Analysis
-
max time kernel
150s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
submitted
19-12-2024 06:49
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
f35dc90d8ee743e025e2323e95414df64906ad01095dba41f99880b4a5ffe076.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
150 seconds
General
-
Target
f35dc90d8ee743e025e2323e95414df64906ad01095dba41f99880b4a5ffe076.exe
-
Size
453KB
-
MD5
88e4c6874275afbaac76d29f0fb4daa5
-
SHA1
3e5cab8047fc7e3c2eb5022d7b7b6a1c1a17e961
-
SHA256
f35dc90d8ee743e025e2323e95414df64906ad01095dba41f99880b4a5ffe076
-
SHA512
f9a96c0213be0e76193c9c64d76febb2ed43ce72a1c1dd2ec39077d20706449423d1a0026c936bd4b7527ce18281ea11772e9bad34845d91a567c053b280cd94
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeB:q7Tc2NYHUrAwfMp3CDB
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 46 IoCs
resource yara_rule behavioral1/memory/1976-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2520-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2316-26-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2316-28-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1864-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2748-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2172-55-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2800-64-0x00000000005C0000-0x00000000005EA000-memory.dmp family_blackmoon behavioral1/memory/2672-68-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2800-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2848-85-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2632-105-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2624-103-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2228-120-0x0000000000230000-0x000000000025A000-memory.dmp family_blackmoon behavioral1/memory/1672-124-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2228-122-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1740-141-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1596-150-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1648-160-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2876-195-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1588-214-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/264-262-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/264-260-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/752-281-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2512-302-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2988-328-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2768-341-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2800-355-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2684-362-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2220-369-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3020-378-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2600-392-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2972-483-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1796-498-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2244-555-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2712-605-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2728-639-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/1708-670-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2860-894-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2688-926-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1760-997-0x0000000001C80000-0x0000000001CAA000-memory.dmp family_blackmoon behavioral1/memory/1504-1100-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon 
behavioral1/memory/1504-1099-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2764-1166-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2612-1199-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/1348-1251-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2520 ffffxfx.exe 2316 thnttn.exe 1864 htnhbn.exe 2748 vpdvd.exe 2172 nnnnht.exe 2800 xxflffx.exe 2672 nhhtnh.exe 2848 7dpvp.exe 2872 7ffrfxl.exe 2624 htbbbt.exe 2632 llxfrxx.exe 2228 xxrfxlr.exe 1672 5vpjp.exe 1740 lxxxfxl.exe 1596 hbnbnb.exe 1648 rxxlxfx.exe 2004 bbnhbn.exe 1944 ddvpd.exe 2788 frrrrrx.exe 1480 1nnhhn.exe 2876 xrxxfrx.exe 2960 fffrlxr.exe 1588 ddppd.exe 2428 vpppv.exe 1996 7tnnnb.exe 1744 djjdp.exe 576 rrllxxf.exe 264 nbhtth.exe 2956 xrllxrf.exe 2868 nhtttn.exe 752 bthhnt.exe 1976 nnbbhh.exe 2512 lxfxxfx.exe 1812 3ntbbt.exe 2120 jjdpd.exe 2484 rrlrlrf.exe 2988 rxrfrxl.exe 1920 tbnhhh.exe 2768 vpdvd.exe 2724 7llllrr.exe 2800 hthbbb.exe 2684 jjjvj.exe 2220 5fxflrx.exe 3020 ntthth.exe 2580 nbhbhb.exe 2600 jvjdj.exe 1532 1frlfff.exe 1636 nnhbnt.exe 1672 9vjpv.exe 600 rxrxrfr.exe 1904 5flrrfl.exe 1908 5hnnhn.exe 2460 jjdjv.exe 1348 lfxrflr.exe 1388 rrrrxlf.exe 2880 tbbhbh.exe 2556 vddpd.exe 1776 jjjpj.exe 1480 rlrrlfx.exe 2972 nhbhbb.exe 2784 nbbtbt.exe 1796 9llrxxf.exe 1948 fllxrff.exe 960 tbttbn.exe -
resource yara_rule behavioral1/memory/1976-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2316-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2520-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2316-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1864-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2748-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2172-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2672-68-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2800-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2848-85-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2632-105-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2624-103-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1672-124-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2228-122-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1740-141-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1596-142-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1596-150-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1648-160-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1944-176-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2876-195-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1588-214-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2956-264-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/264-262-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/752-281-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2512-302-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2988-328-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2768-341-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2800-348-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2800-355-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2684-362-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2220-369-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3020-378-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2600-392-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1904-420-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2460-433-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1480-496-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1796-498-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1372-524-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2244-555-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2712-605-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1708-670-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2184-736-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3000-821-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2220-907-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1968-946-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2020-972-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1760-997-0x0000000001C80000-0x0000000001CAA000-memory.dmp upx behavioral1/memory/1504-1099-0x00000000001B0000-0x00000000001DA000-memory.dmp upx 
behavioral1/memory/2764-1166-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2064-1267-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2424-1280-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2424-1301-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvppj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7frrxfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhhthn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddvpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffxflxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9tthtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pppdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5rxlflf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbhbbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process 
not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1htbhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fffrlxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llflxff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1976 wrote to memory of 2520 1976 f35dc90d8ee743e025e2323e95414df64906ad01095dba41f99880b4a5ffe076.exe 30 PID 1976 wrote to memory of 2520 1976 f35dc90d8ee743e025e2323e95414df64906ad01095dba41f99880b4a5ffe076.exe 30 PID 1976 wrote to memory of 2520 1976 f35dc90d8ee743e025e2323e95414df64906ad01095dba41f99880b4a5ffe076.exe 30 PID 1976 wrote to memory of 2520 1976 f35dc90d8ee743e025e2323e95414df64906ad01095dba41f99880b4a5ffe076.exe 30 PID 2520 wrote to memory of 2316 2520 ffffxfx.exe 31 PID 2520 wrote to memory of 2316 2520 ffffxfx.exe 31 PID 2520 wrote to memory of 2316 2520 ffffxfx.exe 31 PID 2520 wrote to memory of 2316 2520 ffffxfx.exe 31 PID 2316 wrote to memory of 1864 2316 thnttn.exe 32 PID 2316 wrote to memory of 1864 2316 thnttn.exe 32 PID 2316 wrote to memory of 1864 2316 thnttn.exe 32 PID 2316 wrote to memory of 1864 2316 thnttn.exe 32 PID 1864 wrote to memory of 2748 1864 htnhbn.exe 33 PID 1864 wrote to memory of 2748 1864 htnhbn.exe 33 PID 1864 wrote to memory of 2748 1864 htnhbn.exe 33 PID 1864 wrote to memory of 2748 1864 htnhbn.exe 33 PID 2748 wrote to memory of 2172 2748 vpdvd.exe 34 PID 2748 wrote to memory of 2172 2748 vpdvd.exe 34 PID 2748 wrote to memory of 2172 2748 vpdvd.exe 34 PID 2748 wrote to memory of 2172 2748 vpdvd.exe 34 PID 2172 wrote to memory of 2800 2172 nnnnht.exe 35 PID 2172 wrote to memory of 2800 2172 nnnnht.exe 35 PID 2172 wrote to memory of 2800 2172 nnnnht.exe 35 PID 2172 wrote to memory of 2800 2172 nnnnht.exe 35 PID 2800 wrote to memory of 2672 2800 xxflffx.exe 36 PID 2800 wrote to memory of 2672 2800 xxflffx.exe 36 PID 2800 wrote to memory of 2672 2800 xxflffx.exe 36 PID 2800 wrote to memory of 2672 2800 xxflffx.exe 36 PID 2672 wrote to memory of 2848 2672 nhhtnh.exe 37 PID 2672 wrote to memory of 2848 2672 nhhtnh.exe 37 PID 2672 wrote to memory of 2848 2672 nhhtnh.exe 37 PID 2672 wrote to memory of 2848 2672 nhhtnh.exe 37 PID 2848 wrote to memory of 2872 2848 7dpvp.exe 38 PID 2848 
wrote to memory of 2872 2848 7dpvp.exe 38 PID 2848 wrote to memory of 2872 2848 7dpvp.exe 38 PID 2848 wrote to memory of 2872 2848 7dpvp.exe 38 PID 2872 wrote to memory of 2624 2872 7ffrfxl.exe 39 PID 2872 wrote to memory of 2624 2872 7ffrfxl.exe 39 PID 2872 wrote to memory of 2624 2872 7ffrfxl.exe 39 PID 2872 wrote to memory of 2624 2872 7ffrfxl.exe 39 PID 2624 wrote to memory of 2632 2624 htbbbt.exe 40 PID 2624 wrote to memory of 2632 2624 htbbbt.exe 40 PID 2624 wrote to memory of 2632 2624 htbbbt.exe 40 PID 2624 wrote to memory of 2632 2624 htbbbt.exe 40 PID 2632 wrote to memory of 2228 2632 llxfrxx.exe 41 PID 2632 wrote to memory of 2228 2632 llxfrxx.exe 41 PID 2632 wrote to memory of 2228 2632 llxfrxx.exe 41 PID 2632 wrote to memory of 2228 2632 llxfrxx.exe 41 PID 2228 wrote to memory of 1672 2228 xxrfxlr.exe 42 PID 2228 wrote to memory of 1672 2228 xxrfxlr.exe 42 PID 2228 wrote to memory of 1672 2228 xxrfxlr.exe 42 PID 2228 wrote to memory of 1672 2228 xxrfxlr.exe 42 PID 1672 wrote to memory of 1740 1672 5vpjp.exe 43 PID 1672 wrote to memory of 1740 1672 5vpjp.exe 43 PID 1672 wrote to memory of 1740 1672 5vpjp.exe 43 PID 1672 wrote to memory of 1740 1672 5vpjp.exe 43 PID 1740 wrote to memory of 1596 1740 lxxxfxl.exe 44 PID 1740 wrote to memory of 1596 1740 lxxxfxl.exe 44 PID 1740 wrote to memory of 1596 1740 lxxxfxl.exe 44 PID 1740 wrote to memory of 1596 1740 lxxxfxl.exe 44 PID 1596 wrote to memory of 1648 1596 hbnbnb.exe 45 PID 1596 wrote to memory of 1648 1596 hbnbnb.exe 45 PID 1596 wrote to memory of 1648 1596 hbnbnb.exe 45 PID 1596 wrote to memory of 1648 1596 hbnbnb.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\f35dc90d8ee743e025e2323e95414df64906ad01095dba41f99880b4a5ffe076.exe"C:\Users\Admin\AppData\Local\Temp\f35dc90d8ee743e025e2323e95414df64906ad01095dba41f99880b4a5ffe076.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1976 -
\??\c:\ffffxfx.exec:\ffffxfx.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2520 -
\??\c:\thnttn.exec:\thnttn.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2316 -
\??\c:\htnhbn.exec:\htnhbn.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1864 -
\??\c:\vpdvd.exec:\vpdvd.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2748 -
\??\c:\nnnnht.exec:\nnnnht.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2172 -
\??\c:\xxflffx.exec:\xxflffx.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2800 -
\??\c:\nhhtnh.exec:\nhhtnh.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2672 -
\??\c:\7dpvp.exec:\7dpvp.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2848 -
\??\c:\7ffrfxl.exec:\7ffrfxl.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2872 -
\??\c:\htbbbt.exec:\htbbbt.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2624 -
\??\c:\llxfrxx.exec:\llxfrxx.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2632 -
\??\c:\xxrfxlr.exec:\xxrfxlr.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2228 -
\??\c:\5vpjp.exec:\5vpjp.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1672 -
\??\c:\lxxxfxl.exec:\lxxxfxl.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1740 -
\??\c:\hbnbnb.exec:\hbnbnb.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1596 -
\??\c:\rxxlxfx.exec:\rxxlxfx.exe17⤵
- Executes dropped EXE
PID:1648 -
\??\c:\bbnhbn.exec:\bbnhbn.exe18⤵
- Executes dropped EXE
PID:2004 -
\??\c:\ddvpd.exec:\ddvpd.exe19⤵
- Executes dropped EXE
PID:1944 -
\??\c:\frrrrrx.exec:\frrrrrx.exe20⤵
- Executes dropped EXE
PID:2788 -
\??\c:\1nnhhn.exec:\1nnhhn.exe21⤵
- Executes dropped EXE
PID:1480 -
\??\c:\xrxxfrx.exec:\xrxxfrx.exe22⤵
- Executes dropped EXE
PID:2876 -
\??\c:\fffrlxr.exec:\fffrlxr.exe23⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2960 -
\??\c:\ddppd.exec:\ddppd.exe24⤵
- Executes dropped EXE
PID:1588 -
\??\c:\vpppv.exec:\vpppv.exe25⤵
- Executes dropped EXE
PID:2428 -
\??\c:\7tnnnb.exec:\7tnnnb.exe26⤵
- Executes dropped EXE
PID:1996 -
\??\c:\djjdp.exec:\djjdp.exe27⤵
- Executes dropped EXE
PID:1744 -
\??\c:\rrllxxf.exec:\rrllxxf.exe28⤵
- Executes dropped EXE
PID:576 -
\??\c:\nbhtth.exec:\nbhtth.exe29⤵
- Executes dropped EXE
PID:264 -
\??\c:\xrllxrf.exec:\xrllxrf.exe30⤵
- Executes dropped EXE
PID:2956 -
\??\c:\nhtttn.exec:\nhtttn.exe31⤵
- Executes dropped EXE
PID:2868 -
\??\c:\bthhnt.exec:\bthhnt.exe32⤵
- Executes dropped EXE
PID:752 -
\??\c:\nnbbhh.exec:\nnbbhh.exe33⤵
- Executes dropped EXE
PID:1976 -
\??\c:\lxfxxfx.exec:\lxfxxfx.exe34⤵
- Executes dropped EXE
PID:2512 -
\??\c:\3ntbbt.exec:\3ntbbt.exe35⤵
- Executes dropped EXE
PID:1812 -
\??\c:\jjdpd.exec:\jjdpd.exe36⤵
- Executes dropped EXE
PID:2120 -
\??\c:\rrlrlrf.exec:\rrlrlrf.exe37⤵
- Executes dropped EXE
PID:2484 -
\??\c:\rxrfrxl.exec:\rxrfrxl.exe38⤵
- Executes dropped EXE
PID:2988 -
\??\c:\tbnhhh.exec:\tbnhhh.exe39⤵
- Executes dropped EXE
PID:1920 -
\??\c:\vpdvd.exec:\vpdvd.exe40⤵
- Executes dropped EXE
PID:2768 -
\??\c:\7llllrr.exec:\7llllrr.exe41⤵
- Executes dropped EXE
PID:2724 -
\??\c:\hthbbb.exec:\hthbbb.exe42⤵
- Executes dropped EXE
PID:2800 -
\??\c:\jjjvj.exec:\jjjvj.exe43⤵
- Executes dropped EXE
PID:2684 -
\??\c:\5fxflrx.exec:\5fxflrx.exe44⤵
- Executes dropped EXE
PID:2220 -
\??\c:\ntthth.exec:\ntthth.exe45⤵
- Executes dropped EXE
PID:3020 -
\??\c:\nbhbhb.exec:\nbhbhb.exe46⤵
- Executes dropped EXE
PID:2580 -
\??\c:\jvjdj.exec:\jvjdj.exe47⤵
- Executes dropped EXE
PID:2600 -
\??\c:\1frlfff.exec:\1frlfff.exe48⤵
- Executes dropped EXE
PID:1532 -
\??\c:\nnhbnt.exec:\nnhbnt.exe49⤵
- Executes dropped EXE
PID:1636 -
\??\c:\9vjpv.exec:\9vjpv.exe50⤵
- Executes dropped EXE
PID:1672 -
\??\c:\rxrxrfr.exec:\rxrxrfr.exe51⤵
- Executes dropped EXE
PID:600 -
\??\c:\5flrrfl.exec:\5flrrfl.exe52⤵
- Executes dropped EXE
PID:1904 -
\??\c:\5hnnhn.exec:\5hnnhn.exe53⤵
- Executes dropped EXE
PID:1908 -
\??\c:\jjdjv.exec:\jjdjv.exe54⤵
- Executes dropped EXE
PID:2460 -
\??\c:\lfxrflr.exec:\lfxrflr.exe55⤵
- Executes dropped EXE
PID:1348 -
\??\c:\rrrrxlf.exec:\rrrrxlf.exe56⤵
- Executes dropped EXE
PID:1388 -
\??\c:\tbbhbh.exec:\tbbhbh.exe57⤵
- Executes dropped EXE
PID:2880 -
\??\c:\vddpd.exec:\vddpd.exe58⤵
- Executes dropped EXE
PID:2556 -
\??\c:\jjjpj.exec:\jjjpj.exe59⤵
- Executes dropped EXE
PID:1776 -
\??\c:\rlrrlfx.exec:\rlrrlfx.exe60⤵
- Executes dropped EXE
PID:1480 -
\??\c:\nhbhbb.exec:\nhbhbb.exe61⤵
- Executes dropped EXE
PID:2972 -
\??\c:\nbbtbt.exec:\nbbtbt.exe62⤵
- Executes dropped EXE
PID:2784 -
\??\c:\9llrxxf.exec:\9llrxxf.exe63⤵
- Executes dropped EXE
PID:1796 -
\??\c:\fllxrff.exec:\fllxrff.exe64⤵
- Executes dropped EXE
PID:1948 -
\??\c:\tbttbn.exec:\tbttbn.exe65⤵
- Executes dropped EXE
PID:960 -
\??\c:\jvvjv.exec:\jvvjv.exe66⤵PID:1744
-
\??\c:\lrfrxfr.exec:\lrfrxfr.exe67⤵PID:2360
-
\??\c:\xrfxlrf.exec:\xrfxlrf.exe68⤵PID:1372
-
\??\c:\bbtnth.exec:\bbtnth.exe69⤵PID:2940
-
\??\c:\vjdpj.exec:\vjdpj.exe70⤵PID:2252
-
\??\c:\ffrxlrf.exec:\ffrxlrf.exe71⤵PID:1888
-
\??\c:\xrfrxxf.exec:\xrfrxxf.exe72⤵PID:2244
-
\??\c:\nttthb.exec:\nttthb.exe73⤵PID:1044
-
\??\c:\dvpvj.exec:\dvpvj.exe74⤵PID:2008
-
\??\c:\llflfrr.exec:\llflfrr.exe75⤵PID:2492
-
\??\c:\ntbhnb.exec:\ntbhnb.exe76⤵PID:2068
-
\??\c:\bhbhth.exec:\bhbhth.exe77⤵PID:2388
-
\??\c:\pdpdv.exec:\pdpdv.exe78⤵PID:2852
-
\??\c:\7frrxfl.exec:\7frrxfl.exe79⤵
- System Location Discovery: System Language Discovery
PID:2888 -
\??\c:\hhbhtt.exec:\hhbhtt.exe80⤵PID:2712
-
\??\c:\bttbth.exec:\bttbth.exe81⤵PID:3056
-
\??\c:\pjjpp.exec:\pjjpp.exe82⤵PID:2796
-
\??\c:\rrrffrf.exec:\rrrffrf.exe83⤵PID:2700
-
\??\c:\bbbnhn.exec:\bbbnhn.exe84⤵PID:2672
-
\??\c:\dpdvj.exec:\dpdvj.exe85⤵PID:2792
-
\??\c:\5frrfxr.exec:\5frrfxr.exe86⤵PID:2728
-
\??\c:\xflrfxx.exec:\xflrfxx.exe87⤵PID:2568
-
\??\c:\tbtnbt.exec:\tbtnbt.exe88⤵PID:1708
-
\??\c:\dvppd.exec:\dvppd.exe89⤵PID:2632
-
\??\c:\1rrflrr.exec:\1rrflrr.exe90⤵PID:2600
-
\??\c:\bnhthn.exec:\bnhthn.exe91⤵PID:2992
-
\??\c:\7hnbnt.exec:\7hnbnt.exe92⤵PID:2456
-
\??\c:\vvvdp.exec:\vvvdp.exe93⤵PID:396
-
\??\c:\xxllxfl.exec:\xxllxfl.exe94⤵PID:1784
-
\??\c:\ttntnt.exec:\ttntnt.exe95⤵PID:1352
-
\??\c:\jpjdv.exec:\jpjdv.exe96⤵PID:1248
-
\??\c:\fflrxrx.exec:\fflrxrx.exe97⤵PID:1076
-
\??\c:\ffxxrrf.exec:\ffxxrrf.exe98⤵PID:1548
-
\??\c:\tbbtbn.exec:\tbbtbn.exe99⤵PID:1156
-
\??\c:\vdppv.exec:\vdppv.exe100⤵PID:2012
-
\??\c:\lflrlxf.exec:\lflrlxf.exe101⤵PID:2424
-
\??\c:\bbntbb.exec:\bbntbb.exe102⤵PID:2184
-
\??\c:\bhnhtn.exec:\bhnhtn.exe103⤵PID:2192
-
\??\c:\5vpdd.exec:\5vpdd.exe104⤵PID:2152
-
\??\c:\rrlfxfx.exec:\rrlfxfx.exe105⤵PID:2960
-
\??\c:\nnttht.exec:\nnttht.exe106⤵PID:1208
-
\??\c:\hbtnhh.exec:\hbtnhh.exe107⤵PID:844
-
\??\c:\pvppv.exec:\pvppv.exe108⤵PID:664
-
\??\c:\9frllfx.exec:\9frllfx.exe109⤵PID:1336
-
\??\c:\hntnth.exec:\hntnth.exe110⤵PID:1744
-
\??\c:\nbtbht.exec:\nbtbht.exe111⤵PID:2360
-
\??\c:\jjjjv.exec:\jjjjv.exe112⤵PID:1640
-
\??\c:\3rflxrf.exec:\3rflxrf.exe113⤵PID:2332
-
\??\c:\ttnthn.exec:\ttnthn.exe114⤵PID:2956
-
\??\c:\bnhhnh.exec:\bnhhnh.exe115⤵PID:2400
-
\??\c:\vvpvj.exec:\vvpvj.exe116⤵PID:3000
-
\??\c:\5xxlxrf.exec:\5xxlxrf.exe117⤵PID:2496
-
\??\c:\nnbhtn.exec:\nnbhtn.exe118⤵PID:1600
-
\??\c:\tnntnh.exec:\tnntnh.exe119⤵PID:2240
-
\??\c:\lrrffrr.exec:\lrrffrr.exe120⤵PID:1616
-
\??\c:\hnbnnn.exec:\hnbnnn.exe121⤵PID:2296
-
\??\c:\jpjvj.exec:\jpjvj.exe122⤵PID:1124
-