Analysis
-
max time kernel
120s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
submitted
08/01/2025, 07:30
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
e124b9514ccf49ca332eda8a489eff83eabd6191cf99aa6f339dec443633b637N.exe
Resource
win7-20240903-en
7 signatures
120 seconds
General
-
Target
e124b9514ccf49ca332eda8a489eff83eabd6191cf99aa6f339dec443633b637N.exe
-
Size
455KB
-
MD5
fe90074b77b4f211c2a73b2ffa0a0dd0
-
SHA1
50905d03c3d9199fb3881c84cb266987c05dd5eb
-
SHA256
e124b9514ccf49ca332eda8a489eff83eabd6191cf99aa6f339dec443633b637
-
SHA512
cb33d4c4226b93eb1abb048885393b3968a74ae3b01035ec669228b910a4819e716acb04ab4fac7a14c873b88c7c4ca379b84800e0ecad0fe3ccd4325f838f4f
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeTI:q7Tc2NYHUrAwfMp3CDE
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 39 IoCs
resource yara_rule behavioral1/memory/1316-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2716-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2840-26-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1856-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2868-45-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2620-55-0x0000000000530000-0x000000000055A000-memory.dmp family_blackmoon behavioral1/memory/2588-64-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1428-75-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1468-84-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1992-117-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1364-131-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2084-129-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1928-180-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2060-199-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1264-208-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1524-222-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/640-240-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2296-267-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/996-275-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2316-296-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2020-294-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2720-315-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2816-323-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2784-330-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2928-337-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2504-345-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2652-358-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1660-366-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2880-392-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1952-472-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2392-485-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/1688-526-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1948-567-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2036-574-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3000-659-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/3000-661-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/572-668-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2540-716-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1632-715-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2716 rxrxrxl.exe 2840 1bhnnb.exe 1856 ffxfrrf.exe 2868 vvjpj.exe 2620 lfxfrxf.exe 2588 lfflffx.exe 2508 jvjpv.exe 1428 fxrxffl.exe 1468 1dddp.exe 2664 xfflrxl.exe 1120 rlflxfl.exe 1992 bbbnth.exe 2084 vvjpp.exe 1364 nnnhth.exe 308 nhhbnb.exe 2384 dddpj.exe 596 thhtnb.exe 2284 jjvjv.exe 1928 bhhhbn.exe 1296 jvvpp.exe 2060 bhhthn.exe 1264 jpjpp.exe 1096 xrlxlff.exe 1524 hnntnh.exe 2052 rxxrfxx.exe 640 vdpdv.exe 2336 lxrfrfr.exe 2296 xrffxrf.exe 996 fffrfrl.exe 2036 jdddp.exe 2020 fxrrxfl.exe 2316 dddvv.exe 1568 ffxfrfr.exe 2720 5nbbhh.exe 2816 7dpdd.exe 2784 lfxlrfl.exe 2928 bhhnbh.exe 2504 vpjpj.exe 2572 xxrfxff.exe 2652 tnntbb.exe 1660 vvppv.exe 3000 fflxxlf.exe 572 ntthbn.exe 2644 vvppd.exe 2880 jjddp.exe 2040 llxrlrx.exe 372 3nhhnt.exe 1152 jvppv.exe 1528 llflrxl.exe 812 7tnnnn.exe 1704 nthhnh.exe 712 dvjpd.exe 2244 5lxfxlx.exe 1952 nnhnbb.exe 2420 ddpjp.exe 2392 rxxlfrl.exe 2184 xxrxlrl.exe 2552 hhbhnb.exe 444 pjjpj.exe 2060 vvpdv.exe 2220 1lxlxlx.exe 660 1bhhth.exe 1820 jpjvp.exe 1956 fxlfllx.exe -
resource yara_rule behavioral1/memory/1316-0-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1316-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2716-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2840-26-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1856-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2868-45-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2588-64-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1428-75-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1468-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2664-92-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1992-109-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1992-117-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1364-131-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2084-129-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/308-146-0x00000000003C0000-0x00000000003EA000-memory.dmp upx behavioral1/memory/1928-180-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1296-182-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1264-200-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2060-199-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1264-208-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/640-240-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2296-257-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2296-267-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/996-275-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2316-296-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2020-294-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2720-315-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2816-323-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2784-330-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2928-337-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2504-345-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2652-358-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1660-366-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2880-392-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/660-499-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1688-526-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1948-567-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2036-574-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3000-661-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lllrflx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language httnht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjdjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjppp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5lxfrfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llrfxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbtbtb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdpdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llxflxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7httht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e124b9514ccf49ca332eda8a489eff83eabd6191cf99aa6f339dec443633b637N.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxxfrxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrxfrxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbntht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxllrlr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3rrlxxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3vvdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5vjjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1316 wrote to memory of 2716 1316 e124b9514ccf49ca332eda8a489eff83eabd6191cf99aa6f339dec443633b637N.exe 30 PID 1316 wrote to memory of 2716 1316 e124b9514ccf49ca332eda8a489eff83eabd6191cf99aa6f339dec443633b637N.exe 30 PID 1316 wrote to memory of 2716 1316 e124b9514ccf49ca332eda8a489eff83eabd6191cf99aa6f339dec443633b637N.exe 30 PID 1316 wrote to memory of 2716 1316 e124b9514ccf49ca332eda8a489eff83eabd6191cf99aa6f339dec443633b637N.exe 30 PID 2716 wrote to memory of 2840 2716 rxrxrxl.exe 31 PID 2716 wrote to memory of 2840 2716 rxrxrxl.exe 31 PID 2716 wrote to memory of 2840 2716 rxrxrxl.exe 31 PID 2716 wrote to memory of 2840 2716 rxrxrxl.exe 31 PID 2840 wrote to memory of 1856 2840 1bhnnb.exe 32 PID 2840 wrote to memory of 1856 2840 1bhnnb.exe 32 PID 2840 wrote to memory of 1856 2840 1bhnnb.exe 32 PID 2840 wrote to memory of 1856 2840 1bhnnb.exe 32 PID 1856 wrote to memory of 2868 1856 ffxfrrf.exe 33 PID 1856 wrote to memory of 2868 1856 ffxfrrf.exe 33 PID 1856 wrote to memory of 2868 1856 ffxfrrf.exe 33 PID 1856 wrote to memory of 2868 1856 ffxfrrf.exe 33 PID 2868 wrote to memory of 2620 2868 vvjpj.exe 34 PID 2868 wrote to memory of 2620 2868 vvjpj.exe 34 PID 2868 wrote to memory of 2620 2868 vvjpj.exe 34 PID 2868 wrote to memory of 2620 2868 vvjpj.exe 34 PID 2620 wrote to memory of 2588 2620 lfxfrxf.exe 35 PID 2620 wrote to memory of 2588 2620 lfxfrxf.exe 35 PID 2620 wrote to memory of 2588 2620 lfxfrxf.exe 35 PID 2620 wrote to memory of 2588 2620 lfxfrxf.exe 35 PID 2588 wrote to memory of 2508 2588 lfflffx.exe 36 PID 2588 wrote to memory of 2508 2588 lfflffx.exe 36 PID 2588 wrote to memory of 2508 2588 lfflffx.exe 36 PID 2588 wrote to memory of 2508 2588 lfflffx.exe 36 PID 2508 wrote to memory of 1428 2508 jvjpv.exe 37 PID 2508 wrote to memory of 1428 2508 jvjpv.exe 37 PID 2508 wrote to memory of 1428 2508 jvjpv.exe 37 PID 2508 wrote to memory of 1428 2508 jvjpv.exe 37 PID 1428 wrote to memory of 1468 1428 fxrxffl.exe 38 
PID 1428 wrote to memory of 1468 1428 fxrxffl.exe 38 PID 1428 wrote to memory of 1468 1428 fxrxffl.exe 38 PID 1428 wrote to memory of 1468 1428 fxrxffl.exe 38 PID 1468 wrote to memory of 2664 1468 1dddp.exe 39 PID 1468 wrote to memory of 2664 1468 1dddp.exe 39 PID 1468 wrote to memory of 2664 1468 1dddp.exe 39 PID 1468 wrote to memory of 2664 1468 1dddp.exe 39 PID 2664 wrote to memory of 1120 2664 xfflrxl.exe 40 PID 2664 wrote to memory of 1120 2664 xfflrxl.exe 40 PID 2664 wrote to memory of 1120 2664 xfflrxl.exe 40 PID 2664 wrote to memory of 1120 2664 xfflrxl.exe 40 PID 1120 wrote to memory of 1992 1120 rlflxfl.exe 41 PID 1120 wrote to memory of 1992 1120 rlflxfl.exe 41 PID 1120 wrote to memory of 1992 1120 rlflxfl.exe 41 PID 1120 wrote to memory of 1992 1120 rlflxfl.exe 41 PID 1992 wrote to memory of 2084 1992 bbbnth.exe 42 PID 1992 wrote to memory of 2084 1992 bbbnth.exe 42 PID 1992 wrote to memory of 2084 1992 bbbnth.exe 42 PID 1992 wrote to memory of 2084 1992 bbbnth.exe 42 PID 2084 wrote to memory of 1364 2084 vvjpp.exe 43 PID 2084 wrote to memory of 1364 2084 vvjpp.exe 43 PID 2084 wrote to memory of 1364 2084 vvjpp.exe 43 PID 2084 wrote to memory of 1364 2084 vvjpp.exe 43 PID 1364 wrote to memory of 308 1364 nnnhth.exe 44 PID 1364 wrote to memory of 308 1364 nnnhth.exe 44 PID 1364 wrote to memory of 308 1364 nnnhth.exe 44 PID 1364 wrote to memory of 308 1364 nnnhth.exe 44 PID 308 wrote to memory of 2384 308 nhhbnb.exe 45 PID 308 wrote to memory of 2384 308 nhhbnb.exe 45 PID 308 wrote to memory of 2384 308 nhhbnb.exe 45 PID 308 wrote to memory of 2384 308 nhhbnb.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\e124b9514ccf49ca332eda8a489eff83eabd6191cf99aa6f339dec443633b637N.exe"C:\Users\Admin\AppData\Local\Temp\e124b9514ccf49ca332eda8a489eff83eabd6191cf99aa6f339dec443633b637N.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1316 -
\??\c:\rxrxrxl.exec:\rxrxrxl.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2716 -
\??\c:\1bhnnb.exec:\1bhnnb.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2840 -
\??\c:\ffxfrrf.exec:\ffxfrrf.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1856 -
\??\c:\vvjpj.exec:\vvjpj.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2868 -
\??\c:\lfxfrxf.exec:\lfxfrxf.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2620 -
\??\c:\lfflffx.exec:\lfflffx.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2588 -
\??\c:\jvjpv.exec:\jvjpv.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2508 -
\??\c:\fxrxffl.exec:\fxrxffl.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1428 -
\??\c:\1dddp.exec:\1dddp.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1468 -
\??\c:\xfflrxl.exec:\xfflrxl.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2664 -
\??\c:\rlflxfl.exec:\rlflxfl.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1120 -
\??\c:\bbbnth.exec:\bbbnth.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1992 -
\??\c:\vvjpp.exec:\vvjpp.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2084 -
\??\c:\nnnhth.exec:\nnnhth.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1364 -
\??\c:\nhhbnb.exec:\nhhbnb.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:308 -
\??\c:\dddpj.exec:\dddpj.exe17⤵
- Executes dropped EXE
PID:2384 -
\??\c:\thhtnb.exec:\thhtnb.exe18⤵
- Executes dropped EXE
PID:596 -
\??\c:\jjvjv.exec:\jjvjv.exe19⤵
- Executes dropped EXE
PID:2284 -
\??\c:\bhhhbn.exec:\bhhhbn.exe20⤵
- Executes dropped EXE
PID:1928 -
\??\c:\jvvpp.exec:\jvvpp.exe21⤵
- Executes dropped EXE
PID:1296 -
\??\c:\bhhthn.exec:\bhhthn.exe22⤵
- Executes dropped EXE
PID:2060 -
\??\c:\jpjpp.exec:\jpjpp.exe23⤵
- Executes dropped EXE
PID:1264 -
\??\c:\xrlxlff.exec:\xrlxlff.exe24⤵
- Executes dropped EXE
PID:1096 -
\??\c:\hnntnh.exec:\hnntnh.exe25⤵
- Executes dropped EXE
PID:1524 -
\??\c:\rxxrfxx.exec:\rxxrfxx.exe26⤵
- Executes dropped EXE
PID:2052 -
\??\c:\vdpdv.exec:\vdpdv.exe27⤵
- Executes dropped EXE
PID:640 -
\??\c:\lxrfrfr.exec:\lxrfrfr.exe28⤵
- Executes dropped EXE
PID:2336 -
\??\c:\xrffxrf.exec:\xrffxrf.exe29⤵
- Executes dropped EXE
PID:2296 -
\??\c:\fffrfrl.exec:\fffrfrl.exe30⤵
- Executes dropped EXE
PID:996 -
\??\c:\jdddp.exec:\jdddp.exe31⤵
- Executes dropped EXE
PID:2036 -
\??\c:\fxrrxfl.exec:\fxrrxfl.exe32⤵
- Executes dropped EXE
PID:2020 -
\??\c:\dddvv.exec:\dddvv.exe33⤵
- Executes dropped EXE
PID:2316 -
\??\c:\ffxfrfr.exec:\ffxfrfr.exe34⤵
- Executes dropped EXE
PID:1568 -
\??\c:\5nbbhh.exec:\5nbbhh.exe35⤵
- Executes dropped EXE
PID:2720 -
\??\c:\7dpdd.exec:\7dpdd.exe36⤵
- Executes dropped EXE
PID:2816 -
\??\c:\lfxlrfl.exec:\lfxlrfl.exe37⤵
- Executes dropped EXE
PID:2784 -
\??\c:\bhhnbh.exec:\bhhnbh.exe38⤵
- Executes dropped EXE
PID:2928 -
\??\c:\vpjpj.exec:\vpjpj.exe39⤵
- Executes dropped EXE
PID:2504 -
\??\c:\xxrfxff.exec:\xxrfxff.exe40⤵
- Executes dropped EXE
PID:2572 -
\??\c:\tnntbb.exec:\tnntbb.exe41⤵
- Executes dropped EXE
PID:2652 -
\??\c:\vvppv.exec:\vvppv.exe42⤵
- Executes dropped EXE
PID:1660 -
\??\c:\fflxxlf.exec:\fflxxlf.exe43⤵
- Executes dropped EXE
PID:3000 -
\??\c:\ntthbn.exec:\ntthbn.exe44⤵
- Executes dropped EXE
PID:572 -
\??\c:\vvppd.exec:\vvppd.exe45⤵
- Executes dropped EXE
PID:2644 -
\??\c:\jjddp.exec:\jjddp.exe46⤵
- Executes dropped EXE
PID:2880 -
\??\c:\llxrlrx.exec:\llxrlrx.exe47⤵
- Executes dropped EXE
PID:2040 -
\??\c:\3nhhnt.exec:\3nhhnt.exe48⤵
- Executes dropped EXE
PID:372 -
\??\c:\jvppv.exec:\jvppv.exe49⤵
- Executes dropped EXE
PID:1152 -
\??\c:\llflrxl.exec:\llflrxl.exe50⤵
- Executes dropped EXE
PID:1528 -
\??\c:\7tnnnn.exec:\7tnnnn.exe51⤵
- Executes dropped EXE
PID:812 -
\??\c:\nthhnh.exec:\nthhnh.exe52⤵
- Executes dropped EXE
PID:1704 -
\??\c:\dvjpd.exec:\dvjpd.exe53⤵
- Executes dropped EXE
PID:712 -
\??\c:\5lxfxlx.exec:\5lxfxlx.exe54⤵
- Executes dropped EXE
PID:2244 -
\??\c:\nnhnbb.exec:\nnhnbb.exe55⤵
- Executes dropped EXE
PID:1952 -
\??\c:\ddpjp.exec:\ddpjp.exe56⤵
- Executes dropped EXE
PID:2420 -
\??\c:\rxxlfrl.exec:\rxxlfrl.exe57⤵
- Executes dropped EXE
PID:2392 -
\??\c:\xxrxlrl.exec:\xxrxlrl.exe58⤵
- Executes dropped EXE
PID:2184 -
\??\c:\hhbhnb.exec:\hhbhnb.exe59⤵
- Executes dropped EXE
PID:2552 -
\??\c:\pjjpj.exec:\pjjpj.exe60⤵
- Executes dropped EXE
PID:444 -
\??\c:\vvpdv.exec:\vvpdv.exe61⤵
- Executes dropped EXE
PID:2060 -
\??\c:\1lxlxlx.exec:\1lxlxlx.exe62⤵
- Executes dropped EXE
PID:2220 -
\??\c:\1bhhth.exec:\1bhhth.exe63⤵
- Executes dropped EXE
PID:660 -
\??\c:\jpjvp.exec:\jpjvp.exe64⤵
- Executes dropped EXE
PID:1820 -
\??\c:\fxlfllx.exec:\fxlfllx.exe65⤵
- Executes dropped EXE
PID:1956 -
\??\c:\bhnthh.exec:\bhnthh.exe66⤵PID:1688
-
\??\c:\tnbnbh.exec:\tnbnbh.exe67⤵PID:1816
-
\??\c:\pppjj.exec:\pppjj.exe68⤵PID:640
-
\??\c:\xrlrrxx.exec:\xrlrrxx.exe69⤵PID:2336
-
\??\c:\bnnnhh.exec:\bnnnhh.exe70⤵PID:1948
-
\??\c:\pjddj.exec:\pjddj.exe71⤵PID:2920
-
\??\c:\5xlffxx.exec:\5xlffxx.exe72⤵PID:2364
-
\??\c:\5thntb.exec:\5thntb.exe73⤵PID:2036
-
\??\c:\vvvdv.exec:\vvvdv.exe74⤵PID:1196
-
\??\c:\pjjvp.exec:\pjjvp.exe75⤵PID:2836
-
\??\c:\llxfrfr.exec:\llxfrfr.exe76⤵PID:2704
-
\??\c:\thntbh.exec:\thntbh.exe77⤵PID:2788
-
\??\c:\dpvpd.exec:\dpvpd.exe78⤵PID:2400
-
\??\c:\fxrxffl.exec:\fxrxffl.exe79⤵PID:2772
-
\??\c:\nnnthn.exec:\nnnthn.exe80⤵PID:2608
-
\??\c:\nhbbhh.exec:\nhbbhh.exe81⤵PID:2748
-
\??\c:\9dvjp.exec:\9dvjp.exe82⤵PID:2616
-
\??\c:\3xfxxxx.exec:\3xfxxxx.exe83⤵PID:3004
-
\??\c:\bhthht.exec:\bhthht.exe84⤵PID:3020
-
\??\c:\pdvvd.exec:\pdvvd.exe85⤵PID:1564
-
\??\c:\lfrflxl.exec:\lfrflxl.exe86⤵PID:3000
-
\??\c:\rffxfxf.exec:\rffxfxf.exe87⤵PID:572
-
\??\c:\hhhtnt.exec:\hhhtnt.exe88⤵PID:2864
-
\??\c:\7pppv.exec:\7pppv.exe89⤵PID:1556
-
\??\c:\1xxlflx.exec:\1xxlflx.exe90⤵PID:1920
-
\??\c:\hhbbhh.exec:\hhbbhh.exe91⤵PID:1632
-
\??\c:\vvdvv.exec:\vvdvv.exe92⤵PID:1908
-
\??\c:\fxrrxfr.exec:\fxrrxfr.exe93⤵PID:2312
-
\??\c:\rfxrflr.exec:\rfxrflr.exe94⤵PID:2540
-
\??\c:\7thhnb.exec:\7thhnb.exe95⤵PID:784
-
\??\c:\dvdvv.exec:\dvdvv.exe96⤵PID:1760
-
\??\c:\xxxfrfl.exec:\xxxfrfl.exe97⤵PID:2116
-
\??\c:\lllrlrr.exec:\lllrlrr.exe98⤵PID:2284
-
\??\c:\tnhhtb.exec:\tnhhtb.exe99⤵PID:2164
-
\??\c:\jdpjv.exec:\jdpjv.exe100⤵PID:1928
-
\??\c:\1pddv.exec:\1pddv.exe101⤵PID:912
-
\??\c:\rrflxfr.exec:\rrflxfr.exe102⤵PID:1136
-
\??\c:\hhbhtb.exec:\hhbhtb.exe103⤵PID:2992
-
\??\c:\vvpdv.exec:\vvpdv.exe104⤵PID:1356
-
\??\c:\vdvjv.exec:\vdvjv.exe105⤵PID:2100
-
\??\c:\9rfrffr.exec:\9rfrffr.exe106⤵PID:700
-
\??\c:\nhtthn.exec:\nhtthn.exe107⤵PID:2108
-
\??\c:\hbtbbb.exec:\hbtbbb.exe108⤵PID:1520
-
\??\c:\9pdvd.exec:\9pdvd.exe109⤵PID:2852
-
\??\c:\9fflxlx.exec:\9fflxlx.exe110⤵PID:1764
-
\??\c:\tnhtnn.exec:\tnhtnn.exe111⤵PID:880
-
\??\c:\1jvdd.exec:\1jvdd.exe112⤵PID:1948
-
\??\c:\fxxxllf.exec:\fxxxllf.exe113⤵PID:2272
-
\??\c:\ddppv.exec:\ddppv.exe114⤵PID:2320
-
\??\c:\jjjpp.exec:\jjjpp.exe115⤵PID:2324
-
\??\c:\1fxxxxl.exec:\1fxxxxl.exe116⤵PID:1572
-
\??\c:\nnhthb.exec:\nnhthb.exe117⤵PID:2800
-
\??\c:\btbhnn.exec:\btbhnn.exe118⤵PID:2804
-
\??\c:\vpddj.exec:\vpddj.exe119⤵PID:2812
-
\??\c:\fxllrlr.exec:\fxllrlr.exe120⤵
- System Location Discovery: System Language Discovery
PID:3044 -
\??\c:\thtbhh.exec:\thtbhh.exe121⤵PID:2768
-
\??\c:\btnnbh.exec:\btnnbh.exe122⤵PID:2568