Analysis
-
max time kernel
150s -
max time network
117s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
23-12-2024 19:34
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
11ecf8d25ce7007f207c0d1f2323ce60577a183d1ec9830c53798b42f8fdd06a.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
150 seconds
General
-
Target
11ecf8d25ce7007f207c0d1f2323ce60577a183d1ec9830c53798b42f8fdd06a.exe
-
Size
454KB
-
MD5
26e47a741468ae2447aef83a6c757333
-
SHA1
67b02a8d491a13031954390fd8a9582871f85c92
-
SHA256
11ecf8d25ce7007f207c0d1f2323ce60577a183d1ec9830c53798b42f8fdd06a
-
SHA512
05d40185474e5a31b99516b60af9e2c528e00fce7979564ce9c1eefa7033cea75c3d3e01721bbdd0a0f8e672f0d3e2ac47cbae7be11aabc39b0f04574a596c15
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeH2:q7Tc2NYHUrAwfMp3CDH2
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 51 IoCs
resource yara_rule behavioral1/memory/1884-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1972-9-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2372-32-0x00000000002B0000-0x00000000002DA000-memory.dmp family_blackmoon behavioral1/memory/1992-27-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2372-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2172-52-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2380-49-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2772-70-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2160-89-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2704-97-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1820-125-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1820-127-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2840-131-0x0000000000330000-0x000000000035A000-memory.dmp family_blackmoon behavioral1/memory/2840-137-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2392-146-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/780-150-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1948-172-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1948-171-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1660-182-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/372-187-0x0000000000230000-0x000000000025A000-memory.dmp family_blackmoon behavioral1/memory/372-191-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2248-204-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2448-208-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/1720-241-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1720-244-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1064-266-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1744-290-0x00000000003D0000-0x00000000003FA000-memory.dmp family_blackmoon behavioral1/memory/2076-299-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2076-300-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/1584-310-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3036-317-0x00000000002A0000-0x00000000002CA000-memory.dmp family_blackmoon behavioral1/memory/2796-355-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2720-362-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2972-369-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2564-404-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2860-402-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1348-442-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/524-449-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2140-490-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2548-516-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2952-523-0x00000000002A0000-0x00000000002CA000-memory.dmp family_blackmoon behavioral1/memory/2304-549-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon 
behavioral1/memory/1040-559-0x0000000000230000-0x000000000025A000-memory.dmp family_blackmoon behavioral1/memory/2748-630-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/2568-664-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1144-713-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2176-750-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2216-835-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/896-851-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/896-848-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/2524-863-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1884 bbntbt.exe 1992 vvvpd.exe 2372 lfxxlrl.exe 2380 1bttbt.exe 2172 vjdvj.exe 2772 9rxfrlx.exe 2692 vdjjp.exe 2160 fxrrllx.exe 2704 vvjpj.exe 2564 nbnnnn.exe 3048 3vjjp.exe 1820 xlxllfl.exe 2840 jjvpp.exe 2392 7xlflrx.exe 780 pdddd.exe 1004 lfxrrrr.exe 1948 dpddd.exe 1660 5fllfxl.exe 372 jdppd.exe 2248 xrxfrxx.exe 2448 dpvpv.exe 2320 xlfrxxl.exe 2452 jjvvd.exe 1380 9lxrxxf.exe 1720 llxfffr.exe 2988 htnntt.exe 1064 rxxxlfl.exe 1332 htbbnh.exe 2216 pjdjj.exe 1744 lxffxxx.exe 2076 hthnnn.exe 1584 rlllrrf.exe 3036 tnttbt.exe 2376 vjvjv.exe 1428 frxrxrl.exe 2008 lxlfrrx.exe 2660 btbhnn.exe 2708 5vjpv.exe 2796 djvvd.exe 2720 xrrrrll.exe 2972 hthbbb.exe 2872 3bhbnn.exe 2860 1vddd.exe 2788 fxffffr.exe 2612 nbtbhh.exe 2564 3tnnnn.exe 1316 jvdvv.exe 568 lxlfllf.exe 2472 1bhtnh.exe 1108 nbnntn.exe 776 dpvpj.exe 1348 vjppp.exe 524 9rfxxrx.exe 1004 tnhhth.exe 1948 djpjd.exe 2940 pjppv.exe 2932 3frxxxx.exe 2924 tbbbhh.exe 2140 hbhhhb.exe 2088 vjvdj.exe 2952 lxxrxxf.exe 2452 fxfflff.exe 2548 tntttn.exe 1812 5vdvv.exe -
resource yara_rule behavioral1/memory/1884-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1972-9-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1992-27-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2372-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2172-52-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2380-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2772-70-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2160-89-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2704-97-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3048-109-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1820-127-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2840-137-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2392-146-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1948-171-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1660-182-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/372-191-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2248-204-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1720-241-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1064-266-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2076-299-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1584-310-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2660-336-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2796-355-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2720-362-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2972-369-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2612-389-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2564-404-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2472-417-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1348-442-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2140-483-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2140-490-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2548-516-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/696-536-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1040-559-0x0000000000230000-0x000000000025A000-memory.dmp upx behavioral1/memory/2792-620-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2568-664-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1144-713-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2176-750-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/900-782-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2216-835-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/896-851-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffxxflr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjppd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrxrxll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9jjdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfrrxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrxrffl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1pjdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1vjvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9lllxfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvjdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found 
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdjjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thtbhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frffxrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llxfffr.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1972 wrote to memory of 1884 1972 11ecf8d25ce7007f207c0d1f2323ce60577a183d1ec9830c53798b42f8fdd06a.exe 30 PID 1972 wrote to memory of 1884 1972 11ecf8d25ce7007f207c0d1f2323ce60577a183d1ec9830c53798b42f8fdd06a.exe 30 PID 1972 wrote to memory of 1884 1972 11ecf8d25ce7007f207c0d1f2323ce60577a183d1ec9830c53798b42f8fdd06a.exe 30 PID 1972 wrote to memory of 1884 1972 11ecf8d25ce7007f207c0d1f2323ce60577a183d1ec9830c53798b42f8fdd06a.exe 30 PID 1884 wrote to memory of 1992 1884 bbntbt.exe 31 PID 1884 wrote to memory of 1992 1884 bbntbt.exe 31 PID 1884 wrote to memory of 1992 1884 bbntbt.exe 31 PID 1884 wrote to memory of 1992 1884 bbntbt.exe 31 PID 1992 wrote to memory of 2372 1992 vvvpd.exe 32 PID 1992 wrote to memory of 2372 1992 vvvpd.exe 32 PID 1992 wrote to memory of 2372 1992 vvvpd.exe 32 PID 1992 wrote to memory of 2372 1992 vvvpd.exe 32 PID 2372 wrote to memory of 2380 2372 lfxxlrl.exe 33 PID 2372 wrote to memory of 2380 2372 lfxxlrl.exe 33 PID 2372 wrote to memory of 2380 2372 lfxxlrl.exe 33 PID 2372 wrote to memory of 2380 2372 lfxxlrl.exe 33 PID 2380 wrote to memory of 2172 2380 1bttbt.exe 34 PID 2380 wrote to memory of 2172 2380 1bttbt.exe 34 PID 2380 wrote to memory of 2172 2380 1bttbt.exe 34 PID 2380 wrote to memory of 2172 2380 1bttbt.exe 34 PID 2172 wrote to memory of 2772 2172 vjdvj.exe 35 PID 2172 wrote to memory of 2772 2172 vjdvj.exe 35 PID 2172 wrote to memory of 2772 2172 vjdvj.exe 35 PID 2172 wrote to memory of 2772 2172 vjdvj.exe 35 PID 2772 wrote to memory of 2692 2772 9rxfrlx.exe 36 PID 2772 wrote to memory of 2692 2772 9rxfrlx.exe 36 PID 2772 wrote to memory of 2692 2772 9rxfrlx.exe 36 PID 2772 wrote to memory of 2692 2772 9rxfrlx.exe 36 PID 2692 wrote to memory of 2160 2692 vdjjp.exe 37 PID 2692 wrote to memory of 2160 2692 vdjjp.exe 37 PID 2692 wrote to memory of 2160 2692 vdjjp.exe 37 PID 2692 wrote to memory of 2160 2692 vdjjp.exe 37 PID 2160 wrote to memory of 2704 2160 fxrrllx.exe 38 PID 2160 wrote 
to memory of 2704 2160 fxrrllx.exe 38 PID 2160 wrote to memory of 2704 2160 fxrrllx.exe 38 PID 2160 wrote to memory of 2704 2160 fxrrllx.exe 38 PID 2704 wrote to memory of 2564 2704 vvjpj.exe 39 PID 2704 wrote to memory of 2564 2704 vvjpj.exe 39 PID 2704 wrote to memory of 2564 2704 vvjpj.exe 39 PID 2704 wrote to memory of 2564 2704 vvjpj.exe 39 PID 2564 wrote to memory of 3048 2564 nbnnnn.exe 40 PID 2564 wrote to memory of 3048 2564 nbnnnn.exe 40 PID 2564 wrote to memory of 3048 2564 nbnnnn.exe 40 PID 2564 wrote to memory of 3048 2564 nbnnnn.exe 40 PID 3048 wrote to memory of 1820 3048 3vjjp.exe 41 PID 3048 wrote to memory of 1820 3048 3vjjp.exe 41 PID 3048 wrote to memory of 1820 3048 3vjjp.exe 41 PID 3048 wrote to memory of 1820 3048 3vjjp.exe 41 PID 1820 wrote to memory of 2840 1820 xlxllfl.exe 42 PID 1820 wrote to memory of 2840 1820 xlxllfl.exe 42 PID 1820 wrote to memory of 2840 1820 xlxllfl.exe 42 PID 1820 wrote to memory of 2840 1820 xlxllfl.exe 42 PID 2840 wrote to memory of 2392 2840 jjvpp.exe 43 PID 2840 wrote to memory of 2392 2840 jjvpp.exe 43 PID 2840 wrote to memory of 2392 2840 jjvpp.exe 43 PID 2840 wrote to memory of 2392 2840 jjvpp.exe 43 PID 2392 wrote to memory of 780 2392 7xlflrx.exe 44 PID 2392 wrote to memory of 780 2392 7xlflrx.exe 44 PID 2392 wrote to memory of 780 2392 7xlflrx.exe 44 PID 2392 wrote to memory of 780 2392 7xlflrx.exe 44 PID 780 wrote to memory of 1004 780 pdddd.exe 45 PID 780 wrote to memory of 1004 780 pdddd.exe 45 PID 780 wrote to memory of 1004 780 pdddd.exe 45 PID 780 wrote to memory of 1004 780 pdddd.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\11ecf8d25ce7007f207c0d1f2323ce60577a183d1ec9830c53798b42f8fdd06a.exe"C:\Users\Admin\AppData\Local\Temp\11ecf8d25ce7007f207c0d1f2323ce60577a183d1ec9830c53798b42f8fdd06a.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1972 -
\??\c:\bbntbt.exec:\bbntbt.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1884 -
\??\c:\vvvpd.exec:\vvvpd.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1992 -
\??\c:\lfxxlrl.exec:\lfxxlrl.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2372 -
\??\c:\1bttbt.exec:\1bttbt.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2380 -
\??\c:\vjdvj.exec:\vjdvj.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2172 -
\??\c:\9rxfrlx.exec:\9rxfrlx.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2772 -
\??\c:\vdjjp.exec:\vdjjp.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2692 -
\??\c:\fxrrllx.exec:\fxrrllx.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2160 -
\??\c:\vvjpj.exec:\vvjpj.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2704 -
\??\c:\nbnnnn.exec:\nbnnnn.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2564 -
\??\c:\3vjjp.exec:\3vjjp.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3048 -
\??\c:\xlxllfl.exec:\xlxllfl.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1820 -
\??\c:\jjvpp.exec:\jjvpp.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2840 -
\??\c:\7xlflrx.exec:\7xlflrx.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2392 -
\??\c:\pdddd.exec:\pdddd.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:780 -
\??\c:\lfxrrrr.exec:\lfxrrrr.exe17⤵
- Executes dropped EXE
PID:1004 -
\??\c:\dpddd.exec:\dpddd.exe18⤵
- Executes dropped EXE
PID:1948 -
\??\c:\5fllfxl.exec:\5fllfxl.exe19⤵
- Executes dropped EXE
PID:1660 -
\??\c:\jdppd.exec:\jdppd.exe20⤵
- Executes dropped EXE
PID:372 -
\??\c:\xrxfrxx.exec:\xrxfrxx.exe21⤵
- Executes dropped EXE
PID:2248 -
\??\c:\dpvpv.exec:\dpvpv.exe22⤵
- Executes dropped EXE
PID:2448 -
\??\c:\xlfrxxl.exec:\xlfrxxl.exe23⤵
- Executes dropped EXE
PID:2320 -
\??\c:\jjvvd.exec:\jjvvd.exe24⤵
- Executes dropped EXE
PID:2452 -
\??\c:\9lxrxxf.exec:\9lxrxxf.exe25⤵
- Executes dropped EXE
PID:1380 -
\??\c:\llxfffr.exec:\llxfffr.exe26⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1720 -
\??\c:\htnntt.exec:\htnntt.exe27⤵
- Executes dropped EXE
PID:2988 -
\??\c:\rxxxlfl.exec:\rxxxlfl.exe28⤵
- Executes dropped EXE
PID:1064 -
\??\c:\htbbnh.exec:\htbbnh.exe29⤵
- Executes dropped EXE
PID:1332 -
\??\c:\pjdjj.exec:\pjdjj.exe30⤵
- Executes dropped EXE
PID:2216 -
\??\c:\lxffxxx.exec:\lxffxxx.exe31⤵
- Executes dropped EXE
PID:1744 -
\??\c:\hthnnn.exec:\hthnnn.exe32⤵
- Executes dropped EXE
PID:2076 -
\??\c:\rlllrrf.exec:\rlllrrf.exe33⤵
- Executes dropped EXE
PID:1584 -
\??\c:\tnttbt.exec:\tnttbt.exe34⤵
- Executes dropped EXE
PID:3036 -
\??\c:\vjvjv.exec:\vjvjv.exe35⤵
- Executes dropped EXE
PID:2376 -
\??\c:\frxrxrl.exec:\frxrxrl.exe36⤵
- Executes dropped EXE
PID:1428 -
\??\c:\lxlfrrx.exec:\lxlfrrx.exe37⤵
- Executes dropped EXE
PID:2008 -
\??\c:\btbhnn.exec:\btbhnn.exe38⤵
- Executes dropped EXE
PID:2660 -
\??\c:\5vjpv.exec:\5vjpv.exe39⤵
- Executes dropped EXE
PID:2708 -
\??\c:\djvvd.exec:\djvvd.exe40⤵
- Executes dropped EXE
PID:2796 -
\??\c:\xrrrrll.exec:\xrrrrll.exe41⤵
- Executes dropped EXE
PID:2720 -
\??\c:\hthbbb.exec:\hthbbb.exe42⤵
- Executes dropped EXE
PID:2972 -
\??\c:\3bhbnn.exec:\3bhbnn.exe43⤵
- Executes dropped EXE
PID:2872 -
\??\c:\1vddd.exec:\1vddd.exe44⤵
- Executes dropped EXE
PID:2860 -
\??\c:\fxffffr.exec:\fxffffr.exe45⤵
- Executes dropped EXE
PID:2788 -
\??\c:\nbtbhh.exec:\nbtbhh.exe46⤵
- Executes dropped EXE
PID:2612 -
\??\c:\3tnnnn.exec:\3tnnnn.exe47⤵
- Executes dropped EXE
PID:2564 -
\??\c:\jvdvv.exec:\jvdvv.exe48⤵
- Executes dropped EXE
PID:1316 -
\??\c:\lxlfllf.exec:\lxlfllf.exe49⤵
- Executes dropped EXE
PID:568 -
\??\c:\1bhtnh.exec:\1bhtnh.exe50⤵
- Executes dropped EXE
PID:2472 -
\??\c:\nbnntn.exec:\nbnntn.exe51⤵
- Executes dropped EXE
PID:1108 -
\??\c:\dpvpj.exec:\dpvpj.exe52⤵
- Executes dropped EXE
PID:776 -
\??\c:\vjppp.exec:\vjppp.exe53⤵
- Executes dropped EXE
PID:1348 -
\??\c:\9rfxxrx.exec:\9rfxxrx.exe54⤵
- Executes dropped EXE
PID:524 -
\??\c:\tnhhth.exec:\tnhhth.exe55⤵
- Executes dropped EXE
PID:1004 -
\??\c:\djpjd.exec:\djpjd.exe56⤵
- Executes dropped EXE
PID:1948 -
\??\c:\pjppv.exec:\pjppv.exe57⤵
- Executes dropped EXE
PID:2940 -
\??\c:\3frxxxx.exec:\3frxxxx.exe58⤵
- Executes dropped EXE
PID:2932 -
\??\c:\tbbbhh.exec:\tbbbhh.exe59⤵
- Executes dropped EXE
PID:2924 -
\??\c:\hbhhhb.exec:\hbhhhb.exe60⤵
- Executes dropped EXE
PID:2140 -
\??\c:\vjvdj.exec:\vjvdj.exe61⤵
- Executes dropped EXE
PID:2088 -
\??\c:\lxxrxxf.exec:\lxxrxxf.exe62⤵
- Executes dropped EXE
PID:2952 -
\??\c:\fxfflff.exec:\fxfflff.exe63⤵
- Executes dropped EXE
PID:2452 -
\??\c:\tntttn.exec:\tntttn.exe64⤵
- Executes dropped EXE
PID:2548 -
\??\c:\5vdvv.exec:\5vdvv.exe65⤵
- Executes dropped EXE
PID:1812 -
\??\c:\3vpdd.exec:\3vpdd.exe66⤵PID:1772
-
\??\c:\rlrfffl.exec:\rlrfffl.exe67⤵PID:1824
-
\??\c:\5bbbnh.exec:\5bbbnh.exe68⤵PID:696
-
\??\c:\tnnbtt.exec:\tnnbtt.exe69⤵PID:2304
-
\??\c:\dvdvj.exec:\dvdvj.exe70⤵PID:1136
-
\??\c:\1rfxfxx.exec:\1rfxfxx.exe71⤵PID:1040
-
\??\c:\lflffxf.exec:\lflffxf.exe72⤵PID:2492
-
\??\c:\5hhnbb.exec:\5hhnbb.exe73⤵PID:2124
-
\??\c:\dvpjp.exec:\dvpjp.exe74⤵PID:1696
-
\??\c:\9jjdj.exec:\9jjdj.exe75⤵
- System Location Discovery: System Language Discovery
PID:1124 -
\??\c:\9flllrr.exec:\9flllrr.exe76⤵PID:1588
-
\??\c:\httnnn.exec:\httnnn.exe77⤵PID:1884
-
\??\c:\thtnnh.exec:\thtnnh.exe78⤵PID:3040
-
\??\c:\vpjjj.exec:\vpjjj.exe79⤵PID:2352
-
\??\c:\dvpjv.exec:\dvpjv.exe80⤵PID:2748
-
\??\c:\7ffxlfl.exec:\7ffxlfl.exe81⤵PID:2380
-
\??\c:\bththn.exec:\bththn.exe82⤵PID:2792
-
\??\c:\thtnnh.exec:\thtnnh.exe83⤵PID:2856
-
\??\c:\3jdjd.exec:\3jdjd.exe84⤵PID:2712
-
\??\c:\9xlfflr.exec:\9xlfflr.exe85⤵PID:2880
-
\??\c:\1lfxrrx.exec:\1lfxrrx.exe86⤵PID:2592
-
\??\c:\nbnnnn.exec:\nbnnnn.exe87⤵PID:2740
-
\??\c:\pjvpp.exec:\pjvpp.exe88⤵PID:2568
-
\??\c:\pjpjj.exec:\pjpjj.exe89⤵PID:1808
-
\??\c:\lfrrlff.exec:\lfrrlff.exe90⤵PID:3064
-
\??\c:\7bnbbt.exec:\7bnbbt.exe91⤵PID:788
-
\??\c:\bhnnnh.exec:\bhnnnh.exe92⤵PID:676
-
\??\c:\vvddd.exec:\vvddd.exe93⤵PID:2388
-
\??\c:\3frrlxf.exec:\3frrlxf.exe94⤵PID:2100
-
\??\c:\lfxlxxx.exec:\lfxlxxx.exe95⤵PID:804
-
\??\c:\3thbhh.exec:\3thbhh.exe96⤵PID:1144
-
\??\c:\thnntn.exec:\thnntn.exe97⤵PID:1548
-
\??\c:\dppjv.exec:\dppjv.exe98⤵PID:1936
-
\??\c:\rfffxrr.exec:\rfffxrr.exe99⤵PID:1408
-
\??\c:\1nhhnt.exec:\1nhhnt.exe100⤵PID:2916
-
\??\c:\5ttnnb.exec:\5ttnnb.exe101⤵PID:2808
-
\??\c:\ppdvj.exec:\ppdvj.exe102⤵PID:2176
-
\??\c:\5xfrlff.exec:\5xfrlff.exe103⤵PID:2540
-
\??\c:\lfllrrx.exec:\lfllrrx.exe104⤵PID:2112
-
\??\c:\5nttbb.exec:\5nttbb.exe105⤵PID:1656
-
\??\c:\pjvvj.exec:\pjvvj.exe106⤵PID:2088
-
\??\c:\djvpj.exec:\djvpj.exe107⤵PID:2900
-
\??\c:\7flrxrx.exec:\7flrxrx.exe108⤵PID:900
-
\??\c:\hbtbbn.exec:\hbtbbn.exe109⤵PID:1952
-
\??\c:\dvddd.exec:\dvddd.exe110⤵PID:928
-
\??\c:\1xlffxx.exec:\1xlffxx.exe111⤵PID:1636
-
\??\c:\lfrrxfl.exec:\lfrrxfl.exe112⤵PID:1824
-
\??\c:\bthhnh.exec:\bthhnh.exe113⤵PID:696
-
\??\c:\7pjjv.exec:\7pjjv.exe114⤵PID:2208
-
\??\c:\xrxxxlf.exec:\xrxxxlf.exe115⤵PID:2216
-
\??\c:\hhbhtt.exec:\hhbhtt.exe116⤵PID:2312
-
\??\c:\bnbbnn.exec:\bnbbnn.exe117⤵PID:896
-
\??\c:\pdppv.exec:\pdppv.exe118⤵PID:1560
-
\??\c:\rfrxffl.exec:\rfrxffl.exe119⤵PID:2524
-
\??\c:\llflxxl.exec:\llflxxl.exe120⤵PID:1584
-
\??\c:\bnbttb.exec:\bnbttb.exe121⤵PID:1884
-
\??\c:\3jpjj.exec:\3jpjj.exe122⤵PID:2288