Analysis
-
max time kernel
150s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
08/01/2025, 07:09
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
ba17807e259e4f579e9565e137db8c523afa98e19853a80165c65bf2b8db7607.exe
Resource
win7-20240903-en
7 signatures
150 seconds
General
-
Target
ba17807e259e4f579e9565e137db8c523afa98e19853a80165c65bf2b8db7607.exe
-
Size
454KB
-
MD5
fddbc0fe12541ffda2bf139c1847103b
-
SHA1
3288d732d4d849faca4c2f5f1721eb77a3a9c860
-
SHA256
ba17807e259e4f579e9565e137db8c523afa98e19853a80165c65bf2b8db7607
-
SHA512
36c990c860b7ec326e9d39f91df186651e09fe1065f8d6c9455fe76008851c146ff6e278409baad2d9a8d8e12a196cb2300003acb6d6a9721ce23e69fce6ca7e
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeZ:q7Tc2NYHUrAwfMp3CDZ
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 46 IoCs
resource yara_rule behavioral1/memory/2552-0-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1660-23-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1036-20-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3056-41-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/776-51-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2828-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2896-78-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3064-87-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/788-97-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2608-105-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2736-116-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1020-124-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2916-133-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2148-142-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1612-171-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3024-185-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2116-216-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1544-234-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2120-252-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2552-279-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2348-295-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2520-298-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3056-319-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1364-318-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/804-331-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2888-344-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2252-358-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2916-405-0x0000000001C70000-0x0000000001C9A000-memory.dmp family_blackmoon behavioral1/memory/1940-420-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2716-424-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1000-442-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2108-461-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/596-486-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/3028-499-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1432-530-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2008-682-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2680-683-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/1748-696-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1232-703-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/832-740-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1640-798-0x00000000002A0000-0x00000000002CA000-memory.dmp family_blackmoon behavioral1/memory/556-909-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon 
behavioral1/memory/1920-937-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/836-997-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1524-1062-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/836-1277-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1036 ppdjp.exe 1660 vppvp.exe 1892 lfxfrfx.exe 3056 tbthhb.exe 776 lfxxflr.exe 2828 nhhtbn.exe 2896 5rrxflf.exe 3064 pppdv.exe 788 3lfxlrl.exe 2608 1vjvd.exe 2736 3nhbnn.exe 1020 9xrxflf.exe 2916 tbbhtb.exe 2148 xrllxfl.exe 2864 hnbttn.exe 1936 9lxxlrx.exe 1112 1hthtb.exe 1612 1rxfffr.exe 3024 5nbhnn.exe 2988 lfxlxff.exe 2536 bhhttn.exe 2116 vpddj.exe 668 hhthbn.exe 1544 7jvpd.exe 316 nbhnnt.exe 2248 vjvvv.exe 2120 llxxlrr.exe 1744 1xrrxfr.exe 2404 fffrfrl.exe 2552 rxlllfr.exe 2348 htnnbb.exe 2520 dvjpd.exe 1704 fxrrrrf.exe 1364 hhbnhn.exe 3056 jdppp.exe 804 frlllff.exe 2884 5hnbtb.exe 2888 5pjjp.exe 2616 xflfxxx.exe 2252 tnnthn.exe 2780 9btbnt.exe 1980 jjvdj.exe 2676 rrlfxlx.exe 2336 9bhhhh.exe 1452 ttnthn.exe 1552 9pjvj.exe 112 1rfllrf.exe 2916 tnhnbh.exe 2148 hhbhbh.exe 1940 9jvdj.exe 2716 frrllrx.exe 1928 9fxfrxf.exe 1000 jpvjv.exe 1360 dddpd.exe 2980 rxrfxxl.exe 2108 tnhntb.exe 2408 pdppp.exe 448 lrflrxl.exe 1108 httthh.exe 596 hbntbh.exe 1548 pjvvp.exe 3028 xxxfrxr.exe 760 hhbnnb.exe 1684 7ddvj.exe -
resource yara_rule behavioral1/memory/2552-0-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1660-23-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1036-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3056-41-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/776-51-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2828-58-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2896-68-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2828-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3064-79-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2896-78-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3064-87-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/788-97-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2736-107-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2608-105-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2736-116-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1020-124-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2148-142-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1612-171-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2988-188-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2116-206-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/668-217-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2116-216-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1544-234-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2120-252-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2404-269-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2552-279-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2348-295-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2520-298-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3056-319-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1364-318-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2888-344-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2616-345-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2252-358-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1940-420-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2716-421-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1000-442-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2108-461-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/596-486-0x00000000001B0000-0x00000000001DA000-memory.dmp upx behavioral1/memory/3028-499-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1432-530-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2868-611-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2680-675-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2008-682-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1748-696-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1232-703-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/832-740-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2488-759-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1532-800-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2760-835-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2200-842-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/760-1017-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2404-1042-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1524-1055-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2520-1069-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2768-1118-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1304-1258-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/836-1277-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2100-1278-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjvvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vddjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvpjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfrrxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhbhnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5djdd.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bthtnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5jjpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7jjjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrxxflx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrxlxff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbtbtb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jppvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhthbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrlrxfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2552 wrote to memory of 1036 2552 ba17807e259e4f579e9565e137db8c523afa98e19853a80165c65bf2b8db7607.exe 30 PID 2552 wrote to memory of 1036 2552 ba17807e259e4f579e9565e137db8c523afa98e19853a80165c65bf2b8db7607.exe 30 PID 2552 wrote to memory of 1036 2552 ba17807e259e4f579e9565e137db8c523afa98e19853a80165c65bf2b8db7607.exe 30 PID 2552 wrote to memory of 1036 2552 ba17807e259e4f579e9565e137db8c523afa98e19853a80165c65bf2b8db7607.exe 30 PID 1036 wrote to memory of 1660 1036 ppdjp.exe 31 PID 1036 wrote to memory of 1660 1036 ppdjp.exe 31 PID 1036 wrote to memory of 1660 1036 ppdjp.exe 31 PID 1036 wrote to memory of 1660 1036 ppdjp.exe 31 PID 1660 wrote to memory of 1892 1660 vppvp.exe 32 PID 1660 wrote to memory of 1892 1660 vppvp.exe 32 PID 1660 wrote to memory of 1892 1660 vppvp.exe 32 PID 1660 wrote to memory of 1892 1660 vppvp.exe 32 PID 1892 wrote to memory of 3056 1892 lfxfrfx.exe 33 PID 1892 wrote to memory of 3056 1892 lfxfrfx.exe 33 PID 1892 wrote to memory of 3056 1892 lfxfrfx.exe 33 PID 1892 wrote to memory of 3056 1892 lfxfrfx.exe 33 PID 3056 wrote to memory of 776 3056 tbthhb.exe 34 PID 3056 wrote to memory of 776 3056 tbthhb.exe 34 PID 3056 wrote to memory of 776 3056 tbthhb.exe 34 PID 3056 wrote to memory of 776 3056 tbthhb.exe 34 PID 776 wrote to memory of 2828 776 lfxxflr.exe 35 PID 776 wrote to memory of 2828 776 lfxxflr.exe 35 PID 776 wrote to memory of 2828 776 lfxxflr.exe 35 PID 776 wrote to memory of 2828 776 lfxxflr.exe 35 PID 2828 wrote to memory of 2896 2828 nhhtbn.exe 36 PID 2828 wrote to memory of 2896 2828 nhhtbn.exe 36 PID 2828 wrote to memory of 2896 2828 nhhtbn.exe 36 PID 2828 wrote to memory of 2896 2828 nhhtbn.exe 36 PID 2896 wrote to memory of 3064 2896 5rrxflf.exe 37 PID 2896 wrote to memory of 3064 2896 5rrxflf.exe 37 PID 2896 wrote to memory of 3064 2896 5rrxflf.exe 37 PID 2896 wrote to memory of 3064 2896 5rrxflf.exe 37 PID 3064 wrote to memory of 788 3064 pppdv.exe 38 PID 3064 wrote to 
memory of 788 3064 pppdv.exe 38 PID 3064 wrote to memory of 788 3064 pppdv.exe 38 PID 3064 wrote to memory of 788 3064 pppdv.exe 38 PID 788 wrote to memory of 2608 788 3lfxlrl.exe 39 PID 788 wrote to memory of 2608 788 3lfxlrl.exe 39 PID 788 wrote to memory of 2608 788 3lfxlrl.exe 39 PID 788 wrote to memory of 2608 788 3lfxlrl.exe 39 PID 2608 wrote to memory of 2736 2608 1vjvd.exe 40 PID 2608 wrote to memory of 2736 2608 1vjvd.exe 40 PID 2608 wrote to memory of 2736 2608 1vjvd.exe 40 PID 2608 wrote to memory of 2736 2608 1vjvd.exe 40 PID 2736 wrote to memory of 1020 2736 3nhbnn.exe 41 PID 2736 wrote to memory of 1020 2736 3nhbnn.exe 41 PID 2736 wrote to memory of 1020 2736 3nhbnn.exe 41 PID 2736 wrote to memory of 1020 2736 3nhbnn.exe 41 PID 1020 wrote to memory of 2916 1020 9xrxflf.exe 42 PID 1020 wrote to memory of 2916 1020 9xrxflf.exe 42 PID 1020 wrote to memory of 2916 1020 9xrxflf.exe 42 PID 1020 wrote to memory of 2916 1020 9xrxflf.exe 42 PID 2916 wrote to memory of 2148 2916 tbbhtb.exe 43 PID 2916 wrote to memory of 2148 2916 tbbhtb.exe 43 PID 2916 wrote to memory of 2148 2916 tbbhtb.exe 43 PID 2916 wrote to memory of 2148 2916 tbbhtb.exe 43 PID 2148 wrote to memory of 2864 2148 xrllxfl.exe 44 PID 2148 wrote to memory of 2864 2148 xrllxfl.exe 44 PID 2148 wrote to memory of 2864 2148 xrllxfl.exe 44 PID 2148 wrote to memory of 2864 2148 xrllxfl.exe 44 PID 2864 wrote to memory of 1936 2864 hnbttn.exe 45 PID 2864 wrote to memory of 1936 2864 hnbttn.exe 45 PID 2864 wrote to memory of 1936 2864 hnbttn.exe 45 PID 2864 wrote to memory of 1936 2864 hnbttn.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\ba17807e259e4f579e9565e137db8c523afa98e19853a80165c65bf2b8db7607.exe"C:\Users\Admin\AppData\Local\Temp\ba17807e259e4f579e9565e137db8c523afa98e19853a80165c65bf2b8db7607.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2552 -
\??\c:\ppdjp.exec:\ppdjp.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1036 -
\??\c:\vppvp.exec:\vppvp.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1660 -
\??\c:\lfxfrfx.exec:\lfxfrfx.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1892 -
\??\c:\tbthhb.exec:\tbthhb.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3056 -
\??\c:\lfxxflr.exec:\lfxxflr.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:776 -
\??\c:\nhhtbn.exec:\nhhtbn.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2828 -
\??\c:\5rrxflf.exec:\5rrxflf.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2896 -
\??\c:\pppdv.exec:\pppdv.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3064 -
\??\c:\3lfxlrl.exec:\3lfxlrl.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:788 -
\??\c:\1vjvd.exec:\1vjvd.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2608 -
\??\c:\3nhbnn.exec:\3nhbnn.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2736 -
\??\c:\9xrxflf.exec:\9xrxflf.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1020 -
\??\c:\tbbhtb.exec:\tbbhtb.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2916 -
\??\c:\xrllxfl.exec:\xrllxfl.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2148 -
\??\c:\hnbttn.exec:\hnbttn.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2864 -
\??\c:\9lxxlrx.exec:\9lxxlrx.exe17⤵
- Executes dropped EXE
PID:1936 -
\??\c:\1hthtb.exec:\1hthtb.exe18⤵
- Executes dropped EXE
PID:1112 -
\??\c:\1rxfffr.exec:\1rxfffr.exe19⤵
- Executes dropped EXE
PID:1612 -
\??\c:\5nbhnn.exec:\5nbhnn.exe20⤵
- Executes dropped EXE
PID:3024 -
\??\c:\lfxlxff.exec:\lfxlxff.exe21⤵
- Executes dropped EXE
PID:2988 -
\??\c:\bhhttn.exec:\bhhttn.exe22⤵
- Executes dropped EXE
PID:2536 -
\??\c:\vpddj.exec:\vpddj.exe23⤵
- Executes dropped EXE
PID:2116 -
\??\c:\hhthbn.exec:\hhthbn.exe24⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:668 -
\??\c:\7jvpd.exec:\7jvpd.exe25⤵
- Executes dropped EXE
PID:1544 -
\??\c:\nbhnnt.exec:\nbhnnt.exe26⤵
- Executes dropped EXE
PID:316 -
\??\c:\vjvvv.exec:\vjvvv.exe27⤵
- Executes dropped EXE
PID:2248 -
\??\c:\llxxlrr.exec:\llxxlrr.exe28⤵
- Executes dropped EXE
PID:2120 -
\??\c:\1xrrxfr.exec:\1xrrxfr.exe29⤵
- Executes dropped EXE
PID:1744 -
\??\c:\fffrfrl.exec:\fffrfrl.exe30⤵
- Executes dropped EXE
PID:2404 -
\??\c:\rxlllfr.exec:\rxlllfr.exe31⤵
- Executes dropped EXE
PID:2552 -
\??\c:\htnnbb.exec:\htnnbb.exe32⤵
- Executes dropped EXE
PID:2348 -
\??\c:\dvjpd.exec:\dvjpd.exe33⤵
- Executes dropped EXE
PID:2520 -
\??\c:\fxrrrrf.exec:\fxrrrrf.exe34⤵
- Executes dropped EXE
PID:1704 -
\??\c:\hhbnhn.exec:\hhbnhn.exe35⤵
- Executes dropped EXE
PID:1364 -
\??\c:\jdppp.exec:\jdppp.exe36⤵
- Executes dropped EXE
PID:3056 -
\??\c:\frlllff.exec:\frlllff.exe37⤵
- Executes dropped EXE
PID:804 -
\??\c:\5hnbtb.exec:\5hnbtb.exe38⤵
- Executes dropped EXE
PID:2884 -
\??\c:\5pjjp.exec:\5pjjp.exe39⤵
- Executes dropped EXE
PID:2888 -
\??\c:\xflfxxx.exec:\xflfxxx.exe40⤵
- Executes dropped EXE
PID:2616 -
\??\c:\tnnthn.exec:\tnnthn.exe41⤵
- Executes dropped EXE
PID:2252 -
\??\c:\9btbnt.exec:\9btbnt.exe42⤵
- Executes dropped EXE
PID:2780 -
\??\c:\jjvdj.exec:\jjvdj.exe43⤵
- Executes dropped EXE
PID:1980 -
\??\c:\rrlfxlx.exec:\rrlfxlx.exe44⤵
- Executes dropped EXE
PID:2676 -
\??\c:\9bhhhh.exec:\9bhhhh.exe45⤵
- Executes dropped EXE
PID:2336 -
\??\c:\ttnthn.exec:\ttnthn.exe46⤵
- Executes dropped EXE
PID:1452 -
\??\c:\9pjvj.exec:\9pjvj.exe47⤵
- Executes dropped EXE
PID:1552 -
\??\c:\1rfllrf.exec:\1rfllrf.exe48⤵
- Executes dropped EXE
PID:112 -
\??\c:\tnhnbh.exec:\tnhnbh.exe49⤵
- Executes dropped EXE
PID:2916 -
\??\c:\hhbhbh.exec:\hhbhbh.exe50⤵
- Executes dropped EXE
PID:2148 -
\??\c:\9jvdj.exec:\9jvdj.exe51⤵
- Executes dropped EXE
PID:1940 -
\??\c:\frrllrx.exec:\frrllrx.exe52⤵
- Executes dropped EXE
PID:2716 -
\??\c:\9fxfrxf.exec:\9fxfrxf.exe53⤵
- Executes dropped EXE
PID:1928 -
\??\c:\jpvjv.exec:\jpvjv.exe54⤵
- Executes dropped EXE
PID:1000 -
\??\c:\dddpd.exec:\dddpd.exe55⤵
- Executes dropped EXE
PID:1360 -
\??\c:\rxrfxxl.exec:\rxrfxxl.exe56⤵
- Executes dropped EXE
PID:2980 -
\??\c:\tnhntb.exec:\tnhntb.exe57⤵
- Executes dropped EXE
PID:2108 -
\??\c:\pdppp.exec:\pdppp.exe58⤵
- Executes dropped EXE
PID:2408 -
\??\c:\lrflrxl.exec:\lrflrxl.exe59⤵
- Executes dropped EXE
PID:448 -
\??\c:\httthh.exec:\httthh.exe60⤵
- Executes dropped EXE
PID:1108 -
\??\c:\hbntbh.exec:\hbntbh.exe61⤵
- Executes dropped EXE
PID:596 -
\??\c:\pjvvp.exec:\pjvvp.exe62⤵
- Executes dropped EXE
PID:1548 -
\??\c:\xxxfrxr.exec:\xxxfrxr.exe63⤵
- Executes dropped EXE
PID:3028 -
\??\c:\hhbnnb.exec:\hhbnnb.exe64⤵
- Executes dropped EXE
PID:760 -
\??\c:\7ddvj.exec:\7ddvj.exe65⤵
- Executes dropped EXE
PID:1684 -
\??\c:\jddjp.exec:\jddjp.exe66⤵PID:2564
-
\??\c:\lfxfxfr.exec:\lfxfxfr.exe67⤵PID:1044
-
\??\c:\bttnnh.exec:\bttnnh.exe68⤵PID:1432
-
\??\c:\ntnbnn.exec:\ntnbnn.exe69⤵PID:2420
-
\??\c:\5dvjv.exec:\5dvjv.exe70⤵PID:1568
-
\??\c:\xrlxrxf.exec:\xrlxrxf.exe71⤵PID:2176
-
\??\c:\rflrxxl.exec:\rflrxxl.exe72⤵PID:2348
-
\??\c:\tbtnbn.exec:\tbtnbn.exe73⤵PID:1900
-
\??\c:\jpvpj.exec:\jpvpj.exe74⤵PID:1704
-
\??\c:\llflxxl.exec:\llflxxl.exe75⤵PID:2912
-
\??\c:\nbhbtb.exec:\nbhbtb.exe76⤵PID:612
-
\??\c:\btnhnh.exec:\btnhnh.exe77⤵PID:2260
-
\??\c:\pvvjv.exec:\pvvjv.exe78⤵PID:2724
-
\??\c:\rlfrxxl.exec:\rlfrxxl.exe79⤵PID:2768
-
\??\c:\ntthtb.exec:\ntthtb.exe80⤵PID:2772
-
\??\c:\ttnttt.exec:\ttnttt.exe81⤵PID:2888
-
\??\c:\dvvvj.exec:\dvvvj.exe82⤵PID:2868
-
\??\c:\xfxlfrr.exec:\xfxlfrr.exe83⤵PID:3048
-
\??\c:\1nthht.exec:\1nthht.exe84⤵PID:2620
-
\??\c:\nhnnbh.exec:\nhnnbh.exe85⤵PID:2384
-
\??\c:\7djvp.exec:\7djvp.exe86⤵PID:2212
-
\??\c:\fxrrffr.exec:\fxrrffr.exe87⤵PID:556
-
\??\c:\tnhhnt.exec:\tnhhnt.exe88⤵PID:1728
-
\??\c:\tnbhtt.exec:\tnbhtt.exe89⤵PID:2008
-
\??\c:\dpvjp.exec:\dpvjp.exe90⤵PID:2576
-
\??\c:\llxflrl.exec:\llxflrl.exe91⤵PID:1916
-
\??\c:\hnbhbt.exec:\hnbhbt.exe92⤵PID:2680
-
\??\c:\tttnbh.exec:\tttnbh.exe93⤵PID:1832
-
\??\c:\vjvvd.exec:\vjvvd.exe94⤵PID:1748
-
\??\c:\xrfflrf.exec:\xrfflrf.exe95⤵PID:1232
-
\??\c:\hthbnn.exec:\hthbnn.exe96⤵PID:856
-
\??\c:\vvjdd.exec:\vvjdd.exe97⤵PID:2132
-
\??\c:\xlxflll.exec:\xlxflll.exe98⤵PID:2164
-
\??\c:\7tnbbn.exec:\7tnbbn.exe99⤵PID:2076
-
\??\c:\1hbthh.exec:\1hbthh.exe100⤵PID:1580
-
\??\c:\vvjdp.exec:\vvjdp.exe101⤵PID:1268
-
\??\c:\rlrllrl.exec:\rlrllrl.exe102⤵PID:832
-
\??\c:\rxxlfrr.exec:\rxxlfrr.exe103⤵PID:1012
-
\??\c:\bhnthn.exec:\bhnthn.exe104⤵PID:1736
-
\??\c:\jvpvd.exec:\jvpvd.exe105⤵PID:2488
-
\??\c:\rlxxlxl.exec:\rlxxlxl.exe106⤵PID:828
-
\??\c:\lfxlrrl.exec:\lfxlrrl.exe107⤵PID:2448
-
\??\c:\ttthtb.exec:\ttthtb.exe108⤵PID:884
-
\??\c:\jjddj.exec:\jjddj.exe109⤵PID:1744
-
\??\c:\fllrlrr.exec:\fllrlrr.exe110⤵PID:2196
-
\??\c:\nnhhnt.exec:\nnhhnt.exe111⤵PID:1640
-
\??\c:\jjjpj.exec:\jjjpj.exe112⤵PID:1532
-
\??\c:\llxlfrl.exec:\llxlfrl.exe113⤵PID:2052
-
\??\c:\bbbnhn.exec:\bbbnhn.exe114⤵PID:1632
-
\??\c:\7ttnbt.exec:\7ttnbt.exe115⤵PID:1892
-
\??\c:\5jvjv.exec:\5jvjv.exe116⤵PID:2084
-
\??\c:\lllrlff.exec:\lllrlff.exe117⤵PID:2760
-
\??\c:\bhbhtt.exec:\bhbhtt.exe118⤵PID:2200
-
\??\c:\9vddp.exec:\9vddp.exe119⤵PID:2904
-
\??\c:\pdvdj.exec:\pdvdj.exe120⤵PID:2768
-
\??\c:\5fxfrxl.exec:\5fxfrxl.exe121⤵PID:2892
-
\??\c:\tbbtnt.exec:\tbbtnt.exe122⤵PID:2644