Analysis
-
max time kernel
150s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
08/01/2025, 07:22
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
bd8c213f826b95315bfde8e542a0ac20da007c81e216405d55bcfb866789a777.exe
Resource
win7-20240903-en
7 signatures
150 seconds
General
-
Target
bd8c213f826b95315bfde8e542a0ac20da007c81e216405d55bcfb866789a777.exe
-
Size
454KB
-
MD5
c91ca7a7775240001c0561985e00f02f
-
SHA1
c2960e0fbe92f88afaf9530544d70c1747d56f8b
-
SHA256
bd8c213f826b95315bfde8e542a0ac20da007c81e216405d55bcfb866789a777
-
SHA512
52f0328b29ab476a3a866e11b727befda9756455f43c14ec0da53ecc2f90a92a1912338cf487df5fc7bfd196cacc9a5c0a5e4c93535bfad1b19e328f89adfcb1
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbek:q7Tc2NYHUrAwfMp3CDk
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 39 IoCs
resource yara_rule behavioral1/memory/2280-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2736-20-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2672-16-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2676-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2184-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2716-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2184-44-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2556-59-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2716-55-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/2716-53-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/2780-78-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3040-75-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1836-112-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1804-122-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1836-119-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2888-132-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1940-141-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1940-148-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2372-166-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2244-185-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/668-194-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/448-207-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2644-205-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1892-216-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1308-242-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1240-276-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1524-293-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2280-304-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2764-318-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/568-381-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2612-421-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2684-454-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2144-461-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1896-507-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1892-515-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2852-568-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2732-582-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/2592-663-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/2428-677-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2672 djddp.exe 2736 1lfrxrr.exe 2676 hnhhtb.exe 2184 vjvvd.exe 2716 1xlrllx.exe 2556 llxxrlr.exe 3040 lrfrlll.exe 2780 5lflrxl.exe 640 xxlrrrx.exe 2092 ttntth.exe 2212 xfxfxxl.exe 1836 ppdjv.exe 1804 9frxlfl.exe 2888 3rllrrf.exe 1940 vdvpd.exe 3032 llfrrrx.exe 2372 jdvdd.exe 2956 dddpv.exe 2244 flxfrrf.exe 668 pjjpd.exe 2644 7frlllx.exe 448 3bhhtt.exe 1892 jdjdp.exe 1268 rlfxllr.exe 1356 jvjjp.exe 1308 bthnnt.exe 1980 nnhhth.exe 1956 xrllrrf.exe 1240 btnhnh.exe 1472 5rlrlrf.exe 1524 bthhtb.exe 2280 tthtbt.exe 2440 1btbhn.exe 2764 rrlxxfx.exe 1988 nhttht.exe 2936 jdjvj.exe 2680 fxrrxxl.exe 2660 lfflflf.exe 2716 hnhbtt.exe 2616 jjvdv.exe 3044 vjvdp.exe 332 lxllrlr.exe 568 btnntb.exe 236 7vdvv.exe 2436 vjppj.exe 2896 lfxxflr.exe 2784 bthbtt.exe 2104 jpddj.exe 2612 jvjjp.exe 1032 rlxxllr.exe 1844 nhbbnt.exe 3008 ddppv.exe 2076 ffxfrlr.exe 2684 lfxlrrx.exe 2312 3nbttt.exe 2144 9vjjj.exe 2236 1xrfrxr.exe 2168 hbhntt.exe 344 nbntbb.exe 2644 ppjvv.exe 2952 flrxrxl.exe 1896 nhtbht.exe 1892 bhnbtt.exe 1684 vdddv.exe -
resource yara_rule behavioral1/memory/2280-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2736-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2672-16-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2676-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2184-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2716-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2184-44-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2556-59-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2716-53-0x00000000003A0000-0x00000000003CA000-memory.dmp upx behavioral1/memory/2780-78-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3040-75-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1836-112-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1804-122-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1836-119-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2888-132-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1940-141-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2956-168-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2372-166-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2244-177-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2244-185-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/668-194-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/448-207-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2644-205-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1892-216-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/1308-242-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1472-277-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1240-276-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1524-293-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2280-304-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2764-311-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2764-318-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/332-365-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/568-381-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2612-421-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2684-454-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2144-461-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1896-507-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1892-515-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2852-568-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2112-629-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2592-636-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2428-677-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfffrfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frflrrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlxxfxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddppv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvjpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppjvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dddjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlfffrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htnhbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnhtbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbbhtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2280 wrote to memory of 2672 2280 bd8c213f826b95315bfde8e542a0ac20da007c81e216405d55bcfb866789a777.exe 30 PID 2280 wrote to memory of 2672 2280 bd8c213f826b95315bfde8e542a0ac20da007c81e216405d55bcfb866789a777.exe 30 PID 2280 wrote to memory of 2672 2280 bd8c213f826b95315bfde8e542a0ac20da007c81e216405d55bcfb866789a777.exe 30 PID 2280 wrote to memory of 2672 2280 bd8c213f826b95315bfde8e542a0ac20da007c81e216405d55bcfb866789a777.exe 30 PID 2672 wrote to memory of 2736 2672 djddp.exe 31 PID 2672 wrote to memory of 2736 2672 djddp.exe 31 PID 2672 wrote to memory of 2736 2672 djddp.exe 31 PID 2672 wrote to memory of 2736 2672 djddp.exe 31 PID 2736 wrote to memory of 2676 2736 1lfrxrr.exe 32 PID 2736 wrote to memory of 2676 2736 1lfrxrr.exe 32 PID 2736 wrote to memory of 2676 2736 1lfrxrr.exe 32 PID 2736 wrote to memory of 2676 2736 1lfrxrr.exe 32 PID 2676 wrote to memory of 2184 2676 hnhhtb.exe 33 PID 2676 wrote to memory of 2184 2676 hnhhtb.exe 33 PID 2676 wrote to memory of 2184 2676 hnhhtb.exe 33 PID 2676 wrote to memory of 2184 2676 hnhhtb.exe 33 PID 2184 wrote to memory of 2716 2184 vjvvd.exe 34 PID 2184 wrote to memory of 2716 2184 vjvvd.exe 34 PID 2184 wrote to memory of 2716 2184 vjvvd.exe 34 PID 2184 wrote to memory of 2716 2184 vjvvd.exe 34 PID 2716 wrote to memory of 2556 2716 1xlrllx.exe 35 PID 2716 wrote to memory of 2556 2716 1xlrllx.exe 35 PID 2716 wrote to memory of 2556 2716 1xlrllx.exe 35 PID 2716 wrote to memory of 2556 2716 1xlrllx.exe 35 PID 2556 wrote to memory of 3040 2556 llxxrlr.exe 36 PID 2556 wrote to memory of 3040 2556 llxxrlr.exe 36 PID 2556 wrote to memory of 3040 2556 llxxrlr.exe 36 PID 2556 wrote to memory of 3040 2556 llxxrlr.exe 36 PID 3040 wrote to memory of 2780 3040 lrfrlll.exe 37 PID 3040 wrote to memory of 2780 3040 lrfrlll.exe 37 PID 3040 wrote to memory of 2780 3040 lrfrlll.exe 37 PID 3040 wrote to memory of 2780 3040 lrfrlll.exe 37 PID 2780 wrote to memory of 640 2780 5lflrxl.exe 38 PID 
2780 wrote to memory of 640 2780 5lflrxl.exe 38 PID 2780 wrote to memory of 640 2780 5lflrxl.exe 38 PID 2780 wrote to memory of 640 2780 5lflrxl.exe 38 PID 640 wrote to memory of 2092 640 xxlrrrx.exe 39 PID 640 wrote to memory of 2092 640 xxlrrrx.exe 39 PID 640 wrote to memory of 2092 640 xxlrrrx.exe 39 PID 640 wrote to memory of 2092 640 xxlrrrx.exe 39 PID 2092 wrote to memory of 2212 2092 ttntth.exe 40 PID 2092 wrote to memory of 2212 2092 ttntth.exe 40 PID 2092 wrote to memory of 2212 2092 ttntth.exe 40 PID 2092 wrote to memory of 2212 2092 ttntth.exe 40 PID 2212 wrote to memory of 1836 2212 xfxfxxl.exe 41 PID 2212 wrote to memory of 1836 2212 xfxfxxl.exe 41 PID 2212 wrote to memory of 1836 2212 xfxfxxl.exe 41 PID 2212 wrote to memory of 1836 2212 xfxfxxl.exe 41 PID 1836 wrote to memory of 1804 1836 ppdjv.exe 42 PID 1836 wrote to memory of 1804 1836 ppdjv.exe 42 PID 1836 wrote to memory of 1804 1836 ppdjv.exe 42 PID 1836 wrote to memory of 1804 1836 ppdjv.exe 42 PID 1804 wrote to memory of 2888 1804 9frxlfl.exe 43 PID 1804 wrote to memory of 2888 1804 9frxlfl.exe 43 PID 1804 wrote to memory of 2888 1804 9frxlfl.exe 43 PID 1804 wrote to memory of 2888 1804 9frxlfl.exe 43 PID 2888 wrote to memory of 1940 2888 3rllrrf.exe 44 PID 2888 wrote to memory of 1940 2888 3rllrrf.exe 44 PID 2888 wrote to memory of 1940 2888 3rllrrf.exe 44 PID 2888 wrote to memory of 1940 2888 3rllrrf.exe 44 PID 1940 wrote to memory of 3032 1940 vdvpd.exe 45 PID 1940 wrote to memory of 3032 1940 vdvpd.exe 45 PID 1940 wrote to memory of 3032 1940 vdvpd.exe 45 PID 1940 wrote to memory of 3032 1940 vdvpd.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\bd8c213f826b95315bfde8e542a0ac20da007c81e216405d55bcfb866789a777.exe"C:\Users\Admin\AppData\Local\Temp\bd8c213f826b95315bfde8e542a0ac20da007c81e216405d55bcfb866789a777.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2280 -
\??\c:\djddp.exec:\djddp.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2672 -
\??\c:\1lfrxrr.exec:\1lfrxrr.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2736 -
\??\c:\hnhhtb.exec:\hnhhtb.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2676 -
\??\c:\vjvvd.exec:\vjvvd.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2184 -
\??\c:\1xlrllx.exec:\1xlrllx.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2716 -
\??\c:\llxxrlr.exec:\llxxrlr.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2556 -
\??\c:\lrfrlll.exec:\lrfrlll.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3040 -
\??\c:\5lflrxl.exec:\5lflrxl.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2780 -
\??\c:\xxlrrrx.exec:\xxlrrrx.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:640 -
\??\c:\ttntth.exec:\ttntth.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2092 -
\??\c:\xfxfxxl.exec:\xfxfxxl.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2212 -
\??\c:\ppdjv.exec:\ppdjv.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1836 -
\??\c:\9frxlfl.exec:\9frxlfl.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1804 -
\??\c:\3rllrrf.exec:\3rllrrf.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2888 -
\??\c:\vdvpd.exec:\vdvpd.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1940 -
\??\c:\llfrrrx.exec:\llfrrrx.exe17⤵
- Executes dropped EXE
PID:3032 -
\??\c:\jdvdd.exec:\jdvdd.exe18⤵
- Executes dropped EXE
PID:2372 -
\??\c:\dddpv.exec:\dddpv.exe19⤵
- Executes dropped EXE
PID:2956 -
\??\c:\flxfrrf.exec:\flxfrrf.exe20⤵
- Executes dropped EXE
PID:2244 -
\??\c:\pjjpd.exec:\pjjpd.exe21⤵
- Executes dropped EXE
PID:668 -
\??\c:\7frlllx.exec:\7frlllx.exe22⤵
- Executes dropped EXE
PID:2644 -
\??\c:\3bhhtt.exec:\3bhhtt.exe23⤵
- Executes dropped EXE
PID:448 -
\??\c:\jdjdp.exec:\jdjdp.exe24⤵
- Executes dropped EXE
PID:1892 -
\??\c:\rlfxllr.exec:\rlfxllr.exe25⤵
- Executes dropped EXE
PID:1268 -
\??\c:\jvjjp.exec:\jvjjp.exe26⤵
- Executes dropped EXE
PID:1356 -
\??\c:\bthnnt.exec:\bthnnt.exe27⤵
- Executes dropped EXE
PID:1308 -
\??\c:\nnhhth.exec:\nnhhth.exe28⤵
- Executes dropped EXE
PID:1980 -
\??\c:\xrllrrf.exec:\xrllrrf.exe29⤵
- Executes dropped EXE
PID:1956 -
\??\c:\btnhnh.exec:\btnhnh.exe30⤵
- Executes dropped EXE
PID:1240 -
\??\c:\5rlrlrf.exec:\5rlrlrf.exe31⤵
- Executes dropped EXE
PID:1472 -
\??\c:\bthhtb.exec:\bthhtb.exe32⤵
- Executes dropped EXE
PID:1524 -
\??\c:\tthtbt.exec:\tthtbt.exe33⤵
- Executes dropped EXE
PID:2280 -
\??\c:\1btbhn.exec:\1btbhn.exe34⤵
- Executes dropped EXE
PID:2440 -
\??\c:\rrlxxfx.exec:\rrlxxfx.exe35⤵
- Executes dropped EXE
PID:2764 -
\??\c:\nhttht.exec:\nhttht.exe36⤵
- Executes dropped EXE
PID:1988 -
\??\c:\jdjvj.exec:\jdjvj.exe37⤵
- Executes dropped EXE
PID:2936 -
\??\c:\fxrrxxl.exec:\fxrrxxl.exe38⤵
- Executes dropped EXE
PID:2680 -
\??\c:\lfflflf.exec:\lfflflf.exe39⤵
- Executes dropped EXE
PID:2660 -
\??\c:\hnhbtt.exec:\hnhbtt.exe40⤵
- Executes dropped EXE
PID:2716 -
\??\c:\jjvdv.exec:\jjvdv.exe41⤵
- Executes dropped EXE
PID:2616 -
\??\c:\vjvdp.exec:\vjvdp.exe42⤵
- Executes dropped EXE
PID:3044 -
\??\c:\lxllrlr.exec:\lxllrlr.exe43⤵
- Executes dropped EXE
PID:332 -
\??\c:\btnntb.exec:\btnntb.exe44⤵
- Executes dropped EXE
PID:568 -
\??\c:\7vdvv.exec:\7vdvv.exe45⤵
- Executes dropped EXE
PID:236 -
\??\c:\vjppj.exec:\vjppj.exe46⤵
- Executes dropped EXE
PID:2436 -
\??\c:\lfxxflr.exec:\lfxxflr.exe47⤵
- Executes dropped EXE
PID:2896 -
\??\c:\bthbtt.exec:\bthbtt.exe48⤵
- Executes dropped EXE
PID:2784 -
\??\c:\jpddj.exec:\jpddj.exe49⤵
- Executes dropped EXE
PID:2104 -
\??\c:\jvjjp.exec:\jvjjp.exe50⤵
- Executes dropped EXE
PID:2612 -
\??\c:\rlxxllr.exec:\rlxxllr.exe51⤵
- Executes dropped EXE
PID:1032 -
\??\c:\nhbbnt.exec:\nhbbnt.exe52⤵
- Executes dropped EXE
PID:1844 -
\??\c:\ddppv.exec:\ddppv.exe53⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3008 -
\??\c:\ffxfrlr.exec:\ffxfrlr.exe54⤵
- Executes dropped EXE
PID:2076 -
\??\c:\lfxlrrx.exec:\lfxlrrx.exe55⤵
- Executes dropped EXE
PID:2684 -
\??\c:\3nbttt.exec:\3nbttt.exe56⤵
- Executes dropped EXE
PID:2312 -
\??\c:\9vjjj.exec:\9vjjj.exe57⤵
- Executes dropped EXE
PID:2144 -
\??\c:\1xrfrxr.exec:\1xrfrxr.exe58⤵
- Executes dropped EXE
PID:2236 -
\??\c:\hbhntt.exec:\hbhntt.exe59⤵
- Executes dropped EXE
PID:2168 -
\??\c:\nbntbb.exec:\nbntbb.exe60⤵
- Executes dropped EXE
PID:344 -
\??\c:\ppjvv.exec:\ppjvv.exe61⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2644 -
\??\c:\flrxrxl.exec:\flrxrxl.exe62⤵
- Executes dropped EXE
PID:2952 -
\??\c:\nhtbht.exec:\nhtbht.exe63⤵
- Executes dropped EXE
PID:1896 -
\??\c:\bhnbtt.exec:\bhnbtt.exe64⤵
- Executes dropped EXE
PID:1892 -
\??\c:\vdddv.exec:\vdddv.exe65⤵
- Executes dropped EXE
PID:1684 -
\??\c:\9xrfrxr.exec:\9xrfrxr.exe66⤵PID:888
-
\??\c:\nttbnt.exec:\nttbnt.exe67⤵PID:1564
-
\??\c:\jjpvj.exec:\jjpvj.exe68⤵PID:2476
-
\??\c:\rfxrllx.exec:\rfxrllx.exe69⤵PID:1956
-
\??\c:\rrxfxff.exec:\rrxfxff.exe70⤵PID:1696
-
\??\c:\9bhntb.exec:\9bhntb.exe71⤵PID:1240
-
\??\c:\nhnbhh.exec:\nhnbhh.exe72⤵PID:1968
-
\??\c:\ddppv.exec:\ddppv.exe73⤵PID:2852
-
\??\c:\rxrxfrx.exec:\rxrxfrx.exe74⤵PID:2732
-
\??\c:\tbtbnn.exec:\tbtbnn.exe75⤵PID:2700
-
\??\c:\btnbtt.exec:\btnbtt.exe76⤵PID:2820
-
\??\c:\jjdpj.exec:\jjdpj.exe77⤵PID:2840
-
\??\c:\ffrfrxr.exec:\ffrfrxr.exe78⤵PID:2836
-
\??\c:\3bttbh.exec:\3bttbh.exe79⤵PID:2936
-
\??\c:\tnbhtt.exec:\tnbhtt.exe80⤵PID:2576
-
\??\c:\fffflrr.exec:\fffflrr.exe81⤵PID:2600
-
\??\c:\ffflflf.exec:\ffflflf.exe82⤵PID:2112
-
\??\c:\tttbnb.exec:\tttbnb.exe83⤵PID:2592
-
\??\c:\ppjpj.exec:\ppjpj.exe84⤵PID:2804
-
\??\c:\xrlrxfr.exec:\xrlrxfr.exe85⤵PID:1476
-
\??\c:\lxrrfxf.exec:\lxrrfxf.exe86⤵PID:3020
-
\??\c:\hbhntn.exec:\hbhntn.exe87⤵PID:236
-
\??\c:\vjvdp.exec:\vjvdp.exe88⤵PID:2428
-
\??\c:\rlfxllx.exec:\rlfxllx.exe89⤵PID:2812
-
\??\c:\xfflxfr.exec:\xfflxfr.exe90⤵PID:2808
-
\??\c:\hhbhtt.exec:\hhbhtt.exe91⤵PID:1248
-
\??\c:\jvjpp.exec:\jvjpp.exe92⤵PID:1804
-
\??\c:\vvjjd.exec:\vvjjd.exe93⤵PID:892
-
\??\c:\rfffxfx.exec:\rfffxfx.exe94⤵PID:1844
-
\??\c:\3thbtb.exec:\3thbtb.exe95⤵PID:1112
-
\??\c:\3nnhhn.exec:\3nnhhn.exe96⤵PID:2460
-
\??\c:\7pvdv.exec:\7pvdv.exe97⤵PID:2684
-
\??\c:\rrflrxl.exec:\rrflrxl.exe98⤵PID:2312
-
\??\c:\fflxflf.exec:\fflxflf.exe99⤵PID:2144
-
\??\c:\7bnttb.exec:\7bnttb.exe100⤵PID:1080
-
\??\c:\pjvvj.exec:\pjvvj.exe101⤵PID:748
-
\??\c:\vjdjv.exec:\vjdjv.exe102⤵PID:1040
-
\??\c:\llfflfx.exec:\llfflfx.exe103⤵PID:1960
-
\??\c:\ffflxfx.exec:\ffflxfx.exe104⤵PID:940
-
\??\c:\3bnbht.exec:\3bnbht.exe105⤵PID:1268
-
\??\c:\7jjjj.exec:\7jjjj.exe106⤵PID:1704
-
\??\c:\xxrfxfx.exec:\xxrfxfx.exe107⤵PID:744
-
\??\c:\frflrrf.exec:\frflrrf.exe108⤵
- System Location Discovery: System Language Discovery
PID:888 -
\??\c:\btnntb.exec:\btnntb.exe109⤵PID:2464
-
\??\c:\jjvdp.exec:\jjvdp.exe110⤵PID:288
-
\??\c:\jjdjv.exec:\jjdjv.exe111⤵PID:2516
-
\??\c:\lxrxfrr.exec:\lxrxfrr.exe112⤵PID:1936
-
\??\c:\hhtntn.exec:\hhtntn.exe113⤵PID:2300
-
\??\c:\bnhntt.exec:\bnhntt.exe114⤵PID:1912
-
\??\c:\jvpvd.exec:\jvpvd.exe115⤵PID:2304
-
\??\c:\3pvvj.exec:\3pvvj.exe116⤵PID:2732
-
\??\c:\lfxxrrf.exec:\lfxxrrf.exe117⤵PID:2440
-
\??\c:\5rfrffl.exec:\5rfrffl.exe118⤵PID:2548
-
\??\c:\hbtthh.exec:\hbtthh.exe119⤵PID:2840
-
\??\c:\pvpvj.exec:\pvpvj.exe120⤵PID:1988
-
\??\c:\djdpj.exec:\djdpj.exe121⤵PID:2084
-
\??\c:\rlrrxxl.exec:\rlrrxxl.exe122⤵PID:2660