Analysis
-
max time kernel
150s -
max time network
125s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64 arch:x86 image:win7-20240708-en locale:en-us os:windows7-x64 system -
submitted
26/11/2024, 01:10
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
91fc09b286409c8dc6121094f926bfb0050334371e07afcf165c9e63521ed2b3.exe
Resource
win7-20240708-en
7 signatures
150 seconds
General
-
Target
91fc09b286409c8dc6121094f926bfb0050334371e07afcf165c9e63521ed2b3.exe
-
Size
453KB
-
MD5
4fbda3e8226948b2d6806b186764b2d8
-
SHA1
336903eec00feeeb7baa1aa948655732f098e935
-
SHA256
91fc09b286409c8dc6121094f926bfb0050334371e07afcf165c9e63521ed2b3
-
SHA512
243a27c72485f324a1936898ae4eeb14c916a3f66cb2e741e60b4b4b69ff159235717b5665e8fc2ee691a17d9be27a0465ed86de35c47053dd48185fd28f2bf9
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeg:q7Tc2NYHUrAwfMp3CDg
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 38 IoCs
resource yara_rule behavioral1/memory/2720-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2680-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2728-20-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2736-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2872-38-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2596-55-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1652-72-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3060-64-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2104-97-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2420-106-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2664-115-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1128-134-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2880-144-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2344-168-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2404-131-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2216-202-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1088-200-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1752-229-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2024-245-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2656-262-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/876-288-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2684-289-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2820-316-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2652-343-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2588-361-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2260-413-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2120-421-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1452-440-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1608-447-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1464-454-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2960-462-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1956-494-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1540-551-0x00000000002A0000-0x00000000002CA000-memory.dmp family_blackmoon behavioral1/memory/2524-824-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2772-885-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2736-1131-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/308-1249-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1772-1253-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2720 4860804.exe 2728 rlfrxfx.exe 2736 xrlxrfx.exe 2872 m0424.exe 2688 vvvdv.exe 2596 204406.exe 3060 60468.exe 1652 flrrxrx.exe 1160 tthnth.exe 1492 04204.exe 2104 hhtnbb.exe 2420 jppvv.exe 2664 820862.exe 2404 6468844.exe 1128 ppjpj.exe 2880 420628.exe 2676 xffxrrr.exe 1608 866684.exe 2344 00888.exe 2956 226884.exe 1000 260628.exe 1088 60408.exe 2216 046684.exe 1784 a2686.exe 1752 dppdd.exe 1876 vvppp.exe 2024 rxlrxlr.exe 904 66880.exe 2656 a8246.exe 1540 8084284.exe 2976 rrxxrrx.exe 876 04464.exe 2684 rffrfff.exe 1600 842424.exe 2724 rxrfrfr.exe 2820 9vppd.exe 2840 bhttnn.exe 2872 8468422.exe 2772 828040.exe 2652 006406.exe 2740 hbbtnh.exe 2336 84846.exe 2588 480246.exe 580 444406.exe 2292 64280.exe 776 hthbbn.exe 3024 0480242.exe 2420 hhbhhb.exe 1776 8248066.exe 1744 00080.exe 2260 4828068.exe 2120 vvjvj.exe 2876 btbbhh.exe 308 hhtbnt.exe 1452 hhbhnn.exe 1608 bhhtht.exe 1464 8224284.exe 2960 bhhtth.exe 2956 xlfrxll.exe 2448 6028468.exe 1088 480624.exe 2464 o602008.exe 1956 c240464.exe 1784 2228408.exe -
resource yara_rule behavioral1/memory/2720-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2680-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2728-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2736-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2872-38-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2596-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1652-72-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3060-64-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2104-97-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2420-106-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2664-115-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2404-123-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1128-134-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2880-144-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2344-168-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2404-131-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2216-202-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1088-200-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1752-229-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2024-245-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2656-262-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1540-264-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/876-288-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2684-289-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2724-302-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2820-309-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2652-343-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2588-361-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2260-413-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2120-421-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1452-440-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1608-447-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1464-454-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2960-462-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1956-494-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2040-532-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1600-576-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1924-682-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1016-755-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2524-824-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/496-859-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2772-878-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2884-954-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1932-993-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2504-1111-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2720-1118-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2600-1132-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1640-1183-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/484-1191-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1760-1226-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2888-1240-0x0000000000320000-0x000000000034A000-memory.dmp upx behavioral1/memory/308-1242-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1772-1250-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1772-1253-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/1932-1270-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/604-1277-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2844460.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbntbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9httbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 444406.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 86086.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language k22806.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjpvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3bbbht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 64642.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1fflrxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2040804.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4824620.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffxfxlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 804846.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6046842.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxlrxlr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1frxffr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 004208.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2680 wrote to memory of 2720 2680 91fc09b286409c8dc6121094f926bfb0050334371e07afcf165c9e63521ed2b3.exe 30 PID 2680 wrote to memory of 2720 2680 91fc09b286409c8dc6121094f926bfb0050334371e07afcf165c9e63521ed2b3.exe 30 PID 2680 wrote to memory of 2720 2680 91fc09b286409c8dc6121094f926bfb0050334371e07afcf165c9e63521ed2b3.exe 30 PID 2680 wrote to memory of 2720 2680 91fc09b286409c8dc6121094f926bfb0050334371e07afcf165c9e63521ed2b3.exe 30 PID 2720 wrote to memory of 2728 2720 4860804.exe 31 PID 2720 wrote to memory of 2728 2720 4860804.exe 31 PID 2720 wrote to memory of 2728 2720 4860804.exe 31 PID 2720 wrote to memory of 2728 2720 4860804.exe 31 PID 2728 wrote to memory of 2736 2728 rlfrxfx.exe 32 PID 2728 wrote to memory of 2736 2728 rlfrxfx.exe 32 PID 2728 wrote to memory of 2736 2728 rlfrxfx.exe 32 PID 2728 wrote to memory of 2736 2728 rlfrxfx.exe 32 PID 2736 wrote to memory of 2872 2736 xrlxrfx.exe 33 PID 2736 wrote to memory of 2872 2736 xrlxrfx.exe 33 PID 2736 wrote to memory of 2872 2736 xrlxrfx.exe 33 PID 2736 wrote to memory of 2872 2736 xrlxrfx.exe 33 PID 2872 wrote to memory of 2688 2872 m0424.exe 34 PID 2872 wrote to memory of 2688 2872 m0424.exe 34 PID 2872 wrote to memory of 2688 2872 m0424.exe 34 PID 2872 wrote to memory of 2688 2872 m0424.exe 34 PID 2688 wrote to memory of 2596 2688 vvvdv.exe 35 PID 2688 wrote to memory of 2596 2688 vvvdv.exe 35 PID 2688 wrote to memory of 2596 2688 vvvdv.exe 35 PID 2688 wrote to memory of 2596 2688 vvvdv.exe 35 PID 2596 wrote to memory of 3060 2596 204406.exe 36 PID 2596 wrote to memory of 3060 2596 204406.exe 36 PID 2596 wrote to memory of 3060 2596 204406.exe 36 PID 2596 wrote to memory of 3060 2596 204406.exe 36 PID 3060 wrote to memory of 1652 3060 60468.exe 37 PID 3060 wrote to memory of 1652 3060 60468.exe 37 PID 3060 wrote to memory of 1652 3060 60468.exe 37 PID 3060 wrote to memory of 1652 3060 60468.exe 37 PID 1652 wrote to memory of 1160 1652 flrrxrx.exe 38 PID 1652 
wrote to memory of 1160 1652 flrrxrx.exe 38 PID 1652 wrote to memory of 1160 1652 flrrxrx.exe 38 PID 1652 wrote to memory of 1160 1652 flrrxrx.exe 38 PID 1160 wrote to memory of 1492 1160 tthnth.exe 39 PID 1160 wrote to memory of 1492 1160 tthnth.exe 39 PID 1160 wrote to memory of 1492 1160 tthnth.exe 39 PID 1160 wrote to memory of 1492 1160 tthnth.exe 39 PID 1492 wrote to memory of 2104 1492 04204.exe 40 PID 1492 wrote to memory of 2104 1492 04204.exe 40 PID 1492 wrote to memory of 2104 1492 04204.exe 40 PID 1492 wrote to memory of 2104 1492 04204.exe 40 PID 2104 wrote to memory of 2420 2104 hhtnbb.exe 41 PID 2104 wrote to memory of 2420 2104 hhtnbb.exe 41 PID 2104 wrote to memory of 2420 2104 hhtnbb.exe 41 PID 2104 wrote to memory of 2420 2104 hhtnbb.exe 41 PID 2420 wrote to memory of 2664 2420 jppvv.exe 42 PID 2420 wrote to memory of 2664 2420 jppvv.exe 42 PID 2420 wrote to memory of 2664 2420 jppvv.exe 42 PID 2420 wrote to memory of 2664 2420 jppvv.exe 42 PID 2664 wrote to memory of 2404 2664 820862.exe 43 PID 2664 wrote to memory of 2404 2664 820862.exe 43 PID 2664 wrote to memory of 2404 2664 820862.exe 43 PID 2664 wrote to memory of 2404 2664 820862.exe 43 PID 2404 wrote to memory of 1128 2404 6468844.exe 44 PID 2404 wrote to memory of 1128 2404 6468844.exe 44 PID 2404 wrote to memory of 1128 2404 6468844.exe 44 PID 2404 wrote to memory of 1128 2404 6468844.exe 44 PID 1128 wrote to memory of 2880 1128 ppjpj.exe 45 PID 1128 wrote to memory of 2880 1128 ppjpj.exe 45 PID 1128 wrote to memory of 2880 1128 ppjpj.exe 45 PID 1128 wrote to memory of 2880 1128 ppjpj.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\91fc09b286409c8dc6121094f926bfb0050334371e07afcf165c9e63521ed2b3.exe"C:\Users\Admin\AppData\Local\Temp\91fc09b286409c8dc6121094f926bfb0050334371e07afcf165c9e63521ed2b3.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2680 -
\??\c:\4860804.exec:\4860804.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2720 -
\??\c:\rlfrxfx.exec:\rlfrxfx.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2728 -
\??\c:\xrlxrfx.exec:\xrlxrfx.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2736 -
\??\c:\m0424.exec:\m0424.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2872 -
\??\c:\vvvdv.exec:\vvvdv.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2688 -
\??\c:\204406.exec:\204406.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2596 -
\??\c:\60468.exec:\60468.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3060 -
\??\c:\flrrxrx.exec:\flrrxrx.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1652 -
\??\c:\tthnth.exec:\tthnth.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1160 -
\??\c:\04204.exec:\04204.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1492 -
\??\c:\hhtnbb.exec:\hhtnbb.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2104 -
\??\c:\jppvv.exec:\jppvv.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2420 -
\??\c:\820862.exec:\820862.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2664 -
\??\c:\6468844.exec:\6468844.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2404 -
\??\c:\ppjpj.exec:\ppjpj.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1128 -
\??\c:\420628.exec:\420628.exe17⤵
- Executes dropped EXE
PID:2880 -
\??\c:\xffxrrr.exec:\xffxrrr.exe18⤵
- Executes dropped EXE
PID:2676 -
\??\c:\866684.exec:\866684.exe19⤵
- Executes dropped EXE
PID:1608 -
\??\c:\00888.exec:\00888.exe20⤵
- Executes dropped EXE
PID:2344 -
\??\c:\226884.exec:\226884.exe21⤵
- Executes dropped EXE
PID:2956 -
\??\c:\260628.exec:\260628.exe22⤵
- Executes dropped EXE
PID:1000 -
\??\c:\60408.exec:\60408.exe23⤵
- Executes dropped EXE
PID:1088 -
\??\c:\046684.exec:\046684.exe24⤵
- Executes dropped EXE
PID:2216 -
\??\c:\a2686.exec:\a2686.exe25⤵
- Executes dropped EXE
PID:1784 -
\??\c:\dppdd.exec:\dppdd.exe26⤵
- Executes dropped EXE
PID:1752 -
\??\c:\vvppp.exec:\vvppp.exe27⤵
- Executes dropped EXE
PID:1876 -
\??\c:\rxlrxlr.exec:\rxlrxlr.exe28⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2024 -
\??\c:\66880.exec:\66880.exe29⤵
- Executes dropped EXE
PID:904 -
\??\c:\a8246.exec:\a8246.exe30⤵
- Executes dropped EXE
PID:2656 -
\??\c:\8084284.exec:\8084284.exe31⤵
- Executes dropped EXE
PID:1540 -
\??\c:\rrxxrrx.exec:\rrxxrrx.exe32⤵
- Executes dropped EXE
PID:2976 -
\??\c:\04464.exec:\04464.exe33⤵
- Executes dropped EXE
PID:876 -
\??\c:\rffrfff.exec:\rffrfff.exe34⤵
- Executes dropped EXE
PID:2684 -
\??\c:\842424.exec:\842424.exe35⤵
- Executes dropped EXE
PID:1600 -
\??\c:\rxrfrfr.exec:\rxrfrfr.exe36⤵
- Executes dropped EXE
PID:2724 -
\??\c:\9vppd.exec:\9vppd.exe37⤵
- Executes dropped EXE
PID:2820 -
\??\c:\bhttnn.exec:\bhttnn.exe38⤵
- Executes dropped EXE
PID:2840 -
\??\c:\8468422.exec:\8468422.exe39⤵
- Executes dropped EXE
PID:2872 -
\??\c:\828040.exec:\828040.exe40⤵
- Executes dropped EXE
PID:2772 -
\??\c:\006406.exec:\006406.exe41⤵
- Executes dropped EXE
PID:2652 -
\??\c:\hbbtnh.exec:\hbbtnh.exe42⤵
- Executes dropped EXE
PID:2740 -
\??\c:\84846.exec:\84846.exe43⤵
- Executes dropped EXE
PID:2336 -
\??\c:\480246.exec:\480246.exe44⤵
- Executes dropped EXE
PID:2588 -
\??\c:\444406.exec:\444406.exe45⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:580 -
\??\c:\64280.exec:\64280.exe46⤵
- Executes dropped EXE
PID:2292 -
\??\c:\hthbbn.exec:\hthbbn.exe47⤵
- Executes dropped EXE
PID:776 -
\??\c:\0480242.exec:\0480242.exe48⤵
- Executes dropped EXE
PID:3024 -
\??\c:\hhbhhb.exec:\hhbhhb.exe49⤵
- Executes dropped EXE
PID:2420 -
\??\c:\8248066.exec:\8248066.exe50⤵
- Executes dropped EXE
PID:1776 -
\??\c:\00080.exec:\00080.exe51⤵
- Executes dropped EXE
PID:1744 -
\??\c:\4828068.exec:\4828068.exe52⤵
- Executes dropped EXE
PID:2260 -
\??\c:\vvjvj.exec:\vvjvj.exe53⤵
- Executes dropped EXE
PID:2120 -
\??\c:\btbbhh.exec:\btbbhh.exe54⤵
- Executes dropped EXE
PID:2876 -
\??\c:\hhtbnt.exec:\hhtbnt.exe55⤵
- Executes dropped EXE
PID:308 -
\??\c:\hhbhnn.exec:\hhbhnn.exe56⤵
- Executes dropped EXE
PID:1452 -
\??\c:\bhhtht.exec:\bhhtht.exe57⤵
- Executes dropped EXE
PID:1608 -
\??\c:\8224284.exec:\8224284.exe58⤵
- Executes dropped EXE
PID:1464 -
\??\c:\bhhtth.exec:\bhhtth.exe59⤵
- Executes dropped EXE
PID:2960 -
\??\c:\xlfrxll.exec:\xlfrxll.exe60⤵
- Executes dropped EXE
PID:2956 -
\??\c:\6028468.exec:\6028468.exe61⤵
- Executes dropped EXE
PID:2448 -
\??\c:\480624.exec:\480624.exe62⤵
- Executes dropped EXE
PID:1088 -
\??\c:\o602008.exec:\o602008.exe63⤵
- Executes dropped EXE
PID:2464 -
\??\c:\c240464.exec:\c240464.exe64⤵
- Executes dropped EXE
PID:1956 -
\??\c:\2228408.exec:\2228408.exe65⤵
- Executes dropped EXE
PID:1784 -
\??\c:\m6642.exec:\m6642.exe66⤵PID:1668
-
\??\c:\84006.exec:\84006.exe67⤵PID:3048
-
\??\c:\02426.exec:\02426.exe68⤵PID:1716
-
\??\c:\vdjvp.exec:\vdjvp.exe69⤵PID:880
-
\??\c:\thnhnh.exec:\thnhnh.exe70⤵PID:2400
-
\??\c:\rxfrxlf.exec:\rxfrxlf.exe71⤵PID:2040
-
\??\c:\xxxlxfr.exec:\xxxlxfr.exe72⤵PID:2248
-
\??\c:\jpdpd.exec:\jpdpd.exe73⤵PID:1540
-
\??\c:\bbnnbh.exec:\bbnnbh.exe74⤵PID:1064
-
\??\c:\fllllxf.exec:\fllllxf.exe75⤵PID:2072
-
\??\c:\ffxrllx.exec:\ffxrllx.exe76⤵PID:2792
-
\??\c:\000668.exec:\000668.exe77⤵PID:1592
-
\??\c:\4884220.exec:\4884220.exe78⤵PID:1600
-
\??\c:\pjpjp.exec:\pjpjp.exe79⤵PID:2724
-
\??\c:\k20022.exec:\k20022.exe80⤵PID:2788
-
\??\c:\886268.exec:\886268.exe81⤵PID:2836
-
\??\c:\8200408.exec:\8200408.exe82⤵PID:2928
-
\??\c:\o486006.exec:\o486006.exe83⤵PID:2640
-
\??\c:\pjvjv.exec:\pjvjv.exe84⤵PID:2744
-
\??\c:\rrfrllx.exec:\rrfrllx.exe85⤵PID:1920
-
\??\c:\424426.exec:\424426.exe86⤵PID:3008
-
\??\c:\vvjpj.exec:\vvjpj.exe87⤵PID:1164
-
\??\c:\frrfffx.exec:\frrfffx.exe88⤵PID:1336
-
\??\c:\o828406.exec:\o828406.exe89⤵PID:3020
-
\??\c:\00046.exec:\00046.exe90⤵PID:2204
-
\??\c:\0868448.exec:\0868448.exe91⤵PID:2272
-
\??\c:\tthttb.exec:\tthttb.exe92⤵PID:1440
-
\??\c:\26286.exec:\26286.exe93⤵PID:2156
-
\??\c:\3rlrfrx.exec:\3rlrfrx.exe94⤵PID:1616
-
\??\c:\8828064.exec:\8828064.exe95⤵PID:1924
-
\??\c:\ddvjv.exec:\ddvjv.exe96⤵PID:1768
-
\??\c:\0428208.exec:\0428208.exe97⤵PID:3032
-
\??\c:\hbtbtb.exec:\hbtbtb.exe98⤵PID:1772
-
\??\c:\220262.exec:\220262.exe99⤵PID:848
-
\??\c:\8066602.exec:\8066602.exe100⤵PID:1968
-
\??\c:\xllrxfr.exec:\xllrxfr.exe101⤵PID:2004
-
\??\c:\5xflxlx.exec:\5xflxlx.exe102⤵PID:2304
-
\??\c:\vjdjp.exec:\vjdjp.exe103⤵PID:2960
-
\??\c:\nhbhtn.exec:\nhbhtn.exe104⤵PID:2192
-
\??\c:\rrlrxxf.exec:\rrlrxxf.exe105⤵PID:2456
-
\??\c:\2404206.exec:\2404206.exe106⤵PID:948
-
\??\c:\thhtnb.exec:\thhtnb.exe107⤵PID:1016
-
\??\c:\q86280.exec:\q86280.exe108⤵PID:872
-
\??\c:\9xrxxxl.exec:\9xrxxxl.exe109⤵PID:1784
-
\??\c:\0268466.exec:\0268466.exe110⤵PID:2280
-
\??\c:\hbntnt.exec:\hbntnt.exe111⤵PID:1228
-
\??\c:\pvpdp.exec:\pvpdp.exe112⤵PID:828
-
\??\c:\8622608.exec:\8622608.exe113⤵PID:892
-
\??\c:\20628.exec:\20628.exe114⤵PID:2660
-
\??\c:\dvddp.exec:\dvddp.exe115⤵PID:2256
-
\??\c:\1jpdp.exec:\1jpdp.exe116⤵PID:1488
-
\??\c:\28406.exec:\28406.exe117⤵PID:2524
-
\??\c:\rrfxfxx.exec:\rrfxfxx.exe118⤵PID:1192
-
\??\c:\046662.exec:\046662.exe119⤵PID:2076
-
\??\c:\rxxxlxl.exec:\rxxxlxl.exe120⤵PID:2504
-
\??\c:\xrrrxlx.exec:\xrrrxlx.exe121⤵PID:2700
-
\??\c:\8200842.exec:\8200842.exe122⤵PID:2732