Analysis
-
max time kernel
150s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64 arch:x86 image:win7-20240708-en locale:en-us os:windows7-x64 system -
submitted
11-01-2025 06:46
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
ce94f91f14606ad5d92ecfa1bf328b2277502cf48785e8d9ea25b260e23c059d.exe
Resource
win7-20240708-en
7 signatures
150 seconds
General
-
Target
ce94f91f14606ad5d92ecfa1bf328b2277502cf48785e8d9ea25b260e23c059d.exe
-
Size
455KB
-
MD5
32a7bb8ba4ec350b9ccc077653a7da74
-
SHA1
828356e42db2c0e1eeacee4a4cb0e596ffd33b0c
-
SHA256
ce94f91f14606ad5d92ecfa1bf328b2277502cf48785e8d9ea25b260e23c059d
-
SHA512
42becce2b510fa0d87cdcd78f16743efc3ca6d098774c479c83c7218845cb0c0fd48af435d9c77fd86c0d29cf342980cb1a49231aed13f406f9026375b01a83f
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeL:q7Tc2NYHUrAwfMp3CDL
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 38 IoCs
resource yara_rule behavioral1/memory/2432-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2300-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2784-31-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2764-28-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2784-33-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2712-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2876-51-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2016-70-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/816-94-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2648-107-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1044-126-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1800-152-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2820-160-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1140-205-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1264-216-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1088-213-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2060-236-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2208-253-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2908-271-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2408-288-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1756-285-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2704-316-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2712-343-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2672-357-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2028-421-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1988-461-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1352-493-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2516-525-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2516-526-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2896-546-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1756-566-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2028-700-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1588-737-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1352-771-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1972-784-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2208-812-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1952-954-0x0000000000230000-0x000000000025A000-memory.dmp family_blackmoon behavioral1/memory/952-1058-0x0000000000530000-0x000000000055A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2300 fllrlxx.exe 2764 4200440.exe 2784 8640686.exe 2712 bnhnnn.exe 2876 lfrfrrx.exe 2544 nhntnb.exe 2016 2600842.exe 1692 rllrffl.exe 816 64224.exe 584 bhbbbh.exe 2648 tnhhbb.exe 1952 u640624.exe 1044 ddvjv.exe 2336 u268624.exe 1800 5xlffrf.exe 2820 w24462.exe 1612 3bthnb.exe 888 bhbntb.exe 2188 w04048.exe 2104 9vvvv.exe 1140 604284.exe 1088 q80284.exe 1264 7xfrxlx.exe 1356 tnhnbb.exe 2060 00882.exe 844 4480228.exe 2208 djdvj.exe 1740 nbhntt.exe 2908 rrlxxfr.exe 1756 2646802.exe 2408 4806446.exe 1608 1pjjp.exe 2756 m2402.exe 2704 pvpdv.exe 2772 e42802.exe 2824 btnbnn.exe 2652 u662408.exe 2712 hbttnt.exe 2552 600684.exe 2672 660640.exe 2996 e48484.exe 772 c262068.exe 476 26402.exe 2852 k40802.exe 2992 0246226.exe 2172 a2068.exe 2840 rxlxrll.exe 2392 9vpjp.exe 1228 8402888.exe 2028 1jpjp.exe 1320 fllxfxx.exe 2760 ddvjd.exe 1696 bnhnnn.exe 1928 dvjjd.exe 1772 66068.exe 1988 rrlrfrf.exe 2744 tnhnhh.exe 3032 c828240.exe 2948 6088240.exe 1580 3vvdd.exe 1352 480066.exe 2400 o002664.exe 836 jddpv.exe 2520 ppjpj.exe -
resource yara_rule behavioral1/memory/2432-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2300-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2784-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2764-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2712-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2876-51-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2016-70-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1692-78-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/816-94-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2648-107-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1044-126-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1800-152-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2820-160-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1140-205-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1264-216-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1088-213-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2060-236-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2208-253-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2908-271-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2408-288-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1756-285-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2704-316-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2772-337-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2712-343-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2712-342-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2672-357-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2852-377-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2028-421-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1696-434-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1988-461-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1352-493-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2516-526-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2896-539-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2896-546-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1756-566-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2676-585-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2668-592-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/320-636-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1316-643-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2028-693-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2028-700-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1588-737-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1576-744-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1140-757-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1352-771-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1380-772-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2208-812-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2720-873-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2584-880-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2156-911-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3032-1011-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2428-1048-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2660-1112-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 860006.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffllfff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e60266.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 60846.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnbbbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjdpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jddpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 88826.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffrrffl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvpdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvjjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdvjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjdjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language m6822.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2432 wrote to memory of 2300 2432 ce94f91f14606ad5d92ecfa1bf328b2277502cf48785e8d9ea25b260e23c059d.exe 30 PID 2432 wrote to memory of 2300 2432 ce94f91f14606ad5d92ecfa1bf328b2277502cf48785e8d9ea25b260e23c059d.exe 30 PID 2432 wrote to memory of 2300 2432 ce94f91f14606ad5d92ecfa1bf328b2277502cf48785e8d9ea25b260e23c059d.exe 30 PID 2432 wrote to memory of 2300 2432 ce94f91f14606ad5d92ecfa1bf328b2277502cf48785e8d9ea25b260e23c059d.exe 30 PID 2300 wrote to memory of 2764 2300 fllrlxx.exe 31 PID 2300 wrote to memory of 2764 2300 fllrlxx.exe 31 PID 2300 wrote to memory of 2764 2300 fllrlxx.exe 31 PID 2300 wrote to memory of 2764 2300 fllrlxx.exe 31 PID 2764 wrote to memory of 2784 2764 4200440.exe 32 PID 2764 wrote to memory of 2784 2764 4200440.exe 32 PID 2764 wrote to memory of 2784 2764 4200440.exe 32 PID 2764 wrote to memory of 2784 2764 4200440.exe 32 PID 2784 wrote to memory of 2712 2784 8640686.exe 33 PID 2784 wrote to memory of 2712 2784 8640686.exe 33 PID 2784 wrote to memory of 2712 2784 8640686.exe 33 PID 2784 wrote to memory of 2712 2784 8640686.exe 33 PID 2712 wrote to memory of 2876 2712 bnhnnn.exe 34 PID 2712 wrote to memory of 2876 2712 bnhnnn.exe 34 PID 2712 wrote to memory of 2876 2712 bnhnnn.exe 34 PID 2712 wrote to memory of 2876 2712 bnhnnn.exe 34 PID 2876 wrote to memory of 2544 2876 lfrfrrx.exe 35 PID 2876 wrote to memory of 2544 2876 lfrfrrx.exe 35 PID 2876 wrote to memory of 2544 2876 lfrfrrx.exe 35 PID 2876 wrote to memory of 2544 2876 lfrfrrx.exe 35 PID 2544 wrote to memory of 2016 2544 nhntnb.exe 36 PID 2544 wrote to memory of 2016 2544 nhntnb.exe 36 PID 2544 wrote to memory of 2016 2544 nhntnb.exe 36 PID 2544 wrote to memory of 2016 2544 nhntnb.exe 36 PID 2016 wrote to memory of 1692 2016 2600842.exe 37 PID 2016 wrote to memory of 1692 2016 2600842.exe 37 PID 2016 wrote to memory of 1692 2016 2600842.exe 37 PID 2016 wrote to memory of 1692 2016 2600842.exe 37 PID 1692 wrote to memory of 816 1692 
rllrffl.exe 38 PID 1692 wrote to memory of 816 1692 rllrffl.exe 38 PID 1692 wrote to memory of 816 1692 rllrffl.exe 38 PID 1692 wrote to memory of 816 1692 rllrffl.exe 38 PID 816 wrote to memory of 584 816 64224.exe 39 PID 816 wrote to memory of 584 816 64224.exe 39 PID 816 wrote to memory of 584 816 64224.exe 39 PID 816 wrote to memory of 584 816 64224.exe 39 PID 584 wrote to memory of 2648 584 bhbbbh.exe 40 PID 584 wrote to memory of 2648 584 bhbbbh.exe 40 PID 584 wrote to memory of 2648 584 bhbbbh.exe 40 PID 584 wrote to memory of 2648 584 bhbbbh.exe 40 PID 2648 wrote to memory of 1952 2648 tnhhbb.exe 41 PID 2648 wrote to memory of 1952 2648 tnhhbb.exe 41 PID 2648 wrote to memory of 1952 2648 tnhhbb.exe 41 PID 2648 wrote to memory of 1952 2648 tnhhbb.exe 41 PID 1952 wrote to memory of 1044 1952 u640624.exe 42 PID 1952 wrote to memory of 1044 1952 u640624.exe 42 PID 1952 wrote to memory of 1044 1952 u640624.exe 42 PID 1952 wrote to memory of 1044 1952 u640624.exe 42 PID 1044 wrote to memory of 2336 1044 ddvjv.exe 43 PID 1044 wrote to memory of 2336 1044 ddvjv.exe 43 PID 1044 wrote to memory of 2336 1044 ddvjv.exe 43 PID 1044 wrote to memory of 2336 1044 ddvjv.exe 43 PID 2336 wrote to memory of 1800 2336 u268624.exe 44 PID 2336 wrote to memory of 1800 2336 u268624.exe 44 PID 2336 wrote to memory of 1800 2336 u268624.exe 44 PID 2336 wrote to memory of 1800 2336 u268624.exe 44 PID 1800 wrote to memory of 2820 1800 5xlffrf.exe 45 PID 1800 wrote to memory of 2820 1800 5xlffrf.exe 45 PID 1800 wrote to memory of 2820 1800 5xlffrf.exe 45 PID 1800 wrote to memory of 2820 1800 5xlffrf.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\ce94f91f14606ad5d92ecfa1bf328b2277502cf48785e8d9ea25b260e23c059d.exe"C:\Users\Admin\AppData\Local\Temp\ce94f91f14606ad5d92ecfa1bf328b2277502cf48785e8d9ea25b260e23c059d.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2432 -
\??\c:\fllrlxx.exec:\fllrlxx.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2300 -
\??\c:\4200440.exec:\4200440.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2764 -
\??\c:\8640686.exec:\8640686.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2784 -
\??\c:\bnhnnn.exec:\bnhnnn.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2712 -
\??\c:\lfrfrrx.exec:\lfrfrrx.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2876 -
\??\c:\nhntnb.exec:\nhntnb.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2544 -
\??\c:\2600842.exec:\2600842.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2016 -
\??\c:\rllrffl.exec:\rllrffl.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1692 -
\??\c:\64224.exec:\64224.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:816 -
\??\c:\bhbbbh.exec:\bhbbbh.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:584 -
\??\c:\tnhhbb.exec:\tnhhbb.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2648 -
\??\c:\u640624.exec:\u640624.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1952 -
\??\c:\ddvjv.exec:\ddvjv.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1044 -
\??\c:\u268624.exec:\u268624.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2336 -
\??\c:\5xlffrf.exec:\5xlffrf.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1800 -
\??\c:\w24462.exec:\w24462.exe17⤵
- Executes dropped EXE
PID:2820 -
\??\c:\3bthnb.exec:\3bthnb.exe18⤵
- Executes dropped EXE
PID:1612 -
\??\c:\bhbntb.exec:\bhbntb.exe19⤵
- Executes dropped EXE
PID:888 -
\??\c:\w04048.exec:\w04048.exe20⤵
- Executes dropped EXE
PID:2188 -
\??\c:\9vvvv.exec:\9vvvv.exe21⤵
- Executes dropped EXE
PID:2104 -
\??\c:\604284.exec:\604284.exe22⤵
- Executes dropped EXE
PID:1140 -
\??\c:\q80284.exec:\q80284.exe23⤵
- Executes dropped EXE
PID:1088 -
\??\c:\7xfrxlx.exec:\7xfrxlx.exe24⤵
- Executes dropped EXE
PID:1264 -
\??\c:\tnhnbb.exec:\tnhnbb.exe25⤵
- Executes dropped EXE
PID:1356 -
\??\c:\00882.exec:\00882.exe26⤵
- Executes dropped EXE
PID:2060 -
\??\c:\4480228.exec:\4480228.exe27⤵
- Executes dropped EXE
PID:844 -
\??\c:\djdvj.exec:\djdvj.exe28⤵
- Executes dropped EXE
PID:2208 -
\??\c:\nbhntt.exec:\nbhntt.exe29⤵
- Executes dropped EXE
PID:1740 -
\??\c:\rrlxxfr.exec:\rrlxxfr.exe30⤵
- Executes dropped EXE
PID:2908 -
\??\c:\2646802.exec:\2646802.exe31⤵
- Executes dropped EXE
PID:1756 -
\??\c:\4806446.exec:\4806446.exe32⤵
- Executes dropped EXE
PID:2408 -
\??\c:\1pjjp.exec:\1pjjp.exe33⤵
- Executes dropped EXE
PID:1608 -
\??\c:\m2402.exec:\m2402.exe34⤵
- Executes dropped EXE
PID:2756 -
\??\c:\pvpdv.exec:\pvpdv.exe35⤵
- Executes dropped EXE
PID:2704 -
\??\c:\e42802.exec:\e42802.exe36⤵
- Executes dropped EXE
PID:2772 -
\??\c:\btnbnn.exec:\btnbnn.exe37⤵
- Executes dropped EXE
PID:2824 -
\??\c:\u662408.exec:\u662408.exe38⤵
- Executes dropped EXE
PID:2652 -
\??\c:\hbttnt.exec:\hbttnt.exe39⤵
- Executes dropped EXE
PID:2712 -
\??\c:\600684.exec:\600684.exe40⤵
- Executes dropped EXE
PID:2552 -
\??\c:\660640.exec:\660640.exe41⤵
- Executes dropped EXE
PID:2672 -
\??\c:\e48484.exec:\e48484.exe42⤵
- Executes dropped EXE
PID:2996 -
\??\c:\c262068.exec:\c262068.exe43⤵
- Executes dropped EXE
PID:772 -
\??\c:\26402.exec:\26402.exe44⤵
- Executes dropped EXE
PID:476 -
\??\c:\k40802.exec:\k40802.exe45⤵
- Executes dropped EXE
PID:2852 -
\??\c:\0246226.exec:\0246226.exe46⤵
- Executes dropped EXE
PID:2992 -
\??\c:\a2068.exec:\a2068.exe47⤵
- Executes dropped EXE
PID:2172 -
\??\c:\rxlxrll.exec:\rxlxrll.exe48⤵
- Executes dropped EXE
PID:2840 -
\??\c:\9vpjp.exec:\9vpjp.exe49⤵
- Executes dropped EXE
PID:2392 -
\??\c:\8402888.exec:\8402888.exe50⤵
- Executes dropped EXE
PID:1228 -
\??\c:\1jpjp.exec:\1jpjp.exe51⤵
- Executes dropped EXE
PID:2028 -
\??\c:\fllxfxx.exec:\fllxfxx.exe52⤵
- Executes dropped EXE
PID:1320 -
\??\c:\ddvjd.exec:\ddvjd.exe53⤵
- Executes dropped EXE
PID:2760 -
\??\c:\bnhnnn.exec:\bnhnnn.exe54⤵
- Executes dropped EXE
PID:1696 -
\??\c:\dvjjd.exec:\dvjjd.exe55⤵
- Executes dropped EXE
PID:1928 -
\??\c:\66068.exec:\66068.exe56⤵
- Executes dropped EXE
PID:1772 -
\??\c:\rrlrfrf.exec:\rrlrfrf.exe57⤵
- Executes dropped EXE
PID:1988 -
\??\c:\tnhnhh.exec:\tnhnhh.exe58⤵
- Executes dropped EXE
PID:2744 -
\??\c:\c828240.exec:\c828240.exe59⤵
- Executes dropped EXE
PID:3032 -
\??\c:\6088240.exec:\6088240.exe60⤵
- Executes dropped EXE
PID:2948 -
\??\c:\3vvdd.exec:\3vvdd.exe61⤵
- Executes dropped EXE
PID:1580 -
\??\c:\480066.exec:\480066.exe62⤵
- Executes dropped EXE
PID:1352 -
\??\c:\o002664.exec:\o002664.exe63⤵
- Executes dropped EXE
PID:2400 -
\??\c:\jddpv.exec:\jddpv.exe64⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:836 -
\??\c:\ppjpj.exec:\ppjpj.exe65⤵
- Executes dropped EXE
PID:2520 -
\??\c:\2022222.exec:\2022222.exe66⤵PID:1440
-
\??\c:\tnbbbb.exec:\tnbbbb.exe67⤵
- System Location Discovery: System Language Discovery
PID:2516 -
\??\c:\i662400.exec:\i662400.exe68⤵PID:2636
-
\??\c:\bttbth.exec:\bttbth.exe69⤵PID:2208
-
\??\c:\1frllrx.exec:\1frllrx.exe70⤵PID:2896
-
\??\c:\04680.exec:\04680.exe71⤵PID:2376
-
\??\c:\ffxllxx.exec:\ffxllxx.exe72⤵PID:1748
-
\??\c:\w20028.exec:\w20028.exe73⤵PID:1756
-
\??\c:\424068.exec:\424068.exe74⤵PID:3064
-
\??\c:\24860.exec:\24860.exe75⤵PID:2656
-
\??\c:\7rxxrrr.exec:\7rxxrrr.exe76⤵PID:2796
-
\??\c:\jvpdj.exec:\jvpdj.exe77⤵
- System Location Discovery: System Language Discovery
PID:2676 -
\??\c:\thbtbb.exec:\thbtbb.exe78⤵PID:2668
-
\??\c:\48624.exec:\48624.exe79⤵PID:2576
-
\??\c:\ddvjp.exec:\ddvjp.exe80⤵PID:1824
-
\??\c:\000860.exec:\000860.exe81⤵PID:2564
-
\??\c:\604024.exec:\604024.exe82⤵PID:2616
-
\??\c:\8264808.exec:\8264808.exe83⤵PID:2600
-
\??\c:\7xlxxrr.exec:\7xlxxrr.exe84⤵PID:2976
-
\??\c:\8868686.exec:\8868686.exe85⤵PID:320
-
\??\c:\jpvvv.exec:\jpvvv.exe86⤵PID:1316
-
\??\c:\1frxfll.exec:\1frxfll.exe87⤵PID:2856
-
\??\c:\c082844.exec:\c082844.exe88⤵PID:2852
-
\??\c:\vdppd.exec:\vdppd.exe89⤵PID:2092
-
\??\c:\s8246.exec:\s8246.exe90⤵PID:2536
-
\??\c:\8808286.exec:\8808286.exe91⤵PID:2280
-
\??\c:\llxllfx.exec:\llxllfx.exe92⤵PID:2392
-
\??\c:\1jpjj.exec:\1jpjj.exe93⤵PID:1228
-
\??\c:\rfffffl.exec:\rfffffl.exe94⤵PID:2028
-
\??\c:\86822.exec:\86822.exe95⤵PID:2620
-
\??\c:\nhhttb.exec:\nhhttb.exe96⤵PID:340
-
\??\c:\bthnhh.exec:\bthnhh.exe97⤵PID:1644
-
\??\c:\42286.exec:\42286.exe98⤵PID:1872
-
\??\c:\k86628.exec:\k86628.exe99⤵PID:1772
-
\??\c:\jvjjp.exec:\jvjjp.exe100⤵
- System Location Discovery: System Language Discovery
PID:1672 -
\??\c:\rfrrxfl.exec:\rfrrxfl.exe101⤵PID:1588
-
\??\c:\a8804.exec:\a8804.exe102⤵PID:1576
-
\??\c:\c600228.exec:\c600228.exe103⤵PID:2948
-
\??\c:\668060.exec:\668060.exe104⤵PID:1140
-
\??\c:\ffllfff.exec:\ffllfff.exe105⤵
- System Location Discovery: System Language Discovery
PID:1352 -
\??\c:\642228.exec:\642228.exe106⤵PID:1380
-
\??\c:\vdvvd.exec:\vdvvd.exe107⤵PID:1972
-
\??\c:\htthbh.exec:\htthbh.exe108⤵PID:2284
-
\??\c:\pjpvj.exec:\pjpvj.exe109⤵PID:1328
-
\??\c:\462882.exec:\462882.exe110⤵PID:2464
-
\??\c:\0244600.exec:\0244600.exe111⤵PID:1804
-
\??\c:\lrrllll.exec:\lrrllll.exe112⤵PID:2208
-
\??\c:\64400.exec:\64400.exe113⤵PID:2312
-
\??\c:\k84404.exec:\k84404.exe114⤵PID:892
-
\??\c:\jpjpv.exec:\jpjpv.exe115⤵PID:2268
-
\??\c:\02068.exec:\02068.exe116⤵PID:2252
-
\??\c:\9pvpd.exec:\9pvpd.exe117⤵PID:1712
-
\??\c:\26840.exec:\26840.exe118⤵PID:2748
-
\??\c:\c428020.exec:\c428020.exe119⤵PID:2684
-
\??\c:\9thtbn.exec:\9thtbn.exe120⤵PID:2764
-
\??\c:\flfllrr.exec:\flfllrr.exe121⤵PID:2780
-
\??\c:\0882266.exec:\0882266.exe122⤵PID:2720