Analysis
-
max time kernel
150s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system -
submitted
08/01/2025, 07:19
Static task
static1
1 signature
Behavioral task
behavioral1
Sample
bcc750e6cfaf700bd204fa9bfe1d025a5990c214e951b2039a69f2a14f0ed866.exe
Resource
win7-20240903-en
7 signatures
150 seconds
General
-
Target
bcc750e6cfaf700bd204fa9bfe1d025a5990c214e951b2039a69f2a14f0ed866.exe
-
Size
454KB
-
MD5
5b5e55e9109ef0c766a32ea8d1070723
-
SHA1
55149d7e7fe851a0eada703f46a0ae265a4dfa2e
-
SHA256
bcc750e6cfaf700bd204fa9bfe1d025a5990c214e951b2039a69f2a14f0ed866
-
SHA512
c21648d477d3a0b9e20b178259f1070e4770d6375cf487c9e3f722b2f0b9c7964bd75d96ee4008dc05e7f624011999a5900dfc5d68e2c6a6f87a40affe099799
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe5:q7Tc2NYHUrAwfMp3CD5
Malware Config (no extracted configuration is shown for this sample)
Signatures
-
Blackmoon family
-
Detect Blackmoon payload — 34 IoCs. These are in-memory YARA hits: every match is on the mapped image region 0x00400000–0x0042A000 (or 0x00220000–0x0024A000 for two of the processes) of the original dropper and of each dropped stage. The same regions also match the generic `upx` rule listed further down, so the sample is UPX-packed and the family matches are against the unpacked in-memory image; the MD5/SHA1/SHA256 values above identify the packed file on disk, not the unpacked payload.
resource yara_rule behavioral1/memory/3020-1-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3032-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2280-28-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2788-38-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2692-46-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1732-57-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2556-74-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2556-73-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1748-82-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1832-100-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2060-128-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2844-138-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1808-154-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2152-166-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2916-182-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2204-192-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/832-203-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2408-221-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1780-246-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1540-257-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/892-293-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2612-370-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2992-404-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2172-411-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2196-419-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2648-439-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1772-446-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/480-459-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1284-517-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1712-532-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3060-590-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/860-703-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2000-723-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2120-854-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE — 64 IoCs (the report lists at most 64 entries per signature; the process tree below shows the drop-and-execute chain continuing to depth 122). The original sample runs from `C:\Users\Admin\AppData\Local\Temp` and every stage writes its successor to the drive root (`c:\<name>.exe`) with a short pseudo-random name drawn from the letters b/d/f/h/j/l/n/p/r/t/v/x and a leading digit. For hunting, "process running from %TEMP% creates an .exe directly in C:\ and then starts it" is the strongest behavioural indicator here; note the sandbox runs as the `Admin` user, so writes to the drive root succeed — on a non-elevated standard-user host this chain would likely fail at the first drop.
pid Process 3032 1rrrfll.exe 2280 jdjvp.exe 2788 ttnbnb.exe 2692 lllxrfx.exe 2752 jppvp.exe 1732 5ttbth.exe 2556 xxxlffx.exe 1748 5tbnht.exe 2976 3dvpd.exe 1832 jddjp.exe 3012 jvvpd.exe 2192 jjjpd.exe 2060 lxrfxfr.exe 1228 ntnnnt.exe 2844 rlfxlrf.exe 1808 9hbhnb.exe 1800 rrrfrfr.exe 2152 pjpdv.exe 2916 xxxxxrr.exe 2204 jdpvj.exe 832 flrfxll.exe 848 vpppp.exe 2408 lfxflrx.exe 1352 7dvjv.exe 1812 llffflx.exe 1780 jpppp.exe 1540 7xfxflx.exe 944 1dvjv.exe 2484 lxxlxlf.exe 1488 pppdp.exe 892 lrlxxlr.exe 2640 pdpdd.exe 2436 fxlfrrf.exe 2020 ttthbn.exe 1588 vddpj.exe 2280 ffxrlrr.exe 2716 7bthnn.exe 2676 jjddj.exe 2816 jjjdv.exe 2600 xfxflxr.exe 1764 nbhbhh.exe 2612 5jpjd.exe 3024 5xlflfx.exe 556 1bnbtt.exe 3004 jpvjv.exe 1832 9pjvd.exe 2992 flrllrl.exe 2172 hhntht.exe 2196 vdjdv.exe 2060 xxxllxr.exe 2784 hnnbbn.exe 2648 dppdv.exe 1280 vdjvp.exe 1772 xrrfrxl.exe 480 tnnhbb.exe 328 1vpvj.exe 2924 1fxlxlx.exe 1508 rlffrxr.exe 1288 3nbtht.exe 1548 jvjdv.exe 1704 5flfxlf.exe 1120 fffrflx.exe 948 ttthbn.exe 1284 5jvjj.exe -
resource yara_rule behavioral1/memory/3020-1-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3032-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2280-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2280-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2788-38-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2692-46-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1732-57-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2556-73-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1748-82-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1832-92-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1832-100-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2192-111-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2060-128-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2844-138-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1808-154-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2152-166-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2916-182-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2204-184-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2204-192-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/848-204-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/832-203-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2408-221-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1780-246-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/944-259-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/1540-257-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2484-267-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/892-293-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2612-362-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2612-370-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2992-404-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2196-412-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2172-411-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2196-419-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2648-439-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1772-446-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/480-459-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/328-460-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1712-532-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3060-590-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2652-591-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2656-676-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/860-703-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2000-723-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/540-768-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/324-817-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2120-854-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2556-927-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery (MITRE ATT&CK T1614.001) — 1 TTP, 64 IoCs
Attempts to gather information about the system language of the victim in order to infer the geographical location of the host. Here each stage opens `HKLM\SYSTEM\ControlSet001\Control\NLS\Language`. This key is also read by a great deal of legitimate software, so on its own it is a low-fidelity indicator; it is mainly useful as corroboration of the region-gating behaviour commonly associated with this family. Entries attributed to "Process not Found" are events the sandbox could not tie to a live process, presumably because the short-lived stage had already exited before the monitor resolved it.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbttnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddppd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnntbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpvjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xflxrxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxlrfff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5tthtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xllrxff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7lrxxfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1tnnth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnhtnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9vvvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory — 64 IoCs. Every entry is a parent writing into the child it has just spawned, exactly four writes per spawn, and the writes follow the drop-and-execute chain (3020 → 3032 → 2280 → …). The report does not show what is written or to which address, so whether this is genuine code injection / hollowing or a loader artefact of ordinary process creation cannot be determined from this page; the fixed four-write pattern per child suggests the latter, but a memory dump of one child would be needed to confirm.
description pid Process procid_target PID 3020 wrote to memory of 3032 3020 bcc750e6cfaf700bd204fa9bfe1d025a5990c214e951b2039a69f2a14f0ed866.exe 30 PID 3020 wrote to memory of 3032 3020 bcc750e6cfaf700bd204fa9bfe1d025a5990c214e951b2039a69f2a14f0ed866.exe 30 PID 3020 wrote to memory of 3032 3020 bcc750e6cfaf700bd204fa9bfe1d025a5990c214e951b2039a69f2a14f0ed866.exe 30 PID 3020 wrote to memory of 3032 3020 bcc750e6cfaf700bd204fa9bfe1d025a5990c214e951b2039a69f2a14f0ed866.exe 30 PID 3032 wrote to memory of 2280 3032 1rrrfll.exe 31 PID 3032 wrote to memory of 2280 3032 1rrrfll.exe 31 PID 3032 wrote to memory of 2280 3032 1rrrfll.exe 31 PID 3032 wrote to memory of 2280 3032 1rrrfll.exe 31 PID 2280 wrote to memory of 2788 2280 jdjvp.exe 32 PID 2280 wrote to memory of 2788 2280 jdjvp.exe 32 PID 2280 wrote to memory of 2788 2280 jdjvp.exe 32 PID 2280 wrote to memory of 2788 2280 jdjvp.exe 32 PID 2788 wrote to memory of 2692 2788 ttnbnb.exe 33 PID 2788 wrote to memory of 2692 2788 ttnbnb.exe 33 PID 2788 wrote to memory of 2692 2788 ttnbnb.exe 33 PID 2788 wrote to memory of 2692 2788 ttnbnb.exe 33 PID 2692 wrote to memory of 2752 2692 lllxrfx.exe 34 PID 2692 wrote to memory of 2752 2692 lllxrfx.exe 34 PID 2692 wrote to memory of 2752 2692 lllxrfx.exe 34 PID 2692 wrote to memory of 2752 2692 lllxrfx.exe 34 PID 2752 wrote to memory of 1732 2752 jppvp.exe 35 PID 2752 wrote to memory of 1732 2752 jppvp.exe 35 PID 2752 wrote to memory of 1732 2752 jppvp.exe 35 PID 2752 wrote to memory of 1732 2752 jppvp.exe 35 PID 1732 wrote to memory of 2556 1732 5ttbth.exe 36 PID 1732 wrote to memory of 2556 1732 5ttbth.exe 36 PID 1732 wrote to memory of 2556 1732 5ttbth.exe 36 PID 1732 wrote to memory of 2556 1732 5ttbth.exe 36 PID 2556 wrote to memory of 1748 2556 xxxlffx.exe 37 PID 2556 wrote to memory of 1748 2556 xxxlffx.exe 37 PID 2556 wrote to memory of 1748 2556 xxxlffx.exe 37 PID 2556 wrote to memory of 1748 2556 xxxlffx.exe 37 PID 1748 wrote to memory of 2976 1748 5tbnht.exe 38 PID 1748 
wrote to memory of 2976 1748 5tbnht.exe 38 PID 1748 wrote to memory of 2976 1748 5tbnht.exe 38 PID 1748 wrote to memory of 2976 1748 5tbnht.exe 38 PID 2976 wrote to memory of 1832 2976 3dvpd.exe 39 PID 2976 wrote to memory of 1832 2976 3dvpd.exe 39 PID 2976 wrote to memory of 1832 2976 3dvpd.exe 39 PID 2976 wrote to memory of 1832 2976 3dvpd.exe 39 PID 1832 wrote to memory of 3012 1832 jddjp.exe 40 PID 1832 wrote to memory of 3012 1832 jddjp.exe 40 PID 1832 wrote to memory of 3012 1832 jddjp.exe 40 PID 1832 wrote to memory of 3012 1832 jddjp.exe 40 PID 3012 wrote to memory of 2192 3012 jvvpd.exe 41 PID 3012 wrote to memory of 2192 3012 jvvpd.exe 41 PID 3012 wrote to memory of 2192 3012 jvvpd.exe 41 PID 3012 wrote to memory of 2192 3012 jvvpd.exe 41 PID 2192 wrote to memory of 2060 2192 jjjpd.exe 42 PID 2192 wrote to memory of 2060 2192 jjjpd.exe 42 PID 2192 wrote to memory of 2060 2192 jjjpd.exe 42 PID 2192 wrote to memory of 2060 2192 jjjpd.exe 42 PID 2060 wrote to memory of 1228 2060 lxrfxfr.exe 43 PID 2060 wrote to memory of 1228 2060 lxrfxfr.exe 43 PID 2060 wrote to memory of 1228 2060 lxrfxfr.exe 43 PID 2060 wrote to memory of 1228 2060 lxrfxfr.exe 43 PID 1228 wrote to memory of 2844 1228 ntnnnt.exe 44 PID 1228 wrote to memory of 2844 1228 ntnnnt.exe 44 PID 1228 wrote to memory of 2844 1228 ntnnnt.exe 44 PID 1228 wrote to memory of 2844 1228 ntnnnt.exe 44 PID 2844 wrote to memory of 1808 2844 rlfxlrf.exe 45 PID 2844 wrote to memory of 1808 2844 rlfxlrf.exe 45 PID 2844 wrote to memory of 1808 2844 rlfxlrf.exe 45 PID 2844 wrote to memory of 1808 2844 rlfxlrf.exe 45
Processes (process tree: each entry gives the image path, the command line, the nesting depth marked with ⤵, and the PID)
-
C:\Users\Admin\AppData\Local\Temp\bcc750e6cfaf700bd204fa9bfe1d025a5990c214e951b2039a69f2a14f0ed866.exe"C:\Users\Admin\AppData\Local\Temp\bcc750e6cfaf700bd204fa9bfe1d025a5990c214e951b2039a69f2a14f0ed866.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3020 -
\??\c:\1rrrfll.exec:\1rrrfll.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3032 -
\??\c:\jdjvp.exec:\jdjvp.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2280 -
\??\c:\ttnbnb.exec:\ttnbnb.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2788 -
\??\c:\lllxrfx.exec:\lllxrfx.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2692 -
\??\c:\jppvp.exec:\jppvp.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2752 -
\??\c:\5ttbth.exec:\5ttbth.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1732 -
\??\c:\xxxlffx.exec:\xxxlffx.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2556 -
\??\c:\5tbnht.exec:\5tbnht.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1748 -
\??\c:\3dvpd.exec:\3dvpd.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2976 -
\??\c:\jddjp.exec:\jddjp.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1832 -
\??\c:\jvvpd.exec:\jvvpd.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3012 -
\??\c:\jjjpd.exec:\jjjpd.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2192 -
\??\c:\lxrfxfr.exec:\lxrfxfr.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2060 -
\??\c:\ntnnnt.exec:\ntnnnt.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1228 -
\??\c:\rlfxlrf.exec:\rlfxlrf.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2844 -
\??\c:\9hbhnb.exec:\9hbhnb.exe17⤵
- Executes dropped EXE
PID:1808 -
\??\c:\rrrfrfr.exec:\rrrfrfr.exe18⤵
- Executes dropped EXE
PID:1800 -
\??\c:\pjpdv.exec:\pjpdv.exe19⤵
- Executes dropped EXE
PID:2152 -
\??\c:\xxxxxrr.exec:\xxxxxrr.exe20⤵
- Executes dropped EXE
PID:2916 -
\??\c:\jdpvj.exec:\jdpvj.exe21⤵
- Executes dropped EXE
PID:2204 -
\??\c:\flrfxll.exec:\flrfxll.exe22⤵
- Executes dropped EXE
PID:832 -
\??\c:\vpppp.exec:\vpppp.exe23⤵
- Executes dropped EXE
PID:848 -
\??\c:\lfxflrx.exec:\lfxflrx.exe24⤵
- Executes dropped EXE
PID:2408 -
\??\c:\7dvjv.exec:\7dvjv.exe25⤵
- Executes dropped EXE
PID:1352 -
\??\c:\llffflx.exec:\llffflx.exe26⤵
- Executes dropped EXE
PID:1812 -
\??\c:\jpppp.exec:\jpppp.exe27⤵
- Executes dropped EXE
PID:1780 -
\??\c:\7xfxflx.exec:\7xfxflx.exe28⤵
- Executes dropped EXE
PID:1540 -
\??\c:\1dvjv.exec:\1dvjv.exe29⤵
- Executes dropped EXE
PID:944 -
\??\c:\lxxlxlf.exec:\lxxlxlf.exe30⤵
- Executes dropped EXE
PID:2484 -
\??\c:\pppdp.exec:\pppdp.exe31⤵
- Executes dropped EXE
PID:1488 -
\??\c:\lrlxxlr.exec:\lrlxxlr.exe32⤵
- Executes dropped EXE
PID:892 -
\??\c:\pdpdd.exec:\pdpdd.exe33⤵
- Executes dropped EXE
PID:2640 -
\??\c:\fxlfrrf.exec:\fxlfrrf.exe34⤵
- Executes dropped EXE
PID:2436 -
\??\c:\ttthbn.exec:\ttthbn.exe35⤵
- Executes dropped EXE
PID:2020 -
\??\c:\vddpj.exec:\vddpj.exe36⤵
- Executes dropped EXE
PID:1588 -
\??\c:\ffxrlrr.exec:\ffxrlrr.exe37⤵
- Executes dropped EXE
PID:2280 -
\??\c:\7bthnn.exec:\7bthnn.exe38⤵
- Executes dropped EXE
PID:2716 -
\??\c:\jjddj.exec:\jjddj.exe39⤵
- Executes dropped EXE
PID:2676 -
\??\c:\jjjdv.exec:\jjjdv.exe40⤵
- Executes dropped EXE
PID:2816 -
\??\c:\xfxflxr.exec:\xfxflxr.exe41⤵
- Executes dropped EXE
PID:2600 -
\??\c:\nbhbhh.exec:\nbhbhh.exe42⤵
- Executes dropped EXE
PID:1764 -
\??\c:\5jpjd.exec:\5jpjd.exe43⤵
- Executes dropped EXE
PID:2612 -
\??\c:\5xlflfx.exec:\5xlflfx.exe44⤵
- Executes dropped EXE
PID:3024 -
\??\c:\1bnbtt.exec:\1bnbtt.exe45⤵
- Executes dropped EXE
PID:556 -
\??\c:\jpvjv.exec:\jpvjv.exe46⤵
- Executes dropped EXE
PID:3004 -
\??\c:\9pjvd.exec:\9pjvd.exe47⤵
- Executes dropped EXE
PID:1832 -
\??\c:\flrllrl.exec:\flrllrl.exe48⤵
- Executes dropped EXE
PID:2992 -
\??\c:\hhntht.exec:\hhntht.exe49⤵
- Executes dropped EXE
PID:2172 -
\??\c:\vdjdv.exec:\vdjdv.exe50⤵
- Executes dropped EXE
PID:2196 -
\??\c:\xxxllxr.exec:\xxxllxr.exe51⤵
- Executes dropped EXE
PID:2060 -
\??\c:\hnnbbn.exec:\hnnbbn.exe52⤵
- Executes dropped EXE
PID:2784 -
\??\c:\dppdv.exec:\dppdv.exe53⤵
- Executes dropped EXE
PID:2648 -
\??\c:\vdjvp.exec:\vdjvp.exe54⤵
- Executes dropped EXE
PID:1280 -
\??\c:\xrrfrxl.exec:\xrrfrxl.exe55⤵
- Executes dropped EXE
PID:1772 -
\??\c:\tnnhbb.exec:\tnnhbb.exe56⤵
- Executes dropped EXE
PID:480 -
\??\c:\1vpvj.exec:\1vpvj.exe57⤵
- Executes dropped EXE
PID:328 -
\??\c:\1fxlxlx.exec:\1fxlxlx.exe58⤵
- Executes dropped EXE
PID:2924 -
\??\c:\rlffrxr.exec:\rlffrxr.exe59⤵
- Executes dropped EXE
PID:1508 -
\??\c:\3nbtht.exec:\3nbtht.exe60⤵
- Executes dropped EXE
PID:1288 -
\??\c:\jvjdv.exec:\jvjdv.exe61⤵
- Executes dropped EXE
PID:1548 -
\??\c:\5flfxlf.exec:\5flfxlf.exe62⤵
- Executes dropped EXE
PID:1704 -
\??\c:\fffrflx.exec:\fffrflx.exe63⤵
- Executes dropped EXE
PID:1120 -
\??\c:\ttthbn.exec:\ttthbn.exe64⤵
- Executes dropped EXE
PID:948 -
\??\c:\5jvjj.exec:\5jvjj.exe65⤵
- Executes dropped EXE
PID:1284 -
\??\c:\lxffxrl.exec:\lxffxrl.exe66⤵PID:1348
-
\??\c:\9ttthh.exec:\9ttthh.exe67⤵PID:1712
-
\??\c:\ddvpv.exec:\ddvpv.exe68⤵PID:900
-
\??\c:\llxxlxr.exec:\llxxlxr.exe69⤵PID:928
-
\??\c:\xrllxfr.exec:\xrllxfr.exe70⤵PID:2404
-
\??\c:\bhtnnn.exec:\bhtnnn.exe71⤵PID:944
-
\??\c:\ddpvp.exec:\ddpvp.exe72⤵PID:2360
-
\??\c:\9lrllrf.exec:\9lrllrf.exe73⤵PID:696
-
\??\c:\lllxrlf.exec:\lllxrlf.exe74⤵PID:1956
-
\??\c:\9bhbnh.exec:\9bhbnh.exe75⤵PID:2096
-
\??\c:\vjvpv.exec:\vjvpv.exe76⤵PID:3060
-
\??\c:\lrfrlxx.exec:\lrfrlxx.exe77⤵PID:2652
-
\??\c:\5bbnhn.exec:\5bbnhn.exe78⤵PID:2200
-
\??\c:\7ppdj.exec:\7ppdj.exe79⤵PID:2904
-
\??\c:\djjvv.exec:\djjvv.exe80⤵PID:2900
-
\??\c:\flrxllf.exec:\flrxllf.exe81⤵PID:2896
-
\??\c:\bhbnhn.exec:\bhbnhn.exe82⤵PID:2840
-
\??\c:\9jjjd.exec:\9jjjd.exe83⤵PID:2608
-
\??\c:\1pjvp.exec:\1pjvp.exe84⤵PID:2616
-
\??\c:\xfrlfrl.exec:\xfrlfrl.exe85⤵PID:2560
-
\??\c:\bttttn.exec:\bttttn.exe86⤵PID:2972
-
\??\c:\jjvpj.exec:\jjvpj.exe87⤵PID:644
-
\??\c:\vdvpv.exec:\vdvpv.exe88⤵PID:2008
-
\??\c:\rxrxlrf.exec:\rxrxlrf.exe89⤵PID:2996
-
\??\c:\nttnhh.exec:\nttnhh.exe90⤵PID:2656
-
\??\c:\3djdp.exec:\3djdp.exe91⤵PID:3012
-
\??\c:\jvvjv.exec:\jvvjv.exe92⤵PID:2012
-
\??\c:\flrffxf.exec:\flrffxf.exe93⤵PID:860
-
\??\c:\bbtthn.exec:\bbtthn.exe94⤵PID:664
-
\??\c:\jpvdd.exec:\jpvdd.exe95⤵PID:1336
-
\??\c:\lllxlrr.exec:\lllxlrr.exe96⤵PID:2844
-
\??\c:\rrllxxl.exec:\rrllxxl.exe97⤵PID:2000
-
\??\c:\nbhtbh.exec:\nbhtbh.exe98⤵PID:1484
-
\??\c:\pdjvj.exec:\pdjvj.exe99⤵PID:1800
-
\??\c:\rrlxrxf.exec:\rrlxrxf.exe100⤵PID:2284
-
\??\c:\hhhnbh.exec:\hhhnbh.exe101⤵PID:2452
-
\??\c:\vdjvj.exec:\vdjvj.exe102⤵PID:2456
-
\??\c:\3ddvp.exec:\3ddvp.exe103⤵PID:540
-
\??\c:\xxfrxfr.exec:\xxfrxfr.exe104⤵PID:1288
-
\??\c:\hbbhnt.exec:\hbbhnt.exe105⤵PID:2260
-
\??\c:\7fxxrxf.exec:\7fxxrxf.exe106⤵PID:2224
-
\??\c:\ffrrflr.exec:\ffrrflr.exe107⤵PID:2236
-
\??\c:\bhbtnn.exec:\bhbtnn.exe108⤵PID:1352
-
\??\c:\vvjdd.exec:\vvjdd.exe109⤵PID:1784
-
\??\c:\xrlfffl.exec:\xrlfffl.exe110⤵PID:2528
-
\??\c:\tbnbtn.exec:\tbnbtn.exe111⤵PID:324
-
\??\c:\bhhnhh.exec:\bhhnhh.exe112⤵PID:1720
-
\??\c:\vvpjv.exec:\vvpjv.exe113⤵PID:2480
-
\??\c:\rlxxffx.exec:\rlxxffx.exe114⤵PID:2072
-
\??\c:\lrfrxfr.exec:\lrfrxfr.exe115⤵PID:2248
-
\??\c:\tttbnn.exec:\tttbnn.exe116⤵PID:2044
-
\??\c:\vddjp.exec:\vddjp.exe117⤵PID:2120
-
\??\c:\vvpvj.exec:\vvpvj.exe118⤵PID:2640
-
\??\c:\llrfrxx.exec:\llrfrxx.exe119⤵PID:1536
-
\??\c:\ntbbnt.exec:\ntbbnt.exe120⤵PID:2756
-
\??\c:\djddj.exec:\djddj.exe121⤵PID:1728
-
\??\c:\jpppj.exec:\jpppj.exe122⤵PID:2200