43 PID 1712 wrote to memory of 1420 1712 llxrrxf.exe 44 PID 1712 wrote to memory of 1420 1712 llxrrxf.exe 44 PID 1712 wrote to memory of 1420 1712 llxrrxf.exe 44 PID 1712 wrote to memory of 1420 1712 llxrrxf.exe 44 PID 1420 wrote to memory of 1608 1420 1frrrff.exe 45 PID 1420 wrote to memory of 1608 1420 1frrrff.exe 45 PID 1420 wrote to memory of 1608 1420 1frrrff.exe 45 PID 1420 wrote to memory of 1608 1420 1frrrff.exe 45 PID 1608 wrote to memory of 1368 1608 nhtbtb.exe 46 PID 1608 wrote to memory of 1368 1608 nhtbtb.exe 46 PID 1608 wrote to memory of 1368 1608 nhtbtb.exe 46 PID 1608 wrote to memory of 1368 1608 nhtbtb.exe 46
Processes
-
C:\Users\Admin\AppData\Local\Temp\fe676b0c320473c2e2939f793de5a3d89bf0067c9b87fb4cede7d120043a60b9.exe"C:\Users\Admin\AppData\Local\Temp\fe676b0c320473c2e2939f793de5a3d89bf0067c9b87fb4cede7d120043a60b9.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2216 -
\??\c:\7ntttt.exec:\7ntttt.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2056 -
\??\c:\5vdvv.exec:\5vdvv.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2232 -
\??\c:\jdjdj.exec:\jdjdj.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2552 -
\??\c:\hbtbnn.exec:\hbtbnn.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2720 -
\??\c:\pjdvj.exec:\pjdvj.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2816 -
\??\c:\xlxrxfr.exec:\xlxrxfr.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2332 -
\??\c:\1dvdp.exec:\1dvdp.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2844 -
\??\c:\xxlrfrx.exec:\xxlrfrx.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2884 -
\??\c:\bbnnhh.exec:\bbnnhh.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2648 -
\??\c:\jjvdd.exec:\jjvdd.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2156 -
\??\c:\xrlrllx.exec:\xrlrllx.exe12⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1576 -
\??\c:\fxxrxfr.exec:\fxxrxfr.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1136 -
\??\c:\llxrrxf.exec:\llxrrxf.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1712 -
\??\c:\1frrrff.exec:\1frrrff.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1420 -
\??\c:\nhtbtb.exec:\nhtbtb.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1608 -
\??\c:\lxlllfl.exec:\lxlllfl.exe17⤵
- Executes dropped EXE
PID:1368 -
\??\c:\5pvjp.exec:\5pvjp.exe18⤵
- Executes dropped EXE
PID:1004 -
\??\c:\vdvdp.exec:\vdvdp.exe19⤵
- Executes dropped EXE
PID:2928 -
\??\c:\xrrxffr.exec:\xrrxffr.exe20⤵
- Executes dropped EXE
PID:2924 -
\??\c:\tttbbn.exec:\tttbbn.exe21⤵
- Executes dropped EXE
PID:448 -
\??\c:\5jpvj.exec:\5jpvj.exe22⤵
- Executes dropped EXE
PID:600 -
\??\c:\xlxfxxx.exec:\xlxfxxx.exe23⤵
- Executes dropped EXE
PID:1820 -
\??\c:\dpdjd.exec:\dpdjd.exe24⤵
- Executes dropped EXE
PID:2008 -
\??\c:\tnbbbn.exec:\tnbbbn.exe25⤵
- Executes dropped EXE
PID:108 -
\??\c:\1bhhht.exec:\1bhhht.exe26⤵
- Executes dropped EXE
PID:1780 -
\??\c:\flflrrf.exec:\flflrrf.exe27⤵
- Executes dropped EXE
PID:236 -
\??\c:\bnbbtt.exec:\bnbbtt.exe28⤵
- Executes dropped EXE
PID:2140 -
\??\c:\rlflxxr.exec:\rlflxxr.exe29⤵
- Executes dropped EXE
PID:2148 -
\??\c:\tthhtt.exec:\tthhtt.exe30⤵
- Executes dropped EXE
PID:832 -
\??\c:\3jpjp.exec:\3jpjp.exe31⤵
- Executes dropped EXE
PID:348 -
\??\c:\9xllxfx.exec:\9xllxfx.exe32⤵
- Executes dropped EXE
PID:1456 -
\??\c:\vppvj.exec:\vppvj.exe33⤵
- Executes dropped EXE
PID:2356 -
\??\c:\1xffxff.exec:\1xffxff.exe34⤵
- Executes dropped EXE
PID:2056 -
\??\c:\bhnntt.exec:\bhnntt.exe35⤵
- Executes dropped EXE
PID:2164 -
\??\c:\pdppv.exec:\pdppv.exe36⤵
- Executes dropped EXE
PID:2536 -
\??\c:\vdjvv.exec:\vdjvv.exe37⤵
- Executes dropped EXE
PID:2204 -
\??\c:\rlxrxxf.exec:\rlxrxxf.exe38⤵
- Executes dropped EXE
PID:2828 -
\??\c:\tbnthh.exec:\tbnthh.exe39⤵
- Executes dropped EXE
PID:2724 -
\??\c:\jvjvv.exec:\jvjvv.exe40⤵
- Executes dropped EXE
PID:2768 -
\??\c:\5jppp.exec:\5jppp.exe41⤵
- Executes dropped EXE
PID:2888 -
\??\c:\lfrfflr.exec:\lfrfflr.exe42⤵
- Executes dropped EXE
PID:2956 -
\??\c:\lrfxxxx.exec:\lrfxxxx.exe43⤵
- Executes dropped EXE
PID:2932 -
\??\c:\ntnhhh.exec:\ntnhhh.exe44⤵
- Executes dropped EXE
PID:2788 -
\??\c:\dvjjj.exec:\dvjjj.exe45⤵
- Executes dropped EXE
PID:2620 -
\??\c:\5jjdj.exec:\5jjdj.exe46⤵
- Executes dropped EXE
PID:2648 -
\??\c:\rrfllff.exec:\rrfllff.exe47⤵
- Executes dropped EXE
PID:1804 -
\??\c:\thhhnn.exec:\thhhnn.exe48⤵
- Executes dropped EXE
PID:3060 -
\??\c:\5nnhhh.exec:\5nnhhh.exe49⤵
- Executes dropped EXE
PID:2028 -
\??\c:\3vdvd.exec:\3vdvd.exe50⤵
- Executes dropped EXE
PID:2392 -
\??\c:\xrllrlr.exec:\xrllrlr.exe51⤵
- Executes dropped EXE
PID:1844 -
\??\c:\bntntt.exec:\bntntt.exe52⤵
- Executes dropped EXE
PID:1784 -
\??\c:\hthhhb.exec:\hthhhb.exe53⤵
- Executes dropped EXE
PID:1268 -
\??\c:\dvvvj.exec:\dvvvj.exe54⤵
- Executes dropped EXE
PID:1376 -
\??\c:\djvpp.exec:\djvpp.exe55⤵
- Executes dropped EXE
PID:2792 -
\??\c:\rlxxxxr.exec:\rlxxxxr.exe56⤵
- Executes dropped EXE
PID:1368 -
\??\c:\1nhbbb.exec:\1nhbbb.exe57⤵
- Executes dropped EXE
PID:1348 -
\??\c:\7nhbtt.exec:\7nhbtt.exe58⤵
- Executes dropped EXE
PID:2024 -
\??\c:\jjvvv.exec:\jjvvv.exe59⤵
- Executes dropped EXE
PID:788 -
\??\c:\rllfffl.exec:\rllfffl.exe60⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2460 -
\??\c:\lfrlrll.exec:\lfrlrll.exe61⤵
- Executes dropped EXE
PID:824 -
\??\c:\5ttttt.exec:\5ttttt.exe62⤵
- Executes dropped EXE
PID:2064 -
\??\c:\tthhnn.exec:\tthhnn.exe63⤵
- Executes dropped EXE
PID:2284 -
\??\c:\vjpvj.exec:\vjpvj.exe64⤵
- Executes dropped EXE
PID:2980 -
\??\c:\llxrxxx.exec:\llxrxxx.exe65⤵
- Executes dropped EXE
PID:1732 -
\??\c:\xxrxxrf.exec:\xxrxxrf.exe66⤵PID:1816
-
\??\c:\nbhbnt.exec:\nbhbnt.exe67⤵PID:976
-
\??\c:\jjvvd.exec:\jjvvd.exe68⤵PID:1664
-
\??\c:\rfrlllx.exec:\rfrlllx.exe69⤵PID:2964
-
\??\c:\rflfrrr.exec:\rflfrrr.exe70⤵PID:1076
-
\??\c:\9nbbbb.exec:\9nbbbb.exe71⤵PID:2148
-
\??\c:\jvjpv.exec:\jvjpv.exe72⤵PID:2296
-
\??\c:\1pvpp.exec:\1pvpp.exe73⤵PID:872
-
\??\c:\1rlrlfl.exec:\1rlrlfl.exe74⤵PID:2132
-
\??\c:\hthnnb.exec:\hthnnb.exe75⤵PID:2216
-
\??\c:\hbnbbh.exec:\hbnbbh.exe76⤵PID:2200
-
\??\c:\pdjdv.exec:\pdjdv.exe77⤵PID:1584
-
\??\c:\vpvvj.exec:\vpvvj.exe78⤵PID:2072
-
\??\c:\xrllxrf.exec:\xrllxrf.exe79⤵
- System Location Discovery: System Language Discovery
PID:2904 -
\??\c:\bnhnbn.exec:\bnhnbn.exe80⤵PID:2536
-
\??\c:\bthtbb.exec:\bthtbb.exe81⤵PID:2204
-
\??\c:\jvdvp.exec:\jvdvp.exe82⤵PID:2824
-
\??\c:\rllxflr.exec:\rllxflr.exe83⤵PID:2724
-
\??\c:\xxlrxfx.exec:\xxlrxfx.exe84⤵PID:2768
-
\??\c:\thttnt.exec:\thttnt.exe85⤵PID:2544
-
\??\c:\5ppvj.exec:\5ppvj.exe86⤵PID:2408
-
\??\c:\9dpjj.exec:\9dpjj.exe87⤵PID:2692
-
\??\c:\lxrxffl.exec:\lxrxffl.exe88⤵PID:2628
-
\??\c:\bthhbb.exec:\bthhbb.exe89⤵PID:2784
-
\??\c:\3bnbhn.exec:\3bnbhn.exe90⤵PID:2004
-
\??\c:\ppjvd.exec:\ppjvd.exe91⤵PID:1484
-
\??\c:\fffrlxr.exec:\fffrlxr.exe92⤵PID:3060
-
\??\c:\bbnntb.exec:\bbnntb.exe93⤵PID:2516
-
\??\c:\5jddj.exec:\5jddj.exe94⤵PID:1684
-
\??\c:\dvjjp.exec:\dvjjp.exe95⤵PID:2520
-
\??\c:\frffrrr.exec:\frffrrr.exe96⤵PID:1980
-
\??\c:\tnhhtn.exec:\tnhhtn.exe97⤵PID:2676
-
\??\c:\vvpvj.exec:\vvpvj.exe98⤵PID:1012
-
\??\c:\ffrfrrf.exec:\ffrfrrf.exe99⤵PID:3012
-
\??\c:\llfflrf.exec:\llfflrf.exe100⤵PID:2452
-
\??\c:\3thhnt.exec:\3thhnt.exe101⤵PID:852
-
\??\c:\3pvpj.exec:\3pvpj.exe102⤵PID:1672
-
\??\c:\jdpdp.exec:\jdpdp.exe103⤵PID:1956
-
\??\c:\ffrrrrr.exec:\ffrrrrr.exe104⤵PID:824
-
\??\c:\tnhntt.exec:\tnhntt.exe105⤵PID:1212
-
\??\c:\hhnnbt.exec:\hhnnbt.exe106⤵
- System Location Discovery: System Language Discovery
PID:1604 -
\??\c:\5jvdd.exec:\5jvdd.exe107⤵PID:2848
-
\??\c:\fxxflrf.exec:\fxxflrf.exe108⤵PID:2508
-
\??\c:\hhntbb.exec:\hhntbb.exe109⤵PID:1816
-
\??\c:\9bhbbh.exec:\9bhbbh.exe110⤵PID:1656
-
\??\c:\vpddd.exec:\vpddd.exe111⤵PID:2952
-
\??\c:\llflxxl.exec:\llflxxl.exe112⤵PID:1716
-
\??\c:\9rllrxf.exec:\9rllrxf.exe113⤵PID:1068
-
\??\c:\thbbnt.exec:\thbbnt.exe114⤵PID:2448
-
\??\c:\vvjjv.exec:\vvjjv.exe115⤵PID:884
-
\??\c:\rlxlxlr.exec:\rlxlxlr.exe116⤵PID:2336
-
\??\c:\5htthh.exec:\5htthh.exe117⤵PID:2432
-
\??\c:\hthnbb.exec:\hthnbb.exe118⤵PID:2248
-
\??\c:\pjpjv.exec:\pjpjv.exe119⤵PID:2068
-
\??\c:\7dppv.exec:\7dppv.exe120⤵PID:2056
-
\??\c:\1fxxxlx.exec:\1fxxxlx.exe121⤵
- System Location Discovery: System Language Discovery
PID:2232 -
\??\c:\1bnnnn.exec:\1bnnnn.exe122⤵PID:2548