Analysis
-
max time kernel
121s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
11/01/2025, 06:50
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
50653f3058ff70cfa695dbcb0370357795ed3e2d3eae1f03e831e4150d6614c8.exe
Resource
win7-20240903-en
7 signatures
120 seconds
General
-
Target
50653f3058ff70cfa695dbcb0370357795ed3e2d3eae1f03e831e4150d6614c8.exe
-
Size
454KB
-
MD5
93fe093020186154dac55862e030f0f2
-
SHA1
a148ffbb2308f15e20d4cceff5030a0a63841c5d
-
SHA256
50653f3058ff70cfa695dbcb0370357795ed3e2d3eae1f03e831e4150d6614c8
-
SHA512
fa6b0e5939d5212d748c883fe72c6cf88869130f24161192450ed18267c1ee0760a5fcfaf378331fbd3823b46c793448d45167bd14470e595a6e6e7490ff68e0
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeR:q7Tc2NYHUrAwfMp3CDR
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 37 IoCs
resource yara_rule behavioral1/memory/2488-2-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2616-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2880-16-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2680-38-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2160-28-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2992-90-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1164-125-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/396-159-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2272-178-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3016-211-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1636-220-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2168-237-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2292-265-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2204-282-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2692-312-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2280-255-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2448-246-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/676-186-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2128-168-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1816-150-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2720-116-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/3000-99-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2532-81-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2804-64-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2700-72-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2900-46-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1560-362-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1560-361-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1448-396-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1872-526-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1112-725-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2244-769-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2308-794-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2400-797-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/1760-845-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2080-975-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1620-1267-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2880 vjvpj.exe 2616 lrrfrlf.exe 2160 hnbtnb.exe 2680 5dddp.exe 2900 lrxxxrl.exe 1920 rxfrlff.exe 2804 tbtnnt.exe 2700 pvvvv.exe 2532 jjpjd.exe 2992 xxxlfrl.exe 3000 9tbnth.exe 1560 5nnhhn.exe 2720 pdpvp.exe 1164 1lxlxlf.exe 1852 fxllrxf.exe 1928 nbbhnb.exe 1816 7tthth.exe 396 pvjjj.exe 2128 fllllfl.exe 2272 fffxxlf.exe 676 bbhtnb.exe 2148 pdjvj.exe 1632 llrlfrl.exe 3016 rrlrlfr.exe 1636 7bnhnb.exe 944 dvpvd.exe 2168 ffrllll.exe 2448 nhtnhn.exe 2280 jvpjj.exe 2292 9fxxflx.exe 1256 hhhthh.exe 2204 tthnhb.exe 1972 9dvdv.exe 2628 frflffr.exe 2744 5rflfxr.exe 2060 tnthhn.exe 2692 ddpvp.exe 2828 lrlrlxr.exe 2236 lxrlrrf.exe 2580 bnnnbb.exe 2560 pvdvp.exe 2988 rflffrr.exe 1544 nhbhnb.exe 1560 bbnnbh.exe 1676 5vdjd.exe 2536 rlxlxxx.exe 2852 5htbnb.exe 2268 dvppv.exe 1448 xxllffr.exe 2776 9nthbn.exe 1784 pjvjj.exe 1740 lfrlrlr.exe 1820 xffrlll.exe 2108 pvpdj.exe 676 rlfrxfr.exe 1240 hhbbnh.exe 1672 pddpd.exe 448 tnnnbn.exe 3008 7pdjp.exe 2912 xflxrfx.exe 2380 nhtnbt.exe 1548 ddvjd.exe 1536 llrxlrl.exe 2012 7hnbhb.exe -
resource yara_rule behavioral1/memory/2488-2-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2616-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2880-16-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2680-38-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2160-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2992-90-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1164-125-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/396-159-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2272-178-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3016-211-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1636-220-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2168-237-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2292-265-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2204-282-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2692-312-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2280-255-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2448-246-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/676-186-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2128-168-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1816-150-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2720-116-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3000-99-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2532-81-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2804-64-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2700-72-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2900-46-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2852-375-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1448-389-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1448-396-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2776-397-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3008-453-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1872-526-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2648-570-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1712-644-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1520-651-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2520-712-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1112-725-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1088-732-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2244-769-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2308-794-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1996-814-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1760-845-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2948-956-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2080-975-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1760-1116-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1164-1172-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1620-1264-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2184-1303-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2736-1335-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2692-1348-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3vpdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpvvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tthnhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1jpdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrxfllx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbtnbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddvjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process 
not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjjpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpvpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xfxlflx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7ttnbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1bntnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7bhbnb.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2488 wrote to memory of 2880 2488 50653f3058ff70cfa695dbcb0370357795ed3e2d3eae1f03e831e4150d6614c8.exe 31 PID 2488 wrote to memory of 2880 2488 50653f3058ff70cfa695dbcb0370357795ed3e2d3eae1f03e831e4150d6614c8.exe 31 PID 2488 wrote to memory of 2880 2488 50653f3058ff70cfa695dbcb0370357795ed3e2d3eae1f03e831e4150d6614c8.exe 31 PID 2488 wrote to memory of 2880 2488 50653f3058ff70cfa695dbcb0370357795ed3e2d3eae1f03e831e4150d6614c8.exe 31 PID 2880 wrote to memory of 2616 2880 vjvpj.exe 32 PID 2880 wrote to memory of 2616 2880 vjvpj.exe 32 PID 2880 wrote to memory of 2616 2880 vjvpj.exe 32 PID 2880 wrote to memory of 2616 2880 vjvpj.exe 32 PID 2616 wrote to memory of 2160 2616 lrrfrlf.exe 33 PID 2616 wrote to memory of 2160 2616 lrrfrlf.exe 33 PID 2616 wrote to memory of 2160 2616 lrrfrlf.exe 33 PID 2616 wrote to memory of 2160 2616 lrrfrlf.exe 33 PID 2160 wrote to memory of 2680 2160 hnbtnb.exe 34 PID 2160 wrote to memory of 2680 2160 hnbtnb.exe 34 PID 2160 wrote to memory of 2680 2160 hnbtnb.exe 34 PID 2160 wrote to memory of 2680 2160 hnbtnb.exe 34 PID 2680 wrote to memory of 2900 2680 5dddp.exe 35 PID 2680 wrote to memory of 2900 2680 5dddp.exe 35 PID 2680 wrote to memory of 2900 2680 5dddp.exe 35 PID 2680 wrote to memory of 2900 2680 5dddp.exe 35 PID 2900 wrote to memory of 1920 2900 lrxxxrl.exe 36 PID 2900 wrote to memory of 1920 2900 lrxxxrl.exe 36 PID 2900 wrote to memory of 1920 2900 lrxxxrl.exe 36 PID 2900 wrote to memory of 1920 2900 lrxxxrl.exe 36 PID 1920 wrote to memory of 2804 1920 rxfrlff.exe 37 PID 1920 wrote to memory of 2804 1920 rxfrlff.exe 37 PID 1920 wrote to memory of 2804 1920 rxfrlff.exe 37 PID 1920 wrote to memory of 2804 1920 rxfrlff.exe 37 PID 2804 wrote to memory of 2700 2804 tbtnnt.exe 38 PID 2804 wrote to memory of 2700 2804 tbtnnt.exe 38 PID 2804 wrote to memory of 2700 2804 tbtnnt.exe 38 PID 2804 wrote to memory of 2700 2804 tbtnnt.exe 38 PID 2700 wrote to memory of 2532 2700 pvvvv.exe 39 PID 2700 
wrote to memory of 2532 2700 pvvvv.exe 39 PID 2700 wrote to memory of 2532 2700 pvvvv.exe 39 PID 2700 wrote to memory of 2532 2700 pvvvv.exe 39 PID 2532 wrote to memory of 2992 2532 jjpjd.exe 40 PID 2532 wrote to memory of 2992 2532 jjpjd.exe 40 PID 2532 wrote to memory of 2992 2532 jjpjd.exe 40 PID 2532 wrote to memory of 2992 2532 jjpjd.exe 40 PID 2992 wrote to memory of 3000 2992 xxxlfrl.exe 41 PID 2992 wrote to memory of 3000 2992 xxxlfrl.exe 41 PID 2992 wrote to memory of 3000 2992 xxxlfrl.exe 41 PID 2992 wrote to memory of 3000 2992 xxxlfrl.exe 41 PID 3000 wrote to memory of 1560 3000 9tbnth.exe 42 PID 3000 wrote to memory of 1560 3000 9tbnth.exe 42 PID 3000 wrote to memory of 1560 3000 9tbnth.exe 42 PID 3000 wrote to memory of 1560 3000 9tbnth.exe 42 PID 1560 wrote to memory of 2720 1560 5nnhhn.exe 43 PID 1560 wrote to memory of 2720 1560 5nnhhn.exe 43 PID 1560 wrote to memory of 2720 1560 5nnhhn.exe 43 PID 1560 wrote to memory of 2720 1560 5nnhhn.exe 43 PID 2720 wrote to memory of 1164 2720 pdpvp.exe 44 PID 2720 wrote to memory of 1164 2720 pdpvp.exe 44 PID 2720 wrote to memory of 1164 2720 pdpvp.exe 44 PID 2720 wrote to memory of 1164 2720 pdpvp.exe 44 PID 1164 wrote to memory of 1852 1164 1lxlxlf.exe 45 PID 1164 wrote to memory of 1852 1164 1lxlxlf.exe 45 PID 1164 wrote to memory of 1852 1164 1lxlxlf.exe 45 PID 1164 wrote to memory of 1852 1164 1lxlxlf.exe 45 PID 1852 wrote to memory of 1928 1852 fxllrxf.exe 46 PID 1852 wrote to memory of 1928 1852 fxllrxf.exe 46 PID 1852 wrote to memory of 1928 1852 fxllrxf.exe 46 PID 1852 wrote to memory of 1928 1852 fxllrxf.exe 46
Processes
-
C:\Users\Admin\AppData\Local\Temp\50653f3058ff70cfa695dbcb0370357795ed3e2d3eae1f03e831e4150d6614c8.exe"C:\Users\Admin\AppData\Local\Temp\50653f3058ff70cfa695dbcb0370357795ed3e2d3eae1f03e831e4150d6614c8.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2488 -
\??\c:\vjvpj.exec:\vjvpj.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2880 -
\??\c:\lrrfrlf.exec:\lrrfrlf.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2616 -
\??\c:\hnbtnb.exec:\hnbtnb.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2160 -
\??\c:\5dddp.exec:\5dddp.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2680 -
\??\c:\lrxxxrl.exec:\lrxxxrl.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2900 -
\??\c:\rxfrlff.exec:\rxfrlff.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1920 -
\??\c:\tbtnnt.exec:\tbtnnt.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2804 -
\??\c:\pvvvv.exec:\pvvvv.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2700 -
\??\c:\jjpjd.exec:\jjpjd.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2532 -
\??\c:\xxxlfrl.exec:\xxxlfrl.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2992 -
\??\c:\9tbnth.exec:\9tbnth.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3000 -
\??\c:\5nnhhn.exec:\5nnhhn.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1560 -
\??\c:\pdpvp.exec:\pdpvp.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2720 -
\??\c:\1lxlxlf.exec:\1lxlxlf.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1164 -
\??\c:\fxllrxf.exec:\fxllrxf.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1852 -
\??\c:\nbbhnb.exec:\nbbhnb.exe17⤵
- Executes dropped EXE
PID:1928 -
\??\c:\7tthth.exec:\7tthth.exe18⤵
- Executes dropped EXE
PID:1816 -
\??\c:\pvjjj.exec:\pvjjj.exe19⤵
- Executes dropped EXE
PID:396 -
\??\c:\fllllfl.exec:\fllllfl.exe20⤵
- Executes dropped EXE
PID:2128 -
\??\c:\fffxxlf.exec:\fffxxlf.exe21⤵
- Executes dropped EXE
PID:2272 -
\??\c:\bbhtnb.exec:\bbhtnb.exe22⤵
- Executes dropped EXE
PID:676 -
\??\c:\pdjvj.exec:\pdjvj.exe23⤵
- Executes dropped EXE
PID:2148 -
\??\c:\llrlfrl.exec:\llrlfrl.exe24⤵
- Executes dropped EXE
PID:1632 -
\??\c:\rrlrlfr.exec:\rrlrlfr.exe25⤵
- Executes dropped EXE
PID:3016 -
\??\c:\7bnhnb.exec:\7bnhnb.exe26⤵
- Executes dropped EXE
PID:1636 -
\??\c:\dvpvd.exec:\dvpvd.exe27⤵
- Executes dropped EXE
PID:944 -
\??\c:\ffrllll.exec:\ffrllll.exe28⤵
- Executes dropped EXE
PID:2168 -
\??\c:\nhtnhn.exec:\nhtnhn.exe29⤵
- Executes dropped EXE
PID:2448 -
\??\c:\jvpjj.exec:\jvpjj.exe30⤵
- Executes dropped EXE
PID:2280 -
\??\c:\9fxxflx.exec:\9fxxflx.exe31⤵
- Executes dropped EXE
PID:2292 -
\??\c:\hhhthh.exec:\hhhthh.exe32⤵
- Executes dropped EXE
PID:1256 -
\??\c:\tthnhb.exec:\tthnhb.exe33⤵
- Executes dropped EXE
PID:2204 -
\??\c:\9dvdv.exec:\9dvdv.exe34⤵
- Executes dropped EXE
PID:1972 -
\??\c:\frflffr.exec:\frflffr.exe35⤵
- Executes dropped EXE
PID:2628 -
\??\c:\5rflfxr.exec:\5rflfxr.exe36⤵
- Executes dropped EXE
PID:2744 -
\??\c:\tnthhn.exec:\tnthhn.exe37⤵
- Executes dropped EXE
PID:2060 -
\??\c:\ddpvp.exec:\ddpvp.exe38⤵
- Executes dropped EXE
PID:2692 -
\??\c:\lrlrlxr.exec:\lrlrlxr.exe39⤵
- Executes dropped EXE
PID:2828 -
\??\c:\lxrlrrf.exec:\lxrlrrf.exe40⤵
- Executes dropped EXE
PID:2236 -
\??\c:\bnnnbb.exec:\bnnnbb.exe41⤵
- Executes dropped EXE
PID:2580 -
\??\c:\pvdvp.exec:\pvdvp.exe42⤵
- Executes dropped EXE
PID:2560 -
\??\c:\rflffrr.exec:\rflffrr.exe43⤵
- Executes dropped EXE
PID:2988 -
\??\c:\nhbhnb.exec:\nhbhnb.exe44⤵
- Executes dropped EXE
PID:1544 -
\??\c:\bbnnbh.exec:\bbnnbh.exe45⤵
- Executes dropped EXE
PID:1560 -
\??\c:\5vdjd.exec:\5vdjd.exe46⤵
- Executes dropped EXE
PID:1676 -
\??\c:\rlxlxxx.exec:\rlxlxxx.exe47⤵
- Executes dropped EXE
PID:2536 -
\??\c:\5htbnb.exec:\5htbnb.exe48⤵
- Executes dropped EXE
PID:2852 -
\??\c:\dvppv.exec:\dvppv.exe49⤵
- Executes dropped EXE
PID:2268 -
\??\c:\xxllffr.exec:\xxllffr.exe50⤵
- Executes dropped EXE
PID:1448 -
\??\c:\9nthbn.exec:\9nthbn.exe51⤵
- Executes dropped EXE
PID:2776 -
\??\c:\pjvjj.exec:\pjvjj.exe52⤵
- Executes dropped EXE
PID:1784 -
\??\c:\lfrlrlr.exec:\lfrlrlr.exe53⤵
- Executes dropped EXE
PID:1740 -
\??\c:\xffrlll.exec:\xffrlll.exe54⤵
- Executes dropped EXE
PID:1820 -
\??\c:\pvpdj.exec:\pvpdj.exe55⤵
- Executes dropped EXE
PID:2108 -
\??\c:\rlfrxfr.exec:\rlfrxfr.exe56⤵
- Executes dropped EXE
PID:676 -
\??\c:\hhbbnh.exec:\hhbbnh.exe57⤵
- Executes dropped EXE
PID:1240 -
\??\c:\pddpd.exec:\pddpd.exe58⤵
- Executes dropped EXE
PID:1672 -
\??\c:\tnnnbn.exec:\tnnnbn.exe59⤵
- Executes dropped EXE
PID:448 -
\??\c:\7pdjp.exec:\7pdjp.exe60⤵
- Executes dropped EXE
PID:3008 -
\??\c:\xflxrfx.exec:\xflxrfx.exe61⤵
- Executes dropped EXE
PID:2912 -
\??\c:\nhtnbt.exec:\nhtnbt.exe62⤵
- Executes dropped EXE
PID:2380 -
\??\c:\ddvjd.exec:\ddvjd.exe63⤵
- Executes dropped EXE
PID:1548 -
\??\c:\llrxlrl.exec:\llrxlrl.exe64⤵
- Executes dropped EXE
PID:1536 -
\??\c:\7hnbhb.exec:\7hnbhb.exe65⤵
- Executes dropped EXE
PID:2012 -
\??\c:\ddjjp.exec:\ddjjp.exe66⤵PID:1780
-
\??\c:\xffrflf.exec:\xffrflf.exe67⤵PID:1012
-
\??\c:\hhnbtn.exec:\hhnbtn.exe68⤵PID:2844
-
\??\c:\hbbhtb.exec:\hbbhtb.exe69⤵PID:820
-
\??\c:\jddvv.exec:\jddvv.exe70⤵PID:408
-
\??\c:\lllxxlx.exec:\lllxxlx.exe71⤵PID:1872
-
\??\c:\hntnbb.exec:\hntnbb.exe72⤵PID:1400
-
\??\c:\pvvjv.exec:\pvvjv.exe73⤵PID:2740
-
\??\c:\jppdp.exec:\jppdp.exe74⤵PID:1364
-
\??\c:\3xxxfrf.exec:\3xxxfrf.exe75⤵PID:2156
-
\??\c:\thnbth.exec:\thnbth.exe76⤵PID:3044
-
\??\c:\3jdvj.exec:\3jdvj.exe77⤵PID:1384
-
\??\c:\djjdp.exec:\djjdp.exe78⤵PID:2824
-
\??\c:\xxxfxfx.exec:\xxxfxfx.exe79⤵PID:2648
-
\??\c:\tbbhbn.exec:\tbbhbn.exe80⤵PID:2532
-
\??\c:\jjjvv.exec:\jjjvv.exe81⤵PID:2704
-
\??\c:\vvvjd.exec:\vvvjd.exe82⤵PID:2552
-
\??\c:\lxxlfrl.exec:\lxxlfrl.exe83⤵PID:2620
-
\??\c:\1bntnb.exec:\1bntnb.exe84⤵
- System Location Discovery: System Language Discovery
PID:2588 -
\??\c:\vjjvd.exec:\vjjvd.exe85⤵PID:568
-
\??\c:\ppjjd.exec:\ppjjd.exe86⤵PID:2792
-
\??\c:\1rlrlxr.exec:\1rlrlxr.exe87⤵PID:1280
-
\??\c:\nhbbnb.exec:\nhbbnb.exe88⤵PID:1596
-
\??\c:\tnbbnb.exec:\tnbbnb.exe89⤵PID:2856
-
\??\c:\9dddv.exec:\9dddv.exe90⤵PID:1164
-
\??\c:\llllxll.exec:\llllxll.exe91⤵PID:1712
-
\??\c:\hbbhtb.exec:\hbbhtb.exe92⤵PID:1520
-
\??\c:\ddjpv.exec:\ddjpv.exe93⤵PID:1948
-
\??\c:\ppvjp.exec:\ppvjp.exe94⤵PID:768
-
\??\c:\xlxfrfl.exec:\xlxfrfl.exe95⤵PID:804
-
\??\c:\hhhbnh.exec:\hhhbnh.exe96⤵PID:3012
-
\??\c:\vvvpd.exec:\vvvpd.exe97⤵PID:2948
-
\??\c:\1ppvj.exec:\1ppvj.exe98⤵PID:2180
-
\??\c:\5lfrflx.exec:\5lfrflx.exe99⤵PID:2612
-
\??\c:\5nnbht.exec:\5nnbht.exe100⤵PID:2508
-
\??\c:\jpjvd.exec:\jpjvd.exe101⤵PID:2760
-
\??\c:\ppjvp.exec:\ppjvp.exe102⤵PID:2520
-
\??\c:\1hbhth.exec:\1hbhth.exe103⤵PID:1112
-
\??\c:\pvvjd.exec:\pvvjd.exe104⤵PID:3008
-
\??\c:\djpjp.exec:\djpjp.exe105⤵PID:1088
-
\??\c:\xlxrxxf.exec:\xlxrxxf.exe106⤵PID:2448
-
\??\c:\9hnhnh.exec:\9hnhnh.exe107⤵PID:2200
-
\??\c:\pppjj.exec:\pppjj.exe108⤵PID:2280
-
\??\c:\lllxlrf.exec:\lllxlrf.exe109⤵PID:2104
-
\??\c:\xrfflll.exec:\xrfflll.exe110⤵PID:1608
-
\??\c:\hbbhbt.exec:\hbbhbt.exe111⤵PID:2244
-
\??\c:\pjjpp.exec:\pjjpp.exe112⤵PID:2484
-
\??\c:\lxfxfff.exec:\lxfxfff.exe113⤵PID:820
-
\??\c:\9lflrxl.exec:\9lflrxl.exe114⤵PID:2308
-
\??\c:\ttthtb.exec:\ttthtb.exe115⤵PID:2400
-
\??\c:\ppvvp.exec:\ppvvp.exe116⤵PID:2748
-
\??\c:\5xfxrff.exec:\5xfxrff.exe117⤵PID:2900
-
\??\c:\tnbttn.exec:\tnbttn.exe118⤵PID:1996
-
\??\c:\5dpdd.exec:\5dpdd.exe119⤵PID:2688
-
\??\c:\1ddvj.exec:\1ddvj.exe120⤵PID:1076
-
\??\c:\flflrfr.exec:\flflrfr.exe121⤵PID:2640
-
\??\c:\ntnbtn.exec:\ntnbtn.exe122⤵PID:924