Analysis
-
max time kernel
150s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64 arch:x86 image:win7-20241010-en locale:en-us os:windows7-x64 system -
submitted
08/01/2025, 07:16
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
bc08bf5a92aded95c8a3e91c0d621dd5e9acd7da4492234afb3e5c6343424ae0.exe
Resource
win7-20241010-en
7 signatures
150 seconds
General
-
Target
bc08bf5a92aded95c8a3e91c0d621dd5e9acd7da4492234afb3e5c6343424ae0.exe
-
Size
457KB
-
MD5
86c46493d9d3bb1e05562b6e62ce3c6d
-
SHA1
7b41234680b1c6bbcc94cf8b4e4a788d35079220
-
SHA256
bc08bf5a92aded95c8a3e91c0d621dd5e9acd7da4492234afb3e5c6343424ae0
-
SHA512
d05862a2df3bf9d2e6f3458da6f2d45ccf1f76dae18e03972a328cedc0653dac9d298ea4f27239cd46c707c7134fc49a75f95d4ac8ecac31e2955c133b21eed8
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeRl:q7Tc2NYHUrAwfMp3CDRl
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 47 IoCs
resource yara_rule behavioral1/memory/2428-0-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2140-16-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3060-29-0x0000000000230000-0x000000000025A000-memory.dmp family_blackmoon behavioral1/memory/3060-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2588-45-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2156-57-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2980-55-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2156-64-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2860-74-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2540-84-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2976-94-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2776-104-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1404-117-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2340-115-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2032-160-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2932-173-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2932-178-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2796-187-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2676-213-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2468-264-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2112-261-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2468-267-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2396-281-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2244-290-0x0000000000430000-0x000000000045A000-memory.dmp family_blackmoon behavioral1/memory/2404-300-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2140-310-0x0000000000430000-0x000000000045A000-memory.dmp family_blackmoon behavioral1/memory/2092-323-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/2844-330-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2140-331-0x0000000000430000-0x000000000045A000-memory.dmp family_blackmoon behavioral1/memory/2844-338-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2092-346-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/2848-354-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3068-368-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2848-375-0x0000000000230000-0x000000000025A000-memory.dmp family_blackmoon behavioral1/memory/2740-388-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1552-439-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1236-452-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/284-465-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/284-472-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1548-487-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/772-533-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2524-605-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon 
behavioral1/memory/2472-619-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2040-700-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/828-763-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/324-808-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2024-816-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2140 042800.exe 2332 5nnhhh.exe 3060 bthhnn.exe 2588 886480.exe 2980 6424622.exe 2156 820084.exe 2860 jjvjd.exe 2540 flrlxxf.exe 2976 26086.exe 2776 vpdpv.exe 2340 2084268.exe 1404 xffrlxx.exe 1292 3vjjd.exe 1552 046282.exe 2668 5lxrrrr.exe 2032 82664.exe 1376 tbnbbb.exe 2932 llflxxl.exe 2796 7pddj.exe 2228 6466846.exe 1600 7xfxfff.exe 2676 xrxfrrr.exe 1736 3xlrxfr.exe 296 s4228.exe 1852 bnbbtb.exe 1256 m0846.exe 2112 nhbhtb.exe 2468 8260222.exe 2396 82488.exe 2244 q84088.exe 2404 djjdv.exe 2140 tththt.exe 1532 lrfxfxx.exe 2092 882808.exe 2508 26424.exe 2844 lxlrrxl.exe 2956 1jdpd.exe 2848 1fxllxf.exe 2288 dvpdj.exe 3068 608428.exe 2860 jdvdd.exe 2744 vpddd.exe 2740 bnhtbh.exe 2672 djjjp.exe 2776 bbttth.exe 1268 26624.exe 2084 u862406.exe 1008 u484802.exe 1072 4266886.exe 1672 vdjvp.exe 1552 2668626.exe 1892 8206224.exe 1236 1ffrflx.exe 316 bhhnbn.exe 2448 pjdjp.exe 284 lrlrrxf.exe 2208 64286.exe 1548 5vpvp.exe 448 400262.exe 2188 u0642.exe 1284 o046846.exe 1876 60680.exe 1424 ddvvj.exe 1708 486206.exe -
resource yara_rule behavioral1/memory/2428-0-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2140-16-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2588-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3060-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2588-45-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2156-57-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2980-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2156-64-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2860-74-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2540-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2976-94-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2776-104-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2340-106-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1404-117-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2340-115-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2032-160-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2932-178-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2796-187-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2676-205-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2676-213-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1256-242-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2468-264-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2112-261-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2396-281-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2404-300-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2844-330-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2844-338-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2956-339-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2848-354-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3068-368-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2740-388-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1268-401-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1552-439-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1236-452-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/284-465-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2208-474-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/284-472-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1876-507-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/772-533-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1876-534-0x00000000003D0000-0x00000000003FA000-memory.dmp upx behavioral1/memory/2116-561-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2064-586-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2472-612-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2472-619-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3016-632-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2752-663-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2040-700-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/112-746-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2024-809-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/324-808-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2576-817-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2784-824-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer that host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1pvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 082288.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 840048.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language w80444.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5dpdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5rllxxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7xfxfff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhhnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2646402.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 480624.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7frfrfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5vjjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a2246.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2428 wrote to memory of 2140 2428 bc08bf5a92aded95c8a3e91c0d621dd5e9acd7da4492234afb3e5c6343424ae0.exe 30 PID 2428 wrote to memory of 2140 2428 bc08bf5a92aded95c8a3e91c0d621dd5e9acd7da4492234afb3e5c6343424ae0.exe 30 PID 2428 wrote to memory of 2140 2428 bc08bf5a92aded95c8a3e91c0d621dd5e9acd7da4492234afb3e5c6343424ae0.exe 30 PID 2428 wrote to memory of 2140 2428 bc08bf5a92aded95c8a3e91c0d621dd5e9acd7da4492234afb3e5c6343424ae0.exe 30 PID 2140 wrote to memory of 2332 2140 042800.exe 31 PID 2140 wrote to memory of 2332 2140 042800.exe 31 PID 2140 wrote to memory of 2332 2140 042800.exe 31 PID 2140 wrote to memory of 2332 2140 042800.exe 31 PID 2332 wrote to memory of 3060 2332 5nnhhh.exe 32 PID 2332 wrote to memory of 3060 2332 5nnhhh.exe 32 PID 2332 wrote to memory of 3060 2332 5nnhhh.exe 32 PID 2332 wrote to memory of 3060 2332 5nnhhh.exe 32 PID 3060 wrote to memory of 2588 3060 bthhnn.exe 33 PID 3060 wrote to memory of 2588 3060 bthhnn.exe 33 PID 3060 wrote to memory of 2588 3060 bthhnn.exe 33 PID 3060 wrote to memory of 2588 3060 bthhnn.exe 33 PID 2588 wrote to memory of 2980 2588 886480.exe 34 PID 2588 wrote to memory of 2980 2588 886480.exe 34 PID 2588 wrote to memory of 2980 2588 886480.exe 34 PID 2588 wrote to memory of 2980 2588 886480.exe 34 PID 2980 wrote to memory of 2156 2980 6424622.exe 35 PID 2980 wrote to memory of 2156 2980 6424622.exe 35 PID 2980 wrote to memory of 2156 2980 6424622.exe 35 PID 2980 wrote to memory of 2156 2980 6424622.exe 35 PID 2156 wrote to memory of 2860 2156 820084.exe 36 PID 2156 wrote to memory of 2860 2156 820084.exe 36 PID 2156 wrote to memory of 2860 2156 820084.exe 36 PID 2156 wrote to memory of 2860 2156 820084.exe 36 PID 2860 wrote to memory of 2540 2860 jjvjd.exe 37 PID 2860 wrote to memory of 2540 2860 jjvjd.exe 37 PID 2860 wrote to memory of 2540 2860 jjvjd.exe 37 PID 2860 wrote to memory of 2540 2860 jjvjd.exe 37 PID 2540 wrote to memory of 2976 2540 flrlxxf.exe 38 PID 2540 
wrote to memory of 2976 2540 flrlxxf.exe 38 PID 2540 wrote to memory of 2976 2540 flrlxxf.exe 38 PID 2540 wrote to memory of 2976 2540 flrlxxf.exe 38 PID 2976 wrote to memory of 2776 2976 26086.exe 39 PID 2976 wrote to memory of 2776 2976 26086.exe 39 PID 2976 wrote to memory of 2776 2976 26086.exe 39 PID 2976 wrote to memory of 2776 2976 26086.exe 39 PID 2776 wrote to memory of 2340 2776 vpdpv.exe 40 PID 2776 wrote to memory of 2340 2776 vpdpv.exe 40 PID 2776 wrote to memory of 2340 2776 vpdpv.exe 40 PID 2776 wrote to memory of 2340 2776 vpdpv.exe 40 PID 2340 wrote to memory of 1404 2340 2084268.exe 41 PID 2340 wrote to memory of 1404 2340 2084268.exe 41 PID 2340 wrote to memory of 1404 2340 2084268.exe 41 PID 2340 wrote to memory of 1404 2340 2084268.exe 41 PID 1404 wrote to memory of 1292 1404 xffrlxx.exe 42 PID 1404 wrote to memory of 1292 1404 xffrlxx.exe 42 PID 1404 wrote to memory of 1292 1404 xffrlxx.exe 42 PID 1404 wrote to memory of 1292 1404 xffrlxx.exe 42 PID 1292 wrote to memory of 1552 1292 3vjjd.exe 43 PID 1292 wrote to memory of 1552 1292 3vjjd.exe 43 PID 1292 wrote to memory of 1552 1292 3vjjd.exe 43 PID 1292 wrote to memory of 1552 1292 3vjjd.exe 43 PID 1552 wrote to memory of 2668 1552 046282.exe 44 PID 1552 wrote to memory of 2668 1552 046282.exe 44 PID 1552 wrote to memory of 2668 1552 046282.exe 44 PID 1552 wrote to memory of 2668 1552 046282.exe 44 PID 2668 wrote to memory of 2032 2668 5lxrrrr.exe 45 PID 2668 wrote to memory of 2032 2668 5lxrrrr.exe 45 PID 2668 wrote to memory of 2032 2668 5lxrrrr.exe 45 PID 2668 wrote to memory of 2032 2668 5lxrrrr.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\bc08bf5a92aded95c8a3e91c0d621dd5e9acd7da4492234afb3e5c6343424ae0.exe"C:\Users\Admin\AppData\Local\Temp\bc08bf5a92aded95c8a3e91c0d621dd5e9acd7da4492234afb3e5c6343424ae0.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2428 -
\??\c:\042800.exec:\042800.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2140 -
\??\c:\5nnhhh.exec:\5nnhhh.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2332 -
\??\c:\bthhnn.exec:\bthhnn.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3060 -
\??\c:\886480.exec:\886480.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2588 -
\??\c:\6424622.exec:\6424622.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2980 -
\??\c:\820084.exec:\820084.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2156 -
\??\c:\jjvjd.exec:\jjvjd.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2860 -
\??\c:\flrlxxf.exec:\flrlxxf.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2540 -
\??\c:\26086.exec:\26086.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2976 -
\??\c:\vpdpv.exec:\vpdpv.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2776 -
\??\c:\2084268.exec:\2084268.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2340 -
\??\c:\xffrlxx.exec:\xffrlxx.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1404 -
\??\c:\3vjjd.exec:\3vjjd.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1292 -
\??\c:\046282.exec:\046282.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1552 -
\??\c:\5lxrrrr.exec:\5lxrrrr.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2668 -
\??\c:\82664.exec:\82664.exe17⤵
- Executes dropped EXE
PID:2032 -
\??\c:\tbnbbb.exec:\tbnbbb.exe18⤵
- Executes dropped EXE
PID:1376 -
\??\c:\llflxxl.exec:\llflxxl.exe19⤵
- Executes dropped EXE
PID:2932 -
\??\c:\7pddj.exec:\7pddj.exe20⤵
- Executes dropped EXE
PID:2796 -
\??\c:\6466846.exec:\6466846.exe21⤵
- Executes dropped EXE
PID:2228 -
\??\c:\7xfxfff.exec:\7xfxfff.exe22⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1600 -
\??\c:\xrxfrrr.exec:\xrxfrrr.exe23⤵
- Executes dropped EXE
PID:2676 -
\??\c:\3xlrxfr.exec:\3xlrxfr.exe24⤵
- Executes dropped EXE
PID:1736 -
\??\c:\s4228.exec:\s4228.exe25⤵
- Executes dropped EXE
PID:296 -
\??\c:\bnbbtb.exec:\bnbbtb.exe26⤵
- Executes dropped EXE
PID:1852 -
\??\c:\m0846.exec:\m0846.exe27⤵
- Executes dropped EXE
PID:1256 -
\??\c:\nhbhtb.exec:\nhbhtb.exe28⤵
- Executes dropped EXE
PID:2112 -
\??\c:\8260222.exec:\8260222.exe29⤵
- Executes dropped EXE
PID:2468 -
\??\c:\82488.exec:\82488.exe30⤵
- Executes dropped EXE
PID:2396 -
\??\c:\q84088.exec:\q84088.exe31⤵
- Executes dropped EXE
PID:2244 -
\??\c:\djjdv.exec:\djjdv.exe32⤵
- Executes dropped EXE
PID:2404 -
\??\c:\tththt.exec:\tththt.exe33⤵
- Executes dropped EXE
PID:2140 -
\??\c:\lrfxfxx.exec:\lrfxfxx.exe34⤵
- Executes dropped EXE
PID:1532 -
\??\c:\882808.exec:\882808.exe35⤵
- Executes dropped EXE
PID:2092 -
\??\c:\26424.exec:\26424.exe36⤵
- Executes dropped EXE
PID:2508 -
\??\c:\lxlrrxl.exec:\lxlrrxl.exe37⤵
- Executes dropped EXE
PID:2844 -
\??\c:\1jdpd.exec:\1jdpd.exe38⤵
- Executes dropped EXE
PID:2956 -
\??\c:\1fxllxf.exec:\1fxllxf.exe39⤵
- Executes dropped EXE
PID:2848 -
\??\c:\dvpdj.exec:\dvpdj.exe40⤵
- Executes dropped EXE
PID:2288 -
\??\c:\608428.exec:\608428.exe41⤵
- Executes dropped EXE
PID:3068 -
\??\c:\jdvdd.exec:\jdvdd.exe42⤵
- Executes dropped EXE
PID:2860 -
\??\c:\vpddd.exec:\vpddd.exe43⤵
- Executes dropped EXE
PID:2744 -
\??\c:\bnhtbh.exec:\bnhtbh.exe44⤵
- Executes dropped EXE
PID:2740 -
\??\c:\djjjp.exec:\djjjp.exe45⤵
- Executes dropped EXE
PID:2672 -
\??\c:\bbttth.exec:\bbttth.exe46⤵
- Executes dropped EXE
PID:2776 -
\??\c:\26624.exec:\26624.exe47⤵
- Executes dropped EXE
PID:1268 -
\??\c:\u862406.exec:\u862406.exe48⤵
- Executes dropped EXE
PID:2084 -
\??\c:\u484802.exec:\u484802.exe49⤵
- Executes dropped EXE
PID:1008 -
\??\c:\4266886.exec:\4266886.exe50⤵
- Executes dropped EXE
PID:1072 -
\??\c:\vdjvp.exec:\vdjvp.exe51⤵
- Executes dropped EXE
PID:1672 -
\??\c:\2668626.exec:\2668626.exe52⤵
- Executes dropped EXE
PID:1552 -
\??\c:\8206224.exec:\8206224.exe53⤵
- Executes dropped EXE
PID:1892 -
\??\c:\1ffrflx.exec:\1ffrflx.exe54⤵
- Executes dropped EXE
PID:1236 -
\??\c:\bhhnbn.exec:\bhhnbn.exe55⤵
- Executes dropped EXE
PID:316 -
\??\c:\pjdjp.exec:\pjdjp.exe56⤵
- Executes dropped EXE
PID:2448 -
\??\c:\lrlrrxf.exec:\lrlrrxf.exe57⤵
- Executes dropped EXE
PID:284 -
\??\c:\64286.exec:\64286.exe58⤵
- Executes dropped EXE
PID:2208 -
\??\c:\5vpvp.exec:\5vpvp.exe59⤵
- Executes dropped EXE
PID:1548 -
\??\c:\400262.exec:\400262.exe60⤵
- Executes dropped EXE
PID:448 -
\??\c:\u0642.exec:\u0642.exe61⤵
- Executes dropped EXE
PID:2188 -
\??\c:\o046846.exec:\o046846.exe62⤵
- Executes dropped EXE
PID:1284 -
\??\c:\60680.exec:\60680.exe63⤵
- Executes dropped EXE
PID:1876 -
\??\c:\ddvvj.exec:\ddvvj.exe64⤵
- Executes dropped EXE
PID:1424 -
\??\c:\486206.exec:\486206.exe65⤵
- Executes dropped EXE
PID:1708 -
\??\c:\64840.exec:\64840.exe66⤵PID:772
-
\??\c:\1dpvd.exec:\1dpvd.exe67⤵PID:1464
-
\??\c:\0806884.exec:\0806884.exe68⤵PID:2224
-
\??\c:\826200.exec:\826200.exe69⤵PID:2496
-
\??\c:\w08848.exec:\w08848.exe70⤵PID:1212
-
\??\c:\7vpvd.exec:\7vpvd.exe71⤵PID:2116
-
\??\c:\fxxflff.exec:\fxxflff.exe72⤵PID:2484
-
\??\c:\4820242.exec:\4820242.exe73⤵PID:2584
-
\??\c:\68884.exec:\68884.exe74⤵PID:2528
-
\??\c:\djjdd.exec:\djjdd.exe75⤵PID:2064
-
\??\c:\6406268.exec:\6406268.exe76⤵PID:2616
-
\??\c:\nhhntt.exec:\nhhntt.exe77⤵PID:2524
-
\??\c:\80666.exec:\80666.exe78⤵PID:2464
-
\??\c:\048688.exec:\048688.exe79⤵PID:2472
-
\??\c:\7vdjj.exec:\7vdjj.exe80⤵PID:2964
-
\??\c:\1bttbh.exec:\1bttbh.exe81⤵PID:2704
-
\??\c:\602288.exec:\602288.exe82⤵PID:3016
-
\??\c:\04224.exec:\04224.exe83⤵PID:2556
-
\??\c:\e04640.exec:\e04640.exe84⤵PID:2996
-
\??\c:\u804662.exec:\u804662.exe85⤵PID:2724
-
\??\c:\0844066.exec:\0844066.exe86⤵PID:2716
-
\??\c:\m0844.exec:\m0844.exe87⤵PID:2752
-
\??\c:\jvpvj.exec:\jvpvj.exe88⤵PID:2552
-
\??\c:\m6402.exec:\m6402.exe89⤵PID:2344
-
\??\c:\vddpj.exec:\vddpj.exe90⤵PID:1980
-
\??\c:\tnbbhh.exec:\tnbbhh.exe91⤵PID:1760
-
\??\c:\vpvvp.exec:\vpvvp.exe92⤵PID:2040
-
\??\c:\7dppp.exec:\7dppp.exe93⤵PID:1784
-
\??\c:\lxllrxl.exec:\lxllrxl.exe94⤵PID:1632
-
\??\c:\8606228.exec:\8606228.exe95⤵PID:1896
-
\??\c:\8682262.exec:\8682262.exe96⤵PID:1840
-
\??\c:\480202.exec:\480202.exe97⤵PID:2940
-
\??\c:\868062.exec:\868062.exe98⤵PID:2988
-
\??\c:\0228620.exec:\0228620.exe99⤵PID:1376
-
\??\c:\vdddj.exec:\vdddj.exe100⤵PID:112
-
\??\c:\6606442.exec:\6606442.exe101⤵PID:2176
-
\??\c:\6042446.exec:\6042446.exe102⤵PID:828
-
\??\c:\04242.exec:\04242.exe103⤵PID:1548
-
\??\c:\a2220.exec:\a2220.exe104⤵PID:328
-
\??\c:\w48800.exec:\w48800.exe105⤵PID:1312
-
\??\c:\tthnht.exec:\tthnht.exe106⤵PID:1436
-
\??\c:\djvjv.exec:\djvjv.exe107⤵PID:2368
-
\??\c:\flflrrf.exec:\flflrrf.exe108⤵PID:1796
-
\??\c:\rllrrlf.exec:\rllrrlf.exe109⤵PID:324
-
\??\c:\llrflrr.exec:\llrflrr.exe110⤵PID:2024
-
\??\c:\7lfrffr.exec:\7lfrffr.exe111⤵PID:2576
-
\??\c:\nnbhnn.exec:\nnbhnn.exe112⤵PID:2784
-
\??\c:\1fxfxlr.exec:\1fxfxlr.exe113⤵PID:1212
-
\??\c:\xfffrrf.exec:\xfffrrf.exe114⤵PID:2396
-
\??\c:\86468.exec:\86468.exe115⤵PID:2484
-
\??\c:\q86284.exec:\q86284.exe116⤵PID:2548
-
\??\c:\vdvjv.exec:\vdvjv.exe117⤵PID:2604
-
\??\c:\u268286.exec:\u268286.exe118⤵PID:1532
-
\??\c:\rllxrrr.exec:\rllxrrr.exe119⤵PID:1628
-
\??\c:\826288.exec:\826288.exe120⤵PID:2508
-
\??\c:\lrlxrfr.exec:\lrlxrfr.exe121⤵PID:3028
-
\??\c:\xxrxrrl.exec:\xxrxrrl.exe122⤵PID:2948