Analysis
-
max time kernel
120s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20241023-en -
resource tags
arch:x64 arch:x86 image:win7-20241023-en locale:en-us os:windows7-x64 system -
submitted
26-12-2024 09:13
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
8f4fa29200c65440a32f6e0998d47b7eea7a70dccc7d69d6002c67d7365cc074.exe
Resource
win7-20241023-en
windows7-x64
7 signatures
120 seconds
General
-
Target
8f4fa29200c65440a32f6e0998d47b7eea7a70dccc7d69d6002c67d7365cc074.exe
-
Size
456KB
-
MD5
d658d7a0f530660440f550031e5983cf
-
SHA1
a0399dffba47bee2c109f985154c9c0e5355411a
-
SHA256
8f4fa29200c65440a32f6e0998d47b7eea7a70dccc7d69d6002c67d7365cc074
-
SHA512
7612c677b7747599550e11803bc9cfe6b09773ce18d2b4d713c008669a9ec7735a509ef9b27f6d36634819528f4d4f3b3506f6be34077368dabe4f08e55309f6
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeRn:q7Tc2NYHUrAwfMp3CDRn
Malware Config
Signatures
-
Blackmoon family
-
Detects Blackmoon payload — 42 IoCs. Each IoC below is a process memory region (typically the 0x400000–0x42A000 image range) matched by the family_blackmoon YARA rule, i.e. the match is on unpacked code in memory. The same regions also match the upx rule further down, so a purely on-disk scan of the packed droppers may not fire; confirm against the static task before relying on file-based detection.
resource yara_rule behavioral1/memory/2348-13-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2324-10-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2252-32-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2900-69-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2140-120-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2412-293-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2160-478-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/684-461-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/1912-428-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1912-423-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/2340-380-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2760-367-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/308-334-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2548-321-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2548-316-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/2520-307-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2312-294-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1332-245-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1996-238-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/684-228-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/912-224-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/912-219-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2272-208-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2828-191-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2836-188-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2964-173-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2824-154-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2516-140-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2856-136-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2856-131-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2620-103-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2932-86-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2628-83-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2764-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1988-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1988-42-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2524-28-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2220-522-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2620-620-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1176-640-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1596-957-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/356-1028-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE — 64 IoCs (the listing appears to be capped at 64; the Processes tree shows the chain continuing to depth 122). Each dropped file is written to the drive root (c:\) under a short pseudo-random name and immediately spawns the next one. PIDs are reused within the run (e.g. 2932, 2760, 684 each appear for two different executables), so correlate events by image name and parent rather than by PID alone.
pid Process 2348 hnnbhn.exe 2524 vpdjp.exe 2252 ppjpd.exe 1988 o868068.exe 2016 xxllrrx.exe 2764 9btbhh.exe 2900 httttt.exe 2628 nnbbnn.exe 2932 606246.exe 2760 pjvvj.exe 2620 k64062.exe 2696 hhbntb.exe 2140 hhbbnn.exe 2856 lfrlxxf.exe 2516 llxfrxf.exe 2824 3nhntb.exe 1560 nnnbnt.exe 1488 btnthn.exe 2964 26468.exe 2836 bhbhht.exe 2828 2206842.exe 2576 rlfrffr.exe 2272 ddvvj.exe 912 5jvdp.exe 684 pvppd.exe 1996 nnnntb.exe 1332 xlfflrf.exe 1676 xrxfllx.exe 484 hbhhtt.exe 2172 1jjpv.exe 2972 hbnthb.exe 2412 w80284.exe 2312 lllrlrf.exe 2540 2882240.exe 2520 4828262.exe 2548 7vjdj.exe 2572 jdvvd.exe 308 42668.exe 1840 dvvdj.exe 2776 hbbthn.exe 2880 fxrxrxl.exe 2932 0462408.exe 536 hbnnbh.exe 2760 fxxfxfx.exe 2736 flxxffx.exe 2340 g4846.exe 2308 04802.exe 2864 420606.exe 2092 q48428.exe 1992 vvvvj.exe 1920 7pdvj.exe 1216 00840.exe 1912 bbtbhh.exe 1772 0488668.exe 2188 fxllrxf.exe 548 fxrlffr.exe 2328 nhbnbn.exe 860 hhtbhn.exe 684 hbtntb.exe 1836 btnthh.exe 2160 dvvvd.exe 2904 080022.exe 900 bbtnbn.exe 2812 jdvdp.exe -
resource yara_rule behavioral1/memory/2348-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2324-10-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2252-32-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2900-69-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2140-120-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2412-293-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2160-478-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1912-428-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1912-423-0x00000000003A0000-0x00000000003CA000-memory.dmp upx behavioral1/memory/2760-367-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/308-334-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2548-321-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2548-316-0x0000000000320000-0x000000000034A000-memory.dmp upx behavioral1/memory/2520-307-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2312-294-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1332-245-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/684-228-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/912-224-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2272-208-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2828-191-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2836-188-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2964-173-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2824-154-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2516-140-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2856-136-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2620-103-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2932-86-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2628-83-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2764-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1988-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2524-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2972-497-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2220-522-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2620-613-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2620-620-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1992-627-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1176-640-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2556-798-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1232-823-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2160-983-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1712-996-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/356-1028-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2540-1053-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2552-1066-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3068-1115-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3004-1224-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2132-1237-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2976-1250-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location. Caveat: the key read here (HKLM\SYSTEM\ControlSet001\Control\NLS\Language) is also queried by ordinary locale-aware software, so this is a weak signal on its own; it is more meaningful here in combination with the Blackmoon memory matches. Entries attributed to "Process not Found" are most likely events whose originating process had already exited before the sandbox attributed them — plausible given how quickly each dropper spawns its successor and terminates.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language k80622.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 660280.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frxrrlx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language i202000.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 64680.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lllrlrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 42440.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6028440.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 204468.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language i644000.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfxfffl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 42068.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not 
Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrflrxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0804400.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 26080.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5pjjp.exe -
Suspicious use of WriteProcessMemory — 64 IoCs. In this trace every write targets the child the process has just spawned (2324→2348→2524→…, matching the Processes tree), which is consistent with process-creation-time writes rather than injection into an unrelated process; each event is also logged four times. Treat this as corroborating the dropper chain rather than as evidence of cross-process injection.
description pid Process procid_target PID 2324 wrote to memory of 2348 2324 8f4fa29200c65440a32f6e0998d47b7eea7a70dccc7d69d6002c67d7365cc074.exe 30 PID 2324 wrote to memory of 2348 2324 8f4fa29200c65440a32f6e0998d47b7eea7a70dccc7d69d6002c67d7365cc074.exe 30 PID 2324 wrote to memory of 2348 2324 8f4fa29200c65440a32f6e0998d47b7eea7a70dccc7d69d6002c67d7365cc074.exe 30 PID 2324 wrote to memory of 2348 2324 8f4fa29200c65440a32f6e0998d47b7eea7a70dccc7d69d6002c67d7365cc074.exe 30 PID 2348 wrote to memory of 2524 2348 hnnbhn.exe 31 PID 2348 wrote to memory of 2524 2348 hnnbhn.exe 31 PID 2348 wrote to memory of 2524 2348 hnnbhn.exe 31 PID 2348 wrote to memory of 2524 2348 hnnbhn.exe 31 PID 2524 wrote to memory of 2252 2524 vpdjp.exe 32 PID 2524 wrote to memory of 2252 2524 vpdjp.exe 32 PID 2524 wrote to memory of 2252 2524 vpdjp.exe 32 PID 2524 wrote to memory of 2252 2524 vpdjp.exe 32 PID 2252 wrote to memory of 1988 2252 ppjpd.exe 33 PID 2252 wrote to memory of 1988 2252 ppjpd.exe 33 PID 2252 wrote to memory of 1988 2252 ppjpd.exe 33 PID 2252 wrote to memory of 1988 2252 ppjpd.exe 33 PID 1988 wrote to memory of 2016 1988 o868068.exe 34 PID 1988 wrote to memory of 2016 1988 o868068.exe 34 PID 1988 wrote to memory of 2016 1988 o868068.exe 34 PID 1988 wrote to memory of 2016 1988 o868068.exe 34 PID 2016 wrote to memory of 2764 2016 xxllrrx.exe 35 PID 2016 wrote to memory of 2764 2016 xxllrrx.exe 35 PID 2016 wrote to memory of 2764 2016 xxllrrx.exe 35 PID 2016 wrote to memory of 2764 2016 xxllrrx.exe 35 PID 2764 wrote to memory of 2900 2764 9btbhh.exe 36 PID 2764 wrote to memory of 2900 2764 9btbhh.exe 36 PID 2764 wrote to memory of 2900 2764 9btbhh.exe 36 PID 2764 wrote to memory of 2900 2764 9btbhh.exe 36 PID 2900 wrote to memory of 2628 2900 httttt.exe 37 PID 2900 wrote to memory of 2628 2900 httttt.exe 37 PID 2900 wrote to memory of 2628 2900 httttt.exe 37 PID 2900 wrote to memory of 2628 2900 httttt.exe 37 PID 2628 wrote to memory of 2932 2628 nnbbnn.exe 38 PID 2628 
wrote to memory of 2932 2628 nnbbnn.exe 38 PID 2628 wrote to memory of 2932 2628 nnbbnn.exe 38 PID 2628 wrote to memory of 2932 2628 nnbbnn.exe 38 PID 2932 wrote to memory of 2760 2932 606246.exe 39 PID 2932 wrote to memory of 2760 2932 606246.exe 39 PID 2932 wrote to memory of 2760 2932 606246.exe 39 PID 2932 wrote to memory of 2760 2932 606246.exe 39 PID 2760 wrote to memory of 2620 2760 pjvvj.exe 40 PID 2760 wrote to memory of 2620 2760 pjvvj.exe 40 PID 2760 wrote to memory of 2620 2760 pjvvj.exe 40 PID 2760 wrote to memory of 2620 2760 pjvvj.exe 40 PID 2620 wrote to memory of 2696 2620 k64062.exe 41 PID 2620 wrote to memory of 2696 2620 k64062.exe 41 PID 2620 wrote to memory of 2696 2620 k64062.exe 41 PID 2620 wrote to memory of 2696 2620 k64062.exe 41 PID 2696 wrote to memory of 2140 2696 hhbntb.exe 42 PID 2696 wrote to memory of 2140 2696 hhbntb.exe 42 PID 2696 wrote to memory of 2140 2696 hhbntb.exe 42 PID 2696 wrote to memory of 2140 2696 hhbntb.exe 42 PID 2140 wrote to memory of 2856 2140 hhbbnn.exe 43 PID 2140 wrote to memory of 2856 2140 hhbbnn.exe 43 PID 2140 wrote to memory of 2856 2140 hhbbnn.exe 43 PID 2140 wrote to memory of 2856 2140 hhbbnn.exe 43 PID 2856 wrote to memory of 2516 2856 lfrlxxf.exe 44 PID 2856 wrote to memory of 2516 2856 lfrlxxf.exe 44 PID 2856 wrote to memory of 2516 2856 lfrlxxf.exe 44 PID 2856 wrote to memory of 2516 2856 lfrlxxf.exe 44 PID 2516 wrote to memory of 2824 2516 llxfrxf.exe 45 PID 2516 wrote to memory of 2824 2516 llxfrxf.exe 45 PID 2516 wrote to memory of 2824 2516 llxfrxf.exe 45 PID 2516 wrote to memory of 2824 2516 llxfrxf.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\8f4fa29200c65440a32f6e0998d47b7eea7a70dccc7d69d6002c67d7365cc074.exe"C:\Users\Admin\AppData\Local\Temp\8f4fa29200c65440a32f6e0998d47b7eea7a70dccc7d69d6002c67d7365cc074.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2324 -
\??\c:\hnnbhn.exec:\hnnbhn.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2348 -
\??\c:\vpdjp.exec:\vpdjp.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2524 -
\??\c:\ppjpd.exec:\ppjpd.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2252 -
\??\c:\o868068.exec:\o868068.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1988 -
\??\c:\xxllrrx.exec:\xxllrrx.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2016 -
\??\c:\9btbhh.exec:\9btbhh.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2764 -
\??\c:\httttt.exec:\httttt.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2900 -
\??\c:\nnbbnn.exec:\nnbbnn.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2628 -
\??\c:\606246.exec:\606246.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2932 -
\??\c:\pjvvj.exec:\pjvvj.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2760 -
\??\c:\k64062.exec:\k64062.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2620 -
\??\c:\hhbntb.exec:\hhbntb.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2696 -
\??\c:\hhbbnn.exec:\hhbbnn.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2140 -
\??\c:\lfrlxxf.exec:\lfrlxxf.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2856 -
\??\c:\llxfrxf.exec:\llxfrxf.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2516 -
\??\c:\3nhntb.exec:\3nhntb.exe17⤵
- Executes dropped EXE
PID:2824 -
\??\c:\nnnbnt.exec:\nnnbnt.exe18⤵
- Executes dropped EXE
PID:1560 -
\??\c:\btnthn.exec:\btnthn.exe19⤵
- Executes dropped EXE
PID:1488 -
\??\c:\26468.exec:\26468.exe20⤵
- Executes dropped EXE
PID:2964 -
\??\c:\bhbhht.exec:\bhbhht.exe21⤵
- Executes dropped EXE
PID:2836 -
\??\c:\2206842.exec:\2206842.exe22⤵
- Executes dropped EXE
PID:2828 -
\??\c:\rlfrffr.exec:\rlfrffr.exe23⤵
- Executes dropped EXE
PID:2576 -
\??\c:\ddvvj.exec:\ddvvj.exe24⤵
- Executes dropped EXE
PID:2272 -
\??\c:\5jvdp.exec:\5jvdp.exe25⤵
- Executes dropped EXE
PID:912 -
\??\c:\pvppd.exec:\pvppd.exe26⤵
- Executes dropped EXE
PID:684 -
\??\c:\nnnntb.exec:\nnnntb.exe27⤵
- Executes dropped EXE
PID:1996 -
\??\c:\xlfflrf.exec:\xlfflrf.exe28⤵
- Executes dropped EXE
PID:1332 -
\??\c:\xrxfllx.exec:\xrxfllx.exe29⤵
- Executes dropped EXE
PID:1676 -
\??\c:\hbhhtt.exec:\hbhhtt.exe30⤵
- Executes dropped EXE
PID:484 -
\??\c:\1jjpv.exec:\1jjpv.exe31⤵
- Executes dropped EXE
PID:2172 -
\??\c:\hbnthb.exec:\hbnthb.exe32⤵
- Executes dropped EXE
PID:2972 -
\??\c:\w80284.exec:\w80284.exe33⤵
- Executes dropped EXE
PID:2412 -
\??\c:\lllrlrf.exec:\lllrlrf.exe34⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2312 -
\??\c:\2882240.exec:\2882240.exe35⤵
- Executes dropped EXE
PID:2540 -
\??\c:\4828262.exec:\4828262.exe36⤵
- Executes dropped EXE
PID:2520 -
\??\c:\7vjdj.exec:\7vjdj.exe37⤵
- Executes dropped EXE
PID:2548 -
\??\c:\jdvvd.exec:\jdvvd.exe38⤵
- Executes dropped EXE
PID:2572 -
\??\c:\42668.exec:\42668.exe39⤵
- Executes dropped EXE
PID:308 -
\??\c:\dvvdj.exec:\dvvdj.exe40⤵
- Executes dropped EXE
PID:1840 -
\??\c:\hbbthn.exec:\hbbthn.exe41⤵
- Executes dropped EXE
PID:2776 -
\??\c:\fxrxrxl.exec:\fxrxrxl.exe42⤵
- Executes dropped EXE
PID:2880 -
\??\c:\0462408.exec:\0462408.exe43⤵
- Executes dropped EXE
PID:2932 -
\??\c:\hbnnbh.exec:\hbnnbh.exe44⤵
- Executes dropped EXE
PID:536 -
\??\c:\fxxfxfx.exec:\fxxfxfx.exe45⤵
- Executes dropped EXE
PID:2760 -
\??\c:\flxxffx.exec:\flxxffx.exe46⤵
- Executes dropped EXE
PID:2736 -
\??\c:\g4846.exec:\g4846.exe47⤵
- Executes dropped EXE
PID:2340 -
\??\c:\04802.exec:\04802.exe48⤵
- Executes dropped EXE
PID:2308 -
\??\c:\420606.exec:\420606.exe49⤵
- Executes dropped EXE
PID:2864 -
\??\c:\q48428.exec:\q48428.exe50⤵
- Executes dropped EXE
PID:2092 -
\??\c:\vvvvj.exec:\vvvvj.exe51⤵
- Executes dropped EXE
PID:1992 -
\??\c:\7pdvj.exec:\7pdvj.exe52⤵
- Executes dropped EXE
PID:1920 -
\??\c:\00840.exec:\00840.exe53⤵
- Executes dropped EXE
PID:1216 -
\??\c:\bbtbhh.exec:\bbtbhh.exe54⤵
- Executes dropped EXE
PID:1912 -
\??\c:\0488668.exec:\0488668.exe55⤵
- Executes dropped EXE
PID:1772 -
\??\c:\fxllrxf.exec:\fxllrxf.exe56⤵
- Executes dropped EXE
PID:2188 -
\??\c:\fxrlffr.exec:\fxrlffr.exe57⤵
- Executes dropped EXE
PID:548 -
\??\c:\nhbnbn.exec:\nhbnbn.exe58⤵
- Executes dropped EXE
PID:2328 -
\??\c:\hhtbhn.exec:\hhtbhn.exe59⤵
- Executes dropped EXE
PID:860 -
\??\c:\hbtntb.exec:\hbtntb.exe60⤵
- Executes dropped EXE
PID:684 -
\??\c:\btnthh.exec:\btnthh.exe61⤵
- Executes dropped EXE
PID:1836 -
\??\c:\dvvvd.exec:\dvvvd.exe62⤵
- Executes dropped EXE
PID:2160 -
\??\c:\080022.exec:\080022.exe63⤵
- Executes dropped EXE
PID:2904 -
\??\c:\bbtnbn.exec:\bbtnbn.exe64⤵
- Executes dropped EXE
PID:900 -
\??\c:\jdvdp.exec:\jdvdp.exe65⤵
- Executes dropped EXE
PID:2812 -
\??\c:\8262024.exec:\8262024.exe66⤵PID:2972
-
\??\c:\jdjjd.exec:\jdjjd.exe67⤵PID:1932
-
\??\c:\9rllllr.exec:\9rllllr.exe68⤵PID:980
-
\??\c:\ppdpv.exec:\ppdpv.exe69⤵PID:2220
-
\??\c:\djppd.exec:\djppd.exe70⤵PID:2372
-
\??\c:\08628.exec:\08628.exe71⤵PID:2216
-
\??\c:\0488408.exec:\0488408.exe72⤵PID:1584
-
\??\c:\o044668.exec:\o044668.exe73⤵PID:2524
-
\??\c:\rlffxxl.exec:\rlffxxl.exe74⤵PID:2080
-
\??\c:\ddvjd.exec:\ddvjd.exe75⤵PID:2776
-
\??\c:\fxrxfrf.exec:\fxrxfrf.exe76⤵PID:2044
-
\??\c:\3htttb.exec:\3htttb.exe77⤵PID:2420
-
\??\c:\xfxxlrf.exec:\xfxxlrf.exe78⤵PID:2368
-
\??\c:\82408.exec:\82408.exe79⤵PID:1316
-
\??\c:\thbhtn.exec:\thbhtn.exe80⤵PID:1148
-
\??\c:\frrlxrx.exec:\frrlxrx.exe81⤵PID:2628
-
\??\c:\rrlrfff.exec:\rrlrfff.exe82⤵PID:2988
-
\??\c:\lxrrflx.exec:\lxrrflx.exe83⤵PID:2920
-
\??\c:\0468002.exec:\0468002.exe84⤵PID:2384
-
\??\c:\1frrffl.exec:\1frrffl.exe85⤵PID:2620
-
\??\c:\6084668.exec:\6084668.exe86⤵PID:2652
-
\??\c:\888226.exec:\888226.exe87⤵PID:1992
-
\??\c:\4866264.exec:\4866264.exe88⤵PID:1176
-
\??\c:\1dvjp.exec:\1dvjp.exe89⤵PID:2448
-
\??\c:\a0840.exec:\a0840.exe90⤵PID:2472
-
\??\c:\664804.exec:\664804.exe91⤵PID:2576
-
\??\c:\thbnhb.exec:\thbnhb.exe92⤵PID:2860
-
\??\c:\k60684.exec:\k60684.exe93⤵PID:2720
-
\??\c:\0868440.exec:\0868440.exe94⤵PID:2964
-
\??\c:\646244.exec:\646244.exe95⤵PID:1792
-
\??\c:\hbnntb.exec:\hbnntb.exe96⤵PID:2748
-
\??\c:\86002.exec:\86002.exe97⤵PID:852
-
\??\c:\1dvdj.exec:\1dvdj.exe98⤵PID:3036
-
\??\c:\vpjpv.exec:\vpjpv.exe99⤵PID:2024
-
\??\c:\26080.exec:\26080.exe100⤵
- System Location Discovery: System Language Discovery
PID:2060 -
\??\c:\u200608.exec:\u200608.exe101⤵PID:2976
-
\??\c:\42068.exec:\42068.exe102⤵PID:408
-
\??\c:\3tnnbb.exec:\3tnnbb.exe103⤵PID:780
-
\??\c:\ttbbhn.exec:\ttbbhn.exe104⤵PID:1476
-
\??\c:\5vpvd.exec:\5vpvd.exe105⤵PID:2396
-
\??\c:\22242.exec:\22242.exe106⤵PID:3056
-
\??\c:\rfrxlfr.exec:\rfrxlfr.exe107⤵PID:2388
-
\??\c:\1hhhbh.exec:\1hhhbh.exe108⤵PID:2392
-
\??\c:\5fxfllr.exec:\5fxfllr.exe109⤵PID:984
-
\??\c:\w60488.exec:\w60488.exe110⤵PID:2456
-
\??\c:\bbnnnn.exec:\bbnnnn.exe111⤵PID:2208
-
\??\c:\42062.exec:\42062.exe112⤵PID:1380
-
\??\c:\42066.exec:\42066.exe113⤵PID:1120
-
\??\c:\i084044.exec:\i084044.exe114⤵PID:2236
-
\??\c:\3rflxxf.exec:\3rflxxf.exe115⤵PID:2556
-
\??\c:\ppdjv.exec:\ppdjv.exe116⤵PID:2064
-
\??\c:\0840628.exec:\0840628.exe117⤵PID:296
-
\??\c:\486248.exec:\486248.exe118⤵PID:1708
-
\??\c:\c206846.exec:\c206846.exe119⤵PID:1232
-
\??\c:\w86644.exec:\w86644.exe120⤵PID:2804
-
\??\c:\llrrrxf.exec:\llrrrxf.exe121⤵PID:2956
-
\??\c:\jdvvj.exec:\jdvvj.exe122⤵PID:2768