Analysis
max time kernel: 150s
max time network: 122s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 25-12-2024 18:48

Static task: static1 (1 signature)
Behavioral task: behavioral1
Sample: c13fc9f11a5f4ddaddd9b326a4f2dbf8f3ee17cd1dbb3aa1feb25158fe6f59cc.exe
Resource: win7-20240708-en (windows7-x64)
7 signatures, 150 seconds
General
Target: c13fc9f11a5f4ddaddd9b326a4f2dbf8f3ee17cd1dbb3aa1feb25158fe6f59cc.exe
Size: 455KB
MD5: 9857eaa42568b103d9f86b1554071cf8
SHA1: dd899c3b8e798fe17ad1d38cb81bdde486829503
SHA256: c13fc9f11a5f4ddaddd9b326a4f2dbf8f3ee17cd1dbb3aa1feb25158fe6f59cc
SHA512: d7ee82c6d64a2f4fb531e87c419f68ae90fc3942ae640b807f30df6677b5ddb96ebf481bde64c863920d408d0bb8ca19a1a8429f555fb0c8283b2a8434b57969
SSDEEP: 6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeR4:q7Tc2NYHUrAwfMp3CDR4
Malware Config
Signatures

Blackmoon family

Detect Blackmoon payload  39 IoCs
resource                                                                      yara_rule
behavioral1/memory/2432-8-0x0000000000400000-0x000000000042A000-memory.dmp    family_blackmoon
behavioral1/memory/2772-29-0x0000000000400000-0x000000000042A000-memory.dmp   family_blackmoon
behavioral1/memory/2672-75-0x0000000000400000-0x000000000042A000-memory.dmp   family_blackmoon
behavioral1/memory/1044-127-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/1440-263-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/2064-273-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/1768-301-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/2696-321-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/2712-348-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/2168-450-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/2044-457-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/308-512-0x0000000000400000-0x000000000042A000-memory.dmp   family_blackmoon
behavioral1/memory/1028-833-0x00000000002C0000-0x00000000002EA000-memory.dmp  family_blackmoon
behavioral1/memory/2464-992-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/2976-1080-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon
behavioral1/memory/2920-1189-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon
behavioral1/memory/2860-889-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/2332-852-0x0000000000220000-0x000000000024A000-memory.dmp  family_blackmoon
behavioral1/memory/2308-651-0x0000000000220000-0x000000000024A000-memory.dmp  family_blackmoon
behavioral1/memory/1876-489-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/1016-470-0x00000000003C0000-0x00000000003EA000-memory.dmp  family_blackmoon
behavioral1/memory/2188-437-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/1212-423-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/2364-299-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/2064-271-0x00000000003A0000-0x00000000003CA000-memory.dmp  family_blackmoon
behavioral1/memory/2952-243-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/1140-233-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/2140-197-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/1880-170-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/1816-152-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/764-144-0x0000000000400000-0x000000000042A000-memory.dmp   family_blackmoon
behavioral1/memory/1952-124-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/2648-107-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/584-105-0x0000000000400000-0x000000000042A000-memory.dmp   family_blackmoon
behavioral1/memory/3000-85-0x0000000000400000-0x000000000042A000-memory.dmp   family_blackmoon
behavioral1/memory/2548-66-0x0000000000400000-0x000000000042A000-memory.dmp   family_blackmoon
behavioral1/memory/2712-47-0x0000000000400000-0x000000000042A000-memory.dmp   family_blackmoon
behavioral1/memory/2784-38-0x0000000000400000-0x000000000042A000-memory.dmp   family_blackmoon
behavioral1/memory/2300-19-0x0000000000400000-0x000000000042A000-memory.dmp   family_blackmoon
Every hit region is 0x2A000 bytes. Most sit at the PE image base 0x400000; the six at other bases (0x1B0000, 0x220000, 0x2C0000, 0x3A0000, 0x3C0000) have the same size. The dump name is pid-index-start-end: the index, not the PID, identifies a dump, because PIDs are reused along the process chain.
Executes dropped EXE  64 IoCs
pid   Process
2300  m6884.exe
2772  rlrrxrx.exe
2784  flxlxfl.exe
2712  5bbhnn.exe
2876  1lxxrlr.exe
2548  q64866.exe
2672  rlffllf.exe
3000  3hhbhh.exe
792   402200.exe
584   1rfflff.exe
2648  5vvvd.exe
1952  jdppv.exe
1044  vpvpv.exe
764   i422884.exe
1816  5xfflff.exe
2836  bnbthb.exe
1880  m6440.exe
888   bnttbb.exe
2256  3tntbh.exe
2140  5xllxxx.exe
2160  424400.exe
672   9bbntt.exe
2920  6404448.exe
1140  60668.exe
2952  ttnhnt.exe
1552  rrflllr.exe
1440  7thbbb.exe
2064  vpjjd.exe
2464  jjddd.exe
2312  5tntbh.exe
2364  bththb.exe
1768  1hnntn.exe
1604  vjvdd.exe
2696  tnbtbb.exe
2800  486284.exe
2772  rlxxffl.exe
2652  bthnth.exe
2712  nhbhnn.exe
2564  7xrxxxf.exe
2600  64880.exe
1680  8088002.exe
816   3ntnbn.exe
2856  040400.exe
584   486240.exe
1276  408248.exe
1948  420628.exe
1520  dpvpp.exe
1800  m2668.exe
840   206682.exe
1212  0840840.exe
1644  48442.exe
2188  xxrrflr.exe
2132  bhhthh.exe
2168  lfxlrxf.exe
2044  xrllrrx.exe
1216  ffxlrfr.exe
1016  64686.exe
2956  k82062.exe
1752  g8628.exe
1876  jdpvp.exe
1552  8026600.exe
1440  pvpjj.exe
308   dpdjj.exe
2204  4826008.exe
The list is capped at 64 entries; the process tree below continues past it.
UPX packed file (yara_rule upx)  56 IoCs
resource                                                                      yara_rule
behavioral1/memory/2432-8-0x0000000000400000-0x000000000042A000-memory.dmp    upx
behavioral1/memory/2300-9-0x0000000000400000-0x000000000042A000-memory.dmp    upx
behavioral1/memory/2772-29-0x0000000000400000-0x000000000042A000-memory.dmp   upx
behavioral1/memory/2672-75-0x0000000000400000-0x000000000042A000-memory.dmp   upx
behavioral1/memory/1044-127-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2952-234-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/1440-263-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2064-273-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/1768-301-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2696-321-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2652-334-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2712-348-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2168-450-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2044-457-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/1552-490-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/308-512-0x0000000000400000-0x000000000042A000-memory.dmp   upx
behavioral1/memory/1680-596-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2724-816-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/1028-833-0x00000000002C0000-0x00000000002EA000-memory.dmp  upx
behavioral1/memory/2464-992-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2884-1221-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral1/memory/444-1190-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2620-1170-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral1/memory/2160-1162-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral1/memory/2000-1043-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral1/memory/2860-889-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2332-845-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/1028-830-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2808-778-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2308-651-0x0000000000220000-0x000000000024A000-memory.dmp  upx
behavioral1/memory/320-589-0x0000000000400000-0x000000000042A000-memory.dmp   upx
behavioral1/memory/1740-569-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/308-504-0x0000000000400000-0x000000000042A000-memory.dmp   upx
behavioral1/memory/1876-489-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2188-437-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/1644-424-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/1212-423-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/1276-385-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2364-299-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/1440-254-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2952-243-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/1140-233-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2140-197-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/1880-170-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/1816-152-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/764-144-0x0000000000400000-0x000000000042A000-memory.dmp   upx
behavioral1/memory/1952-124-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2648-107-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/584-105-0x0000000000400000-0x000000000042A000-memory.dmp   upx
behavioral1/memory/584-95-0x0000000000400000-0x000000000042A000-memory.dmp    upx
behavioral1/memory/792-86-0x0000000000400000-0x000000000042A000-memory.dmp    upx
behavioral1/memory/3000-85-0x0000000000400000-0x000000000042A000-memory.dmp   upx
behavioral1/memory/2548-66-0x0000000000400000-0x000000000042A000-memory.dmp   upx
behavioral1/memory/2712-47-0x0000000000400000-0x000000000042A000-memory.dmp   upx
behavioral1/memory/2784-38-0x0000000000400000-0x000000000042A000-memory.dmp   upx
behavioral1/memory/2300-19-0x0000000000400000-0x000000000042A000-memory.dmp   upx
The signature heading for this list did not survive extraction; the rule name is the report's own. The same dump often appears in both this list and the Blackmoon list (2432-8, 2300-19, 1028-833 and others), so the two should be joined per region rather than read as separate process sets.
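The two 'resource yara_rule' lists above are easiest to work with once each row is split into PID, dump index, address range and rule. The following Python is an added example written for this report, not Tria.ge code: it parses rows in the report's naming scheme, joins the Blackmoon and UPX hits per memory region, reports the region size, separates regions at the image base from those elsewhere, and picks the dumps worth extracting by (pid, dump index) rather than by PID. The sample rows are copied from this page; the selection of rows is the example's own, and the constant IMAGE_BASE is an assumption taken from the ranges shown.

```python
"""Join family_blackmoon and upx memory-dump hits of a Tria.ge report per region.
Added example for this report, not Tria.ge code."""
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set, Tuple

# Row layout as printed in the report: behavioral1/memory/<pid>-<index>-<start>-<end>-memory.dmp <rule>
DUMP_RE = re.compile(
    r"^behavioral1/memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp\s+(\S+)$"
)
IMAGE_BASE = 0x400000  # assumption: base of the dumped PE image in this report


class Dump(NamedTuple):
    pid: int
    index: int   # sandbox dump counter; identifies the dump (PIDs are reused)
    start: int
    end: int
    rule: str

    @property
    def size(self) -> int:
        return self.end - self.start


# Subset of this report's rows (values copied from the page; the selection is ours).
SAMPLE_ROWS = """\
behavioral1/memory/2432-8-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon
behavioral1/memory/2432-8-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral1/memory/2300-9-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral1/memory/2300-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon
behavioral1/memory/2300-19-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral1/memory/1028-830-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral1/memory/1028-833-0x00000000002C0000-0x00000000002EA000-memory.dmp family_blackmoon
behavioral1/memory/1028-833-0x00000000002C0000-0x00000000002EA000-memory.dmp upx
behavioral1/memory/2976-1080-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon
"""

Region = Tuple[int, int, int, int]  # pid, dump index, start, end


def parse_dumps(text: str) -> List[Dump]:
    dumps: List[Dump] = []
    for line in text.splitlines():
        m = DUMP_RE.match(line.strip())
        if not m:
            continue  # 'resource yara_rule' header or unrelated text
        pid, idx, start, end, rule = m.groups()
        dumps.append(Dump(int(pid), int(idx), int(start, 16), int(end, 16), rule))
    return dumps


def rules_by_region(dumps: List[Dump]) -> Dict[Region, Set[str]]:
    """One entry per dumped region with every rule that matched it."""
    out: Dict[Region, Set[str]] = defaultdict(set)
    for d in dumps:
        out[(d.pid, d.index, d.start, d.end)].add(d.rule)
    return dict(out)


def region_sizes(dumps: List[Dump]) -> Set[int]:
    return {d.size for d in dumps}


def off_image_base(dumps: List[Dump]) -> List[Tuple[int, int, int]]:
    """(pid, index, start) of regions that are not at the image base."""
    return sorted({(d.pid, d.index, d.start) for d in dumps if d.start != IMAGE_BASE})


def payload_dumps(dumps: List[Dump]) -> List[Tuple[int, int]]:
    """Dumps to pull for payload extraction: those the family rule fired on,
    keyed by (pid, dump index) because the same PID recurs along the chain."""
    return sorted({(d.pid, d.index) for d in dumps if d.rule == "family_blackmoon"})


def dumps_per_pid(dumps: List[Dump]) -> Dict[int, List[int]]:
    per: Dict[int, Set[int]] = defaultdict(set)
    for d in dumps:
        per[d.pid].add(d.index)
    return {pid: sorted(ix) for pid, ix in per.items()}


if __name__ == "__main__":
    ds = parse_dumps(SAMPLE_ROWS)
    for (pid, idx, start, end), rules in sorted(rules_by_region(ds).items()):
        print(f"pid {pid:5d} dump {idx:4d} 0x{start:08X}-0x{end:08X} ({end - start:#x}) {sorted(rules)}")
```

Paste the full lists from the report into SAMPLE_ROWS to get the complete join; the header line is skipped by the regex. PID 2300 has two dumps (9 and 19) of the same region and PID 1028 has one at the image base and one at 0x2C0000, which is why the dump index carries the identity.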
System Location Discovery: System Language Discovery  1 TTPs  64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                          Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  808800.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  jjpvp.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  206682.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  xlxllll.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  s6880.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  c862842.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  jjddd.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  424460.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  2640620.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  44242.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  82440.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  fxllfxr.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  s4064.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  ddvpd.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  vjvpp.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  60406.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  xfflrrf.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found  (47 further openings)
All 64 openings are of the same key; 17 are attributed to a named process and 47 to "Process not Found", which is the sandbox failing to resolve the opener's PID because that process had already exited (PIDs are reused rapidly along this chain). Several named processes here (808800.exe, s6880.exe, c862842.exe and others) lie beyond the depth at which the process tree below is cut off.
This read is visible because the sandbox hooks the registry API. Sysmon records key and value creation, deletion and modification (Event IDs 12 to 14), not reads, so this TTP does not surface in Sysmon registry events; catching it on an endpoint needs an API trace or the kernel registry ETW provider.
Suspicious use of WriteProcessMemory  64 IoCs
Each parent/child pair appears four times in the report (four WriteProcessMemory calls into the child the parent had just created); the table is collapsed to one row per pair with the count. procid_target is the sandbox's own process index for the target, not its PID.
pid   Process                                                             wrote to PID  procid_target  rows
2432  c13fc9f11a5f4ddaddd9b326a4f2dbf8f3ee17cd1dbb3aa1feb25158fe6f59cc.exe  2300          30             4
2300  m6884.exe                                                           2772          31             4
2772  rlrrxrx.exe                                                         2784          32             4
2784  flxlxfl.exe                                                         2712          33             4
2712  5bbhnn.exe                                                          2876          34             4
2876  1lxxrlr.exe                                                         2548          35             4
2548  q64866.exe                                                          2672          36             4
2672  rlffllf.exe                                                         3000          37             4
3000  3hhbhh.exe                                                          792           38             4
792   402200.exe                                                          584           39             4
584   1rfflff.exe                                                         2648          40             4
2648  5vvvd.exe                                                           1952          149            4
1952  jdppv.exe                                                           1044          42             4
1044  vpvpv.exe                                                           764           43             4
764   i422884.exe                                                         1816          44             4
1816  5xfflff.exe                                                         2836          45             4
The procid_target of 149 for the 5vvvd.exe row is as printed in the report; the other targets are numbered 30 to 45 consecutively. The list is capped at 64 rows, so it covers only the first 16 generations of a chain that the process tree shows continuing to depth 122.
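The chain above can be rebuilt from the rows mechanically. The following Python is an added example written for this report, not Tria.ge code: it parses rows in the report's column order (writer PID, target PID, writer PID again, writer image, target procid), collapses the four rows per pair into one edge, resolves each writer PID to the most recently created process with that PID (the process tree below shows PIDs being reused), and flags a chain in which every process spawns exactly one successor for several generations. The first six pairs are copied from this report; the last two pairs are constructed to exercise PID reuse (2772 is reused by rlxxffl.exe at depth 37 in the tree) and their procid values 900 and 901 are placeholders, not report data.

```python
"""Rebuild the process relay chain from Tria.ge 'Suspicious use of
WriteProcessMemory' rows and flag long dropper chains.
Added example for this report, not Tria.ge code."""
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\d+)$")

# First six parent->child pairs from the report, each emitted four times as the
# sandbox prints them. The last two pairs are CONSTRUCTED to exercise PID reuse;
# their procid values (900, 901) are placeholders, not values from the report.
_PAIRS = [
    (2432, 2300, "c13fc9f11a5f4ddaddd9b326a4f2dbf8f3ee17cd1dbb3aa1feb25158fe6f59cc.exe", 30),
    (2300, 2772, "m6884.exe", 31),
    (2772, 2784, "rlrrxrx.exe", 32),
    (2784, 2712, "flxlxfl.exe", 33),
    (2712, 2876, "5bbhnn.exe", 34),
    (2876, 2548, "1lxxrlr.exe", 35),
    (2800, 2772, "486284.exe", 900),
    (2772, 2652, "rlxxffl.exe", 901),
]
SAMPLE = "\n".join(
    f"PID {p} wrote to memory of {c} {p} {img} {procid}"
    for p, c, img, procid in _PAIRS for _ in range(4)
)

Event = Tuple[int, int, str, int]  # writer pid, target pid, writer image, target procid


@dataclass
class Proc:
    pid: int
    image: Optional[str] = None        # known once the process shows up as a writer
    children: List["Proc"] = field(default_factory=list)


def parse_rows(text: str) -> List[Event]:
    events: List[Event] = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue  # header or unrelated row
        ppid, cpid, ppid2, image, procid = m.groups()
        if ppid != ppid2:
            continue  # malformed row: both writer-PID columns must agree
        events.append((int(ppid), int(cpid), image, int(procid)))
    return events


def write_counts(events: List[Event]) -> Counter:
    """Number of WriteProcessMemory calls per (writer pid, target procid)."""
    return Counter((p, procid) for p, _, _, procid in events)


def build_trees(events: List[Event]) -> List[Proc]:
    """Collapse repeated rows into one edge and link writer -> target.
    A writer PID resolves to the most recently created process with that PID,
    because Windows reuses PIDs once earlier members of the chain exit."""
    latest: Dict[int, Proc] = {}
    roots: List[Proc] = []
    seen_edges = set()
    for ppid, cpid, image, procid in events:
        parent = latest.get(ppid)
        if parent is None:            # never seen as a target: a chain root
            parent = Proc(pid=ppid)
            latest[ppid] = parent
            roots.append(parent)
        parent.image = parent.image or image
        if (id(parent), procid) in seen_edges:
            continue                  # one of the four repeated rows
        seen_edges.add((id(parent), procid))
        child = Proc(pid=cpid)
        parent.children.append(child)
        latest[cpid] = child          # later writers with this PID are this process
    return roots


def longest_path(root: Proc) -> List[Proc]:
    best = [root]
    for child in root.children:
        cand = [root] + longest_path(child)
        if len(cand) > len(best):
            best = cand
    return best


def relay_images(root: Proc) -> List[str]:
    return [p.image or "?" for p in longest_path(root)]


def is_dropper_relay(root: Proc, min_depth: int = 5) -> bool:
    """True when each process spawns exactly one successor for min_depth
    generations: the one-child-per-generation pattern of this sample."""
    path = longest_path(root)
    return len(path) >= min_depth and all(len(p.children) == 1 for p in path[:-1])


if __name__ == "__main__":
    for r in build_trees(parse_rows(SAMPLE)):
        print(len(longest_path(r)), is_dropper_relay(r), " -> ".join(relay_images(r)))
```

The last node of a chain has no image because the report only names a process once it writes to a child; on the full list that is 2836 (bnbthb.exe in the tree). Feeding the complete 64 rows gives a single root of depth 17.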
Processes
Each row gives the depth in the chain (every process is the child of the row above it), the PID, the image path as launched, and the signatures attributed to that process. The root sample runs with the command line "C:\Users\Admin\AppData\Local\Temp\c13fc9f11a5f4ddaddd9b326a4f2dbf8f3ee17cd1dbb3aa1feb25158fe6f59cc.exe"; every dropped EXE is launched as \??\c:\<name>.exe with command line c:\<name>.exe. The tree as shown stops at depth 122. The signature lists are capped at 64 entries, so Executes dropped EXE is tagged only to depth 65 and Suspicious use of WriteProcessMemory only to depth 16; the absence of a tag below those depths reflects the cap.
PIDs recur along the chain (2772 at depths 3 and 37, 2712 at 5 and 39, 584 at 11 and 45, 1952 at 13 and 121, 1552 at 27 and 62, 1440 at 28 and 63, and others): earlier processes had exited and Windows reused their PIDs. Match rows across the report on dump index or procid, not on PID alone.

  1  PID 2432  C:\Users\Admin\AppData\Local\Temp\c13fc9f11a5f4ddaddd9b326a4f2dbf8f3ee17cd1dbb3aa1feb25158fe6f59cc.exe  Suspicious use of WriteProcessMemory
  2  PID 2300  \??\c:\m6884.exe  Executes dropped EXE; Suspicious use of WriteProcessMemory
  3  PID 2772  \??\c:\rlrrxrx.exe  Executes dropped EXE; Suspicious use of WriteProcessMemory
  4  PID 2784  \??\c:\flxlxfl.exe  Executes dropped EXE; Suspicious use of WriteProcessMemory
  5  PID 2712  \??\c:\5bbhnn.exe  Executes dropped EXE; Suspicious use of WriteProcessMemory
  6  PID 2876  \??\c:\1lxxrlr.exe  Executes dropped EXE; Suspicious use of WriteProcessMemory
  7  PID 2548  \??\c:\q64866.exe  Executes dropped EXE; Suspicious use of WriteProcessMemory
  8  PID 2672  \??\c:\rlffllf.exe  Executes dropped EXE; Suspicious use of WriteProcessMemory
  9  PID 3000  \??\c:\3hhbhh.exe  Executes dropped EXE; Suspicious use of WriteProcessMemory
 10  PID 792   \??\c:\402200.exe  Executes dropped EXE; Suspicious use of WriteProcessMemory
 11  PID 584   \??\c:\1rfflff.exe  Executes dropped EXE; Suspicious use of WriteProcessMemory
 12  PID 2648  \??\c:\5vvvd.exe  Executes dropped EXE; Suspicious use of WriteProcessMemory
 13  PID 1952  \??\c:\jdppv.exe  Executes dropped EXE; Suspicious use of WriteProcessMemory
 14  PID 1044  \??\c:\vpvpv.exe  Executes dropped EXE; Suspicious use of WriteProcessMemory
 15  PID 764   \??\c:\i422884.exe  Executes dropped EXE; Suspicious use of WriteProcessMemory
 16  PID 1816  \??\c:\5xfflff.exe  Executes dropped EXE; Suspicious use of WriteProcessMemory
 17  PID 2836  \??\c:\bnbthb.exe  Executes dropped EXE
 18  PID 1880  \??\c:\m6440.exe  Executes dropped EXE
 19  PID 888   \??\c:\bnttbb.exe  Executes dropped EXE
 20  PID 2256  \??\c:\3tntbh.exe  Executes dropped EXE
 21  PID 2140  \??\c:\5xllxxx.exe  Executes dropped EXE
 22  PID 2160  \??\c:\424400.exe  Executes dropped EXE
 23  PID 672   \??\c:\9bbntt.exe  Executes dropped EXE
 24  PID 2920  \??\c:\6404448.exe  Executes dropped EXE
 25  PID 1140  \??\c:\60668.exe  Executes dropped EXE
 26  PID 2952  \??\c:\ttnhnt.exe  Executes dropped EXE
 27  PID 1552  \??\c:\rrflllr.exe  Executes dropped EXE
 28  PID 1440  \??\c:\7thbbb.exe  Executes dropped EXE
 29  PID 2064  \??\c:\vpjjd.exe  Executes dropped EXE
 30  PID 2464  \??\c:\jjddd.exe  Executes dropped EXE; System Location Discovery: System Language Discovery
 31  PID 2312  \??\c:\5tntbh.exe  Executes dropped EXE
 32  PID 2364  \??\c:\bththb.exe  Executes dropped EXE
 33  PID 1768  \??\c:\1hnntn.exe  Executes dropped EXE
 34  PID 1604  \??\c:\vjvdd.exe  Executes dropped EXE
 35  PID 2696  \??\c:\tnbtbb.exe  Executes dropped EXE
 36  PID 2800  \??\c:\486284.exe  Executes dropped EXE
 37  PID 2772  \??\c:\rlxxffl.exe  Executes dropped EXE
 38  PID 2652  \??\c:\bthnth.exe  Executes dropped EXE
 39  PID 2712  \??\c:\nhbhnn.exe  Executes dropped EXE
 40  PID 2564  \??\c:\7xrxxxf.exe  Executes dropped EXE
 41  PID 2600  \??\c:\64880.exe  Executes dropped EXE
 42  PID 1680  \??\c:\8088002.exe  Executes dropped EXE
 43  PID 816   \??\c:\3ntnbn.exe  Executes dropped EXE
 44  PID 2856  \??\c:\040400.exe  Executes dropped EXE
 45  PID 584   \??\c:\486240.exe  Executes dropped EXE
 46  PID 1276  \??\c:\408248.exe  Executes dropped EXE
 47  PID 1948  \??\c:\420628.exe  Executes dropped EXE
 48  PID 1520  \??\c:\dpvpp.exe  Executes dropped EXE
 49  PID 1800  \??\c:\m2668.exe  Executes dropped EXE
 50  PID 840   \??\c:\206682.exe  Executes dropped EXE; System Location Discovery: System Language Discovery
 51  PID 1212  \??\c:\0840840.exe  Executes dropped EXE
 52  PID 1644  \??\c:\48442.exe  Executes dropped EXE
 53  PID 2188  \??\c:\xxrrflr.exe  Executes dropped EXE
 54  PID 2132  \??\c:\bhhthh.exe  Executes dropped EXE
 55  PID 2168  \??\c:\lfxlrxf.exe  Executes dropped EXE
 56  PID 2044  \??\c:\xrllrrx.exe  Executes dropped EXE
 57  PID 1216  \??\c:\ffxlrfr.exe  Executes dropped EXE
 58  PID 1016  \??\c:\64686.exe  Executes dropped EXE
 59  PID 2956  \??\c:\k82062.exe  Executes dropped EXE
 60  PID 1752  \??\c:\g8628.exe  Executes dropped EXE
 61  PID 1876  \??\c:\jdpvp.exe  Executes dropped EXE
 62  PID 1552  \??\c:\8026600.exe  Executes dropped EXE
 63  PID 1440  \??\c:\pvpjj.exe  Executes dropped EXE
 64  PID 308   \??\c:\dpdjj.exe  Executes dropped EXE
 65  PID 2204  \??\c:\4826008.exe  Executes dropped EXE
 66  PID 1756  \??\c:\llxxrrl.exe
 67  PID 2364  \??\c:\ppjvv.exe
 68  PID 1712  \??\c:\5pvdd.exe
 69  PID 1152  \??\c:\ddvdj.exe
 70  PID 2692  \??\c:\6462862.exe
 71  PID 3068  \??\c:\8240240.exe
 72  PID 2404  \??\c:\6044464.exe
 73  PID 2584  \??\c:\btbbhn.exe
 74  PID 1740  \??\c:\xrfflfl.exe
 75  PID 2016  \??\c:\ntntnt.exe
 76  PID 2424  \??\c:\tbhtth.exe
 77  PID 320   \??\c:\60266.exe
 78  PID 1680  \??\c:\5xrxxxf.exe
 79  PID 816   \??\c:\dvjjp.exe
 80  PID 2880  \??\c:\nhttnn.exe
 81  PID 2004  \??\c:\426028.exe
 82  PID 1940  \??\c:\86406.exe
 83  PID 2248  \??\c:\5rrxffx.exe
 84  PID 1496  \??\c:\vjppv.exe
 85  PID 2456  \??\c:\4826884.exe
 86  PID 2308  \??\c:\vdjpd.exe
 87  PID 332   \??\c:\m4628.exe
 88  PID 1828  \??\c:\2466602.exe
 89  PID 2912  \??\c:\vdppp.exe
 90  PID 1164  \??\c:\6040242.exe
 91  PID 2144  \??\c:\48204.exe
 92  PID 2828  \??\c:\a2006.exe
 93  PID 2044  \??\c:\9rffllr.exe
 94  PID 1216  \??\c:\pjpvj.exe
 95  PID 1016  \??\c:\5rllxxf.exe
 96  PID 2012  \??\c:\06466.exe
 97  PID 276   \??\c:\1bnntt.exe
 98  PID 916   \??\c:\64628.exe
 99  PID 3020  \??\c:\020408.exe
100  PID 2380  \??\c:\a6462.exe
101  PID 2464  \??\c:\9hbhnt.exe
102  PID 1748  \??\c:\pdppd.exe
103  PID 996   \??\c:\dddpd.exe
104  PID 1104  \??\c:\rlxxlfr.exe
105  PID 2412  \??\c:\tttbhh.exe
106  PID 2752  \??\c:\fxlfxlf.exe
107  PID 2660  \??\c:\u640846.exe
108  PID 2808  \??\c:\ttbhtt.exe
109  PID 2748  \??\c:\4424684.exe
110  PID 2848  \??\c:\0844406.exe
111  PID 2652  \??\c:\jpjvj.exe
112  PID 2560  \??\c:\1xfxxrr.exe
113  PID 2136  \??\c:\lxrxrrx.exe
114  PID 2724  \??\c:\ppjpj.exe
115  PID 2600  \??\c:\04442.exe
116  PID 1028  \??\c:\2022884.exe
117  PID 2588  \??\c:\80660.exe
118  PID 2332  \??\c:\fxfrrrf.exe
119  PID 2856  \??\c:\5vvdd.exe
120  PID 2708  \??\c:\600628.exe
121  PID 1952  \??\c:\04624.exe
122  PID 2028  \??\c:\ntthth.exe