Analysis
-
max time kernel
120s -
max time network
17s -
platform
windows7_x64 -
resource
win7-20241023-en -
resource tags
arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system -
submitted
25-12-2024 19:54
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
6cb6269fe9c95f30a85b4fe348698f3db7721ac31c6c22a4714e6b25091b154cN.exe
Resource
win7-20241023-en
windows7-x64
7 signatures
120 seconds
General
-
Target
6cb6269fe9c95f30a85b4fe348698f3db7721ac31c6c22a4714e6b25091b154cN.exe
-
Size
456KB
-
MD5
9dd26fc3e2915f9f302bcde5f3f1e760
-
SHA1
7a03430ac573d329b8ec6d7d33bf21c921a960e9
-
SHA256
6cb6269fe9c95f30a85b4fe348698f3db7721ac31c6c22a4714e6b25091b154c
-
SHA512
c08ecc7535aceabcd954e2548ea8a52f40ce52adb9adb53a242a7e94851e2e0394439d9d5659429e00f0a2d72808d7d2f50b39b5f01e8b44a0b5597723542c37
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeRv:q7Tc2NYHUrAwfMp3CDRv
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 41 IoCs
resource yara_rule behavioral1/memory/2672-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3000-28-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2800-38-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2912-46-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2996-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2032-149-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3052-185-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2160-195-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2408-256-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2792-311-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2176-390-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/968-471-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2596-510-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1668-599-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2680-656-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2020-891-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/788-941-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/848-990-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2608-1240-0x00000000003D0000-0x00000000003FA000-memory.dmp family_blackmoon behavioral1/memory/2012-1295-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/960-1189-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2936-1041-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/1796-904-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2748-834-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/376-619-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/296-531-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1764-453-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1688-363-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2844-332-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2976-324-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1536-299-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2508-264-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2224-247-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1836-212-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2300-197-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1260-175-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1248-129-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2764-104-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2748-94-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2728-75-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2836-57-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1668 4862402.exe 3000 868866.exe 2800 rlxxffr.exe 2912 s0402.exe 2836 dvvvp.exe 2996 5thnhb.exe 2728 nbnhbb.exe 2760 pdpdd.exe 2748 c028664.exe 2764 bthhhb.exe 376 s8444.exe 2008 rflxxrx.exe 1248 680023t.exe 2376 02006.exe 2032 5rxfllr.exe 1564 e68266.exe 2680 rlfxffl.exe 1260 m4262.exe 3052 e26426.exe 2160 c862424.exe 2300 vvpjv.exe 1836 64686.exe 1368 9jpjv.exe 1572 60846.exe 1480 0862446.exe 2224 9fllxfl.exe 2408 bttthn.exe 2508 llxrxfl.exe 2404 1nbbnn.exe 900 0244000.exe 1612 648844.exe 1536 m0606.exe 2380 lxlrxxf.exe 2792 hbhhtt.exe 2820 tnbhhn.exe 2976 pjvdj.exe 2844 bbnbhh.exe 2732 btbbhh.exe 2928 fxlrllx.exe 2736 082840.exe 2220 lxllrrx.exe 1688 0804602.exe 1116 dpjpd.exe 1484 u022828.exe 1588 64224.exe 1216 08228.exe 2176 e02204.exe 1664 c460040.exe 2384 btbhhh.exe 1744 pdpvd.exe 2952 dvjvd.exe 2208 246022.exe 328 nhtttt.exe 2256 ththnh.exe 2432 vjpvd.exe 1764 vpvvp.exe 1552 642688.exe 3016 pjvvd.exe 968 7lrrxxf.exe 772 nhhhnt.exe 1708 vjdjv.exe 2344 rlxxfff.exe 692 tthhnn.exe 1444 xlxlrrr.exe -
resource yara_rule behavioral1/memory/2672-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1668-9-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3000-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2800-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2800-38-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2912-46-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2996-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2032-149-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3052-185-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2160-195-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2408-256-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2792-311-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1216-383-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2176-390-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/968-471-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2596-510-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2108-517-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2680-656-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2020-891-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2980-1054-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1976-1110-0x00000000001B0000-0x00000000001DA000-memory.dmp upx behavioral1/memory/2800-1297-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/960-1189-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2720-1061-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2936-1041-0x00000000003B0000-0x00000000003DA000-memory.dmp upx behavioral1/memory/944-712-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1684-625-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/376-619-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1648-532-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/296-531-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1764-453-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1688-363-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2732-333-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2844-332-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2844-325-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2976-324-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1536-299-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2508-264-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2224-247-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1836-212-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2300-197-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1260-175-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1248-129-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2764-104-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2748-94-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2728-75-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2836-57-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim host (here by opening the NLS\Language registry key) in order to infer that host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3rffxxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4606446.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdjjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1pddj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language k08200.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tthhtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3vjdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5btntt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
486666.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfxlxfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 660024.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 48668.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjdjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9hntbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7pdjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3rrfllx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1vjpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 468640.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4828446.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2672 wrote to memory of 1668 2672 6cb6269fe9c95f30a85b4fe348698f3db7721ac31c6c22a4714e6b25091b154cN.exe 109 PID 2672 wrote to memory of 1668 2672 6cb6269fe9c95f30a85b4fe348698f3db7721ac31c6c22a4714e6b25091b154cN.exe 109 PID 2672 wrote to memory of 1668 2672 6cb6269fe9c95f30a85b4fe348698f3db7721ac31c6c22a4714e6b25091b154cN.exe 109 PID 2672 wrote to memory of 1668 2672 6cb6269fe9c95f30a85b4fe348698f3db7721ac31c6c22a4714e6b25091b154cN.exe 109 PID 1668 wrote to memory of 3000 1668 4862402.exe 32 PID 1668 wrote to memory of 3000 1668 4862402.exe 32 PID 1668 wrote to memory of 3000 1668 4862402.exe 32 PID 1668 wrote to memory of 3000 1668 4862402.exe 32 PID 3000 wrote to memory of 2800 3000 868866.exe 222 PID 3000 wrote to memory of 2800 3000 868866.exe 222 PID 3000 wrote to memory of 2800 3000 868866.exe 222 PID 3000 wrote to memory of 2800 3000 868866.exe 222 PID 2800 wrote to memory of 2912 2800 rlxxffr.exe 34 PID 2800 wrote to memory of 2912 2800 rlxxffr.exe 34 PID 2800 wrote to memory of 2912 2800 rlxxffr.exe 34 PID 2800 wrote to memory of 2912 2800 rlxxffr.exe 34 PID 2912 wrote to memory of 2836 2912 s0402.exe 224 PID 2912 wrote to memory of 2836 2912 s0402.exe 224 PID 2912 wrote to memory of 2836 2912 s0402.exe 224 PID 2912 wrote to memory of 2836 2912 s0402.exe 224 PID 2836 wrote to memory of 2996 2836 dvvvp.exe 36 PID 2836 wrote to memory of 2996 2836 dvvvp.exe 36 PID 2836 wrote to memory of 2996 2836 dvvvp.exe 36 PID 2836 wrote to memory of 2996 2836 dvvvp.exe 36 PID 2996 wrote to memory of 2728 2996 5thnhb.exe 37 PID 2996 wrote to memory of 2728 2996 5thnhb.exe 37 PID 2996 wrote to memory of 2728 2996 5thnhb.exe 37 PID 2996 wrote to memory of 2728 2996 5thnhb.exe 37 PID 2728 wrote to memory of 2760 2728 nbnhbb.exe 38 PID 2728 wrote to memory of 2760 2728 nbnhbb.exe 38 PID 2728 wrote to memory of 2760 2728 nbnhbb.exe 38 PID 2728 wrote to memory of 2760 2728 nbnhbb.exe 38 PID 2760 wrote to memory of 2748 2760 pdpdd.exe 
39 PID 2760 wrote to memory of 2748 2760 pdpdd.exe 39 PID 2760 wrote to memory of 2748 2760 pdpdd.exe 39 PID 2760 wrote to memory of 2748 2760 pdpdd.exe 39 PID 2748 wrote to memory of 2764 2748 c028664.exe 40 PID 2748 wrote to memory of 2764 2748 c028664.exe 40 PID 2748 wrote to memory of 2764 2748 c028664.exe 40 PID 2748 wrote to memory of 2764 2748 c028664.exe 40 PID 2764 wrote to memory of 376 2764 bthhhb.exe 41 PID 2764 wrote to memory of 376 2764 bthhhb.exe 41 PID 2764 wrote to memory of 376 2764 bthhhb.exe 41 PID 2764 wrote to memory of 376 2764 bthhhb.exe 41 PID 376 wrote to memory of 2008 376 s8444.exe 42 PID 376 wrote to memory of 2008 376 s8444.exe 42 PID 376 wrote to memory of 2008 376 s8444.exe 42 PID 376 wrote to memory of 2008 376 s8444.exe 42 PID 2008 wrote to memory of 1248 2008 rflxxrx.exe 43 PID 2008 wrote to memory of 1248 2008 rflxxrx.exe 43 PID 2008 wrote to memory of 1248 2008 rflxxrx.exe 43 PID 2008 wrote to memory of 1248 2008 rflxxrx.exe 43 PID 1248 wrote to memory of 2376 1248 680023t.exe 44 PID 1248 wrote to memory of 2376 1248 680023t.exe 44 PID 1248 wrote to memory of 2376 1248 680023t.exe 44 PID 1248 wrote to memory of 2376 1248 680023t.exe 44 PID 2376 wrote to memory of 2032 2376 02006.exe 45 PID 2376 wrote to memory of 2032 2376 02006.exe 45 PID 2376 wrote to memory of 2032 2376 02006.exe 45 PID 2376 wrote to memory of 2032 2376 02006.exe 45 PID 2032 wrote to memory of 1564 2032 5rxfllr.exe 46 PID 2032 wrote to memory of 1564 2032 5rxfllr.exe 46 PID 2032 wrote to memory of 1564 2032 5rxfllr.exe 46 PID 2032 wrote to memory of 1564 2032 5rxfllr.exe 46
Processes
-
C:\Users\Admin\AppData\Local\Temp\6cb6269fe9c95f30a85b4fe348698f3db7721ac31c6c22a4714e6b25091b154cN.exe"C:\Users\Admin\AppData\Local\Temp\6cb6269fe9c95f30a85b4fe348698f3db7721ac31c6c22a4714e6b25091b154cN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2672 -
\??\c:\4862402.exec:\4862402.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1668 -
\??\c:\868866.exec:\868866.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3000 -
\??\c:\rlxxffr.exec:\rlxxffr.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2800 -
\??\c:\s0402.exec:\s0402.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2912 -
\??\c:\dvvvp.exec:\dvvvp.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2836 -
\??\c:\5thnhb.exec:\5thnhb.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2996 -
\??\c:\nbnhbb.exec:\nbnhbb.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2728 -
\??\c:\pdpdd.exec:\pdpdd.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2760 -
\??\c:\c028664.exec:\c028664.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2748 -
\??\c:\bthhhb.exec:\bthhhb.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2764 -
\??\c:\s8444.exec:\s8444.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:376 -
\??\c:\rflxxrx.exec:\rflxxrx.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2008 -
\??\c:\680023t.exec:\680023t.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1248 -
\??\c:\02006.exec:\02006.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2376 -
\??\c:\5rxfllr.exec:\5rxfllr.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2032 -
\??\c:\e68266.exec:\e68266.exe17⤵
- Executes dropped EXE
PID:1564 -
\??\c:\rlfxffl.exec:\rlfxffl.exe18⤵
- Executes dropped EXE
PID:2680 -
\??\c:\m4262.exec:\m4262.exe19⤵
- Executes dropped EXE
PID:1260 -
\??\c:\e26426.exec:\e26426.exe20⤵
- Executes dropped EXE
PID:3052 -
\??\c:\c862424.exec:\c862424.exe21⤵
- Executes dropped EXE
PID:2160 -
\??\c:\vvpjv.exec:\vvpjv.exe22⤵
- Executes dropped EXE
PID:2300 -
\??\c:\64686.exec:\64686.exe23⤵
- Executes dropped EXE
PID:1836 -
\??\c:\9jpjv.exec:\9jpjv.exe24⤵
- Executes dropped EXE
PID:1368 -
\??\c:\60846.exec:\60846.exe25⤵
- Executes dropped EXE
PID:1572 -
\??\c:\0862446.exec:\0862446.exe26⤵
- Executes dropped EXE
PID:1480 -
\??\c:\9fllxfl.exec:\9fllxfl.exe27⤵
- Executes dropped EXE
PID:2224 -
\??\c:\bttthn.exec:\bttthn.exe28⤵
- Executes dropped EXE
PID:2408 -
\??\c:\llxrxfl.exec:\llxrxfl.exe29⤵
- Executes dropped EXE
PID:2508 -
\??\c:\1nbbnn.exec:\1nbbnn.exe30⤵
- Executes dropped EXE
PID:2404 -
\??\c:\0244000.exec:\0244000.exe31⤵
- Executes dropped EXE
PID:900 -
\??\c:\648844.exec:\648844.exe32⤵
- Executes dropped EXE
PID:1612 -
\??\c:\m0606.exec:\m0606.exe33⤵
- Executes dropped EXE
PID:1536 -
\??\c:\lxlrxxf.exec:\lxlrxxf.exe34⤵
- Executes dropped EXE
PID:2380 -
\??\c:\hbhhtt.exec:\hbhhtt.exe35⤵
- Executes dropped EXE
PID:2792 -
\??\c:\tnbhhn.exec:\tnbhhn.exe36⤵
- Executes dropped EXE
PID:2820 -
\??\c:\pjvdj.exec:\pjvdj.exe37⤵
- Executes dropped EXE
PID:2976 -
\??\c:\bbnbhh.exec:\bbnbhh.exe38⤵
- Executes dropped EXE
PID:2844 -
\??\c:\btbbhh.exec:\btbbhh.exe39⤵
- Executes dropped EXE
PID:2732 -
\??\c:\fxlrllx.exec:\fxlrllx.exe40⤵
- Executes dropped EXE
PID:2928 -
\??\c:\082840.exec:\082840.exe41⤵
- Executes dropped EXE
PID:2736 -
\??\c:\lxllrrx.exec:\lxllrrx.exe42⤵
- Executes dropped EXE
PID:2220 -
\??\c:\0804602.exec:\0804602.exe43⤵
- Executes dropped EXE
PID:1688 -
\??\c:\dpjpd.exec:\dpjpd.exe44⤵
- Executes dropped EXE
PID:1116 -
\??\c:\u022828.exec:\u022828.exe45⤵
- Executes dropped EXE
PID:1484 -
\??\c:\64224.exec:\64224.exe46⤵
- Executes dropped EXE
PID:1588 -
\??\c:\08228.exec:\08228.exe47⤵
- Executes dropped EXE
PID:1216 -
\??\c:\e02204.exec:\e02204.exe48⤵
- Executes dropped EXE
PID:2176 -
\??\c:\c460040.exec:\c460040.exe49⤵
- Executes dropped EXE
PID:1664 -
\??\c:\btbhhh.exec:\btbhhh.exe50⤵
- Executes dropped EXE
PID:2384 -
\??\c:\pdpvd.exec:\pdpvd.exe51⤵
- Executes dropped EXE
PID:1744 -
\??\c:\dvjvd.exec:\dvjvd.exe52⤵
- Executes dropped EXE
PID:2952 -
\??\c:\246022.exec:\246022.exe53⤵
- Executes dropped EXE
PID:2208 -
\??\c:\nhtttt.exec:\nhtttt.exe54⤵
- Executes dropped EXE
PID:328 -
\??\c:\ththnh.exec:\ththnh.exe55⤵
- Executes dropped EXE
PID:2256 -
\??\c:\vjpvd.exec:\vjpvd.exe56⤵
- Executes dropped EXE
PID:2432 -
\??\c:\vpvvp.exec:\vpvvp.exe57⤵
- Executes dropped EXE
PID:1764 -
\??\c:\642688.exec:\642688.exe58⤵
- Executes dropped EXE
PID:1552 -
\??\c:\pjvvd.exec:\pjvvd.exe59⤵
- Executes dropped EXE
PID:3016 -
\??\c:\7lrrxxf.exec:\7lrrxxf.exe60⤵
- Executes dropped EXE
PID:968 -
\??\c:\nhhhnt.exec:\nhhhnt.exe61⤵
- Executes dropped EXE
PID:772 -
\??\c:\vjdjv.exec:\vjdjv.exe62⤵
- Executes dropped EXE
PID:1708 -
\??\c:\rlxxfff.exec:\rlxxfff.exe63⤵
- Executes dropped EXE
PID:2344 -
\??\c:\tthhnn.exec:\tthhnn.exe64⤵
- Executes dropped EXE
PID:692 -
\??\c:\xlxlrrr.exec:\xlxlrrr.exe65⤵
- Executes dropped EXE
PID:1444 -
\??\c:\20828.exec:\20828.exe66⤵PID:2596
-
\??\c:\u206228.exec:\u206228.exe67⤵PID:1052
-
\??\c:\jjpvj.exec:\jjpvj.exe68⤵PID:2108
-
\??\c:\lxrfffl.exec:\lxrfffl.exe69⤵PID:296
-
\??\c:\1ntbhn.exec:\1ntbhn.exe70⤵PID:1648
-
\??\c:\nhthtn.exec:\nhthtn.exe71⤵PID:2512
-
\??\c:\dvpvd.exec:\dvpvd.exe72⤵PID:2540
-
\??\c:\888644.exec:\888644.exe73⤵PID:2840
-
\??\c:\82406.exec:\82406.exe74⤵PID:2400
-
\??\c:\5djjp.exec:\5djjp.exe75⤵PID:2900
-
\??\c:\e86022.exec:\e86022.exe76⤵PID:2812
-
\??\c:\202048.exec:\202048.exe77⤵PID:2824
-
\??\c:\rlllxrf.exec:\rlllxrf.exe78⤵PID:1976
-
\??\c:\rfxxllf.exec:\rfxxllf.exe79⤵PID:2292
-
\??\c:\6022484.exec:\6022484.exe80⤵PID:1668
-
\??\c:\9bhbtn.exec:\9bhbtn.exe81⤵PID:376
-
\??\c:\86880.exec:\86880.exe82⤵PID:768
-
\??\c:\xrxflxx.exec:\xrxflxx.exe83⤵PID:2156
-
\??\c:\jvddd.exec:\jvddd.exe84⤵PID:2288
-
\??\c:\04226.exec:\04226.exe85⤵PID:1684
-
\??\c:\tnbhtn.exec:\tnbhtn.exe86⤵PID:1724
-
\??\c:\htntbh.exec:\htntbh.exe87⤵PID:1256
-
\??\c:\a2006.exec:\a2006.exe88⤵PID:2384
-
\??\c:\86628.exec:\86628.exe89⤵PID:2680
-
\??\c:\646288.exec:\646288.exe90⤵PID:3028
-
\??\c:\868848.exec:\868848.exe91⤵PID:1500
-
\??\c:\3nhhnn.exec:\3nhhnn.exe92⤵PID:2796
-
\??\c:\k20684.exec:\k20684.exe93⤵PID:1820
-
\??\c:\fxllllr.exec:\fxllllr.exe94⤵PID:1672
-
\??\c:\m2004.exec:\m2004.exe95⤵PID:2300
-
\??\c:\208462.exec:\208462.exe96⤵PID:796
-
\??\c:\lfrrrrx.exec:\lfrrrrx.exe97⤵PID:1576
-
\??\c:\i862840.exec:\i862840.exe98⤵PID:1376
-
\??\c:\w08804.exec:\w08804.exe99⤵PID:944
-
\??\c:\rlrlrxx.exec:\rlrlrxx.exe100⤵PID:956
-
\??\c:\42284.exec:\42284.exe101⤵PID:1696
-
\??\c:\hbnntt.exec:\hbnntt.exe102⤵PID:2124
-
\??\c:\1lxrrlr.exec:\1lxrrlr.exe103⤵PID:2224
-
\??\c:\vdjjv.exec:\vdjjv.exe104⤵PID:1996
-
\??\c:\hbttbh.exec:\hbttbh.exe105⤵PID:2240
-
\??\c:\rfxlxfl.exec:\rfxlxfl.exe106⤵
- System Location Discovery: System Language Discovery
PID:1756 -
\??\c:\pjvdp.exec:\pjvdp.exe107⤵PID:2308
-
\??\c:\4824668.exec:\4824668.exe108⤵PID:1512
-
\??\c:\lfrxlrr.exec:\lfrxlrr.exe109⤵PID:1540
-
\??\c:\rflfxrx.exec:\rflfxrx.exe110⤵PID:3000
-
\??\c:\080662.exec:\080662.exe111⤵PID:2484
-
\??\c:\8640228.exec:\8640228.exe112⤵PID:2924
-
\??\c:\024628.exec:\024628.exe113⤵PID:2904
-
\??\c:\4600808.exec:\4600808.exe114⤵PID:2420
-
\??\c:\nhtbbt.exec:\nhtbbt.exe115⤵PID:2700
-
\??\c:\48228.exec:\48228.exe116⤵PID:2812
-
\??\c:\60806.exec:\60806.exe117⤵PID:2824
-
\??\c:\k02244.exec:\k02244.exe118⤵PID:2748
-
\??\c:\bnnhbb.exec:\bnnhbb.exe119⤵PID:2072
-
\??\c:\2028484.exec:\2028484.exe120⤵PID:268
-
\??\c:\s8668.exec:\s8668.exe121⤵PID:2008
-
\??\c:\jdppp.exec:\jdppp.exe122⤵PID:1408