Analysis
-
max time kernel
120s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
submitted
19-12-2024 02:09
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
8306b76cb1308ef0d7b8dfa23bb18d5dc826c084549b54ea8c9879ec182f348aN.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
120 seconds
General
-
Target
8306b76cb1308ef0d7b8dfa23bb18d5dc826c084549b54ea8c9879ec182f348aN.exe
-
Size
454KB
-
MD5
3d79e772da9b32b4905bc7ac91f3f730
-
SHA1
574d87655f5f926fd39d260121afda8718ef8cdf
-
SHA256
8306b76cb1308ef0d7b8dfa23bb18d5dc826c084549b54ea8c9879ec182f348a
-
SHA512
5f0b50a1665ec1c5d7fd380163e3b8132616ea316d9ad7841a855430eed12b3f2f2e3cc7185f531cd67dd1db39e9ea79538860d9a7c72fa56532b98e5c78b63c
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeP:q7Tc2NYHUrAwfMp3CDP
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 45 IoCs
resource yara_rule behavioral1/memory/2352-9-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1260-32-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2712-68-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2200-292-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2020-537-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2020-532-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/2112-519-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1496-510-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2052-457-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2464-448-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1848-411-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/236-385-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2632-372-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2764-354-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2832-345-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2832-340-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/276-314-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/1496-301-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/2200-287-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2064-276-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2032-259-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2124-256-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2124-251-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/2252-206-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1700-174-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2364-155-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1832-140-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/236-137-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2016-122-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3012-119-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2748-104-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2384-86-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2764-83-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2764-78-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2924-64-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2720-50-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3008-46-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1800-28-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1800-23-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2544-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/680-660-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2812-685-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2356-1050-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2020-1319-0x0000000000250000-0x000000000027A000-memory.dmp family_blackmoon behavioral1/memory/2908-1332-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2544 9pdjp.exe 1800 486684.exe 1260 9xxxllx.exe 3008 5tntbh.exe 2720 4206846.exe 2924 20402.exe 2712 nththn.exe 2764 rfxffxx.exe 2384 u264624.exe 2592 1tntbn.exe 2748 rrflrrf.exe 3012 nthhbn.exe 2016 08602.exe 236 o268442.exe 1832 5lxfrxf.exe 2364 042248.exe 1116 ffxflrx.exe 1992 1lfxlll.exe 1700 lfxlrxr.exe 3004 nhbhnb.exe 2868 xxrrrxf.exe 2252 48684.exe 2444 k48800.exe 1540 222400.exe 2560 204088.exe 1516 202844.exe 1744 tnhntt.exe 2124 5btttb.exe 2032 hbhntb.exe 2328 48462.exe 2064 48664.exe 2200 jjvvj.exe 2956 826228.exe 1496 i480848.exe 2356 pjjjv.exe 276 rfrrxxl.exe 2504 4262880.exe 3008 04686.exe 2280 jdvdp.exe 2832 7htntn.exe 2816 m0408.exe 2764 648806.exe 2680 086800.exe 2592 6424406.exe 2632 jpdpd.exe 3012 hbbbnn.exe 236 tththn.exe 2000 6062664.exe 1976 ppddj.exe 1848 002284.exe 1992 bbnntt.exe 1472 44420.exe 1776 vpjvp.exe 3064 pjvvj.exe 2796 042806.exe 2464 rfffrxl.exe 1588 9bnthh.exe 2052 60240.exe 776 vjjpv.exe 316 2688468.exe 2168 4802820.exe 564 642800.exe 704 486806.exe 1652 488424.exe -
resource yara_rule behavioral1/memory/2352-9-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1260-32-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2712-68-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2200-292-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3008-327-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2020-537-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2112-519-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/1496-510-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2464-448-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1848-411-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/236-385-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2632-372-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2764-354-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2832-345-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2672-575-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2064-276-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2032-259-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2124-256-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2124-251-0x0000000000320000-0x000000000034A000-memory.dmp upx behavioral1/memory/2252-206-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1700-174-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2364-155-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1832-140-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/236-137-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2016-122-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3012-119-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2748-104-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2384-86-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2764-83-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2924-64-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2720-50-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3008-46-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1800-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2544-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/680-660-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2812-685-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/852-758-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1544-877-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2168-951-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3004-964-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1536-1001-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2356-1050-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2516-1063-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2792-1076-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1812-1089-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2612-1174-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 24668.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2022224.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8862406.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frffrxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhbtbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thnhhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xfrxffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5vppp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 66466.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvjjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0822828.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btbbhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 608088.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhhnnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 44420.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlrrffl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbnbbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2352 wrote to memory of 2544 2352 8306b76cb1308ef0d7b8dfa23bb18d5dc826c084549b54ea8c9879ec182f348aN.exe 30 PID 2352 wrote to memory of 2544 2352 8306b76cb1308ef0d7b8dfa23bb18d5dc826c084549b54ea8c9879ec182f348aN.exe 30 PID 2352 wrote to memory of 2544 2352 8306b76cb1308ef0d7b8dfa23bb18d5dc826c084549b54ea8c9879ec182f348aN.exe 30 PID 2352 wrote to memory of 2544 2352 8306b76cb1308ef0d7b8dfa23bb18d5dc826c084549b54ea8c9879ec182f348aN.exe 30 PID 2544 wrote to memory of 1800 2544 9pdjp.exe 31 PID 2544 wrote to memory of 1800 2544 9pdjp.exe 31 PID 2544 wrote to memory of 1800 2544 9pdjp.exe 31 PID 2544 wrote to memory of 1800 2544 9pdjp.exe 31 PID 1800 wrote to memory of 1260 1800 486684.exe 32 PID 1800 wrote to memory of 1260 1800 486684.exe 32 PID 1800 wrote to memory of 1260 1800 486684.exe 32 PID 1800 wrote to memory of 1260 1800 486684.exe 32 PID 1260 wrote to memory of 3008 1260 9xxxllx.exe 67 PID 1260 wrote to memory of 3008 1260 9xxxllx.exe 67 PID 1260 wrote to memory of 3008 1260 9xxxllx.exe 67 PID 1260 wrote to memory of 3008 1260 9xxxllx.exe 67 PID 3008 wrote to memory of 2720 3008 5tntbh.exe 34 PID 3008 wrote to memory of 2720 3008 5tntbh.exe 34 PID 3008 wrote to memory of 2720 3008 5tntbh.exe 34 PID 3008 wrote to memory of 2720 3008 5tntbh.exe 34 PID 2720 wrote to memory of 2924 2720 4206846.exe 35 PID 2720 wrote to memory of 2924 2720 4206846.exe 35 PID 2720 wrote to memory of 2924 2720 4206846.exe 35 PID 2720 wrote to memory of 2924 2720 4206846.exe 35 PID 2924 wrote to memory of 2712 2924 20402.exe 36 PID 2924 wrote to memory of 2712 2924 20402.exe 36 PID 2924 wrote to memory of 2712 2924 20402.exe 36 PID 2924 wrote to memory of 2712 2924 20402.exe 36 PID 2712 wrote to memory of 2764 2712 nththn.exe 37 PID 2712 wrote to memory of 2764 2712 nththn.exe 37 PID 2712 wrote to memory of 2764 2712 nththn.exe 37 PID 2712 wrote to memory of 2764 2712 nththn.exe 37 PID 2764 wrote to memory of 2384 2764 rfxffxx.exe 38 PID 2764 
wrote to memory of 2384 2764 rfxffxx.exe 38 PID 2764 wrote to memory of 2384 2764 rfxffxx.exe 38 PID 2764 wrote to memory of 2384 2764 rfxffxx.exe 38 PID 2384 wrote to memory of 2592 2384 u264624.exe 39 PID 2384 wrote to memory of 2592 2384 u264624.exe 39 PID 2384 wrote to memory of 2592 2384 u264624.exe 39 PID 2384 wrote to memory of 2592 2384 u264624.exe 39 PID 2592 wrote to memory of 2748 2592 1tntbn.exe 40 PID 2592 wrote to memory of 2748 2592 1tntbn.exe 40 PID 2592 wrote to memory of 2748 2592 1tntbn.exe 40 PID 2592 wrote to memory of 2748 2592 1tntbn.exe 40 PID 2748 wrote to memory of 3012 2748 rrflrrf.exe 109 PID 2748 wrote to memory of 3012 2748 rrflrrf.exe 109 PID 2748 wrote to memory of 3012 2748 rrflrrf.exe 109 PID 2748 wrote to memory of 3012 2748 rrflrrf.exe 109 PID 3012 wrote to memory of 2016 3012 nthhbn.exe 42 PID 3012 wrote to memory of 2016 3012 nthhbn.exe 42 PID 3012 wrote to memory of 2016 3012 nthhbn.exe 42 PID 3012 wrote to memory of 2016 3012 nthhbn.exe 42 PID 2016 wrote to memory of 236 2016 08602.exe 43 PID 2016 wrote to memory of 236 2016 08602.exe 43 PID 2016 wrote to memory of 236 2016 08602.exe 43 PID 2016 wrote to memory of 236 2016 08602.exe 43 PID 236 wrote to memory of 1832 236 o268442.exe 44 PID 236 wrote to memory of 1832 236 o268442.exe 44 PID 236 wrote to memory of 1832 236 o268442.exe 44 PID 236 wrote to memory of 1832 236 o268442.exe 44 PID 1832 wrote to memory of 2364 1832 5lxfrxf.exe 45 PID 1832 wrote to memory of 2364 1832 5lxfrxf.exe 45 PID 1832 wrote to memory of 2364 1832 5lxfrxf.exe 45 PID 1832 wrote to memory of 2364 1832 5lxfrxf.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\8306b76cb1308ef0d7b8dfa23bb18d5dc826c084549b54ea8c9879ec182f348aN.exe"C:\Users\Admin\AppData\Local\Temp\8306b76cb1308ef0d7b8dfa23bb18d5dc826c084549b54ea8c9879ec182f348aN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2352 -
\??\c:\9pdjp.exec:\9pdjp.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2544 -
\??\c:\486684.exec:\486684.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1800 -
\??\c:\9xxxllx.exec:\9xxxllx.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1260 -
\??\c:\5tntbh.exec:\5tntbh.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3008 -
\??\c:\4206846.exec:\4206846.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2720 -
\??\c:\20402.exec:\20402.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2924 -
\??\c:\nththn.exec:\nththn.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2712 -
\??\c:\rfxffxx.exec:\rfxffxx.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2764 -
\??\c:\u264624.exec:\u264624.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2384 -
\??\c:\1tntbn.exec:\1tntbn.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2592 -
\??\c:\rrflrrf.exec:\rrflrrf.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2748 -
\??\c:\nthhbn.exec:\nthhbn.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3012 -
\??\c:\08602.exec:\08602.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2016 -
\??\c:\o268442.exec:\o268442.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:236 -
\??\c:\5lxfrxf.exec:\5lxfrxf.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1832 -
\??\c:\042248.exec:\042248.exe17⤵
- Executes dropped EXE
PID:2364 -
\??\c:\ffxflrx.exec:\ffxflrx.exe18⤵
- Executes dropped EXE
PID:1116 -
\??\c:\1lfxlll.exec:\1lfxlll.exe19⤵
- Executes dropped EXE
PID:1992 -
\??\c:\lfxlrxr.exec:\lfxlrxr.exe20⤵
- Executes dropped EXE
PID:1700 -
\??\c:\nhbhnb.exec:\nhbhnb.exe21⤵
- Executes dropped EXE
PID:3004 -
\??\c:\xxrrrxf.exec:\xxrrrxf.exe22⤵
- Executes dropped EXE
PID:2868 -
\??\c:\48684.exec:\48684.exe23⤵
- Executes dropped EXE
PID:2252 -
\??\c:\k48800.exec:\k48800.exe24⤵
- Executes dropped EXE
PID:2444 -
\??\c:\222400.exec:\222400.exe25⤵
- Executes dropped EXE
PID:1540 -
\??\c:\204088.exec:\204088.exe26⤵
- Executes dropped EXE
PID:2560 -
\??\c:\202844.exec:\202844.exe27⤵
- Executes dropped EXE
PID:1516 -
\??\c:\tnhntt.exec:\tnhntt.exe28⤵
- Executes dropped EXE
PID:1744 -
\??\c:\5btttb.exec:\5btttb.exe29⤵
- Executes dropped EXE
PID:2124 -
\??\c:\hbhntb.exec:\hbhntb.exe30⤵
- Executes dropped EXE
PID:2032 -
\??\c:\48462.exec:\48462.exe31⤵
- Executes dropped EXE
PID:2328 -
\??\c:\48664.exec:\48664.exe32⤵
- Executes dropped EXE
PID:2064 -
\??\c:\jjvvj.exec:\jjvvj.exe33⤵
- Executes dropped EXE
PID:2200 -
\??\c:\826228.exec:\826228.exe34⤵
- Executes dropped EXE
PID:2956 -
\??\c:\i480848.exec:\i480848.exe35⤵
- Executes dropped EXE
PID:1496 -
\??\c:\pjjjv.exec:\pjjjv.exe36⤵
- Executes dropped EXE
PID:2356 -
\??\c:\rfrrxxl.exec:\rfrrxxl.exe37⤵
- Executes dropped EXE
PID:276 -
\??\c:\4262880.exec:\4262880.exe38⤵
- Executes dropped EXE
PID:2504 -
\??\c:\04686.exec:\04686.exe39⤵
- Executes dropped EXE
PID:3008 -
\??\c:\jdvdp.exec:\jdvdp.exe40⤵
- Executes dropped EXE
PID:2280 -
\??\c:\7htntn.exec:\7htntn.exe41⤵
- Executes dropped EXE
PID:2832 -
\??\c:\m0408.exec:\m0408.exe42⤵
- Executes dropped EXE
PID:2816 -
\??\c:\648806.exec:\648806.exe43⤵
- Executes dropped EXE
PID:2764 -
\??\c:\086800.exec:\086800.exe44⤵
- Executes dropped EXE
PID:2680 -
\??\c:\6424406.exec:\6424406.exe45⤵
- Executes dropped EXE
PID:2592 -
\??\c:\jpdpd.exec:\jpdpd.exe46⤵
- Executes dropped EXE
PID:2632 -
\??\c:\hbbbnn.exec:\hbbbnn.exe47⤵
- Executes dropped EXE
PID:3012 -
\??\c:\tththn.exec:\tththn.exe48⤵
- Executes dropped EXE
PID:236 -
\??\c:\6062664.exec:\6062664.exe49⤵
- Executes dropped EXE
PID:2000 -
\??\c:\ppddj.exec:\ppddj.exe50⤵
- Executes dropped EXE
PID:1976 -
\??\c:\002284.exec:\002284.exe51⤵
- Executes dropped EXE
PID:1848 -
\??\c:\bbnntt.exec:\bbnntt.exe52⤵
- Executes dropped EXE
PID:1992 -
\??\c:\44420.exec:\44420.exe53⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1472 -
\??\c:\vpjvp.exec:\vpjvp.exe54⤵
- Executes dropped EXE
PID:1776 -
\??\c:\pjvvj.exec:\pjvvj.exe55⤵
- Executes dropped EXE
PID:3064 -
\??\c:\042806.exec:\042806.exe56⤵
- Executes dropped EXE
PID:2796 -
\??\c:\rfffrxl.exec:\rfffrxl.exe57⤵
- Executes dropped EXE
PID:2464 -
\??\c:\9bnthh.exec:\9bnthh.exe58⤵
- Executes dropped EXE
PID:1588 -
\??\c:\60240.exec:\60240.exe59⤵
- Executes dropped EXE
PID:2052 -
\??\c:\vjjpv.exec:\vjjpv.exe60⤵
- Executes dropped EXE
PID:776 -
\??\c:\2688468.exec:\2688468.exe61⤵
- Executes dropped EXE
PID:316 -
\??\c:\4802820.exec:\4802820.exe62⤵
- Executes dropped EXE
PID:2168 -
\??\c:\642800.exec:\642800.exe63⤵
- Executes dropped EXE
PID:564 -
\??\c:\486806.exec:\486806.exe64⤵
- Executes dropped EXE
PID:704 -
\??\c:\488424.exec:\488424.exe65⤵
- Executes dropped EXE
PID:1652 -
\??\c:\864000.exec:\864000.exe66⤵PID:1964
-
\??\c:\w20464.exec:\w20464.exe67⤵PID:2468
-
\??\c:\xrrlrfl.exec:\xrrlrfl.exe68⤵PID:1496
-
\??\c:\q08806.exec:\q08806.exe69⤵PID:2112
-
\??\c:\fflrflf.exec:\fflrflf.exe70⤵PID:3048
-
\??\c:\o484622.exec:\o484622.exe71⤵PID:2020
-
\??\c:\a4280.exec:\a4280.exe72⤵PID:2084
-
\??\c:\648806.exec:\648806.exe73⤵PID:2832
-
\??\c:\vpjjp.exec:\vpjjp.exe74⤵PID:1808
-
\??\c:\602802.exec:\602802.exe75⤵PID:1892
-
\??\c:\826862.exec:\826862.exe76⤵PID:2520
-
\??\c:\hhbnbb.exec:\hhbnbb.exe77⤵PID:1684
-
\??\c:\dvjjv.exec:\dvjjv.exe78⤵PID:2672
-
\??\c:\0428062.exec:\0428062.exe79⤵PID:2592
-
\??\c:\htbbbh.exec:\htbbbh.exe80⤵PID:2684
-
\??\c:\a0440.exec:\a0440.exe81⤵PID:3012
-
\??\c:\080024.exec:\080024.exe82⤵PID:1544
-
\??\c:\fxfrrxf.exec:\fxfrrxf.exe83⤵PID:2824
-
\??\c:\5frxffl.exec:\5frxffl.exe84⤵PID:1116
-
\??\c:\g2046.exec:\g2046.exe85⤵PID:2484
-
\??\c:\086688.exec:\086688.exe86⤵PID:2284
-
\??\c:\pjdvv.exec:\pjdvv.exe87⤵PID:2856
-
\??\c:\9jvvv.exec:\9jvvv.exe88⤵PID:2016
-
\??\c:\ppddj.exec:\ppddj.exe89⤵PID:1400
-
\??\c:\3nbttb.exec:\3nbttb.exe90⤵PID:1960
-
\??\c:\s4442.exec:\s4442.exe91⤵PID:680
-
\??\c:\lxrxxxf.exec:\lxrxxxf.exe92⤵PID:2008
-
\??\c:\jjpdd.exec:\jjpdd.exe93⤵PID:2852
-
\??\c:\lxrlxrf.exec:\lxrlxrf.exe94⤵PID:1804
-
\??\c:\9nbbhn.exec:\9nbbhn.exe95⤵PID:2812
-
\??\c:\82668.exec:\82668.exe96⤵PID:3004
-
\??\c:\7bbnbb.exec:\7bbnbb.exe97⤵PID:1376
-
\??\c:\5jvdp.exec:\5jvdp.exe98⤵PID:2444
-
\??\c:\lfllrfl.exec:\lfllrfl.exe99⤵PID:2880
-
\??\c:\vdppv.exec:\vdppv.exe100⤵PID:1584
-
\??\c:\nbtthh.exec:\nbtthh.exe101⤵PID:1416
-
\??\c:\ffllxrf.exec:\ffllxrf.exe102⤵PID:2276
-
\??\c:\7vjpd.exec:\7vjpd.exe103⤵PID:2688
-
\??\c:\264406.exec:\264406.exe104⤵PID:2864
-
\??\c:\60446.exec:\60446.exe105⤵PID:1780
-
\??\c:\ddvpv.exec:\ddvpv.exe106⤵PID:1840
-
\??\c:\jjdvj.exec:\jjdvj.exe107⤵PID:2640
-
\??\c:\ddvdp.exec:\ddvdp.exe108⤵PID:852
-
\??\c:\5frrxxf.exec:\5frrxxf.exe109⤵PID:2020
-
\??\c:\btnnbb.exec:\btnnbb.exe110⤵PID:2884
-
\??\c:\djvdv.exec:\djvdv.exe111⤵PID:2908
-
\??\c:\04066.exec:\04066.exe112⤵PID:2948
-
\??\c:\0428086.exec:\0428086.exe113⤵PID:2540
-
\??\c:\26462.exec:\26462.exe114⤵PID:2900
-
\??\c:\a2002.exec:\a2002.exe115⤵PID:1972
-
\??\c:\64484.exec:\64484.exe116⤵PID:2428
-
\??\c:\c422446.exec:\c422446.exe117⤵PID:2664
-
\??\c:\7nhnbh.exec:\7nhnbh.exe118⤵PID:1532
-
\??\c:\pjjjp.exec:\pjjjp.exe119⤵PID:324
-
\??\c:\k64022.exec:\k64022.exe120⤵PID:2500
-
\??\c:\lxrxlrx.exec:\lxrxlrx.exe121⤵PID:2204
-
\??\c:\3pddj.exec:\3pddj.exe122⤵PID:2708