Analysis
-
max time kernel
150s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64 arch:x86 image:win7-20241010-en locale:en-us os:windows7-x64 system -
submitted
20-12-2024 04:20
Behavioral task
behavioral1
Sample
9aa96088e92ba873e7115f74a5148d7d3b0903d57e52c9a04e80e3be3cb35e9e.exe
Resource
win7-20241010-en
windows7-x64
7 signatures
150 seconds
General
-
Target
9aa96088e92ba873e7115f74a5148d7d3b0903d57e52c9a04e80e3be3cb35e9e.exe
-
Size
334KB
-
MD5
9001bcd4ccc5a1740d8399910760cee7
-
SHA1
8a8c1d975fc0455f6d1e88f256074a066a7bbd04
-
SHA256
9aa96088e92ba873e7115f74a5148d7d3b0903d57e52c9a04e80e3be3cb35e9e
-
SHA512
b017adaca88fe3d6d5eb8e9092bfc28c04515407067cdbbe5f206183919a538a11b6b0b14b34ffbf7d0396d2b54fbe50229390869f7d2fd7e5cad9c44d57e302
-
SSDEEP
6144:vcm4FmowdHoStJdJIjaRleL42bL37BoTPkhu9gX5yGsTshQc8R0nxA5ij8+RC7tX:94wFHoStJdSjylh2b77BoTMA9gX59sTf
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 43 IoCs
resource yara_rule behavioral1/memory/2936-10-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2876-6-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2936-15-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2928-23-0x00000000003B0000-0x00000000003D7000-memory.dmp family_blackmoon behavioral1/memory/2928-25-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2940-32-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1092-41-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2948-48-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2740-57-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2728-64-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/572-73-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1484-80-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1796-90-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/568-106-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2116-123-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1160-143-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1956-166-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1692-190-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1364-225-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1764-234-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1684-242-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral1/memory/1276-281-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1716-293-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2832-299-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1588-315-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/708-361-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/3044-372-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2128-383-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2772-391-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2584-416-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2292-494-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1036-564-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2976-608-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1852-646-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/3068-672-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/1244-704-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2648-716-0x00000000001B0000-0x00000000001D7000-memory.dmp family_blackmoon behavioral1/memory/2172-722-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2044-804-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2220-989-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/856-13988-0x00000000779A0000-0x0000000077ABF000-memory.dmp family_blackmoon behavioral1/memory/856-15376-0x00000000778A0000-0x000000007799A000-memory.dmp family_blackmoon 
behavioral1/memory/856-18702-0x00000000779A0000-0x0000000077ABF000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2936 tnhntt.exe 2928 826806.exe 2940 btnbtb.exe 1092 026080.exe 2948 1xlrxxf.exe 2740 q04422.exe 2728 hbthbt.exe 572 86408.exe 1484 0484660.exe 1796 0486280.exe 2588 08628.exe 568 5rlrrxl.exe 2564 a2624.exe 2552 xrlffrr.exe 2116 frflllr.exe 2404 frfxlll.exe 1160 c684066.exe 1192 a4624.exe 2480 vjppp.exe 1956 hhtntn.exe 2632 5hnhhh.exe 1944 080400.exe 1692 hbhnnn.exe 748 7llxxxx.exe 448 bhnnnn.exe 2292 60642.exe 868 w80288.exe 1364 060066.exe 1764 40284.exe 1684 80662.exe 632 pjpvj.exe 1268 jpddv.exe 788 8206406.exe 2120 4284222.exe 1816 8080046.exe 1276 86886.exe 2784 8648004.exe 1716 hbbbbb.exe 2832 604066.exe 2808 3ntbnb.exe 2596 800644.exe 1588 606244.exe 2796 k46622.exe 2912 pppdv.exe 2816 3dvvd.exe 2948 08006.exe 2708 9vppv.exe 656 q02844.exe 2728 3tbbhh.exe 1248 nbnntb.exe 708 4622262.exe 3044 e68844.exe 2604 bntnnn.exe 2128 w88286.exe 2772 6464620.exe 1332 7dvjv.exe 2512 26840.exe 2552 lrffrrx.exe 2584 i462880.exe 1428 tntnnh.exe 1424 q24066.exe 1244 g0228.exe 2648 660684.exe 2460 jvpvp.exe -
UPX packed file (yara rule: upx)
resource yara_rule behavioral1/memory/2876-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00090000000120f9-7.dat upx behavioral1/memory/2936-10-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2876-6-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0008000000016599-17.dat upx behavioral1/memory/2936-15-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2928-25-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0008000000016621-24.dat upx behavioral1/files/0x0008000000016846-33.dat upx behavioral1/memory/2940-32-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0007000000016c3a-40.dat upx behavioral1/memory/1092-41-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0007000000016c53-49.dat upx behavioral1/memory/2948-48-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2740-57-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0007000000016c5c-56.dat upx behavioral1/memory/2728-64-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0009000000016ca5-65.dat upx behavioral1/memory/572-73-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0008000000016cc9-74.dat upx behavioral1/memory/1484-80-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001939c-82.dat upx behavioral1/memory/1796-90-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001941b-89.dat upx behavioral1/memory/2588-91-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0005000000019429-98.dat upx behavioral1/files/0x000500000001946b-105.dat upx behavioral1/memory/568-106-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0005000000019481-113.dat upx behavioral1/files/0x00370000000160db-121.dat upx 
behavioral1/memory/2116-123-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0005000000019490-130.dat upx behavioral1/files/0x000500000001949d-136.dat upx behavioral1/files/0x00050000000194c6-145.dat upx behavioral1/memory/1160-143-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00050000000194d0-151.dat upx behavioral1/files/0x00050000000194da-158.dat upx behavioral1/memory/1956-159-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00050000000194e4-167.dat upx behavioral1/memory/1956-166-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00050000000194e6-174.dat upx behavioral1/files/0x0005000000019551-183.dat upx behavioral1/files/0x000500000001955c-189.dat upx behavioral1/memory/1692-190-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0005000000019581-197.dat upx behavioral1/files/0x00050000000195c0-204.dat upx behavioral1/files/0x00050000000195f7-211.dat upx behavioral1/files/0x00050000000195f9-219.dat upx behavioral1/files/0x00050000000195fb-227.dat upx behavioral1/memory/1364-225-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/1764-234-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00050000000195fd-235.dat upx behavioral1/memory/1684-242-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00050000000195fe-243.dat upx behavioral1/files/0x00050000000195ff-250.dat upx behavioral1/memory/1816-269-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/1276-281-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/1716-293-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2832-299-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/1588-315-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2596-324-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral1/memory/708-361-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/3044-372-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/1428-417-0x0000000000400000-0x0000000000427000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location. In this run the behaviour is a read of HKLM\SYSTEM\ControlSet001\Control\NLS\Language by the dropped executables; this registry read is also common in benign software, so on its own it is weak context rather than a standalone detection and should be correlated with the Blackmoon and dropped-EXE signatures above.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4880248.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 00402.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1nbbbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8000484.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llflrlx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 60840.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 648686.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxxrrll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c248040.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdjjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpdvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfrlfxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbnntb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 860688.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tntnnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 824400.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2876 wrote to memory of 2936 2876 9aa96088e92ba873e7115f74a5148d7d3b0903d57e52c9a04e80e3be3cb35e9e.exe 30 PID 2876 wrote to memory of 2936 2876 9aa96088e92ba873e7115f74a5148d7d3b0903d57e52c9a04e80e3be3cb35e9e.exe 30 PID 2876 wrote to memory of 2936 2876 9aa96088e92ba873e7115f74a5148d7d3b0903d57e52c9a04e80e3be3cb35e9e.exe 30 PID 2876 wrote to memory of 2936 2876 9aa96088e92ba873e7115f74a5148d7d3b0903d57e52c9a04e80e3be3cb35e9e.exe 30 PID 2936 wrote to memory of 2928 2936 tnhntt.exe 31 PID 2936 wrote to memory of 2928 2936 tnhntt.exe 31 PID 2936 wrote to memory of 2928 2936 tnhntt.exe 31 PID 2936 wrote to memory of 2928 2936 tnhntt.exe 31 PID 2928 wrote to memory of 2940 2928 826806.exe 32 PID 2928 wrote to memory of 2940 2928 826806.exe 32 PID 2928 wrote to memory of 2940 2928 826806.exe 32 PID 2928 wrote to memory of 2940 2928 826806.exe 32 PID 2940 wrote to memory of 1092 2940 btnbtb.exe 33 PID 2940 wrote to memory of 1092 2940 btnbtb.exe 33 PID 2940 wrote to memory of 1092 2940 btnbtb.exe 33 PID 2940 wrote to memory of 1092 2940 btnbtb.exe 33 PID 1092 wrote to memory of 2948 1092 026080.exe 34 PID 1092 wrote to memory of 2948 1092 026080.exe 34 PID 1092 wrote to memory of 2948 1092 026080.exe 34 PID 1092 wrote to memory of 2948 1092 026080.exe 34 PID 2948 wrote to memory of 2740 2948 1xlrxxf.exe 35 PID 2948 wrote to memory of 2740 2948 1xlrxxf.exe 35 PID 2948 wrote to memory of 2740 2948 1xlrxxf.exe 35 PID 2948 wrote to memory of 2740 2948 1xlrxxf.exe 35 PID 2740 wrote to memory of 2728 2740 q04422.exe 36 PID 2740 wrote to memory of 2728 2740 q04422.exe 36 PID 2740 wrote to memory of 2728 2740 q04422.exe 36 PID 2740 wrote to memory of 2728 2740 q04422.exe 36 PID 2728 wrote to memory of 572 2728 hbthbt.exe 37 PID 2728 wrote to memory of 572 2728 hbthbt.exe 37 PID 2728 wrote to memory of 572 2728 hbthbt.exe 37 PID 2728 wrote to memory of 572 2728 hbthbt.exe 37 PID 572 wrote to memory of 1484 572 86408.exe 38 PID 572 wrote to 
memory of 1484 572 86408.exe 38 PID 572 wrote to memory of 1484 572 86408.exe 38 PID 572 wrote to memory of 1484 572 86408.exe 38 PID 1484 wrote to memory of 1796 1484 0484660.exe 39 PID 1484 wrote to memory of 1796 1484 0484660.exe 39 PID 1484 wrote to memory of 1796 1484 0484660.exe 39 PID 1484 wrote to memory of 1796 1484 0484660.exe 39 PID 1796 wrote to memory of 2588 1796 0486280.exe 40 PID 1796 wrote to memory of 2588 1796 0486280.exe 40 PID 1796 wrote to memory of 2588 1796 0486280.exe 40 PID 1796 wrote to memory of 2588 1796 0486280.exe 40 PID 2588 wrote to memory of 568 2588 08628.exe 41 PID 2588 wrote to memory of 568 2588 08628.exe 41 PID 2588 wrote to memory of 568 2588 08628.exe 41 PID 2588 wrote to memory of 568 2588 08628.exe 41 PID 568 wrote to memory of 2564 568 5rlrrxl.exe 42 PID 568 wrote to memory of 2564 568 5rlrrxl.exe 42 PID 568 wrote to memory of 2564 568 5rlrrxl.exe 42 PID 568 wrote to memory of 2564 568 5rlrrxl.exe 42 PID 2564 wrote to memory of 2552 2564 a2624.exe 43 PID 2564 wrote to memory of 2552 2564 a2624.exe 43 PID 2564 wrote to memory of 2552 2564 a2624.exe 43 PID 2564 wrote to memory of 2552 2564 a2624.exe 43 PID 2552 wrote to memory of 2116 2552 xrlffrr.exe 44 PID 2552 wrote to memory of 2116 2552 xrlffrr.exe 44 PID 2552 wrote to memory of 2116 2552 xrlffrr.exe 44 PID 2552 wrote to memory of 2116 2552 xrlffrr.exe 44 PID 2116 wrote to memory of 2404 2116 frflllr.exe 45 PID 2116 wrote to memory of 2404 2116 frflllr.exe 45 PID 2116 wrote to memory of 2404 2116 frflllr.exe 45 PID 2116 wrote to memory of 2404 2116 frflllr.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\9aa96088e92ba873e7115f74a5148d7d3b0903d57e52c9a04e80e3be3cb35e9e.exe"C:\Users\Admin\AppData\Local\Temp\9aa96088e92ba873e7115f74a5148d7d3b0903d57e52c9a04e80e3be3cb35e9e.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2876 -
\??\c:\tnhntt.exec:\tnhntt.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2936 -
\??\c:\826806.exec:\826806.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2928 -
\??\c:\btnbtb.exec:\btnbtb.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2940 -
\??\c:\026080.exec:\026080.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1092 -
\??\c:\1xlrxxf.exec:\1xlrxxf.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2948 -
\??\c:\q04422.exec:\q04422.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2740 -
\??\c:\hbthbt.exec:\hbthbt.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2728 -
\??\c:\86408.exec:\86408.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:572 -
\??\c:\0484660.exec:\0484660.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1484 -
\??\c:\0486280.exec:\0486280.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1796 -
\??\c:\08628.exec:\08628.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2588 -
\??\c:\5rlrrxl.exec:\5rlrrxl.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:568 -
\??\c:\a2624.exec:\a2624.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2564 -
\??\c:\xrlffrr.exec:\xrlffrr.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2552 -
\??\c:\frflllr.exec:\frflllr.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2116 -
\??\c:\frfxlll.exec:\frfxlll.exe17⤵
- Executes dropped EXE
PID:2404 -
\??\c:\c684066.exec:\c684066.exe18⤵
- Executes dropped EXE
PID:1160 -
\??\c:\a4624.exec:\a4624.exe19⤵
- Executes dropped EXE
PID:1192 -
\??\c:\vjppp.exec:\vjppp.exe20⤵
- Executes dropped EXE
PID:2480 -
\??\c:\hhtntn.exec:\hhtntn.exe21⤵
- Executes dropped EXE
PID:1956 -
\??\c:\5hnhhh.exec:\5hnhhh.exe22⤵
- Executes dropped EXE
PID:2632 -
\??\c:\080400.exec:\080400.exe23⤵
- Executes dropped EXE
PID:1944 -
\??\c:\hbhnnn.exec:\hbhnnn.exe24⤵
- Executes dropped EXE
PID:1692 -
\??\c:\7llxxxx.exec:\7llxxxx.exe25⤵
- Executes dropped EXE
PID:748 -
\??\c:\bhnnnn.exec:\bhnnnn.exe26⤵
- Executes dropped EXE
PID:448 -
\??\c:\60642.exec:\60642.exe27⤵
- Executes dropped EXE
PID:2292 -
\??\c:\w80288.exec:\w80288.exe28⤵
- Executes dropped EXE
PID:868 -
\??\c:\060066.exec:\060066.exe29⤵
- Executes dropped EXE
PID:1364 -
\??\c:\40284.exec:\40284.exe30⤵
- Executes dropped EXE
PID:1764 -
\??\c:\80662.exec:\80662.exe31⤵
- Executes dropped EXE
PID:1684 -
\??\c:\pjpvj.exec:\pjpvj.exe32⤵
- Executes dropped EXE
PID:632 -
\??\c:\jpddv.exec:\jpddv.exe33⤵
- Executes dropped EXE
PID:1268 -
\??\c:\8206406.exec:\8206406.exe34⤵
- Executes dropped EXE
PID:788 -
\??\c:\4284222.exec:\4284222.exe35⤵
- Executes dropped EXE
PID:2120 -
\??\c:\8080046.exec:\8080046.exe36⤵
- Executes dropped EXE
PID:1816 -
\??\c:\86886.exec:\86886.exe37⤵
- Executes dropped EXE
PID:1276 -
\??\c:\8648004.exec:\8648004.exe38⤵
- Executes dropped EXE
PID:2784 -
\??\c:\hbbbbb.exec:\hbbbbb.exe39⤵
- Executes dropped EXE
PID:1716 -
\??\c:\604066.exec:\604066.exe40⤵
- Executes dropped EXE
PID:2832 -
\??\c:\3ntbnb.exec:\3ntbnb.exe41⤵
- Executes dropped EXE
PID:2808 -
\??\c:\800644.exec:\800644.exe42⤵
- Executes dropped EXE
PID:2596 -
\??\c:\606244.exec:\606244.exe43⤵
- Executes dropped EXE
PID:1588 -
\??\c:\k46622.exec:\k46622.exe44⤵
- Executes dropped EXE
PID:2796 -
\??\c:\pppdv.exec:\pppdv.exe45⤵
- Executes dropped EXE
PID:2912 -
\??\c:\3dvvd.exec:\3dvvd.exe46⤵
- Executes dropped EXE
PID:2816 -
\??\c:\08006.exec:\08006.exe47⤵
- Executes dropped EXE
PID:2948 -
\??\c:\9vppv.exec:\9vppv.exe48⤵
- Executes dropped EXE
PID:2708 -
\??\c:\q02844.exec:\q02844.exe49⤵
- Executes dropped EXE
PID:656 -
\??\c:\3tbbhh.exec:\3tbbhh.exe50⤵
- Executes dropped EXE
PID:2728 -
\??\c:\nbnntb.exec:\nbnntb.exe51⤵
- Executes dropped EXE
PID:1248 -
\??\c:\4622262.exec:\4622262.exe52⤵
- Executes dropped EXE
PID:708 -
\??\c:\e68844.exec:\e68844.exe53⤵
- Executes dropped EXE
PID:3044 -
\??\c:\bntnnn.exec:\bntnnn.exe54⤵
- Executes dropped EXE
PID:2604 -
\??\c:\w88286.exec:\w88286.exe55⤵
- Executes dropped EXE
PID:2128 -
\??\c:\6464620.exec:\6464620.exe56⤵
- Executes dropped EXE
PID:2772 -
\??\c:\7dvjv.exec:\7dvjv.exe57⤵
- Executes dropped EXE
PID:1332 -
\??\c:\26840.exec:\26840.exe58⤵
- Executes dropped EXE
PID:2512 -
\??\c:\lrffrrx.exec:\lrffrrx.exe59⤵
- Executes dropped EXE
PID:2552 -
\??\c:\i462880.exec:\i462880.exe60⤵
- Executes dropped EXE
PID:2584 -
\??\c:\tntnnh.exec:\tntnnh.exe61⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1428 -
\??\c:\q24066.exec:\q24066.exe62⤵
- Executes dropped EXE
PID:1424 -
\??\c:\g0228.exec:\g0228.exe63⤵
- Executes dropped EXE
PID:1244 -
\??\c:\660684.exec:\660684.exe64⤵
- Executes dropped EXE
PID:2648 -
\??\c:\jvpvp.exec:\jvpvp.exe65⤵
- Executes dropped EXE
PID:2460 -
\??\c:\6642808.exec:\6642808.exe66⤵PID:2184
-
\??\c:\9xfrxxx.exec:\9xfrxxx.exe67⤵PID:2284
-
\??\c:\6644480.exec:\6644480.exe68⤵PID:2124
-
\??\c:\9htbbb.exec:\9htbbb.exe69⤵PID:1944
-
\??\c:\86606.exec:\86606.exe70⤵PID:1692
-
\??\c:\k80066.exec:\k80066.exe71⤵PID:2436
-
\??\c:\0844062.exec:\0844062.exe72⤵PID:2348
-
\??\c:\6462488.exec:\6462488.exe73⤵PID:2000
-
\??\c:\c888822.exec:\c888822.exe74⤵PID:2292
-
\??\c:\608284.exec:\608284.exe75⤵PID:1344
-
\??\c:\7lfrrrr.exec:\7lfrrrr.exe76⤵PID:1540
-
\??\c:\8246662.exec:\8246662.exe77⤵PID:1740
-
\??\c:\08006.exec:\08006.exe78⤵PID:796
-
\??\c:\rllrxlf.exec:\rllrxlf.exe79⤵PID:1544
-
\??\c:\jvjpp.exec:\jvjpp.exe80⤵PID:2572
-
\??\c:\a8064.exec:\a8064.exe81⤵PID:2044
-
\??\c:\ntnhnh.exec:\ntnhnh.exe82⤵PID:1268
-
\??\c:\5thtbb.exec:\5thtbb.exe83⤵PID:1748
-
\??\c:\486284.exec:\486284.exe84⤵PID:2112
-
\??\c:\8264662.exec:\8264662.exe85⤵PID:1816
-
\??\c:\xlxrxxx.exec:\xlxrxxx.exe86⤵PID:1284
-
\??\c:\2466644.exec:\2466644.exe87⤵PID:1036
-
\??\c:\1xrrffl.exec:\1xrrffl.exe88⤵PID:2872
-
\??\c:\jvdpv.exec:\jvdpv.exe89⤵PID:2956
-
\??\c:\jvjdd.exec:\jvjdd.exe90⤵PID:2944
-
\??\c:\bnbbnh.exec:\bnbbnh.exe91⤵PID:1596
-
\??\c:\04624.exec:\04624.exe92⤵PID:1592
-
\??\c:\5jpjv.exec:\5jpjv.exe93⤵PID:2704
-
\??\c:\88408.exec:\88408.exe94⤵PID:2792
-
\??\c:\dddjp.exec:\dddjp.exe95⤵PID:2976
-
\??\c:\nhthnn.exec:\nhthnn.exe96⤵PID:2748
-
\??\c:\4828684.exec:\4828684.exe97⤵PID:2736
-
\??\c:\bbnnth.exec:\bbnnth.exe98⤵PID:536
-
\??\c:\264680.exec:\264680.exe99⤵PID:1388
-
\??\c:\o040284.exec:\o040284.exe100⤵PID:572
-
\??\c:\60680.exec:\60680.exe101⤵PID:2052
-
\??\c:\048088.exec:\048088.exe102⤵PID:1852
-
\??\c:\hnttbt.exec:\hnttbt.exe103⤵PID:2080
-
\??\c:\4822064.exec:\4822064.exe104⤵PID:2588
-
\??\c:\frflrll.exec:\frflrll.exe105⤵PID:2656
-
\??\c:\g6400.exec:\g6400.exe106⤵PID:2772
-
\??\c:\nhhhtt.exec:\nhhhtt.exe107⤵PID:3068
-
\??\c:\dvddj.exec:\dvddj.exe108⤵PID:2544
-
\??\c:\rflfxlr.exec:\rflfxlr.exe109⤵PID:2556
-
\??\c:\fxlflfl.exec:\fxlflfl.exe110⤵PID:2996
-
\??\c:\5hhhhb.exec:\5hhhhb.exe111⤵PID:2404
-
\??\c:\7frlrff.exec:\7frlrff.exe112⤵PID:1428
-
\??\c:\42440.exec:\42440.exe113⤵PID:2156
-
\??\c:\m2002.exec:\m2002.exe114⤵PID:1244
-
\??\c:\86888.exec:\86888.exe115⤵PID:2648
-
\??\c:\dvjjj.exec:\dvjjj.exe116⤵PID:2172
-
\??\c:\lflrrxx.exec:\lflrrxx.exe117⤵PID:2420
-
\??\c:\o026622.exec:\o026622.exe118⤵PID:1784
-
\??\c:\dpjdp.exec:\dpjdp.exe119⤵PID:468
-
\??\c:\xrrrrll.exec:\xrrrrll.exe120⤵PID:1656
-
\??\c:\lxlllff.exec:\lxlllff.exe121⤵PID:432
-
\??\c:\4820402.exec:\4820402.exe122⤵PID:1132