Analysis
-
max time kernel
150s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
08/01/2025, 07:42
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
c292ac19152df46d6e086e4599c78ba37d01b750a4e8cb931d2f2fb0fd3011f8.exe
Resource
win7-20240903-en
7 signatures
150 seconds
General
-
Target
c292ac19152df46d6e086e4599c78ba37d01b750a4e8cb931d2f2fb0fd3011f8.exe
-
Size
453KB
-
MD5
428f9de8c11c350e43f1b64eb48d875e
-
SHA1
661012d75fbda1296eda55a524559adfecec6047
-
SHA256
c292ac19152df46d6e086e4599c78ba37d01b750a4e8cb931d2f2fb0fd3011f8
-
SHA512
4c742dc6a94c293ad6eec546f69d82a5716b101deeb0001c750554906d748ee2100f776272d534502555985a398b5b71f69879e44aae7e1de9c8ead83008c2b4
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbebM:q7Tc2NYHUrAwfMp3CDbM
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 47 IoCs
resource yara_rule behavioral1/memory/2116-0-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2540-16-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1688-26-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2856-41-0x0000000000250000-0x000000000027A000-memory.dmp family_blackmoon behavioral1/memory/2696-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/864-59-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2284-56-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/864-66-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1980-77-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2780-88-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/316-97-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1504-115-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1092-126-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2964-164-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2944-176-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1432-174-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1684-193-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2392-204-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2444-214-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1072-219-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/896-240-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/1552-265-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2524-308-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2192-315-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2732-335-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2808-355-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2092-374-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/572-388-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1724-408-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1248-416-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2504-423-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/684-442-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2588-488-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1124-501-0x0000000000330000-0x000000000035A000-memory.dmp family_blackmoon behavioral1/memory/1760-509-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/652-547-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2544-566-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2544-573-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2056-580-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2312-612-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2616-645-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/2436-659-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/3008-780-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/3008-782-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/2768-878-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2628-904-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2424-962-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2540 vvvjv.exe 1688 xxrxrrf.exe 2696 hhhnbn.exe 2856 nhbbht.exe 2284 jjvvd.exe 864 1btthn.exe 1980 jdpvj.exe 2780 9jjdp.exe 316 rlrxlll.exe 1964 rfrrlfl.exe 1504 llffffl.exe 1092 3dpdp.exe 2504 ffxrxfx.exe 2788 1jpvv.exe 2044 llfxffl.exe 2964 7jppp.exe 1432 rlfrxfl.exe 2944 vjpjp.exe 1684 lxrlrlr.exe 2392 9pjpv.exe 2444 5xrxxxf.exe 1072 vvjjp.exe 2028 rlxfflf.exe 896 bbbbhh.exe 2468 ppdpd.exe 2988 fxlxfrx.exe 1552 xrllffx.exe 1640 9ddpp.exe 1496 flrfxfx.exe 2144 tnbhhn.exe 2372 pjdjv.exe 2524 3hhntb.exe 2192 ppjvd.exe 2316 lflxflx.exe 2868 nhtbhh.exe 2732 vvppd.exe 2724 fxllxrx.exe 2912 lffrffx.exe 2808 hbtnbh.exe 2720 vpddj.exe 2600 9lxflfx.exe 2092 flrxllx.exe 2436 bbtbhn.exe 572 1pdjp.exe 1308 frflflr.exe 1504 ddjvj.exe 1724 vjjpv.exe 1248 lrrxlrf.exe 2504 hbthth.exe 2796 9bttth.exe 1152 jpdpv.exe 684 llxxflx.exe 2964 nhbbhh.exe 3052 jpvdd.exe 2288 jvdvj.exe 2588 3lffflx.exe 1684 nnhhnn.exe 3020 9pdvv.exe 628 9dpjj.exe 2452 xrlxfxr.exe 1124 9hbhtt.exe 1760 ntbnbt.exe 896 7jdjd.exe 1548 fxxfrrx.exe -
resource yara_rule behavioral1/memory/2116-0-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1688-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2540-16-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1688-26-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2696-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/864-59-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2284-56-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2780-78-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1980-77-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2780-88-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1964-98-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/316-97-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1092-116-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1504-115-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1092-126-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2788-136-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2044-146-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2964-155-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2964-164-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2944-176-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1432-174-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2392-194-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1684-193-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2392-204-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2444-211-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/1072-215-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2444-214-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/896-240-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1552-265-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2144-290-0x00000000001B0000-0x00000000001DA000-memory.dmp upx behavioral1/memory/2524-308-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2192-315-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2732-335-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2912-342-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2808-355-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2092-374-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/572-388-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1724-408-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1248-416-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2504-423-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3052-449-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3020-475-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2588-488-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/1760-502-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1760-509-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/652-540-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2544-566-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2056-580-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2888-593-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2872-633-0x0000000000230000-0x000000000025A000-memory.dmp upx behavioral1/memory/2436-659-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1708-831-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1732-838-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2528-845-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2848-858-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2768-878-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/684-975-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjvdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxrflrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1rxlrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttbhtb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdvvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrlrxfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnnbth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbtbnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbhtht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfrxflr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpvjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxrxffl.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djdjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1hbbnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbtbht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnhthh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxllrrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2116 wrote to memory of 2540 2116 c292ac19152df46d6e086e4599c78ba37d01b750a4e8cb931d2f2fb0fd3011f8.exe 30 PID 2116 wrote to memory of 2540 2116 c292ac19152df46d6e086e4599c78ba37d01b750a4e8cb931d2f2fb0fd3011f8.exe 30 PID 2116 wrote to memory of 2540 2116 c292ac19152df46d6e086e4599c78ba37d01b750a4e8cb931d2f2fb0fd3011f8.exe 30 PID 2116 wrote to memory of 2540 2116 c292ac19152df46d6e086e4599c78ba37d01b750a4e8cb931d2f2fb0fd3011f8.exe 30 PID 2540 wrote to memory of 1688 2540 vvvjv.exe 31 PID 2540 wrote to memory of 1688 2540 vvvjv.exe 31 PID 2540 wrote to memory of 1688 2540 vvvjv.exe 31 PID 2540 wrote to memory of 1688 2540 vvvjv.exe 31 PID 1688 wrote to memory of 2696 1688 xxrxrrf.exe 32 PID 1688 wrote to memory of 2696 1688 xxrxrrf.exe 32 PID 1688 wrote to memory of 2696 1688 xxrxrrf.exe 32 PID 1688 wrote to memory of 2696 1688 xxrxrrf.exe 32 PID 2696 wrote to memory of 2856 2696 hhhnbn.exe 33 PID 2696 wrote to memory of 2856 2696 hhhnbn.exe 33 PID 2696 wrote to memory of 2856 2696 hhhnbn.exe 33 PID 2696 wrote to memory of 2856 2696 hhhnbn.exe 33 PID 2856 wrote to memory of 2284 2856 nhbbht.exe 34 PID 2856 wrote to memory of 2284 2856 nhbbht.exe 34 PID 2856 wrote to memory of 2284 2856 nhbbht.exe 34 PID 2856 wrote to memory of 2284 2856 nhbbht.exe 34 PID 2284 wrote to memory of 864 2284 jjvvd.exe 35 PID 2284 wrote to memory of 864 2284 jjvvd.exe 35 PID 2284 wrote to memory of 864 2284 jjvvd.exe 35 PID 2284 wrote to memory of 864 2284 jjvvd.exe 35 PID 864 wrote to memory of 1980 864 1btthn.exe 36 PID 864 wrote to memory of 1980 864 1btthn.exe 36 PID 864 wrote to memory of 1980 864 1btthn.exe 36 PID 864 wrote to memory of 1980 864 1btthn.exe 36 PID 1980 wrote to memory of 2780 1980 jdpvj.exe 37 PID 1980 wrote to memory of 2780 1980 jdpvj.exe 37 PID 1980 wrote to memory of 2780 1980 jdpvj.exe 37 PID 1980 wrote to memory of 2780 1980 jdpvj.exe 37 PID 2780 wrote to memory of 316 2780 9jjdp.exe 38 PID 2780 wrote to memory of 316 
2780 9jjdp.exe 38 PID 2780 wrote to memory of 316 2780 9jjdp.exe 38 PID 2780 wrote to memory of 316 2780 9jjdp.exe 38 PID 316 wrote to memory of 1964 316 rlrxlll.exe 39 PID 316 wrote to memory of 1964 316 rlrxlll.exe 39 PID 316 wrote to memory of 1964 316 rlrxlll.exe 39 PID 316 wrote to memory of 1964 316 rlrxlll.exe 39 PID 1964 wrote to memory of 1504 1964 rfrrlfl.exe 40 PID 1964 wrote to memory of 1504 1964 rfrrlfl.exe 40 PID 1964 wrote to memory of 1504 1964 rfrrlfl.exe 40 PID 1964 wrote to memory of 1504 1964 rfrrlfl.exe 40 PID 1504 wrote to memory of 1092 1504 llffffl.exe 41 PID 1504 wrote to memory of 1092 1504 llffffl.exe 41 PID 1504 wrote to memory of 1092 1504 llffffl.exe 41 PID 1504 wrote to memory of 1092 1504 llffffl.exe 41 PID 1092 wrote to memory of 2504 1092 3dpdp.exe 42 PID 1092 wrote to memory of 2504 1092 3dpdp.exe 42 PID 1092 wrote to memory of 2504 1092 3dpdp.exe 42 PID 1092 wrote to memory of 2504 1092 3dpdp.exe 42 PID 2504 wrote to memory of 2788 2504 ffxrxfx.exe 43 PID 2504 wrote to memory of 2788 2504 ffxrxfx.exe 43 PID 2504 wrote to memory of 2788 2504 ffxrxfx.exe 43 PID 2504 wrote to memory of 2788 2504 ffxrxfx.exe 43 PID 2788 wrote to memory of 2044 2788 1jpvv.exe 44 PID 2788 wrote to memory of 2044 2788 1jpvv.exe 44 PID 2788 wrote to memory of 2044 2788 1jpvv.exe 44 PID 2788 wrote to memory of 2044 2788 1jpvv.exe 44 PID 2044 wrote to memory of 2964 2044 llfxffl.exe 45 PID 2044 wrote to memory of 2964 2044 llfxffl.exe 45 PID 2044 wrote to memory of 2964 2044 llfxffl.exe 45 PID 2044 wrote to memory of 2964 2044 llfxffl.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\c292ac19152df46d6e086e4599c78ba37d01b750a4e8cb931d2f2fb0fd3011f8.exe"C:\Users\Admin\AppData\Local\Temp\c292ac19152df46d6e086e4599c78ba37d01b750a4e8cb931d2f2fb0fd3011f8.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2116 -
\??\c:\vvvjv.exec:\vvvjv.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2540 -
\??\c:\xxrxrrf.exec:\xxrxrrf.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1688 -
\??\c:\hhhnbn.exec:\hhhnbn.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2696 -
\??\c:\nhbbht.exec:\nhbbht.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2856 -
\??\c:\jjvvd.exec:\jjvvd.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2284 -
\??\c:\1btthn.exec:\1btthn.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:864 -
\??\c:\jdpvj.exec:\jdpvj.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1980 -
\??\c:\9jjdp.exec:\9jjdp.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2780 -
\??\c:\rlrxlll.exec:\rlrxlll.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:316 -
\??\c:\rfrrlfl.exec:\rfrrlfl.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1964 -
\??\c:\llffffl.exec:\llffffl.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1504 -
\??\c:\3dpdp.exec:\3dpdp.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1092 -
\??\c:\ffxrxfx.exec:\ffxrxfx.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2504 -
\??\c:\1jpvv.exec:\1jpvv.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2788 -
\??\c:\llfxffl.exec:\llfxffl.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2044 -
\??\c:\7jppp.exec:\7jppp.exe17⤵
- Executes dropped EXE
PID:2964 -
\??\c:\rlfrxfl.exec:\rlfrxfl.exe18⤵
- Executes dropped EXE
PID:1432 -
\??\c:\vjpjp.exec:\vjpjp.exe19⤵
- Executes dropped EXE
PID:2944 -
\??\c:\lxrlrlr.exec:\lxrlrlr.exe20⤵
- Executes dropped EXE
PID:1684 -
\??\c:\9pjpv.exec:\9pjpv.exe21⤵
- Executes dropped EXE
PID:2392 -
\??\c:\5xrxxxf.exec:\5xrxxxf.exe22⤵
- Executes dropped EXE
PID:2444 -
\??\c:\vvjjp.exec:\vvjjp.exe23⤵
- Executes dropped EXE
PID:1072 -
\??\c:\rlxfflf.exec:\rlxfflf.exe24⤵
- Executes dropped EXE
PID:2028 -
\??\c:\bbbbhh.exec:\bbbbhh.exe25⤵
- Executes dropped EXE
PID:896 -
\??\c:\ppdpd.exec:\ppdpd.exe26⤵
- Executes dropped EXE
PID:2468 -
\??\c:\fxlxfrx.exec:\fxlxfrx.exe27⤵
- Executes dropped EXE
PID:2988 -
\??\c:\xrllffx.exec:\xrllffx.exe28⤵
- Executes dropped EXE
PID:1552 -
\??\c:\9ddpp.exec:\9ddpp.exe29⤵
- Executes dropped EXE
PID:1640 -
\??\c:\flrfxfx.exec:\flrfxfx.exe30⤵
- Executes dropped EXE
PID:1496 -
\??\c:\tnbhhn.exec:\tnbhhn.exe31⤵
- Executes dropped EXE
PID:2144 -
\??\c:\pjdjv.exec:\pjdjv.exe32⤵
- Executes dropped EXE
PID:2372 -
\??\c:\3hhntb.exec:\3hhntb.exe33⤵
- Executes dropped EXE
PID:2524 -
\??\c:\ppjvd.exec:\ppjvd.exe34⤵
- Executes dropped EXE
PID:2192 -
\??\c:\lflxflx.exec:\lflxflx.exe35⤵
- Executes dropped EXE
PID:2316 -
\??\c:\nhtbhh.exec:\nhtbhh.exe36⤵
- Executes dropped EXE
PID:2868 -
\??\c:\vvppd.exec:\vvppd.exe37⤵
- Executes dropped EXE
PID:2732 -
\??\c:\fxllxrx.exec:\fxllxrx.exe38⤵
- Executes dropped EXE
PID:2724 -
\??\c:\lffrffx.exec:\lffrffx.exe39⤵
- Executes dropped EXE
PID:2912 -
\??\c:\hbtnbh.exec:\hbtnbh.exe40⤵
- Executes dropped EXE
PID:2808 -
\??\c:\vpddj.exec:\vpddj.exe41⤵
- Executes dropped EXE
PID:2720 -
\??\c:\9lxflfx.exec:\9lxflfx.exe42⤵
- Executes dropped EXE
PID:2600 -
\??\c:\flrxllx.exec:\flrxllx.exe43⤵
- Executes dropped EXE
PID:2092 -
\??\c:\bbtbhn.exec:\bbtbhn.exe44⤵
- Executes dropped EXE
PID:2436 -
\??\c:\1pdjp.exec:\1pdjp.exe45⤵
- Executes dropped EXE
PID:572 -
\??\c:\frflflr.exec:\frflflr.exe46⤵
- Executes dropped EXE
PID:1308 -
\??\c:\ddjvj.exec:\ddjvj.exe47⤵
- Executes dropped EXE
PID:1504 -
\??\c:\vjjpv.exec:\vjjpv.exe48⤵
- Executes dropped EXE
PID:1724 -
\??\c:\lrrxlrf.exec:\lrrxlrf.exe49⤵
- Executes dropped EXE
PID:1248 -
\??\c:\hbthth.exec:\hbthth.exe50⤵
- Executes dropped EXE
PID:2504 -
\??\c:\9bttth.exec:\9bttth.exe51⤵
- Executes dropped EXE
PID:2796 -
\??\c:\jpdpv.exec:\jpdpv.exe52⤵
- Executes dropped EXE
PID:1152 -
\??\c:\llxxflx.exec:\llxxflx.exe53⤵
- Executes dropped EXE
PID:684 -
\??\c:\nhbbhh.exec:\nhbbhh.exe54⤵
- Executes dropped EXE
PID:2964 -
\??\c:\jpvdd.exec:\jpvdd.exe55⤵
- Executes dropped EXE
PID:3052 -
\??\c:\jvdvj.exec:\jvdvj.exe56⤵
- Executes dropped EXE
PID:2288 -
\??\c:\3lffflx.exec:\3lffflx.exe57⤵
- Executes dropped EXE
PID:2588 -
\??\c:\nnhhnn.exec:\nnhhnn.exe58⤵
- Executes dropped EXE
PID:1684 -
\??\c:\9pdvv.exec:\9pdvv.exe59⤵
- Executes dropped EXE
PID:3020 -
\??\c:\9dpjj.exec:\9dpjj.exe60⤵
- Executes dropped EXE
PID:628 -
\??\c:\xrlxfxr.exec:\xrlxfxr.exe61⤵
- Executes dropped EXE
PID:2452 -
\??\c:\9hbhtt.exec:\9hbhtt.exe62⤵
- Executes dropped EXE
PID:1124 -
\??\c:\ntbnbt.exec:\ntbnbt.exe63⤵
- Executes dropped EXE
PID:1760 -
\??\c:\7jdjd.exec:\7jdjd.exe64⤵
- Executes dropped EXE
PID:896 -
\??\c:\fxxfrrx.exec:\fxxfrrx.exe65⤵
- Executes dropped EXE
PID:1548 -
\??\c:\5hhttb.exec:\5hhttb.exe66⤵PID:1316
-
\??\c:\nhtbhb.exec:\nhtbhb.exe67⤵PID:3028
-
\??\c:\5dpvj.exec:\5dpvj.exe68⤵PID:344
-
\??\c:\rlfflxx.exec:\rlfflxx.exe69⤵PID:652
-
\??\c:\bbthbh.exec:\bbthbh.exe70⤵PID:888
-
\??\c:\jddpd.exec:\jddpd.exe71⤵PID:1496
-
\??\c:\1vvvp.exec:\1vvvp.exe72⤵PID:2116
-
\??\c:\1lrrffr.exec:\1lrrffr.exe73⤵PID:2544
-
\??\c:\nbthnb.exec:\nbthnb.exe74⤵PID:2056
-
\??\c:\jjddj.exec:\jjddj.exe75⤵PID:2324
-
\??\c:\dvjjv.exec:\dvjjv.exe76⤵PID:2752
-
\??\c:\9lflfrx.exec:\9lflfrx.exe77⤵PID:2888
-
\??\c:\bbbnht.exec:\bbbnht.exe78⤵PID:2856
-
\??\c:\btntbb.exec:\btntbb.exe79⤵PID:2312
-
\??\c:\vjjvv.exec:\vjjvv.exe80⤵PID:2724
-
\??\c:\lfrxlfl.exec:\lfrxlfl.exe81⤵PID:2772
-
\??\c:\nhttbb.exec:\nhttbb.exe82⤵PID:2808
-
\??\c:\hhtnth.exec:\hhtnth.exe83⤵PID:2872
-
\??\c:\pjdpd.exec:\pjdpd.exe84⤵PID:2616
-
\??\c:\hhhnth.exec:\hhhnth.exe85⤵PID:2092
-
\??\c:\hbntbb.exec:\hbntbb.exe86⤵PID:2436
-
\??\c:\5dpjj.exec:\5dpjj.exe87⤵PID:1516
-
\??\c:\rlxfrrx.exec:\rlxfrrx.exe88⤵PID:1308
-
\??\c:\9bhbtt.exec:\9bhbtt.exe89⤵PID:2672
-
\??\c:\3jjpp.exec:\3jjpp.exe90⤵PID:356
-
\??\c:\vjjjd.exec:\vjjjd.exe91⤵PID:1248
-
\??\c:\lrrlrxl.exec:\lrrlrxl.exe92⤵PID:2388
-
\??\c:\thtthh.exec:\thtthh.exe93⤵PID:1816
-
\??\c:\ttbhtb.exec:\ttbhtb.exe94⤵
- System Location Discovery: System Language Discovery
PID:1580 -
\??\c:\vpdjj.exec:\vpdjj.exe95⤵PID:1348
-
\??\c:\5ffxxff.exec:\5ffxxff.exe96⤵PID:2976
-
\??\c:\lfxflrx.exec:\lfxflrx.exe97⤵PID:2416
-
\??\c:\bttthh.exec:\bttthh.exe98⤵PID:1472
-
\??\c:\djdjv.exec:\djdjv.exe99⤵
- System Location Discovery: System Language Discovery
PID:1988 -
\??\c:\xxxrxlf.exec:\xxxrxlf.exe100⤵PID:1524
-
\??\c:\rfffrfl.exec:\rfffrfl.exe101⤵PID:1300
-
\??\c:\bbhtht.exec:\bbhtht.exe102⤵
- System Location Discovery: System Language Discovery
PID:3020 -
\??\c:\jppvp.exec:\jppvp.exe103⤵PID:692
-
\??\c:\ffrfrrl.exec:\ffrfrrl.exe104⤵PID:1536
-
\??\c:\xxxrflx.exec:\xxxrflx.exe105⤵PID:1124
-
\??\c:\hhhbth.exec:\hhhbth.exe106⤵PID:3008
-
\??\c:\vvpvj.exec:\vvpvj.exe107⤵PID:1852
-
\??\c:\jdvdp.exec:\jdvdp.exe108⤵PID:2360
-
\??\c:\flxxfff.exec:\flxxfff.exe109⤵PID:2468
-
\??\c:\hhhnth.exec:\hhhnth.exe110⤵PID:2988
-
\??\c:\7vjvd.exec:\7vjvd.exe111⤵PID:1040
-
\??\c:\llxlrrl.exec:\llxlrrl.exe112⤵PID:3032
-
\??\c:\tnhhnt.exec:\tnhhnt.exe113⤵PID:1840
-
\??\c:\7vvvp.exec:\7vvvp.exe114⤵PID:2356
-
\??\c:\vvvjd.exec:\vvvjd.exe115⤵PID:1708
-
\??\c:\xlxxrxl.exec:\xlxxrxl.exe116⤵PID:1732
-
\??\c:\bthhnh.exec:\bthhnh.exe117⤵PID:2528
-
\??\c:\1vpdp.exec:\1vpdp.exe118⤵PID:2748
-
\??\c:\frffrrx.exec:\frffrrx.exe119⤵PID:2848
-
\??\c:\7lxxfxf.exec:\7lxxfxf.exe120⤵PID:2868
-
\??\c:\hbthbh.exec:\hbthbh.exe121⤵PID:2768
-
\??\c:\ppjdp.exec:\ppjdp.exe122⤵PID:2896