Analysis
-
max time kernel
150s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64 arch:x86 image:win7-20241010-en locale:en-us os:windows7-x64 system -
submitted
17-12-2024 20:49
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
2788c1f61eae2a0ad4d2c0cb18cc441fa2e15541e877e5a816cb08ab6a379b30.exe
Resource
win7-20241010-en
windows7-x64
7 signatures
150 seconds
General
-
Target
2788c1f61eae2a0ad4d2c0cb18cc441fa2e15541e877e5a816cb08ab6a379b30.exe
-
Size
347KB
-
MD5
0de95bd87f843c0056a6b5857c176c39
-
SHA1
0c4bc06ac82bd47a8bd8ba46b85c10e83428f698
-
SHA256
2788c1f61eae2a0ad4d2c0cb18cc441fa2e15541e877e5a816cb08ab6a379b30
-
SHA512
eff6f75235fb386cf8ae5554076a138b3f6128f1ea5261f16929443cc18872ab73e3aaf668438dca81dfbdccaed4a2409bba4e7e01e9ef5662ada52c0b7a24b6
-
SSDEEP
6144:Xcm7ImGddXgYW5fNZWB5hFfci3Add4kGYAd:l7TcbWXZshJX2VGdd
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 54 IoCs
resource yara_rule behavioral1/memory/2024-10-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral1/memory/1656-7-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral1/memory/2452-26-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral1/memory/2452-28-0x00000000001B0000-0x00000000001D8000-memory.dmp family_blackmoon behavioral1/memory/2176-38-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral1/memory/1000-46-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral1/memory/2800-65-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral1/memory/2680-70-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral1/memory/2452-69-0x00000000001B0000-0x00000000001D8000-memory.dmp family_blackmoon behavioral1/memory/1920-57-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral1/memory/2680-75-0x0000000000220000-0x0000000000248000-memory.dmp family_blackmoon behavioral1/memory/2976-85-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral1/memory/2820-95-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral1/memory/2544-104-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral1/memory/2696-114-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral1/memory/2820-127-0x0000000000230000-0x0000000000258000-memory.dmp family_blackmoon behavioral1/memory/672-143-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral1/memory/672-141-0x0000000000250000-0x0000000000278000-memory.dmp family_blackmoon behavioral1/memory/1608-161-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral1/memory/2580-169-0x0000000000220000-0x0000000000248000-memory.dmp family_blackmoon behavioral1/memory/2860-186-0x0000000000220000-0x0000000000248000-memory.dmp family_blackmoon 
behavioral1/memory/2860-188-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral1/memory/332-198-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral1/memory/1112-207-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral1/memory/1036-216-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral1/memory/1700-231-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral1/memory/1160-227-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral1/memory/1160-225-0x0000000000220000-0x0000000000248000-memory.dmp family_blackmoon behavioral1/memory/1752-261-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral1/memory/636-270-0x0000000000220000-0x0000000000248000-memory.dmp family_blackmoon behavioral1/memory/2276-279-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral1/memory/2368-288-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral1/memory/2432-305-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral1/memory/1908-319-0x0000000000220000-0x0000000000248000-memory.dmp family_blackmoon behavioral1/memory/1984-339-0x0000000000220000-0x0000000000248000-memory.dmp family_blackmoon behavioral1/memory/1940-353-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral1/memory/2960-352-0x0000000000220000-0x0000000000248000-memory.dmp family_blackmoon behavioral1/memory/2636-410-0x00000000001B0000-0x00000000001D8000-memory.dmp family_blackmoon behavioral1/memory/2044-417-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral1/memory/1972-430-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral1/memory/1504-453-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral1/memory/1504-452-0x00000000002F0000-0x0000000000318000-memory.dmp family_blackmoon 
behavioral1/memory/2260-445-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral1/memory/2124-490-0x00000000001B0000-0x00000000001D8000-memory.dmp family_blackmoon behavioral1/memory/744-548-0x0000000000220000-0x0000000000248000-memory.dmp family_blackmoon behavioral1/memory/2892-569-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral1/memory/1900-613-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral1/memory/2316-650-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral1/memory/672-730-0x0000000000220000-0x0000000000248000-memory.dmp family_blackmoon behavioral1/memory/2312-785-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral1/memory/2368-854-0x00000000003A0000-0x00000000003C8000-memory.dmp family_blackmoon behavioral1/memory/1528-879-0x00000000001B0000-0x00000000001D8000-memory.dmp family_blackmoon behavioral1/memory/744-1114-0x00000000003A0000-0x00000000003C8000-memory.dmp family_blackmoon behavioral1/memory/2336-1217-0x00000000002D0000-0x00000000002F8000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2024 a0806.exe 2452 k26244.exe 2176 9vjjv.exe 1000 020022.exe 1920 284062.exe 2800 fxxrrrx.exe 2680 hhntht.exe 2976 dvvdv.exe 2820 lfrfrfr.exe 2544 rlfxflx.exe 2696 3ttbtt.exe 2596 i824668.exe 2492 9thnbh.exe 672 5nbbhn.exe 1864 fxllffl.exe 1608 lrxrlxx.exe 2580 ddvjv.exe 2624 008462.exe 2860 20806.exe 332 c688884.exe 1112 82468.exe 1036 vdvdv.exe 1160 60802.exe 1700 6068620.exe 1796 446222.exe 1268 7rlllfr.exe 1752 82024.exe 636 ddpdj.exe 2276 jpppj.exe 2368 4484664.exe 1028 08064.exe 2432 c664662.exe 1100 424466.exe 1908 u084624.exe 2248 082826.exe 2452 rlxrxxl.exe 1984 btbtbb.exe 2196 fxrrxxf.exe 2960 60020.exe 1940 4228628.exe 2808 djdjp.exe 2012 642402.exe 2680 tnhnbb.exe 2788 g8624.exe 2708 bbhtbb.exe 2820 3frxxlr.exe 2544 fxffllf.exe 2636 4862840.exe 2044 vvpdj.exe 2572 pdvpp.exe 1972 6486404.exe 2720 60862.exe 2260 bbtbht.exe 1504 bthnnb.exe 948 fxlrffr.exe 1668 1hnnbt.exe 2256 60846.exe 828 btbbhh.exe 580 m6046.exe 2124 9bhntb.exe 592 220284.exe 1848 nnhhnh.exe 448 djjjp.exe 1080 dvjjp.exe -
resource yara_rule behavioral1/memory/2024-10-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/1656-7-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/2452-26-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/2452-18-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/2176-38-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/1000-46-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/2800-65-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/2680-70-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/2452-69-0x00000000001B0000-0x00000000001D8000-memory.dmp upx behavioral1/memory/1920-57-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/2976-85-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/2820-95-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/2544-104-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/2596-115-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/2696-114-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/2820-127-0x0000000000230000-0x0000000000258000-memory.dmp upx behavioral1/memory/672-143-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/1608-161-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/2860-188-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/332-198-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/1112-207-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/1036-216-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/1700-231-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/1160-227-0x0000000000400000-0x0000000000428000-memory.dmp upx 
behavioral1/memory/1752-253-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/1752-261-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/2276-279-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/2368-288-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/2432-305-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/1908-312-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/1940-353-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/2044-417-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/2720-431-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/1972-430-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/2260-438-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/1504-453-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/2260-445-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/2892-562-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/2892-569-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/2304-570-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/1900-613-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/2316-650-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/2648-663-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/2312-785-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/556-835-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/1732-897-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/1008-964-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/1516-1007-0x0000000000400000-0x0000000000428000-memory.dmp upx 
behavioral1/memory/948-1020-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/1664-1031-0x0000000000220000-0x0000000000248000-memory.dmp upx behavioral1/memory/1304-1082-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/744-1107-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/1528-1158-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/2240-1185-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/2336-1210-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral1/memory/2764-1224-0x0000000000400000-0x0000000000428000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language g4886.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 02446.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvddp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language g8046.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language i868068.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 824440.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 260200.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 484444.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not 
Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7nbttt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 064406.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrrrrxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htntbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1656 wrote to memory of 2024 1656 2788c1f61eae2a0ad4d2c0cb18cc441fa2e15541e877e5a816cb08ab6a379b30.exe 28 PID 1656 wrote to memory of 2024 1656 2788c1f61eae2a0ad4d2c0cb18cc441fa2e15541e877e5a816cb08ab6a379b30.exe 28 PID 1656 wrote to memory of 2024 1656 2788c1f61eae2a0ad4d2c0cb18cc441fa2e15541e877e5a816cb08ab6a379b30.exe 28 PID 1656 wrote to memory of 2024 1656 2788c1f61eae2a0ad4d2c0cb18cc441fa2e15541e877e5a816cb08ab6a379b30.exe 28 PID 2024 wrote to memory of 2452 2024 a0806.exe 29 PID 2024 wrote to memory of 2452 2024 a0806.exe 29 PID 2024 wrote to memory of 2452 2024 a0806.exe 29 PID 2024 wrote to memory of 2452 2024 a0806.exe 29 PID 2452 wrote to memory of 2176 2452 k26244.exe 30 PID 2452 wrote to memory of 2176 2452 k26244.exe 30 PID 2452 wrote to memory of 2176 2452 k26244.exe 30 PID 2452 wrote to memory of 2176 2452 k26244.exe 30 PID 2176 wrote to memory of 1000 2176 9vjjv.exe 31 PID 2176 wrote to memory of 1000 2176 9vjjv.exe 31 PID 2176 wrote to memory of 1000 2176 9vjjv.exe 31 PID 2176 wrote to memory of 1000 2176 9vjjv.exe 31 PID 1000 wrote to memory of 1920 1000 020022.exe 32 PID 1000 wrote to memory of 1920 1000 020022.exe 32 PID 1000 wrote to memory of 1920 1000 020022.exe 32 PID 1000 wrote to memory of 1920 1000 020022.exe 32 PID 1920 wrote to memory of 2800 1920 284062.exe 33 PID 1920 wrote to memory of 2800 1920 284062.exe 33 PID 1920 wrote to memory of 2800 1920 284062.exe 33 PID 1920 wrote to memory of 2800 1920 284062.exe 33 PID 2800 wrote to memory of 2680 2800 fxxrrrx.exe 34 PID 2800 wrote to memory of 2680 2800 fxxrrrx.exe 34 PID 2800 wrote to memory of 2680 2800 fxxrrrx.exe 34 PID 2800 wrote to memory of 2680 2800 fxxrrrx.exe 34 PID 2680 wrote to memory of 2976 2680 hhntht.exe 35 PID 2680 wrote to memory of 2976 2680 hhntht.exe 35 PID 2680 wrote to memory of 2976 2680 hhntht.exe 35 PID 2680 wrote to memory of 2976 2680 hhntht.exe 35 PID 2976 wrote to memory of 2820 2976 dvvdv.exe 36 PID 2976 wrote to 
memory of 2820 2976 dvvdv.exe 36 PID 2976 wrote to memory of 2820 2976 dvvdv.exe 36 PID 2976 wrote to memory of 2820 2976 dvvdv.exe 36 PID 2820 wrote to memory of 2544 2820 lfrfrfr.exe 37 PID 2820 wrote to memory of 2544 2820 lfrfrfr.exe 37 PID 2820 wrote to memory of 2544 2820 lfrfrfr.exe 37 PID 2820 wrote to memory of 2544 2820 lfrfrfr.exe 37 PID 2544 wrote to memory of 2696 2544 rlfxflx.exe 38 PID 2544 wrote to memory of 2696 2544 rlfxflx.exe 38 PID 2544 wrote to memory of 2696 2544 rlfxflx.exe 38 PID 2544 wrote to memory of 2696 2544 rlfxflx.exe 38 PID 2696 wrote to memory of 2596 2696 3ttbtt.exe 39 PID 2696 wrote to memory of 2596 2696 3ttbtt.exe 39 PID 2696 wrote to memory of 2596 2696 3ttbtt.exe 39 PID 2696 wrote to memory of 2596 2696 3ttbtt.exe 39 PID 2596 wrote to memory of 2492 2596 i824668.exe 40 PID 2596 wrote to memory of 2492 2596 i824668.exe 40 PID 2596 wrote to memory of 2492 2596 i824668.exe 40 PID 2596 wrote to memory of 2492 2596 i824668.exe 40 PID 2492 wrote to memory of 672 2492 9thnbh.exe 41 PID 2492 wrote to memory of 672 2492 9thnbh.exe 41 PID 2492 wrote to memory of 672 2492 9thnbh.exe 41 PID 2492 wrote to memory of 672 2492 9thnbh.exe 41 PID 672 wrote to memory of 1864 672 5nbbhn.exe 42 PID 672 wrote to memory of 1864 672 5nbbhn.exe 42 PID 672 wrote to memory of 1864 672 5nbbhn.exe 42 PID 672 wrote to memory of 1864 672 5nbbhn.exe 42 PID 1864 wrote to memory of 1608 1864 fxllffl.exe 43 PID 1864 wrote to memory of 1608 1864 fxllffl.exe 43 PID 1864 wrote to memory of 1608 1864 fxllffl.exe 43 PID 1864 wrote to memory of 1608 1864 fxllffl.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\2788c1f61eae2a0ad4d2c0cb18cc441fa2e15541e877e5a816cb08ab6a379b30.exe"C:\Users\Admin\AppData\Local\Temp\2788c1f61eae2a0ad4d2c0cb18cc441fa2e15541e877e5a816cb08ab6a379b30.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1656 -
\??\c:\a0806.exec:\a0806.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2024 -
\??\c:\k26244.exec:\k26244.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2452 -
\??\c:\9vjjv.exec:\9vjjv.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2176 -
\??\c:\020022.exec:\020022.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1000 -
\??\c:\284062.exec:\284062.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1920 -
\??\c:\fxxrrrx.exec:\fxxrrrx.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2800 -
\??\c:\hhntht.exec:\hhntht.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2680 -
\??\c:\dvvdv.exec:\dvvdv.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2976 -
\??\c:\lfrfrfr.exec:\lfrfrfr.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2820 -
\??\c:\rlfxflx.exec:\rlfxflx.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2544 -
\??\c:\3ttbtt.exec:\3ttbtt.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2696 -
\??\c:\i824668.exec:\i824668.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2596 -
\??\c:\9thnbh.exec:\9thnbh.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2492 -
\??\c:\5nbbhn.exec:\5nbbhn.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:672 -
\??\c:\fxllffl.exec:\fxllffl.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1864 -
\??\c:\lrxrlxx.exec:\lrxrlxx.exe17⤵
- Executes dropped EXE
PID:1608 -
\??\c:\ddvjv.exec:\ddvjv.exe18⤵
- Executes dropped EXE
PID:2580 -
\??\c:\008462.exec:\008462.exe19⤵
- Executes dropped EXE
PID:2624 -
\??\c:\20806.exec:\20806.exe20⤵
- Executes dropped EXE
PID:2860 -
\??\c:\c688884.exec:\c688884.exe21⤵
- Executes dropped EXE
PID:332 -
\??\c:\82468.exec:\82468.exe22⤵
- Executes dropped EXE
PID:1112 -
\??\c:\vdvdv.exec:\vdvdv.exe23⤵
- Executes dropped EXE
PID:1036 -
\??\c:\60802.exec:\60802.exe24⤵
- Executes dropped EXE
PID:1160 -
\??\c:\6068620.exec:\6068620.exe25⤵
- Executes dropped EXE
PID:1700 -
\??\c:\446222.exec:\446222.exe26⤵
- Executes dropped EXE
PID:1796 -
\??\c:\7rlllfr.exec:\7rlllfr.exe27⤵
- Executes dropped EXE
PID:1268 -
\??\c:\82024.exec:\82024.exe28⤵
- Executes dropped EXE
PID:1752 -
\??\c:\ddpdj.exec:\ddpdj.exe29⤵
- Executes dropped EXE
PID:636 -
\??\c:\jpppj.exec:\jpppj.exe30⤵
- Executes dropped EXE
PID:2276 -
\??\c:\4484664.exec:\4484664.exe31⤵
- Executes dropped EXE
PID:2368 -
\??\c:\08064.exec:\08064.exe32⤵
- Executes dropped EXE
PID:1028 -
\??\c:\c664662.exec:\c664662.exe33⤵
- Executes dropped EXE
PID:2432 -
\??\c:\424466.exec:\424466.exe34⤵
- Executes dropped EXE
PID:1100 -
\??\c:\u084624.exec:\u084624.exe35⤵
- Executes dropped EXE
PID:1908 -
\??\c:\082826.exec:\082826.exe36⤵
- Executes dropped EXE
PID:2248 -
\??\c:\rlxrxxl.exec:\rlxrxxl.exe37⤵
- Executes dropped EXE
PID:2452 -
\??\c:\btbtbb.exec:\btbtbb.exe38⤵
- Executes dropped EXE
PID:1984 -
\??\c:\fxrrxxf.exec:\fxrrxxf.exe39⤵
- Executes dropped EXE
PID:2196 -
\??\c:\60020.exec:\60020.exe40⤵
- Executes dropped EXE
PID:2960 -
\??\c:\4228628.exec:\4228628.exe41⤵
- Executes dropped EXE
PID:1940 -
\??\c:\djdjp.exec:\djdjp.exe42⤵
- Executes dropped EXE
PID:2808 -
\??\c:\642402.exec:\642402.exe43⤵
- Executes dropped EXE
PID:2012 -
\??\c:\tnhnbb.exec:\tnhnbb.exe44⤵
- Executes dropped EXE
PID:2680 -
\??\c:\g8624.exec:\g8624.exe45⤵
- Executes dropped EXE
PID:2788 -
\??\c:\bbhtbb.exec:\bbhtbb.exe46⤵
- Executes dropped EXE
PID:2708 -
\??\c:\3frxxlr.exec:\3frxxlr.exe47⤵
- Executes dropped EXE
PID:2820 -
\??\c:\fxffllf.exec:\fxffllf.exe48⤵
- Executes dropped EXE
PID:2544 -
\??\c:\4862840.exec:\4862840.exe49⤵
- Executes dropped EXE
PID:2636 -
\??\c:\vvpdj.exec:\vvpdj.exe50⤵
- Executes dropped EXE
PID:2044 -
\??\c:\pdvpp.exec:\pdvpp.exe51⤵
- Executes dropped EXE
PID:2572 -
\??\c:\6486404.exec:\6486404.exe52⤵
- Executes dropped EXE
PID:1972 -
\??\c:\60862.exec:\60862.exe53⤵
- Executes dropped EXE
PID:2720 -
\??\c:\bbtbht.exec:\bbtbht.exe54⤵
- Executes dropped EXE
PID:2260 -
\??\c:\bthnnb.exec:\bthnnb.exe55⤵
- Executes dropped EXE
PID:1504 -
\??\c:\fxlrffr.exec:\fxlrffr.exe56⤵
- Executes dropped EXE
PID:948 -
\??\c:\1hnnbt.exec:\1hnnbt.exe57⤵
- Executes dropped EXE
PID:1668 -
\??\c:\60846.exec:\60846.exe58⤵
- Executes dropped EXE
PID:2256 -
\??\c:\btbbhh.exec:\btbbhh.exe59⤵
- Executes dropped EXE
PID:828 -
\??\c:\m6046.exec:\m6046.exe60⤵
- Executes dropped EXE
PID:580 -
\??\c:\9bhntb.exec:\9bhntb.exe61⤵
- Executes dropped EXE
PID:2124 -
\??\c:\220284.exec:\220284.exe62⤵
- Executes dropped EXE
PID:592 -
\??\c:\nnhhnh.exec:\nnhhnh.exe63⤵
- Executes dropped EXE
PID:1848 -
\??\c:\djjjp.exec:\djjjp.exe64⤵
- Executes dropped EXE
PID:448 -
\??\c:\dvjjp.exec:\dvjjp.exe65⤵
- Executes dropped EXE
PID:1080 -
\??\c:\04624.exec:\04624.exe66⤵PID:1212
-
\??\c:\26464.exec:\26464.exe67⤵PID:1376
-
\??\c:\tnnnnn.exec:\tnnnnn.exe68⤵PID:1540
-
\??\c:\o262442.exec:\o262442.exe69⤵PID:1216
-
\??\c:\bnnntt.exec:\bnnntt.exe70⤵PID:744
-
\??\c:\02286.exec:\02286.exe71⤵PID:556
-
\??\c:\60846.exec:\60846.exe72⤵PID:636
-
\??\c:\1vppd.exec:\1vppd.exe73⤵PID:2892
-
\??\c:\frflxfr.exec:\frflxfr.exe74⤵PID:2304
-
\??\c:\8264806.exec:\8264806.exe75⤵PID:2408
-
\??\c:\8640224.exec:\8640224.exe76⤵PID:2376
-
\??\c:\pjjpj.exec:\pjjpj.exe77⤵PID:1440
-
\??\c:\fxlrxrf.exec:\fxlrxrf.exe78⤵PID:1520
-
\??\c:\fxflrxf.exec:\fxflrxf.exe79⤵PID:1892
-
\??\c:\hhnnth.exec:\hhnnth.exe80⤵PID:1900
-
\??\c:\20406.exec:\20406.exe81⤵PID:2236
-
\??\c:\bbthtb.exec:\bbthtb.exe82⤵PID:2464
-
\??\c:\thttnh.exec:\thttnh.exe83⤵PID:1744
-
\??\c:\dddvv.exec:\dddvv.exe84⤵PID:2712
-
\??\c:\824606.exec:\824606.exe85⤵PID:1920
-
\??\c:\9ththh.exec:\9ththh.exe86⤵PID:2316
-
\??\c:\jdpjp.exec:\jdpjp.exe87⤵PID:2800
-
\??\c:\e42266.exec:\e42266.exe88⤵PID:1884
-
\??\c:\rlrxfrf.exec:\rlrxfrf.exe89⤵PID:2648
-
\??\c:\3flllxf.exec:\3flllxf.exe90⤵PID:2656
-
\??\c:\5jvvv.exec:\5jvvv.exe91⤵PID:2708
-
\??\c:\426888.exec:\426888.exe92⤵PID:2516
-
\??\c:\2684002.exec:\2684002.exe93⤵PID:2544
-
\??\c:\82406.exec:\82406.exe94⤵PID:2636
-
\??\c:\260684.exec:\260684.exe95⤵PID:1648
-
\??\c:\86406.exec:\86406.exe96⤵PID:2572
-
\??\c:\flflxxr.exec:\flflxxr.exe97⤵PID:2748
-
\??\c:\vvjpd.exec:\vvjpd.exe98⤵PID:2720
-
\??\c:\jjjjp.exec:\jjjjp.exe99⤵PID:672
-
\??\c:\04846.exec:\04846.exe100⤵PID:1408
-
\??\c:\0028020.exec:\0028020.exe101⤵PID:1672
-
\??\c:\04284.exec:\04284.exe102⤵PID:2508
-
\??\c:\3btbtt.exec:\3btbtt.exe103⤵PID:824
-
\??\c:\444406.exec:\444406.exe104⤵PID:2256
-
\??\c:\bbnnth.exec:\bbnnth.exe105⤵PID:828
-
\??\c:\26628.exec:\26628.exe106⤵PID:580
-
\??\c:\jdvdj.exec:\jdvdj.exe107⤵PID:2884
-
\??\c:\2206808.exec:\2206808.exe108⤵PID:2312
-
\??\c:\pjvjv.exec:\pjvjv.exe109⤵PID:1848
-
\??\c:\2684002.exec:\2684002.exe110⤵PID:1076
-
\??\c:\046668.exec:\046668.exe111⤵PID:1080
-
\??\c:\rlxrxxf.exec:\rlxrxxf.exe112⤵PID:1164
-
\??\c:\86400.exec:\86400.exe113⤵PID:1376
-
\??\c:\w22226.exec:\w22226.exe114⤵PID:1312
-
\??\c:\8204002.exec:\8204002.exe115⤵PID:852
-
\??\c:\2028440.exec:\2028440.exe116⤵PID:1244
-
\??\c:\4462262.exec:\4462262.exe117⤵PID:556
-
\??\c:\64246.exec:\64246.exe118⤵PID:2276
-
\??\c:\4806224.exec:\4806224.exe119⤵PID:2368
-
\??\c:\8486464.exec:\8486464.exe120⤵PID:888
-
\??\c:\jdvpp.exec:\jdvpp.exe121⤵PID:3000
-
\??\c:\0866228.exec:\0866228.exe122⤵PID:2432