Analysis
-
max time kernel
150s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
08/01/2025, 07:18
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
945345a5575d7cda69fa7a7ee7ed7980fd7a7892c16f564e36db00913003c14f.exe
Resource
win7-20240903-en
7 signatures
150 seconds
General
-
Target
945345a5575d7cda69fa7a7ee7ed7980fd7a7892c16f564e36db00913003c14f.exe
-
Size
453KB
-
MD5
4304bb1ac409f30a064f5c9bd4ee0455
-
SHA1
543744d7798a3b9d98f4f4c5257011b9d177c32b
-
SHA256
945345a5575d7cda69fa7a7ee7ed7980fd7a7892c16f564e36db00913003c14f
-
SHA512
de92ec0bcaf96184c6369058fbed7b287f9a865441007037969d793d1fe2263a407b7a0f66fd76fd6276edff7d634cc2eea5fa42fea86b40ba93b446786ad589
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbex:q7Tc2NYHUrAwfMp3CDx
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 43 IoCs
resource yara_rule behavioral1/memory/1680-1-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1804-16-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2336-26-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2696-35-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2696-39-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2756-49-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1804-57-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/2756-55-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2660-77-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2628-75-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2652-86-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2232-102-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2708-112-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1092-124-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1632-121-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1052-142-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1772-157-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2052-176-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1032-189-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2200-197-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2200-205-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon 
behavioral1/memory/620-232-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1664-259-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2076-276-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2464-285-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1608-304-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2348-325-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2696-338-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2616-379-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2828-393-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1692-400-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2960-409-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1104-408-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2116-435-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2236-448-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2320-545-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1648-553-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2460-606-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1932-817-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/2580-855-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2028-985-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2184-1067-0x0000000000340000-0x000000000036A000-memory.dmp family_blackmoon 
behavioral1/memory/2660-1211-0x00000000003D0000-0x00000000003FA000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1804 lrlxfxl.exe 2336 lxrrxxx.exe 2696 nbhhbh.exe 2856 nbhbbn.exe 2756 jjjdp.exe 2828 lxxxfxr.exe 2628 jvjvj.exe 2660 llfrflf.exe 2652 nnbbnn.exe 2232 1jdjv.exe 2708 tnhtnt.exe 1632 rxxlxrf.exe 1092 tbthnh.exe 2928 jjdvp.exe 1052 tnntbh.exe 1772 ppdjv.exe 2164 3tnbtn.exe 2052 3ppjj.exe 2100 lfxfrrf.exe 1032 tbbhhb.exe 2200 xrfrffr.exe 960 tthhtb.exe 2088 xrllrrf.exe 620 fxlxrxl.exe 1732 pjvpp.exe 856 jpdjv.exe 1664 xfxrxlf.exe 2400 btthnt.exe 2076 9vpvj.exe 2464 bhnthh.exe 1760 jdvvd.exe 2036 lflxlxx.exe 1608 hhtbtt.exe 3016 vpjjp.exe 2348 lfrxfxf.exe 2436 bbtnhh.exe 2696 7vjjv.exe 2856 ddjdp.exe 2988 5xrxfff.exe 2904 1bhhhn.exe 2828 jdvvj.exe 2780 9jdjp.exe 2616 fxxlffx.exe 2300 5lxflrr.exe 2652 hbtbhn.exe 1692 ppdjv.exe 1104 vpjpd.exe 2960 lllxfrf.exe 3048 bbbhnn.exe 2944 1dpvp.exe 2116 frxxfxx.exe 1612 3lfxrrl.exe 2236 bbthbb.exe 600 ppjvd.exe 480 flrllrx.exe 2052 rrfrxrf.exe 1808 7hhbht.exe 2100 9jvdp.exe 444 7rrflxr.exe 3000 tthtbb.exe 1244 nthnhn.exe 1396 9jddj.exe 1500 5flrffr.exe 1556 lfxxflf.exe -
resource yara_rule behavioral1/memory/1680-1-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1804-16-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2696-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2336-26-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2696-39-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2756-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2660-77-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2628-75-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2652-86-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2232-102-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1632-113-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2708-112-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1092-124-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1632-121-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2928-132-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1052-142-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1772-157-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2052-168-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2052-176-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1032-189-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2200-197-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/960-208-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2200-203-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/620-232-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/620-224-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1664-259-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2076-276-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2464-285-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1608-304-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3016-312-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2696-338-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2300-380-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2616-379-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1692-400-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2960-409-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2116-435-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2236-448-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2100-474-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/444-481-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/444-487-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/1732-526-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2320-545-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1648-553-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2460-599-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2460-606-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/680-772-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1272-947-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2028-985-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/1296-1023-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2244-1178-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpjjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frlxflx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrlfrxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rllllrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjdvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfllfxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbbhhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7vjpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not 
Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3jvvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbthbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpjpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvjdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ntnnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbbbnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1680 wrote to memory of 1804 1680 945345a5575d7cda69fa7a7ee7ed7980fd7a7892c16f564e36db00913003c14f.exe 30 PID 1680 wrote to memory of 1804 1680 945345a5575d7cda69fa7a7ee7ed7980fd7a7892c16f564e36db00913003c14f.exe 30 PID 1680 wrote to memory of 1804 1680 945345a5575d7cda69fa7a7ee7ed7980fd7a7892c16f564e36db00913003c14f.exe 30 PID 1680 wrote to memory of 1804 1680 945345a5575d7cda69fa7a7ee7ed7980fd7a7892c16f564e36db00913003c14f.exe 30 PID 1804 wrote to memory of 2336 1804 lrlxfxl.exe 31 PID 1804 wrote to memory of 2336 1804 lrlxfxl.exe 31 PID 1804 wrote to memory of 2336 1804 lrlxfxl.exe 31 PID 1804 wrote to memory of 2336 1804 lrlxfxl.exe 31 PID 2336 wrote to memory of 2696 2336 lxrrxxx.exe 32 PID 2336 wrote to memory of 2696 2336 lxrrxxx.exe 32 PID 2336 wrote to memory of 2696 2336 lxrrxxx.exe 32 PID 2336 wrote to memory of 2696 2336 lxrrxxx.exe 32 PID 2696 wrote to memory of 2856 2696 nbhhbh.exe 33 PID 2696 wrote to memory of 2856 2696 nbhhbh.exe 33 PID 2696 wrote to memory of 2856 2696 nbhhbh.exe 33 PID 2696 wrote to memory of 2856 2696 nbhhbh.exe 33 PID 2856 wrote to memory of 2756 2856 nbhbbn.exe 34 PID 2856 wrote to memory of 2756 2856 nbhbbn.exe 34 PID 2856 wrote to memory of 2756 2856 nbhbbn.exe 34 PID 2856 wrote to memory of 2756 2856 nbhbbn.exe 34 PID 2756 wrote to memory of 2828 2756 jjjdp.exe 35 PID 2756 wrote to memory of 2828 2756 jjjdp.exe 35 PID 2756 wrote to memory of 2828 2756 jjjdp.exe 35 PID 2756 wrote to memory of 2828 2756 jjjdp.exe 35 PID 2828 wrote to memory of 2628 2828 lxxxfxr.exe 36 PID 2828 wrote to memory of 2628 2828 lxxxfxr.exe 36 PID 2828 wrote to memory of 2628 2828 lxxxfxr.exe 36 PID 2828 wrote to memory of 2628 2828 lxxxfxr.exe 36 PID 2628 wrote to memory of 2660 2628 jvjvj.exe 37 PID 2628 wrote to memory of 2660 2628 jvjvj.exe 37 PID 2628 wrote to memory of 2660 2628 jvjvj.exe 37 PID 2628 wrote to memory of 2660 2628 jvjvj.exe 37 PID 2660 wrote to memory of 2652 2660 llfrflf.exe 38 PID 2660 
wrote to memory of 2652 2660 llfrflf.exe 38 PID 2660 wrote to memory of 2652 2660 llfrflf.exe 38 PID 2660 wrote to memory of 2652 2660 llfrflf.exe 38 PID 2652 wrote to memory of 2232 2652 nnbbnn.exe 39 PID 2652 wrote to memory of 2232 2652 nnbbnn.exe 39 PID 2652 wrote to memory of 2232 2652 nnbbnn.exe 39 PID 2652 wrote to memory of 2232 2652 nnbbnn.exe 39 PID 2232 wrote to memory of 2708 2232 1jdjv.exe 40 PID 2232 wrote to memory of 2708 2232 1jdjv.exe 40 PID 2232 wrote to memory of 2708 2232 1jdjv.exe 40 PID 2232 wrote to memory of 2708 2232 1jdjv.exe 40 PID 2708 wrote to memory of 1632 2708 tnhtnt.exe 41 PID 2708 wrote to memory of 1632 2708 tnhtnt.exe 41 PID 2708 wrote to memory of 1632 2708 tnhtnt.exe 41 PID 2708 wrote to memory of 1632 2708 tnhtnt.exe 41 PID 1632 wrote to memory of 1092 1632 rxxlxrf.exe 42 PID 1632 wrote to memory of 1092 1632 rxxlxrf.exe 42 PID 1632 wrote to memory of 1092 1632 rxxlxrf.exe 42 PID 1632 wrote to memory of 1092 1632 rxxlxrf.exe 42 PID 1092 wrote to memory of 2928 1092 tbthnh.exe 43 PID 1092 wrote to memory of 2928 1092 tbthnh.exe 43 PID 1092 wrote to memory of 2928 1092 tbthnh.exe 43 PID 1092 wrote to memory of 2928 1092 tbthnh.exe 43 PID 2928 wrote to memory of 1052 2928 jjdvp.exe 44 PID 2928 wrote to memory of 1052 2928 jjdvp.exe 44 PID 2928 wrote to memory of 1052 2928 jjdvp.exe 44 PID 2928 wrote to memory of 1052 2928 jjdvp.exe 44 PID 1052 wrote to memory of 1772 1052 tnntbh.exe 45 PID 1052 wrote to memory of 1772 1052 tnntbh.exe 45 PID 1052 wrote to memory of 1772 1052 tnntbh.exe 45 PID 1052 wrote to memory of 1772 1052 tnntbh.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\945345a5575d7cda69fa7a7ee7ed7980fd7a7892c16f564e36db00913003c14f.exe"C:\Users\Admin\AppData\Local\Temp\945345a5575d7cda69fa7a7ee7ed7980fd7a7892c16f564e36db00913003c14f.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1680 -
\??\c:\lrlxfxl.exec:\lrlxfxl.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1804 -
\??\c:\lxrrxxx.exec:\lxrrxxx.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2336 -
\??\c:\nbhhbh.exec:\nbhhbh.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2696 -
\??\c:\nbhbbn.exec:\nbhbbn.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2856 -
\??\c:\jjjdp.exec:\jjjdp.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2756 -
\??\c:\lxxxfxr.exec:\lxxxfxr.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2828 -
\??\c:\jvjvj.exec:\jvjvj.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2628 -
\??\c:\llfrflf.exec:\llfrflf.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2660 -
\??\c:\nnbbnn.exec:\nnbbnn.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2652 -
\??\c:\1jdjv.exec:\1jdjv.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2232 -
\??\c:\tnhtnt.exec:\tnhtnt.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2708 -
\??\c:\rxxlxrf.exec:\rxxlxrf.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1632 -
\??\c:\tbthnh.exec:\tbthnh.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1092 -
\??\c:\jjdvp.exec:\jjdvp.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2928 -
\??\c:\tnntbh.exec:\tnntbh.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1052 -
\??\c:\ppdjv.exec:\ppdjv.exe17⤵
- Executes dropped EXE
PID:1772 -
\??\c:\3tnbtn.exec:\3tnbtn.exe18⤵
- Executes dropped EXE
PID:2164 -
\??\c:\3ppjj.exec:\3ppjj.exe19⤵
- Executes dropped EXE
PID:2052 -
\??\c:\lfxfrrf.exec:\lfxfrrf.exe20⤵
- Executes dropped EXE
PID:2100 -
\??\c:\tbbhhb.exec:\tbbhhb.exe21⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1032 -
\??\c:\xrfrffr.exec:\xrfrffr.exe22⤵
- Executes dropped EXE
PID:2200 -
\??\c:\tthhtb.exec:\tthhtb.exe23⤵
- Executes dropped EXE
PID:960 -
\??\c:\xrllrrf.exec:\xrllrrf.exe24⤵
- Executes dropped EXE
PID:2088 -
\??\c:\fxlxrxl.exec:\fxlxrxl.exe25⤵
- Executes dropped EXE
PID:620 -
\??\c:\pjvpp.exec:\pjvpp.exe26⤵
- Executes dropped EXE
PID:1732 -
\??\c:\jpdjv.exec:\jpdjv.exe27⤵
- Executes dropped EXE
PID:856 -
\??\c:\xfxrxlf.exec:\xfxrxlf.exe28⤵
- Executes dropped EXE
PID:1664 -
\??\c:\btthnt.exec:\btthnt.exe29⤵
- Executes dropped EXE
PID:2400 -
\??\c:\9vpvj.exec:\9vpvj.exe30⤵
- Executes dropped EXE
PID:2076 -
\??\c:\bhnthh.exec:\bhnthh.exe31⤵
- Executes dropped EXE
PID:2464 -
\??\c:\jdvvd.exec:\jdvvd.exe32⤵
- Executes dropped EXE
PID:1760 -
\??\c:\lflxlxx.exec:\lflxlxx.exe33⤵
- Executes dropped EXE
PID:2036 -
\??\c:\hhtbtt.exec:\hhtbtt.exe34⤵
- Executes dropped EXE
PID:1608 -
\??\c:\vpjjp.exec:\vpjjp.exe35⤵
- Executes dropped EXE
PID:3016 -
\??\c:\lfrxfxf.exec:\lfrxfxf.exe36⤵
- Executes dropped EXE
PID:2348 -
\??\c:\bbtnhh.exec:\bbtnhh.exe37⤵
- Executes dropped EXE
PID:2436 -
\??\c:\7vjjv.exec:\7vjjv.exe38⤵
- Executes dropped EXE
PID:2696 -
\??\c:\ddjdp.exec:\ddjdp.exe39⤵
- Executes dropped EXE
PID:2856 -
\??\c:\5xrxfff.exec:\5xrxfff.exe40⤵
- Executes dropped EXE
PID:2988 -
\??\c:\1bhhhn.exec:\1bhhhn.exe41⤵
- Executes dropped EXE
PID:2904 -
\??\c:\jdvvj.exec:\jdvvj.exe42⤵
- Executes dropped EXE
PID:2828 -
\??\c:\9jdjp.exec:\9jdjp.exe43⤵
- Executes dropped EXE
PID:2780 -
\??\c:\fxxlffx.exec:\fxxlffx.exe44⤵
- Executes dropped EXE
PID:2616 -
\??\c:\5lxflrr.exec:\5lxflrr.exe45⤵
- Executes dropped EXE
PID:2300 -
\??\c:\hbtbhn.exec:\hbtbhn.exe46⤵
- Executes dropped EXE
PID:2652 -
\??\c:\ppdjv.exec:\ppdjv.exe47⤵
- Executes dropped EXE
PID:1692 -
\??\c:\vpjpd.exec:\vpjpd.exe48⤵
- Executes dropped EXE
PID:1104 -
\??\c:\lllxfrf.exec:\lllxfrf.exe49⤵
- Executes dropped EXE
PID:2960 -
\??\c:\bbbhnn.exec:\bbbhnn.exe50⤵
- Executes dropped EXE
PID:3048 -
\??\c:\1dpvp.exec:\1dpvp.exe51⤵
- Executes dropped EXE
PID:2944 -
\??\c:\frxxfxx.exec:\frxxfxx.exe52⤵
- Executes dropped EXE
PID:2116 -
\??\c:\3lfxrrl.exec:\3lfxrrl.exe53⤵
- Executes dropped EXE
PID:1612 -
\??\c:\bbthbb.exec:\bbthbb.exe54⤵
- Executes dropped EXE
PID:2236 -
\??\c:\ppjvd.exec:\ppjvd.exe55⤵
- Executes dropped EXE
PID:600 -
\??\c:\flrllrx.exec:\flrllrx.exe56⤵
- Executes dropped EXE
PID:480 -
\??\c:\rrfrxrf.exec:\rrfrxrf.exe57⤵
- Executes dropped EXE
PID:2052 -
\??\c:\7hhbht.exec:\7hhbht.exe58⤵
- Executes dropped EXE
PID:1808 -
\??\c:\9jvdp.exec:\9jvdp.exe59⤵
- Executes dropped EXE
PID:2100 -
\??\c:\7rrflxr.exec:\7rrflxr.exe60⤵
- Executes dropped EXE
PID:444 -
\??\c:\tthtbb.exec:\tthtbb.exe61⤵
- Executes dropped EXE
PID:3000 -
\??\c:\nthnhn.exec:\nthnhn.exe62⤵
- Executes dropped EXE
PID:1244 -
\??\c:\9jddj.exec:\9jddj.exe63⤵
- Executes dropped EXE
PID:1396 -
\??\c:\5flrffr.exec:\5flrffr.exe64⤵
- Executes dropped EXE
PID:1500 -
\??\c:\lfxxflf.exec:\lfxxflf.exe65⤵
- Executes dropped EXE
PID:1556 -
\??\c:\nhhnhh.exec:\nhhnhh.exe66⤵PID:1780
-
\??\c:\pppdv.exec:\pppdv.exe67⤵PID:1732
-
\??\c:\7jvpd.exec:\7jvpd.exe68⤵PID:2448
-
\??\c:\1xxflll.exec:\1xxflll.exe69⤵PID:2320
-
\??\c:\bnbnhh.exec:\bnbnhh.exe70⤵PID:1648
-
\??\c:\5bbhnt.exec:\5bbhnt.exe71⤵PID:2360
-
\??\c:\9dppv.exec:\9dppv.exe72⤵PID:1280
-
\??\c:\5rlrxfr.exec:\5rlrxfr.exe73⤵PID:1768
-
\??\c:\nthnht.exec:\nthnht.exe74⤵PID:2064
-
\??\c:\htnthh.exec:\htnthh.exe75⤵PID:868
-
\??\c:\jdjjd.exec:\jdjjd.exe76⤵PID:3040
-
\??\c:\9fxlxxf.exec:\9fxlxxf.exe77⤵PID:1596
-
\??\c:\rxxxrxr.exec:\rxxxrxr.exe78⤵PID:2968
-
\??\c:\bbbttn.exec:\bbbttn.exe79⤵PID:2460
-
\??\c:\5jvdv.exec:\5jvdv.exe80⤵PID:2112
-
\??\c:\xrllxxl.exec:\xrllxxl.exe81⤵PID:2892
-
\??\c:\fflrllx.exec:\fflrllx.exe82⤵PID:2872
-
\??\c:\nnbnhh.exec:\nnbnhh.exe83⤵PID:2768
-
\??\c:\bbtbtb.exec:\bbtbtb.exe84⤵PID:2640
-
\??\c:\1dvdp.exec:\1dvdp.exe85⤵PID:1800
-
\??\c:\xrllrrf.exec:\xrllrrf.exe86⤵PID:2776
-
\??\c:\tttbnn.exec:\tttbnn.exe87⤵PID:2660
-
\??\c:\5ntnbh.exec:\5ntnbh.exe88⤵PID:2616
-
\??\c:\7pjpv.exec:\7pjpv.exe89⤵PID:2668
-
\??\c:\xxxxffl.exec:\xxxxffl.exe90⤵PID:1996
-
\??\c:\bhnnhn.exec:\bhnnhn.exe91⤵PID:1316
-
\??\c:\bhnbth.exec:\bhnbth.exe92⤵PID:3060
-
\??\c:\dvjvj.exec:\dvjvj.exe93⤵PID:1632
-
\??\c:\lfrxxfl.exec:\lfrxxfl.exe94⤵PID:2920
-
\??\c:\1thhnn.exec:\1thhnn.exe95⤵PID:2932
-
\??\c:\bnhtnn.exec:\bnhtnn.exe96⤵PID:840
-
\??\c:\pvdpv.exec:\pvdpv.exe97⤵PID:2116
-
\??\c:\llxrfrl.exec:\llxrfrl.exe98⤵PID:2120
-
\??\c:\7fxrfrf.exec:\7fxrfrf.exe99⤵PID:2272
-
\??\c:\5bntbb.exec:\5bntbb.exe100⤵PID:600
-
\??\c:\dvjjp.exec:\dvjjp.exe101⤵PID:2396
-
\??\c:\1vjpv.exec:\1vjpv.exe102⤵PID:2080
-
\??\c:\xlrfrff.exec:\xlrfrff.exe103⤵PID:2208
-
\??\c:\bbhhnn.exec:\bbhhnn.exe104⤵PID:2508
-
\??\c:\1hnnnn.exec:\1hnnnn.exe105⤵PID:2136
-
\??\c:\7ddvv.exec:\7ddvv.exe106⤵PID:444
-
\??\c:\llxxlfl.exec:\llxxlfl.exe107⤵PID:680
-
\??\c:\frlxflx.exec:\frlxflx.exe108⤵
- System Location Discovery: System Language Discovery
PID:1244 -
\??\c:\nnhhth.exec:\nnhhth.exe109⤵PID:636
-
\??\c:\5jvjj.exec:\5jvjj.exe110⤵PID:2000
-
\??\c:\jpjvj.exec:\jpjvj.exe111⤵PID:2260
-
\??\c:\xrfrxlx.exec:\xrfrxlx.exe112⤵PID:2564
-
\??\c:\nhbbth.exec:\nhbbth.exe113⤵PID:1932
-
\??\c:\nbnntb.exec:\nbnntb.exe114⤵PID:1664
-
\??\c:\ddvdp.exec:\ddvdp.exe115⤵PID:2424
-
\??\c:\lllxxfx.exec:\lllxxfx.exe116⤵PID:2328
-
\??\c:\thbnnb.exec:\thbnnb.exe117⤵PID:2420
-
\??\c:\7hbnhn.exec:\7hbnhn.exe118⤵PID:1344
-
\??\c:\7jdpp.exec:\7jdpp.exe119⤵PID:2580
-
\??\c:\rrffxxl.exec:\rrffxxl.exe120⤵PID:3012
-
\??\c:\3vpdj.exec:\3vpdj.exe121⤵PID:1600
-
\??\c:\ffxfllr.exec:\ffxfllr.exe122⤵PID:3032