Analysis
-
max time kernel
120s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
08/01/2025, 07:37
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
907e4063bb136f5661169875d3579e0a44fad12b6e8d8bdd3be80f13902210cbN.exe
Resource
win7-20240903-en
7 signatures
120 seconds
General
-
Target
907e4063bb136f5661169875d3579e0a44fad12b6e8d8bdd3be80f13902210cbN.exe
-
Size
454KB
-
MD5
cbdf7352fb2534971c710847791a1f50
-
SHA1
c45c598e645adcd2ee426926b06d381602fe8cc1
-
SHA256
907e4063bb136f5661169875d3579e0a44fad12b6e8d8bdd3be80f13902210cb
-
SHA512
c2f22da7fddd8a8fe541ba922b1b463712808a24cc6255d4b5c4d68da91ad73ad9168c8dd1b088a0dd4da8e1ecedae0be289f660f5e0e37b9218770d9a94a5f3
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeV:q7Tc2NYHUrAwfMp3CDV
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 47 IoCs
resource yara_rule behavioral1/memory/1224-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2332-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3064-31-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2536-28-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2108-46-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2852-54-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2568-64-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2828-75-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1716-84-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1716-82-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2556-93-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/928-111-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1644-120-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2932-130-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1368-137-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2804-146-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1700-173-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1600-191-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2212-193-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/964-219-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/916-236-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/1444-244-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2996-279-0x0000000076F20000-0x000000007703F000-memory.dmp family_blackmoon behavioral1/memory/2492-290-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2648-346-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1056-379-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2908-392-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2932-405-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2932-406-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1880-426-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2932-428-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2200-447-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2396-459-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1008-466-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1680-499-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1532-549-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2700-586-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2084-631-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3052-650-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1540-812-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/2740-819-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2740-826-0x0000000000330000-0x000000000035A000-memory.dmp family_blackmoon 
behavioral1/memory/2840-856-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/1584-991-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2644-1083-0x00000000002B0000-0x00000000002DA000-memory.dmp family_blackmoon behavioral1/memory/3036-1146-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/2860-1573-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2332 1jdjj.exe 2536 bhbbnt.exe 3064 rllrffx.exe 2108 flxxllx.exe 2852 vpjpv.exe 2568 rxxlxfx.exe 2828 btntht.exe 1716 lxlxfrf.exe 2556 tntbhn.exe 1056 vjvvp.exe 928 btnbnt.exe 1644 dvpvv.exe 2932 bhbhhh.exe 1368 7jppv.exe 2804 5lxflrx.exe 2824 hthnbb.exe 1980 rfrlrrf.exe 1700 tnbhbb.exe 1268 pdddj.exe 1600 xlflxxf.exe 2212 hthhbn.exe 1448 ddvjv.exe 964 nhbntb.exe 1656 dppdv.exe 916 xrlflrf.exe 1444 ththtt.exe 376 fxlrxxf.exe 2124 tnbntb.exe 2440 lxlxxfr.exe 1436 7nthtb.exe 2996 ppjjv.exe 2492 7pjjp.exe 1428 rlfflfx.exe 2536 hhhhtt.exe 2668 vpjvj.exe 2272 jdvvd.exe 2812 1lrxxxx.exe 2852 hhbbnn.exe 2904 1bntnn.exe 2648 9ddjv.exe 2584 llxfxfl.exe 1716 rfxxrrf.exe 2556 5ttbnn.exe 2612 9ppvp.exe 1056 5xfllxx.exe 2776 lllrxxl.exe 2908 5thhhn.exe 320 vpjpv.exe 2932 xxrxrxl.exe 2924 fxlrxfx.exe 2768 hbnttt.exe 1880 vvvdd.exe 1992 frxrrrr.exe 536 nnbtbn.exe 2200 tttbht.exe 1948 ppjjd.exe 2396 xfxfrrf.exe 1008 1xxxxfl.exe 2484 tnhhtt.exe 1312 1ddpv.exe 1804 ffxlrxl.exe 1668 1fflxfl.exe 1680 7btbnt.exe 2120 7dppd.exe -
resource yara_rule behavioral1/memory/2332-9-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1224-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2332-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3064-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2536-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2108-46-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2852-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2828-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2568-64-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2828-75-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2556-93-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/928-111-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2932-130-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1368-137-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2804-146-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1700-173-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1600-191-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2212-193-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1448-202-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/964-219-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/916-236-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1444-244-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2996-279-0x0000000076F20000-0x000000007703F000-memory.dmp upx behavioral1/memory/2492-290-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2812-327-0x0000000001C50000-0x0000000001C7A000-memory.dmp upx behavioral1/memory/2648-346-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2556-359-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2648-362-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1056-379-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2932-405-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2768-413-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1880-420-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1880-426-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2396-459-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1008-466-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1312-473-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1680-499-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1532-542-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1532-549-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2700-586-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2084-631-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3052-650-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/576-663-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1880-688-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/708-713-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1448-732-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1436-799-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1540-812-0x00000000003B0000-0x00000000003DA000-memory.dmp upx 
behavioral1/memory/2740-819-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1428-827-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2840-856-0x00000000003C0000-0x00000000003EA000-memory.dmp upx behavioral1/memory/2832-879-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1800-892-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2628-905-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1952-966-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1584-991-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1656-1022-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2332-1084-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3036-1139-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2008-1203-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer that host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7pdjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7fxrxlx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fllrffr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbnttt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9frfllr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnhbhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnnbtb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjjjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3djjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llxfxxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppjpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvpjv.exe 
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrxlrrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1fflxfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbtbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9vdpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxrxrxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5rlfffl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdvvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1224 wrote to memory of 2332 1224 907e4063bb136f5661169875d3579e0a44fad12b6e8d8bdd3be80f13902210cbN.exe 31 PID 1224 wrote to memory of 2332 1224 907e4063bb136f5661169875d3579e0a44fad12b6e8d8bdd3be80f13902210cbN.exe 31 PID 1224 wrote to memory of 2332 1224 907e4063bb136f5661169875d3579e0a44fad12b6e8d8bdd3be80f13902210cbN.exe 31 PID 1224 wrote to memory of 2332 1224 907e4063bb136f5661169875d3579e0a44fad12b6e8d8bdd3be80f13902210cbN.exe 31 PID 2332 wrote to memory of 2536 2332 1jdjj.exe 32 PID 2332 wrote to memory of 2536 2332 1jdjj.exe 32 PID 2332 wrote to memory of 2536 2332 1jdjj.exe 32 PID 2332 wrote to memory of 2536 2332 1jdjj.exe 32 PID 2536 wrote to memory of 3064 2536 bhbbnt.exe 33 PID 2536 wrote to memory of 3064 2536 bhbbnt.exe 33 PID 2536 wrote to memory of 3064 2536 bhbbnt.exe 33 PID 2536 wrote to memory of 3064 2536 bhbbnt.exe 33 PID 3064 wrote to memory of 2108 3064 rllrffx.exe 34 PID 3064 wrote to memory of 2108 3064 rllrffx.exe 34 PID 3064 wrote to memory of 2108 3064 rllrffx.exe 34 PID 3064 wrote to memory of 2108 3064 rllrffx.exe 34 PID 2108 wrote to memory of 2852 2108 flxxllx.exe 35 PID 2108 wrote to memory of 2852 2108 flxxllx.exe 35 PID 2108 wrote to memory of 2852 2108 flxxllx.exe 35 PID 2108 wrote to memory of 2852 2108 flxxllx.exe 35 PID 2852 wrote to memory of 2568 2852 vpjpv.exe 36 PID 2852 wrote to memory of 2568 2852 vpjpv.exe 36 PID 2852 wrote to memory of 2568 2852 vpjpv.exe 36 PID 2852 wrote to memory of 2568 2852 vpjpv.exe 36 PID 2568 wrote to memory of 2828 2568 rxxlxfx.exe 37 PID 2568 wrote to memory of 2828 2568 rxxlxfx.exe 37 PID 2568 wrote to memory of 2828 2568 rxxlxfx.exe 37 PID 2568 wrote to memory of 2828 2568 rxxlxfx.exe 37 PID 2828 wrote to memory of 1716 2828 btntht.exe 38 PID 2828 wrote to memory of 1716 2828 btntht.exe 38 PID 2828 wrote to memory of 1716 2828 btntht.exe 38 PID 2828 wrote to memory of 1716 2828 btntht.exe 38 PID 1716 wrote to memory of 2556 1716 lxlxfrf.exe 39 PID 
1716 wrote to memory of 2556 1716 lxlxfrf.exe 39 PID 1716 wrote to memory of 2556 1716 lxlxfrf.exe 39 PID 1716 wrote to memory of 2556 1716 lxlxfrf.exe 39 PID 2556 wrote to memory of 1056 2556 tntbhn.exe 40 PID 2556 wrote to memory of 1056 2556 tntbhn.exe 40 PID 2556 wrote to memory of 1056 2556 tntbhn.exe 40 PID 2556 wrote to memory of 1056 2556 tntbhn.exe 40 PID 1056 wrote to memory of 928 1056 vjvvp.exe 41 PID 1056 wrote to memory of 928 1056 vjvvp.exe 41 PID 1056 wrote to memory of 928 1056 vjvvp.exe 41 PID 1056 wrote to memory of 928 1056 vjvvp.exe 41 PID 928 wrote to memory of 1644 928 btnbnt.exe 42 PID 928 wrote to memory of 1644 928 btnbnt.exe 42 PID 928 wrote to memory of 1644 928 btnbnt.exe 42 PID 928 wrote to memory of 1644 928 btnbnt.exe 42 PID 1644 wrote to memory of 2932 1644 dvpvv.exe 43 PID 1644 wrote to memory of 2932 1644 dvpvv.exe 43 PID 1644 wrote to memory of 2932 1644 dvpvv.exe 43 PID 1644 wrote to memory of 2932 1644 dvpvv.exe 43 PID 2932 wrote to memory of 1368 2932 bhbhhh.exe 44 PID 2932 wrote to memory of 1368 2932 bhbhhh.exe 44 PID 2932 wrote to memory of 1368 2932 bhbhhh.exe 44 PID 2932 wrote to memory of 1368 2932 bhbhhh.exe 44 PID 1368 wrote to memory of 2804 1368 7jppv.exe 45 PID 1368 wrote to memory of 2804 1368 7jppv.exe 45 PID 1368 wrote to memory of 2804 1368 7jppv.exe 45 PID 1368 wrote to memory of 2804 1368 7jppv.exe 45 PID 2804 wrote to memory of 2824 2804 5lxflrx.exe 46 PID 2804 wrote to memory of 2824 2804 5lxflrx.exe 46 PID 2804 wrote to memory of 2824 2804 5lxflrx.exe 46 PID 2804 wrote to memory of 2824 2804 5lxflrx.exe 46
Processes
-
C:\Users\Admin\AppData\Local\Temp\907e4063bb136f5661169875d3579e0a44fad12b6e8d8bdd3be80f13902210cbN.exe"C:\Users\Admin\AppData\Local\Temp\907e4063bb136f5661169875d3579e0a44fad12b6e8d8bdd3be80f13902210cbN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1224 -
\??\c:\1jdjj.exec:\1jdjj.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2332 -
\??\c:\bhbbnt.exec:\bhbbnt.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2536 -
\??\c:\rllrffx.exec:\rllrffx.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3064 -
\??\c:\flxxllx.exec:\flxxllx.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2108 -
\??\c:\vpjpv.exec:\vpjpv.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2852 -
\??\c:\rxxlxfx.exec:\rxxlxfx.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2568 -
\??\c:\btntht.exec:\btntht.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2828 -
\??\c:\lxlxfrf.exec:\lxlxfrf.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1716 -
\??\c:\tntbhn.exec:\tntbhn.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2556 -
\??\c:\vjvvp.exec:\vjvvp.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1056 -
\??\c:\btnbnt.exec:\btnbnt.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:928 -
\??\c:\dvpvv.exec:\dvpvv.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1644 -
\??\c:\bhbhhh.exec:\bhbhhh.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2932 -
\??\c:\7jppv.exec:\7jppv.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1368 -
\??\c:\5lxflrx.exec:\5lxflrx.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2804 -
\??\c:\hthnbb.exec:\hthnbb.exe17⤵
- Executes dropped EXE
PID:2824 -
\??\c:\rfrlrrf.exec:\rfrlrrf.exe18⤵
- Executes dropped EXE
PID:1980 -
\??\c:\tnbhbb.exec:\tnbhbb.exe19⤵
- Executes dropped EXE
PID:1700 -
\??\c:\pdddj.exec:\pdddj.exe20⤵
- Executes dropped EXE
PID:1268 -
\??\c:\xlflxxf.exec:\xlflxxf.exe21⤵
- Executes dropped EXE
PID:1600 -
\??\c:\hthhbn.exec:\hthhbn.exe22⤵
- Executes dropped EXE
PID:2212 -
\??\c:\ddvjv.exec:\ddvjv.exe23⤵
- Executes dropped EXE
PID:1448 -
\??\c:\nhbntb.exec:\nhbntb.exe24⤵
- Executes dropped EXE
PID:964 -
\??\c:\dppdv.exec:\dppdv.exe25⤵
- Executes dropped EXE
PID:1656 -
\??\c:\xrlflrf.exec:\xrlflrf.exe26⤵
- Executes dropped EXE
PID:916 -
\??\c:\ththtt.exec:\ththtt.exe27⤵
- Executes dropped EXE
PID:1444 -
\??\c:\fxlrxxf.exec:\fxlrxxf.exe28⤵
- Executes dropped EXE
PID:376 -
\??\c:\tnbntb.exec:\tnbntb.exe29⤵
- Executes dropped EXE
PID:2124 -
\??\c:\lxlxxfr.exec:\lxlxxfr.exe30⤵
- Executes dropped EXE
PID:2440 -
\??\c:\7nthtb.exec:\7nthtb.exe31⤵
- Executes dropped EXE
PID:1436 -
\??\c:\ppjjv.exec:\ppjjv.exe32⤵
- Executes dropped EXE
PID:2996 -
\??\c:\ffllrrx.exec:\ffllrrx.exe33⤵PID:1648
-
\??\c:\7pjjp.exec:\7pjjp.exe34⤵
- Executes dropped EXE
PID:2492 -
\??\c:\rlfflfx.exec:\rlfflfx.exe35⤵
- Executes dropped EXE
PID:1428 -
\??\c:\hhhhtt.exec:\hhhhtt.exe36⤵
- Executes dropped EXE
PID:2536 -
\??\c:\vpjvj.exec:\vpjvj.exe37⤵
- Executes dropped EXE
PID:2668 -
\??\c:\jdvvd.exec:\jdvvd.exe38⤵
- Executes dropped EXE
PID:2272 -
\??\c:\1lrxxxx.exec:\1lrxxxx.exe39⤵
- Executes dropped EXE
PID:2812 -
\??\c:\hhbbnn.exec:\hhbbnn.exe40⤵
- Executes dropped EXE
PID:2852 -
\??\c:\1bntnn.exec:\1bntnn.exe41⤵
- Executes dropped EXE
PID:2904 -
\??\c:\9ddjv.exec:\9ddjv.exe42⤵
- Executes dropped EXE
PID:2648 -
\??\c:\llxfxfl.exec:\llxfxfl.exe43⤵
- Executes dropped EXE
PID:2584 -
\??\c:\rfxxrrf.exec:\rfxxrrf.exe44⤵
- Executes dropped EXE
PID:1716 -
\??\c:\5ttbnn.exec:\5ttbnn.exe45⤵
- Executes dropped EXE
PID:2556 -
\??\c:\9ppvp.exec:\9ppvp.exe46⤵
- Executes dropped EXE
PID:2612 -
\??\c:\5xfllxx.exec:\5xfllxx.exe47⤵
- Executes dropped EXE
PID:1056 -
\??\c:\lllrxxl.exec:\lllrxxl.exe48⤵
- Executes dropped EXE
PID:2776 -
\??\c:\5thhhn.exec:\5thhhn.exe49⤵
- Executes dropped EXE
PID:2908 -
\??\c:\vpjpv.exec:\vpjpv.exe50⤵
- Executes dropped EXE
PID:320 -
\??\c:\xxrxrxl.exec:\xxrxrxl.exe51⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2932 -
\??\c:\fxlrxfx.exec:\fxlrxfx.exe52⤵
- Executes dropped EXE
PID:2924 -
\??\c:\hbnttt.exec:\hbnttt.exe53⤵
- Executes dropped EXE
PID:2768 -
\??\c:\vvvdd.exec:\vvvdd.exe54⤵
- Executes dropped EXE
PID:1880 -
\??\c:\frxrrrr.exec:\frxrrrr.exe55⤵
- Executes dropped EXE
PID:1992 -
\??\c:\nnbtbn.exec:\nnbtbn.exe56⤵
- Executes dropped EXE
PID:536 -
\??\c:\tttbht.exec:\tttbht.exe57⤵
- Executes dropped EXE
PID:2200 -
\??\c:\ppjjd.exec:\ppjjd.exe58⤵
- Executes dropped EXE
PID:1948 -
\??\c:\xfxfrrf.exec:\xfxfrrf.exe59⤵
- Executes dropped EXE
PID:2396 -
\??\c:\1xxxxfl.exec:\1xxxxfl.exe60⤵
- Executes dropped EXE
PID:1008 -
\??\c:\tnhhtt.exec:\tnhhtt.exe61⤵
- Executes dropped EXE
PID:2484 -
\??\c:\1ddpv.exec:\1ddpv.exe62⤵
- Executes dropped EXE
PID:1312 -
\??\c:\ffxlrxl.exec:\ffxlrxl.exe63⤵
- Executes dropped EXE
PID:1804 -
\??\c:\1fflxfl.exec:\1fflxfl.exe64⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1668 -
\??\c:\7btbnt.exec:\7btbnt.exe65⤵
- Executes dropped EXE
PID:1680 -
\??\c:\7dppd.exec:\7dppd.exe66⤵
- Executes dropped EXE
PID:2120 -
\??\c:\rfrrrrx.exec:\rfrrrrx.exe67⤵PID:3016
-
\??\c:\1rrxfrr.exec:\1rrxfrr.exe68⤵PID:2300
-
\??\c:\bbnbbb.exec:\bbnbbb.exe69⤵PID:352
-
\??\c:\ppjpj.exec:\ppjpj.exe70⤵PID:2336
-
\??\c:\7xllrrr.exec:\7xllrrr.exe71⤵PID:2380
-
\??\c:\lflxlxf.exec:\lflxlxf.exe72⤵PID:768
-
\??\c:\bbbnbb.exec:\bbbnbb.exe73⤵PID:1532
-
\??\c:\dvvpv.exec:\dvvpv.exe74⤵PID:1764
-
\??\c:\5jvdj.exec:\5jvdj.exe75⤵PID:2492
-
\??\c:\7xlrfxl.exec:\7xlrfxl.exe76⤵PID:2640
-
\??\c:\9btbnn.exec:\9btbnn.exe77⤵PID:2940
-
\??\c:\3vddj.exec:\3vddj.exe78⤵PID:2536
-
\??\c:\jddjp.exec:\jddjp.exe79⤵PID:2700
-
\??\c:\lrrlxlr.exec:\lrrlxlr.exe80⤵PID:2868
-
\??\c:\7htbhn.exec:\7htbhn.exe81⤵PID:2684
-
\??\c:\vvvjp.exec:\vvvjp.exe82⤵PID:2744
-
\??\c:\flrllll.exec:\flrllll.exe83⤵PID:1556
-
\??\c:\3rfrrrx.exec:\3rfrrrx.exe84⤵PID:2832
-
\??\c:\hnbhhn.exec:\hnbhhn.exe85⤵PID:2624
-
\??\c:\jdpjv.exec:\jdpjv.exe86⤵PID:2084
-
\??\c:\pdpvd.exec:\pdpvd.exe87⤵PID:2152
-
\??\c:\9xllfll.exec:\9xllfll.exe88⤵PID:1488
-
\??\c:\hbbhnn.exec:\hbbhnn.exe89⤵PID:3052
-
\??\c:\vjdpj.exec:\vjdpj.exe90⤵PID:1644
-
\??\c:\xrrrlrx.exec:\xrrrlrx.exe91⤵PID:1720
-
\??\c:\flflxxl.exec:\flflxxl.exe92⤵PID:576
-
\??\c:\nbnttt.exec:\nbnttt.exe93⤵PID:2912
-
\??\c:\pjddp.exec:\pjddp.exe94⤵PID:712
-
\??\c:\pjddd.exec:\pjddd.exe95⤵PID:468
-
\??\c:\7fxxllx.exec:\7fxxllx.exe96⤵PID:1880
-
\??\c:\nbhbhb.exec:\nbhbhb.exe97⤵PID:2000
-
\??\c:\pdvdp.exec:\pdvdp.exe98⤵PID:380
-
\??\c:\jjjvj.exec:\jjjvj.exe99⤵PID:1848
-
\??\c:\xxlfxfx.exec:\xxlfxfx.exe100⤵PID:708
-
\??\c:\nnnhhb.exec:\nnnhhb.exe101⤵PID:2004
-
\??\c:\vpjpd.exec:\vpjpd.exe102⤵PID:444
-
\??\c:\dvpvj.exec:\dvpvj.exe103⤵PID:1448
-
\??\c:\5xrxxxx.exec:\5xrxxxx.exe104⤵PID:1564
-
\??\c:\bhhnhb.exec:\bhhnhb.exe105⤵PID:2148
-
\??\c:\vpjpd.exec:\vpjpd.exe106⤵PID:1688
-
\??\c:\9jvpv.exec:\9jvpv.exe107⤵PID:3020
-
\??\c:\3ffxxff.exec:\3ffxxff.exe108⤵PID:112
-
\??\c:\lfffxxl.exec:\lfffxxl.exe109⤵PID:2132
-
\??\c:\hbnbhh.exec:\hbnbhh.exe110⤵PID:1252
-
\??\c:\djpvp.exec:\djpvp.exe111⤵PID:1016
-
\??\c:\lflxrlf.exec:\lflxrlf.exe112⤵PID:280
-
\??\c:\nhbbbb.exec:\nhbbbb.exe113⤵PID:316
-
\??\c:\3nbbbb.exec:\3nbbbb.exe114⤵PID:1436
-
\??\c:\dvddj.exec:\dvddj.exe115⤵PID:1540
-
\??\c:\9pjdd.exec:\9pjdd.exe116⤵PID:2480
-
\??\c:\rlxxffr.exec:\rlxxffr.exe117⤵PID:2740
-
\??\c:\nbhhnn.exec:\nbhhnn.exe118⤵PID:1428
-
\??\c:\3dvdd.exec:\3dvdd.exe119⤵PID:2836
-
\??\c:\xlffrrf.exec:\xlffrrf.exe120⤵PID:2108
-
\??\c:\xlxxffr.exec:\xlxxffr.exe121⤵PID:2808
-
\??\c:\nhttbn.exec:\nhttbn.exe122⤵PID:2840