Analysis
-
max time kernel
120s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20241023-en -
resource tags
arch:x64 arch:x86 image:win7-20241023-en locale:en-us os:windows7-x64 system -
submitted
25-12-2024 16:49
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
805c064fbac273e844a0ff2f36db59cca8121e4fb83f12d4f78b17fe9c3a038fN.exe
Resource
win7-20241023-en
windows7-x64
7 signatures
120 seconds
General
-
Target
805c064fbac273e844a0ff2f36db59cca8121e4fb83f12d4f78b17fe9c3a038fN.exe
-
Size
453KB
-
MD5
9cd837c44820eacae660047c82ce1fb0
-
SHA1
833e809c1e7d0ad910cc431b5d8669ebc320195e
-
SHA256
805c064fbac273e844a0ff2f36db59cca8121e4fb83f12d4f78b17fe9c3a038f
-
SHA512
47c5ec0797469e94559b9c6e803eb489abf807330f897951010c52875357969cb7bf096227ebd99b7b94d84c4590cd0c27fc8994e29668dc34c6a8d2f1890c32
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeB:q7Tc2NYHUrAwfMp3CDB
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload — 50 IoCs. The rule matches the same 0x0000000000400000–0x000000000042A000 range in each of the dropped processes, and the UPX rule below fires on the same ranges, which suggests every dropped executable is the same packed binary; confirm by comparing hashes of the dropped files.
resource yara_rule behavioral1/memory/2608-10-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2092-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2384-27-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2324-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2984-41-0x0000000000430000-0x000000000045A000-memory.dmp family_blackmoon behavioral1/memory/2984-46-0x0000000000430000-0x000000000045A000-memory.dmp family_blackmoon behavioral1/memory/2984-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1156-57-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2776-68-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2856-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2828-79-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2828-85-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2736-87-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2764-105-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2712-107-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2764-103-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1784-126-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2008-140-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/288-149-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2748-166-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2636-176-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2084-185-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2228-193-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1488-198-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2228-196-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1488-201-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/896-216-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/656-263-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/876-296-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1668-303-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1988-316-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2908-374-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/856-439-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1764-450-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2688-463-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2972-475-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/884-537-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2504-549-0x00000000002B0000-0x00000000002DA000-memory.dmp family_blackmoon behavioral1/memory/2504-551-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2684-648-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2884-675-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1812-701-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2116-744-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2228-763-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1312-802-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2260-864-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2748-1008-0x0000000001C80000-0x0000000001CAA000-memory.dmp family_blackmoon behavioral1/memory/2176-1034-0x0000000000250000-0x000000000027A000-memory.dmp family_blackmoon behavioral1/memory/1748-1083-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2244-1314-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE — 64 IoCs (only the first 64 are listed here). Per the process tree below, each dropped binary launches the next, forming a chain that reaches more than 120 nested processes before the 120-second run ends.
pid Process 2608 rxrlxrr.exe 2384 042284.exe 2324 78286.exe 2984 84688.exe 1156 m2002.exe 2856 rffflrx.exe 2776 86880.exe 2828 jvjjp.exe 2736 tthhtn.exe 2764 420628.exe 2712 c026662.exe 980 fxlxflx.exe 1784 frrlrrl.exe 2008 9lrrrrf.exe 288 6084668.exe 1692 dvdjv.exe 2748 jdpdp.exe 2636 vpdpd.exe 2084 q02422.exe 2228 0866684.exe 1488 60808.exe 1260 rxlxlrl.exe 896 0424668.exe 1724 lfxlxxl.exe 1312 88280.exe 1748 jvjpv.exe 1804 dpvvd.exe 656 8262664.exe 3032 llxfxxl.exe 340 606844.exe 1336 4608002.exe 876 hbhbhh.exe 1668 nhtbhh.exe 2568 k40206.exe 1988 266680.exe 2004 ddvdp.exe 2604 fxxfrrr.exe 2212 xllxrrr.exe 3068 640240.exe 2760 2688284.exe 2844 0466286.exe 2800 820680.exe 2896 864422.exe 2908 pjjpv.exe 2936 7bbbbb.exe 2672 5rlrflr.exe 2660 5rffrxx.exe 2724 08602.exe 2040 82064.exe 2052 20222.exe 980 o828668.exe 2548 5ntbnn.exe 380 7jjjp.exe 1280 6084668.exe 856 g0424.exe 1764 rlrrlrx.exe 1292 0846884.exe 2688 82002.exe 2636 fxfxxxx.exe 2972 6040880.exe 2124 fffrffx.exe 2956 rfrxflx.exe 2076 8206886.exe 1800 xfrlffl.exe -
resource yara_rule behavioral1/memory/2608-10-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2092-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2324-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2384-27-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2324-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2984-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1156-57-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2776-68-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2856-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2828-85-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2736-87-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2736-94-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2764-105-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2712-107-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1784-126-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2008-140-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2748-167-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2748-166-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2636-176-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2084-185-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1488-198-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2228-196-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/896-216-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/656-263-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/876-296-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1668-303-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1988-316-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3068-335-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2844-348-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2908-374-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2724-393-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/380-424-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2688-463-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/884-537-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2504-551-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2684-648-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2648-661-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2884-675-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/556-688-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1812-701-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2116-744-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1568-764-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2228-763-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/632-771-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1312-802-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2260-857-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2356-937-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2672-944-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2700-957-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/340-1108-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2692-1229-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2244-1314-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1984-1339-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery — 1 TTP, 64 IoCs
Attempts to gather information about the system language of the victim in order to infer the geographical location of that host. The IoC is a read of HKLM\SYSTEM\ControlSet001\Control\NLS\Language; this key is also read by benign software, so treat it as a weak indicator on its own. Entries labelled "Process not Found" are ones where the sandbox could not map the PID back to a process name, presumably because that process had already exited.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1tnnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5thhnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjvdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language u022262.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xfffflf.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 864068.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language i266846.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxllfff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7jjdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnbhtb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8684666.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfrxxfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2422446.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvddj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhhhnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjjpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrrxrrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4424020.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language s4242.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppdpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language g4262.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 420628.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 60068.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory — 64 IoCs (only the first 64 are listed here). Every entry is a parent writing into the child it has just spawned, four times per pair; this pattern is consistent with ordinary process creation and is not by itself evidence of code injection. The signature is notable here mainly because of the depth of the spawn chain.
description pid Process procid_target PID 2092 wrote to memory of 2608 2092 805c064fbac273e844a0ff2f36db59cca8121e4fb83f12d4f78b17fe9c3a038fN.exe 30 PID 2092 wrote to memory of 2608 2092 805c064fbac273e844a0ff2f36db59cca8121e4fb83f12d4f78b17fe9c3a038fN.exe 30 PID 2092 wrote to memory of 2608 2092 805c064fbac273e844a0ff2f36db59cca8121e4fb83f12d4f78b17fe9c3a038fN.exe 30 PID 2092 wrote to memory of 2608 2092 805c064fbac273e844a0ff2f36db59cca8121e4fb83f12d4f78b17fe9c3a038fN.exe 30 PID 2608 wrote to memory of 2384 2608 rxrlxrr.exe 31 PID 2608 wrote to memory of 2384 2608 rxrlxrr.exe 31 PID 2608 wrote to memory of 2384 2608 rxrlxrr.exe 31 PID 2608 wrote to memory of 2384 2608 rxrlxrr.exe 31 PID 2384 wrote to memory of 2324 2384 042284.exe 32 PID 2384 wrote to memory of 2324 2384 042284.exe 32 PID 2384 wrote to memory of 2324 2384 042284.exe 32 PID 2384 wrote to memory of 2324 2384 042284.exe 32 PID 2324 wrote to memory of 2984 2324 78286.exe 33 PID 2324 wrote to memory of 2984 2324 78286.exe 33 PID 2324 wrote to memory of 2984 2324 78286.exe 33 PID 2324 wrote to memory of 2984 2324 78286.exe 33 PID 2984 wrote to memory of 1156 2984 84688.exe 34 PID 2984 wrote to memory of 1156 2984 84688.exe 34 PID 2984 wrote to memory of 1156 2984 84688.exe 34 PID 2984 wrote to memory of 1156 2984 84688.exe 34 PID 1156 wrote to memory of 2856 1156 m2002.exe 35 PID 1156 wrote to memory of 2856 1156 m2002.exe 35 PID 1156 wrote to memory of 2856 1156 m2002.exe 35 PID 1156 wrote to memory of 2856 1156 m2002.exe 35 PID 2856 wrote to memory of 2776 2856 rffflrx.exe 36 PID 2856 wrote to memory of 2776 2856 rffflrx.exe 36 PID 2856 wrote to memory of 2776 2856 rffflrx.exe 36 PID 2856 wrote to memory of 2776 2856 rffflrx.exe 36 PID 2776 wrote to memory of 2828 2776 86880.exe 37 PID 2776 wrote to memory of 2828 2776 86880.exe 37 PID 2776 wrote to memory of 2828 2776 86880.exe 37 PID 2776 wrote to memory of 2828 2776 86880.exe 37 PID 2828 wrote to memory of 2736 2828 jvjjp.exe 38 PID 2828 wrote to 
memory of 2736 2828 jvjjp.exe 38 PID 2828 wrote to memory of 2736 2828 jvjjp.exe 38 PID 2828 wrote to memory of 2736 2828 jvjjp.exe 38 PID 2736 wrote to memory of 2764 2736 tthhtn.exe 39 PID 2736 wrote to memory of 2764 2736 tthhtn.exe 39 PID 2736 wrote to memory of 2764 2736 tthhtn.exe 39 PID 2736 wrote to memory of 2764 2736 tthhtn.exe 39 PID 2764 wrote to memory of 2712 2764 420628.exe 40 PID 2764 wrote to memory of 2712 2764 420628.exe 40 PID 2764 wrote to memory of 2712 2764 420628.exe 40 PID 2764 wrote to memory of 2712 2764 420628.exe 40 PID 2712 wrote to memory of 980 2712 c026662.exe 41 PID 2712 wrote to memory of 980 2712 c026662.exe 41 PID 2712 wrote to memory of 980 2712 c026662.exe 41 PID 2712 wrote to memory of 980 2712 c026662.exe 41 PID 980 wrote to memory of 1784 980 fxlxflx.exe 42 PID 980 wrote to memory of 1784 980 fxlxflx.exe 42 PID 980 wrote to memory of 1784 980 fxlxflx.exe 42 PID 980 wrote to memory of 1784 980 fxlxflx.exe 42 PID 1784 wrote to memory of 2008 1784 frrlrrl.exe 43 PID 1784 wrote to memory of 2008 1784 frrlrrl.exe 43 PID 1784 wrote to memory of 2008 1784 frrlrrl.exe 43 PID 1784 wrote to memory of 2008 1784 frrlrrl.exe 43 PID 2008 wrote to memory of 288 2008 9lrrrrf.exe 44 PID 2008 wrote to memory of 288 2008 9lrrrrf.exe 44 PID 2008 wrote to memory of 288 2008 9lrrrrf.exe 44 PID 2008 wrote to memory of 288 2008 9lrrrrf.exe 44 PID 288 wrote to memory of 1692 288 6084668.exe 45 PID 288 wrote to memory of 1692 288 6084668.exe 45 PID 288 wrote to memory of 1692 288 6084668.exe 45 PID 288 wrote to memory of 1692 288 6084668.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\805c064fbac273e844a0ff2f36db59cca8121e4fb83f12d4f78b17fe9c3a038fN.exe"C:\Users\Admin\AppData\Local\Temp\805c064fbac273e844a0ff2f36db59cca8121e4fb83f12d4f78b17fe9c3a038fN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2092 -
\??\c:\rxrlxrr.exec:\rxrlxrr.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2608 -
\??\c:\042284.exec:\042284.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2384 -
\??\c:\78286.exec:\78286.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2324 -
\??\c:\84688.exec:\84688.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2984 -
\??\c:\m2002.exec:\m2002.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1156 -
\??\c:\rffflrx.exec:\rffflrx.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2856 -
\??\c:\86880.exec:\86880.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2776 -
\??\c:\jvjjp.exec:\jvjjp.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2828 -
\??\c:\tthhtn.exec:\tthhtn.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2736 -
\??\c:\420628.exec:\420628.exe11⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2764 -
\??\c:\c026662.exec:\c026662.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2712 -
\??\c:\fxlxflx.exec:\fxlxflx.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:980 -
\??\c:\frrlrrl.exec:\frrlrrl.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1784 -
\??\c:\9lrrrrf.exec:\9lrrrrf.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2008 -
\??\c:\6084668.exec:\6084668.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:288 -
\??\c:\dvdjv.exec:\dvdjv.exe17⤵
- Executes dropped EXE
PID:1692 -
\??\c:\jdpdp.exec:\jdpdp.exe18⤵
- Executes dropped EXE
PID:2748 -
\??\c:\vpdpd.exec:\vpdpd.exe19⤵
- Executes dropped EXE
PID:2636 -
\??\c:\q02422.exec:\q02422.exe20⤵
- Executes dropped EXE
PID:2084 -
\??\c:\0866684.exec:\0866684.exe21⤵
- Executes dropped EXE
PID:2228 -
\??\c:\60808.exec:\60808.exe22⤵
- Executes dropped EXE
PID:1488 -
\??\c:\rxlxlrl.exec:\rxlxlrl.exe23⤵
- Executes dropped EXE
PID:1260 -
\??\c:\0424668.exec:\0424668.exe24⤵
- Executes dropped EXE
PID:896 -
\??\c:\lfxlxxl.exec:\lfxlxxl.exe25⤵
- Executes dropped EXE
PID:1724 -
\??\c:\88280.exec:\88280.exe26⤵
- Executes dropped EXE
PID:1312 -
\??\c:\jvjpv.exec:\jvjpv.exe27⤵
- Executes dropped EXE
PID:1748 -
\??\c:\dpvvd.exec:\dpvvd.exe28⤵
- Executes dropped EXE
PID:1804 -
\??\c:\8262664.exec:\8262664.exe29⤵
- Executes dropped EXE
PID:656 -
\??\c:\llxfxxl.exec:\llxfxxl.exe30⤵
- Executes dropped EXE
PID:3032 -
\??\c:\606844.exec:\606844.exe31⤵
- Executes dropped EXE
PID:340 -
\??\c:\4608002.exec:\4608002.exe32⤵
- Executes dropped EXE
PID:1336 -
\??\c:\hbhbhh.exec:\hbhbhh.exe33⤵
- Executes dropped EXE
PID:876 -
\??\c:\nhtbhh.exec:\nhtbhh.exe34⤵
- Executes dropped EXE
PID:1668 -
\??\c:\k40206.exec:\k40206.exe35⤵
- Executes dropped EXE
PID:2568 -
\??\c:\266680.exec:\266680.exe36⤵
- Executes dropped EXE
PID:1988 -
\??\c:\ddvdp.exec:\ddvdp.exe37⤵
- Executes dropped EXE
PID:2004 -
\??\c:\fxxfrrr.exec:\fxxfrrr.exe38⤵
- Executes dropped EXE
PID:2604 -
\??\c:\xllxrrr.exec:\xllxrrr.exe39⤵
- Executes dropped EXE
PID:2212 -
\??\c:\640240.exec:\640240.exe40⤵
- Executes dropped EXE
PID:3068 -
\??\c:\2688284.exec:\2688284.exe41⤵
- Executes dropped EXE
PID:2760 -
\??\c:\0466286.exec:\0466286.exe42⤵
- Executes dropped EXE
PID:2844 -
\??\c:\820680.exec:\820680.exe43⤵
- Executes dropped EXE
PID:2800 -
\??\c:\864422.exec:\864422.exe44⤵
- Executes dropped EXE
PID:2896 -
\??\c:\pjjpv.exec:\pjjpv.exe45⤵
- Executes dropped EXE
PID:2908 -
\??\c:\7bbbbb.exec:\7bbbbb.exe46⤵
- Executes dropped EXE
PID:2936 -
\??\c:\5rlrflr.exec:\5rlrflr.exe47⤵
- Executes dropped EXE
PID:2672 -
\??\c:\5rffrxx.exec:\5rffrxx.exe48⤵
- Executes dropped EXE
PID:2660 -
\??\c:\08602.exec:\08602.exe49⤵
- Executes dropped EXE
PID:2724 -
\??\c:\82064.exec:\82064.exe50⤵
- Executes dropped EXE
PID:2040 -
\??\c:\20222.exec:\20222.exe51⤵
- Executes dropped EXE
PID:2052 -
\??\c:\o828668.exec:\o828668.exe52⤵
- Executes dropped EXE
PID:980 -
\??\c:\5ntbnn.exec:\5ntbnn.exe53⤵
- Executes dropped EXE
PID:2548 -
\??\c:\7jjjp.exec:\7jjjp.exe54⤵
- Executes dropped EXE
PID:380 -
\??\c:\6084668.exec:\6084668.exe55⤵
- Executes dropped EXE
PID:1280 -
\??\c:\g0424.exec:\g0424.exe56⤵
- Executes dropped EXE
PID:856 -
\??\c:\rlrrlrx.exec:\rlrrlrx.exe57⤵
- Executes dropped EXE
PID:1764 -
\??\c:\0846884.exec:\0846884.exe58⤵
- Executes dropped EXE
PID:1292 -
\??\c:\82002.exec:\82002.exe59⤵
- Executes dropped EXE
PID:2688 -
\??\c:\fxfxxxx.exec:\fxfxxxx.exe60⤵
- Executes dropped EXE
PID:2636 -
\??\c:\6040880.exec:\6040880.exe61⤵
- Executes dropped EXE
PID:2972 -
\??\c:\fffrffx.exec:\fffrffx.exe62⤵
- Executes dropped EXE
PID:2124 -
\??\c:\rfrxflx.exec:\rfrxflx.exe63⤵
- Executes dropped EXE
PID:2956 -
\??\c:\8206886.exec:\8206886.exe64⤵
- Executes dropped EXE
PID:2076 -
\??\c:\xfrlffl.exec:\xfrlffl.exe65⤵
- Executes dropped EXE
PID:1800 -
\??\c:\62266.exec:\62266.exe66⤵PID:2396
-
\??\c:\vjdvj.exec:\vjdvj.exe67⤵PID:2624
-
\??\c:\tnthnt.exec:\tnthnt.exe68⤵PID:2348
-
\??\c:\hbhhnn.exec:\hbhhnn.exe69⤵PID:492
-
\??\c:\4262064.exec:\4262064.exe70⤵PID:1036
-
\??\c:\ffxlxrx.exec:\ffxlxrx.exe71⤵PID:1560
-
\??\c:\s0688.exec:\s0688.exe72⤵PID:884
-
\??\c:\a2608.exec:\a2608.exe73⤵PID:2504
-
\??\c:\466224.exec:\466224.exe74⤵PID:956
-
\??\c:\llflrfr.exec:\llflrfr.exe75⤵PID:988
-
\??\c:\42620.exec:\42620.exe76⤵PID:2444
-
\??\c:\820400.exec:\820400.exe77⤵PID:1520
-
\??\c:\q22024.exec:\q22024.exe78⤵PID:876
-
\??\c:\8266886.exec:\8266886.exe79⤵PID:1584
-
\??\c:\6462068.exec:\6462068.exe80⤵PID:2064
-
\??\c:\4026482.exec:\4026482.exe81⤵PID:2580
-
\??\c:\vpjdp.exec:\vpjdp.exe82⤵PID:2552
-
\??\c:\g8280.exec:\g8280.exe83⤵PID:2728
-
\??\c:\1rffrxl.exec:\1rffrxl.exe84⤵PID:2480
-
\??\c:\5flrxll.exec:\5flrxll.exe85⤵PID:592
-
\??\c:\6088402.exec:\6088402.exe86⤵PID:2868
-
\??\c:\pjdjp.exec:\pjdjp.exe87⤵PID:2876
-
\??\c:\4480420.exec:\4480420.exe88⤵PID:2864
-
\??\c:\e26240.exec:\e26240.exe89⤵PID:2808
-
\??\c:\82060.exec:\82060.exe90⤵PID:2684
-
\??\c:\22624.exec:\22624.exe91⤵PID:2816
-
\??\c:\vpjjp.exec:\vpjjp.exe92⤵PID:2648
-
\??\c:\4828062.exec:\4828062.exe93⤵PID:2884
-
\??\c:\8688446.exec:\8688446.exe94⤵PID:2328
-
\??\c:\btthbh.exec:\btthbh.exe95⤵PID:2692
-
\??\c:\4862806.exec:\4862806.exe96⤵PID:556
-
\??\c:\860688.exec:\860688.exe97⤵PID:1916
-
\??\c:\bhhntt.exec:\bhhntt.exe98⤵PID:1812
-
\??\c:\frxxxxl.exec:\frxxxxl.exe99⤵PID:2008
-
\??\c:\826282.exec:\826282.exe100⤵PID:1144
-
\??\c:\dvjpv.exec:\dvjpv.exe101⤵PID:1904
-
\??\c:\486048.exec:\486048.exe102⤵PID:2752
-
\??\c:\bttbnh.exec:\bttbnh.exe103⤵PID:2708
-
\??\c:\08668.exec:\08668.exe104⤵PID:2116
-
\??\c:\080622.exec:\080622.exe105⤵PID:2744
-
\??\c:\q64402.exec:\q64402.exe106⤵PID:572
-
\??\c:\8606880.exec:\8606880.exe107⤵PID:2228
-
\??\c:\jddpv.exec:\jddpv.exe108⤵PID:1568
-
\??\c:\3ntttn.exec:\3ntttn.exe109⤵PID:632
-
\??\c:\8688440.exec:\8688440.exe110⤵PID:1960
-
\??\c:\4822884.exec:\4822884.exe111⤵PID:2600
-
\??\c:\22220.exec:\22220.exe112⤵PID:2044
-
\??\c:\s6446.exec:\s6446.exe113⤵PID:2240
-
\??\c:\08006.exec:\08006.exe114⤵PID:1312
-
\??\c:\ttnhbh.exec:\ttnhbh.exe115⤵PID:1776
-
\??\c:\jdpjv.exec:\jdpjv.exe116⤵PID:584
-
\??\c:\e04066.exec:\e04066.exe117⤵PID:2484
-
\??\c:\xxxfxff.exec:\xxxfxff.exe118⤵PID:2192
-
\??\c:\3nbhhb.exec:\3nbhhb.exe119⤵PID:1532
-
\??\c:\nnhhnt.exec:\nnhhnt.exe120⤵PID:2440
-
\??\c:\60860.exec:\60860.exe121⤵PID:1652
-
\??\c:\60442.exec:\60442.exe122⤵PID:2152