Analysis
-
max time kernel
150s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
08/01/2025, 07:37
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
bf8bc193fb1abd9a58749902bbaad6f2a21d497ad6811a1e70ca28c9d6ca892c.exe
Resource
win7-20240903-en
7 signatures
150 seconds
General
-
Target
bf8bc193fb1abd9a58749902bbaad6f2a21d497ad6811a1e70ca28c9d6ca892c.exe
-
Size
456KB
-
MD5
1275ac8c581a0c7b5144340f4c05df69
-
SHA1
da9f1de28ae1eebc93d597b16973d99ba395ca9a
-
SHA256
bf8bc193fb1abd9a58749902bbaad6f2a21d497ad6811a1e70ca28c9d6ca892c
-
SHA512
8a249fae4020eff9514b4bca0a42edb24a18cc2c0e1a81078c40daf7580bd254f1139f75eb51fc4465c359e730d54a768f85b09194a3c2933dc15fa8711d34d8
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeR6:q7Tc2NYHUrAwfMp3CDR6
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 39 IoCs
resource yara_rule behavioral1/memory/1740-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2836-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2300-26-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2676-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2928-44-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2604-53-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2604-55-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2580-64-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3048-75-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/692-83-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2436-95-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2660-139-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1940-158-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1456-168-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2392-195-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1944-205-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2080-214-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1388-225-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1544-242-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1036-250-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2312-259-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2532-269-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1324-286-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2848-311-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2820-325-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2076-339-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2076-338-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/3056-365-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2164-373-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2440-445-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2244-515-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/916-502-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/380-438-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1752-566-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2576-602-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/908-657-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2548-691-0x0000000000260000-0x000000000028A000-memory.dmp family_blackmoon behavioral1/memory/2028-794-0x0000000000330000-0x000000000035A000-memory.dmp family_blackmoon behavioral1/memory/2556-870-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2836 3lfflrf.exe 2300 rfxxxxr.exe 2676 bhnhhb.exe 2928 vjddp.exe 2604 fxrxllx.exe 2580 dvjpv.exe 3048 3jvvd.exe 692 bbthhb.exe 2436 vvppp.exe 2524 xlxrfrr.exe 860 7tbbhn.exe 788 xlflrxl.exe 2060 7hbhbb.exe 2660 frlfrxx.exe 2224 7xxxxrx.exe 1940 5frxllx.exe 1456 tnthnn.exe 2988 jddpd.exe 2128 fxllrrr.exe 2392 bthhtn.exe 1944 jjjpd.exe 2080 rxflllx.exe 1388 hbnhbb.exe 704 pjvpd.exe 1544 fxfxxxf.exe 1036 hnnhbn.exe 2312 djpdd.exe 2532 bnbbhh.exe 2372 ddpjp.exe 1324 lfrxlrx.exe 2828 nhbtbh.exe 1596 vpddj.exe 2848 3bhhhn.exe 2960 pjppj.exe 2820 jjvdj.exe 3060 rfllrfl.exe 2076 thbtbb.exe 2604 bbbbth.exe 2612 ddvjp.exe 2096 lfxfrxl.exe 3056 tnbhtt.exe 2164 5nttnh.exe 2436 jvjdj.exe 2056 5rrxffl.exe 1436 xlxfllr.exe 860 tnbbhh.exe 988 1jdjp.exe 2648 3rxlffr.exe 2904 9ffrrxr.exe 2940 1nhbbt.exe 320 hthnnt.exe 380 pppvj.exe 2440 1rlrxxf.exe 1456 9htthn.exe 1932 tthttn.exe 2124 5dppp.exe 2264 lffxllr.exe 1136 3rrxxrx.exe 1944 1thhhh.exe 1648 3bhbtb.exe 948 vjppv.exe 916 flfffff.exe 704 lxfxrrl.exe 2244 tnbbhn.exe -
resource yara_rule behavioral1/memory/1740-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2836-9-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2836-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2300-26-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2676-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2928-44-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2580-57-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2604-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2580-64-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3048-75-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/692-83-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2436-95-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/788-112-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2660-129-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2660-139-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1940-158-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1456-168-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2128-177-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2392-195-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1944-205-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2080-214-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1388-225-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1544-242-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1036-250-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2312-259-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2532-269-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1324-286-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2848-311-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2820-318-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2076-339-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3056-365-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2164-373-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2440-445-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/948-490-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2244-515-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/916-502-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/380-438-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1752-558-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1752-566-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2576-602-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/908-657-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2128-729-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2232-756-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2492-819-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2416-880-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnnhnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvjdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjvjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3jdjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3thnnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7frrrll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjppv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5ttbtb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
1flllff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxllrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpjjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfffxxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1740 wrote to memory of 2836 1740 bf8bc193fb1abd9a58749902bbaad6f2a21d497ad6811a1e70ca28c9d6ca892c.exe 31 PID 1740 wrote to memory of 2836 1740 bf8bc193fb1abd9a58749902bbaad6f2a21d497ad6811a1e70ca28c9d6ca892c.exe 31 PID 1740 wrote to memory of 2836 1740 bf8bc193fb1abd9a58749902bbaad6f2a21d497ad6811a1e70ca28c9d6ca892c.exe 31 PID 1740 wrote to memory of 2836 1740 bf8bc193fb1abd9a58749902bbaad6f2a21d497ad6811a1e70ca28c9d6ca892c.exe 31 PID 2836 wrote to memory of 2300 2836 3lfflrf.exe 32 PID 2836 wrote to memory of 2300 2836 3lfflrf.exe 32 PID 2836 wrote to memory of 2300 2836 3lfflrf.exe 32 PID 2836 wrote to memory of 2300 2836 3lfflrf.exe 32 PID 2300 wrote to memory of 2676 2300 rfxxxxr.exe 33 PID 2300 wrote to memory of 2676 2300 rfxxxxr.exe 33 PID 2300 wrote to memory of 2676 2300 rfxxxxr.exe 33 PID 2300 wrote to memory of 2676 2300 rfxxxxr.exe 33 PID 2676 wrote to memory of 2928 2676 bhnhhb.exe 34 PID 2676 wrote to memory of 2928 2676 bhnhhb.exe 34 PID 2676 wrote to memory of 2928 2676 bhnhhb.exe 34 PID 2676 wrote to memory of 2928 2676 bhnhhb.exe 34 PID 2928 wrote to memory of 2604 2928 vjddp.exe 35 PID 2928 wrote to memory of 2604 2928 vjddp.exe 35 PID 2928 wrote to memory of 2604 2928 vjddp.exe 35 PID 2928 wrote to memory of 2604 2928 vjddp.exe 35 PID 2604 wrote to memory of 2580 2604 fxrxllx.exe 36 PID 2604 wrote to memory of 2580 2604 fxrxllx.exe 36 PID 2604 wrote to memory of 2580 2604 fxrxllx.exe 36 PID 2604 wrote to memory of 2580 2604 fxrxllx.exe 36 PID 2580 wrote to memory of 3048 2580 dvjpv.exe 37 PID 2580 wrote to memory of 3048 2580 dvjpv.exe 37 PID 2580 wrote to memory of 3048 2580 dvjpv.exe 37 PID 2580 wrote to memory of 3048 2580 dvjpv.exe 37 PID 3048 wrote to memory of 692 3048 3jvvd.exe 38 PID 3048 wrote to memory of 692 3048 3jvvd.exe 38 PID 3048 wrote to memory of 692 3048 3jvvd.exe 38 PID 3048 wrote to memory of 692 3048 3jvvd.exe 38 PID 692 wrote to memory of 2436 692 bbthhb.exe 39 PID 692 wrote to 
memory of 2436 692 bbthhb.exe 39 PID 692 wrote to memory of 2436 692 bbthhb.exe 39 PID 692 wrote to memory of 2436 692 bbthhb.exe 39 PID 2436 wrote to memory of 2524 2436 vvppp.exe 40 PID 2436 wrote to memory of 2524 2436 vvppp.exe 40 PID 2436 wrote to memory of 2524 2436 vvppp.exe 40 PID 2436 wrote to memory of 2524 2436 vvppp.exe 40 PID 2524 wrote to memory of 860 2524 xlxrfrr.exe 41 PID 2524 wrote to memory of 860 2524 xlxrfrr.exe 41 PID 2524 wrote to memory of 860 2524 xlxrfrr.exe 41 PID 2524 wrote to memory of 860 2524 xlxrfrr.exe 41 PID 860 wrote to memory of 788 860 7tbbhn.exe 42 PID 860 wrote to memory of 788 860 7tbbhn.exe 42 PID 860 wrote to memory of 788 860 7tbbhn.exe 42 PID 860 wrote to memory of 788 860 7tbbhn.exe 42 PID 788 wrote to memory of 2060 788 xlflrxl.exe 43 PID 788 wrote to memory of 2060 788 xlflrxl.exe 43 PID 788 wrote to memory of 2060 788 xlflrxl.exe 43 PID 788 wrote to memory of 2060 788 xlflrxl.exe 43 PID 2060 wrote to memory of 2660 2060 7hbhbb.exe 44 PID 2060 wrote to memory of 2660 2060 7hbhbb.exe 44 PID 2060 wrote to memory of 2660 2060 7hbhbb.exe 44 PID 2060 wrote to memory of 2660 2060 7hbhbb.exe 44 PID 2660 wrote to memory of 2224 2660 frlfrxx.exe 45 PID 2660 wrote to memory of 2224 2660 frlfrxx.exe 45 PID 2660 wrote to memory of 2224 2660 frlfrxx.exe 45 PID 2660 wrote to memory of 2224 2660 frlfrxx.exe 45 PID 2224 wrote to memory of 1940 2224 7xxxxrx.exe 46 PID 2224 wrote to memory of 1940 2224 7xxxxrx.exe 46 PID 2224 wrote to memory of 1940 2224 7xxxxrx.exe 46 PID 2224 wrote to memory of 1940 2224 7xxxxrx.exe 46
Processes
-
C:\Users\Admin\AppData\Local\Temp\bf8bc193fb1abd9a58749902bbaad6f2a21d497ad6811a1e70ca28c9d6ca892c.exe"C:\Users\Admin\AppData\Local\Temp\bf8bc193fb1abd9a58749902bbaad6f2a21d497ad6811a1e70ca28c9d6ca892c.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1740 -
\??\c:\3lfflrf.exec:\3lfflrf.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2836 -
\??\c:\rfxxxxr.exec:\rfxxxxr.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2300 -
\??\c:\bhnhhb.exec:\bhnhhb.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2676 -
\??\c:\vjddp.exec:\vjddp.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2928 -
\??\c:\fxrxllx.exec:\fxrxllx.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2604 -
\??\c:\dvjpv.exec:\dvjpv.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2580 -
\??\c:\3jvvd.exec:\3jvvd.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3048 -
\??\c:\bbthhb.exec:\bbthhb.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:692 -
\??\c:\vvppp.exec:\vvppp.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2436 -
\??\c:\xlxrfrr.exec:\xlxrfrr.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2524 -
\??\c:\7tbbhn.exec:\7tbbhn.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:860 -
\??\c:\xlflrxl.exec:\xlflrxl.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:788 -
\??\c:\7hbhbb.exec:\7hbhbb.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2060 -
\??\c:\frlfrxx.exec:\frlfrxx.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2660 -
\??\c:\7xxxxrx.exec:\7xxxxrx.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2224 -
\??\c:\5frxllx.exec:\5frxllx.exe17⤵
- Executes dropped EXE
PID:1940 -
\??\c:\tnthnn.exec:\tnthnn.exe18⤵
- Executes dropped EXE
PID:1456 -
\??\c:\jddpd.exec:\jddpd.exe19⤵
- Executes dropped EXE
PID:2988 -
\??\c:\fxllrrr.exec:\fxllrrr.exe20⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2128 -
\??\c:\bthhtn.exec:\bthhtn.exe21⤵
- Executes dropped EXE
PID:2392 -
\??\c:\jjjpd.exec:\jjjpd.exe22⤵
- Executes dropped EXE
PID:1944 -
\??\c:\rxflllx.exec:\rxflllx.exe23⤵
- Executes dropped EXE
PID:2080 -
\??\c:\hbnhbb.exec:\hbnhbb.exe24⤵
- Executes dropped EXE
PID:1388 -
\??\c:\pjvpd.exec:\pjvpd.exe25⤵
- Executes dropped EXE
PID:704 -
\??\c:\fxfxxxf.exec:\fxfxxxf.exe26⤵
- Executes dropped EXE
PID:1544 -
\??\c:\hnnhbn.exec:\hnnhbn.exe27⤵
- Executes dropped EXE
PID:1036 -
\??\c:\djpdd.exec:\djpdd.exe28⤵
- Executes dropped EXE
PID:2312 -
\??\c:\bnbbhh.exec:\bnbbhh.exe29⤵
- Executes dropped EXE
PID:2532 -
\??\c:\ddpjp.exec:\ddpjp.exe30⤵
- Executes dropped EXE
PID:2372 -
\??\c:\lfrxlrx.exec:\lfrxlrx.exe31⤵
- Executes dropped EXE
PID:1324 -
\??\c:\nhbtbh.exec:\nhbtbh.exe32⤵
- Executes dropped EXE
PID:2828 -
\??\c:\vpddj.exec:\vpddj.exe33⤵
- Executes dropped EXE
PID:1596 -
\??\c:\3bhhhn.exec:\3bhhhn.exe34⤵
- Executes dropped EXE
PID:2848 -
\??\c:\pjppj.exec:\pjppj.exe35⤵
- Executes dropped EXE
PID:2960 -
\??\c:\jjvdj.exec:\jjvdj.exe36⤵
- Executes dropped EXE
PID:2820 -
\??\c:\rfllrfl.exec:\rfllrfl.exe37⤵
- Executes dropped EXE
PID:3060 -
\??\c:\thbtbb.exec:\thbtbb.exe38⤵
- Executes dropped EXE
PID:2076 -
\??\c:\bbbbth.exec:\bbbbth.exe39⤵
- Executes dropped EXE
PID:2604 -
\??\c:\ddvjp.exec:\ddvjp.exe40⤵
- Executes dropped EXE
PID:2612 -
\??\c:\lfxfrxl.exec:\lfxfrxl.exe41⤵
- Executes dropped EXE
PID:2096 -
\??\c:\tnbhtt.exec:\tnbhtt.exe42⤵
- Executes dropped EXE
PID:3056 -
\??\c:\5nttnh.exec:\5nttnh.exe43⤵
- Executes dropped EXE
PID:2164 -
\??\c:\jvjdj.exec:\jvjdj.exe44⤵
- Executes dropped EXE
PID:2436 -
\??\c:\5rrxffl.exec:\5rrxffl.exe45⤵
- Executes dropped EXE
PID:2056 -
\??\c:\xlxfllr.exec:\xlxfllr.exe46⤵
- Executes dropped EXE
PID:1436 -
\??\c:\tnbbhh.exec:\tnbbhh.exe47⤵
- Executes dropped EXE
PID:860 -
\??\c:\1jdjp.exec:\1jdjp.exe48⤵
- Executes dropped EXE
PID:988 -
\??\c:\3rxlffr.exec:\3rxlffr.exe49⤵
- Executes dropped EXE
PID:2648 -
\??\c:\9ffrrxr.exec:\9ffrrxr.exe50⤵
- Executes dropped EXE
PID:2904 -
\??\c:\1nhbbt.exec:\1nhbbt.exe51⤵
- Executes dropped EXE
PID:2940 -
\??\c:\hthnnt.exec:\hthnnt.exe52⤵
- Executes dropped EXE
PID:320 -
\??\c:\pppvj.exec:\pppvj.exe53⤵
- Executes dropped EXE
PID:380 -
\??\c:\1rlrxxf.exec:\1rlrxxf.exe54⤵
- Executes dropped EXE
PID:2440 -
\??\c:\9htthn.exec:\9htthn.exe55⤵
- Executes dropped EXE
PID:1456 -
\??\c:\tthttn.exec:\tthttn.exe56⤵
- Executes dropped EXE
PID:1932 -
\??\c:\5dppp.exec:\5dppp.exe57⤵
- Executes dropped EXE
PID:2124 -
\??\c:\lffxllr.exec:\lffxllr.exe58⤵
- Executes dropped EXE
PID:2264 -
\??\c:\3rrxxrx.exec:\3rrxxrx.exe59⤵
- Executes dropped EXE
PID:1136 -
\??\c:\1thhhh.exec:\1thhhh.exe60⤵
- Executes dropped EXE
PID:1944 -
\??\c:\3bhbtb.exec:\3bhbtb.exe61⤵
- Executes dropped EXE
PID:1648 -
\??\c:\vjppv.exec:\vjppv.exe62⤵
- Executes dropped EXE
PID:948 -
\??\c:\flfffff.exec:\flfffff.exe63⤵
- Executes dropped EXE
PID:916 -
\??\c:\lxfxrrl.exec:\lxfxrrl.exe64⤵
- Executes dropped EXE
PID:704 -
\??\c:\tnbbhn.exec:\tnbbhn.exe65⤵
- Executes dropped EXE
PID:2244 -
\??\c:\thhbhn.exec:\thhbhn.exe66⤵PID:1948
-
\??\c:\3dvpd.exec:\3dvpd.exe67⤵PID:3012
-
\??\c:\frlffxr.exec:\frlffxr.exe68⤵PID:1492
-
\??\c:\lfrxlrf.exec:\lfrxlrf.exe69⤵PID:1672
-
\??\c:\hhtthb.exec:\hhtthb.exe70⤵PID:576
-
\??\c:\tnhtth.exec:\tnhtth.exe71⤵PID:1688
-
\??\c:\vjddj.exec:\vjddj.exe72⤵PID:1128
-
\??\c:\5xxffxl.exec:\5xxffxl.exe73⤵PID:1752
-
\??\c:\btnnnn.exec:\btnnnn.exe74⤵PID:2684
-
\??\c:\jvdvd.exec:\jvdvd.exe75⤵PID:2972
-
\??\c:\xlfffxl.exec:\xlfffxl.exe76⤵PID:1592
-
\??\c:\nhnnnt.exec:\nhnnnt.exe77⤵PID:2720
-
\??\c:\7vppd.exec:\7vppd.exe78⤵PID:2928
-
\??\c:\lxlrxxx.exec:\lxlrxxx.exe79⤵PID:2576
-
\??\c:\nnbhhh.exec:\nnbhhh.exe80⤵PID:2076
-
\??\c:\vpjpd.exec:\vpjpd.exe81⤵PID:2204
-
\??\c:\5xrxxxx.exec:\5xrxxxx.exe82⤵PID:2176
-
\??\c:\7dvvd.exec:\7dvvd.exe83⤵PID:2296
-
\??\c:\lxxrrrr.exec:\lxxrrrr.exe84⤵PID:2068
-
\??\c:\bnhhbt.exec:\bnhhbt.exe85⤵PID:2164
-
\??\c:\jjjjd.exec:\jjjjd.exe86⤵PID:628
-
\??\c:\vjvpv.exec:\vjvpv.exe87⤵PID:908
-
\??\c:\flfrxxl.exec:\flfrxxl.exe88⤵PID:2772
-
\??\c:\hbhhnh.exec:\hbhhnh.exe89⤵PID:2548
-
\??\c:\5bnntt.exec:\5bnntt.exe90⤵PID:2764
-
\??\c:\pdjjd.exec:\pdjjd.exe91⤵PID:2796
-
\??\c:\ddvvd.exec:\ddvvd.exe92⤵PID:2760
-
\??\c:\frlrxrx.exec:\frlrxrx.exe93⤵PID:2072
-
\??\c:\nhtthh.exec:\nhtthh.exe94⤵PID:592
-
\??\c:\thttbh.exec:\thttbh.exe95⤵PID:1940
-
\??\c:\pjvpv.exec:\pjvpv.exe96⤵PID:880
-
\??\c:\rfrrxxf.exec:\rfrrxxf.exe97⤵PID:1456
-
\??\c:\nbnntn.exec:\nbnntn.exe98⤵PID:1932
-
\??\c:\5tntht.exec:\5tntht.exe99⤵PID:2128
-
\??\c:\vddvv.exec:\vddvv.exe100⤵PID:2264
-
\??\c:\9rfflfl.exec:\9rfflfl.exe101⤵PID:2452
-
\??\c:\bbhhbt.exec:\bbhhbt.exe102⤵PID:2528
-
\??\c:\5thhbh.exec:\5thhbh.exe103⤵PID:2232
-
\??\c:\ddjvd.exec:\ddjvd.exe104⤵PID:840
-
\??\c:\rflllll.exec:\rflllll.exe105⤵PID:2256
-
\??\c:\lfxrffx.exec:\lfxrffx.exe106⤵PID:1644
-
\??\c:\1bnnhh.exec:\1bnnhh.exe107⤵PID:1552
-
\??\c:\jvjpd.exec:\jvjpd.exe108⤵PID:2028
-
\??\c:\1jpvv.exec:\1jpvv.exe109⤵PID:1064
-
\??\c:\1frrxfr.exec:\1frrxfr.exe110⤵PID:2092
-
\??\c:\1rfxxxx.exec:\1rfxxxx.exe111⤵PID:2268
-
\??\c:\htnntt.exec:\htnntt.exe112⤵PID:2948
-
\??\c:\vjjjd.exec:\vjjjd.exe113⤵PID:2492
-
\??\c:\jdjdj.exec:\jdjdj.exe114⤵PID:2828
-
\??\c:\lfxxllf.exec:\lfxxllf.exe115⤵PID:1752
-
\??\c:\hhbhhn.exec:\hhbhhn.exe116⤵PID:2184
-
\??\c:\tthhnt.exec:\tthhnt.exe117⤵PID:2972
-
\??\c:\9jvvv.exec:\9jvvv.exe118⤵PID:2748
-
\??\c:\3xxlxxf.exec:\3xxlxxf.exe119⤵PID:2920
-
\??\c:\fxlrfll.exec:\fxlrfll.exe120⤵PID:2556
-
\??\c:\thtnnn.exec:\thtnnn.exe121⤵PID:108
-
\??\c:\hbnntt.exec:\hbnntt.exe122⤵PID:2416