Analysis
-
max time kernel
150s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64 arch:x86 image:win7-20241010-en locale:en-us os:windows7-x64 system -
submitted
23-12-2024 05:10
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
feed4859ef174d9fd2228e20ba8750985c186d3c92f7e6a99c6b9b479ed9d0ea.exe
Resource
win7-20241010-en
windows7-x64
7 signatures
150 seconds
General
-
Target
feed4859ef174d9fd2228e20ba8750985c186d3c92f7e6a99c6b9b479ed9d0ea.exe
-
Size
456KB
-
MD5
3ffe60842436bfaf2ed6518cc3168a65
-
SHA1
ca384ddd1b715a366d8586e4147139e289922de8
-
SHA256
feed4859ef174d9fd2228e20ba8750985c186d3c92f7e6a99c6b9b479ed9d0ea
-
SHA512
3aa3437cbb0b124a8224306bce01bdeb85e677f7ca4a5181c85e0e7610d606da529be5886fcc640533d80ac8deec62726c89eee447efbaeabce089e65d2989f7
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeRV:q7Tc2NYHUrAwfMp3CDRV
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 58 IoCs
resource yara_rule behavioral1/memory/1728-8-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2300-16-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1772-25-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/568-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2572-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2884-50-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2764-67-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2764-65-0x0000000000230000-0x000000000025A000-memory.dmp family_blackmoon behavioral1/memory/568-63-0x0000000000230000-0x000000000025A000-memory.dmp family_blackmoon behavioral1/memory/2220-75-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2220-76-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/2808-87-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2756-104-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2396-114-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2280-125-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2064-122-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2280-128-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1444-141-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2056-146-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2008-160-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3000-177-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon 
behavioral1/memory/3000-179-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2184-187-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1432-198-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2464-216-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/348-214-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2464-223-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/604-236-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/292-249-0x00000000005C0000-0x00000000005EA000-memory.dmp family_blackmoon behavioral1/memory/292-251-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1744-263-0x00000000003D0000-0x00000000003FA000-memory.dmp family_blackmoon behavioral1/memory/2448-296-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2448-301-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2532-302-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2740-338-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/2836-366-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2220-369-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/2636-381-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2676-395-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2604-415-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2136-484-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2376-526-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon 
behavioral1/memory/2680-643-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2956-721-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/2156-747-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2156-746-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1628-771-0x0000000000430000-0x000000000045A000-memory.dmp family_blackmoon behavioral1/memory/1276-811-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2252-846-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2504-886-0x0000000000430000-0x000000000045A000-memory.dmp family_blackmoon behavioral1/memory/1556-960-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1776-967-0x0000000001C60000-0x0000000001C8A000-memory.dmp family_blackmoon behavioral1/memory/2936-1173-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2748-1188-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2644-1205-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/2644-1224-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/1496-1237-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2820-1294-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2300 rrlrxlr.exe 1772 664688.exe 568 rfrlrlr.exe 2572 m2440.exe 2884 bbnnbb.exe 2764 82068.exe 2220 rrfrfxf.exe 2260 8284264.exe 2808 nbthtb.exe 2756 6462824.exe 2396 pjddd.exe 2064 vpjpv.exe 2280 3ffflll.exe 1444 thhbhh.exe 2056 8622602.exe 2008 684220.exe 2820 xxlrllr.exe 3000 o400646.exe 2184 vdppp.exe 2164 o688446.exe 1432 jvdpj.exe 348 246066.exe 2464 7nttbb.exe 1940 lfffxxf.exe 604 i806002.exe 292 dpvjp.exe 2500 htbbbb.exe 1744 86884.exe 1052 2448822.exe 1868 640622.exe 1056 6882600.exe 2448 424004.exe 2532 08440.exe 2288 lxffxrr.exe 2320 9flllfx.exe 2964 468882.exe 1028 jdpjj.exe 2740 hhbhbb.exe 2936 w42288.exe 3044 xllrrlr.exe 2796 xxlrflx.exe 2836 xlrrrrx.exe 2220 4240228.exe 2636 24268.exe 584 04684.exe 2684 4622266.exe 2676 rllrrrr.exe 1340 a2028.exe 2604 lfrxffl.exe 1512 flxrffl.exe 1032 tnbthh.exe 1444 thttbb.exe 2056 pjdjv.exe 316 08448.exe 2952 vvjjp.exe 2820 nbnhhh.exe 2472 240666.exe 2184 7rxlllr.exe 1368 rflflll.exe 2136 djjvv.exe 696 420466.exe 808 btttth.exe 2120 vpddj.exe 344 9pvpj.exe -
resource yara_rule behavioral1/memory/1728-8-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2300-16-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/568-27-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1772-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/568-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2572-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2884-50-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2764-67-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2220-75-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2808-87-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2756-104-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2396-114-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2280-125-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2064-122-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1444-141-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2008-160-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3000-179-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2184-187-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1432-198-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2464-216-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/348-214-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/292-251-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2448-301-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2532-302-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2836-366-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2796-376-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2636-381-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/584-382-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2676-395-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2604-408-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2604-415-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1032-422-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1368-471-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2136-484-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1156-588-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2680-643-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2688-650-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2956-721-0x00000000003A0000-0x00000000003CA000-memory.dmp upx behavioral1/memory/2156-746-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/344-786-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1276-811-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/800-824-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1556-960-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2860-968-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2528-1072-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1284-1110-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2724-1148-0x00000000001B0000-0x00000000001DA000-memory.dmp upx behavioral1/memory/2936-1173-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2684-1250-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2160-1307-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6466228.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5vdvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0080482.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e68808.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9fxllrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 64844.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language i000628.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8244882.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 642282.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3htthh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 246000.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not 
Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjpjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 462620.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 68444.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpddj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 646666.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 880448.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvjjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1728 wrote to memory of 2300 1728 feed4859ef174d9fd2228e20ba8750985c186d3c92f7e6a99c6b9b479ed9d0ea.exe 31 PID 1728 wrote to memory of 2300 1728 feed4859ef174d9fd2228e20ba8750985c186d3c92f7e6a99c6b9b479ed9d0ea.exe 31 PID 1728 wrote to memory of 2300 1728 feed4859ef174d9fd2228e20ba8750985c186d3c92f7e6a99c6b9b479ed9d0ea.exe 31 PID 1728 wrote to memory of 2300 1728 feed4859ef174d9fd2228e20ba8750985c186d3c92f7e6a99c6b9b479ed9d0ea.exe 31 PID 2300 wrote to memory of 1772 2300 rrlrxlr.exe 32 PID 2300 wrote to memory of 1772 2300 rrlrxlr.exe 32 PID 2300 wrote to memory of 1772 2300 rrlrxlr.exe 32 PID 2300 wrote to memory of 1772 2300 rrlrxlr.exe 32 PID 1772 wrote to memory of 568 1772 664688.exe 33 PID 1772 wrote to memory of 568 1772 664688.exe 33 PID 1772 wrote to memory of 568 1772 664688.exe 33 PID 1772 wrote to memory of 568 1772 664688.exe 33 PID 568 wrote to memory of 2572 568 rfrlrlr.exe 34 PID 568 wrote to memory of 2572 568 rfrlrlr.exe 34 PID 568 wrote to memory of 2572 568 rfrlrlr.exe 34 PID 568 wrote to memory of 2572 568 rfrlrlr.exe 34 PID 2572 wrote to memory of 2884 2572 m2440.exe 35 PID 2572 wrote to memory of 2884 2572 m2440.exe 35 PID 2572 wrote to memory of 2884 2572 m2440.exe 35 PID 2572 wrote to memory of 2884 2572 m2440.exe 35 PID 2884 wrote to memory of 2764 2884 bbnnbb.exe 36 PID 2884 wrote to memory of 2764 2884 bbnnbb.exe 36 PID 2884 wrote to memory of 2764 2884 bbnnbb.exe 36 PID 2884 wrote to memory of 2764 2884 bbnnbb.exe 36 PID 2764 wrote to memory of 2220 2764 82068.exe 37 PID 2764 wrote to memory of 2220 2764 82068.exe 37 PID 2764 wrote to memory of 2220 2764 82068.exe 37 PID 2764 wrote to memory of 2220 2764 82068.exe 37 PID 2220 wrote to memory of 2260 2220 rrfrfxf.exe 38 PID 2220 wrote to memory of 2260 2220 rrfrfxf.exe 38 PID 2220 wrote to memory of 2260 2220 rrfrfxf.exe 38 PID 2220 wrote to memory of 2260 2220 rrfrfxf.exe 38 PID 2260 wrote to memory of 2808 2260 8284264.exe 39 PID 2260 wrote to 
memory of 2808 2260 8284264.exe 39 PID 2260 wrote to memory of 2808 2260 8284264.exe 39 PID 2260 wrote to memory of 2808 2260 8284264.exe 39 PID 2808 wrote to memory of 2756 2808 nbthtb.exe 40 PID 2808 wrote to memory of 2756 2808 nbthtb.exe 40 PID 2808 wrote to memory of 2756 2808 nbthtb.exe 40 PID 2808 wrote to memory of 2756 2808 nbthtb.exe 40 PID 2756 wrote to memory of 2396 2756 6462824.exe 41 PID 2756 wrote to memory of 2396 2756 6462824.exe 41 PID 2756 wrote to memory of 2396 2756 6462824.exe 41 PID 2756 wrote to memory of 2396 2756 6462824.exe 41 PID 2396 wrote to memory of 2064 2396 pjddd.exe 42 PID 2396 wrote to memory of 2064 2396 pjddd.exe 42 PID 2396 wrote to memory of 2064 2396 pjddd.exe 42 PID 2396 wrote to memory of 2064 2396 pjddd.exe 42 PID 2064 wrote to memory of 2280 2064 vpjpv.exe 43 PID 2064 wrote to memory of 2280 2064 vpjpv.exe 43 PID 2064 wrote to memory of 2280 2064 vpjpv.exe 43 PID 2064 wrote to memory of 2280 2064 vpjpv.exe 43 PID 2280 wrote to memory of 1444 2280 3ffflll.exe 44 PID 2280 wrote to memory of 1444 2280 3ffflll.exe 44 PID 2280 wrote to memory of 1444 2280 3ffflll.exe 44 PID 2280 wrote to memory of 1444 2280 3ffflll.exe 44 PID 1444 wrote to memory of 2056 1444 thhbhh.exe 45 PID 1444 wrote to memory of 2056 1444 thhbhh.exe 45 PID 1444 wrote to memory of 2056 1444 thhbhh.exe 45 PID 1444 wrote to memory of 2056 1444 thhbhh.exe 45 PID 2056 wrote to memory of 2008 2056 8622602.exe 46 PID 2056 wrote to memory of 2008 2056 8622602.exe 46 PID 2056 wrote to memory of 2008 2056 8622602.exe 46 PID 2056 wrote to memory of 2008 2056 8622602.exe 46
Processes
-
C:\Users\Admin\AppData\Local\Temp\feed4859ef174d9fd2228e20ba8750985c186d3c92f7e6a99c6b9b479ed9d0ea.exe"C:\Users\Admin\AppData\Local\Temp\feed4859ef174d9fd2228e20ba8750985c186d3c92f7e6a99c6b9b479ed9d0ea.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1728 -
\??\c:\rrlrxlr.exec:\rrlrxlr.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2300 -
\??\c:\664688.exec:\664688.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1772 -
\??\c:\rfrlrlr.exec:\rfrlrlr.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:568 -
\??\c:\m2440.exec:\m2440.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2572 -
\??\c:\bbnnbb.exec:\bbnnbb.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2884 -
\??\c:\82068.exec:\82068.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2764 -
\??\c:\rrfrfxf.exec:\rrfrfxf.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2220 -
\??\c:\8284264.exec:\8284264.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2260 -
\??\c:\nbthtb.exec:\nbthtb.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2808 -
\??\c:\6462824.exec:\6462824.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2756 -
\??\c:\pjddd.exec:\pjddd.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2396 -
\??\c:\vpjpv.exec:\vpjpv.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2064 -
\??\c:\3ffflll.exec:\3ffflll.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2280 -
\??\c:\thhbhh.exec:\thhbhh.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1444 -
\??\c:\8622602.exec:\8622602.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2056 -
\??\c:\684220.exec:\684220.exe17⤵
- Executes dropped EXE
PID:2008 -
\??\c:\xxlrllr.exec:\xxlrllr.exe18⤵
- Executes dropped EXE
PID:2820 -
\??\c:\o400646.exec:\o400646.exe19⤵
- Executes dropped EXE
PID:3000 -
\??\c:\vdppp.exec:\vdppp.exe20⤵
- Executes dropped EXE
PID:2184 -
\??\c:\o688446.exec:\o688446.exe21⤵
- Executes dropped EXE
PID:2164 -
\??\c:\jvdpj.exec:\jvdpj.exe22⤵
- Executes dropped EXE
PID:1432 -
\??\c:\246066.exec:\246066.exe23⤵
- Executes dropped EXE
PID:348 -
\??\c:\7nttbb.exec:\7nttbb.exe24⤵
- Executes dropped EXE
PID:2464 -
\??\c:\lfffxxf.exec:\lfffxxf.exe25⤵
- Executes dropped EXE
PID:1940 -
\??\c:\i806002.exec:\i806002.exe26⤵
- Executes dropped EXE
PID:604 -
\??\c:\dpvjp.exec:\dpvjp.exe27⤵
- Executes dropped EXE
PID:292 -
\??\c:\htbbbb.exec:\htbbbb.exe28⤵
- Executes dropped EXE
PID:2500 -
\??\c:\86884.exec:\86884.exe29⤵
- Executes dropped EXE
PID:1744 -
\??\c:\2448822.exec:\2448822.exe30⤵
- Executes dropped EXE
PID:1052 -
\??\c:\640622.exec:\640622.exe31⤵
- Executes dropped EXE
PID:1868 -
\??\c:\6882600.exec:\6882600.exe32⤵
- Executes dropped EXE
PID:1056 -
\??\c:\424004.exec:\424004.exe33⤵
- Executes dropped EXE
PID:2448 -
\??\c:\08440.exec:\08440.exe34⤵
- Executes dropped EXE
PID:2532 -
\??\c:\lxffxrr.exec:\lxffxrr.exe35⤵
- Executes dropped EXE
PID:2288 -
\??\c:\9flllfx.exec:\9flllfx.exe36⤵
- Executes dropped EXE
PID:2320 -
\??\c:\468882.exec:\468882.exe37⤵
- Executes dropped EXE
PID:2964 -
\??\c:\jdpjj.exec:\jdpjj.exe38⤵
- Executes dropped EXE
PID:1028 -
\??\c:\hhbhbb.exec:\hhbhbb.exe39⤵
- Executes dropped EXE
PID:2740 -
\??\c:\w42288.exec:\w42288.exe40⤵
- Executes dropped EXE
PID:2936 -
\??\c:\xllrrlr.exec:\xllrrlr.exe41⤵
- Executes dropped EXE
PID:3044 -
\??\c:\xxlrflx.exec:\xxlrflx.exe42⤵
- Executes dropped EXE
PID:2796 -
\??\c:\xlrrrrx.exec:\xlrrrrx.exe43⤵
- Executes dropped EXE
PID:2836 -
\??\c:\4240228.exec:\4240228.exe44⤵
- Executes dropped EXE
PID:2220 -
\??\c:\24268.exec:\24268.exe45⤵
- Executes dropped EXE
PID:2636 -
\??\c:\04684.exec:\04684.exe46⤵
- Executes dropped EXE
PID:584 -
\??\c:\4622266.exec:\4622266.exe47⤵
- Executes dropped EXE
PID:2684 -
\??\c:\rllrrrr.exec:\rllrrrr.exe48⤵
- Executes dropped EXE
PID:2676 -
\??\c:\a2028.exec:\a2028.exe49⤵
- Executes dropped EXE
PID:1340 -
\??\c:\lfrxffl.exec:\lfrxffl.exe50⤵
- Executes dropped EXE
PID:2604 -
\??\c:\flxrffl.exec:\flxrffl.exe51⤵
- Executes dropped EXE
PID:1512 -
\??\c:\tnbthh.exec:\tnbthh.exe52⤵
- Executes dropped EXE
PID:1032 -
\??\c:\thttbb.exec:\thttbb.exe53⤵
- Executes dropped EXE
PID:1444 -
\??\c:\pjdjv.exec:\pjdjv.exe54⤵
- Executes dropped EXE
PID:2056 -
\??\c:\08448.exec:\08448.exe55⤵
- Executes dropped EXE
PID:316 -
\??\c:\vvjjp.exec:\vvjjp.exe56⤵
- Executes dropped EXE
PID:2952 -
\??\c:\nbnhhh.exec:\nbnhhh.exe57⤵
- Executes dropped EXE
PID:2820 -
\??\c:\240666.exec:\240666.exe58⤵
- Executes dropped EXE
PID:2472 -
\??\c:\7rxlllr.exec:\7rxlllr.exe59⤵
- Executes dropped EXE
PID:2184 -
\??\c:\rflflll.exec:\rflflll.exe60⤵
- Executes dropped EXE
PID:1368 -
\??\c:\djjvv.exec:\djjvv.exe61⤵
- Executes dropped EXE
PID:2136 -
\??\c:\420466.exec:\420466.exe62⤵
- Executes dropped EXE
PID:696 -
\??\c:\btttth.exec:\btttth.exe63⤵
- Executes dropped EXE
PID:808 -
\??\c:\vpddj.exec:\vpddj.exe64⤵
- Executes dropped EXE
PID:2120 -
\??\c:\9pvpj.exec:\9pvpj.exe65⤵
- Executes dropped EXE
PID:344 -
\??\c:\btnthh.exec:\btnthh.exe66⤵PID:948
-
\??\c:\s0228.exec:\s0228.exe67⤵PID:2364
-
\??\c:\1jvdd.exec:\1jvdd.exe68⤵PID:2376
-
\??\c:\6466228.exec:\6466228.exe69⤵PID:1276
-
\??\c:\hbnhhh.exec:\hbnhhh.exe70⤵PID:2456
-
\??\c:\frlxllr.exec:\frlxllr.exe71⤵PID:2060
-
\??\c:\rfrxffl.exec:\rfrxffl.exe72⤵PID:2712
-
\??\c:\086622.exec:\086622.exe73⤵PID:3048
-
\??\c:\0822444.exec:\0822444.exe74⤵PID:1868
-
\??\c:\46888.exec:\46888.exe75⤵PID:1056
-
\??\c:\642884.exec:\642884.exe76⤵PID:1724
-
\??\c:\9hhhtt.exec:\9hhhtt.exe77⤵PID:2308
-
\??\c:\rxrxllr.exec:\rxrxllr.exe78⤵PID:2588
-
\??\c:\dpppv.exec:\dpppv.exe79⤵PID:1156
-
\??\c:\vjvpp.exec:\vjvpp.exe80⤵PID:2320
-
\??\c:\1jddd.exec:\1jddd.exe81⤵PID:2460
-
\??\c:\268406.exec:\268406.exe82⤵PID:1580
-
\??\c:\88624.exec:\88624.exe83⤵PID:2896
-
\??\c:\s8220.exec:\s8220.exe84⤵PID:2880
-
\??\c:\2466600.exec:\2466600.exe85⤵PID:2768
-
\??\c:\pjvdp.exec:\pjvdp.exe86⤵PID:2764
-
\??\c:\426022.exec:\426022.exe87⤵PID:1948
-
\??\c:\s6828.exec:\s6828.exe88⤵PID:2680
-
\??\c:\48040.exec:\48040.exe89⤵PID:2688
-
\??\c:\fxfxffl.exec:\fxfxffl.exe90⤵PID:2708
-
\??\c:\084448.exec:\084448.exe91⤵PID:2756
-
\??\c:\8800006.exec:\8800006.exe92⤵PID:2684
-
\??\c:\thnntt.exec:\thnntt.exe93⤵PID:2676
-
\??\c:\s8488.exec:\s8488.exe94⤵PID:1960
-
\??\c:\llxxlfr.exec:\llxxlfr.exe95⤵PID:2604
-
\??\c:\862282.exec:\862282.exe96⤵PID:1036
-
\??\c:\a2044.exec:\a2044.exe97⤵PID:1508
-
\??\c:\lfrlrrr.exec:\lfrlrrr.exe98⤵PID:2012
-
\??\c:\26624.exec:\26624.exe99⤵PID:1516
-
\??\c:\lflllfl.exec:\lflllfl.exe100⤵PID:2956
-
\??\c:\64242.exec:\64242.exe101⤵PID:2188
-
\??\c:\3lrxfxf.exec:\3lrxfxf.exe102⤵PID:2820
-
\??\c:\o866288.exec:\o866288.exe103⤵PID:2156
-
\??\c:\thhnnh.exec:\thhnnh.exe104⤵PID:1148
-
\??\c:\rfrlrrf.exec:\rfrlrrf.exe105⤵PID:2160
-
\??\c:\088222.exec:\088222.exe106⤵PID:1604
-
\??\c:\640000.exec:\640000.exe107⤵PID:1628
-
\??\c:\0404488.exec:\0404488.exe108⤵PID:912
-
\??\c:\5dvpv.exec:\5dvpv.exe109⤵PID:1256
-
\??\c:\lrxxrrr.exec:\lrxxrrr.exe110⤵PID:344
-
\??\c:\646626.exec:\646626.exe111⤵PID:604
-
\??\c:\i028822.exec:\i028822.exe112⤵PID:2992
-
\??\c:\q00022.exec:\q00022.exe113⤵PID:1648
-
\??\c:\8204668.exec:\8204668.exe114⤵PID:1276
-
\??\c:\u462440.exec:\u462440.exe115⤵PID:2100
-
\??\c:\046684.exec:\046684.exe116⤵PID:800
-
\??\c:\8824662.exec:\8824662.exe117⤵PID:1284
-
\??\c:\xrllxxr.exec:\xrllxxr.exe118⤵PID:2208
-
\??\c:\64068.exec:\64068.exe119⤵PID:2252
-
\??\c:\ppddj.exec:\ppddj.exe120⤵PID:2304
-
\??\c:\2028400.exec:\2028400.exe121⤵PID:1964
-
\??\c:\u828446.exec:\u828446.exe122⤵PID:2312