Analysis
-
max time kernel
150s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
08/01/2025, 07:22
Static task
static1
1 signature
Behavioral task
behavioral1
Sample
efb1119aadc2b3f574e9a708b1fb4fc3590861a8481d93d561d8719b60a57e8b.exe
Resource
win7-20240903-en
7 signatures
150 seconds
General
-
Target
efb1119aadc2b3f574e9a708b1fb4fc3590861a8481d93d561d8719b60a57e8b.exe
-
Size
454KB
-
MD5
1c977ccb5393f8f5cff03b6ce0871d9f
-
SHA1
bc0d6f2e5733d0192033a4a1a6f543443a5cf2b1
-
SHA256
efb1119aadc2b3f574e9a708b1fb4fc3590861a8481d93d561d8719b60a57e8b
-
SHA512
91fbe701f28ae8552ad002b1e2219708b451aeb3048d42346bb3b5edd10cd6c569004290c0a85396464dd9512054909bfadb40b428f6e7b5395686d0b82bce0b
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe83:q7Tc2NYHUrAwfMp3CD83
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 41 IoCs
resource yara_rule behavioral1/memory/2780-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3004-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2808-28-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2064-38-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2400-186-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2524-222-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1196-265-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1072-393-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2828-522-0x0000000000250000-0x000000000027A000-memory.dmp family_blackmoon behavioral1/memory/588-658-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1836-693-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1816-852-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1040-957-0x0000000000430000-0x000000000045A000-memory.dmp family_blackmoon behavioral1/memory/1800-733-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1876-679-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1776-609-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2236-596-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2832-559-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1652-497-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/2124-471-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1968-400-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2884-372-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2872-340-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2680-320-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1824-289-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1616-231-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1028-211-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/700-185-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/2076-176-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/700-155-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/112-147-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2060-137-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2060-135-0x0000000000340000-0x000000000036A000-memory.dmp family_blackmoon behavioral1/memory/2608-126-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2608-124-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/2868-116-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2952-96-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1304-78-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2592-59-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3004-49-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2596-46-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 3004 9bhbbt.exe 2808 jdpjj.exe 2064 9xrfxrr.exe 2596 hbhbbb.exe 2592 dvddj.exe 2096 rfrlrrx.exe 1304 xxrxxrl.exe 2412 htttbt.exe 2952 5pdvd.exe 1504 7xlrrrr.exe 2868 hbnnhb.exe 2608 7tbhnb.exe 2060 dvjjv.exe 112 xrflfrf.exe 700 nbnnbb.exe 2176 vjvvj.exe 2076 9llfrll.exe 2400 rfrxlfl.exe 2244 nbhhhb.exe 1812 1xlrflr.exe 1028 lxrxrlr.exe 2524 tbthhn.exe 1616 pjvpp.exe 2344 xrxrrrr.exe 3052 lfxrxrr.exe 2632 nnbhtn.exe 1196 vpppv.exe 1016 9xfxxxf.exe 1976 5ttnnn.exe 1824 jvjjj.exe 2708 1xfxfxf.exe 1708 hbhthn.exe 2904 3lfxxff.exe 2680 1tnnbn.exe 2548 dvjjp.exe 2052 lfrxllr.exe 2872 lfxfrlr.exe 1160 5thbhn.exe 2396 vjjdj.exe 2976 pdpvd.exe 2640 fxllxxl.exe 2884 btbhtb.exe 2968 nhhhhb.exe 2956 dvpvj.exe 1072 rlrfrrx.exe 1968 bthntt.exe 540 pdvvd.exe 2080 ppddj.exe 2156 rfllxrr.exe 2120 bthnbn.exe 2448 nhtntb.exe 644 jdpvd.exe 1992 llxflrl.exe 616 rlffllr.exe 1044 tbnhbb.exe 696 tthhtt.exe 2124 pjvjj.exe 2360 pdppv.exe 1584 rfxfrrf.exe 2300 hthnbt.exe 1652 htbbnn.exe 1564 jdjvp.exe 2644 3llxxrr.exe 1736 xrxxffl.exe -
resource yara_rule behavioral1/memory/2780-0-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2780-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3004-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2808-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2064-38-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2400-186-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2524-222-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1196-265-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1072-393-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2080-408-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2156-415-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1272-577-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/588-658-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1836-693-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/860-796-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2492-938-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2888-788-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1800-733-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1876-679-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2612-666-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2624-624-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1776-609-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2832-559-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1064-530-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2124-471-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1044-452-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1968-400-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2884-372-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2872-340-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2680-320-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2904-307-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1824-289-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1616-231-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2076-176-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/700-155-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/112-147-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2060-137-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2060-135-0x0000000000340000-0x000000000036A000-memory.dmp upx behavioral1/memory/2608-126-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2868-116-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1504-97-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2952-96-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2952-87-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1304-78-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2592-59-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2596-46-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host. Caveat for triage: most of the 64 IoCs below are attributed to "Process not Found" rather than to a named dropped executable (presumably the acting process had already exited before the sandbox resolved it), so per-process attribution here is incomplete; reads of the NLS\Language key are also common in benign software, so this behaviour is weak evidence on its own and should be weighed together with the Blackmoon memory-dump hits above.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlffllr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdpvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfxfrlr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvdpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5vjjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7htttt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjpdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpvpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdjjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not 
Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7htnnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xflffxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1lxfxfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9ddjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2780 wrote to memory of 3004 2780 efb1119aadc2b3f574e9a708b1fb4fc3590861a8481d93d561d8719b60a57e8b.exe 30 PID 2780 wrote to memory of 3004 2780 efb1119aadc2b3f574e9a708b1fb4fc3590861a8481d93d561d8719b60a57e8b.exe 30 PID 2780 wrote to memory of 3004 2780 efb1119aadc2b3f574e9a708b1fb4fc3590861a8481d93d561d8719b60a57e8b.exe 30 PID 2780 wrote to memory of 3004 2780 efb1119aadc2b3f574e9a708b1fb4fc3590861a8481d93d561d8719b60a57e8b.exe 30 PID 3004 wrote to memory of 2808 3004 9bhbbt.exe 98 PID 3004 wrote to memory of 2808 3004 9bhbbt.exe 98 PID 3004 wrote to memory of 2808 3004 9bhbbt.exe 98 PID 3004 wrote to memory of 2808 3004 9bhbbt.exe 98 PID 2808 wrote to memory of 2064 2808 jdpjj.exe 265 PID 2808 wrote to memory of 2064 2808 jdpjj.exe 265 PID 2808 wrote to memory of 2064 2808 jdpjj.exe 265 PID 2808 wrote to memory of 2064 2808 jdpjj.exe 265 PID 2064 wrote to memory of 2596 2064 9xrfxrr.exe 33 PID 2064 wrote to memory of 2596 2064 9xrfxrr.exe 33 PID 2064 wrote to memory of 2596 2064 9xrfxrr.exe 33 PID 2064 wrote to memory of 2596 2064 9xrfxrr.exe 33 PID 2596 wrote to memory of 2592 2596 hbhbbb.exe 34 PID 2596 wrote to memory of 2592 2596 hbhbbb.exe 34 PID 2596 wrote to memory of 2592 2596 hbhbbb.exe 34 PID 2596 wrote to memory of 2592 2596 hbhbbb.exe 34 PID 2592 wrote to memory of 2096 2592 dvddj.exe 35 PID 2592 wrote to memory of 2096 2592 dvddj.exe 35 PID 2592 wrote to memory of 2096 2592 dvddj.exe 35 PID 2592 wrote to memory of 2096 2592 dvddj.exe 35 PID 2096 wrote to memory of 1304 2096 rfrlrrx.exe 36 PID 2096 wrote to memory of 1304 2096 rfrlrrx.exe 36 PID 2096 wrote to memory of 1304 2096 rfrlrrx.exe 36 PID 2096 wrote to memory of 1304 2096 rfrlrrx.exe 36 PID 1304 wrote to memory of 2412 1304 xxrxxrl.exe 37 PID 1304 wrote to memory of 2412 1304 xxrxxrl.exe 37 PID 1304 wrote to memory of 2412 1304 xxrxxrl.exe 37 PID 1304 wrote to memory of 2412 1304 xxrxxrl.exe 37 PID 2412 wrote to memory of 2952 2412 htttbt.exe 38 PID 
2412 wrote to memory of 2952 2412 htttbt.exe 38 PID 2412 wrote to memory of 2952 2412 htttbt.exe 38 PID 2412 wrote to memory of 2952 2412 htttbt.exe 38 PID 2952 wrote to memory of 1504 2952 5pdvd.exe 39 PID 2952 wrote to memory of 1504 2952 5pdvd.exe 39 PID 2952 wrote to memory of 1504 2952 5pdvd.exe 39 PID 2952 wrote to memory of 1504 2952 5pdvd.exe 39 PID 1504 wrote to memory of 2868 1504 7xlrrrr.exe 40 PID 1504 wrote to memory of 2868 1504 7xlrrrr.exe 40 PID 1504 wrote to memory of 2868 1504 7xlrrrr.exe 40 PID 1504 wrote to memory of 2868 1504 7xlrrrr.exe 40 PID 2868 wrote to memory of 2608 2868 hbnnhb.exe 41 PID 2868 wrote to memory of 2608 2868 hbnnhb.exe 41 PID 2868 wrote to memory of 2608 2868 hbnnhb.exe 41 PID 2868 wrote to memory of 2608 2868 hbnnhb.exe 41 PID 2608 wrote to memory of 2060 2608 7tbhnb.exe 42 PID 2608 wrote to memory of 2060 2608 7tbhnb.exe 42 PID 2608 wrote to memory of 2060 2608 7tbhnb.exe 42 PID 2608 wrote to memory of 2060 2608 7tbhnb.exe 42 PID 2060 wrote to memory of 112 2060 dvjjv.exe 43 PID 2060 wrote to memory of 112 2060 dvjjv.exe 43 PID 2060 wrote to memory of 112 2060 dvjjv.exe 43 PID 2060 wrote to memory of 112 2060 dvjjv.exe 43 PID 112 wrote to memory of 700 112 xrflfrf.exe 44 PID 112 wrote to memory of 700 112 xrflfrf.exe 44 PID 112 wrote to memory of 700 112 xrflfrf.exe 44 PID 112 wrote to memory of 700 112 xrflfrf.exe 44 PID 700 wrote to memory of 2176 700 nbnnbb.exe 45 PID 700 wrote to memory of 2176 700 nbnnbb.exe 45 PID 700 wrote to memory of 2176 700 nbnnbb.exe 45 PID 700 wrote to memory of 2176 700 nbnnbb.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\efb1119aadc2b3f574e9a708b1fb4fc3590861a8481d93d561d8719b60a57e8b.exe"C:\Users\Admin\AppData\Local\Temp\efb1119aadc2b3f574e9a708b1fb4fc3590861a8481d93d561d8719b60a57e8b.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2780 -
\??\c:\9bhbbt.exec:\9bhbbt.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3004 -
\??\c:\jdpjj.exec:\jdpjj.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2808 -
\??\c:\9xrfxrr.exec:\9xrfxrr.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2064 -
\??\c:\hbhbbb.exec:\hbhbbb.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2596 -
\??\c:\dvddj.exec:\dvddj.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2592 -
\??\c:\rfrlrrx.exec:\rfrlrrx.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2096 -
\??\c:\xxrxxrl.exec:\xxrxxrl.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1304 -
\??\c:\htttbt.exec:\htttbt.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2412 -
\??\c:\5pdvd.exec:\5pdvd.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2952 -
\??\c:\7xlrrrr.exec:\7xlrrrr.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1504 -
\??\c:\hbnnhb.exec:\hbnnhb.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2868 -
\??\c:\7tbhnb.exec:\7tbhnb.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2608 -
\??\c:\dvjjv.exec:\dvjjv.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2060 -
\??\c:\xrflfrf.exec:\xrflfrf.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:112 -
\??\c:\nbnnbb.exec:\nbnnbb.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:700 -
\??\c:\vjvvj.exec:\vjvvj.exe17⤵
- Executes dropped EXE
PID:2176 -
\??\c:\9llfrll.exec:\9llfrll.exe18⤵
- Executes dropped EXE
PID:2076 -
\??\c:\rfrxlfl.exec:\rfrxlfl.exe19⤵
- Executes dropped EXE
PID:2400 -
\??\c:\nbhhhb.exec:\nbhhhb.exe20⤵
- Executes dropped EXE
PID:2244 -
\??\c:\1xlrflr.exec:\1xlrflr.exe21⤵
- Executes dropped EXE
PID:1812 -
\??\c:\lxrxrlr.exec:\lxrxrlr.exe22⤵
- Executes dropped EXE
PID:1028 -
\??\c:\tbthhn.exec:\tbthhn.exe23⤵
- Executes dropped EXE
PID:2524 -
\??\c:\pjvpp.exec:\pjvpp.exe24⤵
- Executes dropped EXE
PID:1616 -
\??\c:\xrxrrrr.exec:\xrxrrrr.exe25⤵
- Executes dropped EXE
PID:2344 -
\??\c:\lfxrxrr.exec:\lfxrxrr.exe26⤵
- Executes dropped EXE
PID:3052 -
\??\c:\nnbhtn.exec:\nnbhtn.exe27⤵
- Executes dropped EXE
PID:2632 -
\??\c:\vpppv.exec:\vpppv.exe28⤵
- Executes dropped EXE
PID:1196 -
\??\c:\9xfxxxf.exec:\9xfxxxf.exe29⤵
- Executes dropped EXE
PID:1016 -
\??\c:\5ttnnn.exec:\5ttnnn.exe30⤵
- Executes dropped EXE
PID:1976 -
\??\c:\jvjjj.exec:\jvjjj.exe31⤵
- Executes dropped EXE
PID:1824 -
\??\c:\1xfxfxf.exec:\1xfxfxf.exe32⤵
- Executes dropped EXE
PID:2708 -
\??\c:\hbhthn.exec:\hbhthn.exe33⤵
- Executes dropped EXE
PID:1708 -
\??\c:\3lfxxff.exec:\3lfxxff.exe34⤵
- Executes dropped EXE
PID:2904 -
\??\c:\1tnnbn.exec:\1tnnbn.exe35⤵
- Executes dropped EXE
PID:2680 -
\??\c:\dvjjp.exec:\dvjjp.exe36⤵
- Executes dropped EXE
PID:2548 -
\??\c:\lfrxllr.exec:\lfrxllr.exe37⤵
- Executes dropped EXE
PID:2052 -
\??\c:\lfxfrlr.exec:\lfxfrlr.exe38⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2872 -
\??\c:\5thbhn.exec:\5thbhn.exe39⤵
- Executes dropped EXE
PID:1160 -
\??\c:\vjjdj.exec:\vjjdj.exe40⤵
- Executes dropped EXE
PID:2396 -
\??\c:\pdpvd.exec:\pdpvd.exe41⤵
- Executes dropped EXE
PID:2976 -
\??\c:\fxllxxl.exec:\fxllxxl.exe42⤵
- Executes dropped EXE
PID:2640 -
\??\c:\btbhtb.exec:\btbhtb.exe43⤵
- Executes dropped EXE
PID:2884 -
\??\c:\nhhhhb.exec:\nhhhhb.exe44⤵
- Executes dropped EXE
PID:2968 -
\??\c:\dvpvj.exec:\dvpvj.exe45⤵
- Executes dropped EXE
PID:2956 -
\??\c:\rlrfrrx.exec:\rlrfrrx.exe46⤵
- Executes dropped EXE
PID:1072 -
\??\c:\bthntt.exec:\bthntt.exe47⤵
- Executes dropped EXE
PID:1968 -
\??\c:\pdvvd.exec:\pdvvd.exe48⤵
- Executes dropped EXE
PID:540 -
\??\c:\ppddj.exec:\ppddj.exe49⤵
- Executes dropped EXE
PID:2080 -
\??\c:\rfllxrr.exec:\rfllxrr.exe50⤵
- Executes dropped EXE
PID:2156 -
\??\c:\bthnbn.exec:\bthnbn.exe51⤵
- Executes dropped EXE
PID:2120 -
\??\c:\nhtntb.exec:\nhtntb.exe52⤵
- Executes dropped EXE
PID:2448 -
\??\c:\jdpvd.exec:\jdpvd.exe53⤵
- Executes dropped EXE
PID:644 -
\??\c:\llxflrl.exec:\llxflrl.exe54⤵
- Executes dropped EXE
PID:1992 -
\??\c:\rlffllr.exec:\rlffllr.exe55⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:616 -
\??\c:\tbnhbb.exec:\tbnhbb.exe56⤵
- Executes dropped EXE
PID:1044 -
\??\c:\tthhtt.exec:\tthhtt.exe57⤵
- Executes dropped EXE
PID:696 -
\??\c:\pjvjj.exec:\pjvjj.exe58⤵
- Executes dropped EXE
PID:2124 -
\??\c:\pdppv.exec:\pdppv.exe59⤵
- Executes dropped EXE
PID:2360 -
\??\c:\rfxfrrf.exec:\rfxfrrf.exe60⤵
- Executes dropped EXE
PID:1584 -
\??\c:\hthnbt.exec:\hthnbt.exe61⤵
- Executes dropped EXE
PID:2300 -
\??\c:\htbbnn.exec:\htbbnn.exe62⤵
- Executes dropped EXE
PID:1652 -
\??\c:\jdjvp.exec:\jdjvp.exe63⤵
- Executes dropped EXE
PID:1564 -
\??\c:\3llxxrr.exec:\3llxxrr.exe64⤵
- Executes dropped EXE
PID:2644 -
\??\c:\xrxxffl.exec:\xrxxffl.exe65⤵
- Executes dropped EXE
PID:1736 -
\??\c:\1thhnn.exec:\1thhnn.exe66⤵PID:2828
-
\??\c:\nbttnh.exec:\nbttnh.exe67⤵PID:2888
-
\??\c:\vvjjj.exec:\vvjjj.exe68⤵PID:1064
-
\??\c:\xlffrrf.exec:\xlffrrf.exe69⤵PID:2832
-
\??\c:\9lfxxxx.exec:\9lfxxxx.exe70⤵PID:2808
-
\??\c:\btbhtb.exec:\btbhtb.exe71⤵PID:2724
-
\??\c:\dvjpd.exec:\dvjpd.exe72⤵PID:2020
-
\??\c:\jjpvj.exec:\jjpvj.exe73⤵PID:2804
-
\??\c:\7lxxffr.exec:\7lxxffr.exe74⤵PID:2236
-
\??\c:\thtbhh.exec:\thtbhh.exe75⤵PID:1272
-
\??\c:\9bnhnn.exec:\9bnhnn.exe76⤵PID:2788
-
\??\c:\9dvdj.exec:\9dvdj.exe77⤵PID:2960
-
\??\c:\jvjjp.exec:\jvjjp.exe78⤵PID:2396
-
\??\c:\llxfxfl.exec:\llxfxfl.exe79⤵PID:1776
-
\??\c:\7bhttt.exec:\7bhttt.exe80⤵PID:2920
-
\??\c:\tnhnbn.exec:\tnhnbn.exe81⤵PID:2908
-
\??\c:\vjppd.exec:\vjppd.exe82⤵PID:2624
-
\??\c:\vvjvj.exec:\vvjvj.exe83⤵PID:2648
-
\??\c:\1xlrrxl.exec:\1xlrrxl.exe84⤵PID:2544
-
\??\c:\5thbhb.exec:\5thbhb.exe85⤵PID:2388
-
\??\c:\hbnnhh.exec:\hbnnhh.exe86⤵PID:588
-
\??\c:\vvpvd.exec:\vvpvd.exe87⤵PID:2204
-
\??\c:\rlxfllx.exec:\rlxfllx.exe88⤵PID:2612
-
\??\c:\rlxrrrx.exec:\rlxrrrx.exe89⤵PID:1876
-
\??\c:\tnhtnn.exec:\tnhtnn.exe90⤵PID:2084
-
\??\c:\vvjvj.exec:\vvjvj.exe91⤵PID:1836
-
\??\c:\1dvpp.exec:\1dvpp.exe92⤵PID:1256
-
\??\c:\rlfrxll.exec:\rlfrxll.exe93⤵PID:2428
-
\??\c:\fxffrlx.exec:\fxffrlx.exe94⤵PID:2224
-
\??\c:\3hhhnn.exec:\3hhhnn.exe95⤵PID:636
-
\??\c:\7jvpj.exec:\7jvpj.exe96⤵PID:1616
-
\??\c:\7dppv.exec:\7dppv.exe97⤵PID:1800
-
\??\c:\lfllrlr.exec:\lfllrlr.exe98⤵PID:3008
-
\??\c:\lxlrxxl.exec:\lxlrxxl.exe99⤵PID:1788
-
\??\c:\tnbhtt.exec:\tnbhtt.exe100⤵PID:2796
-
\??\c:\jpjvd.exec:\jpjvd.exe101⤵PID:1196
-
\??\c:\pjvdj.exec:\pjvdj.exe102⤵PID:2372
-
\??\c:\xrflffl.exec:\xrflffl.exe103⤵PID:1964
-
\??\c:\1lxfxfx.exec:\1lxfxfx.exe104⤵
- System Location Discovery: System Language Discovery
PID:1984 -
\??\c:\btnnbh.exec:\btnnbh.exe105⤵PID:3056
-
\??\c:\thttnn.exec:\thttnn.exe106⤵PID:2816
-
\??\c:\pjdvj.exec:\pjdvj.exe107⤵PID:2888
-
\??\c:\7ddpv.exec:\7ddpv.exe108⤵PID:860
-
\??\c:\lxfflrx.exec:\lxfflrx.exe109⤵PID:2108
-
\??\c:\rfrrllr.exec:\rfrrllr.exe110⤵PID:2664
-
\??\c:\5tnntb.exec:\5tnntb.exe111⤵PID:2680
-
\??\c:\1vjdj.exec:\1vjdj.exe112⤵PID:1388
-
\??\c:\jjdjv.exec:\jjdjv.exe113⤵PID:2804
-
\??\c:\frffllr.exec:\frffllr.exe114⤵PID:2684
-
\??\c:\rxxffrx.exec:\rxxffrx.exe115⤵PID:2720
-
\??\c:\1bhbtn.exec:\1bhbtn.exe116⤵PID:1816
-
\??\c:\1nbbhn.exec:\1nbbhn.exe117⤵PID:2960
-
\??\c:\jpvpp.exec:\jpvpp.exe118⤵PID:2396
-
\??\c:\vdppv.exec:\vdppv.exe119⤵PID:2640
-
\??\c:\rflrxxx.exec:\rflrxxx.exe120⤵PID:2212
-
\??\c:\lfllxll.exec:\lfllxll.exe121⤵PID:1796
-
\??\c:\7bbbbt.exec:\7bbbbt.exe122⤵PID:2532