Analysis
-
max time kernel
120s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64 arch:x86 image:win7-20241010-en locale:en-us os:windows7-x64 system -
submitted
11-01-2025 06:51
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
080d54551ba3a3dd64424914eabd635189889694ede76c42a27f7ab53688d266N.exe
Resource
win7-20241010-en
7 signatures
120 seconds
General
-
Target
080d54551ba3a3dd64424914eabd635189889694ede76c42a27f7ab53688d266N.exe
-
Size
455KB
-
MD5
6c094423151ca8135feb0ddf76a08630
-
SHA1
39cf6929aad58026554fde70ae75b8936e2708b7
-
SHA256
080d54551ba3a3dd64424914eabd635189889694ede76c42a27f7ab53688d266
-
SHA512
af3b5c4e540831fa6e9b13f202f1886f5cd70bd55bae9a06245494b4088a66e80abb831b17998d551e52decddc4901681406e640fba512042164b075df098030
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbek:q7Tc2NYHUrAwfMp3CDk
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 37 IoCs
resource yara_rule behavioral1/memory/2116-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2368-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1564-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2504-38-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2832-57-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3068-74-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2720-92-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/488-127-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2900-145-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2180-179-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2096-187-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2652-255-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1604-293-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2924-406-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1040-387-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/980-380-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2828-319-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1276-301-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2288-272-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1700-239-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1732-230-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/1532-212-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1852-169-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1496-119-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2528-101-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2996-83-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2360-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2992-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2440-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2440-28-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/264-430-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/2564-678-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/852-767-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2772-781-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2572-888-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3044-1141-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/472-1219-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2368 0866280.exe 1564 600044.exe 2440 rllfrlf.exe 2504 frfrffr.exe 2992 o084068.exe 2832 pdpdd.exe 2360 rfrxfxf.exe 3068 9fxxrrf.exe 2996 22046.exe 2720 3ntbbb.exe 2528 20840.exe 1500 jjdjp.exe 1496 vvpvj.exe 488 frfffff.exe 2864 9rxflll.exe 2900 3fxllrf.exe 3016 xrrxrxl.exe 2112 9ntttn.exe 1852 868288.exe 2180 8206284.exe 2096 pddpd.exe 1740 jdjvd.exe 1548 640026.exe 1532 vpdjv.exe 2400 480860.exe 1732 pjppv.exe 1700 266462.exe 2912 a4228.exe 2652 nhtbnt.exe 2044 rrflxxf.exe 2288 pppdp.exe 876 448686.exe 1488 60802.exe 1604 dddpv.exe 1276 e88028.exe 1536 s2686.exe 2260 8848866.exe 2828 220280.exe 2184 e08080.exe 2156 jvpjj.exe 3032 482248.exe 2712 dpddj.exe 2724 7tthbn.exe 2764 5nbnnt.exe 2688 220202.exe 2472 6642448.exe 2452 hbthtb.exe 980 rrrxrfx.exe 1040 s0406.exe 3020 628006.exe 2788 lfflxxr.exe 2924 26046.exe 2852 8644680.exe 340 btntnt.exe 264 tbbnbb.exe 2284 nnhnht.exe 1292 pjvdj.exe 848 vpjvd.exe 2400 1nhtth.exe 708 o480620.exe 2084 0006240.exe 1860 3jdjp.exe 2584 9jddp.exe 2336 bhnttb.exe -
resource yara_rule behavioral1/memory/2116-0-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2116-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2368-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1564-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2504-38-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2832-57-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3068-74-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2720-92-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/488-127-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2900-145-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2180-179-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2096-187-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2652-255-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1604-293-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2924-406-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1040-387-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/980-380-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2828-319-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1276-301-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2288-272-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1700-239-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1732-230-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1532-212-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1852-169-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/1496-119-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2528-101-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2996-83-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2360-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2992-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2440-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2440-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2084-464-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2812-562-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2564-678-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1852-679-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1824-711-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/852-767-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2772-774-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2772-781-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1196-806-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2004-843-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1656-868-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2100-875-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2572-888-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2192-931-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1276-1065-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1908-1072-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2812-1109-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/3044-1141-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2792-1154-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1692-1180-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2992-1212-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/472-1219-0x00000000003C0000-0x00000000003EA000-memory.dmp upx behavioral1/memory/1488-1336-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1908-1349-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim host in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2606228.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7vpdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjjpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a4020.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xfxrxfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 608468.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddjjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 26044.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process 
not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbhhbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 260840.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvjjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxxfrxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2116 wrote to memory of 2368 2116 080d54551ba3a3dd64424914eabd635189889694ede76c42a27f7ab53688d266N.exe 30 PID 2116 wrote to memory of 2368 2116 080d54551ba3a3dd64424914eabd635189889694ede76c42a27f7ab53688d266N.exe 30 PID 2116 wrote to memory of 2368 2116 080d54551ba3a3dd64424914eabd635189889694ede76c42a27f7ab53688d266N.exe 30 PID 2116 wrote to memory of 2368 2116 080d54551ba3a3dd64424914eabd635189889694ede76c42a27f7ab53688d266N.exe 30 PID 2368 wrote to memory of 1564 2368 0866280.exe 31 PID 2368 wrote to memory of 1564 2368 0866280.exe 31 PID 2368 wrote to memory of 1564 2368 0866280.exe 31 PID 2368 wrote to memory of 1564 2368 0866280.exe 31 PID 1564 wrote to memory of 2440 1564 600044.exe 32 PID 1564 wrote to memory of 2440 1564 600044.exe 32 PID 1564 wrote to memory of 2440 1564 600044.exe 32 PID 1564 wrote to memory of 2440 1564 600044.exe 32 PID 2440 wrote to memory of 2504 2440 rllfrlf.exe 33 PID 2440 wrote to memory of 2504 2440 rllfrlf.exe 33 PID 2440 wrote to memory of 2504 2440 rllfrlf.exe 33 PID 2440 wrote to memory of 2504 2440 rllfrlf.exe 33 PID 2504 wrote to memory of 2992 2504 frfrffr.exe 34 PID 2504 wrote to memory of 2992 2504 frfrffr.exe 34 PID 2504 wrote to memory of 2992 2504 frfrffr.exe 34 PID 2504 wrote to memory of 2992 2504 frfrffr.exe 34 PID 2992 wrote to memory of 2832 2992 o084068.exe 35 PID 2992 wrote to memory of 2832 2992 o084068.exe 35 PID 2992 wrote to memory of 2832 2992 o084068.exe 35 PID 2992 wrote to memory of 2832 2992 o084068.exe 35 PID 2832 wrote to memory of 2360 2832 pdpdd.exe 36 PID 2832 wrote to memory of 2360 2832 pdpdd.exe 36 PID 2832 wrote to memory of 2360 2832 pdpdd.exe 36 PID 2832 wrote to memory of 2360 2832 pdpdd.exe 36 PID 2360 wrote to memory of 3068 2360 rfrxfxf.exe 37 PID 2360 wrote to memory of 3068 2360 rfrxfxf.exe 37 PID 2360 wrote to memory of 3068 2360 rfrxfxf.exe 37 PID 2360 wrote to memory of 3068 2360 rfrxfxf.exe 37 PID 3068 wrote to memory of 2996 3068 
9fxxrrf.exe 38 PID 3068 wrote to memory of 2996 3068 9fxxrrf.exe 38 PID 3068 wrote to memory of 2996 3068 9fxxrrf.exe 38 PID 3068 wrote to memory of 2996 3068 9fxxrrf.exe 38 PID 2996 wrote to memory of 2720 2996 22046.exe 39 PID 2996 wrote to memory of 2720 2996 22046.exe 39 PID 2996 wrote to memory of 2720 2996 22046.exe 39 PID 2996 wrote to memory of 2720 2996 22046.exe 39 PID 2720 wrote to memory of 2528 2720 3ntbbb.exe 40 PID 2720 wrote to memory of 2528 2720 3ntbbb.exe 40 PID 2720 wrote to memory of 2528 2720 3ntbbb.exe 40 PID 2720 wrote to memory of 2528 2720 3ntbbb.exe 40 PID 2528 wrote to memory of 1500 2528 20840.exe 41 PID 2528 wrote to memory of 1500 2528 20840.exe 41 PID 2528 wrote to memory of 1500 2528 20840.exe 41 PID 2528 wrote to memory of 1500 2528 20840.exe 41 PID 1500 wrote to memory of 1496 1500 jjdjp.exe 42 PID 1500 wrote to memory of 1496 1500 jjdjp.exe 42 PID 1500 wrote to memory of 1496 1500 jjdjp.exe 42 PID 1500 wrote to memory of 1496 1500 jjdjp.exe 42 PID 1496 wrote to memory of 488 1496 vvpvj.exe 43 PID 1496 wrote to memory of 488 1496 vvpvj.exe 43 PID 1496 wrote to memory of 488 1496 vvpvj.exe 43 PID 1496 wrote to memory of 488 1496 vvpvj.exe 43 PID 488 wrote to memory of 2864 488 frfffff.exe 44 PID 488 wrote to memory of 2864 488 frfffff.exe 44 PID 488 wrote to memory of 2864 488 frfffff.exe 44 PID 488 wrote to memory of 2864 488 frfffff.exe 44 PID 2864 wrote to memory of 2900 2864 9rxflll.exe 45 PID 2864 wrote to memory of 2900 2864 9rxflll.exe 45 PID 2864 wrote to memory of 2900 2864 9rxflll.exe 45 PID 2864 wrote to memory of 2900 2864 9rxflll.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\080d54551ba3a3dd64424914eabd635189889694ede76c42a27f7ab53688d266N.exe"C:\Users\Admin\AppData\Local\Temp\080d54551ba3a3dd64424914eabd635189889694ede76c42a27f7ab53688d266N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2116 -
\??\c:\0866280.exec:\0866280.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2368 -
\??\c:\600044.exec:\600044.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1564 -
\??\c:\rllfrlf.exec:\rllfrlf.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2440 -
\??\c:\frfrffr.exec:\frfrffr.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2504 -
\??\c:\o084068.exec:\o084068.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2992 -
\??\c:\pdpdd.exec:\pdpdd.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2832 -
\??\c:\rfrxfxf.exec:\rfrxfxf.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2360 -
\??\c:\9fxxrrf.exec:\9fxxrrf.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3068 -
\??\c:\22046.exec:\22046.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2996 -
\??\c:\3ntbbb.exec:\3ntbbb.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2720 -
\??\c:\20840.exec:\20840.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2528 -
\??\c:\jjdjp.exec:\jjdjp.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1500 -
\??\c:\vvpvj.exec:\vvpvj.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1496 -
\??\c:\frfffff.exec:\frfffff.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:488 -
\??\c:\9rxflll.exec:\9rxflll.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2864 -
\??\c:\3fxllrf.exec:\3fxllrf.exe17⤵
- Executes dropped EXE
PID:2900 -
\??\c:\xrrxrxl.exec:\xrrxrxl.exe18⤵
- Executes dropped EXE
PID:3016 -
\??\c:\9ntttn.exec:\9ntttn.exe19⤵
- Executes dropped EXE
PID:2112 -
\??\c:\868288.exec:\868288.exe20⤵
- Executes dropped EXE
PID:1852 -
\??\c:\8206284.exec:\8206284.exe21⤵
- Executes dropped EXE
PID:2180 -
\??\c:\pddpd.exec:\pddpd.exe22⤵
- Executes dropped EXE
PID:2096 -
\??\c:\jdjvd.exec:\jdjvd.exe23⤵
- Executes dropped EXE
PID:1740 -
\??\c:\640026.exec:\640026.exe24⤵
- Executes dropped EXE
PID:1548 -
\??\c:\vpdjv.exec:\vpdjv.exe25⤵
- Executes dropped EXE
PID:1532 -
\??\c:\480860.exec:\480860.exe26⤵
- Executes dropped EXE
PID:2400 -
\??\c:\pjppv.exec:\pjppv.exe27⤵
- Executes dropped EXE
PID:1732 -
\??\c:\266462.exec:\266462.exe28⤵
- Executes dropped EXE
PID:1700 -
\??\c:\a4228.exec:\a4228.exe29⤵
- Executes dropped EXE
PID:2912 -
\??\c:\nhtbnt.exec:\nhtbnt.exe30⤵
- Executes dropped EXE
PID:2652 -
\??\c:\rrflxxf.exec:\rrflxxf.exe31⤵
- Executes dropped EXE
PID:2044 -
\??\c:\pppdp.exec:\pppdp.exe32⤵
- Executes dropped EXE
PID:2288 -
\??\c:\448686.exec:\448686.exe33⤵
- Executes dropped EXE
PID:876 -
\??\c:\60802.exec:\60802.exe34⤵
- Executes dropped EXE
PID:1488 -
\??\c:\dddpv.exec:\dddpv.exe35⤵
- Executes dropped EXE
PID:1604 -
\??\c:\e88028.exec:\e88028.exe36⤵
- Executes dropped EXE
PID:1276 -
\??\c:\s2686.exec:\s2686.exe37⤵
- Executes dropped EXE
PID:1536 -
\??\c:\8848866.exec:\8848866.exe38⤵
- Executes dropped EXE
PID:2260 -
\??\c:\220280.exec:\220280.exe39⤵
- Executes dropped EXE
PID:2828 -
\??\c:\e08080.exec:\e08080.exe40⤵
- Executes dropped EXE
PID:2184 -
\??\c:\jvpjj.exec:\jvpjj.exe41⤵
- Executes dropped EXE
PID:2156 -
\??\c:\482248.exec:\482248.exe42⤵
- Executes dropped EXE
PID:3032 -
\??\c:\dpddj.exec:\dpddj.exe43⤵
- Executes dropped EXE
PID:2712 -
\??\c:\7tthbn.exec:\7tthbn.exe44⤵
- Executes dropped EXE
PID:2724 -
\??\c:\5nbnnt.exec:\5nbnnt.exe45⤵
- Executes dropped EXE
PID:2764 -
\??\c:\220202.exec:\220202.exe46⤵
- Executes dropped EXE
PID:2688 -
\??\c:\6642448.exec:\6642448.exe47⤵
- Executes dropped EXE
PID:2472 -
\??\c:\hbthtb.exec:\hbthtb.exe48⤵
- Executes dropped EXE
PID:2452 -
\??\c:\rrrxrfx.exec:\rrrxrfx.exe49⤵
- Executes dropped EXE
PID:980 -
\??\c:\s0406.exec:\s0406.exe50⤵
- Executes dropped EXE
PID:1040 -
\??\c:\628006.exec:\628006.exe51⤵
- Executes dropped EXE
PID:3020 -
\??\c:\lfflxxr.exec:\lfflxxr.exe52⤵
- Executes dropped EXE
PID:2788 -
\??\c:\26046.exec:\26046.exe53⤵
- Executes dropped EXE
PID:2924 -
\??\c:\8644680.exec:\8644680.exe54⤵
- Executes dropped EXE
PID:2852 -
\??\c:\btntnt.exec:\btntnt.exe55⤵
- Executes dropped EXE
PID:340 -
\??\c:\tbbnbb.exec:\tbbnbb.exe56⤵
- Executes dropped EXE
PID:264 -
\??\c:\nnhnht.exec:\nnhnht.exe57⤵
- Executes dropped EXE
PID:2284 -
\??\c:\pjvdj.exec:\pjvdj.exe58⤵
- Executes dropped EXE
PID:1292 -
\??\c:\vpjvd.exec:\vpjvd.exe59⤵
- Executes dropped EXE
PID:848 -
\??\c:\1nhtth.exec:\1nhtth.exe60⤵
- Executes dropped EXE
PID:2400 -
\??\c:\o480620.exec:\o480620.exe61⤵
- Executes dropped EXE
PID:708 -
\??\c:\0006240.exec:\0006240.exe62⤵
- Executes dropped EXE
PID:2084 -
\??\c:\3jdjp.exec:\3jdjp.exe63⤵
- Executes dropped EXE
PID:1860 -
\??\c:\9jddp.exec:\9jddp.exe64⤵
- Executes dropped EXE
PID:2584 -
\??\c:\bhnttb.exec:\bhnttb.exe65⤵
- Executes dropped EXE
PID:2336 -
\??\c:\lfrrfrx.exec:\lfrrfrx.exe66⤵PID:2652
-
\??\c:\1pdpv.exec:\1pdpv.exe67⤵PID:1680
-
\??\c:\g2022.exec:\g2022.exe68⤵PID:2288
-
\??\c:\8684668.exec:\8684668.exe69⤵PID:2444
-
\??\c:\046644.exec:\046644.exe70⤵PID:1784
-
\??\c:\88020.exec:\88020.exe71⤵PID:2368
-
\??\c:\bthntb.exec:\bthntb.exe72⤵PID:1908
-
\??\c:\fffxxrx.exec:\fffxxrx.exe73⤵PID:1536
-
\??\c:\pjjpv.exec:\pjjpv.exe74⤵PID:2164
-
\??\c:\88202.exec:\88202.exe75⤵PID:1716
-
\??\c:\44840.exec:\44840.exe76⤵PID:2416
-
\??\c:\6022884.exec:\6022884.exe77⤵PID:2628
-
\??\c:\pjvpj.exec:\pjvpj.exe78⤵PID:2812
-
\??\c:\rfrlrlf.exec:\rfrlrlf.exe79⤵PID:2200
-
\??\c:\rfffrxf.exec:\rfffrxf.exe80⤵PID:2476
-
\??\c:\ththhn.exec:\ththhn.exe81⤵PID:2728
-
\??\c:\pjpvd.exec:\pjpvd.exe82⤵PID:1324
-
\??\c:\3rfxxff.exec:\3rfxxff.exe83⤵PID:3008
-
\??\c:\xrffllf.exec:\xrffllf.exe84⤵PID:2272
-
\??\c:\vjvvd.exec:\vjvvd.exe85⤵PID:1272
-
\??\c:\6466666.exec:\6466666.exe86⤵PID:1424
-
\??\c:\nbhbtt.exec:\nbhbtt.exe87⤵PID:2032
-
\??\c:\0802442.exec:\0802442.exe88⤵PID:288
-
\??\c:\1btthh.exec:\1btthh.exe89⤵PID:2000
-
\??\c:\lrlrffr.exec:\lrlrffr.exe90⤵PID:488
-
\??\c:\064264.exec:\064264.exe91⤵PID:1164
-
\??\c:\226262.exec:\226262.exe92⤵PID:2176
-
\??\c:\q20080.exec:\q20080.exe93⤵PID:2892
-
\??\c:\6044020.exec:\6044020.exe94⤵PID:1664
-
\??\c:\htthnh.exec:\htthnh.exe95⤵PID:928
-
\??\c:\ddvpd.exec:\ddvpd.exe96⤵PID:2564
-
\??\c:\fxlrxff.exec:\fxlrxff.exe97⤵PID:1852
-
\??\c:\80404.exec:\80404.exe98⤵PID:2280
-
\??\c:\420628.exec:\420628.exe99⤵PID:1156
-
\??\c:\20840.exec:\20840.exe100⤵PID:1992
-
\??\c:\bntnnh.exec:\bntnnh.exe101⤵PID:264
-
\??\c:\a2006.exec:\a2006.exe102⤵PID:1824
-
\??\c:\3hthhh.exec:\3hthhh.exe103⤵PID:2576
-
\??\c:\262222.exec:\262222.exe104⤵PID:2784
-
\??\c:\42062.exec:\42062.exe105⤵PID:2856
-
\??\c:\8644040.exec:\8644040.exe106⤵PID:2268
-
\??\c:\vvppd.exec:\vvppd.exe107⤵PID:2668
-
\??\c:\bnnbth.exec:\bnnbth.exe108⤵PID:2024
-
\??\c:\42046.exec:\42046.exe109⤵PID:1136
-
\??\c:\w60046.exec:\w60046.exe110⤵PID:2208
-
\??\c:\o684668.exec:\o684668.exe111⤵PID:852
-
\??\c:\hbtttn.exec:\hbtttn.exe112⤵PID:2772
-
\??\c:\3vjjj.exec:\3vjjj.exe113⤵PID:556
-
\??\c:\8648828.exec:\8648828.exe114⤵PID:1604
-
\??\c:\9tbhnh.exec:\9tbhnh.exe115⤵PID:1684
-
\??\c:\m2068.exec:\m2068.exe116⤵PID:1804
-
\??\c:\u400228.exec:\u400228.exe117⤵PID:1196
-
\??\c:\jdjdv.exec:\jdjdv.exe118⤵PID:2260
-
\??\c:\0082204.exec:\0082204.exe119⤵PID:1988
-
\??\c:\o442446.exec:\o442446.exe120⤵PID:632
-
\??\c:\xfxrxfr.exec:\xfxrxfr.exe121⤵
- System Location Discovery: System Language Discovery
PID:2440 -
\??\c:\5hbbnt.exec:\5hbbnt.exe122⤵PID:2504