Analysis
-
max time kernel
105s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64 arch:x86 image:win7-20240708-en locale:en-us os:windows7-x64 system -
submitted
25-12-2024 19:26
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
fcae8d2661bf9bd1a4a0997762d99cae512aea271630535fffe7a26d100342de.exe
Resource
win7-20240708-en
windows7-x64
7 signatures
120 seconds
General
-
Target
fcae8d2661bf9bd1a4a0997762d99cae512aea271630535fffe7a26d100342de.exe
-
Size
456KB
-
MD5
bea6539d0a0597d9ed4a36085739c712
-
SHA1
c96dff2b19a4b7dac61df753bb3b8ec51046b600
-
SHA256
fcae8d2661bf9bd1a4a0997762d99cae512aea271630535fffe7a26d100342de
-
SHA512
f33fbf85be614a0f04993d0c40ada3977e47d518e043918fe9278d5bb4ab955303b30cea934a8521f7426903c4c9a1014b041cf9b64a146bb8f5faf43031381b
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeR2:q7Tc2NYHUrAwfMp3CDR2
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 47 IoCs
resource yara_rule behavioral1/memory/824-1-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2160-16-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2716-25-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2780-35-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2780-34-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2780-38-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2852-46-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2864-58-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2636-77-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2124-86-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2928-89-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1308-104-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2876-116-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2760-113-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2764-133-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2200-160-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2224-199-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1172-218-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1900-227-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/692-237-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/1480-247-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/632-255-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/632-257-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1044-265-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2576-329-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2708-343-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1196-356-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1308-395-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2932-462-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1740-469-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1784-488-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/952-496-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2980-515-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1468-522-0x0000000000260000-0x000000000028A000-memory.dmp family_blackmoon behavioral1/memory/1576-547-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2456-567-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2272-590-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2796-631-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2796-630-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2644-646-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2028-711-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1928-738-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon 
behavioral1/memory/1588-743-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2492-813-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2936-975-0x00000000001C0000-0x00000000001EA000-memory.dmp family_blackmoon behavioral1/memory/1392-1002-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1660-1035-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2160 420288.exe 2716 rrlrfrr.exe 2780 vpjvd.exe 2852 c828402.exe 2864 e04688.exe 2624 a0822.exe 2636 5dpdp.exe 2124 vppvv.exe 2928 3dddp.exe 1308 266806.exe 2760 7tnbnb.exe 2876 5rlxffl.exe 2088 1vpvd.exe 2764 422822.exe 1944 28026.exe 1892 9nttbh.exe 2200 9lfxfxf.exe 3036 5hbttt.exe 2448 djjpd.exe 752 1jdjj.exe 2224 7jjdj.exe 620 k26684.exe 1172 8202408.exe 1900 hbnnth.exe 692 nhtnbb.exe 1480 lfxflrf.exe 632 2640224.exe 1044 0428068.exe 2472 dpvjj.exe 1640 bthntn.exe 888 tnbbnt.exe 2136 9xrxrxf.exe 884 xrfrxrf.exe 2208 k88422.exe 2680 424066.exe 2800 bttbnt.exe 2576 0424668.exe 2844 w00240.exe 2708 8266842.exe 2832 4484620.exe 2684 e86800.exe 1196 6084628.exe 2636 nbbbhn.exe 2976 048066.exe 2640 bthhnb.exe 1340 28666.exe 1308 hbtbth.exe 1920 666868.exe 1864 60246.exe 2996 jdjjp.exe 2668 lxxflxr.exe 2764 82682.exe 1944 9bbbhn.exe 1388 2022424.exe 1948 2080284.exe 3032 tnthbb.exe 2932 bbthtb.exe 1740 rxxlfxx.exe 300 vpjjv.exe 1872 648664.exe 1784 hbbbbb.exe 952 648866.exe 1656 800846.exe 1876 q42288.exe -
resource yara_rule behavioral1/memory/824-1-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2160-16-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2780-27-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2716-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2780-34-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2780-38-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2852-46-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2864-58-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2124-78-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2636-77-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2124-86-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2928-89-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1308-104-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2876-116-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2760-113-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2764-133-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1892-150-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2200-160-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2224-199-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/620-201-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1172-218-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1900-227-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1480-247-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/632-257-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/1044-265-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2576-329-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2844-330-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2708-343-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1196-356-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2636-364-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1308-395-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2764-423-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1388-436-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2932-462-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1740-469-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1784-488-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/952-489-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2980-515-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1576-547-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2456-567-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2032-568-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2796-623-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2796-631-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2028-711-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1588-743-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2980-793-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2492-806-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/824-846-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2424-925-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2640-932-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1308-945-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1392-995-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1660-1035-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7hthht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfllrlr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 086800.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjdjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3pjjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 20246.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tntntn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htnbhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6026828.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 608800.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3hhhtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlxlrlr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language u484624.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 220200.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 824 wrote to memory of 2160 824 fcae8d2661bf9bd1a4a0997762d99cae512aea271630535fffe7a26d100342de.exe 31 PID 824 wrote to memory of 2160 824 fcae8d2661bf9bd1a4a0997762d99cae512aea271630535fffe7a26d100342de.exe 31 PID 824 wrote to memory of 2160 824 fcae8d2661bf9bd1a4a0997762d99cae512aea271630535fffe7a26d100342de.exe 31 PID 824 wrote to memory of 2160 824 fcae8d2661bf9bd1a4a0997762d99cae512aea271630535fffe7a26d100342de.exe 31 PID 2160 wrote to memory of 2716 2160 420288.exe 32 PID 2160 wrote to memory of 2716 2160 420288.exe 32 PID 2160 wrote to memory of 2716 2160 420288.exe 32 PID 2160 wrote to memory of 2716 2160 420288.exe 32 PID 2716 wrote to memory of 2780 2716 rrlrfrr.exe 33 PID 2716 wrote to memory of 2780 2716 rrlrfrr.exe 33 PID 2716 wrote to memory of 2780 2716 rrlrfrr.exe 33 PID 2716 wrote to memory of 2780 2716 rrlrfrr.exe 33 PID 2780 wrote to memory of 2852 2780 vpjvd.exe 34 PID 2780 wrote to memory of 2852 2780 vpjvd.exe 34 PID 2780 wrote to memory of 2852 2780 vpjvd.exe 34 PID 2780 wrote to memory of 2852 2780 vpjvd.exe 34 PID 2852 wrote to memory of 2864 2852 c828402.exe 35 PID 2852 wrote to memory of 2864 2852 c828402.exe 35 PID 2852 wrote to memory of 2864 2852 c828402.exe 35 PID 2852 wrote to memory of 2864 2852 c828402.exe 35 PID 2864 wrote to memory of 2624 2864 e04688.exe 36 PID 2864 wrote to memory of 2624 2864 e04688.exe 36 PID 2864 wrote to memory of 2624 2864 e04688.exe 36 PID 2864 wrote to memory of 2624 2864 e04688.exe 36 PID 2624 wrote to memory of 2636 2624 a0822.exe 37 PID 2624 wrote to memory of 2636 2624 a0822.exe 37 PID 2624 wrote to memory of 2636 2624 a0822.exe 37 PID 2624 wrote to memory of 2636 2624 a0822.exe 37 PID 2636 wrote to memory of 2124 2636 5dpdp.exe 38 PID 2636 wrote to memory of 2124 2636 5dpdp.exe 38 PID 2636 wrote to memory of 2124 2636 5dpdp.exe 38 PID 2636 wrote to memory of 2124 2636 5dpdp.exe 38 PID 2124 wrote to memory of 2928 2124 vppvv.exe 39 PID 2124 wrote to memory 
of 2928 2124 vppvv.exe 39 PID 2124 wrote to memory of 2928 2124 vppvv.exe 39 PID 2124 wrote to memory of 2928 2124 vppvv.exe 39 PID 2928 wrote to memory of 1308 2928 3dddp.exe 40 PID 2928 wrote to memory of 1308 2928 3dddp.exe 40 PID 2928 wrote to memory of 1308 2928 3dddp.exe 40 PID 2928 wrote to memory of 1308 2928 3dddp.exe 40 PID 1308 wrote to memory of 2760 1308 266806.exe 41 PID 1308 wrote to memory of 2760 1308 266806.exe 41 PID 1308 wrote to memory of 2760 1308 266806.exe 41 PID 1308 wrote to memory of 2760 1308 266806.exe 41 PID 2760 wrote to memory of 2876 2760 7tnbnb.exe 42 PID 2760 wrote to memory of 2876 2760 7tnbnb.exe 42 PID 2760 wrote to memory of 2876 2760 7tnbnb.exe 42 PID 2760 wrote to memory of 2876 2760 7tnbnb.exe 42 PID 2876 wrote to memory of 2088 2876 5rlxffl.exe 43 PID 2876 wrote to memory of 2088 2876 5rlxffl.exe 43 PID 2876 wrote to memory of 2088 2876 5rlxffl.exe 43 PID 2876 wrote to memory of 2088 2876 5rlxffl.exe 43 PID 2088 wrote to memory of 2764 2088 1vpvd.exe 44 PID 2088 wrote to memory of 2764 2088 1vpvd.exe 44 PID 2088 wrote to memory of 2764 2088 1vpvd.exe 44 PID 2088 wrote to memory of 2764 2088 1vpvd.exe 44 PID 2764 wrote to memory of 1944 2764 422822.exe 45 PID 2764 wrote to memory of 1944 2764 422822.exe 45 PID 2764 wrote to memory of 1944 2764 422822.exe 45 PID 2764 wrote to memory of 1944 2764 422822.exe 45 PID 1944 wrote to memory of 1892 1944 28026.exe 46 PID 1944 wrote to memory of 1892 1944 28026.exe 46 PID 1944 wrote to memory of 1892 1944 28026.exe 46 PID 1944 wrote to memory of 1892 1944 28026.exe 46
Processes
-
C:\Users\Admin\AppData\Local\Temp\fcae8d2661bf9bd1a4a0997762d99cae512aea271630535fffe7a26d100342de.exe"C:\Users\Admin\AppData\Local\Temp\fcae8d2661bf9bd1a4a0997762d99cae512aea271630535fffe7a26d100342de.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:824 -
\??\c:\420288.exec:\420288.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2160 -
\??\c:\rrlrfrr.exec:\rrlrfrr.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2716 -
\??\c:\vpjvd.exec:\vpjvd.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2780 -
\??\c:\c828402.exec:\c828402.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2852 -
\??\c:\e04688.exec:\e04688.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2864 -
\??\c:\a0822.exec:\a0822.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2624 -
\??\c:\5dpdp.exec:\5dpdp.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2636 -
\??\c:\vppvv.exec:\vppvv.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2124 -
\??\c:\3dddp.exec:\3dddp.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2928 -
\??\c:\266806.exec:\266806.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1308 -
\??\c:\7tnbnb.exec:\7tnbnb.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2760 -
\??\c:\5rlxffl.exec:\5rlxffl.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2876 -
\??\c:\1vpvd.exec:\1vpvd.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2088 -
\??\c:\422822.exec:\422822.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2764 -
\??\c:\28026.exec:\28026.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1944 -
\??\c:\9nttbh.exec:\9nttbh.exe17⤵
- Executes dropped EXE
PID:1892 -
\??\c:\9lfxfxf.exec:\9lfxfxf.exe18⤵
- Executes dropped EXE
PID:2200 -
\??\c:\5hbttt.exec:\5hbttt.exe19⤵
- Executes dropped EXE
PID:3036 -
\??\c:\djjpd.exec:\djjpd.exe20⤵
- Executes dropped EXE
PID:2448 -
\??\c:\1jdjj.exec:\1jdjj.exe21⤵
- Executes dropped EXE
PID:752 -
\??\c:\7jjdj.exec:\7jjdj.exe22⤵
- Executes dropped EXE
PID:2224 -
\??\c:\k26684.exec:\k26684.exe23⤵
- Executes dropped EXE
PID:620 -
\??\c:\8202408.exec:\8202408.exe24⤵
- Executes dropped EXE
PID:1172 -
\??\c:\hbnnth.exec:\hbnnth.exe25⤵
- Executes dropped EXE
PID:1900 -
\??\c:\nhtnbb.exec:\nhtnbb.exe26⤵
- Executes dropped EXE
PID:692 -
\??\c:\lfxflrf.exec:\lfxflrf.exe27⤵
- Executes dropped EXE
PID:1480 -
\??\c:\2640224.exec:\2640224.exe28⤵
- Executes dropped EXE
PID:632 -
\??\c:\0428068.exec:\0428068.exe29⤵
- Executes dropped EXE
PID:1044 -
\??\c:\dpvjj.exec:\dpvjj.exe30⤵
- Executes dropped EXE
PID:2472 -
\??\c:\bthntn.exec:\bthntn.exe31⤵
- Executes dropped EXE
PID:1640 -
\??\c:\tnbbnt.exec:\tnbbnt.exe32⤵
- Executes dropped EXE
PID:888 -
\??\c:\9xrxrxf.exec:\9xrxrxf.exe33⤵
- Executes dropped EXE
PID:2136 -
\??\c:\xrfrxrf.exec:\xrfrxrf.exe34⤵
- Executes dropped EXE
PID:884 -
\??\c:\k88422.exec:\k88422.exe35⤵
- Executes dropped EXE
PID:2208 -
\??\c:\424066.exec:\424066.exe36⤵
- Executes dropped EXE
PID:2680 -
\??\c:\bttbnt.exec:\bttbnt.exe37⤵
- Executes dropped EXE
PID:2800 -
\??\c:\0424668.exec:\0424668.exe38⤵
- Executes dropped EXE
PID:2576 -
\??\c:\w00240.exec:\w00240.exe39⤵
- Executes dropped EXE
PID:2844 -
\??\c:\8266842.exec:\8266842.exe40⤵
- Executes dropped EXE
PID:2708 -
\??\c:\4484620.exec:\4484620.exe41⤵
- Executes dropped EXE
PID:2832 -
\??\c:\e86800.exec:\e86800.exe42⤵
- Executes dropped EXE
PID:2684 -
\??\c:\6084628.exec:\6084628.exe43⤵
- Executes dropped EXE
PID:1196 -
\??\c:\nbbbhn.exec:\nbbbhn.exe44⤵
- Executes dropped EXE
PID:2636 -
\??\c:\048066.exec:\048066.exe45⤵
- Executes dropped EXE
PID:2976 -
\??\c:\bthhnb.exec:\bthhnb.exe46⤵
- Executes dropped EXE
PID:2640 -
\??\c:\28666.exec:\28666.exe47⤵
- Executes dropped EXE
PID:1340 -
\??\c:\hbtbth.exec:\hbtbth.exe48⤵
- Executes dropped EXE
PID:1308 -
\??\c:\666868.exec:\666868.exe49⤵
- Executes dropped EXE
PID:1920 -
\??\c:\60246.exec:\60246.exe50⤵
- Executes dropped EXE
PID:1864 -
\??\c:\jdjjp.exec:\jdjjp.exe51⤵
- Executes dropped EXE
PID:2996 -
\??\c:\lxxflxr.exec:\lxxflxr.exe52⤵
- Executes dropped EXE
PID:2668 -
\??\c:\82682.exec:\82682.exe53⤵
- Executes dropped EXE
PID:2764 -
\??\c:\9bbbhn.exec:\9bbbhn.exe54⤵
- Executes dropped EXE
PID:1944 -
\??\c:\2022424.exec:\2022424.exe55⤵
- Executes dropped EXE
PID:1388 -
\??\c:\2080284.exec:\2080284.exe56⤵
- Executes dropped EXE
PID:1948 -
\??\c:\tnthbb.exec:\tnthbb.exe57⤵
- Executes dropped EXE
PID:3032 -
\??\c:\bbthtb.exec:\bbthtb.exe58⤵
- Executes dropped EXE
PID:2932 -
\??\c:\rxxlfxx.exec:\rxxlfxx.exe59⤵
- Executes dropped EXE
PID:1740 -
\??\c:\vpjjv.exec:\vpjjv.exe60⤵
- Executes dropped EXE
PID:300 -
\??\c:\648664.exec:\648664.exe61⤵
- Executes dropped EXE
PID:1872 -
\??\c:\hbbbbb.exec:\hbbbbb.exe62⤵
- Executes dropped EXE
PID:1784 -
\??\c:\648866.exec:\648866.exe63⤵
- Executes dropped EXE
PID:952 -
\??\c:\800846.exec:\800846.exe64⤵
- Executes dropped EXE
PID:1656 -
\??\c:\q42288.exec:\q42288.exe65⤵
- Executes dropped EXE
PID:1876 -
\??\c:\dpppj.exec:\dpppj.exe66⤵PID:2980
-
\??\c:\bbnhtb.exec:\bbnhtb.exe67⤵PID:1468
-
\??\c:\llfrxfr.exec:\llfrxfr.exe68⤵PID:1616
-
\??\c:\2800602.exec:\2800602.exe69⤵PID:2512
-
\??\c:\k48428.exec:\k48428.exe70⤵PID:984
-
\??\c:\s6062.exec:\s6062.exe71⤵PID:1576
-
\??\c:\046806.exec:\046806.exe72⤵PID:352
-
\??\c:\tbnhnh.exec:\tbnhnh.exe73⤵PID:2272
-
\??\c:\6622440.exec:\6622440.exe74⤵PID:2456
-
\??\c:\44400.exec:\44400.exe75⤵PID:2032
-
\??\c:\268028.exec:\268028.exe76⤵PID:1492
-
\??\c:\424040.exec:\424040.exe77⤵PID:2720
-
\??\c:\1flllrl.exec:\1flllrl.exe78⤵PID:2700
-
\??\c:\fxlxlrx.exec:\fxlxlrx.exe79⤵PID:3012
-
\??\c:\26408.exec:\26408.exe80⤵PID:2788
-
\??\c:\o206224.exec:\o206224.exe81⤵PID:2780
-
\??\c:\g4246.exec:\g4246.exe82⤵PID:2612
-
\??\c:\ntnbbt.exec:\ntnbbt.exe83⤵PID:2796
-
\??\c:\rxrfrfr.exec:\rxrfrfr.exe84⤵PID:2580
-
\??\c:\8824444.exec:\8824444.exe85⤵PID:2644
-
\??\c:\26462.exec:\26462.exe86⤵PID:2124
-
\??\c:\20224.exec:\20224.exe87⤵PID:2260
-
\??\c:\w20028.exec:\w20028.exe88⤵PID:2268
-
\??\c:\3nbttb.exec:\3nbttb.exe89⤵PID:1340
-
\??\c:\djdjv.exec:\djdjv.exe90⤵PID:2964
-
\??\c:\820640.exec:\820640.exe91⤵PID:1920
-
\??\c:\1pjvd.exec:\1pjvd.exe92⤵PID:540
-
\??\c:\5jvjp.exec:\5jvjp.exe93⤵PID:2884
-
\??\c:\9rrrrfl.exec:\9rrrrfl.exe94⤵PID:2748
-
\??\c:\s8288.exec:\s8288.exe95⤵PID:2028
-
\??\c:\ttthbt.exec:\ttthbt.exe96⤵PID:1928
-
\??\c:\86844.exec:\86844.exe97⤵PID:1988
-
\??\c:\lfxflrf.exec:\lfxflrf.exe98⤵PID:2200
-
\??\c:\0460044.exec:\0460044.exe99⤵PID:2244
-
\??\c:\ttnthh.exec:\ttnthh.exe100⤵PID:1696
-
\??\c:\208806.exec:\208806.exe101⤵PID:1588
-
\??\c:\jdvpd.exec:\jdvpd.exe102⤵PID:448
-
\??\c:\84280.exec:\84280.exe103⤵PID:1660
-
\??\c:\vvjpp.exec:\vvjpp.exe104⤵PID:2568
-
\??\c:\pjdpj.exec:\pjdpj.exe105⤵PID:1236
-
\??\c:\04628.exec:\04628.exe106⤵PID:1436
-
\??\c:\3pvdd.exec:\3pvdd.exe107⤵PID:296
-
\??\c:\0244040.exec:\0244040.exe108⤵PID:2348
-
\??\c:\m8000.exec:\m8000.exe109⤵PID:2980
-
\??\c:\jvjdd.exec:\jvjdd.exe110⤵PID:2060
-
\??\c:\lfrxlrr.exec:\lfrxlrr.exe111⤵PID:2492
-
\??\c:\88202.exec:\88202.exe112⤵PID:2292
-
\??\c:\jjddj.exec:\jjddj.exe113⤵PID:1720
-
\??\c:\e42288.exec:\e42288.exe114⤵PID:568
-
\??\c:\04846.exec:\04846.exe115⤵PID:352
-
\??\c:\486240.exec:\486240.exe116⤵PID:2296
-
\??\c:\a6060.exec:\a6060.exe117⤵PID:824
-
\??\c:\044468.exec:\044468.exe118⤵PID:2408
-
\??\c:\22020.exec:\22020.exe119⤵PID:2676
-
\??\c:\2206220.exec:\2206220.exe120⤵PID:2804
-
\??\c:\c200624.exec:\c200624.exe121⤵PID:2716
-
\??\c:\264468.exec:\264468.exe122⤵PID:2916