Analysis
-
max time kernel
150s -
max time network
124s -
platform
windows7_x64 -
resource
win7-20241023-en -
resource tags
arch:x64 arch:x86 image:win7-20241023-en locale:en-us os:windows7-x64 system -
submitted
23-12-2024 01:51
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
a650db69d805c629016e5705102f67b67ad7d55b8adcd2647b048d01f3aab36c.exe
Resource
win7-20241023-en
windows7-x64
7 signatures
150 seconds
General
-
Target
a650db69d805c629016e5705102f67b67ad7d55b8adcd2647b048d01f3aab36c.exe
-
Size
454KB
-
MD5
f8f6ec6fadaf04363fd0418180be5de2
-
SHA1
38e5b815fa41c5809c14e98a5ea577ed524661a9
-
SHA256
a650db69d805c629016e5705102f67b67ad7d55b8adcd2647b048d01f3aab36c
-
SHA512
99f2e9b4e8db08abe7a1ee59ae39871863bbb04fbeed8799f1883d242791492bfd60470878c1c52152775ce3ffa86452df8cac4d92c581e16358543a7d877e82
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeM:q7Tc2NYHUrAwfMp3CDM
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 48 IoCs
resource yara_rule behavioral1/memory/2412-1-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2516-16-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2396-26-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2448-34-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/580-53-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2984-63-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2296-75-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2296-73-0x00000000003D0000-0x00000000003FA000-memory.dmp family_blackmoon behavioral1/memory/2152-83-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2368-105-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2700-102-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2836-93-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1432-122-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2656-134-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1484-132-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1624-148-0x00000000003D0000-0x00000000003FA000-memory.dmp family_blackmoon behavioral1/memory/1540-178-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/292-189-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1520-199-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/904-209-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2068-244-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/1036-261-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/696-282-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2636-302-0x0000000077100000-0x000000007721F000-memory.dmp family_blackmoon behavioral1/memory/2636-300-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1500-310-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2612-315-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/2612-320-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2880-377-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1320-419-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2372-436-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/804-463-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1540-471-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2900-472-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1540-470-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/904-499-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2000-514-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1648-561-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1152-574-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/1536-587-0x00000000005C0000-0x00000000005EA000-memory.dmp family_blackmoon behavioral1/memory/2504-616-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2836-678-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/1304-698-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2020-711-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1324-766-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/764-809-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/1488-866-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/320-898-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2516 bbhnhh.exe 2396 xlxlrrx.exe 2448 4806482.exe 1040 666826.exe 580 7jvjv.exe 2984 8644884.exe 2296 pjvdp.exe 2152 2666442.exe 2836 2242406.exe 2700 66420.exe 2368 m6006.exe 1432 pvvdv.exe 1484 fxxfxlf.exe 2656 3rrfrxl.exe 1624 jvpvj.exe 1744 5rfxfff.exe 1256 486288.exe 1540 q40448.exe 292 60408.exe 1520 vddvv.exe 904 7jvvj.exe 1936 5htbhh.exe 1872 7nbbnn.exe 1052 260022.exe 2068 2088006.exe 1340 08064.exe 1036 lfxfxfr.exe 2208 7lrrrrf.exe 696 60842.exe 876 6002484.exe 2416 xlxxxxl.exe 2636 48062.exe 2612 lrfxxxl.exe 2468 rfrxxrr.exe 2252 640626.exe 2536 646866.exe 2852 rlxfrxr.exe 2568 864806.exe 2992 642666.exe 2824 djdjp.exe 2180 20662.exe 2880 1rxrflx.exe 2804 00400.exe 2836 2028406.exe 2316 3htbbb.exe 2732 08666.exe 1156 pdjdj.exe 1304 20426.exe 1320 8482020.exe 1120 60680.exe 2372 608466.exe 2392 400048.exe 1248 9rfllrx.exe 496 xxllrxl.exe 804 9xlxlxf.exe 1540 w66626.exe 2900 ppdpv.exe 1324 k42284.exe 2668 ffrlxxf.exe 904 s4402.exe 1508 e20684.exe 2000 bbtbht.exe 2472 64880.exe 2004 fxrrrlr.exe -
resource yara_rule behavioral1/memory/2412-1-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2396-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2516-16-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2396-26-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1040-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2448-34-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/580-53-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2296-64-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2984-63-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2296-75-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2152-83-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2368-105-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2700-102-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2700-94-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2836-93-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1432-122-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2656-134-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1484-132-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1540-178-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/292-189-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1520-199-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2068-244-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1036-261-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/876-283-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/696-282-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2636-302-0x0000000077100000-0x000000007721F000-memory.dmp upx behavioral1/memory/2612-312-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2612-320-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2252-327-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2880-377-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/804-463-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1540-471-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2900-472-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/904-499-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1508-500-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2000-507-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2000-514-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3068-541-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1536-587-0x00000000005C0000-0x00000000005EA000-memory.dmp upx behavioral1/memory/2396-600-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2504-608-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2504-616-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2800-623-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2836-678-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1788-685-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1304-698-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2020-711-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1324-766-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/764-809-0x00000000001B0000-0x00000000001DA000-memory.dmp upx behavioral1/memory/2224-816-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1764-829-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1488-866-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1796-899-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5rflffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 864806.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dppjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 08686.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2606002.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a2062.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbnhnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 04228.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language g8040.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7rxlfrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbttnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a4880.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language g4446.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxllrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7xlfffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language q02222.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2412 wrote to memory of 2516 2412 a650db69d805c629016e5705102f67b67ad7d55b8adcd2647b048d01f3aab36c.exe 30 PID 2412 wrote to memory of 2516 2412 a650db69d805c629016e5705102f67b67ad7d55b8adcd2647b048d01f3aab36c.exe 30 PID 2412 wrote to memory of 2516 2412 a650db69d805c629016e5705102f67b67ad7d55b8adcd2647b048d01f3aab36c.exe 30 PID 2412 wrote to memory of 2516 2412 a650db69d805c629016e5705102f67b67ad7d55b8adcd2647b048d01f3aab36c.exe 30 PID 2516 wrote to memory of 2396 2516 bbhnhh.exe 31 PID 2516 wrote to memory of 2396 2516 bbhnhh.exe 31 PID 2516 wrote to memory of 2396 2516 bbhnhh.exe 31 PID 2516 wrote to memory of 2396 2516 bbhnhh.exe 31 PID 2396 wrote to memory of 2448 2396 xlxlrrx.exe 32 PID 2396 wrote to memory of 2448 2396 xlxlrrx.exe 32 PID 2396 wrote to memory of 2448 2396 xlxlrrx.exe 32 PID 2396 wrote to memory of 2448 2396 xlxlrrx.exe 32 PID 2448 wrote to memory of 1040 2448 4806482.exe 33 PID 2448 wrote to memory of 1040 2448 4806482.exe 33 PID 2448 wrote to memory of 1040 2448 4806482.exe 33 PID 2448 wrote to memory of 1040 2448 4806482.exe 33 PID 1040 wrote to memory of 580 1040 666826.exe 34 PID 1040 wrote to memory of 580 1040 666826.exe 34 PID 1040 wrote to memory of 580 1040 666826.exe 34 PID 1040 wrote to memory of 580 1040 666826.exe 34 PID 580 wrote to memory of 2984 580 7jvjv.exe 35 PID 580 wrote to memory of 2984 580 7jvjv.exe 35 PID 580 wrote to memory of 2984 580 7jvjv.exe 35 PID 580 wrote to memory of 2984 580 7jvjv.exe 35 PID 2984 wrote to memory of 2296 2984 8644884.exe 36 PID 2984 wrote to memory of 2296 2984 8644884.exe 36 PID 2984 wrote to memory of 2296 2984 8644884.exe 36 PID 2984 wrote to memory of 2296 2984 8644884.exe 36 PID 2296 wrote to memory of 2152 2296 pjvdp.exe 37 PID 2296 wrote to memory of 2152 2296 pjvdp.exe 37 PID 2296 wrote to memory of 2152 2296 pjvdp.exe 37 PID 2296 wrote to memory of 2152 2296 pjvdp.exe 37 PID 2152 wrote to memory of 2836 2152 2666442.exe 38 PID 2152 wrote to 
memory of 2836 2152 2666442.exe 38 PID 2152 wrote to memory of 2836 2152 2666442.exe 38 PID 2152 wrote to memory of 2836 2152 2666442.exe 38 PID 2836 wrote to memory of 2700 2836 2242406.exe 39 PID 2836 wrote to memory of 2700 2836 2242406.exe 39 PID 2836 wrote to memory of 2700 2836 2242406.exe 39 PID 2836 wrote to memory of 2700 2836 2242406.exe 39 PID 2700 wrote to memory of 2368 2700 66420.exe 40 PID 2700 wrote to memory of 2368 2700 66420.exe 40 PID 2700 wrote to memory of 2368 2700 66420.exe 40 PID 2700 wrote to memory of 2368 2700 66420.exe 40 PID 2368 wrote to memory of 1432 2368 m6006.exe 41 PID 2368 wrote to memory of 1432 2368 m6006.exe 41 PID 2368 wrote to memory of 1432 2368 m6006.exe 41 PID 2368 wrote to memory of 1432 2368 m6006.exe 41 PID 1432 wrote to memory of 1484 1432 pvvdv.exe 42 PID 1432 wrote to memory of 1484 1432 pvvdv.exe 42 PID 1432 wrote to memory of 1484 1432 pvvdv.exe 42 PID 1432 wrote to memory of 1484 1432 pvvdv.exe 42 PID 1484 wrote to memory of 2656 1484 fxxfxlf.exe 43 PID 1484 wrote to memory of 2656 1484 fxxfxlf.exe 43 PID 1484 wrote to memory of 2656 1484 fxxfxlf.exe 43 PID 1484 wrote to memory of 2656 1484 fxxfxlf.exe 43 PID 2656 wrote to memory of 1624 2656 3rrfrxl.exe 44 PID 2656 wrote to memory of 1624 2656 3rrfrxl.exe 44 PID 2656 wrote to memory of 1624 2656 3rrfrxl.exe 44 PID 2656 wrote to memory of 1624 2656 3rrfrxl.exe 44 PID 1624 wrote to memory of 1744 1624 jvpvj.exe 45 PID 1624 wrote to memory of 1744 1624 jvpvj.exe 45 PID 1624 wrote to memory of 1744 1624 jvpvj.exe 45 PID 1624 wrote to memory of 1744 1624 jvpvj.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\a650db69d805c629016e5705102f67b67ad7d55b8adcd2647b048d01f3aab36c.exe"C:\Users\Admin\AppData\Local\Temp\a650db69d805c629016e5705102f67b67ad7d55b8adcd2647b048d01f3aab36c.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2412 -
\??\c:\bbhnhh.exec:\bbhnhh.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2516 -
\??\c:\xlxlrrx.exec:\xlxlrrx.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2396 -
\??\c:\4806482.exec:\4806482.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2448 -
\??\c:\666826.exec:\666826.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1040 -
\??\c:\7jvjv.exec:\7jvjv.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:580 -
\??\c:\8644884.exec:\8644884.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2984 -
\??\c:\pjvdp.exec:\pjvdp.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2296 -
\??\c:\2666442.exec:\2666442.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2152 -
\??\c:\2242406.exec:\2242406.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2836 -
\??\c:\66420.exec:\66420.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2700 -
\??\c:\m6006.exec:\m6006.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2368 -
\??\c:\pvvdv.exec:\pvvdv.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1432 -
\??\c:\fxxfxlf.exec:\fxxfxlf.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1484 -
\??\c:\3rrfrxl.exec:\3rrfrxl.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2656 -
\??\c:\jvpvj.exec:\jvpvj.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1624 -
\??\c:\5rfxfff.exec:\5rfxfff.exe17⤵
- Executes dropped EXE
PID:1744 -
\??\c:\486288.exec:\486288.exe18⤵
- Executes dropped EXE
PID:1256 -
\??\c:\q40448.exec:\q40448.exe19⤵
- Executes dropped EXE
PID:1540 -
\??\c:\60408.exec:\60408.exe20⤵
- Executes dropped EXE
PID:292 -
\??\c:\vddvv.exec:\vddvv.exe21⤵
- Executes dropped EXE
PID:1520 -
\??\c:\7jvvj.exec:\7jvvj.exe22⤵
- Executes dropped EXE
PID:904 -
\??\c:\5htbhh.exec:\5htbhh.exe23⤵
- Executes dropped EXE
PID:1936 -
\??\c:\7nbbnn.exec:\7nbbnn.exe24⤵
- Executes dropped EXE
PID:1872 -
\??\c:\260022.exec:\260022.exe25⤵
- Executes dropped EXE
PID:1052 -
\??\c:\2088006.exec:\2088006.exe26⤵
- Executes dropped EXE
PID:2068 -
\??\c:\08064.exec:\08064.exe27⤵
- Executes dropped EXE
PID:1340 -
\??\c:\lfxfxfr.exec:\lfxfxfr.exe28⤵
- Executes dropped EXE
PID:1036 -
\??\c:\7lrrrrf.exec:\7lrrrrf.exe29⤵
- Executes dropped EXE
PID:2208 -
\??\c:\60842.exec:\60842.exe30⤵
- Executes dropped EXE
PID:696 -
\??\c:\6002484.exec:\6002484.exe31⤵
- Executes dropped EXE
PID:876 -
\??\c:\xlxxxxl.exec:\xlxxxxl.exe32⤵
- Executes dropped EXE
PID:2416 -
\??\c:\48062.exec:\48062.exe33⤵
- Executes dropped EXE
PID:2636 -
\??\c:\26884.exec:\26884.exe34⤵PID:1500
-
\??\c:\lrfxxxl.exec:\lrfxxxl.exe35⤵
- Executes dropped EXE
PID:2612 -
\??\c:\rfrxxrr.exec:\rfrxxrr.exe36⤵
- Executes dropped EXE
PID:2468 -
\??\c:\640626.exec:\640626.exe37⤵
- Executes dropped EXE
PID:2252 -
\??\c:\646866.exec:\646866.exe38⤵
- Executes dropped EXE
PID:2536 -
\??\c:\rlxfrxr.exec:\rlxfrxr.exe39⤵
- Executes dropped EXE
PID:2852 -
\??\c:\864806.exec:\864806.exe40⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2568 -
\??\c:\642666.exec:\642666.exe41⤵
- Executes dropped EXE
PID:2992 -
\??\c:\djdjp.exec:\djdjp.exe42⤵
- Executes dropped EXE
PID:2824 -
\??\c:\20662.exec:\20662.exe43⤵
- Executes dropped EXE
PID:2180 -
\??\c:\1rxrflx.exec:\1rxrflx.exe44⤵
- Executes dropped EXE
PID:2880 -
\??\c:\00400.exec:\00400.exe45⤵
- Executes dropped EXE
PID:2804 -
\??\c:\2028406.exec:\2028406.exe46⤵
- Executes dropped EXE
PID:2836 -
\??\c:\3htbbb.exec:\3htbbb.exe47⤵
- Executes dropped EXE
PID:2316 -
\??\c:\08666.exec:\08666.exe48⤵
- Executes dropped EXE
PID:2732 -
\??\c:\pdjdj.exec:\pdjdj.exe49⤵
- Executes dropped EXE
PID:1156 -
\??\c:\20426.exec:\20426.exe50⤵
- Executes dropped EXE
PID:1304 -
\??\c:\8482020.exec:\8482020.exe51⤵
- Executes dropped EXE
PID:1320 -
\??\c:\60680.exec:\60680.exe52⤵
- Executes dropped EXE
PID:1120 -
\??\c:\608466.exec:\608466.exe53⤵
- Executes dropped EXE
PID:2372 -
\??\c:\400048.exec:\400048.exe54⤵
- Executes dropped EXE
PID:2392 -
\??\c:\9rfllrx.exec:\9rfllrx.exe55⤵
- Executes dropped EXE
PID:1248 -
\??\c:\xxllrxl.exec:\xxllrxl.exe56⤵
- Executes dropped EXE
PID:496 -
\??\c:\9xlxlxf.exec:\9xlxlxf.exe57⤵
- Executes dropped EXE
PID:804 -
\??\c:\w66626.exec:\w66626.exe58⤵
- Executes dropped EXE
PID:1540 -
\??\c:\ppdpv.exec:\ppdpv.exe59⤵
- Executes dropped EXE
PID:2900 -
\??\c:\k42284.exec:\k42284.exe60⤵
- Executes dropped EXE
PID:1324 -
\??\c:\ffrlxxf.exec:\ffrlxxf.exe61⤵
- Executes dropped EXE
PID:2668 -
\??\c:\s4402.exec:\s4402.exe62⤵
- Executes dropped EXE
PID:904 -
\??\c:\e20684.exec:\e20684.exe63⤵
- Executes dropped EXE
PID:1508 -
\??\c:\bbtbht.exec:\bbtbht.exe64⤵
- Executes dropped EXE
PID:2000 -
\??\c:\64880.exec:\64880.exe65⤵
- Executes dropped EXE
PID:2472 -
\??\c:\fxrrrlr.exec:\fxrrrlr.exe66⤵
- Executes dropped EXE
PID:2004 -
\??\c:\28668.exec:\28668.exe67⤵PID:612
-
\??\c:\q20682.exec:\q20682.exe68⤵PID:1608
-
\??\c:\64888.exec:\64888.exe69⤵PID:3068
-
\??\c:\2088002.exec:\2088002.exe70⤵PID:2624
-
\??\c:\jvjpd.exec:\jvjpd.exe71⤵PID:1648
-
\??\c:\c640000.exec:\c640000.exe72⤵PID:552
-
\??\c:\0800628.exec:\0800628.exe73⤵PID:1152
-
\??\c:\4868406.exec:\4868406.exe74⤵PID:1820
-
\??\c:\jvjvj.exec:\jvjvj.exe75⤵PID:1536
-
\??\c:\c406286.exec:\c406286.exe76⤵PID:1492
-
\??\c:\046284.exec:\046284.exe77⤵PID:1716
-
\??\c:\4806224.exec:\4806224.exe78⤵PID:2396
-
\??\c:\266800.exec:\266800.exe79⤵PID:2504
-
\??\c:\5hbhhn.exec:\5hbhhn.exe80⤵PID:2784
-
\??\c:\lrrxrrf.exec:\lrrxrrf.exe81⤵PID:2800
-
\??\c:\ttthtb.exec:\ttthtb.exe82⤵PID:2216
-
\??\c:\086040.exec:\086040.exe83⤵PID:2940
-
\??\c:\64228.exec:\64228.exe84⤵PID:2856
-
\??\c:\8684608.exec:\8684608.exe85⤵PID:2956
-
\??\c:\nnntht.exec:\nnntht.exe86⤵PID:2420
-
\??\c:\c864668.exec:\c864668.exe87⤵PID:2708
-
\??\c:\xlxxffr.exec:\xlxxffr.exe88⤵PID:2704
-
\??\c:\608460.exec:\608460.exe89⤵PID:2836
-
\??\c:\1vvpv.exec:\1vvpv.exe90⤵PID:2488
-
\??\c:\4200262.exec:\4200262.exe91⤵PID:1788
-
\??\c:\04602.exec:\04602.exe92⤵PID:1156
-
\??\c:\6466880.exec:\6466880.exe93⤵PID:1304
-
\??\c:\228602.exec:\228602.exe94⤵PID:2020
-
\??\c:\5pjpv.exec:\5pjpv.exe95⤵PID:1120
-
\??\c:\a2062.exec:\a2062.exe96⤵
- System Location Discovery: System Language Discovery
PID:1260 -
\??\c:\dpjdj.exec:\dpjdj.exe97⤵PID:2392
-
\??\c:\084006.exec:\084006.exe98⤵PID:1748
-
\??\c:\jvjdj.exec:\jvjdj.exe99⤵PID:1672
-
\??\c:\pvjjp.exec:\pvjjp.exe100⤵PID:1256
-
\??\c:\ttbnbt.exec:\ttbnbt.exe101⤵PID:1540
-
\??\c:\g6468.exec:\g6468.exe102⤵PID:2728
-
\??\c:\lfflrxr.exec:\lfflrxr.exe103⤵PID:1324
-
\??\c:\2088046.exec:\2088046.exe104⤵PID:964
-
\??\c:\1dpdd.exec:\1dpdd.exe105⤵PID:1628
-
\??\c:\jvjdd.exec:\jvjdd.exe106⤵PID:1872
-
\??\c:\s4628.exec:\s4628.exe107⤵PID:2292
-
\??\c:\m6446.exec:\m6446.exe108⤵PID:2472
-
\??\c:\5lflllx.exec:\5lflllx.exe109⤵PID:2136
-
\??\c:\vdppv.exec:\vdppv.exe110⤵PID:764
-
\??\c:\42008.exec:\42008.exe111⤵PID:1944
-
\??\c:\e46888.exec:\e46888.exe112⤵PID:2224
-
\??\c:\vpddj.exec:\vpddj.exe113⤵PID:2620
-
\??\c:\04240.exec:\04240.exe114⤵PID:1764
-
\??\c:\g6446.exec:\g6446.exe115⤵PID:2628
-
\??\c:\jvjjj.exec:\jvjjj.exe116⤵PID:2412
-
\??\c:\s0002.exec:\s0002.exe117⤵PID:2108
-
\??\c:\464400.exec:\464400.exe118⤵PID:1612
-
\??\c:\lrrlrfx.exec:\lrrlrfx.exe119⤵PID:1488
-
\??\c:\7frrrrx.exec:\7frrrrx.exe120⤵PID:1616
-
\??\c:\q88828.exec:\q88828.exe121⤵PID:1712
-
\??\c:\8268008.exec:\8268008.exe122⤵PID:2560
-