Analysis
-
max time kernel
120s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20241023-en -
resource tags
arch:x64 arch:x86 image:win7-20241023-en locale:en-us os:windows7-x64 system -
submitted
08/01/2025, 05:00
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
156f1d2a394c39bcdf0d28e39a0e911e8d1b2a1a8f55e66f32f47897b5d57f7cN.exe
Resource
win7-20241023-en
7 signatures
120 seconds
General
-
Target
156f1d2a394c39bcdf0d28e39a0e911e8d1b2a1a8f55e66f32f47897b5d57f7cN.exe
-
Size
454KB
-
MD5
330d9748e78e07f66858e55df4cf5c10
-
SHA1
494cac1e46e2e253f174ce89b28deabfd8712719
-
SHA256
156f1d2a394c39bcdf0d28e39a0e911e8d1b2a1a8f55e66f32f47897b5d57f7c
-
SHA512
e03fdf218aaeb075ad1de0f24b6d2eb5ade58bb94ac42d1d013c8b138ab70d9f059f965288ee6ca1fc30ade5d27fab875ac422b1bb35690f233d0bf09601ff2b
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeJ4:q7Tc2NYHUrAwfMp3CDJ4
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 46 IoCs
resource yara_rule behavioral1/memory/2516-1-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/920-18-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/920-16-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2832-27-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2780-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2872-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2772-50-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2640-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1324-74-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2780-75-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2256-86-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2732-105-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2000-114-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1860-131-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2984-136-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2904-149-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2144-179-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2536-214-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1612-224-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1532-227-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1532-230-0x00000000002A0000-0x00000000002CA000-memory.dmp family_blackmoon 
behavioral1/memory/620-243-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2720-261-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2348-294-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2868-304-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2808-337-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2548-364-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2208-378-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1848-410-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2116-418-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2888-444-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/692-471-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/612-472-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1132-485-0x00000000005C0000-0x00000000005EA000-memory.dmp family_blackmoon behavioral1/memory/1532-518-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2304-538-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2996-607-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2680-614-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2444-650-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1964-720-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1812-815-0x0000000000250000-0x000000000027A000-memory.dmp family_blackmoon behavioral1/memory/1812-814-0x0000000000250000-0x000000000027A000-memory.dmp family_blackmoon 
behavioral1/memory/2344-832-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1812-836-0x0000000000250000-0x000000000027A000-memory.dmp family_blackmoon behavioral1/memory/1568-850-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1004-889-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 920 2028402.exe 2832 206688.exe 2780 djddp.exe 2872 20662.exe 2772 08400.exe 2640 xlfllrx.exe 1324 0806224.exe 2256 jvjjp.exe 3040 622646.exe 2732 888800.exe 2000 fxlrlrl.exe 2812 xlxrrrx.exe 1860 24040.exe 2984 q84844.exe 2904 q68844.exe 1964 o804006.exe 768 q02884.exe 2144 84844.exe 2176 htnthh.exe 1772 rlxxllr.exe 544 9jpjv.exe 2536 8646228.exe 1612 dpjjv.exe 1532 206800.exe 620 8622206.exe 956 c466606.exe 2720 w86480.exe 1680 e62600.exe 2976 o804884.exe 1688 vjvvd.exe 2348 i682888.exe 1608 e64460.exe 2868 428404.exe 2792 dvjjp.exe 2916 rxlfxxx.exe 2752 s4884.exe 2912 a0228.exe 2808 jdjjp.exe 2668 20200.exe 2632 428848.exe 2688 4684040.exe 2548 86440.exe 2256 6804600.exe 2208 206622.exe 1788 3dpjj.exe 2112 xrxrrrx.exe 2000 pjvdd.exe 1848 3jpjd.exe 2320 pdvdd.exe 2116 60280.exe 888 w64406.exe 1752 frfxxrr.exe 2888 08600.exe 596 046848.exe 768 htbbhh.exe 2136 o688440.exe 692 426826.exe 612 vjddj.exe 1132 6006820.exe 544 ffrflrr.exe 1192 864466.exe 788 4806606.exe 1792 428460.exe 1532 u084006.exe -
resource yara_rule behavioral1/memory/2516-1-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/920-8-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/920-18-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/920-16-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2832-27-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2780-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2872-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2772-50-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2640-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1324-74-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2256-77-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2256-86-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2732-105-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2000-114-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1860-131-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1964-151-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2904-149-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2144-179-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2536-214-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1612-224-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1532-227-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/620-243-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2720-261-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2348-294-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2868-304-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2808-337-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2548-364-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2208-378-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1848-410-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2320-411-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2116-418-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1752-431-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2888-444-0x00000000001B0000-0x00000000001DA000-memory.dmp upx behavioral1/memory/596-445-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/612-472-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/544-486-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1132-485-0x00000000005C0000-0x00000000005EA000-memory.dmp upx behavioral1/memory/1532-511-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1532-518-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2848-569-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1600-588-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2996-607-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2680-614-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2808-615-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2216-630-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2444-643-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2444-650-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1488-707-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/1620-822-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2776-843-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1568-850-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2936-875-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1004-882-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1004-889-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2748-890-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjvvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 204444.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxlrrfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 080000.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flxrxfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 86268.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5hnnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 424804.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thnntb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjvdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8628862.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvjjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7xlffff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c488602.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 424024.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8688006.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 80628.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 086628.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvppv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxffrll.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2516 wrote to memory of 920 2516 156f1d2a394c39bcdf0d28e39a0e911e8d1b2a1a8f55e66f32f47897b5d57f7cN.exe 30 PID 2516 wrote to memory of 920 2516 156f1d2a394c39bcdf0d28e39a0e911e8d1b2a1a8f55e66f32f47897b5d57f7cN.exe 30 PID 2516 wrote to memory of 920 2516 156f1d2a394c39bcdf0d28e39a0e911e8d1b2a1a8f55e66f32f47897b5d57f7cN.exe 30 PID 2516 wrote to memory of 920 2516 156f1d2a394c39bcdf0d28e39a0e911e8d1b2a1a8f55e66f32f47897b5d57f7cN.exe 30 PID 920 wrote to memory of 2832 920 2028402.exe 31 PID 920 wrote to memory of 2832 920 2028402.exe 31 PID 920 wrote to memory of 2832 920 2028402.exe 31 PID 920 wrote to memory of 2832 920 2028402.exe 31 PID 2832 wrote to memory of 2780 2832 206688.exe 32 PID 2832 wrote to memory of 2780 2832 206688.exe 32 PID 2832 wrote to memory of 2780 2832 206688.exe 32 PID 2832 wrote to memory of 2780 2832 206688.exe 32 PID 2780 wrote to memory of 2872 2780 djddp.exe 33 PID 2780 wrote to memory of 2872 2780 djddp.exe 33 PID 2780 wrote to memory of 2872 2780 djddp.exe 33 PID 2780 wrote to memory of 2872 2780 djddp.exe 33 PID 2872 wrote to memory of 2772 2872 20662.exe 34 PID 2872 wrote to memory of 2772 2872 20662.exe 34 PID 2872 wrote to memory of 2772 2872 20662.exe 34 PID 2872 wrote to memory of 2772 2872 20662.exe 34 PID 2772 wrote to memory of 2640 2772 08400.exe 35 PID 2772 wrote to memory of 2640 2772 08400.exe 35 PID 2772 wrote to memory of 2640 2772 08400.exe 35 PID 2772 wrote to memory of 2640 2772 08400.exe 35 PID 2640 wrote to memory of 1324 2640 xlfllrx.exe 36 PID 2640 wrote to memory of 1324 2640 xlfllrx.exe 36 PID 2640 wrote to memory of 1324 2640 xlfllrx.exe 36 PID 2640 wrote to memory of 1324 2640 xlfllrx.exe 36 PID 1324 wrote to memory of 2256 1324 0806224.exe 37 PID 1324 wrote to memory of 2256 1324 0806224.exe 37 PID 1324 wrote to memory of 2256 1324 0806224.exe 37 PID 1324 wrote to memory of 2256 1324 0806224.exe 37 PID 2256 wrote to memory of 3040 2256 jvjjp.exe 38 PID 2256 wrote to 
memory of 3040 2256 jvjjp.exe 38 PID 2256 wrote to memory of 3040 2256 jvjjp.exe 38 PID 2256 wrote to memory of 3040 2256 jvjjp.exe 38 PID 3040 wrote to memory of 2732 3040 622646.exe 39 PID 3040 wrote to memory of 2732 3040 622646.exe 39 PID 3040 wrote to memory of 2732 3040 622646.exe 39 PID 3040 wrote to memory of 2732 3040 622646.exe 39 PID 2732 wrote to memory of 2000 2732 888800.exe 40 PID 2732 wrote to memory of 2000 2732 888800.exe 40 PID 2732 wrote to memory of 2000 2732 888800.exe 40 PID 2732 wrote to memory of 2000 2732 888800.exe 40 PID 2000 wrote to memory of 2812 2000 fxlrlrl.exe 41 PID 2000 wrote to memory of 2812 2000 fxlrlrl.exe 41 PID 2000 wrote to memory of 2812 2000 fxlrlrl.exe 41 PID 2000 wrote to memory of 2812 2000 fxlrlrl.exe 41 PID 2812 wrote to memory of 1860 2812 xlxrrrx.exe 42 PID 2812 wrote to memory of 1860 2812 xlxrrrx.exe 42 PID 2812 wrote to memory of 1860 2812 xlxrrrx.exe 42 PID 2812 wrote to memory of 1860 2812 xlxrrrx.exe 42 PID 1860 wrote to memory of 2984 1860 24040.exe 43 PID 1860 wrote to memory of 2984 1860 24040.exe 43 PID 1860 wrote to memory of 2984 1860 24040.exe 43 PID 1860 wrote to memory of 2984 1860 24040.exe 43 PID 2984 wrote to memory of 2904 2984 q84844.exe 44 PID 2984 wrote to memory of 2904 2984 q84844.exe 44 PID 2984 wrote to memory of 2904 2984 q84844.exe 44 PID 2984 wrote to memory of 2904 2984 q84844.exe 44 PID 2904 wrote to memory of 1964 2904 q68844.exe 45 PID 2904 wrote to memory of 1964 2904 q68844.exe 45 PID 2904 wrote to memory of 1964 2904 q68844.exe 45 PID 2904 wrote to memory of 1964 2904 q68844.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\156f1d2a394c39bcdf0d28e39a0e911e8d1b2a1a8f55e66f32f47897b5d57f7cN.exe"C:\Users\Admin\AppData\Local\Temp\156f1d2a394c39bcdf0d28e39a0e911e8d1b2a1a8f55e66f32f47897b5d57f7cN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2516 -
\??\c:\2028402.exec:\2028402.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:920 -
\??\c:\206688.exec:\206688.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2832 -
\??\c:\djddp.exec:\djddp.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2780 -
\??\c:\20662.exec:\20662.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2872 -
\??\c:\08400.exec:\08400.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2772 -
\??\c:\xlfllrx.exec:\xlfllrx.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2640 -
\??\c:\0806224.exec:\0806224.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1324 -
\??\c:\jvjjp.exec:\jvjjp.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2256 -
\??\c:\622646.exec:\622646.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3040 -
\??\c:\888800.exec:\888800.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2732 -
\??\c:\fxlrlrl.exec:\fxlrlrl.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2000 -
\??\c:\xlxrrrx.exec:\xlxrrrx.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2812 -
\??\c:\24040.exec:\24040.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1860 -
\??\c:\q84844.exec:\q84844.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2984 -
\??\c:\q68844.exec:\q68844.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2904 -
\??\c:\o804006.exec:\o804006.exe17⤵
- Executes dropped EXE
PID:1964 -
\??\c:\q02884.exec:\q02884.exe18⤵
- Executes dropped EXE
PID:768 -
\??\c:\84844.exec:\84844.exe19⤵
- Executes dropped EXE
PID:2144 -
\??\c:\htnthh.exec:\htnthh.exe20⤵
- Executes dropped EXE
PID:2176 -
\??\c:\rlxxllr.exec:\rlxxllr.exe21⤵
- Executes dropped EXE
PID:1772 -
\??\c:\9jpjv.exec:\9jpjv.exe22⤵
- Executes dropped EXE
PID:544 -
\??\c:\8646228.exec:\8646228.exe23⤵
- Executes dropped EXE
PID:2536 -
\??\c:\dpjjv.exec:\dpjjv.exe24⤵
- Executes dropped EXE
PID:1612 -
\??\c:\206800.exec:\206800.exe25⤵
- Executes dropped EXE
PID:1532 -
\??\c:\8622206.exec:\8622206.exe26⤵
- Executes dropped EXE
PID:620 -
\??\c:\c466606.exec:\c466606.exe27⤵
- Executes dropped EXE
PID:956 -
\??\c:\w86480.exec:\w86480.exe28⤵
- Executes dropped EXE
PID:2720 -
\??\c:\e62600.exec:\e62600.exe29⤵
- Executes dropped EXE
PID:1680 -
\??\c:\o804884.exec:\o804884.exe30⤵
- Executes dropped EXE
PID:2976 -
\??\c:\vjvvd.exec:\vjvvd.exe31⤵
- Executes dropped EXE
PID:1688 -
\??\c:\i682888.exec:\i682888.exe32⤵
- Executes dropped EXE
PID:2348 -
\??\c:\e64460.exec:\e64460.exe33⤵
- Executes dropped EXE
PID:1608 -
\??\c:\428404.exec:\428404.exe34⤵
- Executes dropped EXE
PID:2868 -
\??\c:\dvjjp.exec:\dvjjp.exe35⤵
- Executes dropped EXE
PID:2792 -
\??\c:\rxlfxxx.exec:\rxlfxxx.exe36⤵
- Executes dropped EXE
PID:2916 -
\??\c:\s4884.exec:\s4884.exe37⤵
- Executes dropped EXE
PID:2752 -
\??\c:\a0228.exec:\a0228.exe38⤵
- Executes dropped EXE
PID:2912 -
\??\c:\jdjjp.exec:\jdjjp.exe39⤵
- Executes dropped EXE
PID:2808 -
\??\c:\20200.exec:\20200.exe40⤵
- Executes dropped EXE
PID:2668 -
\??\c:\428848.exec:\428848.exe41⤵
- Executes dropped EXE
PID:2632 -
\??\c:\4684040.exec:\4684040.exe42⤵
- Executes dropped EXE
PID:2688 -
\??\c:\86440.exec:\86440.exe43⤵
- Executes dropped EXE
PID:2548 -
\??\c:\6804600.exec:\6804600.exe44⤵
- Executes dropped EXE
PID:2256 -
\??\c:\206622.exec:\206622.exe45⤵
- Executes dropped EXE
PID:2208 -
\??\c:\3dpjj.exec:\3dpjj.exe46⤵
- Executes dropped EXE
PID:1788 -
\??\c:\xrxrrrx.exec:\xrxrrrx.exe47⤵
- Executes dropped EXE
PID:2112 -
\??\c:\pjvdd.exec:\pjvdd.exe48⤵
- Executes dropped EXE
PID:2000 -
\??\c:\3jpjd.exec:\3jpjd.exe49⤵
- Executes dropped EXE
PID:1848 -
\??\c:\pdvdd.exec:\pdvdd.exe50⤵
- Executes dropped EXE
PID:2320 -
\??\c:\60280.exec:\60280.exe51⤵
- Executes dropped EXE
PID:2116 -
\??\c:\w64406.exec:\w64406.exe52⤵
- Executes dropped EXE
PID:888 -
\??\c:\frfxxrr.exec:\frfxxrr.exe53⤵
- Executes dropped EXE
PID:1752 -
\??\c:\08600.exec:\08600.exe54⤵
- Executes dropped EXE
PID:2888 -
\??\c:\046848.exec:\046848.exe55⤵
- Executes dropped EXE
PID:596 -
\??\c:\htbbhh.exec:\htbbhh.exe56⤵
- Executes dropped EXE
PID:768 -
\??\c:\o688440.exec:\o688440.exe57⤵
- Executes dropped EXE
PID:2136 -
\??\c:\426826.exec:\426826.exe58⤵
- Executes dropped EXE
PID:692 -
\??\c:\vjddj.exec:\vjddj.exe59⤵
- Executes dropped EXE
PID:612 -
\??\c:\6006820.exec:\6006820.exe60⤵
- Executes dropped EXE
PID:1132 -
\??\c:\ffrflrr.exec:\ffrflrr.exe61⤵
- Executes dropped EXE
PID:544 -
\??\c:\864466.exec:\864466.exe62⤵
- Executes dropped EXE
PID:1192 -
\??\c:\4806606.exec:\4806606.exe63⤵
- Executes dropped EXE
PID:788 -
\??\c:\428460.exec:\428460.exe64⤵
- Executes dropped EXE
PID:1792 -
\??\c:\u084006.exec:\u084006.exe65⤵
- Executes dropped EXE
PID:1532 -
\??\c:\htnnbb.exec:\htnnbb.exe66⤵PID:924
-
\??\c:\vvppd.exec:\vvppd.exe67⤵PID:1760
-
\??\c:\084688.exec:\084688.exe68⤵PID:2304
-
\??\c:\vjvvd.exec:\vjvvd.exe69⤵PID:1884
-
\??\c:\6860228.exec:\6860228.exe70⤵PID:2360
-
\??\c:\8644006.exec:\8644006.exe71⤵PID:2344
-
\??\c:\g8668.exec:\g8668.exe72⤵PID:884
-
\??\c:\5fxxffl.exec:\5fxxffl.exe73⤵PID:1976
-
\??\c:\frlxfxl.exec:\frlxfxl.exe74⤵PID:2848
-
\??\c:\dvjjp.exec:\dvjjp.exe75⤵PID:1704
-
\??\c:\8688006.exec:\8688006.exe76⤵
- System Location Discovery: System Language Discovery
PID:2868 -
\??\c:\6688002.exec:\6688002.exe77⤵PID:1600
-
\??\c:\frlrrrx.exec:\frlrrrx.exe78⤵PID:2796
-
\??\c:\42828.exec:\42828.exe79⤵PID:2996
-
\??\c:\g4806.exec:\g4806.exe80⤵PID:2680
-
\??\c:\jpjdp.exec:\jpjdp.exe81⤵PID:2808
-
\??\c:\200048.exec:\200048.exe82⤵PID:2708
-
\??\c:\080000.exec:\080000.exe83⤵
- System Location Discovery: System Language Discovery
PID:2216 -
\??\c:\7frlrxf.exec:\7frlrxf.exe84⤵PID:1904
-
\??\c:\2644044.exec:\2644044.exe85⤵PID:2444
-
\??\c:\w80004.exec:\w80004.exe86⤵PID:2248
-
\??\c:\4862828.exec:\4862828.exe87⤵PID:1148
-
\??\c:\5hnnhh.exec:\5hnnhh.exe88⤵
- System Location Discovery: System Language Discovery
PID:656 -
\??\c:\hbnhtb.exec:\hbnhtb.exe89⤵PID:2988
-
\??\c:\rfxfrrf.exec:\rfxfrrf.exe90⤵PID:2696
-
\??\c:\bnttnh.exec:\bnttnh.exe91⤵PID:2880
-
\??\c:\fxrrffx.exec:\fxrrffx.exe92⤵PID:2884
-
\??\c:\1flfrrr.exec:\1flfrrr.exe93⤵PID:2984
-
\??\c:\640626.exec:\640626.exe94⤵PID:1468
-
\??\c:\2640264.exec:\2640264.exe95⤵PID:1488
-
\??\c:\i244046.exec:\i244046.exe96⤵PID:1964
-
\??\c:\a6440.exec:\a6440.exe97⤵PID:2088
-
\??\c:\26824.exec:\26824.exe98⤵PID:1856
-
\??\c:\1frrxfl.exec:\1frrxfl.exe99⤵PID:1476
-
\??\c:\2662446.exec:\2662446.exe100⤵PID:1524
-
\??\c:\8688406.exec:\8688406.exe101⤵PID:1016
-
\??\c:\u462446.exec:\u462446.exe102⤵PID:1656
-
\??\c:\3xflllx.exec:\3xflllx.exe103⤵PID:1664
-
\??\c:\08002.exec:\08002.exe104⤵PID:540
-
\??\c:\u462828.exec:\u462828.exe105⤵PID:2536
-
\??\c:\dpjdd.exec:\dpjdd.exe106⤵PID:1352
-
\??\c:\tnhthh.exec:\tnhthh.exe107⤵PID:1792
-
\??\c:\5lxrrrx.exec:\5lxrrrx.exe108⤵PID:1532
-
\??\c:\e64066.exec:\e64066.exe109⤵PID:712
-
\??\c:\3jdvd.exec:\3jdvd.exe110⤵PID:2408
-
\??\c:\1dvvd.exec:\1dvvd.exe111⤵PID:1812
-
\??\c:\7hbbhh.exec:\7hbbhh.exe112⤵PID:2356
-
\??\c:\o206824.exec:\o206824.exe113⤵PID:1620
-
\??\c:\bthhtn.exec:\bthhtn.exe114⤵PID:2344
-
\??\c:\lrxxxll.exec:\lrxxxll.exe115⤵PID:1496
-
\??\c:\ddpvj.exec:\ddpvj.exe116⤵PID:2776
-
\??\c:\2662404.exec:\2662404.exe117⤵PID:1568
-
\??\c:\rlffllx.exec:\rlffllx.exe118⤵PID:2228
-
\??\c:\3nbbnn.exec:\3nbbnn.exe119⤵PID:2924
-
\??\c:\80628.exec:\80628.exe120⤵
- System Location Discovery: System Language Discovery
PID:2916 -
\??\c:\424024.exec:\424024.exe121⤵
- System Location Discovery: System Language Discovery
PID:2936 -
\??\c:\e08844.exec:\e08844.exe122⤵PID:1004