Analysis
-
max time kernel
120s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64 arch:x86 image:win7-20240708-en locale:en-us os:windows7-x64 system -
submitted
26-12-2024 03:30
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
09982311d633254ffcce1d2ead0c3a8ccb9996ed68bab809709c3fc1426a5961.exe
Resource
win7-20240708-en
windows7-x64
7 signatures
120 seconds
General
-
Target
09982311d633254ffcce1d2ead0c3a8ccb9996ed68bab809709c3fc1426a5961.exe
-
Size
454KB
-
MD5
2f3a01ad714bac2112883cc808dc26b9
-
SHA1
4e4629b8df749a9b5d74aef0d5c4c7d25dc2d227
-
SHA256
09982311d633254ffcce1d2ead0c3a8ccb9996ed68bab809709c3fc1426a5961
-
SHA512
6b2e5c47ffb0cd2c1ec8b32cd9193e869826f83f1cf29ee71da008508f24a627042e270c64c16c43a2224ece4cfc2d9ee3043e9358e96012782b4ec628a71732
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeu:q7Tc2NYHUrAwfMp3CDu
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 51 IoCs
resource yara_rule behavioral1/memory/1312-1-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1312-8-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1720-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2176-27-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2796-41-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2560-38-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2924-59-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2240-57-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2764-77-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2764-75-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2732-86-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2640-96-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2608-105-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1624-115-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1400-124-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1656-135-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1616-144-0x0000000000260000-0x000000000028A000-memory.dmp family_blackmoon behavioral1/memory/1616-143-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1792-155-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1608-164-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1616-173-0x0000000000260000-0x000000000028A000-memory.dmp family_blackmoon 
behavioral1/memory/2916-181-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2916-183-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/556-202-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2012-219-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1316-246-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2408-281-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2176-321-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2148-320-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2176-329-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2084-343-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2084-344-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2856-358-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2860-364-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2740-373-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2684-400-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1268-419-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1268-420-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1792-449-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2912-469-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/2220-482-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1216-512-0x0000000001C70000-0x0000000001C9A000-memory.dmp family_blackmoon 
behavioral1/memory/1640-533-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/1896-542-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/2460-559-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2356-605-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1980-611-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2928-644-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2592-790-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/1216-795-0x0000000000430000-0x000000000045A000-memory.dmp family_blackmoon behavioral1/memory/940-808-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1720 fflxrxl.exe 2176 fxxrxfr.exe 2560 c206468.exe 2796 264022.exe 2240 w46062.exe 2924 w48804.exe 2764 a8000.exe 2732 0822068.exe 2640 5rfrrrx.exe 2608 1lrlxfl.exe 1624 s4840.exe 1400 602206.exe 1656 vpjvp.exe 1616 m8822.exe 1792 82008.exe 1608 1httth.exe 1804 20228.exe 2916 nbhbtt.exe 2976 8248828.exe 556 fxfxfxf.exe 1752 s8884.exe 2012 w42862.exe 664 5lxrlfl.exe 1704 400422.exe 1316 dvvvd.exe 1324 868288.exe 2580 vjvvd.exe 1236 o888008.exe 2408 lllrfll.exe 1996 9fllrlr.exe 308 hbtbhh.exe 2280 24840.exe 1580 jvpvj.exe 2148 424026.exe 2176 frfxxrx.exe 2088 28082.exe 2084 68062.exe 2844 c206640.exe 2856 pvvpd.exe 2860 jvpjj.exe 2740 420400.exe 2636 lfxxrll.exe 2728 btnnbh.exe 2640 c066822.exe 2684 jdpdj.exe 2676 bhhtnb.exe 1712 86402.exe 1268 808844.exe 1772 bthnbb.exe 2428 rflrrfx.exe 340 82402.exe 1792 0200448.exe 1604 86406.exe 1736 djvjj.exe 2912 g8008.exe 2292 a2060.exe 2220 lfxfrrf.exe 396 nbnnnn.exe 660 tnhthh.exe 324 6806268.exe 1020 820622.exe 1216 6622262.exe 664 hbttbh.exe 1704 8646220.exe -
resource yara_rule behavioral1/memory/1720-10-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1312-8-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1720-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2560-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2176-27-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2796-41-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2560-38-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2924-59-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2240-57-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2764-77-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2764-75-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2732-86-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2640-96-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2608-105-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1400-116-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1624-115-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1400-124-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1656-135-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1616-143-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1792-155-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1608-164-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2916-183-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/556-202-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2012-219-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/1704-229-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1316-246-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1236-265-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2408-281-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2176-321-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2084-336-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2084-344-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2856-352-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2740-373-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2684-393-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2684-400-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1268-419-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1772-421-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/340-435-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1792-449-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1604-450-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2220-482-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1020-501-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1216-512-0x0000000001C70000-0x0000000001C9A000-memory.dmp upx behavioral1/memory/2460-559-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2356-605-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2088-613-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2928-644-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1712-688-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/1260-701-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2232-775-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2340-865-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1428-878-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2672-964-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1044-989-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1280-1056-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4644604.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language w42840.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8684680.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 226284.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thtttn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 48282.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language m4228.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 08628.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7jpjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not 
Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c868664.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7djjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrlxrxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfxxxxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language g2400.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffrrxfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5flfrfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 420400.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dddjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbnnhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 46484.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 802066.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhhtnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 422844.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1jvvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1312 wrote to memory of 1720 1312 09982311d633254ffcce1d2ead0c3a8ccb9996ed68bab809709c3fc1426a5961.exe 30 PID 1312 wrote to memory of 1720 1312 09982311d633254ffcce1d2ead0c3a8ccb9996ed68bab809709c3fc1426a5961.exe 30 PID 1312 wrote to memory of 1720 1312 09982311d633254ffcce1d2ead0c3a8ccb9996ed68bab809709c3fc1426a5961.exe 30 PID 1312 wrote to memory of 1720 1312 09982311d633254ffcce1d2ead0c3a8ccb9996ed68bab809709c3fc1426a5961.exe 30 PID 1720 wrote to memory of 2176 1720 fflxrxl.exe 31 PID 1720 wrote to memory of 2176 1720 fflxrxl.exe 31 PID 1720 wrote to memory of 2176 1720 fflxrxl.exe 31 PID 1720 wrote to memory of 2176 1720 fflxrxl.exe 31 PID 2176 wrote to memory of 2560 2176 fxxrxfr.exe 32 PID 2176 wrote to memory of 2560 2176 fxxrxfr.exe 32 PID 2176 wrote to memory of 2560 2176 fxxrxfr.exe 32 PID 2176 wrote to memory of 2560 2176 fxxrxfr.exe 32 PID 2560 wrote to memory of 2796 2560 c206468.exe 33 PID 2560 wrote to memory of 2796 2560 c206468.exe 33 PID 2560 wrote to memory of 2796 2560 c206468.exe 33 PID 2560 wrote to memory of 2796 2560 c206468.exe 33 PID 2796 wrote to memory of 2240 2796 264022.exe 34 PID 2796 wrote to memory of 2240 2796 264022.exe 34 PID 2796 wrote to memory of 2240 2796 264022.exe 34 PID 2796 wrote to memory of 2240 2796 264022.exe 34 PID 2240 wrote to memory of 2924 2240 w46062.exe 35 PID 2240 wrote to memory of 2924 2240 w46062.exe 35 PID 2240 wrote to memory of 2924 2240 w46062.exe 35 PID 2240 wrote to memory of 2924 2240 w46062.exe 35 PID 2924 wrote to memory of 2764 2924 w48804.exe 36 PID 2924 wrote to memory of 2764 2924 w48804.exe 36 PID 2924 wrote to memory of 2764 2924 w48804.exe 36 PID 2924 wrote to memory of 2764 2924 w48804.exe 36 PID 2764 wrote to memory of 2732 2764 a8000.exe 37 PID 2764 wrote to memory of 2732 2764 a8000.exe 37 PID 2764 wrote to memory of 2732 2764 a8000.exe 37 PID 2764 wrote to memory of 2732 2764 a8000.exe 37 PID 2732 wrote to memory of 2640 2732 0822068.exe 38 PID 
2732 wrote to memory of 2640 2732 0822068.exe 38 PID 2732 wrote to memory of 2640 2732 0822068.exe 38 PID 2732 wrote to memory of 2640 2732 0822068.exe 38 PID 2640 wrote to memory of 2608 2640 5rfrrrx.exe 39 PID 2640 wrote to memory of 2608 2640 5rfrrrx.exe 39 PID 2640 wrote to memory of 2608 2640 5rfrrrx.exe 39 PID 2640 wrote to memory of 2608 2640 5rfrrrx.exe 39 PID 2608 wrote to memory of 1624 2608 1lrlxfl.exe 40 PID 2608 wrote to memory of 1624 2608 1lrlxfl.exe 40 PID 2608 wrote to memory of 1624 2608 1lrlxfl.exe 40 PID 2608 wrote to memory of 1624 2608 1lrlxfl.exe 40 PID 1624 wrote to memory of 1400 1624 s4840.exe 41 PID 1624 wrote to memory of 1400 1624 s4840.exe 41 PID 1624 wrote to memory of 1400 1624 s4840.exe 41 PID 1624 wrote to memory of 1400 1624 s4840.exe 41 PID 1400 wrote to memory of 1656 1400 602206.exe 42 PID 1400 wrote to memory of 1656 1400 602206.exe 42 PID 1400 wrote to memory of 1656 1400 602206.exe 42 PID 1400 wrote to memory of 1656 1400 602206.exe 42 PID 1656 wrote to memory of 1616 1656 vpjvp.exe 43 PID 1656 wrote to memory of 1616 1656 vpjvp.exe 43 PID 1656 wrote to memory of 1616 1656 vpjvp.exe 43 PID 1656 wrote to memory of 1616 1656 vpjvp.exe 43 PID 1616 wrote to memory of 1792 1616 m8822.exe 44 PID 1616 wrote to memory of 1792 1616 m8822.exe 44 PID 1616 wrote to memory of 1792 1616 m8822.exe 44 PID 1616 wrote to memory of 1792 1616 m8822.exe 44 PID 1792 wrote to memory of 1608 1792 82008.exe 45 PID 1792 wrote to memory of 1608 1792 82008.exe 45 PID 1792 wrote to memory of 1608 1792 82008.exe 45 PID 1792 wrote to memory of 1608 1792 82008.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\09982311d633254ffcce1d2ead0c3a8ccb9996ed68bab809709c3fc1426a5961.exe"C:\Users\Admin\AppData\Local\Temp\09982311d633254ffcce1d2ead0c3a8ccb9996ed68bab809709c3fc1426a5961.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1312 -
\??\c:\fflxrxl.exec:\fflxrxl.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1720 -
\??\c:\fxxrxfr.exec:\fxxrxfr.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2176 -
\??\c:\c206468.exec:\c206468.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2560 -
\??\c:\264022.exec:\264022.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2796 -
\??\c:\w46062.exec:\w46062.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2240 -
\??\c:\w48804.exec:\w48804.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2924 -
\??\c:\a8000.exec:\a8000.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2764 -
\??\c:\0822068.exec:\0822068.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2732 -
\??\c:\5rfrrrx.exec:\5rfrrrx.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2640 -
\??\c:\1lrlxfl.exec:\1lrlxfl.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2608 -
\??\c:\s4840.exec:\s4840.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1624 -
\??\c:\602206.exec:\602206.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1400 -
\??\c:\vpjvp.exec:\vpjvp.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1656 -
\??\c:\m8822.exec:\m8822.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1616 -
\??\c:\82008.exec:\82008.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1792 -
\??\c:\1httth.exec:\1httth.exe17⤵
- Executes dropped EXE
PID:1608 -
\??\c:\20228.exec:\20228.exe18⤵
- Executes dropped EXE
PID:1804 -
\??\c:\nbhbtt.exec:\nbhbtt.exe19⤵
- Executes dropped EXE
PID:2916 -
\??\c:\8248828.exec:\8248828.exe20⤵
- Executes dropped EXE
PID:2976 -
\??\c:\fxfxfxf.exec:\fxfxfxf.exe21⤵
- Executes dropped EXE
PID:556 -
\??\c:\s8884.exec:\s8884.exe22⤵
- Executes dropped EXE
PID:1752 -
\??\c:\w42862.exec:\w42862.exe23⤵
- Executes dropped EXE
PID:2012 -
\??\c:\5lxrlfl.exec:\5lxrlfl.exe24⤵
- Executes dropped EXE
PID:664 -
\??\c:\400422.exec:\400422.exe25⤵
- Executes dropped EXE
PID:1704 -
\??\c:\dvvvd.exec:\dvvvd.exe26⤵
- Executes dropped EXE
PID:1316 -
\??\c:\868288.exec:\868288.exe27⤵
- Executes dropped EXE
PID:1324 -
\??\c:\vjvvd.exec:\vjvvd.exe28⤵
- Executes dropped EXE
PID:2580 -
\??\c:\o888008.exec:\o888008.exe29⤵
- Executes dropped EXE
PID:1236 -
\??\c:\lllrfll.exec:\lllrfll.exe30⤵
- Executes dropped EXE
PID:2408 -
\??\c:\9fllrlr.exec:\9fllrlr.exe31⤵
- Executes dropped EXE
PID:1996 -
\??\c:\hbtbhh.exec:\hbtbhh.exe32⤵
- Executes dropped EXE
PID:308 -
\??\c:\24840.exec:\24840.exe33⤵
- Executes dropped EXE
PID:2280 -
\??\c:\jvpvj.exec:\jvpvj.exe34⤵
- Executes dropped EXE
PID:1580 -
\??\c:\424026.exec:\424026.exe35⤵
- Executes dropped EXE
PID:2148 -
\??\c:\frfxxrx.exec:\frfxxrx.exe36⤵
- Executes dropped EXE
PID:2176 -
\??\c:\28082.exec:\28082.exe37⤵
- Executes dropped EXE
PID:2088 -
\??\c:\68062.exec:\68062.exe38⤵
- Executes dropped EXE
PID:2084 -
\??\c:\c206640.exec:\c206640.exe39⤵
- Executes dropped EXE
PID:2844 -
\??\c:\pvvpd.exec:\pvvpd.exe40⤵
- Executes dropped EXE
PID:2856 -
\??\c:\jvpjj.exec:\jvpjj.exe41⤵
- Executes dropped EXE
PID:2860 -
\??\c:\420400.exec:\420400.exe42⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2740 -
\??\c:\lfxxrll.exec:\lfxxrll.exe43⤵
- Executes dropped EXE
PID:2636 -
\??\c:\btnnbh.exec:\btnnbh.exe44⤵
- Executes dropped EXE
PID:2728 -
\??\c:\c066822.exec:\c066822.exe45⤵
- Executes dropped EXE
PID:2640 -
\??\c:\jdpdj.exec:\jdpdj.exe46⤵
- Executes dropped EXE
PID:2684 -
\??\c:\bhhtnb.exec:\bhhtnb.exe47⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2676 -
\??\c:\86402.exec:\86402.exe48⤵
- Executes dropped EXE
PID:1712 -
\??\c:\808844.exec:\808844.exe49⤵
- Executes dropped EXE
PID:1268 -
\??\c:\bthnbb.exec:\bthnbb.exe50⤵
- Executes dropped EXE
PID:1772 -
\??\c:\rflrrfx.exec:\rflrrfx.exe51⤵
- Executes dropped EXE
PID:2428 -
\??\c:\82402.exec:\82402.exe52⤵
- Executes dropped EXE
PID:340 -
\??\c:\0200448.exec:\0200448.exe53⤵
- Executes dropped EXE
PID:1792 -
\??\c:\86406.exec:\86406.exe54⤵
- Executes dropped EXE
PID:1604 -
\??\c:\djvjj.exec:\djvjj.exe55⤵
- Executes dropped EXE
PID:1736 -
\??\c:\g8008.exec:\g8008.exe56⤵
- Executes dropped EXE
PID:2912 -
\??\c:\a2060.exec:\a2060.exe57⤵
- Executes dropped EXE
PID:2292 -
\??\c:\lfxfrrf.exec:\lfxfrrf.exe58⤵
- Executes dropped EXE
PID:2220 -
\??\c:\nbnnnn.exec:\nbnnnn.exe59⤵
- Executes dropped EXE
PID:396 -
\??\c:\tnhthh.exec:\tnhthh.exe60⤵
- Executes dropped EXE
PID:660 -
\??\c:\6806268.exec:\6806268.exe61⤵
- Executes dropped EXE
PID:324 -
\??\c:\820622.exec:\820622.exe62⤵
- Executes dropped EXE
PID:1020 -
\??\c:\6622262.exec:\6622262.exe63⤵
- Executes dropped EXE
PID:1216 -
\??\c:\hbttbh.exec:\hbttbh.exe64⤵
- Executes dropped EXE
PID:664 -
\??\c:\8646220.exec:\8646220.exe65⤵
- Executes dropped EXE
PID:1704 -
\??\c:\8262662.exec:\8262662.exe66⤵PID:1640
-
\??\c:\xrfrrrr.exec:\xrfrrrr.exe67⤵PID:2480
-
\??\c:\26880.exec:\26880.exe68⤵PID:1896
-
\??\c:\rfrllfl.exec:\rfrllfl.exe69⤵PID:1700
-
\??\c:\i080228.exec:\i080228.exe70⤵PID:2460
-
\??\c:\6422846.exec:\6422846.exe71⤵PID:2456
-
\??\c:\26466.exec:\26466.exe72⤵PID:1620
-
\??\c:\flxrxrx.exec:\flxrxrx.exe73⤵PID:2140
-
\??\c:\a8224.exec:\a8224.exe74⤵PID:2204
-
\??\c:\64224.exec:\64224.exe75⤵PID:2096
-
\??\c:\0866284.exec:\0866284.exe76⤵PID:2156
-
\??\c:\42400.exec:\42400.exe77⤵PID:3068
-
\??\c:\q44022.exec:\q44022.exe78⤵PID:2356
-
\??\c:\086060.exec:\086060.exe79⤵PID:1980
-
\??\c:\42844.exec:\42844.exe80⤵PID:2088
-
\??\c:\3pvpj.exec:\3pvpj.exe81⤵PID:1912
-
\??\c:\082800.exec:\082800.exe82⤵PID:2448
-
\??\c:\86068.exec:\86068.exe83⤵PID:2500
-
\??\c:\ttntbh.exec:\ttntbh.exe84⤵PID:2928
-
\??\c:\e84046.exec:\e84046.exe85⤵PID:2648
-
\??\c:\2046442.exec:\2046442.exe86⤵PID:2980
-
\??\c:\7lxrxxf.exec:\7lxrxxf.exe87⤵PID:2752
-
\??\c:\k22244.exec:\k22244.exe88⤵PID:1716
-
\??\c:\o040628.exec:\o040628.exe89⤵PID:2656
-
\??\c:\xrxxfxf.exec:\xrxxfxf.exe90⤵PID:2584
-
\??\c:\3xlrxxl.exec:\3xlrxxl.exe91⤵PID:2284
-
\??\c:\jdddd.exec:\jdddd.exe92⤵PID:1712
-
\??\c:\fxllxxl.exec:\fxllxxl.exe93⤵PID:2432
-
\??\c:\42468.exec:\42468.exe94⤵PID:1260
-
\??\c:\ttnnhn.exec:\ttnnhn.exe95⤵PID:1272
-
\??\c:\422844.exec:\422844.exe96⤵
- System Location Discovery: System Language Discovery
PID:1952 -
\??\c:\5rfxffl.exec:\5rfxffl.exe97⤵PID:1560
-
\??\c:\vpvdp.exec:\vpvdp.exe98⤵PID:1040
-
\??\c:\1rrxrrf.exec:\1rrxrrf.exe99⤵PID:2892
-
\??\c:\g4288.exec:\g4288.exe100⤵PID:2956
-
\??\c:\6468062.exec:\6468062.exe101⤵PID:2896
-
\??\c:\5pvvv.exec:\5pvvv.exe102⤵PID:2716
-
\??\c:\608462.exec:\608462.exe103⤵PID:1812
-
\??\c:\0826662.exec:\0826662.exe104⤵PID:2592
-
\??\c:\6644046.exec:\6644046.exe105⤵PID:660
-
\??\c:\xrflrrf.exec:\xrflrrf.exe106⤵PID:2232
-
\??\c:\bbttbb.exec:\bbttbb.exe107⤵PID:1768
-
\??\c:\28684.exec:\28684.exe108⤵PID:1216
-
\??\c:\btnthh.exec:\btnthh.exe109⤵PID:892
-
\??\c:\42062.exec:\42062.exe110⤵PID:940
-
\??\c:\3vpvv.exec:\3vpvv.exe111⤵PID:1324
-
\??\c:\frffrrx.exec:\frffrrx.exe112⤵PID:1688
-
\??\c:\nhbhtt.exec:\nhbhtt.exe113⤵PID:2552
-
\??\c:\hbnnhn.exec:\hbnnhn.exe114⤵PID:904
-
\??\c:\6020228.exec:\6020228.exe115⤵PID:2476
-
\??\c:\fxllrxl.exec:\fxllrxl.exe116⤵PID:1304
-
\??\c:\9rlxrxf.exec:\9rlxrxf.exe117⤵PID:2540
-
\??\c:\226284.exec:\226284.exe118⤵
- System Location Discovery: System Language Discovery
PID:2064 -
\??\c:\1pvpv.exec:\1pvpv.exe119⤵PID:1588
-
\??\c:\o202040.exec:\o202040.exe120⤵PID:2340
-
\??\c:\604062.exec:\604062.exe121⤵PID:2148
-
\??\c:\hbnnhn.exec:\hbnnhn.exe122⤵PID:1428