Analysis
-
max time kernel
120s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
26-12-2024 05:14
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
cbe39598647d05214249bdc417b58ab97fef245ec9cc76facb1f8478dfad6cef.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
120 seconds
General
-
Target
cbe39598647d05214249bdc417b58ab97fef245ec9cc76facb1f8478dfad6cef.exe
-
Size
454KB
-
MD5
9266bf7a5d8e0c018e0f74c79b4baa89
-
SHA1
0a21af8b6c9c1eff5e5470c961e0c6f17c02ec79
-
SHA256
cbe39598647d05214249bdc417b58ab97fef245ec9cc76facb1f8478dfad6cef
-
SHA512
bca019be20f8afcb8ff846bd6892f82773adc5f1c16911b428eb86c32daac14259addb2a38e8a4548f4ea85a36825ee541962edc115fdea3503b55c5f65d07f5
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbec:q7Tc2NYHUrAwfMp3CDc
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 38 IoCs
resource yara_rule behavioral1/memory/2380-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1212-28-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2144-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2204-38-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2708-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2980-58-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2864-68-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2500-77-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2872-87-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2672-97-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2672-95-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/2664-105-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/2664-107-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2052-125-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1924-133-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1932-153-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1996-171-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1984-181-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3056-194-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1804-203-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2220-210-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon 
behavioral1/memory/904-239-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2584-264-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1432-281-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3044-329-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2824-330-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2792-362-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2788-381-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/1524-432-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2296-471-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/408-491-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3044-603-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2304-809-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2132-847-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2832-884-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2720-1139-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1848-1222-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1432-1357-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2144 rfrrrlr.exe 1212 7pvjp.exe 2204 5xlfxxx.exe 2708 thbhnn.exe 2980 xlffffl.exe 2864 fxxfxxl.exe 2500 tnbtbt.exe 2872 jdpjj.exe 2672 lxxrrff.exe 2664 hnnnnn.exe 1600 llfxrlr.exe 2052 rflrxxf.exe 1924 1hnhbb.exe 1752 dpdvp.exe 1932 7nbthh.exe 836 jdjjj.exe 1996 5hthnn.exe 1984 dpddj.exe 2920 xxlrrlx.exe 3056 bbntbh.exe 1804 dpddj.exe 2220 lxllrrx.exe 2336 jpddj.exe 548 rllxrxl.exe 904 1jppv.exe 932 5xlfxrx.exe 1336 ddppv.exe 2584 xlxxffr.exe 2096 9vvjp.exe 1432 lfxflrf.exe 1668 jpjpv.exe 2364 lfrrffl.exe 1576 nhnttt.exe 2360 1jvpp.exe 2544 jvdvp.exe 2416 rlffllr.exe 3044 tnbhtt.exe 2824 pdjjd.exe 2980 vjjdj.exe 2744 lfrllll.exe 2780 thhbht.exe 2792 tnbbbn.exe 2612 pjvvv.exe 2668 5rfxrll.exe 2788 lfrxxfx.exe 2292 nbnbbt.exe 1768 dpdvd.exe 1436 lxrxfxx.exe 1556 lxffllf.exe 1924 tnhtht.exe 1736 9vdvv.exe 1980 ppddp.exe 1524 frlfrlf.exe 1720 9bbbnn.exe 1624 bthbnh.exe 2004 pjdvv.exe 2808 rlfflfl.exe 2000 btntbb.exe 2296 nbnthh.exe 1804 pdpjj.exe 2596 frllllr.exe 408 lfxxfll.exe 2336 bnbbtt.exe 344 7ppjd.exe -
resource yara_rule behavioral1/memory/2144-10-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2380-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1212-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2144-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2204-38-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2708-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2980-58-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2500-69-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2864-68-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2500-77-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2872-87-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2672-97-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2664-107-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2052-125-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1924-133-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1932-153-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1996-171-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1984-181-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3056-194-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1804-203-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/904-239-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/932-241-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2584-264-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1432-281-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/3044-329-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2824-330-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2980-337-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2792-362-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2668-390-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1524-432-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1624-444-0x0000000000320000-0x000000000034A000-memory.dmp upx behavioral1/memory/1804-472-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2296-471-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/408-491-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/344-498-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1552-565-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3044-603-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2992-616-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/296-697-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1852-722-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1628-735-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2304-809-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1584-834-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2132-847-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2832-884-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2496-885-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/764-1008-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1920-1094-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/1212-1107-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2528-1120-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2720-1139-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2856-1179-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/1848-1222-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/1744-1344-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1432-1357-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2076-1370-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btbbbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhbnbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9pjjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thtttt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3jpjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9ddvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpjjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1nbttt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdjvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdppp.exe 
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrlxlrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3jddv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxfrrlr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2380 wrote to memory of 2144 2380 cbe39598647d05214249bdc417b58ab97fef245ec9cc76facb1f8478dfad6cef.exe 30 PID 2380 wrote to memory of 2144 2380 cbe39598647d05214249bdc417b58ab97fef245ec9cc76facb1f8478dfad6cef.exe 30 PID 2380 wrote to memory of 2144 2380 cbe39598647d05214249bdc417b58ab97fef245ec9cc76facb1f8478dfad6cef.exe 30 PID 2380 wrote to memory of 2144 2380 cbe39598647d05214249bdc417b58ab97fef245ec9cc76facb1f8478dfad6cef.exe 30 PID 2144 wrote to memory of 1212 2144 rfrrrlr.exe 31 PID 2144 wrote to memory of 1212 2144 rfrrrlr.exe 31 PID 2144 wrote to memory of 1212 2144 rfrrrlr.exe 31 PID 2144 wrote to memory of 1212 2144 rfrrrlr.exe 31 PID 1212 wrote to memory of 2204 1212 7pvjp.exe 32 PID 1212 wrote to memory of 2204 1212 7pvjp.exe 32 PID 1212 wrote to memory of 2204 1212 7pvjp.exe 32 PID 1212 wrote to memory of 2204 1212 7pvjp.exe 32 PID 2204 wrote to memory of 2708 2204 5xlfxxx.exe 33 PID 2204 wrote to memory of 2708 2204 5xlfxxx.exe 33 PID 2204 wrote to memory of 2708 2204 5xlfxxx.exe 33 PID 2204 wrote to memory of 2708 2204 5xlfxxx.exe 33 PID 2708 wrote to memory of 2980 2708 thbhnn.exe 34 PID 2708 wrote to memory of 2980 2708 thbhnn.exe 34 PID 2708 wrote to memory of 2980 2708 thbhnn.exe 34 PID 2708 wrote to memory of 2980 2708 thbhnn.exe 34 PID 2980 wrote to memory of 2864 2980 xlffffl.exe 35 PID 2980 wrote to memory of 2864 2980 xlffffl.exe 35 PID 2980 wrote to memory of 2864 2980 xlffffl.exe 35 PID 2980 wrote to memory of 2864 2980 xlffffl.exe 35 PID 2864 wrote to memory of 2500 2864 fxxfxxl.exe 36 PID 2864 wrote to memory of 2500 2864 fxxfxxl.exe 36 PID 2864 wrote to memory of 2500 2864 fxxfxxl.exe 36 PID 2864 wrote to memory of 2500 2864 fxxfxxl.exe 36 PID 2500 wrote to memory of 2872 2500 tnbtbt.exe 37 PID 2500 wrote to memory of 2872 2500 tnbtbt.exe 37 PID 2500 wrote to memory of 2872 2500 tnbtbt.exe 37 PID 2500 wrote to memory of 2872 2500 tnbtbt.exe 37 PID 2872 wrote to memory of 2672 2872 jdpjj.exe 38 
PID 2872 wrote to memory of 2672 2872 jdpjj.exe 38 PID 2872 wrote to memory of 2672 2872 jdpjj.exe 38 PID 2872 wrote to memory of 2672 2872 jdpjj.exe 38 PID 2672 wrote to memory of 2664 2672 lxxrrff.exe 39 PID 2672 wrote to memory of 2664 2672 lxxrrff.exe 39 PID 2672 wrote to memory of 2664 2672 lxxrrff.exe 39 PID 2672 wrote to memory of 2664 2672 lxxrrff.exe 39 PID 2664 wrote to memory of 1600 2664 hnnnnn.exe 40 PID 2664 wrote to memory of 1600 2664 hnnnnn.exe 40 PID 2664 wrote to memory of 1600 2664 hnnnnn.exe 40 PID 2664 wrote to memory of 1600 2664 hnnnnn.exe 40 PID 1600 wrote to memory of 2052 1600 llfxrlr.exe 41 PID 1600 wrote to memory of 2052 1600 llfxrlr.exe 41 PID 1600 wrote to memory of 2052 1600 llfxrlr.exe 41 PID 1600 wrote to memory of 2052 1600 llfxrlr.exe 41 PID 2052 wrote to memory of 1924 2052 rflrxxf.exe 42 PID 2052 wrote to memory of 1924 2052 rflrxxf.exe 42 PID 2052 wrote to memory of 1924 2052 rflrxxf.exe 42 PID 2052 wrote to memory of 1924 2052 rflrxxf.exe 42 PID 1924 wrote to memory of 1752 1924 1hnhbb.exe 43 PID 1924 wrote to memory of 1752 1924 1hnhbb.exe 43 PID 1924 wrote to memory of 1752 1924 1hnhbb.exe 43 PID 1924 wrote to memory of 1752 1924 1hnhbb.exe 43 PID 1752 wrote to memory of 1932 1752 dpdvp.exe 44 PID 1752 wrote to memory of 1932 1752 dpdvp.exe 44 PID 1752 wrote to memory of 1932 1752 dpdvp.exe 44 PID 1752 wrote to memory of 1932 1752 dpdvp.exe 44 PID 1932 wrote to memory of 836 1932 7nbthh.exe 45 PID 1932 wrote to memory of 836 1932 7nbthh.exe 45 PID 1932 wrote to memory of 836 1932 7nbthh.exe 45 PID 1932 wrote to memory of 836 1932 7nbthh.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\cbe39598647d05214249bdc417b58ab97fef245ec9cc76facb1f8478dfad6cef.exe"C:\Users\Admin\AppData\Local\Temp\cbe39598647d05214249bdc417b58ab97fef245ec9cc76facb1f8478dfad6cef.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2380 -
\??\c:\rfrrrlr.exec:\rfrrrlr.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2144 -
\??\c:\7pvjp.exec:\7pvjp.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1212 -
\??\c:\5xlfxxx.exec:\5xlfxxx.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2204 -
\??\c:\thbhnn.exec:\thbhnn.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2708 -
\??\c:\xlffffl.exec:\xlffffl.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2980 -
\??\c:\fxxfxxl.exec:\fxxfxxl.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2864 -
\??\c:\tnbtbt.exec:\tnbtbt.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2500 -
\??\c:\jdpjj.exec:\jdpjj.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2872 -
\??\c:\lxxrrff.exec:\lxxrrff.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2672 -
\??\c:\hnnnnn.exec:\hnnnnn.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2664 -
\??\c:\llfxrlr.exec:\llfxrlr.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1600 -
\??\c:\rflrxxf.exec:\rflrxxf.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2052 -
\??\c:\1hnhbb.exec:\1hnhbb.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1924 -
\??\c:\dpdvp.exec:\dpdvp.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1752 -
\??\c:\7nbthh.exec:\7nbthh.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1932 -
\??\c:\jdjjj.exec:\jdjjj.exe17⤵
- Executes dropped EXE
PID:836 -
\??\c:\5hthnn.exec:\5hthnn.exe18⤵
- Executes dropped EXE
PID:1996 -
\??\c:\dpddj.exec:\dpddj.exe19⤵
- Executes dropped EXE
PID:1984 -
\??\c:\xxlrrlx.exec:\xxlrrlx.exe20⤵
- Executes dropped EXE
PID:2920 -
\??\c:\bbntbh.exec:\bbntbh.exe21⤵
- Executes dropped EXE
PID:3056 -
\??\c:\dpddj.exec:\dpddj.exe22⤵
- Executes dropped EXE
PID:1804 -
\??\c:\lxllrrx.exec:\lxllrrx.exe23⤵
- Executes dropped EXE
PID:2220 -
\??\c:\jpddj.exec:\jpddj.exe24⤵
- Executes dropped EXE
PID:2336 -
\??\c:\rllxrxl.exec:\rllxrxl.exe25⤵
- Executes dropped EXE
PID:548 -
\??\c:\1jppv.exec:\1jppv.exe26⤵
- Executes dropped EXE
PID:904 -
\??\c:\5xlfxrx.exec:\5xlfxrx.exe27⤵
- Executes dropped EXE
PID:932 -
\??\c:\ddppv.exec:\ddppv.exe28⤵
- Executes dropped EXE
PID:1336 -
\??\c:\xlxxffr.exec:\xlxxffr.exe29⤵
- Executes dropped EXE
PID:2584 -
\??\c:\9vvjp.exec:\9vvjp.exe30⤵
- Executes dropped EXE
PID:2096 -
\??\c:\lfxflrf.exec:\lfxflrf.exe31⤵
- Executes dropped EXE
PID:1432 -
\??\c:\jpjpv.exec:\jpjpv.exe32⤵
- Executes dropped EXE
PID:1668 -
\??\c:\lfrrffl.exec:\lfrrffl.exe33⤵
- Executes dropped EXE
PID:2364 -
\??\c:\nhnttt.exec:\nhnttt.exe34⤵
- Executes dropped EXE
PID:1576 -
\??\c:\1jvpp.exec:\1jvpp.exe35⤵
- Executes dropped EXE
PID:2360 -
\??\c:\jvdvp.exec:\jvdvp.exe36⤵
- Executes dropped EXE
PID:2544 -
\??\c:\rlffllr.exec:\rlffllr.exe37⤵
- Executes dropped EXE
PID:2416 -
\??\c:\tnbhtt.exec:\tnbhtt.exe38⤵
- Executes dropped EXE
PID:3044 -
\??\c:\pdjjd.exec:\pdjjd.exe39⤵
- Executes dropped EXE
PID:2824 -
\??\c:\vjjdj.exec:\vjjdj.exe40⤵
- Executes dropped EXE
PID:2980 -
\??\c:\lfrllll.exec:\lfrllll.exe41⤵
- Executes dropped EXE
PID:2744 -
\??\c:\thhbht.exec:\thhbht.exe42⤵
- Executes dropped EXE
PID:2780 -
\??\c:\tnbbbn.exec:\tnbbbn.exe43⤵
- Executes dropped EXE
PID:2792 -
\??\c:\pjvvv.exec:\pjvvv.exe44⤵
- Executes dropped EXE
PID:2612 -
\??\c:\5rfxrll.exec:\5rfxrll.exe45⤵
- Executes dropped EXE
PID:2668 -
\??\c:\lfrxxfx.exec:\lfrxxfx.exe46⤵
- Executes dropped EXE
PID:2788 -
\??\c:\nbnbbt.exec:\nbnbbt.exe47⤵
- Executes dropped EXE
PID:2292 -
\??\c:\dpdvd.exec:\dpdvd.exe48⤵
- Executes dropped EXE
PID:1768 -
\??\c:\lxrxfxx.exec:\lxrxfxx.exe49⤵
- Executes dropped EXE
PID:1436 -
\??\c:\lxffllf.exec:\lxffllf.exe50⤵
- Executes dropped EXE
PID:1556 -
\??\c:\tnhtht.exec:\tnhtht.exe51⤵
- Executes dropped EXE
PID:1924 -
\??\c:\9vdvv.exec:\9vdvv.exe52⤵
- Executes dropped EXE
PID:1736 -
\??\c:\ppddp.exec:\ppddp.exe53⤵
- Executes dropped EXE
PID:1980 -
\??\c:\frlfrlf.exec:\frlfrlf.exe54⤵
- Executes dropped EXE
PID:1524 -
\??\c:\9bbbnn.exec:\9bbbnn.exe55⤵
- Executes dropped EXE
PID:1720 -
\??\c:\bthbnh.exec:\bthbnh.exe56⤵
- Executes dropped EXE
PID:1624 -
\??\c:\pjdvv.exec:\pjdvv.exe57⤵
- Executes dropped EXE
PID:2004 -
\??\c:\rlfflfl.exec:\rlfflfl.exe58⤵
- Executes dropped EXE
PID:2808 -
\??\c:\btntbb.exec:\btntbb.exe59⤵
- Executes dropped EXE
PID:2000 -
\??\c:\nbnthh.exec:\nbnthh.exe60⤵
- Executes dropped EXE
PID:2296 -
\??\c:\pdpjj.exec:\pdpjj.exe61⤵
- Executes dropped EXE
PID:1804 -
\??\c:\frllllr.exec:\frllllr.exe62⤵
- Executes dropped EXE
PID:2596 -
\??\c:\lfxxfll.exec:\lfxxfll.exe63⤵
- Executes dropped EXE
PID:408 -
\??\c:\bnbbtt.exec:\bnbbtt.exe64⤵
- Executes dropped EXE
PID:2336 -
\??\c:\7ppjd.exec:\7ppjd.exe65⤵
- Executes dropped EXE
PID:344 -
\??\c:\1dppp.exec:\1dppp.exe66⤵PID:896
-
\??\c:\rxrxflr.exec:\rxrxflr.exe67⤵PID:2484
-
\??\c:\nnbhhh.exec:\nnbhhh.exe68⤵PID:2288
-
\??\c:\ttnhhb.exec:\ttnhhb.exe69⤵PID:740
-
\??\c:\dvdjv.exec:\dvdjv.exe70⤵PID:1336
-
\??\c:\flffxxf.exec:\flffxxf.exe71⤵PID:2940
-
\??\c:\3frrlfl.exec:\3frrlfl.exe72⤵PID:2096
-
\??\c:\5nbhnb.exec:\5nbhnb.exe73⤵PID:2012
-
\??\c:\vpjjv.exec:\vpjjv.exe74⤵PID:884
-
\??\c:\3djjj.exec:\3djjj.exe75⤵PID:1572
-
\??\c:\xlxxffl.exec:\xlxxffl.exe76⤵PID:1552
-
\??\c:\3nbtbb.exec:\3nbtbb.exe77⤵PID:3024
-
\??\c:\thbbbb.exec:\thbbbb.exe78⤵PID:2244
-
\??\c:\dvjjp.exec:\dvjjp.exe79⤵PID:2528
-
\??\c:\rllxlrx.exec:\rllxlrx.exe80⤵PID:2416
-
\??\c:\hbbntt.exec:\hbbntt.exe81⤵PID:3044
-
\??\c:\3thhhb.exec:\3thhhb.exe82⤵PID:1244
-
\??\c:\jdjdj.exec:\jdjdj.exe83⤵PID:2496
-
\??\c:\fxlxffx.exec:\fxlxffx.exe84⤵PID:2992
-
\??\c:\5nhnnn.exec:\5nhnnn.exe85⤵PID:2892
-
\??\c:\9ntttt.exec:\9ntttt.exe86⤵PID:2872
-
\??\c:\pdppp.exec:\pdppp.exe87⤵PID:2688
-
\??\c:\jpjdj.exec:\jpjdj.exe88⤵PID:2644
-
\??\c:\9rfxxxf.exec:\9rfxxxf.exe89⤵PID:2728
-
\??\c:\tnbthb.exec:\tnbthb.exe90⤵PID:2292
-
\??\c:\hthbbb.exec:\hthbbb.exe91⤵PID:376
-
\??\c:\7vjpv.exec:\7vjpv.exe92⤵PID:1916
-
\??\c:\llxxrxl.exec:\llxxrxl.exe93⤵PID:848
-
\??\c:\rlflxxf.exec:\rlflxxf.exe94⤵PID:544
-
\??\c:\tnhthh.exec:\tnhthh.exe95⤵PID:2124
-
\??\c:\7pvpv.exec:\7pvpv.exe96⤵PID:1344
-
\??\c:\xrfffrx.exec:\xrfffrx.exe97⤵PID:296
-
\??\c:\lxxxllr.exec:\lxxxllr.exe98⤵PID:1720
-
\??\c:\9bttbh.exec:\9bttbh.exe99⤵PID:1628
-
\??\c:\vpdjv.exec:\vpdjv.exe100⤵PID:2956
-
\??\c:\jvppv.exec:\jvppv.exe101⤵PID:1852
-
\??\c:\xfrrxxl.exec:\xfrrxxl.exe102⤵PID:2472
-
\??\c:\1bbbnn.exec:\1bbbnn.exe103⤵PID:2160
-
\??\c:\nbhbbn.exec:\nbhbbn.exe104⤵PID:2216
-
\??\c:\7pjjj.exec:\7pjjj.exe105⤵PID:1068
-
\??\c:\1xlxxxx.exec:\1xlxxxx.exe106⤵PID:1956
-
\??\c:\bbtbbb.exec:\bbtbbb.exe107⤵PID:624
-
\??\c:\thttbt.exec:\thttbt.exe108⤵PID:1324
-
\??\c:\ddjdj.exec:\ddjdj.exe109⤵PID:1088
-
\??\c:\rlflffl.exec:\rlflffl.exe110⤵PID:1516
-
\??\c:\1xxfflf.exec:\1xxfflf.exe111⤵PID:1792
-
\??\c:\btbbbb.exec:\btbbbb.exe112⤵
- System Location Discovery: System Language Discovery
PID:2168 -
\??\c:\5dddd.exec:\5dddd.exe113⤵PID:2064
-
\??\c:\9lxrxxr.exec:\9lxrxxr.exe114⤵PID:1228
-
\??\c:\lxlrrrx.exec:\lxlrrrx.exe115⤵PID:2304
-
\??\c:\3tttbb.exec:\3tttbb.exe116⤵PID:2696
-
\??\c:\hbhhhb.exec:\hbhhhb.exe117⤵PID:2088
-
\??\c:\jdpvd.exec:\jdpvd.exe118⤵PID:2252
-
\??\c:\3lrrffx.exec:\3lrrffx.exe119⤵PID:1584
-
\??\c:\lxxxffl.exec:\lxxxffl.exe120⤵PID:2132
-
\??\c:\hthhnn.exec:\hthhnn.exe121⤵PID:1664
-
\??\c:\vjpjp.exec:\vjpjp.exe122⤵PID:2812
-