Analysis
-
max time kernel
150s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
08/01/2025, 05:14
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
998c61dcd8a4736dc5309e0a618e3f24e04205711f02133e7765910c826c6d31.exe
Resource
win7-20240903-en
7 signatures
150 seconds
General
-
Target
998c61dcd8a4736dc5309e0a618e3f24e04205711f02133e7765910c826c6d31.exe
-
Size
455KB
-
MD5
bcd0f66fa1c1e3f79613b76df340bacc
-
SHA1
707fae71aa8138faa299a140e6962175c7524018
-
SHA256
998c61dcd8a4736dc5309e0a618e3f24e04205711f02133e7765910c826c6d31
-
SHA512
dd636eecf5e6047e601d5a981b231916191efd9478789f4bd45a40487780efe85699b47a44589ba1c7b6bef6e5dcda221e878886758e968d4a43d83123db4591
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbed:q7Tc2NYHUrAwfMp3CDd
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 38 IoCs
resource yara_rule behavioral1/memory/1316-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2716-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2840-26-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2868-41-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1856-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1856-33-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2844-49-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2844-52-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2604-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3000-76-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1980-86-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/572-96-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/856-113-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1988-122-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1632-133-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1552-142-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2312-153-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/784-162-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2180-189-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/784-200-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2956-198-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/1812-211-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1524-221-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2460-253-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2216-280-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2216-283-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2944-324-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2780-352-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2428-366-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2428-365-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1468-379-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2644-386-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2904-400-0x0000000000430000-0x000000000045A000-memory.dmp family_blackmoon behavioral1/memory/2904-398-0x0000000000430000-0x000000000045A000-memory.dmp family_blackmoon behavioral1/memory/1552-432-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1984-482-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2336-539-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2848-604-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs (note: PIDs are reused within this run — 572, 1316, 1552, 2556 and 2956 each appear below for two different images — so correlate on image name plus start order, not on PID alone)
pid Process 2716 lflxfll.exe 2840 bththn.exe 1856 ddvpj.exe 2868 nnhnnb.exe 2844 vvpdp.exe 2604 rrllrrf.exe 3000 vjddj.exe 1980 ddvdv.exe 572 fxlrxfr.exe 2880 vddpj.exe 856 lrfrxlx.exe 1988 hbtbtb.exe 1632 vdvvd.exe 1552 dvvdv.exe 2312 lxlllfl.exe 784 vpvvd.exe 2556 rxrxlrf.exe 1160 pjvjj.exe 2180 lffrrxr.exe 2956 vdpdp.exe 2536 fffrflf.exe 1812 ppjvj.exe 1524 ffrrxxl.exe 2052 hbtnbh.exe 1700 fxrlxxr.exe 2460 jjvdp.exe 2204 7ffrllf.exe 1764 nbbbnt.exe 2064 dvpjj.exe 2216 5hthnb.exe 892 pdvdp.exe 1316 hhttbh.exe 2788 ppjdj.exe 2804 rlxxflr.exe 2944 1hhbhh.exe 2700 tnhntt.exe 3044 5vpjv.exe 2768 xxxllxr.exe 2780 hbntbh.exe 2652 ddjdp.exe 2428 lrlxffx.exe 1564 ffxfxxl.exe 1468 9btnbh.exe 2644 dpjvp.exe 572 lrrxlrf.exe 2904 3rllrxf.exe 2004 1bhbht.exe 1920 pjpvj.exe 1716 lllxrxl.exe 1968 hhhthn.exe 1552 pvpdj.exe 2384 jjdjv.exe 2544 xfxrlrf.exe 1760 nhhthn.exe 2420 dvvdj.exe 2556 fxrrllr.exe 2164 rxxlfxf.exe 2948 ttbhbn.exe 1984 jpppd.exe 2956 dddpj.exe 2276 fxxrrfx.exe 832 btnthh.exe 1344 vvvdp.exe 1600 rlflrxl.exe -
resource yara_rule behavioral1/memory/1316-0-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1316-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2716-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2840-26-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2868-41-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1856-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2844-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2844-52-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2604-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1980-77-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3000-76-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1980-86-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/572-96-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1988-114-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/856-113-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1988-122-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1552-134-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1632-133-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1552-142-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/784-154-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2312-153-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/784-162-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1160-172-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2180-189-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2536-201-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2956-198-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1812-211-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1524-221-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2460-253-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2216-280-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2944-324-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2700-326-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2780-352-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2652-353-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2428-365-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1468-379-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2644-386-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2904-398-0x0000000000430000-0x000000000045A000-memory.dmp upx behavioral1/memory/1552-432-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1984-482-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2852-540-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2336-539-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2788-591-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2848-604-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2508-635-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2888-669-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2144-747-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1784-835-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2320-848-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host (ATT&CK T1614.001). Observed here as opens of the HKLM\SYSTEM\ControlSet001\Control\NLS\Language key; most entries are attributed to "Process not Found", which typically means the short-lived dropped process had already exited before the sandbox could resolve its PID, so per-process attribution in this list is incomplete.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9jdpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlfxffr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvvdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdddj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrrlllx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlxfxfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lllrlrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process 
not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3lxxxfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjpvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxfflll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbhbht.exe -
Suspicious use of WriteProcessMemory 64 IoCs (each parent writes four times into the child it has just spawned, forming a linear chain sample → lflxfll.exe → bththn.exe → …; with the 64-IoC cap only the first sixteen parent→child hops are listed, which is why the tree below stops flagging this behaviour after PID 2312)
description pid Process procid_target PID 1316 wrote to memory of 2716 1316 998c61dcd8a4736dc5309e0a618e3f24e04205711f02133e7765910c826c6d31.exe 30 PID 1316 wrote to memory of 2716 1316 998c61dcd8a4736dc5309e0a618e3f24e04205711f02133e7765910c826c6d31.exe 30 PID 1316 wrote to memory of 2716 1316 998c61dcd8a4736dc5309e0a618e3f24e04205711f02133e7765910c826c6d31.exe 30 PID 1316 wrote to memory of 2716 1316 998c61dcd8a4736dc5309e0a618e3f24e04205711f02133e7765910c826c6d31.exe 30 PID 2716 wrote to memory of 2840 2716 lflxfll.exe 31 PID 2716 wrote to memory of 2840 2716 lflxfll.exe 31 PID 2716 wrote to memory of 2840 2716 lflxfll.exe 31 PID 2716 wrote to memory of 2840 2716 lflxfll.exe 31 PID 2840 wrote to memory of 1856 2840 bththn.exe 32 PID 2840 wrote to memory of 1856 2840 bththn.exe 32 PID 2840 wrote to memory of 1856 2840 bththn.exe 32 PID 2840 wrote to memory of 1856 2840 bththn.exe 32 PID 1856 wrote to memory of 2868 1856 ddvpj.exe 33 PID 1856 wrote to memory of 2868 1856 ddvpj.exe 33 PID 1856 wrote to memory of 2868 1856 ddvpj.exe 33 PID 1856 wrote to memory of 2868 1856 ddvpj.exe 33 PID 2868 wrote to memory of 2844 2868 nnhnnb.exe 34 PID 2868 wrote to memory of 2844 2868 nnhnnb.exe 34 PID 2868 wrote to memory of 2844 2868 nnhnnb.exe 34 PID 2868 wrote to memory of 2844 2868 nnhnnb.exe 34 PID 2844 wrote to memory of 2604 2844 vvpdp.exe 35 PID 2844 wrote to memory of 2604 2844 vvpdp.exe 35 PID 2844 wrote to memory of 2604 2844 vvpdp.exe 35 PID 2844 wrote to memory of 2604 2844 vvpdp.exe 35 PID 2604 wrote to memory of 3000 2604 rrllrrf.exe 36 PID 2604 wrote to memory of 3000 2604 rrllrrf.exe 36 PID 2604 wrote to memory of 3000 2604 rrllrrf.exe 36 PID 2604 wrote to memory of 3000 2604 rrllrrf.exe 36 PID 3000 wrote to memory of 1980 3000 vjddj.exe 37 PID 3000 wrote to memory of 1980 3000 vjddj.exe 37 PID 3000 wrote to memory of 1980 3000 vjddj.exe 37 PID 3000 wrote to memory of 1980 3000 vjddj.exe 37 PID 1980 wrote to memory of 572 1980 ddvdv.exe 38 PID 1980 wrote to 
memory of 572 1980 ddvdv.exe 38 PID 1980 wrote to memory of 572 1980 ddvdv.exe 38 PID 1980 wrote to memory of 572 1980 ddvdv.exe 38 PID 572 wrote to memory of 2880 572 fxlrxfr.exe 39 PID 572 wrote to memory of 2880 572 fxlrxfr.exe 39 PID 572 wrote to memory of 2880 572 fxlrxfr.exe 39 PID 572 wrote to memory of 2880 572 fxlrxfr.exe 39 PID 2880 wrote to memory of 856 2880 vddpj.exe 40 PID 2880 wrote to memory of 856 2880 vddpj.exe 40 PID 2880 wrote to memory of 856 2880 vddpj.exe 40 PID 2880 wrote to memory of 856 2880 vddpj.exe 40 PID 856 wrote to memory of 1988 856 lrfrxlx.exe 41 PID 856 wrote to memory of 1988 856 lrfrxlx.exe 41 PID 856 wrote to memory of 1988 856 lrfrxlx.exe 41 PID 856 wrote to memory of 1988 856 lrfrxlx.exe 41 PID 1988 wrote to memory of 1632 1988 hbtbtb.exe 42 PID 1988 wrote to memory of 1632 1988 hbtbtb.exe 42 PID 1988 wrote to memory of 1632 1988 hbtbtb.exe 42 PID 1988 wrote to memory of 1632 1988 hbtbtb.exe 42 PID 1632 wrote to memory of 1552 1632 vdvvd.exe 43 PID 1632 wrote to memory of 1552 1632 vdvvd.exe 43 PID 1632 wrote to memory of 1552 1632 vdvvd.exe 43 PID 1632 wrote to memory of 1552 1632 vdvvd.exe 43 PID 1552 wrote to memory of 2312 1552 dvvdv.exe 44 PID 1552 wrote to memory of 2312 1552 dvvdv.exe 44 PID 1552 wrote to memory of 2312 1552 dvvdv.exe 44 PID 1552 wrote to memory of 2312 1552 dvvdv.exe 44 PID 2312 wrote to memory of 784 2312 lxlllfl.exe 45 PID 2312 wrote to memory of 784 2312 lxlllfl.exe 45 PID 2312 wrote to memory of 784 2312 lxlllfl.exe 45 PID 2312 wrote to memory of 784 2312 lxlllfl.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\998c61dcd8a4736dc5309e0a618e3f24e04205711f02133e7765910c826c6d31.exe — command line: "C:\Users\Admin\AppData\Local\Temp\998c61dcd8a4736dc5309e0a618e3f24e04205711f02133e7765910c826c6d31.exe" — depth 1
- Suspicious use of WriteProcessMemory
PID:1316 -
\??\c:\lflxfll.exec:\lflxfll.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2716 -
\??\c:\bththn.exec:\bththn.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2840 -
\??\c:\ddvpj.exec:\ddvpj.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1856 -
\??\c:\nnhnnb.exec:\nnhnnb.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2868 -
\??\c:\vvpdp.exec:\vvpdp.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2844 -
\??\c:\rrllrrf.exec:\rrllrrf.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2604 -
\??\c:\vjddj.exec:\vjddj.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3000 -
\??\c:\ddvdv.exec:\ddvdv.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1980 -
\??\c:\fxlrxfr.exec:\fxlrxfr.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:572 -
\??\c:\vddpj.exec:\vddpj.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2880 -
\??\c:\lrfrxlx.exec:\lrfrxlx.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:856 -
\??\c:\hbtbtb.exec:\hbtbtb.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1988 -
\??\c:\vdvvd.exec:\vdvvd.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1632 -
\??\c:\dvvdv.exec:\dvvdv.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1552 -
\??\c:\lxlllfl.exec:\lxlllfl.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2312 -
\??\c:\vpvvd.exec:\vpvvd.exe17⤵
- Executes dropped EXE
PID:784 -
\??\c:\rxrxlrf.exec:\rxrxlrf.exe18⤵
- Executes dropped EXE
PID:2556 -
\??\c:\pjvjj.exec:\pjvjj.exe19⤵
- Executes dropped EXE
PID:1160 -
\??\c:\lffrrxr.exec:\lffrrxr.exe20⤵
- Executes dropped EXE
PID:2180 -
\??\c:\vdpdp.exec:\vdpdp.exe21⤵
- Executes dropped EXE
PID:2956 -
\??\c:\fffrflf.exec:\fffrflf.exe22⤵
- Executes dropped EXE
PID:2536 -
\??\c:\ppjvj.exec:\ppjvj.exe23⤵
- Executes dropped EXE
PID:1812 -
\??\c:\ffrrxxl.exec:\ffrrxxl.exe24⤵
- Executes dropped EXE
PID:1524 -
\??\c:\hbtnbh.exec:\hbtnbh.exe25⤵
- Executes dropped EXE
PID:2052 -
\??\c:\fxrlxxr.exec:\fxrlxxr.exe26⤵
- Executes dropped EXE
PID:1700 -
\??\c:\jjvdp.exec:\jjvdp.exe27⤵
- Executes dropped EXE
PID:2460 -
\??\c:\7ffrllf.exec:\7ffrllf.exe28⤵
- Executes dropped EXE
PID:2204 -
\??\c:\nbbbnt.exec:\nbbbnt.exe29⤵
- Executes dropped EXE
PID:1764 -
\??\c:\dvpjj.exec:\dvpjj.exe30⤵
- Executes dropped EXE
PID:2064 -
\??\c:\5hthnb.exec:\5hthnb.exe31⤵
- Executes dropped EXE
PID:2216 -
\??\c:\pdvdp.exec:\pdvdp.exe32⤵
- Executes dropped EXE
PID:892 -
\??\c:\hhttbh.exec:\hhttbh.exe33⤵
- Executes dropped EXE
PID:1316 -
\??\c:\ppjdj.exec:\ppjdj.exe34⤵
- Executes dropped EXE
PID:2788 -
\??\c:\rlxxflr.exec:\rlxxflr.exe35⤵
- Executes dropped EXE
PID:2804 -
\??\c:\1hhbhh.exec:\1hhbhh.exe36⤵
- Executes dropped EXE
PID:2944 -
\??\c:\tnhntt.exec:\tnhntt.exe37⤵
- Executes dropped EXE
PID:2700 -
\??\c:\5vpjv.exec:\5vpjv.exe38⤵
- Executes dropped EXE
PID:3044 -
\??\c:\xxxllxr.exec:\xxxllxr.exe39⤵
- Executes dropped EXE
PID:2768 -
\??\c:\hbntbh.exec:\hbntbh.exe40⤵
- Executes dropped EXE
PID:2780 -
\??\c:\ddjdp.exec:\ddjdp.exe41⤵
- Executes dropped EXE
PID:2652 -
\??\c:\lrlxffx.exec:\lrlxffx.exe42⤵
- Executes dropped EXE
PID:2428 -
\??\c:\ffxfxxl.exec:\ffxfxxl.exe43⤵
- Executes dropped EXE
PID:1564 -
\??\c:\9btnbh.exec:\9btnbh.exe44⤵
- Executes dropped EXE
PID:1468 -
\??\c:\dpjvp.exec:\dpjvp.exe45⤵
- Executes dropped EXE
PID:2644 -
\??\c:\lrrxlrf.exec:\lrrxlrf.exe46⤵
- Executes dropped EXE
PID:572 -
\??\c:\3rllrxf.exec:\3rllrxf.exe47⤵
- Executes dropped EXE
PID:2904 -
\??\c:\1bhbht.exec:\1bhbht.exe48⤵
- Executes dropped EXE
PID:2004 -
\??\c:\pjpvj.exec:\pjpvj.exe49⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1920 -
\??\c:\lllxrxl.exec:\lllxrxl.exe50⤵
- Executes dropped EXE
PID:1716 -
\??\c:\hhhthn.exec:\hhhthn.exe51⤵
- Executes dropped EXE
PID:1968 -
\??\c:\pvpdj.exec:\pvpdj.exe52⤵
- Executes dropped EXE
PID:1552 -
\??\c:\jjdjv.exec:\jjdjv.exe53⤵
- Executes dropped EXE
PID:2384 -
\??\c:\xfxrlrf.exec:\xfxrlrf.exe54⤵
- Executes dropped EXE
PID:2544 -
\??\c:\nhhthn.exec:\nhhthn.exe55⤵
- Executes dropped EXE
PID:1760 -
\??\c:\dvvdj.exec:\dvvdj.exe56⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2420 -
\??\c:\fxrrllr.exec:\fxrrllr.exe57⤵
- Executes dropped EXE
PID:2556 -
\??\c:\rxxlfxf.exec:\rxxlfxf.exe58⤵
- Executes dropped EXE
PID:2164 -
\??\c:\ttbhbn.exec:\ttbhbn.exe59⤵
- Executes dropped EXE
PID:2948 -
\??\c:\jpppd.exec:\jpppd.exe60⤵
- Executes dropped EXE
PID:1984 -
\??\c:\dddpj.exec:\dddpj.exe61⤵
- Executes dropped EXE
PID:2956 -
\??\c:\fxxrrfx.exec:\fxxrrfx.exe62⤵
- Executes dropped EXE
PID:2276 -
\??\c:\btnthh.exec:\btnthh.exe63⤵
- Executes dropped EXE
PID:832 -
\??\c:\vvvdp.exec:\vvvdp.exe64⤵
- Executes dropped EXE
PID:1344 -
\??\c:\rlflrxl.exec:\rlflrxl.exe65⤵
- Executes dropped EXE
PID:1600 -
\??\c:\ffxlxlf.exec:\ffxlxlf.exe66⤵PID:2500
-
\??\c:\hnnbnt.exec:\hnnbnt.exe67⤵PID:2120
-
\??\c:\vvvdv.exec:\vvvdv.exe68⤵PID:2336
-
\??\c:\xrflxxf.exec:\xrflxxf.exe69⤵PID:2852
-
\??\c:\lfxxlxr.exec:\lfxxlxr.exe70⤵PID:1948
-
\??\c:\pppdv.exec:\pppdv.exe71⤵PID:1784
-
\??\c:\vddjd.exec:\vddjd.exe72⤵PID:2064
-
\??\c:\rlxlxfr.exec:\rlxlxfr.exe73⤵PID:2024
-
\??\c:\nttbbn.exec:\nttbbn.exe74⤵PID:2304
-
\??\c:\dvpvd.exec:\dvpvd.exe75⤵PID:2724
-
\??\c:\vjdjd.exec:\vjdjd.exe76⤵PID:2932
-
\??\c:\5lflrxl.exec:\5lflrxl.exe77⤵PID:2788
-
\??\c:\tbhbnb.exec:\tbhbnb.exe78⤵PID:2848
-
\??\c:\pjjjd.exec:\pjjjd.exe79⤵PID:2840
-
\??\c:\9jvdp.exec:\9jvdp.exe80⤵PID:2700
-
\??\c:\lfxfllf.exec:\lfxfllf.exe81⤵PID:2764
-
\??\c:\ttttnn.exec:\ttttnn.exe82⤵PID:2768
-
\??\c:\btthnt.exec:\btthnt.exe83⤵PID:2068
-
\??\c:\vdjpp.exec:\vdjpp.exe84⤵PID:2508
-
\??\c:\9rrxfrl.exec:\9rrxfrl.exe85⤵PID:1428
-
\??\c:\bhtbtb.exec:\bhtbtb.exe86⤵PID:1852
-
\??\c:\ddpvj.exec:\ddpvj.exe87⤵PID:1868
-
\??\c:\pppvd.exec:\pppvd.exe88⤵PID:2828
-
\??\c:\fxxxllx.exec:\fxxxllx.exe89⤵PID:2888
-
\??\c:\hbtbtb.exec:\hbtbtb.exe90⤵PID:2372
-
\??\c:\jjjdp.exec:\jjjdp.exe91⤵PID:1152
-
\??\c:\9lfflrf.exec:\9lfflrf.exe92⤵PID:1664
-
\??\c:\rfrxflx.exec:\rfrxflx.exe93⤵PID:2072
-
\??\c:\nnnbnb.exec:\nnnbnb.exe94⤵PID:1704
-
\??\c:\3vdpd.exec:\3vdpd.exe95⤵PID:2008
-
\??\c:\vdpjd.exec:\vdpjd.exe96⤵PID:712
-
\??\c:\ffflxxl.exec:\ffflxxl.exe97⤵PID:1516
-
\??\c:\rrfxxfr.exec:\rrfxxfr.exe98⤵PID:1492
-
\??\c:\9ttnnt.exec:\9ttnnt.exe99⤵PID:1240
-
\??\c:\jppdv.exec:\jppdv.exe100⤵PID:2468
-
\??\c:\1xrfrfr.exec:\1xrfrfr.exe101⤵PID:2144
-
\??\c:\xrlxrff.exec:\xrlxrff.exe102⤵PID:2552
-
\??\c:\1btbhh.exec:\1btbhh.exe103⤵PID:2996
-
\??\c:\pjdjv.exec:\pjdjv.exe104⤵PID:1588
-
\??\c:\3ppvd.exec:\3ppvd.exe105⤵PID:3032
-
\??\c:\5frlxfr.exec:\5frlxfr.exe106⤵PID:1644
-
\??\c:\fxfrxfx.exec:\fxfrxfx.exe107⤵PID:1708
-
\??\c:\hhbhth.exec:\hhbhth.exe108⤵PID:1028
-
\??\c:\jvvjp.exec:\jvvjp.exe109⤵PID:1416
-
\??\c:\1xlxlxx.exec:\1xlxlxx.exe110⤵PID:2328
-
\??\c:\lfxlxlf.exec:\lfxlxlf.exe111⤵PID:2980
-
\??\c:\3btbht.exec:\3btbht.exe112⤵PID:2076
-
\??\c:\vpdjp.exec:\vpdjp.exe113⤵PID:1804
-
\??\c:\xrlfrrr.exec:\xrlfrrr.exe114⤵PID:2456
-
\??\c:\hbtbtt.exec:\hbtbtt.exe115⤵PID:1784
-
\??\c:\djjdv.exec:\djjdv.exe116⤵PID:2216
-
\??\c:\7xflrxr.exec:\7xflrxr.exe117⤵PID:2320
-
\??\c:\bhhnht.exec:\bhhnht.exe118⤵PID:2324
-
\??\c:\pjjpj.exec:\pjjpj.exe119⤵PID:2724
-
\??\c:\ppjpd.exec:\ppjpd.exe120⤵PID:2800
-
\??\c:\lrrxfrf.exec:\lrrxfrf.exe121⤵PID:2816
-
\??\c:\bhnbtt.exec:\bhnbtt.exe122⤵PID:2784