Analysis
-
max time kernel
150s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20250207-en -
resource tags
arch:x64 arch:x86 image:win7-20250207-en locale:en-us os:windows7-x64 system
submitted
28/03/2025, 21:47
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
596011535e1f98ab06aa8ce72ef854fae80da7ea6e4d6c4380f413ec40c79c3e.exe
Resource
win7-20250207-en
7 signatures
150 seconds
General
-
Target
596011535e1f98ab06aa8ce72ef854fae80da7ea6e4d6c4380f413ec40c79c3e.exe
-
Size
457KB
-
MD5
b0968197740f76cede5c6516cfc99850
-
SHA1
f3b18d0f66cea268bf4322f4b64db1ff5f219723
-
SHA256
596011535e1f98ab06aa8ce72ef854fae80da7ea6e4d6c4380f413ec40c79c3e
-
SHA512
aa1882d7a9caf7c4e257e491dfe86c928748b43cbc3ede271273a212ddd318ef26db728d59e8b72987f343c19ff82c6f43e583e2178e16ea69760523ebf1f976
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe4:q7Tc2NYHUrAwfMp3CD4
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 53 IoCs
resource yara_rule behavioral1/memory/2556-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1880-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1584-27-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2720-40-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2720-38-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2788-52-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/892-68-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3004-80-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2692-91-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2744-88-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2376-107-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3016-110-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2692-98-0x00000000001C0000-0x00000000001EA000-memory.dmp family_blackmoon behavioral1/memory/2284-126-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3040-136-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1232-147-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2476-144-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2352-162-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1208-195-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2252-222-0x0000000000430000-0x000000000045A000-memory.dmp family_blackmoon behavioral1/memory/1748-249-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2140-275-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1760-289-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/3064-300-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2300-319-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2776-339-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/332-382-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2948-407-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2948-414-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3000-420-0x0000000000430000-0x000000000045A000-memory.dmp family_blackmoon behavioral1/memory/2696-440-0x0000000000430000-0x000000000045A000-memory.dmp family_blackmoon behavioral1/memory/2084-454-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1796-472-0x0000000000430000-0x000000000045A000-memory.dmp family_blackmoon behavioral1/memory/1796-497-0x0000000000430000-0x000000000045A000-memory.dmp family_blackmoon behavioral1/memory/1556-514-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/612-527-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/348-559-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2020-647-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2716-685-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2472-704-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2028-711-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2348-874-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon 
behavioral1/memory/2324-888-0x0000000000330000-0x000000000035A000-memory.dmp family_blackmoon behavioral1/memory/2324-889-0x0000000000330000-0x000000000035A000-memory.dmp family_blackmoon behavioral1/memory/2324-909-0x0000000000330000-0x000000000035A000-memory.dmp family_blackmoon behavioral1/memory/1312-948-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2496-960-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2508-969-0x00000000002C0000-0x00000000002EA000-memory.dmp family_blackmoon behavioral1/memory/2948-982-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1524-989-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2028-996-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/692-1027-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2220-1091-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1880 rrfxffr.exe 1584 20266.exe 2720 864444.exe 2576 0464444.exe 2788 1rxxffr.exe 892 3dppj.exe 3004 02488.exe 2744 lfxxflx.exe 2692 g8666.exe 2376 xlfllfl.exe 3016 nhtbhh.exe 2284 808466.exe 3040 428848.exe 2476 m8624.exe 1232 frfllrf.exe 2352 hhbntt.exe 2724 ffllrrx.exe 1240 3pvvv.exe 2252 86406.exe 1208 q08806.exe 1108 4804046.exe 1344 602262.exe 1728 u468828.exe 904 6422262.exe 612 2084484.exe 1748 c488884.exe 672 260222.exe 2328 rrlrflf.exe 2140 m6826.exe 1688 26006.exe 1760 26440.exe 3064 3bhnbt.exe 2524 hbnbhb.exe 1692 dpvvd.exe 2300 64062.exe 2808 i204480.exe 2740 2026606.exe 2776 o022824.exe 2756 7rfrflr.exe 2836 680006.exe 2892 6420062.exe 2996 422660.exe 2768 htbbbn.exe 2684 7vjvv.exe 332 pjpdj.exe 320 022664.exe 2468 a4666.exe 2292 7bbnnh.exe 3032 jvjpj.exe 2948 5llflff.exe 3000 86668.exe 3048 pdvpp.exe 2476 024400.exe 2696 g4000.exe 2500 hbnttb.exe 2084 2088482.exe 1792 48802.exe 1668 04880.exe 1796 7flfxxx.exe 1428 bthnnb.exe 1976 u422822.exe 1108 lxlrxxl.exe 1344 206682.exe 2200 e64440.exe -
resource yara_rule behavioral1/memory/2556-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1880-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1584-27-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2720-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2720-40-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2720-38-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2788-52-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/892-68-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3004-80-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2692-91-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2744-88-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2376-107-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3016-110-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2284-126-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3040-136-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1232-147-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2476-144-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2352-162-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1208-195-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1748-239-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1748-249-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2140-275-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3064-292-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3064-300-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2300-319-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2776-339-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/332-382-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2948-407-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2948-414-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2084-447-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2084-454-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1796-467-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1556-514-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/612-527-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/348-559-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1596-578-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2908-638-0x00000000001B0000-0x00000000001DA000-memory.dmp upx behavioral1/memory/2020-640-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2020-647-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2684-654-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2716-685-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2472-704-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2028-711-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1876-773-0x0000000001C70000-0x0000000001C9A000-memory.dmp upx behavioral1/memory/1540-792-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2220-799-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2160-818-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2324-881-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2324-888-0x0000000000330000-0x000000000035A000-memory.dmp upx behavioral1/memory/2860-896-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1312-948-0x00000000001B0000-0x00000000001DA000-memory.dmp upx behavioral1/memory/2948-982-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/1524-989-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2544-1015-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1972-1065-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1556-1072-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1984-1105-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2860-1179-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim host in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2684620.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppppd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpjpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxllxfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjddj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 042288.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6666466.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 048428.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language i000000.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 80262.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdddj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdppv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c488884.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnhhnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfxrfrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2556 wrote to memory of 1880 2556 596011535e1f98ab06aa8ce72ef854fae80da7ea6e4d6c4380f413ec40c79c3e.exe 31 PID 2556 wrote to memory of 1880 2556 596011535e1f98ab06aa8ce72ef854fae80da7ea6e4d6c4380f413ec40c79c3e.exe 31 PID 2556 wrote to memory of 1880 2556 596011535e1f98ab06aa8ce72ef854fae80da7ea6e4d6c4380f413ec40c79c3e.exe 31 PID 2556 wrote to memory of 1880 2556 596011535e1f98ab06aa8ce72ef854fae80da7ea6e4d6c4380f413ec40c79c3e.exe 31 PID 1880 wrote to memory of 1584 1880 rrfxffr.exe 32 PID 1880 wrote to memory of 1584 1880 rrfxffr.exe 32 PID 1880 wrote to memory of 1584 1880 rrfxffr.exe 32 PID 1880 wrote to memory of 1584 1880 rrfxffr.exe 32 PID 1584 wrote to memory of 2720 1584 20266.exe 33 PID 1584 wrote to memory of 2720 1584 20266.exe 33 PID 1584 wrote to memory of 2720 1584 20266.exe 33 PID 1584 wrote to memory of 2720 1584 20266.exe 33 PID 2720 wrote to memory of 2576 2720 864444.exe 34 PID 2720 wrote to memory of 2576 2720 864444.exe 34 PID 2720 wrote to memory of 2576 2720 864444.exe 34 PID 2720 wrote to memory of 2576 2720 864444.exe 34 PID 2576 wrote to memory of 2788 2576 0464444.exe 35 PID 2576 wrote to memory of 2788 2576 0464444.exe 35 PID 2576 wrote to memory of 2788 2576 0464444.exe 35 PID 2576 wrote to memory of 2788 2576 0464444.exe 35 PID 2788 wrote to memory of 892 2788 1rxxffr.exe 36 PID 2788 wrote to memory of 892 2788 1rxxffr.exe 36 PID 2788 wrote to memory of 892 2788 1rxxffr.exe 36 PID 2788 wrote to memory of 892 2788 1rxxffr.exe 36 PID 892 wrote to memory of 3004 892 3dppj.exe 37 PID 892 wrote to memory of 3004 892 3dppj.exe 37 PID 892 wrote to memory of 3004 892 3dppj.exe 37 PID 892 wrote to memory of 3004 892 3dppj.exe 37 PID 3004 wrote to memory of 2744 3004 02488.exe 38 PID 3004 wrote to memory of 2744 3004 02488.exe 38 PID 3004 wrote to memory of 2744 3004 02488.exe 38 PID 3004 wrote to memory of 2744 3004 02488.exe 38 PID 2744 wrote to memory of 2692 2744 lfxxflx.exe 39 PID 2744 wrote to memory 
of 2692 2744 lfxxflx.exe 39 PID 2744 wrote to memory of 2692 2744 lfxxflx.exe 39 PID 2744 wrote to memory of 2692 2744 lfxxflx.exe 39 PID 2692 wrote to memory of 2376 2692 g8666.exe 40 PID 2692 wrote to memory of 2376 2692 g8666.exe 40 PID 2692 wrote to memory of 2376 2692 g8666.exe 40 PID 2692 wrote to memory of 2376 2692 g8666.exe 40 PID 2376 wrote to memory of 3016 2376 xlfllfl.exe 41 PID 2376 wrote to memory of 3016 2376 xlfllfl.exe 41 PID 2376 wrote to memory of 3016 2376 xlfllfl.exe 41 PID 2376 wrote to memory of 3016 2376 xlfllfl.exe 41 PID 3016 wrote to memory of 2284 3016 nhtbhh.exe 42 PID 3016 wrote to memory of 2284 3016 nhtbhh.exe 42 PID 3016 wrote to memory of 2284 3016 nhtbhh.exe 42 PID 3016 wrote to memory of 2284 3016 nhtbhh.exe 42 PID 2284 wrote to memory of 3040 2284 808466.exe 43 PID 2284 wrote to memory of 3040 2284 808466.exe 43 PID 2284 wrote to memory of 3040 2284 808466.exe 43 PID 2284 wrote to memory of 3040 2284 808466.exe 43 PID 3040 wrote to memory of 2476 3040 428848.exe 44 PID 3040 wrote to memory of 2476 3040 428848.exe 44 PID 3040 wrote to memory of 2476 3040 428848.exe 44 PID 3040 wrote to memory of 2476 3040 428848.exe 44 PID 2476 wrote to memory of 1232 2476 m8624.exe 45 PID 2476 wrote to memory of 1232 2476 m8624.exe 45 PID 2476 wrote to memory of 1232 2476 m8624.exe 45 PID 2476 wrote to memory of 1232 2476 m8624.exe 45 PID 1232 wrote to memory of 2352 1232 frfllrf.exe 46 PID 1232 wrote to memory of 2352 1232 frfllrf.exe 46 PID 1232 wrote to memory of 2352 1232 frfllrf.exe 46 PID 1232 wrote to memory of 2352 1232 frfllrf.exe 46
Processes
-
C:\Users\Admin\AppData\Local\Temp\596011535e1f98ab06aa8ce72ef854fae80da7ea6e4d6c4380f413ec40c79c3e.exe"C:\Users\Admin\AppData\Local\Temp\596011535e1f98ab06aa8ce72ef854fae80da7ea6e4d6c4380f413ec40c79c3e.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2556 -
\??\c:\rrfxffr.exec:\rrfxffr.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1880 -
\??\c:\20266.exec:\20266.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1584 -
\??\c:\864444.exec:\864444.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2720 -
\??\c:\0464444.exec:\0464444.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2576 -
\??\c:\1rxxffr.exec:\1rxxffr.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2788 -
\??\c:\3dppj.exec:\3dppj.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:892 -
\??\c:\02488.exec:\02488.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3004 -
\??\c:\lfxxflx.exec:\lfxxflx.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2744 -
\??\c:\g8666.exec:\g8666.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2692 -
\??\c:\xlfllfl.exec:\xlfllfl.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2376 -
\??\c:\nhtbhh.exec:\nhtbhh.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3016 -
\??\c:\808466.exec:\808466.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2284 -
\??\c:\428848.exec:\428848.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3040 -
\??\c:\m8624.exec:\m8624.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2476 -
\??\c:\frfllrf.exec:\frfllrf.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1232 -
\??\c:\hhbntt.exec:\hhbntt.exe17⤵
- Executes dropped EXE
PID:2352 -
\??\c:\ffllrrx.exec:\ffllrrx.exe18⤵
- Executes dropped EXE
PID:2724 -
\??\c:\3pvvv.exec:\3pvvv.exe19⤵
- Executes dropped EXE
PID:1240 -
\??\c:\86406.exec:\86406.exe20⤵
- Executes dropped EXE
PID:2252 -
\??\c:\q08806.exec:\q08806.exe21⤵
- Executes dropped EXE
PID:1208 -
\??\c:\4804046.exec:\4804046.exe22⤵
- Executes dropped EXE
PID:1108 -
\??\c:\602262.exec:\602262.exe23⤵
- Executes dropped EXE
PID:1344 -
\??\c:\u468828.exec:\u468828.exe24⤵
- Executes dropped EXE
PID:1728 -
\??\c:\6422262.exec:\6422262.exe25⤵
- Executes dropped EXE
PID:904 -
\??\c:\2084484.exec:\2084484.exe26⤵
- Executes dropped EXE
PID:612 -
\??\c:\c488884.exec:\c488884.exe27⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1748 -
\??\c:\260222.exec:\260222.exe28⤵
- Executes dropped EXE
PID:672 -
\??\c:\rrlrflf.exec:\rrlrflf.exe29⤵
- Executes dropped EXE
PID:2328 -
\??\c:\m6826.exec:\m6826.exe30⤵
- Executes dropped EXE
PID:2140 -
\??\c:\26006.exec:\26006.exe31⤵
- Executes dropped EXE
PID:1688 -
\??\c:\26440.exec:\26440.exe32⤵
- Executes dropped EXE
PID:1760 -
\??\c:\3bhnbt.exec:\3bhnbt.exe33⤵
- Executes dropped EXE
PID:3064 -
\??\c:\hbnbhb.exec:\hbnbhb.exe34⤵
- Executes dropped EXE
PID:2524 -
\??\c:\dpvvd.exec:\dpvvd.exe35⤵
- Executes dropped EXE
PID:1692 -
\??\c:\64062.exec:\64062.exe36⤵
- Executes dropped EXE
PID:2300 -
\??\c:\i204480.exec:\i204480.exe37⤵
- Executes dropped EXE
PID:2808 -
\??\c:\2026606.exec:\2026606.exe38⤵
- Executes dropped EXE
PID:2740 -
\??\c:\o022824.exec:\o022824.exe39⤵
- Executes dropped EXE
PID:2776 -
\??\c:\7rfrflr.exec:\7rfrflr.exe40⤵
- Executes dropped EXE
PID:2756 -
\??\c:\680006.exec:\680006.exe41⤵
- Executes dropped EXE
PID:2836 -
\??\c:\6420062.exec:\6420062.exe42⤵
- Executes dropped EXE
PID:2892 -
\??\c:\422660.exec:\422660.exe43⤵
- Executes dropped EXE
PID:2996 -
\??\c:\htbbbn.exec:\htbbbn.exe44⤵
- Executes dropped EXE
PID:2768 -
\??\c:\7vjvv.exec:\7vjvv.exe45⤵
- Executes dropped EXE
PID:2684 -
\??\c:\pjpdj.exec:\pjpdj.exe46⤵
- Executes dropped EXE
PID:332 -
\??\c:\022664.exec:\022664.exe47⤵
- Executes dropped EXE
PID:320 -
\??\c:\a4666.exec:\a4666.exe48⤵
- Executes dropped EXE
PID:2468 -
\??\c:\7bbnnh.exec:\7bbnnh.exe49⤵
- Executes dropped EXE
PID:2292 -
\??\c:\jvjpj.exec:\jvjpj.exe50⤵
- Executes dropped EXE
PID:3032 -
\??\c:\5llflff.exec:\5llflff.exe51⤵
- Executes dropped EXE
PID:2948 -
\??\c:\86668.exec:\86668.exe52⤵
- Executes dropped EXE
PID:3000 -
\??\c:\pdvpp.exec:\pdvpp.exe53⤵
- Executes dropped EXE
PID:3048 -
\??\c:\024400.exec:\024400.exe54⤵
- Executes dropped EXE
PID:2476 -
\??\c:\g4000.exec:\g4000.exe55⤵
- Executes dropped EXE
PID:2696 -
\??\c:\hbnttb.exec:\hbnttb.exe56⤵
- Executes dropped EXE
PID:2500 -
\??\c:\2088482.exec:\2088482.exe57⤵
- Executes dropped EXE
PID:2084 -
\??\c:\48802.exec:\48802.exe58⤵
- Executes dropped EXE
PID:1792 -
\??\c:\04880.exec:\04880.exe59⤵
- Executes dropped EXE
PID:1668 -
\??\c:\7flfxxx.exec:\7flfxxx.exe60⤵
- Executes dropped EXE
PID:1796 -
\??\c:\bthnnb.exec:\bthnnb.exe61⤵
- Executes dropped EXE
PID:1428 -
\??\c:\u422822.exec:\u422822.exe62⤵
- Executes dropped EXE
PID:1976 -
\??\c:\lxlrxxl.exec:\lxlrxxl.exe63⤵
- Executes dropped EXE
PID:1108 -
\??\c:\206682.exec:\206682.exe64⤵
- Executes dropped EXE
PID:1344 -
\??\c:\e64440.exec:\e64440.exe65⤵
- Executes dropped EXE
PID:2200 -
\??\c:\k02224.exec:\k02224.exe66⤵PID:1028
-
\??\c:\488862.exec:\488862.exe67⤵PID:1556
-
\??\c:\864828.exec:\864828.exe68⤵PID:612
-
\??\c:\dvjpp.exec:\dvjpp.exe69⤵PID:2224
-
\??\c:\6428846.exec:\6428846.exe70⤵PID:1948
-
\??\c:\7fxrflx.exec:\7fxrflx.exe71⤵PID:528
-
\??\c:\thntbt.exec:\thntbt.exe72⤵PID:2320
-
\??\c:\2684624.exec:\2684624.exe73⤵PID:348
-
\??\c:\8684002.exec:\8684002.exe74⤵PID:1688
-
\??\c:\jjpvd.exec:\jjpvd.exe75⤵PID:2380
-
\??\c:\3tttnn.exec:\3tttnn.exe76⤵PID:2244
-
\??\c:\3hnttb.exec:\3hnttb.exe77⤵PID:1596
-
\??\c:\e42480.exec:\e42480.exe78⤵PID:2348
-
\??\c:\7ppjd.exec:\7ppjd.exe79⤵PID:956
-
\??\c:\nntbbb.exec:\nntbbb.exe80⤵PID:2324
-
\??\c:\480628.exec:\480628.exe81⤵PID:1800
-
\??\c:\q46626.exec:\q46626.exe82⤵PID:2840
-
\??\c:\86620.exec:\86620.exe83⤵PID:2896
-
\??\c:\868282.exec:\868282.exe84⤵PID:2904
-
\??\c:\fxrrxfr.exec:\fxrrxfr.exe85⤵PID:2788
-
\??\c:\48684.exec:\48684.exe86⤵PID:2908
-
\??\c:\2006224.exec:\2006224.exe87⤵PID:2020
-
\??\c:\rflxlff.exec:\rflxlff.exe88⤵PID:2632
-
\??\c:\hhtbtn.exec:\hhtbtn.exe89⤵PID:2684
-
\??\c:\268462.exec:\268462.exe90⤵PID:332
-
\??\c:\248480.exec:\248480.exe91⤵PID:320
-
\??\c:\ffflflr.exec:\ffflflr.exe92⤵PID:2480
-
\??\c:\vpjjp.exec:\vpjjp.exe93⤵PID:2716
-
\??\c:\vvpdv.exec:\vvpdv.exe94⤵PID:3016
-
\??\c:\04468.exec:\04468.exe95⤵PID:3036
-
\??\c:\6024662.exec:\6024662.exe96⤵PID:2472
-
\??\c:\vjvjv.exec:\vjvjv.exe97⤵PID:2028
-
\??\c:\vpdjv.exec:\vpdjv.exe98⤵PID:1076
-
\??\c:\e80684.exec:\e80684.exe99⤵PID:1044
-
\??\c:\646626.exec:\646626.exe100⤵PID:596
-
\??\c:\04286.exec:\04286.exe101⤵PID:2544
-
\??\c:\nntbnn.exec:\nntbnn.exe102⤵PID:1324
-
\??\c:\642228.exec:\642228.exe103⤵PID:2436
-
\??\c:\6022880.exec:\6022880.exe104⤵PID:444
-
\??\c:\2202406.exec:\2202406.exe105⤵PID:1780
-
\??\c:\jdvpv.exec:\jdvpv.exe106⤵PID:2608
-
\??\c:\9jdjp.exec:\9jdjp.exe107⤵PID:1876
-
\??\c:\xlfrflr.exec:\xlfrflr.exe108⤵PID:1716
-
\??\c:\c040280.exec:\c040280.exe109⤵PID:1972
-
\??\c:\fxffrrf.exec:\fxffrrf.exe110⤵PID:2520
-
\??\c:\60224.exec:\60224.exe111⤵PID:1540
-
\??\c:\tnhhnt.exec:\tnhhnt.exe112⤵
- System Location Discovery: System Language Discovery
PID:2220 -
\??\c:\08286.exec:\08286.exe113⤵PID:2588
-
\??\c:\4268406.exec:\4268406.exe114⤵PID:1388
-
\??\c:\642866.exec:\642866.exe115⤵PID:2160
-
\??\c:\s4202.exec:\s4202.exe116⤵PID:1788
-
\??\c:\9xxxflr.exec:\9xxxflr.exe117⤵PID:780
-
\??\c:\i268628.exec:\i268628.exe118⤵PID:884
-
\??\c:\7ppvd.exec:\7ppvd.exe119⤵PID:1760
-
\??\c:\1ffrxfl.exec:\1ffrxfl.exe120⤵PID:3064
-
\??\c:\20842.exec:\20842.exe121⤵PID:1604
-
\??\c:\nhnbbn.exec:\nhnbbn.exe122⤵PID:1596