Analysis
-
max time kernel
150s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64 arch:x86 image:win7-20241010-en locale:en-us os:windows7-x64 system -
submitted
19-12-2024 06:19
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
ec9b6f553aca84beeebc26c6b54c4472299f7363367dd77e45bad9a07cf17410.exe
Resource
win7-20241010-en
windows7-x64
7 signatures
150 seconds
General
-
Target
ec9b6f553aca84beeebc26c6b54c4472299f7363367dd77e45bad9a07cf17410.exe
-
Size
455KB
-
MD5
57c35dd5c7d4d634fca2a36d462aeae7
-
SHA1
e7c53a3840dd49a90f3e63ff8fcdbc43f7877c11
-
SHA256
ec9b6f553aca84beeebc26c6b54c4472299f7363367dd77e45bad9a07cf17410
-
SHA512
f5d7e2ed266661665200e02a6ffe6ad9c96c75ffb5c17974f12c78644ee8e3fc846bfab0f18fdcc63627bcd3fae8a469dceb55310fade1dae66233b39afc6271
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeO:q7Tc2NYHUrAwfMp3CDO
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 43 IoCs
resource yara_rule behavioral1/memory/2700-0-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2936-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2828-26-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1740-16-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2636-52-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2604-62-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3020-71-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/3068-81-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/980-91-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2220-100-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2248-111-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1924-123-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1684-120-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1956-134-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1924-130-0x0000000000230000-0x000000000025A000-memory.dmp family_blackmoon behavioral1/memory/3028-142-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3028-150-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/2416-162-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2160-186-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2424-189-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2100-198-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/408-213-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2944-218-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/1368-239-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/912-250-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1780-260-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/976-269-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3004-286-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2736-302-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2716-316-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2636-348-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2280-362-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2632-433-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1892-447-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1992-512-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1620-532-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/2344-547-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2344-548-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/320-636-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/1976-775-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2036-777-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2996-832-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2752-1137-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs (note: PIDs are reused within this run — e.g. 2636, 2604, 1924 and 2424 each appear for two different dropped binaries — so the PID-keyed memory-dump IoCs above are not unique per binary; correlate on the image name and offset as well)
pid Process 1740 lxrlrrx.exe 2828 0428002.exe 2936 04848.exe 2900 8262446.exe 2636 ntntnb.exe 2604 pvpjd.exe 3020 xrlxllx.exe 3068 82024.exe 980 6062468.exe 2220 nhbhnb.exe 2248 6080220.exe 1684 ppdjd.exe 1924 8206802.exe 1956 7dpjv.exe 3028 jjdpd.exe 2416 bnttbn.exe 1320 2020044.exe 1636 g4268.exe 2160 04628.exe 2424 2606428.exe 2100 jvdvv.exe 408 3xlflfx.exe 2944 rlrxflx.exe 1940 048024.exe 1368 3hhnbn.exe 1536 xfxxlxr.exe 912 7dvvd.exe 1780 60468.exe 976 4464064.exe 3004 jjjpv.exe 2684 4404826.exe 2736 64044.exe 1584 5fllflf.exe 2716 w02400.exe 2868 tnbtbb.exe 2856 i646224.exe 2756 264688.exe 2904 1rffffr.exe 2636 86408.exe 2604 048466.exe 2280 8240282.exe 2640 048880.exe 688 5jdjv.exe 928 llrlxxr.exe 2064 tnhntb.exe 1284 6462224.exe 2068 04280.exe 3052 bthhhn.exe 2652 u888668.exe 1924 i028844.exe 2404 xxlrxxf.exe 2632 xxllrrr.exe 1788 k02640.exe 1892 5xllxff.exe 908 ttbbnn.exe 1308 jdvvp.exe 1612 jdpjd.exe 1912 7vjvv.exe 2424 9dppv.exe 2336 2066884.exe 1140 thtttt.exe 1332 64882.exe 1028 9rlrxrf.exe 1992 1xrrlfr.exe -
resource yara_rule behavioral1/memory/2700-0-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2828-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2936-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2828-26-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1740-16-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2604-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2636-52-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2604-62-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3068-81-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/980-91-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2220-100-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1684-112-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2248-111-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1924-123-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1684-120-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1956-134-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3028-142-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2416-152-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2416-162-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2160-186-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2424-189-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2100-198-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/408-213-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1368-239-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/912-250-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1780-260-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/976-269-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3004-286-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2736-302-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2716-316-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2636-348-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2604-349-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2280-362-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2404-418-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2632-433-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1892-440-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1912-466-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2424-474-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1992-512-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2016-533-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1676-549-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2344-548-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1856-686-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1320-725-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1976-775-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/1008-818-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2996-832-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1844-919-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/584-926-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1284-939-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/952-1080-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1572-1111-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location. Entries below marked "Process not Found" could not be attributed to a named process by the sandbox (most likely the process had already exited when the event was recorded), so only the named entries are usable as per-binary IoCs.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4288288.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a8668.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language m2440.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language httnnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 64244.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlxxxxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpppd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 68000.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 826284.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnhhhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 82880.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdppv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9xrlllr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flfflff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhnnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djvjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6088002.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flxfxrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2700 wrote to memory of 1740 2700 ec9b6f553aca84beeebc26c6b54c4472299f7363367dd77e45bad9a07cf17410.exe 30 PID 2700 wrote to memory of 1740 2700 ec9b6f553aca84beeebc26c6b54c4472299f7363367dd77e45bad9a07cf17410.exe 30 PID 2700 wrote to memory of 1740 2700 ec9b6f553aca84beeebc26c6b54c4472299f7363367dd77e45bad9a07cf17410.exe 30 PID 2700 wrote to memory of 1740 2700 ec9b6f553aca84beeebc26c6b54c4472299f7363367dd77e45bad9a07cf17410.exe 30 PID 1740 wrote to memory of 2828 1740 lxrlrrx.exe 31 PID 1740 wrote to memory of 2828 1740 lxrlrrx.exe 31 PID 1740 wrote to memory of 2828 1740 lxrlrrx.exe 31 PID 1740 wrote to memory of 2828 1740 lxrlrrx.exe 31 PID 2828 wrote to memory of 2936 2828 0428002.exe 32 PID 2828 wrote to memory of 2936 2828 0428002.exe 32 PID 2828 wrote to memory of 2936 2828 0428002.exe 32 PID 2828 wrote to memory of 2936 2828 0428002.exe 32 PID 2936 wrote to memory of 2900 2936 04848.exe 33 PID 2936 wrote to memory of 2900 2936 04848.exe 33 PID 2936 wrote to memory of 2900 2936 04848.exe 33 PID 2936 wrote to memory of 2900 2936 04848.exe 33 PID 2900 wrote to memory of 2636 2900 8262446.exe 34 PID 2900 wrote to memory of 2636 2900 8262446.exe 34 PID 2900 wrote to memory of 2636 2900 8262446.exe 34 PID 2900 wrote to memory of 2636 2900 8262446.exe 34 PID 2636 wrote to memory of 2604 2636 ntntnb.exe 35 PID 2636 wrote to memory of 2604 2636 ntntnb.exe 35 PID 2636 wrote to memory of 2604 2636 ntntnb.exe 35 PID 2636 wrote to memory of 2604 2636 ntntnb.exe 35 PID 2604 wrote to memory of 3020 2604 pvpjd.exe 36 PID 2604 wrote to memory of 3020 2604 pvpjd.exe 36 PID 2604 wrote to memory of 3020 2604 pvpjd.exe 36 PID 2604 wrote to memory of 3020 2604 pvpjd.exe 36 PID 3020 wrote to memory of 3068 3020 xrlxllx.exe 37 PID 3020 wrote to memory of 3068 3020 xrlxllx.exe 37 PID 3020 wrote to memory of 3068 3020 xrlxllx.exe 37 PID 3020 wrote to memory of 3068 3020 xrlxllx.exe 37 PID 3068 wrote to memory of 980 3068 82024.exe 38 PID 
3068 wrote to memory of 980 3068 82024.exe 38 PID 3068 wrote to memory of 980 3068 82024.exe 38 PID 3068 wrote to memory of 980 3068 82024.exe 38 PID 980 wrote to memory of 2220 980 6062468.exe 39 PID 980 wrote to memory of 2220 980 6062468.exe 39 PID 980 wrote to memory of 2220 980 6062468.exe 39 PID 980 wrote to memory of 2220 980 6062468.exe 39 PID 2220 wrote to memory of 2248 2220 nhbhnb.exe 40 PID 2220 wrote to memory of 2248 2220 nhbhnb.exe 40 PID 2220 wrote to memory of 2248 2220 nhbhnb.exe 40 PID 2220 wrote to memory of 2248 2220 nhbhnb.exe 40 PID 2248 wrote to memory of 1684 2248 6080220.exe 41 PID 2248 wrote to memory of 1684 2248 6080220.exe 41 PID 2248 wrote to memory of 1684 2248 6080220.exe 41 PID 2248 wrote to memory of 1684 2248 6080220.exe 41 PID 1684 wrote to memory of 1924 1684 ppdjd.exe 42 PID 1684 wrote to memory of 1924 1684 ppdjd.exe 42 PID 1684 wrote to memory of 1924 1684 ppdjd.exe 42 PID 1684 wrote to memory of 1924 1684 ppdjd.exe 42 PID 1924 wrote to memory of 1956 1924 8206802.exe 43 PID 1924 wrote to memory of 1956 1924 8206802.exe 43 PID 1924 wrote to memory of 1956 1924 8206802.exe 43 PID 1924 wrote to memory of 1956 1924 8206802.exe 43 PID 1956 wrote to memory of 3028 1956 7dpjv.exe 44 PID 1956 wrote to memory of 3028 1956 7dpjv.exe 44 PID 1956 wrote to memory of 3028 1956 7dpjv.exe 44 PID 1956 wrote to memory of 3028 1956 7dpjv.exe 44 PID 3028 wrote to memory of 2416 3028 jjdpd.exe 45 PID 3028 wrote to memory of 2416 3028 jjdpd.exe 45 PID 3028 wrote to memory of 2416 3028 jjdpd.exe 45 PID 3028 wrote to memory of 2416 3028 jjdpd.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\ec9b6f553aca84beeebc26c6b54c4472299f7363367dd77e45bad9a07cf17410.exe"C:\Users\Admin\AppData\Local\Temp\ec9b6f553aca84beeebc26c6b54c4472299f7363367dd77e45bad9a07cf17410.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2700 -
\??\c:\lxrlrrx.exec:\lxrlrrx.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1740 -
\??\c:\0428002.exec:\0428002.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2828 -
\??\c:\04848.exec:\04848.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2936 -
\??\c:\8262446.exec:\8262446.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2900 -
\??\c:\ntntnb.exec:\ntntnb.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2636 -
\??\c:\pvpjd.exec:\pvpjd.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2604 -
\??\c:\xrlxllx.exec:\xrlxllx.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3020 -
\??\c:\82024.exec:\82024.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3068 -
\??\c:\6062468.exec:\6062468.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:980 -
\??\c:\nhbhnb.exec:\nhbhnb.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2220 -
\??\c:\6080220.exec:\6080220.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2248 -
\??\c:\ppdjd.exec:\ppdjd.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1684 -
\??\c:\8206802.exec:\8206802.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1924 -
\??\c:\7dpjv.exec:\7dpjv.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1956 -
\??\c:\jjdpd.exec:\jjdpd.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3028 -
\??\c:\bnttbn.exec:\bnttbn.exe17⤵
- Executes dropped EXE
PID:2416 -
\??\c:\2020044.exec:\2020044.exe18⤵
- Executes dropped EXE
PID:1320 -
\??\c:\g4268.exec:\g4268.exe19⤵
- Executes dropped EXE
PID:1636 -
\??\c:\04628.exec:\04628.exe20⤵
- Executes dropped EXE
PID:2160 -
\??\c:\2606428.exec:\2606428.exe21⤵
- Executes dropped EXE
PID:2424 -
\??\c:\jvdvv.exec:\jvdvv.exe22⤵
- Executes dropped EXE
PID:2100 -
\??\c:\3xlflfx.exec:\3xlflfx.exe23⤵
- Executes dropped EXE
PID:408 -
\??\c:\rlrxflx.exec:\rlrxflx.exe24⤵
- Executes dropped EXE
PID:2944 -
\??\c:\048024.exec:\048024.exe25⤵
- Executes dropped EXE
PID:1940 -
\??\c:\3hhnbn.exec:\3hhnbn.exe26⤵
- Executes dropped EXE
PID:1368 -
\??\c:\xfxxlxr.exec:\xfxxlxr.exe27⤵
- Executes dropped EXE
PID:1536 -
\??\c:\7dvvd.exec:\7dvvd.exe28⤵
- Executes dropped EXE
PID:912 -
\??\c:\60468.exec:\60468.exe29⤵
- Executes dropped EXE
PID:1780 -
\??\c:\4464064.exec:\4464064.exe30⤵
- Executes dropped EXE
PID:976 -
\??\c:\jjjpv.exec:\jjjpv.exe31⤵
- Executes dropped EXE
PID:3004 -
\??\c:\4404826.exec:\4404826.exe32⤵
- Executes dropped EXE
PID:2684 -
\??\c:\64044.exec:\64044.exe33⤵
- Executes dropped EXE
PID:2736 -
\??\c:\5fllflf.exec:\5fllflf.exe34⤵
- Executes dropped EXE
PID:1584 -
\??\c:\w02400.exec:\w02400.exe35⤵
- Executes dropped EXE
PID:2716 -
\??\c:\tnbtbb.exec:\tnbtbb.exe36⤵
- Executes dropped EXE
PID:2868 -
\??\c:\i646224.exec:\i646224.exe37⤵
- Executes dropped EXE
PID:2856 -
\??\c:\264688.exec:\264688.exe38⤵
- Executes dropped EXE
PID:2756 -
\??\c:\1rffffr.exec:\1rffffr.exe39⤵
- Executes dropped EXE
PID:2904 -
\??\c:\86408.exec:\86408.exe40⤵
- Executes dropped EXE
PID:2636 -
\??\c:\048466.exec:\048466.exe41⤵
- Executes dropped EXE
PID:2604 -
\??\c:\8240282.exec:\8240282.exe42⤵
- Executes dropped EXE
PID:2280 -
\??\c:\048880.exec:\048880.exe43⤵
- Executes dropped EXE
PID:2640 -
\??\c:\5jdjv.exec:\5jdjv.exe44⤵
- Executes dropped EXE
PID:688 -
\??\c:\llrlxxr.exec:\llrlxxr.exe45⤵
- Executes dropped EXE
PID:928 -
\??\c:\tnhntb.exec:\tnhntb.exe46⤵
- Executes dropped EXE
PID:2064 -
\??\c:\6462224.exec:\6462224.exe47⤵
- Executes dropped EXE
PID:1284 -
\??\c:\04280.exec:\04280.exe48⤵
- Executes dropped EXE
PID:2068 -
\??\c:\bthhhn.exec:\bthhhn.exe49⤵
- Executes dropped EXE
PID:3052 -
\??\c:\u888668.exec:\u888668.exe50⤵
- Executes dropped EXE
PID:2652 -
\??\c:\i028844.exec:\i028844.exe51⤵
- Executes dropped EXE
PID:1924 -
\??\c:\xxlrxxf.exec:\xxlrxxf.exe52⤵
- Executes dropped EXE
PID:2404 -
\??\c:\xxllrrr.exec:\xxllrrr.exe53⤵
- Executes dropped EXE
PID:2632 -
\??\c:\k02640.exec:\k02640.exe54⤵
- Executes dropped EXE
PID:1788 -
\??\c:\5xllxff.exec:\5xllxff.exe55⤵
- Executes dropped EXE
PID:1892 -
\??\c:\ttbbnn.exec:\ttbbnn.exe56⤵
- Executes dropped EXE
PID:908 -
\??\c:\jdvvp.exec:\jdvvp.exe57⤵
- Executes dropped EXE
PID:1308 -
\??\c:\jdpjd.exec:\jdpjd.exe58⤵
- Executes dropped EXE
PID:1612 -
\??\c:\7vjvv.exec:\7vjvv.exe59⤵
- Executes dropped EXE
PID:1912 -
\??\c:\9dppv.exec:\9dppv.exe60⤵
- Executes dropped EXE
PID:2424 -
\??\c:\2066884.exec:\2066884.exe61⤵
- Executes dropped EXE
PID:2336 -
\??\c:\thtttt.exec:\thtttt.exe62⤵
- Executes dropped EXE
PID:1140 -
\??\c:\64882.exec:\64882.exe63⤵
- Executes dropped EXE
PID:1332 -
\??\c:\9rlrxrf.exec:\9rlrxrf.exe64⤵
- Executes dropped EXE
PID:1028 -
\??\c:\1xrrlfr.exec:\1xrrlfr.exe65⤵
- Executes dropped EXE
PID:1992 -
\??\c:\jjpvd.exec:\jjpvd.exe66⤵PID:1720
-
\??\c:\48622.exec:\48622.exe67⤵PID:2000
-
\??\c:\nbhtnb.exec:\nbhtnb.exe68⤵PID:1620
-
\??\c:\btntbb.exec:\btntbb.exe69⤵PID:2016
-
\??\c:\hbbhnh.exec:\hbbhnh.exe70⤵PID:2344
-
\??\c:\82462.exec:\82462.exe71⤵PID:1676
-
\??\c:\404664.exec:\404664.exe72⤵PID:2988
-
\??\c:\480606.exec:\480606.exe73⤵PID:2504
-
\??\c:\o040202.exec:\o040202.exe74⤵PID:2568
-
\??\c:\88446.exec:\88446.exe75⤵PID:3060
-
\??\c:\ppdvd.exec:\ppdvd.exe76⤵PID:1688
-
\??\c:\4420220.exec:\4420220.exe77⤵PID:2820
-
\??\c:\5rllfll.exec:\5rllfll.exe78⤵PID:2848
-
\??\c:\fffxrrf.exec:\fffxrrf.exe79⤵PID:2792
-
\??\c:\jjdpd.exec:\jjdpd.exe80⤵PID:2648
-
\??\c:\ttntht.exec:\ttntht.exe81⤵PID:468
-
\??\c:\e24400.exec:\e24400.exe82⤵PID:2644
-
\??\c:\tbbhtb.exec:\tbbhtb.exe83⤵PID:3012
-
\??\c:\8262828.exec:\8262828.exe84⤵PID:320
-
\??\c:\080244.exec:\080244.exe85⤵PID:2096
-
\??\c:\3jvvv.exec:\3jvvv.exe86⤵PID:2640
-
\??\c:\0800040.exec:\0800040.exe87⤵PID:592
-
\??\c:\486666.exec:\486666.exe88⤵PID:928
-
\??\c:\vpdjp.exec:\vpdjp.exe89⤵PID:1952
-
\??\c:\2080086.exec:\2080086.exe90⤵PID:2076
-
\??\c:\nbnnnt.exec:\nbnnnt.exe91⤵PID:2068
-
\??\c:\rlxxffl.exec:\rlxxffl.exe92⤵PID:3024
-
\??\c:\rfrxxfl.exec:\rfrxxfl.exe93⤵PID:1856
-
\??\c:\20624.exec:\20624.exe94⤵PID:1924
-
\??\c:\246222.exec:\246222.exe95⤵PID:684
-
\??\c:\7nhtbb.exec:\7nhtbb.exe96⤵PID:2632
-
\??\c:\6844042.exec:\6844042.exe97⤵PID:2056
-
\??\c:\64244.exec:\64244.exe98⤵
- System Location Discovery: System Language Discovery
PID:1776 -
\??\c:\dvppp.exec:\dvppp.exe99⤵PID:1320
-
\??\c:\6844444.exec:\6844444.exe100⤵PID:2176
-
\??\c:\q68660.exec:\q68660.exe101⤵PID:1944
-
\??\c:\42464.exec:\42464.exe102⤵PID:316
-
\??\c:\rxlllfl.exec:\rxlllfl.exe103⤵PID:2036
-
\??\c:\86462.exec:\86462.exe104⤵PID:2100
-
\??\c:\20888.exec:\20888.exe105⤵PID:448
-
\??\c:\pjpvv.exec:\pjpvv.exe106⤵PID:1976
-
\??\c:\00408.exec:\00408.exe107⤵PID:1648
-
\??\c:\20880.exec:\20880.exe108⤵PID:1860
-
\??\c:\3dpjj.exec:\3dpjj.exe109⤵PID:2980
-
\??\c:\2028002.exec:\2028002.exe110⤵PID:900
-
\??\c:\pdpjv.exec:\pdpjv.exe111⤵PID:1984
-
\??\c:\0888444.exec:\0888444.exe112⤵PID:2016
-
\??\c:\vjpvd.exec:\vjpvd.exe113⤵PID:1008
-
\??\c:\626844.exec:\626844.exe114⤵PID:1276
-
\??\c:\o084440.exec:\o084440.exe115⤵PID:2996
-
\??\c:\vjvjp.exec:\vjvjp.exe116⤵PID:2984
-
\??\c:\4240228.exec:\4240228.exe117⤵PID:2800
-
\??\c:\pdjjp.exec:\pdjjp.exe118⤵PID:1576
-
\??\c:\646840.exec:\646840.exe119⤵PID:2828
-
\??\c:\1tnnbb.exec:\1tnnbb.exe120⤵PID:2860
-
\??\c:\3pdjj.exec:\3pdjj.exe121⤵PID:2140
-
\??\c:\w84004.exec:\w84004.exe122⤵PID:2900