Analysis
-
max time kernel
120s -
max time network
93s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
08/01/2025, 07:36
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
2c42d75f2ce756bf92c271b142b549345f43bf1ef0db6b9074c757c9af95bde8N.exe
Resource
win7-20240903-en
7 signatures
120 seconds
Note: this task summary names behavioral1 on the win7-20240903-en image, but every memory-dump IoC listed below is keyed behavioral2/ and the analysis header above reports windows10-2004_x64 / win10v2004-20241007-en. The signatures, memory matches and process tree on this page therefore come from the Windows 10 run; do not attribute them to the Windows 7 task.
General
-
Target
2c42d75f2ce756bf92c271b142b549345f43bf1ef0db6b9074c757c9af95bde8N.exe
-
Size
454KB
-
MD5
8a58cba655cf9e0683739ac81b6843e0
-
SHA1
d81c968d94c6393250470cc5bb90655fe1050cee
-
SHA256
2c42d75f2ce756bf92c271b142b549345f43bf1ef0db6b9074c757c9af95bde8
-
SHA512
e2f250c8a88c608244aa7b5bb7249496ab702cd925945a841cce15ad3489acc157ca67c4bdda1a46065b83437c8822064976313f4502232fba410f2be6c92f86
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeJ:q7Tc2NYHUrAwfMp3CDJ
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 61 IoCs (memory-dump YARA matches). The matched regions 0x0000000000400000-0x000000000042A000 are the same ranges that also hit the upx rule further down, so the family match is on the unpacked in-memory image of each process, not on the file as stored on disk; the file hashes above identify only this packed build. Also note that the sandbox reuses PIDs during the run (e.g. 2056, 448 and 4280 each appear twice in the process tree under different image names), so the PID-offset keys below identify dump snapshots, not unique processes.
resource yara_rule behavioral2/memory/3788-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4380-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1596-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3240-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2056-34-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3884-42-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3544-51-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2644-59-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2884-61-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3728-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3584-71-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1204-82-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4428-87-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2412-95-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3948-112-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4028-108-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4280-103-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2540-124-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4852-131-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1720-141-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2960-146-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2380-158-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4848-170-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4816-168-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4952-185-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2808-190-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4688-197-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4304-201-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5112-212-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4616-216-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5016-220-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1520-224-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4088-228-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2040-232-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2832-239-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/448-243-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2056-268-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2052-275-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2288-294-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4104-298-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4532-311-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1552-324-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1788-346-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/220-365-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4748-369-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1580-376-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4976-383-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1816-421-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/448-437-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/544-456-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2860-508-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4988-548-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/208-558-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3020-607-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2320-737-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5044-741-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2012-748-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2320-905-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4524-951-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2780-1177-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/220-1515-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs (the list stops at 64 entries while the process tree below runs to 122 processes, so treat it as truncated). Every stage is dropped to the root of C:\ under a short name built from a small alphabet: either letters drawn from f/l/x/r/j/d/p/v/b/t/n/h (llfrrlx.exe, pdvjd.exe, nbnhtn.exe) or a run of even digits 0/2/4/6/8, sometimes with a single leading letter (0608242.exe, o442486.exe, e62048.exe). That naming pattern, together with the c:\ drop location, is a usable hunting heuristic for this chain.
pid Process 4380 llfrrlx.exe 1596 rrxrfxl.exe 3240 fxlffrx.exe 1844 0608242.exe 2056 400808.exe 3884 jdjjj.exe 3276 o442486.exe 3544 pdvjd.exe 2644 vjjjv.exe 2884 1rrfrlx.exe 3728 jvdpp.exe 3584 2286486.exe 1204 64200.exe 4428 688606.exe 4264 4204266.exe 2412 4620422.exe 4280 fxrxrlx.exe 4028 3llfrrl.exe 3948 66826.exe 2896 5fxlxrf.exe 2540 e62048.exe 4852 0886482.exe 1720 vpdvp.exe 3864 frlfrlf.exe 2960 006048.exe 2380 0820488.exe 264 64464.exe 4816 082082.exe 4848 662600.exe 1068 nbnhtn.exe 4952 8220264.exe 2808 7pdpj.exe 4268 9tbnhb.exe 4688 64864.exe 4304 fxrxrxl.exe 3768 4882048.exe 888 468888.exe 5112 bthtbt.exe 4616 fxfxllx.exe 5016 e62606.exe 1520 8648624.exe 4088 602642.exe 2040 vdvpj.exe 684 pvvjj.exe 2832 xfxxrlf.exe 448 082608.exe 1928 1bbthb.exe 1048 3pppj.exe 400 46220.exe 4568 fxxlxrr.exe 4100 86848.exe 2140 04606.exe 2228 ppvvv.exe 2056 xllllll.exe 4424 48666.exe 2052 ttbhbb.exe 1088 88244.exe 1548 htnnhh.exe 4252 bttnnn.exe 4824 8848040.exe 1028 llxrrff.exe 2288 hbtnhn.exe 4104 2008260.exe 2616 rlrrrfl.exe -
resource yara_rule behavioral2/memory/3788-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4380-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1596-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3240-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2056-34-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3884-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3276-40-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3544-51-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2644-59-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2884-61-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3728-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3584-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1204-82-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4428-87-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2412-95-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3948-112-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4028-108-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4280-103-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2540-124-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4852-131-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1720-141-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2960-146-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2380-158-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4848-170-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4816-168-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4952-185-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2808-190-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4688-197-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4304-201-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3768-202-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5112-212-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4616-216-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5016-220-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1520-224-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4088-228-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2040-232-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2832-239-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/448-243-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2056-268-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2052-275-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2288-294-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4104-298-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4532-311-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1552-324-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1788-346-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/220-365-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4748-369-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1580-376-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4976-383-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1816-421-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/448-437-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/544-456-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2860-508-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4988-548-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/208-558-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3020-607-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2320-737-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5044-741-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2012-748-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2320-905-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4524-951-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2780-1177-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1844-1436-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/220-1515-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location. Many of the entries below are attributed to "Process not Found", meaning the sandbox could not map the registry open back to a process image (presumably a short-lived stage that had already exited); those events are still part of the chain but cannot be tied to a specific dropped name.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9hbnbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btntnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 44482.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 600666.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxfxxrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language o008208.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9bbnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language w00464.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfxrrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process 
not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfrlxxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 228648.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 06248.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 64486.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 082660.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2084842.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9dpjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrxllfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not 
Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8600484.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnttnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1ffxfxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrrfxrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 420482.exe -
Suspicious use of WriteProcessMemory 64 IoCs. Each entry is a parent writing into the child it has just spawned, three writes per child and in the same order as the process tree below, rather than a write into an unrelated process; the list is capped at 64 entries and ends at PID 2540 writing to 4852 while the chain itself continues. The signal here is the length of the spawn chain, not evidence of cross-process injection.
description pid Process procid_target PID 3788 wrote to memory of 4380 3788 2c42d75f2ce756bf92c271b142b549345f43bf1ef0db6b9074c757c9af95bde8N.exe 83 PID 3788 wrote to memory of 4380 3788 2c42d75f2ce756bf92c271b142b549345f43bf1ef0db6b9074c757c9af95bde8N.exe 83 PID 3788 wrote to memory of 4380 3788 2c42d75f2ce756bf92c271b142b549345f43bf1ef0db6b9074c757c9af95bde8N.exe 83 PID 4380 wrote to memory of 1596 4380 llfrrlx.exe 84 PID 4380 wrote to memory of 1596 4380 llfrrlx.exe 84 PID 4380 wrote to memory of 1596 4380 llfrrlx.exe 84 PID 1596 wrote to memory of 3240 1596 rrxrfxl.exe 85 PID 1596 wrote to memory of 3240 1596 rrxrfxl.exe 85 PID 1596 wrote to memory of 3240 1596 rrxrfxl.exe 85 PID 3240 wrote to memory of 1844 3240 fxlffrx.exe 86 PID 3240 wrote to memory of 1844 3240 fxlffrx.exe 86 PID 3240 wrote to memory of 1844 3240 fxlffrx.exe 86 PID 1844 wrote to memory of 2056 1844 0608242.exe 87 PID 1844 wrote to memory of 2056 1844 0608242.exe 87 PID 1844 wrote to memory of 2056 1844 0608242.exe 87 PID 2056 wrote to memory of 3884 2056 400808.exe 88 PID 2056 wrote to memory of 3884 2056 400808.exe 88 PID 2056 wrote to memory of 3884 2056 400808.exe 88 PID 3884 wrote to memory of 3276 3884 jdjjj.exe 89 PID 3884 wrote to memory of 3276 3884 jdjjj.exe 89 PID 3884 wrote to memory of 3276 3884 jdjjj.exe 89 PID 3276 wrote to memory of 3544 3276 o442486.exe 90 PID 3276 wrote to memory of 3544 3276 o442486.exe 90 PID 3276 wrote to memory of 3544 3276 o442486.exe 90 PID 3544 wrote to memory of 2644 3544 pdvjd.exe 91 PID 3544 wrote to memory of 2644 3544 pdvjd.exe 91 PID 3544 wrote to memory of 2644 3544 pdvjd.exe 91 PID 2644 wrote to memory of 2884 2644 vjjjv.exe 92 PID 2644 wrote to memory of 2884 2644 vjjjv.exe 92 PID 2644 wrote to memory of 2884 2644 vjjjv.exe 92 PID 2884 wrote to memory of 3728 2884 1rrfrlx.exe 93 PID 2884 wrote to memory of 3728 2884 1rrfrlx.exe 93 PID 2884 wrote to memory of 3728 2884 1rrfrlx.exe 93 PID 3728 wrote to memory of 3584 3728 jvdpp.exe 94 PID 3728 
wrote to memory of 3584 3728 jvdpp.exe 94 PID 3728 wrote to memory of 3584 3728 jvdpp.exe 94 PID 3584 wrote to memory of 1204 3584 2286486.exe 95 PID 3584 wrote to memory of 1204 3584 2286486.exe 95 PID 3584 wrote to memory of 1204 3584 2286486.exe 95 PID 1204 wrote to memory of 4428 1204 64200.exe 96 PID 1204 wrote to memory of 4428 1204 64200.exe 96 PID 1204 wrote to memory of 4428 1204 64200.exe 96 PID 4428 wrote to memory of 4264 4428 688606.exe 97 PID 4428 wrote to memory of 4264 4428 688606.exe 97 PID 4428 wrote to memory of 4264 4428 688606.exe 97 PID 4264 wrote to memory of 2412 4264 4204266.exe 98 PID 4264 wrote to memory of 2412 4264 4204266.exe 98 PID 4264 wrote to memory of 2412 4264 4204266.exe 98 PID 2412 wrote to memory of 4280 2412 4620422.exe 99 PID 2412 wrote to memory of 4280 2412 4620422.exe 99 PID 2412 wrote to memory of 4280 2412 4620422.exe 99 PID 4280 wrote to memory of 4028 4280 fxrxrlx.exe 100 PID 4280 wrote to memory of 4028 4280 fxrxrlx.exe 100 PID 4280 wrote to memory of 4028 4280 fxrxrlx.exe 100 PID 4028 wrote to memory of 3948 4028 3llfrrl.exe 101 PID 4028 wrote to memory of 3948 4028 3llfrrl.exe 101 PID 4028 wrote to memory of 3948 4028 3llfrrl.exe 101 PID 3948 wrote to memory of 2896 3948 66826.exe 102 PID 3948 wrote to memory of 2896 3948 66826.exe 102 PID 3948 wrote to memory of 2896 3948 66826.exe 102 PID 2896 wrote to memory of 2540 2896 5fxlxrf.exe 103 PID 2896 wrote to memory of 2540 2896 5fxlxrf.exe 103 PID 2896 wrote to memory of 2540 2896 5fxlxrf.exe 103 PID 2540 wrote to memory of 4852 2540 e62048.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\2c42d75f2ce756bf92c271b142b549345f43bf1ef0db6b9074c757c9af95bde8N.exe"C:\Users\Admin\AppData\Local\Temp\2c42d75f2ce756bf92c271b142b549345f43bf1ef0db6b9074c757c9af95bde8N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3788 -
\??\c:\llfrrlx.exec:\llfrrlx.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4380 -
\??\c:\rrxrfxl.exec:\rrxrfxl.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1596 -
\??\c:\fxlffrx.exec:\fxlffrx.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3240 -
\??\c:\0608242.exec:\0608242.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1844 -
\??\c:\400808.exec:\400808.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2056 -
\??\c:\jdjjj.exec:\jdjjj.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3884 -
\??\c:\o442486.exec:\o442486.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3276 -
\??\c:\pdvjd.exec:\pdvjd.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3544 -
\??\c:\vjjjv.exec:\vjjjv.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2644 -
\??\c:\1rrfrlx.exec:\1rrfrlx.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2884 -
\??\c:\jvdpp.exec:\jvdpp.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3728 -
\??\c:\2286486.exec:\2286486.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3584 -
\??\c:\64200.exec:\64200.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1204 -
\??\c:\688606.exec:\688606.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4428 -
\??\c:\4204266.exec:\4204266.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4264 -
\??\c:\4620422.exec:\4620422.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2412 -
\??\c:\fxrxrlx.exec:\fxrxrlx.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4280 -
\??\c:\3llfrrl.exec:\3llfrrl.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4028 -
\??\c:\66826.exec:\66826.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3948 -
\??\c:\5fxlxrf.exec:\5fxlxrf.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2896 -
\??\c:\e62048.exec:\e62048.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2540 -
\??\c:\0886482.exec:\0886482.exe23⤵
- Executes dropped EXE
PID:4852 -
\??\c:\vpdvp.exec:\vpdvp.exe24⤵
- Executes dropped EXE
PID:1720 -
\??\c:\frlfrlf.exec:\frlfrlf.exe25⤵
- Executes dropped EXE
PID:3864 -
\??\c:\006048.exec:\006048.exe26⤵
- Executes dropped EXE
PID:2960 -
\??\c:\0820488.exec:\0820488.exe27⤵
- Executes dropped EXE
PID:2380 -
\??\c:\64464.exec:\64464.exe28⤵
- Executes dropped EXE
PID:264 -
\??\c:\082082.exec:\082082.exe29⤵
- Executes dropped EXE
PID:4816 -
\??\c:\662600.exec:\662600.exe30⤵
- Executes dropped EXE
PID:4848 -
\??\c:\nbnhtn.exec:\nbnhtn.exe31⤵
- Executes dropped EXE
PID:1068 -
\??\c:\8220264.exec:\8220264.exe32⤵
- Executes dropped EXE
PID:4952 -
\??\c:\7pdpj.exec:\7pdpj.exe33⤵
- Executes dropped EXE
PID:2808 -
\??\c:\9tbnhb.exec:\9tbnhb.exe34⤵
- Executes dropped EXE
PID:4268 -
\??\c:\64864.exec:\64864.exe35⤵
- Executes dropped EXE
PID:4688 -
\??\c:\fxrxrxl.exec:\fxrxrxl.exe36⤵
- Executes dropped EXE
PID:4304 -
\??\c:\4882048.exec:\4882048.exe37⤵
- Executes dropped EXE
PID:3768 -
\??\c:\468888.exec:\468888.exe38⤵
- Executes dropped EXE
PID:888 -
\??\c:\bthtbt.exec:\bthtbt.exe39⤵
- Executes dropped EXE
PID:5112 -
\??\c:\fxfxllx.exec:\fxfxllx.exe40⤵
- Executes dropped EXE
PID:4616 -
\??\c:\e62606.exec:\e62606.exe41⤵
- Executes dropped EXE
PID:5016 -
\??\c:\8648624.exec:\8648624.exe42⤵
- Executes dropped EXE
PID:1520 -
\??\c:\602642.exec:\602642.exe43⤵
- Executes dropped EXE
PID:4088 -
\??\c:\vdvpj.exec:\vdvpj.exe44⤵
- Executes dropped EXE
PID:2040 -
\??\c:\pvvjj.exec:\pvvjj.exe45⤵
- Executes dropped EXE
PID:684 -
\??\c:\xfxxrlf.exec:\xfxxrlf.exe46⤵
- Executes dropped EXE
PID:2832 -
\??\c:\082608.exec:\082608.exe47⤵
- Executes dropped EXE
PID:448 -
\??\c:\1bbthb.exec:\1bbthb.exe48⤵
- Executes dropped EXE
PID:1928 -
\??\c:\3pppj.exec:\3pppj.exe49⤵
- Executes dropped EXE
PID:1048 -
\??\c:\46220.exec:\46220.exe50⤵
- Executes dropped EXE
PID:400 -
\??\c:\fxxlxrr.exec:\fxxlxrr.exe51⤵
- Executes dropped EXE
PID:4568 -
\??\c:\86848.exec:\86848.exe52⤵
- Executes dropped EXE
PID:4100 -
\??\c:\04606.exec:\04606.exe53⤵
- Executes dropped EXE
PID:2140 -
\??\c:\ppvvv.exec:\ppvvv.exe54⤵
- Executes dropped EXE
PID:2228 -
\??\c:\xllllll.exec:\xllllll.exe55⤵
- Executes dropped EXE
PID:2056 -
\??\c:\48666.exec:\48666.exe56⤵
- Executes dropped EXE
PID:4424 -
\??\c:\ttbhbb.exec:\ttbhbb.exe57⤵
- Executes dropped EXE
PID:2052 -
\??\c:\88244.exec:\88244.exe58⤵
- Executes dropped EXE
PID:1088 -
\??\c:\htnnhh.exec:\htnnhh.exe59⤵
- Executes dropped EXE
PID:1548 -
\??\c:\bttnnn.exec:\bttnnn.exe60⤵
- Executes dropped EXE
PID:4252 -
\??\c:\8848040.exec:\8848040.exe61⤵
- Executes dropped EXE
PID:4824 -
\??\c:\llxrrff.exec:\llxrrff.exe62⤵
- Executes dropped EXE
PID:1028 -
\??\c:\hbtnhn.exec:\hbtnhn.exe63⤵
- Executes dropped EXE
PID:2288 -
\??\c:\2008260.exec:\2008260.exe64⤵
- Executes dropped EXE
PID:4104 -
\??\c:\rlrrrfl.exec:\rlrrrfl.exe65⤵
- Executes dropped EXE
PID:2616 -
\??\c:\vjpjv.exec:\vjpjv.exe66⤵PID:3456
-
\??\c:\204864.exec:\204864.exe67⤵PID:3088
-
\??\c:\nhtbnt.exec:\nhtbnt.exe68⤵PID:4532
-
\??\c:\40642.exec:\40642.exe69⤵PID:2060
-
\??\c:\nhnhtt.exec:\nhnhtt.exe70⤵PID:4280
-
\??\c:\xffxflx.exec:\xffxflx.exe71⤵PID:2300
-
\??\c:\9bhhnb.exec:\9bhhnb.exe72⤵PID:1552
-
\??\c:\2008866.exec:\2008866.exe73⤵PID:3628
-
\??\c:\828820.exec:\828820.exe74⤵PID:2072
-
\??\c:\0046828.exec:\0046828.exe75⤵PID:728
-
\??\c:\5ppjj.exec:\5ppjj.exe76⤵PID:4372
-
\??\c:\682486.exec:\682486.exe77⤵PID:2592
-
\??\c:\djjvj.exec:\djjvj.exe78⤵PID:3148
-
\??\c:\xxlxrxf.exec:\xxlxrxf.exe79⤵PID:1788
-
\??\c:\6820820.exec:\6820820.exe80⤵PID:3156
-
\??\c:\0226604.exec:\0226604.exe81⤵PID:1692
-
\??\c:\42226.exec:\42226.exe82⤵PID:5044
-
\??\c:\026042.exec:\026042.exe83⤵PID:1820
-
\??\c:\nhhbtt.exec:\nhhbtt.exe84⤵PID:1172
-
\??\c:\pdjvp.exec:\pdjvp.exe85⤵PID:220
-
\??\c:\046004.exec:\046004.exe86⤵PID:4748
-
\??\c:\040260.exec:\040260.exe87⤵PID:2080
-
\??\c:\thhtnh.exec:\thhtnh.exe88⤵PID:1580
-
\??\c:\06808.exec:\06808.exe89⤵PID:3484
-
\??\c:\fllflfx.exec:\fllflfx.exe90⤵PID:4976
-
\??\c:\lxxlfxr.exec:\lxxlfxr.exe91⤵PID:2564
-
\??\c:\4286482.exec:\4286482.exe92⤵PID:1804
-
\??\c:\nbnbth.exec:\nbnbth.exe93⤵PID:516
-
\??\c:\6426486.exec:\6426486.exe94⤵PID:4700
-
\??\c:\bnhthh.exec:\bnhthh.exe95⤵PID:1716
-
\??\c:\lxxlfxr.exec:\lxxlfxr.exe96⤵PID:3400
-
\??\c:\rlxrfxr.exec:\rlxrfxr.exe97⤵PID:2664
-
\??\c:\thhtnh.exec:\thhtnh.exe98⤵PID:4536
-
\??\c:\02826.exec:\02826.exe99⤵PID:1860
-
\??\c:\rfrlxxl.exec:\rfrlxxl.exe100⤵
- System Location Discovery: System Language Discovery
PID:4888 -
\??\c:\fflxlfr.exec:\fflxlfr.exe101⤵PID:4368
-
\??\c:\1xlxlrx.exec:\1xlxlrx.exe102⤵PID:1816
-
\??\c:\fxfxllx.exec:\fxfxllx.exe103⤵PID:4132
-
\??\c:\htthtt.exec:\htthtt.exe104⤵PID:2040
-
\??\c:\pppjp.exec:\pppjp.exe105⤵PID:4864
-
\??\c:\80600.exec:\80600.exe106⤵PID:4356
-
\??\c:\s0826.exec:\s0826.exe107⤵PID:448
-
\??\c:\9xflflf.exec:\9xflflf.exe108⤵PID:1796
-
\??\c:\fffxlfr.exec:\fffxlfr.exe109⤵PID:4084
-
\??\c:\rrxrxxr.exec:\rrxrxxr.exe110⤵PID:5008
-
\??\c:\e40426.exec:\e40426.exe111⤵PID:5096
-
\??\c:\a4226.exec:\a4226.exe112⤵PID:1036
-
\??\c:\26682.exec:\26682.exe113⤵PID:544
-
\??\c:\606444.exec:\606444.exe114⤵PID:3660
-
\??\c:\nnthtn.exec:\nnthtn.exe115⤵PID:4880
-
\??\c:\dvvjv.exec:\dvvjv.exe116⤵PID:4024
-
\??\c:\26280.exec:\26280.exe117⤵PID:900
-
\??\c:\nbhbnh.exec:\nbhbnh.exe118⤵PID:1396
-
\??\c:\5xrfxrf.exec:\5xrfxrf.exe119⤵PID:4552
-
\??\c:\ddvjv.exec:\ddvjv.exe120⤵PID:1924
-
\??\c:\fxfxxrx.exec:\fxfxxrx.exe121⤵
- System Location Discovery: System Language Discovery
PID:3168 -
\??\c:\26608.exec:\26608.exe122⤵PID:4676
-