Analysis
-
max time kernel
150s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20241023-en -
resource tags
arch:x64 arch:x86 image:win7-20241023-en locale:en-us os:windows7-x64 system -
submitted
19-12-2024 01:47
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
abd7048939512740ab1deaf4c795e7d94657e3f61ee0ca03d6b4484259c5d245.exe
Resource
win7-20241023-en
windows7-x64
7 signatures
150 seconds
General
-
Target
abd7048939512740ab1deaf4c795e7d94657e3f61ee0ca03d6b4484259c5d245.exe
-
Size
454KB
-
MD5
b0ed066228c36f715ac3b14440c01d17
-
SHA1
0fe302f0f6cded692d118304d762df9e8ed6cbf8
-
SHA256
abd7048939512740ab1deaf4c795e7d94657e3f61ee0ca03d6b4484259c5d245
-
SHA512
de74dbd511c625feca3a8a88a46dc6ac565e37e7a61f22c1607ce11e9dde7e412eceea2c10b04f8f29bb33b5e5930b477ad3027404a8c4223f0c0ab635a55c27
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe3:q7Tc2NYHUrAwfMp3CD3
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 57 IoCs
resource yara_rule behavioral1/memory/692-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2352-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1056-27-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2072-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2464-45-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3064-53-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2156-62-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2156-63-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2760-81-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2156-93-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2636-106-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2508-117-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3012-134-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2960-142-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1152-154-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2500-169-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1812-186-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1184-195-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/448-212-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1908-254-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2136-271-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/660-275-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2608-315-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/2388-349-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2848-357-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2836-365-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/772-373-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/772-372-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2268-381-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2268-380-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2004-384-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/2660-396-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2660-395-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/2064-404-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/308-448-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1408-451-0x0000000000230000-0x000000000025A000-memory.dmp family_blackmoon behavioral1/memory/2280-463-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2052-470-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2052-472-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2052-471-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1996-485-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2092-511-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2136-556-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1908-557-0x00000000005C0000-0x00000000005EA000-memory.dmp family_blackmoon behavioral1/memory/2032-632-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/2864-636-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/3000-666-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/2536-674-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3000-686-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/1148-723-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/384-774-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2984-793-0x0000000000430000-0x000000000045A000-memory.dmp family_blackmoon behavioral1/memory/1680-802-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/776-833-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2424-847-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1700-860-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1956-881-0x00000000002C0000-0x00000000002EA000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2352 vvvvd.exe 1056 7frxflr.exe 2072 s6062.exe 2464 bthntb.exe 3064 1fxrffl.exe 2156 7frrffr.exe 2904 ppvpp.exe 2760 68444.exe 2912 486284.exe 2808 5dpvd.exe 2636 a8002.exe 2804 5dvdj.exe 2508 vjvvv.exe 3012 2600686.exe 2960 4840284.exe 1768 g4880.exe 1152 lxflrlx.exe 2500 1jppv.exe 2512 rlflfrx.exe 1812 m6008.exe 1184 q82866.exe 1668 4428004.exe 448 tththh.exe 700 pjdjv.exe 1348 lfflxfr.exe 340 0422480.exe 1688 vvpjd.exe 1908 3rxrxxl.exe 2176 1rxlrxf.exe 2136 0828662.exe 660 i040284.exe 2028 640688.exe 2324 e02284.exe 1236 6404600.exe 2024 u480628.exe 2608 rllxlfl.exe 1956 2022408.exe 2032 xlfrxrf.exe 1256 nhtnnh.exe 1052 u206224.exe 2388 60840.exe 2848 ffxllrx.exe 2836 lfrrxrf.exe 772 a2442.exe 2268 9vpjp.exe 2004 24606.exe 2660 jvjpd.exe 2064 bhbtnt.exe 2976 2480406.exe 2964 bhhthb.exe 3012 6066802.exe 1372 i206820.exe 3020 rlxxxxx.exe 1180 hbnhnb.exe 308 04446.exe 1408 66468.exe 2280 tnhnnn.exe 2052 bbnbnh.exe 2444 048022.exe 1996 pjdjp.exe 384 200004.exe 448 vpdpv.exe 476 q08844.exe 2092 048084.exe -
resource yara_rule behavioral1/memory/2352-9-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/692-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2352-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1056-27-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2072-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2464-45-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3064-53-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2156-63-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2760-81-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2636-106-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2508-117-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3012-134-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2960-142-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1152-154-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2500-169-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1812-186-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/1184-195-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/448-212-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1908-254-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2136-271-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/660-275-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1052-337-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2388-349-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2848-358-0x0000000000320000-0x000000000034A000-memory.dmp upx 
behavioral1/memory/2848-357-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2836-365-0x00000000001B0000-0x00000000001DA000-memory.dmp upx behavioral1/memory/772-372-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2660-396-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2064-404-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1372-423-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/308-448-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2280-456-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2280-463-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2052-464-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2052-470-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1996-485-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2092-511-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2400-518-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2136-556-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1908-557-0x00000000005C0000-0x00000000005EA000-memory.dmp upx behavioral1/memory/2040-582-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2864-633-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2864-636-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2536-674-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2536-672-0x00000000003A0000-0x00000000003CA000-memory.dmp upx behavioral1/memory/1148-716-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2424-847-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1700-860-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2348-867-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/1956-874-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2032-889-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btnntt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbnntt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 820082.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6640624.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 888008.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language o422406.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 60844.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8202428.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrrfrfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jddjp.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 692 wrote to memory of 2352 692 abd7048939512740ab1deaf4c795e7d94657e3f61ee0ca03d6b4484259c5d245.exe 30 PID 692 wrote to memory of 2352 692 abd7048939512740ab1deaf4c795e7d94657e3f61ee0ca03d6b4484259c5d245.exe 30 PID 692 wrote to memory of 2352 692 abd7048939512740ab1deaf4c795e7d94657e3f61ee0ca03d6b4484259c5d245.exe 30 PID 692 wrote to memory of 2352 692 abd7048939512740ab1deaf4c795e7d94657e3f61ee0ca03d6b4484259c5d245.exe 30 PID 2352 wrote to memory of 1056 2352 vvvvd.exe 31 PID 2352 wrote to memory of 1056 2352 vvvvd.exe 31 PID 2352 wrote to memory of 1056 2352 vvvvd.exe 31 PID 2352 wrote to memory of 1056 2352 vvvvd.exe 31 PID 1056 wrote to memory of 2072 1056 7frxflr.exe 32 PID 1056 wrote to memory of 2072 1056 7frxflr.exe 32 PID 1056 wrote to memory of 2072 1056 7frxflr.exe 32 PID 1056 wrote to memory of 2072 1056 7frxflr.exe 32 PID 2072 wrote to memory of 2464 2072 s6062.exe 33 PID 2072 wrote to memory of 2464 2072 s6062.exe 33 PID 2072 wrote to memory of 2464 2072 s6062.exe 33 PID 2072 wrote to memory of 2464 2072 s6062.exe 33 PID 2464 wrote to memory of 3064 2464 bthntb.exe 34 PID 2464 wrote to memory of 3064 2464 bthntb.exe 34 PID 2464 wrote to memory of 3064 2464 bthntb.exe 34 PID 2464 wrote to memory of 3064 2464 bthntb.exe 34 PID 3064 wrote to memory of 2156 3064 1fxrffl.exe 35 PID 3064 wrote to memory of 2156 3064 1fxrffl.exe 35 PID 3064 wrote to memory of 2156 3064 1fxrffl.exe 35 PID 3064 wrote to memory of 2156 3064 1fxrffl.exe 35 PID 2156 wrote to memory of 2904 2156 7frrffr.exe 36 PID 2156 wrote to memory of 2904 2156 7frrffr.exe 36 PID 2156 wrote to memory of 2904 2156 7frrffr.exe 36 PID 2156 wrote to memory of 2904 2156 7frrffr.exe 36 PID 2904 wrote to memory of 2760 2904 ppvpp.exe 37 PID 2904 wrote to memory of 2760 2904 ppvpp.exe 37 PID 2904 wrote to memory of 2760 2904 ppvpp.exe 37 PID 2904 wrote to memory of 2760 2904 ppvpp.exe 37 PID 2760 wrote to memory of 2912 2760 68444.exe 38 PID 2760 wrote to 
memory of 2912 2760 68444.exe 38 PID 2760 wrote to memory of 2912 2760 68444.exe 38 PID 2760 wrote to memory of 2912 2760 68444.exe 38 PID 2912 wrote to memory of 2808 2912 486284.exe 39 PID 2912 wrote to memory of 2808 2912 486284.exe 39 PID 2912 wrote to memory of 2808 2912 486284.exe 39 PID 2912 wrote to memory of 2808 2912 486284.exe 39 PID 2808 wrote to memory of 2636 2808 5dpvd.exe 40 PID 2808 wrote to memory of 2636 2808 5dpvd.exe 40 PID 2808 wrote to memory of 2636 2808 5dpvd.exe 40 PID 2808 wrote to memory of 2636 2808 5dpvd.exe 40 PID 2636 wrote to memory of 2804 2636 a8002.exe 41 PID 2636 wrote to memory of 2804 2636 a8002.exe 41 PID 2636 wrote to memory of 2804 2636 a8002.exe 41 PID 2636 wrote to memory of 2804 2636 a8002.exe 41 PID 2804 wrote to memory of 2508 2804 5dvdj.exe 42 PID 2804 wrote to memory of 2508 2804 5dvdj.exe 42 PID 2804 wrote to memory of 2508 2804 5dvdj.exe 42 PID 2804 wrote to memory of 2508 2804 5dvdj.exe 42 PID 2508 wrote to memory of 3012 2508 vjvvv.exe 43 PID 2508 wrote to memory of 3012 2508 vjvvv.exe 43 PID 2508 wrote to memory of 3012 2508 vjvvv.exe 43 PID 2508 wrote to memory of 3012 2508 vjvvv.exe 43 PID 3012 wrote to memory of 2960 3012 2600686.exe 44 PID 3012 wrote to memory of 2960 3012 2600686.exe 44 PID 3012 wrote to memory of 2960 3012 2600686.exe 44 PID 3012 wrote to memory of 2960 3012 2600686.exe 44 PID 2960 wrote to memory of 1768 2960 4840284.exe 45 PID 2960 wrote to memory of 1768 2960 4840284.exe 45 PID 2960 wrote to memory of 1768 2960 4840284.exe 45 PID 2960 wrote to memory of 1768 2960 4840284.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\abd7048939512740ab1deaf4c795e7d94657e3f61ee0ca03d6b4484259c5d245.exe"C:\Users\Admin\AppData\Local\Temp\abd7048939512740ab1deaf4c795e7d94657e3f61ee0ca03d6b4484259c5d245.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:692 -
\??\c:\vvvvd.exec:\vvvvd.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2352 -
\??\c:\7frxflr.exec:\7frxflr.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1056 -
\??\c:\s6062.exec:\s6062.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2072 -
\??\c:\bthntb.exec:\bthntb.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2464 -
\??\c:\1fxrffl.exec:\1fxrffl.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3064 -
\??\c:\7frrffr.exec:\7frrffr.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2156 -
\??\c:\ppvpp.exec:\ppvpp.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2904 -
\??\c:\68444.exec:\68444.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2760 -
\??\c:\486284.exec:\486284.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2912 -
\??\c:\5dpvd.exec:\5dpvd.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2808 -
\??\c:\a8002.exec:\a8002.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2636 -
\??\c:\5dvdj.exec:\5dvdj.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2804 -
\??\c:\vjvvv.exec:\vjvvv.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2508 -
\??\c:\2600686.exec:\2600686.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3012 -
\??\c:\4840284.exec:\4840284.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2960 -
\??\c:\g4880.exec:\g4880.exe17⤵
- Executes dropped EXE
PID:1768 -
\??\c:\lxflrlx.exec:\lxflrlx.exe18⤵
- Executes dropped EXE
PID:1152 -
\??\c:\1jppv.exec:\1jppv.exe19⤵
- Executes dropped EXE
PID:2500 -
\??\c:\rlflfrx.exec:\rlflfrx.exe20⤵
- Executes dropped EXE
PID:2512 -
\??\c:\m6008.exec:\m6008.exe21⤵
- Executes dropped EXE
PID:1812 -
\??\c:\q82866.exec:\q82866.exe22⤵
- Executes dropped EXE
PID:1184 -
\??\c:\4428004.exec:\4428004.exe23⤵
- Executes dropped EXE
PID:1668 -
\??\c:\tththh.exec:\tththh.exe24⤵
- Executes dropped EXE
PID:448 -
\??\c:\pjdjv.exec:\pjdjv.exe25⤵
- Executes dropped EXE
PID:700 -
\??\c:\lfflxfr.exec:\lfflxfr.exe26⤵
- Executes dropped EXE
PID:1348 -
\??\c:\0422480.exec:\0422480.exe27⤵
- Executes dropped EXE
PID:340 -
\??\c:\vvpjd.exec:\vvpjd.exe28⤵
- Executes dropped EXE
PID:1688 -
\??\c:\3rxrxxl.exec:\3rxrxxl.exe29⤵
- Executes dropped EXE
PID:1908 -
\??\c:\1rxlrxf.exec:\1rxlrxf.exe30⤵
- Executes dropped EXE
PID:2176 -
\??\c:\0828662.exec:\0828662.exe31⤵
- Executes dropped EXE
PID:2136 -
\??\c:\i040284.exec:\i040284.exe32⤵
- Executes dropped EXE
PID:660 -
\??\c:\640688.exec:\640688.exe33⤵
- Executes dropped EXE
PID:2028 -
\??\c:\e02284.exec:\e02284.exe34⤵
- Executes dropped EXE
PID:2324 -
\??\c:\6404600.exec:\6404600.exe35⤵
- Executes dropped EXE
PID:1236 -
\??\c:\u480628.exec:\u480628.exe36⤵
- Executes dropped EXE
PID:2024 -
\??\c:\rllxlfl.exec:\rllxlfl.exe37⤵
- Executes dropped EXE
PID:2608 -
\??\c:\2022408.exec:\2022408.exe38⤵
- Executes dropped EXE
PID:1956 -
\??\c:\xlfrxrf.exec:\xlfrxrf.exe39⤵
- Executes dropped EXE
PID:2032 -
\??\c:\nhtnnh.exec:\nhtnnh.exe40⤵
- Executes dropped EXE
PID:1256 -
\??\c:\u206224.exec:\u206224.exe41⤵
- Executes dropped EXE
PID:1052 -
\??\c:\60840.exec:\60840.exe42⤵
- Executes dropped EXE
PID:2388 -
\??\c:\ffxllrx.exec:\ffxllrx.exe43⤵
- Executes dropped EXE
PID:2848 -
\??\c:\lfrrxrf.exec:\lfrrxrf.exe44⤵
- Executes dropped EXE
PID:2836 -
\??\c:\a2442.exec:\a2442.exe45⤵
- Executes dropped EXE
PID:772 -
\??\c:\9vpjp.exec:\9vpjp.exe46⤵
- Executes dropped EXE
PID:2268 -
\??\c:\24606.exec:\24606.exe47⤵
- Executes dropped EXE
PID:2004 -
\??\c:\jvjpd.exec:\jvjpd.exe48⤵
- Executes dropped EXE
PID:2660 -
\??\c:\bhbtnt.exec:\bhbtnt.exe49⤵
- Executes dropped EXE
PID:2064 -
\??\c:\2480406.exec:\2480406.exe50⤵
- Executes dropped EXE
PID:2976 -
\??\c:\bhhthb.exec:\bhhthb.exe51⤵
- Executes dropped EXE
PID:2964 -
\??\c:\6066802.exec:\6066802.exe52⤵
- Executes dropped EXE
PID:3012 -
\??\c:\i206820.exec:\i206820.exe53⤵
- Executes dropped EXE
PID:1372 -
\??\c:\rlxxxxx.exec:\rlxxxxx.exe54⤵
- Executes dropped EXE
PID:3020 -
\??\c:\hbnhnb.exec:\hbnhnb.exe55⤵
- Executes dropped EXE
PID:1180 -
\??\c:\04446.exec:\04446.exe56⤵
- Executes dropped EXE
PID:308 -
\??\c:\66468.exec:\66468.exe57⤵
- Executes dropped EXE
PID:1408 -
\??\c:\tnhnnn.exec:\tnhnnn.exe58⤵
- Executes dropped EXE
PID:2280 -
\??\c:\bbnbnh.exec:\bbnbnh.exe59⤵
- Executes dropped EXE
PID:2052 -
\??\c:\048022.exec:\048022.exe60⤵
- Executes dropped EXE
PID:2444 -
\??\c:\pjdjp.exec:\pjdjp.exe61⤵
- Executes dropped EXE
PID:1996 -
\??\c:\200004.exec:\200004.exe62⤵
- Executes dropped EXE
PID:384 -
\??\c:\vpdpv.exec:\vpdpv.exe63⤵
- Executes dropped EXE
PID:448 -
\??\c:\q08844.exec:\q08844.exe64⤵
- Executes dropped EXE
PID:476 -
\??\c:\048084.exec:\048084.exe65⤵
- Executes dropped EXE
PID:2092 -
\??\c:\rxfxrlf.exec:\rxfxrlf.exe66⤵PID:1680
-
\??\c:\64668.exec:\64668.exe67⤵PID:2400
-
\??\c:\vjvdj.exec:\vjvdj.exe68⤵PID:1528
-
\??\c:\a8228.exec:\a8228.exe69⤵PID:1908
-
\??\c:\2084008.exec:\2084008.exe70⤵PID:284
-
\??\c:\thbbnn.exec:\thbbnn.exe71⤵PID:1936
-
\??\c:\btbtbb.exec:\btbtbb.exe72⤵PID:2136
-
\??\c:\xlrxfff.exec:\xlrxfff.exe73⤵PID:980
-
\??\c:\6464646.exec:\6464646.exe74⤵PID:2380
-
\??\c:\4864662.exec:\4864662.exe75⤵PID:1480
-
\??\c:\jvjjj.exec:\jvjjj.exe76⤵PID:2540
-
\??\c:\26886.exec:\26886.exe77⤵PID:2040
-
\??\c:\1dpdd.exec:\1dpdd.exe78⤵PID:1940
-
\??\c:\9rffllr.exec:\9rffllr.exe79⤵PID:2724
-
\??\c:\dvjvj.exec:\dvjvj.exe80⤵PID:2928
-
\??\c:\bthhnn.exec:\bthhnn.exe81⤵PID:2032
-
\??\c:\ffrxflf.exec:\ffrxflf.exe82⤵PID:1076
-
\??\c:\m4280.exec:\m4280.exe83⤵PID:1052
-
\??\c:\q86622.exec:\q86622.exe84⤵PID:2776
-
\??\c:\lfrfllx.exec:\lfrfllx.exe85⤵PID:2864
-
\??\c:\04240.exec:\04240.exe86⤵PID:2836
-
\??\c:\206200.exec:\206200.exe87⤵PID:2880
-
\??\c:\202240.exec:\202240.exe88⤵PID:2760
-
\??\c:\w02244.exec:\w02244.exe89⤵PID:3000
-
\??\c:\7ttthh.exec:\7ttthh.exe90⤵PID:2536
-
\??\c:\o202846.exec:\o202846.exe91⤵PID:468
-
\??\c:\7dpvd.exec:\7dpvd.exe92⤵PID:804
-
\??\c:\26040.exec:\26040.exe93⤵PID:2496
-
\??\c:\q82200.exec:\q82200.exe94⤵PID:2492
-
\??\c:\dvvjd.exec:\dvvjd.exe95⤵PID:2896
-
\??\c:\60228.exec:\60228.exe96⤵PID:2988
-
\??\c:\9fllrxf.exec:\9fllrxf.exe97⤵PID:1148
-
\??\c:\606240.exec:\606240.exe98⤵PID:1896
-
\??\c:\3nhhtt.exec:\3nhhtt.exe99⤵PID:1804
-
\??\c:\tnhhbh.exec:\tnhhbh.exe100⤵PID:2544
-
\??\c:\2606624.exec:\2606624.exe101⤵PID:1972
-
\??\c:\pjdvv.exec:\pjdvv.exe102⤵PID:2564
-
\??\c:\8200820.exec:\8200820.exe103⤵PID:2444
-
\??\c:\lfrrffl.exec:\lfrrffl.exe104⤵PID:576
-
\??\c:\pppvv.exec:\pppvv.exe105⤵PID:384
-
\??\c:\jdppd.exec:\jdppd.exe106⤵PID:2384
-
\??\c:\k26246.exec:\k26246.exe107⤵PID:1712
-
\??\c:\xxrrfxl.exec:\xxrrfxl.exe108⤵PID:2984
-
\??\c:\48242.exec:\48242.exe109⤵PID:1680
-
\??\c:\xxrxflx.exec:\xxrxflx.exe110⤵PID:1576
-
\??\c:\3hthhh.exec:\3hthhh.exe111⤵PID:2428
-
\??\c:\btnnhh.exec:\btnnhh.exe112⤵PID:2420
-
\??\c:\864084.exec:\864084.exe113⤵PID:1464
-
\??\c:\086806.exec:\086806.exe114⤵PID:776
-
\??\c:\5dvpj.exec:\5dvpj.exe115⤵PID:1928
-
\??\c:\46406.exec:\46406.exe116⤵PID:2424
-
\??\c:\48688.exec:\48688.exe117⤵PID:2036
-
\??\c:\260244.exec:\260244.exe118⤵PID:1700
-
\??\c:\822800.exec:\822800.exe119⤵PID:2348
-
\??\c:\rrllrlr.exec:\rrllrlr.exe120⤵PID:2216
-
\??\c:\nnbbhh.exec:\nnbbhh.exe121⤵PID:1956
-
\??\c:\86826.exec:\86826.exe122⤵PID:1084