Analysis
-
max time kernel
120s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system -
submitted
25-12-2024 17:02
Static task
static1
1 signature
Behavioral task
behavioral1
Sample
f0ccdc1089162a8f403fab61c0bbb432288685c636267bf7d46526a54a472df6.exe
Resource
win7-20241010-en
windows7-x64
7 signatures
120 seconds
General
-
Target
f0ccdc1089162a8f403fab61c0bbb432288685c636267bf7d46526a54a472df6.exe
-
Size
454KB
-
MD5
8165b3c2d204b1bc6101179c13e0d5f8
-
SHA1
535e615dc79a5d7f4e22621b99c6a985a5e545ed
-
SHA256
f0ccdc1089162a8f403fab61c0bbb432288685c636267bf7d46526a54a472df6
-
SHA512
57131deaab82bc337f8ac55c4667547bf8c694da3ac4831f5d089fb8cd712be155fc592f9d3f5660573823d2418ebd0b39d639eefff3524ed71b84ff85f3697a
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeX:q7Tc2NYHUrAwfMp3CDX
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 42 IoCs
resource yara_rule behavioral1/memory/2716-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2816-12-0x0000000000430000-0x000000000045A000-memory.dmp family_blackmoon behavioral1/memory/2816-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2736-27-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/876-31-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2636-39-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/760-64-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/716-76-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2276-74-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2704-100-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2976-140-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2980-137-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2916-129-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2120-157-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1564-160-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2428-184-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2168-199-0x0000000000230000-0x000000000025A000-memory.dmp family_blackmoon behavioral1/memory/1632-203-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2136-212-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/376-222-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1524-235-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon 
behavioral1/memory/764-288-0x0000000000430000-0x000000000045A000-memory.dmp family_blackmoon behavioral1/memory/764-290-0x0000000077B60000-0x0000000077C7F000-memory.dmp family_blackmoon behavioral1/memory/2808-306-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2620-342-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/784-356-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/340-384-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2860-397-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2300-424-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2516-446-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2588-453-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1224-472-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2764-583-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2764-581-0x0000000000230000-0x000000000025A000-memory.dmp family_blackmoon behavioral1/memory/2276-634-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2348-713-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1480-744-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1496-774-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1208-821-0x0000000000430000-0x000000000045A000-memory.dmp family_blackmoon behavioral1/memory/2840-891-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1516-935-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/1284-1054-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs (note: every dropped executable is written to the volume root, e.g. c:\48880.exe, and each one launches the next, forming a long parent→child chain — see the process tree below; .exe creation directly under C:\ by a non-installer process is itself a usable detection signal)
pid Process 2816 48880.exe 2736 ffxrlfr.exe 876 lflrxlx.exe 2636 g2682.exe 2604 q82824.exe 760 86402.exe 2276 4206886.exe 716 pjvvv.exe 2208 0428888.exe 2704 thnbbt.exe 2096 0822486.exe 2560 20208.exe 2916 4268068.exe 2980 4868440.exe 2976 m4460.exe 2120 nbhhbh.exe 1564 c602446.exe 768 nnbbnt.exe 2428 xrllrrf.exe 1924 fxfxlff.exe 2168 hbnbbh.exe 1632 q84622.exe 2136 4288006.exe 376 1bnntt.exe 1524 e22428.exe 3056 260240.exe 1004 3ththt.exe 1672 dpddj.exe 1616 hbhnnb.exe 1236 fxrfllx.exe 2004 264688.exe 764 dvpvd.exe 2808 hbbhnb.exe 2572 ddpdp.exe 2880 486648.exe 876 08628.exe 280 vjvvd.exe 2620 1xllrrf.exe 2668 u248888.exe 1736 042866.exe 784 vjjpd.exe 716 o620044.exe 1420 80000.exe 340 7bhbhb.exe 2304 xrlrflx.exe 2860 86468.exe 2560 w46622.exe 2876 tbthtb.exe 2660 dpddj.exe 2300 m4280.exe 576 nhbhnb.exe 2996 hbnbhh.exe 2516 06462.exe 2588 08246.exe 2464 a6046.exe 2400 q08422.exe 1224 82066.exe 956 86406.exe 1604 llflrfl.exe 2496 vpjjp.exe 2072 0422886.exe 2188 48684.exe 1812 pjdjp.exe 1524 vdpvd.exe -
resource yara_rule behavioral1/memory/2716-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2816-12-0x0000000000430000-0x000000000045A000-memory.dmp upx behavioral1/memory/2736-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2816-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2736-27-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/876-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2636-39-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/760-64-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/716-76-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2276-74-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2704-100-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2976-140-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2980-137-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2916-129-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2120-149-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2120-157-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1564-160-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2428-184-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1632-203-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2136-212-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/376-222-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3056-239-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1536-292-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2808-306-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2880-315-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/280-328-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2620-335-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2620-342-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2668-343-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/784-356-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/340-384-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2860-397-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2660-410-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2300-424-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/576-425-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2516-446-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2588-453-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1224-472-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1604-479-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2764-583-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2080-596-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2276-634-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2088-699-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2348-713-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1480-744-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/836-793-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2840-891-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1064-916-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/1968-960-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1284-1047-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1892-1055-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location (ATT&CK T1614.001). Caveat for triage: the key read here, HKLM\SYSTEM\ControlSet001\Control\NLS\Language, is also read by ordinary locale-aware software, so this hit alone is weak evidence of geo-targeting; many entries below are attributed to "Process not Found", most likely because the short-lived dropped processes had already exited before the sandbox resolved their PIDs.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language q08260.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 46224.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxxrlff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjddp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxfrxxx.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2688482.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frxxxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 24282.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 80228.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 08628.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5bhbbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 86222.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language s4608.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language g2682.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tthbnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language w46622.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs (note: each parent performs four writes into its freshly spawned child immediately after creation, which is consistent with ordinary process start-up set-up rather than code injection into a foreign process — treat as corroborating, not primary, evidence. PIDs are reused within this run, e.g. 876, 716 and 2560 each appear for two different executables, so correlate memory-dump IoCs by PID plus image name, not PID alone.)
description pid Process procid_target PID 2716 wrote to memory of 2816 2716 f0ccdc1089162a8f403fab61c0bbb432288685c636267bf7d46526a54a472df6.exe 30 PID 2716 wrote to memory of 2816 2716 f0ccdc1089162a8f403fab61c0bbb432288685c636267bf7d46526a54a472df6.exe 30 PID 2716 wrote to memory of 2816 2716 f0ccdc1089162a8f403fab61c0bbb432288685c636267bf7d46526a54a472df6.exe 30 PID 2716 wrote to memory of 2816 2716 f0ccdc1089162a8f403fab61c0bbb432288685c636267bf7d46526a54a472df6.exe 30 PID 2816 wrote to memory of 2736 2816 48880.exe 31 PID 2816 wrote to memory of 2736 2816 48880.exe 31 PID 2816 wrote to memory of 2736 2816 48880.exe 31 PID 2816 wrote to memory of 2736 2816 48880.exe 31 PID 2736 wrote to memory of 876 2736 ffxrlfr.exe 32 PID 2736 wrote to memory of 876 2736 ffxrlfr.exe 32 PID 2736 wrote to memory of 876 2736 ffxrlfr.exe 32 PID 2736 wrote to memory of 876 2736 ffxrlfr.exe 32 PID 876 wrote to memory of 2636 876 lflrxlx.exe 33 PID 876 wrote to memory of 2636 876 lflrxlx.exe 33 PID 876 wrote to memory of 2636 876 lflrxlx.exe 33 PID 876 wrote to memory of 2636 876 lflrxlx.exe 33 PID 2636 wrote to memory of 2604 2636 g2682.exe 34 PID 2636 wrote to memory of 2604 2636 g2682.exe 34 PID 2636 wrote to memory of 2604 2636 g2682.exe 34 PID 2636 wrote to memory of 2604 2636 g2682.exe 34 PID 2604 wrote to memory of 760 2604 q82824.exe 35 PID 2604 wrote to memory of 760 2604 q82824.exe 35 PID 2604 wrote to memory of 760 2604 q82824.exe 35 PID 2604 wrote to memory of 760 2604 q82824.exe 35 PID 760 wrote to memory of 2276 760 86402.exe 36 PID 760 wrote to memory of 2276 760 86402.exe 36 PID 760 wrote to memory of 2276 760 86402.exe 36 PID 760 wrote to memory of 2276 760 86402.exe 36 PID 2276 wrote to memory of 716 2276 4206886.exe 37 PID 2276 wrote to memory of 716 2276 4206886.exe 37 PID 2276 wrote to memory of 716 2276 4206886.exe 37 PID 2276 wrote to memory of 716 2276 4206886.exe 37 PID 716 wrote to memory of 2208 716 pjvvv.exe 38 PID 716 wrote to memory of 2208 716 
pjvvv.exe 38 PID 716 wrote to memory of 2208 716 pjvvv.exe 38 PID 716 wrote to memory of 2208 716 pjvvv.exe 38 PID 2208 wrote to memory of 2704 2208 0428888.exe 39 PID 2208 wrote to memory of 2704 2208 0428888.exe 39 PID 2208 wrote to memory of 2704 2208 0428888.exe 39 PID 2208 wrote to memory of 2704 2208 0428888.exe 39 PID 2704 wrote to memory of 2096 2704 thnbbt.exe 40 PID 2704 wrote to memory of 2096 2704 thnbbt.exe 40 PID 2704 wrote to memory of 2096 2704 thnbbt.exe 40 PID 2704 wrote to memory of 2096 2704 thnbbt.exe 40 PID 2096 wrote to memory of 2560 2096 0822486.exe 41 PID 2096 wrote to memory of 2560 2096 0822486.exe 41 PID 2096 wrote to memory of 2560 2096 0822486.exe 41 PID 2096 wrote to memory of 2560 2096 0822486.exe 41 PID 2560 wrote to memory of 2916 2560 20208.exe 42 PID 2560 wrote to memory of 2916 2560 20208.exe 42 PID 2560 wrote to memory of 2916 2560 20208.exe 42 PID 2560 wrote to memory of 2916 2560 20208.exe 42 PID 2916 wrote to memory of 2980 2916 4268068.exe 43 PID 2916 wrote to memory of 2980 2916 4268068.exe 43 PID 2916 wrote to memory of 2980 2916 4268068.exe 43 PID 2916 wrote to memory of 2980 2916 4268068.exe 43 PID 2980 wrote to memory of 2976 2980 4868440.exe 44 PID 2980 wrote to memory of 2976 2980 4868440.exe 44 PID 2980 wrote to memory of 2976 2980 4868440.exe 44 PID 2980 wrote to memory of 2976 2980 4868440.exe 44 PID 2976 wrote to memory of 2120 2976 m4460.exe 45 PID 2976 wrote to memory of 2120 2976 m4460.exe 45 PID 2976 wrote to memory of 2120 2976 m4460.exe 45 PID 2976 wrote to memory of 2120 2976 m4460.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\f0ccdc1089162a8f403fab61c0bbb432288685c636267bf7d46526a54a472df6.exe"C:\Users\Admin\AppData\Local\Temp\f0ccdc1089162a8f403fab61c0bbb432288685c636267bf7d46526a54a472df6.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2716 -
\??\c:\48880.exec:\48880.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2816 -
\??\c:\ffxrlfr.exec:\ffxrlfr.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2736 -
\??\c:\lflrxlx.exec:\lflrxlx.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:876 -
\??\c:\g2682.exec:\g2682.exe5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2636 -
\??\c:\q82824.exec:\q82824.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2604 -
\??\c:\86402.exec:\86402.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:760 -
\??\c:\4206886.exec:\4206886.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2276 -
\??\c:\pjvvv.exec:\pjvvv.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:716 -
\??\c:\0428888.exec:\0428888.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2208 -
\??\c:\thnbbt.exec:\thnbbt.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2704 -
\??\c:\0822486.exec:\0822486.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2096 -
\??\c:\20208.exec:\20208.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2560 -
\??\c:\4268068.exec:\4268068.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2916 -
\??\c:\4868440.exec:\4868440.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2980 -
\??\c:\m4460.exec:\m4460.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2976 -
\??\c:\nbhhbh.exec:\nbhhbh.exe17⤵
- Executes dropped EXE
PID:2120 -
\??\c:\c602446.exec:\c602446.exe18⤵
- Executes dropped EXE
PID:1564 -
\??\c:\nnbbnt.exec:\nnbbnt.exe19⤵
- Executes dropped EXE
PID:768 -
\??\c:\xrllrrf.exec:\xrllrrf.exe20⤵
- Executes dropped EXE
PID:2428 -
\??\c:\fxfxlff.exec:\fxfxlff.exe21⤵
- Executes dropped EXE
PID:1924 -
\??\c:\hbnbbh.exec:\hbnbbh.exe22⤵
- Executes dropped EXE
PID:2168 -
\??\c:\q84622.exec:\q84622.exe23⤵
- Executes dropped EXE
PID:1632 -
\??\c:\4288006.exec:\4288006.exe24⤵
- Executes dropped EXE
PID:2136 -
\??\c:\1bnntt.exec:\1bnntt.exe25⤵
- Executes dropped EXE
PID:376 -
\??\c:\e22428.exec:\e22428.exe26⤵
- Executes dropped EXE
PID:1524 -
\??\c:\260240.exec:\260240.exe27⤵
- Executes dropped EXE
PID:3056 -
\??\c:\3ththt.exec:\3ththt.exe28⤵
- Executes dropped EXE
PID:1004 -
\??\c:\dpddj.exec:\dpddj.exe29⤵
- Executes dropped EXE
PID:1672 -
\??\c:\hbhnnb.exec:\hbhnnb.exe30⤵
- Executes dropped EXE
PID:1616 -
\??\c:\fxrfllx.exec:\fxrfllx.exe31⤵
- Executes dropped EXE
PID:1236 -
\??\c:\264688.exec:\264688.exe32⤵
- Executes dropped EXE
PID:2004 -
\??\c:\dvpvd.exec:\dvpvd.exe33⤵
- Executes dropped EXE
PID:764 -
\??\c:\i662888.exec:\i662888.exe34⤵PID:1536
-
\??\c:\hbbhnb.exec:\hbbhnb.exe35⤵
- Executes dropped EXE
PID:2808 -
\??\c:\ddpdp.exec:\ddpdp.exe36⤵
- Executes dropped EXE
PID:2572 -
\??\c:\486648.exec:\486648.exe37⤵
- Executes dropped EXE
PID:2880 -
\??\c:\08628.exec:\08628.exe38⤵
- Executes dropped EXE
PID:876 -
\??\c:\vjvvd.exec:\vjvvd.exe39⤵
- Executes dropped EXE
PID:280 -
\??\c:\1xllrrf.exec:\1xllrrf.exe40⤵
- Executes dropped EXE
PID:2620 -
\??\c:\u248888.exec:\u248888.exe41⤵
- Executes dropped EXE
PID:2668 -
\??\c:\042866.exec:\042866.exe42⤵
- Executes dropped EXE
PID:1736 -
\??\c:\vjjpd.exec:\vjjpd.exe43⤵
- Executes dropped EXE
PID:784 -
\??\c:\o620044.exec:\o620044.exe44⤵
- Executes dropped EXE
PID:716 -
\??\c:\80000.exec:\80000.exe45⤵
- Executes dropped EXE
PID:1420 -
\??\c:\7bhbhb.exec:\7bhbhb.exe46⤵
- Executes dropped EXE
PID:340 -
\??\c:\xrlrflx.exec:\xrlrflx.exe47⤵
- Executes dropped EXE
PID:2304 -
\??\c:\86468.exec:\86468.exe48⤵
- Executes dropped EXE
PID:2860 -
\??\c:\w46622.exec:\w46622.exe49⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2560 -
\??\c:\tbthtb.exec:\tbthtb.exe50⤵
- Executes dropped EXE
PID:2876 -
\??\c:\dpddj.exec:\dpddj.exe51⤵
- Executes dropped EXE
PID:2660 -
\??\c:\m4280.exec:\m4280.exe52⤵
- Executes dropped EXE
PID:2300 -
\??\c:\nhbhnb.exec:\nhbhnb.exe53⤵
- Executes dropped EXE
PID:576 -
\??\c:\hbnbhh.exec:\hbnbhh.exe54⤵
- Executes dropped EXE
PID:2996 -
\??\c:\06462.exec:\06462.exe55⤵
- Executes dropped EXE
PID:2516 -
\??\c:\08246.exec:\08246.exe56⤵
- Executes dropped EXE
PID:2588 -
\??\c:\a6046.exec:\a6046.exe57⤵
- Executes dropped EXE
PID:2464 -
\??\c:\q08422.exec:\q08422.exe58⤵
- Executes dropped EXE
PID:2400 -
\??\c:\82066.exec:\82066.exe59⤵
- Executes dropped EXE
PID:1224 -
\??\c:\86406.exec:\86406.exe60⤵
- Executes dropped EXE
PID:956 -
\??\c:\llflrfl.exec:\llflrfl.exe61⤵
- Executes dropped EXE
PID:1604 -
\??\c:\vpjjp.exec:\vpjjp.exe62⤵
- Executes dropped EXE
PID:2496 -
\??\c:\0422886.exec:\0422886.exe63⤵
- Executes dropped EXE
PID:2072 -
\??\c:\48684.exec:\48684.exe64⤵
- Executes dropped EXE
PID:2188 -
\??\c:\pjdjp.exec:\pjdjp.exe65⤵
- Executes dropped EXE
PID:1812 -
\??\c:\vdpvd.exec:\vdpvd.exe66⤵
- Executes dropped EXE
PID:1524 -
\??\c:\c688662.exec:\c688662.exe67⤵PID:3056
-
\??\c:\7rfrfff.exec:\7rfrfff.exe68⤵PID:1912
-
\??\c:\606840.exec:\606840.exe69⤵PID:1004
-
\??\c:\g4666.exec:\g4666.exe70⤵PID:2520
-
\??\c:\jjdpv.exec:\jjdpv.exe71⤵PID:848
-
\??\c:\08222.exec:\08222.exe72⤵PID:288
-
\??\c:\864684.exec:\864684.exe73⤵PID:2404
-
\??\c:\q86244.exec:\q86244.exe74⤵PID:2056
-
\??\c:\6860006.exec:\6860006.exe75⤵PID:1512
-
\??\c:\a8222.exec:\a8222.exe76⤵PID:2764
-
\??\c:\60888.exec:\60888.exe77⤵PID:2736
-
\??\c:\c022228.exec:\c022228.exe78⤵PID:2848
-
\??\c:\7rfrffr.exec:\7rfrffr.exe79⤵PID:2080
-
\??\c:\080626.exec:\080626.exe80⤵PID:2672
-
\??\c:\frxxxxx.exec:\frxxxxx.exe81⤵
- System Location Discovery: System Language Discovery
PID:2652 -
\??\c:\640066.exec:\640066.exe82⤵PID:2488
-
\??\c:\c026284.exec:\c026284.exe83⤵PID:2864
-
\??\c:\9hbbhn.exec:\9hbbhn.exe84⤵PID:2276
-
\??\c:\hnnhtt.exec:\hnnhtt.exe85⤵PID:2264
-
\??\c:\pjvvv.exec:\pjvvv.exe86⤵PID:2192
-
\??\c:\262222.exec:\262222.exe87⤵PID:2208
-
\??\c:\w02282.exec:\w02282.exe88⤵PID:2988
-
\??\c:\dvpjd.exec:\dvpjd.exe89⤵PID:1732
-
\??\c:\dppvv.exec:\dppvv.exe90⤵PID:2964
-
\??\c:\6088064.exec:\6088064.exe91⤵PID:2856
-
\??\c:\i800004.exec:\i800004.exe92⤵PID:1744
-
\??\c:\dvpdj.exec:\dvpdj.exe93⤵PID:1740
-
\??\c:\e00660.exec:\e00660.exe94⤵PID:1756
-
\??\c:\hbntnn.exec:\hbntnn.exe95⤵PID:2088
-
\??\c:\nbnhnb.exec:\nbnhnb.exe96⤵PID:2348
-
\??\c:\c466828.exec:\c466828.exe97⤵PID:3044
-
\??\c:\xlrlxrx.exec:\xlrlxrx.exe98⤵PID:704
-
\??\c:\q60024.exec:\q60024.exe99⤵PID:1760
-
\??\c:\g0888.exec:\g0888.exe100⤵PID:1984
-
\??\c:\pjvdp.exec:\pjvdp.exe101⤵PID:1480
-
\??\c:\lxxrlff.exec:\lxxrlff.exe102⤵
- System Location Discovery: System Language Discovery
PID:1412 -
\??\c:\hbthnh.exec:\hbthnh.exe103⤵PID:1444
-
\??\c:\jdjdd.exec:\jdjdd.exe104⤵PID:1472
-
\??\c:\806686.exec:\806686.exe105⤵PID:1496
-
\??\c:\3jpjp.exec:\3jpjp.exe106⤵PID:1356
-
\??\c:\7frrxxr.exec:\7frrxxr.exe107⤵PID:780
-
\??\c:\jdpjp.exec:\jdpjp.exe108⤵PID:1980
-
\??\c:\1htnnh.exec:\1htnnh.exe109⤵PID:836
-
\??\c:\9jjpj.exec:\9jjpj.exe110⤵PID:2164
-
\??\c:\5flfffl.exec:\5flfffl.exe111⤵PID:1672
-
\??\c:\6402040.exec:\6402040.exe112⤵PID:316
-
\??\c:\4244006.exec:\4244006.exe113⤵PID:1208
-
\??\c:\20840.exec:\20840.exe114⤵PID:2148
-
\??\c:\642888.exec:\642888.exe115⤵PID:1532
-
\??\c:\bntbbh.exec:\bntbbh.exe116⤵PID:1636
-
\??\c:\xxflllr.exec:\xxflllr.exe117⤵PID:2824
-
\??\c:\xxrrxfr.exec:\xxrrxfr.exe118⤵PID:2744
-
\??\c:\4806224.exec:\4806224.exe119⤵PID:2872
-
\??\c:\dpvpj.exec:\dpvpj.exe120⤵PID:2880
-
\??\c:\6006686.exec:\6006686.exe121⤵PID:2848
-
\??\c:\084466.exec:\084466.exe122⤵PID:2628