Analysis
-
max time kernel
120s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64 arch:x86 image:win7-20241010-en locale:en-us os:windows7-x64 system -
submitted
08/01/2025, 07:38
Behavioral task
behavioral1
Sample
ea66a835b94123afe2221074fecebf8269b7c4afe401f5fb3ad67cb3f726ae1bN.exe
Resource
win7-20241010-en
7 signatures
120 seconds
General
-
Target
ea66a835b94123afe2221074fecebf8269b7c4afe401f5fb3ad67cb3f726ae1bN.exe
-
Size
333KB
-
MD5
7ec1576f6914fa8334a8cf0dc86d6570
-
SHA1
3673ba21878e5c2ef9ac9895f99cd18b24feaf21
-
SHA256
ea66a835b94123afe2221074fecebf8269b7c4afe401f5fb3ad67cb3f726ae1b
-
SHA512
3e2d772dafda5673f3cdeae8a919fe7424db3428efdc9db5d9eff2bb8b26fdd66ea36d185c4b301695a10c44217a6d5527f6c6f5023d2eae713af993b321a146
-
SSDEEP
6144:Lcm4FmowdHoSHt251UriZFwfsDX2UznsaFVNJCMKAber:R4wFHoSHYHUrAwfMp3CDr
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 55 IoCs (almost all matches are 0x27000-byte regions inside the dropped executables, typically 0x400000–0x427000; the four late matches in PID 536 at 0x77390000–0x774AF000 are in a different region and PID 536 does not appear in the visible process tree — confirm what that process is before treating those hits as a payload)
resource yara_rule behavioral1/memory/2636-1-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2096-15-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2948-27-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2608-24-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/484-36-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/484-40-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2892-45-0x0000000000430000-0x0000000000457000-memory.dmp family_blackmoon behavioral1/memory/2240-60-0x0000000000230000-0x0000000000257000-memory.dmp family_blackmoon behavioral1/memory/2240-66-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2984-70-0x0000000000230000-0x0000000000257000-memory.dmp family_blackmoon behavioral1/memory/2984-75-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2888-83-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2888-82-0x00000000001B0000-0x00000000001D7000-memory.dmp family_blackmoon behavioral1/memory/2680-92-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2756-101-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/3016-120-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/300-135-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2880-140-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2880-144-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1220-153-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/3032-171-0x00000000001B0000-0x00000000001D7000-memory.dmp family_blackmoon 
behavioral1/memory/2412-189-0x00000000003B0000-0x00000000003D7000-memory.dmp family_blackmoon behavioral1/memory/2532-194-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2444-200-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/692-213-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/872-224-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1648-233-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1648-231-0x0000000000230000-0x0000000000257000-memory.dmp family_blackmoon behavioral1/memory/872-222-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/1064-249-0x00000000003B0000-0x00000000003D7000-memory.dmp family_blackmoon behavioral1/memory/1064-246-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2108-244-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2144-295-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2912-306-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2248-327-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2888-348-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1812-371-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2568-404-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2996-410-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2284-455-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2200-483-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2336-489-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral1/memory/1952-495-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1752-501-0x0000000000250000-0x0000000000277000-memory.dmp family_blackmoon behavioral1/memory/1052-512-0x0000000000430000-0x0000000000457000-memory.dmp family_blackmoon behavioral1/memory/2892-568-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2712-595-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/3012-649-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2428-735-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/888-747-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/636-861-0x0000000000230000-0x0000000000257000-memory.dmp family_blackmoon behavioral1/memory/536-998-0x0000000077390000-0x00000000774AF000-memory.dmp family_blackmoon behavioral1/memory/536-1471-0x0000000077390000-0x00000000774AF000-memory.dmp family_blackmoon behavioral1/memory/536-8626-0x0000000077390000-0x00000000774AF000-memory.dmp family_blackmoon behavioral1/memory/536-18565-0x0000000077390000-0x00000000774AF000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2096 w80262.exe 2608 xxxrffl.exe 2948 9bnbhn.exe 484 rlrllrf.exe 2892 fxrfrxr.exe 2840 vppdj.exe 2240 2008686.exe 2984 488044.exe 2888 c260208.exe 2680 k26400.exe 2756 jdpvj.exe 2520 1dpvv.exe 1504 860468.exe 3016 226866.exe 300 846064.exe 2880 3vjjp.exe 1220 lxlrlff.exe 1772 e28680.exe 1236 i484068.exe 3032 xfllrlf.exe 3064 48068.exe 2412 ffflxlx.exe 2532 60628.exe 2444 260202.exe 692 6066284.exe 872 8048800.exe 1648 lffrffr.exe 2108 q68064.exe 1064 7frrrfx.exe 1052 826864.exe 1916 w86006.exe 2624 w86246.exe 1696 rffflxr.exe 2028 2642446.exe 2584 4480206.exe 1580 22244.exe 2144 9rrfxrr.exe 2912 820024.exe 2928 7tttbb.exe 2892 6680246.exe 780 bhbtht.exe 2248 88046.exe 2704 hhttbn.exe 2720 48624.exe 1292 9frxllx.exe 2888 vppvd.exe 2804 826680.exe 1700 vpvpd.exe 1248 88684.exe 624 i480846.exe 1812 s4802.exe 1504 7vvvd.exe 3016 086846.exe 2740 ffxxrfr.exe 3012 rlxrrxr.exe 2568 vvpvj.exe 2996 ppjjd.exe 2000 jpdpp.exe 1636 rrlfrxf.exe 660 48006.exe 2484 k64088.exe 2992 48006.exe 2180 lfrxlxl.exe 2612 u888064.exe -
resource yara_rule behavioral1/memory/2636-1-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2096-7-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00080000000120fc-6.dat upx behavioral1/files/0x00080000000194e6-16.dat upx behavioral1/memory/2096-15-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0007000000019551-23.dat upx behavioral1/files/0x000700000001955c-32.dat upx behavioral1/memory/2948-27-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2608-24-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/484-40-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00070000000195c0-41.dat upx behavioral1/files/0x00060000000195f9-49.dat upx behavioral1/files/0x00060000000195fb-56.dat upx behavioral1/memory/2240-66-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00060000000195fd-65.dat upx behavioral1/files/0x00080000000195ff-74.dat upx behavioral1/memory/2984-75-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001a4b5-84.dat upx behavioral1/memory/2888-83-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001a4b7-93.dat upx behavioral1/memory/2680-92-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001a4b9-102.dat upx behavioral1/memory/2756-101-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2520-103-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001a4bb-111.dat upx behavioral1/files/0x00070000000194da-118.dat upx behavioral1/memory/3016-120-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001a4bd-127.dat upx behavioral1/files/0x000500000001a4bf-134.dat upx behavioral1/memory/2880-136-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/300-135-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral1/memory/2880-144-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001a4c1-145.dat upx behavioral1/memory/1220-153-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001a4c3-154.dat upx behavioral1/files/0x000500000001a4c5-160.dat upx behavioral1/files/0x000500000001a4c7-167.dat upx behavioral1/files/0x000500000001a4c9-175.dat upx behavioral1/files/0x000500000001a4cb-182.dat upx behavioral1/memory/2412-189-0x00000000003B0000-0x00000000003D7000-memory.dmp upx behavioral1/files/0x000500000001a4cd-191.dat upx behavioral1/files/0x000500000001a4cf-198.dat upx behavioral1/memory/2444-200-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001a4d4-207.dat upx behavioral1/memory/692-213-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001a4d8-214.dat upx behavioral1/files/0x000500000001a4da-225.dat upx behavioral1/memory/872-224-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2108-234-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/1648-233-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001a4dc-232.dat upx behavioral1/memory/1064-246-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001a4de-245.dat upx behavioral1/memory/2108-244-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001a4e1-254.dat upx behavioral1/memory/1064-253-0x00000000003B0000-0x00000000003D7000-memory.dmp upx behavioral1/files/0x000500000001a4e3-261.dat upx behavioral1/files/0x000500000001a4e5-268.dat upx behavioral1/memory/2144-295-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2912-306-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2248-327-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2888-348-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral1/memory/624-365-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/1812-371-0x0000000000400000-0x0000000000427000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location (here: reads of HKLM\SYSTEM\ControlSet001\Control\NLS\Language). Many entries below are attributed to "Process not Found", meaning the sandbox could not tie the registry read to a live process name.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 886246.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfxrxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language i420286.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdpvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a0284.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6646884.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlxffff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6084068.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxxrxlr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvdpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not 
Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language u460006.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 04402.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ntttnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lffrffr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 882028.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9lfffff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thbnth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6040280.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found 
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvjvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhbnnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjdpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 64266.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language s8008.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdpvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnhtht.exe -
Suspicious use of WriteProcessMemory 64 IoCs (each listed write is from a process into the child it spawns next in the chain — compare the process tree below — not into an unrelated process)
description pid Process procid_target PID 2636 wrote to memory of 2096 2636 ea66a835b94123afe2221074fecebf8269b7c4afe401f5fb3ad67cb3f726ae1bN.exe 30 PID 2636 wrote to memory of 2096 2636 ea66a835b94123afe2221074fecebf8269b7c4afe401f5fb3ad67cb3f726ae1bN.exe 30 PID 2636 wrote to memory of 2096 2636 ea66a835b94123afe2221074fecebf8269b7c4afe401f5fb3ad67cb3f726ae1bN.exe 30 PID 2636 wrote to memory of 2096 2636 ea66a835b94123afe2221074fecebf8269b7c4afe401f5fb3ad67cb3f726ae1bN.exe 30 PID 2096 wrote to memory of 2608 2096 w80262.exe 31 PID 2096 wrote to memory of 2608 2096 w80262.exe 31 PID 2096 wrote to memory of 2608 2096 w80262.exe 31 PID 2096 wrote to memory of 2608 2096 w80262.exe 31 PID 2608 wrote to memory of 2948 2608 xxxrffl.exe 32 PID 2608 wrote to memory of 2948 2608 xxxrffl.exe 32 PID 2608 wrote to memory of 2948 2608 xxxrffl.exe 32 PID 2608 wrote to memory of 2948 2608 xxxrffl.exe 32 PID 2948 wrote to memory of 484 2948 9bnbhn.exe 33 PID 2948 wrote to memory of 484 2948 9bnbhn.exe 33 PID 2948 wrote to memory of 484 2948 9bnbhn.exe 33 PID 2948 wrote to memory of 484 2948 9bnbhn.exe 33 PID 484 wrote to memory of 2892 484 rlrllrf.exe 34 PID 484 wrote to memory of 2892 484 rlrllrf.exe 34 PID 484 wrote to memory of 2892 484 rlrllrf.exe 34 PID 484 wrote to memory of 2892 484 rlrllrf.exe 34 PID 2892 wrote to memory of 2840 2892 fxrfrxr.exe 35 PID 2892 wrote to memory of 2840 2892 fxrfrxr.exe 35 PID 2892 wrote to memory of 2840 2892 fxrfrxr.exe 35 PID 2892 wrote to memory of 2840 2892 fxrfrxr.exe 35 PID 2840 wrote to memory of 2240 2840 vppdj.exe 36 PID 2840 wrote to memory of 2240 2840 vppdj.exe 36 PID 2840 wrote to memory of 2240 2840 vppdj.exe 36 PID 2840 wrote to memory of 2240 2840 vppdj.exe 36 PID 2240 wrote to memory of 2984 2240 2008686.exe 37 PID 2240 wrote to memory of 2984 2240 2008686.exe 37 PID 2240 wrote to memory of 2984 2240 2008686.exe 37 PID 2240 wrote to memory of 2984 2240 2008686.exe 37 PID 2984 wrote to memory of 2888 2984 488044.exe 38 PID 2984 
wrote to memory of 2888 2984 488044.exe 38 PID 2984 wrote to memory of 2888 2984 488044.exe 38 PID 2984 wrote to memory of 2888 2984 488044.exe 38 PID 2888 wrote to memory of 2680 2888 c260208.exe 39 PID 2888 wrote to memory of 2680 2888 c260208.exe 39 PID 2888 wrote to memory of 2680 2888 c260208.exe 39 PID 2888 wrote to memory of 2680 2888 c260208.exe 39 PID 2680 wrote to memory of 2756 2680 k26400.exe 40 PID 2680 wrote to memory of 2756 2680 k26400.exe 40 PID 2680 wrote to memory of 2756 2680 k26400.exe 40 PID 2680 wrote to memory of 2756 2680 k26400.exe 40 PID 2756 wrote to memory of 2520 2756 jdpvj.exe 41 PID 2756 wrote to memory of 2520 2756 jdpvj.exe 41 PID 2756 wrote to memory of 2520 2756 jdpvj.exe 41 PID 2756 wrote to memory of 2520 2756 jdpvj.exe 41 PID 2520 wrote to memory of 1504 2520 1dpvv.exe 42 PID 2520 wrote to memory of 1504 2520 1dpvv.exe 42 PID 2520 wrote to memory of 1504 2520 1dpvv.exe 42 PID 2520 wrote to memory of 1504 2520 1dpvv.exe 42 PID 1504 wrote to memory of 3016 1504 860468.exe 43 PID 1504 wrote to memory of 3016 1504 860468.exe 43 PID 1504 wrote to memory of 3016 1504 860468.exe 43 PID 1504 wrote to memory of 3016 1504 860468.exe 43 PID 3016 wrote to memory of 300 3016 226866.exe 44 PID 3016 wrote to memory of 300 3016 226866.exe 44 PID 3016 wrote to memory of 300 3016 226866.exe 44 PID 3016 wrote to memory of 300 3016 226866.exe 44 PID 300 wrote to memory of 2880 300 846064.exe 45 PID 300 wrote to memory of 2880 300 846064.exe 45 PID 300 wrote to memory of 2880 300 846064.exe 45 PID 300 wrote to memory of 2880 300 846064.exe 45
Processes (PIDs are reused within this run — e.g. 2892, 2888, 1504 and 3016 each appear for more than one process below — so PID-keyed IoCs above should be correlated by the numeric suffix in the dump name rather than by PID alone)
-
C:\Users\Admin\AppData\Local\Temp\ea66a835b94123afe2221074fecebf8269b7c4afe401f5fb3ad67cb3f726ae1bN.exe"C:\Users\Admin\AppData\Local\Temp\ea66a835b94123afe2221074fecebf8269b7c4afe401f5fb3ad67cb3f726ae1bN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2636 -
\??\c:\w80262.exec:\w80262.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2096 -
\??\c:\xxxrffl.exec:\xxxrffl.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2608 -
\??\c:\9bnbhn.exec:\9bnbhn.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2948 -
\??\c:\rlrllrf.exec:\rlrllrf.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:484 -
\??\c:\fxrfrxr.exec:\fxrfrxr.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2892 -
\??\c:\vppdj.exec:\vppdj.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2840 -
\??\c:\2008686.exec:\2008686.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2240 -
\??\c:\488044.exec:\488044.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2984 -
\??\c:\c260208.exec:\c260208.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2888 -
\??\c:\k26400.exec:\k26400.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2680 -
\??\c:\jdpvj.exec:\jdpvj.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2756 -
\??\c:\1dpvv.exec:\1dpvv.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2520 -
\??\c:\860468.exec:\860468.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1504 -
\??\c:\226866.exec:\226866.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3016 -
\??\c:\846064.exec:\846064.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:300 -
\??\c:\3vjjp.exec:\3vjjp.exe17⤵
- Executes dropped EXE
PID:2880 -
\??\c:\lxlrlff.exec:\lxlrlff.exe18⤵
- Executes dropped EXE
PID:1220 -
\??\c:\e28680.exec:\e28680.exe19⤵
- Executes dropped EXE
PID:1772 -
\??\c:\i484068.exec:\i484068.exe20⤵
- Executes dropped EXE
PID:1236 -
\??\c:\xfllrlf.exec:\xfllrlf.exe21⤵
- Executes dropped EXE
PID:3032 -
\??\c:\48068.exec:\48068.exe22⤵
- Executes dropped EXE
PID:3064 -
\??\c:\ffflxlx.exec:\ffflxlx.exe23⤵
- Executes dropped EXE
PID:2412 -
\??\c:\60628.exec:\60628.exe24⤵
- Executes dropped EXE
PID:2532 -
\??\c:\260202.exec:\260202.exe25⤵
- Executes dropped EXE
PID:2444 -
\??\c:\6066284.exec:\6066284.exe26⤵
- Executes dropped EXE
PID:692 -
\??\c:\8048800.exec:\8048800.exe27⤵
- Executes dropped EXE
PID:872 -
\??\c:\lffrffr.exec:\lffrffr.exe28⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1648 -
\??\c:\q68064.exec:\q68064.exe29⤵
- Executes dropped EXE
PID:2108 -
\??\c:\7frrrfx.exec:\7frrrfx.exe30⤵
- Executes dropped EXE
PID:1064 -
\??\c:\826864.exec:\826864.exe31⤵
- Executes dropped EXE
PID:1052 -
\??\c:\w86006.exec:\w86006.exe32⤵
- Executes dropped EXE
PID:1916 -
\??\c:\w86246.exec:\w86246.exe33⤵
- Executes dropped EXE
PID:2624 -
\??\c:\rffflxr.exec:\rffflxr.exe34⤵
- Executes dropped EXE
PID:1696 -
\??\c:\2642446.exec:\2642446.exe35⤵
- Executes dropped EXE
PID:2028 -
\??\c:\4480206.exec:\4480206.exe36⤵
- Executes dropped EXE
PID:2584 -
\??\c:\22244.exec:\22244.exe37⤵
- Executes dropped EXE
PID:1580 -
\??\c:\9rrfxrr.exec:\9rrfxrr.exe38⤵
- Executes dropped EXE
PID:2144 -
\??\c:\820024.exec:\820024.exe39⤵
- Executes dropped EXE
PID:2912 -
\??\c:\7tttbb.exec:\7tttbb.exe40⤵
- Executes dropped EXE
PID:2928 -
\??\c:\6680246.exec:\6680246.exe41⤵
- Executes dropped EXE
PID:2892 -
\??\c:\bhbtht.exec:\bhbtht.exe42⤵
- Executes dropped EXE
PID:780 -
\??\c:\88046.exec:\88046.exe43⤵
- Executes dropped EXE
PID:2248 -
\??\c:\hhttbn.exec:\hhttbn.exe44⤵
- Executes dropped EXE
PID:2704 -
\??\c:\48624.exec:\48624.exe45⤵
- Executes dropped EXE
PID:2720 -
\??\c:\9frxllx.exec:\9frxllx.exe46⤵
- Executes dropped EXE
PID:1292 -
\??\c:\vppvd.exec:\vppvd.exe47⤵
- Executes dropped EXE
PID:2888 -
\??\c:\826680.exec:\826680.exe48⤵
- Executes dropped EXE
PID:2804 -
\??\c:\vpvpd.exec:\vpvpd.exe49⤵
- Executes dropped EXE
PID:1700 -
\??\c:\88684.exec:\88684.exe50⤵
- Executes dropped EXE
PID:1248 -
\??\c:\i480846.exec:\i480846.exe51⤵
- Executes dropped EXE
PID:624 -
\??\c:\s4802.exec:\s4802.exe52⤵
- Executes dropped EXE
PID:1812 -
\??\c:\7vvvd.exec:\7vvvd.exe53⤵
- Executes dropped EXE
PID:1504 -
\??\c:\086846.exec:\086846.exe54⤵
- Executes dropped EXE
PID:3016 -
\??\c:\ffxxrfr.exec:\ffxxrfr.exe55⤵
- Executes dropped EXE
PID:2740 -
\??\c:\rlxrrxr.exec:\rlxrrxr.exe56⤵
- Executes dropped EXE
PID:3012 -
\??\c:\vvpvj.exec:\vvpvj.exe57⤵
- Executes dropped EXE
PID:2568 -
\??\c:\ppjjd.exec:\ppjjd.exe58⤵
- Executes dropped EXE
PID:2996 -
\??\c:\jpdpp.exec:\jpdpp.exe59⤵
- Executes dropped EXE
PID:2000 -
\??\c:\rrlfrxf.exec:\rrlfrxf.exe60⤵
- Executes dropped EXE
PID:1636 -
\??\c:\48006.exec:\48006.exe61⤵
- Executes dropped EXE
PID:660 -
\??\c:\k64088.exec:\k64088.exe62⤵
- Executes dropped EXE
PID:2484 -
\??\c:\48006.exec:\48006.exe63⤵
- Executes dropped EXE
PID:2992 -
\??\c:\lfrxlxl.exec:\lfrxlxl.exe64⤵
- Executes dropped EXE
PID:2180 -
\??\c:\u888064.exec:\u888064.exe65⤵
- Executes dropped EXE
PID:2612 -
\??\c:\ntnhht.exec:\ntnhht.exe66⤵PID:2284
-
\??\c:\5dvpv.exec:\5dvpv.exe67⤵PID:448
-
\??\c:\1htnbb.exec:\1htnbb.exe68⤵PID:2192
-
\??\c:\o480224.exec:\o480224.exe69⤵PID:2420
-
\??\c:\hbhbtt.exec:\hbhbtt.exe70⤵PID:332
-
\??\c:\44246.exec:\44246.exe71⤵PID:2200
-
\??\c:\k82280.exec:\k82280.exe72⤵PID:2336
-
\??\c:\264240.exec:\264240.exe73⤵PID:1952
-
\??\c:\u262002.exec:\u262002.exe74⤵PID:1752
-
\??\c:\3jdpv.exec:\3jdpv.exe75⤵PID:272
-
\??\c:\82868.exec:\82868.exe76⤵PID:1052
-
\??\c:\48624.exec:\48624.exe77⤵PID:1788
-
\??\c:\4428668.exec:\4428668.exe78⤵PID:2060
-
\??\c:\3xxlxfr.exec:\3xxlxfr.exe79⤵PID:2600
-
\??\c:\60428.exec:\60428.exe80⤵PID:2116
-
\??\c:\vpjpv.exec:\vpjpv.exe81⤵PID:1588
-
\??\c:\jdvdv.exec:\jdvdv.exe82⤵PID:2260
-
\??\c:\thhtnb.exec:\thhtnb.exe83⤵PID:1740
-
\??\c:\464406.exec:\464406.exe84⤵PID:2936
-
\??\c:\dpdpp.exec:\dpdpp.exe85⤵PID:2940
-
\??\c:\3vdvv.exec:\3vdvv.exe86⤵PID:2816
-
\??\c:\frlrxll.exec:\frlrxll.exe87⤵PID:2892
-
\??\c:\xrlxffl.exec:\xrlxffl.exe88⤵PID:780
-
\??\c:\xrxxrxl.exec:\xrxxrxl.exe89⤵PID:3028
-
\??\c:\m4006.exec:\m4006.exe90⤵PID:2984
-
\??\c:\k46628.exec:\k46628.exe91⤵PID:1324
-
\??\c:\042406.exec:\042406.exe92⤵PID:2712
-
\??\c:\xrrlfrx.exec:\xrrlfrx.exe93⤵PID:2548
-
\??\c:\22626.exec:\22626.exe94⤵PID:2296
-
\??\c:\88800.exec:\88800.exe95⤵PID:636
-
\??\c:\ffrfxfr.exec:\ffrfxfr.exe96⤵PID:2416
-
\??\c:\w26246.exec:\w26246.exe97⤵PID:624
-
\??\c:\w60206.exec:\w60206.exe98⤵PID:1256
-
\??\c:\lfrxrrf.exec:\lfrxrrf.exe99⤵PID:3060
-
\??\c:\rrflffr.exec:\rrflffr.exe100⤵PID:2972
-
\??\c:\86440.exec:\86440.exe101⤵PID:2740
-
\??\c:\w62666.exec:\w62666.exe102⤵PID:3012
-
\??\c:\1xrlrxf.exec:\1xrlrxf.exe103⤵PID:2068
-
\??\c:\220026.exec:\220026.exe104⤵PID:1980
-
\??\c:\602628.exec:\602628.exe105⤵PID:1092
-
\??\c:\hbttth.exec:\hbttth.exe106⤵PID:3068
-
\??\c:\jdppv.exec:\jdppv.exe107⤵PID:3032
-
\??\c:\264462.exec:\264462.exe108⤵PID:584
-
\??\c:\608442.exec:\608442.exe109⤵PID:1784
-
\??\c:\dpvpp.exec:\dpvpp.exe110⤵PID:268
-
\??\c:\480448.exec:\480448.exe111⤵PID:2532
-
\??\c:\llxxflx.exec:\llxxflx.exe112⤵PID:2528
-
\??\c:\7rfrxrx.exec:\7rfrxrx.exe113⤵PID:1800
-
\??\c:\0840628.exec:\0840628.exe114⤵PID:1344
-
\??\c:\862804.exec:\862804.exe115⤵PID:1288
-
\??\c:\1vddj.exec:\1vddj.exe116⤵PID:1776
-
\??\c:\0424224.exec:\0424224.exe117⤵PID:2288
-
\??\c:\k86288.exec:\k86288.exe118⤵PID:2428
-
\??\c:\88426.exec:\88426.exe119⤵PID:2256
-
\??\c:\lfxlrrx.exec:\lfxlrrx.exe120⤵PID:888
-
\??\c:\s8224.exec:\s8224.exe121⤵PID:876
-
\??\c:\vjjjj.exec:\vjjjj.exe122⤵PID:2152