Analysis
-
max time kernel
150s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64 arch:x86 image:win7-20240708-en locale:en-us os:windows7-x64 system -
submitted
24-12-2024 00:29
Static task
static1
1 signature
Behavioral task
behavioral1
Sample
ac33a02a7230b42b8f4a3c15454f6e40d86b856d39ea17e75e27cdf9b1d3f005.exe
Resource
win7-20240708-en
windows7-x64
7 signatures
150 seconds
General
-
Target
ac33a02a7230b42b8f4a3c15454f6e40d86b856d39ea17e75e27cdf9b1d3f005.exe
-
Size
453KB
-
MD5
c62a7499aca2c54cb3f372c42c28861c
-
SHA1
db514b565f7e4bd8055a0edf90c7f075a51d1952
-
SHA256
ac33a02a7230b42b8f4a3c15454f6e40d86b856d39ea17e75e27cdf9b1d3f005
-
SHA512
6b1c7856961e5371691605b64b3299663f11e5a7a49d1b2a5d68cff3a9d5bdfb235ad2c795e879d58b74996d44f82f2777c4c04344161076a0b514f3d05b77f3
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeR:q7Tc2NYHUrAwfMp3CDR
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 50 IoCs
resource yara_rule behavioral1/memory/2972-1-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2520-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1856-26-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2348-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2740-50-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2904-46-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2980-64-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2844-74-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1684-83-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1052-118-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1572-129-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1892-141-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1980-138-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1752-166-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2284-175-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/532-192-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2180-195-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/936-227-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2436-245-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/936-264-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2368-290-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2136-298-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2692-323-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2248-329-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2348-330-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2348-337-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2736-344-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/3060-385-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3052-384-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/564-405-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1536-526-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2312-556-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/1920-578-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1920-577-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2656-647-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2808-646-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1784-666-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1248-679-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2132-706-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/820-743-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2904-896-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2904-916-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon 
behavioral1/memory/2652-915-0x00000000003D0000-0x00000000003FA000-memory.dmp family_blackmoon behavioral1/memory/2028-958-0x00000000005C0000-0x00000000005EA000-memory.dmp family_blackmoon behavioral1/memory/2448-961-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2860-1002-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2516-1129-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1656-1342-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/1628-1370-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2672-1379-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2520 9rlrlrl.exe 1856 02064.exe 2348 202284.exe 2904 jvvvp.exe 2740 g8062.exe 2980 vjvpj.exe 2844 rxfrllf.exe 1684 3vpvd.exe 2664 028226.exe 1784 e80460.exe 1668 xlxxfxf.exe 1052 rfllrlr.exe 1572 jvjjj.exe 1980 86284.exe 1892 1llffxx.exe 1320 fxffxrl.exe 1752 pdvjd.exe 2284 3thhnn.exe 3004 42406.exe 532 dvddv.exe 2180 e80226.exe 1804 4240662.exe 1392 nnbbhh.exe 936 dppdv.exe 788 60228.exe 2436 xlrrrll.exe 920 xrffxxr.exe 2292 9xfxfxx.exe 2464 2688668.exe 1776 htbhhb.exe 2368 4248888.exe 2136 646404.exe 2516 htbhbt.exe 1848 a8402.exe 2536 2400262.exe 2692 bnbbbb.exe 2248 c240664.exe 2348 8688266.exe 2736 o624662.exe 2328 vvddp.exe 2772 tnbbhh.exe 2812 jdjjj.exe 2656 bhnhtn.exe 1684 3dpjv.exe 3052 02440.exe 3060 hbhbhb.exe 1248 jvjjp.exe 564 864466.exe 1812 646260.exe 2872 9lxxxff.exe 2132 o062002.exe 2424 20628.exe 1720 802666.exe 1176 3pdpj.exe 2460 080444.exe 1432 w02244.exe 592 1llxrlf.exe 2596 xlxrffr.exe 264 6822480.exe 1680 xlrrrrr.exe 816 7flfxrx.exe 2180 0862224.exe 2120 xfrflrr.exe 1632 hthhnn.exe -
resource yara_rule behavioral1/memory/2972-1-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2520-8-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2520-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2348-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1856-26-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2904-38-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2348-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2740-50-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2904-46-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2980-64-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1684-75-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2844-74-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1684-83-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1052-118-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1980-130-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1572-129-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1892-141-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1980-138-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1752-167-0x0000000001C50000-0x0000000001C7A000-memory.dmp upx behavioral1/memory/1752-166-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2284-175-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/532-192-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2180-195-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/936-227-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2436-245-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2292-255-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2368-290-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2136-298-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2692-323-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2248-329-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2348-330-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2348-337-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3060-385-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3052-384-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/564-398-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/564-405-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2772-633-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2656-647-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2808-646-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1784-666-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1248-679-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2860-686-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2872-693-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2132-706-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/820-743-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2340-762-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1492-775-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2028-958-0x00000000005C0000-0x00000000005EA000-memory.dmp upx 
behavioral1/memory/1976-981-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2852-988-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1672-1076-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2484-1083-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2144-1102-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1856-1140-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2344-1153-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3056-1202-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1844-1221-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/952-1312-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1768-1350-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 820282.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxlfllr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7lfxxxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 802000.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c046224.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnhntt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4622666.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0286206.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btnhhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0862064.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8268668.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found 
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language o200668.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnhthh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7hbtbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3rffrrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 60284.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2972 wrote to memory of 2520 2972 ac33a02a7230b42b8f4a3c15454f6e40d86b856d39ea17e75e27cdf9b1d3f005.exe 30 PID 2972 wrote to memory of 2520 2972 ac33a02a7230b42b8f4a3c15454f6e40d86b856d39ea17e75e27cdf9b1d3f005.exe 30 PID 2972 wrote to memory of 2520 2972 ac33a02a7230b42b8f4a3c15454f6e40d86b856d39ea17e75e27cdf9b1d3f005.exe 30 PID 2972 wrote to memory of 2520 2972 ac33a02a7230b42b8f4a3c15454f6e40d86b856d39ea17e75e27cdf9b1d3f005.exe 30 PID 2520 wrote to memory of 1856 2520 9rlrlrl.exe 31 PID 2520 wrote to memory of 1856 2520 9rlrlrl.exe 31 PID 2520 wrote to memory of 1856 2520 9rlrlrl.exe 31 PID 2520 wrote to memory of 1856 2520 9rlrlrl.exe 31 PID 1856 wrote to memory of 2348 1856 02064.exe 32 PID 1856 wrote to memory of 2348 1856 02064.exe 32 PID 1856 wrote to memory of 2348 1856 02064.exe 32 PID 1856 wrote to memory of 2348 1856 02064.exe 32 PID 2348 wrote to memory of 2904 2348 202284.exe 33 PID 2348 wrote to memory of 2904 2348 202284.exe 33 PID 2348 wrote to memory of 2904 2348 202284.exe 33 PID 2348 wrote to memory of 2904 2348 202284.exe 33 PID 2904 wrote to memory of 2740 2904 jvvvp.exe 34 PID 2904 wrote to memory of 2740 2904 jvvvp.exe 34 PID 2904 wrote to memory of 2740 2904 jvvvp.exe 34 PID 2904 wrote to memory of 2740 2904 jvvvp.exe 34 PID 2740 wrote to memory of 2980 2740 g8062.exe 35 PID 2740 wrote to memory of 2980 2740 g8062.exe 35 PID 2740 wrote to memory of 2980 2740 g8062.exe 35 PID 2740 wrote to memory of 2980 2740 g8062.exe 35 PID 2980 wrote to memory of 2844 2980 vjvpj.exe 36 PID 2980 wrote to memory of 2844 2980 vjvpj.exe 36 PID 2980 wrote to memory of 2844 2980 vjvpj.exe 36 PID 2980 wrote to memory of 2844 2980 vjvpj.exe 36 PID 2844 wrote to memory of 1684 2844 rxfrllf.exe 37 PID 2844 wrote to memory of 1684 2844 rxfrllf.exe 37 PID 2844 wrote to memory of 1684 2844 rxfrllf.exe 37 PID 2844 wrote to memory of 1684 2844 rxfrllf.exe 37 PID 1684 wrote to memory of 2664 1684 3vpvd.exe 38 PID 1684 wrote to 
memory of 2664 1684 3vpvd.exe 38 PID 1684 wrote to memory of 2664 1684 3vpvd.exe 38 PID 1684 wrote to memory of 2664 1684 3vpvd.exe 38 PID 2664 wrote to memory of 1784 2664 028226.exe 39 PID 2664 wrote to memory of 1784 2664 028226.exe 39 PID 2664 wrote to memory of 1784 2664 028226.exe 39 PID 2664 wrote to memory of 1784 2664 028226.exe 39 PID 1784 wrote to memory of 1668 1784 e80460.exe 40 PID 1784 wrote to memory of 1668 1784 e80460.exe 40 PID 1784 wrote to memory of 1668 1784 e80460.exe 40 PID 1784 wrote to memory of 1668 1784 e80460.exe 40 PID 1668 wrote to memory of 1052 1668 xlxxfxf.exe 41 PID 1668 wrote to memory of 1052 1668 xlxxfxf.exe 41 PID 1668 wrote to memory of 1052 1668 xlxxfxf.exe 41 PID 1668 wrote to memory of 1052 1668 xlxxfxf.exe 41 PID 1052 wrote to memory of 1572 1052 rfllrlr.exe 42 PID 1052 wrote to memory of 1572 1052 rfllrlr.exe 42 PID 1052 wrote to memory of 1572 1052 rfllrlr.exe 42 PID 1052 wrote to memory of 1572 1052 rfllrlr.exe 42 PID 1572 wrote to memory of 1980 1572 jvjjj.exe 43 PID 1572 wrote to memory of 1980 1572 jvjjj.exe 43 PID 1572 wrote to memory of 1980 1572 jvjjj.exe 43 PID 1572 wrote to memory of 1980 1572 jvjjj.exe 43 PID 1980 wrote to memory of 1892 1980 86284.exe 44 PID 1980 wrote to memory of 1892 1980 86284.exe 44 PID 1980 wrote to memory of 1892 1980 86284.exe 44 PID 1980 wrote to memory of 1892 1980 86284.exe 44 PID 1892 wrote to memory of 1320 1892 1llffxx.exe 45 PID 1892 wrote to memory of 1320 1892 1llffxx.exe 45 PID 1892 wrote to memory of 1320 1892 1llffxx.exe 45 PID 1892 wrote to memory of 1320 1892 1llffxx.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\ac33a02a7230b42b8f4a3c15454f6e40d86b856d39ea17e75e27cdf9b1d3f005.exe"C:\Users\Admin\AppData\Local\Temp\ac33a02a7230b42b8f4a3c15454f6e40d86b856d39ea17e75e27cdf9b1d3f005.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2972 -
\??\c:\9rlrlrl.exec:\9rlrlrl.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2520 -
\??\c:\02064.exec:\02064.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1856 -
\??\c:\202284.exec:\202284.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2348 -
\??\c:\jvvvp.exec:\jvvvp.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2904 -
\??\c:\g8062.exec:\g8062.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2740 -
\??\c:\vjvpj.exec:\vjvpj.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2980 -
\??\c:\rxfrllf.exec:\rxfrllf.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2844 -
\??\c:\3vpvd.exec:\3vpvd.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1684 -
\??\c:\028226.exec:\028226.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2664 -
\??\c:\e80460.exec:\e80460.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1784 -
\??\c:\xlxxfxf.exec:\xlxxfxf.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1668 -
\??\c:\rfllrlr.exec:\rfllrlr.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1052 -
\??\c:\jvjjj.exec:\jvjjj.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1572 -
\??\c:\86284.exec:\86284.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1980 -
\??\c:\1llffxx.exec:\1llffxx.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1892 -
\??\c:\fxffxrl.exec:\fxffxrl.exe17⤵
- Executes dropped EXE
PID:1320 -
\??\c:\pdvjd.exec:\pdvjd.exe18⤵
- Executes dropped EXE
PID:1752 -
\??\c:\3thhnn.exec:\3thhnn.exe19⤵
- Executes dropped EXE
PID:2284 -
\??\c:\42406.exec:\42406.exe20⤵
- Executes dropped EXE
PID:3004 -
\??\c:\dvddv.exec:\dvddv.exe21⤵
- Executes dropped EXE
PID:532 -
\??\c:\e80226.exec:\e80226.exe22⤵
- Executes dropped EXE
PID:2180 -
\??\c:\4240662.exec:\4240662.exe23⤵
- Executes dropped EXE
PID:1804 -
\??\c:\nnbbhh.exec:\nnbbhh.exe24⤵
- Executes dropped EXE
PID:1392 -
\??\c:\dppdv.exec:\dppdv.exe25⤵
- Executes dropped EXE
PID:936 -
\??\c:\60228.exec:\60228.exe26⤵
- Executes dropped EXE
PID:788 -
\??\c:\xlrrrll.exec:\xlrrrll.exe27⤵
- Executes dropped EXE
PID:2436 -
\??\c:\xrffxxr.exec:\xrffxxr.exe28⤵
- Executes dropped EXE
PID:920 -
\??\c:\9xfxfxx.exec:\9xfxfxx.exe29⤵
- Executes dropped EXE
PID:2292 -
\??\c:\2688668.exec:\2688668.exe30⤵
- Executes dropped EXE
PID:2464 -
\??\c:\htbhhb.exec:\htbhhb.exe31⤵
- Executes dropped EXE
PID:1776 -
\??\c:\4248888.exec:\4248888.exe32⤵
- Executes dropped EXE
PID:2368 -
\??\c:\646404.exec:\646404.exe33⤵
- Executes dropped EXE
PID:2136 -
\??\c:\htbhbt.exec:\htbhbt.exe34⤵
- Executes dropped EXE
PID:2516 -
\??\c:\a8402.exec:\a8402.exe35⤵
- Executes dropped EXE
PID:1848 -
\??\c:\2400262.exec:\2400262.exe36⤵
- Executes dropped EXE
PID:2536 -
\??\c:\bnbbbb.exec:\bnbbbb.exe37⤵
- Executes dropped EXE
PID:2692 -
\??\c:\c240664.exec:\c240664.exe38⤵
- Executes dropped EXE
PID:2248 -
\??\c:\8688266.exec:\8688266.exe39⤵
- Executes dropped EXE
PID:2348 -
\??\c:\o624662.exec:\o624662.exe40⤵
- Executes dropped EXE
PID:2736 -
\??\c:\vvddp.exec:\vvddp.exe41⤵
- Executes dropped EXE
PID:2328 -
\??\c:\tnbbhh.exec:\tnbbhh.exe42⤵
- Executes dropped EXE
PID:2772 -
\??\c:\jdjjj.exec:\jdjjj.exe43⤵
- Executes dropped EXE
PID:2812 -
\??\c:\bhnhtn.exec:\bhnhtn.exe44⤵
- Executes dropped EXE
PID:2656 -
\??\c:\3dpjv.exec:\3dpjv.exe45⤵
- Executes dropped EXE
PID:1684 -
\??\c:\02440.exec:\02440.exe46⤵
- Executes dropped EXE
PID:3052 -
\??\c:\hbhbhb.exec:\hbhbhb.exe47⤵
- Executes dropped EXE
PID:3060 -
\??\c:\jvjjp.exec:\jvjjp.exe48⤵
- Executes dropped EXE
PID:1248 -
\??\c:\864466.exec:\864466.exe49⤵
- Executes dropped EXE
PID:564 -
\??\c:\646260.exec:\646260.exe50⤵
- Executes dropped EXE
PID:1812 -
\??\c:\9lxxxff.exec:\9lxxxff.exe51⤵
- Executes dropped EXE
PID:2872 -
\??\c:\o062002.exec:\o062002.exe52⤵
- Executes dropped EXE
PID:2132 -
\??\c:\20628.exec:\20628.exe53⤵
- Executes dropped EXE
PID:2424 -
\??\c:\802666.exec:\802666.exe54⤵
- Executes dropped EXE
PID:1720 -
\??\c:\3pdpj.exec:\3pdpj.exe55⤵
- Executes dropped EXE
PID:1176 -
\??\c:\080444.exec:\080444.exe56⤵
- Executes dropped EXE
PID:2460 -
\??\c:\w02244.exec:\w02244.exe57⤵
- Executes dropped EXE
PID:1432 -
\??\c:\1llxrlf.exec:\1llxrlf.exe58⤵
- Executes dropped EXE
PID:592 -
\??\c:\xlxrffr.exec:\xlxrffr.exe59⤵
- Executes dropped EXE
PID:2596 -
\??\c:\6822480.exec:\6822480.exe60⤵
- Executes dropped EXE
PID:264 -
\??\c:\xlrrrrr.exec:\xlrrrrr.exe61⤵
- Executes dropped EXE
PID:1680 -
\??\c:\7flfxrx.exec:\7flfxrx.exe62⤵
- Executes dropped EXE
PID:816 -
\??\c:\0862224.exec:\0862224.exe63⤵
- Executes dropped EXE
PID:2180 -
\??\c:\xfrflrr.exec:\xfrflrr.exe64⤵
- Executes dropped EXE
PID:2120 -
\??\c:\hthhnn.exec:\hthhnn.exe65⤵
- Executes dropped EXE
PID:1632 -
\??\c:\6862262.exec:\6862262.exe66⤵PID:1656
-
\??\c:\dvjjv.exec:\dvjjv.exe67⤵PID:1356
-
\??\c:\frxxfff.exec:\frxxfff.exe68⤵PID:1768
-
\??\c:\8240224.exec:\8240224.exe69⤵PID:1536
-
\??\c:\42062.exec:\42062.exe70⤵PID:1628
-
\??\c:\820066.exec:\820066.exe71⤵PID:920
-
\??\c:\408444.exec:\408444.exe72⤵PID:1032
-
\??\c:\82000.exec:\82000.exe73⤵PID:1688
-
\??\c:\lfxrfxx.exec:\lfxrfxx.exe74⤵PID:2312
-
\??\c:\i206228.exec:\i206228.exe75⤵PID:880
-
\??\c:\rlxxfff.exec:\rlxxfff.exe76⤵PID:2368
-
\??\c:\lxlffxl.exec:\lxlffxl.exe77⤵PID:1920
-
\??\c:\thtbbb.exec:\thtbbb.exe78⤵PID:1556
-
\??\c:\bnbhtt.exec:\bnbhtt.exe79⤵PID:1584
-
\??\c:\nnbnbh.exec:\nnbnbh.exe80⤵PID:2936
-
\??\c:\llflrfr.exec:\llflrfr.exe81⤵PID:2344
-
\??\c:\tntbbb.exec:\tntbbb.exe82⤵PID:2896
-
\??\c:\nbbbnn.exec:\nbbbnn.exe83⤵PID:2760
-
\??\c:\q24444.exec:\q24444.exe84⤵PID:2992
-
\??\c:\xlxflfl.exec:\xlxflfl.exe85⤵PID:2908
-
\??\c:\7xfxxxx.exec:\7xfxxxx.exe86⤵PID:2880
-
\??\c:\i802480.exec:\i802480.exe87⤵PID:2772
-
\??\c:\3jvpp.exec:\3jvpp.exe88⤵PID:2808
-
\??\c:\dpddd.exec:\dpddd.exe89⤵PID:2656
-
\??\c:\i088488.exec:\i088488.exe90⤵PID:2448
-
\??\c:\428244.exec:\428244.exe91⤵PID:1784
-
\??\c:\c044002.exec:\c044002.exe92⤵PID:1808
-
\??\c:\dpddj.exec:\dpddj.exe93⤵PID:1248
-
\??\c:\86024.exec:\86024.exe94⤵PID:1112
-
\??\c:\0466262.exec:\0466262.exe95⤵PID:2860
-
\??\c:\4020686.exec:\4020686.exe96⤵PID:2872
-
\??\c:\240848.exec:\240848.exe97⤵PID:2132
-
\??\c:\9rfxlfl.exec:\9rfxlfl.exe98⤵PID:2852
-
\??\c:\jdpjj.exec:\jdpjj.exe99⤵PID:2116
-
\??\c:\jvvpp.exec:\jvvpp.exe100⤵PID:2876
-
\??\c:\s0224.exec:\s0224.exe101⤵PID:1752
-
\??\c:\7bbtnh.exec:\7bbtnh.exe102⤵PID:3036
-
\??\c:\6462440.exec:\6462440.exe103⤵PID:820
-
\??\c:\9vppv.exec:\9vppv.exe104⤵PID:3012
-
\??\c:\s0660.exec:\s0660.exe105⤵PID:532
-
\??\c:\hnthbt.exec:\hnthbt.exe106⤵PID:2352
-
\??\c:\u428446.exec:\u428446.exe107⤵PID:2340
-
\??\c:\42400.exec:\42400.exe108⤵PID:268
-
\??\c:\8684624.exec:\8684624.exe109⤵PID:1492
-
\??\c:\bnhbht.exec:\bnhbht.exe110⤵PID:700
-
\??\c:\pdpvd.exec:\pdpvd.exe111⤵PID:396
-
\??\c:\thnbhn.exec:\thnbhn.exe112⤵PID:1596
-
\??\c:\i688266.exec:\i688266.exe113⤵PID:908
-
\??\c:\frrrxxx.exec:\frrrxxx.exe114⤵PID:2576
-
\??\c:\646688.exec:\646688.exe115⤵PID:2084
-
\??\c:\hbnttt.exec:\hbnttt.exe116⤵PID:2168
-
\??\c:\jdvvv.exec:\jdvvv.exe117⤵PID:2672
-
\??\c:\nbntbb.exec:\nbntbb.exe118⤵PID:2440
-
\??\c:\xxlrrlx.exec:\xxlrrlx.exe119⤵PID:3048
-
\??\c:\xlrrrfl.exec:\xlrrrfl.exe120⤵PID:2360
-
\??\c:\vjpvd.exec:\vjpvd.exe121⤵PID:2356
-
\??\c:\7lfxxxf.exec:\7lfxxxf.exe122⤵
- System Location Discovery: System Language Discovery
PID:3020