Analysis
-
max time kernel
120s -
max time network
17s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64 arch:x86 image:win7-20240708-en locale:en-us os:windows7-x64 system -
submitted
08/01/2025, 07:18
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
793c269ade5d617bb59832f9230d0f97b808074cacce4f4dedd8c9a524f49bf2N.exe
Resource
win7-20240708-en
7 signatures
120 seconds
General
-
Target
793c269ade5d617bb59832f9230d0f97b808074cacce4f4dedd8c9a524f49bf2N.exe
-
Size
454KB
-
MD5
da76b6e9aaf490136483720361a13bc0
-
SHA1
c3b189afd2f3defe6c268d08c527a4d325894304
-
SHA256
793c269ade5d617bb59832f9230d0f97b808074cacce4f4dedd8c9a524f49bf2
-
SHA512
5d3b603c0d50d2af35d47333ffa6af6450bff09d9e56d6cb15d91aa39061b274fac13c3909162020f4e2d064688c9cbd45b14f1f2a502bd4146a4d75cdd28fd8
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbel:q7Tc2NYHUrAwfMp3CDl
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 42 IoCs
resource yara_rule behavioral1/memory/1768-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1236-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1820-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2256-34-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2848-44-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2668-54-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2148-71-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2704-79-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2752-83-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1700-82-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2764-99-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2528-107-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2488-118-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2564-120-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1056-135-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2452-157-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2096-189-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2084-207-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/916-223-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1312-241-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1528-260-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon 
behavioral1/memory/1528-262-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3012-281-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1480-297-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1232-324-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2848-356-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2704-388-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2756-402-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2948-427-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1348-553-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1644-566-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/464-579-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2168-653-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2108-661-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2484-700-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2852-938-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1408-1044-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1408-1065-0x0000000000530000-0x000000000055A000-memory.dmp family_blackmoon behavioral1/memory/2128-1078-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2192-1129-0x0000000000330000-0x000000000035A000-memory.dmp family_blackmoon behavioral1/memory/2676-1225-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2408-1291-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1236 3rffxfl.exe 1768 5htbhh.exe 2256 fxxlfff.exe 2848 c422468.exe 1700 44468.exe 2668 rrlxrrl.exe 2148 g0884.exe 2704 dppvj.exe 2752 3rrllrl.exe 2764 488806.exe 2528 820206.exe 2488 822068.exe 2564 4420286.exe 1056 fflrfrf.exe 636 642884.exe 2316 jjvpd.exe 2452 5ppjv.exe 1920 602866.exe 2784 1ttthh.exe 2796 6006868.exe 2096 442462.exe 2084 xfllfxx.exe 2056 llfxrxr.exe 916 08062.exe 264 22624.exe 1312 42664.exe 848 64066.exe 1528 0446288.exe 1404 86400.exe 348 1flxffr.exe 3012 3tbnnh.exe 1480 vpdjd.exe 2916 9djdd.exe 2440 20204.exe 2228 w42226.exe 1232 htw244.exe 2284 6800222.exe 2248 60048.exe 2260 20668.exe 2204 jvvdj.exe 2848 htnthh.exe 812 60628.exe 3032 282460.exe 2688 5htthb.exe 2708 2468040.exe 2704 9pjjp.exe 2372 s0666.exe 2860 w86222.exe 2756 62668.exe 2500 u024068.exe 2560 nhhbbh.exe 2948 lxxrllx.exe 1848 lxrxfxf.exe 2224 g2006.exe 2220 824462.exe 2316 q80626.exe 2320 tnttbb.exe 1964 4866284.exe 1912 40004.exe 1752 xrrfxrf.exe 2836 22444.exe 2360 604028.exe 2096 xfrrlff.exe 340 608088.exe -
resource yara_rule behavioral1/memory/1768-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1236-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1820-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2256-34-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2848-44-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2668-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2148-63-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2148-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2704-79-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2752-83-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2764-99-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2528-107-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2488-118-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2564-120-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/636-137-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1056-135-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2316-146-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2452-157-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2096-189-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2084-207-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/916-223-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1312-241-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1528-262-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3012-281-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/1480-297-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1232-324-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2848-349-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/812-357-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2848-356-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2704-388-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2756-402-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2948-427-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2836-476-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2096-509-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/992-514-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/464-579-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2108-654-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2168-653-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2108-661-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2816-680-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2484-693-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2484-700-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1592-877-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1568-887-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2396-906-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2808-963-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1804-1001-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1408-1044-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2144-1058-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1856-1097-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1764-1116-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2192-1129-0x0000000000330000-0x000000000035A000-memory.dmp upx behavioral1/memory/2212-1162-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2548-1287-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1660-1307-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer that host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9xffffl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8682262.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frffrxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e20066.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 60446.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvjpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdpvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 24480.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrllrxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language w80248.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xfrrlff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpvpp.exe Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1hbttt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language o206888.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8206280.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c022400.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hthtnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5djvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1820 wrote to memory of 1236 1820 793c269ade5d617bb59832f9230d0f97b808074cacce4f4dedd8c9a524f49bf2N.exe 28 PID 1820 wrote to memory of 1236 1820 793c269ade5d617bb59832f9230d0f97b808074cacce4f4dedd8c9a524f49bf2N.exe 28 PID 1820 wrote to memory of 1236 1820 793c269ade5d617bb59832f9230d0f97b808074cacce4f4dedd8c9a524f49bf2N.exe 28 PID 1820 wrote to memory of 1236 1820 793c269ade5d617bb59832f9230d0f97b808074cacce4f4dedd8c9a524f49bf2N.exe 28 PID 1236 wrote to memory of 1768 1236 3rffxfl.exe 29 PID 1236 wrote to memory of 1768 1236 3rffxfl.exe 29 PID 1236 wrote to memory of 1768 1236 3rffxfl.exe 29 PID 1236 wrote to memory of 1768 1236 3rffxfl.exe 29 PID 1768 wrote to memory of 2256 1768 5htbhh.exe 30 PID 1768 wrote to memory of 2256 1768 5htbhh.exe 30 PID 1768 wrote to memory of 2256 1768 5htbhh.exe 30 PID 1768 wrote to memory of 2256 1768 5htbhh.exe 30 PID 2256 wrote to memory of 2848 2256 fxxlfff.exe 31 PID 2256 wrote to memory of 2848 2256 fxxlfff.exe 31 PID 2256 wrote to memory of 2848 2256 fxxlfff.exe 31 PID 2256 wrote to memory of 2848 2256 fxxlfff.exe 31 PID 2848 wrote to memory of 1700 2848 c422468.exe 32 PID 2848 wrote to memory of 1700 2848 c422468.exe 32 PID 2848 wrote to memory of 1700 2848 c422468.exe 32 PID 2848 wrote to memory of 1700 2848 c422468.exe 32 PID 1700 wrote to memory of 2668 1700 44468.exe 33 PID 1700 wrote to memory of 2668 1700 44468.exe 33 PID 1700 wrote to memory of 2668 1700 44468.exe 33 PID 1700 wrote to memory of 2668 1700 44468.exe 33 PID 2668 wrote to memory of 2148 2668 rrlxrrl.exe 34 PID 2668 wrote to memory of 2148 2668 rrlxrrl.exe 34 PID 2668 wrote to memory of 2148 2668 rrlxrrl.exe 34 PID 2668 wrote to memory of 2148 2668 rrlxrrl.exe 34 PID 2148 wrote to memory of 2704 2148 g0884.exe 35 PID 2148 wrote to memory of 2704 2148 g0884.exe 35 PID 2148 wrote to memory of 2704 2148 g0884.exe 35 PID 2148 wrote to memory of 2704 2148 g0884.exe 35 PID 2704 wrote to memory of 2752 2704 dppvj.exe 36 
PID 2704 wrote to memory of 2752 2704 dppvj.exe 36 PID 2704 wrote to memory of 2752 2704 dppvj.exe 36 PID 2704 wrote to memory of 2752 2704 dppvj.exe 36 PID 2752 wrote to memory of 2764 2752 3rrllrl.exe 37 PID 2752 wrote to memory of 2764 2752 3rrllrl.exe 37 PID 2752 wrote to memory of 2764 2752 3rrllrl.exe 37 PID 2752 wrote to memory of 2764 2752 3rrllrl.exe 37 PID 2764 wrote to memory of 2528 2764 488806.exe 38 PID 2764 wrote to memory of 2528 2764 488806.exe 38 PID 2764 wrote to memory of 2528 2764 488806.exe 38 PID 2764 wrote to memory of 2528 2764 488806.exe 38 PID 2528 wrote to memory of 2488 2528 820206.exe 39 PID 2528 wrote to memory of 2488 2528 820206.exe 39 PID 2528 wrote to memory of 2488 2528 820206.exe 39 PID 2528 wrote to memory of 2488 2528 820206.exe 39 PID 2488 wrote to memory of 2564 2488 822068.exe 40 PID 2488 wrote to memory of 2564 2488 822068.exe 40 PID 2488 wrote to memory of 2564 2488 822068.exe 40 PID 2488 wrote to memory of 2564 2488 822068.exe 40 PID 2564 wrote to memory of 1056 2564 4420286.exe 41 PID 2564 wrote to memory of 1056 2564 4420286.exe 41 PID 2564 wrote to memory of 1056 2564 4420286.exe 41 PID 2564 wrote to memory of 1056 2564 4420286.exe 41 PID 1056 wrote to memory of 636 1056 fflrfrf.exe 42 PID 1056 wrote to memory of 636 1056 fflrfrf.exe 42 PID 1056 wrote to memory of 636 1056 fflrfrf.exe 42 PID 1056 wrote to memory of 636 1056 fflrfrf.exe 42 PID 636 wrote to memory of 2316 636 642884.exe 43 PID 636 wrote to memory of 2316 636 642884.exe 43 PID 636 wrote to memory of 2316 636 642884.exe 43 PID 636 wrote to memory of 2316 636 642884.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\793c269ade5d617bb59832f9230d0f97b808074cacce4f4dedd8c9a524f49bf2N.exe"C:\Users\Admin\AppData\Local\Temp\793c269ade5d617bb59832f9230d0f97b808074cacce4f4dedd8c9a524f49bf2N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1820 -
\??\c:\3rffxfl.exec:\3rffxfl.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1236 -
\??\c:\5htbhh.exec:\5htbhh.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1768 -
\??\c:\fxxlfff.exec:\fxxlfff.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2256 -
\??\c:\c422468.exec:\c422468.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2848 -
\??\c:\44468.exec:\44468.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1700 -
\??\c:\rrlxrrl.exec:\rrlxrrl.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2668 -
\??\c:\g0884.exec:\g0884.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2148 -
\??\c:\dppvj.exec:\dppvj.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2704 -
\??\c:\3rrllrl.exec:\3rrllrl.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2752 -
\??\c:\488806.exec:\488806.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2764 -
\??\c:\820206.exec:\820206.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2528 -
\??\c:\822068.exec:\822068.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2488 -
\??\c:\4420286.exec:\4420286.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2564 -
\??\c:\fflrfrf.exec:\fflrfrf.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1056 -
\??\c:\642884.exec:\642884.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:636 -
\??\c:\jjvpd.exec:\jjvpd.exe17⤵
- Executes dropped EXE
PID:2316 -
\??\c:\5ppjv.exec:\5ppjv.exe18⤵
- Executes dropped EXE
PID:2452 -
\??\c:\602866.exec:\602866.exe19⤵
- Executes dropped EXE
PID:1920 -
\??\c:\1ttthh.exec:\1ttthh.exe20⤵
- Executes dropped EXE
PID:2784 -
\??\c:\6006868.exec:\6006868.exe21⤵
- Executes dropped EXE
PID:2796 -
\??\c:\442462.exec:\442462.exe22⤵
- Executes dropped EXE
PID:2096 -
\??\c:\xfllfxx.exec:\xfllfxx.exe23⤵
- Executes dropped EXE
PID:2084 -
\??\c:\llfxrxr.exec:\llfxrxr.exe24⤵
- Executes dropped EXE
PID:2056 -
\??\c:\08062.exec:\08062.exe25⤵
- Executes dropped EXE
PID:916 -
\??\c:\22624.exec:\22624.exe26⤵
- Executes dropped EXE
PID:264 -
\??\c:\42664.exec:\42664.exe27⤵
- Executes dropped EXE
PID:1312 -
\??\c:\64066.exec:\64066.exe28⤵
- Executes dropped EXE
PID:848 -
\??\c:\0446288.exec:\0446288.exe29⤵
- Executes dropped EXE
PID:1528 -
\??\c:\86400.exec:\86400.exe30⤵
- Executes dropped EXE
PID:1404 -
\??\c:\1flxffr.exec:\1flxffr.exe31⤵
- Executes dropped EXE
PID:348 -
\??\c:\3tbnnh.exec:\3tbnnh.exe32⤵
- Executes dropped EXE
PID:3012 -
\??\c:\vpdjd.exec:\vpdjd.exe33⤵
- Executes dropped EXE
PID:1480 -
\??\c:\9djdd.exec:\9djdd.exe34⤵
- Executes dropped EXE
PID:2916 -
\??\c:\20204.exec:\20204.exe35⤵
- Executes dropped EXE
PID:2440 -
\??\c:\w42226.exec:\w42226.exe36⤵
- Executes dropped EXE
PID:2228 -
\??\c:\htw244.exec:\htw244.exe37⤵
- Executes dropped EXE
PID:1232 -
\??\c:\6800222.exec:\6800222.exe38⤵
- Executes dropped EXE
PID:2284 -
\??\c:\60048.exec:\60048.exe39⤵
- Executes dropped EXE
PID:2248 -
\??\c:\20668.exec:\20668.exe40⤵
- Executes dropped EXE
PID:2260 -
\??\c:\jvvdj.exec:\jvvdj.exe41⤵
- Executes dropped EXE
PID:2204 -
\??\c:\htnthh.exec:\htnthh.exe42⤵
- Executes dropped EXE
PID:2848 -
\??\c:\60628.exec:\60628.exe43⤵
- Executes dropped EXE
PID:812 -
\??\c:\282460.exec:\282460.exe44⤵
- Executes dropped EXE
PID:3032 -
\??\c:\5htthb.exec:\5htthb.exe45⤵
- Executes dropped EXE
PID:2688 -
\??\c:\2468040.exec:\2468040.exe46⤵
- Executes dropped EXE
PID:2708 -
\??\c:\9pjjp.exec:\9pjjp.exe47⤵
- Executes dropped EXE
PID:2704 -
\??\c:\s0666.exec:\s0666.exe48⤵
- Executes dropped EXE
PID:2372 -
\??\c:\w86222.exec:\w86222.exe49⤵
- Executes dropped EXE
PID:2860 -
\??\c:\62668.exec:\62668.exe50⤵
- Executes dropped EXE
PID:2756 -
\??\c:\u024068.exec:\u024068.exe51⤵
- Executes dropped EXE
PID:2500 -
\??\c:\nhhbbh.exec:\nhhbbh.exe52⤵
- Executes dropped EXE
PID:2560 -
\??\c:\lxxrllx.exec:\lxxrllx.exe53⤵
- Executes dropped EXE
PID:2948 -
\??\c:\lxrxfxf.exec:\lxrxfxf.exe54⤵
- Executes dropped EXE
PID:1848 -
\??\c:\g2006.exec:\g2006.exe55⤵
- Executes dropped EXE
PID:2224 -
\??\c:\824462.exec:\824462.exe56⤵
- Executes dropped EXE
PID:2220 -
\??\c:\q80626.exec:\q80626.exe57⤵
- Executes dropped EXE
PID:2316 -
\??\c:\tnttbb.exec:\tnttbb.exe58⤵
- Executes dropped EXE
PID:2320 -
\??\c:\4866284.exec:\4866284.exe59⤵
- Executes dropped EXE
PID:1964 -
\??\c:\40004.exec:\40004.exe60⤵
- Executes dropped EXE
PID:1912 -
\??\c:\xrrfxrf.exec:\xrrfxrf.exe61⤵
- Executes dropped EXE
PID:1752 -
\??\c:\22444.exec:\22444.exe62⤵
- Executes dropped EXE
PID:2836 -
\??\c:\604028.exec:\604028.exe63⤵
- Executes dropped EXE
PID:2360 -
\??\c:\xfrrlff.exec:\xfrrlff.exe64⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2096 -
\??\c:\608088.exec:\608088.exe65⤵
- Executes dropped EXE
PID:340 -
\??\c:\xxxxxxf.exec:\xxxxxxf.exe66⤵PID:1720
-
\??\c:\7bthtt.exec:\7bthtt.exe67⤵PID:444
-
\??\c:\1vjpv.exec:\1vjpv.exe68⤵PID:992
-
\??\c:\s4222.exec:\s4222.exe69⤵PID:2344
-
\??\c:\s2044.exec:\s2044.exe70⤵PID:1980
-
\??\c:\fflxlff.exec:\fflxlff.exe71⤵PID:2080
-
\??\c:\lfrxllr.exec:\lfrxllr.exe72⤵PID:1328
-
\??\c:\7rrfrrx.exec:\7rrfrrx.exe73⤵PID:1348
-
\??\c:\0866266.exec:\0866266.exe74⤵PID:1732
-
\??\c:\lflfllf.exec:\lflfllf.exe75⤵PID:1644
-
\??\c:\64840.exec:\64840.exe76⤵PID:348
-
\??\c:\2084406.exec:\2084406.exe77⤵PID:2180
-
\??\c:\7bbhnt.exec:\7bbhnt.exe78⤵PID:464
-
\??\c:\48282.exec:\48282.exe79⤵PID:2212
-
\??\c:\tbtbnb.exec:\tbtbnb.exe80⤵PID:2916
-
\??\c:\vpjpv.exec:\vpjpv.exe81⤵PID:1820
-
\??\c:\7djpd.exec:\7djpd.exe82⤵PID:1572
-
\??\c:\llfxrrx.exec:\llfxrrx.exe83⤵PID:2264
-
\??\c:\hhhnbh.exec:\hhhnbh.exe84⤵PID:1548
-
\??\c:\2224660.exec:\2224660.exe85⤵PID:2280
-
\??\c:\pjdpd.exec:\pjdpd.exe86⤵PID:852
-
\??\c:\642466.exec:\642466.exe87⤵PID:1220
-
\??\c:\5nhntb.exec:\5nhntb.exe88⤵PID:2852
-
\??\c:\w60202.exec:\w60202.exe89⤵PID:2168
-
\??\c:\e04428.exec:\e04428.exe90⤵PID:2108
-
\??\c:\260222.exec:\260222.exe91⤵PID:2148
-
\??\c:\pjdpd.exec:\pjdpd.exe92⤵PID:2640
-
\??\c:\64824.exec:\64824.exe93⤵PID:2736
-
\??\c:\a2680.exec:\a2680.exe94⤵PID:2816
-
\??\c:\9jpvj.exec:\9jpvj.exe95⤵PID:2748
-
\??\c:\ffxlfrx.exec:\ffxlfrx.exe96⤵PID:2484
-
\??\c:\1xllxfr.exec:\1xllxfr.exe97⤵PID:2428
-
\??\c:\2420666.exec:\2420666.exe98⤵PID:2656
-
\??\c:\86402.exec:\86402.exe99⤵PID:2956
-
\??\c:\hhbhtt.exec:\hhbhtt.exe100⤵PID:2216
-
\??\c:\nhhhnt.exec:\nhhhnt.exe101⤵PID:2760
-
\??\c:\04662.exec:\04662.exe102⤵PID:808
-
\??\c:\0826846.exec:\0826846.exe103⤵PID:2036
-
\??\c:\pdpvj.exec:\pdpvj.exe104⤵
- System Location Discovery: System Language Discovery
PID:1996 -
\??\c:\dvpvv.exec:\dvpvv.exe105⤵PID:2044
-
\??\c:\60288.exec:\60288.exe106⤵PID:1860
-
\??\c:\5nhnnn.exec:\5nhnnn.exe107⤵PID:2792
-
\??\c:\04202.exec:\04202.exe108⤵PID:2728
-
\??\c:\5jvpp.exec:\5jvpp.exe109⤵PID:2136
-
\??\c:\4864664.exec:\4864664.exe110⤵PID:2964
-
\??\c:\4806846.exec:\4806846.exe111⤵PID:2304
-
\??\c:\260084.exec:\260084.exe112⤵PID:2056
-
\??\c:\o668002.exec:\o668002.exe113⤵PID:1200
-
\??\c:\e26800.exec:\e26800.exe114⤵PID:916
-
\??\c:\vjvdd.exec:\vjvdd.exe115⤵PID:532
-
\??\c:\04446.exec:\04446.exe116⤵PID:1324
-
\??\c:\1rffllx.exec:\1rffllx.exe117⤵PID:1312
-
\??\c:\1fxxxxl.exec:\1fxxxxl.exe118⤵PID:844
-
\??\c:\3hhbnt.exec:\3hhbnt.exe119⤵PID:1492
-
\??\c:\3dvvd.exec:\3dvvd.exe120⤵PID:1348
-
\??\c:\42224.exec:\42224.exe121⤵PID:1732
-
\??\c:\hhnbbn.exec:\hhnbbn.exe122⤵PID:3056