Analysis
-
max time kernel
120s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
08/01/2025, 04:53
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
c82b0605c1cee2663a059a5284b134cd572bec00f5cd7121426234ea1ba3beaa.exe
Resource
win7-20240903-en
7 signatures
120 seconds
General
-
Target
c82b0605c1cee2663a059a5284b134cd572bec00f5cd7121426234ea1ba3beaa.exe
-
Size
454KB
-
MD5
b1c2b1be578c8456d581fab13a6adba6
-
SHA1
251ed896de4b6a048e864c1fd66731e6c8d63057
-
SHA256
c82b0605c1cee2663a059a5284b134cd572bec00f5cd7121426234ea1ba3beaa
-
SHA512
6a79c6210d645541bd117b0a7d089eaa614ef8bcb89a6f183e75007778d97a556de96fb1eac98d8a65dc30d8ba41a5accc1d7554b012146c51fc4f1f656f6970
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe/:q7Tc2NYHUrAwfMp3CD/
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 47 IoCs
resource yara_rule behavioral1/memory/2108-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1712-20-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2428-16-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2808-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2360-44-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2916-54-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2928-63-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2632-86-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1900-83-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2236-97-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2632-93-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/548-105-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1476-116-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/548-112-0x00000000005C0000-0x00000000005EA000-memory.dmp family_blackmoon behavioral1/memory/2436-158-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2436-165-0x0000000000260000-0x000000000028A000-memory.dmp family_blackmoon behavioral1/memory/2012-169-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2968-178-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2092-189-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2968-183-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2504-221-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/808-232-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2040-301-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2752-327-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2908-340-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2740-366-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1412-373-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/568-380-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/672-387-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/2520-407-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1752-426-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2024-433-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2848-440-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1752-447-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2440-448-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2128-462-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/848-529-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1948-542-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2264-573-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1476-654-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2252-1027-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/3068-1067-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon 
behavioral1/memory/2264-1078-0x0000000000430000-0x000000000045A000-memory.dmp family_blackmoon behavioral1/memory/2512-1125-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1800-1150-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2036-1157-0x00000000003D0000-0x00000000003FA000-memory.dmp family_blackmoon behavioral1/memory/1720-1170-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2428 ffrfrfr.exe 1712 jjddv.exe 2808 1fxrxxl.exe 2360 fxlrffr.exe 2916 tnnnbt.exe 2928 rlxfrxl.exe 2932 5thntt.exe 1900 1lxxxff.exe 2632 hhbbhh.exe 2236 nbhbnn.exe 548 3rflllx.exe 1476 hhtbnn.exe 2856 rlxfffr.exe 1584 hnbnbh.exe 2000 5rffllr.exe 352 5htnnn.exe 2436 lfxfxfl.exe 2012 7fxlxfl.exe 2968 jjddj.exe 2092 lrflrxf.exe 2100 1dpjj.exe 1920 lfxrflf.exe 2504 tnttbb.exe 1444 bbthtb.exe 808 9djvj.exe 2296 rrlrflx.exe 2208 5vjjv.exe 2260 xxfxfxl.exe 1780 btttbh.exe 2340 rlfrxff.exe 2392 tnhnbh.exe 1600 vvppv.exe 2040 ffrrfxf.exe 2712 vpjjv.exe 1480 xxlflfl.exe 2748 hbtbnn.exe 2724 nbnhhh.exe 2752 jjjpd.exe 2908 llflxxf.exe 2736 3xllrrx.exe 2668 nbhhnt.exe 2896 jdvvd.exe 2740 frlfllr.exe 1412 rlxflrf.exe 568 nhtbhh.exe 672 jpppv.exe 1104 xxlxlxr.exe 1876 3xlllll.exe 2520 nhhthn.exe 1824 3jdpv.exe 2828 7rflxxl.exe 1752 lxrxfxr.exe 2024 bbbntt.exe 2848 7jvdj.exe 2440 3xlfffl.exe 2148 tbnbhn.exe 2128 5tttnb.exe 2508 1dddj.exe 1068 ffrxrfl.exe 948 5nnnbh.exe 1544 hhbhnt.exe 1516 5ddjp.exe 344 ffrxflf.exe 2464 bthntt.exe -
resource yara_rule behavioral1/memory/2108-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1712-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2428-16-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2360-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2808-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2360-44-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2928-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2916-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2928-63-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2932-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1900-75-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2632-86-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1900-83-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2236-97-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/548-105-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1476-116-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/548-112-0x00000000005C0000-0x00000000005EA000-memory.dmp upx behavioral1/memory/352-148-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2436-158-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2012-169-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2968-178-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2092-189-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1444-222-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2504-221-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/808-232-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2040-301-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2752-327-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2908-340-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2896-353-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2740-366-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1412-373-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/568-380-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2520-407-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2024-433-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2848-440-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2440-448-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2148-449-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2128-462-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1544-489-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/772-515-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/848-522-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/848-529-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1948-542-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2264-573-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2652-616-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2164-635-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1476-654-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3060-703-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2240-717-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1236-730-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2252-763-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3052-800-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2872-837-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1476-912-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1644-1013-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2252-1020-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2364-1028-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1484-1041-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1576-1053-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnhthh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfrxfff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1dddj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdjpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3jdpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btnthh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvppv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrrxxfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1rlxfll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrflxfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1xfflxf.exe 
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdpvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjjvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfxfxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llflrfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbnbhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxflxfr.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2108 wrote to memory of 2428 2108 c82b0605c1cee2663a059a5284b134cd572bec00f5cd7121426234ea1ba3beaa.exe 30 PID 2108 wrote to memory of 2428 2108 c82b0605c1cee2663a059a5284b134cd572bec00f5cd7121426234ea1ba3beaa.exe 30 PID 2108 wrote to memory of 2428 2108 c82b0605c1cee2663a059a5284b134cd572bec00f5cd7121426234ea1ba3beaa.exe 30 PID 2108 wrote to memory of 2428 2108 c82b0605c1cee2663a059a5284b134cd572bec00f5cd7121426234ea1ba3beaa.exe 30 PID 2428 wrote to memory of 1712 2428 ffrfrfr.exe 31 PID 2428 wrote to memory of 1712 2428 ffrfrfr.exe 31 PID 2428 wrote to memory of 1712 2428 ffrfrfr.exe 31 PID 2428 wrote to memory of 1712 2428 ffrfrfr.exe 31 PID 1712 wrote to memory of 2808 1712 jjddv.exe 32 PID 1712 wrote to memory of 2808 1712 jjddv.exe 32 PID 1712 wrote to memory of 2808 1712 jjddv.exe 32 PID 1712 wrote to memory of 2808 1712 jjddv.exe 32 PID 2808 wrote to memory of 2360 2808 1fxrxxl.exe 33 PID 2808 wrote to memory of 2360 2808 1fxrxxl.exe 33 PID 2808 wrote to memory of 2360 2808 1fxrxxl.exe 33 PID 2808 wrote to memory of 2360 2808 1fxrxxl.exe 33 PID 2360 wrote to memory of 2916 2360 fxlrffr.exe 34 PID 2360 wrote to memory of 2916 2360 fxlrffr.exe 34 PID 2360 wrote to memory of 2916 2360 fxlrffr.exe 34 PID 2360 wrote to memory of 2916 2360 fxlrffr.exe 34 PID 2916 wrote to memory of 2928 2916 tnnnbt.exe 35 PID 2916 wrote to memory of 2928 2916 tnnnbt.exe 35 PID 2916 wrote to memory of 2928 2916 tnnnbt.exe 35 PID 2916 wrote to memory of 2928 2916 tnnnbt.exe 35 PID 2928 wrote to memory of 2932 2928 rlxfrxl.exe 36 PID 2928 wrote to memory of 2932 2928 rlxfrxl.exe 36 PID 2928 wrote to memory of 2932 2928 rlxfrxl.exe 36 PID 2928 wrote to memory of 2932 2928 rlxfrxl.exe 36 PID 2932 wrote to memory of 1900 2932 5thntt.exe 37 PID 2932 wrote to memory of 1900 2932 5thntt.exe 37 PID 2932 wrote to memory of 1900 2932 5thntt.exe 37 PID 2932 wrote to memory of 1900 2932 5thntt.exe 37 PID 1900 wrote to memory of 2632 1900 1lxxxff.exe 38 
PID 1900 wrote to memory of 2632 1900 1lxxxff.exe 38 PID 1900 wrote to memory of 2632 1900 1lxxxff.exe 38 PID 1900 wrote to memory of 2632 1900 1lxxxff.exe 38 PID 2632 wrote to memory of 2236 2632 hhbbhh.exe 39 PID 2632 wrote to memory of 2236 2632 hhbbhh.exe 39 PID 2632 wrote to memory of 2236 2632 hhbbhh.exe 39 PID 2632 wrote to memory of 2236 2632 hhbbhh.exe 39 PID 2236 wrote to memory of 548 2236 nbhbnn.exe 40 PID 2236 wrote to memory of 548 2236 nbhbnn.exe 40 PID 2236 wrote to memory of 548 2236 nbhbnn.exe 40 PID 2236 wrote to memory of 548 2236 nbhbnn.exe 40 PID 548 wrote to memory of 1476 548 3rflllx.exe 41 PID 548 wrote to memory of 1476 548 3rflllx.exe 41 PID 548 wrote to memory of 1476 548 3rflllx.exe 41 PID 548 wrote to memory of 1476 548 3rflllx.exe 41 PID 1476 wrote to memory of 2856 1476 hhtbnn.exe 42 PID 1476 wrote to memory of 2856 1476 hhtbnn.exe 42 PID 1476 wrote to memory of 2856 1476 hhtbnn.exe 42 PID 1476 wrote to memory of 2856 1476 hhtbnn.exe 42 PID 2856 wrote to memory of 1584 2856 rlxfffr.exe 43 PID 2856 wrote to memory of 1584 2856 rlxfffr.exe 43 PID 2856 wrote to memory of 1584 2856 rlxfffr.exe 43 PID 2856 wrote to memory of 1584 2856 rlxfffr.exe 43 PID 1584 wrote to memory of 2000 1584 hnbnbh.exe 44 PID 1584 wrote to memory of 2000 1584 hnbnbh.exe 44 PID 1584 wrote to memory of 2000 1584 hnbnbh.exe 44 PID 1584 wrote to memory of 2000 1584 hnbnbh.exe 44 PID 2000 wrote to memory of 352 2000 5rffllr.exe 45 PID 2000 wrote to memory of 352 2000 5rffllr.exe 45 PID 2000 wrote to memory of 352 2000 5rffllr.exe 45 PID 2000 wrote to memory of 352 2000 5rffllr.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\c82b0605c1cee2663a059a5284b134cd572bec00f5cd7121426234ea1ba3beaa.exe"C:\Users\Admin\AppData\Local\Temp\c82b0605c1cee2663a059a5284b134cd572bec00f5cd7121426234ea1ba3beaa.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2108 -
\??\c:\ffrfrfr.exec:\ffrfrfr.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2428 -
\??\c:\jjddv.exec:\jjddv.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1712 -
\??\c:\1fxrxxl.exec:\1fxrxxl.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2808 -
\??\c:\fxlrffr.exec:\fxlrffr.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2360 -
\??\c:\tnnnbt.exec:\tnnnbt.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2916 -
\??\c:\rlxfrxl.exec:\rlxfrxl.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2928 -
\??\c:\5thntt.exec:\5thntt.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2932 -
\??\c:\1lxxxff.exec:\1lxxxff.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1900 -
\??\c:\hhbbhh.exec:\hhbbhh.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2632 -
\??\c:\nbhbnn.exec:\nbhbnn.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2236 -
\??\c:\3rflllx.exec:\3rflllx.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:548 -
\??\c:\hhtbnn.exec:\hhtbnn.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1476 -
\??\c:\rlxfffr.exec:\rlxfffr.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2856 -
\??\c:\hnbnbh.exec:\hnbnbh.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1584 -
\??\c:\5rffllr.exec:\5rffllr.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2000 -
\??\c:\5htnnn.exec:\5htnnn.exe17⤵
- Executes dropped EXE
PID:352 -
\??\c:\lfxfxfl.exec:\lfxfxfl.exe18⤵
- Executes dropped EXE
PID:2436 -
\??\c:\7fxlxfl.exec:\7fxlxfl.exe19⤵
- Executes dropped EXE
PID:2012 -
\??\c:\jjddj.exec:\jjddj.exe20⤵
- Executes dropped EXE
PID:2968 -
\??\c:\lrflrxf.exec:\lrflrxf.exe21⤵
- Executes dropped EXE
PID:2092 -
\??\c:\1dpjj.exec:\1dpjj.exe22⤵
- Executes dropped EXE
PID:2100 -
\??\c:\lfxrflf.exec:\lfxrflf.exe23⤵
- Executes dropped EXE
PID:1920 -
\??\c:\tnttbb.exec:\tnttbb.exe24⤵
- Executes dropped EXE
PID:2504 -
\??\c:\bbthtb.exec:\bbthtb.exe25⤵
- Executes dropped EXE
PID:1444 -
\??\c:\9djvj.exec:\9djvj.exe26⤵
- Executes dropped EXE
PID:808 -
\??\c:\rrlrflx.exec:\rrlrflx.exe27⤵
- Executes dropped EXE
PID:2296 -
\??\c:\5vjjv.exec:\5vjjv.exe28⤵
- Executes dropped EXE
PID:2208 -
\??\c:\xxfxfxl.exec:\xxfxfxl.exe29⤵
- Executes dropped EXE
PID:2260 -
\??\c:\btttbh.exec:\btttbh.exe30⤵
- Executes dropped EXE
PID:1780 -
\??\c:\rlfrxff.exec:\rlfrxff.exe31⤵
- Executes dropped EXE
PID:2340 -
\??\c:\tnhnbh.exec:\tnhnbh.exe32⤵
- Executes dropped EXE
PID:2392 -
\??\c:\vvppv.exec:\vvppv.exe33⤵
- Executes dropped EXE
PID:1600 -
\??\c:\ffrrfxf.exec:\ffrrfxf.exe34⤵
- Executes dropped EXE
PID:2040 -
\??\c:\vpjjv.exec:\vpjjv.exe35⤵
- Executes dropped EXE
PID:2712 -
\??\c:\xxlflfl.exec:\xxlflfl.exe36⤵
- Executes dropped EXE
PID:1480 -
\??\c:\hbtbnn.exec:\hbtbnn.exe37⤵
- Executes dropped EXE
PID:2748 -
\??\c:\nbnhhh.exec:\nbnhhh.exe38⤵
- Executes dropped EXE
PID:2724 -
\??\c:\jjjpd.exec:\jjjpd.exe39⤵
- Executes dropped EXE
PID:2752 -
\??\c:\llflxxf.exec:\llflxxf.exe40⤵
- Executes dropped EXE
PID:2908 -
\??\c:\3xllrrx.exec:\3xllrrx.exe41⤵
- Executes dropped EXE
PID:2736 -
\??\c:\nbhhnt.exec:\nbhhnt.exe42⤵
- Executes dropped EXE
PID:2668 -
\??\c:\jdvvd.exec:\jdvvd.exe43⤵
- Executes dropped EXE
PID:2896 -
\??\c:\frlfllr.exec:\frlfllr.exe44⤵
- Executes dropped EXE
PID:2740 -
\??\c:\rlxflrf.exec:\rlxflrf.exe45⤵
- Executes dropped EXE
PID:1412 -
\??\c:\nhtbhh.exec:\nhtbhh.exe46⤵
- Executes dropped EXE
PID:568 -
\??\c:\jpppv.exec:\jpppv.exe47⤵
- Executes dropped EXE
PID:672 -
\??\c:\xxlxlxr.exec:\xxlxlxr.exe48⤵
- Executes dropped EXE
PID:1104 -
\??\c:\3xlllll.exec:\3xlllll.exe49⤵
- Executes dropped EXE
PID:1876 -
\??\c:\nhhthn.exec:\nhhthn.exe50⤵
- Executes dropped EXE
PID:2520 -
\??\c:\3jdpv.exec:\3jdpv.exe51⤵
- Executes dropped EXE
PID:1824 -
\??\c:\7rflxxl.exec:\7rflxxl.exe52⤵
- Executes dropped EXE
PID:2828 -
\??\c:\lxrxfxr.exec:\lxrxfxr.exe53⤵
- Executes dropped EXE
PID:1752 -
\??\c:\bbbntt.exec:\bbbntt.exe54⤵
- Executes dropped EXE
PID:2024 -
\??\c:\7jvdj.exec:\7jvdj.exe55⤵
- Executes dropped EXE
PID:2848 -
\??\c:\3xlfffl.exec:\3xlfffl.exe56⤵
- Executes dropped EXE
PID:2440 -
\??\c:\tbnbhn.exec:\tbnbhn.exe57⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2148 -
\??\c:\5tttnb.exec:\5tttnb.exe58⤵
- Executes dropped EXE
PID:2128 -
\??\c:\1dddj.exec:\1dddj.exe59⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2508 -
\??\c:\ffrxrfl.exec:\ffrxrfl.exe60⤵
- Executes dropped EXE
PID:1068 -
\??\c:\5nnnbh.exec:\5nnnbh.exe61⤵
- Executes dropped EXE
PID:948 -
\??\c:\hhbhnt.exec:\hhbhnt.exe62⤵
- Executes dropped EXE
PID:1544 -
\??\c:\5ddjp.exec:\5ddjp.exe63⤵
- Executes dropped EXE
PID:1516 -
\??\c:\ffrxflf.exec:\ffrxflf.exe64⤵
- Executes dropped EXE
PID:344 -
\??\c:\bthntt.exec:\bthntt.exe65⤵
- Executes dropped EXE
PID:2464 -
\??\c:\nhbbhb.exec:\nhbbhb.exe66⤵PID:2296
-
\??\c:\vpjdd.exec:\vpjdd.exe67⤵PID:772
-
\??\c:\xflffrl.exec:\xflffrl.exe68⤵PID:848
-
\??\c:\bthhtt.exec:\bthhtt.exe69⤵PID:1968
-
\??\c:\9bttbt.exec:\9bttbt.exe70⤵PID:2108
-
\??\c:\pjdjp.exec:\pjdjp.exe71⤵PID:1948
-
\??\c:\xxflxfr.exec:\xxflxfr.exe72⤵
- System Location Discovery: System Language Discovery
PID:1716 -
\??\c:\1llrffl.exec:\1llrffl.exe73⤵PID:3056
-
\??\c:\bntttt.exec:\bntttt.exe74⤵PID:2172
-
\??\c:\1jpjp.exec:\1jpjp.exe75⤵PID:2264
-
\??\c:\vjdpd.exec:\vjdpd.exe76⤵PID:2868
-
\??\c:\9xlrxxf.exec:\9xlrxxf.exe77⤵PID:2872
-
\??\c:\1nhtnt.exec:\1nhtnt.exe78⤵PID:2744
-
\??\c:\dvppv.exec:\dvppv.exe79⤵
- System Location Discovery: System Language Discovery
PID:2224 -
\??\c:\jjdjp.exec:\jjdjp.exe80⤵PID:2656
-
\??\c:\7lxxffx.exec:\7lxxffx.exe81⤵PID:2788
-
\??\c:\tnhbnt.exec:\tnhbnt.exe82⤵PID:2644
-
\??\c:\hhbbnt.exec:\hhbbnt.exe83⤵PID:2652
-
\??\c:\jjjpv.exec:\jjjpv.exe84⤵PID:2336
-
\??\c:\fxffrrf.exec:\fxffrrf.exe85⤵PID:2236
-
\??\c:\7xlfxxl.exec:\7xlfxxl.exe86⤵PID:2164
-
\??\c:\hnhtnb.exec:\hnhtnb.exe87⤵PID:1532
-
\??\c:\9vjpp.exec:\9vjpp.exe88⤵PID:1408
-
\??\c:\jjvvv.exec:\jjvvv.exe89⤵PID:1476
-
\??\c:\9lfxrlr.exec:\9lfxrlr.exe90⤵PID:2516
-
\??\c:\hhbhbb.exec:\hhbhbb.exe91⤵PID:2520
-
\??\c:\1dvpd.exec:\1dvpd.exe92⤵PID:1944
-
\??\c:\3jpdj.exec:\3jpdj.exe93⤵PID:352
-
\??\c:\7fxrxxl.exec:\7fxrxxl.exe94⤵PID:1752
-
\??\c:\xllrrlr.exec:\xllrrlr.exe95⤵PID:832
-
\??\c:\tnhtbb.exec:\tnhtbb.exe96⤵PID:2012
-
\??\c:\ddppp.exec:\ddppp.exe97⤵PID:3060
-
\??\c:\vjdvd.exec:\vjdvd.exe98⤵PID:2220
-
\??\c:\rlxxlxr.exec:\rlxxlxr.exe99⤵PID:2240
-
\??\c:\1nhhtt.exec:\1nhhtt.exe100⤵PID:1276
-
\??\c:\bbtbhh.exec:\bbtbhh.exe101⤵PID:1236
-
\??\c:\pjvdv.exec:\pjvdv.exe102⤵PID:1564
-
\??\c:\lrrxlrl.exec:\lrrxlrl.exe103⤵PID:1516
-
\??\c:\hbntbh.exec:\hbntbh.exe104⤵PID:2452
-
\??\c:\vjppp.exec:\vjppp.exe105⤵PID:2328
-
\??\c:\vpjpd.exec:\vpjpd.exe106⤵PID:2252
-
\??\c:\7fxlrxl.exec:\7fxlrxl.exe107⤵PID:2364
-
\??\c:\7hbhnt.exec:\7hbhnt.exe108⤵PID:2524
-
\??\c:\hhtbnn.exec:\hhtbnn.exe109⤵PID:308
-
\??\c:\3vvdd.exec:\3vvdd.exe110⤵PID:2428
-
\??\c:\pvpdp.exec:\pvpdp.exe111⤵PID:2392
-
\??\c:\xrrrflr.exec:\xrrrflr.exe112⤵PID:3052
-
\??\c:\htnntt.exec:\htnntt.exe113⤵PID:1592
-
\??\c:\bnbbbb.exec:\bnbbbb.exe114⤵PID:1588
-
\??\c:\jvjvd.exec:\jvjvd.exe115⤵PID:536
-
\??\c:\9jjpp.exec:\9jjpp.exe116⤵PID:1480
-
\??\c:\xrlfllx.exec:\xrlfllx.exe117⤵PID:2868
-
\??\c:\ttntbb.exec:\ttntbb.exe118⤵PID:2872
-
\??\c:\hbnhnh.exec:\hbnhnh.exe119⤵PID:2744
-
\??\c:\pjvvj.exec:\pjvvj.exe120⤵PID:2928
-
\??\c:\lfrxfff.exec:\lfrxfff.exe121⤵
- System Location Discovery: System Language Discovery
PID:2736 -
\??\c:\xlrrxxx.exec:\xlrrxxx.exe122⤵PID:1884
-