Analysis
-
max time kernel
120s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
08/01/2025, 04:54
Static task
static1
1 signature
Behavioral task
behavioral1
Sample
f69a9900d5017ff8e095c2d5f3db44476c52ba188dfdf0e92b00dc65ab84e0a5N.exe
Resource
win7-20240903-en
7 signatures
120 seconds
General
-
Target
f69a9900d5017ff8e095c2d5f3db44476c52ba188dfdf0e92b00dc65ab84e0a5N.exe
-
Size
454KB
-
MD5
d884599bc7f70d21692cdb41865021b0
-
SHA1
c08aee552c09e6d883d3897ed6c7b14325028aff
-
SHA256
f69a9900d5017ff8e095c2d5f3db44476c52ba188dfdf0e92b00dc65ab84e0a5
-
SHA512
9a571f547beef515fc6bb068e5f23d7faab00cf8de5a34ea67943541bdb104f6df2d3b29b7912aa2953c2930b59d37ae4e732b3fd14df37aab177170813cb578
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeE:q7Tc2NYHUrAwfMp3CDE
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 49 IoCs
resource yara_rule behavioral1/memory/1604-560-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1888-541-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2400-534-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2408-521-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1648-433-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1308-421-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2680-384-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2840-376-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2716-335-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2008-305-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3044-288-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3044-283-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/552-278-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2964-269-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2936-260-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1948-235-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1948-232-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/448-225-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2448-206-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2424-197-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2636-188-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon 
behavioral1/memory/1388-180-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1388-178-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1284-161-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1980-152-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1296-144-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1296-142-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/1488-134-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2992-124-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2728-114-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2688-112-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2568-103-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2592-95-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2728-84-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2832-76-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2808-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3056-57-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2236-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1864-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2348-26-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2008-16-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2508-8-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/1724-687-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2424-737-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/616-775-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/2120-847-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2360-1037-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2072-1100-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/1524-1233-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2008 pjvdp.exe 2348 llrxlxl.exe 1864 ddvjj.exe 2236 xxxrlfr.exe 3056 jdvvj.exe 2808 frllrrf.exe 2832 nhnntn.exe 2728 vpdjv.exe 2592 lxxxllx.exe 2568 hbhntb.exe 2688 rllrxfr.exe 2992 hbtbhh.exe 1488 jvjjp.exe 1296 lffffxl.exe 1980 3tnthh.exe 1284 jvvvv.exe 380 xlrxlxl.exe 1388 tnnthh.exe 2636 pdvdv.exe 2424 3rxrxff.exe 2448 bttnnn.exe 1848 jdvjj.exe 448 ddvvd.exe 1948 rfxfrfl.exe 800 7pvdd.exe 764 jdvpv.exe 2936 5nbhnh.exe 2964 3nttnn.exe 552 vpjdj.exe 3044 1lfffff.exe 2508 xrffrrf.exe 2008 5pjpp.exe 2500 lxfxlfr.exe 2484 hthhnn.exe 2888 nhtbhh.exe 2092 5vjvv.exe 2716 pdvpv.exe 2724 5rflfxf.exe 2156 rlflrlr.exe 2792 5nhnbh.exe 2656 jdvdd.exe 2188 ffrrfrx.exe 2840 xfrllrl.exe 2680 9hnttb.exe 2844 djdjj.exe 672 1vvpp.exe 2992 lrlfrfl.exe 1180 7frrrrf.exe 1660 hnnnnh.exe 1308 9ppdj.exe 356 dpjjj.exe 1648 7xfrrll.exe 2112 9lfxfxf.exe 1040 5nbhnt.exe 584 hntbtt.exe 2556 1vpvd.exe 2184 jpvpj.exe 2136 rxrfrlx.exe 2268 9lfxlfr.exe 2448 hhbhtb.exe 860 jdjjp.exe 2248 vpdjj.exe 900 lxxrflf.exe 1236 9lflrrx.exe -
resource yara_rule behavioral1/memory/1596-680-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1616-573-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1604-560-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1888-541-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2408-521-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/900-496-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/584-446-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1648-433-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1308-421-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2680-384-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2840-376-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2840-369-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2716-335-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2008-305-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3044-288-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/552-278-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2936-260-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/764-244-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1948-235-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/448-225-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/448-216-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2448-206-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1388-180-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1980-152-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/1296-144-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1488-134-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2992-124-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2688-112-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2592-95-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2728-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2832-76-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2808-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3056-57-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2236-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1864-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1864-27-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2348-26-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2008-16-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2508-8-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1724-687-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1076-694-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1208-750-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1144-763-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2244-802-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2240-828-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2120-847-0x00000000001B0000-0x00000000001DA000-memory.dmp upx behavioral1/memory/2800-860-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2656-891-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2884-988-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2360-1037-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2284-1114-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1524-1233-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xfrllrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpdpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfxfllx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9nhtbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlllxxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlrxlrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfrxffl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddpvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llrrffl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhbnhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llxlffl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpddp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tttthn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhbnth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxfxlfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htntbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2508 wrote to memory of 2008 2508 f69a9900d5017ff8e095c2d5f3db44476c52ba188dfdf0e92b00dc65ab84e0a5N.exe 30 PID 2508 wrote to memory of 2008 2508 f69a9900d5017ff8e095c2d5f3db44476c52ba188dfdf0e92b00dc65ab84e0a5N.exe 30 PID 2508 wrote to memory of 2008 2508 f69a9900d5017ff8e095c2d5f3db44476c52ba188dfdf0e92b00dc65ab84e0a5N.exe 30 PID 2508 wrote to memory of 2008 2508 f69a9900d5017ff8e095c2d5f3db44476c52ba188dfdf0e92b00dc65ab84e0a5N.exe 30 PID 2008 wrote to memory of 2348 2008 pjvdp.exe 31 PID 2008 wrote to memory of 2348 2008 pjvdp.exe 31 PID 2008 wrote to memory of 2348 2008 pjvdp.exe 31 PID 2008 wrote to memory of 2348 2008 pjvdp.exe 31 PID 2348 wrote to memory of 1864 2348 llrxlxl.exe 32 PID 2348 wrote to memory of 1864 2348 llrxlxl.exe 32 PID 2348 wrote to memory of 1864 2348 llrxlxl.exe 32 PID 2348 wrote to memory of 1864 2348 llrxlxl.exe 32 PID 1864 wrote to memory of 2236 1864 ddvjj.exe 33 PID 1864 wrote to memory of 2236 1864 ddvjj.exe 33 PID 1864 wrote to memory of 2236 1864 ddvjj.exe 33 PID 1864 wrote to memory of 2236 1864 ddvjj.exe 33 PID 2236 wrote to memory of 3056 2236 xxxrlfr.exe 34 PID 2236 wrote to memory of 3056 2236 xxxrlfr.exe 34 PID 2236 wrote to memory of 3056 2236 xxxrlfr.exe 34 PID 2236 wrote to memory of 3056 2236 xxxrlfr.exe 34 PID 3056 wrote to memory of 2808 3056 jdvvj.exe 35 PID 3056 wrote to memory of 2808 3056 jdvvj.exe 35 PID 3056 wrote to memory of 2808 3056 jdvvj.exe 35 PID 3056 wrote to memory of 2808 3056 jdvvj.exe 35 PID 2808 wrote to memory of 2832 2808 frllrrf.exe 36 PID 2808 wrote to memory of 2832 2808 frllrrf.exe 36 PID 2808 wrote to memory of 2832 2808 frllrrf.exe 36 PID 2808 wrote to memory of 2832 2808 frllrrf.exe 36 PID 2832 wrote to memory of 2728 2832 nhnntn.exe 37 PID 2832 wrote to memory of 2728 2832 nhnntn.exe 37 PID 2832 wrote to memory of 2728 2832 nhnntn.exe 37 PID 2832 wrote to memory of 2728 2832 nhnntn.exe 37 PID 2728 wrote to memory of 2592 2728 vpdjv.exe 38 PID 2728 
wrote to memory of 2592 2728 vpdjv.exe 38 PID 2728 wrote to memory of 2592 2728 vpdjv.exe 38 PID 2728 wrote to memory of 2592 2728 vpdjv.exe 38 PID 2592 wrote to memory of 2568 2592 lxxxllx.exe 39 PID 2592 wrote to memory of 2568 2592 lxxxllx.exe 39 PID 2592 wrote to memory of 2568 2592 lxxxllx.exe 39 PID 2592 wrote to memory of 2568 2592 lxxxllx.exe 39 PID 2568 wrote to memory of 2688 2568 hbhntb.exe 40 PID 2568 wrote to memory of 2688 2568 hbhntb.exe 40 PID 2568 wrote to memory of 2688 2568 hbhntb.exe 40 PID 2568 wrote to memory of 2688 2568 hbhntb.exe 40 PID 2688 wrote to memory of 2992 2688 rllrxfr.exe 41 PID 2688 wrote to memory of 2992 2688 rllrxfr.exe 41 PID 2688 wrote to memory of 2992 2688 rllrxfr.exe 41 PID 2688 wrote to memory of 2992 2688 rllrxfr.exe 41 PID 2992 wrote to memory of 1488 2992 hbtbhh.exe 42 PID 2992 wrote to memory of 1488 2992 hbtbhh.exe 42 PID 2992 wrote to memory of 1488 2992 hbtbhh.exe 42 PID 2992 wrote to memory of 1488 2992 hbtbhh.exe 42 PID 1488 wrote to memory of 1296 1488 jvjjp.exe 43 PID 1488 wrote to memory of 1296 1488 jvjjp.exe 43 PID 1488 wrote to memory of 1296 1488 jvjjp.exe 43 PID 1488 wrote to memory of 1296 1488 jvjjp.exe 43 PID 1296 wrote to memory of 1980 1296 lffffxl.exe 44 PID 1296 wrote to memory of 1980 1296 lffffxl.exe 44 PID 1296 wrote to memory of 1980 1296 lffffxl.exe 44 PID 1296 wrote to memory of 1980 1296 lffffxl.exe 44 PID 1980 wrote to memory of 1284 1980 3tnthh.exe 45 PID 1980 wrote to memory of 1284 1980 3tnthh.exe 45 PID 1980 wrote to memory of 1284 1980 3tnthh.exe 45 PID 1980 wrote to memory of 1284 1980 3tnthh.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\f69a9900d5017ff8e095c2d5f3db44476c52ba188dfdf0e92b00dc65ab84e0a5N.exe"C:\Users\Admin\AppData\Local\Temp\f69a9900d5017ff8e095c2d5f3db44476c52ba188dfdf0e92b00dc65ab84e0a5N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2508 -
\??\c:\pjvdp.exec:\pjvdp.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2008 -
\??\c:\llrxlxl.exec:\llrxlxl.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2348 -
\??\c:\ddvjj.exec:\ddvjj.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1864 -
\??\c:\xxxrlfr.exec:\xxxrlfr.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2236 -
\??\c:\jdvvj.exec:\jdvvj.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3056 -
\??\c:\frllrrf.exec:\frllrrf.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2808 -
\??\c:\nhnntn.exec:\nhnntn.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2832 -
\??\c:\vpdjv.exec:\vpdjv.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2728 -
\??\c:\lxxxllx.exec:\lxxxllx.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2592 -
\??\c:\hbhntb.exec:\hbhntb.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2568 -
\??\c:\rllrxfr.exec:\rllrxfr.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2688 -
\??\c:\hbtbhh.exec:\hbtbhh.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2992 -
\??\c:\jvjjp.exec:\jvjjp.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1488 -
\??\c:\lffffxl.exec:\lffffxl.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1296 -
\??\c:\3tnthh.exec:\3tnthh.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1980 -
\??\c:\jvvvv.exec:\jvvvv.exe17⤵
- Executes dropped EXE
PID:1284 -
\??\c:\xlrxlxl.exec:\xlrxlxl.exe18⤵
- Executes dropped EXE
PID:380 -
\??\c:\tnnthh.exec:\tnnthh.exe19⤵
- Executes dropped EXE
PID:1388 -
\??\c:\pdvdv.exec:\pdvdv.exe20⤵
- Executes dropped EXE
PID:2636 -
\??\c:\3rxrxff.exec:\3rxrxff.exe21⤵
- Executes dropped EXE
PID:2424 -
\??\c:\bttnnn.exec:\bttnnn.exe22⤵
- Executes dropped EXE
PID:2448 -
\??\c:\jdvjj.exec:\jdvjj.exe23⤵
- Executes dropped EXE
PID:1848 -
\??\c:\ddvvd.exec:\ddvvd.exe24⤵
- Executes dropped EXE
PID:448 -
\??\c:\rfxfrfl.exec:\rfxfrfl.exe25⤵
- Executes dropped EXE
PID:1948 -
\??\c:\7pvdd.exec:\7pvdd.exe26⤵
- Executes dropped EXE
PID:800 -
\??\c:\jdvpv.exec:\jdvpv.exe27⤵
- Executes dropped EXE
PID:764 -
\??\c:\5nbhnh.exec:\5nbhnh.exe28⤵
- Executes dropped EXE
PID:2936 -
\??\c:\3nttnn.exec:\3nttnn.exe29⤵
- Executes dropped EXE
PID:2964 -
\??\c:\vpjdj.exec:\vpjdj.exe30⤵
- Executes dropped EXE
PID:552 -
\??\c:\1lfffff.exec:\1lfffff.exe31⤵
- Executes dropped EXE
PID:3044 -
\??\c:\xrffrrf.exec:\xrffrrf.exe32⤵
- Executes dropped EXE
PID:2508 -
\??\c:\5pjpp.exec:\5pjpp.exe33⤵
- Executes dropped EXE
PID:2008 -
\??\c:\lxfxlfr.exec:\lxfxlfr.exe34⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2500 -
\??\c:\hthhnn.exec:\hthhnn.exe35⤵
- Executes dropped EXE
PID:2484 -
\??\c:\nhtbhh.exec:\nhtbhh.exe36⤵
- Executes dropped EXE
PID:2888 -
\??\c:\5vjvv.exec:\5vjvv.exe37⤵
- Executes dropped EXE
PID:2092 -
\??\c:\pdvpv.exec:\pdvpv.exe38⤵
- Executes dropped EXE
PID:2716 -
\??\c:\5rflfxf.exec:\5rflfxf.exe39⤵
- Executes dropped EXE
PID:2724 -
\??\c:\rlflrlr.exec:\rlflrlr.exe40⤵
- Executes dropped EXE
PID:2156 -
\??\c:\5nhnbh.exec:\5nhnbh.exe41⤵
- Executes dropped EXE
PID:2792 -
\??\c:\jdvdd.exec:\jdvdd.exe42⤵
- Executes dropped EXE
PID:2656 -
\??\c:\ffrrfrx.exec:\ffrrfrx.exe43⤵
- Executes dropped EXE
PID:2188 -
\??\c:\xfrllrl.exec:\xfrllrl.exe44⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2840 -
\??\c:\9hnttb.exec:\9hnttb.exe45⤵
- Executes dropped EXE
PID:2680 -
\??\c:\djdjj.exec:\djdjj.exe46⤵
- Executes dropped EXE
PID:2844 -
\??\c:\1vvpp.exec:\1vvpp.exe47⤵
- Executes dropped EXE
PID:672 -
\??\c:\lrlfrfl.exec:\lrlfrfl.exe48⤵
- Executes dropped EXE
PID:2992 -
\??\c:\7frrrrf.exec:\7frrrrf.exe49⤵
- Executes dropped EXE
PID:1180 -
\??\c:\hnnnnh.exec:\hnnnnh.exe50⤵
- Executes dropped EXE
PID:1660 -
\??\c:\9ppdj.exec:\9ppdj.exe51⤵
- Executes dropped EXE
PID:1308 -
\??\c:\dpjjj.exec:\dpjjj.exe52⤵
- Executes dropped EXE
PID:356 -
\??\c:\7xfrrll.exec:\7xfrrll.exe53⤵
- Executes dropped EXE
PID:1648 -
\??\c:\9lfxfxf.exec:\9lfxfxf.exe54⤵
- Executes dropped EXE
PID:2112 -
\??\c:\5nbhnt.exec:\5nbhnt.exe55⤵
- Executes dropped EXE
PID:1040 -
\??\c:\hntbtt.exec:\hntbtt.exe56⤵
- Executes dropped EXE
PID:584 -
\??\c:\1vpvd.exec:\1vpvd.exe57⤵
- Executes dropped EXE
PID:2556 -
\??\c:\jpvpj.exec:\jpvpj.exe58⤵
- Executes dropped EXE
PID:2184 -
\??\c:\rxrfrlx.exec:\rxrfrlx.exe59⤵
- Executes dropped EXE
PID:2136 -
\??\c:\9lfxlfr.exec:\9lfxlfr.exe60⤵
- Executes dropped EXE
PID:2268 -
\??\c:\hhbhtb.exec:\hhbhtb.exe61⤵
- Executes dropped EXE
PID:2448 -
\??\c:\jdjjp.exec:\jdjjp.exe62⤵
- Executes dropped EXE
PID:860 -
\??\c:\vpdjj.exec:\vpdjj.exe63⤵
- Executes dropped EXE
PID:2248 -
\??\c:\lxxrflf.exec:\lxxrflf.exe64⤵
- Executes dropped EXE
PID:900 -
\??\c:\9lflrrx.exec:\9lflrrx.exe65⤵
- Executes dropped EXE
PID:1236 -
\??\c:\btbhnn.exec:\btbhnn.exe66⤵PID:800
-
\??\c:\3ttbbb.exec:\3ttbbb.exe67⤵PID:2408
-
\??\c:\pdjjd.exec:\pdjjd.exe68⤵PID:2896
-
\??\c:\rrrllrl.exec:\rrrllrl.exe69⤵PID:2400
-
\??\c:\lrlrfxl.exec:\lrlrfxl.exe70⤵PID:1888
-
\??\c:\nnbntn.exec:\nnbntn.exe71⤵PID:3036
-
\??\c:\3tnnhh.exec:\3tnnhh.exe72⤵PID:752
-
\??\c:\vvpvj.exec:\vvpvj.exe73⤵PID:1604
-
\??\c:\pvvjd.exec:\pvvjd.exe74⤵PID:1720
-
\??\c:\xxfxrff.exec:\xxfxrff.exe75⤵PID:2328
-
\??\c:\3nntnn.exec:\3nntnn.exe76⤵PID:1616
-
\??\c:\nhthhn.exec:\nhthhn.exe77⤵PID:2056
-
\??\c:\7ddpv.exec:\7ddpv.exe78⤵PID:2196
-
\??\c:\jvpvv.exec:\jvpvv.exe79⤵PID:2080
-
\??\c:\xxxfrxl.exec:\xxxfrxl.exe80⤵PID:3056
-
\??\c:\llffrrx.exec:\llffrrx.exe81⤵PID:2904
-
\??\c:\ntbttt.exec:\ntbttt.exe82⤵PID:2576
-
\??\c:\ddvdp.exec:\ddvdp.exe83⤵PID:2816
-
\??\c:\pjdpd.exec:\pjdpd.exe84⤵PID:2596
-
\??\c:\5xlfffr.exec:\5xlfffr.exe85⤵PID:2732
-
\??\c:\rflrxxf.exec:\rflrxxf.exe86⤵PID:2592
-
\??\c:\thnnnn.exec:\thnnnn.exe87⤵PID:2640
-
\??\c:\bnbbbb.exec:\bnbbbb.exe88⤵PID:2372
-
\??\c:\dddjj.exec:\dddjj.exe89⤵PID:1632
-
\??\c:\vpdjp.exec:\vpdjp.exe90⤵PID:2312
-
\??\c:\5lrffll.exec:\5lrffll.exe91⤵PID:1096
-
\??\c:\rxlxrfx.exec:\rxlxrfx.exe92⤵PID:1352
-
\??\c:\7nhhhh.exec:\7nhhhh.exe93⤵PID:1596
-
\??\c:\lxlfxxf.exec:\lxlfxxf.exe94⤵PID:1724
-
\??\c:\1jpdj.exec:\1jpdj.exe95⤵PID:1076
-
\??\c:\9xrrrxf.exec:\9xrrrxf.exe96⤵PID:2104
-
\??\c:\nbntnn.exec:\nbntnn.exe97⤵PID:1760
-
\??\c:\nnhnnt.exec:\nnhnnt.exe98⤵PID:2628
-
\??\c:\jppdp.exec:\jppdp.exe99⤵PID:2164
-
\??\c:\ffxllfr.exec:\ffxllfr.exe100⤵PID:2192
-
\??\c:\3ttbnt.exec:\3ttbnt.exe101⤵PID:2424
-
\??\c:\jjjvp.exec:\jjjvp.exe102⤵PID:2864
-
\??\c:\xrxxfxr.exec:\xrxxfxr.exe103⤵PID:2268
-
\??\c:\htbbhn.exec:\htbbhn.exe104⤵PID:1208
-
\??\c:\hbnttt.exec:\hbnttt.exe105⤵PID:1032
-
\??\c:\xfxlfxx.exec:\xfxlfxx.exe106⤵PID:1144
-
\??\c:\xrflrxf.exec:\xrflrxf.exe107⤵PID:616
-
\??\c:\nbbnbn.exec:\nbbnbn.exe108⤵PID:1544
-
\??\c:\pvjjd.exec:\pvjjd.exe109⤵PID:2956
-
\??\c:\bnhbhb.exec:\bnhbhb.exe110⤵PID:2948
-
\??\c:\ddjpp.exec:\ddjpp.exe111⤵PID:996
-
\??\c:\hthhhh.exec:\hthhhh.exe112⤵PID:2244
-
\??\c:\dvdvj.exec:\dvdvj.exe113⤵PID:1044
-
\??\c:\jdpdj.exec:\jdpdj.exe114⤵PID:1608
-
\??\c:\xlfflll.exec:\xlfflll.exe115⤵PID:2496
-
\??\c:\bbnbhn.exec:\bbnbhn.exe116⤵PID:2240
-
\??\c:\9dvjj.exec:\9dvjj.exe117⤵PID:2008
-
\??\c:\frxrlfr.exec:\frxrlfr.exe118⤵PID:2120
-
\??\c:\3vdjv.exec:\3vdjv.exe119⤵PID:2484
-
\??\c:\frfxxxf.exec:\frfxxxf.exe120⤵PID:2660
-
\??\c:\bnnnnn.exec:\bnnnnn.exe121⤵PID:2800
-
\??\c:\jjdpd.exec:\jjdpd.exe122⤵PID:2772