Analysis
-
max time kernel
150s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64 arch:x86 image:win7-20240708-en locale:en-us os:windows7-x64 system -
submitted
24-12-2024 19:39
Behavioral task
behavioral1
Sample
105b3cd7c45a69eba8b2b2509059e303bd969cb279d5eecfc3cba8449dc40f87.exe
Resource
win7-20240708-en
windows7-x64
7 signatures
150 seconds
General
-
Target
105b3cd7c45a69eba8b2b2509059e303bd969cb279d5eecfc3cba8449dc40f87.exe
-
Size
332KB
-
MD5
718282396c93a1b834a49a61ec1caeac
-
SHA1
6c5a47a597ecf7d48d3244e2fe5a22387231fe21
-
SHA256
105b3cd7c45a69eba8b2b2509059e303bd969cb279d5eecfc3cba8449dc40f87
-
SHA512
6b76f7361a43683237ea7d052a45266ab2c6dc246246db230563b4dc9d9e2560a245b99c137a222909291042512d33fa844b68c05963e7d2fc846535d4aee91d
-
SSDEEP
6144:Lcm4FmowdHoSHt251UriZFwfsDX2UznsaFVNJCMKAbel:R4wFHoSHYHUrAwfMp3CDl
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 44 IoCs. Note: every hit but the last is a 0x27000-byte region at the image base 0x400000 (or a small low-address region such as 0x220000/0x2B0000/0x1B0000) of one of the chained processes; the final hit (PID 2160, 0x76C90000-0x76DAF000) lies in an address range normally occupied by system DLLs rather than the sample's image, so confirm which module is mapped there before treating it as a payload match.
resource yara_rule behavioral1/memory/2280-6-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1708-10-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2800-26-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2828-41-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2828-44-0x00000000002B0000-0x00000000002D7000-memory.dmp family_blackmoon behavioral1/memory/2176-42-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2964-58-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2892-67-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2712-76-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2712-78-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2664-80-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2688-96-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2444-100-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2444-104-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1340-112-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2508-120-0x00000000001B0000-0x00000000001D7000-memory.dmp family_blackmoon behavioral1/memory/1840-130-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1948-138-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1856-141-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/792-163-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/652-172-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral1/memory/584-180-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/448-195-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2496-204-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1008-211-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/800-220-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2980-227-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/3000-251-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2140-258-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2028-274-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2968-280-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2000-287-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1600-303-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2744-345-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2568-437-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2492-479-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2416-520-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1812-654-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/1640-700-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/1640-701-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1796-743-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/268-776-0x00000000001B0000-0x00000000001D7000-memory.dmp family_blackmoon 
behavioral1/memory/2096-968-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2160-1072-0x0000000076C90000-0x0000000076DAF000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs. Note: PIDs are reused within the run (2664 is listed for both vpvdd.exe and c462288.exe, 1340 for 64426.exe and 1nbbbh.exe, 2508 for 4860280.exe and lflrxxx.exe), so correlate events on PID together with image name and ordering rather than on PID alone.
pid Process 1708 flrrxrr.exe 2176 3jvpp.exe 2800 8022262.exe 2284 djjdj.exe 2828 m0604.exe 2964 7xllffx.exe 2892 hbhhbb.exe 2712 8066600.exe 2664 vpvdd.exe 2688 1nnhhh.exe 2444 jpvvd.exe 1340 64426.exe 2508 4860280.exe 1840 20828.exe 1948 lxllxfl.exe 1856 bhhhbn.exe 2356 7bnbbh.exe 792 424844.exe 652 frlxlxf.exe 584 4228480.exe 1352 080060.exe 448 22408.exe 2496 vvjdj.exe 1008 rlxflff.exe 800 pdppd.exe 2980 7lxxffr.exe 3000 08060.exe 916 jvdvv.exe 2236 646626.exe 2140 02840.exe 3060 nbbhhn.exe 2028 084008.exe 2968 frflrrx.exe 2000 lxfxxrx.exe 2204 02222.exe 2516 8204484.exe 1600 808222.exe 2528 08622.exe 2116 424444.exe 2952 frxfffl.exe 2740 268806.exe 2616 m8062.exe 2292 g2242.exe 2812 606048.exe 2744 flfxfff.exe 2928 24046.exe 3064 084004.exe 2724 1nnnnn.exe 2624 042200.exe 2664 c462288.exe 1760 0844044.exe 1556 bthhhn.exe 1168 i866228.exe 3036 tnbhhh.exe 1340 1nbbbh.exe 2508 lflrxxx.exe 1412 6468880.exe 2428 pdddp.exe 1164 4842826.exe 2472 e24400.exe 1232 08406.exe 2568 fxlrxlf.exe 716 nhbbnn.exe 2972 02222.exe -
UPX packed file (signature heading missing from the extraction; the table below lists hits for yara rule `upx`, covering both the in-memory images of the chained processes and the dropped .dat files, i.e. the dropped stages are UPX-packed as well).
resource yara_rule behavioral1/memory/2280-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2280-6-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00080000000120fb-8.dat upx behavioral1/memory/1708-10-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0008000000016cc4-15.dat upx behavioral1/files/0x0009000000016ccd-24.dat upx behavioral1/memory/2800-26-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2828-41-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2176-42-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0007000000016ce8-39.dat upx behavioral1/files/0x0008000000016cd7-32.dat upx behavioral1/files/0x0007000000016cf0-48.dat upx behavioral1/memory/2964-49-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0007000000016d04-57.dat upx behavioral1/memory/2964-58-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00050000000193e6-66.dat upx behavioral1/memory/2712-68-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2712-78-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2664-80-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00050000000193f0-79.dat upx behavioral1/files/0x000500000001945c-87.dat upx behavioral1/files/0x000500000001948d-95.dat upx behavioral1/memory/2688-96-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2444-104-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00050000000194e2-105.dat upx behavioral1/files/0x000500000001958b-113.dat upx behavioral1/files/0x0009000000016ca5-121.dat upx behavioral1/files/0x00050000000195c2-129.dat upx behavioral1/memory/1840-130-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/1948-138-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral1/memory/1856-141-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00050000000195c4-140.dat upx behavioral1/memory/1948-134-0x00000000001B0000-0x00000000001D7000-memory.dmp upx behavioral1/files/0x00050000000195c6-147.dat upx behavioral1/files/0x00050000000195c7-154.dat upx behavioral1/memory/792-163-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00050000000195c8-164.dat upx behavioral1/files/0x00050000000195ca-171.dat upx behavioral1/memory/652-172-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00050000000195cc-179.dat upx behavioral1/memory/584-180-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00050000000195ce-188.dat upx behavioral1/files/0x00050000000195d0-196.dat upx behavioral1/memory/448-195-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2496-204-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00050000000195e0-203.dat upx behavioral1/memory/1008-211-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0005000000019624-212.dat upx behavioral1/files/0x0005000000019665-219.dat upx behavioral1/memory/800-220-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00050000000196a0-228.dat upx behavioral1/memory/2980-227-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0005000000019931-236.dat upx behavioral1/files/0x0005000000019bec-243.dat upx behavioral1/files/0x0005000000019bf0-250.dat upx behavioral1/memory/3000-251-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2140-258-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0005000000019bf2-259.dat upx behavioral1/files/0x0005000000019c0b-266.dat upx behavioral1/memory/2028-274-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2000-281-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral1/memory/2968-280-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2000-287-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/1600-303-0x0000000000400000-0x0000000000427000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location (here: reads of HKLM\SYSTEM\ControlSet001\Control\NLS\Language). Note: this key is also read by ordinary software and by common Windows locale APIs, so on its own it is a low-confidence indicator; the "Process not Found" entries below appear to be reads the sandbox could not attribute to a still-running process (the chained stages are short-lived), so attribute them by timing against the process tree rather than discarding them.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1lfrxxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 26884.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjpvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2400262.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8020048.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hthhtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbhbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 60284.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
u804488.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e20408.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7nnnbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 86042.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 44240.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs. Note: in every visible event the writer targets the process it has just spawned (the next link in the dropped-EXE chain: 2280 → 1708 flrrxrr.exe → 2176 3jvpp.exe → ...), with four writes per parent/child pair; no write into a pre-existing or unrelated process is shown, so this looks like the memory writes that accompany ordinary child-process creation rather than classic cross-process injection. Treat the chain itself (each stage dropping and launching the next) as the stronger signal.
description pid Process procid_target PID 2280 wrote to memory of 1708 2280 105b3cd7c45a69eba8b2b2509059e303bd969cb279d5eecfc3cba8449dc40f87.exe 30 PID 2280 wrote to memory of 1708 2280 105b3cd7c45a69eba8b2b2509059e303bd969cb279d5eecfc3cba8449dc40f87.exe 30 PID 2280 wrote to memory of 1708 2280 105b3cd7c45a69eba8b2b2509059e303bd969cb279d5eecfc3cba8449dc40f87.exe 30 PID 2280 wrote to memory of 1708 2280 105b3cd7c45a69eba8b2b2509059e303bd969cb279d5eecfc3cba8449dc40f87.exe 30 PID 1708 wrote to memory of 2176 1708 flrrxrr.exe 31 PID 1708 wrote to memory of 2176 1708 flrrxrr.exe 31 PID 1708 wrote to memory of 2176 1708 flrrxrr.exe 31 PID 1708 wrote to memory of 2176 1708 flrrxrr.exe 31 PID 2176 wrote to memory of 2800 2176 3jvpp.exe 32 PID 2176 wrote to memory of 2800 2176 3jvpp.exe 32 PID 2176 wrote to memory of 2800 2176 3jvpp.exe 32 PID 2176 wrote to memory of 2800 2176 3jvpp.exe 32 PID 2800 wrote to memory of 2284 2800 8022262.exe 33 PID 2800 wrote to memory of 2284 2800 8022262.exe 33 PID 2800 wrote to memory of 2284 2800 8022262.exe 33 PID 2800 wrote to memory of 2284 2800 8022262.exe 33 PID 2284 wrote to memory of 2828 2284 djjdj.exe 34 PID 2284 wrote to memory of 2828 2284 djjdj.exe 34 PID 2284 wrote to memory of 2828 2284 djjdj.exe 34 PID 2284 wrote to memory of 2828 2284 djjdj.exe 34 PID 2828 wrote to memory of 2964 2828 m0604.exe 35 PID 2828 wrote to memory of 2964 2828 m0604.exe 35 PID 2828 wrote to memory of 2964 2828 m0604.exe 35 PID 2828 wrote to memory of 2964 2828 m0604.exe 35 PID 2964 wrote to memory of 2892 2964 7xllffx.exe 36 PID 2964 wrote to memory of 2892 2964 7xllffx.exe 36 PID 2964 wrote to memory of 2892 2964 7xllffx.exe 36 PID 2964 wrote to memory of 2892 2964 7xllffx.exe 36 PID 2892 wrote to memory of 2712 2892 hbhhbb.exe 37 PID 2892 wrote to memory of 2712 2892 hbhhbb.exe 37 PID 2892 wrote to memory of 2712 2892 hbhhbb.exe 37 PID 2892 wrote to memory of 2712 2892 hbhhbb.exe 37 PID 2712 wrote to memory of 2664 2712 8066600.exe 38 PID 2712 
wrote to memory of 2664 2712 8066600.exe 38 PID 2712 wrote to memory of 2664 2712 8066600.exe 38 PID 2712 wrote to memory of 2664 2712 8066600.exe 38 PID 2664 wrote to memory of 2688 2664 vpvdd.exe 39 PID 2664 wrote to memory of 2688 2664 vpvdd.exe 39 PID 2664 wrote to memory of 2688 2664 vpvdd.exe 39 PID 2664 wrote to memory of 2688 2664 vpvdd.exe 39 PID 2688 wrote to memory of 2444 2688 1nnhhh.exe 40 PID 2688 wrote to memory of 2444 2688 1nnhhh.exe 40 PID 2688 wrote to memory of 2444 2688 1nnhhh.exe 40 PID 2688 wrote to memory of 2444 2688 1nnhhh.exe 40 PID 2444 wrote to memory of 1340 2444 jpvvd.exe 41 PID 2444 wrote to memory of 1340 2444 jpvvd.exe 41 PID 2444 wrote to memory of 1340 2444 jpvvd.exe 41 PID 2444 wrote to memory of 1340 2444 jpvvd.exe 41 PID 1340 wrote to memory of 2508 1340 64426.exe 42 PID 1340 wrote to memory of 2508 1340 64426.exe 42 PID 1340 wrote to memory of 2508 1340 64426.exe 42 PID 1340 wrote to memory of 2508 1340 64426.exe 42 PID 2508 wrote to memory of 1840 2508 4860280.exe 43 PID 2508 wrote to memory of 1840 2508 4860280.exe 43 PID 2508 wrote to memory of 1840 2508 4860280.exe 43 PID 2508 wrote to memory of 1840 2508 4860280.exe 43 PID 1840 wrote to memory of 1948 1840 20828.exe 44 PID 1840 wrote to memory of 1948 1840 20828.exe 44 PID 1840 wrote to memory of 1948 1840 20828.exe 44 PID 1840 wrote to memory of 1948 1840 20828.exe 44 PID 1948 wrote to memory of 1856 1948 lxllxfl.exe 45 PID 1948 wrote to memory of 1856 1948 lxllxfl.exe 45 PID 1948 wrote to memory of 1856 1948 lxllxfl.exe 45 PID 1948 wrote to memory of 1856 1948 lxllxfl.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\105b3cd7c45a69eba8b2b2509059e303bd969cb279d5eecfc3cba8449dc40f87.exe"C:\Users\Admin\AppData\Local\Temp\105b3cd7c45a69eba8b2b2509059e303bd969cb279d5eecfc3cba8449dc40f87.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2280 -
\??\c:\flrrxrr.exec:\flrrxrr.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1708 -
\??\c:\3jvpp.exec:\3jvpp.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2176 -
\??\c:\8022262.exec:\8022262.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2800 -
\??\c:\djjdj.exec:\djjdj.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2284 -
\??\c:\m0604.exec:\m0604.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2828 -
\??\c:\7xllffx.exec:\7xllffx.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2964 -
\??\c:\hbhhbb.exec:\hbhhbb.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2892 -
\??\c:\8066600.exec:\8066600.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2712 -
\??\c:\vpvdd.exec:\vpvdd.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2664 -
\??\c:\1nnhhh.exec:\1nnhhh.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2688 -
\??\c:\jpvvd.exec:\jpvvd.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2444 -
\??\c:\64426.exec:\64426.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1340 -
\??\c:\4860280.exec:\4860280.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2508 -
\??\c:\20828.exec:\20828.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1840 -
\??\c:\lxllxfl.exec:\lxllxfl.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1948 -
\??\c:\bhhhbn.exec:\bhhhbn.exe17⤵
- Executes dropped EXE
PID:1856 -
\??\c:\7bnbbh.exec:\7bnbbh.exe18⤵
- Executes dropped EXE
PID:2356 -
\??\c:\424844.exec:\424844.exe19⤵
- Executes dropped EXE
PID:792 -
\??\c:\frlxlxf.exec:\frlxlxf.exe20⤵
- Executes dropped EXE
PID:652 -
\??\c:\4228480.exec:\4228480.exe21⤵
- Executes dropped EXE
PID:584 -
\??\c:\080060.exec:\080060.exe22⤵
- Executes dropped EXE
PID:1352 -
\??\c:\22408.exec:\22408.exe23⤵
- Executes dropped EXE
PID:448 -
\??\c:\vvjdj.exec:\vvjdj.exe24⤵
- Executes dropped EXE
PID:2496 -
\??\c:\rlxflff.exec:\rlxflff.exe25⤵
- Executes dropped EXE
PID:1008 -
\??\c:\pdppd.exec:\pdppd.exe26⤵
- Executes dropped EXE
PID:800 -
\??\c:\7lxxffr.exec:\7lxxffr.exe27⤵
- Executes dropped EXE
PID:2980 -
\??\c:\08060.exec:\08060.exe28⤵
- Executes dropped EXE
PID:3000 -
\??\c:\jvdvv.exec:\jvdvv.exe29⤵
- Executes dropped EXE
PID:916 -
\??\c:\646626.exec:\646626.exe30⤵
- Executes dropped EXE
PID:2236 -
\??\c:\02840.exec:\02840.exe31⤵
- Executes dropped EXE
PID:2140 -
\??\c:\nbbhhn.exec:\nbbhhn.exe32⤵
- Executes dropped EXE
PID:3060 -
\??\c:\084008.exec:\084008.exe33⤵
- Executes dropped EXE
PID:2028 -
\??\c:\frflrrx.exec:\frflrrx.exe34⤵
- Executes dropped EXE
PID:2968 -
\??\c:\lxfxxrx.exec:\lxfxxrx.exe35⤵
- Executes dropped EXE
PID:2000 -
\??\c:\02222.exec:\02222.exe36⤵
- Executes dropped EXE
PID:2204 -
\??\c:\8204484.exec:\8204484.exe37⤵
- Executes dropped EXE
PID:2516 -
\??\c:\808222.exec:\808222.exe38⤵
- Executes dropped EXE
PID:1600 -
\??\c:\08622.exec:\08622.exe39⤵
- Executes dropped EXE
PID:2528 -
\??\c:\424444.exec:\424444.exe40⤵
- Executes dropped EXE
PID:2116 -
\??\c:\frxfffl.exec:\frxfffl.exe41⤵
- Executes dropped EXE
PID:2952 -
\??\c:\268806.exec:\268806.exe42⤵
- Executes dropped EXE
PID:2740 -
\??\c:\m8062.exec:\m8062.exe43⤵
- Executes dropped EXE
PID:2616 -
\??\c:\g2242.exec:\g2242.exe44⤵
- Executes dropped EXE
PID:2292 -
\??\c:\606048.exec:\606048.exe45⤵
- Executes dropped EXE
PID:2812 -
\??\c:\flfxfff.exec:\flfxfff.exe46⤵
- Executes dropped EXE
PID:2744 -
\??\c:\24046.exec:\24046.exe47⤵
- Executes dropped EXE
PID:2928 -
\??\c:\084004.exec:\084004.exe48⤵
- Executes dropped EXE
PID:3064 -
\??\c:\1nnnnn.exec:\1nnnnn.exe49⤵
- Executes dropped EXE
PID:2724 -
\??\c:\042200.exec:\042200.exe50⤵
- Executes dropped EXE
PID:2624 -
\??\c:\c462288.exec:\c462288.exe51⤵
- Executes dropped EXE
PID:2664 -
\??\c:\0844044.exec:\0844044.exe52⤵
- Executes dropped EXE
PID:1760 -
\??\c:\bthhhn.exec:\bthhhn.exe53⤵
- Executes dropped EXE
PID:1556 -
\??\c:\i866228.exec:\i866228.exe54⤵
- Executes dropped EXE
PID:1168 -
\??\c:\tnbhhh.exec:\tnbhhh.exe55⤵
- Executes dropped EXE
PID:3036 -
\??\c:\1nbbbh.exec:\1nbbbh.exe56⤵
- Executes dropped EXE
PID:1340 -
\??\c:\lflrxxx.exec:\lflrxxx.exe57⤵
- Executes dropped EXE
PID:2508 -
\??\c:\6468880.exec:\6468880.exe58⤵
- Executes dropped EXE
PID:1412 -
\??\c:\pdddp.exec:\pdddp.exe59⤵
- Executes dropped EXE
PID:2428 -
\??\c:\4842826.exec:\4842826.exe60⤵
- Executes dropped EXE
PID:1164 -
\??\c:\e24400.exec:\e24400.exe61⤵
- Executes dropped EXE
PID:2472 -
\??\c:\08406.exec:\08406.exe62⤵
- Executes dropped EXE
PID:1232 -
\??\c:\fxlrxlf.exec:\fxlrxlf.exe63⤵
- Executes dropped EXE
PID:2568 -
\??\c:\nhbbnn.exec:\nhbbnn.exe64⤵
- Executes dropped EXE
PID:716 -
\??\c:\02222.exec:\02222.exe65⤵
- Executes dropped EXE
PID:2972 -
\??\c:\nhnntn.exec:\nhnntn.exe66⤵PID:1816
-
\??\c:\fxrrlxx.exec:\fxrrlxx.exe67⤵PID:1868
-
\??\c:\c848044.exec:\c848044.exe68⤵PID:2344
-
\??\c:\426646.exec:\426646.exe69⤵PID:1980
-
\??\c:\200008.exec:\200008.exe70⤵PID:1152
-
\??\c:\7jppp.exec:\7jppp.exe71⤵PID:2492
-
\??\c:\nbhnbb.exec:\nbhnbb.exe72⤵PID:1608
-
\??\c:\lxfffrx.exec:\lxfffrx.exe73⤵PID:2504
-
\??\c:\pdjpj.exec:\pdjpj.exe74⤵PID:1376
-
\??\c:\624220.exec:\624220.exe75⤵PID:1568
-
\??\c:\flrrrll.exec:\flrrrll.exe76⤵PID:928
-
\??\c:\m4000.exec:\m4000.exe77⤵PID:1572
-
\??\c:\86822.exec:\86822.exe78⤵PID:960
-
\??\c:\u404482.exec:\u404482.exe79⤵PID:2416
-
\??\c:\rfxllfl.exec:\rfxllfl.exe80⤵PID:2488
-
\??\c:\808404.exec:\808404.exe81⤵PID:2168
-
\??\c:\6806666.exec:\6806666.exe82⤵PID:2316
-
\??\c:\w84060.exec:\w84060.exe83⤵PID:2208
-
\??\c:\xrffrrr.exec:\xrffrrr.exe84⤵PID:1500
-
\??\c:\868866.exec:\868866.exe85⤵PID:2044
-
\??\c:\42828.exec:\42828.exe86⤵PID:2000
-
\??\c:\nbbnhb.exec:\nbbnhb.exe87⤵PID:1708
-
\??\c:\0226222.exec:\0226222.exe88⤵PID:556
-
\??\c:\rflllfl.exec:\rflllfl.exe89⤵PID:2704
-
\??\c:\thnttt.exec:\thnttt.exe90⤵PID:1284
-
\??\c:\08602.exec:\08602.exe91⤵PID:2876
-
\??\c:\3fxxfxl.exec:\3fxxfxl.exe92⤵PID:2808
-
\??\c:\frxxfff.exec:\frxxfff.exe93⤵PID:2720
-
\??\c:\htnhnh.exec:\htnhnh.exe94⤵PID:2828
-
\??\c:\84644.exec:\84644.exe95⤵PID:2764
-
\??\c:\042800.exec:\042800.exe96⤵PID:2772
-
\??\c:\e20408.exec:\e20408.exe97⤵
- System Location Discovery: System Language Discovery
PID:2728 -
\??\c:\642288.exec:\642288.exe98⤵PID:2844
-
\??\c:\7xfxlff.exec:\7xfxlff.exe99⤵PID:2656
-
\??\c:\642844.exec:\642844.exe100⤵PID:2608
-
\??\c:\hntthb.exec:\hntthb.exe101⤵PID:3044
-
\??\c:\u066002.exec:\u066002.exe102⤵PID:2612
-
\??\c:\8020048.exec:\8020048.exe103⤵
- System Location Discovery: System Language Discovery
PID:860 -
\??\c:\266284.exec:\266284.exe104⤵PID:2444
-
\??\c:\686482.exec:\686482.exe105⤵PID:1812
-
\??\c:\u060004.exec:\u060004.exe106⤵PID:2940
-
\??\c:\42802.exec:\42802.exe107⤵PID:2936
-
\??\c:\o202846.exec:\o202846.exe108⤵PID:2164
-
\??\c:\0800628.exec:\0800628.exe109⤵PID:1940
-
\??\c:\268800.exec:\268800.exe110⤵PID:2008
-
\??\c:\0866628.exec:\0866628.exe111⤵PID:2376
-
\??\c:\7thhhh.exec:\7thhhh.exe112⤵PID:1928
-
\??\c:\4862406.exec:\4862406.exe113⤵PID:2120
-
\??\c:\dvppd.exec:\dvppd.exe114⤵PID:1640
-
\??\c:\q68888.exec:\q68888.exe115⤵PID:604
-
\??\c:\9dvjp.exec:\9dvjp.exe116⤵PID:652
-
\??\c:\2028606.exec:\2028606.exe117⤵PID:1176
-
\??\c:\nbhhnb.exec:\nbhhnb.exe118⤵PID:1604
-
\??\c:\dvjvj.exec:\dvjvj.exe119⤵PID:2084
-
\??\c:\7ttttb.exec:\7ttttb.exe120⤵PID:2340
-
\??\c:\48286.exec:\48286.exe121⤵PID:272
-
\??\c:\420628.exec:\420628.exe122⤵PID:1796