Analysis

max time kernel: 120s
max time network: 120s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 24-11-2024 13:50

Static task: static1 (1 signatures)
Behavioral task: behavioral1
  Sample: 4064d1cf818cadb151d68cbd66b2dab2c607dd922a5822840e0df0821cf0289cN.exe
  Resource: win7-20240903-en
  7 signatures, 120 seconds

General

Target: 4064d1cf818cadb151d68cbd66b2dab2c607dd922a5822840e0df0821cf0289cN.exe
Size: 455KB
MD5: 40c4b7e83f5fbe81d82a353ae43ab140
SHA1: 0c33d189a37c5e93e13bcd837da78e44a1cc60c4
SHA256: 4064d1cf818cadb151d68cbd66b2dab2c607dd922a5822840e0df0821cf0289c
SHA512: 5f78b180f5f95db3d127c4f8bdfbb1da52108758e5d133935a673924c357d0a1fd2f183c9c84698fb9f261f52413497fca4036495cb66d3c27134c526ea27359
SSDEEP: 6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe2:q7Tc2NYHUrAwfMp3CD2
Malware Config
Signatures

Blackmoon family

Detect Blackmoon payload (44 IoCs)
Executes dropped EXE (64 IoCs)
System Location Discovery: System Language Discovery (1 TTPs, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Suspicious use of WriteProcessMemory (64 IoCs)
Processes

Process tree, one process per line: depth. image path | command line | PID | signatures

1. C:\Users\Admin\AppData\Local\Temp\4064d1cf818cadb151d68cbd66b2dab2c607dd922a5822840e0df0821cf0289cN.exe | "C:\Users\Admin\AppData\Local\Temp\4064d1cf818cadb151d68cbd66b2dab2c607dd922a5822840e0df0821cf0289cN.exe" | PID 1984 | Suspicious use of WriteProcessMemory
2. \??\c:\lfrxxfx.exe | c:\lfrxxfx.exe | PID 2976 | Executes dropped EXE; Suspicious use of WriteProcessMemory
3. \??\c:\lllxrff.exe | c:\lllxrff.exe | PID 2356 | Executes dropped EXE; Suspicious use of WriteProcessMemory
4. \??\c:\w82240.exe | c:\w82240.exe | PID 2204 | Executes dropped EXE; Suspicious use of WriteProcessMemory
5. \??\c:\04804.exe | c:\04804.exe | PID 2724 | Executes dropped EXE; Suspicious use of WriteProcessMemory
6. \??\c:\8206446.exe | c:\8206446.exe | PID 2864 | Executes dropped EXE; Suspicious use of WriteProcessMemory
7. \??\c:\lfxxflr.exe | c:\lfxxflr.exe | PID 2848 | Executes dropped EXE; Suspicious use of WriteProcessMemory
8. \??\c:\5thtnh.exe | c:\5thtnh.exe | PID 2908 | Executes dropped EXE; Suspicious use of WriteProcessMemory
9. \??\c:\g4808.exe | c:\g4808.exe | PID 2640 | Executes dropped EXE; Suspicious use of WriteProcessMemory
10. \??\c:\xxxfrxl.exe | c:\xxxfrxl.exe | PID 2628 | Executes dropped EXE; Suspicious use of WriteProcessMemory
11. \??\c:\hthnht.exe | c:\hthnht.exe | PID 2132 | Executes dropped EXE; Suspicious use of WriteProcessMemory
12. \??\c:\26064.exe | c:\26064.exe | PID 592 | Executes dropped EXE; Suspicious use of WriteProcessMemory
13. \??\c:\82084.exe | c:\82084.exe | PID 1480 | Executes dropped EXE; Suspicious use of WriteProcessMemory
14. \??\c:\202626.exe | c:\202626.exe | PID 1860 | Executes dropped EXE; Suspicious use of WriteProcessMemory
15. \??\c:\82444.exe | c:\82444.exe | PID 1388 | Executes dropped EXE; Suspicious use of WriteProcessMemory
16. \??\c:\4828062.exe | c:\4828062.exe | PID 2772 | Executes dropped EXE; Suspicious use of WriteProcessMemory
17. \??\c:\864668.exe | c:\864668.exe | PID 1060 | Executes dropped EXE
18. \??\c:\822462.exe | c:\822462.exe | PID 2276 | Executes dropped EXE
19. \??\c:\608288.exe | c:\608288.exe | PID 476 | Executes dropped EXE
20. \??\c:\a2206.exe | c:\a2206.exe | PID 2960 | Executes dropped EXE
21. \??\c:\60024.exe | c:\60024.exe | PID 1720 | Executes dropped EXE
22. \??\c:\1nthnt.exe | c:\1nthnt.exe | PID 2556 | Executes dropped EXE
23. \??\c:\nhbntb.exe | c:\nhbntb.exe | PID 2252 | Executes dropped EXE
24. \??\c:\2208224.exe | c:\2208224.exe | PID 604 | Executes dropped EXE
25. \??\c:\xxrrflf.exe | c:\xxrrflf.exe | PID 1616 | Executes dropped EXE
26. \??\c:\hbnthn.exe | c:\hbnthn.exe | PID 2956 | Executes dropped EXE
27. \??\c:\xlxxllx.exe | c:\xlxxllx.exe | PID 1760 | Executes dropped EXE
28. \??\c:\20002.exe | c:\20002.exe | PID 1576 | Executes dropped EXE
29. \??\c:\dvpdj.exe | c:\dvpdj.exe | PID 2296 | Executes dropped EXE
30. \??\c:\9bbntt.exe | c:\9bbntt.exe | PID 1796 | Executes dropped EXE
31. \??\c:\vjvdj.exe | c:\vjvdj.exe | PID 2508 | Executes dropped EXE
32. \??\c:\i828628.exe | c:\i828628.exe | PID 1556 | Executes dropped EXE
33. \??\c:\202866.exe | c:\202866.exe | PID 876 | Executes dropped EXE
34. \??\c:\htthhh.exe | c:\htthhh.exe | PID 2432 | Executes dropped EXE
35. \??\c:\pvpvd.exe | c:\pvpvd.exe | PID 2500 | Executes dropped EXE
36. \??\c:\pjvvj.exe | c:\pjvvj.exe | PID 1932 | Executes dropped EXE
37. \??\c:\dvpvj.exe | c:\dvpvj.exe | PID 2136 | Executes dropped EXE
38. \??\c:\m4280.exe | c:\m4280.exe | PID 2744 | Executes dropped EXE
39. \??\c:\jjdjp.exe | c:\jjdjp.exe | PID 2808 | Executes dropped EXE
40. \??\c:\hhhhbn.exe | c:\hhhhbn.exe | PID 1676 | Executes dropped EXE
41. \??\c:\rrfflrf.exe | c:\rrfflrf.exe | PID 2944 | Executes dropped EXE
42. \??\c:\008684.exe | c:\008684.exe | PID 2332 | Executes dropped EXE
43. \??\c:\pjdjv.exe | c:\pjdjv.exe | PID 2940 | Executes dropped EXE
44. \??\c:\8660224.exe | c:\8660224.exe | PID 2760 | Executes dropped EXE
45. \??\c:\frlrflf.exe | c:\frlrflf.exe | PID 2856 | Executes dropped EXE
46. \??\c:\04824.exe | c:\04824.exe | PID 2672 | Executes dropped EXE
47. \??\c:\48680.exe | c:\48680.exe | PID 2824 | Executes dropped EXE
48. \??\c:\64824.exe | c:\64824.exe | PID 1844 | Executes dropped EXE
49. \??\c:\pjjvj.exe | c:\pjjvj.exe | PID 1652 | Executes dropped EXE
50. \??\c:\nhhtbb.exe | c:\nhhtbb.exe | PID 1920 | Executes dropped EXE
51. \??\c:\flrxrxl.exe | c:\flrxrxl.exe | PID 1648 | Executes dropped EXE; System Location Discovery: System Language Discovery
52. \??\c:\e60688.exe | c:\e60688.exe | PID 828 | Executes dropped EXE
53. \??\c:\nnhthn.exe | c:\nnhthn.exe | PID 2912 | Executes dropped EXE
54. \??\c:\rlfrlrx.exe | c:\rlfrlrx.exe | PID 2024 | Executes dropped EXE
55. \??\c:\jpjjj.exe | c:\jpjjj.exe | PID 1512 | Executes dropped EXE
56. \??\c:\4200228.exe | c:\4200228.exe | PID 2084 | Executes dropped EXE
57. \??\c:\pjvvd.exe | c:\pjvvd.exe | PID 1112 | Executes dropped EXE
58. \??\c:\xxrlrxf.exe | c:\xxrlrxf.exe | PID 476 | Executes dropped EXE
59. \??\c:\u080624.exe | c:\u080624.exe | PID 2052 | Executes dropped EXE
60. \??\c:\nhnhnt.exe | c:\nhnhnt.exe | PID 1608 | Executes dropped EXE
61. \??\c:\4824628.exe | c:\4824628.exe | PID 880 | Executes dropped EXE
62. \??\c:\26068.exe | c:\26068.exe | PID 2580 | Executes dropped EXE
63. \??\c:\q44206.exe | c:\q44206.exe | PID 1684 | Executes dropped EXE
64. \??\c:\fxxflrl.exe | c:\fxxflrl.exe | PID 604 | Executes dropped EXE
65. \??\c:\1pjjj.exe | c:\1pjjj.exe | PID 760 | Executes dropped EXE
66. \??\c:\lffffrx.exe | c:\lffffrx.exe | PID 2956
67. \??\c:\82064.exe | c:\82064.exe | PID 1760
68. \??\c:\ffxfrxr.exe | c:\ffxfrxr.exe | PID 896
69. \??\c:\4826446.exe | c:\4826446.exe | PID 1196
70. \??\c:\fxrrfrf.exe | c:\fxrrfrf.exe | PID 2152
71. \??\c:\0462402.exe | c:\0462402.exe | PID 2096
72. \??\c:\608468.exe | c:\608468.exe | PID 2016
73. \??\c:\ppjjv.exe | c:\ppjjv.exe | PID 1944
74. \??\c:\w66802.exe | c:\w66802.exe | PID 872
75. \??\c:\i206282.exe | c:\i206282.exe | PID 2884
76. \??\c:\82062.exe | c:\82062.exe | PID 1984
77. \??\c:\bbntbh.exe | c:\bbntbh.exe | PID 2524
78. \??\c:\k60868.exe | c:\k60868.exe | PID 2356
79. \??\c:\ppdpv.exe | c:\ppdpv.exe | PID 2928
80. \??\c:\2646286.exe | c:\2646286.exe | PID 1192
81. \??\c:\ffxlflf.exe | c:\ffxlflf.exe | PID 2800
82. \??\c:\c428002.exe | c:\c428002.exe | PID 1680
83. \??\c:\rxflxxl.exe | c:\rxflxxl.exe | PID 556
84. \??\c:\rxlrxrf.exe | c:\rxlrxrf.exe | PID 2792
85. \??\c:\flrlfxf.exe | c:\flrlfxf.exe | PID 2712
86. \??\c:\w88022.exe | c:\w88022.exe | PID 2980
87. \??\c:\262288.exe | c:\262288.exe | PID 1260
88. \??\c:\088828.exe | c:\088828.exe | PID 2804
89. \??\c:\000226.exe | c:\000226.exe | PID 2668
90. \??\c:\0822880.exe | c:\0822880.exe | PID 2440
91. \??\c:\m0806.exe | c:\m0806.exe | PID 2856
92. \??\c:\pjdjv.exe | c:\pjdjv.exe | PID 2716
93. \??\c:\jddpj.exe | c:\jddpj.exe | PID 3020
94. \??\c:\048804.exe | c:\048804.exe | PID 988
95. \??\c:\vpdjp.exe | c:\vpdjp.exe | PID 544
96. \??\c:\dddjv.exe | c:\dddjv.exe | PID 1480
97. \??\c:\826066.exe | c:\826066.exe | PID 2076
98. \??\c:\26402.exe | c:\26402.exe | PID 3000
99. \??\c:\4484624.exe | c:\4484624.exe | PID 1620
100. \??\c:\64288.exe | c:\64288.exe | PID 1352
101. \??\c:\bbhthh.exe | c:\bbhthh.exe | PID 2256
102. \??\c:\u424620.exe | c:\u424620.exe | PID 2220
103. \??\c:\xrfrxfr.exe | c:\xrfrxfr.exe | PID 1836
104. \??\c:\20846.exe | c:\20846.exe | PID 2924
105. \??\c:\ddvvd.exe | c:\ddvvd.exe | PID 1720
106. \??\c:\dvdjp.exe | c:\dvdjp.exe | PID 2196
107. \??\c:\g0062.exe | c:\g0062.exe | PID 1752
108. \??\c:\26440.exe | c:\26440.exe | PID 576
109. \??\c:\i828402.exe | c:\i828402.exe | PID 1740
110. \??\c:\9vvdj.exe | c:\9vvdj.exe | PID 1616
111. \??\c:\hbttnt.exe | c:\hbttnt.exe | PID 1804
112. \??\c:\7rlxlrf.exe | c:\7rlxlrf.exe | PID 900
113. \??\c:\i828040.exe | c:\i828040.exe | PID 340
114. \??\c:\btnbhn.exe | c:\btnbhn.exe | PID 2232
115. \??\c:\8202686.exe | c:\8202686.exe | PID 2900
116. \??\c:\nhbhtb.exe | c:\nhbhtb.exe | PID 2512
117. \??\c:\222400.exe | c:\222400.exe | PID 2492
118. \??\c:\1jvdj.exe | c:\1jvdj.exe | PID 2212
119. \??\c:\pvpdv.exe | c:\pvpdv.exe | PID 940
120. \??\c:\4806246.exe | c:\4806246.exe | PID 872
121. \??\c:\nthbhh.exe | c:\nthbhh.exe | PID 1504
122. \??\c:\q82828.exe | c:\q82828.exe | PID 1984 | System Location Discovery: System Language Discovery