Analysis
-
max time kernel
150s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
27/01/2025, 20:34
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
249fef9b379b6ccd1c545b13916c18a957ca3900fe118920b68f863f57d88e08.exe
Resource
win7-20240903-en
7 signatures
150 seconds
General
-
Target
249fef9b379b6ccd1c545b13916c18a957ca3900fe118920b68f863f57d88e08.exe
-
Size
454KB
-
MD5
b9a742dd8f9d8a4456237a88ff801dff
-
SHA1
ab09169e2bfc796d27f58479a7009686840c52e0
-
SHA256
249fef9b379b6ccd1c545b13916c18a957ca3900fe118920b68f863f57d88e08
-
SHA512
f10b51a83a7820b993cea4a32fb6f6c4cbdad4f3334f7e5109091ec87bfea7f2ee016fda12905d1fe4d8861b611643ea283fdc39736311589e8f04fb07ad31e0
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeT:q7Tc2NYHUrAwfMp3CDT
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 41 IoCs
resource yara_rule behavioral1/memory/3012-1-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2556-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2416-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3068-26-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2316-45-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3020-60-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2896-58-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2768-87-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2644-97-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1264-120-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2164-118-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/800-137-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/800-139-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1932-148-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2868-158-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1832-176-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1684-218-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2528-232-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1084-237-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1084-242-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2084-245-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2276-254-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2512-269-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2512-271-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1856-289-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/316-318-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2780-337-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2960-350-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2872-365-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2804-386-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1812-405-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/3004-424-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2984-480-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3048-506-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/1816-588-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2748-627-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2940-659-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1324-673-0x0000000000230000-0x000000000025A000-memory.dmp family_blackmoon behavioral1/memory/2820-692-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2688-916-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2080-1047-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2556 nhbnbh.exe 3068 thbhtn.exe 2416 nnhnht.exe 2316 jjdjv.exe 2896 tthhhn.exe 3020 3djpd.exe 2792 llffxxr.exe 2768 xlffrxl.exe 2644 xxrfllr.exe 2800 5xllrxr.exe 2164 1llfrxr.exe 1264 lfllxfl.exe 800 fxrrffr.exe 1932 vpdjv.exe 2868 rllrrxf.exe 1060 vvpvj.exe 1832 rlfllfl.exe 1772 3dppd.exe 2268 rrrrxfr.exe 1244 jjpvd.exe 996 pjdpd.exe 1684 pjvvv.exe 2528 3jddj.exe 1084 htbhnn.exe 2084 dpjdp.exe 2276 rlxflxl.exe 2512 nbbbhh.exe 860 nttthh.exe 880 ddpvv.exe 1856 rlrxffl.exe 2436 tnnnnt.exe 1444 frxrrrr.exe 316 tthnbb.exe 2368 pjddv.exe 2272 3xxxfll.exe 2780 fxrrrrx.exe 2916 hbnnbb.exe 2960 vvpvd.exe 2956 dvppd.exe 2872 rlxxlfl.exe 2792 hbnnbh.exe 2652 9dddp.exe 2804 1xxrflx.exe 1872 9xfflxx.exe 2860 tnbbhh.exe 1812 jjjpd.exe 2204 pdvdj.exe 2832 lxrxxxx.exe 3004 hhbbnn.exe 2844 hthnbh.exe 1932 jjdjv.exe 1052 lflxxfr.exe 1720 rlxxxxf.exe 1060 thbbhn.exe 2032 pjvpv.exe 2344 dpjpv.exe 2072 9xrlrxl.exe 2984 ntntbn.exe 872 bnbtbb.exe 1308 vvppv.exe 2080 pjvjp.exe 3048 9fflrxr.exe 1348 nhbntb.exe 1084 vjvdj.exe -
resource yara_rule behavioral1/memory/3012-1-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2556-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2416-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3068-26-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2316-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2896-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2316-45-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3020-60-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2896-58-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2792-69-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2768-79-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2768-87-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2800-98-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2644-97-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2800-106-0x0000000001C70000-0x0000000001C9A000-memory.dmp upx behavioral1/memory/1264-120-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2164-118-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/800-139-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2868-158-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1832-176-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1244-196-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1684-214-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1084-233-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2528-232-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/1084-242-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2084-245-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2276-254-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2512-271-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1856-289-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/316-318-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2780-337-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2960-344-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2960-350-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2872-365-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2792-366-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2652-379-0x0000000000320000-0x000000000034A000-memory.dmp upx behavioral1/memory/2804-386-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3004-424-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2344-461-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2984-480-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2352-531-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/780-538-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1584-569-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1816-588-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2748-627-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2940-659-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1324-666-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2820-692-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2268-742-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2688-916-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2692-960-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2020-985-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2196-992-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpdvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlxxllx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htbtbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvjvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrrrxfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrxxfxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1hbnbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jddjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5pppp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3rllrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlrxffl.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3pjjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7lflxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rllrrxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbtbnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rllrffr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddppd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3hhnth.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3012 wrote to memory of 2556 3012 249fef9b379b6ccd1c545b13916c18a957ca3900fe118920b68f863f57d88e08.exe 30 PID 3012 wrote to memory of 2556 3012 249fef9b379b6ccd1c545b13916c18a957ca3900fe118920b68f863f57d88e08.exe 30 PID 3012 wrote to memory of 2556 3012 249fef9b379b6ccd1c545b13916c18a957ca3900fe118920b68f863f57d88e08.exe 30 PID 3012 wrote to memory of 2556 3012 249fef9b379b6ccd1c545b13916c18a957ca3900fe118920b68f863f57d88e08.exe 30 PID 2556 wrote to memory of 3068 2556 nhbnbh.exe 31 PID 2556 wrote to memory of 3068 2556 nhbnbh.exe 31 PID 2556 wrote to memory of 3068 2556 nhbnbh.exe 31 PID 2556 wrote to memory of 3068 2556 nhbnbh.exe 31 PID 3068 wrote to memory of 2416 3068 thbhtn.exe 32 PID 3068 wrote to memory of 2416 3068 thbhtn.exe 32 PID 3068 wrote to memory of 2416 3068 thbhtn.exe 32 PID 3068 wrote to memory of 2416 3068 thbhtn.exe 32 PID 2416 wrote to memory of 2316 2416 nnhnht.exe 33 PID 2416 wrote to memory of 2316 2416 nnhnht.exe 33 PID 2416 wrote to memory of 2316 2416 nnhnht.exe 33 PID 2416 wrote to memory of 2316 2416 nnhnht.exe 33 PID 2316 wrote to memory of 2896 2316 jjdjv.exe 34 PID 2316 wrote to memory of 2896 2316 jjdjv.exe 34 PID 2316 wrote to memory of 2896 2316 jjdjv.exe 34 PID 2316 wrote to memory of 2896 2316 jjdjv.exe 34 PID 2896 wrote to memory of 3020 2896 tthhhn.exe 35 PID 2896 wrote to memory of 3020 2896 tthhhn.exe 35 PID 2896 wrote to memory of 3020 2896 tthhhn.exe 35 PID 2896 wrote to memory of 3020 2896 tthhhn.exe 35 PID 3020 wrote to memory of 2792 3020 3djpd.exe 36 PID 3020 wrote to memory of 2792 3020 3djpd.exe 36 PID 3020 wrote to memory of 2792 3020 3djpd.exe 36 PID 3020 wrote to memory of 2792 3020 3djpd.exe 36 PID 2792 wrote to memory of 2768 2792 llffxxr.exe 37 PID 2792 wrote to memory of 2768 2792 llffxxr.exe 37 PID 2792 wrote to memory of 2768 2792 llffxxr.exe 37 PID 2792 wrote to memory of 2768 2792 llffxxr.exe 37 PID 2768 wrote to memory of 2644 2768 xlffrxl.exe 38 PID 2768 wrote 
to memory of 2644 2768 xlffrxl.exe 38 PID 2768 wrote to memory of 2644 2768 xlffrxl.exe 38 PID 2768 wrote to memory of 2644 2768 xlffrxl.exe 38 PID 2644 wrote to memory of 2800 2644 xxrfllr.exe 39 PID 2644 wrote to memory of 2800 2644 xxrfllr.exe 39 PID 2644 wrote to memory of 2800 2644 xxrfllr.exe 39 PID 2644 wrote to memory of 2800 2644 xxrfllr.exe 39 PID 2800 wrote to memory of 2164 2800 5xllrxr.exe 40 PID 2800 wrote to memory of 2164 2800 5xllrxr.exe 40 PID 2800 wrote to memory of 2164 2800 5xllrxr.exe 40 PID 2800 wrote to memory of 2164 2800 5xllrxr.exe 40 PID 2164 wrote to memory of 1264 2164 1llfrxr.exe 41 PID 2164 wrote to memory of 1264 2164 1llfrxr.exe 41 PID 2164 wrote to memory of 1264 2164 1llfrxr.exe 41 PID 2164 wrote to memory of 1264 2164 1llfrxr.exe 41 PID 1264 wrote to memory of 800 1264 lfllxfl.exe 42 PID 1264 wrote to memory of 800 1264 lfllxfl.exe 42 PID 1264 wrote to memory of 800 1264 lfllxfl.exe 42 PID 1264 wrote to memory of 800 1264 lfllxfl.exe 42 PID 800 wrote to memory of 1932 800 fxrrffr.exe 43 PID 800 wrote to memory of 1932 800 fxrrffr.exe 43 PID 800 wrote to memory of 1932 800 fxrrffr.exe 43 PID 800 wrote to memory of 1932 800 fxrrffr.exe 43 PID 1932 wrote to memory of 2868 1932 vpdjv.exe 44 PID 1932 wrote to memory of 2868 1932 vpdjv.exe 44 PID 1932 wrote to memory of 2868 1932 vpdjv.exe 44 PID 1932 wrote to memory of 2868 1932 vpdjv.exe 44 PID 2868 wrote to memory of 1060 2868 rllrrxf.exe 45 PID 2868 wrote to memory of 1060 2868 rllrrxf.exe 45 PID 2868 wrote to memory of 1060 2868 rllrrxf.exe 45 PID 2868 wrote to memory of 1060 2868 rllrrxf.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\249fef9b379b6ccd1c545b13916c18a957ca3900fe118920b68f863f57d88e08.exe"C:\Users\Admin\AppData\Local\Temp\249fef9b379b6ccd1c545b13916c18a957ca3900fe118920b68f863f57d88e08.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3012 -
\??\c:\nhbnbh.exec:\nhbnbh.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2556 -
\??\c:\thbhtn.exec:\thbhtn.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3068 -
\??\c:\nnhnht.exec:\nnhnht.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2416 -
\??\c:\jjdjv.exec:\jjdjv.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2316 -
\??\c:\tthhhn.exec:\tthhhn.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2896 -
\??\c:\3djpd.exec:\3djpd.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3020 -
\??\c:\llffxxr.exec:\llffxxr.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2792 -
\??\c:\xlffrxl.exec:\xlffrxl.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2768 -
\??\c:\xxrfllr.exec:\xxrfllr.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2644 -
\??\c:\5xllrxr.exec:\5xllrxr.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2800 -
\??\c:\1llfrxr.exec:\1llfrxr.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2164 -
\??\c:\lfllxfl.exec:\lfllxfl.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1264 -
\??\c:\fxrrffr.exec:\fxrrffr.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:800 -
\??\c:\vpdjv.exec:\vpdjv.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1932 -
\??\c:\rllrrxf.exec:\rllrrxf.exe16⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2868 -
\??\c:\vvpvj.exec:\vvpvj.exe17⤵
- Executes dropped EXE
PID:1060 -
\??\c:\rlfllfl.exec:\rlfllfl.exe18⤵
- Executes dropped EXE
PID:1832 -
\??\c:\3dppd.exec:\3dppd.exe19⤵
- Executes dropped EXE
PID:1772 -
\??\c:\rrrrxfr.exec:\rrrrxfr.exe20⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2268 -
\??\c:\jjpvd.exec:\jjpvd.exe21⤵
- Executes dropped EXE
PID:1244 -
\??\c:\pjdpd.exec:\pjdpd.exe22⤵
- Executes dropped EXE
PID:996 -
\??\c:\pjvvv.exec:\pjvvv.exe23⤵
- Executes dropped EXE
PID:1684 -
\??\c:\3jddj.exec:\3jddj.exe24⤵
- Executes dropped EXE
PID:2528 -
\??\c:\htbhnn.exec:\htbhnn.exe25⤵
- Executes dropped EXE
PID:1084 -
\??\c:\dpjdp.exec:\dpjdp.exe26⤵
- Executes dropped EXE
PID:2084 -
\??\c:\rlxflxl.exec:\rlxflxl.exe27⤵
- Executes dropped EXE
PID:2276 -
\??\c:\nbbbhh.exec:\nbbbhh.exe28⤵
- Executes dropped EXE
PID:2512 -
\??\c:\nttthh.exec:\nttthh.exe29⤵
- Executes dropped EXE
PID:860 -
\??\c:\ddpvv.exec:\ddpvv.exe30⤵
- Executes dropped EXE
PID:880 -
\??\c:\rlrxffl.exec:\rlrxffl.exe31⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1856 -
\??\c:\tnnnnt.exec:\tnnnnt.exe32⤵
- Executes dropped EXE
PID:2436 -
\??\c:\frxrrrr.exec:\frxrrrr.exe33⤵
- Executes dropped EXE
PID:1444 -
\??\c:\tthnbb.exec:\tthnbb.exe34⤵
- Executes dropped EXE
PID:316 -
\??\c:\pjddv.exec:\pjddv.exe35⤵
- Executes dropped EXE
PID:2368 -
\??\c:\3xxxfll.exec:\3xxxfll.exe36⤵
- Executes dropped EXE
PID:2272 -
\??\c:\fxrrrrx.exec:\fxrrrrx.exe37⤵
- Executes dropped EXE
PID:2780 -
\??\c:\hbnnbb.exec:\hbnnbb.exe38⤵
- Executes dropped EXE
PID:2916 -
\??\c:\vvpvd.exec:\vvpvd.exe39⤵
- Executes dropped EXE
PID:2960 -
\??\c:\dvppd.exec:\dvppd.exe40⤵
- Executes dropped EXE
PID:2956 -
\??\c:\rlxxlfl.exec:\rlxxlfl.exe41⤵
- Executes dropped EXE
PID:2872 -
\??\c:\hbnnbh.exec:\hbnnbh.exe42⤵
- Executes dropped EXE
PID:2792 -
\??\c:\9dddp.exec:\9dddp.exe43⤵
- Executes dropped EXE
PID:2652 -
\??\c:\1xxrflx.exec:\1xxrflx.exe44⤵
- Executes dropped EXE
PID:2804 -
\??\c:\9xfflxx.exec:\9xfflxx.exe45⤵
- Executes dropped EXE
PID:1872 -
\??\c:\tnbbhh.exec:\tnbbhh.exe46⤵
- Executes dropped EXE
PID:2860 -
\??\c:\jjjpd.exec:\jjjpd.exe47⤵
- Executes dropped EXE
PID:1812 -
\??\c:\pdvdj.exec:\pdvdj.exe48⤵
- Executes dropped EXE
PID:2204 -
\??\c:\lxrxxxx.exec:\lxrxxxx.exe49⤵
- Executes dropped EXE
PID:2832 -
\??\c:\hhbbnn.exec:\hhbbnn.exe50⤵
- Executes dropped EXE
PID:3004 -
\??\c:\hthnbh.exec:\hthnbh.exe51⤵
- Executes dropped EXE
PID:2844 -
\??\c:\jjdjv.exec:\jjdjv.exe52⤵
- Executes dropped EXE
PID:1932 -
\??\c:\lflxxfr.exec:\lflxxfr.exe53⤵
- Executes dropped EXE
PID:1052 -
\??\c:\rlxxxxf.exec:\rlxxxxf.exe54⤵
- Executes dropped EXE
PID:1720 -
\??\c:\thbbhn.exec:\thbbhn.exe55⤵
- Executes dropped EXE
PID:1060 -
\??\c:\pjvpv.exec:\pjvpv.exe56⤵
- Executes dropped EXE
PID:2032 -
\??\c:\dpjpv.exec:\dpjpv.exe57⤵
- Executes dropped EXE
PID:2344 -
\??\c:\9xrlrxl.exec:\9xrlrxl.exe58⤵
- Executes dropped EXE
PID:2072 -
\??\c:\ntntbn.exec:\ntntbn.exe59⤵
- Executes dropped EXE
PID:2984 -
\??\c:\bnbtbb.exec:\bnbtbb.exe60⤵
- Executes dropped EXE
PID:872 -
\??\c:\vvppv.exec:\vvppv.exe61⤵
- Executes dropped EXE
PID:1308 -
\??\c:\pjvjp.exec:\pjvjp.exe62⤵
- Executes dropped EXE
PID:2080 -
\??\c:\9fflrxr.exec:\9fflrxr.exe63⤵
- Executes dropped EXE
PID:3048 -
\??\c:\nhbntb.exec:\nhbntb.exe64⤵
- Executes dropped EXE
PID:1348 -
\??\c:\vjvdj.exec:\vjvdj.exe65⤵
- Executes dropped EXE
PID:1084 -
\??\c:\pdvdp.exec:\pdvdp.exe66⤵PID:612
-
\??\c:\rlflxxf.exec:\rlflxxf.exe67⤵PID:2208
-
\??\c:\1bnhnt.exec:\1bnhnt.exe68⤵PID:2352
-
\??\c:\hhtbhh.exec:\hhtbhh.exe69⤵PID:780
-
\??\c:\dvpvj.exec:\dvpvj.exe70⤵PID:2132
-
\??\c:\xrlxxfx.exec:\xrlxxfx.exe71⤵PID:772
-
\??\c:\xrffllx.exec:\xrffllx.exe72⤵PID:2256
-
\??\c:\bbttbb.exec:\bbttbb.exe73⤵PID:2408
-
\??\c:\1hbnbb.exec:\1hbnbb.exe74⤵
- System Location Discovery: System Language Discovery
PID:1584 -
\??\c:\jdvvd.exec:\jdvvd.exe75⤵PID:2436
-
\??\c:\fxxxfxf.exec:\fxxxfxf.exe76⤵PID:1816
-
\??\c:\9lxxffr.exec:\9lxxffr.exe77⤵PID:2364
-
\??\c:\ttnbbb.exec:\ttnbbb.exe78⤵PID:2368
-
\??\c:\jjjvd.exec:\jjjvd.exe79⤵PID:1620
-
\??\c:\xfxfflx.exec:\xfxfflx.exe80⤵PID:2780
-
\??\c:\nbnthn.exec:\nbnthn.exe81⤵PID:2896
-
\??\c:\btnntb.exec:\btnntb.exe82⤵PID:2748
-
\??\c:\7pjjp.exec:\7pjjp.exe83⤵PID:2976
-
\??\c:\lfxxflx.exec:\lfxxflx.exe84⤵PID:2656
-
\??\c:\xxrrxxr.exec:\xxrrxxr.exe85⤵PID:2768
-
\??\c:\nhtbnt.exec:\nhtbnt.exe86⤵PID:2704
-
\??\c:\jjjvd.exec:\jjjvd.exe87⤵PID:2940
-
\??\c:\ffrfllr.exec:\ffrfllr.exe88⤵PID:1536
-
\??\c:\xxrrffr.exec:\xxrrffr.exe89⤵PID:1324
-
\??\c:\1bthnt.exec:\1bthnt.exe90⤵PID:2836
-
\??\c:\vpppd.exec:\vpppd.exe91⤵PID:1264
-
\??\c:\9jddj.exec:\9jddj.exe92⤵PID:2820
-
\??\c:\rlflxfr.exec:\rlflxfr.exe93⤵PID:2848
-
\??\c:\bbbbnn.exec:\bbbbnn.exe94⤵PID:1940
-
\??\c:\ttnbht.exec:\ttnbht.exe95⤵PID:2972
-
\??\c:\pjvjv.exec:\pjvjv.exe96⤵PID:2044
-
\??\c:\lllxfrr.exec:\lllxfrr.exe97⤵PID:1088
-
\??\c:\9lrxffl.exec:\9lrxffl.exe98⤵PID:2088
-
\??\c:\htbtbn.exec:\htbtbn.exe99⤵PID:1796
-
\??\c:\ppdjp.exec:\ppdjp.exe100⤵PID:1500
-
\??\c:\7ffrffr.exec:\7ffrffr.exe101⤵PID:2268
-
\??\c:\3fxxffl.exec:\3fxxffl.exe102⤵PID:2112
-
\??\c:\1bhnbh.exec:\1bhnbh.exe103⤵PID:284
-
\??\c:\pdpdp.exec:\pdpdp.exe104⤵PID:916
-
\??\c:\fxlrxxl.exec:\fxlrxxl.exe105⤵PID:3040
-
\??\c:\7rfxrxf.exec:\7rfxrxf.exe106⤵PID:2992
-
\??\c:\nhtbtb.exec:\nhtbtb.exe107⤵PID:1348
-
\??\c:\pjdvv.exec:\pjdvv.exe108⤵PID:1676
-
\??\c:\7rrrxxf.exec:\7rrrxxf.exe109⤵PID:2248
-
\??\c:\rrfflfl.exec:\rrfflfl.exe110⤵PID:2432
-
\??\c:\7httbh.exec:\7httbh.exe111⤵PID:1280
-
\??\c:\ppjjp.exec:\ppjjp.exe112⤵PID:780
-
\??\c:\9dvdp.exec:\9dvdp.exe113⤵PID:2132
-
\??\c:\llxfxfx.exec:\llxfxfx.exe114⤵PID:1808
-
\??\c:\tbbbnt.exec:\tbbbnt.exe115⤵PID:2256
-
\??\c:\1nttbh.exec:\1nttbh.exe116⤵PID:1616
-
\??\c:\3jjpd.exec:\3jjpd.exe117⤵PID:2608
-
\??\c:\lfxfllx.exec:\lfxfllx.exe118⤵PID:2436
-
\??\c:\lfxfrrf.exec:\lfxfrrf.exe119⤵PID:1736
-
\??\c:\btntht.exec:\btntht.exe120⤵PID:1824
-
\??\c:\jjvpv.exec:\jjvpv.exe121⤵PID:2148
-
\??\c:\rxfrxlr.exec:\rxfrxlr.exe122⤵PID:2272