Analysis
-
max time kernel
150s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
08/01/2025, 07:40
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
c23a039393be37a4a8d4b066e0949d64b149badb94913cae6eced62ad3bbc4fd.exe
Resource
win7-20240903-en
7 signatures
150 seconds
General
-
Target
c23a039393be37a4a8d4b066e0949d64b149badb94913cae6eced62ad3bbc4fd.exe
-
Size
456KB
-
MD5
3799c66fab41c45c55aa6ab406d340b4
-
SHA1
0ad46dc0dc1efa53fa0d2b260b56e560e215b9f9
-
SHA256
c23a039393be37a4a8d4b066e0949d64b149badb94913cae6eced62ad3bbc4fd
-
SHA512
4d46fb8a51da53890ca5fd887e9049085036a1f4ff19b7390c59b6386b4d6ad9273092722c8f5bd86128c6e2eeff757f36cc02e2e3796943a11a79cacd5a71c3
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeRx:q7Tc2NYHUrAwfMp3CDRx
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 42 IoCs
resource yara_rule behavioral1/memory/2776-10-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2656-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2704-27-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2704-25-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/2668-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2856-46-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2600-55-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2624-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1640-74-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1716-85-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1328-107-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2152-104-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/968-130-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/480-158-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2844-166-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2404-184-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1788-196-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1936-228-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/3028-246-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1756-255-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/300-272-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/624-281-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2412-300-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2708-313-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2736-320-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2556-330-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2720-342-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2532-384-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2532-383-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/2616-404-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2868-417-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/824-431-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2056-450-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1804-465-0x00000000002C0000-0x00000000002EA000-memory.dmp family_blackmoon behavioral1/memory/2348-543-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2560-610-0x0000000000230000-0x000000000025A000-memory.dmp family_blackmoon behavioral1/memory/2964-646-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2408-653-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/2648-678-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2464-762-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/776-802-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2540-864-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2776 7rxrlff.exe 2704 bhbhtt.exe 2668 jddjd.exe 2856 ppjpj.exe 2600 5nhhhn.exe 2624 hbtthh.exe 1640 7nttth.exe 1716 fxxlrxf.exe 2584 3hhnbh.exe 2152 1jdpd.exe 1328 bbbhtb.exe 1700 5jdjd.exe 968 9ffrffr.exe 1680 hnbbtb.exe 1760 xxllrfl.exe 480 thbhth.exe 2844 7lflxfl.exe 2196 5vpvd.exe 2404 xxflrfx.exe 2936 5nbhnt.exe 1788 rlxfrxl.exe 1972 1hnhnn.exe 1140 jpvjj.exe 1936 ffxfrxl.exe 1452 flfxxrf.exe 3028 3rrflxr.exe 1756 pjpvj.exe 2248 rlfflrf.exe 300 pjdjd.exe 624 ffxlflr.exe 2692 vjpjp.exe 2412 hbttnn.exe 2684 jjjvp.exe 2708 fxrrffl.exe 2736 tbntbb.exe 2768 ppjdj.exe 2556 fxlflrl.exe 2720 bntbht.exe 2604 dvpvj.exe 1808 llfflrf.exe 1748 3nnnnn.exe 1080 3pvvd.exe 2240 pppdj.exe 2532 xxrlxfr.exe 1780 tbbnbt.exe 308 jdpvj.exe 2616 lfxlffx.exe 1356 lxrfxfr.exe 2868 1jddp.exe 1212 pvppd.exe 824 rrlrflr.exe 1984 bthttn.exe 1568 ddpdj.exe 2056 xffrrlf.exe 2924 rlflflx.exe 1804 3nntbb.exe 2224 5pvdj.exe 2960 7lxlxff.exe 1204 bthnbh.exe 1376 3btttt.exe 2628 pjdpj.exe 2512 rfffrrx.exe 2300 hnntnn.exe 2332 dvjjd.exe -
resource yara_rule behavioral1/memory/2776-10-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2656-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2704-27-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2668-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2704-25-0x00000000003B0000-0x00000000003DA000-memory.dmp upx behavioral1/memory/2668-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2600-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2856-46-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2600-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2624-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1640-74-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1716-85-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1328-107-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2152-104-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/968-130-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/480-158-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2844-166-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2404-184-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1788-196-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3028-246-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1756-255-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/300-272-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/624-281-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2412-300-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2708-313-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2736-320-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2720-342-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2240-369-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2532-384-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2616-404-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2868-417-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/824-425-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/824-431-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2336-516-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2336-538-0x0000000000320000-0x000000000034A000-memory.dmp upx behavioral1/memory/2348-543-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2560-610-0x0000000000230000-0x000000000025A000-memory.dmp upx behavioral1/memory/2648-678-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2464-762-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2084-789-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/776-802-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1596-824-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2108-831-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2544-850-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2540-864-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2624-871-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer that host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btttnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlflrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnbbnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbnntt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbtbnt.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thhhtb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjppd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxxxflf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9pjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdpvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhhnnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3htnbt.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3pvvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5tthnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9xflxrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlrxlff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2656 wrote to memory of 2776 2656 c23a039393be37a4a8d4b066e0949d64b149badb94913cae6eced62ad3bbc4fd.exe 30 PID 2656 wrote to memory of 2776 2656 c23a039393be37a4a8d4b066e0949d64b149badb94913cae6eced62ad3bbc4fd.exe 30 PID 2656 wrote to memory of 2776 2656 c23a039393be37a4a8d4b066e0949d64b149badb94913cae6eced62ad3bbc4fd.exe 30 PID 2656 wrote to memory of 2776 2656 c23a039393be37a4a8d4b066e0949d64b149badb94913cae6eced62ad3bbc4fd.exe 30 PID 2776 wrote to memory of 2704 2776 7rxrlff.exe 31 PID 2776 wrote to memory of 2704 2776 7rxrlff.exe 31 PID 2776 wrote to memory of 2704 2776 7rxrlff.exe 31 PID 2776 wrote to memory of 2704 2776 7rxrlff.exe 31 PID 2704 wrote to memory of 2668 2704 bhbhtt.exe 32 PID 2704 wrote to memory of 2668 2704 bhbhtt.exe 32 PID 2704 wrote to memory of 2668 2704 bhbhtt.exe 32 PID 2704 wrote to memory of 2668 2704 bhbhtt.exe 32 PID 2668 wrote to memory of 2856 2668 jddjd.exe 33 PID 2668 wrote to memory of 2856 2668 jddjd.exe 33 PID 2668 wrote to memory of 2856 2668 jddjd.exe 33 PID 2668 wrote to memory of 2856 2668 jddjd.exe 33 PID 2856 wrote to memory of 2600 2856 ppjpj.exe 34 PID 2856 wrote to memory of 2600 2856 ppjpj.exe 34 PID 2856 wrote to memory of 2600 2856 ppjpj.exe 34 PID 2856 wrote to memory of 2600 2856 ppjpj.exe 34 PID 2600 wrote to memory of 2624 2600 5nhhhn.exe 35 PID 2600 wrote to memory of 2624 2600 5nhhhn.exe 35 PID 2600 wrote to memory of 2624 2600 5nhhhn.exe 35 PID 2600 wrote to memory of 2624 2600 5nhhhn.exe 35 PID 2624 wrote to memory of 1640 2624 hbtthh.exe 36 PID 2624 wrote to memory of 1640 2624 hbtthh.exe 36 PID 2624 wrote to memory of 1640 2624 hbtthh.exe 36 PID 2624 wrote to memory of 1640 2624 hbtthh.exe 36 PID 1640 wrote to memory of 1716 1640 7nttth.exe 37 PID 1640 wrote to memory of 1716 1640 7nttth.exe 37 PID 1640 wrote to memory of 1716 1640 7nttth.exe 37 PID 1640 wrote to memory of 1716 1640 7nttth.exe 37 PID 1716 wrote to memory of 2584 1716 fxxlrxf.exe 38 PID 1716 wrote 
to memory of 2584 1716 fxxlrxf.exe 38 PID 1716 wrote to memory of 2584 1716 fxxlrxf.exe 38 PID 1716 wrote to memory of 2584 1716 fxxlrxf.exe 38 PID 2584 wrote to memory of 2152 2584 3hhnbh.exe 39 PID 2584 wrote to memory of 2152 2584 3hhnbh.exe 39 PID 2584 wrote to memory of 2152 2584 3hhnbh.exe 39 PID 2584 wrote to memory of 2152 2584 3hhnbh.exe 39 PID 2152 wrote to memory of 1328 2152 1jdpd.exe 40 PID 2152 wrote to memory of 1328 2152 1jdpd.exe 40 PID 2152 wrote to memory of 1328 2152 1jdpd.exe 40 PID 2152 wrote to memory of 1328 2152 1jdpd.exe 40 PID 1328 wrote to memory of 1700 1328 bbbhtb.exe 41 PID 1328 wrote to memory of 1700 1328 bbbhtb.exe 41 PID 1328 wrote to memory of 1700 1328 bbbhtb.exe 41 PID 1328 wrote to memory of 1700 1328 bbbhtb.exe 41 PID 1700 wrote to memory of 968 1700 5jdjd.exe 42 PID 1700 wrote to memory of 968 1700 5jdjd.exe 42 PID 1700 wrote to memory of 968 1700 5jdjd.exe 42 PID 1700 wrote to memory of 968 1700 5jdjd.exe 42 PID 968 wrote to memory of 1680 968 9ffrffr.exe 43 PID 968 wrote to memory of 1680 968 9ffrffr.exe 43 PID 968 wrote to memory of 1680 968 9ffrffr.exe 43 PID 968 wrote to memory of 1680 968 9ffrffr.exe 43 PID 1680 wrote to memory of 1760 1680 hnbbtb.exe 44 PID 1680 wrote to memory of 1760 1680 hnbbtb.exe 44 PID 1680 wrote to memory of 1760 1680 hnbbtb.exe 44 PID 1680 wrote to memory of 1760 1680 hnbbtb.exe 44 PID 1760 wrote to memory of 480 1760 xxllrfl.exe 45 PID 1760 wrote to memory of 480 1760 xxllrfl.exe 45 PID 1760 wrote to memory of 480 1760 xxllrfl.exe 45 PID 1760 wrote to memory of 480 1760 xxllrfl.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\c23a039393be37a4a8d4b066e0949d64b149badb94913cae6eced62ad3bbc4fd.exe"C:\Users\Admin\AppData\Local\Temp\c23a039393be37a4a8d4b066e0949d64b149badb94913cae6eced62ad3bbc4fd.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2656 -
\??\c:\7rxrlff.exec:\7rxrlff.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2776 -
\??\c:\bhbhtt.exec:\bhbhtt.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2704 -
\??\c:\jddjd.exec:\jddjd.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2668 -
\??\c:\ppjpj.exec:\ppjpj.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2856 -
\??\c:\5nhhhn.exec:\5nhhhn.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2600 -
\??\c:\hbtthh.exec:\hbtthh.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2624 -
\??\c:\7nttth.exec:\7nttth.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1640 -
\??\c:\fxxlrxf.exec:\fxxlrxf.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1716 -
\??\c:\3hhnbh.exec:\3hhnbh.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2584 -
\??\c:\1jdpd.exec:\1jdpd.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2152 -
\??\c:\bbbhtb.exec:\bbbhtb.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1328 -
\??\c:\5jdjd.exec:\5jdjd.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1700 -
\??\c:\9ffrffr.exec:\9ffrffr.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:968 -
\??\c:\hnbbtb.exec:\hnbbtb.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1680 -
\??\c:\xxllrfl.exec:\xxllrfl.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1760 -
\??\c:\thbhth.exec:\thbhth.exe17⤵
- Executes dropped EXE
PID:480 -
\??\c:\7lflxfl.exec:\7lflxfl.exe18⤵
- Executes dropped EXE
PID:2844 -
\??\c:\5vpvd.exec:\5vpvd.exe19⤵
- Executes dropped EXE
PID:2196 -
\??\c:\xxflrfx.exec:\xxflrfx.exe20⤵
- Executes dropped EXE
PID:2404 -
\??\c:\5nbhnt.exec:\5nbhnt.exe21⤵
- Executes dropped EXE
PID:2936 -
\??\c:\rlxfrxl.exec:\rlxfrxl.exe22⤵
- Executes dropped EXE
PID:1788 -
\??\c:\1hnhnn.exec:\1hnhnn.exe23⤵
- Executes dropped EXE
PID:1972 -
\??\c:\jpvjj.exec:\jpvjj.exe24⤵
- Executes dropped EXE
PID:1140 -
\??\c:\ffxfrxl.exec:\ffxfrxl.exe25⤵
- Executes dropped EXE
PID:1936 -
\??\c:\flfxxrf.exec:\flfxxrf.exe26⤵
- Executes dropped EXE
PID:1452 -
\??\c:\3rrflxr.exec:\3rrflxr.exe27⤵
- Executes dropped EXE
PID:3028 -
\??\c:\pjpvj.exec:\pjpvj.exe28⤵
- Executes dropped EXE
PID:1756 -
\??\c:\rlfflrf.exec:\rlfflrf.exe29⤵
- Executes dropped EXE
PID:2248 -
\??\c:\pjdjd.exec:\pjdjd.exe30⤵
- Executes dropped EXE
PID:300 -
\??\c:\ffxlflr.exec:\ffxlflr.exe31⤵
- Executes dropped EXE
PID:624 -
\??\c:\vjpjp.exec:\vjpjp.exe32⤵
- Executes dropped EXE
PID:2692 -
\??\c:\hbttnn.exec:\hbttnn.exe33⤵
- Executes dropped EXE
PID:2412 -
\??\c:\jjjvp.exec:\jjjvp.exe34⤵
- Executes dropped EXE
PID:2684 -
\??\c:\fxrrffl.exec:\fxrrffl.exe35⤵
- Executes dropped EXE
PID:2708 -
\??\c:\tbntbb.exec:\tbntbb.exe36⤵
- Executes dropped EXE
PID:2736 -
\??\c:\ppjdj.exec:\ppjdj.exe37⤵
- Executes dropped EXE
PID:2768 -
\??\c:\fxlflrl.exec:\fxlflrl.exe38⤵
- Executes dropped EXE
PID:2556 -
\??\c:\bntbht.exec:\bntbht.exe39⤵
- Executes dropped EXE
PID:2720 -
\??\c:\dvpvj.exec:\dvpvj.exe40⤵
- Executes dropped EXE
PID:2604 -
\??\c:\llfflrf.exec:\llfflrf.exe41⤵
- Executes dropped EXE
PID:1808 -
\??\c:\3nnnnn.exec:\3nnnnn.exe42⤵
- Executes dropped EXE
PID:1748 -
\??\c:\3pvvd.exec:\3pvvd.exe43⤵
- Executes dropped EXE
PID:1080 -
\??\c:\pppdj.exec:\pppdj.exe44⤵
- Executes dropped EXE
PID:2240 -
\??\c:\xxrlxfr.exec:\xxrlxfr.exe45⤵
- Executes dropped EXE
PID:2532 -
\??\c:\tbbnbt.exec:\tbbnbt.exe46⤵
- Executes dropped EXE
PID:1780 -
\??\c:\jdpvj.exec:\jdpvj.exe47⤵
- Executes dropped EXE
PID:308 -
\??\c:\lfxlffx.exec:\lfxlffx.exe48⤵
- Executes dropped EXE
PID:2616 -
\??\c:\lxrfxfr.exec:\lxrfxfr.exe49⤵
- Executes dropped EXE
PID:1356 -
\??\c:\1jddp.exec:\1jddp.exe50⤵
- Executes dropped EXE
PID:2868 -
\??\c:\pvppd.exec:\pvppd.exe51⤵
- Executes dropped EXE
PID:1212 -
\??\c:\rrlrflr.exec:\rrlrflr.exe52⤵
- Executes dropped EXE
PID:824 -
\??\c:\bthttn.exec:\bthttn.exe53⤵
- Executes dropped EXE
PID:1984 -
\??\c:\ddpdj.exec:\ddpdj.exe54⤵
- Executes dropped EXE
PID:1568 -
\??\c:\xffrrlf.exec:\xffrrlf.exe55⤵
- Executes dropped EXE
PID:2056 -
\??\c:\rlflflx.exec:\rlflflx.exe56⤵
- Executes dropped EXE
PID:2924 -
\??\c:\3nntbb.exec:\3nntbb.exe57⤵
- Executes dropped EXE
PID:1804 -
\??\c:\5pvdj.exec:\5pvdj.exe58⤵
- Executes dropped EXE
PID:2224 -
\??\c:\7lxlxff.exec:\7lxlxff.exe59⤵
- Executes dropped EXE
PID:2960 -
\??\c:\bthnbh.exec:\bthnbh.exe60⤵
- Executes dropped EXE
PID:1204 -
\??\c:\3btttt.exec:\3btttt.exe61⤵
- Executes dropped EXE
PID:1376 -
\??\c:\pjdpj.exec:\pjdpj.exe62⤵
- Executes dropped EXE
PID:2628 -
\??\c:\rfffrrx.exec:\rfffrrx.exe63⤵
- Executes dropped EXE
PID:2512 -
\??\c:\hnntnn.exec:\hnntnn.exe64⤵
- Executes dropped EXE
PID:2300 -
\??\c:\dvjjd.exec:\dvjjd.exe65⤵
- Executes dropped EXE
PID:2332 -
\??\c:\7jvdp.exec:\7jvdp.exe66⤵PID:2336
-
\??\c:\lxxxflf.exec:\lxxxflf.exe67⤵
- System Location Discovery: System Language Discovery
PID:2940 -
\??\c:\1htttb.exec:\1htttb.exe68⤵PID:904
-
\??\c:\tnhntb.exec:\tnhntb.exe69⤵PID:672
-
\??\c:\7ppvj.exec:\7ppvj.exe70⤵PID:2348
-
\??\c:\9lrxxll.exec:\9lrxxll.exe71⤵PID:2796
-
\??\c:\ddpvj.exec:\ddpvj.exe72⤵PID:1688
-
\??\c:\1ppdp.exec:\1ppdp.exe73⤵PID:2680
-
\??\c:\rrrllxr.exec:\rrrllxr.exe74⤵PID:2820
-
\??\c:\hbthnt.exec:\hbthnt.exe75⤵PID:2580
-
\??\c:\5pjdd.exec:\5pjdd.exe76⤵PID:2884
-
\??\c:\9fxxxfl.exec:\9fxxxfl.exe77⤵PID:2808
-
\??\c:\3lflrxf.exec:\3lflrxf.exe78⤵PID:2576
-
\??\c:\hhbhnn.exec:\hhbhnn.exe79⤵PID:2984
-
\??\c:\jddpv.exec:\jddpv.exe80⤵PID:2560
-
\??\c:\5xrxlxl.exec:\5xrxlxl.exe81⤵PID:2008
-
\??\c:\xrrrffr.exec:\xrrrffr.exe82⤵PID:2964
-
\??\c:\1ntttt.exec:\1ntttt.exe83⤵PID:1676
-
\??\c:\ppdvv.exec:\ppdvv.exe84⤵PID:2368
-
\??\c:\llfrxxl.exec:\llfrxxl.exe85⤵PID:2832
-
\??\c:\5xlrffl.exec:\5xlrffl.exe86⤵PID:2408
-
\??\c:\7hbntb.exec:\7hbntb.exe87⤵PID:1624
-
\??\c:\jvjdj.exec:\jvjdj.exe88⤵PID:2028
-
\??\c:\fxflrxl.exec:\fxflrxl.exe89⤵PID:2652
-
\??\c:\xxllxxl.exec:\xxllxxl.exe90⤵PID:2648
-
\??\c:\bbnthh.exec:\bbnthh.exe91⤵PID:1928
-
\??\c:\jdppv.exec:\jdppv.exe92⤵PID:584
-
\??\c:\9jdvv.exec:\9jdvv.exe93⤵PID:264
-
\??\c:\7fflllr.exec:\7fflllr.exe94⤵PID:1348
-
\??\c:\btttnn.exec:\btttnn.exe95⤵
- System Location Discovery: System Language Discovery
PID:2096 -
\??\c:\5vpdp.exec:\5vpdp.exe96⤵PID:2396
-
\??\c:\9djjv.exec:\9djjv.exe97⤵PID:2404
-
\??\c:\lfxfxxl.exec:\lfxfxxl.exe98⤵PID:2164
-
\??\c:\fxrxflx.exec:\fxrxflx.exe99⤵PID:2936
-
\??\c:\nnbhtt.exec:\nnbhtt.exe100⤵PID:2156
-
\??\c:\vpdvp.exec:\vpdvp.exe101⤵PID:1708
-
\??\c:\xxrfrfr.exec:\xxrfrfr.exe102⤵PID:1100
-
\??\c:\hbtbtb.exec:\hbtbtb.exe103⤵PID:2464
-
\??\c:\hbtthn.exec:\hbtthn.exe104⤵PID:2628
-
\??\c:\pjjpd.exec:\pjjpd.exe105⤵PID:3024
-
\??\c:\rlxlflr.exec:\rlxlflr.exe106⤵PID:1380
-
\??\c:\nnnthn.exec:\nnnthn.exe107⤵PID:564
-
\??\c:\3ttbhh.exec:\3ttbhh.exe108⤵PID:2084
-
\??\c:\ddjpj.exec:\ddjpj.exe109⤵PID:1200
-
\??\c:\fxrfrfl.exec:\fxrfrfl.exe110⤵PID:776
-
\??\c:\tnnthh.exec:\tnnthh.exe111⤵PID:2696
-
\??\c:\5vpdd.exec:\5vpdd.exe112⤵PID:1596
-
\??\c:\3xrlrxl.exec:\3xrlrxl.exe113⤵PID:2784
-
\??\c:\7bbbnn.exec:\7bbbnn.exe114⤵PID:2108
-
\??\c:\pjdpd.exec:\pjdpd.exe115⤵PID:2376
-
\??\c:\jdjpv.exec:\jdjpv.exe116⤵PID:2772
-
\??\c:\rxffxll.exec:\rxffxll.exe117⤵PID:2544
-
\??\c:\3nnhtb.exec:\3nnhtb.exe118⤵PID:2540
-
\??\c:\vvvdp.exec:\vvvdp.exe119⤵PID:2588
-
\??\c:\rlxlrxl.exec:\rlxlrxl.exe120⤵PID:2624
-
\??\c:\ttnbhn.exec:\ttnbhn.exe121⤵PID:2560
-
\??\c:\7hhhbb.exec:\7hhhbb.exe122⤵PID:1808
-