Analysis
max time kernel: 150s
max time network: 121s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 24-12-2024 19:04

Static task: static1 (1 signature)
Behavioral task: behavioral1
  Sample: 011ff012c48d6faeba31d9179552bc8045080539a423ca303c50b10fa5392d2f.exe
  Resource: win7-20240903-en (windows7-x64)
  7 signatures, 150 seconds
General
Target: 011ff012c48d6faeba31d9179552bc8045080539a423ca303c50b10fa5392d2f.exe
Size: 453KB
MD5: c9c07b4997b436d1457289c48f295623
SHA1: 83d7e2b1148265917c4ab59b3547e5d25f04cd88
SHA256: 011ff012c48d6faeba31d9179552bc8045080539a423ca303c50b10fa5392d2f
SHA512: dba7be233759ec602541531b72df212fdd4c60547d940678b5fc0f4006def09493e4f0258a749822c2cc3d774f08bf90827b1a93ba20c5d0cf9e6e31fd49b3a4
SSDEEP: 6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeX:q7Tc2NYHUrAwfMp3CDX
Malware Config
Signatures

Blackmoon family

Detect Blackmoon payload (43 IoCs)
resource  yara_rule
behavioral1/memory/2828-0-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/2212-16-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/1832-26-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/2124-44-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/2168-59-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/2708-68-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/2820-55-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/2708-75-0x0000000000220000-0x000000000024A000-memory.dmp  family_blackmoon
behavioral1/memory/2636-84-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/2756-95-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/2520-103-0x0000000000220000-0x000000000024A000-memory.dmp  family_blackmoon
behavioral1/memory/2540-112-0x0000000000220000-0x000000000024A000-memory.dmp  family_blackmoon
behavioral1/memory/2544-123-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/632-135-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/2980-131-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/2308-143-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/2464-162-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/1612-205-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/2012-223-0x0000000000220000-0x000000000024A000-memory.dmp  family_blackmoon
behavioral1/memory/2012-222-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/1640-231-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/912-264-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/3012-274-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/1812-283-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/1504-292-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/1724-321-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/1720-329-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/2124-342-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/2392-362-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/2636-375-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/2516-388-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/2180-415-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/664-429-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/3068-497-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/2148-536-0x0000000000250000-0x000000000027A000-memory.dmp  family_blackmoon
behavioral1/memory/2172-562-0x0000000000220000-0x000000000024A000-memory.dmp  family_blackmoon
behavioral1/memory/2936-594-0x00000000003A0000-0x00000000003CA000-memory.dmp  family_blackmoon
behavioral1/memory/2392-645-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/2420-729-0x00000000001B0000-0x00000000001DA000-memory.dmp  family_blackmoon
behavioral1/memory/1296-757-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/2712-909-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/2664-959-0x00000000003C0000-0x00000000003EA000-memory.dmp  family_blackmoon
behavioral1/memory/1808-1002-0x00000000003C0000-0x00000000003EA000-memory.dmp  family_blackmoon
Executes dropped EXE (64 IoCs)
pid  Process
2212  bnbtbb.exe
1832  vvpdj.exe
2932  rlrrxxr.exe
2124  vpjpd.exe
2820  1flflfl.exe
2168  bhtnhb.exe
2708  dvjjp.exe
2636  5pjdv.exe
2756  hnbtnb.exe
2520  dvjpp.exe
2540  fxxrxxx.exe
2544  hbbbhh.exe
2980  vpvvv.exe
632  lxxrxlr.exe
2308  tnhtbb.exe
2292  bnhhtt.exe
2464  xlxrrrr.exe
808  hnntnb.exe
1500  vpvdj.exe
1372  xxrrxfr.exe
1612  thtntn.exe
3068  vpjpd.exe
2012  lxllrrx.exe
1640  jvjjj.exe
2372  dpdvp.exe
532  fxlrrll.exe
872  thnhhb.exe
912  tnhntn.exe
3012  vjdjj.exe
1812  7flrxxl.exe
1504  btnntn.exe
2452  7rflrxl.exe
2212  tbnhhh.exe
2900  1nnhbn.exe
1724  vjvvv.exe
1720  frrflxf.exe
1248  xlfffff.exe
2124  hnbttn.exe
2584  3dvvv.exe
2600  pdvpj.exe
2392  xrffxxf.exe
2704  ntbttn.exe
2636  5hnhhb.exe
2696  dvppd.exe
2532  vvdvv.exe
2516  5rfrrxl.exe
2524  nhtnbh.exe
2612  7pddd.exe
2180  pdjvv.exe
2980  xrffxrr.exe
1804  5lrllfl.exe
664  bnhhnn.exe
1440  jdjjv.exe
2272  vpdjj.exe
328  llrfxrr.exe
752  lxlllfl.exe
1528  thnbnn.exe
1296  nnthnn.exe
2396  djppp.exe
1708  7rfxxrl.exe
1612  xlllfxf.exe
3068  hbhhbt.exe
2336  7dvpp.exe
1900  3pvvd.exe
resource  yara_rule
behavioral1/memory/2828-0-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2212-16-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/1832-18-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/1832-26-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2820-46-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2124-44-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2168-59-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2708-68-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2820-55-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2636-84-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2756-95-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2544-123-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/632-135-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2980-131-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2308-143-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2464-162-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/808-171-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/1612-205-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2012-222-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/1640-231-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/912-264-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/1812-275-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/3012-274-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/1812-283-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/1504-292-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2900-308-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/1724-321-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/1720-322-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/1720-329-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2124-342-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2392-362-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2636-375-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2516-388-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2180-415-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2980-416-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/664-429-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2272-442-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/3068-497-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/888-569-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2392-645-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2768-658-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2664-671-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2524-680-0x00000000001B0000-0x00000000001DA000-memory.dmp  upx
behavioral1/memory/2512-685-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/748-722-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/1704-730-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/1296-757-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2728-770-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/1688-789-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/684-834-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/288-853-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/1988-878-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2712-909-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2500-916-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2256-1028-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/1384-1075-0x0000000000400000-0x000000000042A000-memory.dmp  upx
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description (all 64 rows): Key opened
ioc (all 64 rows): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process (one row per IoC, in report order):
Process not Found
Process not Found
Process not Found
9xlflrx.exe
pdjdj.exe
7jvdv.exe
Process not Found
Process not Found
Process not Found
Process not Found
Process not Found
Process not Found
Process not Found
Process not Found
Process not Found
Process not Found
Process not Found
Process not Found
Process not Found
Process not Found
pdvpp.exe
fxxrxrr.exe
Process not Found
Process not Found
Process not Found
Process not Found
Process not Found
Process not Found
pjpjj.exe
Process not Found
Process not Found
Process not Found
Process not Found
5xlllff.exe
jvppj.exe
vjdvv.exe
Process not Found
Process not Found
Process not Found
vpvdj.exe
5rlrxrf.exe
Process not Found
Process not Found
rflflxf.exe
Process not Found
Process not Found
lfrlxxf.exe
Process not Found
Process not Found
Process not Found
Process not Found
pjvdj.exe
tnhtbb.exe
Process not Found
Process not Found
Process not Found
Process not Found
Process not Found
Process not Found
Process not Found
Process not Found
Process not Found
hbtnnb.exe
lflrfxl.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description  pid  Process  procid_target
Each write is recorded four times in the report; the 16 distinct rows, in report order, are:
PID 2828 wrote to memory of 2212  2828  011ff012c48d6faeba31d9179552bc8045080539a423ca303c50b10fa5392d2f.exe  28
PID 2212 wrote to memory of 1832  2212  bnbtbb.exe  29
PID 1832 wrote to memory of 2932  1832  vvpdj.exe  30
PID 2932 wrote to memory of 2124  2932  rlrrxxr.exe  31
PID 2124 wrote to memory of 2820  2124  vpjpd.exe  32
PID 2820 wrote to memory of 2168  2820  1flflfl.exe  33
PID 2168 wrote to memory of 2708  2168  bhtnhb.exe  34
PID 2708 wrote to memory of 2636  2708  dvjjp.exe  35
PID 2636 wrote to memory of 2756  2636  5pjdv.exe  36
PID 2756 wrote to memory of 2520  2756  hnbtnb.exe  37
PID 2520 wrote to memory of 2540  2520  dvjpp.exe  38
PID 2540 wrote to memory of 2544  2540  fxxrxxx.exe  39
PID 2544 wrote to memory of 2980  2544  hbbbhh.exe  40
PID 2980 wrote to memory of 632  2980  vpvvv.exe  41
PID 632 wrote to memory of 2308  632  lxxrxlr.exe  42
PID 2308 wrote to memory of 2292  2308  tnhtbb.exe  43
Processes
Each line gives the nesting depth from the report, the image path, the command line, the PID, and the signatures triggered by that process (none listed where the report shows none). The depth increases by one at every step, so each process is the child of the one above it.
1  C:\Users\Admin\AppData\Local\Temp\011ff012c48d6faeba31d9179552bc8045080539a423ca303c50b10fa5392d2f.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\011ff012c48d6faeba31d9179552bc8045080539a423ca303c50b10fa5392d2f.exe"  PID:2828  Suspicious use of WriteProcessMemory
2  \??\c:\bnbtbb.exe  cmdline: c:\bnbtbb.exe  PID:2212  Executes dropped EXE; Suspicious use of WriteProcessMemory
3  \??\c:\vvpdj.exe  cmdline: c:\vvpdj.exe  PID:1832  Executes dropped EXE; Suspicious use of WriteProcessMemory
4  \??\c:\rlrrxxr.exe  cmdline: c:\rlrrxxr.exe  PID:2932  Executes dropped EXE; Suspicious use of WriteProcessMemory
5  \??\c:\vpjpd.exe  cmdline: c:\vpjpd.exe  PID:2124  Executes dropped EXE; Suspicious use of WriteProcessMemory
6  \??\c:\1flflfl.exe  cmdline: c:\1flflfl.exe  PID:2820  Executes dropped EXE; Suspicious use of WriteProcessMemory
7  \??\c:\bhtnhb.exe  cmdline: c:\bhtnhb.exe  PID:2168  Executes dropped EXE; Suspicious use of WriteProcessMemory
8  \??\c:\dvjjp.exe  cmdline: c:\dvjjp.exe  PID:2708  Executes dropped EXE; Suspicious use of WriteProcessMemory
9  \??\c:\5pjdv.exe  cmdline: c:\5pjdv.exe  PID:2636  Executes dropped EXE; Suspicious use of WriteProcessMemory
10  \??\c:\hnbtnb.exe  cmdline: c:\hnbtnb.exe  PID:2756  Executes dropped EXE; Suspicious use of WriteProcessMemory
11  \??\c:\dvjpp.exe  cmdline: c:\dvjpp.exe  PID:2520  Executes dropped EXE; Suspicious use of WriteProcessMemory
12  \??\c:\fxxrxxx.exe  cmdline: c:\fxxrxxx.exe  PID:2540  Executes dropped EXE; Suspicious use of WriteProcessMemory
13  \??\c:\hbbbhh.exe  cmdline: c:\hbbbhh.exe  PID:2544  Executes dropped EXE; Suspicious use of WriteProcessMemory
14  \??\c:\vpvvv.exe  cmdline: c:\vpvvv.exe  PID:2980  Executes dropped EXE; Suspicious use of WriteProcessMemory
15  \??\c:\lxxrxlr.exe  cmdline: c:\lxxrxlr.exe  PID:632  Executes dropped EXE; Suspicious use of WriteProcessMemory
16  \??\c:\tnhtbb.exe  cmdline: c:\tnhtbb.exe  PID:2308  Executes dropped EXE; Suspicious use of WriteProcessMemory
17  \??\c:\bnhhtt.exe  cmdline: c:\bnhhtt.exe  PID:2292  Executes dropped EXE
18  \??\c:\xlxrrrr.exe  cmdline: c:\xlxrrrr.exe  PID:2464  Executes dropped EXE
19  \??\c:\hnntnb.exe  cmdline: c:\hnntnb.exe  PID:808  Executes dropped EXE
20  \??\c:\vpvdj.exe  cmdline: c:\vpvdj.exe  PID:1500  Executes dropped EXE; System Location Discovery: System Language Discovery
21  \??\c:\xxrrxfr.exe  cmdline: c:\xxrrxfr.exe  PID:1372  Executes dropped EXE
22  \??\c:\thtntn.exe  cmdline: c:\thtntn.exe  PID:1612  Executes dropped EXE
23  \??\c:\vpjpd.exe  cmdline: c:\vpjpd.exe  PID:3068  Executes dropped EXE
24  \??\c:\lxllrrx.exe  cmdline: c:\lxllrrx.exe  PID:2012  Executes dropped EXE
25  \??\c:\jvjjj.exe  cmdline: c:\jvjjj.exe  PID:1640  Executes dropped EXE
26  \??\c:\dpdvp.exe  cmdline: c:\dpdvp.exe  PID:2372  Executes dropped EXE
27  \??\c:\fxlrrll.exe  cmdline: c:\fxlrrll.exe  PID:532  Executes dropped EXE
28  \??\c:\thnhhb.exe  cmdline: c:\thnhhb.exe  PID:872  Executes dropped EXE
29  \??\c:\tnhntn.exe  cmdline: c:\tnhntn.exe  PID:912  Executes dropped EXE
30  \??\c:\vjdjj.exe  cmdline: c:\vjdjj.exe  PID:3012  Executes dropped EXE
31  \??\c:\7flrxxl.exe  cmdline: c:\7flrxxl.exe  PID:1812  Executes dropped EXE
32  \??\c:\btnntn.exe  cmdline: c:\btnntn.exe  PID:1504  Executes dropped EXE
33  \??\c:\7rflrxl.exe  cmdline: c:\7rflrxl.exe  PID:2452  Executes dropped EXE
34  \??\c:\tbnhhh.exe  cmdline: c:\tbnhhh.exe  PID:2212  Executes dropped EXE
35  \??\c:\1nnhbn.exe  cmdline: c:\1nnhbn.exe  PID:2900  Executes dropped EXE
36  \??\c:\vjvvv.exe  cmdline: c:\vjvvv.exe  PID:1724  Executes dropped EXE
37  \??\c:\frrflxf.exe  cmdline: c:\frrflxf.exe  PID:1720  Executes dropped EXE
38  \??\c:\xlfffff.exe  cmdline: c:\xlfffff.exe  PID:1248  Executes dropped EXE
39  \??\c:\hnbttn.exe  cmdline: c:\hnbttn.exe  PID:2124  Executes dropped EXE
40  \??\c:\3dvvv.exe  cmdline: c:\3dvvv.exe  PID:2584  Executes dropped EXE
41  \??\c:\pdvpj.exe  cmdline: c:\pdvpj.exe  PID:2600  Executes dropped EXE
42  \??\c:\xrffxxf.exe  cmdline: c:\xrffxxf.exe  PID:2392  Executes dropped EXE
43  \??\c:\ntbttn.exe  cmdline: c:\ntbttn.exe  PID:2704  Executes dropped EXE
44  \??\c:\5hnhhb.exe  cmdline: c:\5hnhhb.exe  PID:2636  Executes dropped EXE
45  \??\c:\dvppd.exe  cmdline: c:\dvppd.exe  PID:2696  Executes dropped EXE
46  \??\c:\vvdvv.exe  cmdline: c:\vvdvv.exe  PID:2532  Executes dropped EXE
47  \??\c:\5rfrrxl.exe  cmdline: c:\5rfrrxl.exe  PID:2516  Executes dropped EXE
48  \??\c:\nhtnbh.exe  cmdline: c:\nhtnbh.exe  PID:2524  Executes dropped EXE
49  \??\c:\7pddd.exe  cmdline: c:\7pddd.exe  PID:2612  Executes dropped EXE
50  \??\c:\pdjvv.exe  cmdline: c:\pdjvv.exe  PID:2180  Executes dropped EXE
51  \??\c:\xrffxrr.exe  cmdline: c:\xrffxrr.exe  PID:2980  Executes dropped EXE
52  \??\c:\5lrllfl.exe  cmdline: c:\5lrllfl.exe  PID:1804  Executes dropped EXE
53  \??\c:\bnhhnn.exe  cmdline: c:\bnhhnn.exe  PID:664  Executes dropped EXE
54  \??\c:\jdjjv.exe  cmdline: c:\jdjjv.exe  PID:1440  Executes dropped EXE
55  \??\c:\vpdjj.exe  cmdline: c:\vpdjj.exe  PID:2272  Executes dropped EXE
56  \??\c:\llrfxrr.exe  cmdline: c:\llrfxrr.exe  PID:328  Executes dropped EXE
57  \??\c:\lxlllfl.exe  cmdline: c:\lxlllfl.exe  PID:752  Executes dropped EXE
58  \??\c:\thnbnn.exe  cmdline: c:\thnbnn.exe  PID:1528  Executes dropped EXE
59  \??\c:\nnthnn.exe  cmdline: c:\nnthnn.exe  PID:1296  Executes dropped EXE
60  \??\c:\djppp.exe  cmdline: c:\djppp.exe  PID:2396  Executes dropped EXE
61  \??\c:\7rfxxrl.exe  cmdline: c:\7rfxxrl.exe  PID:1708  Executes dropped EXE
62  \??\c:\xlllfxf.exe  cmdline: c:\xlllfxf.exe  PID:1612  Executes dropped EXE
63  \??\c:\hbhhbt.exe  cmdline: c:\hbhhbt.exe  PID:3068  Executes dropped EXE
64  \??\c:\7dvpp.exe  cmdline: c:\7dvpp.exe  PID:2336  Executes dropped EXE
65  \??\c:\3pvvd.exe  cmdline: c:\3pvvd.exe  PID:1900  Executes dropped EXE
66  \??\c:\5xfxrrr.exe  cmdline: c:\5xfxrrr.exe  PID:480
67  \??\c:\thhhhn.exe  cmdline: c:\thhhhn.exe  PID:1384
68  \??\c:\jpvvv.exe  cmdline: c:\jpvvv.exe  PID:532
69  \??\c:\frrrllr.exe  cmdline: c:\frrrllr.exe  PID:2148
70  \??\c:\5lxrxrx.exe  cmdline: c:\5lxrxrx.exe  PID:872
71  \??\c:\1hbhhb.exe  cmdline: c:\1hbhhb.exe  PID:1344
72  \??\c:\dppjv.exe  cmdline: c:\dppjv.exe  PID:2344
73  \??\c:\5vdvp.exe  cmdline: c:\5vdvp.exe  PID:2172
74  \??\c:\fxfxxxx.exe  cmdline: c:\fxfxxxx.exe  PID:3028
75  \??\c:\1tbtnb.exe  cmdline: c:\1tbtnb.exe  PID:888
76  \??\c:\1tnnnh.exe  cmdline: c:\1tnnnh.exe  PID:2452
77  \??\c:\pjvvv.exe  cmdline: c:\pjvvv.exe  PID:2080
78  \??\c:\frllflf.exe  cmdline: c:\frllflf.exe  PID:2936
79  \??\c:\lxlfrrx.exe  cmdline: c:\lxlfrrx.exe  PID:2576
80  \??\c:\hthbbt.exe  cmdline: c:\hthbbt.exe  PID:2932
81  \??\c:\jpdvv.exe  cmdline: c:\jpdvv.exe  PID:2944
82  \??\c:\vjppd.exe  cmdline: c:\vjppd.exe  PID:2684
83  \??\c:\lxlffxf.exe  cmdline: c:\lxlffxf.exe  PID:2916
84  \??\c:\xlxxfxl.exe  cmdline: c:\xlxxfxl.exe  PID:2584
85  \??\c:\hbtnnb.exe  cmdline: c:\hbtnnb.exe  PID:2620  System Location Discovery: System Language Discovery
86  \??\c:\dpjdj.exe  cmdline: c:\dpjdj.exe  PID:2392
87  \??\c:\vdpdv.exe  cmdline: c:\vdpdv.exe  PID:2776
88  \??\c:\7frffxx.exe  cmdline: c:\7frffxx.exe  PID:2636
89  \??\c:\hnbbbt.exe  cmdline: c:\hnbbbt.exe  PID:2768
90  \??\c:\btbtbt.exe  cmdline: c:\btbtbt.exe  PID:2580
91  \??\c:\1jpvj.exe  cmdline: c:\1jpvj.exe  PID:2664
92  \??\c:\1xfffrx.exe  cmdline: c:\1xfffrx.exe  PID:2524
93  \??\c:\flffxrl.exe  cmdline: c:\flffxrl.exe  PID:2512
94  \??\c:\7hhbhh.exe  cmdline: c:\7hhbhh.exe  PID:2180
95  \??\c:\7vjjj.exe  cmdline: c:\7vjjj.exe  PID:980
96  \??\c:\7pvvv.exe  cmdline: c:\7pvvv.exe  PID:2420
97  \??\c:\frxrlff.exe  cmdline: c:\frxrlff.exe  PID:2296
98  \??\c:\3thbbt.exe  cmdline: c:\3thbbt.exe  PID:2300
99  \??\c:\bnbtbb.exe  cmdline: c:\bnbtbb.exe  PID:748
100  \??\c:\jpdpd.exe  cmdline: c:\jpdpd.exe  PID:1704
101  \??\c:\lxlffxl.exe  cmdline: c:\lxlffxl.exe  PID:752
102  \??\c:\xrffffr.exe  cmdline: c:\xrffffr.exe  PID:1528
103  \??\c:\thnhhb.exe  cmdline: c:\thnhhb.exe  PID:1296
104  \??\c:\9djjj.exe  cmdline: c:\9djjj.exe  PID:1692
105  \??\c:\1pppj.exe  cmdline: c:\1pppj.exe  PID:2892
106  \??\c:\frxxxxr.exe  cmdline: c:\frxxxxr.exe  PID:2728
107  \??\c:\thtnnn.exe  cmdline: c:\thtnnn.exe  PID:1880
108  \??\c:\1ntttt.exe  cmdline: c:\1ntttt.exe  PID:2336
109  \??\c:\jdjdj.exe  cmdline: c:\jdjdj.exe  PID:1688
110  \??\c:\xlrllfr.exe  cmdline: c:\xlrllfr.exe  PID:1076
111  \??\c:\lxfffxf.exe  cmdline: c:\lxfffxf.exe  PID:1304
112  \??\c:\1bnnnn.exe  cmdline: c:\1bnnnn.exe  PID:3060
113  \??\c:\5bbnhb.exe  cmdline: c:\5bbnhb.exe  PID:3008
114  \??\c:\pdvdd.exe  cmdline: c:\pdvdd.exe  PID:872
115  \??\c:\lflrfxl.exe  cmdline: c:\lflrfxl.exe  PID:3012  System Location Discovery: System Language Discovery
116  \??\c:\lxffrrr.exe  cmdline: c:\lxffrrr.exe  PID:684
117  \??\c:\5bhbbb.exe  cmdline: c:\5bhbbb.exe  PID:2172
118  \??\c:\5jpjj.exe  cmdline: c:\5jpjj.exe  PID:2384
119  \??\c:\flfxrrx.exe  cmdline: c:\flfxrrx.exe  PID:288
120  \??\c:\9rlllll.exe  cmdline: c:\9rlllll.exe  PID:1596
121  \??\c:\nhhbht.exe  cmdline: c:\nhhbht.exe  PID:2368
122  \??\c:\5ppjj.exe  cmdline: c:\5ppjj.exe  PID:2936