Analysis
-
max time kernel
150s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
23-12-2024 05:02
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
facb57411b3685914525d0e7afa0fd974987faebd1d91aed2ab1cff47fad3eeb.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
150 seconds
General
-
Target
facb57411b3685914525d0e7afa0fd974987faebd1d91aed2ab1cff47fad3eeb.exe
-
Size
453KB
-
MD5
0fe2187cb558d7370cf21c3d181fce54
-
SHA1
d0e83b3b3278cb34ca72d963c9e25274f89e3790
-
SHA256
facb57411b3685914525d0e7afa0fd974987faebd1d91aed2ab1cff47fad3eeb
-
SHA512
2f5fc673b3ef95ee5c3ccc6f0524eab6f34a456a3bfe2a100f84e6e74a4d7bd6ac96aa93d0b5043505428c9b42555847a3ceb3351ad4df54b14b4051c0d8b892
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeV:q7Tc2NYHUrAwfMp3CDV
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 43 IoCs
resource yara_rule behavioral1/memory/340-0-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1812-21-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1876-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2460-38-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/336-49-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1096-53-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/2904-78-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2192-88-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2664-96-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2816-114-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2660-123-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2660-122-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1296-156-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1612-173-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/956-240-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2580-267-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2776-340-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1300-405-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/636-418-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1968-431-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1908-480-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2456-315-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1956-292-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/772-283-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2380-256-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/464-229-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1276-219-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1092-209-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1340-182-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2944-144-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2944-142-0x0000000000530000-0x000000000055A000-memory.dmp family_blackmoon behavioral1/memory/3000-134-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3000-132-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1096-58-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1684-560-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2568-559-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2568-557-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/336-589-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2892-610-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2328-640-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/896-736-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/680-769-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/564-782-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1876 bbnnnh.exe 1812 1rxflrf.exe 2460 thtntn.exe 336 fxrfllx.exe 1096 fxlrxrl.exe 2884 5dvvj.exe 2904 rfxlxrx.exe 2192 bnbhbh.exe 2664 dpvdv.exe 2632 lrlrxlx.exe 2816 nbnnnh.exe 2660 7lxxlfl.exe 3000 hhbhtt.exe 2944 pdpdj.exe 1296 7lxrrff.exe 2928 tttthh.exe 1612 vjppp.exe 1340 xrllxxf.exe 2320 hbhntn.exe 2104 vvppv.exe 1092 dvjjp.exe 1276 3tnbnn.exe 464 pjvvd.exe 956 1rflxfx.exe 344 5bnhnh.exe 2380 5bnthh.exe 2580 xffffxf.exe 328 hhtbnt.exe 772 dvjjv.exe 1956 dvpvj.exe 2428 xrfllfl.exe 1320 3nnbnt.exe 2456 hthttt.exe 1484 9lflxxr.exe 2440 xrfxfff.exe 616 1bbtbh.exe 2776 pjvdj.exe 3040 pjdjv.exe 2836 rxlrrxr.exe 2848 hhbhbb.exe 2704 5dpjv.exe 2672 9vjjd.exe 2900 5lfrxfl.exe 2344 ffxlxlx.exe 1132 tbbnhn.exe 2340 vpvdv.exe 1300 9vpdp.exe 3012 rrrfrxl.exe 636 lxxlrll.exe 1296 tthhnn.exe 1968 jjvjv.exe 2864 ddvdv.exe 844 rrlrlrf.exe 2164 bbhbnb.exe 2056 1hbtbb.exe 1292 pdpjd.exe 1472 9vvpp.exe 1236 xlrxlrl.exe 1908 tttnbn.exe 1276 9bnbbh.exe 464 7jvdv.exe 2184 7pvpd.exe 2136 rrlrffr.exe 2116 5bnhnn.exe -
resource yara_rule behavioral1/memory/340-0-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1812-21-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1876-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2460-38-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/336-39-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/336-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2904-78-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2192-88-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2664-96-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2816-114-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2660-122-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1296-156-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1612-173-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/956-240-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2580-267-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2776-340-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2704-360-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2900-374-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1300-405-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/636-418-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1968-431-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1908-480-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2456-315-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1956-292-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/772-283-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/956-230-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/464-229-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1276-219-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1092-209-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1340-182-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2944-144-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3000-134-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1096-58-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1816-545-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2568-557-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2892-610-0x00000000001B0000-0x00000000001DA000-memory.dmp upx behavioral1/memory/2328-640-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1132-653-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/680-762-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/680-769-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/564-782-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1156-789-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1780-803-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2904-876-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9xrrflr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffflrfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvppv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9lxxrxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvjjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbbtbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxfxfxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrffflr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not 
Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lflrxxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbtbhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhbhbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 340 wrote to memory of 1876 340 facb57411b3685914525d0e7afa0fd974987faebd1d91aed2ab1cff47fad3eeb.exe 30 PID 340 wrote to memory of 1876 340 facb57411b3685914525d0e7afa0fd974987faebd1d91aed2ab1cff47fad3eeb.exe 30 PID 340 wrote to memory of 1876 340 facb57411b3685914525d0e7afa0fd974987faebd1d91aed2ab1cff47fad3eeb.exe 30 PID 340 wrote to memory of 1876 340 facb57411b3685914525d0e7afa0fd974987faebd1d91aed2ab1cff47fad3eeb.exe 30 PID 1876 wrote to memory of 1812 1876 bbnnnh.exe 31 PID 1876 wrote to memory of 1812 1876 bbnnnh.exe 31 PID 1876 wrote to memory of 1812 1876 bbnnnh.exe 31 PID 1876 wrote to memory of 1812 1876 bbnnnh.exe 31 PID 1812 wrote to memory of 2460 1812 1rxflrf.exe 32 PID 1812 wrote to memory of 2460 1812 1rxflrf.exe 32 PID 1812 wrote to memory of 2460 1812 1rxflrf.exe 32 PID 1812 wrote to memory of 2460 1812 1rxflrf.exe 32 PID 2460 wrote to memory of 336 2460 thtntn.exe 33 PID 2460 wrote to memory of 336 2460 thtntn.exe 33 PID 2460 wrote to memory of 336 2460 thtntn.exe 33 PID 2460 wrote to memory of 336 2460 thtntn.exe 33 PID 336 wrote to memory of 1096 336 fxrfllx.exe 34 PID 336 wrote to memory of 1096 336 fxrfllx.exe 34 PID 336 wrote to memory of 1096 336 fxrfllx.exe 34 PID 336 wrote to memory of 1096 336 fxrfllx.exe 34 PID 1096 wrote to memory of 2884 1096 fxlrxrl.exe 35 PID 1096 wrote to memory of 2884 1096 fxlrxrl.exe 35 PID 1096 wrote to memory of 2884 1096 fxlrxrl.exe 35 PID 1096 wrote to memory of 2884 1096 fxlrxrl.exe 35 PID 2884 wrote to memory of 2904 2884 5dvvj.exe 36 PID 2884 wrote to memory of 2904 2884 5dvvj.exe 36 PID 2884 wrote to memory of 2904 2884 5dvvj.exe 36 PID 2884 wrote to memory of 2904 2884 5dvvj.exe 36 PID 2904 wrote to memory of 2192 2904 rfxlxrx.exe 37 PID 2904 wrote to memory of 2192 2904 rfxlxrx.exe 37 PID 2904 wrote to memory of 2192 2904 rfxlxrx.exe 37 PID 2904 wrote to memory of 2192 2904 rfxlxrx.exe 37 PID 2192 wrote to memory of 2664 2192 bnbhbh.exe 38 PID 2192 wrote to 
memory of 2664 2192 bnbhbh.exe 38 PID 2192 wrote to memory of 2664 2192 bnbhbh.exe 38 PID 2192 wrote to memory of 2664 2192 bnbhbh.exe 38 PID 2664 wrote to memory of 2632 2664 dpvdv.exe 39 PID 2664 wrote to memory of 2632 2664 dpvdv.exe 39 PID 2664 wrote to memory of 2632 2664 dpvdv.exe 39 PID 2664 wrote to memory of 2632 2664 dpvdv.exe 39 PID 2632 wrote to memory of 2816 2632 lrlrxlx.exe 40 PID 2632 wrote to memory of 2816 2632 lrlrxlx.exe 40 PID 2632 wrote to memory of 2816 2632 lrlrxlx.exe 40 PID 2632 wrote to memory of 2816 2632 lrlrxlx.exe 40 PID 2816 wrote to memory of 2660 2816 nbnnnh.exe 41 PID 2816 wrote to memory of 2660 2816 nbnnnh.exe 41 PID 2816 wrote to memory of 2660 2816 nbnnnh.exe 41 PID 2816 wrote to memory of 2660 2816 nbnnnh.exe 41 PID 2660 wrote to memory of 3000 2660 7lxxlfl.exe 42 PID 2660 wrote to memory of 3000 2660 7lxxlfl.exe 42 PID 2660 wrote to memory of 3000 2660 7lxxlfl.exe 42 PID 2660 wrote to memory of 3000 2660 7lxxlfl.exe 42 PID 3000 wrote to memory of 2944 3000 hhbhtt.exe 43 PID 3000 wrote to memory of 2944 3000 hhbhtt.exe 43 PID 3000 wrote to memory of 2944 3000 hhbhtt.exe 43 PID 3000 wrote to memory of 2944 3000 hhbhtt.exe 43 PID 2944 wrote to memory of 1296 2944 pdpdj.exe 44 PID 2944 wrote to memory of 1296 2944 pdpdj.exe 44 PID 2944 wrote to memory of 1296 2944 pdpdj.exe 44 PID 2944 wrote to memory of 1296 2944 pdpdj.exe 44 PID 1296 wrote to memory of 2928 1296 7lxrrff.exe 45 PID 1296 wrote to memory of 2928 1296 7lxrrff.exe 45 PID 1296 wrote to memory of 2928 1296 7lxrrff.exe 45 PID 1296 wrote to memory of 2928 1296 7lxrrff.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\facb57411b3685914525d0e7afa0fd974987faebd1d91aed2ab1cff47fad3eeb.exe"C:\Users\Admin\AppData\Local\Temp\facb57411b3685914525d0e7afa0fd974987faebd1d91aed2ab1cff47fad3eeb.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:340 -
\??\c:\bbnnnh.exec:\bbnnnh.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1876 -
\??\c:\1rxflrf.exec:\1rxflrf.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1812 -
\??\c:\thtntn.exec:\thtntn.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2460 -
\??\c:\fxrfllx.exec:\fxrfllx.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:336 -
\??\c:\fxlrxrl.exec:\fxlrxrl.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1096 -
\??\c:\5dvvj.exec:\5dvvj.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2884 -
\??\c:\rfxlxrx.exec:\rfxlxrx.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2904 -
\??\c:\bnbhbh.exec:\bnbhbh.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2192 -
\??\c:\dpvdv.exec:\dpvdv.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2664 -
\??\c:\lrlrxlx.exec:\lrlrxlx.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2632 -
\??\c:\nbnnnh.exec:\nbnnnh.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2816 -
\??\c:\7lxxlfl.exec:\7lxxlfl.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2660 -
\??\c:\hhbhtt.exec:\hhbhtt.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3000 -
\??\c:\pdpdj.exec:\pdpdj.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2944 -
\??\c:\7lxrrff.exec:\7lxrrff.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1296 -
\??\c:\tttthh.exec:\tttthh.exe17⤵
- Executes dropped EXE
PID:2928 -
\??\c:\vjppp.exec:\vjppp.exe18⤵
- Executes dropped EXE
PID:1612 -
\??\c:\xrllxxf.exec:\xrllxxf.exe19⤵
- Executes dropped EXE
PID:1340 -
\??\c:\hbhntn.exec:\hbhntn.exe20⤵
- Executes dropped EXE
PID:2320 -
\??\c:\vvppv.exec:\vvppv.exe21⤵
- Executes dropped EXE
PID:2104 -
\??\c:\dvjjp.exec:\dvjjp.exe22⤵
- Executes dropped EXE
PID:1092 -
\??\c:\3tnbnn.exec:\3tnbnn.exe23⤵
- Executes dropped EXE
PID:1276 -
\??\c:\pjvvd.exec:\pjvvd.exe24⤵
- Executes dropped EXE
PID:464 -
\??\c:\1rflxfx.exec:\1rflxfx.exe25⤵
- Executes dropped EXE
PID:956 -
\??\c:\5bnhnh.exec:\5bnhnh.exe26⤵
- Executes dropped EXE
PID:344 -
\??\c:\5bnthh.exec:\5bnthh.exe27⤵
- Executes dropped EXE
PID:2380 -
\??\c:\xffffxf.exec:\xffffxf.exe28⤵
- Executes dropped EXE
PID:2580 -
\??\c:\hhtbnt.exec:\hhtbnt.exe29⤵
- Executes dropped EXE
PID:328 -
\??\c:\dvjjv.exec:\dvjjv.exe30⤵
- Executes dropped EXE
PID:772 -
\??\c:\dvpvj.exec:\dvpvj.exe31⤵
- Executes dropped EXE
PID:1956 -
\??\c:\xrfllfl.exec:\xrfllfl.exe32⤵
- Executes dropped EXE
PID:2428 -
\??\c:\3nnbnt.exec:\3nnbnt.exe33⤵
- Executes dropped EXE
PID:1320 -
\??\c:\hthttt.exec:\hthttt.exe34⤵
- Executes dropped EXE
PID:2456 -
\??\c:\9lflxxr.exec:\9lflxxr.exe35⤵
- Executes dropped EXE
PID:1484 -
\??\c:\xrfxfff.exec:\xrfxfff.exe36⤵
- Executes dropped EXE
PID:2440 -
\??\c:\1bbtbh.exec:\1bbtbh.exe37⤵
- Executes dropped EXE
PID:616 -
\??\c:\pjvdj.exec:\pjvdj.exe38⤵
- Executes dropped EXE
PID:2776 -
\??\c:\pjdjv.exec:\pjdjv.exe39⤵
- Executes dropped EXE
PID:3040 -
\??\c:\rxlrrxr.exec:\rxlrrxr.exe40⤵
- Executes dropped EXE
PID:2836 -
\??\c:\hhbhbb.exec:\hhbhbb.exe41⤵
- Executes dropped EXE
PID:2848 -
\??\c:\5dpjv.exec:\5dpjv.exe42⤵
- Executes dropped EXE
PID:2704 -
\??\c:\9vjjd.exec:\9vjjd.exe43⤵
- Executes dropped EXE
PID:2672 -
\??\c:\5lfrxfl.exec:\5lfrxfl.exe44⤵
- Executes dropped EXE
PID:2900 -
\??\c:\ffxlxlx.exec:\ffxlxlx.exe45⤵
- Executes dropped EXE
PID:2344 -
\??\c:\tbbnhn.exec:\tbbnhn.exe46⤵
- Executes dropped EXE
PID:1132 -
\??\c:\vpvdv.exec:\vpvdv.exe47⤵
- Executes dropped EXE
PID:2340 -
\??\c:\9vpdp.exec:\9vpdp.exe48⤵
- Executes dropped EXE
PID:1300 -
\??\c:\rrrfrxl.exec:\rrrfrxl.exe49⤵
- Executes dropped EXE
PID:3012 -
\??\c:\lxxlrll.exec:\lxxlrll.exe50⤵
- Executes dropped EXE
PID:636 -
\??\c:\tthhnn.exec:\tthhnn.exe51⤵
- Executes dropped EXE
PID:1296 -
\??\c:\jjvjv.exec:\jjvjv.exe52⤵
- Executes dropped EXE
PID:1968 -
\??\c:\ddvdv.exec:\ddvdv.exe53⤵
- Executes dropped EXE
PID:2864 -
\??\c:\rrlrlrf.exec:\rrlrlrf.exe54⤵
- Executes dropped EXE
PID:844 -
\??\c:\bbhbnb.exec:\bbhbnb.exe55⤵
- Executes dropped EXE
PID:2164 -
\??\c:\1hbtbb.exec:\1hbtbb.exe56⤵
- Executes dropped EXE
PID:2056 -
\??\c:\pdpjd.exec:\pdpjd.exe57⤵
- Executes dropped EXE
PID:1292 -
\??\c:\9vvpp.exec:\9vvpp.exe58⤵
- Executes dropped EXE
PID:1472 -
\??\c:\xlrxlrl.exec:\xlrxlrl.exe59⤵
- Executes dropped EXE
PID:1236 -
\??\c:\tttnbn.exec:\tttnbn.exe60⤵
- Executes dropped EXE
PID:1908 -
\??\c:\9bnbbh.exec:\9bnbbh.exe61⤵
- Executes dropped EXE
PID:1276 -
\??\c:\7jvdv.exec:\7jvdv.exe62⤵
- Executes dropped EXE
PID:464 -
\??\c:\7pvpd.exec:\7pvpd.exe63⤵
- Executes dropped EXE
PID:2184 -
\??\c:\rrlrffr.exec:\rrlrffr.exe64⤵
- Executes dropped EXE
PID:2136 -
\??\c:\5bnhnn.exec:\5bnhnn.exe65⤵
- Executes dropped EXE
PID:2116 -
\??\c:\lfxrxxl.exec:\lfxrxxl.exe66⤵PID:2380
-
\??\c:\nnbnbb.exec:\nnbnbb.exe67⤵PID:1156
-
\??\c:\vjvvp.exec:\vjvvp.exe68⤵PID:548
-
\??\c:\7lxrrll.exec:\7lxrrll.exe69⤵PID:1684
-
\??\c:\nhhntb.exec:\nhhntb.exe70⤵PID:1924
-
\??\c:\ppdvd.exec:\ppdvd.exe71⤵PID:1816
-
\??\c:\rlxxffl.exec:\rlxxffl.exe72⤵PID:2568
-
\??\c:\btnbhb.exec:\btnbhb.exe73⤵PID:2304
-
\??\c:\jjvdp.exec:\jjvdp.exe74⤵PID:2288
-
\??\c:\pvpvj.exec:\pvpvj.exe75⤵PID:2264
-
\??\c:\flflxxl.exec:\flflxxl.exe76⤵PID:3036
-
\??\c:\3tnnbn.exec:\3tnnbn.exe77⤵PID:336
-
\??\c:\jjdpj.exec:\jjdpj.exe78⤵PID:2880
-
\??\c:\frflrfl.exec:\frflrfl.exe79⤵PID:584
-
\??\c:\tnhtbh.exec:\tnhtbh.exe80⤵PID:2892
-
\??\c:\5thnbh.exec:\5thnbh.exe81⤵PID:2808
-
\??\c:\pvppv.exec:\pvppv.exe82⤵PID:1588
-
\??\c:\flfxflr.exec:\flfxflr.exe83⤵PID:2912
-
\??\c:\lffrffl.exec:\lffrffl.exe84⤵PID:2328
-
\??\c:\5hbhnn.exec:\5hbhnn.exe85⤵PID:2756
-
\??\c:\vpdpv.exec:\vpdpv.exe86⤵PID:2344
-
\??\c:\jdvvj.exec:\jdvvj.exe87⤵PID:1132
-
\??\c:\xxrflrx.exec:\xxrflrx.exe88⤵PID:2340
-
\??\c:\tnhnbh.exec:\tnhnbh.exe89⤵PID:2868
-
\??\c:\nnbbhh.exec:\nnbbhh.exe90⤵PID:2996
-
\??\c:\jdvdp.exec:\jdvdp.exe91⤵PID:2844
-
\??\c:\fxxffrr.exec:\fxxffrr.exe92⤵PID:1556
-
\??\c:\flfllrf.exec:\flfllrf.exe93⤵PID:1196
-
\??\c:\5nhhbb.exec:\5nhhbb.exe94⤵PID:2444
-
\??\c:\pjjpd.exec:\pjjpd.exe95⤵PID:3016
-
\??\c:\xxrxfrf.exec:\xxrxfrf.exe96⤵PID:2080
-
\??\c:\xfxxllr.exec:\xfxxllr.exe97⤵PID:1584
-
\??\c:\7thnht.exec:\7thnht.exe98⤵PID:896
-
\??\c:\vpdjp.exec:\vpdjp.exe99⤵PID:2100
-
\??\c:\jjdjj.exec:\jjdjj.exe100⤵PID:2188
-
\??\c:\xrllrrx.exec:\xrllrrx.exe101⤵PID:1608
-
\??\c:\bnhnnn.exec:\bnhnnn.exe102⤵PID:2984
-
\??\c:\7tbbbh.exec:\7tbbbh.exe103⤵PID:680
-
\??\c:\vpddd.exec:\vpddd.exe104⤵PID:1740
-
\??\c:\rllxxxf.exec:\rllxxxf.exe105⤵PID:564
-
\??\c:\rlffllr.exec:\rlffllr.exe106⤵PID:904
-
\??\c:\hbbthn.exec:\hbbthn.exe107⤵PID:1156
-
\??\c:\9ddjp.exec:\9ddjp.exe108⤵PID:328
-
\??\c:\pjddd.exec:\pjddd.exe109⤵PID:1780
-
\??\c:\rlxrxxl.exec:\rlxrxxl.exe110⤵PID:1868
-
\??\c:\tbbtbn.exec:\tbbtbn.exe111⤵
- System Location Discovery: System Language Discovery
PID:2240 -
\??\c:\thhhnt.exec:\thhhnt.exe112⤵PID:1988
-
\??\c:\jdjjd.exec:\jdjjd.exe113⤵PID:3032
-
\??\c:\llflrrl.exec:\llflrrl.exe114⤵PID:2456
-
\??\c:\rlxfllx.exec:\rlxfllx.exe115⤵PID:2556
-
\??\c:\nnhbbt.exec:\nnhbbt.exe116⤵PID:1484
-
\??\c:\jdvdp.exec:\jdvdp.exe117⤵PID:2764
-
\??\c:\vpdvv.exec:\vpdvv.exe118⤵PID:2876
-
\??\c:\lflfffr.exec:\lflfffr.exe119⤵PID:2880
-
\??\c:\tthhnn.exec:\tthhnn.exe120⤵PID:2652
-
\??\c:\jvpvj.exec:\jvpvj.exe121⤵PID:2904
-
\??\c:\ddvdj.exec:\ddvdj.exe122⤵PID:3052