Analysis
-
max time kernel
120s -
max time network
117s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
08/01/2025, 07:14
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
95ce0a75b044c06acd21307f27af281b17ad2113aa4295021cec2fb6d9c6d82d.exe
Resource
win7-20240903-en
7 signatures
120 seconds
General
-
Target
95ce0a75b044c06acd21307f27af281b17ad2113aa4295021cec2fb6d9c6d82d.exe
-
Size
454KB
-
MD5
c13b9cd72959128a35499c01694261eb
-
SHA1
8f202387ea428641fa629bbc3b90c5fcda895b4f
-
SHA256
95ce0a75b044c06acd21307f27af281b17ad2113aa4295021cec2fb6d9c6d82d
-
SHA512
68db9efb599086b26e54702fc5728b9f6492feaff82599cf227e7a60ccaf5fd5dd50a2de43db9d95a5b9a5912f6d964817da212ebf1bc11da2eccf8abbe04be9
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe3:q7Tc2NYHUrAwfMp3CD3
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 42 IoCs
resource yara_rule behavioral1/memory/2252-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2712-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2908-26-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2704-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1440-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1440-45-0x00000000002B0000-0x00000000002DA000-memory.dmp family_blackmoon behavioral1/memory/2816-59-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2024-81-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2620-79-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1776-101-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2548-99-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2896-118-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/576-127-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2204-136-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2028-146-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1312-175-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2144-180-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2144-187-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2368-194-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1180-216-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1180-214-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon 
behavioral1/memory/2404-225-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/2424-234-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2552-269-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2340-321-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2680-329-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2816-362-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2828-365-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2548-393-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1100-414-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2020-427-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2780-447-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2376-448-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2376-455-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/1716-475-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/808-488-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2336-495-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/2504-551-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2860-603-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1688-618-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2244-625-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2588-638-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2712 btnbhh.exe 2908 9djvj.exe 2704 bbtbnb.exe 1440 frlxllf.exe 2816 hbhnnt.exe 2600 3frlrrf.exe 2620 7ttttt.exe 2024 3frrfll.exe 2548 tntthh.exe 1776 lllxxfx.exe 2896 tnbbnb.exe 576 lfflxfl.exe 2204 hbnnbh.exe 2028 3nhnnt.exe 1096 lfrxflf.exe 1764 1httht.exe 1312 3dvjp.exe 2144 tnbbhn.exe 2368 ddppd.exe 1596 pjdjv.exe 1180 rllxlrf.exe 2404 pvpdj.exe 2424 vjdpj.exe 1708 9dvpd.exe 2084 vvjvj.exe 496 jddvd.exe 2552 ppjjp.exe 1736 bttbht.exe 2068 5jvvd.exe 860 1bnnhn.exe 1144 ppjpd.exe 1548 ppvdp.exe 2340 vpjpv.exe 2680 nbbhtt.exe 2244 ppjdv.exe 2828 xlrfxlr.exe 2740 tthntb.exe 2572 vvpvd.exe 2816 1flffxr.exe 2108 3nhthb.exe 2620 jppjv.exe 3028 fxrlxrl.exe 2024 nbthbb.exe 2548 7jjpv.exe 1820 djjjv.exe 1100 1xxflxl.exe 2896 1hbhnt.exe 2020 vdvdj.exe 1320 xrlrlrf.exe 484 nnhthb.exe 2780 djdpd.exe 2376 rrrfrfx.exe 1812 9ffxrff.exe 2148 bbhtbb.exe 1720 3jdpd.exe 1716 1xxfrfx.exe 808 xfxlflx.exe 2336 tbbnnb.exe 848 jjjjp.exe 896 rxxfxlf.exe 2396 ffxrxlx.exe 2404 nnntnn.exe 2812 ddvjv.exe 1712 lrlxrxf.exe -
resource yara_rule behavioral1/memory/2252-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2712-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2908-26-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2704-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2816-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1440-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2600-60-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2816-59-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2024-81-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2620-79-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1776-101-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2548-99-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2896-118-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/576-119-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/576-127-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2204-136-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2028-146-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1312-175-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2144-187-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2368-194-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1180-216-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2424-234-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2552-261-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2552-269-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/1548-306-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2340-321-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2680-329-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2816-356-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2816-362-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2108-366-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2548-393-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1100-414-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2020-427-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2780-447-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2376-448-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1716-475-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/808-488-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2504-551-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/664-552-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1688-596-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2860-603-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2844-611-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2588-638-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1xxflxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9tnntn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hthntb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxffxlx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhhnnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvpdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7vppd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbntbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxrrxrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxlxrfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrrxllx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found 
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdvjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxlxrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flflflr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjddj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlflrxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxlrrrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlllxxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxlxrxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbthhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjppj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3llfrff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bntbbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnhtnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djjpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpjpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnbbht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrlxfrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2252 wrote to memory of 2712 2252 95ce0a75b044c06acd21307f27af281b17ad2113aa4295021cec2fb6d9c6d82d.exe 30 PID 2252 wrote to memory of 2712 2252 95ce0a75b044c06acd21307f27af281b17ad2113aa4295021cec2fb6d9c6d82d.exe 30 PID 2252 wrote to memory of 2712 2252 95ce0a75b044c06acd21307f27af281b17ad2113aa4295021cec2fb6d9c6d82d.exe 30 PID 2252 wrote to memory of 2712 2252 95ce0a75b044c06acd21307f27af281b17ad2113aa4295021cec2fb6d9c6d82d.exe 30 PID 2712 wrote to memory of 2908 2712 btnbhh.exe 31 PID 2712 wrote to memory of 2908 2712 btnbhh.exe 31 PID 2712 wrote to memory of 2908 2712 btnbhh.exe 31 PID 2712 wrote to memory of 2908 2712 btnbhh.exe 31 PID 2908 wrote to memory of 2704 2908 9djvj.exe 32 PID 2908 wrote to memory of 2704 2908 9djvj.exe 32 PID 2908 wrote to memory of 2704 2908 9djvj.exe 32 PID 2908 wrote to memory of 2704 2908 9djvj.exe 32 PID 2704 wrote to memory of 1440 2704 bbtbnb.exe 33 PID 2704 wrote to memory of 1440 2704 bbtbnb.exe 33 PID 2704 wrote to memory of 1440 2704 bbtbnb.exe 33 PID 2704 wrote to memory of 1440 2704 bbtbnb.exe 33 PID 1440 wrote to memory of 2816 1440 frlxllf.exe 34 PID 1440 wrote to memory of 2816 1440 frlxllf.exe 34 PID 1440 wrote to memory of 2816 1440 frlxllf.exe 34 PID 1440 wrote to memory of 2816 1440 frlxllf.exe 34 PID 2816 wrote to memory of 2600 2816 hbhnnt.exe 35 PID 2816 wrote to memory of 2600 2816 hbhnnt.exe 35 PID 2816 wrote to memory of 2600 2816 hbhnnt.exe 35 PID 2816 wrote to memory of 2600 2816 hbhnnt.exe 35 PID 2600 wrote to memory of 2620 2600 3frlrrf.exe 36 PID 2600 wrote to memory of 2620 2600 3frlrrf.exe 36 PID 2600 wrote to memory of 2620 2600 3frlrrf.exe 36 PID 2600 wrote to memory of 2620 2600 3frlrrf.exe 36 PID 2620 wrote to memory of 2024 2620 7ttttt.exe 37 PID 2620 wrote to memory of 2024 2620 7ttttt.exe 37 PID 2620 wrote to memory of 2024 2620 7ttttt.exe 37 PID 2620 wrote to memory of 2024 2620 7ttttt.exe 37 PID 2024 wrote to memory of 2548 2024 3frrfll.exe 38 PID 2024 
wrote to memory of 2548 2024 3frrfll.exe 38 PID 2024 wrote to memory of 2548 2024 3frrfll.exe 38 PID 2024 wrote to memory of 2548 2024 3frrfll.exe 38 PID 2548 wrote to memory of 1776 2548 tntthh.exe 39 PID 2548 wrote to memory of 1776 2548 tntthh.exe 39 PID 2548 wrote to memory of 1776 2548 tntthh.exe 39 PID 2548 wrote to memory of 1776 2548 tntthh.exe 39 PID 1776 wrote to memory of 2896 1776 lllxxfx.exe 40 PID 1776 wrote to memory of 2896 1776 lllxxfx.exe 40 PID 1776 wrote to memory of 2896 1776 lllxxfx.exe 40 PID 1776 wrote to memory of 2896 1776 lllxxfx.exe 40 PID 2896 wrote to memory of 576 2896 tnbbnb.exe 41 PID 2896 wrote to memory of 576 2896 tnbbnb.exe 41 PID 2896 wrote to memory of 576 2896 tnbbnb.exe 41 PID 2896 wrote to memory of 576 2896 tnbbnb.exe 41 PID 576 wrote to memory of 2204 576 lfflxfl.exe 42 PID 576 wrote to memory of 2204 576 lfflxfl.exe 42 PID 576 wrote to memory of 2204 576 lfflxfl.exe 42 PID 576 wrote to memory of 2204 576 lfflxfl.exe 42 PID 2204 wrote to memory of 2028 2204 hbnnbh.exe 43 PID 2204 wrote to memory of 2028 2204 hbnnbh.exe 43 PID 2204 wrote to memory of 2028 2204 hbnnbh.exe 43 PID 2204 wrote to memory of 2028 2204 hbnnbh.exe 43 PID 2028 wrote to memory of 1096 2028 3nhnnt.exe 44 PID 2028 wrote to memory of 1096 2028 3nhnnt.exe 44 PID 2028 wrote to memory of 1096 2028 3nhnnt.exe 44 PID 2028 wrote to memory of 1096 2028 3nhnnt.exe 44 PID 1096 wrote to memory of 1764 1096 lfrxflf.exe 45 PID 1096 wrote to memory of 1764 1096 lfrxflf.exe 45 PID 1096 wrote to memory of 1764 1096 lfrxflf.exe 45 PID 1096 wrote to memory of 1764 1096 lfrxflf.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\95ce0a75b044c06acd21307f27af281b17ad2113aa4295021cec2fb6d9c6d82d.exe"C:\Users\Admin\AppData\Local\Temp\95ce0a75b044c06acd21307f27af281b17ad2113aa4295021cec2fb6d9c6d82d.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2252 -
\??\c:\btnbhh.exec:\btnbhh.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2712 -
\??\c:\9djvj.exec:\9djvj.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2908 -
\??\c:\bbtbnb.exec:\bbtbnb.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2704 -
\??\c:\frlxllf.exec:\frlxllf.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1440 -
\??\c:\hbhnnt.exec:\hbhnnt.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2816 -
\??\c:\3frlrrf.exec:\3frlrrf.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2600 -
\??\c:\7ttttt.exec:\7ttttt.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2620 -
\??\c:\3frrfll.exec:\3frrfll.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2024 -
\??\c:\tntthh.exec:\tntthh.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2548 -
\??\c:\lllxxfx.exec:\lllxxfx.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1776 -
\??\c:\tnbbnb.exec:\tnbbnb.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2896 -
\??\c:\lfflxfl.exec:\lfflxfl.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:576 -
\??\c:\hbnnbh.exec:\hbnnbh.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2204 -
\??\c:\3nhnnt.exec:\3nhnnt.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2028 -
\??\c:\lfrxflf.exec:\lfrxflf.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1096 -
\??\c:\1httht.exec:\1httht.exe17⤵
- Executes dropped EXE
PID:1764 -
\??\c:\3dvjp.exec:\3dvjp.exe18⤵
- Executes dropped EXE
PID:1312 -
\??\c:\tnbbhn.exec:\tnbbhn.exe19⤵
- Executes dropped EXE
PID:2144 -
\??\c:\ddppd.exec:\ddppd.exe20⤵
- Executes dropped EXE
PID:2368 -
\??\c:\pjdjv.exec:\pjdjv.exe21⤵
- Executes dropped EXE
PID:1596 -
\??\c:\rllxlrf.exec:\rllxlrf.exe22⤵
- Executes dropped EXE
PID:1180 -
\??\c:\pvpdj.exec:\pvpdj.exe23⤵
- Executes dropped EXE
PID:2404 -
\??\c:\vjdpj.exec:\vjdpj.exe24⤵
- Executes dropped EXE
PID:2424 -
\??\c:\9dvpd.exec:\9dvpd.exe25⤵
- Executes dropped EXE
PID:1708 -
\??\c:\vvjvj.exec:\vvjvj.exe26⤵
- Executes dropped EXE
PID:2084 -
\??\c:\jddvd.exec:\jddvd.exe27⤵
- Executes dropped EXE
PID:496 -
\??\c:\ppjjp.exec:\ppjjp.exe28⤵
- Executes dropped EXE
PID:2552 -
\??\c:\bttbht.exec:\bttbht.exe29⤵
- Executes dropped EXE
PID:1736 -
\??\c:\5jvvd.exec:\5jvvd.exe30⤵
- Executes dropped EXE
PID:2068 -
\??\c:\1bnnhn.exec:\1bnnhn.exe31⤵
- Executes dropped EXE
PID:860 -
\??\c:\ppjpd.exec:\ppjpd.exe32⤵
- Executes dropped EXE
PID:1144 -
\??\c:\ppvdp.exec:\ppvdp.exe33⤵
- Executes dropped EXE
PID:1548 -
\??\c:\vpjpv.exec:\vpjpv.exe34⤵
- Executes dropped EXE
PID:2340 -
\??\c:\nbbhtt.exec:\nbbhtt.exe35⤵
- Executes dropped EXE
PID:2680 -
\??\c:\ppjdv.exec:\ppjdv.exe36⤵
- Executes dropped EXE
PID:2244 -
\??\c:\xlrfxlr.exec:\xlrfxlr.exe37⤵
- Executes dropped EXE
PID:2828 -
\??\c:\tthntb.exec:\tthntb.exe38⤵
- Executes dropped EXE
PID:2740 -
\??\c:\vvpvd.exec:\vvpvd.exe39⤵
- Executes dropped EXE
PID:2572 -
\??\c:\1flffxr.exec:\1flffxr.exe40⤵
- Executes dropped EXE
PID:2816 -
\??\c:\3nhthb.exec:\3nhthb.exe41⤵
- Executes dropped EXE
PID:2108 -
\??\c:\jppjv.exec:\jppjv.exe42⤵
- Executes dropped EXE
PID:2620 -
\??\c:\fxrlxrl.exec:\fxrlxrl.exe43⤵
- Executes dropped EXE
PID:3028 -
\??\c:\nbthbb.exec:\nbthbb.exe44⤵
- Executes dropped EXE
PID:2024 -
\??\c:\7jjpv.exec:\7jjpv.exe45⤵
- Executes dropped EXE
PID:2548 -
\??\c:\djjjv.exec:\djjjv.exe46⤵
- Executes dropped EXE
PID:1820 -
\??\c:\1xxflxl.exec:\1xxflxl.exe47⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1100 -
\??\c:\1hbhnt.exec:\1hbhnt.exe48⤵
- Executes dropped EXE
PID:2896 -
\??\c:\vdvdj.exec:\vdvdj.exe49⤵
- Executes dropped EXE
PID:2020 -
\??\c:\xrlrlrf.exec:\xrlrlrf.exe50⤵
- Executes dropped EXE
PID:1320 -
\??\c:\nnhthb.exec:\nnhthb.exe51⤵
- Executes dropped EXE
PID:484 -
\??\c:\djdpd.exec:\djdpd.exe52⤵
- Executes dropped EXE
PID:2780 -
\??\c:\rrrfrfx.exec:\rrrfrfx.exe53⤵
- Executes dropped EXE
PID:2376 -
\??\c:\9ffxrff.exec:\9ffxrff.exe54⤵
- Executes dropped EXE
PID:1812 -
\??\c:\bbhtbb.exec:\bbhtbb.exe55⤵
- Executes dropped EXE
PID:2148 -
\??\c:\3jdpd.exec:\3jdpd.exe56⤵
- Executes dropped EXE
PID:1720 -
\??\c:\1xxfrfx.exec:\1xxfrfx.exe57⤵
- Executes dropped EXE
PID:1716 -
\??\c:\xfxlflx.exec:\xfxlflx.exe58⤵
- Executes dropped EXE
PID:808 -
\??\c:\tbbnnb.exec:\tbbnnb.exe59⤵
- Executes dropped EXE
PID:2336 -
\??\c:\jjjjp.exec:\jjjjp.exe60⤵
- Executes dropped EXE
PID:848 -
\??\c:\rxxfxlf.exec:\rxxfxlf.exe61⤵
- Executes dropped EXE
PID:896 -
\??\c:\ffxrxlx.exec:\ffxrxlx.exe62⤵
- Executes dropped EXE
PID:2396 -
\??\c:\nnntnn.exec:\nnntnn.exe63⤵
- Executes dropped EXE
PID:2404 -
\??\c:\ddvjv.exec:\ddvjv.exe64⤵
- Executes dropped EXE
PID:2812 -
\??\c:\lrlxrxf.exec:\lrlxrxf.exe65⤵
- Executes dropped EXE
PID:1712 -
\??\c:\lrrxrxr.exec:\lrrxrxr.exe66⤵PID:1704
-
\??\c:\nnhttb.exec:\nnhttb.exe67⤵PID:2084
-
\??\c:\pdvpj.exec:\pdvpj.exe68⤵PID:2504
-
\??\c:\lrlfrfl.exec:\lrlfrfl.exe69⤵PID:664
-
\??\c:\hnnbth.exec:\hnnbth.exe70⤵PID:2476
-
\??\c:\5bbhtt.exec:\5bbhtt.exe71⤵PID:2440
-
\??\c:\vdjvj.exec:\vdjvj.exe72⤵PID:268
-
\??\c:\frrffrx.exec:\frrffrx.exe73⤵PID:3068
-
\??\c:\bbtthh.exec:\bbtthh.exe74⤵PID:2728
-
\??\c:\9hbhtb.exec:\9hbhtb.exe75⤵PID:1688
-
\??\c:\jpjpp.exec:\jpjpp.exe76⤵PID:2860
-
\??\c:\3xrlrxl.exec:\3xrlrxl.exe77⤵PID:2340
-
\??\c:\nnntht.exec:\nnntht.exe78⤵PID:2844
-
\??\c:\pjjvj.exec:\pjjvj.exe79⤵PID:2244
-
\??\c:\fllfrrr.exec:\fllfrrr.exe80⤵PID:1328
-
\??\c:\bbbnnt.exec:\bbbnnt.exe81⤵PID:2588
-
\??\c:\9vvdj.exec:\9vvdj.exe82⤵PID:2648
-
\??\c:\xlxlrxl.exec:\xlxlrxl.exe83⤵PID:2816
-
\??\c:\frrfxfr.exec:\frrfxfr.exe84⤵PID:2080
-
\??\c:\9hbbtb.exec:\9hbbtb.exe85⤵PID:2980
-
\??\c:\jpppj.exec:\jpppj.exe86⤵PID:1628
-
\??\c:\rllrxlf.exec:\rllrxlf.exe87⤵PID:2408
-
\??\c:\fffllxf.exec:\fffllxf.exe88⤵PID:2556
-
\??\c:\hhbthb.exec:\hhbthb.exe89⤵PID:1692
-
\??\c:\5pdjd.exec:\5pdjd.exe90⤵PID:340
-
\??\c:\xxlxrfr.exec:\xxlxrfr.exe91⤵
- System Location Discovery: System Language Discovery
PID:1208 -
\??\c:\xfxflrf.exec:\xfxflrf.exe92⤵PID:1496
-
\??\c:\bbbhtb.exec:\bbbhtb.exe93⤵PID:2360
-
\??\c:\vdjvp.exec:\vdjvp.exe94⤵PID:1320
-
\??\c:\lllxlrx.exec:\lllxlrx.exe95⤵PID:2372
-
\??\c:\lxxfrlf.exec:\lxxfrlf.exe96⤵PID:2776
-
\??\c:\bbnbtb.exec:\bbnbtb.exe97⤵PID:1500
-
\??\c:\ddjvj.exec:\ddjvj.exe98⤵PID:1760
-
\??\c:\fxxlrxr.exec:\fxxlrxr.exe99⤵PID:2484
-
\??\c:\ttnthh.exec:\ttnthh.exe100⤵PID:2236
-
\??\c:\djpvp.exec:\djpvp.exe101⤵PID:948
-
\??\c:\dddjv.exec:\dddjv.exe102⤵PID:324
-
\??\c:\xfxlrxl.exec:\xfxlrxl.exe103⤵PID:764
-
\??\c:\vvvdp.exec:\vvvdp.exe104⤵PID:548
-
\??\c:\pvvjv.exec:\pvvjv.exe105⤵PID:1512
-
\??\c:\1ffxrxl.exec:\1ffxrxl.exe106⤵PID:1772
-
\??\c:\hbbnbh.exec:\hbbnbh.exe107⤵PID:2404
-
\??\c:\djjpd.exec:\djjpd.exe108⤵PID:2812
-
\??\c:\dpjdd.exec:\dpjdd.exe109⤵PID:2276
-
\??\c:\llxlffx.exec:\llxlffx.exe110⤵PID:1552
-
\??\c:\1nntnb.exec:\1nntnb.exe111⤵PID:2328
-
\??\c:\7nhntb.exec:\7nhntb.exe112⤵PID:2552
-
\??\c:\dvpdj.exec:\dvpdj.exe113⤵PID:2748
-
\??\c:\9fxfrxl.exec:\9fxfrxl.exe114⤵PID:980
-
\??\c:\fffrxff.exec:\fffrxff.exe115⤵PID:2992
-
\??\c:\ntntbn.exec:\ntntbn.exe116⤵PID:1376
-
\??\c:\5dddp.exec:\5dddp.exe117⤵PID:2716
-
\??\c:\7jdpd.exec:\7jdpd.exe118⤵PID:1576
-
\??\c:\3rlxlxl.exec:\3rlxlxl.exe119⤵PID:2848
-
\??\c:\bhhbnb.exec:\bhhbnb.exe120⤵PID:2340
-
\??\c:\vpdvd.exec:\vpdvd.exe121⤵PID:2732
-
\??\c:\ddjjv.exec:\ddjjv.exe122⤵PID:2684