Analysis
-
max time kernel
120s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64 arch:x86 image:win7-20241010-en locale:en-us os:windows7-x64 system -
submitted
20-12-2024 02:58
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
d737bde504aabef9e1b390f7fb93dbf050d46400de1ff33893e532b5c3311374N.exe
Resource
win7-20241010-en
windows7-x64
7 signatures
120 seconds
General
-
Target
d737bde504aabef9e1b390f7fb93dbf050d46400de1ff33893e532b5c3311374N.exe
-
Size
454KB
-
MD5
6da57749ed15379431d3181d5d98c320
-
SHA1
b366c59e634b200e10c0215ab5b862c36640a21c
-
SHA256
d737bde504aabef9e1b390f7fb93dbf050d46400de1ff33893e532b5c3311374
-
SHA512
68e8923635d0109ec29dbeacd3033dbc8a14d4623e4e4cc806df3421f4a9b6f79bea515e4c1569cccf22819ee3348760dfb6e2805622d1ba092255c03605f7cb
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeY:q7Tc2NYHUrAwfMp3CDY
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 55 IoCs
resource yara_rule behavioral1/memory/2556-8-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1724-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2576-28-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2840-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2752-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2768-64-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2888-73-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2820-77-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2820-84-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2820-82-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2720-100-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1712-137-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1496-151-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2956-168-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1556-177-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/236-186-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2268-205-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1820-214-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/896-230-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/888-240-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/888-235-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon 
behavioral1/memory/2384-260-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2384-285-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2416-293-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1812-300-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2416-313-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2748-333-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2664-380-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2616-406-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2616-407-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2532-426-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2532-427-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/392-454-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2448-468-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1648-526-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1628-553-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2652-620-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2716-664-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/940-684-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/752-751-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1768-748-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/880-830-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2464-843-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2840-869-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2204-888-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2952-951-0x0000000000260000-0x000000000028A000-memory.dmp family_blackmoon behavioral1/memory/2860-963-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/2984-977-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2088-1002-0x0000000000250000-0x000000000027A000-memory.dmp family_blackmoon behavioral1/memory/2492-1140-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2492-1159-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2868-1220-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2096-1227-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1736-1271-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/832-1322-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1724 264688.exe 2576 2006880.exe 2840 o040224.exe 2752 xxrxfrr.exe 2912 20626.exe 2768 s0880.exe 2888 020662.exe 2820 202222.exe 3028 42064.exe 2720 xlflfff.exe 2380 rllxllr.exe 2300 lxflrrr.exe 2856 1pppp.exe 1620 4200664.exe 1712 3lrrlrr.exe 1496 3pdvd.exe 2980 46828.exe 2956 q80444.exe 1556 00460.exe 236 vjppp.exe 284 7nbbbh.exe 2268 pdpjp.exe 1820 pdppv.exe 2136 606844.exe 896 lfxrrfl.exe 888 o006228.exe 1676 lfrxffr.exe 2384 lxrlfxf.exe 2080 268844.exe 2452 hbhbnh.exe 1528 rrlxlxf.exe 2416 484444.exe 1812 frffflr.exe 2332 208444.exe 1720 xlrxfff.exe 1536 9fllrxx.exe 1816 7ntttt.exe 2748 a4666.exe 2752 2044606.exe 2800 9vpjj.exe 3024 2400666.exe 3016 o426480.exe 2780 7bhhnh.exe 2820 jdvvv.exe 2664 e26688.exe 2676 fxflrlx.exe 2876 3nhhtb.exe 2864 2486466.exe 2616 vpddd.exe 2872 26624.exe 2528 bbbhnh.exe 2532 2462644.exe 1244 8026206.exe 1496 080066.exe 2972 4684484.exe 2992 9jdvj.exe 392 0866884.exe 2448 2022406.exe 236 20266.exe 2628 5hnnbh.exe 820 202262.exe 1304 048022.exe 3064 02686.exe 348 jdvdj.exe -
resource yara_rule behavioral1/memory/1724-9-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2556-8-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1724-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2576-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2840-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2752-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2768-64-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2888-73-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2820-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2720-100-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1712-137-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1496-151-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2956-168-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1556-177-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/236-186-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2268-205-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1820-214-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/896-230-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1820-241-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/888-240-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1812-300-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1536-314-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2748-333-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3024-346-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2664-373-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2664-380-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2864-399-0x0000000000320000-0x000000000034A000-memory.dmp upx behavioral1/memory/2616-406-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2532-427-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/392-454-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2448-461-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2448-468-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2628-475-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/896-507-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1648-526-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2464-539-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1628-546-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1628-553-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2652-620-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2280-651-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2716-664-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/752-751-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/880-830-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2840-862-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2840-869-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2204-888-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2952-943-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2024-1015-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/684-1052-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2160-1059-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1464-1066-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2384-1073-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer that host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0844624.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flxlxxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 02020.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language o460020.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfxrrfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language m2668.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3djdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 482840.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xffrxfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 220244.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlfrxlx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found 
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9jdvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thbbhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 080022.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 448084.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 020662.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 82684.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvjvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 00468.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhbntb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 608444.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 080062.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdvdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2556 wrote to memory of 1724 2556 d737bde504aabef9e1b390f7fb93dbf050d46400de1ff33893e532b5c3311374N.exe 31 PID 2556 wrote to memory of 1724 2556 d737bde504aabef9e1b390f7fb93dbf050d46400de1ff33893e532b5c3311374N.exe 31 PID 2556 wrote to memory of 1724 2556 d737bde504aabef9e1b390f7fb93dbf050d46400de1ff33893e532b5c3311374N.exe 31 PID 2556 wrote to memory of 1724 2556 d737bde504aabef9e1b390f7fb93dbf050d46400de1ff33893e532b5c3311374N.exe 31 PID 1724 wrote to memory of 2576 1724 264688.exe 32 PID 1724 wrote to memory of 2576 1724 264688.exe 32 PID 1724 wrote to memory of 2576 1724 264688.exe 32 PID 1724 wrote to memory of 2576 1724 264688.exe 32 PID 2576 wrote to memory of 2840 2576 2006880.exe 33 PID 2576 wrote to memory of 2840 2576 2006880.exe 33 PID 2576 wrote to memory of 2840 2576 2006880.exe 33 PID 2576 wrote to memory of 2840 2576 2006880.exe 33 PID 2840 wrote to memory of 2752 2840 o040224.exe 34 PID 2840 wrote to memory of 2752 2840 o040224.exe 34 PID 2840 wrote to memory of 2752 2840 o040224.exe 34 PID 2840 wrote to memory of 2752 2840 o040224.exe 34 PID 2752 wrote to memory of 2912 2752 xxrxfrr.exe 35 PID 2752 wrote to memory of 2912 2752 xxrxfrr.exe 35 PID 2752 wrote to memory of 2912 2752 xxrxfrr.exe 35 PID 2752 wrote to memory of 2912 2752 xxrxfrr.exe 35 PID 2912 wrote to memory of 2768 2912 20626.exe 36 PID 2912 wrote to memory of 2768 2912 20626.exe 36 PID 2912 wrote to memory of 2768 2912 20626.exe 36 PID 2912 wrote to memory of 2768 2912 20626.exe 36 PID 2768 wrote to memory of 2888 2768 s0880.exe 37 PID 2768 wrote to memory of 2888 2768 s0880.exe 37 PID 2768 wrote to memory of 2888 2768 s0880.exe 37 PID 2768 wrote to memory of 2888 2768 s0880.exe 37 PID 2888 wrote to memory of 2820 2888 020662.exe 38 PID 2888 wrote to memory of 2820 2888 020662.exe 38 PID 2888 wrote to memory of 2820 2888 020662.exe 38 PID 2888 wrote to memory of 2820 2888 020662.exe 38 PID 2820 wrote to memory of 3028 2820 202222.exe 39 PID 
2820 wrote to memory of 3028 2820 202222.exe 39 PID 2820 wrote to memory of 3028 2820 202222.exe 39 PID 2820 wrote to memory of 3028 2820 202222.exe 39 PID 3028 wrote to memory of 2720 3028 42064.exe 40 PID 3028 wrote to memory of 2720 3028 42064.exe 40 PID 3028 wrote to memory of 2720 3028 42064.exe 40 PID 3028 wrote to memory of 2720 3028 42064.exe 40 PID 2720 wrote to memory of 2380 2720 xlflfff.exe 41 PID 2720 wrote to memory of 2380 2720 xlflfff.exe 41 PID 2720 wrote to memory of 2380 2720 xlflfff.exe 41 PID 2720 wrote to memory of 2380 2720 xlflfff.exe 41 PID 2380 wrote to memory of 2300 2380 rllxllr.exe 42 PID 2380 wrote to memory of 2300 2380 rllxllr.exe 42 PID 2380 wrote to memory of 2300 2380 rllxllr.exe 42 PID 2380 wrote to memory of 2300 2380 rllxllr.exe 42 PID 2300 wrote to memory of 2856 2300 lxflrrr.exe 43 PID 2300 wrote to memory of 2856 2300 lxflrrr.exe 43 PID 2300 wrote to memory of 2856 2300 lxflrrr.exe 43 PID 2300 wrote to memory of 2856 2300 lxflrrr.exe 43 PID 2856 wrote to memory of 1620 2856 1pppp.exe 44 PID 2856 wrote to memory of 1620 2856 1pppp.exe 44 PID 2856 wrote to memory of 1620 2856 1pppp.exe 44 PID 2856 wrote to memory of 1620 2856 1pppp.exe 44 PID 1620 wrote to memory of 1712 1620 4200664.exe 45 PID 1620 wrote to memory of 1712 1620 4200664.exe 45 PID 1620 wrote to memory of 1712 1620 4200664.exe 45 PID 1620 wrote to memory of 1712 1620 4200664.exe 45 PID 1712 wrote to memory of 1496 1712 3lrrlrr.exe 46 PID 1712 wrote to memory of 1496 1712 3lrrlrr.exe 46 PID 1712 wrote to memory of 1496 1712 3lrrlrr.exe 46 PID 1712 wrote to memory of 1496 1712 3lrrlrr.exe 46
Processes
-
C:\Users\Admin\AppData\Local\Temp\d737bde504aabef9e1b390f7fb93dbf050d46400de1ff33893e532b5c3311374N.exe"C:\Users\Admin\AppData\Local\Temp\d737bde504aabef9e1b390f7fb93dbf050d46400de1ff33893e532b5c3311374N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2556 -
\??\c:\264688.exec:\264688.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1724 -
\??\c:\2006880.exec:\2006880.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2576 -
\??\c:\o040224.exec:\o040224.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2840 -
\??\c:\xxrxfrr.exec:\xxrxfrr.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2752 -
\??\c:\20626.exec:\20626.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2912 -
\??\c:\s0880.exec:\s0880.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2768 -
\??\c:\020662.exec:\020662.exe8⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2888 -
\??\c:\202222.exec:\202222.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2820 -
\??\c:\42064.exec:\42064.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3028 -
\??\c:\xlflfff.exec:\xlflfff.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2720 -
\??\c:\rllxllr.exec:\rllxllr.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2380 -
\??\c:\lxflrrr.exec:\lxflrrr.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2300 -
\??\c:\1pppp.exec:\1pppp.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2856 -
\??\c:\4200664.exec:\4200664.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1620 -
\??\c:\3lrrlrr.exec:\3lrrlrr.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1712 -
\??\c:\3pdvd.exec:\3pdvd.exe17⤵
- Executes dropped EXE
PID:1496 -
\??\c:\46828.exec:\46828.exe18⤵
- Executes dropped EXE
PID:2980 -
\??\c:\q80444.exec:\q80444.exe19⤵
- Executes dropped EXE
PID:2956 -
\??\c:\00460.exec:\00460.exe20⤵
- Executes dropped EXE
PID:1556 -
\??\c:\vjppp.exec:\vjppp.exe21⤵
- Executes dropped EXE
PID:236 -
\??\c:\7nbbbh.exec:\7nbbbh.exe22⤵
- Executes dropped EXE
PID:284 -
\??\c:\pdpjp.exec:\pdpjp.exe23⤵
- Executes dropped EXE
PID:2268 -
\??\c:\pdppv.exec:\pdppv.exe24⤵
- Executes dropped EXE
PID:1820 -
\??\c:\606844.exec:\606844.exe25⤵
- Executes dropped EXE
PID:2136 -
\??\c:\lfxrrfl.exec:\lfxrrfl.exe26⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:896 -
\??\c:\o006228.exec:\o006228.exe27⤵
- Executes dropped EXE
PID:888 -
\??\c:\lfrxffr.exec:\lfrxffr.exe28⤵
- Executes dropped EXE
PID:1676 -
\??\c:\lxrlfxf.exec:\lxrlfxf.exe29⤵
- Executes dropped EXE
PID:2384 -
\??\c:\268844.exec:\268844.exe30⤵
- Executes dropped EXE
PID:2080 -
\??\c:\hbhbnh.exec:\hbhbnh.exe31⤵
- Executes dropped EXE
PID:2452 -
\??\c:\rrlxlxf.exec:\rrlxlxf.exe32⤵
- Executes dropped EXE
PID:1528 -
\??\c:\484444.exec:\484444.exe33⤵
- Executes dropped EXE
PID:2416 -
\??\c:\frffflr.exec:\frffflr.exe34⤵
- Executes dropped EXE
PID:1812 -
\??\c:\208444.exec:\208444.exe35⤵
- Executes dropped EXE
PID:2332 -
\??\c:\xlrxfff.exec:\xlrxfff.exe36⤵
- Executes dropped EXE
PID:1720 -
\??\c:\9fllrxx.exec:\9fllrxx.exe37⤵
- Executes dropped EXE
PID:1536 -
\??\c:\7ntttt.exec:\7ntttt.exe38⤵
- Executes dropped EXE
PID:1816 -
\??\c:\a4666.exec:\a4666.exe39⤵
- Executes dropped EXE
PID:2748 -
\??\c:\2044606.exec:\2044606.exe40⤵
- Executes dropped EXE
PID:2752 -
\??\c:\9vpjj.exec:\9vpjj.exe41⤵
- Executes dropped EXE
PID:2800 -
\??\c:\2400666.exec:\2400666.exe42⤵
- Executes dropped EXE
PID:3024 -
\??\c:\o426480.exec:\o426480.exe43⤵
- Executes dropped EXE
PID:3016 -
\??\c:\7bhhnh.exec:\7bhhnh.exe44⤵
- Executes dropped EXE
PID:2780 -
\??\c:\jdvvv.exec:\jdvvv.exe45⤵
- Executes dropped EXE
PID:2820 -
\??\c:\e26688.exec:\e26688.exe46⤵
- Executes dropped EXE
PID:2664 -
\??\c:\fxflrlx.exec:\fxflrlx.exe47⤵
- Executes dropped EXE
PID:2676 -
\??\c:\3nhhtb.exec:\3nhhtb.exe48⤵
- Executes dropped EXE
PID:2876 -
\??\c:\2486466.exec:\2486466.exe49⤵
- Executes dropped EXE
PID:2864 -
\??\c:\vpddd.exec:\vpddd.exe50⤵
- Executes dropped EXE
PID:2616 -
\??\c:\26624.exec:\26624.exe51⤵
- Executes dropped EXE
PID:2872 -
\??\c:\bbbhnh.exec:\bbbhnh.exe52⤵
- Executes dropped EXE
PID:2528 -
\??\c:\2462644.exec:\2462644.exe53⤵
- Executes dropped EXE
PID:2532 -
\??\c:\8026206.exec:\8026206.exe54⤵
- Executes dropped EXE
PID:1244 -
\??\c:\080066.exec:\080066.exe55⤵
- Executes dropped EXE
PID:1496 -
\??\c:\4684484.exec:\4684484.exe56⤵
- Executes dropped EXE
PID:2972 -
\??\c:\9jdvj.exec:\9jdvj.exe57⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2992 -
\??\c:\0866884.exec:\0866884.exe58⤵
- Executes dropped EXE
PID:392 -
\??\c:\2022406.exec:\2022406.exe59⤵
- Executes dropped EXE
PID:2448 -
\??\c:\20266.exec:\20266.exe60⤵
- Executes dropped EXE
PID:236 -
\??\c:\5hnnbh.exec:\5hnnbh.exe61⤵
- Executes dropped EXE
PID:2628 -
\??\c:\202262.exec:\202262.exe62⤵
- Executes dropped EXE
PID:820 -
\??\c:\048022.exec:\048022.exe63⤵
- Executes dropped EXE
PID:1304 -
\??\c:\02686.exec:\02686.exe64⤵
- Executes dropped EXE
PID:3064 -
\??\c:\jdvdj.exec:\jdvdj.exe65⤵
- Executes dropped EXE
PID:348 -
\??\c:\vjjjv.exec:\vjjjv.exe66⤵PID:896
-
\??\c:\4206846.exec:\4206846.exe67⤵PID:952
-
\??\c:\40602.exec:\40602.exe68⤵PID:1648
-
\??\c:\3lxxffr.exec:\3lxxffr.exe69⤵PID:2372
-
\??\c:\fflrxfr.exec:\fflrxfr.exe70⤵PID:1408
-
\??\c:\44628.exec:\44628.exe71⤵PID:2464
-
\??\c:\1nbbnh.exec:\1nbbnh.exe72⤵PID:1628
-
\??\c:\lfxxlfx.exec:\lfxxlfx.exe73⤵PID:2452
-
\??\c:\jdvdj.exec:\jdvdj.exe74⤵PID:2188
-
\??\c:\c644280.exec:\c644280.exe75⤵PID:1488
-
\??\c:\c606402.exec:\c606402.exe76⤵PID:1508
-
\??\c:\26806.exec:\26806.exe77⤵PID:2388
-
\??\c:\hbthbb.exec:\hbthbb.exe78⤵PID:1900
-
\??\c:\0424220.exec:\0424220.exe79⤵PID:2576
-
\??\c:\60086.exec:\60086.exe80⤵PID:1536
-
\??\c:\0844066.exec:\0844066.exe81⤵PID:2924
-
\??\c:\btbtbh.exec:\btbtbh.exe82⤵PID:2748
-
\??\c:\260406.exec:\260406.exe83⤵PID:2652
-
\??\c:\nhtttn.exec:\nhtttn.exe84⤵PID:2796
-
\??\c:\2608624.exec:\2608624.exe85⤵PID:2804
-
\??\c:\e46626.exec:\e46626.exe86⤵PID:1640
-
\??\c:\22066.exec:\22066.exe87⤵PID:2816
-
\??\c:\4828880.exec:\4828880.exe88⤵PID:3028
-
\??\c:\2088668.exec:\2088668.exe89⤵PID:2280
-
\??\c:\i406624.exec:\i406624.exe90⤵PID:2716
-
\??\c:\640644.exec:\640644.exe91⤵PID:2952
-
\??\c:\ppddj.exec:\ppddj.exe92⤵PID:2848
-
\??\c:\82068.exec:\82068.exe93⤵PID:940
-
\??\c:\jdpdj.exec:\jdpdj.exe94⤵PID:1872
-
\??\c:\9frxflr.exec:\9frxflr.exe95⤵PID:328
-
\??\c:\8640620.exec:\8640620.exe96⤵PID:1944
-
\??\c:\20446.exec:\20446.exe97⤵PID:2968
-
\??\c:\1rxflrl.exec:\1rxflrl.exe98⤵PID:1864
-
\??\c:\btnthn.exec:\btnthn.exe99⤵PID:2088
-
\??\c:\tbthtb.exec:\tbthtb.exe100⤵PID:1768
-
\??\c:\02020.exec:\02020.exe101⤵
- System Location Discovery: System Language Discovery
PID:1968 -
\??\c:\2088068.exec:\2088068.exe102⤵PID:2024
-
\??\c:\q68288.exec:\q68288.exe103⤵PID:752
-
\??\c:\080022.exec:\080022.exe104⤵
- System Location Discovery: System Language Discovery
PID:2328 -
\??\c:\42002.exec:\42002.exe105⤵PID:956
-
\??\c:\fxlrllx.exec:\fxlrllx.exe106⤵PID:1920
-
\??\c:\82642.exec:\82642.exe107⤵PID:492
-
\??\c:\824428.exec:\824428.exe108⤵PID:2108
-
\??\c:\nhbbnn.exec:\nhbbnn.exe109⤵PID:2160
-
\??\c:\260606.exec:\260606.exe110⤵PID:1464
-
\??\c:\ttnbbh.exec:\ttnbbh.exe111⤵PID:1764
-
\??\c:\004680.exec:\004680.exe112⤵PID:1044
-
\??\c:\pdjdj.exec:\pdjdj.exe113⤵PID:2372
-
\??\c:\82684.exec:\82684.exe114⤵PID:2392
-
\??\c:\vdvjv.exec:\vdvjv.exe115⤵PID:2464
-
\??\c:\i080668.exec:\i080668.exe116⤵PID:880
-
\??\c:\08228.exec:\08228.exe117⤵PID:2452
-
\??\c:\e08462.exec:\e08462.exe118⤵PID:1520
-
\??\c:\fxllrlr.exec:\fxllrlr.exe119⤵PID:2052
-
\??\c:\hbtbhn.exec:\hbtbhn.exe120⤵PID:1508
-
\??\c:\xfxxxff.exec:\xfxxxff.exe121⤵PID:2388
-
\??\c:\xrlfllf.exec:\xrlfllf.exe122⤵PID:2840