Analysis
-
max time kernel
120s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20241023-en -
resource tags
arch:x64 arch:x86 image:win7-20241023-en locale:en-us os:windows7-x64 system -
submitted
26-12-2024 08:58
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
9f0cfdb0bd2ce5f715dd291dd127297586b43ff90a031b7e26f5130a0592ba8fN.exe
Resource
win7-20241023-en
windows7-x64
7 signatures
120 seconds
General
-
Target
9f0cfdb0bd2ce5f715dd291dd127297586b43ff90a031b7e26f5130a0592ba8fN.exe
-
Size
456KB
-
MD5
f2ff4d878412cba135f0b9346cca90e0
-
SHA1
961b4089289df0a2b98eb7aefa709a0825c20846
-
SHA256
9f0cfdb0bd2ce5f715dd291dd127297586b43ff90a031b7e26f5130a0592ba8f
-
SHA512
b6e18de3bc648f25444b280fc09e9b042d946ef69792eaacbc84e09bb72d622b6d05fcf38a31c85c3c1466423881e2f059574c89576a5613a21419d1cef6220d
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeRC:q7Tc2NYHUrAwfMp3CDRC
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 43 IoCs
resource yara_rule behavioral1/memory/2504-0-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2740-20-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2820-16-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2264-28-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2924-38-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3044-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2860-56-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2652-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2340-74-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3036-92-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1844-127-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2904-144-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2044-153-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2984-135-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2812-117-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2240-100-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2548-82-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2324-163-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2436-182-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1244-178-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/612-199-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2096-214-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/540-231-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1680-274-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2472-264-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1976-291-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1592-298-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1424-318-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/1424-321-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2244-329-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2776-592-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2808-641-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2992-716-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2992-718-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/3000-982-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3000-981-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/1876-989-0x0000000000330000-0x000000000035A000-memory.dmp family_blackmoon behavioral1/memory/1028-996-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2168-1052-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/920-1119-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2780-1139-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2624-1225-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon 
behavioral1/memory/2028-1342-0x00000000003D0000-0x00000000003FA000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2820 5vpvj.exe 2740 8684264.exe 2264 86802.exe 2924 jjdjv.exe 3044 rflrxrx.exe 2860 420688.exe 2652 s4684.exe 2340 xrflrxx.exe 2548 0800262.exe 3036 20482.exe 2240 pjdjv.exe 1264 42026.exe 2812 0424220.exe 1844 llrrffr.exe 2984 08064.exe 2904 e08404.exe 2044 k68260.exe 2324 xrfflfl.exe 1244 frxrrll.exe 2436 8668286.exe 692 6866262.exe 612 084060.exe 2096 o080224.exe 2944 w02244.exe 540 hthnhn.exe 1792 0206228.exe 1736 ttnhnt.exe 568 864602.exe 2472 9jdjp.exe 1680 7lflllr.exe 1620 1htnnn.exe 896 826022.exe 1976 vjvvd.exe 1592 llxrxxf.exe 2220 5nnnnn.exe 1424 nbtttb.exe 2244 jjjpp.exe 2924 e46804.exe 3044 04284.exe 2996 202222.exe 2672 w64644.exe 2216 m2440.exe 2644 5xfxxxl.exe 2032 268066.exe 1968 5bnnnt.exe 2476 jdvvd.exe 2012 rfxrxxl.exe 3040 jdjpd.exe 2968 2028846.exe 2320 hhtbtb.exe 2984 7nbttb.exe 2084 46020.exe 2904 2640224.exe 2992 826806.exe 376 xxllfxr.exe 2044 0420286.exe 2120 820680.exe 1388 bbbhnn.exe 1960 k60088.exe 2436 pdppv.exe 2164 6024680.exe 1656 s6408.exe 1852 c800662.exe 2004 2644668.exe -
resource yara_rule behavioral1/memory/2504-0-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2740-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2820-16-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2264-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2924-38-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3044-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2860-56-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2652-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2340-74-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3036-92-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1844-127-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2904-144-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2044-153-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2984-135-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2812-117-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2240-100-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2548-82-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2324-163-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2324-168-0x00000000003D0000-0x00000000003FA000-memory.dmp upx behavioral1/memory/2436-182-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1244-178-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/612-199-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2096-214-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/540-231-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/1680-274-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2472-264-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1976-291-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1592-298-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2220-306-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1424-318-0x00000000001B0000-0x00000000001DA000-memory.dmp upx behavioral1/memory/1424-321-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2244-322-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2244-329-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2476-381-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2320-406-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2004-491-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/956-530-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2776-592-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2808-641-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1860-679-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1340-769-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2504-842-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3068-880-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2940-968-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3000-982-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3000-981-0x00000000003C0000-0x00000000003EA000-memory.dmp upx behavioral1/memory/1028-996-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2016-1009-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/844-1022-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2168-1052-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/920-1119-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2232-1206-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3004-1250-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3028-1264-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/852-1328-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 86802.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 24604.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6024680.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1fllffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvvvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvjdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1dpjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdvvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfxrxfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3pjdj.exe 
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpdjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btnhhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbnntn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxlfrll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlffllr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 868400.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3dpdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language i244046.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0484668.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 20828.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2644668.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7nhntn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7vdvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rflllrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 04668.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2504 wrote to memory of 2820 2504 9f0cfdb0bd2ce5f715dd291dd127297586b43ff90a031b7e26f5130a0592ba8fN.exe 30 PID 2504 wrote to memory of 2820 2504 9f0cfdb0bd2ce5f715dd291dd127297586b43ff90a031b7e26f5130a0592ba8fN.exe 30 PID 2504 wrote to memory of 2820 2504 9f0cfdb0bd2ce5f715dd291dd127297586b43ff90a031b7e26f5130a0592ba8fN.exe 30 PID 2504 wrote to memory of 2820 2504 9f0cfdb0bd2ce5f715dd291dd127297586b43ff90a031b7e26f5130a0592ba8fN.exe 30 PID 2820 wrote to memory of 2740 2820 5vpvj.exe 31 PID 2820 wrote to memory of 2740 2820 5vpvj.exe 31 PID 2820 wrote to memory of 2740 2820 5vpvj.exe 31 PID 2820 wrote to memory of 2740 2820 5vpvj.exe 31 PID 2740 wrote to memory of 2264 2740 8684264.exe 32 PID 2740 wrote to memory of 2264 2740 8684264.exe 32 PID 2740 wrote to memory of 2264 2740 8684264.exe 32 PID 2740 wrote to memory of 2264 2740 8684264.exe 32 PID 2264 wrote to memory of 2924 2264 86802.exe 33 PID 2264 wrote to memory of 2924 2264 86802.exe 33 PID 2264 wrote to memory of 2924 2264 86802.exe 33 PID 2264 wrote to memory of 2924 2264 86802.exe 33 PID 2924 wrote to memory of 3044 2924 jjdjv.exe 34 PID 2924 wrote to memory of 3044 2924 jjdjv.exe 34 PID 2924 wrote to memory of 3044 2924 jjdjv.exe 34 PID 2924 wrote to memory of 3044 2924 jjdjv.exe 34 PID 3044 wrote to memory of 2860 3044 rflrxrx.exe 35 PID 3044 wrote to memory of 2860 3044 rflrxrx.exe 35 PID 3044 wrote to memory of 2860 3044 rflrxrx.exe 35 PID 3044 wrote to memory of 2860 3044 rflrxrx.exe 35 PID 2860 wrote to memory of 2652 2860 420688.exe 36 PID 2860 wrote to memory of 2652 2860 420688.exe 36 PID 2860 wrote to memory of 2652 2860 420688.exe 36 PID 2860 wrote to memory of 2652 2860 420688.exe 36 PID 2652 wrote to memory of 2340 2652 s4684.exe 37 PID 2652 wrote to memory of 2340 2652 s4684.exe 37 PID 2652 wrote to memory of 2340 2652 s4684.exe 37 PID 2652 wrote to memory of 2340 2652 s4684.exe 37 PID 2340 wrote to memory of 2548 2340 xrflrxx.exe 38 PID 2340 wrote 
to memory of 2548 2340 xrflrxx.exe 38 PID 2340 wrote to memory of 2548 2340 xrflrxx.exe 38 PID 2340 wrote to memory of 2548 2340 xrflrxx.exe 38 PID 2548 wrote to memory of 3036 2548 0800262.exe 39 PID 2548 wrote to memory of 3036 2548 0800262.exe 39 PID 2548 wrote to memory of 3036 2548 0800262.exe 39 PID 2548 wrote to memory of 3036 2548 0800262.exe 39 PID 3036 wrote to memory of 2240 3036 20482.exe 40 PID 3036 wrote to memory of 2240 3036 20482.exe 40 PID 3036 wrote to memory of 2240 3036 20482.exe 40 PID 3036 wrote to memory of 2240 3036 20482.exe 40 PID 2240 wrote to memory of 1264 2240 pjdjv.exe 41 PID 2240 wrote to memory of 1264 2240 pjdjv.exe 41 PID 2240 wrote to memory of 1264 2240 pjdjv.exe 41 PID 2240 wrote to memory of 1264 2240 pjdjv.exe 41 PID 1264 wrote to memory of 2812 1264 42026.exe 42 PID 1264 wrote to memory of 2812 1264 42026.exe 42 PID 1264 wrote to memory of 2812 1264 42026.exe 42 PID 1264 wrote to memory of 2812 1264 42026.exe 42 PID 2812 wrote to memory of 1844 2812 0424220.exe 43 PID 2812 wrote to memory of 1844 2812 0424220.exe 43 PID 2812 wrote to memory of 1844 2812 0424220.exe 43 PID 2812 wrote to memory of 1844 2812 0424220.exe 43 PID 1844 wrote to memory of 2984 1844 llrrffr.exe 44 PID 1844 wrote to memory of 2984 1844 llrrffr.exe 44 PID 1844 wrote to memory of 2984 1844 llrrffr.exe 44 PID 1844 wrote to memory of 2984 1844 llrrffr.exe 44 PID 2984 wrote to memory of 2904 2984 08064.exe 45 PID 2984 wrote to memory of 2904 2984 08064.exe 45 PID 2984 wrote to memory of 2904 2984 08064.exe 45 PID 2984 wrote to memory of 2904 2984 08064.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\9f0cfdb0bd2ce5f715dd291dd127297586b43ff90a031b7e26f5130a0592ba8fN.exe"C:\Users\Admin\AppData\Local\Temp\9f0cfdb0bd2ce5f715dd291dd127297586b43ff90a031b7e26f5130a0592ba8fN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2504 -
\??\c:\5vpvj.exec:\5vpvj.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2820 -
\??\c:\8684264.exec:\8684264.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2740 -
\??\c:\86802.exec:\86802.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2264 -
\??\c:\jjdjv.exec:\jjdjv.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2924 -
\??\c:\rflrxrx.exec:\rflrxrx.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3044 -
\??\c:\420688.exec:\420688.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2860 -
\??\c:\s4684.exec:\s4684.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2652 -
\??\c:\xrflrxx.exec:\xrflrxx.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2340 -
\??\c:\0800262.exec:\0800262.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2548 -
\??\c:\20482.exec:\20482.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3036 -
\??\c:\pjdjv.exec:\pjdjv.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2240 -
\??\c:\42026.exec:\42026.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1264 -
\??\c:\0424220.exec:\0424220.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2812 -
\??\c:\llrrffr.exec:\llrrffr.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1844 -
\??\c:\08064.exec:\08064.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2984 -
\??\c:\e08404.exec:\e08404.exe17⤵
- Executes dropped EXE
PID:2904 -
\??\c:\k68260.exec:\k68260.exe18⤵
- Executes dropped EXE
PID:2044 -
\??\c:\xrfflfl.exec:\xrfflfl.exe19⤵
- Executes dropped EXE
PID:2324 -
\??\c:\frxrrll.exec:\frxrrll.exe20⤵
- Executes dropped EXE
PID:1244 -
\??\c:\8668286.exec:\8668286.exe21⤵
- Executes dropped EXE
PID:2436 -
\??\c:\6866262.exec:\6866262.exe22⤵
- Executes dropped EXE
PID:692 -
\??\c:\084060.exec:\084060.exe23⤵
- Executes dropped EXE
PID:612 -
\??\c:\o080224.exec:\o080224.exe24⤵
- Executes dropped EXE
PID:2096 -
\??\c:\w02244.exec:\w02244.exe25⤵
- Executes dropped EXE
PID:2944 -
\??\c:\hthnhn.exec:\hthnhn.exe26⤵
- Executes dropped EXE
PID:540 -
\??\c:\0206228.exec:\0206228.exe27⤵
- Executes dropped EXE
PID:1792 -
\??\c:\ttnhnt.exec:\ttnhnt.exe28⤵
- Executes dropped EXE
PID:1736 -
\??\c:\864602.exec:\864602.exe29⤵
- Executes dropped EXE
PID:568 -
\??\c:\9jdjp.exec:\9jdjp.exe30⤵
- Executes dropped EXE
PID:2472 -
\??\c:\7lflllr.exec:\7lflllr.exe31⤵
- Executes dropped EXE
PID:1680 -
\??\c:\1htnnn.exec:\1htnnn.exe32⤵
- Executes dropped EXE
PID:1620 -
\??\c:\826022.exec:\826022.exe33⤵
- Executes dropped EXE
PID:896 -
\??\c:\vjvvd.exec:\vjvvd.exe34⤵
- Executes dropped EXE
PID:1976 -
\??\c:\llxrxxf.exec:\llxrxxf.exe35⤵
- Executes dropped EXE
PID:1592 -
\??\c:\5nnnnn.exec:\5nnnnn.exe36⤵
- Executes dropped EXE
PID:2220 -
\??\c:\nbtttb.exec:\nbtttb.exe37⤵
- Executes dropped EXE
PID:1424 -
\??\c:\jjjpp.exec:\jjjpp.exe38⤵
- Executes dropped EXE
PID:2244 -
\??\c:\e46804.exec:\e46804.exe39⤵
- Executes dropped EXE
PID:2924 -
\??\c:\04284.exec:\04284.exe40⤵
- Executes dropped EXE
PID:3044 -
\??\c:\202222.exec:\202222.exe41⤵
- Executes dropped EXE
PID:2996 -
\??\c:\w64644.exec:\w64644.exe42⤵
- Executes dropped EXE
PID:2672 -
\??\c:\m2440.exec:\m2440.exe43⤵
- Executes dropped EXE
PID:2216 -
\??\c:\5xfxxxl.exec:\5xfxxxl.exe44⤵
- Executes dropped EXE
PID:2644 -
\??\c:\268066.exec:\268066.exe45⤵
- Executes dropped EXE
PID:2032 -
\??\c:\5bnnnt.exec:\5bnnnt.exe46⤵
- Executes dropped EXE
PID:1968 -
\??\c:\jdvvd.exec:\jdvvd.exe47⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2476 -
\??\c:\rfxrxxl.exec:\rfxrxxl.exe48⤵
- Executes dropped EXE
PID:2012 -
\??\c:\jdjpd.exec:\jdjpd.exe49⤵
- Executes dropped EXE
PID:3040 -
\??\c:\2028846.exec:\2028846.exe50⤵
- Executes dropped EXE
PID:2968 -
\??\c:\hhtbtb.exec:\hhtbtb.exe51⤵
- Executes dropped EXE
PID:2320 -
\??\c:\7nbttb.exec:\7nbttb.exe52⤵
- Executes dropped EXE
PID:2984 -
\??\c:\46020.exec:\46020.exe53⤵
- Executes dropped EXE
PID:2084 -
\??\c:\2640224.exec:\2640224.exe54⤵
- Executes dropped EXE
PID:2904 -
\??\c:\826806.exec:\826806.exe55⤵
- Executes dropped EXE
PID:2992 -
\??\c:\xxllfxr.exec:\xxllfxr.exe56⤵
- Executes dropped EXE
PID:376 -
\??\c:\0420286.exec:\0420286.exe57⤵
- Executes dropped EXE
PID:2044 -
\??\c:\820680.exec:\820680.exe58⤵
- Executes dropped EXE
PID:2120 -
\??\c:\bbbhnn.exec:\bbbhnn.exe59⤵
- Executes dropped EXE
PID:1388 -
\??\c:\k60088.exec:\k60088.exe60⤵
- Executes dropped EXE
PID:1960 -
\??\c:\pdppv.exec:\pdppv.exe61⤵
- Executes dropped EXE
PID:2436 -
\??\c:\6024680.exec:\6024680.exe62⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2164 -
\??\c:\s6408.exec:\s6408.exe63⤵
- Executes dropped EXE
PID:1656 -
\??\c:\c800662.exec:\c800662.exe64⤵
- Executes dropped EXE
PID:1852 -
\??\c:\2644668.exec:\2644668.exe65⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2004 -
\??\c:\3xffflx.exec:\3xffflx.exe66⤵PID:1836
-
\??\c:\lfrxlrf.exec:\lfrxlrf.exe67⤵PID:1544
-
\??\c:\4200044.exec:\4200044.exe68⤵PID:540
-
\??\c:\pjddv.exec:\pjddv.exe69⤵PID:2308
-
\??\c:\m0402.exec:\m0402.exe70⤵PID:2128
-
\??\c:\48628.exec:\48628.exe71⤵PID:956
-
\??\c:\86442.exec:\86442.exe72⤵PID:1812
-
\??\c:\682824.exec:\682824.exe73⤵PID:996
-
\??\c:\pjvpv.exec:\pjvpv.exe74⤵PID:2360
-
\??\c:\8020248.exec:\8020248.exe75⤵PID:1720
-
\??\c:\608844.exec:\608844.exe76⤵PID:2504
-
\??\c:\86884.exec:\86884.exe77⤵PID:2928
-
\??\c:\xrflxxl.exec:\xrflxxl.exe78⤵PID:1652
-
\??\c:\1pppp.exec:\1pppp.exe79⤵PID:2784
-
\??\c:\lfllllr.exec:\lfllllr.exe80⤵PID:2760
-
\??\c:\hbnnnt.exec:\hbnnnt.exe81⤵PID:2776
-
\??\c:\20224.exec:\20224.exe82⤵PID:3068
-
\??\c:\20840.exec:\20840.exe83⤵PID:2664
-
\??\c:\dpddj.exec:\dpddj.exe84⤵PID:2092
-
\??\c:\60200.exec:\60200.exe85⤵PID:2680
-
\??\c:\48062.exec:\48062.exe86⤵PID:2936
-
\??\c:\3thnnn.exec:\3thnnn.exe87⤵PID:2668
-
\??\c:\dvpvj.exec:\dvpvj.exe88⤵PID:2216
-
\??\c:\5nbbnn.exec:\5nbbnn.exe89⤵PID:2808
-
\??\c:\9jdjp.exec:\9jdjp.exe90⤵PID:2032
-
\??\c:\82064.exec:\82064.exe91⤵PID:2232
-
\??\c:\864404.exec:\864404.exe92⤵PID:2240
-
\??\c:\xxfflrf.exec:\xxfflrf.exe93⤵PID:2980
-
\??\c:\1pvdj.exec:\1pvdj.exe94⤵PID:2248
-
\??\c:\0288222.exec:\0288222.exe95⤵PID:1860
-
\??\c:\3rrxflx.exec:\3rrxflx.exe96⤵PID:2320
-
\??\c:\htbtbb.exec:\htbtbb.exe97⤵PID:1908
-
\??\c:\lfxrxlf.exec:\lfxrxlf.exe98⤵PID:2084
-
\??\c:\xrflrrl.exec:\xrflrrl.exe99⤵PID:2112
-
\??\c:\jjvdd.exec:\jjvdd.exe100⤵PID:2992
-
\??\c:\e08222.exec:\e08222.exe101⤵PID:1468
-
\??\c:\i268008.exec:\i268008.exe102⤵PID:1260
-
\??\c:\i022480.exec:\i022480.exe103⤵PID:1712
-
\??\c:\6822882.exec:\6822882.exe104⤵PID:2132
-
\??\c:\o866884.exec:\o866884.exe105⤵PID:400
-
\??\c:\048462.exec:\048462.exe106⤵PID:2432
-
\??\c:\xlrxflr.exec:\xlrxflr.exe107⤵PID:612
-
\??\c:\86406.exec:\86406.exe108⤵PID:1192
-
\??\c:\4622228.exec:\4622228.exe109⤵PID:1340
-
\??\c:\tnhhtb.exec:\tnhhtb.exe110⤵PID:964
-
\??\c:\rlxfrrf.exec:\rlxfrrf.exe111⤵PID:1252
-
\??\c:\1nbhth.exec:\1nbhth.exe112⤵PID:1536
-
\??\c:\6606222.exec:\6606222.exe113⤵PID:912
-
\??\c:\820682.exec:\820682.exe114⤵PID:2380
-
\??\c:\jvvvd.exec:\jvvvd.exe115⤵PID:568
-
\??\c:\3pjdj.exec:\3pjdj.exe116⤵
- System Location Discovery: System Language Discovery
PID:2076 -
\??\c:\rlxrfxl.exec:\rlxrfxl.exe117⤵PID:1812
-
\??\c:\fxxfrrx.exec:\fxxfrrx.exe118⤵PID:3056
-
\??\c:\08624.exec:\08624.exe119⤵PID:2360
-
\??\c:\6460662.exec:\6460662.exe120⤵PID:2104
-
\??\c:\0466224.exec:\0466224.exe121⤵PID:2504
-
\??\c:\a6064.exec:\a6064.exe122⤵PID:1568