Analysis
-
max time kernel
120s -
max time network
117s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
26-12-2024 05:22
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
7ce24f98d605e466397ca44ea84f8b9bb807e92fcfe09e6afd8d82a690eea5f9N.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
120 seconds
General
-
Target
7ce24f98d605e466397ca44ea84f8b9bb807e92fcfe09e6afd8d82a690eea5f9N.exe
-
Size
454KB
-
MD5
1ef241005d4ef3a44f69114fb4b9de00
-
SHA1
530c9516f91327e8b887966d9eb932448706d025
-
SHA256
7ce24f98d605e466397ca44ea84f8b9bb807e92fcfe09e6afd8d82a690eea5f9
-
SHA512
4a8723fb5924f127c814a9a4930edc5f56141b0ef0c44257639ee138585dd72d7770cf88caab8e47ba30ee56f3b70fec0eb96ce5f95a0a58d42244f375b24fd1
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbea:q7Tc2NYHUrAwfMp3CDa
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 52 IoCs
resource yara_rule behavioral1/memory/1660-1-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2968-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2540-26-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2528-40-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2832-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2460-60-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2616-57-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2616-55-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2896-80-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2456-77-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2456-75-0x0000000000250000-0x000000000027A000-memory.dmp family_blackmoon behavioral1/memory/2456-73-0x0000000000250000-0x000000000027A000-memory.dmp family_blackmoon behavioral1/memory/2160-100-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/776-97-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/776-95-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/1624-117-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1624-115-0x00000000002B0000-0x00000000002DA000-memory.dmp family_blackmoon behavioral1/memory/1804-136-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2320-144-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/268-172-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2880-177-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/268-174-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2624-212-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/908-232-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1396-229-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1396-225-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/568-252-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2956-249-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3052-267-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1564-272-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3052-269-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1584-290-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2056-325-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/864-370-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1440-401-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1444-420-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1444-427-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1784-434-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2656-569-0x0000000000430000-0x000000000045A000-memory.dmp family_blackmoon behavioral1/memory/2824-584-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2456-625-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2148-675-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2780-700-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1976-799-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1344-1034-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2080-1071-0x00000000002B0000-0x00000000002DA000-memory.dmp family_blackmoon behavioral1/memory/316-1207-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1316-1232-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1088-1269-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2960-1284-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/2668-1334-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2600-1383-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2968 fxfflll.exe 2540 9hbhbt.exe 2832 rfrrxfl.exe 2528 rlffxxx.exe 2616 1flllll.exe 2460 dvpvj.exe 2456 rrxfrxf.exe 2896 thbbnt.exe 776 ffxxrrx.exe 2160 rfrxllr.exe 1624 ddppj.exe 672 lflfxxx.exe 1804 5pvdj.exe 2320 lfxffxl.exe 480 hbnbhh.exe 2776 jdvdv.exe 268 dpjjp.exe 2880 5rfffff.exe 2392 nbhbbb.exe 1520 pdjjp.exe 2012 frfllrx.exe 2624 tnbbhh.exe 1396 rrrxlrr.exe 908 tthnhh.exe 2956 dvdjp.exe 568 xxlflrx.exe 3052 1vjjj.exe 1564 xxlxlfl.exe 2004 dvjdp.exe 1584 lrxllfl.exe 2656 thnbbt.exe 2964 1jjjv.exe 2544 jjvvj.exe 2056 nbttbb.exe 2440 5bnhbb.exe 2548 1vddv.exe 2584 1rfxxfl.exe 2488 9htntn.exe 2456 ttnbnn.exe 2464 jdvpv.exe 1952 1fxrlfr.exe 864 7rfxfff.exe 1028 nbtbnt.exe 2176 jjddp.exe 1044 3jjpj.exe 1440 fxrflrf.exe 2024 9bhhhh.exe 2148 7pjvj.exe 1796 jvjjp.exe 1444 lrrfrfx.exe 1784 btnntt.exe 308 dvjdd.exe 2804 jvvvv.exe 2716 fxrrxrx.exe 3032 bthnbb.exe 2852 9bnbhn.exe 1512 vvpdv.exe 404 jdpvd.exe 2400 ffxfxrx.exe 1380 nhbbnt.exe 1268 nbnnbt.exe 2380 djpjj.exe 1344 rxrxfrf.exe 3008 xrllllx.exe -
resource yara_rule behavioral1/memory/1660-1-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2968-8-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2968-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2540-26-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2528-40-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2832-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2460-60-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2616-57-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2896-80-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2456-77-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2160-100-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/776-97-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1624-117-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1804-136-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2320-144-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/268-171-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2880-177-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/268-174-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2624-212-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/908-232-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1396-229-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/568-252-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2956-249-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3052-266-0x0000000000220000-0x000000000024A000-memory.dmp upx 
behavioral1/memory/1564-272-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3052-269-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1584-290-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2056-319-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2056-325-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2548-332-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/864-370-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1440-401-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1444-420-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1444-427-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1784-434-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3032-459-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2656-569-0x0000000000430000-0x000000000045A000-memory.dmp upx behavioral1/memory/2824-584-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2456-625-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2176-650-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2148-675-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2780-700-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2796-713-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1088-738-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1976-799-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1580-812-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2600-850-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2332-911-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/1344-1034-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2448-1108-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2476-1133-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1964-1158-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/316-1207-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1316-1232-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1088-1269-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbtbnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvddj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnhnbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bthhtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlffxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddvdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbntbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjpdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlxxllr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process 
not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrflxlx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frfllrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdpvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1660 wrote to memory of 2968 1660 7ce24f98d605e466397ca44ea84f8b9bb807e92fcfe09e6afd8d82a690eea5f9N.exe 29 PID 1660 wrote to memory of 2968 1660 7ce24f98d605e466397ca44ea84f8b9bb807e92fcfe09e6afd8d82a690eea5f9N.exe 29 PID 1660 wrote to memory of 2968 1660 7ce24f98d605e466397ca44ea84f8b9bb807e92fcfe09e6afd8d82a690eea5f9N.exe 29 PID 1660 wrote to memory of 2968 1660 7ce24f98d605e466397ca44ea84f8b9bb807e92fcfe09e6afd8d82a690eea5f9N.exe 29 PID 2968 wrote to memory of 2540 2968 fxfflll.exe 30 PID 2968 wrote to memory of 2540 2968 fxfflll.exe 30 PID 2968 wrote to memory of 2540 2968 fxfflll.exe 30 PID 2968 wrote to memory of 2540 2968 fxfflll.exe 30 PID 2540 wrote to memory of 2832 2540 9hbhbt.exe 31 PID 2540 wrote to memory of 2832 2540 9hbhbt.exe 31 PID 2540 wrote to memory of 2832 2540 9hbhbt.exe 31 PID 2540 wrote to memory of 2832 2540 9hbhbt.exe 31 PID 2832 wrote to memory of 2528 2832 rfrrxfl.exe 32 PID 2832 wrote to memory of 2528 2832 rfrrxfl.exe 32 PID 2832 wrote to memory of 2528 2832 rfrrxfl.exe 32 PID 2832 wrote to memory of 2528 2832 rfrrxfl.exe 32 PID 2528 wrote to memory of 2616 2528 rlffxxx.exe 33 PID 2528 wrote to memory of 2616 2528 rlffxxx.exe 33 PID 2528 wrote to memory of 2616 2528 rlffxxx.exe 33 PID 2528 wrote to memory of 2616 2528 rlffxxx.exe 33 PID 2616 wrote to memory of 2460 2616 1flllll.exe 34 PID 2616 wrote to memory of 2460 2616 1flllll.exe 34 PID 2616 wrote to memory of 2460 2616 1flllll.exe 34 PID 2616 wrote to memory of 2460 2616 1flllll.exe 34 PID 2460 wrote to memory of 2456 2460 dvpvj.exe 35 PID 2460 wrote to memory of 2456 2460 dvpvj.exe 35 PID 2460 wrote to memory of 2456 2460 dvpvj.exe 35 PID 2460 wrote to memory of 2456 2460 dvpvj.exe 35 PID 2456 wrote to memory of 2896 2456 rrxfrxf.exe 36 PID 2456 wrote to memory of 2896 2456 rrxfrxf.exe 36 PID 2456 wrote to memory of 2896 2456 rrxfrxf.exe 36 PID 2456 wrote to memory of 2896 2456 rrxfrxf.exe 36 PID 2896 wrote to memory of 776 2896 
thbbnt.exe 37 PID 2896 wrote to memory of 776 2896 thbbnt.exe 37 PID 2896 wrote to memory of 776 2896 thbbnt.exe 37 PID 2896 wrote to memory of 776 2896 thbbnt.exe 37 PID 776 wrote to memory of 2160 776 ffxxrrx.exe 38 PID 776 wrote to memory of 2160 776 ffxxrrx.exe 38 PID 776 wrote to memory of 2160 776 ffxxrrx.exe 38 PID 776 wrote to memory of 2160 776 ffxxrrx.exe 38 PID 2160 wrote to memory of 1624 2160 rfrxllr.exe 39 PID 2160 wrote to memory of 1624 2160 rfrxllr.exe 39 PID 2160 wrote to memory of 1624 2160 rfrxllr.exe 39 PID 2160 wrote to memory of 1624 2160 rfrxllr.exe 39 PID 1624 wrote to memory of 672 1624 ddppj.exe 40 PID 1624 wrote to memory of 672 1624 ddppj.exe 40 PID 1624 wrote to memory of 672 1624 ddppj.exe 40 PID 1624 wrote to memory of 672 1624 ddppj.exe 40 PID 672 wrote to memory of 1804 672 lflfxxx.exe 41 PID 672 wrote to memory of 1804 672 lflfxxx.exe 41 PID 672 wrote to memory of 1804 672 lflfxxx.exe 41 PID 672 wrote to memory of 1804 672 lflfxxx.exe 41 PID 1804 wrote to memory of 2320 1804 5pvdj.exe 42 PID 1804 wrote to memory of 2320 1804 5pvdj.exe 42 PID 1804 wrote to memory of 2320 1804 5pvdj.exe 42 PID 1804 wrote to memory of 2320 1804 5pvdj.exe 42 PID 2320 wrote to memory of 480 2320 lfxffxl.exe 43 PID 2320 wrote to memory of 480 2320 lfxffxl.exe 43 PID 2320 wrote to memory of 480 2320 lfxffxl.exe 43 PID 2320 wrote to memory of 480 2320 lfxffxl.exe 43 PID 480 wrote to memory of 2776 480 hbnbhh.exe 44 PID 480 wrote to memory of 2776 480 hbnbhh.exe 44 PID 480 wrote to memory of 2776 480 hbnbhh.exe 44 PID 480 wrote to memory of 2776 480 hbnbhh.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\7ce24f98d605e466397ca44ea84f8b9bb807e92fcfe09e6afd8d82a690eea5f9N.exe"C:\Users\Admin\AppData\Local\Temp\7ce24f98d605e466397ca44ea84f8b9bb807e92fcfe09e6afd8d82a690eea5f9N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1660 -
\??\c:\fxfflll.exec:\fxfflll.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2968 -
\??\c:\9hbhbt.exec:\9hbhbt.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2540 -
\??\c:\rfrrxfl.exec:\rfrrxfl.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2832 -
\??\c:\rlffxxx.exec:\rlffxxx.exe5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2528 -
\??\c:\1flllll.exec:\1flllll.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2616 -
\??\c:\dvpvj.exec:\dvpvj.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2460 -
\??\c:\rrxfrxf.exec:\rrxfrxf.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2456 -
\??\c:\thbbnt.exec:\thbbnt.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2896 -
\??\c:\ffxxrrx.exec:\ffxxrrx.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:776 -
\??\c:\rfrxllr.exec:\rfrxllr.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2160 -
\??\c:\ddppj.exec:\ddppj.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1624 -
\??\c:\lflfxxx.exec:\lflfxxx.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:672 -
\??\c:\5pvdj.exec:\5pvdj.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1804 -
\??\c:\lfxffxl.exec:\lfxffxl.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2320 -
\??\c:\hbnbhh.exec:\hbnbhh.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:480 -
\??\c:\jdvdv.exec:\jdvdv.exe17⤵
- Executes dropped EXE
PID:2776 -
\??\c:\dpjjp.exec:\dpjjp.exe18⤵
- Executes dropped EXE
PID:268 -
\??\c:\5rfffff.exec:\5rfffff.exe19⤵
- Executes dropped EXE
PID:2880 -
\??\c:\nbhbbb.exec:\nbhbbb.exe20⤵
- Executes dropped EXE
PID:2392 -
\??\c:\pdjjp.exec:\pdjjp.exe21⤵
- Executes dropped EXE
PID:1520 -
\??\c:\frfllrx.exec:\frfllrx.exe22⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2012 -
\??\c:\tnbbhh.exec:\tnbbhh.exe23⤵
- Executes dropped EXE
PID:2624 -
\??\c:\rrrxlrr.exec:\rrrxlrr.exe24⤵
- Executes dropped EXE
PID:1396 -
\??\c:\tthnhh.exec:\tthnhh.exe25⤵
- Executes dropped EXE
PID:908 -
\??\c:\dvdjp.exec:\dvdjp.exe26⤵
- Executes dropped EXE
PID:2956 -
\??\c:\xxlflrx.exec:\xxlflrx.exe27⤵
- Executes dropped EXE
PID:568 -
\??\c:\1vjjj.exec:\1vjjj.exe28⤵
- Executes dropped EXE
PID:3052 -
\??\c:\xxlxlfl.exec:\xxlxlfl.exe29⤵
- Executes dropped EXE
PID:1564 -
\??\c:\dvjdp.exec:\dvjdp.exe30⤵
- Executes dropped EXE
PID:2004 -
\??\c:\lrxllfl.exec:\lrxllfl.exe31⤵
- Executes dropped EXE
PID:1584 -
\??\c:\thnbbt.exec:\thnbbt.exe32⤵
- Executes dropped EXE
PID:2656 -
\??\c:\1jjjv.exec:\1jjjv.exe33⤵
- Executes dropped EXE
PID:2964 -
\??\c:\jjvvj.exec:\jjvvj.exe34⤵
- Executes dropped EXE
PID:2544 -
\??\c:\nbttbb.exec:\nbttbb.exe35⤵
- Executes dropped EXE
PID:2056 -
\??\c:\5bnhbb.exec:\5bnhbb.exe36⤵
- Executes dropped EXE
PID:2440 -
\??\c:\1vddv.exec:\1vddv.exe37⤵
- Executes dropped EXE
PID:2548 -
\??\c:\1rfxxfl.exec:\1rfxxfl.exe38⤵
- Executes dropped EXE
PID:2584 -
\??\c:\9htntn.exec:\9htntn.exe39⤵
- Executes dropped EXE
PID:2488 -
\??\c:\ttnbnn.exec:\ttnbnn.exe40⤵
- Executes dropped EXE
PID:2456 -
\??\c:\jdvpv.exec:\jdvpv.exe41⤵
- Executes dropped EXE
PID:2464 -
\??\c:\1fxrlfr.exec:\1fxrlfr.exe42⤵
- Executes dropped EXE
PID:1952 -
\??\c:\7rfxfff.exec:\7rfxfff.exe43⤵
- Executes dropped EXE
PID:864 -
\??\c:\nbtbnt.exec:\nbtbnt.exe44⤵
- Executes dropped EXE
PID:1028 -
\??\c:\jjddp.exec:\jjddp.exe45⤵
- Executes dropped EXE
PID:2176 -
\??\c:\3jjpj.exec:\3jjpj.exe46⤵
- Executes dropped EXE
PID:1044 -
\??\c:\fxrflrf.exec:\fxrflrf.exe47⤵
- Executes dropped EXE
PID:1440 -
\??\c:\9bhhhh.exec:\9bhhhh.exe48⤵
- Executes dropped EXE
PID:2024 -
\??\c:\7pjvj.exec:\7pjvj.exe49⤵
- Executes dropped EXE
PID:2148 -
\??\c:\jvjjp.exec:\jvjjp.exe50⤵
- Executes dropped EXE
PID:1796 -
\??\c:\lrrfrfx.exec:\lrrfrfx.exe51⤵
- Executes dropped EXE
PID:1444 -
\??\c:\btnntt.exec:\btnntt.exe52⤵
- Executes dropped EXE
PID:1784 -
\??\c:\dvjdd.exec:\dvjdd.exe53⤵
- Executes dropped EXE
PID:308 -
\??\c:\jvvvv.exec:\jvvvv.exe54⤵
- Executes dropped EXE
PID:2804 -
\??\c:\fxrrxrx.exec:\fxrrxrx.exe55⤵
- Executes dropped EXE
PID:2716 -
\??\c:\bthnbb.exec:\bthnbb.exe56⤵
- Executes dropped EXE
PID:3032 -
\??\c:\9bnbhn.exec:\9bnbhn.exe57⤵
- Executes dropped EXE
PID:2852 -
\??\c:\vvpdv.exec:\vvpdv.exe58⤵
- Executes dropped EXE
PID:1512 -
\??\c:\jdpvd.exec:\jdpvd.exe59⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:404 -
\??\c:\ffxfxrx.exec:\ffxfxrx.exe60⤵
- Executes dropped EXE
PID:2400 -
\??\c:\nhbbnt.exec:\nhbbnt.exe61⤵
- Executes dropped EXE
PID:1380 -
\??\c:\nbnnbt.exec:\nbnnbt.exe62⤵
- Executes dropped EXE
PID:1268 -
\??\c:\djpjj.exec:\djpjj.exe63⤵
- Executes dropped EXE
PID:2380 -
\??\c:\rxrxfrf.exec:\rxrxfrf.exe64⤵
- Executes dropped EXE
PID:1344 -
\??\c:\xrllllx.exec:\xrllllx.exe65⤵
- Executes dropped EXE
PID:3008 -
\??\c:\hhtnnt.exec:\hhtnnt.exe66⤵PID:1920
-
\??\c:\jvppj.exec:\jvppj.exe67⤵PID:2128
-
\??\c:\jvpjp.exec:\jvpjp.exe68⤵PID:692
-
\??\c:\9lfrffr.exec:\9lfrffr.exe69⤵PID:2080
-
\??\c:\rrfrflr.exec:\rrfrflr.exe70⤵PID:2228
-
\??\c:\thbhtb.exec:\thbhtb.exe71⤵PID:1580
-
\??\c:\pjddj.exec:\pjddj.exe72⤵PID:1588
-
\??\c:\vpvpp.exec:\vpvpp.exe73⤵PID:2504
-
\??\c:\3rrfffl.exec:\3rrfffl.exe74⤵PID:2656
-
\??\c:\rfxxflr.exec:\rfxxflr.exe75⤵PID:2540
-
\??\c:\htnttt.exec:\htnttt.exe76⤵PID:2824
-
\??\c:\1pjvv.exec:\1pjvv.exe77⤵PID:2448
-
\??\c:\3jddp.exec:\3jddp.exe78⤵PID:1728
-
\??\c:\rxfxxxx.exec:\rxfxxxx.exe79⤵PID:2468
-
\??\c:\htnbbh.exec:\htnbbh.exe80⤵PID:2580
-
\??\c:\bnttbt.exec:\bnttbt.exe81⤵PID:2532
-
\??\c:\pjjjv.exec:\pjjjv.exe82⤵PID:2456
-
\??\c:\rlxfllr.exec:\rlxfllr.exe83⤵PID:2896
-
\??\c:\xrllflr.exec:\xrllflr.exe84⤵PID:1952
-
\??\c:\bthbbb.exec:\bthbbb.exe85⤵PID:864
-
\??\c:\dvjjj.exec:\dvjjj.exe86⤵PID:1628
-
\??\c:\7pvpj.exec:\7pvpj.exe87⤵PID:2176
-
\??\c:\1xlfxfr.exec:\1xlfxfr.exe88⤵PID:1044
-
\??\c:\xxflrrf.exec:\xxflrrf.exe89⤵PID:2344
-
\??\c:\1ntthh.exec:\1ntthh.exe90⤵PID:1812
-
\??\c:\jvjpp.exec:\jvjpp.exe91⤵PID:2148
-
\??\c:\jjvdp.exec:\jjvdp.exe92⤵PID:1796
-
\??\c:\lllrxfx.exec:\lllrxfx.exe93⤵PID:2212
-
\??\c:\nhbhtb.exec:\nhbhtb.exe94⤵PID:2360
-
\??\c:\thhnbb.exec:\thhnbb.exe95⤵PID:2780
-
\??\c:\vjvpd.exec:\vjvpd.exe96⤵PID:2880
-
\??\c:\fxffffr.exec:\fxffffr.exe97⤵PID:2796
-
\??\c:\ffxlrxf.exec:\ffxlrxf.exe98⤵PID:3032
-
\??\c:\hbbbhb.exec:\hbbbhb.exe99⤵PID:3004
-
\??\c:\3pjpv.exec:\3pjpv.exe100⤵PID:2480
-
\??\c:\9vpvj.exec:\9vpvj.exe101⤵PID:1088
-
\??\c:\fllrflx.exec:\fllrflx.exe102⤵PID:1052
-
\??\c:\hhbntt.exec:\hhbntt.exe103⤵PID:1380
-
\??\c:\nhnntb.exec:\nhnntb.exe104⤵PID:1596
-
\??\c:\vpdjj.exec:\vpdjj.exe105⤵PID:2380
-
\??\c:\xrxxfrx.exec:\xrxxfrx.exe106⤵PID:2000
-
\??\c:\1rlrlrx.exec:\1rlrlrx.exe107⤵PID:3008
-
\??\c:\9bhbbt.exec:\9bhbbt.exe108⤵PID:1920
-
\??\c:\jvppd.exec:\jvppd.exe109⤵PID:2128
-
\??\c:\dpjpj.exec:\dpjpj.exe110⤵PID:692
-
\??\c:\rrrfxfx.exec:\rrrfxfx.exe111⤵PID:1976
-
\??\c:\hhbbhh.exec:\hhbbhh.exe112⤵PID:2228
-
\??\c:\pjpvd.exec:\pjpvd.exe113⤵PID:1580
-
\??\c:\jvvjv.exec:\jvvjv.exe114⤵PID:1588
-
\??\c:\flllrrr.exec:\flllrrr.exe115⤵PID:2568
-
\??\c:\thtbtt.exec:\thtbtt.exe116⤵PID:2820
-
\??\c:\hbtbhh.exec:\hbtbhh.exe117⤵PID:2676
-
\??\c:\djddv.exec:\djddv.exe118⤵PID:2824
-
\??\c:\ffrxlfl.exec:\ffrxlfl.exe119⤵PID:2600
-
\??\c:\xxffrrx.exec:\xxffrrx.exe120⤵PID:2500
-
\??\c:\btbhbb.exec:\btbhbb.exe121⤵PID:2484
-
\??\c:\3pvpp.exec:\3pvpp.exe122⤵PID:2408