Analysis
-
max time kernel
150s -
max time network
117s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
08/01/2025, 07:37
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
c125b0c5b9419c430c6d69246e84bf88eade04b6f514d76acc975af44391c6e3.exe
Resource
win7-20240903-en
7 signatures
150 seconds
General
-
Target
c125b0c5b9419c430c6d69246e84bf88eade04b6f514d76acc975af44391c6e3.exe
-
Size
454KB
-
MD5
347ec512fa1836bfdad699e568f3ae3a
-
SHA1
703f2d9978965835ef0e7d6c01f82a7ca26c0ec4
-
SHA256
c125b0c5b9419c430c6d69246e84bf88eade04b6f514d76acc975af44391c6e3
-
SHA512
f9afaa77cb35ed4dd628e30b91d85527e1645ef9fb329d108d2cb9b019df76d7094a95e3a013a42fc942b0d11702ffea299e794c204f88b658161f9d27db57c7
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeE:q7Tc2NYHUrAwfMp3CDE
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 46 IoCs
resource yara_rule behavioral1/memory/1744-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1300-20-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2244-16-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/108-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2928-46-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2016-57-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2188-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2716-80-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2548-120-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2536-117-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1516-140-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2108-131-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2548-128-0x0000000001C80000-0x0000000001CAA000-memory.dmp family_blackmoon behavioral1/memory/2548-126-0x0000000001C80000-0x0000000001CAA000-memory.dmp family_blackmoon behavioral1/memory/1556-167-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1688-165-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2984-185-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2136-200-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/404-217-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1396-234-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1148-237-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/616-272-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3000-289-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2172-296-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1572-315-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1592-322-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1728-330-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2044-343-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2900-355-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3060-374-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1444-431-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2000-457-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1724-469-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/304-519-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1040-552-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1700-559-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/108-611-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/2408-630-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/2724-655-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/2188-682-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1140-795-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2336-923-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon 
behavioral1/memory/2600-974-0x00000000002C0000-0x00000000002EA000-memory.dmp family_blackmoon behavioral1/memory/464-994-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/1520-1001-0x0000000001C70000-0x0000000001C9A000-memory.dmp family_blackmoon behavioral1/memory/2384-1064-0x00000000002B0000-0x00000000002DA000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
Note: this list is capped at 64 entries, while the process tree below continues to depth 122. PIDs are reused within the run (e.g. 2044, 108, 2188 and 2544 each appear for two different dropped executables), so correlate on image name plus parent rather than on PID alone. Every dropped file is written to the root of c:\ with a short random consonant-only name.
pid Process 2244 ppjpj.exe 1300 rrrfxfr.exe 108 1pdpv.exe 2044 xrxlfrl.exe 2928 lllxlxl.exe 2016 9nthbh.exe 2188 nntnhn.exe 2716 vpvdj.exe 2868 1djdd.exe 2864 9lllxfl.exe 2504 5hbbhh.exe 2536 bbthtt.exe 2548 thbbnn.exe 2108 vpppv.exe 1516 7tbnhh.exe 2544 1vpdp.exe 1688 1thhnn.exe 1556 xrllrlf.exe 1804 hbtbht.exe 2984 1vvdj.exe 2136 nhtbbb.exe 1392 xxlxfxl.exe 404 bbthnt.exe 1528 vjvpj.exe 1396 ffflflx.exe 1148 7xrxflr.exe 772 lfrxllx.exe 828 jjjvj.exe 264 rlxxxxr.exe 616 ddvjv.exe 1904 xxrrffl.exe 3000 1xrrxxl.exe 2172 7dpvd.exe 2276 7llxxxl.exe 1572 thtbtt.exe 1592 vjddj.exe 1728 9vpdj.exe 1912 rllrfrf.exe 2044 thbhnn.exe 2912 tnhnnb.exe 2900 1jvdj.exe 2096 fllrlrl.exe 2596 9thtnh.exe 3060 1hbbbb.exe 2644 1dddd.exe 2364 flxffrf.exe 2516 hhhnbh.exe 2680 hbnnnt.exe 1576 ppvjv.exe 2736 llrfrxl.exe 2972 lllrxrl.exe 2428 thhnbh.exe 1444 pvjdp.exe 1720 jddjp.exe 2024 rlrrrrx.exe 2544 ttnbnn.exe 1652 7tbtbb.exe 2000 pvjpp.exe 1724 rlfrflf.exe 2520 frfffff.exe 2116 nnbtnh.exe 1424 1jdjd.exe 2384 1dvjv.exe 2764 ffxlllx.exe -
resource yara_rule behavioral1/memory/1744-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1300-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2244-16-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/108-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2928-46-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2016-57-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2188-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2716-80-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2868-88-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2504-99-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2536-109-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2548-120-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2536-117-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1516-140-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2108-131-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1556-167-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1688-165-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2984-185-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2136-200-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/404-217-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1396-234-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1148-237-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/616-272-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3000-289-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2172-296-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2276-303-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1572-315-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1592-322-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1728-323-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1728-330-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2044-343-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2900-355-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3060-374-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2644-375-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2428-418-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1444-431-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2000-457-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1724-469-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/304-519-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1040-552-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2432-591-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2724-655-0x00000000003B0000-0x00000000003DA000-memory.dmp upx behavioral1/memory/2204-761-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/852-774-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1140-787-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2684-937-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1520-995-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1284-1089-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/876-1103-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2300-1171-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2560-1250-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1736-1299-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2984-1325-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location. This is recorded as a read of HKLM\SYSTEM\ControlSet001\Control\NLS\Language, a key that many benign runtimes also query, so on its own it is weak evidence; most entries below are attributed to "Process not Found", most likely because the short-lived dropped processes had already exited before the sandbox could resolve them.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnhhnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5bttbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tthhht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1bbhtb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llxfrfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3hbhnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxllrrl.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdvvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9nhhbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7rlxflf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbbbnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvvvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llflffr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbnhhb.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlfrxfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxlrxfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
Note: each parent-to-child write is reported four times and the list is capped at 64 entries, so it stops at 7tbnhh.exe (PID 1516) writing to 1vpdp.exe (PID 2544); the chain itself continues as shown in the process tree. Each process writes only into the child it has just spawned, consistent with a self-replicating dropper chain rather than injection into unrelated system processes.
description pid Process procid_target PID 1744 wrote to memory of 2244 1744 c125b0c5b9419c430c6d69246e84bf88eade04b6f514d76acc975af44391c6e3.exe 28 PID 1744 wrote to memory of 2244 1744 c125b0c5b9419c430c6d69246e84bf88eade04b6f514d76acc975af44391c6e3.exe 28 PID 1744 wrote to memory of 2244 1744 c125b0c5b9419c430c6d69246e84bf88eade04b6f514d76acc975af44391c6e3.exe 28 PID 1744 wrote to memory of 2244 1744 c125b0c5b9419c430c6d69246e84bf88eade04b6f514d76acc975af44391c6e3.exe 28 PID 2244 wrote to memory of 1300 2244 ppjpj.exe 29 PID 2244 wrote to memory of 1300 2244 ppjpj.exe 29 PID 2244 wrote to memory of 1300 2244 ppjpj.exe 29 PID 2244 wrote to memory of 1300 2244 ppjpj.exe 29 PID 1300 wrote to memory of 108 1300 rrrfxfr.exe 30 PID 1300 wrote to memory of 108 1300 rrrfxfr.exe 30 PID 1300 wrote to memory of 108 1300 rrrfxfr.exe 30 PID 1300 wrote to memory of 108 1300 rrrfxfr.exe 30 PID 108 wrote to memory of 2044 108 1pdpv.exe 31 PID 108 wrote to memory of 2044 108 1pdpv.exe 31 PID 108 wrote to memory of 2044 108 1pdpv.exe 31 PID 108 wrote to memory of 2044 108 1pdpv.exe 31 PID 2044 wrote to memory of 2928 2044 xrxlfrl.exe 32 PID 2044 wrote to memory of 2928 2044 xrxlfrl.exe 32 PID 2044 wrote to memory of 2928 2044 xrxlfrl.exe 32 PID 2044 wrote to memory of 2928 2044 xrxlfrl.exe 32 PID 2928 wrote to memory of 2016 2928 lllxlxl.exe 33 PID 2928 wrote to memory of 2016 2928 lllxlxl.exe 33 PID 2928 wrote to memory of 2016 2928 lllxlxl.exe 33 PID 2928 wrote to memory of 2016 2928 lllxlxl.exe 33 PID 2016 wrote to memory of 2188 2016 9nthbh.exe 34 PID 2016 wrote to memory of 2188 2016 9nthbh.exe 34 PID 2016 wrote to memory of 2188 2016 9nthbh.exe 34 PID 2016 wrote to memory of 2188 2016 9nthbh.exe 34 PID 2188 wrote to memory of 2716 2188 nntnhn.exe 35 PID 2188 wrote to memory of 2716 2188 nntnhn.exe 35 PID 2188 wrote to memory of 2716 2188 nntnhn.exe 35 PID 2188 wrote to memory of 2716 2188 nntnhn.exe 35 PID 2716 wrote to memory of 2868 2716 vpvdj.exe 36 PID 2716 wrote to 
memory of 2868 2716 vpvdj.exe 36 PID 2716 wrote to memory of 2868 2716 vpvdj.exe 36 PID 2716 wrote to memory of 2868 2716 vpvdj.exe 36 PID 2868 wrote to memory of 2864 2868 1djdd.exe 37 PID 2868 wrote to memory of 2864 2868 1djdd.exe 37 PID 2868 wrote to memory of 2864 2868 1djdd.exe 37 PID 2868 wrote to memory of 2864 2868 1djdd.exe 37 PID 2864 wrote to memory of 2504 2864 9lllxfl.exe 38 PID 2864 wrote to memory of 2504 2864 9lllxfl.exe 38 PID 2864 wrote to memory of 2504 2864 9lllxfl.exe 38 PID 2864 wrote to memory of 2504 2864 9lllxfl.exe 38 PID 2504 wrote to memory of 2536 2504 5hbbhh.exe 39 PID 2504 wrote to memory of 2536 2504 5hbbhh.exe 39 PID 2504 wrote to memory of 2536 2504 5hbbhh.exe 39 PID 2504 wrote to memory of 2536 2504 5hbbhh.exe 39 PID 2536 wrote to memory of 2548 2536 bbthtt.exe 40 PID 2536 wrote to memory of 2548 2536 bbthtt.exe 40 PID 2536 wrote to memory of 2548 2536 bbthtt.exe 40 PID 2536 wrote to memory of 2548 2536 bbthtt.exe 40 PID 2548 wrote to memory of 2108 2548 thbbnn.exe 41 PID 2548 wrote to memory of 2108 2548 thbbnn.exe 41 PID 2548 wrote to memory of 2108 2548 thbbnn.exe 41 PID 2548 wrote to memory of 2108 2548 thbbnn.exe 41 PID 2108 wrote to memory of 1516 2108 vpppv.exe 42 PID 2108 wrote to memory of 1516 2108 vpppv.exe 42 PID 2108 wrote to memory of 1516 2108 vpppv.exe 42 PID 2108 wrote to memory of 1516 2108 vpppv.exe 42 PID 1516 wrote to memory of 2544 1516 7tbnhh.exe 43 PID 1516 wrote to memory of 2544 1516 7tbnhh.exe 43 PID 1516 wrote to memory of 2544 1516 7tbnhh.exe 43 PID 1516 wrote to memory of 2544 1516 7tbnhh.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\c125b0c5b9419c430c6d69246e84bf88eade04b6f514d76acc975af44391c6e3.exe"C:\Users\Admin\AppData\Local\Temp\c125b0c5b9419c430c6d69246e84bf88eade04b6f514d76acc975af44391c6e3.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1744 -
\??\c:\ppjpj.exec:\ppjpj.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2244 -
\??\c:\rrrfxfr.exec:\rrrfxfr.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1300 -
\??\c:\1pdpv.exec:\1pdpv.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:108 -
\??\c:\xrxlfrl.exec:\xrxlfrl.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2044 -
\??\c:\lllxlxl.exec:\lllxlxl.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2928 -
\??\c:\9nthbh.exec:\9nthbh.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2016 -
\??\c:\nntnhn.exec:\nntnhn.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2188 -
\??\c:\vpvdj.exec:\vpvdj.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2716 -
\??\c:\1djdd.exec:\1djdd.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2868 -
\??\c:\9lllxfl.exec:\9lllxfl.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2864 -
\??\c:\5hbbhh.exec:\5hbbhh.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2504 -
\??\c:\bbthtt.exec:\bbthtt.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2536 -
\??\c:\thbbnn.exec:\thbbnn.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2548 -
\??\c:\vpppv.exec:\vpppv.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2108 -
\??\c:\7tbnhh.exec:\7tbnhh.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1516 -
\??\c:\1vpdp.exec:\1vpdp.exe17⤵
- Executes dropped EXE
PID:2544 -
\??\c:\1thhnn.exec:\1thhnn.exe18⤵
- Executes dropped EXE
PID:1688 -
\??\c:\xrllrlf.exec:\xrllrlf.exe19⤵
- Executes dropped EXE
PID:1556 -
\??\c:\hbtbht.exec:\hbtbht.exe20⤵
- Executes dropped EXE
PID:1804 -
\??\c:\1vvdj.exec:\1vvdj.exe21⤵
- Executes dropped EXE
PID:2984 -
\??\c:\nhtbbb.exec:\nhtbbb.exe22⤵
- Executes dropped EXE
PID:2136 -
\??\c:\xxlxfxl.exec:\xxlxfxl.exe23⤵
- Executes dropped EXE
PID:1392 -
\??\c:\bbthnt.exec:\bbthnt.exe24⤵
- Executes dropped EXE
PID:404 -
\??\c:\vjvpj.exec:\vjvpj.exe25⤵
- Executes dropped EXE
PID:1528 -
\??\c:\ffflflx.exec:\ffflflx.exe26⤵
- Executes dropped EXE
PID:1396 -
\??\c:\7xrxflr.exec:\7xrxflr.exe27⤵
- Executes dropped EXE
PID:1148 -
\??\c:\lfrxllx.exec:\lfrxllx.exe28⤵
- Executes dropped EXE
PID:772 -
\??\c:\jjjvj.exec:\jjjvj.exe29⤵
- Executes dropped EXE
PID:828 -
\??\c:\rlxxxxr.exec:\rlxxxxr.exe30⤵
- Executes dropped EXE
PID:264 -
\??\c:\ddvjv.exec:\ddvjv.exe31⤵
- Executes dropped EXE
PID:616 -
\??\c:\xxrrffl.exec:\xxrrffl.exe32⤵
- Executes dropped EXE
PID:1904 -
\??\c:\1xrrxxl.exec:\1xrrxxl.exe33⤵
- Executes dropped EXE
PID:3000 -
\??\c:\7dpvd.exec:\7dpvd.exe34⤵
- Executes dropped EXE
PID:2172 -
\??\c:\7llxxxl.exec:\7llxxxl.exe35⤵
- Executes dropped EXE
PID:2276 -
\??\c:\thtbtt.exec:\thtbtt.exe36⤵
- Executes dropped EXE
PID:1572 -
\??\c:\vjddj.exec:\vjddj.exe37⤵
- Executes dropped EXE
PID:1592 -
\??\c:\9vpdj.exec:\9vpdj.exe38⤵
- Executes dropped EXE
PID:1728 -
\??\c:\rllrfrf.exec:\rllrfrf.exe39⤵
- Executes dropped EXE
PID:1912 -
\??\c:\thbhnn.exec:\thbhnn.exe40⤵
- Executes dropped EXE
PID:2044 -
\??\c:\tnhnnb.exec:\tnhnnb.exe41⤵
- Executes dropped EXE
PID:2912 -
\??\c:\1jvdj.exec:\1jvdj.exe42⤵
- Executes dropped EXE
PID:2900 -
\??\c:\fllrlrl.exec:\fllrlrl.exe43⤵
- Executes dropped EXE
PID:2096 -
\??\c:\9thtnh.exec:\9thtnh.exe44⤵
- Executes dropped EXE
PID:2596 -
\??\c:\1hbbbb.exec:\1hbbbb.exe45⤵
- Executes dropped EXE
PID:3060 -
\??\c:\1dddd.exec:\1dddd.exe46⤵
- Executes dropped EXE
PID:2644 -
\??\c:\flxffrf.exec:\flxffrf.exe47⤵
- Executes dropped EXE
PID:2364 -
\??\c:\hhhnbh.exec:\hhhnbh.exe48⤵
- Executes dropped EXE
PID:2516 -
\??\c:\hbnnnt.exec:\hbnnnt.exe49⤵
- Executes dropped EXE
PID:2680 -
\??\c:\ppvjv.exec:\ppvjv.exe50⤵
- Executes dropped EXE
PID:1576 -
\??\c:\llrfrxl.exec:\llrfrxl.exe51⤵
- Executes dropped EXE
PID:2736 -
\??\c:\lllrxrl.exec:\lllrxrl.exe52⤵
- Executes dropped EXE
PID:2972 -
\??\c:\thhnbh.exec:\thhnbh.exe53⤵
- Executes dropped EXE
PID:2428 -
\??\c:\pvjdp.exec:\pvjdp.exe54⤵
- Executes dropped EXE
PID:1444 -
\??\c:\jddjp.exec:\jddjp.exe55⤵
- Executes dropped EXE
PID:1720 -
\??\c:\rlrrrrx.exec:\rlrrrrx.exe56⤵
- Executes dropped EXE
PID:2024 -
\??\c:\ttnbnn.exec:\ttnbnn.exe57⤵
- Executes dropped EXE
PID:2544 -
\??\c:\7tbtbb.exec:\7tbtbb.exe58⤵
- Executes dropped EXE
PID:1652 -
\??\c:\pvjpp.exec:\pvjpp.exe59⤵
- Executes dropped EXE
PID:2000 -
\??\c:\rlfrflf.exec:\rlfrflf.exe60⤵
- Executes dropped EXE
PID:1724 -
\??\c:\frfffff.exec:\frfffff.exe61⤵
- Executes dropped EXE
PID:2520 -
\??\c:\nnbtnh.exec:\nnbtnh.exe62⤵
- Executes dropped EXE
PID:2116 -
\??\c:\1jdjd.exec:\1jdjd.exe63⤵
- Executes dropped EXE
PID:1424 -
\??\c:\1dvjv.exec:\1dvjv.exe64⤵
- Executes dropped EXE
PID:2384 -
\??\c:\ffxlllx.exec:\ffxlllx.exe65⤵
- Executes dropped EXE
PID:2764 -
\??\c:\bbttnh.exec:\bbttnh.exe66⤵PID:2088
-
\??\c:\ttnntt.exec:\ttnntt.exe67⤵PID:1104
-
\??\c:\3dvvv.exec:\3dvvv.exe68⤵PID:304
-
\??\c:\lxrlxfl.exec:\lxrlxfl.exe69⤵PID:692
-
\??\c:\xrlrffr.exec:\xrlrffr.exe70⤵PID:1148
-
\??\c:\7nhtht.exec:\7nhtht.exe71⤵PID:1320
-
\??\c:\pvjvj.exec:\pvjvj.exe72⤵PID:636
-
\??\c:\rlfflrf.exec:\rlfflrf.exe73⤵PID:1040
-
\??\c:\9lfrrrr.exec:\9lfrrrr.exe74⤵PID:1700
-
\??\c:\bbbnht.exec:\bbbnht.exe75⤵PID:2460
-
\??\c:\9pjdj.exec:\9pjdj.exe76⤵PID:1436
-
\??\c:\fxrxlrx.exec:\fxrxlrx.exe77⤵PID:1504
-
\??\c:\rrlxlrr.exec:\rrlxlrr.exe78⤵PID:2264
-
\??\c:\5tbhnn.exec:\5tbhnn.exe79⤵PID:2272
-
\??\c:\9jddj.exec:\9jddj.exe80⤵PID:2432
-
\??\c:\5jdjj.exec:\5jdjj.exe81⤵PID:1672
-
\??\c:\llxxffr.exec:\llxxffr.exe82⤵PID:108
-
\??\c:\3hbhnn.exec:\3hbhnn.exe83⤵PID:2400
-
\??\c:\bthbnn.exec:\bthbnn.exe84⤵PID:316
-
\??\c:\vvppp.exec:\vvppp.exe85⤵PID:2408
-
\??\c:\frfxflf.exec:\frfxflf.exe86⤵PID:2940
-
\??\c:\frlfrlr.exec:\frlfrlr.exe87⤵PID:2148
-
\??\c:\bbtbnt.exec:\bbtbnt.exe88⤵PID:3064
-
\??\c:\jdppv.exec:\jdppv.exe89⤵PID:2724
-
\??\c:\ppjpv.exec:\ppjpv.exe90⤵PID:2188
-
\??\c:\9xrfxlr.exec:\9xrfxlr.exe91⤵PID:2752
-
\??\c:\bbthnt.exec:\bbthnt.exe92⤵PID:2748
-
\??\c:\ppjpd.exec:\ppjpd.exe93⤵PID:2624
-
\??\c:\5vvpp.exec:\5vvpp.exe94⤵PID:2600
-
\??\c:\3llfrxr.exec:\3llfrxr.exe95⤵PID:2496
-
\??\c:\ntbhbt.exec:\ntbhbt.exe96⤵PID:2536
-
\??\c:\7nnnbn.exec:\7nnnbn.exe97⤵PID:2556
-
\??\c:\pjpjp.exec:\pjpjp.exe98⤵PID:2108
-
\??\c:\xrllffl.exec:\xrllffl.exe99⤵PID:572
-
\??\c:\9fxfxxf.exec:\9fxfxxf.exe100⤵PID:1508
-
\??\c:\nnbbhn.exec:\nnbbhn.exe101⤵PID:1604
-
\??\c:\3nbbhn.exec:\3nbbhn.exe102⤵PID:2248
-
\??\c:\ppjvd.exec:\ppjvd.exe103⤵PID:1944
-
\??\c:\rlflrrx.exec:\rlflrrx.exe104⤵PID:1524
-
\??\c:\hhthbn.exec:\hhthbn.exe105⤵PID:2804
-
\??\c:\tnhhtt.exec:\tnhhtt.exe106⤵PID:2988
-
\??\c:\vddpv.exec:\vddpv.exe107⤵PID:2204
-
\??\c:\rfxxflx.exec:\rfxxflx.exe108⤵PID:1764
-
\??\c:\ffflflr.exec:\ffflflr.exe109⤵PID:852
-
\??\c:\ttnbht.exec:\ttnbht.exe110⤵PID:904
-
\??\c:\7vvpd.exec:\7vvpd.exe111⤵PID:1140
-
\??\c:\pjpjp.exec:\pjpjp.exe112⤵PID:948
-
\??\c:\lfrxfll.exec:\lfrxfll.exe113⤵PID:304
-
\??\c:\nhtbnn.exec:\nhtbnn.exe114⤵PID:692
-
\??\c:\vvvvd.exec:\vvvvd.exe115⤵PID:1288
-
\??\c:\pdvvp.exec:\pdvvp.exe116⤵PID:564
-
\??\c:\fxxxlrr.exec:\fxxxlrr.exe117⤵PID:2668
-
\??\c:\thttbb.exec:\thttbb.exe118⤵PID:1476
-
\??\c:\bttbnb.exec:\bttbnb.exe119⤵PID:1020
-
\??\c:\jvppp.exec:\jvppp.exe120⤵PID:3056
-
\??\c:\fxlrrrf.exec:\fxlrrrf.exe121⤵PID:2176
-
\??\c:\lfllxxf.exec:\lfllxxf.exe122⤵PID:3000