Analysis
-
max time kernel
150s -
max time network
17s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64 arch:x86 image:win7-20240729-en locale:en-us os:windows7-x64 system
submitted
27/01/2025, 20:50
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
25b2500ee3f2fbe3f33243ac1dee48d020b1a9e67c30b59fe78c46d60943126a.exe
Resource
win7-20240729-en
7 signatures
150 seconds
General
-
Target
25b2500ee3f2fbe3f33243ac1dee48d020b1a9e67c30b59fe78c46d60943126a.exe
-
Size
455KB
-
MD5
48dd9075dcc1cd32773c3a4c632b40d4
-
SHA1
520ec868cdc4b42c36972109f3833bd3ead00904
-
SHA256
25b2500ee3f2fbe3f33243ac1dee48d020b1a9e67c30b59fe78c46d60943126a
-
SHA512
dff0594b6c9a86b71e95b2785909092264302ba0ad4e39e290fd3b468e9cc34156339de00a12d20dc301978c5f10c06b0e81ee1bea1300b08b474489e9aecbc4
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbei:q7Tc2NYHUrAwfMp3CDi
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 41 IoCs
resource yara_rule behavioral1/memory/2188-0-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2760-10-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2632-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2704-34-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1676-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2852-44-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2580-59-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2184-75-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1496-84-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/812-94-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2232-103-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2112-113-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1988-123-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2856-132-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2888-135-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/840-171-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3068-180-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2364-189-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/872-209-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2312-257-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2080-283-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2996-300-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2816-307-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2672-320-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2160-329-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2700-342-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2600-356-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2784-413-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1988-421-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2628-446-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/972-459-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2296-554-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2920-574-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/2920-572-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/3064-645-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2052-653-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/316-735-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2372-944-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2168-1186-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2840-1199-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1028-1280-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2760 hnnhth.exe 2632 nbbtht.exe 2704 dpjpp.exe 2852 djjvv.exe 1676 lrxrlxx.exe 2580 tnhtnb.exe 2184 lrxlxlr.exe 1496 lrlrflx.exe 812 bbbnbh.exe 2232 5lrflxl.exe 2112 bnbhth.exe 1988 pvpvj.exe 2856 7llrfxl.exe 2888 fxrlrll.exe 264 frxlfrl.exe 2496 rxrlxlx.exe 840 7llxlxr.exe 3068 flflflf.exe 2364 1ntbtt.exe 1120 flflfrx.exe 2272 hntbnt.exe 872 rfxlxfr.exe 2416 7nnbnt.exe 2452 xfxrfrx.exe 712 1nnbnt.exe 492 lrfrxlf.exe 2312 hnnntb.exe 2928 lxrrflx.exe 1500 rfffrfx.exe 2080 1vdjp.exe 1036 9hbhbb.exe 2996 djvjp.exe 2816 fllfrfx.exe 2820 7dvjv.exe 2672 jdjpv.exe 2160 xfxlxxf.exe 2716 hhbnhb.exe 2700 lrfrfrl.exe 2524 fllrlrf.exe 2600 9btbtb.exe 2592 jppdj.exe 1528 flflxfr.exe 2708 thbnnn.exe 1716 djvjd.exe 468 7jjjd.exe 2096 lrrfrfr.exe 2180 nthtnb.exe 2324 5vpvj.exe 2784 vpvvd.exe 1988 flfxlxl.exe 2856 bntnht.exe 1888 jjddd.exe 1884 1rrllxr.exe 2628 bnttnb.exe 1604 7tthtb.exe 972 vjjvp.exe 1076 xlrxlxl.exe 2392 bnntnh.exe 1556 vdvdp.exe 1480 7rxfrfr.exe 2280 rxffxll.exe 1940 nbhbbh.exe 1404 jjjvj.exe 1952 pvpdj.exe -
resource yara_rule behavioral1/memory/2188-0-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2760-10-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2632-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2852-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2704-34-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1676-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2852-44-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2580-59-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2184-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2184-75-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1496-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/812-94-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2232-103-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1988-114-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2112-113-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2856-132-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2888-135-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/840-171-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3068-180-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2364-189-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/872-209-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2312-257-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2080-283-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2996-300-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2816-307-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2820-308-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2672-320-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2160-329-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2784-413-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2628-446-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/972-459-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2296-554-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2920-572-0x00000000003C0000-0x00000000003EA000-memory.dmp upx behavioral1/memory/2648-632-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3064-645-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2052-646-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2052-653-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2872-722-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/316-735-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2332-736-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2372-944-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2148-952-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2168-1186-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/1028-1273-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/936-1293-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llxlxlx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpdjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhbbhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpddj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djvvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxfflrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxrfxfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttbbbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrflxfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjdjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nttbbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnhtth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flflrxf.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3vvdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvvdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpppp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2188 wrote to memory of 2760 2188 25b2500ee3f2fbe3f33243ac1dee48d020b1a9e67c30b59fe78c46d60943126a.exe 30 PID 2188 wrote to memory of 2760 2188 25b2500ee3f2fbe3f33243ac1dee48d020b1a9e67c30b59fe78c46d60943126a.exe 30 PID 2188 wrote to memory of 2760 2188 25b2500ee3f2fbe3f33243ac1dee48d020b1a9e67c30b59fe78c46d60943126a.exe 30 PID 2188 wrote to memory of 2760 2188 25b2500ee3f2fbe3f33243ac1dee48d020b1a9e67c30b59fe78c46d60943126a.exe 30 PID 2760 wrote to memory of 2632 2760 hnnhth.exe 31 PID 2760 wrote to memory of 2632 2760 hnnhth.exe 31 PID 2760 wrote to memory of 2632 2760 hnnhth.exe 31 PID 2760 wrote to memory of 2632 2760 hnnhth.exe 31 PID 2632 wrote to memory of 2704 2632 nbbtht.exe 32 PID 2632 wrote to memory of 2704 2632 nbbtht.exe 32 PID 2632 wrote to memory of 2704 2632 nbbtht.exe 32 PID 2632 wrote to memory of 2704 2632 nbbtht.exe 32 PID 2704 wrote to memory of 2852 2704 dpjpp.exe 33 PID 2704 wrote to memory of 2852 2704 dpjpp.exe 33 PID 2704 wrote to memory of 2852 2704 dpjpp.exe 33 PID 2704 wrote to memory of 2852 2704 dpjpp.exe 33 PID 2852 wrote to memory of 1676 2852 djjvv.exe 34 PID 2852 wrote to memory of 1676 2852 djjvv.exe 34 PID 2852 wrote to memory of 1676 2852 djjvv.exe 34 PID 2852 wrote to memory of 1676 2852 djjvv.exe 34 PID 1676 wrote to memory of 2580 1676 lrxrlxx.exe 35 PID 1676 wrote to memory of 2580 1676 lrxrlxx.exe 35 PID 1676 wrote to memory of 2580 1676 lrxrlxx.exe 35 PID 1676 wrote to memory of 2580 1676 lrxrlxx.exe 35 PID 2580 wrote to memory of 2184 2580 tnhtnb.exe 36 PID 2580 wrote to memory of 2184 2580 tnhtnb.exe 36 PID 2580 wrote to memory of 2184 2580 tnhtnb.exe 36 PID 2580 wrote to memory of 2184 2580 tnhtnb.exe 36 PID 2184 wrote to memory of 1496 2184 lrxlxlr.exe 37 PID 2184 wrote to memory of 1496 2184 lrxlxlr.exe 37 PID 2184 wrote to memory of 1496 2184 lrxlxlr.exe 37 PID 2184 wrote to memory of 1496 2184 lrxlxlr.exe 37 PID 1496 wrote to memory of 812 1496 lrlrflx.exe 38 PID 1496 
wrote to memory of 812 1496 lrlrflx.exe 38 PID 1496 wrote to memory of 812 1496 lrlrflx.exe 38 PID 1496 wrote to memory of 812 1496 lrlrflx.exe 38 PID 812 wrote to memory of 2232 812 bbbnbh.exe 39 PID 812 wrote to memory of 2232 812 bbbnbh.exe 39 PID 812 wrote to memory of 2232 812 bbbnbh.exe 39 PID 812 wrote to memory of 2232 812 bbbnbh.exe 39 PID 2232 wrote to memory of 2112 2232 5lrflxl.exe 40 PID 2232 wrote to memory of 2112 2232 5lrflxl.exe 40 PID 2232 wrote to memory of 2112 2232 5lrflxl.exe 40 PID 2232 wrote to memory of 2112 2232 5lrflxl.exe 40 PID 2112 wrote to memory of 1988 2112 bnbhth.exe 41 PID 2112 wrote to memory of 1988 2112 bnbhth.exe 41 PID 2112 wrote to memory of 1988 2112 bnbhth.exe 41 PID 2112 wrote to memory of 1988 2112 bnbhth.exe 41 PID 1988 wrote to memory of 2856 1988 pvpvj.exe 42 PID 1988 wrote to memory of 2856 1988 pvpvj.exe 42 PID 1988 wrote to memory of 2856 1988 pvpvj.exe 42 PID 1988 wrote to memory of 2856 1988 pvpvj.exe 42 PID 2856 wrote to memory of 2888 2856 7llrfxl.exe 43 PID 2856 wrote to memory of 2888 2856 7llrfxl.exe 43 PID 2856 wrote to memory of 2888 2856 7llrfxl.exe 43 PID 2856 wrote to memory of 2888 2856 7llrfxl.exe 43 PID 2888 wrote to memory of 264 2888 fxrlrll.exe 44 PID 2888 wrote to memory of 264 2888 fxrlrll.exe 44 PID 2888 wrote to memory of 264 2888 fxrlrll.exe 44 PID 2888 wrote to memory of 264 2888 fxrlrll.exe 44 PID 264 wrote to memory of 2496 264 frxlfrl.exe 45 PID 264 wrote to memory of 2496 264 frxlfrl.exe 45 PID 264 wrote to memory of 2496 264 frxlfrl.exe 45 PID 264 wrote to memory of 2496 264 frxlfrl.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\25b2500ee3f2fbe3f33243ac1dee48d020b1a9e67c30b59fe78c46d60943126a.exe"C:\Users\Admin\AppData\Local\Temp\25b2500ee3f2fbe3f33243ac1dee48d020b1a9e67c30b59fe78c46d60943126a.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2188 -
\??\c:\hnnhth.exec:\hnnhth.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2760 -
\??\c:\nbbtht.exec:\nbbtht.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2632 -
\??\c:\dpjpp.exec:\dpjpp.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2704 -
\??\c:\djjvv.exec:\djjvv.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2852 -
\??\c:\lrxrlxx.exec:\lrxrlxx.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1676 -
\??\c:\tnhtnb.exec:\tnhtnb.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2580 -
\??\c:\lrxlxlr.exec:\lrxlxlr.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2184 -
\??\c:\lrlrflx.exec:\lrlrflx.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1496 -
\??\c:\bbbnbh.exec:\bbbnbh.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:812 -
\??\c:\5lrflxl.exec:\5lrflxl.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2232 -
\??\c:\bnbhth.exec:\bnbhth.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2112 -
\??\c:\pvpvj.exec:\pvpvj.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1988 -
\??\c:\7llrfxl.exec:\7llrfxl.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2856 -
\??\c:\fxrlrll.exec:\fxrlrll.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2888 -
\??\c:\frxlfrl.exec:\frxlfrl.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:264 -
\??\c:\rxrlxlx.exec:\rxrlxlx.exe17⤵
- Executes dropped EXE
PID:2496 -
\??\c:\7llxlxr.exec:\7llxlxr.exe18⤵
- Executes dropped EXE
PID:840 -
\??\c:\flflflf.exec:\flflflf.exe19⤵
- Executes dropped EXE
PID:3068 -
\??\c:\1ntbtt.exec:\1ntbtt.exe20⤵
- Executes dropped EXE
PID:2364 -
\??\c:\flflfrx.exec:\flflfrx.exe21⤵
- Executes dropped EXE
PID:1120 -
\??\c:\hntbnt.exec:\hntbnt.exe22⤵
- Executes dropped EXE
PID:2272 -
\??\c:\rfxlxfr.exec:\rfxlxfr.exe23⤵
- Executes dropped EXE
PID:872 -
\??\c:\7nnbnt.exec:\7nnbnt.exe24⤵
- Executes dropped EXE
PID:2416 -
\??\c:\xfxrfrx.exec:\xfxrfrx.exe25⤵
- Executes dropped EXE
PID:2452 -
\??\c:\1nnbnt.exec:\1nnbnt.exe26⤵
- Executes dropped EXE
PID:712 -
\??\c:\lrfrxlf.exec:\lrfrxlf.exe27⤵
- Executes dropped EXE
PID:492 -
\??\c:\hnnntb.exec:\hnnntb.exe28⤵
- Executes dropped EXE
PID:2312 -
\??\c:\lxrrflx.exec:\lxrrflx.exe29⤵
- Executes dropped EXE
PID:2928 -
\??\c:\rfffrfx.exec:\rfffrfx.exe30⤵
- Executes dropped EXE
PID:1500 -
\??\c:\1vdjp.exec:\1vdjp.exe31⤵
- Executes dropped EXE
PID:2080 -
\??\c:\9hbhbb.exec:\9hbhbb.exe32⤵
- Executes dropped EXE
PID:1036 -
\??\c:\djvjp.exec:\djvjp.exe33⤵
- Executes dropped EXE
PID:2996 -
\??\c:\fllfrfx.exec:\fllfrfx.exe34⤵
- Executes dropped EXE
PID:2816 -
\??\c:\7dvjv.exec:\7dvjv.exe35⤵
- Executes dropped EXE
PID:2820 -
\??\c:\jdjpv.exec:\jdjpv.exe36⤵
- Executes dropped EXE
PID:2672 -
\??\c:\xfxlxxf.exec:\xfxlxxf.exe37⤵
- Executes dropped EXE
PID:2160 -
\??\c:\hhbnhb.exec:\hhbnhb.exe38⤵
- Executes dropped EXE
PID:2716 -
\??\c:\lrfrfrl.exec:\lrfrfrl.exe39⤵
- Executes dropped EXE
PID:2700 -
\??\c:\fllrlrf.exec:\fllrlrf.exe40⤵
- Executes dropped EXE
PID:2524 -
\??\c:\9btbtb.exec:\9btbtb.exe41⤵
- Executes dropped EXE
PID:2600 -
\??\c:\jppdj.exec:\jppdj.exe42⤵
- Executes dropped EXE
PID:2592 -
\??\c:\flflxfr.exec:\flflxfr.exe43⤵
- Executes dropped EXE
PID:1528 -
\??\c:\thbnnn.exec:\thbnnn.exe44⤵
- Executes dropped EXE
PID:2708 -
\??\c:\djvjd.exec:\djvjd.exe45⤵
- Executes dropped EXE
PID:1716 -
\??\c:\7jjjd.exec:\7jjjd.exe46⤵
- Executes dropped EXE
PID:468 -
\??\c:\lrrfrfr.exec:\lrrfrfr.exe47⤵
- Executes dropped EXE
PID:2096 -
\??\c:\nthtnb.exec:\nthtnb.exe48⤵
- Executes dropped EXE
PID:2180 -
\??\c:\5vpvj.exec:\5vpvj.exe49⤵
- Executes dropped EXE
PID:2324 -
\??\c:\vpvvd.exec:\vpvvd.exe50⤵
- Executes dropped EXE
PID:2784 -
\??\c:\flfxlxl.exec:\flfxlxl.exe51⤵
- Executes dropped EXE
PID:1988 -
\??\c:\bntnht.exec:\bntnht.exe52⤵
- Executes dropped EXE
PID:2856 -
\??\c:\jjddd.exec:\jjddd.exe53⤵
- Executes dropped EXE
PID:1888 -
\??\c:\1rrllxr.exec:\1rrllxr.exe54⤵
- Executes dropped EXE
PID:1884 -
\??\c:\bnttnb.exec:\bnttnb.exe55⤵
- Executes dropped EXE
PID:2628 -
\??\c:\7tthtb.exec:\7tthtb.exe56⤵
- Executes dropped EXE
PID:1604 -
\??\c:\vjjvp.exec:\vjjvp.exe57⤵
- Executes dropped EXE
PID:972 -
\??\c:\xlrxlxl.exec:\xlrxlxl.exe58⤵
- Executes dropped EXE
PID:1076 -
\??\c:\bnntnh.exec:\bnntnh.exe59⤵
- Executes dropped EXE
PID:2392 -
\??\c:\vdvdp.exec:\vdvdp.exe60⤵
- Executes dropped EXE
PID:1556 -
\??\c:\7rxfrfr.exec:\7rxfrfr.exe61⤵
- Executes dropped EXE
PID:1480 -
\??\c:\rxffxll.exec:\rxffxll.exe62⤵
- Executes dropped EXE
PID:2280 -
\??\c:\nbhbbh.exec:\nbhbbh.exe63⤵
- Executes dropped EXE
PID:1940 -
\??\c:\jjjvj.exec:\jjjvj.exe64⤵
- Executes dropped EXE
PID:1404 -
\??\c:\pvpdj.exec:\pvpdj.exe65⤵
- Executes dropped EXE
PID:1952 -
\??\c:\lxrlxfr.exec:\lxrlxfr.exe66⤵PID:1524
-
\??\c:\hnnthb.exec:\hnnthb.exe67⤵PID:2076
-
\??\c:\1jjpv.exec:\1jjpv.exe68⤵PID:1436
-
\??\c:\pdddj.exec:\pdddj.exe69⤵PID:2476
-
\??\c:\frrxfrr.exec:\frrxfrr.exe70⤵PID:2440
-
\??\c:\bhtbth.exec:\bhtbth.exe71⤵PID:2984
-
\??\c:\vdppv.exec:\vdppv.exe72⤵PID:2928
-
\??\c:\flxfxlx.exec:\flxfxlx.exe73⤵PID:2296
-
\??\c:\rrllxlf.exec:\rrllxlf.exe74⤵PID:988
-
\??\c:\nhbhtb.exec:\nhbhtb.exe75⤵PID:2920
-
\??\c:\vvvjd.exec:\vvvjd.exe76⤵PID:2676
-
\??\c:\rrrrlrl.exec:\rrrrlrl.exe77⤵PID:2808
-
\??\c:\7ntnht.exec:\7ntnht.exe78⤵PID:1656
-
\??\c:\djvvp.exec:\djvvp.exe79⤵
- System Location Discovery: System Language Discovery
PID:1668 -
\??\c:\3ddvj.exec:\3ddvj.exe80⤵PID:2672
-
\??\c:\xxfrxfx.exec:\xxfrxfx.exe81⤵PID:2908
-
\??\c:\thbhtn.exec:\thbhtn.exe82⤵PID:2692
-
\??\c:\nhbhnn.exec:\nhbhnn.exe83⤵PID:2548
-
\??\c:\dvvjd.exec:\dvvjd.exe84⤵PID:1816
-
\??\c:\rflrfrf.exec:\rflrfrf.exe85⤵PID:2648
-
\??\c:\1nhthn.exec:\1nhthn.exe86⤵PID:3064
-
\??\c:\nnhtht.exec:\nnhtht.exe87⤵PID:2052
-
\??\c:\djdpv.exec:\djdpv.exe88⤵PID:2892
-
\??\c:\lrrxxlr.exec:\lrrxxlr.exe89⤵PID:1960
-
\??\c:\bbntbn.exec:\bbntbn.exe90⤵PID:2232
-
\??\c:\djvdj.exec:\djvdj.exe91⤵PID:1052
-
\??\c:\5vpjj.exec:\5vpjj.exe92⤵PID:2208
-
\??\c:\flflfrx.exec:\flflfrx.exe93⤵PID:2724
-
\??\c:\5htbhn.exec:\5htbhn.exe94⤵PID:2860
-
\??\c:\9nntht.exec:\9nntht.exe95⤵PID:2872
-
\??\c:\vvddj.exec:\vvddj.exe96⤵PID:1872
-
\??\c:\3xrfrxl.exec:\3xrfrxl.exe97⤵PID:2748
-
\??\c:\bnhtbh.exec:\bnhtbh.exe98⤵PID:1736
-
\??\c:\hnbntb.exec:\hnbntb.exe99⤵PID:332
-
\??\c:\7jdvd.exec:\7jdvd.exe100⤵PID:316
-
\??\c:\3fflxlx.exec:\3fflxlx.exe101⤵PID:2332
-
\??\c:\nnhhth.exec:\nnhhth.exe102⤵PID:1076
-
\??\c:\dvvjp.exec:\dvvjp.exe103⤵PID:1216
-
\??\c:\vdpjp.exec:\vdpjp.exe104⤵PID:2364
-
\??\c:\rfxrfrl.exec:\rfxrfrl.exe105⤵PID:2120
-
\??\c:\htbnth.exec:\htbnth.exe106⤵PID:2140
-
\??\c:\ntnnbn.exec:\ntnnbn.exe107⤵PID:1940
-
\??\c:\ddppv.exec:\ddppv.exe108⤵PID:1404
-
\??\c:\xfllrxl.exec:\xfllrxl.exe109⤵PID:756
-
\??\c:\5nhhtb.exec:\5nhhtb.exe110⤵PID:1524
-
\??\c:\nththb.exec:\nththb.exe111⤵PID:712
-
\??\c:\xrfrlrl.exec:\xrfrlrl.exe112⤵PID:2412
-
\??\c:\hnhtht.exec:\hnhtht.exe113⤵PID:1864
-
\??\c:\9hbtnt.exec:\9hbtnt.exe114⤵PID:2440
-
\??\c:\vpdjv.exec:\vpdjv.exe115⤵
- System Location Discovery: System Language Discovery
PID:2456 -
\??\c:\7lxxxff.exec:\7lxxxff.exe116⤵PID:2928
-
\??\c:\nhnthn.exec:\nhnthn.exe117⤵PID:2296
-
\??\c:\1tnnbn.exec:\1tnnbn.exe118⤵PID:2080
-
\??\c:\vdpdj.exec:\vdpdj.exe119⤵PID:2996
-
\??\c:\llllrrf.exec:\llllrrf.exe120⤵PID:2788
-
\??\c:\lrfrflx.exec:\lrfrflx.exe121⤵PID:1576
-
\??\c:\7ththn.exec:\7ththn.exe122⤵PID:1548