Analysis
-
max time kernel
120s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20241023-en -
resource tags
arch:x64 arch:x86 image:win7-20241023-en locale:en-us os:windows7-x64 system -
submitted
26-12-2024 19:40
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
9993ee81ae54e4d7188cf32866e47c7c3a50aabff4a4b8b2c8964269e77ed1ed.exe
Resource
win7-20241023-en
7 signatures
120 seconds
General
-
Target
9993ee81ae54e4d7188cf32866e47c7c3a50aabff4a4b8b2c8964269e77ed1ed.exe
-
Size
453KB
-
MD5
08f87bcea1bf3ec48a5a678d201db4da
-
SHA1
c3ce831d8daedaab496143294ac496383d2fad58
-
SHA256
9993ee81ae54e4d7188cf32866e47c7c3a50aabff4a4b8b2c8964269e77ed1ed
-
SHA512
c79453d923e8a2c0ab6e8a3f30f188c4811d4a8ffef67c8a6b3f57221555cb3b0f3d089422510e8fb3ebb7007e013e0ceb90f6a89ce8b906272a876789dc36f9
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbes:q7Tc2NYHUrAwfMp3CDs
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 37 IoCs
resource yara_rule behavioral1/memory/2588-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2628-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2624-20-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2188-28-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2956-57-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1356-74-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2676-91-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2340-109-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1480-118-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2740-136-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2360-180-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/112-196-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1700-213-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2240-281-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2764-323-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2516-255-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2484-222-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2284-170-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2356-153-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1968-127-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1904-100-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2948-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2096-53-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2540-44-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1636-393-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1480-407-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1768-507-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2268-527-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2180-534-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2172-580-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2804-634-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1980-709-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/700-735-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/632-792-0x0000000000230000-0x000000000025A000-memory.dmp family_blackmoon behavioral1/memory/580-1002-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/764-1027-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1576-1122-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs (the count is a display cap, not the true total: the process tree below shows a chain of 121 dropped executables, each launched by its predecessor, and only the first 64 carry this tag; PIDs such as 2540, 1480, 1968 and 2740 are reused by later children, so do not key correlation on PID alone)
pid Process 2628 xxllrrx.exe 2624 e64466.exe 2188 jjvvd.exe 2540 024404.exe 2096 2088008.exe 2956 264062.exe 2948 84002.exe 1356 0860222.exe 2844 lxflrxf.exe 2676 82064.exe 1904 o200668.exe 2340 ddvdj.exe 1480 u862442.exe 1968 fxrxxfl.exe 2740 rlrfffl.exe 1788 868406.exe 2356 vpdvj.exe 2288 bbntbh.exe 2284 nbttnt.exe 2360 2022824.exe 2124 60446.exe 112 080022.exe 640 2062820.exe 1700 hbntbn.exe 2484 6026662.exe 760 q08400.exe 696 5bhntt.exe 916 m6068.exe 2516 26006.exe 1676 tnhtnn.exe 2228 04686.exe 2240 6400640.exe 1508 xxfxflr.exe 2544 864488.exe 1784 5pjdv.exe 2036 4866240.exe 1604 1bhbhh.exe 2368 o424062.exe 2764 862860.exe 2540 1vvpj.exe 2992 xlfxxrr.exe 2940 20262.exe 2812 m8600.exe 2556 0860606.exe 2804 3xrxxxf.exe 2848 428604.exe 2696 202844.exe 2040 xfllrrx.exe 1636 s8668.exe 2504 9bthbt.exe 1480 4688002.exe 1968 c866880.exe 2740 0084620.exe 1704 hhtttn.exe 1292 7vdvp.exe 772 08662.exe 580 e64400.exe 1312 flxxffr.exe 2404 ddpvd.exe 1976 6028028.exe 1164 424022.exe 2144 9lxxfll.exe 2660 dpjjv.exe 960 jdjdj.exe -
resource yara_rule behavioral1/memory/2588-0-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2588-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2628-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2624-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2188-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2096-45-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2956-57-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1356-74-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2676-91-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2340-109-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1480-118-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2740-136-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2360-180-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/112-196-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1700-213-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2240-281-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2764-323-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2516-255-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2484-222-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2284-170-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2356-153-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1968-127-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1904-100-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2948-66-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2096-53-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2540-44-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1636-393-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2504-394-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1480-407-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1312-445-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/960-482-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1232-508-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1768-507-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2268-527-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2180-534-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2448-547-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2172-580-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2624-581-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2316-588-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2156-602-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2904-621-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2804-634-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2700-647-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2932-672-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1980-709-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2884-710-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/700-735-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2244-755-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2248-817-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2656-854-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3064-915-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2040-940-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1256-977-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/580-1002-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2164-1094-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1576-1122-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2856-1184-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/908-1209-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1480-1246-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host. Entries below marked "Process not Found" are registry opens the sandbox could not attribute to a named process (likely short-lived children that had already exited); the key itself is the same for every entry.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0866224.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdjdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpddd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvdvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 02826.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c866880.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a8600.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpvdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language q80004.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3llfrll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdjdj.exe Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlflllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 424028.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 64624.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language i262402.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 82022.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1xllrrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlllfxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3xrxffl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3vdjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language g4660.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language q08888.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9tnhnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8260264.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnthhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs (display cap: the list covers only the first 16 parent-to-child hand-offs, each recorded four times. Note the PID-reuse artefact — jjvvd.exe (2188) writing to 2540 is resolved to procid_target 69 (1vvpj.exe, the later holder of PID 2540) rather than 024404.exe, and ddvdj.exe (2340) writing to 1480 resolves to 80 (4688002.exe) rather than u862442.exe; treat the procid_target column, not the raw PID, as the authoritative child identity)
description pid Process procid_target PID 2588 wrote to memory of 2628 2588 9993ee81ae54e4d7188cf32866e47c7c3a50aabff4a4b8b2c8964269e77ed1ed.exe 30 PID 2588 wrote to memory of 2628 2588 9993ee81ae54e4d7188cf32866e47c7c3a50aabff4a4b8b2c8964269e77ed1ed.exe 30 PID 2588 wrote to memory of 2628 2588 9993ee81ae54e4d7188cf32866e47c7c3a50aabff4a4b8b2c8964269e77ed1ed.exe 30 PID 2588 wrote to memory of 2628 2588 9993ee81ae54e4d7188cf32866e47c7c3a50aabff4a4b8b2c8964269e77ed1ed.exe 30 PID 2628 wrote to memory of 2624 2628 xxllrrx.exe 31 PID 2628 wrote to memory of 2624 2628 xxllrrx.exe 31 PID 2628 wrote to memory of 2624 2628 xxllrrx.exe 31 PID 2628 wrote to memory of 2624 2628 xxllrrx.exe 31 PID 2624 wrote to memory of 2188 2624 e64466.exe 32 PID 2624 wrote to memory of 2188 2624 e64466.exe 32 PID 2624 wrote to memory of 2188 2624 e64466.exe 32 PID 2624 wrote to memory of 2188 2624 e64466.exe 32 PID 2188 wrote to memory of 2540 2188 jjvvd.exe 69 PID 2188 wrote to memory of 2540 2188 jjvvd.exe 69 PID 2188 wrote to memory of 2540 2188 jjvvd.exe 69 PID 2188 wrote to memory of 2540 2188 jjvvd.exe 69 PID 2540 wrote to memory of 2096 2540 024404.exe 34 PID 2540 wrote to memory of 2096 2540 024404.exe 34 PID 2540 wrote to memory of 2096 2540 024404.exe 34 PID 2540 wrote to memory of 2096 2540 024404.exe 34 PID 2096 wrote to memory of 2956 2096 2088008.exe 35 PID 2096 wrote to memory of 2956 2096 2088008.exe 35 PID 2096 wrote to memory of 2956 2096 2088008.exe 35 PID 2096 wrote to memory of 2956 2096 2088008.exe 35 PID 2956 wrote to memory of 2948 2956 264062.exe 36 PID 2956 wrote to memory of 2948 2956 264062.exe 36 PID 2956 wrote to memory of 2948 2956 264062.exe 36 PID 2956 wrote to memory of 2948 2956 264062.exe 36 PID 2948 wrote to memory of 1356 2948 84002.exe 37 PID 2948 wrote to memory of 1356 2948 84002.exe 37 PID 2948 wrote to memory of 1356 2948 84002.exe 37 PID 2948 wrote to memory of 1356 2948 84002.exe 37 PID 1356 wrote to memory of 2844 1356 0860222.exe 38 PID 1356 
wrote to memory of 2844 1356 0860222.exe 38 PID 1356 wrote to memory of 2844 1356 0860222.exe 38 PID 1356 wrote to memory of 2844 1356 0860222.exe 38 PID 2844 wrote to memory of 2676 2844 lxflrxf.exe 39 PID 2844 wrote to memory of 2676 2844 lxflrxf.exe 39 PID 2844 wrote to memory of 2676 2844 lxflrxf.exe 39 PID 2844 wrote to memory of 2676 2844 lxflrxf.exe 39 PID 2676 wrote to memory of 1904 2676 82064.exe 40 PID 2676 wrote to memory of 1904 2676 82064.exe 40 PID 2676 wrote to memory of 1904 2676 82064.exe 40 PID 2676 wrote to memory of 1904 2676 82064.exe 40 PID 1904 wrote to memory of 2340 1904 o200668.exe 41 PID 1904 wrote to memory of 2340 1904 o200668.exe 41 PID 1904 wrote to memory of 2340 1904 o200668.exe 41 PID 1904 wrote to memory of 2340 1904 o200668.exe 41 PID 2340 wrote to memory of 1480 2340 ddvdj.exe 80 PID 2340 wrote to memory of 1480 2340 ddvdj.exe 80 PID 2340 wrote to memory of 1480 2340 ddvdj.exe 80 PID 2340 wrote to memory of 1480 2340 ddvdj.exe 80 PID 1480 wrote to memory of 1968 1480 u862442.exe 43 PID 1480 wrote to memory of 1968 1480 u862442.exe 43 PID 1480 wrote to memory of 1968 1480 u862442.exe 43 PID 1480 wrote to memory of 1968 1480 u862442.exe 43 PID 1968 wrote to memory of 2740 1968 fxrxxfl.exe 44 PID 1968 wrote to memory of 2740 1968 fxrxxfl.exe 44 PID 1968 wrote to memory of 2740 1968 fxrxxfl.exe 44 PID 1968 wrote to memory of 2740 1968 fxrxxfl.exe 44 PID 2740 wrote to memory of 1788 2740 rlrfffl.exe 45 PID 2740 wrote to memory of 1788 2740 rlrfffl.exe 45 PID 2740 wrote to memory of 1788 2740 rlrfffl.exe 45 PID 2740 wrote to memory of 1788 2740 rlrfffl.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\9993ee81ae54e4d7188cf32866e47c7c3a50aabff4a4b8b2c8964269e77ed1ed.exe"C:\Users\Admin\AppData\Local\Temp\9993ee81ae54e4d7188cf32866e47c7c3a50aabff4a4b8b2c8964269e77ed1ed.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2588 -
\??\c:\xxllrrx.exec:\xxllrrx.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2628 -
\??\c:\e64466.exec:\e64466.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2624 -
\??\c:\jjvvd.exec:\jjvvd.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2188 -
\??\c:\024404.exec:\024404.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2540 -
\??\c:\2088008.exec:\2088008.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2096 -
\??\c:\264062.exec:\264062.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2956 -
\??\c:\84002.exec:\84002.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2948 -
\??\c:\0860222.exec:\0860222.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1356 -
\??\c:\lxflrxf.exec:\lxflrxf.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2844 -
\??\c:\82064.exec:\82064.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2676 -
\??\c:\o200668.exec:\o200668.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1904 -
\??\c:\ddvdj.exec:\ddvdj.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2340 -
\??\c:\u862442.exec:\u862442.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1480 -
\??\c:\fxrxxfl.exec:\fxrxxfl.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1968 -
\??\c:\rlrfffl.exec:\rlrfffl.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2740 -
\??\c:\868406.exec:\868406.exe17⤵
- Executes dropped EXE
PID:1788 -
\??\c:\vpdvj.exec:\vpdvj.exe18⤵
- Executes dropped EXE
PID:2356 -
\??\c:\bbntbh.exec:\bbntbh.exe19⤵
- Executes dropped EXE
PID:2288 -
\??\c:\nbttnt.exec:\nbttnt.exe20⤵
- Executes dropped EXE
PID:2284 -
\??\c:\2022824.exec:\2022824.exe21⤵
- Executes dropped EXE
PID:2360 -
\??\c:\60446.exec:\60446.exe22⤵
- Executes dropped EXE
PID:2124 -
\??\c:\080022.exec:\080022.exe23⤵
- Executes dropped EXE
PID:112 -
\??\c:\2062820.exec:\2062820.exe24⤵
- Executes dropped EXE
PID:640 -
\??\c:\hbntbn.exec:\hbntbn.exe25⤵
- Executes dropped EXE
PID:1700 -
\??\c:\6026662.exec:\6026662.exe26⤵
- Executes dropped EXE
PID:2484 -
\??\c:\q08400.exec:\q08400.exe27⤵
- Executes dropped EXE
PID:760 -
\??\c:\5bhntt.exec:\5bhntt.exe28⤵
- Executes dropped EXE
PID:696 -
\??\c:\m6068.exec:\m6068.exe29⤵
- Executes dropped EXE
PID:916 -
\??\c:\26006.exec:\26006.exe30⤵
- Executes dropped EXE
PID:2516 -
\??\c:\tnhtnn.exec:\tnhtnn.exe31⤵
- Executes dropped EXE
PID:1676 -
\??\c:\04686.exec:\04686.exe32⤵
- Executes dropped EXE
PID:2228 -
\??\c:\6400640.exec:\6400640.exe33⤵
- Executes dropped EXE
PID:2240 -
\??\c:\xxfxflr.exec:\xxfxflr.exe34⤵
- Executes dropped EXE
PID:1508 -
\??\c:\864488.exec:\864488.exe35⤵
- Executes dropped EXE
PID:2544 -
\??\c:\5pjdv.exec:\5pjdv.exe36⤵
- Executes dropped EXE
PID:1784 -
\??\c:\4866240.exec:\4866240.exe37⤵
- Executes dropped EXE
PID:2036 -
\??\c:\1bhbhh.exec:\1bhbhh.exe38⤵
- Executes dropped EXE
PID:1604 -
\??\c:\o424062.exec:\o424062.exe39⤵
- Executes dropped EXE
PID:2368 -
\??\c:\862860.exec:\862860.exe40⤵
- Executes dropped EXE
PID:2764 -
\??\c:\1vvpj.exec:\1vvpj.exe41⤵
- Executes dropped EXE
PID:2540 -
\??\c:\xlfxxrr.exec:\xlfxxrr.exe42⤵
- Executes dropped EXE
PID:2992 -
\??\c:\20262.exec:\20262.exe43⤵
- Executes dropped EXE
PID:2940 -
\??\c:\m8600.exec:\m8600.exe44⤵
- Executes dropped EXE
PID:2812 -
\??\c:\0860606.exec:\0860606.exe45⤵
- Executes dropped EXE
PID:2556 -
\??\c:\3xrxxxf.exec:\3xrxxxf.exe46⤵
- Executes dropped EXE
PID:2804 -
\??\c:\428604.exec:\428604.exe47⤵
- Executes dropped EXE
PID:2848 -
\??\c:\202844.exec:\202844.exe48⤵
- Executes dropped EXE
PID:2696 -
\??\c:\xfllrrx.exec:\xfllrrx.exe49⤵
- Executes dropped EXE
PID:2040 -
\??\c:\s8668.exec:\s8668.exe50⤵
- Executes dropped EXE
PID:1636 -
\??\c:\9bthbt.exec:\9bthbt.exe51⤵
- Executes dropped EXE
PID:2504 -
\??\c:\4688002.exec:\4688002.exe52⤵
- Executes dropped EXE
PID:1480 -
\??\c:\c866880.exec:\c866880.exe53⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1968 -
\??\c:\0084620.exec:\0084620.exe54⤵
- Executes dropped EXE
PID:2740 -
\??\c:\hhtttn.exec:\hhtttn.exe55⤵
- Executes dropped EXE
PID:1704 -
\??\c:\7vdvp.exec:\7vdvp.exe56⤵
- Executes dropped EXE
PID:1292 -
\??\c:\08662.exec:\08662.exe57⤵
- Executes dropped EXE
PID:772 -
\??\c:\e64400.exec:\e64400.exe58⤵
- Executes dropped EXE
PID:580 -
\??\c:\flxxffr.exec:\flxxffr.exe59⤵
- Executes dropped EXE
PID:1312 -
\??\c:\ddpvd.exec:\ddpvd.exe60⤵
- Executes dropped EXE
PID:2404 -
\??\c:\6028028.exec:\6028028.exe61⤵
- Executes dropped EXE
PID:1976 -
\??\c:\424022.exec:\424022.exe62⤵
- Executes dropped EXE
PID:1164 -
\??\c:\9lxxfll.exec:\9lxxfll.exe63⤵
- Executes dropped EXE
PID:2144 -
\??\c:\dpjjv.exec:\dpjjv.exe64⤵
- Executes dropped EXE
PID:2660 -
\??\c:\jdjdj.exec:\jdjdj.exe65⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:960 -
\??\c:\rlxfllr.exec:\rlxfllr.exe66⤵PID:1432
-
\??\c:\20628.exec:\20628.exe67⤵PID:1544
-
\??\c:\hnbtbn.exec:\hnbtbn.exe68⤵PID:1768
-
\??\c:\pjdpv.exec:\pjdpv.exe69⤵PID:1232
-
\??\c:\xfxrxxf.exec:\xfxrxxf.exe70⤵PID:1656
-
\??\c:\rxlffxf.exec:\rxlffxf.exe71⤵PID:2268
-
\??\c:\66444.exec:\66444.exe72⤵PID:848
-
\??\c:\htnhnt.exec:\htnhnt.exe73⤵PID:2180
-
\??\c:\08446.exec:\08446.exe74⤵PID:1036
-
\??\c:\7xrlfxx.exec:\7xrlfxx.exe75⤵PID:2448
-
\??\c:\dpjvd.exec:\dpjvd.exe76⤵PID:276
-
\??\c:\rlrrfxx.exec:\rlrrfxx.exe77⤵PID:2632
-
\??\c:\bntbbb.exec:\bntbbb.exe78⤵PID:2656
-
\??\c:\hbhhht.exec:\hbhhht.exe79⤵PID:2172
-
\??\c:\0866224.exec:\0866224.exe80⤵
- System Location Discovery: System Language Discovery
PID:2624 -
\??\c:\tnbhnn.exec:\tnbhnn.exe81⤵PID:2316
-
\??\c:\djjvd.exec:\djjvd.exe82⤵PID:2788
-
\??\c:\q02666.exec:\q02666.exe83⤵PID:2156
-
\??\c:\nnbbhh.exec:\nnbbhh.exe84⤵PID:2860
-
\??\c:\086026.exec:\086026.exe85⤵PID:1812
-
\??\c:\9rrlfff.exec:\9rrlfff.exe86⤵PID:2904
-
\??\c:\u422446.exec:\u422446.exe87⤵PID:2804
-
\??\c:\7frxflx.exec:\7frxflx.exe88⤵PID:2520
-
\??\c:\424404.exec:\424404.exe89⤵PID:1356
-
\??\c:\lfrrxxf.exec:\lfrrxxf.exe90⤵PID:2700
-
\??\c:\3rffxff.exec:\3rffxff.exe91⤵PID:2936
-
\??\c:\lflllfl.exec:\lflllfl.exe92⤵PID:2684
-
\??\c:\42040.exec:\42040.exe93⤵PID:2732
-
\??\c:\8622222.exec:\8622222.exe94⤵PID:2932
-
\??\c:\5jvvv.exec:\5jvvv.exe95⤵PID:2340
-
\??\c:\9xlrxlr.exec:\9xlrxlr.exe96⤵PID:3016
-
\??\c:\a4884.exec:\a4884.exe97⤵PID:2756
-
\??\c:\vdppj.exec:\vdppj.exe98⤵PID:2900
-
\??\c:\pdjpd.exec:\pdjpd.exe99⤵PID:1980
-
\??\c:\bnbtnn.exec:\bnbtnn.exe100⤵PID:2884
-
\??\c:\4824608.exec:\4824608.exe101⤵PID:2132
-
\??\c:\7lfrrll.exec:\7lfrrll.exe102⤵PID:3032
-
\??\c:\u600262.exec:\u600262.exe103⤵PID:700
-
\??\c:\6400228.exec:\6400228.exe104⤵PID:2260
-
\??\c:\o868668.exec:\o868668.exe105⤵PID:1648
-
\??\c:\060066.exec:\060066.exe106⤵PID:1448
-
\??\c:\o048008.exec:\o048008.exe107⤵PID:2244
-
\??\c:\nbbbtt.exec:\nbbbtt.exe108⤵PID:3000
-
\??\c:\3lfxllr.exec:\3lfxllr.exe109⤵PID:1372
-
\??\c:\26402.exec:\26402.exe110⤵PID:3012
-
\??\c:\66802.exec:\66802.exe111⤵PID:1764
-
\??\c:\i424408.exec:\i424408.exe112⤵PID:632
-
\??\c:\bhbbhh.exec:\bhbbhh.exe113⤵PID:956
-
\??\c:\2022868.exec:\2022868.exe114⤵PID:2516
-
\??\c:\424028.exec:\424028.exe115⤵
- System Location Discovery: System Language Discovery
PID:2208 -
\??\c:\6462840.exec:\6462840.exe116⤵PID:2164
-
\??\c:\ppdvv.exec:\ppdvv.exe117⤵PID:2248
-
\??\c:\86244.exec:\86244.exe118⤵PID:1944
-
\??\c:\64066.exec:\64066.exe119⤵PID:2220
-
\??\c:\9fflrlr.exec:\9fflrlr.exe120⤵PID:2612
-
\??\c:\868848.exec:\868848.exe121⤵PID:276
-
\??\c:\htntbb.exec:\htntbb.exe122⤵PID:2596