Analysis
-
max time kernel
150s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
08/01/2025, 05:02
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
996229470ddd761c3e18d0af18c299b8a5dcebd5fdae4e85e9f593bd9c8f88ea.exe
Resource
win7-20240903-en
7 signatures
150 seconds
General
-
Target
996229470ddd761c3e18d0af18c299b8a5dcebd5fdae4e85e9f593bd9c8f88ea.exe
-
Size
455KB
-
MD5
15ae798e35de13c52aad0ab11b43da22
-
SHA1
920bb05c5addc00cc155fd657a31e77768f39eb4
-
SHA256
996229470ddd761c3e18d0af18c299b8a5dcebd5fdae4e85e9f593bd9c8f88ea
-
SHA512
882f0cd0bf571a57af13543d1813b9a84dcd36f46f02c83f533888a394d70519f01eeff0c7006efafd3dc0bb2e6d6a5610ab6ff66c97ab8f351e6b50ed74aeb3
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbet:q7Tc2NYHUrAwfMp3CDt
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 52 IoCs
resource yara_rule behavioral1/memory/788-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2244-9-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2088-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2088-28-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/1648-40-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2808-48-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/2808-50-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2796-60-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2472-69-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2472-71-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2440-80-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2632-90-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2816-98-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2612-108-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3044-114-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/3044-113-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/3044-119-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1712-128-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2312-146-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/808-155-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2872-163-0x00000000002C0000-0x00000000002EA000-memory.dmp family_blackmoon 
behavioral1/memory/1608-172-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2448-191-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2192-199-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/2452-218-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2452-216-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1616-236-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/976-244-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1784-253-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1732-278-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/332-299-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/332-297-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/1688-307-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1912-327-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/2784-334-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2956-341-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/584-348-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/584-349-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2308-351-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2828-363-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1908-378-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1908-377-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon 
behavioral1/memory/2616-392-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/1440-465-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2136-485-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2460-512-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2484-547-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2364-560-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2852-626-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/2852-645-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/3044-658-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2668-900-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 788 djjvv.exe 2088 fllllxf.exe 1648 vjpvv.exe 2808 9nhntb.exe 2796 jvdpp.exe 2472 rxllxrr.exe 2440 tnbhnn.exe 2632 vpvpd.exe 2816 rfrrrrf.exe 2612 pjvpv.exe 3044 9xllxrx.exe 1712 xlfxxrr.exe 1920 9bthhh.exe 2312 pdpvv.exe 808 lxflxrx.exe 2872 bthntt.exe 1608 pdddv.exe 540 fxrxfxf.exe 2448 7bhbtn.exe 2192 jvjpv.exe 2280 lxxxlxf.exe 2452 rfrlrff.exe 1328 hntbhh.exe 1616 7llxxxr.exe 976 bnnhnn.exe 1784 5hnhhb.exe 2520 xlfrrll.exe 2512 tbhnhb.exe 1732 5vpjj.exe 2496 3lxxfll.exe 332 thnnnn.exe 1688 9thhhb.exe 2184 lfrxfrr.exe 2912 rfrxxxx.exe 1912 tnbtbt.exe 2784 vpdpv.exe 2956 bnthhh.exe 584 dpvvj.exe 2308 rxlfffl.exe 2828 rxfxxrr.exe 2712 jpjpv.exe 1908 3jjjj.exe 2648 lflllfl.exe 2616 1nnnhh.exe 2000 3httnh.exe 2060 vjvjp.exe 2664 5flxxrl.exe 868 xrllxrx.exe 1596 hnttbt.exe 2880 1dpdd.exe 1304 7ddvv.exe 3056 xrlllll.exe 3064 5xfrlff.exe 1308 hnnnbb.exe 1440 pdpvd.exe 2556 frxllff.exe 1660 bhnntt.exe 2136 nbtbhh.exe 1704 dvpvv.exe 1888 7frlrrr.exe 1356 lxrlxrr.exe 2460 bnttht.exe 1800 ddjjp.exe 1776 dvddj.exe -
resource yara_rule behavioral1/memory/788-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2244-9-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2088-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1648-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1648-40-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2808-48-0x0000000000320000-0x000000000034A000-memory.dmp upx behavioral1/memory/2796-51-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2808-50-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2472-61-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2796-60-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2472-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2440-80-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2632-90-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2816-98-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2612-108-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3044-119-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1712-128-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2312-146-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/808-155-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1608-172-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2448-191-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2452-218-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1616-236-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/976-244-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/1784-253-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/332-290-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/332-299-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1688-307-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2184-308-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2956-341-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/584-348-0x00000000001B0000-0x00000000001DA000-memory.dmp upx behavioral1/memory/584-349-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2308-351-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2828-363-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1908-370-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1908-378-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2616-385-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1440-465-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2136-485-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1356-498-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2460-505-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2460-512-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1776-519-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2484-547-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2364-560-0x00000000001B0000-0x00000000001DA000-memory.dmp upx behavioral1/memory/3016-573-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2404-580-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2840-593-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2700-607-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2412-809-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/596-834-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2668-900-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1dpdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9nbttn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjppp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1nnhhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfxxllx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5flxxrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnthhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9fxlllx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlflxxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3hnhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5hhhbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxfflrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfxrxrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbnnnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dddpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ntbtbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tthntn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnnhhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2244 wrote to memory of 788 2244 996229470ddd761c3e18d0af18c299b8a5dcebd5fdae4e85e9f593bd9c8f88ea.exe 30 PID 2244 wrote to memory of 788 2244 996229470ddd761c3e18d0af18c299b8a5dcebd5fdae4e85e9f593bd9c8f88ea.exe 30 PID 2244 wrote to memory of 788 2244 996229470ddd761c3e18d0af18c299b8a5dcebd5fdae4e85e9f593bd9c8f88ea.exe 30 PID 2244 wrote to memory of 788 2244 996229470ddd761c3e18d0af18c299b8a5dcebd5fdae4e85e9f593bd9c8f88ea.exe 30 PID 788 wrote to memory of 2088 788 djjvv.exe 31 PID 788 wrote to memory of 2088 788 djjvv.exe 31 PID 788 wrote to memory of 2088 788 djjvv.exe 31 PID 788 wrote to memory of 2088 788 djjvv.exe 31 PID 2088 wrote to memory of 1648 2088 fllllxf.exe 32 PID 2088 wrote to memory of 1648 2088 fllllxf.exe 32 PID 2088 wrote to memory of 1648 2088 fllllxf.exe 32 PID 2088 wrote to memory of 1648 2088 fllllxf.exe 32 PID 1648 wrote to memory of 2808 1648 vjpvv.exe 33 PID 1648 wrote to memory of 2808 1648 vjpvv.exe 33 PID 1648 wrote to memory of 2808 1648 vjpvv.exe 33 PID 1648 wrote to memory of 2808 1648 vjpvv.exe 33 PID 2808 wrote to memory of 2796 2808 9nhntb.exe 34 PID 2808 wrote to memory of 2796 2808 9nhntb.exe 34 PID 2808 wrote to memory of 2796 2808 9nhntb.exe 34 PID 2808 wrote to memory of 2796 2808 9nhntb.exe 34 PID 2796 wrote to memory of 2472 2796 jvdpp.exe 35 PID 2796 wrote to memory of 2472 2796 jvdpp.exe 35 PID 2796 wrote to memory of 2472 2796 jvdpp.exe 35 PID 2796 wrote to memory of 2472 2796 jvdpp.exe 35 PID 2472 wrote to memory of 2440 2472 rxllxrr.exe 36 PID 2472 wrote to memory of 2440 2472 rxllxrr.exe 36 PID 2472 wrote to memory of 2440 2472 rxllxrr.exe 36 PID 2472 wrote to memory of 2440 2472 rxllxrr.exe 36 PID 2440 wrote to memory of 2632 2440 tnbhnn.exe 37 PID 2440 wrote to memory of 2632 2440 tnbhnn.exe 37 PID 2440 wrote to memory of 2632 2440 tnbhnn.exe 37 PID 2440 wrote to memory of 2632 2440 tnbhnn.exe 37 PID 2632 wrote to memory of 2816 2632 vpvpd.exe 38 PID 2632 wrote to memory of 
2816 2632 vpvpd.exe 38 PID 2632 wrote to memory of 2816 2632 vpvpd.exe 38 PID 2632 wrote to memory of 2816 2632 vpvpd.exe 38 PID 2816 wrote to memory of 2612 2816 rfrrrrf.exe 39 PID 2816 wrote to memory of 2612 2816 rfrrrrf.exe 39 PID 2816 wrote to memory of 2612 2816 rfrrrrf.exe 39 PID 2816 wrote to memory of 2612 2816 rfrrrrf.exe 39 PID 2612 wrote to memory of 3044 2612 pjvpv.exe 40 PID 2612 wrote to memory of 3044 2612 pjvpv.exe 40 PID 2612 wrote to memory of 3044 2612 pjvpv.exe 40 PID 2612 wrote to memory of 3044 2612 pjvpv.exe 40 PID 3044 wrote to memory of 1712 3044 9xllxrx.exe 41 PID 3044 wrote to memory of 1712 3044 9xllxrx.exe 41 PID 3044 wrote to memory of 1712 3044 9xllxrx.exe 41 PID 3044 wrote to memory of 1712 3044 9xllxrx.exe 41 PID 1712 wrote to memory of 1920 1712 xlfxxrr.exe 42 PID 1712 wrote to memory of 1920 1712 xlfxxrr.exe 42 PID 1712 wrote to memory of 1920 1712 xlfxxrr.exe 42 PID 1712 wrote to memory of 1920 1712 xlfxxrr.exe 42 PID 1920 wrote to memory of 2312 1920 9bthhh.exe 43 PID 1920 wrote to memory of 2312 1920 9bthhh.exe 43 PID 1920 wrote to memory of 2312 1920 9bthhh.exe 43 PID 1920 wrote to memory of 2312 1920 9bthhh.exe 43 PID 2312 wrote to memory of 808 2312 pdpvv.exe 44 PID 2312 wrote to memory of 808 2312 pdpvv.exe 44 PID 2312 wrote to memory of 808 2312 pdpvv.exe 44 PID 2312 wrote to memory of 808 2312 pdpvv.exe 44 PID 808 wrote to memory of 2872 808 lxflxrx.exe 45 PID 808 wrote to memory of 2872 808 lxflxrx.exe 45 PID 808 wrote to memory of 2872 808 lxflxrx.exe 45 PID 808 wrote to memory of 2872 808 lxflxrx.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\996229470ddd761c3e18d0af18c299b8a5dcebd5fdae4e85e9f593bd9c8f88ea.exe"C:\Users\Admin\AppData\Local\Temp\996229470ddd761c3e18d0af18c299b8a5dcebd5fdae4e85e9f593bd9c8f88ea.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2244 -
\??\c:\djjvv.exec:\djjvv.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:788 -
\??\c:\fllllxf.exec:\fllllxf.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2088 -
\??\c:\vjpvv.exec:\vjpvv.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1648 -
\??\c:\9nhntb.exec:\9nhntb.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2808 -
\??\c:\jvdpp.exec:\jvdpp.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2796 -
\??\c:\rxllxrr.exec:\rxllxrr.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2472 -
\??\c:\tnbhnn.exec:\tnbhnn.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2440 -
\??\c:\vpvpd.exec:\vpvpd.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2632 -
\??\c:\rfrrrrf.exec:\rfrrrrf.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2816 -
\??\c:\pjvpv.exec:\pjvpv.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2612 -
\??\c:\9xllxrx.exec:\9xllxrx.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3044 -
\??\c:\xlfxxrr.exec:\xlfxxrr.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1712 -
\??\c:\9bthhh.exec:\9bthhh.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1920 -
\??\c:\pdpvv.exec:\pdpvv.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2312 -
\??\c:\lxflxrx.exec:\lxflxrx.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:808 -
\??\c:\bthntt.exec:\bthntt.exe17⤵
- Executes dropped EXE
PID:2872 -
\??\c:\pdddv.exec:\pdddv.exe18⤵
- Executes dropped EXE
PID:1608 -
\??\c:\fxrxfxf.exec:\fxrxfxf.exe19⤵
- Executes dropped EXE
PID:540 -
\??\c:\7bhbtn.exec:\7bhbtn.exe20⤵
- Executes dropped EXE
PID:2448 -
\??\c:\jvjpv.exec:\jvjpv.exe21⤵
- Executes dropped EXE
PID:2192 -
\??\c:\lxxxlxf.exec:\lxxxlxf.exe22⤵
- Executes dropped EXE
PID:2280 -
\??\c:\rfrlrff.exec:\rfrlrff.exe23⤵
- Executes dropped EXE
PID:2452 -
\??\c:\hntbhh.exec:\hntbhh.exe24⤵
- Executes dropped EXE
PID:1328 -
\??\c:\7llxxxr.exec:\7llxxxr.exe25⤵
- Executes dropped EXE
PID:1616 -
\??\c:\bnnhnn.exec:\bnnhnn.exe26⤵
- Executes dropped EXE
PID:976 -
\??\c:\5hnhhb.exec:\5hnhhb.exe27⤵
- Executes dropped EXE
PID:1784 -
\??\c:\xlfrrll.exec:\xlfrrll.exe28⤵
- Executes dropped EXE
PID:2520 -
\??\c:\tbhnhb.exec:\tbhnhb.exe29⤵
- Executes dropped EXE
PID:2512 -
\??\c:\5vpjj.exec:\5vpjj.exe30⤵
- Executes dropped EXE
PID:1732 -
\??\c:\3lxxfll.exec:\3lxxfll.exe31⤵
- Executes dropped EXE
PID:2496 -
\??\c:\thnnnn.exec:\thnnnn.exe32⤵
- Executes dropped EXE
PID:332 -
\??\c:\9thhhb.exec:\9thhhb.exe33⤵
- Executes dropped EXE
PID:1688 -
\??\c:\lfrxfrr.exec:\lfrxfrr.exe34⤵
- Executes dropped EXE
PID:2184 -
\??\c:\rfrxxxx.exec:\rfrxxxx.exe35⤵
- Executes dropped EXE
PID:2912 -
\??\c:\tnbtbt.exec:\tnbtbt.exe36⤵
- Executes dropped EXE
PID:1912 -
\??\c:\vpdpv.exec:\vpdpv.exe37⤵
- Executes dropped EXE
PID:2784 -
\??\c:\bnthhh.exec:\bnthhh.exe38⤵
- Executes dropped EXE
PID:2956 -
\??\c:\dpvvj.exec:\dpvvj.exe39⤵
- Executes dropped EXE
PID:584 -
\??\c:\rxlfffl.exec:\rxlfffl.exe40⤵
- Executes dropped EXE
PID:2308 -
\??\c:\rxfxxrr.exec:\rxfxxrr.exe41⤵
- Executes dropped EXE
PID:2828 -
\??\c:\jpjpv.exec:\jpjpv.exe42⤵
- Executes dropped EXE
PID:2712 -
\??\c:\3jjjj.exec:\3jjjj.exe43⤵
- Executes dropped EXE
PID:1908 -
\??\c:\lflllfl.exec:\lflllfl.exe44⤵
- Executes dropped EXE
PID:2648 -
\??\c:\1nnnhh.exec:\1nnnhh.exe45⤵
- Executes dropped EXE
PID:2616 -
\??\c:\3httnh.exec:\3httnh.exe46⤵
- Executes dropped EXE
PID:2000 -
\??\c:\vjvjp.exec:\vjvjp.exe47⤵
- Executes dropped EXE
PID:2060 -
\??\c:\5flxxrl.exec:\5flxxrl.exe48⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2664 -
\??\c:\xrllxrx.exec:\xrllxrx.exe49⤵
- Executes dropped EXE
PID:868 -
\??\c:\hnttbt.exec:\hnttbt.exe50⤵
- Executes dropped EXE
PID:1596 -
\??\c:\1dpdd.exec:\1dpdd.exe51⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2880 -
\??\c:\7ddvv.exec:\7ddvv.exe52⤵
- Executes dropped EXE
PID:1304 -
\??\c:\xrlllll.exec:\xrlllll.exe53⤵
- Executes dropped EXE
PID:3056 -
\??\c:\5xfrlff.exec:\5xfrlff.exe54⤵
- Executes dropped EXE
PID:3064 -
\??\c:\hnnnbb.exec:\hnnnbb.exe55⤵
- Executes dropped EXE
PID:1308 -
\??\c:\pdpvd.exec:\pdpvd.exe56⤵
- Executes dropped EXE
PID:1440 -
\??\c:\frxllff.exec:\frxllff.exe57⤵
- Executes dropped EXE
PID:2556 -
\??\c:\bhnntt.exec:\bhnntt.exe58⤵
- Executes dropped EXE
PID:1660 -
\??\c:\nbtbhh.exec:\nbtbhh.exe59⤵
- Executes dropped EXE
PID:2136 -
\??\c:\dvpvv.exec:\dvpvv.exe60⤵
- Executes dropped EXE
PID:1704 -
\??\c:\7frlrrr.exec:\7frlrrr.exe61⤵
- Executes dropped EXE
PID:1888 -
\??\c:\lxrlxrr.exec:\lxrlxrr.exe62⤵
- Executes dropped EXE
PID:1356 -
\??\c:\bnttht.exec:\bnttht.exe63⤵
- Executes dropped EXE
PID:2460 -
\??\c:\ddjjp.exec:\ddjjp.exe64⤵
- Executes dropped EXE
PID:1800 -
\??\c:\dvddj.exec:\dvddj.exe65⤵
- Executes dropped EXE
PID:1776 -
\??\c:\7lfxrll.exec:\7lfxrll.exe66⤵PID:1484
-
\??\c:\thnbbt.exec:\thnbbt.exe67⤵PID:1752
-
\??\c:\hnthhb.exec:\hnthhb.exe68⤵
- System Location Discovery: System Language Discovery
PID:2532 -
\??\c:\vjvvv.exec:\vjvvv.exe69⤵PID:2484
-
\??\c:\lrrlxrr.exec:\lrrlxrr.exe70⤵PID:2176
-
\??\c:\xlfrxff.exec:\xlfrxff.exe71⤵PID:2364
-
\??\c:\1nnhhb.exec:\1nnhhb.exe72⤵
- System Location Discovery: System Language Discovery
PID:2420 -
\??\c:\1pvvd.exec:\1pvvd.exe73⤵PID:596
-
\??\c:\lxlflff.exec:\lxlflff.exe74⤵PID:3016
-
\??\c:\lxlffxx.exec:\lxlffxx.exe75⤵PID:2404
-
\??\c:\5nbtbt.exec:\5nbtbt.exe76⤵PID:1272
-
\??\c:\bnbbbt.exec:\bnbbbt.exe77⤵PID:2840
-
\??\c:\5jppv.exec:\5jppv.exe78⤵PID:2944
-
\??\c:\fxfflfr.exec:\fxfflfr.exe79⤵PID:2700
-
\??\c:\nhttnb.exec:\nhttnb.exe80⤵PID:2308
-
\??\c:\htbntt.exec:\htbntt.exe81⤵PID:2852
-
\??\c:\dpvpp.exec:\dpvpp.exe82⤵PID:2812
-
\??\c:\pvjdj.exec:\pvjdj.exe83⤵PID:2768
-
\??\c:\lrxrxxx.exec:\lrxrxxx.exe84⤵PID:2652
-
\??\c:\bnbbnh.exec:\bnbbnh.exe85⤵PID:2648
-
\??\c:\nbbnnh.exec:\nbbnnh.exe86⤵PID:3044
-
\??\c:\jvvjj.exec:\jvvjj.exe87⤵PID:1864
-
\??\c:\xlrllff.exec:\xlrllff.exe88⤵PID:2060
-
\??\c:\xlfxxrr.exec:\xlfxxrr.exe89⤵PID:2320
-
\??\c:\hthbbt.exec:\hthbbt.exe90⤵PID:2876
-
\??\c:\jppdv.exec:\jppdv.exe91⤵PID:1312
-
\??\c:\1vppp.exec:\1vppp.exe92⤵PID:2872
-
\??\c:\rxxxlxf.exec:\rxxxlxf.exe93⤵PID:1764
-
\??\c:\thbbbt.exec:\thbbbt.exe94⤵PID:3060
-
\??\c:\dvddj.exec:\dvddj.exe95⤵PID:2252
-
\??\c:\9dpjd.exec:\9dpjd.exe96⤵PID:2144
-
\??\c:\fxllffl.exec:\fxllffl.exe97⤵PID:2260
-
\??\c:\nbbbbt.exec:\nbbbbt.exe98⤵PID:2280
-
\??\c:\5nbbtt.exec:\5nbbtt.exe99⤵PID:352
-
\??\c:\dpvvv.exec:\dpvvv.exe100⤵PID:2480
-
\??\c:\rffxxxf.exec:\rffxxxf.exe101⤵PID:1264
-
\??\c:\rllllff.exec:\rllllff.exe102⤵PID:2080
-
\??\c:\btbhhn.exec:\btbhhn.exe103⤵PID:1868
-
\??\c:\3djdd.exec:\3djdd.exe104⤵PID:1064
-
\??\c:\3vjjj.exec:\3vjjj.exe105⤵PID:2216
-
\??\c:\xfrllxx.exec:\xfrllxx.exe106⤵PID:2564
-
\??\c:\nthhbb.exec:\nthhbb.exe107⤵PID:2540
-
\??\c:\9jvpv.exec:\9jvpv.exe108⤵PID:2512
-
\??\c:\jddvj.exec:\jddvj.exe109⤵PID:2492
-
\??\c:\5lrrrll.exec:\5lrrrll.exe110⤵PID:2436
-
\??\c:\xrxrrfr.exec:\xrxrrfr.exe111⤵PID:2412
-
\??\c:\5tbbbb.exec:\5tbbbb.exe112⤵PID:2352
-
\??\c:\7hnhhn.exec:\7hnhhn.exe113⤵PID:2140
-
\??\c:\pvvdv.exec:\pvvdv.exe114⤵PID:2292
-
\??\c:\9rfxrff.exec:\9rfxrff.exe115⤵PID:596
-
\??\c:\lxlrrrr.exec:\lxlrrrr.exe116⤵PID:2232
-
\??\c:\ttbbhh.exec:\ttbbhh.exe117⤵PID:2868
-
\??\c:\vpvpp.exec:\vpvpp.exe118⤵PID:2792
-
\??\c:\3rfrfxf.exec:\3rfrfxf.exe119⤵PID:2740
-
\??\c:\5rxrxll.exec:\5rxrxll.exe120⤵PID:2804
-
\??\c:\tntntn.exec:\tntntn.exe121⤵PID:2924
-
\??\c:\pdddj.exec:\pdddj.exe122⤵PID:2828