Analysis
-
max time kernel
150s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64 arch:x86 image:win7-20240708-en locale:en-us os:windows7-x64 system -
submitted
25-12-2024 16:30
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
00849b86e66ff522ebd9894fe696469cbdbfc5af86604cbd037656055cdc48d7.exe
Resource
win7-20240708-en
windows7-x64
7 signatures
150 seconds
General
-
Target
00849b86e66ff522ebd9894fe696469cbdbfc5af86604cbd037656055cdc48d7.exe
-
Size
454KB
-
MD5
3d0c3ede265f4941fe4e5f167541b992
-
SHA1
d26ace4e53a45ea92ba1155d2b01c67ffa19c327
-
SHA256
00849b86e66ff522ebd9894fe696469cbdbfc5af86604cbd037656055cdc48d7
-
SHA512
b3c52103b699c67c26432baf4b84dbb5aab6e7bf6d28bfbea438aa629cd1b4272ead9243f8e0392dca9ef9529731299e93900aa873040758595154b7c922411f
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbej:q7Tc2NYHUrAwfMp3CDj
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 47 IoCs
resource yara_rule behavioral1/memory/2352-8-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2348-20-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2368-16-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2840-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2056-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2172-61-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2692-73-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2808-70-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2832-83-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2692-80-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1916-99-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3024-125-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1792-128-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2084-137-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2084-145-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1264-163-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/752-155-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2916-185-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1264-193-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2084-192-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1616-214-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/448-210-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1204-233-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1176-230-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2696-250-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1608-318-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1992-337-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2128-344-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2820-365-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2220-378-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2576-391-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/840-411-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2304-437-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1456-444-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2648-451-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1980-554-0x0000000000270000-0x000000000029A000-memory.dmp family_blackmoon behavioral1/memory/2024-576-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2500-583-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2840-595-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/2176-730-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1964-825-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1668-973-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/1080-1023-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/264-1033-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/620-1048-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1356-1061-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/1736-1087-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2368 242282.exe 2348 vjvdp.exe 2840 0806288.exe 2056 868800.exe 2532 btntbb.exe 2172 vjppp.exe 2808 800044.exe 2692 64482.exe 2832 8622440.exe 1916 808282.exe 2564 4244040.exe 1912 3vpdv.exe 3024 vjvvd.exe 1792 ffxxxfl.exe 2084 pdpjp.exe 752 8688006.exe 1264 4282222.exe 2860 20266.exe 2396 djdjv.exe 2916 84806.exe 1016 4262884.exe 448 w04464.exe 1616 82646.exe 1176 c866284.exe 1204 vvjpj.exe 908 w48462.exe 2696 664462.exe 2420 a4846.exe 2412 9bnnhh.exe 320 5nnntb.exe 896 i668624.exe 2480 1bbnbb.exe 2376 pjpvv.exe 2320 ttnnbh.exe 1608 8202442.exe 1952 6040228.exe 1996 882806.exe 1992 646844.exe 2128 tnhhtt.exe 2372 64842.exe 2668 xfxflrf.exe 2820 6844444.exe 2596 7xffrrx.exe 2220 4248002.exe 2616 5jdvj.exe 2576 2466606.exe 2632 04662.exe 2608 rxllrlr.exe 840 xxllrrf.exe 1484 nbbbtt.exe 1536 48006.exe 2312 806626.exe 2304 fxllxxl.exe 1456 frfflrx.exe 2648 8244242.exe 1700 dvvvj.exe 1908 486244.exe 2452 5pdjp.exe 2160 82664.exe 1480 k00682.exe 1016 3bbbtt.exe 1360 60840.exe 1720 c640684.exe 356 g8000.exe -
resource yara_rule behavioral1/memory/2352-8-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2348-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2368-16-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2840-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2056-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2172-61-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2692-73-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2808-70-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2832-83-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2692-80-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1916-91-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1916-99-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1792-128-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2084-137-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/752-147-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1264-163-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/752-155-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2860-165-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2916-185-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1616-214-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1204-233-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1176-230-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2696-250-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2420-258-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/1608-318-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1992-337-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2128-344-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2372-345-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2820-358-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2820-365-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2220-378-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2576-391-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2608-398-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/840-411-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1484-412-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2304-437-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1456-444-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2648-451-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2088-508-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/952-527-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/584-555-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2024-568-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2024-576-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2500-583-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2840-590-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2616-660-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2176-730-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/448-761-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/1596-780-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1964-825-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2248-875-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1668-973-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2916-1011-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/264-1026-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/620-1041-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2424-1094-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 60840.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2688402.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language k00682.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 868440.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8688046.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpjjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpdpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0806288.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 64664.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language u862806.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process 
not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language w20466.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 66464.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1jdjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9vpvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrrxfxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c466224.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2352 wrote to memory of 2368 2352 00849b86e66ff522ebd9894fe696469cbdbfc5af86604cbd037656055cdc48d7.exe 30 PID 2352 wrote to memory of 2368 2352 00849b86e66ff522ebd9894fe696469cbdbfc5af86604cbd037656055cdc48d7.exe 30 PID 2352 wrote to memory of 2368 2352 00849b86e66ff522ebd9894fe696469cbdbfc5af86604cbd037656055cdc48d7.exe 30 PID 2352 wrote to memory of 2368 2352 00849b86e66ff522ebd9894fe696469cbdbfc5af86604cbd037656055cdc48d7.exe 30 PID 2368 wrote to memory of 2348 2368 242282.exe 31 PID 2368 wrote to memory of 2348 2368 242282.exe 31 PID 2368 wrote to memory of 2348 2368 242282.exe 31 PID 2368 wrote to memory of 2348 2368 242282.exe 31 PID 2348 wrote to memory of 2840 2348 vjvdp.exe 32 PID 2348 wrote to memory of 2840 2348 vjvdp.exe 32 PID 2348 wrote to memory of 2840 2348 vjvdp.exe 32 PID 2348 wrote to memory of 2840 2348 vjvdp.exe 32 PID 2840 wrote to memory of 2056 2840 0806288.exe 33 PID 2840 wrote to memory of 2056 2840 0806288.exe 33 PID 2840 wrote to memory of 2056 2840 0806288.exe 33 PID 2840 wrote to memory of 2056 2840 0806288.exe 33 PID 2056 wrote to memory of 2532 2056 868800.exe 34 PID 2056 wrote to memory of 2532 2056 868800.exe 34 PID 2056 wrote to memory of 2532 2056 868800.exe 34 PID 2056 wrote to memory of 2532 2056 868800.exe 34 PID 2532 wrote to memory of 2172 2532 btntbb.exe 35 PID 2532 wrote to memory of 2172 2532 btntbb.exe 35 PID 2532 wrote to memory of 2172 2532 btntbb.exe 35 PID 2532 wrote to memory of 2172 2532 btntbb.exe 35 PID 2172 wrote to memory of 2808 2172 vjppp.exe 36 PID 2172 wrote to memory of 2808 2172 vjppp.exe 36 PID 2172 wrote to memory of 2808 2172 vjppp.exe 36 PID 2172 wrote to memory of 2808 2172 vjppp.exe 36 PID 2808 wrote to memory of 2692 2808 800044.exe 37 PID 2808 wrote to memory of 2692 2808 800044.exe 37 PID 2808 wrote to memory of 2692 2808 800044.exe 37 PID 2808 wrote to memory of 2692 2808 800044.exe 37 PID 2692 wrote to memory of 2832 2692 64482.exe 38 PID 2692 wrote to 
memory of 2832 2692 64482.exe 38 PID 2692 wrote to memory of 2832 2692 64482.exe 38 PID 2692 wrote to memory of 2832 2692 64482.exe 38 PID 2832 wrote to memory of 1916 2832 8622440.exe 39 PID 2832 wrote to memory of 1916 2832 8622440.exe 39 PID 2832 wrote to memory of 1916 2832 8622440.exe 39 PID 2832 wrote to memory of 1916 2832 8622440.exe 39 PID 1916 wrote to memory of 2564 1916 808282.exe 40 PID 1916 wrote to memory of 2564 1916 808282.exe 40 PID 1916 wrote to memory of 2564 1916 808282.exe 40 PID 1916 wrote to memory of 2564 1916 808282.exe 40 PID 2564 wrote to memory of 1912 2564 4244040.exe 41 PID 2564 wrote to memory of 1912 2564 4244040.exe 41 PID 2564 wrote to memory of 1912 2564 4244040.exe 41 PID 2564 wrote to memory of 1912 2564 4244040.exe 41 PID 1912 wrote to memory of 3024 1912 3vpdv.exe 42 PID 1912 wrote to memory of 3024 1912 3vpdv.exe 42 PID 1912 wrote to memory of 3024 1912 3vpdv.exe 42 PID 1912 wrote to memory of 3024 1912 3vpdv.exe 42 PID 3024 wrote to memory of 1792 3024 vjvvd.exe 43 PID 3024 wrote to memory of 1792 3024 vjvvd.exe 43 PID 3024 wrote to memory of 1792 3024 vjvvd.exe 43 PID 3024 wrote to memory of 1792 3024 vjvvd.exe 43 PID 1792 wrote to memory of 2084 1792 ffxxxfl.exe 44 PID 1792 wrote to memory of 2084 1792 ffxxxfl.exe 44 PID 1792 wrote to memory of 2084 1792 ffxxxfl.exe 44 PID 1792 wrote to memory of 2084 1792 ffxxxfl.exe 44 PID 2084 wrote to memory of 752 2084 pdpjp.exe 45 PID 2084 wrote to memory of 752 2084 pdpjp.exe 45 PID 2084 wrote to memory of 752 2084 pdpjp.exe 45 PID 2084 wrote to memory of 752 2084 pdpjp.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\00849b86e66ff522ebd9894fe696469cbdbfc5af86604cbd037656055cdc48d7.exe"C:\Users\Admin\AppData\Local\Temp\00849b86e66ff522ebd9894fe696469cbdbfc5af86604cbd037656055cdc48d7.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2352 -
\??\c:\242282.exec:\242282.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2368 -
\??\c:\vjvdp.exec:\vjvdp.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2348 -
\??\c:\0806288.exec:\0806288.exe4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2840 -
\??\c:\868800.exec:\868800.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2056 -
\??\c:\btntbb.exec:\btntbb.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2532 -
\??\c:\vjppp.exec:\vjppp.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2172 -
\??\c:\800044.exec:\800044.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2808 -
\??\c:\64482.exec:\64482.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2692 -
\??\c:\8622440.exec:\8622440.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2832 -
\??\c:\808282.exec:\808282.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1916 -
\??\c:\4244040.exec:\4244040.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2564 -
\??\c:\3vpdv.exec:\3vpdv.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1912 -
\??\c:\vjvvd.exec:\vjvvd.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3024 -
\??\c:\ffxxxfl.exec:\ffxxxfl.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1792 -
\??\c:\pdpjp.exec:\pdpjp.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2084 -
\??\c:\8688006.exec:\8688006.exe17⤵
- Executes dropped EXE
PID:752 -
\??\c:\4282222.exec:\4282222.exe18⤵
- Executes dropped EXE
PID:1264 -
\??\c:\20266.exec:\20266.exe19⤵
- Executes dropped EXE
PID:2860 -
\??\c:\djdjv.exec:\djdjv.exe20⤵
- Executes dropped EXE
PID:2396 -
\??\c:\84806.exec:\84806.exe21⤵
- Executes dropped EXE
PID:2916 -
\??\c:\4262884.exec:\4262884.exe22⤵
- Executes dropped EXE
PID:1016 -
\??\c:\w04464.exec:\w04464.exe23⤵
- Executes dropped EXE
PID:448 -
\??\c:\82646.exec:\82646.exe24⤵
- Executes dropped EXE
PID:1616 -
\??\c:\c866284.exec:\c866284.exe25⤵
- Executes dropped EXE
PID:1176 -
\??\c:\vvjpj.exec:\vvjpj.exe26⤵
- Executes dropped EXE
PID:1204 -
\??\c:\w48462.exec:\w48462.exe27⤵
- Executes dropped EXE
PID:908 -
\??\c:\664462.exec:\664462.exe28⤵
- Executes dropped EXE
PID:2696 -
\??\c:\a4846.exec:\a4846.exe29⤵
- Executes dropped EXE
PID:2420 -
\??\c:\9bnnhh.exec:\9bnnhh.exe30⤵
- Executes dropped EXE
PID:2412 -
\??\c:\5nnntb.exec:\5nnntb.exe31⤵
- Executes dropped EXE
PID:320 -
\??\c:\i668624.exec:\i668624.exe32⤵
- Executes dropped EXE
PID:896 -
\??\c:\1bbnbb.exec:\1bbnbb.exe33⤵
- Executes dropped EXE
PID:2480 -
\??\c:\pjpvv.exec:\pjpvv.exe34⤵
- Executes dropped EXE
PID:2376 -
\??\c:\ttnnbh.exec:\ttnnbh.exe35⤵
- Executes dropped EXE
PID:2320 -
\??\c:\8202442.exec:\8202442.exe36⤵
- Executes dropped EXE
PID:1608 -
\??\c:\6040228.exec:\6040228.exe37⤵
- Executes dropped EXE
PID:1952 -
\??\c:\882806.exec:\882806.exe38⤵
- Executes dropped EXE
PID:1996 -
\??\c:\646844.exec:\646844.exe39⤵
- Executes dropped EXE
PID:1992 -
\??\c:\tnhhtt.exec:\tnhhtt.exe40⤵
- Executes dropped EXE
PID:2128 -
\??\c:\64842.exec:\64842.exe41⤵
- Executes dropped EXE
PID:2372 -
\??\c:\xfxflrf.exec:\xfxflrf.exe42⤵
- Executes dropped EXE
PID:2668 -
\??\c:\6844444.exec:\6844444.exe43⤵
- Executes dropped EXE
PID:2820 -
\??\c:\7xffrrx.exec:\7xffrrx.exe44⤵
- Executes dropped EXE
PID:2596 -
\??\c:\4248002.exec:\4248002.exe45⤵
- Executes dropped EXE
PID:2220 -
\??\c:\5jdvj.exec:\5jdvj.exe46⤵
- Executes dropped EXE
PID:2616 -
\??\c:\2466606.exec:\2466606.exe47⤵
- Executes dropped EXE
PID:2576 -
\??\c:\04662.exec:\04662.exe48⤵
- Executes dropped EXE
PID:2632 -
\??\c:\rxllrlr.exec:\rxllrlr.exe49⤵
- Executes dropped EXE
PID:2608 -
\??\c:\xxllrrf.exec:\xxllrrf.exe50⤵
- Executes dropped EXE
PID:840 -
\??\c:\nbbbtt.exec:\nbbbtt.exe51⤵
- Executes dropped EXE
PID:1484 -
\??\c:\48006.exec:\48006.exe52⤵
- Executes dropped EXE
PID:1536 -
\??\c:\806626.exec:\806626.exe53⤵
- Executes dropped EXE
PID:2312 -
\??\c:\fxllxxl.exec:\fxllxxl.exe54⤵
- Executes dropped EXE
PID:2304 -
\??\c:\frfflrx.exec:\frfflrx.exe55⤵
- Executes dropped EXE
PID:1456 -
\??\c:\8244242.exec:\8244242.exe56⤵
- Executes dropped EXE
PID:2648 -
\??\c:\dvvvj.exec:\dvvvj.exe57⤵
- Executes dropped EXE
PID:1700 -
\??\c:\486244.exec:\486244.exe58⤵
- Executes dropped EXE
PID:1908 -
\??\c:\5pdjp.exec:\5pdjp.exe59⤵
- Executes dropped EXE
PID:2452 -
\??\c:\82664.exec:\82664.exe60⤵
- Executes dropped EXE
PID:2160 -
\??\c:\k00682.exec:\k00682.exe61⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1480 -
\??\c:\3bbbtt.exec:\3bbbtt.exe62⤵
- Executes dropped EXE
PID:1016 -
\??\c:\60840.exec:\60840.exe63⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1360 -
\??\c:\c640684.exec:\c640684.exe64⤵
- Executes dropped EXE
PID:1720 -
\??\c:\g8000.exec:\g8000.exe65⤵
- Executes dropped EXE
PID:356 -
\??\c:\6462880.exec:\6462880.exe66⤵PID:2088
-
\??\c:\868884.exec:\868884.exe67⤵PID:1032
-
\??\c:\jdddj.exec:\jdddj.exe68⤵PID:2016
-
\??\c:\dvvpj.exec:\dvvpj.exe69⤵PID:952
-
\??\c:\vjdjv.exec:\vjdjv.exe70⤵PID:1648
-
\??\c:\9xxrxxf.exec:\9xxrxxf.exe71⤵PID:2448
-
\??\c:\602248.exec:\602248.exe72⤵PID:1980
-
\??\c:\086800.exec:\086800.exe73⤵PID:584
-
\??\c:\a6688.exec:\a6688.exe74⤵PID:2476
-
\??\c:\802226.exec:\802226.exe75⤵PID:2024
-
\??\c:\2022002.exec:\2022002.exe76⤵PID:2316
-
\??\c:\1rxxrll.exec:\1rxxrll.exe77⤵PID:2500
-
\??\c:\2488268.exec:\2488268.exe78⤵PID:2840
-
\??\c:\9nbtbb.exec:\9nbtbb.exe79⤵PID:2096
-
\??\c:\0428402.exec:\0428402.exe80⤵PID:2060
-
\??\c:\nbbhbt.exec:\nbbhbt.exe81⤵PID:2516
-
\??\c:\c248628.exec:\c248628.exe82⤵PID:1748
-
\??\c:\3vjdd.exec:\3vjdd.exe83⤵PID:2816
-
\??\c:\rlxxflx.exec:\rlxxflx.exe84⤵PID:2684
-
\??\c:\m2044.exec:\m2044.exe85⤵PID:2692
-
\??\c:\7jvdj.exec:\7jvdj.exe86⤵PID:2724
-
\??\c:\5xlxxrx.exec:\5xlxxrx.exe87⤵PID:2596
-
\??\c:\pjvvd.exec:\pjvvd.exe88⤵PID:2584
-
\??\c:\24044.exec:\24044.exe89⤵PID:2616
-
\??\c:\q26682.exec:\q26682.exe90⤵PID:2556
-
\??\c:\k04460.exec:\k04460.exe91⤵PID:2496
-
\??\c:\pvdvd.exec:\pvdvd.exe92⤵PID:2608
-
\??\c:\646626.exec:\646626.exe93⤵PID:840
-
\??\c:\jvjjd.exec:\jvjjd.exe94⤵PID:2108
-
\??\c:\648840.exec:\648840.exe95⤵PID:2084
-
\??\c:\9fxxxxx.exec:\9fxxxxx.exe96⤵PID:2384
-
\??\c:\26406.exec:\26406.exe97⤵PID:1808
-
\??\c:\64664.exec:\64664.exe98⤵
- System Location Discovery: System Language Discovery
PID:1316 -
\??\c:\ddddj.exec:\ddddj.exe99⤵PID:2176
-
\??\c:\frfflff.exec:\frfflff.exe100⤵PID:2240
-
\??\c:\rrrfrlr.exec:\rrrfrlr.exe101⤵PID:596
-
\??\c:\i022402.exec:\i022402.exe102⤵PID:2396
-
\??\c:\g4600.exec:\g4600.exe103⤵PID:2856
-
\??\c:\dpddd.exec:\dpddd.exe104⤵PID:1592
-
\??\c:\u266660.exec:\u266660.exe105⤵PID:448
-
\??\c:\8688006.exec:\8688006.exe106⤵PID:2880
-
\??\c:\4682266.exec:\4682266.exe107⤵PID:640
-
\??\c:\vpvvv.exec:\vpvvv.exe108⤵PID:1596
-
\??\c:\e42848.exec:\e42848.exe109⤵PID:1556
-
\??\c:\rxlfxxf.exec:\rxlfxxf.exe110⤵PID:1036
-
\??\c:\thbbbh.exec:\thbbbh.exe111⤵PID:1564
-
\??\c:\0844622.exec:\0844622.exe112⤵PID:2020
-
\??\c:\5htttn.exec:\5htttn.exe113⤵PID:560
-
\??\c:\lxxrrll.exec:\lxxrrll.exe114⤵PID:1964
-
\??\c:\68600.exec:\68600.exe115⤵PID:1864
-
\??\c:\644448.exec:\644448.exe116⤵PID:584
-
\??\c:\xffffrx.exec:\xffffrx.exe117⤵PID:784
-
\??\c:\4284448.exec:\4284448.exe118⤵PID:2340
-
\??\c:\nbnnnh.exec:\nbnnnh.exe119⤵PID:2324
-
\??\c:\0282204.exec:\0282204.exe120⤵PID:2320
-
\??\c:\9jvjd.exec:\9jvjd.exe121⤵PID:1608
-
\??\c:\86840.exec:\86840.exe122⤵PID:1276