Analysis
-
max time kernel
150s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64 arch:x86 image:win7-20240708-en locale:en-us os:windows7-x64 system -
submitted
23-12-2024 00:54
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
91475bff7a076ca7ea758b4b746c35e3dc72cc71c19d339a364d3b63a1987051.exe
Resource
win7-20240708-en
windows7-x64
7 signatures
150 seconds
General
-
Target
91475bff7a076ca7ea758b4b746c35e3dc72cc71c19d339a364d3b63a1987051.exe
-
Size
454KB
-
MD5
1390d192e4d3caaf5d1e113cbe77b659
-
SHA1
ae2efe64d9791170c790fb700a14ed4999ec667b
-
SHA256
91475bff7a076ca7ea758b4b746c35e3dc72cc71c19d339a364d3b63a1987051
-
SHA512
5698693d36b45f5a5b5cf591bc7b3eb702ac960f9cd00482d7f8c42abcc95310eb0030188ecad03319173d4f8516b1bd0ef4108a260e0cce849890b4d241b630
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe6:q7Tc2NYHUrAwfMp3CD6
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 45 IoCs
resource yara_rule behavioral1/memory/3048-10-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2984-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2832-28-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/284-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2336-42-0x00000000002B0000-0x00000000002DA000-memory.dmp family_blackmoon behavioral1/memory/2336-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2644-57-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2164-73-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2924-78-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2812-100-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2556-108-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3032-119-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2016-134-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2112-142-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1876-159-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1488-168-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/828-208-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2300-218-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1084-221-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/744-235-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1868-284-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2912-303-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2484-311-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2704-355-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3036-368-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2704-375-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2724-382-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/2584-390-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1920-448-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/1392-455-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1332-489-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1736-490-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/656-510-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2076-585-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2664-636-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1964-669-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2160-750-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2424-790-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2768-873-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/2120-876-0x0000000000280000-0x00000000002AA000-memory.dmp family_blackmoon behavioral1/memory/2224-1063-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/688-1200-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon 
behavioral1/memory/2796-1255-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2364-1349-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/2484-1364-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 3048 s4280.exe 2832 4860202.exe 284 288282.exe 2336 e64848.exe 2644 80666.exe 2760 46222.exe 2164 468422.exe 2924 nbbttt.exe 2900 w80064.exe 2812 m2884.exe 2556 lfrxxxf.exe 2720 pvvvp.exe 3032 4686606.exe 2016 u026228.exe 2112 9frfxxr.exe 1324 tththh.exe 1876 64606.exe 1488 9vddj.exe 1916 xlrrrrx.exe 2860 m2406.exe 2132 jvvvv.exe 2184 7frlllr.exe 828 dpppp.exe 2300 i026666.exe 1084 462282.exe 744 rflrrrx.exe 1548 u200006.exe 532 2004440.exe 2524 pdjpp.exe 572 0806662.exe 1048 46880.exe 1868 jvjjp.exe 3044 ffxxlrf.exe 1616 llfllrl.exe 2912 6400624.exe 1932 9rrfxxl.exe 2484 vpjjp.exe 1924 i662006.exe 2348 rllrflr.exe 3024 a6060.exe 2280 e86622.exe 2452 608844.exe 2704 9lfrffr.exe 2828 60280.exe 3036 dvjjp.exe 2840 m4280.exe 2724 60280.exe 2548 04842.exe 2584 206626.exe 1980 086062.exe 2600 860060.exe 1984 w60644.exe 2248 tnhhtb.exe 2092 xlllxxl.exe 1288 04220.exe 1148 vpjpd.exe 1920 w08288.exe 1392 8684846.exe 1768 0800840.exe 2876 ttbbhn.exe 2184 2028062.exe 1828 fxlrxxf.exe 1332 vjjvd.exe 1736 m0848.exe -
resource yara_rule behavioral1/memory/3048-10-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2984-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2832-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/284-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/284-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2336-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2644-57-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2164-73-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2924-78-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2812-100-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2556-108-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3032-119-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2016-134-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2112-142-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1876-159-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1488-168-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/828-208-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2300-218-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1084-221-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/744-235-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1868-284-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2912-303-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3044-310-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2484-311-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2280-336-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2704-355-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3036-368-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2704-375-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2548-383-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2584-390-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1980-397-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1392-455-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1768-456-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1332-489-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1736-490-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/656-510-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2076-578-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/284-586-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2076-585-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2708-593-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2664-636-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1964-669-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1740-683-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2160-750-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1556-763-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1840-783-0x0000000000320000-0x000000000034A000-memory.dmp upx behavioral1/memory/1800-834-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2304-854-0x0000000000220000-0x000000000024A000-memory.dmp upx 
behavioral1/memory/2768-873-0x0000000000320000-0x000000000034A000-memory.dmp upx behavioral1/memory/2120-876-0x0000000000280000-0x00000000002AA000-memory.dmp upx behavioral1/memory/2924-893-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2664-901-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3060-938-0x00000000003D0000-0x00000000003FA000-memory.dmp upx behavioral1/memory/848-969-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2792-1037-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1604-1088-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2924-1163-0x0000000000230000-0x000000000025A000-memory.dmp upx behavioral1/memory/2724-1174-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2916-1330-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2364-1349-0x00000000003B0000-0x00000000003DA000-memory.dmp upx behavioral1/memory/2484-1364-0x0000000000220000-0x000000000024A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfflxfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 260284.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language w08444.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language w44886.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 640066.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 24620.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4206624.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbttbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 60280.exe 
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5nnhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 680004.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxlfffr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2984 wrote to memory of 3048 2984 91475bff7a076ca7ea758b4b746c35e3dc72cc71c19d339a364d3b63a1987051.exe 30 PID 2984 wrote to memory of 3048 2984 91475bff7a076ca7ea758b4b746c35e3dc72cc71c19d339a364d3b63a1987051.exe 30 PID 2984 wrote to memory of 3048 2984 91475bff7a076ca7ea758b4b746c35e3dc72cc71c19d339a364d3b63a1987051.exe 30 PID 2984 wrote to memory of 3048 2984 91475bff7a076ca7ea758b4b746c35e3dc72cc71c19d339a364d3b63a1987051.exe 30 PID 3048 wrote to memory of 2832 3048 s4280.exe 31 PID 3048 wrote to memory of 2832 3048 s4280.exe 31 PID 3048 wrote to memory of 2832 3048 s4280.exe 31 PID 3048 wrote to memory of 2832 3048 s4280.exe 31 PID 2832 wrote to memory of 284 2832 4860202.exe 32 PID 2832 wrote to memory of 284 2832 4860202.exe 32 PID 2832 wrote to memory of 284 2832 4860202.exe 32 PID 2832 wrote to memory of 284 2832 4860202.exe 32 PID 284 wrote to memory of 2336 284 288282.exe 33 PID 284 wrote to memory of 2336 284 288282.exe 33 PID 284 wrote to memory of 2336 284 288282.exe 33 PID 284 wrote to memory of 2336 284 288282.exe 33 PID 2336 wrote to memory of 2644 2336 e64848.exe 34 PID 2336 wrote to memory of 2644 2336 e64848.exe 34 PID 2336 wrote to memory of 2644 2336 e64848.exe 34 PID 2336 wrote to memory of 2644 2336 e64848.exe 34 PID 2644 wrote to memory of 2760 2644 80666.exe 35 PID 2644 wrote to memory of 2760 2644 80666.exe 35 PID 2644 wrote to memory of 2760 2644 80666.exe 35 PID 2644 wrote to memory of 2760 2644 80666.exe 35 PID 2760 wrote to memory of 2164 2760 46222.exe 36 PID 2760 wrote to memory of 2164 2760 46222.exe 36 PID 2760 wrote to memory of 2164 2760 46222.exe 36 PID 2760 wrote to memory of 2164 2760 46222.exe 36 PID 2164 wrote to memory of 2924 2164 468422.exe 37 PID 2164 wrote to memory of 2924 2164 468422.exe 37 PID 2164 wrote to memory of 2924 2164 468422.exe 37 PID 2164 wrote to memory of 2924 2164 468422.exe 37 PID 2924 wrote to memory of 2900 2924 nbbttt.exe 38 PID 2924 wrote to memory of 2900 
2924 nbbttt.exe 38 PID 2924 wrote to memory of 2900 2924 nbbttt.exe 38 PID 2924 wrote to memory of 2900 2924 nbbttt.exe 38 PID 2900 wrote to memory of 2812 2900 w80064.exe 39 PID 2900 wrote to memory of 2812 2900 w80064.exe 39 PID 2900 wrote to memory of 2812 2900 w80064.exe 39 PID 2900 wrote to memory of 2812 2900 w80064.exe 39 PID 2812 wrote to memory of 2556 2812 m2884.exe 40 PID 2812 wrote to memory of 2556 2812 m2884.exe 40 PID 2812 wrote to memory of 2556 2812 m2884.exe 40 PID 2812 wrote to memory of 2556 2812 m2884.exe 40 PID 2556 wrote to memory of 2720 2556 lfrxxxf.exe 41 PID 2556 wrote to memory of 2720 2556 lfrxxxf.exe 41 PID 2556 wrote to memory of 2720 2556 lfrxxxf.exe 41 PID 2556 wrote to memory of 2720 2556 lfrxxxf.exe 41 PID 2720 wrote to memory of 3032 2720 pvvvp.exe 42 PID 2720 wrote to memory of 3032 2720 pvvvp.exe 42 PID 2720 wrote to memory of 3032 2720 pvvvp.exe 42 PID 2720 wrote to memory of 3032 2720 pvvvp.exe 42 PID 3032 wrote to memory of 2016 3032 4686606.exe 43 PID 3032 wrote to memory of 2016 3032 4686606.exe 43 PID 3032 wrote to memory of 2016 3032 4686606.exe 43 PID 3032 wrote to memory of 2016 3032 4686606.exe 43 PID 2016 wrote to memory of 2112 2016 u026228.exe 44 PID 2016 wrote to memory of 2112 2016 u026228.exe 44 PID 2016 wrote to memory of 2112 2016 u026228.exe 44 PID 2016 wrote to memory of 2112 2016 u026228.exe 44 PID 2112 wrote to memory of 1324 2112 9frfxxr.exe 45 PID 2112 wrote to memory of 1324 2112 9frfxxr.exe 45 PID 2112 wrote to memory of 1324 2112 9frfxxr.exe 45 PID 2112 wrote to memory of 1324 2112 9frfxxr.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\91475bff7a076ca7ea758b4b746c35e3dc72cc71c19d339a364d3b63a1987051.exe"C:\Users\Admin\AppData\Local\Temp\91475bff7a076ca7ea758b4b746c35e3dc72cc71c19d339a364d3b63a1987051.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2984 -
\??\c:\s4280.exec:\s4280.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3048 -
\??\c:\4860202.exec:\4860202.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2832 -
\??\c:\288282.exec:\288282.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:284 -
\??\c:\e64848.exec:\e64848.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2336 -
\??\c:\80666.exec:\80666.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2644 -
\??\c:\46222.exec:\46222.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2760 -
\??\c:\468422.exec:\468422.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2164 -
\??\c:\nbbttt.exec:\nbbttt.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2924 -
\??\c:\w80064.exec:\w80064.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2900 -
\??\c:\m2884.exec:\m2884.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2812 -
\??\c:\lfrxxxf.exec:\lfrxxxf.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2556 -
\??\c:\pvvvp.exec:\pvvvp.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2720 -
\??\c:\4686606.exec:\4686606.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3032 -
\??\c:\u026228.exec:\u026228.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2016 -
\??\c:\9frfxxr.exec:\9frfxxr.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2112 -
\??\c:\tththh.exec:\tththh.exe17⤵
- Executes dropped EXE
PID:1324 -
\??\c:\64606.exec:\64606.exe18⤵
- Executes dropped EXE
PID:1876 -
\??\c:\9vddj.exec:\9vddj.exe19⤵
- Executes dropped EXE
PID:1488 -
\??\c:\xlrrrrx.exec:\xlrrrrx.exe20⤵
- Executes dropped EXE
PID:1916 -
\??\c:\m2406.exec:\m2406.exe21⤵
- Executes dropped EXE
PID:2860 -
\??\c:\jvvvv.exec:\jvvvv.exe22⤵
- Executes dropped EXE
PID:2132 -
\??\c:\7frlllr.exec:\7frlllr.exe23⤵
- Executes dropped EXE
PID:2184 -
\??\c:\dpppp.exec:\dpppp.exe24⤵
- Executes dropped EXE
PID:828 -
\??\c:\i026666.exec:\i026666.exe25⤵
- Executes dropped EXE
PID:2300 -
\??\c:\462282.exec:\462282.exe26⤵
- Executes dropped EXE
PID:1084 -
\??\c:\rflrrrx.exec:\rflrrrx.exe27⤵
- Executes dropped EXE
PID:744 -
\??\c:\u200006.exec:\u200006.exe28⤵
- Executes dropped EXE
PID:1548 -
\??\c:\2004440.exec:\2004440.exe29⤵
- Executes dropped EXE
PID:532 -
\??\c:\pdjpp.exec:\pdjpp.exe30⤵
- Executes dropped EXE
PID:2524 -
\??\c:\0806662.exec:\0806662.exe31⤵
- Executes dropped EXE
PID:572 -
\??\c:\46880.exec:\46880.exe32⤵
- Executes dropped EXE
PID:1048 -
\??\c:\jvjjp.exec:\jvjjp.exe33⤵
- Executes dropped EXE
PID:1868 -
\??\c:\ffxxlrf.exec:\ffxxlrf.exe34⤵
- Executes dropped EXE
PID:3044 -
\??\c:\llfllrl.exec:\llfllrl.exe35⤵
- Executes dropped EXE
PID:1616 -
\??\c:\6400624.exec:\6400624.exe36⤵
- Executes dropped EXE
PID:2912 -
\??\c:\9rrfxxl.exec:\9rrfxxl.exe37⤵
- Executes dropped EXE
PID:1932 -
\??\c:\vpjjp.exec:\vpjjp.exe38⤵
- Executes dropped EXE
PID:2484 -
\??\c:\i662006.exec:\i662006.exe39⤵
- Executes dropped EXE
PID:1924 -
\??\c:\rllrflr.exec:\rllrflr.exe40⤵
- Executes dropped EXE
PID:2348 -
\??\c:\a6060.exec:\a6060.exe41⤵
- Executes dropped EXE
PID:3024 -
\??\c:\e86622.exec:\e86622.exe42⤵
- Executes dropped EXE
PID:2280 -
\??\c:\608844.exec:\608844.exe43⤵
- Executes dropped EXE
PID:2452 -
\??\c:\9lfrffr.exec:\9lfrffr.exe44⤵
- Executes dropped EXE
PID:2704 -
\??\c:\60280.exec:\60280.exe45⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2828 -
\??\c:\dvjjp.exec:\dvjjp.exe46⤵
- Executes dropped EXE
PID:3036 -
\??\c:\m4280.exec:\m4280.exe47⤵
- Executes dropped EXE
PID:2840 -
\??\c:\60280.exec:\60280.exe48⤵
- Executes dropped EXE
PID:2724 -
\??\c:\04842.exec:\04842.exe49⤵
- Executes dropped EXE
PID:2548 -
\??\c:\206626.exec:\206626.exe50⤵
- Executes dropped EXE
PID:2584 -
\??\c:\086062.exec:\086062.exe51⤵
- Executes dropped EXE
PID:1980 -
\??\c:\860060.exec:\860060.exe52⤵
- Executes dropped EXE
PID:2600 -
\??\c:\w60644.exec:\w60644.exe53⤵
- Executes dropped EXE
PID:1984 -
\??\c:\tnhhtb.exec:\tnhhtb.exe54⤵
- Executes dropped EXE
PID:2248 -
\??\c:\xlllxxl.exec:\xlllxxl.exe55⤵
- Executes dropped EXE
PID:2092 -
\??\c:\04220.exec:\04220.exe56⤵
- Executes dropped EXE
PID:1288 -
\??\c:\vpjpd.exec:\vpjpd.exe57⤵
- Executes dropped EXE
PID:1148 -
\??\c:\w08288.exec:\w08288.exe58⤵
- Executes dropped EXE
PID:1920 -
\??\c:\8684846.exec:\8684846.exe59⤵
- Executes dropped EXE
PID:1392 -
\??\c:\0800840.exec:\0800840.exe60⤵
- Executes dropped EXE
PID:1768 -
\??\c:\ttbbhn.exec:\ttbbhn.exe61⤵
- Executes dropped EXE
PID:2876 -
\??\c:\2028062.exec:\2028062.exe62⤵
- Executes dropped EXE
PID:2184 -
\??\c:\fxlrxxf.exec:\fxlrxxf.exe63⤵
- Executes dropped EXE
PID:1828 -
\??\c:\vjjvd.exec:\vjjvd.exe64⤵
- Executes dropped EXE
PID:1332 -
\??\c:\m0848.exec:\m0848.exe65⤵
- Executes dropped EXE
PID:1736 -
\??\c:\1htbnt.exec:\1htbnt.exe66⤵PID:2376
-
\??\c:\3frrxfl.exec:\3frrxfl.exe67⤵PID:656
-
\??\c:\7vdjp.exec:\7vdjp.exe68⤵PID:1548
-
\??\c:\jdpvv.exec:\jdpvv.exe69⤵PID:2328
-
\??\c:\8688068.exec:\8688068.exe70⤵PID:552
-
\??\c:\1thhnt.exec:\1thhnt.exe71⤵PID:1776
-
\??\c:\frffrrl.exec:\frffrrl.exe72⤵PID:2416
-
\??\c:\428844.exec:\428844.exe73⤵PID:2204
-
\??\c:\260284.exec:\260284.exe74⤵
- System Location Discovery: System Language Discovery
PID:2216 -
\??\c:\3fflllr.exec:\3fflllr.exe75⤵PID:2992
-
\??\c:\nhhhnn.exec:\nhhhnn.exe76⤵PID:2488
-
\??\c:\7xlfxrr.exec:\7xlfxrr.exe77⤵PID:1800
-
\??\c:\hbtbtb.exec:\hbtbtb.exe78⤵PID:2464
-
\??\c:\5pjvp.exec:\5pjvp.exe79⤵PID:2076
-
\??\c:\1jjpv.exec:\1jjpv.exe80⤵PID:284
-
\??\c:\26846.exec:\26846.exe81⤵PID:2708
-
\??\c:\5nbthn.exec:\5nbthn.exe82⤵PID:2752
-
\??\c:\4262846.exec:\4262846.exe83⤵PID:2280
-
\??\c:\tntttt.exec:\tntttt.exe84⤵PID:2684
-
\??\c:\1pdvv.exec:\1pdvv.exe85⤵PID:2148
-
\??\c:\2022442.exec:\2022442.exe86⤵PID:2924
-
\??\c:\e80408.exec:\e80408.exe87⤵PID:2664
-
\??\c:\246022.exec:\246022.exe88⤵PID:1596
-
\??\c:\vpjjd.exec:\vpjjd.exe89⤵PID:2572
-
\??\c:\9hhbbb.exec:\9hhbbb.exe90⤵PID:3004
-
\??\c:\fxxfrxl.exec:\fxxfrxl.exe91⤵PID:1744
-
\??\c:\446284.exec:\446284.exe92⤵PID:2584
-
\??\c:\o866262.exec:\o866262.exe93⤵PID:1964
-
\??\c:\vjjjj.exec:\vjjjj.exe94⤵PID:372
-
\??\c:\xrlrfll.exec:\xrlrfll.exe95⤵PID:1740
-
\??\c:\86408.exec:\86408.exe96⤵PID:2044
-
\??\c:\3xrfxxx.exec:\3xrfxxx.exe97⤵PID:1816
-
\??\c:\vpddd.exec:\vpddd.exe98⤵PID:1144
-
\??\c:\q04444.exec:\q04444.exe99⤵PID:1444
-
\??\c:\802222.exec:\802222.exe100⤵PID:2796
-
\??\c:\0806220.exec:\0806220.exe101⤵PID:2844
-
\??\c:\3xrrxfr.exec:\3xrrxfr.exe102⤵PID:1768
-
\??\c:\0446402.exec:\0446402.exe103⤵PID:2152
-
\??\c:\pjjpv.exec:\pjjpv.exe104⤵PID:1624
-
\??\c:\vjvvj.exec:\vjvvj.exe105⤵PID:2160
-
\??\c:\82006.exec:\82006.exe106⤵PID:1720
-
\??\c:\pjddj.exec:\pjddj.exe107⤵PID:1220
-
\??\c:\lxffllx.exec:\lxffllx.exe108⤵PID:1556
-
\??\c:\vpjdj.exec:\vpjdj.exe109⤵PID:632
-
\??\c:\0866824.exec:\0866824.exe110⤵PID:1840
-
\??\c:\bnhnbh.exec:\bnhnbh.exe111⤵PID:2424
-
\??\c:\6006886.exec:\6006886.exe112⤵PID:984
-
\??\c:\028882.exec:\028882.exe113⤵PID:1764
-
\??\c:\g6288.exec:\g6288.exe114⤵PID:536
-
\??\c:\2084066.exec:\2084066.exe115⤵PID:2400
-
\??\c:\c028884.exec:\c028884.exe116⤵PID:1584
-
\??\c:\24482.exec:\24482.exe117⤵PID:1604
-
\??\c:\4866668.exec:\4866668.exe118⤵PID:1944
-
\??\c:\3dddj.exec:\3dddj.exe119⤵PID:1800
-
\??\c:\2066224.exec:\2066224.exe120⤵PID:2464
-
\??\c:\26408.exec:\26408.exe121⤵PID:2304
-
\??\c:\48068.exec:\48068.exe122⤵PID:2348