Analysis
-
max time kernel
150s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
29/12/2024, 02:03
Static task
static1
Behavioral task
behavioral1
Sample
969aab668129ea436c9bc57504a4b3ad2e38293c7b4a41627bf5f6b06eab8d25.exe
Resource
win7-20241010-en
General
-
Target
969aab668129ea436c9bc57504a4b3ad2e38293c7b4a41627bf5f6b06eab8d25.exe
-
Size
337KB
-
MD5
38e3f2dc1c787ea2f0dd506ced55f71f
-
SHA1
2ddaaba255f14d8f362a6e07c9d3f28dd1f22fc0
-
SHA256
969aab668129ea436c9bc57504a4b3ad2e38293c7b4a41627bf5f6b06eab8d25
-
SHA512
9543608ccf5f237837deca17107996ab243115b9cd01ff0878735cafb362e35f682876530e7613b9c5a6631d875dc15e60925bc07a973699ccefa87f723f9f6d
-
SSDEEP
6144:3cm7ImGddXsJdJIjaRleL42bL37BoTPkhu9gX5yGsTshQc8R0nxA5ij8+RC7tPhR:F7Tc8JdSjylh2b77BoTMA9gX59sTsuTh
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 56 IoCs
resource yara_rule behavioral1/memory/2340-8-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2324-16-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2900-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2748-45-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2744-54-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1648-61-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1648-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/480-73-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/936-82-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2744-86-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2356-91-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2404-101-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1808-103-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2356-117-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/3020-136-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2332-145-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2296-154-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1268-171-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1268-173-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2272-181-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2144-191-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/1940-211-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1640-219-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2144-221-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/1608-230-0x00000000002B0000-0x00000000002DA000-memory.dmp family_blackmoon behavioral1/memory/1692-251-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2648-266-0x00000000003D0000-0x00000000003FA000-memory.dmp family_blackmoon behavioral1/memory/2032-270-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2856-315-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2376-385-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2868-412-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2868-411-0x0000000000430000-0x000000000045A000-memory.dmp family_blackmoon behavioral1/memory/2912-419-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2136-469-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/324-488-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/440-494-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1536-532-0x0000000000250000-0x000000000027A000-memory.dmp family_blackmoon behavioral1/memory/1752-553-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/1580-563-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1580-568-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2712-605-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/2712-608-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/836-645-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2928-685-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2364-699-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/628-713-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2216-726-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2504-728-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1976-765-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1028-779-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1028-778-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2556-885-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/572-898-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3052-947-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2440-1010-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/348-1038-0x00000000001C0000-0x00000000001EA000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2324 9rxxxff.exe 2808 dvppv.exe 2900 vpvvp.exe 2748 9vddj.exe 2744 nhttnn.exe 1648 dvvvd.exe 480 8288444.exe 936 26202.exe 2356 04886.exe 2404 u866668.exe 1808 q68804.exe 2160 k02800.exe 2172 lflrrlr.exe 3020 1xfflfl.exe 2332 640466.exe 2296 3lxrrlr.exe 2924 240444.exe 1268 246660.exe 2272 k64400.exe 2144 flrrrlr.exe 2056 20046.exe 1940 xlrrxff.exe 1640 hbnbhh.exe 1608 688664.exe 2040 46620.exe 2444 1xfxfff.exe 1692 2004062.exe 2648 xxlrxfx.exe 2032 w24220.exe 2644 6062224.exe 2064 lxrllll.exe 2980 428404.exe 2236 0844042.exe 2880 rxflfrr.exe 2856 1hhttb.exe 2968 428244.exe 2704 jjvvv.exe 2812 9xrlrrf.exe 2176 6462204.exe 2548 64662.exe 1368 820644.exe 480 i462486.exe 2084 82284.exe 2400 202282.exe 2376 1btnnn.exe 2004 frfrrrr.exe 2184 vpdvj.exe 2088 8240840.exe 2868 frrrrrx.exe 2912 bnbhhh.exe 2308 86228.exe 1980 3vdvv.exe 2780 i040880.exe 1988 86402.exe 2288 vpdvd.exe 1460 w24404.exe 2272 4666266.exe 2136 0804000.exe 2148 flllrrx.exe 2432 lfrrrxx.exe 324 828622.exe 440 1rxffxf.exe 1540 8240228.exe 1608 jdvvp.exe -
resource yara_rule behavioral1/memory/2340-8-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2324-16-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2900-27-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2900-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2748-45-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1648-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/936-82-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2356-91-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2404-101-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1808-103-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2356-117-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/3020-136-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2332-145-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2296-154-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1268-173-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2272-181-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2144-191-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1940-211-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1640-219-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1692-251-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2032-270-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2856-315-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1368-352-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2084-366-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2376-385-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2868-412-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2912-419-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2136-469-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/324-488-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1752-553-0x00000000001B0000-0x00000000001DA000-memory.dmp upx behavioral1/memory/1580-568-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2572-581-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2712-608-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/836-645-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/628-712-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2216-726-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2504-728-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2136-740-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1028-779-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2416-844-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2836-853-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2660-852-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2556-885-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/572-898-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3052-947-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2016-948-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2440-1010-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1692-1073-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvjdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnnbtb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a2000.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0840000.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 084440.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lffffrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 46620.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 680626.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2602846.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 480664.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnhttt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfrfffl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 868264.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 668404.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2340 wrote to memory of 2324 2340 969aab668129ea436c9bc57504a4b3ad2e38293c7b4a41627bf5f6b06eab8d25.exe 30 PID 2340 wrote to memory of 2324 2340 969aab668129ea436c9bc57504a4b3ad2e38293c7b4a41627bf5f6b06eab8d25.exe 30 PID 2340 wrote to memory of 2324 2340 969aab668129ea436c9bc57504a4b3ad2e38293c7b4a41627bf5f6b06eab8d25.exe 30 PID 2340 wrote to memory of 2324 2340 969aab668129ea436c9bc57504a4b3ad2e38293c7b4a41627bf5f6b06eab8d25.exe 30 PID 2324 wrote to memory of 2808 2324 9rxxxff.exe 31 PID 2324 wrote to memory of 2808 2324 9rxxxff.exe 31 PID 2324 wrote to memory of 2808 2324 9rxxxff.exe 31 PID 2324 wrote to memory of 2808 2324 9rxxxff.exe 31 PID 2808 wrote to memory of 2900 2808 dvppv.exe 32 PID 2808 wrote to memory of 2900 2808 dvppv.exe 32 PID 2808 wrote to memory of 2900 2808 dvppv.exe 32 PID 2808 wrote to memory of 2900 2808 dvppv.exe 32 PID 2900 wrote to memory of 2748 2900 vpvvp.exe 33 PID 2900 wrote to memory of 2748 2900 vpvvp.exe 33 PID 2900 wrote to memory of 2748 2900 vpvvp.exe 33 PID 2900 wrote to memory of 2748 2900 vpvvp.exe 33 PID 2748 wrote to memory of 2744 2748 9vddj.exe 34 PID 2748 wrote to memory of 2744 2748 9vddj.exe 34 PID 2748 wrote to memory of 2744 2748 9vddj.exe 34 PID 2748 wrote to memory of 2744 2748 9vddj.exe 34 PID 2744 wrote to memory of 1648 2744 nhttnn.exe 35 PID 2744 wrote to memory of 1648 2744 nhttnn.exe 35 PID 2744 wrote to memory of 1648 2744 nhttnn.exe 35 PID 2744 wrote to memory of 1648 2744 nhttnn.exe 35 PID 1648 wrote to memory of 480 1648 dvvvd.exe 36 PID 1648 wrote to memory of 480 1648 dvvvd.exe 36 PID 1648 wrote to memory of 480 1648 dvvvd.exe 36 PID 1648 wrote to memory of 480 1648 dvvvd.exe 36 PID 480 wrote to memory of 936 480 8288444.exe 37 PID 480 wrote to memory of 936 480 8288444.exe 37 PID 480 wrote to memory of 936 480 8288444.exe 37 PID 480 wrote to memory of 936 480 8288444.exe 37 PID 936 wrote to memory of 2356 936 26202.exe 38 PID 936 wrote to memory of 2356 936 
26202.exe 38 PID 936 wrote to memory of 2356 936 26202.exe 38 PID 936 wrote to memory of 2356 936 26202.exe 38 PID 2356 wrote to memory of 2404 2356 04886.exe 39 PID 2356 wrote to memory of 2404 2356 04886.exe 39 PID 2356 wrote to memory of 2404 2356 04886.exe 39 PID 2356 wrote to memory of 2404 2356 04886.exe 39 PID 2404 wrote to memory of 1808 2404 u866668.exe 40 PID 2404 wrote to memory of 1808 2404 u866668.exe 40 PID 2404 wrote to memory of 1808 2404 u866668.exe 40 PID 2404 wrote to memory of 1808 2404 u866668.exe 40 PID 1808 wrote to memory of 2160 1808 q68804.exe 41 PID 1808 wrote to memory of 2160 1808 q68804.exe 41 PID 1808 wrote to memory of 2160 1808 q68804.exe 41 PID 1808 wrote to memory of 2160 1808 q68804.exe 41 PID 2160 wrote to memory of 2172 2160 k02800.exe 42 PID 2160 wrote to memory of 2172 2160 k02800.exe 42 PID 2160 wrote to memory of 2172 2160 k02800.exe 42 PID 2160 wrote to memory of 2172 2160 k02800.exe 42 PID 2172 wrote to memory of 3020 2172 lflrrlr.exe 43 PID 2172 wrote to memory of 3020 2172 lflrrlr.exe 43 PID 2172 wrote to memory of 3020 2172 lflrrlr.exe 43 PID 2172 wrote to memory of 3020 2172 lflrrlr.exe 43 PID 3020 wrote to memory of 2332 3020 1xfflfl.exe 44 PID 3020 wrote to memory of 2332 3020 1xfflfl.exe 44 PID 3020 wrote to memory of 2332 3020 1xfflfl.exe 44 PID 3020 wrote to memory of 2332 3020 1xfflfl.exe 44 PID 2332 wrote to memory of 2296 2332 640466.exe 45 PID 2332 wrote to memory of 2296 2332 640466.exe 45 PID 2332 wrote to memory of 2296 2332 640466.exe 45 PID 2332 wrote to memory of 2296 2332 640466.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\969aab668129ea436c9bc57504a4b3ad2e38293c7b4a41627bf5f6b06eab8d25.exe"C:\Users\Admin\AppData\Local\Temp\969aab668129ea436c9bc57504a4b3ad2e38293c7b4a41627bf5f6b06eab8d25.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2340 -
\??\c:\9rxxxff.exec:\9rxxxff.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2324 -
\??\c:\dvppv.exec:\dvppv.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2808 -
\??\c:\vpvvp.exec:\vpvvp.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2900 -
\??\c:\9vddj.exec:\9vddj.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2748 -
\??\c:\nhttnn.exec:\nhttnn.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2744 -
\??\c:\dvvvd.exec:\dvvvd.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1648 -
\??\c:\8288444.exec:\8288444.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:480 -
\??\c:\26202.exec:\26202.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:936 -
\??\c:\04886.exec:\04886.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2356 -
\??\c:\u866668.exec:\u866668.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2404 -
\??\c:\q68804.exec:\q68804.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1808 -
\??\c:\k02800.exec:\k02800.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2160 -
\??\c:\lflrrlr.exec:\lflrrlr.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2172 -
\??\c:\1xfflfl.exec:\1xfflfl.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3020 -
\??\c:\640466.exec:\640466.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2332 -
\??\c:\3lxrrlr.exec:\3lxrrlr.exe17⤵
- Executes dropped EXE
PID:2296 -
\??\c:\240444.exec:\240444.exe18⤵
- Executes dropped EXE
PID:2924 -
\??\c:\246660.exec:\246660.exe19⤵
- Executes dropped EXE
PID:1268 -
\??\c:\k64400.exec:\k64400.exe20⤵
- Executes dropped EXE
PID:2272 -
\??\c:\flrrrlr.exec:\flrrrlr.exe21⤵
- Executes dropped EXE
PID:2144 -
\??\c:\20046.exec:\20046.exe22⤵
- Executes dropped EXE
PID:2056 -
\??\c:\xlrrxff.exec:\xlrrxff.exe23⤵
- Executes dropped EXE
PID:1940 -
\??\c:\hbnbhh.exec:\hbnbhh.exe24⤵
- Executes dropped EXE
PID:1640 -
\??\c:\688664.exec:\688664.exe25⤵
- Executes dropped EXE
PID:1608 -
\??\c:\46620.exec:\46620.exe26⤵
- Executes dropped EXE
PID:2040 -
\??\c:\1xfxfff.exec:\1xfxfff.exe27⤵
- Executes dropped EXE
PID:2444 -
\??\c:\2004062.exec:\2004062.exe28⤵
- Executes dropped EXE
PID:1692 -
\??\c:\xxlrxfx.exec:\xxlrxfx.exe29⤵
- Executes dropped EXE
PID:2648 -
\??\c:\w24220.exec:\w24220.exe30⤵
- Executes dropped EXE
PID:2032 -
\??\c:\6062224.exec:\6062224.exe31⤵
- Executes dropped EXE
PID:2644 -
\??\c:\lxrllll.exec:\lxrllll.exe32⤵
- Executes dropped EXE
PID:2064 -
\??\c:\428404.exec:\428404.exe33⤵
- Executes dropped EXE
PID:2980 -
\??\c:\0844042.exec:\0844042.exe34⤵
- Executes dropped EXE
PID:2236 -
\??\c:\rxflfrr.exec:\rxflfrr.exe35⤵
- Executes dropped EXE
PID:2880 -
\??\c:\1hhttb.exec:\1hhttb.exe36⤵
- Executes dropped EXE
PID:2856 -
\??\c:\428244.exec:\428244.exe37⤵
- Executes dropped EXE
PID:2968 -
\??\c:\jjvvv.exec:\jjvvv.exe38⤵
- Executes dropped EXE
PID:2704 -
\??\c:\9xrlrrf.exec:\9xrlrrf.exe39⤵
- Executes dropped EXE
PID:2812 -
\??\c:\6462204.exec:\6462204.exe40⤵
- Executes dropped EXE
PID:2176 -
\??\c:\64662.exec:\64662.exe41⤵
- Executes dropped EXE
PID:2548 -
\??\c:\820644.exec:\820644.exe42⤵
- Executes dropped EXE
PID:1368 -
\??\c:\i462486.exec:\i462486.exe43⤵
- Executes dropped EXE
PID:480 -
\??\c:\82284.exec:\82284.exe44⤵
- Executes dropped EXE
PID:2084 -
\??\c:\202282.exec:\202282.exe45⤵
- Executes dropped EXE
PID:2400 -
\??\c:\1btnnn.exec:\1btnnn.exe46⤵
- Executes dropped EXE
PID:2376 -
\??\c:\frfrrrr.exec:\frfrrrr.exe47⤵
- Executes dropped EXE
PID:2004 -
\??\c:\vpdvj.exec:\vpdvj.exe48⤵
- Executes dropped EXE
PID:2184 -
\??\c:\8240840.exec:\8240840.exe49⤵
- Executes dropped EXE
PID:2088 -
\??\c:\frrrrrx.exec:\frrrrrx.exe50⤵
- Executes dropped EXE
PID:2868 -
\??\c:\bnbhhh.exec:\bnbhhh.exe51⤵
- Executes dropped EXE
PID:2912 -
\??\c:\86228.exec:\86228.exe52⤵
- Executes dropped EXE
PID:2308 -
\??\c:\3vdvv.exec:\3vdvv.exe53⤵
- Executes dropped EXE
PID:1980 -
\??\c:\i040880.exec:\i040880.exe54⤵
- Executes dropped EXE
PID:2780 -
\??\c:\86402.exec:\86402.exe55⤵
- Executes dropped EXE
PID:1988 -
\??\c:\vpdvd.exec:\vpdvd.exe56⤵
- Executes dropped EXE
PID:2288 -
\??\c:\w24404.exec:\w24404.exe57⤵
- Executes dropped EXE
PID:1460 -
\??\c:\4666266.exec:\4666266.exe58⤵
- Executes dropped EXE
PID:2272 -
\??\c:\0804000.exec:\0804000.exe59⤵
- Executes dropped EXE
PID:2136 -
\??\c:\flllrrx.exec:\flllrrx.exe60⤵
- Executes dropped EXE
PID:2148 -
\??\c:\lfrrrxx.exec:\lfrrrxx.exe61⤵
- Executes dropped EXE
PID:2432 -
\??\c:\828622.exec:\828622.exe62⤵
- Executes dropped EXE
PID:324 -
\??\c:\1rxffxf.exec:\1rxffxf.exe63⤵
- Executes dropped EXE
PID:440 -
\??\c:\8240228.exec:\8240228.exe64⤵
- Executes dropped EXE
PID:1540 -
\??\c:\jdvvp.exec:\jdvvp.exe65⤵
- Executes dropped EXE
PID:1608 -
\??\c:\7vjdd.exec:\7vjdd.exe66⤵PID:1656
-
\??\c:\20888.exec:\20888.exe67⤵PID:1036
-
\??\c:\80044.exec:\80044.exe68⤵PID:1812
-
\??\c:\lrxxrll.exec:\lrxxrll.exe69⤵PID:1536
-
\??\c:\vjvpp.exec:\vjvpp.exe70⤵PID:1720
-
\??\c:\lxllxff.exec:\lxllxff.exe71⤵PID:2648
-
\??\c:\lflrxlr.exec:\lflrxlr.exe72⤵PID:2032
-
\??\c:\646844.exec:\646844.exe73⤵PID:1752
-
\??\c:\8268480.exec:\8268480.exe74⤵PID:1192
-
\??\c:\ppjvj.exec:\ppjvj.exe75⤵PID:1580
-
\??\c:\bbnthn.exec:\bbnthn.exe76⤵PID:2984
-
\??\c:\60860.exec:\60860.exe77⤵PID:3004
-
\??\c:\bbnntt.exec:\bbnntt.exe78⤵PID:2572
-
\??\c:\820062.exec:\820062.exe79⤵PID:2892
-
\??\c:\lxxfffr.exec:\lxxfffr.exe80⤵PID:2760
-
\??\c:\7hbhtb.exec:\7hbhtb.exe81⤵PID:2712
-
\??\c:\nbbbhh.exec:\nbbbhh.exe82⤵PID:2620
-
\??\c:\jjddj.exec:\jjddj.exe83⤵PID:796
-
\??\c:\5rlxlrx.exec:\5rlxlrx.exe84⤵PID:872
-
\??\c:\m6446.exec:\m6446.exe85⤵PID:816
-
\??\c:\hnttnn.exec:\hnttnn.exe86⤵PID:2080
-
\??\c:\6006228.exec:\6006228.exe87⤵PID:836
-
\??\c:\5vjpp.exec:\5vjpp.exe88⤵PID:2412
-
\??\c:\nhhnnn.exec:\nhhnnn.exe89⤵PID:2372
-
\??\c:\0466606.exec:\0466606.exe90⤵PID:2920
-
\??\c:\1nbhhn.exec:\1nbhhn.exe91⤵PID:2248
-
\??\c:\q08444.exec:\q08444.exe92⤵PID:2528
-
\??\c:\s0804.exec:\s0804.exe93⤵PID:2928
-
\??\c:\a4280.exec:\a4280.exe94⤵PID:3020
-
\??\c:\820622.exec:\820622.exe95⤵PID:2364
-
\??\c:\084460.exec:\084460.exe96⤵PID:2076
-
\??\c:\lfrrrrx.exec:\lfrrrrx.exe97⤵PID:628
-
\??\c:\nbhhhb.exec:\nbhhhb.exe98⤵PID:1768
-
\??\c:\s8484.exec:\s8484.exe99⤵PID:2216
-
\??\c:\pjdjv.exec:\pjdjv.exe100⤵PID:2504
-
\??\c:\k26800.exec:\k26800.exe101⤵PID:2440
-
\??\c:\5rllrrx.exec:\5rllrrx.exe102⤵PID:2136
-
\??\c:\3flrrlr.exec:\3flrrlr.exe103⤵PID:1776
-
\??\c:\dpddd.exec:\dpddd.exe104⤵PID:2432
-
\??\c:\7hbbnb.exec:\7hbbnb.exe105⤵PID:1976
-
\??\c:\w02288.exec:\w02288.exe106⤵PID:440
-
\??\c:\3rxrrrr.exec:\3rxrrrr.exe107⤵PID:1028
-
\??\c:\jvdjv.exec:\jvdjv.exe108⤵PID:2208
-
\??\c:\u462822.exec:\u462822.exe109⤵PID:1412
-
\??\c:\xlrfffr.exec:\xlrfffr.exe110⤵PID:1604
-
\??\c:\868226.exec:\868226.exe111⤵PID:1056
-
\??\c:\xrflrrf.exec:\xrflrrf.exe112⤵PID:2516
-
\??\c:\5tbtnn.exec:\5tbtnn.exe113⤵PID:1924
-
\??\c:\64668.exec:\64668.exe114⤵PID:1508
-
\??\c:\htbtnh.exec:\htbtnh.exe115⤵PID:2660
-
\??\c:\vpjjv.exec:\vpjjv.exe116⤵PID:2816
-
\??\c:\xrllllr.exec:\xrllllr.exe117⤵PID:1588
-
\??\c:\bnnhhn.exec:\bnnhhn.exe118⤵PID:2416
-
\??\c:\8024444.exec:\8024444.exe119⤵PID:2836
-
\??\c:\w42882.exec:\w42882.exe120⤵PID:2728
-
\??\c:\pvdpj.exec:\pvdpj.exe121⤵PID:2864
-
\??\c:\w26288.exec:\w26288.exe122⤵PID:2740