Analysis
-
max time kernel
150s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20241023-en -
resource tags
arch:x64 arch:x86 image:win7-20241023-en locale:en-us os:windows7-x64 system -
submitted
28/03/2025, 20:45
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
53df8220bc38607147b39face1985dbb22914a172749c880601e332d2a1b5e40.exe
Resource
win7-20241023-en
7 signatures
150 seconds
General
-
Target
53df8220bc38607147b39face1985dbb22914a172749c880601e332d2a1b5e40.exe
-
Size
458KB
-
MD5
9683bfdccf3ba351ee2d0e45d1ea2f45
-
SHA1
007580a6470dbd24a7b3f9446131f132d8107506
-
SHA256
53df8220bc38607147b39face1985dbb22914a172749c880601e332d2a1b5e40
-
SHA512
6c7a63b50d39f65117afda202ec37dbfe061631b7821c2fa8f858deb6b960e4f650bdc87880c6b9dc3be4928d4002c1c46f0f869761b9500dcefed105cfb0e81
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbebC:q7Tc2NYHUrAwfMp3CDO
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 43 IoCs
resource yara_rule behavioral1/memory/2396-8-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1960-20-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1632-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2032-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2884-45-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2800-56-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2988-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3044-77-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2808-88-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2728-103-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2588-113-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1636-130-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2764-140-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1976-143-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1976-146-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2880-167-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1848-178-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1664-188-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1848-181-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/1556-214-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/236-205-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/1800-224-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/852-233-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/852-236-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2260-265-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2800-354-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2716-385-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2016-404-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2012-431-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1020-510-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1928-511-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1488-517-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/1572-591-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/2948-618-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2704-625-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2024-721-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2116-809-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1532-840-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2296-884-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1124-1012-0x0000000000230000-0x000000000025A000-memory.dmp family_blackmoon behavioral1/memory/1072-1077-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2820-1166-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon 
behavioral1/memory/2812-1173-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1632 xrxrxrr.exe 1960 8602228.exe 2032 ffxrffx.exe 2884 26884.exe 2800 rfxxfxl.exe 2988 c424064.exe 3044 2066280.exe 2176 a0844.exe 2808 20662.exe 2728 vpjjv.exe 2588 q42828.exe 1032 9xxfxlf.exe 1636 w28466.exe 2764 48846.exe 1976 vjdvv.exe 2024 lrfrxxf.exe 2880 fxlrflr.exe 2436 lxlxxlr.exe 1848 u046408.exe 1664 hhbbhb.exe 1928 rxlxrrf.exe 236 g6422.exe 1556 48622.exe 1800 4288862.exe 852 8202222.exe 2144 1tnhtn.exe 700 jjpvv.exe 2260 0422046.exe 2280 1xrlllr.exe 1864 tthhtt.exe 904 42400.exe 2328 080622.exe 2120 thbbhh.exe 1540 3nhttn.exe 1644 2084040.exe 2428 20666.exe 2640 2060040.exe 2200 64846.exe 2804 m6842.exe 2960 w68400.exe 2800 pjpjj.exe 2976 pjjvv.exe 3048 4802446.exe 1348 46842.exe 1228 64220.exe 2716 20668.exe 2816 pjdjv.exe 2284 pjvdv.exe 2016 o022844.exe 3016 s2224.exe 1588 7vpdd.exe 1636 o268668.exe 2012 pdpvd.exe 868 0866822.exe 1932 5xlflrx.exe 2164 g2840.exe 2484 vpjvd.exe 2600 u084668.exe 1848 hnhnhh.exe 2452 fxfllfl.exe 788 7thbhb.exe 1928 xlxlxrx.exe 844 o284046.exe 2316 02266.exe -
resource yara_rule behavioral1/memory/2396-8-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1960-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1632-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2032-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2884-45-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2800-56-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3044-68-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2988-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2176-78-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3044-77-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2808-88-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2728-103-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2588-113-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1636-130-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2764-140-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1976-143-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2764-132-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2880-167-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1848-178-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1664-188-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1556-214-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/236-205-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1800-224-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/852-233-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2260-265-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2800-354-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2716-385-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2016-404-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3016-405-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2012-431-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/868-432-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2164-447-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2316-497-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1020-510-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2524-572-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1572-591-0x0000000000320000-0x000000000034A000-memory.dmp upx behavioral1/memory/2704-625-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2980-650-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2024-721-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1624-789-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2500-796-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2116-809-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1532-840-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2296-877-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2296-884-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1036-923-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2476-1039-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1532-1115-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2488-1146-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2348-1180-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1564-1227-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/3068-1249-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2124-1262-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1848-1281-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim host in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language u022068.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htbhhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e46266.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language g2840.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frfxlll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 266022.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9hhntb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a4840.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7vpdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpjpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frlflfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2264286.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 480060.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnbhnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dddjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 420684.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1tnhtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e82282.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2396 wrote to memory of 1632 2396 53df8220bc38607147b39face1985dbb22914a172749c880601e332d2a1b5e40.exe 30 PID 2396 wrote to memory of 1632 2396 53df8220bc38607147b39face1985dbb22914a172749c880601e332d2a1b5e40.exe 30 PID 2396 wrote to memory of 1632 2396 53df8220bc38607147b39face1985dbb22914a172749c880601e332d2a1b5e40.exe 30 PID 2396 wrote to memory of 1632 2396 53df8220bc38607147b39face1985dbb22914a172749c880601e332d2a1b5e40.exe 30 PID 1632 wrote to memory of 1960 1632 xrxrxrr.exe 31 PID 1632 wrote to memory of 1960 1632 xrxrxrr.exe 31 PID 1632 wrote to memory of 1960 1632 xrxrxrr.exe 31 PID 1632 wrote to memory of 1960 1632 xrxrxrr.exe 31 PID 1960 wrote to memory of 2032 1960 8602228.exe 32 PID 1960 wrote to memory of 2032 1960 8602228.exe 32 PID 1960 wrote to memory of 2032 1960 8602228.exe 32 PID 1960 wrote to memory of 2032 1960 8602228.exe 32 PID 2032 wrote to memory of 2884 2032 ffxrffx.exe 33 PID 2032 wrote to memory of 2884 2032 ffxrffx.exe 33 PID 2032 wrote to memory of 2884 2032 ffxrffx.exe 33 PID 2032 wrote to memory of 2884 2032 ffxrffx.exe 33 PID 2884 wrote to memory of 2800 2884 26884.exe 34 PID 2884 wrote to memory of 2800 2884 26884.exe 34 PID 2884 wrote to memory of 2800 2884 26884.exe 34 PID 2884 wrote to memory of 2800 2884 26884.exe 34 PID 2800 wrote to memory of 2988 2800 rfxxfxl.exe 35 PID 2800 wrote to memory of 2988 2800 rfxxfxl.exe 35 PID 2800 wrote to memory of 2988 2800 rfxxfxl.exe 35 PID 2800 wrote to memory of 2988 2800 rfxxfxl.exe 35 PID 2988 wrote to memory of 3044 2988 c424064.exe 36 PID 2988 wrote to memory of 3044 2988 c424064.exe 36 PID 2988 wrote to memory of 3044 2988 c424064.exe 36 PID 2988 wrote to memory of 3044 2988 c424064.exe 36 PID 3044 wrote to memory of 2176 3044 2066280.exe 37 PID 3044 wrote to memory of 2176 3044 2066280.exe 37 PID 3044 wrote to memory of 2176 3044 2066280.exe 37 PID 3044 wrote to memory of 2176 3044 2066280.exe 37 PID 2176 wrote to memory of 2808 2176 
a0844.exe 38 PID 2176 wrote to memory of 2808 2176 a0844.exe 38 PID 2176 wrote to memory of 2808 2176 a0844.exe 38 PID 2176 wrote to memory of 2808 2176 a0844.exe 38 PID 2808 wrote to memory of 2728 2808 20662.exe 39 PID 2808 wrote to memory of 2728 2808 20662.exe 39 PID 2808 wrote to memory of 2728 2808 20662.exe 39 PID 2808 wrote to memory of 2728 2808 20662.exe 39 PID 2728 wrote to memory of 2588 2728 vpjjv.exe 40 PID 2728 wrote to memory of 2588 2728 vpjjv.exe 40 PID 2728 wrote to memory of 2588 2728 vpjjv.exe 40 PID 2728 wrote to memory of 2588 2728 vpjjv.exe 40 PID 2588 wrote to memory of 1032 2588 q42828.exe 41 PID 2588 wrote to memory of 1032 2588 q42828.exe 41 PID 2588 wrote to memory of 1032 2588 q42828.exe 41 PID 2588 wrote to memory of 1032 2588 q42828.exe 41 PID 1032 wrote to memory of 1636 1032 9xxfxlf.exe 42 PID 1032 wrote to memory of 1636 1032 9xxfxlf.exe 42 PID 1032 wrote to memory of 1636 1032 9xxfxlf.exe 42 PID 1032 wrote to memory of 1636 1032 9xxfxlf.exe 42 PID 1636 wrote to memory of 2764 1636 w28466.exe 43 PID 1636 wrote to memory of 2764 1636 w28466.exe 43 PID 1636 wrote to memory of 2764 1636 w28466.exe 43 PID 1636 wrote to memory of 2764 1636 w28466.exe 43 PID 2764 wrote to memory of 1976 2764 48846.exe 44 PID 2764 wrote to memory of 1976 2764 48846.exe 44 PID 2764 wrote to memory of 1976 2764 48846.exe 44 PID 2764 wrote to memory of 1976 2764 48846.exe 44 PID 1976 wrote to memory of 2024 1976 vjdvv.exe 45 PID 1976 wrote to memory of 2024 1976 vjdvv.exe 45 PID 1976 wrote to memory of 2024 1976 vjdvv.exe 45 PID 1976 wrote to memory of 2024 1976 vjdvv.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\53df8220bc38607147b39face1985dbb22914a172749c880601e332d2a1b5e40.exe"C:\Users\Admin\AppData\Local\Temp\53df8220bc38607147b39face1985dbb22914a172749c880601e332d2a1b5e40.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2396 -
\??\c:\xrxrxrr.exec:\xrxrxrr.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1632 -
\??\c:\8602228.exec:\8602228.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1960 -
\??\c:\ffxrffx.exec:\ffxrffx.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2032 -
\??\c:\26884.exec:\26884.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2884 -
\??\c:\rfxxfxl.exec:\rfxxfxl.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2800 -
\??\c:\c424064.exec:\c424064.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2988 -
\??\c:\2066280.exec:\2066280.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3044 -
\??\c:\a0844.exec:\a0844.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2176 -
\??\c:\20662.exec:\20662.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2808 -
\??\c:\vpjjv.exec:\vpjjv.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2728 -
\??\c:\q42828.exec:\q42828.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2588 -
\??\c:\9xxfxlf.exec:\9xxfxlf.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1032 -
\??\c:\w28466.exec:\w28466.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1636 -
\??\c:\48846.exec:\48846.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2764 -
\??\c:\vjdvv.exec:\vjdvv.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1976 -
\??\c:\lrfrxxf.exec:\lrfrxxf.exe17⤵
- Executes dropped EXE
PID:2024 -
\??\c:\fxlrflr.exec:\fxlrflr.exe18⤵
- Executes dropped EXE
PID:2880 -
\??\c:\lxlxxlr.exec:\lxlxxlr.exe19⤵
- Executes dropped EXE
PID:2436 -
\??\c:\u046408.exec:\u046408.exe20⤵
- Executes dropped EXE
PID:1848 -
\??\c:\hhbbhb.exec:\hhbbhb.exe21⤵
- Executes dropped EXE
PID:1664 -
\??\c:\rxlxrrf.exec:\rxlxrrf.exe22⤵
- Executes dropped EXE
PID:1928 -
\??\c:\g6422.exec:\g6422.exe23⤵
- Executes dropped EXE
PID:236 -
\??\c:\48622.exec:\48622.exe24⤵
- Executes dropped EXE
PID:1556 -
\??\c:\4288862.exec:\4288862.exe25⤵
- Executes dropped EXE
PID:1800 -
\??\c:\8202222.exec:\8202222.exe26⤵
- Executes dropped EXE
PID:852 -
\??\c:\1tnhtn.exec:\1tnhtn.exe27⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2144 -
\??\c:\jjpvv.exec:\jjpvv.exe28⤵
- Executes dropped EXE
PID:700 -
\??\c:\0422046.exec:\0422046.exe29⤵
- Executes dropped EXE
PID:2260 -
\??\c:\1xrlllr.exec:\1xrlllr.exe30⤵
- Executes dropped EXE
PID:2280 -
\??\c:\tthhtt.exec:\tthhtt.exe31⤵
- Executes dropped EXE
PID:1864 -
\??\c:\42400.exec:\42400.exe32⤵
- Executes dropped EXE
PID:904 -
\??\c:\080622.exec:\080622.exe33⤵
- Executes dropped EXE
PID:2328 -
\??\c:\thbbhh.exec:\thbbhh.exe34⤵
- Executes dropped EXE
PID:2120 -
\??\c:\3nhttn.exec:\3nhttn.exe35⤵
- Executes dropped EXE
PID:1540 -
\??\c:\2084040.exec:\2084040.exe36⤵
- Executes dropped EXE
PID:1644 -
\??\c:\20666.exec:\20666.exe37⤵
- Executes dropped EXE
PID:2428 -
\??\c:\2060040.exec:\2060040.exe38⤵
- Executes dropped EXE
PID:2640 -
\??\c:\64846.exec:\64846.exe39⤵
- Executes dropped EXE
PID:2200 -
\??\c:\m6842.exec:\m6842.exe40⤵
- Executes dropped EXE
PID:2804 -
\??\c:\w68400.exec:\w68400.exe41⤵
- Executes dropped EXE
PID:2960 -
\??\c:\pjpjj.exec:\pjpjj.exe42⤵
- Executes dropped EXE
PID:2800 -
\??\c:\pjjvv.exec:\pjjvv.exe43⤵
- Executes dropped EXE
PID:2976 -
\??\c:\4802446.exec:\4802446.exe44⤵
- Executes dropped EXE
PID:3048 -
\??\c:\46842.exec:\46842.exe45⤵
- Executes dropped EXE
PID:1348 -
\??\c:\64220.exec:\64220.exe46⤵
- Executes dropped EXE
PID:1228 -
\??\c:\20668.exec:\20668.exe47⤵
- Executes dropped EXE
PID:2716 -
\??\c:\pjdjv.exec:\pjdjv.exe48⤵
- Executes dropped EXE
PID:2816 -
\??\c:\pjvdv.exec:\pjvdv.exe49⤵
- Executes dropped EXE
PID:2284 -
\??\c:\o022844.exec:\o022844.exe50⤵
- Executes dropped EXE
PID:2016 -
\??\c:\s2224.exec:\s2224.exe51⤵
- Executes dropped EXE
PID:3016 -
\??\c:\7vpdd.exec:\7vpdd.exe52⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1588 -
\??\c:\o268668.exec:\o268668.exe53⤵
- Executes dropped EXE
PID:1636 -
\??\c:\pdpvd.exec:\pdpvd.exe54⤵
- Executes dropped EXE
PID:2012 -
\??\c:\0866822.exec:\0866822.exe55⤵
- Executes dropped EXE
PID:868 -
\??\c:\5xlflrx.exec:\5xlflrx.exe56⤵
- Executes dropped EXE
PID:1932 -
\??\c:\g2840.exec:\g2840.exe57⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2164 -
\??\c:\vpjvd.exec:\vpjvd.exe58⤵
- Executes dropped EXE
PID:2484 -
\??\c:\u084668.exec:\u084668.exe59⤵
- Executes dropped EXE
PID:2600 -
\??\c:\hnhnhh.exec:\hnhnhh.exe60⤵
- Executes dropped EXE
PID:1848 -
\??\c:\fxfllfl.exec:\fxfllfl.exe61⤵
- Executes dropped EXE
PID:2452 -
\??\c:\7thbhb.exec:\7thbhb.exe62⤵
- Executes dropped EXE
PID:788 -
\??\c:\xlxlxrx.exec:\xlxlxrx.exe63⤵
- Executes dropped EXE
PID:1928 -
\??\c:\o284046.exec:\o284046.exe64⤵
- Executes dropped EXE
PID:844 -
\??\c:\02266.exec:\02266.exe65⤵
- Executes dropped EXE
PID:2316 -
\??\c:\rlxxfxr.exec:\rlxxfxr.exe66⤵PID:1020
-
\??\c:\8628480.exec:\8628480.exe67⤵PID:1488
-
\??\c:\bnbnnh.exec:\bnbnnh.exe68⤵PID:616
-
\??\c:\5llxrrl.exec:\5llxrrl.exe69⤵PID:2144
-
\??\c:\286246.exec:\286246.exe70⤵PID:2432
-
\??\c:\xxflxrf.exec:\xxflxrf.exe71⤵PID:988
-
\??\c:\2000662.exec:\2000662.exe72⤵PID:2280
-
\??\c:\4244262.exec:\4244262.exe73⤵PID:2320
-
\??\c:\xlxxlrx.exec:\xlxxlrx.exe74⤵PID:2648
-
\??\c:\422244.exec:\422244.exe75⤵PID:1596
-
\??\c:\flrlrll.exec:\flrlrll.exe76⤵PID:2524
-
\??\c:\w44628.exec:\w44628.exe77⤵PID:2576
-
\??\c:\664028.exec:\664028.exe78⤵PID:1572
-
\??\c:\608400.exec:\608400.exe79⤵PID:1544
-
\??\c:\2884046.exec:\2884046.exe80⤵PID:2032
-
\??\c:\dvpjp.exec:\dvpjp.exe81⤵PID:824
-
\??\c:\08664.exec:\08664.exe82⤵PID:2948
-
\??\c:\hbntbb.exec:\hbntbb.exe83⤵PID:2560
-
\??\c:\08842.exec:\08842.exe84⤵PID:2704
-
\??\c:\0800228.exec:\0800228.exe85⤵PID:2988
-
\??\c:\m2006.exec:\m2006.exe86⤵PID:3044
-
\??\c:\8640220.exec:\8640220.exe87⤵PID:2868
-
\??\c:\rxflflr.exec:\rxflflr.exe88⤵PID:2980
-
\??\c:\jdvvj.exec:\jdvvj.exe89⤵PID:2692
-
\??\c:\7vvpv.exec:\7vvpv.exe90⤵PID:480
-
\??\c:\vpjpd.exec:\vpjpd.exe91⤵
- System Location Discovery: System Language Discovery
PID:2220 -
\??\c:\g6444.exec:\g6444.exe92⤵PID:2604
-
\??\c:\pjppj.exec:\pjppj.exe93⤵PID:3016
-
\??\c:\2066600.exec:\2066600.exe94⤵PID:2920
-
\??\c:\9fllflr.exec:\9fllflr.exe95⤵PID:3004
-
\??\c:\ppjdj.exec:\ppjdj.exe96⤵PID:3020
-
\??\c:\jdvjv.exec:\jdvjv.exe97⤵PID:3032
-
\??\c:\dpdjp.exec:\dpdjp.exe98⤵PID:2024
-
\??\c:\vjvvd.exec:\vjvvd.exe99⤵PID:556
-
\??\c:\hbnbnt.exec:\hbnbnt.exe100⤵PID:2272
-
\??\c:\lflxlfl.exec:\lflxlfl.exe101⤵PID:2300
-
\??\c:\bnbhhh.exec:\bnbhhh.exe102⤵PID:1900
-
\??\c:\nbtbhb.exec:\nbtbhb.exe103⤵PID:2148
-
\??\c:\u206262.exec:\u206262.exe104⤵PID:2332
-
\??\c:\7tnnnn.exec:\7tnnnn.exe105⤵PID:1712
-
\??\c:\btbhtn.exec:\btbhtn.exe106⤵PID:2476
-
\??\c:\hhnntb.exec:\hhnntb.exe107⤵PID:1728
-
\??\c:\5nbtbt.exec:\5nbtbt.exe108⤵PID:352
-
\??\c:\0828480.exec:\0828480.exe109⤵PID:1704
-
\??\c:\nbnhhh.exec:\nbnhhh.exe110⤵PID:1624
-
\??\c:\a0860.exec:\a0860.exe111⤵PID:2500
-
\??\c:\862844.exec:\862844.exe112⤵PID:2116
-
\??\c:\dvddp.exec:\dvddp.exe113⤵PID:2388
-
\??\c:\2640624.exec:\2640624.exe114⤵PID:2096
-
\??\c:\e86240.exec:\e86240.exe115⤵PID:1436
-
\??\c:\668622.exec:\668622.exe116⤵PID:1864
-
\??\c:\rlrflrx.exec:\rlrflrx.exe117⤵PID:1892
-
\??\c:\24868.exec:\24868.exe118⤵PID:1532
-
\??\c:\646660.exec:\646660.exe119⤵PID:2536
-
\??\c:\vvppv.exec:\vvppv.exe120⤵PID:1936
-
\??\c:\60840.exec:\60840.exe121⤵PID:1972
-
\??\c:\5rxffxl.exec:\5rxffxl.exe122⤵PID:1484