Analysis
-
max time kernel
120s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
08/01/2025, 04:57
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
5442698e6103071b1554e672d161d27d27e591595c356e58d32e93e3412ebd90N.exe
Resource
win7-20240903-en
7 signatures
120 seconds
General
-
Target
5442698e6103071b1554e672d161d27d27e591595c356e58d32e93e3412ebd90N.exe
-
Size
454KB
-
MD5
cb44d12bed4d2308ac57804dad74c860
-
SHA1
344b3cbfaf0756fbe228181578da754296b27977
-
SHA256
5442698e6103071b1554e672d161d27d27e591595c356e58d32e93e3412ebd90
-
SHA512
057b2acdf4aec8b2bb2788eae4c28427a72dc48b93a0bb6b6cdf010af02b674e4f2d08430bb6e4389eaf6cb7f58f2252dcfbd4d02bcbe5836889db11b2cd328b
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe6:q7Tc2NYHUrAwfMp3CD6
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload — 44 IoCs
resource yara_rule behavioral1/memory/2156-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2756-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2932-28-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2848-38-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2728-46-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2560-55-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2572-69-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1724-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1028-80-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2572-75-0x0000000000230000-0x000000000025A000-memory.dmp family_blackmoon behavioral1/memory/2400-88-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2460-104-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/820-114-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1844-122-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2320-131-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2536-159-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1032-174-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2408-183-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/2300-187-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1288-225-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1356-242-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/956-255-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1704-253-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2776-307-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2184-333-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2588-346-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2628-353-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3044-361-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1248-380-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2844-419-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2888-433-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1932-441-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2456-454-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2404-467-0x0000000001C50000-0x0000000001C7A000-memory.dmp family_blackmoon behavioral1/memory/792-648-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/576-658-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2652-671-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1904-692-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/856-718-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1736-846-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/2212-945-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2272-951-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon 
behavioral1/memory/1236-974-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2948-1016-0x0000000000230000-0x000000000025A000-memory.dmp family_blackmoon -
Executes dropped EXE — 64 IoCs
pid Process 2756 7frlrxx.exe 2932 9rlfrxl.exe 2848 7ntttb.exe 2728 frrxxrl.exe 2560 tnbhnt.exe 1724 xfxfflx.exe 2572 hnthht.exe 1028 1vppv.exe 2400 vpjpd.exe 2460 rrflrxf.exe 820 jjdvd.exe 1844 btnthh.exe 2320 ffxflrf.exe 2900 hhbhbn.exe 1784 rlffrfl.exe 2000 rrlfxfx.exe 2536 dvppj.exe 1032 jvppd.exe 2408 btntbn.exe 2300 5jpdd.exe 1108 5bhntb.exe 404 rrlxllf.exe 1860 bhnhtb.exe 1288 5lfxlrx.exe 676 tnhnbn.exe 1356 vpdjd.exe 1704 lfrfrff.exe 956 5jjjv.exe 2972 1pjdv.exe 3032 btbnbh.exe 2476 rllxxxr.exe 884 9jjdp.exe 2748 fxxfrxr.exe 2776 nnnhbn.exe 2664 dvdjp.exe 2720 djvvd.exe 2676 lxfffrx.exe 2184 hbthnn.exe 2604 5pppd.exe 2588 7dpdj.exe 2628 7rxxxxf.exe 3044 3hbnbh.exe 532 dpvpp.exe 1492 rlffflr.exe 1248 nbttnt.exe 544 vdpvd.exe 2400 vdpvj.exe 2860 xllflrr.exe 900 5httbb.exe 2036 dvppv.exe 1844 fxrrrfx.exe 2844 bbnbhn.exe 2888 pjdjj.exe 1932 1vjjp.exe 1800 xxxfffr.exe 2456 nbttbb.exe 2956 dpppp.exe 2404 xffrxxl.exe 2228 7nhtnb.exe 2264 ppjpd.exe 1204 1frrxxl.exe 840 7htbth.exe 444 7bbbnt.exe 1684 1djjv.exe -
resource yara_rule behavioral1/memory/2156-0-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2156-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2756-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2932-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2848-38-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2728-46-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1724-58-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2560-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2572-69-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1724-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1028-80-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2400-88-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2460-104-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/820-114-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1844-122-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2320-131-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2536-159-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1032-174-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2300-187-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1288-225-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1356-242-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/956-255-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1704-253-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2476-279-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2776-307-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2676-320-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2184-333-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2588-346-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2628-353-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3044-361-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1248-380-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2844-419-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2888-433-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1932-441-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2456-454-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1580-512-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2872-624-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2424-791-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/676-805-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2304-831-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1736-846-0x0000000000320000-0x000000000034A000-memory.dmp upx behavioral1/memory/1920-931-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1236-974-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2264-1036-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1068-1088-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2916-1137-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2912-1163-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1492-1213-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2624-1269-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery — 1 TTP, 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5djpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9lflrlx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5jvdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrlfrfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxflxfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvdpv.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhnhnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xffxrxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrrxrxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfxflrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfxlrxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5frrxfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pppvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxxrlxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrxxxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5nthbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thhbhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bthhhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxrlxlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvpvj.exe -
Suspicious use of WriteProcessMemory — 64 IoCs
description pid Process procid_target PID 2156 wrote to memory of 2756 2156 5442698e6103071b1554e672d161d27d27e591595c356e58d32e93e3412ebd90N.exe 30 PID 2156 wrote to memory of 2756 2156 5442698e6103071b1554e672d161d27d27e591595c356e58d32e93e3412ebd90N.exe 30 PID 2156 wrote to memory of 2756 2156 5442698e6103071b1554e672d161d27d27e591595c356e58d32e93e3412ebd90N.exe 30 PID 2156 wrote to memory of 2756 2156 5442698e6103071b1554e672d161d27d27e591595c356e58d32e93e3412ebd90N.exe 30 PID 2756 wrote to memory of 2932 2756 7frlrxx.exe 31 PID 2756 wrote to memory of 2932 2756 7frlrxx.exe 31 PID 2756 wrote to memory of 2932 2756 7frlrxx.exe 31 PID 2756 wrote to memory of 2932 2756 7frlrxx.exe 31 PID 2932 wrote to memory of 2848 2932 9rlfrxl.exe 32 PID 2932 wrote to memory of 2848 2932 9rlfrxl.exe 32 PID 2932 wrote to memory of 2848 2932 9rlfrxl.exe 32 PID 2932 wrote to memory of 2848 2932 9rlfrxl.exe 32 PID 2848 wrote to memory of 2728 2848 7ntttb.exe 33 PID 2848 wrote to memory of 2728 2848 7ntttb.exe 33 PID 2848 wrote to memory of 2728 2848 7ntttb.exe 33 PID 2848 wrote to memory of 2728 2848 7ntttb.exe 33 PID 2728 wrote to memory of 2560 2728 frrxxrl.exe 34 PID 2728 wrote to memory of 2560 2728 frrxxrl.exe 34 PID 2728 wrote to memory of 2560 2728 frrxxrl.exe 34 PID 2728 wrote to memory of 2560 2728 frrxxrl.exe 34 PID 2560 wrote to memory of 1724 2560 tnbhnt.exe 35 PID 2560 wrote to memory of 1724 2560 tnbhnt.exe 35 PID 2560 wrote to memory of 1724 2560 tnbhnt.exe 35 PID 2560 wrote to memory of 1724 2560 tnbhnt.exe 35 PID 1724 wrote to memory of 2572 1724 xfxfflx.exe 36 PID 1724 wrote to memory of 2572 1724 xfxfflx.exe 36 PID 1724 wrote to memory of 2572 1724 xfxfflx.exe 36 PID 1724 wrote to memory of 2572 1724 xfxfflx.exe 36 PID 2572 wrote to memory of 1028 2572 hnthht.exe 37 PID 2572 wrote to memory of 1028 2572 hnthht.exe 37 PID 2572 wrote to memory of 1028 2572 hnthht.exe 37 PID 2572 wrote to memory of 1028 2572 hnthht.exe 37 PID 1028 wrote to memory of 2400 1028 
1vppv.exe 38 PID 1028 wrote to memory of 2400 1028 1vppv.exe 38 PID 1028 wrote to memory of 2400 1028 1vppv.exe 38 PID 1028 wrote to memory of 2400 1028 1vppv.exe 38 PID 2400 wrote to memory of 2460 2400 vpjpd.exe 39 PID 2400 wrote to memory of 2460 2400 vpjpd.exe 39 PID 2400 wrote to memory of 2460 2400 vpjpd.exe 39 PID 2400 wrote to memory of 2460 2400 vpjpd.exe 39 PID 2460 wrote to memory of 820 2460 rrflrxf.exe 40 PID 2460 wrote to memory of 820 2460 rrflrxf.exe 40 PID 2460 wrote to memory of 820 2460 rrflrxf.exe 40 PID 2460 wrote to memory of 820 2460 rrflrxf.exe 40 PID 820 wrote to memory of 1844 820 jjdvd.exe 41 PID 820 wrote to memory of 1844 820 jjdvd.exe 41 PID 820 wrote to memory of 1844 820 jjdvd.exe 41 PID 820 wrote to memory of 1844 820 jjdvd.exe 41 PID 1844 wrote to memory of 2320 1844 btnthh.exe 42 PID 1844 wrote to memory of 2320 1844 btnthh.exe 42 PID 1844 wrote to memory of 2320 1844 btnthh.exe 42 PID 1844 wrote to memory of 2320 1844 btnthh.exe 42 PID 2320 wrote to memory of 2900 2320 ffxflrf.exe 43 PID 2320 wrote to memory of 2900 2320 ffxflrf.exe 43 PID 2320 wrote to memory of 2900 2320 ffxflrf.exe 43 PID 2320 wrote to memory of 2900 2320 ffxflrf.exe 43 PID 2900 wrote to memory of 1784 2900 hhbhbn.exe 44 PID 2900 wrote to memory of 1784 2900 hhbhbn.exe 44 PID 2900 wrote to memory of 1784 2900 hhbhbn.exe 44 PID 2900 wrote to memory of 1784 2900 hhbhbn.exe 44 PID 1784 wrote to memory of 2000 1784 rlffrfl.exe 45 PID 1784 wrote to memory of 2000 1784 rlffrfl.exe 45 PID 1784 wrote to memory of 2000 1784 rlffrfl.exe 45 PID 1784 wrote to memory of 2000 1784 rlffrfl.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\5442698e6103071b1554e672d161d27d27e591595c356e58d32e93e3412ebd90N.exe"C:\Users\Admin\AppData\Local\Temp\5442698e6103071b1554e672d161d27d27e591595c356e58d32e93e3412ebd90N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2156 -
\??\c:\7frlrxx.exec:\7frlrxx.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2756 -
\??\c:\9rlfrxl.exec:\9rlfrxl.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2932 -
\??\c:\7ntttb.exec:\7ntttb.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2848 -
\??\c:\frrxxrl.exec:\frrxxrl.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2728 -
\??\c:\tnbhnt.exec:\tnbhnt.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2560 -
\??\c:\xfxfflx.exec:\xfxfflx.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1724 -
\??\c:\hnthht.exec:\hnthht.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2572 -
\??\c:\1vppv.exec:\1vppv.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1028 -
\??\c:\vpjpd.exec:\vpjpd.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2400 -
\??\c:\rrflrxf.exec:\rrflrxf.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2460 -
\??\c:\jjdvd.exec:\jjdvd.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:820 -
\??\c:\btnthh.exec:\btnthh.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1844 -
\??\c:\ffxflrf.exec:\ffxflrf.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2320 -
\??\c:\hhbhbn.exec:\hhbhbn.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2900 -
\??\c:\rlffrfl.exec:\rlffrfl.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1784 -
\??\c:\rrlfxfx.exec:\rrlfxfx.exe17⤵
- Executes dropped EXE
PID:2000 -
\??\c:\dvppj.exec:\dvppj.exe18⤵
- Executes dropped EXE
PID:2536 -
\??\c:\jvppd.exec:\jvppd.exe19⤵
- Executes dropped EXE
PID:1032 -
\??\c:\btntbn.exec:\btntbn.exe20⤵
- Executes dropped EXE
PID:2408 -
\??\c:\5jpdd.exec:\5jpdd.exe21⤵
- Executes dropped EXE
PID:2300 -
\??\c:\5bhntb.exec:\5bhntb.exe22⤵
- Executes dropped EXE
PID:1108 -
\??\c:\rrlxllf.exec:\rrlxllf.exe23⤵
- Executes dropped EXE
PID:404 -
\??\c:\bhnhtb.exec:\bhnhtb.exe24⤵
- Executes dropped EXE
PID:1860 -
\??\c:\5lfxlrx.exec:\5lfxlrx.exe25⤵
- Executes dropped EXE
PID:1288 -
\??\c:\tnhnbn.exec:\tnhnbn.exe26⤵
- Executes dropped EXE
PID:676 -
\??\c:\vpdjd.exec:\vpdjd.exe27⤵
- Executes dropped EXE
PID:1356 -
\??\c:\lfrfrff.exec:\lfrfrff.exe28⤵
- Executes dropped EXE
PID:1704 -
\??\c:\5jjjv.exec:\5jjjv.exe29⤵
- Executes dropped EXE
PID:956 -
\??\c:\1pjdv.exec:\1pjdv.exe30⤵
- Executes dropped EXE
PID:2972 -
\??\c:\btbnbh.exec:\btbnbh.exe31⤵
- Executes dropped EXE
PID:3032 -
\??\c:\rllxxxr.exec:\rllxxxr.exe32⤵
- Executes dropped EXE
PID:2476 -
\??\c:\9jjdp.exec:\9jjdp.exe33⤵
- Executes dropped EXE
PID:884 -
\??\c:\fxxfrxr.exec:\fxxfrxr.exe34⤵
- Executes dropped EXE
PID:2748 -
\??\c:\nnnhbn.exec:\nnnhbn.exe35⤵
- Executes dropped EXE
PID:2776 -
\??\c:\dvdjp.exec:\dvdjp.exe36⤵
- Executes dropped EXE
PID:2664 -
\??\c:\djvvd.exec:\djvvd.exe37⤵
- Executes dropped EXE
PID:2720 -
\??\c:\lxfffrx.exec:\lxfffrx.exe38⤵
- Executes dropped EXE
PID:2676 -
\??\c:\hbthnn.exec:\hbthnn.exe39⤵
- Executes dropped EXE
PID:2184 -
\??\c:\5pppd.exec:\5pppd.exe40⤵
- Executes dropped EXE
PID:2604 -
\??\c:\7dpdj.exec:\7dpdj.exe41⤵
- Executes dropped EXE
PID:2588 -
\??\c:\7rxxxxf.exec:\7rxxxxf.exe42⤵
- Executes dropped EXE
PID:2628 -
\??\c:\3hbnbh.exec:\3hbnbh.exe43⤵
- Executes dropped EXE
PID:3044 -
\??\c:\dpvpp.exec:\dpvpp.exe44⤵
- Executes dropped EXE
PID:532 -
\??\c:\rlffflr.exec:\rlffflr.exe45⤵
- Executes dropped EXE
PID:1492 -
\??\c:\nbttnt.exec:\nbttnt.exe46⤵
- Executes dropped EXE
PID:1248 -
\??\c:\vdpvd.exec:\vdpvd.exe47⤵
- Executes dropped EXE
PID:544 -
\??\c:\vdpvj.exec:\vdpvj.exe48⤵
- Executes dropped EXE
PID:2400 -
\??\c:\xllflrr.exec:\xllflrr.exe49⤵
- Executes dropped EXE
PID:2860 -
\??\c:\5httbb.exec:\5httbb.exe50⤵
- Executes dropped EXE
PID:900 -
\??\c:\dvppv.exec:\dvppv.exe51⤵
- Executes dropped EXE
PID:2036 -
\??\c:\fxrrrfx.exec:\fxrrrfx.exe52⤵
- Executes dropped EXE
PID:1844 -
\??\c:\bbnbhn.exec:\bbnbhn.exe53⤵
- Executes dropped EXE
PID:2844 -
\??\c:\pjdjj.exec:\pjdjj.exe54⤵
- Executes dropped EXE
PID:2888 -
\??\c:\1vjjp.exec:\1vjjp.exe55⤵
- Executes dropped EXE
PID:1932 -
\??\c:\xxxfffr.exec:\xxxfffr.exe56⤵
- Executes dropped EXE
PID:1800 -
\??\c:\nbttbb.exec:\nbttbb.exe57⤵
- Executes dropped EXE
PID:2456 -
\??\c:\dpppp.exec:\dpppp.exe58⤵
- Executes dropped EXE
PID:2956 -
\??\c:\xffrxxl.exec:\xffrxxl.exe59⤵
- Executes dropped EXE
PID:2404 -
\??\c:\7nhtnb.exec:\7nhtnb.exe60⤵
- Executes dropped EXE
PID:2228 -
\??\c:\ppjpd.exec:\ppjpd.exe61⤵
- Executes dropped EXE
PID:2264 -
\??\c:\1frrxxl.exec:\1frrxxl.exe62⤵
- Executes dropped EXE
PID:1204 -
\??\c:\7htbth.exec:\7htbth.exe63⤵
- Executes dropped EXE
PID:840 -
\??\c:\7bbbnt.exec:\7bbbnt.exe64⤵
- Executes dropped EXE
PID:444 -
\??\c:\1djjv.exec:\1djjv.exe65⤵
- Executes dropped EXE
PID:1684 -
\??\c:\frxrxrx.exec:\frxrxrx.exe66⤵PID:2424
-
\??\c:\ththnn.exec:\ththnn.exe67⤵PID:1580
-
\??\c:\ddpvj.exec:\ddpvj.exe68⤵PID:1600
-
\??\c:\rxxrlxr.exec:\rxxrlxr.exe69⤵
- System Location Discovery: System Language Discovery
PID:1540 -
\??\c:\5nnttb.exec:\5nnttb.exe70⤵PID:924
-
\??\c:\bthnbb.exec:\bthnbb.exe71⤵PID:2140
-
\??\c:\pppvj.exec:\pppvj.exe72⤵PID:2144
-
\??\c:\frrxllx.exec:\frrxllx.exe73⤵PID:1488
-
\??\c:\flrfxfx.exec:\flrfxfx.exe74⤵PID:1000
-
\??\c:\nnnbnt.exec:\nnnbnt.exe75⤵PID:2524
-
\??\c:\9dppj.exec:\9dppj.exe76⤵PID:2416
-
\??\c:\xfxlflx.exec:\xfxlflx.exe77⤵PID:2916
-
\??\c:\ffxxffx.exec:\ffxxffx.exe78⤵PID:2772
-
\??\c:\nntbnb.exec:\nntbnb.exe79⤵PID:2740
-
\??\c:\pddvp.exec:\pddvp.exe80⤵PID:1692
-
\??\c:\1rrfxrf.exec:\1rrfxrf.exe81⤵PID:2928
-
\??\c:\9xrxlrf.exec:\9xrxlrf.exe82⤵PID:2584
-
\??\c:\bbnbht.exec:\bbnbht.exe83⤵PID:2808
-
\??\c:\ppjvj.exec:\ppjvj.exe84⤵PID:2568
-
\??\c:\rllrflf.exec:\rllrflf.exe85⤵PID:2872
-
\??\c:\xxfrlxr.exec:\xxfrlxr.exe86⤵PID:3008
-
\??\c:\nnhhtb.exec:\nnhhtb.exe87⤵PID:3016
-
\??\c:\vpjjp.exec:\vpjjp.exe88⤵PID:792
-
\??\c:\dvdpp.exec:\dvdpp.exe89⤵PID:576
-
\??\c:\llllxxl.exec:\llllxxl.exe90⤵PID:2208
-
\??\c:\3hhbtn.exec:\3hhbtn.exe91⤵PID:2652
-
\??\c:\9ppjv.exec:\9ppjv.exe92⤵PID:2176
-
\??\c:\rlfrllx.exec:\rlfrllx.exe93⤵PID:1344
-
\??\c:\nbnbbh.exec:\nbnbbh.exe94⤵PID:1904
-
\??\c:\5jpdv.exec:\5jpdv.exe95⤵PID:2056
-
\??\c:\jjvjv.exec:\jjvjv.exe96⤵PID:2328
-
\??\c:\rrlxrxx.exec:\rrlxrxx.exe97⤵PID:2596
-
\??\c:\1ttbth.exec:\1ttbth.exe98⤵PID:856
-
\??\c:\dvvdj.exec:\dvvdj.exe99⤵PID:1784
-
\??\c:\vvjpd.exec:\vvjpd.exe100⤵PID:2760
-
\??\c:\xrllxxf.exec:\xrllxxf.exe101⤵PID:2128
-
\??\c:\5tttbb.exec:\5tttbb.exe102⤵PID:2340
-
\??\c:\tnhbth.exec:\tnhbth.exe103⤵PID:2108
-
\??\c:\jdvdd.exec:\jdvdd.exe104⤵PID:2112
-
\??\c:\lfxlrxl.exec:\lfxlrxl.exe105⤵
- System Location Discovery: System Language Discovery
PID:1664 -
\??\c:\7tnbth.exec:\7tnbth.exe106⤵PID:1500
-
\??\c:\hhthnn.exec:\hhthnn.exe107⤵PID:276
-
\??\c:\pdjvj.exec:\pdjvj.exe108⤵PID:2192
-
\??\c:\7rlrlll.exec:\7rlrlll.exe109⤵PID:404
-
\??\c:\ntbhbh.exec:\ntbhbh.exe110⤵PID:1340
-
\??\c:\ppvpv.exec:\ppvpv.exe111⤵PID:2424
-
\??\c:\dddjd.exec:\dddjd.exe112⤵PID:1580
-
\??\c:\xlrxrxx.exec:\xlrxrxx.exe113⤵PID:676
-
\??\c:\jjjpd.exec:\jjjpd.exe114⤵PID:1704
-
\??\c:\rfrllfx.exec:\rfrllfx.exe115⤵PID:652
-
\??\c:\hbtnhn.exec:\hbtnhn.exe116⤵PID:2356
-
\??\c:\vpvdp.exec:\vpvdp.exe117⤵PID:2304
-
\??\c:\9dpdp.exec:\9dpdp.exe118⤵PID:3032
-
\??\c:\7xlxflf.exec:\7xlxflf.exe119⤵PID:1736
-
\??\c:\xffxrxr.exec:\xffxrxr.exe120⤵PID:1296
-
\??\c:\hnnbnh.exec:\hnnbnh.exe121⤵PID:2788
-
\??\c:\jjjvd.exec:\jjjvd.exe122⤵PID:2792