Analysis
-
max time kernel
150s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system -
submitted
08/01/2025, 05:03
Static task
static1
1 signature
Behavioral task
behavioral1
Sample
998c61dcd8a4736dc5309e0a618e3f24e04205711f02133e7765910c826c6d31.exe
Resource
win7-20240903-en
7 signatures
150 seconds
General
-
Target
998c61dcd8a4736dc5309e0a618e3f24e04205711f02133e7765910c826c6d31.exe
-
Size
455KB
-
MD5
bcd0f66fa1c1e3f79613b76df340bacc
-
SHA1
707fae71aa8138faa299a140e6962175c7524018
-
SHA256
998c61dcd8a4736dc5309e0a618e3f24e04205711f02133e7765910c826c6d31
-
SHA512
dd636eecf5e6047e601d5a981b231916191efd9478789f4bd45a40487780efe85699b47a44589ba1c7b6bef6e5dcda221e878886758e968d4a43d83123db4591
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbed:q7Tc2NYHUrAwfMp3CDd
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 38 IoCs
resource yara_rule behavioral1/memory/2660-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2416-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2780-21-0x00000000002C0000-0x00000000002EA000-memory.dmp family_blackmoon behavioral1/memory/2780-27-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2904-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2884-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2664-55-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2612-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2604-74-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2976-91-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2428-101-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2292-118-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1884-120-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1372-153-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2204-171-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2968-204-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1608-223-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1608-221-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2320-242-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1452-240-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2940-261-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/624-280-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3060-295-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2676-308-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/852-427-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2956-479-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1688-575-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2548-602-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1716-627-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1680-678-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2836-691-0x0000000000230000-0x000000000025A000-memory.dmp family_blackmoon behavioral1/memory/2932-706-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/972-744-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1756-802-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2744-849-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1312-1023-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/1688-1116-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2752-1208-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon -
Executes dropped EXE — 64 IoCs (the IoC listing appears capped at 64 entries; the process tree below shows the drop-and-execute chain continuing to a nesting depth of 122, each stage launching the next single-purpose binary dropped to the root of C:\)
pid Process 2416 3jpvd.exe 2780 lfxxflr.exe 2904 djjpd.exe 2884 hbtbnn.exe 2664 frxrrll.exe 2612 5thnnn.exe 2604 3xlrfrl.exe 1796 hnhnbn.exe 2976 rxrfrxr.exe 2428 ttnthn.exe 2608 rlffxrr.exe 2292 7fxfrrf.exe 1884 pvpvd.exe 800 xrlrxfx.exe 2648 ppjvd.exe 1992 fxrrffr.exe 1372 pjppp.exe 1344 xlxfllf.exe 2204 nhbhnb.exe 2364 ddvjp.exe 1804 3bthnt.exe 2968 rrxxrrx.exe 1972 bnhnbh.exe 1608 3jjjj.exe 1980 xxlxflx.exe 1452 pjddj.exe 2320 5tntbb.exe 1756 7jjpv.exe 2940 xlflxff.exe 1812 1nnbtt.exe 624 jdjvj.exe 3060 thbnnb.exe 1688 ppppj.exe 2676 7nbnhb.exe 2668 tbttbt.exe 2572 dppdd.exe 2688 rfrrxxf.exe 2548 bbbhtt.exe 2556 vpddp.exe 3020 jvjjj.exe 2612 lrllrrf.exe 1368 hbntnb.exe 2980 pjppd.exe 2012 vppvd.exe 2976 lxffrlx.exe 2408 bthtbb.exe 2532 tbnhth.exe 1520 1dvvd.exe 2028 rrrfxrl.exe 1324 tnbbhn.exe 1664 btnthh.exe 1760 vjdjp.exe 852 1rlxlrf.exe 1988 hhbntt.exe 2756 bbhhnn.exe 2924 vdpjv.exe 2424 llflxfr.exe 2920 7lffllx.exe 2392 hhtbnn.exe 2960 vpjjp.exe 2956 3jddj.exe 848 rlllllf.exe 1100 nnnbnt.exe 1608 bbnhhn.exe -
resource yara_rule behavioral1/memory/2660-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2416-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2780-21-0x00000000002C0000-0x00000000002EA000-memory.dmp upx behavioral1/memory/2904-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2780-27-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2904-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2884-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2664-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2612-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2604-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2604-74-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2976-91-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2428-101-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2292-118-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1884-120-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1372-153-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2204-171-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2968-204-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1608-223-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2320-242-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1452-240-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2940-261-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1812-275-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/624-280-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/3060-295-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2676-308-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2572-315-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2012-369-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2532-404-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/852-427-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2956-479-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3060-564-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/1688-575-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2548-602-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1716-627-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1680-678-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/972-744-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3032-751-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1936-764-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1756-802-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2356-809-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2660-828-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2744-849-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2556-875-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1312-1023-0x00000000003B0000-0x00000000003DA000-memory.dmp upx behavioral1/memory/1028-1038-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1688-1116-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2832-1181-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2752-1208-0x00000000003C0000-0x00000000003EA000-memory.dmp upx behavioral1/memory/2692-1220-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/480-1233-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location. Analyst note: reading the NLS\Language registry key is also common in benign software, so on its own this is a weak indicator; weight it together with the Blackmoon memory detections above rather than in isolation.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9rrxfrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rllxxlx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lffxffl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxrrflf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxlxflx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1rflrxl.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnnntb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llrlxlx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rllrflx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbtbht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process 
not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhbhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nthtth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9bnttt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfxfrxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhhnbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbtthh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjjvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrffllr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory — 64 IoCs (each entry records a parent process writing into the address space of the child it spawned, matching the parent/child pairs in the process tree below; the same write is reported four times per child, so the list covers the first 16 stages of the chain)
description pid Process procid_target PID 2660 wrote to memory of 2416 2660 998c61dcd8a4736dc5309e0a618e3f24e04205711f02133e7765910c826c6d31.exe 30 PID 2660 wrote to memory of 2416 2660 998c61dcd8a4736dc5309e0a618e3f24e04205711f02133e7765910c826c6d31.exe 30 PID 2660 wrote to memory of 2416 2660 998c61dcd8a4736dc5309e0a618e3f24e04205711f02133e7765910c826c6d31.exe 30 PID 2660 wrote to memory of 2416 2660 998c61dcd8a4736dc5309e0a618e3f24e04205711f02133e7765910c826c6d31.exe 30 PID 2416 wrote to memory of 2780 2416 3jpvd.exe 31 PID 2416 wrote to memory of 2780 2416 3jpvd.exe 31 PID 2416 wrote to memory of 2780 2416 3jpvd.exe 31 PID 2416 wrote to memory of 2780 2416 3jpvd.exe 31 PID 2780 wrote to memory of 2904 2780 lfxxflr.exe 32 PID 2780 wrote to memory of 2904 2780 lfxxflr.exe 32 PID 2780 wrote to memory of 2904 2780 lfxxflr.exe 32 PID 2780 wrote to memory of 2904 2780 lfxxflr.exe 32 PID 2904 wrote to memory of 2884 2904 djjpd.exe 33 PID 2904 wrote to memory of 2884 2904 djjpd.exe 33 PID 2904 wrote to memory of 2884 2904 djjpd.exe 33 PID 2904 wrote to memory of 2884 2904 djjpd.exe 33 PID 2884 wrote to memory of 2664 2884 hbtbnn.exe 34 PID 2884 wrote to memory of 2664 2884 hbtbnn.exe 34 PID 2884 wrote to memory of 2664 2884 hbtbnn.exe 34 PID 2884 wrote to memory of 2664 2884 hbtbnn.exe 34 PID 2664 wrote to memory of 2612 2664 frxrrll.exe 35 PID 2664 wrote to memory of 2612 2664 frxrrll.exe 35 PID 2664 wrote to memory of 2612 2664 frxrrll.exe 35 PID 2664 wrote to memory of 2612 2664 frxrrll.exe 35 PID 2612 wrote to memory of 2604 2612 5thnnn.exe 36 PID 2612 wrote to memory of 2604 2612 5thnnn.exe 36 PID 2612 wrote to memory of 2604 2612 5thnnn.exe 36 PID 2612 wrote to memory of 2604 2612 5thnnn.exe 36 PID 2604 wrote to memory of 1796 2604 3xlrfrl.exe 37 PID 2604 wrote to memory of 1796 2604 3xlrfrl.exe 37 PID 2604 wrote to memory of 1796 2604 3xlrfrl.exe 37 PID 2604 wrote to memory of 1796 2604 3xlrfrl.exe 37 PID 1796 wrote to memory of 2976 1796 hnhnbn.exe 38 PID 1796 
wrote to memory of 2976 1796 hnhnbn.exe 38 PID 1796 wrote to memory of 2976 1796 hnhnbn.exe 38 PID 1796 wrote to memory of 2976 1796 hnhnbn.exe 38 PID 2976 wrote to memory of 2428 2976 rxrfrxr.exe 39 PID 2976 wrote to memory of 2428 2976 rxrfrxr.exe 39 PID 2976 wrote to memory of 2428 2976 rxrfrxr.exe 39 PID 2976 wrote to memory of 2428 2976 rxrfrxr.exe 39 PID 2428 wrote to memory of 2608 2428 ttnthn.exe 40 PID 2428 wrote to memory of 2608 2428 ttnthn.exe 40 PID 2428 wrote to memory of 2608 2428 ttnthn.exe 40 PID 2428 wrote to memory of 2608 2428 ttnthn.exe 40 PID 2608 wrote to memory of 2292 2608 rlffxrr.exe 41 PID 2608 wrote to memory of 2292 2608 rlffxrr.exe 41 PID 2608 wrote to memory of 2292 2608 rlffxrr.exe 41 PID 2608 wrote to memory of 2292 2608 rlffxrr.exe 41 PID 2292 wrote to memory of 1884 2292 7fxfrrf.exe 42 PID 2292 wrote to memory of 1884 2292 7fxfrrf.exe 42 PID 2292 wrote to memory of 1884 2292 7fxfrrf.exe 42 PID 2292 wrote to memory of 1884 2292 7fxfrrf.exe 42 PID 1884 wrote to memory of 800 1884 pvpvd.exe 43 PID 1884 wrote to memory of 800 1884 pvpvd.exe 43 PID 1884 wrote to memory of 800 1884 pvpvd.exe 43 PID 1884 wrote to memory of 800 1884 pvpvd.exe 43 PID 800 wrote to memory of 2648 800 xrlrxfx.exe 44 PID 800 wrote to memory of 2648 800 xrlrxfx.exe 44 PID 800 wrote to memory of 2648 800 xrlrxfx.exe 44 PID 800 wrote to memory of 2648 800 xrlrxfx.exe 44 PID 2648 wrote to memory of 1992 2648 ppjvd.exe 45 PID 2648 wrote to memory of 1992 2648 ppjvd.exe 45 PID 2648 wrote to memory of 1992 2648 ppjvd.exe 45 PID 2648 wrote to memory of 1992 2648 ppjvd.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\998c61dcd8a4736dc5309e0a618e3f24e04205711f02133e7765910c826c6d31.exe"C:\Users\Admin\AppData\Local\Temp\998c61dcd8a4736dc5309e0a618e3f24e04205711f02133e7765910c826c6d31.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2660 -
\??\c:\3jpvd.exec:\3jpvd.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2416 -
\??\c:\lfxxflr.exec:\lfxxflr.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2780 -
\??\c:\djjpd.exec:\djjpd.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2904 -
\??\c:\hbtbnn.exec:\hbtbnn.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2884 -
\??\c:\frxrrll.exec:\frxrrll.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2664 -
\??\c:\5thnnn.exec:\5thnnn.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2612 -
\??\c:\3xlrfrl.exec:\3xlrfrl.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2604 -
\??\c:\hnhnbn.exec:\hnhnbn.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1796 -
\??\c:\rxrfrxr.exec:\rxrfrxr.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2976 -
\??\c:\ttnthn.exec:\ttnthn.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2428 -
\??\c:\rlffxrr.exec:\rlffxrr.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2608 -
\??\c:\7fxfrrf.exec:\7fxfrrf.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2292 -
\??\c:\pvpvd.exec:\pvpvd.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1884 -
\??\c:\xrlrxfx.exec:\xrlrxfx.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:800 -
\??\c:\ppjvd.exec:\ppjvd.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2648 -
\??\c:\fxrrffr.exec:\fxrrffr.exe17⤵
- Executes dropped EXE
PID:1992 -
\??\c:\pjppp.exec:\pjppp.exe18⤵
- Executes dropped EXE
PID:1372 -
\??\c:\xlxfllf.exec:\xlxfllf.exe19⤵
- Executes dropped EXE
PID:1344 -
\??\c:\nhbhnb.exec:\nhbhnb.exe20⤵
- Executes dropped EXE
PID:2204 -
\??\c:\ddvjp.exec:\ddvjp.exe21⤵
- Executes dropped EXE
PID:2364 -
\??\c:\3bthnt.exec:\3bthnt.exe22⤵
- Executes dropped EXE
PID:1804 -
\??\c:\rrxxrrx.exec:\rrxxrrx.exe23⤵
- Executes dropped EXE
PID:2968 -
\??\c:\bnhnbh.exec:\bnhnbh.exe24⤵
- Executes dropped EXE
PID:1972 -
\??\c:\3jjjj.exec:\3jjjj.exe25⤵
- Executes dropped EXE
PID:1608 -
\??\c:\xxlxflx.exec:\xxlxflx.exe26⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1980 -
\??\c:\pjddj.exec:\pjddj.exe27⤵
- Executes dropped EXE
PID:1452 -
\??\c:\5tntbb.exec:\5tntbb.exe28⤵
- Executes dropped EXE
PID:2320 -
\??\c:\7jjpv.exec:\7jjpv.exe29⤵
- Executes dropped EXE
PID:1756 -
\??\c:\xlflxff.exec:\xlflxff.exe30⤵
- Executes dropped EXE
PID:2940 -
\??\c:\1nnbtt.exec:\1nnbtt.exe31⤵
- Executes dropped EXE
PID:1812 -
\??\c:\jdjvj.exec:\jdjvj.exe32⤵
- Executes dropped EXE
PID:624 -
\??\c:\thbnnb.exec:\thbnnb.exe33⤵
- Executes dropped EXE
PID:3060 -
\??\c:\ppppj.exec:\ppppj.exe34⤵
- Executes dropped EXE
PID:1688 -
\??\c:\7nbnhb.exec:\7nbnhb.exe35⤵
- Executes dropped EXE
PID:2676 -
\??\c:\tbttbt.exec:\tbttbt.exe36⤵
- Executes dropped EXE
PID:2668 -
\??\c:\dppdd.exec:\dppdd.exe37⤵
- Executes dropped EXE
PID:2572 -
\??\c:\rfrrxxf.exec:\rfrrxxf.exe38⤵
- Executes dropped EXE
PID:2688 -
\??\c:\bbbhtt.exec:\bbbhtt.exe39⤵
- Executes dropped EXE
PID:2548 -
\??\c:\vpddp.exec:\vpddp.exe40⤵
- Executes dropped EXE
PID:2556 -
\??\c:\jvjjj.exec:\jvjjj.exe41⤵
- Executes dropped EXE
PID:3020 -
\??\c:\lrllrrf.exec:\lrllrrf.exe42⤵
- Executes dropped EXE
PID:2612 -
\??\c:\hbntnb.exec:\hbntnb.exe43⤵
- Executes dropped EXE
PID:1368 -
\??\c:\pjppd.exec:\pjppd.exe44⤵
- Executes dropped EXE
PID:2980 -
\??\c:\vppvd.exec:\vppvd.exe45⤵
- Executes dropped EXE
PID:2012 -
\??\c:\lxffrlx.exec:\lxffrlx.exe46⤵
- Executes dropped EXE
PID:2976 -
\??\c:\bthtbb.exec:\bthtbb.exe47⤵
- Executes dropped EXE
PID:2408 -
\??\c:\tbnhth.exec:\tbnhth.exe48⤵
- Executes dropped EXE
PID:2532 -
\??\c:\1dvvd.exec:\1dvvd.exe49⤵
- Executes dropped EXE
PID:1520 -
\??\c:\rrrfxrl.exec:\rrrfxrl.exe50⤵
- Executes dropped EXE
PID:2028 -
\??\c:\tnbbhn.exec:\tnbbhn.exe51⤵
- Executes dropped EXE
PID:1324 -
\??\c:\btnthh.exec:\btnthh.exe52⤵
- Executes dropped EXE
PID:1664 -
\??\c:\vjdjp.exec:\vjdjp.exe53⤵
- Executes dropped EXE
PID:1760 -
\??\c:\1rlxlrf.exec:\1rlxlrf.exe54⤵
- Executes dropped EXE
PID:852 -
\??\c:\hhbntt.exec:\hhbntt.exe55⤵
- Executes dropped EXE
PID:1988 -
\??\c:\bbhhnn.exec:\bbhhnn.exe56⤵
- Executes dropped EXE
PID:2756 -
\??\c:\vdpjv.exec:\vdpjv.exe57⤵
- Executes dropped EXE
PID:2924 -
\??\c:\llflxfr.exec:\llflxfr.exe58⤵
- Executes dropped EXE
PID:2424 -
\??\c:\7lffllx.exec:\7lffllx.exe59⤵
- Executes dropped EXE
PID:2920 -
\??\c:\hhtbnn.exec:\hhtbnn.exe60⤵
- Executes dropped EXE
PID:2392 -
\??\c:\vpjjp.exec:\vpjjp.exe61⤵
- Executes dropped EXE
PID:2960 -
\??\c:\3jddj.exec:\3jddj.exe62⤵
- Executes dropped EXE
PID:2956 -
\??\c:\rlllllf.exec:\rlllllf.exe63⤵
- Executes dropped EXE
PID:848 -
\??\c:\nnnbnt.exec:\nnnbnt.exe64⤵
- Executes dropped EXE
PID:1100 -
\??\c:\bbnhhn.exec:\bbnhhn.exe65⤵
- Executes dropped EXE
PID:1608 -
\??\c:\ppjjv.exec:\ppjjv.exe66⤵PID:1028
-
\??\c:\xrrrxfr.exec:\xrrrxfr.exe67⤵PID:2304
-
\??\c:\lrrfrxl.exec:\lrrfrxl.exe68⤵PID:2092
-
\??\c:\9bnhnh.exec:\9bnhnh.exe69⤵PID:2320
-
\??\c:\9pddd.exec:\9pddd.exe70⤵PID:2020
-
\??\c:\9rrxfrx.exec:\9rrxfrx.exe71⤵
- System Location Discovery: System Language Discovery
PID:2340 -
\??\c:\nnbhnn.exec:\nnbhnn.exe72⤵PID:904
-
\??\c:\nbhnnt.exec:\nbhnnt.exe73⤵PID:316
-
\??\c:\ddpdp.exec:\ddpdp.exe74⤵PID:624
-
\??\c:\fxffllr.exec:\fxffllr.exe75⤵PID:2700
-
\??\c:\llrffrf.exec:\llrffrf.exe76⤵PID:3060
-
\??\c:\bbbhbh.exec:\bbbhbh.exe77⤵PID:1688
-
\??\c:\7vjdv.exec:\7vjdv.exe78⤵PID:2684
-
\??\c:\rlfrflf.exec:\rlfrflf.exe79⤵PID:2820
-
\??\c:\1ttnbh.exec:\1ttnbh.exe80⤵PID:2552
-
\??\c:\dvvdj.exec:\dvvdj.exe81⤵PID:2544
-
\??\c:\pvpvj.exec:\pvpvj.exe82⤵PID:2548
-
\??\c:\xxxfrxr.exec:\xxxfrxr.exe83⤵PID:1640
-
\??\c:\ttntnt.exec:\ttntnt.exe84⤵PID:1528
-
\??\c:\pjjvp.exec:\pjjvp.exe85⤵PID:1716
-
\??\c:\7pvdj.exec:\7pvdj.exe86⤵PID:1868
-
\??\c:\rrrfllx.exec:\rrrfllx.exe87⤵PID:1080
-
\??\c:\ththhb.exec:\ththhb.exe88⤵PID:2152
-
\??\c:\5jvjp.exec:\5jvjp.exe89⤵PID:2428
-
\??\c:\pdppv.exec:\pdppv.exe90⤵PID:2408
-
\??\c:\xxrrfrr.exec:\xxrrfrr.exe91⤵PID:896
-
\??\c:\nbnnbb.exec:\nbnnbb.exe92⤵PID:2440
-
\??\c:\nhbbbb.exec:\nhbbbb.exe93⤵PID:1680
-
\??\c:\vpppd.exec:\vpppd.exe94⤵PID:2616
-
\??\c:\rrlflfl.exec:\rrlflfl.exe95⤵PID:2836
-
\??\c:\hbbhtb.exec:\hbbhtb.exe96⤵PID:592
-
\??\c:\nnhthn.exec:\nnhthn.exe97⤵PID:2932
-
\??\c:\pjvjd.exec:\pjvjd.exe98⤵PID:2140
-
\??\c:\fxlrflx.exec:\fxlrflx.exe99⤵PID:2016
-
\??\c:\btnbhn.exec:\btnbhn.exe100⤵PID:2204
-
\??\c:\9dppv.exec:\9dppv.exe101⤵PID:2936
-
\??\c:\9jdvv.exec:\9jdvv.exe102⤵PID:444
-
\??\c:\9llxlrx.exec:\9llxlrx.exe103⤵PID:1104
-
\??\c:\nnhnbb.exec:\nnhnbb.exe104⤵PID:972
-
\??\c:\dpppv.exec:\dpppv.exe105⤵PID:3032
-
\??\c:\vdpvj.exec:\vdpvj.exe106⤵PID:1880
-
\??\c:\fxfxrlf.exec:\fxfxrlf.exe107⤵PID:1936
-
\??\c:\bbtthh.exec:\bbtthh.exe108⤵PID:372
-
\??\c:\9jddv.exec:\9jddv.exe109⤵PID:2336
-
\??\c:\rxrlxfr.exec:\rxrlxfr.exe110⤵PID:3028
-
\??\c:\rrllxfr.exec:\rrllxfr.exe111⤵PID:1940
-
\??\c:\1tbbhb.exec:\1tbbhb.exe112⤵PID:1756
-
\??\c:\pjdpd.exec:\pjdpd.exe113⤵PID:1200
-
\??\c:\1rrrxfl.exec:\1rrrxfl.exe114⤵PID:2356
-
\??\c:\5fflxfr.exec:\5fflxfr.exe115⤵PID:2728
-
\??\c:\7nhntt.exec:\7nhntt.exe116⤵PID:2696
-
\??\c:\5pjvp.exec:\5pjvp.exe117⤵PID:2660
-
\??\c:\9xlxflr.exec:\9xlxflr.exe118⤵PID:2776
-
\??\c:\7hbnbn.exec:\7hbnbn.exe119⤵PID:2744
-
\??\c:\ppvdv.exec:\ppvdv.exe120⤵PID:2760
-
\??\c:\rlfrxfx.exec:\rlfrxfx.exe121⤵PID:2876
-
\??\c:\5bnhhb.exec:\5bnhhb.exe122⤵PID:2716
-