Analysis
-
max time kernel
120s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20241023-en -
resource tags
arch:x64 arch:x86 image:win7-20241023-en locale:en-us os:windows7-x64 system -
submitted
26-12-2024 04:49
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
2001530ceb7b77293eede8b85937e917665ca0986e6b39836c238572aa5d8827N.exe
Resource
win7-20241023-en
7 signatures
120 seconds
General
-
Target
2001530ceb7b77293eede8b85937e917665ca0986e6b39836c238572aa5d8827N.exe
-
Size
453KB
-
MD5
6f20589f4843e015d6d80577f17ff0c0
-
SHA1
e39ae26d46178ac49234197e472f5d452e2c43ae
-
SHA256
2001530ceb7b77293eede8b85937e917665ca0986e6b39836c238572aa5d8827
-
SHA512
e3bb0e74c57e93722f81d81bed0a8a54099e3627d3794dab67e41ff985dcd6baf7a2e45fbcf0bf34aa56f41afe60d9a6749aeba83295652e98bcfedf2eab1565
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeS:q7Tc2NYHUrAwfMp3CDS
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 53 IoCs
resource yara_rule behavioral1/memory/2348-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2324-8-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2064-26-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2064-28-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2340-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1840-56-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1272-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2900-74-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2968-100-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1648-108-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2684-113-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/2684-120-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2684-118-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/2860-128-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1292-138-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1216-146-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3004-180-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1624-191-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1792-199-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1460-207-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/664-225-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/1744-230-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/1744-235-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/1824-245-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2508-261-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/572-271-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/980-274-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2404-293-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1740-290-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1520-320-0x0000000000340000-0x000000000036A000-memory.dmp family_blackmoon behavioral1/memory/1520-318-0x0000000000340000-0x000000000036A000-memory.dmp family_blackmoon behavioral1/memory/2252-321-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2420-336-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2884-359-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2876-360-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/536-373-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2744-405-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2804-419-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2800-461-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2128-489-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/1148-514-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/3040-521-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/288-553-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1476-560-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2264-579-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2076-714-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2704-887-0x0000000001C70000-0x0000000001C9A000-memory.dmp family_blackmoon behavioral1/memory/2052-900-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/2704-908-0x0000000001C70000-0x0000000001C9A000-memory.dmp family_blackmoon behavioral1/memory/2900-927-0x0000000001C50000-0x0000000001C7A000-memory.dmp family_blackmoon behavioral1/memory/3064-1190-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1272-1203-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1376-1347-0x00000000002C0000-0x00000000002EA000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2348 48662.exe 2064 xrflrrl.exe 2340 a4408.exe 1412 7xllrxx.exe 1840 fffxffl.exe 1272 jdpdd.exe 2900 2028006.exe 2756 2640228.exe 2932 xlxlxxf.exe 2968 8822446.exe 1648 pppdj.exe 2684 a6280.exe 2860 ddvdj.exe 1292 xrrxllr.exe 1216 64662.exe 2056 1frffff.exe 1764 42406.exe 1792 s8844.exe 3004 7jddd.exe 1240 8682484.exe 1624 vvvdp.exe 1460 5bnntt.exe 2160 lfxfrrf.exe 664 04224.exe 1744 jjdpd.exe 1824 20888.exe 1756 82608.exe 2508 8206400.exe 572 5rrxllr.exe 980 xrrxlrf.exe 1740 e26244.exe 2404 4828606.exe 1588 lffflrl.exe 1892 lrlrlfl.exe 1520 48024.exe 2252 486688.exe 2552 q60244.exe 2420 ddpvj.exe 2368 4208068.exe 2780 8262006.exe 2884 60402.exe 2876 88064.exe 536 1xxxxxl.exe 2924 6088440.exe 2796 8868020.exe 2644 hbttnb.exe 2736 jjjjv.exe 2744 8644006.exe 2684 08664.exe 2804 442466.exe 2692 bhbthh.exe 2076 5ppjv.exe 1216 m6486.exe 2852 w26284.exe 1964 82468.exe 1796 6022228.exe 2800 04864.exe 3028 2646840.exe 2576 8644662.exe 1240 9nbbhh.exe 2128 006642.exe 1460 s6400.exe 1124 864620.exe 1604 tbthbb.exe -
resource yara_rule behavioral1/memory/2348-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2324-8-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2064-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2340-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1840-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1840-56-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1272-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2900-74-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2968-100-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1648-108-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2684-120-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2860-128-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1216-146-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3004-180-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1624-191-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1460-207-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1744-226-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/664-225-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1824-245-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2508-261-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/572-271-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/980-274-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2404-293-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1740-290-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/1520-318-0x0000000000340000-0x000000000036A000-memory.dmp upx behavioral1/memory/2252-321-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2884-359-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2876-360-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/536-373-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2744-398-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2744-405-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2804-412-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2804-419-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3040-521-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1476-560-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2264-579-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1144-613-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2112-651-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2908-658-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2076-714-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1964-727-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/780-782-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2052-874-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2944-907-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2356-978-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1236-997-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1724-1079-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/288-1104-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/3064-1190-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2940-1204-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/1272-1203-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2692-1267-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1560-1280-0x00000000003A0000-0x00000000003CA000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tntthh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjvdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8666224.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6080224.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language u800062.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 268806.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1xlfflr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language q48022.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language k26240.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not 
Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language m8280.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7lffxxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 648022.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 60062.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 26408.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2324 wrote to memory of 2348 2324 2001530ceb7b77293eede8b85937e917665ca0986e6b39836c238572aa5d8827N.exe 30 PID 2324 wrote to memory of 2348 2324 2001530ceb7b77293eede8b85937e917665ca0986e6b39836c238572aa5d8827N.exe 30 PID 2324 wrote to memory of 2348 2324 2001530ceb7b77293eede8b85937e917665ca0986e6b39836c238572aa5d8827N.exe 30 PID 2324 wrote to memory of 2348 2324 2001530ceb7b77293eede8b85937e917665ca0986e6b39836c238572aa5d8827N.exe 30 PID 2348 wrote to memory of 2064 2348 48662.exe 31 PID 2348 wrote to memory of 2064 2348 48662.exe 31 PID 2348 wrote to memory of 2064 2348 48662.exe 31 PID 2348 wrote to memory of 2064 2348 48662.exe 31 PID 2064 wrote to memory of 2340 2064 xrflrrl.exe 32 PID 2064 wrote to memory of 2340 2064 xrflrrl.exe 32 PID 2064 wrote to memory of 2340 2064 xrflrrl.exe 32 PID 2064 wrote to memory of 2340 2064 xrflrrl.exe 32 PID 2340 wrote to memory of 1412 2340 a4408.exe 33 PID 2340 wrote to memory of 1412 2340 a4408.exe 33 PID 2340 wrote to memory of 1412 2340 a4408.exe 33 PID 2340 wrote to memory of 1412 2340 a4408.exe 33 PID 1412 wrote to memory of 1840 1412 7xllrxx.exe 34 PID 1412 wrote to memory of 1840 1412 7xllrxx.exe 34 PID 1412 wrote to memory of 1840 1412 7xllrxx.exe 34 PID 1412 wrote to memory of 1840 1412 7xllrxx.exe 34 PID 1840 wrote to memory of 1272 1840 fffxffl.exe 35 PID 1840 wrote to memory of 1272 1840 fffxffl.exe 35 PID 1840 wrote to memory of 1272 1840 fffxffl.exe 35 PID 1840 wrote to memory of 1272 1840 fffxffl.exe 35 PID 1272 wrote to memory of 2900 1272 jdpdd.exe 36 PID 1272 wrote to memory of 2900 1272 jdpdd.exe 36 PID 1272 wrote to memory of 2900 1272 jdpdd.exe 36 PID 1272 wrote to memory of 2900 1272 jdpdd.exe 36 PID 2900 wrote to memory of 2756 2900 2028006.exe 37 PID 2900 wrote to memory of 2756 2900 2028006.exe 37 PID 2900 wrote to memory of 2756 2900 2028006.exe 37 PID 2900 wrote to memory of 2756 2900 2028006.exe 37 PID 2756 wrote to memory of 2932 2756 2640228.exe 38 PID 
2756 wrote to memory of 2932 2756 2640228.exe 38 PID 2756 wrote to memory of 2932 2756 2640228.exe 38 PID 2756 wrote to memory of 2932 2756 2640228.exe 38 PID 2932 wrote to memory of 2968 2932 xlxlxxf.exe 39 PID 2932 wrote to memory of 2968 2932 xlxlxxf.exe 39 PID 2932 wrote to memory of 2968 2932 xlxlxxf.exe 39 PID 2932 wrote to memory of 2968 2932 xlxlxxf.exe 39 PID 2968 wrote to memory of 1648 2968 8822446.exe 40 PID 2968 wrote to memory of 1648 2968 8822446.exe 40 PID 2968 wrote to memory of 1648 2968 8822446.exe 40 PID 2968 wrote to memory of 1648 2968 8822446.exe 40 PID 1648 wrote to memory of 2684 1648 pppdj.exe 41 PID 1648 wrote to memory of 2684 1648 pppdj.exe 41 PID 1648 wrote to memory of 2684 1648 pppdj.exe 41 PID 1648 wrote to memory of 2684 1648 pppdj.exe 41 PID 2684 wrote to memory of 2860 2684 a6280.exe 42 PID 2684 wrote to memory of 2860 2684 a6280.exe 42 PID 2684 wrote to memory of 2860 2684 a6280.exe 42 PID 2684 wrote to memory of 2860 2684 a6280.exe 42 PID 2860 wrote to memory of 1292 2860 ddvdj.exe 43 PID 2860 wrote to memory of 1292 2860 ddvdj.exe 43 PID 2860 wrote to memory of 1292 2860 ddvdj.exe 43 PID 2860 wrote to memory of 1292 2860 ddvdj.exe 43 PID 1292 wrote to memory of 1216 1292 xrrxllr.exe 44 PID 1292 wrote to memory of 1216 1292 xrrxllr.exe 44 PID 1292 wrote to memory of 1216 1292 xrrxllr.exe 44 PID 1292 wrote to memory of 1216 1292 xrrxllr.exe 44 PID 1216 wrote to memory of 2056 1216 64662.exe 45 PID 1216 wrote to memory of 2056 1216 64662.exe 45 PID 1216 wrote to memory of 2056 1216 64662.exe 45 PID 1216 wrote to memory of 2056 1216 64662.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\2001530ceb7b77293eede8b85937e917665ca0986e6b39836c238572aa5d8827N.exe"C:\Users\Admin\AppData\Local\Temp\2001530ceb7b77293eede8b85937e917665ca0986e6b39836c238572aa5d8827N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2324 -
\??\c:\48662.exec:\48662.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2348 -
\??\c:\xrflrrl.exec:\xrflrrl.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2064 -
\??\c:\a4408.exec:\a4408.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2340 -
\??\c:\7xllrxx.exec:\7xllrxx.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1412 -
\??\c:\fffxffl.exec:\fffxffl.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1840 -
\??\c:\jdpdd.exec:\jdpdd.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1272 -
\??\c:\2028006.exec:\2028006.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2900 -
\??\c:\2640228.exec:\2640228.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2756 -
\??\c:\xlxlxxf.exec:\xlxlxxf.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2932 -
\??\c:\8822446.exec:\8822446.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2968 -
\??\c:\pppdj.exec:\pppdj.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1648 -
\??\c:\a6280.exec:\a6280.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2684 -
\??\c:\ddvdj.exec:\ddvdj.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2860 -
\??\c:\xrrxllr.exec:\xrrxllr.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1292 -
\??\c:\64662.exec:\64662.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1216 -
\??\c:\1frffff.exec:\1frffff.exe17⤵
- Executes dropped EXE
PID:2056 -
\??\c:\42406.exec:\42406.exe18⤵
- Executes dropped EXE
PID:1764 -
\??\c:\s8844.exec:\s8844.exe19⤵
- Executes dropped EXE
PID:1792 -
\??\c:\7jddd.exec:\7jddd.exe20⤵
- Executes dropped EXE
PID:3004 -
\??\c:\8682484.exec:\8682484.exe21⤵
- Executes dropped EXE
PID:1240 -
\??\c:\vvvdp.exec:\vvvdp.exe22⤵
- Executes dropped EXE
PID:1624 -
\??\c:\5bnntt.exec:\5bnntt.exe23⤵
- Executes dropped EXE
PID:1460 -
\??\c:\lfxfrrf.exec:\lfxfrrf.exe24⤵
- Executes dropped EXE
PID:2160 -
\??\c:\04224.exec:\04224.exe25⤵
- Executes dropped EXE
PID:664 -
\??\c:\jjdpd.exec:\jjdpd.exe26⤵
- Executes dropped EXE
PID:1744 -
\??\c:\20888.exec:\20888.exe27⤵
- Executes dropped EXE
PID:1824 -
\??\c:\82608.exec:\82608.exe28⤵
- Executes dropped EXE
PID:1756 -
\??\c:\8206400.exec:\8206400.exe29⤵
- Executes dropped EXE
PID:2508 -
\??\c:\5rrxllr.exec:\5rrxllr.exe30⤵
- Executes dropped EXE
PID:572 -
\??\c:\xrrxlrf.exec:\xrrxlrf.exe31⤵
- Executes dropped EXE
PID:980 -
\??\c:\e26244.exec:\e26244.exe32⤵
- Executes dropped EXE
PID:1740 -
\??\c:\4828606.exec:\4828606.exe33⤵
- Executes dropped EXE
PID:2404 -
\??\c:\lffflrl.exec:\lffflrl.exe34⤵
- Executes dropped EXE
PID:1588 -
\??\c:\lrlrlfl.exec:\lrlrlfl.exe35⤵
- Executes dropped EXE
PID:1892 -
\??\c:\48024.exec:\48024.exe36⤵
- Executes dropped EXE
PID:1520 -
\??\c:\486688.exec:\486688.exe37⤵
- Executes dropped EXE
PID:2252 -
\??\c:\q60244.exec:\q60244.exe38⤵
- Executes dropped EXE
PID:2552 -
\??\c:\ddpvj.exec:\ddpvj.exe39⤵
- Executes dropped EXE
PID:2420 -
\??\c:\4208068.exec:\4208068.exe40⤵
- Executes dropped EXE
PID:2368 -
\??\c:\8262006.exec:\8262006.exe41⤵
- Executes dropped EXE
PID:2780 -
\??\c:\60402.exec:\60402.exe42⤵
- Executes dropped EXE
PID:2884 -
\??\c:\88064.exec:\88064.exe43⤵
- Executes dropped EXE
PID:2876 -
\??\c:\1xxxxxl.exec:\1xxxxxl.exe44⤵
- Executes dropped EXE
PID:536 -
\??\c:\6088440.exec:\6088440.exe45⤵
- Executes dropped EXE
PID:2924 -
\??\c:\8868020.exec:\8868020.exe46⤵
- Executes dropped EXE
PID:2796 -
\??\c:\hbttnb.exec:\hbttnb.exe47⤵
- Executes dropped EXE
PID:2644 -
\??\c:\jjjjv.exec:\jjjjv.exe48⤵
- Executes dropped EXE
PID:2736 -
\??\c:\8644006.exec:\8644006.exe49⤵
- Executes dropped EXE
PID:2744 -
\??\c:\08664.exec:\08664.exe50⤵
- Executes dropped EXE
PID:2684 -
\??\c:\442466.exec:\442466.exe51⤵
- Executes dropped EXE
PID:2804 -
\??\c:\bhbthh.exec:\bhbthh.exe52⤵
- Executes dropped EXE
PID:2692 -
\??\c:\5ppjv.exec:\5ppjv.exe53⤵
- Executes dropped EXE
PID:2076 -
\??\c:\m6486.exec:\m6486.exe54⤵
- Executes dropped EXE
PID:1216 -
\??\c:\w26284.exec:\w26284.exe55⤵
- Executes dropped EXE
PID:2852 -
\??\c:\82468.exec:\82468.exe56⤵
- Executes dropped EXE
PID:1964 -
\??\c:\6022228.exec:\6022228.exe57⤵
- Executes dropped EXE
PID:1796 -
\??\c:\04864.exec:\04864.exe58⤵
- Executes dropped EXE
PID:2800 -
\??\c:\2646840.exec:\2646840.exe59⤵
- Executes dropped EXE
PID:3028 -
\??\c:\8644662.exec:\8644662.exe60⤵
- Executes dropped EXE
PID:2576 -
\??\c:\9nbbhh.exec:\9nbbhh.exe61⤵
- Executes dropped EXE
PID:1240 -
\??\c:\006642.exec:\006642.exe62⤵
- Executes dropped EXE
PID:2128 -
\??\c:\s6400.exec:\s6400.exe63⤵
- Executes dropped EXE
PID:1460 -
\??\c:\864620.exec:\864620.exe64⤵
- Executes dropped EXE
PID:1124 -
\??\c:\tbthbb.exec:\tbthbb.exe65⤵
- Executes dropped EXE
PID:1604 -
\??\c:\6480886.exec:\6480886.exe66⤵PID:1148
-
\??\c:\82402.exec:\82402.exe67⤵PID:3040
-
\??\c:\nbbhnb.exec:\nbbhnb.exe68⤵PID:1836
-
\??\c:\9djdj.exec:\9djdj.exe69⤵PID:1824
-
\??\c:\dvvvj.exec:\dvvvj.exe70⤵PID:1544
-
\??\c:\k60684.exec:\k60684.exe71⤵PID:676
-
\??\c:\xxfrxxr.exec:\xxfrxxr.exe72⤵PID:288
-
\??\c:\hthtbb.exec:\hthtbb.exe73⤵PID:1476
-
\??\c:\vddvp.exec:\vddvp.exe74⤵PID:1120
-
\??\c:\rfrlxxf.exec:\rfrlxxf.exe75⤵PID:2184
-
\??\c:\tththn.exec:\tththn.exe76⤵PID:2264
-
\??\c:\604288.exec:\604288.exe77⤵PID:2324
-
\??\c:\3nbhnn.exec:\3nbhnn.exe78⤵PID:2072
-
\??\c:\48446.exec:\48446.exe79⤵PID:1516
-
\??\c:\264644.exec:\264644.exe80⤵PID:2348
-
\??\c:\pjvvd.exec:\pjvvd.exe81⤵PID:292
-
\??\c:\fxxlrxr.exec:\fxxlrxr.exe82⤵PID:2588
-
\??\c:\0422880.exec:\0422880.exe83⤵PID:1144
-
\??\c:\5hbhnh.exec:\5hbhnh.exe84⤵PID:2472
-
\??\c:\xrfllrl.exec:\xrfllrl.exe85⤵PID:2880
-
\??\c:\82680.exec:\82680.exe86⤵PID:2732
-
\??\c:\04284.exec:\04284.exe87⤵PID:2772
-
\??\c:\6042402.exec:\6042402.exe88⤵PID:2748
-
\??\c:\0844066.exec:\0844066.exe89⤵PID:2112
-
\??\c:\0462846.exec:\0462846.exe90⤵PID:2908
-
\??\c:\86846.exec:\86846.exe91⤵PID:2632
-
\??\c:\680206.exec:\680206.exe92⤵PID:2676
-
\??\c:\pjddd.exec:\pjddd.exe93⤵PID:2668
-
\??\c:\dvjpv.exec:\dvjpv.exe94⤵PID:2440
-
\??\c:\686688.exec:\686688.exe95⤵PID:268
-
\??\c:\jdpvp.exec:\jdpvp.exe96⤵PID:2804
-
\??\c:\xlffllx.exec:\xlffllx.exe97⤵PID:2692
-
\??\c:\042284.exec:\042284.exe98⤵PID:2076
-
\??\c:\48068.exec:\48068.exe99⤵PID:1696
-
\??\c:\nttbht.exec:\nttbht.exe100⤵PID:1416
-
\??\c:\llfrfff.exec:\llfrfff.exe101⤵PID:1964
-
\??\c:\08802.exec:\08802.exe102⤵PID:2988
-
\??\c:\vjvdj.exec:\vjvdj.exe103⤵PID:548
-
\??\c:\xlxxxrx.exec:\xlxxxrx.exe104⤵PID:2132
-
\??\c:\xxxxlfr.exec:\xxxxlfr.exe105⤵PID:2136
-
\??\c:\fxrrrrx.exec:\fxrrrrx.exe106⤵PID:1240
-
\??\c:\i046884.exec:\i046884.exe107⤵PID:852
-
\??\c:\642466.exec:\642466.exe108⤵PID:2240
-
\??\c:\9dvvv.exec:\9dvvv.exe109⤵PID:1376
-
\??\c:\080082.exec:\080082.exe110⤵PID:780
-
\??\c:\vpdjp.exec:\vpdjp.exe111⤵PID:2400
-
\??\c:\e80466.exec:\e80466.exe112⤵PID:984
-
\??\c:\608860.exec:\608860.exe113⤵PID:2196
-
\??\c:\8606880.exec:\8606880.exe114⤵PID:856
-
\??\c:\2040284.exec:\2040284.exe115⤵PID:1572
-
\??\c:\bthnbh.exec:\bthnbh.exe116⤵PID:1932
-
\??\c:\lfrlrfl.exec:\lfrlrfl.exe117⤵PID:1284
-
\??\c:\1ddpv.exec:\1ddpv.exe118⤵PID:1492
-
\??\c:\8640628.exec:\8640628.exe119⤵PID:2116
-
\??\c:\u084046.exec:\u084046.exe120⤵PID:2236
-
\??\c:\xfxrfxf.exec:\xfxrfxf.exe121⤵PID:2336
-
\??\c:\820240.exec:\820240.exe122⤵PID:2524