Analysis
-
max time kernel
120s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20241023-en -
resource tags
arch:x64 arch:x86 image:win7-20241023-en locale:en-us os:windows7-x64 system -
submitted
26-12-2024 01:27
Static task
static1
1 signature
Behavioral task
behavioral1
Sample
9650aa02e224a1de270acc5110913ffa5bf05584246ea8ca8b128a5d70d5f0b9N.exe
Resource
win7-20241023-en
windows7-x64
7 signatures
120 seconds
General
-
Target
9650aa02e224a1de270acc5110913ffa5bf05584246ea8ca8b128a5d70d5f0b9N.exe
-
Size
452KB
-
MD5
9b5f5c496740a90f0be8bf8bcb256110
-
SHA1
46f1efafa6623130dc998d0709dd201cc3d351fd
-
SHA256
9650aa02e224a1de270acc5110913ffa5bf05584246ea8ca8b128a5d70d5f0b9
-
SHA512
3298f46d35430cb1587334705d9734cc5900e4daef5e54269c43227151f1e3a67f11345cba455671ec3a0ed59370fd6a76fc61639e226e82816a4aeef44d3957
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeE:q7Tc2NYHUrAwfMp3CDE
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 45 IoCs
resource yara_rule behavioral1/memory/2808-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2912-16-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2792-28-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2920-31-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2792-25-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2704-46-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2476-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1720-74-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2500-83-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2756-91-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2272-101-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2880-121-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2836-131-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/380-140-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1584-143-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2324-168-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2460-185-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2556-214-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/276-254-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/352-272-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2456-282-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/1448-293-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2948-315-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2792-316-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2736-344-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2544-351-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1588-364-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1588-365-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2844-398-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/592-418-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/604-425-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2076-467-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1896-494-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/1660-527-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1912-559-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2096-621-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2164-646-0x00000000002C0000-0x00000000002EA000-memory.dmp family_blackmoon behavioral1/memory/864-680-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2868-687-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2984-694-0x0000000000230000-0x000000000025A000-memory.dmp family_blackmoon behavioral1/memory/2036-757-0x0000000000260000-0x000000000028A000-memory.dmp family_blackmoon behavioral1/memory/1096-783-0x0000000001C60000-0x0000000001C8A000-memory.dmp family_blackmoon 
behavioral1/memory/1020-822-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2200-835-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/2688-873-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs (listing stops at 64 entries although the process tree below reaches depth 122; note that PIDs are reused within the run — e.g. 2808 is both the original sample and later hhnntn.exe / 8462644.exe, and 2792 is both 008668.exe and 26400.exe — so correlate IoCs by process name and parent, not by PID alone)
pid Process 2912 pdppp.exe 2792 008668.exe 2920 q80648.exe 2704 7djpd.exe 2672 pdjjj.exe 2476 680808.exe 1720 xrllxxx.exe 2500 7rxlrrx.exe 2756 82066.exe 2272 4206602.exe 1368 tnnhnh.exe 2880 rlfxrrr.exe 2836 5vjdd.exe 380 4606600.exe 1584 68484.exe 776 08084.exe 2324 1bhnbt.exe 2632 5flllrf.exe 2460 k86422.exe 1116 u244484.exe 284 802288.exe 2052 0466224.exe 2556 xrxfflr.exe 1484 vjvpp.exe 1276 dpvpv.exe 1648 5hnttt.exe 276 thnbbt.exe 1608 xlxfrrx.exe 352 6066822.exe 2456 0806884.exe 1448 46266.exe 2808 hhnntn.exe 2916 9jdvj.exe 2948 424022.exe 2792 26400.exe 2996 6866840.exe 2852 k08400.exe 2736 46840.exe 2544 4244826.exe 2712 thnbbb.exe 1588 i806668.exe 2624 m6480.exe 1580 dpddd.exe 3056 8022262.exe 2092 64606.exe 1372 nhbbbh.exe 2844 86822.exe 2984 q06686.exe 592 xrlflrx.exe 604 nnnhtn.exe 792 1rfffff.exe 2720 024844.exe 2528 vpvvd.exe 1908 60422.exe 1864 nbnnnn.exe 2076 9djvv.exe 2264 e20004.exe 1416 k60288.exe 1832 4226604.exe 1896 1rlrxfr.exe 2052 e42200.exe 2556 tnbbnn.exe 1280 q46626.exe 1552 e40028.exe -
resource yara_rule behavioral1/memory/2808-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2912-16-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2792-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2920-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2792-25-0x00000000001B0000-0x00000000001DA000-memory.dmp upx behavioral1/memory/2704-46-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2476-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1720-74-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2500-83-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2756-91-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1368-102-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2272-101-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2880-112-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2836-122-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2880-121-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/380-132-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2836-131-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/380-140-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1584-143-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2324-168-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2460-185-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2556-214-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/276-254-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/352-272-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/1448-284-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2456-282-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1448-293-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2916-302-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2948-315-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2792-316-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2736-344-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2544-351-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1588-364-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1588-365-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2092-385-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2844-398-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/592-418-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/604-425-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2076-467-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1832-481-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1660-527-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1852-546-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2096-621-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1720-640-0x00000000001B0000-0x00000000001DA000-memory.dmp upx behavioral1/memory/1368-667-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/864-680-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/1716-713-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2424-744-0x00000000002A0000-0x00000000002CA000-memory.dmp upx 
behavioral1/memory/2036-751-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/624-803-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1020-822-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2200-835-0x00000000003C0000-0x00000000003EA000-memory.dmp upx behavioral1/memory/2688-873-0x0000000000220000-0x000000000024A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim machine in order to infer the geographical location of that host (here: reads of HKLM\SYSTEM\ControlSet001\Control\NLS\Language by the dropped executables).
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxfrllx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 86222.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1pjjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e28244.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llxfxrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 042240.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 64600.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language q80066.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdjdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7nnnbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frxrffr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htbtbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjvdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tthhnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c088684.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llrllfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbnntt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not 
Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 42884.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language m0228.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 42402.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c862880.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 420688.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfrfrlr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnbbnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrfrxfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2808 wrote to memory of 2912 2808 9650aa02e224a1de270acc5110913ffa5bf05584246ea8ca8b128a5d70d5f0b9N.exe 30 PID 2808 wrote to memory of 2912 2808 9650aa02e224a1de270acc5110913ffa5bf05584246ea8ca8b128a5d70d5f0b9N.exe 30 PID 2808 wrote to memory of 2912 2808 9650aa02e224a1de270acc5110913ffa5bf05584246ea8ca8b128a5d70d5f0b9N.exe 30 PID 2808 wrote to memory of 2912 2808 9650aa02e224a1de270acc5110913ffa5bf05584246ea8ca8b128a5d70d5f0b9N.exe 30 PID 2912 wrote to memory of 2792 2912 pdppp.exe 31 PID 2912 wrote to memory of 2792 2912 pdppp.exe 31 PID 2912 wrote to memory of 2792 2912 pdppp.exe 31 PID 2912 wrote to memory of 2792 2912 pdppp.exe 31 PID 2792 wrote to memory of 2920 2792 008668.exe 32 PID 2792 wrote to memory of 2920 2792 008668.exe 32 PID 2792 wrote to memory of 2920 2792 008668.exe 32 PID 2792 wrote to memory of 2920 2792 008668.exe 32 PID 2920 wrote to memory of 2704 2920 q80648.exe 33 PID 2920 wrote to memory of 2704 2920 q80648.exe 33 PID 2920 wrote to memory of 2704 2920 q80648.exe 33 PID 2920 wrote to memory of 2704 2920 q80648.exe 33 PID 2704 wrote to memory of 2672 2704 7djpd.exe 34 PID 2704 wrote to memory of 2672 2704 7djpd.exe 34 PID 2704 wrote to memory of 2672 2704 7djpd.exe 34 PID 2704 wrote to memory of 2672 2704 7djpd.exe 34 PID 2672 wrote to memory of 2476 2672 pdjjj.exe 35 PID 2672 wrote to memory of 2476 2672 pdjjj.exe 35 PID 2672 wrote to memory of 2476 2672 pdjjj.exe 35 PID 2672 wrote to memory of 2476 2672 pdjjj.exe 35 PID 2476 wrote to memory of 1720 2476 680808.exe 36 PID 2476 wrote to memory of 1720 2476 680808.exe 36 PID 2476 wrote to memory of 1720 2476 680808.exe 36 PID 2476 wrote to memory of 1720 2476 680808.exe 36 PID 1720 wrote to memory of 2500 1720 xrllxxx.exe 37 PID 1720 wrote to memory of 2500 1720 xrllxxx.exe 37 PID 1720 wrote to memory of 2500 1720 xrllxxx.exe 37 PID 1720 wrote to memory of 2500 1720 xrllxxx.exe 37 PID 2500 wrote to memory of 2756 2500 7rxlrrx.exe 38 PID 2500 wrote 
to memory of 2756 2500 7rxlrrx.exe 38 PID 2500 wrote to memory of 2756 2500 7rxlrrx.exe 38 PID 2500 wrote to memory of 2756 2500 7rxlrrx.exe 38 PID 2756 wrote to memory of 2272 2756 82066.exe 39 PID 2756 wrote to memory of 2272 2756 82066.exe 39 PID 2756 wrote to memory of 2272 2756 82066.exe 39 PID 2756 wrote to memory of 2272 2756 82066.exe 39 PID 2272 wrote to memory of 1368 2272 4206602.exe 40 PID 2272 wrote to memory of 1368 2272 4206602.exe 40 PID 2272 wrote to memory of 1368 2272 4206602.exe 40 PID 2272 wrote to memory of 1368 2272 4206602.exe 40 PID 1368 wrote to memory of 2880 1368 tnnhnh.exe 41 PID 1368 wrote to memory of 2880 1368 tnnhnh.exe 41 PID 1368 wrote to memory of 2880 1368 tnnhnh.exe 41 PID 1368 wrote to memory of 2880 1368 tnnhnh.exe 41 PID 2880 wrote to memory of 2836 2880 rlfxrrr.exe 42 PID 2880 wrote to memory of 2836 2880 rlfxrrr.exe 42 PID 2880 wrote to memory of 2836 2880 rlfxrrr.exe 42 PID 2880 wrote to memory of 2836 2880 rlfxrrr.exe 42 PID 2836 wrote to memory of 380 2836 5vjdd.exe 43 PID 2836 wrote to memory of 380 2836 5vjdd.exe 43 PID 2836 wrote to memory of 380 2836 5vjdd.exe 43 PID 2836 wrote to memory of 380 2836 5vjdd.exe 43 PID 380 wrote to memory of 1584 380 4606600.exe 44 PID 380 wrote to memory of 1584 380 4606600.exe 44 PID 380 wrote to memory of 1584 380 4606600.exe 44 PID 380 wrote to memory of 1584 380 4606600.exe 44 PID 1584 wrote to memory of 776 1584 68484.exe 45 PID 1584 wrote to memory of 776 1584 68484.exe 45 PID 1584 wrote to memory of 776 1584 68484.exe 45 PID 1584 wrote to memory of 776 1584 68484.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\9650aa02e224a1de270acc5110913ffa5bf05584246ea8ca8b128a5d70d5f0b9N.exe"C:\Users\Admin\AppData\Local\Temp\9650aa02e224a1de270acc5110913ffa5bf05584246ea8ca8b128a5d70d5f0b9N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2808 -
\??\c:\pdppp.exec:\pdppp.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2912 -
\??\c:\008668.exec:\008668.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2792 -
\??\c:\q80648.exec:\q80648.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2920 -
\??\c:\7djpd.exec:\7djpd.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2704 -
\??\c:\pdjjj.exec:\pdjjj.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2672 -
\??\c:\680808.exec:\680808.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2476 -
\??\c:\xrllxxx.exec:\xrllxxx.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1720 -
\??\c:\7rxlrrx.exec:\7rxlrrx.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2500 -
\??\c:\82066.exec:\82066.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2756 -
\??\c:\4206602.exec:\4206602.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2272 -
\??\c:\tnnhnh.exec:\tnnhnh.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1368 -
\??\c:\rlfxrrr.exec:\rlfxrrr.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2880 -
\??\c:\5vjdd.exec:\5vjdd.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2836 -
\??\c:\4606600.exec:\4606600.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:380 -
\??\c:\68484.exec:\68484.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1584 -
\??\c:\08084.exec:\08084.exe17⤵
- Executes dropped EXE
PID:776 -
\??\c:\1bhnbt.exec:\1bhnbt.exe18⤵
- Executes dropped EXE
PID:2324 -
\??\c:\5flllrf.exec:\5flllrf.exe19⤵
- Executes dropped EXE
PID:2632 -
\??\c:\k86422.exec:\k86422.exe20⤵
- Executes dropped EXE
PID:2460 -
\??\c:\u244484.exec:\u244484.exe21⤵
- Executes dropped EXE
PID:1116 -
\??\c:\802288.exec:\802288.exe22⤵
- Executes dropped EXE
PID:284 -
\??\c:\0466224.exec:\0466224.exe23⤵
- Executes dropped EXE
PID:2052 -
\??\c:\xrxfflr.exec:\xrxfflr.exe24⤵
- Executes dropped EXE
PID:2556 -
\??\c:\vjvpp.exec:\vjvpp.exe25⤵
- Executes dropped EXE
PID:1484 -
\??\c:\dpvpv.exec:\dpvpv.exe26⤵
- Executes dropped EXE
PID:1276 -
\??\c:\5hnttt.exec:\5hnttt.exe27⤵
- Executes dropped EXE
PID:1648 -
\??\c:\thnbbt.exec:\thnbbt.exe28⤵
- Executes dropped EXE
PID:276 -
\??\c:\xlxfrrx.exec:\xlxfrrx.exe29⤵
- Executes dropped EXE
PID:1608 -
\??\c:\6066822.exec:\6066822.exe30⤵
- Executes dropped EXE
PID:352 -
\??\c:\0806884.exec:\0806884.exe31⤵
- Executes dropped EXE
PID:2456 -
\??\c:\46266.exec:\46266.exe32⤵
- Executes dropped EXE
PID:1448 -
\??\c:\hhnntn.exec:\hhnntn.exe33⤵
- Executes dropped EXE
PID:2808 -
\??\c:\9jdvj.exec:\9jdvj.exe34⤵
- Executes dropped EXE
PID:2916 -
\??\c:\424022.exec:\424022.exe35⤵
- Executes dropped EXE
PID:2948 -
\??\c:\26400.exec:\26400.exe36⤵
- Executes dropped EXE
PID:2792 -
\??\c:\6866840.exec:\6866840.exe37⤵
- Executes dropped EXE
PID:2996 -
\??\c:\k08400.exec:\k08400.exe38⤵
- Executes dropped EXE
PID:2852 -
\??\c:\46840.exec:\46840.exe39⤵
- Executes dropped EXE
PID:2736 -
\??\c:\4244826.exec:\4244826.exe40⤵
- Executes dropped EXE
PID:2544 -
\??\c:\thnbbb.exec:\thnbbb.exe41⤵
- Executes dropped EXE
PID:2712 -
\??\c:\i806668.exec:\i806668.exe42⤵
- Executes dropped EXE
PID:1588 -
\??\c:\m6480.exec:\m6480.exe43⤵
- Executes dropped EXE
PID:2624 -
\??\c:\dpddd.exec:\dpddd.exe44⤵
- Executes dropped EXE
PID:1580 -
\??\c:\8022262.exec:\8022262.exe45⤵
- Executes dropped EXE
PID:3056 -
\??\c:\64606.exec:\64606.exe46⤵
- Executes dropped EXE
PID:2092 -
\??\c:\nhbbbh.exec:\nhbbbh.exe47⤵
- Executes dropped EXE
PID:1372 -
\??\c:\86822.exec:\86822.exe48⤵
- Executes dropped EXE
PID:2844 -
\??\c:\q06686.exec:\q06686.exe49⤵
- Executes dropped EXE
PID:2984 -
\??\c:\xrlflrx.exec:\xrlflrx.exe50⤵
- Executes dropped EXE
PID:592 -
\??\c:\nnnhtn.exec:\nnnhtn.exe51⤵
- Executes dropped EXE
PID:604 -
\??\c:\1rfffff.exec:\1rfffff.exe52⤵
- Executes dropped EXE
PID:792 -
\??\c:\024844.exec:\024844.exe53⤵
- Executes dropped EXE
PID:2720 -
\??\c:\vpvvd.exec:\vpvvd.exe54⤵
- Executes dropped EXE
PID:2528 -
\??\c:\60422.exec:\60422.exe55⤵
- Executes dropped EXE
PID:1908 -
\??\c:\nbnnnn.exec:\nbnnnn.exe56⤵
- Executes dropped EXE
PID:1864 -
\??\c:\9djvv.exec:\9djvv.exe57⤵
- Executes dropped EXE
PID:2076 -
\??\c:\e20004.exec:\e20004.exe58⤵
- Executes dropped EXE
PID:2264 -
\??\c:\k60288.exec:\k60288.exe59⤵
- Executes dropped EXE
PID:1416 -
\??\c:\4226604.exec:\4226604.exe60⤵
- Executes dropped EXE
PID:1832 -
\??\c:\1rlrxfr.exec:\1rlrxfr.exe61⤵
- Executes dropped EXE
PID:1896 -
\??\c:\e42200.exec:\e42200.exe62⤵
- Executes dropped EXE
PID:2052 -
\??\c:\tnbbnn.exec:\tnbbnn.exe63⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2556 -
\??\c:\q46626.exec:\q46626.exe64⤵
- Executes dropped EXE
PID:1280 -
\??\c:\e40028.exec:\e40028.exe65⤵
- Executes dropped EXE
PID:1552 -
\??\c:\pdpdj.exec:\pdpdj.exe66⤵PID:1660
-
\??\c:\1htnbb.exec:\1htnbb.exe67⤵PID:568
-
\??\c:\42884.exec:\42884.exe68⤵
- System Location Discovery: System Language Discovery
PID:872 -
\??\c:\9nttbb.exec:\9nttbb.exe69⤵PID:640
-
\??\c:\lxfxxff.exec:\lxfxxff.exe70⤵PID:1852
-
\??\c:\268428.exec:\268428.exe71⤵PID:1912
-
\??\c:\q60006.exec:\q60006.exe72⤵PID:1216
-
\??\c:\nbthht.exec:\nbthht.exe73⤵PID:2856
-
\??\c:\dvjpp.exec:\dvjpp.exe74⤵PID:2384
-
\??\c:\8462644.exec:\8462644.exe75⤵PID:2808
-
\??\c:\vvjpd.exec:\vvjpd.exe76⤵PID:2916
-
\??\c:\02828.exec:\02828.exe77⤵PID:2668
-
\??\c:\42226.exec:\42226.exe78⤵PID:2960
-
\??\c:\606282.exec:\606282.exe79⤵PID:1868
-
\??\c:\a2846.exec:\a2846.exe80⤵PID:2796
-
\??\c:\8606406.exec:\8606406.exe81⤵PID:2676
-
\??\c:\82446.exec:\82446.exe82⤵PID:2096
-
\??\c:\nnnbbn.exec:\nnnbbn.exe83⤵PID:3036
-
\??\c:\vjddj.exec:\vjddj.exe84⤵PID:1720
-
\??\c:\lfxrlrl.exec:\lfxrlrl.exe85⤵PID:2164
-
\??\c:\fxlflxx.exec:\fxlflxx.exe86⤵PID:2756
-
\??\c:\s4664.exec:\s4664.exe87⤵PID:2572
-
\??\c:\7lrlfxx.exec:\7lrlfxx.exe88⤵PID:2876
-
\??\c:\u866662.exec:\u866662.exe89⤵PID:1368
-
\??\c:\thtbbh.exec:\thtbbh.exe90⤵PID:864
-
\??\c:\3thhnn.exec:\3thhnn.exe91⤵PID:2868
-
\??\c:\2240640.exec:\2240640.exe92⤵PID:2984
-
\??\c:\86446.exec:\86446.exe93⤵PID:600
-
\??\c:\flrllll.exec:\flrllll.exe94⤵PID:2292
-
\??\c:\jvddj.exec:\jvddj.exe95⤵PID:1556
-
\??\c:\42002.exec:\42002.exe96⤵PID:1716
-
\??\c:\5htthh.exec:\5htthh.exe97⤵PID:1100
-
\??\c:\3lxffxf.exec:\3lxffxf.exe98⤵PID:2324
-
\??\c:\08662.exec:\08662.exe99⤵PID:1924
-
\??\c:\5pvvp.exec:\5pvvp.exe100⤵PID:2424
-
\??\c:\062644.exec:\062644.exe101⤵PID:2408
-
\??\c:\9vjjv.exec:\9vjjv.exe102⤵PID:2036
-
\??\c:\nnbbbb.exec:\nnbbbb.exe103⤵PID:1096
-
\??\c:\2000606.exec:\2000606.exe104⤵PID:1844
-
\??\c:\8684662.exec:\8684662.exe105⤵PID:284
-
\??\c:\420282.exec:\420282.exe106⤵PID:1288
-
\??\c:\42406.exec:\42406.exe107⤵PID:784
-
\??\c:\60228.exec:\60228.exe108⤵PID:2420
-
\??\c:\lxrrffr.exec:\lxrrffr.exe109⤵PID:948
-
\??\c:\2022880.exec:\2022880.exe110⤵PID:624
-
\??\c:\42446.exec:\42446.exe111⤵PID:2020
-
\??\c:\rlrxxfr.exec:\rlrxxfr.exe112⤵PID:1020
-
\??\c:\9lllrxx.exec:\9lllrxx.exe113⤵PID:2120
-
\??\c:\282484.exec:\282484.exe114⤵PID:2200
-
\??\c:\pdvdj.exec:\pdvdj.exe115⤵PID:2284
-
\??\c:\6440006.exec:\6440006.exe116⤵PID:912
-
\??\c:\20262.exec:\20262.exe117⤵PID:2812
-
\??\c:\3frrflr.exec:\3frrflr.exe118⤵PID:2316
-
\??\c:\42620.exec:\42620.exe119⤵PID:2784
-
\??\c:\86888.exec:\86888.exe120⤵PID:2688
-
\??\c:\42262.exec:\42262.exe121⤵PID:2696
-
\??\c:\6022446.exec:\6022446.exe122⤵PID:2112