Analysis
-
max time kernel
120s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20241023-en -
resource tags
arch:x64 arch:x86 image:win7-20241023-en locale:en-us os:windows7-x64 system -
submitted
20-01-2025 08:59
Behavioral task
behavioral1
Sample
7f7c9265cc78fae4cfa8f34f5f2ced346b067a6481a6947f6e51dd77ea1ebda5.exe
Resource
win7-20241023-en
7 signatures
120 seconds
General
-
Target
7f7c9265cc78fae4cfa8f34f5f2ced346b067a6481a6947f6e51dd77ea1ebda5.exe
-
Size
333KB
-
MD5
f8ec27d08ba79928584ea5f3bca91286
-
SHA1
7c9f13ab5bf1d2cdf6c3c81f6829ca6c0949c1f8
-
SHA256
7f7c9265cc78fae4cfa8f34f5f2ced346b067a6481a6947f6e51dd77ea1ebda5
-
SHA512
875072787947e90a0b4db3f0579df6c2cec7e73cd55975fe038c769f1c51b01376f2c866649e45e003b155a0166a0e2e742010f4a6b128688134e1fb7dbbf1f4
-
SSDEEP
6144:Lcm4FmowdHoSHt251UriZFwfsDX2UznsaFVNJCMKAben:R4wFHoSHYHUrAwfMp3CDn
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 44 IoCs
resource yara_rule behavioral1/memory/2504-6-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2740-20-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2772-50-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2712-67-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1768-83-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2316-91-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2724-128-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/888-144-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1864-120-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1960-168-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/536-175-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2216-74-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2092-59-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2496-42-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2264-28-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2820-16-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2616-203-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2472-260-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2932-268-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2932-272-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1620-279-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral1/memory/884-278-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1976-285-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2312-291-0x00000000003A0000-0x00000000003C7000-memory.dmp family_blackmoon behavioral1/memory/1600-297-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2692-332-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2632-339-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2032-352-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2632-358-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2320-395-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2100-421-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/3028-427-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/316-450-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2236-462-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/912-513-0x00000000003B0000-0x00000000003D7000-memory.dmp family_blackmoon behavioral1/memory/2840-561-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/656-640-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/1520-647-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/1520-646-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/1868-658-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/3036-905-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2880-924-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral1/memory/1028-956-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2332-8125-0x0000000077930000-0x0000000077A4F000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2820 3lxfllx.exe 2740 608628.exe 2264 8200244.exe 2496 264640.exe 2672 20802.exe 2772 206408.exe 2092 86844.exe 2712 6024406.exe 2216 42448.exe 1768 vpvdj.exe 2316 7jvpp.exe 2608 rfrrxxf.exe 1264 rflflfl.exe 2980 xlrlrrx.exe 1864 828462.exe 2724 8624440.exe 2544 82480.exe 888 4846406.exe 2900 s6842.exe 1292 5vpjp.exe 1960 u800040.exe 536 djddd.exe 2236 8244262.exe 2436 48006.exe 2616 1hnhnh.exe 1664 s6840.exe 852 q80462.exe 1544 60280.exe 620 nbnntt.exe 912 xllflfl.exe 2124 xrlrffl.exe 2472 680420.exe 1620 vdjpd.exe 2932 ffxxffl.exe 884 w64026.exe 1976 lfrxrrf.exe 2312 jppvv.exe 1600 7jvdp.exe 2188 08028.exe 2264 3btthh.exe 2644 w40628.exe 2996 g8044.exe 2908 420006.exe 2692 240242.exe 2632 bnnnbt.exe 2700 0428884.exe 2216 pdvdp.exe 2032 e82244.exe 2208 xrlxrlx.exe 1796 5vjjp.exe 2656 rlxlxlr.exe 2012 lxrlrrr.exe 2564 080688.exe 2368 s8286.exe 2320 hhbtbh.exe 2892 7rllrxf.exe 2952 8684662.exe 2904 088448.exe 1088 208800.exe 2100 w06064.exe 3028 k42222.exe 3000 lxrxlrx.exe 1280 xrfflfl.exe 1712 k82804.exe -
resource yara_rule behavioral1/memory/2504-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000c000000012281-5.dat upx behavioral1/memory/2820-8-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2504-6-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0008000000016c80-18.dat upx behavioral1/memory/2740-20-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0008000000016cd7-25.dat upx behavioral1/files/0x0007000000016d2a-33.dat upx behavioral1/files/0x0007000000016d3a-41.dat upx behavioral1/files/0x0007000000016d43-48.dat upx behavioral1/memory/2772-50-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0009000000016d54-65.dat upx behavioral1/memory/2712-67-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00070000000186e7-72.dat upx behavioral1/memory/1768-83-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00050000000186f1-90.dat upx behavioral1/memory/2316-91-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00050000000186f4-98.dat upx behavioral1/files/0x0005000000018704-104.dat upx behavioral1/files/0x0005000000018739-112.dat upx behavioral1/memory/2724-128-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001878e-127.dat upx behavioral1/files/0x00050000000187a8-136.dat upx behavioral1/memory/2544-135-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/888-144-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0006000000018b4e-143.dat upx behavioral1/files/0x0006000000018c16-151.dat upx behavioral1/memory/1864-120-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0005000000019246-159.dat upx behavioral1/memory/1292-158-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0005000000018744-119.dat upx behavioral1/files/0x0005000000019250-165.dat upx 
behavioral1/memory/1960-168-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/536-175-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x002d000000016875-174.dat upx behavioral1/files/0x00050000000186ed-82.dat upx behavioral1/files/0x0005000000019269-181.dat upx behavioral1/memory/2216-74-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0005000000019278-189.dat upx behavioral1/memory/2092-59-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0009000000016d4b-57.dat upx behavioral1/memory/2496-42-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2264-28-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2820-16-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0005000000019284-196.dat upx behavioral1/files/0x0005000000019297-206.dat upx behavioral1/memory/2616-203-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001933f-212.dat upx behavioral1/memory/1544-222-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0005000000019360-220.dat upx behavioral1/files/0x00050000000193a6-229.dat upx behavioral1/memory/2616-233-0x00000000002B0000-0x00000000002D7000-memory.dmp upx behavioral1/files/0x00050000000193b6-238.dat upx behavioral1/files/0x00050000000193c4-245.dat upx behavioral1/files/0x00050000000193df-252.dat upx behavioral1/memory/2472-260-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2932-268-0x0000000000220000-0x0000000000247000-memory.dmp upx behavioral1/memory/2932-272-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/1620-279-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/884-278-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/1976-285-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral1/memory/1600-297-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2264-304-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2996-316-0x0000000000400000-0x0000000000427000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 022408.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hthbhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8680668.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6028662.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvjjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0462662.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0428000.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbhhhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language g4622.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process 
not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language w04062.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language k80284.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 26480.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlrlrfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdddv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language q42688.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlxxllr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxrrxxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not 
Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frlrxrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a0268.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdjdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language k08068.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2504 wrote to memory of 2820 2504 7f7c9265cc78fae4cfa8f34f5f2ced346b067a6481a6947f6e51dd77ea1ebda5.exe 30 PID 2504 wrote to memory of 2820 2504 7f7c9265cc78fae4cfa8f34f5f2ced346b067a6481a6947f6e51dd77ea1ebda5.exe 30 PID 2504 wrote to memory of 2820 2504 7f7c9265cc78fae4cfa8f34f5f2ced346b067a6481a6947f6e51dd77ea1ebda5.exe 30 PID 2504 wrote to memory of 2820 2504 7f7c9265cc78fae4cfa8f34f5f2ced346b067a6481a6947f6e51dd77ea1ebda5.exe 30 PID 2820 wrote to memory of 2740 2820 3lxfllx.exe 31 PID 2820 wrote to memory of 2740 2820 3lxfllx.exe 31 PID 2820 wrote to memory of 2740 2820 3lxfllx.exe 31 PID 2820 wrote to memory of 2740 2820 3lxfllx.exe 31 PID 2740 wrote to memory of 2264 2740 608628.exe 32 PID 2740 wrote to memory of 2264 2740 608628.exe 32 PID 2740 wrote to memory of 2264 2740 608628.exe 32 PID 2740 wrote to memory of 2264 2740 608628.exe 32 PID 2264 wrote to memory of 2496 2264 8200244.exe 33 PID 2264 wrote to memory of 2496 2264 8200244.exe 33 PID 2264 wrote to memory of 2496 2264 8200244.exe 33 PID 2264 wrote to memory of 2496 2264 8200244.exe 33 PID 2496 wrote to memory of 2672 2496 264640.exe 34 PID 2496 wrote to memory of 2672 2496 264640.exe 34 PID 2496 wrote to memory of 2672 2496 264640.exe 34 PID 2496 wrote to memory of 2672 2496 264640.exe 34 PID 2672 wrote to memory of 2772 2672 20802.exe 35 PID 2672 wrote to memory of 2772 2672 20802.exe 35 PID 2672 wrote to memory of 2772 2672 20802.exe 35 PID 2672 wrote to memory of 2772 2672 20802.exe 35 PID 2772 wrote to memory of 2092 2772 206408.exe 36 PID 2772 wrote to memory of 2092 2772 206408.exe 36 PID 2772 wrote to memory of 2092 2772 206408.exe 36 PID 2772 wrote to memory of 2092 2772 206408.exe 36 PID 2092 wrote to memory of 2712 2092 86844.exe 37 PID 2092 wrote to memory of 2712 2092 86844.exe 37 PID 2092 wrote to memory of 2712 2092 86844.exe 37 PID 2092 wrote to memory of 2712 2092 86844.exe 37 PID 2712 wrote to memory of 2216 2712 6024406.exe 38 PID 2712 
wrote to memory of 2216 2712 6024406.exe 38 PID 2712 wrote to memory of 2216 2712 6024406.exe 38 PID 2712 wrote to memory of 2216 2712 6024406.exe 38 PID 2216 wrote to memory of 1768 2216 42448.exe 39 PID 2216 wrote to memory of 1768 2216 42448.exe 39 PID 2216 wrote to memory of 1768 2216 42448.exe 39 PID 2216 wrote to memory of 1768 2216 42448.exe 39 PID 1768 wrote to memory of 2316 1768 vpvdj.exe 40 PID 1768 wrote to memory of 2316 1768 vpvdj.exe 40 PID 1768 wrote to memory of 2316 1768 vpvdj.exe 40 PID 1768 wrote to memory of 2316 1768 vpvdj.exe 40 PID 2316 wrote to memory of 2608 2316 7jvpp.exe 41 PID 2316 wrote to memory of 2608 2316 7jvpp.exe 41 PID 2316 wrote to memory of 2608 2316 7jvpp.exe 41 PID 2316 wrote to memory of 2608 2316 7jvpp.exe 41 PID 2608 wrote to memory of 1264 2608 rfrrxxf.exe 42 PID 2608 wrote to memory of 1264 2608 rfrrxxf.exe 42 PID 2608 wrote to memory of 1264 2608 rfrrxxf.exe 42 PID 2608 wrote to memory of 1264 2608 rfrrxxf.exe 42 PID 1264 wrote to memory of 2980 1264 rflflfl.exe 43 PID 1264 wrote to memory of 2980 1264 rflflfl.exe 43 PID 1264 wrote to memory of 2980 1264 rflflfl.exe 43 PID 1264 wrote to memory of 2980 1264 rflflfl.exe 43 PID 2980 wrote to memory of 1864 2980 xlrlrrx.exe 44 PID 2980 wrote to memory of 1864 2980 xlrlrrx.exe 44 PID 2980 wrote to memory of 1864 2980 xlrlrrx.exe 44 PID 2980 wrote to memory of 1864 2980 xlrlrrx.exe 44 PID 1864 wrote to memory of 2724 1864 828462.exe 45 PID 1864 wrote to memory of 2724 1864 828462.exe 45 PID 1864 wrote to memory of 2724 1864 828462.exe 45 PID 1864 wrote to memory of 2724 1864 828462.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\7f7c9265cc78fae4cfa8f34f5f2ced346b067a6481a6947f6e51dd77ea1ebda5.exe"C:\Users\Admin\AppData\Local\Temp\7f7c9265cc78fae4cfa8f34f5f2ced346b067a6481a6947f6e51dd77ea1ebda5.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2504 -
\??\c:\3lxfllx.exec:\3lxfllx.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2820 -
\??\c:\608628.exec:\608628.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2740 -
\??\c:\8200244.exec:\8200244.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2264 -
\??\c:\264640.exec:\264640.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2496 -
\??\c:\20802.exec:\20802.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2672 -
\??\c:\206408.exec:\206408.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2772 -
\??\c:\86844.exec:\86844.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2092 -
\??\c:\6024406.exec:\6024406.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2712 -
\??\c:\42448.exec:\42448.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2216 -
\??\c:\vpvdj.exec:\vpvdj.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1768 -
\??\c:\7jvpp.exec:\7jvpp.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2316 -
\??\c:\rfrrxxf.exec:\rfrrxxf.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2608 -
\??\c:\rflflfl.exec:\rflflfl.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1264 -
\??\c:\xlrlrrx.exec:\xlrlrrx.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2980 -
\??\c:\828462.exec:\828462.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1864 -
\??\c:\8624440.exec:\8624440.exe17⤵
- Executes dropped EXE
PID:2724 -
\??\c:\82480.exec:\82480.exe18⤵
- Executes dropped EXE
PID:2544 -
\??\c:\4846406.exec:\4846406.exe19⤵
- Executes dropped EXE
PID:888 -
\??\c:\s6842.exec:\s6842.exe20⤵
- Executes dropped EXE
PID:2900 -
\??\c:\5vpjp.exec:\5vpjp.exe21⤵
- Executes dropped EXE
PID:1292 -
\??\c:\u800040.exec:\u800040.exe22⤵
- Executes dropped EXE
PID:1960 -
\??\c:\djddd.exec:\djddd.exe23⤵
- Executes dropped EXE
PID:536 -
\??\c:\8244262.exec:\8244262.exe24⤵
- Executes dropped EXE
PID:2236 -
\??\c:\48006.exec:\48006.exe25⤵
- Executes dropped EXE
PID:2436 -
\??\c:\1hnhnh.exec:\1hnhnh.exe26⤵
- Executes dropped EXE
PID:2616 -
\??\c:\s6840.exec:\s6840.exe27⤵
- Executes dropped EXE
PID:1664 -
\??\c:\q80462.exec:\q80462.exe28⤵
- Executes dropped EXE
PID:852 -
\??\c:\60280.exec:\60280.exe29⤵
- Executes dropped EXE
PID:1544 -
\??\c:\nbnntt.exec:\nbnntt.exe30⤵
- Executes dropped EXE
PID:620 -
\??\c:\xllflfl.exec:\xllflfl.exe31⤵
- Executes dropped EXE
PID:912 -
\??\c:\xrlrffl.exec:\xrlrffl.exe32⤵
- Executes dropped EXE
PID:2124 -
\??\c:\680420.exec:\680420.exe33⤵
- Executes dropped EXE
PID:2472 -
\??\c:\vdjpd.exec:\vdjpd.exe34⤵
- Executes dropped EXE
PID:1620 -
\??\c:\ffxxffl.exec:\ffxxffl.exe35⤵
- Executes dropped EXE
PID:2932 -
\??\c:\w64026.exec:\w64026.exe36⤵
- Executes dropped EXE
PID:884 -
\??\c:\lfrxrrf.exec:\lfrxrrf.exe37⤵
- Executes dropped EXE
PID:1976 -
\??\c:\jppvv.exec:\jppvv.exe38⤵
- Executes dropped EXE
PID:2312 -
\??\c:\7jvdp.exec:\7jvdp.exe39⤵
- Executes dropped EXE
PID:1600 -
\??\c:\08028.exec:\08028.exe40⤵
- Executes dropped EXE
PID:2188 -
\??\c:\3btthh.exec:\3btthh.exe41⤵
- Executes dropped EXE
PID:2264 -
\??\c:\w40628.exec:\w40628.exe42⤵
- Executes dropped EXE
PID:2644 -
\??\c:\g8044.exec:\g8044.exe43⤵
- Executes dropped EXE
PID:2996 -
\??\c:\420006.exec:\420006.exe44⤵
- Executes dropped EXE
PID:2908 -
\??\c:\240242.exec:\240242.exe45⤵
- Executes dropped EXE
PID:2692 -
\??\c:\bnnnbt.exec:\bnnnbt.exe46⤵
- Executes dropped EXE
PID:2632 -
\??\c:\0428884.exec:\0428884.exe47⤵
- Executes dropped EXE
PID:2700 -
\??\c:\pdvdp.exec:\pdvdp.exe48⤵
- Executes dropped EXE
PID:2216 -
\??\c:\e82244.exec:\e82244.exe49⤵
- Executes dropped EXE
PID:2032 -
\??\c:\xrlxrlx.exec:\xrlxrlx.exe50⤵
- Executes dropped EXE
PID:2208 -
\??\c:\5vjjp.exec:\5vjjp.exe51⤵
- Executes dropped EXE
PID:1796 -
\??\c:\rlxlxlr.exec:\rlxlxlr.exe52⤵
- Executes dropped EXE
PID:2656 -
\??\c:\lxrlrrr.exec:\lxrlrrr.exe53⤵
- Executes dropped EXE
PID:2012 -
\??\c:\080688.exec:\080688.exe54⤵
- Executes dropped EXE
PID:2564 -
\??\c:\s8286.exec:\s8286.exe55⤵
- Executes dropped EXE
PID:2368 -
\??\c:\hhbtbh.exec:\hhbtbh.exe56⤵
- Executes dropped EXE
PID:2320 -
\??\c:\7rllrxf.exec:\7rllrxf.exe57⤵
- Executes dropped EXE
PID:2892 -
\??\c:\8684662.exec:\8684662.exe58⤵
- Executes dropped EXE
PID:2952 -
\??\c:\088448.exec:\088448.exe59⤵
- Executes dropped EXE
PID:2904 -
\??\c:\208800.exec:\208800.exe60⤵
- Executes dropped EXE
PID:1088 -
\??\c:\w06064.exec:\w06064.exe61⤵
- Executes dropped EXE
PID:2100 -
\??\c:\k42222.exec:\k42222.exe62⤵
- Executes dropped EXE
PID:3028 -
\??\c:\lxrxlrx.exec:\lxrxlrx.exe63⤵
- Executes dropped EXE
PID:3000 -
\??\c:\xrfflfl.exec:\xrfflfl.exe64⤵
- Executes dropped EXE
PID:1280 -
\??\c:\k82804.exec:\k82804.exe65⤵
- Executes dropped EXE
PID:1712 -
\??\c:\lfxxllr.exec:\lfxxllr.exe66⤵PID:316
-
\??\c:\8646846.exec:\8646846.exe67⤵PID:1640
-
\??\c:\hnhhnt.exec:\hnhhnt.exe68⤵PID:2236
-
\??\c:\828406.exec:\828406.exe69⤵PID:1856
-
\??\c:\bthbhn.exec:\bthbhn.exe70⤵PID:2432
-
\??\c:\bbhtbt.exec:\bbhtbt.exe71⤵PID:1000
-
\??\c:\9xllrlr.exec:\9xllrlr.exe72⤵PID:788
-
\??\c:\864406.exec:\864406.exe73⤵PID:1532
-
\??\c:\jjdjp.exec:\jjdjp.exe74⤵PID:1556
-
\??\c:\60224.exec:\60224.exe75⤵PID:1536
-
\??\c:\22262.exec:\22262.exe76⤵PID:2128
-
\??\c:\bnhntt.exec:\bnhntt.exe77⤵PID:912
-
\??\c:\htbbhb.exec:\htbbhb.exe78⤵PID:2056
-
\??\c:\20228.exec:\20228.exe79⤵PID:2076
-
\??\c:\xxlrfrf.exec:\xxlrfrf.exe80⤵PID:2360
-
\??\c:\pjpvd.exec:\pjpvd.exe81⤵PID:2956
-
\??\c:\7tbtbb.exec:\7tbtbb.exe82⤵PID:896
-
\??\c:\bnhbhh.exec:\bnhbhh.exe83⤵PID:1500
-
\??\c:\4206228.exec:\4206228.exe84⤵PID:308
-
\??\c:\frlrxrx.exec:\frlrxrx.exe85⤵
- System Location Discovery: System Language Discovery
PID:2764 -
\??\c:\26846.exec:\26846.exe86⤵PID:2840
-
\??\c:\5tbttt.exec:\5tbttt.exe87⤵PID:2220
-
\??\c:\208404.exec:\208404.exe88⤵PID:2744
-
\??\c:\rfrrxxl.exec:\rfrrxxl.exe89⤵PID:2852
-
\??\c:\3djdj.exec:\3djdj.exe90⤵PID:2832
-
\??\c:\1nhbhh.exec:\1nhbhh.exe91⤵PID:3044
-
\??\c:\8606400.exec:\8606400.exe92⤵PID:2772
-
\??\c:\08624.exec:\08624.exe93⤵PID:2228
-
\??\c:\hbbhnt.exec:\hbbhnt.exe94⤵PID:2524
-
\??\c:\frllrxx.exec:\frllrxx.exe95⤵PID:1004
-
\??\c:\4240284.exec:\4240284.exe96⤵PID:2444
-
\??\c:\7nbnth.exec:\7nbnth.exe97⤵PID:1904
-
\??\c:\dvpvj.exec:\dvpvj.exe98⤵PID:2316
-
\??\c:\u484440.exec:\u484440.exe99⤵PID:2684
-
\??\c:\0644064.exec:\0644064.exe100⤵PID:2340
-
\??\c:\c062822.exec:\c062822.exe101⤵PID:656
-
\??\c:\3jvdj.exec:\3jvdj.exe102⤵PID:1520
-
\??\c:\vvvvd.exec:\vvvvd.exe103⤵PID:2736
-
\??\c:\nhtthh.exec:\nhtthh.exe104⤵PID:1868
-
\??\c:\hthhbb.exec:\hthhbb.exe105⤵PID:2320
-
\??\c:\nhbbtt.exec:\nhbbtt.exe106⤵PID:1908
-
\??\c:\0428000.exec:\0428000.exe107⤵
- System Location Discovery: System Language Discovery
PID:2952 -
\??\c:\1pjjv.exec:\1pjjv.exe108⤵PID:3024
-
\??\c:\6084002.exec:\6084002.exe109⤵PID:1088
-
\??\c:\btnnbh.exec:\btnnbh.exe110⤵PID:1508
-
\??\c:\8202402.exec:\8202402.exe111⤵PID:2036
-
\??\c:\1thhhn.exec:\1thhhn.exe112⤵PID:3000
-
\??\c:\82222.exec:\82222.exe113⤵PID:2324
-
\??\c:\c424440.exec:\c424440.exe114⤵PID:2620
-
\??\c:\o268484.exec:\o268484.exe115⤵PID:2016
-
\??\c:\e60644.exec:\e60644.exe116⤵PID:2172
-
\??\c:\82802.exec:\82802.exe117⤵PID:320
-
\??\c:\u284044.exec:\u284044.exe118⤵PID:2164
-
\??\c:\c882244.exec:\c882244.exe119⤵PID:1524
-
\??\c:\thtnnn.exec:\thtnnn.exe120⤵PID:1316
-
\??\c:\w20622.exec:\w20622.exe121⤵PID:2536
-
\??\c:\q68402.exec:\q68402.exe122⤵PID:1792