Analysis
-
max time kernel
150s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64 arch:x86 image:win7-20240729-en locale:en-us os:windows7-x64 system -
submitted
08/01/2025, 07:37
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
c16b31d3c646ed8978f7af83340ff2a0779b653585ccd5b535114883632b3985.exe
Resource
win7-20240729-en
7 signatures
150 seconds
General
-
Target
c16b31d3c646ed8978f7af83340ff2a0779b653585ccd5b535114883632b3985.exe
-
Size
455KB
-
MD5
9517cd45110a99aacbe4ecb7b474b3b6
-
SHA1
296de4475495f8bc8281c800129b511517f2140f
-
SHA256
c16b31d3c646ed8978f7af83340ff2a0779b653585ccd5b535114883632b3985
-
SHA512
61247fcd020a157a8723cdfb9a71935ffbd91082f8d5a560bf90598129853b820ea8c028c058f3abc00b3dedc63da170607e65540dc38812f30adfac24776c25
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbem:q7Tc2NYHUrAwfMp3CDm
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 43 IoCs
resource yara_rule behavioral1/memory/2232-8-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2760-21-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2144-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2948-31-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2788-40-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2948-37-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/2636-56-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2828-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2620-77-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2512-85-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2016-116-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/616-114-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1720-125-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/928-137-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1720-133-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1468-145-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2176-177-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2388-186-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2400-189-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1432-204-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1984-213-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/1320-222-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/372-234-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/372-231-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2396-245-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2352-300-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1592-307-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2776-321-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2548-353-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1384-403-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2200-428-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1908-435-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2096-562-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1872-700-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2976-726-0x00000000003D0000-0x00000000003FA000-memory.dmp family_blackmoon behavioral1/memory/1944-789-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1644-948-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/2084-975-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/628-1030-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1584-1116-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1584-1122-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2672-1149-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon 
behavioral1/memory/1776-1255-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2144 dddjp.exe 2760 vpjvj.exe 2948 vdvdp.exe 2788 7fflxlx.exe 2636 5pjpd.exe 2828 vvvdj.exe 2620 xlxxxfr.exe 2512 nthnbh.exe 2868 dddpp.exe 2924 rlflfxr.exe 616 jpdvp.exe 2016 pjpjj.exe 1720 lrflflx.exe 928 nthtbh.exe 1468 vvdjp.exe 480 xxflxxl.exe 828 pppvp.exe 2176 flfrxxx.exe 2388 xffflrx.exe 2400 nnhthn.exe 1432 1jdpd.exe 1984 9bbhbn.exe 1320 jdvjp.exe 372 7tntbh.exe 1096 pvpvd.exe 2396 thtnbh.exe 2468 1vpdp.exe 2340 tbnnbb.exe 2204 pvdjv.exe 1948 tbnnbh.exe 1760 1vdjp.exe 2352 7rrxxlx.exe 1592 hnbnbb.exe 2740 pdvdd.exe 2776 xfrxffr.exe 2780 bttnnn.exe 2796 7vjdv.exe 2572 5xrrxfl.exe 2864 nnthtb.exe 2548 nnntht.exe 3024 jjpvj.exe 2360 xxxxflr.exe 1308 bhttbn.exe 1884 1jvvv.exe 1292 7vpdp.exe 1816 5flxrlf.exe 1684 hthhtn.exe 1384 jpdpp.exe 2016 rxllrrr.exe 440 xrxrrll.exe 2852 tbtbnt.exe 2200 1pdjj.exe 1908 rxflfxx.exe 2648 btbttn.exe 2408 vpddj.exe 1924 xfrllrf.exe 2276 nnnbnt.exe 1152 vjppv.exe 2132 7xlrxfr.exe 1268 9bttnn.exe 1828 nthntb.exe 836 ddvdp.exe 1608 xrflxxf.exe 1820 nnbhnn.exe -
resource yara_rule behavioral1/memory/2232-8-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2760-21-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2144-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2948-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2788-40-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2636-56-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2828-57-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2620-67-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2828-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2620-77-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2868-87-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2512-85-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2016-116-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/616-114-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1720-125-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/928-137-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1468-145-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2176-169-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2176-177-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2388-186-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2400-189-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1432-204-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1984-213-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1320-222-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/372-234-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2396-245-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2352-300-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1592-307-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2776-321-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2548-353-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1816-384-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1384-403-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2200-428-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1908-435-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1820-500-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2096-562-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2708-599-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2872-648-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1076-681-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1872-700-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1944-789-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1192-827-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1644-948-0x00000000003B0000-0x00000000003DA000-memory.dmp upx behavioral1/memory/592-953-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2084-975-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/628-1030-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/1584-1116-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2760-1150-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/1776-1248-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxlrxfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrfflrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7xllxfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llxrxfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbhttb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbttbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbtthn.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdpvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fllrfrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpdvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppppd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnthnn.exe 
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3rxxrff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddppv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thtnbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrxfffr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2232 wrote to memory of 2144 2232 c16b31d3c646ed8978f7af83340ff2a0779b653585ccd5b535114883632b3985.exe 31 PID 2232 wrote to memory of 2144 2232 c16b31d3c646ed8978f7af83340ff2a0779b653585ccd5b535114883632b3985.exe 31 PID 2232 wrote to memory of 2144 2232 c16b31d3c646ed8978f7af83340ff2a0779b653585ccd5b535114883632b3985.exe 31 PID 2232 wrote to memory of 2144 2232 c16b31d3c646ed8978f7af83340ff2a0779b653585ccd5b535114883632b3985.exe 31 PID 2144 wrote to memory of 2760 2144 dddjp.exe 32 PID 2144 wrote to memory of 2760 2144 dddjp.exe 32 PID 2144 wrote to memory of 2760 2144 dddjp.exe 32 PID 2144 wrote to memory of 2760 2144 dddjp.exe 32 PID 2760 wrote to memory of 2948 2760 vpjvj.exe 33 PID 2760 wrote to memory of 2948 2760 vpjvj.exe 33 PID 2760 wrote to memory of 2948 2760 vpjvj.exe 33 PID 2760 wrote to memory of 2948 2760 vpjvj.exe 33 PID 2948 wrote to memory of 2788 2948 vdvdp.exe 34 PID 2948 wrote to memory of 2788 2948 vdvdp.exe 34 PID 2948 wrote to memory of 2788 2948 vdvdp.exe 34 PID 2948 wrote to memory of 2788 2948 vdvdp.exe 34 PID 2788 wrote to memory of 2636 2788 7fflxlx.exe 35 PID 2788 wrote to memory of 2636 2788 7fflxlx.exe 35 PID 2788 wrote to memory of 2636 2788 7fflxlx.exe 35 PID 2788 wrote to memory of 2636 2788 7fflxlx.exe 35 PID 2636 wrote to memory of 2828 2636 5pjpd.exe 36 PID 2636 wrote to memory of 2828 2636 5pjpd.exe 36 PID 2636 wrote to memory of 2828 2636 5pjpd.exe 36 PID 2636 wrote to memory of 2828 2636 5pjpd.exe 36 PID 2828 wrote to memory of 2620 2828 vvvdj.exe 37 PID 2828 wrote to memory of 2620 2828 vvvdj.exe 37 PID 2828 wrote to memory of 2620 2828 vvvdj.exe 37 PID 2828 wrote to memory of 2620 2828 vvvdj.exe 37 PID 2620 wrote to memory of 2512 2620 xlxxxfr.exe 38 PID 2620 wrote to memory of 2512 2620 xlxxxfr.exe 38 PID 2620 wrote to memory of 2512 2620 xlxxxfr.exe 38 PID 2620 wrote to memory of 2512 2620 xlxxxfr.exe 38 PID 2512 wrote to memory of 2868 2512 nthnbh.exe 39 PID 2512 wrote to memory 
of 2868 2512 nthnbh.exe 39 PID 2512 wrote to memory of 2868 2512 nthnbh.exe 39 PID 2512 wrote to memory of 2868 2512 nthnbh.exe 39 PID 2868 wrote to memory of 2924 2868 dddpp.exe 40 PID 2868 wrote to memory of 2924 2868 dddpp.exe 40 PID 2868 wrote to memory of 2924 2868 dddpp.exe 40 PID 2868 wrote to memory of 2924 2868 dddpp.exe 40 PID 2924 wrote to memory of 616 2924 rlflfxr.exe 41 PID 2924 wrote to memory of 616 2924 rlflfxr.exe 41 PID 2924 wrote to memory of 616 2924 rlflfxr.exe 41 PID 2924 wrote to memory of 616 2924 rlflfxr.exe 41 PID 616 wrote to memory of 2016 616 jpdvp.exe 42 PID 616 wrote to memory of 2016 616 jpdvp.exe 42 PID 616 wrote to memory of 2016 616 jpdvp.exe 42 PID 616 wrote to memory of 2016 616 jpdvp.exe 42 PID 2016 wrote to memory of 1720 2016 pjpjj.exe 43 PID 2016 wrote to memory of 1720 2016 pjpjj.exe 43 PID 2016 wrote to memory of 1720 2016 pjpjj.exe 43 PID 2016 wrote to memory of 1720 2016 pjpjj.exe 43 PID 1720 wrote to memory of 928 1720 lrflflx.exe 44 PID 1720 wrote to memory of 928 1720 lrflflx.exe 44 PID 1720 wrote to memory of 928 1720 lrflflx.exe 44 PID 1720 wrote to memory of 928 1720 lrflflx.exe 44 PID 928 wrote to memory of 1468 928 nthtbh.exe 45 PID 928 wrote to memory of 1468 928 nthtbh.exe 45 PID 928 wrote to memory of 1468 928 nthtbh.exe 45 PID 928 wrote to memory of 1468 928 nthtbh.exe 45 PID 1468 wrote to memory of 480 1468 vvdjp.exe 46 PID 1468 wrote to memory of 480 1468 vvdjp.exe 46 PID 1468 wrote to memory of 480 1468 vvdjp.exe 46 PID 1468 wrote to memory of 480 1468 vvdjp.exe 46
Processes
-
C:\Users\Admin\AppData\Local\Temp\c16b31d3c646ed8978f7af83340ff2a0779b653585ccd5b535114883632b3985.exe"C:\Users\Admin\AppData\Local\Temp\c16b31d3c646ed8978f7af83340ff2a0779b653585ccd5b535114883632b3985.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2232 -
\??\c:\dddjp.exec:\dddjp.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2144 -
\??\c:\vpjvj.exec:\vpjvj.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2760 -
\??\c:\vdvdp.exec:\vdvdp.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2948 -
\??\c:\7fflxlx.exec:\7fflxlx.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2788 -
\??\c:\5pjpd.exec:\5pjpd.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2636 -
\??\c:\vvvdj.exec:\vvvdj.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2828 -
\??\c:\xlxxxfr.exec:\xlxxxfr.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2620 -
\??\c:\nthnbh.exec:\nthnbh.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2512 -
\??\c:\dddpp.exec:\dddpp.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2868 -
\??\c:\rlflfxr.exec:\rlflfxr.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2924 -
\??\c:\jpdvp.exec:\jpdvp.exe12⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:616 -
\??\c:\pjpjj.exec:\pjpjj.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2016 -
\??\c:\lrflflx.exec:\lrflflx.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1720 -
\??\c:\nthtbh.exec:\nthtbh.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:928 -
\??\c:\vvdjp.exec:\vvdjp.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1468 -
\??\c:\xxflxxl.exec:\xxflxxl.exe17⤵
- Executes dropped EXE
PID:480 -
\??\c:\pppvp.exec:\pppvp.exe18⤵
- Executes dropped EXE
PID:828 -
\??\c:\flfrxxx.exec:\flfrxxx.exe19⤵
- Executes dropped EXE
PID:2176 -
\??\c:\xffflrx.exec:\xffflrx.exe20⤵
- Executes dropped EXE
PID:2388 -
\??\c:\nnhthn.exec:\nnhthn.exe21⤵
- Executes dropped EXE
PID:2400 -
\??\c:\1jdpd.exec:\1jdpd.exe22⤵
- Executes dropped EXE
PID:1432 -
\??\c:\9bbhbn.exec:\9bbhbn.exe23⤵
- Executes dropped EXE
PID:1984 -
\??\c:\jdvjp.exec:\jdvjp.exe24⤵
- Executes dropped EXE
PID:1320 -
\??\c:\7tntbh.exec:\7tntbh.exe25⤵
- Executes dropped EXE
PID:372 -
\??\c:\pvpvd.exec:\pvpvd.exe26⤵
- Executes dropped EXE
PID:1096 -
\??\c:\thtnbh.exec:\thtnbh.exe27⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2396 -
\??\c:\1vpdp.exec:\1vpdp.exe28⤵
- Executes dropped EXE
PID:2468 -
\??\c:\tbnnbb.exec:\tbnnbb.exe29⤵
- Executes dropped EXE
PID:2340 -
\??\c:\pvdjv.exec:\pvdjv.exe30⤵
- Executes dropped EXE
PID:2204 -
\??\c:\tbnnbh.exec:\tbnnbh.exe31⤵
- Executes dropped EXE
PID:1948 -
\??\c:\1vdjp.exec:\1vdjp.exe32⤵
- Executes dropped EXE
PID:1760 -
\??\c:\7rrxxlx.exec:\7rrxxlx.exe33⤵
- Executes dropped EXE
PID:2352 -
\??\c:\hnbnbb.exec:\hnbnbb.exe34⤵
- Executes dropped EXE
PID:1592 -
\??\c:\pdvdd.exec:\pdvdd.exe35⤵
- Executes dropped EXE
PID:2740 -
\??\c:\xfrxffr.exec:\xfrxffr.exe36⤵
- Executes dropped EXE
PID:2776 -
\??\c:\bttnnn.exec:\bttnnn.exe37⤵
- Executes dropped EXE
PID:2780 -
\??\c:\7vjdv.exec:\7vjdv.exe38⤵
- Executes dropped EXE
PID:2796 -
\??\c:\5xrrxfl.exec:\5xrrxfl.exe39⤵
- Executes dropped EXE
PID:2572 -
\??\c:\nnthtb.exec:\nnthtb.exe40⤵
- Executes dropped EXE
PID:2864 -
\??\c:\nnntht.exec:\nnntht.exe41⤵
- Executes dropped EXE
PID:2548 -
\??\c:\jjpvj.exec:\jjpvj.exe42⤵
- Executes dropped EXE
PID:3024 -
\??\c:\xxxxflr.exec:\xxxxflr.exe43⤵
- Executes dropped EXE
PID:2360 -
\??\c:\bhttbn.exec:\bhttbn.exe44⤵
- Executes dropped EXE
PID:1308 -
\??\c:\1jvvv.exec:\1jvvv.exe45⤵
- Executes dropped EXE
PID:1884 -
\??\c:\7vpdp.exec:\7vpdp.exe46⤵
- Executes dropped EXE
PID:1292 -
\??\c:\5flxrlf.exec:\5flxrlf.exe47⤵
- Executes dropped EXE
PID:1816 -
\??\c:\hthhtn.exec:\hthhtn.exe48⤵
- Executes dropped EXE
PID:1684 -
\??\c:\jpdpp.exec:\jpdpp.exe49⤵
- Executes dropped EXE
PID:1384 -
\??\c:\rxllrrr.exec:\rxllrrr.exe50⤵
- Executes dropped EXE
PID:2016 -
\??\c:\xrxrrll.exec:\xrxrrll.exe51⤵
- Executes dropped EXE
PID:440 -
\??\c:\tbtbnt.exec:\tbtbnt.exe52⤵
- Executes dropped EXE
PID:2852 -
\??\c:\1pdjj.exec:\1pdjj.exe53⤵
- Executes dropped EXE
PID:2200 -
\??\c:\rxflfxx.exec:\rxflfxx.exe54⤵
- Executes dropped EXE
PID:1908 -
\??\c:\btbttn.exec:\btbttn.exe55⤵
- Executes dropped EXE
PID:2648 -
\??\c:\vpddj.exec:\vpddj.exe56⤵
- Executes dropped EXE
PID:2408 -
\??\c:\xfrllrf.exec:\xfrllrf.exe57⤵
- Executes dropped EXE
PID:1924 -
\??\c:\nnnbnt.exec:\nnnbnt.exe58⤵
- Executes dropped EXE
PID:2276 -
\??\c:\vjppv.exec:\vjppv.exe59⤵
- Executes dropped EXE
PID:1152 -
\??\c:\7xlrxfr.exec:\7xlrxfr.exe60⤵
- Executes dropped EXE
PID:2132 -
\??\c:\9bttnn.exec:\9bttnn.exe61⤵
- Executes dropped EXE
PID:1268 -
\??\c:\nthntb.exec:\nthntb.exe62⤵
- Executes dropped EXE
PID:1828 -
\??\c:\ddvdp.exec:\ddvdp.exe63⤵
- Executes dropped EXE
PID:836 -
\??\c:\xrflxxf.exec:\xrflxxf.exe64⤵
- Executes dropped EXE
PID:1608 -
\??\c:\nnbhnn.exec:\nnbhnn.exe65⤵
- Executes dropped EXE
PID:1820 -
\??\c:\5nbthh.exec:\5nbthh.exe66⤵PID:1600
-
\??\c:\ppvpv.exec:\ppvpv.exe67⤵PID:2644
-
\??\c:\9xllrrx.exec:\9xllrrx.exe68⤵PID:1892
-
\??\c:\7nhbhn.exec:\7nhbhn.exe69⤵PID:2484
-
\??\c:\tbhhtb.exec:\tbhhtb.exe70⤵PID:860
-
\??\c:\dvppp.exec:\dvppp.exe71⤵PID:2312
-
\??\c:\llrxrrx.exec:\llrxrrx.exe72⤵PID:2332
-
\??\c:\3rxxrff.exec:\3rxxrff.exe73⤵
- System Location Discovery: System Language Discovery
PID:764 -
\??\c:\nnnhhn.exec:\nnnhhn.exe74⤵PID:1948
-
\??\c:\jjpvj.exec:\jjpvj.exe75⤵PID:2096
-
\??\c:\jdddd.exec:\jdddd.exe76⤵PID:2384
-
\??\c:\3rfxxfl.exec:\3rfxxfl.exe77⤵PID:1936
-
\??\c:\9thnbb.exec:\9thnbb.exe78⤵PID:1592
-
\??\c:\vpppp.exec:\vpppp.exe79⤵PID:2740
-
\??\c:\lxlrxlf.exec:\lxlrxlf.exe80⤵PID:2744
-
\??\c:\lfrxlxf.exec:\lfrxlxf.exe81⤵PID:2708
-
\??\c:\bthhhn.exec:\bthhhn.exe82⤵PID:1088
-
\??\c:\ddjpv.exec:\ddjpv.exe83⤵PID:2712
-
\??\c:\flxflrx.exec:\flxflrx.exe84⤵PID:2560
-
\??\c:\nntttb.exec:\nntttb.exe85⤵PID:1488
-
\??\c:\nthnbh.exec:\nthnbh.exe86⤵PID:2612
-
\??\c:\dpvvd.exec:\dpvvd.exe87⤵PID:2668
-
\??\c:\ffxrlxl.exec:\ffxrlxl.exe88⤵PID:2876
-
\??\c:\hntbbn.exec:\hntbbn.exe89⤵PID:2872
-
\??\c:\7vvvd.exec:\7vvvd.exe90⤵PID:1220
-
\??\c:\xfxfrxr.exec:\xfxfrxr.exe91⤵PID:3004
-
\??\c:\rffxlrl.exec:\rffxlrl.exe92⤵PID:1176
-
\??\c:\ttbhnt.exec:\ttbhnt.exe93⤵PID:2292
-
\??\c:\vvpdp.exec:\vvpdp.exe94⤵PID:1076
-
\??\c:\rxlrxxf.exec:\rxlrxxf.exe95⤵PID:2608
-
\??\c:\3thtbb.exec:\3thtbb.exe96⤵PID:1872
-
\??\c:\jpddd.exec:\jpddd.exe97⤵PID:1700
-
\??\c:\jdpvj.exec:\jdpvj.exe98⤵PID:1996
-
\??\c:\xxlxfrf.exec:\xxlxfrf.exe99⤵PID:596
-
\??\c:\nnttbb.exec:\nnttbb.exe100⤵PID:2976
-
\??\c:\1pdvv.exec:\1pdvv.exe101⤵PID:1648
-
\??\c:\ffrxfrf.exec:\ffrxfrf.exe102⤵PID:908
-
\??\c:\xrrrlrr.exec:\xrrrlrr.exe103⤵PID:2388
-
\??\c:\7bthnt.exec:\7bthnt.exe104⤵PID:1060
-
\??\c:\djvvd.exec:\djvvd.exe105⤵PID:1604
-
\??\c:\fxffllx.exec:\fxffllx.exe106⤵PID:900
-
\??\c:\nhnbnt.exec:\nhnbnt.exe107⤵PID:940
-
\??\c:\ntnntb.exec:\ntnntb.exe108⤵PID:556
-
\??\c:\jppdv.exec:\jppdv.exe109⤵PID:2148
-
\??\c:\hththt.exec:\hththt.exe110⤵PID:1944
-
\??\c:\hhtthh.exec:\hhtthh.exe111⤵PID:1724
-
\??\c:\dvpvd.exec:\dvpvd.exe112⤵PID:1964
-
\??\c:\bhbnbh.exec:\bhbnbh.exe113⤵PID:1768
-
\??\c:\tbnbnt.exec:\tbnbnt.exe114⤵PID:2492
-
\??\c:\djppv.exec:\djppv.exe115⤵PID:2112
-
\??\c:\fxlfrrx.exec:\fxlfrrx.exe116⤵PID:2336
-
\??\c:\3rlrrff.exec:\3rlrrff.exe117⤵PID:1192
-
\??\c:\hhttnt.exec:\hhttnt.exe118⤵PID:2996
-
\??\c:\jjpjd.exec:\jjpjd.exe119⤵PID:2656
-
\??\c:\lrfxxxf.exec:\lrfxxxf.exe120⤵PID:1596
-
\??\c:\xxrxxxx.exec:\xxrxxxx.exe121⤵PID:1588
-
\??\c:\9hbnbb.exec:\9hbnbb.exe122⤵PID:2752
-