Analysis
-
max time kernel
120s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64 arch:x86 image:win7-20241010-en locale:en-us os:windows7-x64 system -
submitted
26-12-2024 06:18
Static task
static1
1 signature
Behavioral task
behavioral1
Sample
5230e5a9806148932ed518eabe4d57c7073f312f8b051f5dfb32faf148e44855.exe
Resource
win7-20241010-en
windows7-x64
7 signatures
120 seconds
General
-
Target
5230e5a9806148932ed518eabe4d57c7073f312f8b051f5dfb32faf148e44855.exe
-
Size
454KB
-
MD5
f484a319108eca7ca1710eca7f592c02
-
SHA1
f0fbb191a4c381ac71ab372f64a47e93a118b917
-
SHA256
5230e5a9806148932ed518eabe4d57c7073f312f8b051f5dfb32faf148e44855
-
SHA512
8e040a478bc96482d3196f9273d70677b20408b4176e052bd2bfee45de655eb8851993f5d086f3831a98696ac77b7fd39822f355be3d5e917df14206c164018b
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe3:q7Tc2NYHUrAwfMp3CD3
Malware Config
Signatures
-
Blackmoon family
-
Detects Blackmoon payload (47 IoCs; YARA rule family_blackmoon matched on in-memory regions of the dropped processes)
resource yara_rule behavioral1/memory/2100-1-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2888-26-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2152-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2848-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2940-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2720-51-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2720-53-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2692-68-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1992-84-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/1992-89-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/1992-81-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2864-78-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2164-109-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/332-120-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2516-130-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/872-139-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1924-150-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1924-148-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/856-159-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2272-182-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2272-187-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2660-205-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1640-214-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1600-252-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1884-270-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/324-280-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/324-282-0x00000000003D0000-0x00000000003FA000-memory.dmp family_blackmoon behavioral1/memory/1028-291-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1980-295-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/2828-330-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2548-344-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2860-351-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1968-393-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2112-446-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/856-447-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1708-466-0x00000000003D0000-0x00000000003FA000-memory.dmp family_blackmoon behavioral1/memory/1424-474-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1172-500-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2636-524-0x0000000000430000-0x000000000045A000-memory.dmp family_blackmoon behavioral1/memory/1028-546-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2840-630-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2768-644-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2372-703-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1752-725-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/820-738-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1172-782-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1736-801-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2152 jjpjp.exe 2888 jjdjp.exe 2848 48662.exe 2940 q64448.exe 2720 42402.exe 2692 0806624.exe 2864 2464640.exe 1992 8622828.exe 2792 nnntth.exe 2164 rlxflrf.exe 332 m0880.exe 2516 u644088.exe 872 080448.exe 1924 9llfxrl.exe 856 868466.exe 2384 lxflllf.exe 1468 484400.exe 2272 2082440.exe 1860 08408.exe 2660 042840.exe 1640 hbhbbt.exe 1908 1rfxfxx.exe 1496 u688040.exe 1720 64286.exe 1600 q04440.exe 1028 6460606.exe 1884 800404.exe 324 664288.exe 1448 w64084.exe 1980 jjvvd.exe 2144 7vdjj.exe 1552 dvdvd.exe 2948 ffrxlrr.exe 2828 0806268.exe 2848 00644.exe 2548 424400.exe 2860 nhhnth.exe 2868 7ffflfr.exe 2700 bthhtt.exe 2360 nbhhhb.exe 2292 7bhbbb.exe 2080 pppdv.exe 1968 nnntht.exe 932 02446.exe 704 0426880.exe 2680 xrffrrf.exe 2336 c040268.exe 2112 04808.exe 2596 7jvvd.exe 1948 420206.exe 688 3pjjv.exe 856 dvjpv.exe 1808 0446284.exe 1708 6886220.exe 2188 jvjjv.exe 1424 3hthtt.exe 1732 pjvjp.exe 2588 04680.exe 1172 06840.exe 1584 m4240.exe 728 82868.exe 1736 m8802.exe 2636 xrllxxr.exe 972 vvpdd.exe -
resource yara_rule behavioral1/memory/2100-1-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2888-26-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2152-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2940-38-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2848-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2940-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2720-51-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2692-59-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2692-68-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2792-91-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1992-81-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2864-78-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2164-109-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/332-120-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2516-130-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/872-139-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1924-150-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2384-161-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/856-159-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1468-169-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2272-187-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2660-205-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1640-214-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1028-253-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/1600-252-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1884-270-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/324-280-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2828-323-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2828-330-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2548-337-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2548-344-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2868-352-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2860-351-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1968-393-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/856-447-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1424-474-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1172-500-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2640-533-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1756-559-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2056-566-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2056-573-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2688-623-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2840-630-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2768-644-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1752-725-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/820-738-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/1860-757-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1172-782-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/1736-801-0x0000000000220000-0x000000000024A000-memory.dmp upx -
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempts to gather information about the system language of the victim host — here by opening the \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language key — in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlflrrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e04026.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0844448.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbnnnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language s8680.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9rlfrxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6024286.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7flrxfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvdvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4824624.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jddpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9lxrrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 264406.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 042068.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2100 wrote to memory of 2152 2100 5230e5a9806148932ed518eabe4d57c7073f312f8b051f5dfb32faf148e44855.exe 30 PID 2100 wrote to memory of 2152 2100 5230e5a9806148932ed518eabe4d57c7073f312f8b051f5dfb32faf148e44855.exe 30 PID 2100 wrote to memory of 2152 2100 5230e5a9806148932ed518eabe4d57c7073f312f8b051f5dfb32faf148e44855.exe 30 PID 2100 wrote to memory of 2152 2100 5230e5a9806148932ed518eabe4d57c7073f312f8b051f5dfb32faf148e44855.exe 30 PID 2152 wrote to memory of 2888 2152 jjpjp.exe 31 PID 2152 wrote to memory of 2888 2152 jjpjp.exe 31 PID 2152 wrote to memory of 2888 2152 jjpjp.exe 31 PID 2152 wrote to memory of 2888 2152 jjpjp.exe 31 PID 2888 wrote to memory of 2848 2888 jjdjp.exe 32 PID 2888 wrote to memory of 2848 2888 jjdjp.exe 32 PID 2888 wrote to memory of 2848 2888 jjdjp.exe 32 PID 2888 wrote to memory of 2848 2888 jjdjp.exe 32 PID 2848 wrote to memory of 2940 2848 48662.exe 33 PID 2848 wrote to memory of 2940 2848 48662.exe 33 PID 2848 wrote to memory of 2940 2848 48662.exe 33 PID 2848 wrote to memory of 2940 2848 48662.exe 33 PID 2940 wrote to memory of 2720 2940 q64448.exe 34 PID 2940 wrote to memory of 2720 2940 q64448.exe 34 PID 2940 wrote to memory of 2720 2940 q64448.exe 34 PID 2940 wrote to memory of 2720 2940 q64448.exe 34 PID 2720 wrote to memory of 2692 2720 42402.exe 35 PID 2720 wrote to memory of 2692 2720 42402.exe 35 PID 2720 wrote to memory of 2692 2720 42402.exe 35 PID 2720 wrote to memory of 2692 2720 42402.exe 35 PID 2692 wrote to memory of 2864 2692 0806624.exe 36 PID 2692 wrote to memory of 2864 2692 0806624.exe 36 PID 2692 wrote to memory of 2864 2692 0806624.exe 36 PID 2692 wrote to memory of 2864 2692 0806624.exe 36 PID 2864 wrote to memory of 1992 2864 2464640.exe 37 PID 2864 wrote to memory of 1992 2864 2464640.exe 37 PID 2864 wrote to memory of 1992 2864 2464640.exe 37 PID 2864 wrote to memory of 1992 2864 2464640.exe 37 PID 1992 wrote to memory of 2792 1992 8622828.exe 38 PID 1992 wrote to 
memory of 2792 1992 8622828.exe 38 PID 1992 wrote to memory of 2792 1992 8622828.exe 38 PID 1992 wrote to memory of 2792 1992 8622828.exe 38 PID 2792 wrote to memory of 2164 2792 nnntth.exe 39 PID 2792 wrote to memory of 2164 2792 nnntth.exe 39 PID 2792 wrote to memory of 2164 2792 nnntth.exe 39 PID 2792 wrote to memory of 2164 2792 nnntth.exe 39 PID 2164 wrote to memory of 332 2164 rlxflrf.exe 40 PID 2164 wrote to memory of 332 2164 rlxflrf.exe 40 PID 2164 wrote to memory of 332 2164 rlxflrf.exe 40 PID 2164 wrote to memory of 332 2164 rlxflrf.exe 40 PID 332 wrote to memory of 2516 332 m0880.exe 41 PID 332 wrote to memory of 2516 332 m0880.exe 41 PID 332 wrote to memory of 2516 332 m0880.exe 41 PID 332 wrote to memory of 2516 332 m0880.exe 41 PID 2516 wrote to memory of 872 2516 u644088.exe 42 PID 2516 wrote to memory of 872 2516 u644088.exe 42 PID 2516 wrote to memory of 872 2516 u644088.exe 42 PID 2516 wrote to memory of 872 2516 u644088.exe 42 PID 872 wrote to memory of 1924 872 080448.exe 43 PID 872 wrote to memory of 1924 872 080448.exe 43 PID 872 wrote to memory of 1924 872 080448.exe 43 PID 872 wrote to memory of 1924 872 080448.exe 43 PID 1924 wrote to memory of 856 1924 9llfxrl.exe 44 PID 1924 wrote to memory of 856 1924 9llfxrl.exe 44 PID 1924 wrote to memory of 856 1924 9llfxrl.exe 44 PID 1924 wrote to memory of 856 1924 9llfxrl.exe 44 PID 856 wrote to memory of 2384 856 868466.exe 45 PID 856 wrote to memory of 2384 856 868466.exe 45 PID 856 wrote to memory of 2384 856 868466.exe 45 PID 856 wrote to memory of 2384 856 868466.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\5230e5a9806148932ed518eabe4d57c7073f312f8b051f5dfb32faf148e44855.exe"C:\Users\Admin\AppData\Local\Temp\5230e5a9806148932ed518eabe4d57c7073f312f8b051f5dfb32faf148e44855.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2100 -
\??\c:\jjpjp.exec:\jjpjp.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2152 -
\??\c:\jjdjp.exec:\jjdjp.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2888 -
\??\c:\48662.exec:\48662.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2848 -
\??\c:\q64448.exec:\q64448.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2940 -
\??\c:\42402.exec:\42402.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2720 -
\??\c:\0806624.exec:\0806624.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2692 -
\??\c:\2464640.exec:\2464640.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2864 -
\??\c:\8622828.exec:\8622828.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1992 -
\??\c:\nnntth.exec:\nnntth.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2792 -
\??\c:\rlxflrf.exec:\rlxflrf.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2164 -
\??\c:\m0880.exec:\m0880.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:332 -
\??\c:\u644088.exec:\u644088.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2516 -
\??\c:\080448.exec:\080448.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:872 -
\??\c:\9llfxrl.exec:\9llfxrl.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1924 -
\??\c:\868466.exec:\868466.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:856 -
\??\c:\lxflllf.exec:\lxflllf.exe17⤵
- Executes dropped EXE
PID:2384 -
\??\c:\484400.exec:\484400.exe18⤵
- Executes dropped EXE
PID:1468 -
\??\c:\2082440.exec:\2082440.exe19⤵
- Executes dropped EXE
PID:2272 -
\??\c:\08408.exec:\08408.exe20⤵
- Executes dropped EXE
PID:1860 -
\??\c:\042840.exec:\042840.exe21⤵
- Executes dropped EXE
PID:2660 -
\??\c:\hbhbbt.exec:\hbhbbt.exe22⤵
- Executes dropped EXE
PID:1640 -
\??\c:\1rfxfxx.exec:\1rfxfxx.exe23⤵
- Executes dropped EXE
PID:1908 -
\??\c:\u688040.exec:\u688040.exe24⤵
- Executes dropped EXE
PID:1496 -
\??\c:\64286.exec:\64286.exe25⤵
- Executes dropped EXE
PID:1720 -
\??\c:\q04440.exec:\q04440.exe26⤵
- Executes dropped EXE
PID:1600 -
\??\c:\6460606.exec:\6460606.exe27⤵
- Executes dropped EXE
PID:1028 -
\??\c:\800404.exec:\800404.exe28⤵
- Executes dropped EXE
PID:1884 -
\??\c:\664288.exec:\664288.exe29⤵
- Executes dropped EXE
PID:324 -
\??\c:\w64084.exec:\w64084.exe30⤵
- Executes dropped EXE
PID:1448 -
\??\c:\jjvvd.exec:\jjvvd.exe31⤵
- Executes dropped EXE
PID:1980 -
\??\c:\7vdjj.exec:\7vdjj.exe32⤵
- Executes dropped EXE
PID:2144 -
\??\c:\dvdvd.exec:\dvdvd.exe33⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1552 -
\??\c:\ffrxlrr.exec:\ffrxlrr.exe34⤵
- Executes dropped EXE
PID:2948 -
\??\c:\0806268.exec:\0806268.exe35⤵
- Executes dropped EXE
PID:2828 -
\??\c:\00644.exec:\00644.exe36⤵
- Executes dropped EXE
PID:2848 -
\??\c:\424400.exec:\424400.exe37⤵
- Executes dropped EXE
PID:2548 -
\??\c:\nhhnth.exec:\nhhnth.exe38⤵
- Executes dropped EXE
PID:2860 -
\??\c:\7ffflfr.exec:\7ffflfr.exe39⤵
- Executes dropped EXE
PID:2868 -
\??\c:\bthhtt.exec:\bthhtt.exe40⤵
- Executes dropped EXE
PID:2700 -
\??\c:\nbhhhb.exec:\nbhhhb.exe41⤵
- Executes dropped EXE
PID:2360 -
\??\c:\7bhbbb.exec:\7bhbbb.exe42⤵
- Executes dropped EXE
PID:2292 -
\??\c:\pppdv.exec:\pppdv.exe43⤵
- Executes dropped EXE
PID:2080 -
\??\c:\nnntht.exec:\nnntht.exe44⤵
- Executes dropped EXE
PID:1968 -
\??\c:\02446.exec:\02446.exe45⤵
- Executes dropped EXE
PID:932 -
\??\c:\0426880.exec:\0426880.exe46⤵
- Executes dropped EXE
PID:704 -
\??\c:\xrffrrf.exec:\xrffrrf.exe47⤵
- Executes dropped EXE
PID:2680 -
\??\c:\c040268.exec:\c040268.exe48⤵
- Executes dropped EXE
PID:2336 -
\??\c:\04808.exec:\04808.exe49⤵
- Executes dropped EXE
PID:2112 -
\??\c:\7jvvd.exec:\7jvvd.exe50⤵
- Executes dropped EXE
PID:2596 -
\??\c:\420206.exec:\420206.exe51⤵
- Executes dropped EXE
PID:1948 -
\??\c:\3pjjv.exec:\3pjjv.exe52⤵
- Executes dropped EXE
PID:688 -
\??\c:\dvjpv.exec:\dvjpv.exe53⤵
- Executes dropped EXE
PID:856 -
\??\c:\0446284.exec:\0446284.exe54⤵
- Executes dropped EXE
PID:1808 -
\??\c:\6886220.exec:\6886220.exe55⤵
- Executes dropped EXE
PID:1708 -
\??\c:\jvjjv.exec:\jvjjv.exe56⤵
- Executes dropped EXE
PID:2188 -
\??\c:\3hthtt.exec:\3hthtt.exe57⤵
- Executes dropped EXE
PID:1424 -
\??\c:\pjvjp.exec:\pjvjp.exe58⤵
- Executes dropped EXE
PID:1732 -
\??\c:\04680.exec:\04680.exe59⤵
- Executes dropped EXE
PID:2588 -
\??\c:\06840.exec:\06840.exe60⤵
- Executes dropped EXE
PID:1172 -
\??\c:\m4240.exec:\m4240.exe61⤵
- Executes dropped EXE
PID:1584 -
\??\c:\82868.exec:\82868.exe62⤵
- Executes dropped EXE
PID:728 -
\??\c:\m8802.exec:\m8802.exe63⤵
- Executes dropped EXE
PID:1736 -
\??\c:\xrllxxr.exec:\xrllxxr.exe64⤵
- Executes dropped EXE
PID:2636 -
\??\c:\vvpdd.exec:\vvpdd.exe65⤵
- Executes dropped EXE
PID:972 -
\??\c:\u868602.exec:\u868602.exe66⤵PID:2640
-
\??\c:\42628.exec:\42628.exe67⤵PID:1028
-
\??\c:\vdvvj.exec:\vdvvj.exe68⤵PID:2316
-
\??\c:\7llxlrf.exec:\7llxlrf.exe69⤵PID:1692
-
\??\c:\m4868.exec:\m4868.exe70⤵PID:1756
-
\??\c:\26808.exec:\26808.exe71⤵PID:2056
-
\??\c:\8228886.exec:\8228886.exe72⤵PID:2568
-
\??\c:\604406.exec:\604406.exe73⤵PID:2152
-
\??\c:\9tbbnh.exec:\9tbbnh.exe74⤵PID:1696
-
\??\c:\826640.exec:\826640.exe75⤵PID:2944
-
\??\c:\vpddd.exec:\vpddd.exe76⤵PID:2912
-
\??\c:\6682828.exec:\6682828.exe77⤵PID:2840
-
\??\c:\48682.exec:\48682.exe78⤵PID:2824
-
\??\c:\dpdjp.exec:\dpdjp.exe79⤵PID:2940
-
\??\c:\4200002.exec:\4200002.exe80⤵PID:2688
-
\??\c:\g0606.exec:\g0606.exe81⤵PID:2708
-
\??\c:\48024.exec:\48024.exe82⤵PID:2768
-
\??\c:\9lxxlrx.exec:\9lxxlrx.exe83⤵PID:2700
-
\??\c:\1dppv.exec:\1dppv.exe84⤵PID:2064
-
\??\c:\rrlxxlr.exec:\rrlxxlr.exe85⤵PID:2292
-
\??\c:\q48400.exec:\q48400.exe86⤵PID:2328
-
\??\c:\hhbnbh.exec:\hhbnbh.exe87⤵PID:2324
-
\??\c:\a6842.exec:\a6842.exe88⤵PID:932
-
\??\c:\0284044.exec:\0284044.exe89⤵PID:2972
-
\??\c:\1pvdp.exec:\1pvdp.exe90⤵PID:2764
-
\??\c:\3dpjj.exec:\3dpjj.exe91⤵PID:1460
-
\??\c:\5rlrllr.exec:\5rlrllr.exe92⤵PID:2372
-
\??\c:\xrflfll.exec:\xrflfll.exe93⤵PID:1256
-
\??\c:\pjvpd.exec:\pjvpd.exe94⤵PID:1092
-
\??\c:\0206060.exec:\0206060.exe95⤵PID:1752
-
\??\c:\0866828.exec:\0866828.exe96⤵PID:2440
-
\??\c:\nbtttn.exec:\nbtttn.exe97⤵PID:820
-
\??\c:\xrfrxxf.exec:\xrfrxxf.exe98⤵PID:2672
-
\??\c:\7tbtbt.exec:\7tbtbt.exe99⤵PID:2272
-
\??\c:\thnnbt.exec:\thnnbt.exe100⤵PID:1532
-
\??\c:\08222.exec:\08222.exe101⤵PID:1860
-
\??\c:\btnhnh.exec:\btnhnh.exe102⤵PID:2460
-
\??\c:\ppjvv.exec:\ppjvv.exe103⤵PID:2588
-
\??\c:\2622288.exec:\2622288.exe104⤵PID:1172
-
\??\c:\20824.exec:\20824.exe105⤵PID:1088
-
\??\c:\08688.exec:\08688.exe106⤵PID:1972
-
\??\c:\644882.exec:\644882.exe107⤵PID:1736
-
\??\c:\20266.exec:\20266.exe108⤵PID:468
-
\??\c:\9jvdj.exec:\9jvdj.exe109⤵PID:972
-
\??\c:\64684.exec:\64684.exe110⤵PID:1716
-
\??\c:\202604.exec:\202604.exe111⤵PID:2628
-
\??\c:\pjvvj.exec:\pjvvj.exe112⤵PID:1760
-
\??\c:\424060.exec:\424060.exe113⤵PID:988
-
\??\c:\1vdjp.exec:\1vdjp.exe114⤵PID:904
-
\??\c:\q44066.exec:\q44066.exe115⤵PID:1980
-
\??\c:\0800668.exec:\0800668.exe116⤵PID:2240
-
\??\c:\ffrlrlx.exec:\ffrlrlx.exe117⤵PID:2916
-
\??\c:\262466.exec:\262466.exe118⤵PID:2892
-
\??\c:\08668.exec:\08668.exe119⤵PID:2108
-
\??\c:\080000.exec:\080000.exe120⤵PID:2908
-
\??\c:\pdddd.exec:\pdddd.exe121⤵PID:2192
-
\??\c:\3rxxfxx.exec:\3rxxfxx.exe122⤵PID:2956