Analysis
-
max time kernel
120s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
20-01-2025 09:00
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
713fa9643098371c2136612bd5be704143d3aa87bf138679d90075431e596f08.exe
Resource
win7-20240903-en
7 signatures
120 seconds
General
-
Target
713fa9643098371c2136612bd5be704143d3aa87bf138679d90075431e596f08.exe
-
Size
456KB
-
MD5
044c864cf0553ce844727934000d968c
-
SHA1
d845f6017ba164abc08c17d129ff7e42b50dbc6a
-
SHA256
713fa9643098371c2136612bd5be704143d3aa87bf138679d90075431e596f08
-
SHA512
7fbd5ce6db4f13cd58d5a12dad8b610c6fe22e5a15b816acd54b5b29ee9675d5910d118487c95554b97044b650045ba8094698f27cb5e8ad073d9f79a2a50931
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbee:q7Tc2NYHUrAwfMp3CDe
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 51 IoCs
resource yara_rule behavioral1/memory/2764-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3004-10-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2248-26-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2804-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2744-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2620-50-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2660-73-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/580-88-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/484-85-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/484-81-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/2064-112-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2516-124-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2232-135-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1820-149-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3024-166-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2088-177-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/296-213-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1252-224-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1812-241-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1112-251-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2392-269-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon 
behavioral1/memory/1812-268-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/2544-275-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1916-289-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2400-306-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/1540-314-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2852-321-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2672-349-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/588-374-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/528-383-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/528-382-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/528-381-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/2172-390-0x0000000000230000-0x000000000025A000-memory.dmp family_blackmoon behavioral1/memory/1736-404-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1736-403-0x00000000002A0000-0x00000000002CA000-memory.dmp family_blackmoon behavioral1/memory/2824-448-0x0000000000330000-0x000000000035A000-memory.dmp family_blackmoon behavioral1/memory/2824-467-0x0000000000330000-0x000000000035A000-memory.dmp family_blackmoon behavioral1/memory/2184-469-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2184-476-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1996-533-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1028-540-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1796-572-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2364-584-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/908-588-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2760-601-0x0000000000330000-0x000000000035A000-memory.dmp family_blackmoon behavioral1/memory/2844-614-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2948-627-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2696-634-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2408-647-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/2064-706-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1548-885-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 3004 xrllfxl.exe 2248 vdvdv.exe 2804 thbtbt.exe 2744 5jddd.exe 2620 tnbhht.exe 2320 djdvp.exe 2660 5rfxxxx.exe 484 jjvjp.exe 580 rffrlrx.exe 880 nbhbhh.exe 2064 xlxflrf.exe 2788 1bntbb.exe 2516 llxlxxl.exe 2232 bbhntt.exe 1820 5ddjp.exe 1940 fffrxfr.exe 3024 pjdvd.exe 2088 rfxrffr.exe 1956 7bntbb.exe 1688 7fxfllr.exe 1532 bhbttn.exe 296 5pjdp.exe 1252 rlrrrll.exe 2772 tnnnbt.exe 1812 fxxflrf.exe 1112 bthntt.exe 2112 pjvpj.exe 2392 rrfxxfx.exe 2544 vvjvd.exe 1916 7rxfllr.exe 1448 1dvvv.exe 2400 lrxflfr.exe 1540 dvvdj.exe 2852 rllxlxl.exe 2904 3rffffl.exe 2948 ntnttb.exe 2636 ddvvj.exe 2924 fxrlrrr.exe 2672 7bhhnt.exe 2620 bbnthn.exe 2172 9jpjj.exe 588 llllxff.exe 528 7ffrxfr.exe 2000 nthtth.exe 2648 vpvjj.exe 1736 fffflll.exe 2084 5tbhbt.exe 2504 nhntbh.exe 2796 pjvdj.exe 2156 1fxfxxl.exe 1380 fxlxffr.exe 976 hbhnbb.exe 2824 vvjjp.exe 1616 xfxlxlr.exe 2592 5lrrxfl.exe 2264 hbhntt.exe 2184 bhbnbh.exe 2436 pjvdj.exe 1124 9frxlrx.exe 1688 lfrxlrf.exe 1504 bnhhhh.exe 2492 jdpjj.exe 1232 dvjdp.exe 852 lffflfl.exe -
resource yara_rule behavioral1/memory/2764-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3004-10-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2804-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2248-26-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2804-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2744-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2620-50-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/580-88-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/484-85-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/484-81-0x00000000003A0000-0x00000000003CA000-memory.dmp upx behavioral1/memory/2064-112-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2516-124-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1820-149-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3024-166-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2088-177-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/296-205-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1252-215-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/296-213-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1252-224-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1812-241-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1112-251-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1916-289-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1540-314-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2852-321-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2672-349-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/588-374-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/528-382-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1736-404-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2824-467-0x0000000000330000-0x000000000035A000-memory.dmp upx behavioral1/memory/2184-469-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2184-476-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1996-533-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1028-540-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1796-572-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2760-601-0x0000000000330000-0x000000000035A000-memory.dmp upx behavioral1/memory/2844-614-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2948-627-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2696-634-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1816-679-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1816-686-0x0000000000330000-0x000000000035A000-memory.dmp upx behavioral1/memory/2064-706-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2084-715-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2088-758-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/972-797-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2376-834-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer that host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxrrffr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llxxfxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9httnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjjdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdpjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5xrxlrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlrxllr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9htbhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrfllff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9jjjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9btbhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhbhnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3frrlfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddddj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbhhtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rflfrxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdpvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1rlxxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvjpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2764 wrote to memory of 3004 2764 713fa9643098371c2136612bd5be704143d3aa87bf138679d90075431e596f08.exe 30 PID 2764 wrote to memory of 3004 2764 713fa9643098371c2136612bd5be704143d3aa87bf138679d90075431e596f08.exe 30 PID 2764 wrote to memory of 3004 2764 713fa9643098371c2136612bd5be704143d3aa87bf138679d90075431e596f08.exe 30 PID 2764 wrote to memory of 3004 2764 713fa9643098371c2136612bd5be704143d3aa87bf138679d90075431e596f08.exe 30 PID 3004 wrote to memory of 2248 3004 xrllfxl.exe 31 PID 3004 wrote to memory of 2248 3004 xrllfxl.exe 31 PID 3004 wrote to memory of 2248 3004 xrllfxl.exe 31 PID 3004 wrote to memory of 2248 3004 xrllfxl.exe 31 PID 2248 wrote to memory of 2804 2248 vdvdv.exe 32 PID 2248 wrote to memory of 2804 2248 vdvdv.exe 32 PID 2248 wrote to memory of 2804 2248 vdvdv.exe 32 PID 2248 wrote to memory of 2804 2248 vdvdv.exe 32 PID 2804 wrote to memory of 2744 2804 thbtbt.exe 33 PID 2804 wrote to memory of 2744 2804 thbtbt.exe 33 PID 2804 wrote to memory of 2744 2804 thbtbt.exe 33 PID 2804 wrote to memory of 2744 2804 thbtbt.exe 33 PID 2744 wrote to memory of 2620 2744 5jddd.exe 34 PID 2744 wrote to memory of 2620 2744 5jddd.exe 34 PID 2744 wrote to memory of 2620 2744 5jddd.exe 34 PID 2744 wrote to memory of 2620 2744 5jddd.exe 34 PID 2620 wrote to memory of 2320 2620 tnbhht.exe 35 PID 2620 wrote to memory of 2320 2620 tnbhht.exe 35 PID 2620 wrote to memory of 2320 2620 tnbhht.exe 35 PID 2620 wrote to memory of 2320 2620 tnbhht.exe 35 PID 2320 wrote to memory of 2660 2320 djdvp.exe 36 PID 2320 wrote to memory of 2660 2320 djdvp.exe 36 PID 2320 wrote to memory of 2660 2320 djdvp.exe 36 PID 2320 wrote to memory of 2660 2320 djdvp.exe 36 PID 2660 wrote to memory of 484 2660 5rfxxxx.exe 37 PID 2660 wrote to memory of 484 2660 5rfxxxx.exe 37 PID 2660 wrote to memory of 484 2660 5rfxxxx.exe 37 PID 2660 wrote to memory of 484 2660 5rfxxxx.exe 37 PID 484 wrote to memory of 580 484 jjvjp.exe 38 PID 484 wrote to memory 
of 580 484 jjvjp.exe 38 PID 484 wrote to memory of 580 484 jjvjp.exe 38 PID 484 wrote to memory of 580 484 jjvjp.exe 38 PID 580 wrote to memory of 880 580 rffrlrx.exe 39 PID 580 wrote to memory of 880 580 rffrlrx.exe 39 PID 580 wrote to memory of 880 580 rffrlrx.exe 39 PID 580 wrote to memory of 880 580 rffrlrx.exe 39 PID 880 wrote to memory of 2064 880 nbhbhh.exe 40 PID 880 wrote to memory of 2064 880 nbhbhh.exe 40 PID 880 wrote to memory of 2064 880 nbhbhh.exe 40 PID 880 wrote to memory of 2064 880 nbhbhh.exe 40 PID 2064 wrote to memory of 2788 2064 xlxflrf.exe 41 PID 2064 wrote to memory of 2788 2064 xlxflrf.exe 41 PID 2064 wrote to memory of 2788 2064 xlxflrf.exe 41 PID 2064 wrote to memory of 2788 2064 xlxflrf.exe 41 PID 2788 wrote to memory of 2516 2788 1bntbb.exe 42 PID 2788 wrote to memory of 2516 2788 1bntbb.exe 42 PID 2788 wrote to memory of 2516 2788 1bntbb.exe 42 PID 2788 wrote to memory of 2516 2788 1bntbb.exe 42 PID 2516 wrote to memory of 2232 2516 llxlxxl.exe 43 PID 2516 wrote to memory of 2232 2516 llxlxxl.exe 43 PID 2516 wrote to memory of 2232 2516 llxlxxl.exe 43 PID 2516 wrote to memory of 2232 2516 llxlxxl.exe 43 PID 2232 wrote to memory of 1820 2232 bbhntt.exe 44 PID 2232 wrote to memory of 1820 2232 bbhntt.exe 44 PID 2232 wrote to memory of 1820 2232 bbhntt.exe 44 PID 2232 wrote to memory of 1820 2232 bbhntt.exe 44 PID 1820 wrote to memory of 1940 1820 5ddjp.exe 45 PID 1820 wrote to memory of 1940 1820 5ddjp.exe 45 PID 1820 wrote to memory of 1940 1820 5ddjp.exe 45 PID 1820 wrote to memory of 1940 1820 5ddjp.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\713fa9643098371c2136612bd5be704143d3aa87bf138679d90075431e596f08.exe"C:\Users\Admin\AppData\Local\Temp\713fa9643098371c2136612bd5be704143d3aa87bf138679d90075431e596f08.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2764 -
\??\c:\xrllfxl.exec:\xrllfxl.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3004 -
\??\c:\vdvdv.exec:\vdvdv.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2248 -
\??\c:\thbtbt.exec:\thbtbt.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2804 -
\??\c:\5jddd.exec:\5jddd.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2744 -
\??\c:\tnbhht.exec:\tnbhht.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2620 -
\??\c:\djdvp.exec:\djdvp.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2320 -
\??\c:\5rfxxxx.exec:\5rfxxxx.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2660 -
\??\c:\jjvjp.exec:\jjvjp.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:484 -
\??\c:\rffrlrx.exec:\rffrlrx.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:580 -
\??\c:\nbhbhh.exec:\nbhbhh.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:880 -
\??\c:\xlxflrf.exec:\xlxflrf.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2064 -
\??\c:\1bntbb.exec:\1bntbb.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2788 -
\??\c:\llxlxxl.exec:\llxlxxl.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2516 -
\??\c:\bbhntt.exec:\bbhntt.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2232 -
\??\c:\5ddjp.exec:\5ddjp.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1820 -
\??\c:\fffrxfr.exec:\fffrxfr.exe17⤵
- Executes dropped EXE
PID:1940 -
\??\c:\pjdvd.exec:\pjdvd.exe18⤵
- Executes dropped EXE
PID:3024 -
\??\c:\rfxrffr.exec:\rfxrffr.exe19⤵
- Executes dropped EXE
PID:2088 -
\??\c:\7bntbb.exec:\7bntbb.exe20⤵
- Executes dropped EXE
PID:1956 -
\??\c:\7fxfllr.exec:\7fxfllr.exe21⤵
- Executes dropped EXE
PID:1688 -
\??\c:\bhbttn.exec:\bhbttn.exe22⤵
- Executes dropped EXE
PID:1532 -
\??\c:\5pjdp.exec:\5pjdp.exe23⤵
- Executes dropped EXE
PID:296 -
\??\c:\rlrrrll.exec:\rlrrrll.exe24⤵
- Executes dropped EXE
PID:1252 -
\??\c:\tnnnbt.exec:\tnnnbt.exe25⤵
- Executes dropped EXE
PID:2772 -
\??\c:\fxxflrf.exec:\fxxflrf.exe26⤵
- Executes dropped EXE
PID:1812 -
\??\c:\bthntt.exec:\bthntt.exe27⤵
- Executes dropped EXE
PID:1112 -
\??\c:\pjvpj.exec:\pjvpj.exe28⤵
- Executes dropped EXE
PID:2112 -
\??\c:\rrfxxfx.exec:\rrfxxfx.exe29⤵
- Executes dropped EXE
PID:2392 -
\??\c:\vvjvd.exec:\vvjvd.exe30⤵
- Executes dropped EXE
PID:2544 -
\??\c:\7rxfllr.exec:\7rxfllr.exe31⤵
- Executes dropped EXE
PID:1916 -
\??\c:\1dvvv.exec:\1dvvv.exe32⤵
- Executes dropped EXE
PID:1448 -
\??\c:\lrxflfr.exec:\lrxflfr.exe33⤵
- Executes dropped EXE
PID:2400 -
\??\c:\dvvdj.exec:\dvvdj.exe34⤵
- Executes dropped EXE
PID:1540 -
\??\c:\rllxlxl.exec:\rllxlxl.exe35⤵
- Executes dropped EXE
PID:2852 -
\??\c:\3rffffl.exec:\3rffffl.exe36⤵
- Executes dropped EXE
PID:2904 -
\??\c:\ntnttb.exec:\ntnttb.exe37⤵
- Executes dropped EXE
PID:2948 -
\??\c:\ddvvj.exec:\ddvvj.exe38⤵
- Executes dropped EXE
PID:2636 -
\??\c:\fxrlrrr.exec:\fxrlrrr.exe39⤵
- Executes dropped EXE
PID:2924 -
\??\c:\7bhhnt.exec:\7bhhnt.exe40⤵
- Executes dropped EXE
PID:2672 -
\??\c:\bbnthn.exec:\bbnthn.exe41⤵
- Executes dropped EXE
PID:2620 -
\??\c:\9jpjj.exec:\9jpjj.exe42⤵
- Executes dropped EXE
PID:2172 -
\??\c:\llllxff.exec:\llllxff.exe43⤵
- Executes dropped EXE
PID:588 -
\??\c:\7ffrxfr.exec:\7ffrxfr.exe44⤵
- Executes dropped EXE
PID:528 -
\??\c:\nthtth.exec:\nthtth.exe45⤵
- Executes dropped EXE
PID:2000 -
\??\c:\vpvjj.exec:\vpvjj.exe46⤵
- Executes dropped EXE
PID:2648 -
\??\c:\fffflll.exec:\fffflll.exe47⤵
- Executes dropped EXE
PID:1736 -
\??\c:\5tbhbt.exec:\5tbhbt.exe48⤵
- Executes dropped EXE
PID:2084 -
\??\c:\nhntbh.exec:\nhntbh.exe49⤵
- Executes dropped EXE
PID:2504 -
\??\c:\pjvdj.exec:\pjvdj.exe50⤵
- Executes dropped EXE
PID:2796 -
\??\c:\1fxfxxl.exec:\1fxfxxl.exe51⤵
- Executes dropped EXE
PID:2156 -
\??\c:\fxlxffr.exec:\fxlxffr.exe52⤵
- Executes dropped EXE
PID:1380 -
\??\c:\hbhnbb.exec:\hbhnbb.exe53⤵
- Executes dropped EXE
PID:976 -
\??\c:\vvjjp.exec:\vvjjp.exe54⤵
- Executes dropped EXE
PID:2824 -
\??\c:\xfxlxlr.exec:\xfxlxlr.exe55⤵
- Executes dropped EXE
PID:1616 -
\??\c:\5lrrxfl.exec:\5lrrxfl.exe56⤵
- Executes dropped EXE
PID:2592 -
\??\c:\hbhntt.exec:\hbhntt.exe57⤵
- Executes dropped EXE
PID:2264 -
\??\c:\bhbnbh.exec:\bhbnbh.exe58⤵
- Executes dropped EXE
PID:2184 -
\??\c:\pjvdj.exec:\pjvdj.exe59⤵
- Executes dropped EXE
PID:2436 -
\??\c:\9frxlrx.exec:\9frxlrx.exe60⤵
- Executes dropped EXE
PID:1124 -
\??\c:\lfrxlrf.exec:\lfrxlrf.exe61⤵
- Executes dropped EXE
PID:1688 -
\??\c:\bnhhhh.exec:\bnhhhh.exe62⤵
- Executes dropped EXE
PID:1504 -
\??\c:\jdpjj.exec:\jdpjj.exe63⤵
- Executes dropped EXE
PID:2492 -
\??\c:\dvjdp.exec:\dvjdp.exe64⤵
- Executes dropped EXE
PID:1232 -
\??\c:\lffflfl.exec:\lffflfl.exe65⤵
- Executes dropped EXE
PID:852 -
\??\c:\3htnhh.exec:\3htnhh.exe66⤵PID:1712
-
\??\c:\jvpvj.exec:\jvpvj.exe67⤵PID:1996
-
\??\c:\ppvpj.exec:\ppvpj.exe68⤵PID:1028
-
\??\c:\rlffrxl.exec:\rlffrxl.exe69⤵PID:1892
-
\??\c:\9htbtt.exec:\9htbtt.exe70⤵PID:1588
-
\??\c:\jdpjd.exec:\jdpjd.exe71⤵PID:1628
-
\??\c:\1pvvj.exec:\1pvvj.exe72⤵PID:1716
-
\??\c:\llxfxfr.exec:\llxfxfr.exe73⤵PID:1796
-
\??\c:\5bnhnn.exec:\5bnhnn.exe74⤵PID:2688
-
\??\c:\9hntnt.exec:\9hntnt.exe75⤵PID:2364
-
\??\c:\pjvdj.exec:\pjvdj.exe76⤵PID:908
-
\??\c:\3lfxllx.exec:\3lfxllx.exe77⤵PID:2400
-
\??\c:\5xffffr.exec:\5xffffr.exe78⤵PID:2760
-
\??\c:\bthhtb.exec:\bthhtb.exe79⤵PID:2724
-
\??\c:\dvjvj.exec:\dvjvj.exe80⤵PID:2844
-
\??\c:\7vddv.exec:\7vddv.exe81⤵PID:2948
-
\??\c:\3frrfxf.exec:\3frrfxf.exe82⤵PID:2696
-
\??\c:\hnthnh.exec:\hnthnh.exe83⤵PID:2728
-
\??\c:\jvddd.exec:\jvddd.exe84⤵PID:2408
-
\??\c:\pjddp.exec:\pjddp.exe85⤵PID:2620
-
\??\c:\3lfxfll.exec:\3lfxfll.exe86⤵PID:792
-
\??\c:\nhttbb.exec:\nhttbb.exe87⤵PID:1436
-
\??\c:\9bhtth.exec:\9bhtth.exe88⤵PID:1040
-
\??\c:\dvpvv.exec:\dvpvv.exe89⤵PID:2052
-
\??\c:\rrlxllx.exec:\rrlxllx.exe90⤵PID:1816
-
\??\c:\xrfxffr.exec:\xrfxffr.exe91⤵PID:2968
-
\??\c:\nttbtt.exec:\nttbtt.exe92⤵PID:2084
-
\??\c:\vjdjj.exec:\vjdjj.exe93⤵PID:2064
-
\??\c:\fxrxflr.exec:\fxrxflr.exe94⤵PID:2952
-
\??\c:\9nbbtt.exec:\9nbbtt.exe95⤵PID:1572
-
\??\c:\nnhtht.exec:\nnhtht.exe96⤵PID:1640
-
\??\c:\vpvvj.exec:\vpvvj.exe97⤵PID:1948
-
\??\c:\lfffflr.exec:\lfffflr.exe98⤵PID:2824
-
\??\c:\lxllrxf.exec:\lxllrxf.exe99⤵PID:1620
-
\??\c:\nbnntt.exec:\nbnntt.exe100⤵PID:2204
-
\??\c:\5hbbbb.exec:\5hbbbb.exe101⤵PID:2060
-
\??\c:\7jpdp.exec:\7jpdp.exe102⤵PID:2088
-
\??\c:\7xlllxf.exec:\7xlllxf.exe103⤵PID:2464
-
\??\c:\tnbhtt.exec:\tnbhtt.exe104⤵PID:1692
-
\??\c:\5bhhtb.exec:\5bhhtb.exe105⤵PID:2300
-
\??\c:\dvjpd.exec:\dvjpd.exe106⤵PID:704
-
\??\c:\5rxxfrf.exec:\5rxxfrf.exe107⤵PID:1292
-
\??\c:\5nhhnt.exec:\5nhhnt.exe108⤵PID:972
-
\??\c:\bnbbnn.exec:\bnbbnn.exe109⤵PID:2284
-
\??\c:\1pjdv.exec:\1pjdv.exe110⤵PID:1712
-
\??\c:\lffrffr.exec:\lffrffr.exe111⤵PID:924
-
\??\c:\rflfrxr.exec:\rflfrxr.exe112⤵
- System Location Discovery: System Language Discovery
PID:876 -
\??\c:\3tbthh.exec:\3tbthh.exe113⤵PID:624
-
\??\c:\vpjjj.exec:\vpjjj.exe114⤵PID:2376
-
\??\c:\1lrlxfr.exec:\1lrlxfr.exe115⤵PID:304
-
\??\c:\xlrffxf.exec:\xlrffxf.exe116⤵PID:2576
-
\??\c:\9btthn.exec:\9btthn.exe117⤵PID:1180
-
\??\c:\djddv.exec:\djddv.exe118⤵PID:1936
-
\??\c:\1vjpj.exec:\1vjpj.exe119⤵PID:1896
-
\??\c:\lfxrllf.exec:\lfxrllf.exe120⤵PID:1552
-
\??\c:\rrffffl.exec:\rrffffl.exe121⤵PID:1548
-
\??\c:\5nhnnn.exec:\5nhnnn.exe122⤵PID:3012