Analysis
-
max time kernel
120s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64 arch:x86 image:win7-20240708-en locale:en-us os:windows7-x64 system -
submitted
26-12-2024 01:38
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
b4241cffe9506c4942ba6323ead61f768a0a4e2d3e4c90c32bb2b402ec64a8a0.exe
Resource
win7-20240708-en
windows7-x64
7 signatures
120 seconds
General
-
Target
b4241cffe9506c4942ba6323ead61f768a0a4e2d3e4c90c32bb2b402ec64a8a0.exe
-
Size
453KB
-
MD5
237db0dba06ba0ff851ab481e45b7465
-
SHA1
e52e1e83462c8b7e518d8c42d0c5a157c4530164
-
SHA256
b4241cffe9506c4942ba6323ead61f768a0a4e2d3e4c90c32bb2b402ec64a8a0
-
SHA512
627f7b6998f4c77d1bef4f78998998034085aa116a531abd8bc2665dab01af30f36609220f70eea20c92e4c839deda92d9b860f6f50a62672e66218ba43c3671
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeK:q7Tc2NYHUrAwfMp3CDK
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 47 IoCs
resource yara_rule behavioral1/memory/2804-20-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2324-16-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2308-8-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2676-40-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2752-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2560-68-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2172-56-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3032-77-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1424-88-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2932-98-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2932-97-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2068-125-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/480-136-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/480-137-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2620-147-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2036-175-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2408-178-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2408-181-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1860-204-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/964-223-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1752-233-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/1692-250-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2512-259-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2000-270-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2000-269-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2016-282-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2016-279-0x0000000000530000-0x000000000055A000-memory.dmp family_blackmoon behavioral1/memory/2456-290-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2144-296-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2820-319-0x00000000001C0000-0x00000000001EA000-memory.dmp family_blackmoon behavioral1/memory/2876-339-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2564-351-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2556-355-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2600-375-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/2660-383-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2596-396-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2376-415-0x00000000005C0000-0x00000000005EA000-memory.dmp family_blackmoon behavioral1/memory/2860-432-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1100-455-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2840-454-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2060-468-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2232-481-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon 
behavioral1/memory/712-484-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2428-514-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/2704-595-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2704-594-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2504-602-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2324 lxlrrrf.exe 2804 46222.exe 2752 a8002.exe 2676 lxxflfl.exe 2172 dpvvj.exe 2560 9vdvp.exe 3032 86446.exe 1424 3vdvv.exe 2932 rffffff.exe 3048 g4228.exe 588 jpvjp.exe 2068 q24400.exe 480 4626606.exe 2620 3thbhn.exe 2840 7vjjv.exe 1100 btbttn.exe 2036 k46660.exe 2408 826266.exe 444 i288888.exe 1860 dpppp.exe 1892 7hnbtt.exe 964 5ffrfff.exe 2980 bhbbhb.exe 1752 2640620.exe 1692 2066222.exe 2512 46262.exe 2000 46446.exe 2016 pjvpv.exe 2456 42402.exe 2144 pvvjp.exe 2704 2060044.exe 2820 jvjdp.exe 2812 rlxrxrx.exe 2564 7bnnnh.exe 2876 dpvpd.exe 2580 m4464.exe 2556 jpvvv.exe 1740 0422884.exe 2364 bthhht.exe 2600 rxlxfxr.exe 2832 xfrrxrx.exe 2660 6466228.exe 1800 86266.exe 2596 m8668.exe 1060 vjpjj.exe 2376 08002.exe 580 1htnnh.exe 2288 26880.exe 2860 dvpvj.exe 2856 4206842.exe 2840 1fxrffl.exe 1100 048800.exe 2060 i428446.exe 404 7jvdd.exe 2232 tnbtbb.exe 712 dvppv.exe 1120 xxlxrrl.exe 1892 jdppv.exe 940 btnthh.exe 2428 1lxxfff.exe 1532 5dppv.exe 1752 42064.exe 2080 2600846.exe 3000 k20662.exe -
resource yara_rule behavioral1/memory/2804-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2324-16-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2308-8-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2676-40-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2752-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2560-68-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3032-69-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2172-56-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3032-77-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1424-79-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1424-88-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2932-97-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2068-117-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2068-125-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/480-137-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2620-147-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1100-157-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2036-175-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2408-178-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1860-204-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/964-217-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/964-223-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1752-233-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1692-250-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2512-259-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2000-270-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2016-282-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2456-290-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2144-292-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2556-355-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2660-383-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2596-396-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2860-432-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1100-455-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2840-454-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2060-468-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/404-470-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/712-484-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2428-514-0x00000000003B0000-0x00000000003DA000-memory.dmp upx behavioral1/memory/3000-536-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2000-549-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2704-595-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2676-615-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnnnbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language o682262.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6040846.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 640448.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9dvdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language i824628.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1lflrrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5ntttn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 02828.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxllrrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2204040.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not 
Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttnnnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2080668.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 82246.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6084602.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2060044.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4206222.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2308 wrote to memory of 2324 2308 b4241cffe9506c4942ba6323ead61f768a0a4e2d3e4c90c32bb2b402ec64a8a0.exe 31 PID 2308 wrote to memory of 2324 2308 b4241cffe9506c4942ba6323ead61f768a0a4e2d3e4c90c32bb2b402ec64a8a0.exe 31 PID 2308 wrote to memory of 2324 2308 b4241cffe9506c4942ba6323ead61f768a0a4e2d3e4c90c32bb2b402ec64a8a0.exe 31 PID 2308 wrote to memory of 2324 2308 b4241cffe9506c4942ba6323ead61f768a0a4e2d3e4c90c32bb2b402ec64a8a0.exe 31 PID 2324 wrote to memory of 2804 2324 lxlrrrf.exe 32 PID 2324 wrote to memory of 2804 2324 lxlrrrf.exe 32 PID 2324 wrote to memory of 2804 2324 lxlrrrf.exe 32 PID 2324 wrote to memory of 2804 2324 lxlrrrf.exe 32 PID 2804 wrote to memory of 2752 2804 46222.exe 33 PID 2804 wrote to memory of 2752 2804 46222.exe 33 PID 2804 wrote to memory of 2752 2804 46222.exe 33 PID 2804 wrote to memory of 2752 2804 46222.exe 33 PID 2752 wrote to memory of 2676 2752 a8002.exe 34 PID 2752 wrote to memory of 2676 2752 a8002.exe 34 PID 2752 wrote to memory of 2676 2752 a8002.exe 34 PID 2752 wrote to memory of 2676 2752 a8002.exe 34 PID 2676 wrote to memory of 2172 2676 lxxflfl.exe 35 PID 2676 wrote to memory of 2172 2676 lxxflfl.exe 35 PID 2676 wrote to memory of 2172 2676 lxxflfl.exe 35 PID 2676 wrote to memory of 2172 2676 lxxflfl.exe 35 PID 2172 wrote to memory of 2560 2172 dpvvj.exe 36 PID 2172 wrote to memory of 2560 2172 dpvvj.exe 36 PID 2172 wrote to memory of 2560 2172 dpvvj.exe 36 PID 2172 wrote to memory of 2560 2172 dpvvj.exe 36 PID 2560 wrote to memory of 3032 2560 9vdvp.exe 37 PID 2560 wrote to memory of 3032 2560 9vdvp.exe 37 PID 2560 wrote to memory of 3032 2560 9vdvp.exe 37 PID 2560 wrote to memory of 3032 2560 9vdvp.exe 37 PID 3032 wrote to memory of 1424 3032 86446.exe 38 PID 3032 wrote to memory of 1424 3032 86446.exe 38 PID 3032 wrote to memory of 1424 3032 86446.exe 38 PID 3032 wrote to memory of 1424 3032 86446.exe 38 PID 1424 wrote to memory of 2932 1424 3vdvv.exe 39 PID 1424 wrote to memory 
of 2932 1424 3vdvv.exe 39 PID 1424 wrote to memory of 2932 1424 3vdvv.exe 39 PID 1424 wrote to memory of 2932 1424 3vdvv.exe 39 PID 2932 wrote to memory of 3048 2932 rffffff.exe 40 PID 2932 wrote to memory of 3048 2932 rffffff.exe 40 PID 2932 wrote to memory of 3048 2932 rffffff.exe 40 PID 2932 wrote to memory of 3048 2932 rffffff.exe 40 PID 3048 wrote to memory of 588 3048 g4228.exe 41 PID 3048 wrote to memory of 588 3048 g4228.exe 41 PID 3048 wrote to memory of 588 3048 g4228.exe 41 PID 3048 wrote to memory of 588 3048 g4228.exe 41 PID 588 wrote to memory of 2068 588 jpvjp.exe 42 PID 588 wrote to memory of 2068 588 jpvjp.exe 42 PID 588 wrote to memory of 2068 588 jpvjp.exe 42 PID 588 wrote to memory of 2068 588 jpvjp.exe 42 PID 2068 wrote to memory of 480 2068 q24400.exe 43 PID 2068 wrote to memory of 480 2068 q24400.exe 43 PID 2068 wrote to memory of 480 2068 q24400.exe 43 PID 2068 wrote to memory of 480 2068 q24400.exe 43 PID 480 wrote to memory of 2620 480 4626606.exe 44 PID 480 wrote to memory of 2620 480 4626606.exe 44 PID 480 wrote to memory of 2620 480 4626606.exe 44 PID 480 wrote to memory of 2620 480 4626606.exe 44 PID 2620 wrote to memory of 2840 2620 3thbhn.exe 45 PID 2620 wrote to memory of 2840 2620 3thbhn.exe 45 PID 2620 wrote to memory of 2840 2620 3thbhn.exe 45 PID 2620 wrote to memory of 2840 2620 3thbhn.exe 45 PID 2840 wrote to memory of 1100 2840 7vjjv.exe 46 PID 2840 wrote to memory of 1100 2840 7vjjv.exe 46 PID 2840 wrote to memory of 1100 2840 7vjjv.exe 46 PID 2840 wrote to memory of 1100 2840 7vjjv.exe 46
Processes
-
C:\Users\Admin\AppData\Local\Temp\b4241cffe9506c4942ba6323ead61f768a0a4e2d3e4c90c32bb2b402ec64a8a0.exe"C:\Users\Admin\AppData\Local\Temp\b4241cffe9506c4942ba6323ead61f768a0a4e2d3e4c90c32bb2b402ec64a8a0.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2308 -
\??\c:\lxlrrrf.exec:\lxlrrrf.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2324 -
\??\c:\46222.exec:\46222.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2804 -
\??\c:\a8002.exec:\a8002.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2752 -
\??\c:\lxxflfl.exec:\lxxflfl.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2676 -
\??\c:\dpvvj.exec:\dpvvj.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2172 -
\??\c:\9vdvp.exec:\9vdvp.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2560 -
\??\c:\86446.exec:\86446.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3032 -
\??\c:\3vdvv.exec:\3vdvv.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1424 -
\??\c:\rffffff.exec:\rffffff.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2932 -
\??\c:\g4228.exec:\g4228.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3048 -
\??\c:\jpvjp.exec:\jpvjp.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:588 -
\??\c:\q24400.exec:\q24400.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2068 -
\??\c:\4626606.exec:\4626606.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:480 -
\??\c:\3thbhn.exec:\3thbhn.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2620 -
\??\c:\7vjjv.exec:\7vjjv.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2840 -
\??\c:\btbttn.exec:\btbttn.exe17⤵
- Executes dropped EXE
PID:1100 -
\??\c:\k46660.exec:\k46660.exe18⤵
- Executes dropped EXE
PID:2036 -
\??\c:\826266.exec:\826266.exe19⤵
- Executes dropped EXE
PID:2408 -
\??\c:\i288888.exec:\i288888.exe20⤵
- Executes dropped EXE
PID:444 -
\??\c:\dpppp.exec:\dpppp.exe21⤵
- Executes dropped EXE
PID:1860 -
\??\c:\7hnbtt.exec:\7hnbtt.exe22⤵
- Executes dropped EXE
PID:1892 -
\??\c:\5ffrfff.exec:\5ffrfff.exe23⤵
- Executes dropped EXE
PID:964 -
\??\c:\bhbbhb.exec:\bhbbhb.exe24⤵
- Executes dropped EXE
PID:2980 -
\??\c:\2640620.exec:\2640620.exe25⤵
- Executes dropped EXE
PID:1752 -
\??\c:\2066222.exec:\2066222.exe26⤵
- Executes dropped EXE
PID:1692 -
\??\c:\46262.exec:\46262.exe27⤵
- Executes dropped EXE
PID:2512 -
\??\c:\46446.exec:\46446.exe28⤵
- Executes dropped EXE
PID:2000 -
\??\c:\pjvpv.exec:\pjvpv.exe29⤵
- Executes dropped EXE
PID:2016 -
\??\c:\42402.exec:\42402.exe30⤵
- Executes dropped EXE
PID:2456 -
\??\c:\pvvjp.exec:\pvvjp.exe31⤵
- Executes dropped EXE
PID:2144 -
\??\c:\2060044.exec:\2060044.exe32⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2704 -
\??\c:\jvjdp.exec:\jvjdp.exe33⤵
- Executes dropped EXE
PID:2820 -
\??\c:\rlxrxrx.exec:\rlxrxrx.exe34⤵
- Executes dropped EXE
PID:2812 -
\??\c:\7bnnnh.exec:\7bnnnh.exe35⤵
- Executes dropped EXE
PID:2564 -
\??\c:\dpvpd.exec:\dpvpd.exe36⤵
- Executes dropped EXE
PID:2876 -
\??\c:\m4464.exec:\m4464.exe37⤵
- Executes dropped EXE
PID:2580 -
\??\c:\jpvvv.exec:\jpvvv.exe38⤵
- Executes dropped EXE
PID:2556 -
\??\c:\0422884.exec:\0422884.exe39⤵
- Executes dropped EXE
PID:1740 -
\??\c:\bthhht.exec:\bthhht.exe40⤵
- Executes dropped EXE
PID:2364 -
\??\c:\rxlxfxr.exec:\rxlxfxr.exe41⤵
- Executes dropped EXE
PID:2600 -
\??\c:\xfrrxrx.exec:\xfrrxrx.exe42⤵
- Executes dropped EXE
PID:2832 -
\??\c:\6466228.exec:\6466228.exe43⤵
- Executes dropped EXE
PID:2660 -
\??\c:\86266.exec:\86266.exe44⤵
- Executes dropped EXE
PID:1800 -
\??\c:\m8668.exec:\m8668.exe45⤵
- Executes dropped EXE
PID:2596 -
\??\c:\vjpjj.exec:\vjpjj.exe46⤵
- Executes dropped EXE
PID:1060 -
\??\c:\08002.exec:\08002.exe47⤵
- Executes dropped EXE
PID:2376 -
\??\c:\1htnnh.exec:\1htnnh.exe48⤵
- Executes dropped EXE
PID:580 -
\??\c:\26880.exec:\26880.exe49⤵
- Executes dropped EXE
PID:2288 -
\??\c:\dvpvj.exec:\dvpvj.exe50⤵
- Executes dropped EXE
PID:2860 -
\??\c:\4206842.exec:\4206842.exe51⤵
- Executes dropped EXE
PID:2856 -
\??\c:\1fxrffl.exec:\1fxrffl.exe52⤵
- Executes dropped EXE
PID:2840 -
\??\c:\048800.exec:\048800.exe53⤵
- Executes dropped EXE
PID:1100 -
\??\c:\i428446.exec:\i428446.exe54⤵
- Executes dropped EXE
PID:2060 -
\??\c:\7jvdd.exec:\7jvdd.exe55⤵
- Executes dropped EXE
PID:404 -
\??\c:\tnbtbb.exec:\tnbtbb.exe56⤵
- Executes dropped EXE
PID:2232 -
\??\c:\dvppv.exec:\dvppv.exe57⤵
- Executes dropped EXE
PID:712 -
\??\c:\xxlxrrl.exec:\xxlxrrl.exe58⤵
- Executes dropped EXE
PID:1120 -
\??\c:\jdppv.exec:\jdppv.exe59⤵
- Executes dropped EXE
PID:1892 -
\??\c:\btnthh.exec:\btnthh.exe60⤵
- Executes dropped EXE
PID:940 -
\??\c:\1lxxfff.exec:\1lxxfff.exe61⤵
- Executes dropped EXE
PID:2428 -
\??\c:\5dppv.exec:\5dppv.exe62⤵
- Executes dropped EXE
PID:1532 -
\??\c:\42064.exec:\42064.exe63⤵
- Executes dropped EXE
PID:1752 -
\??\c:\2600846.exec:\2600846.exe64⤵
- Executes dropped EXE
PID:2080 -
\??\c:\k20662.exec:\k20662.exe65⤵
- Executes dropped EXE
PID:3000 -
\??\c:\5fxrfll.exec:\5fxrfll.exe66⤵PID:2332
-
\??\c:\djvjv.exec:\djvjv.exe67⤵PID:2000
-
\??\c:\9dvvv.exec:\9dvvv.exe68⤵PID:1852
-
\??\c:\04480.exec:\04480.exe69⤵PID:2088
-
\??\c:\486628.exec:\486628.exe70⤵PID:2456
-
\??\c:\648466.exec:\648466.exe71⤵PID:2504
-
\??\c:\bbnntt.exec:\bbnntt.exe72⤵PID:2212
-
\??\c:\086246.exec:\086246.exe73⤵PID:2704
-
\??\c:\8684406.exec:\8684406.exe74⤵PID:2712
-
\??\c:\0400228.exec:\0400228.exe75⤵PID:2804
-
\??\c:\lxllxxf.exec:\lxllxxf.exe76⤵PID:2948
-
\??\c:\64228.exec:\64228.exe77⤵PID:2676
-
\??\c:\0480224.exec:\0480224.exe78⤵PID:2608
-
\??\c:\4244846.exec:\4244846.exe79⤵PID:2760
-
\??\c:\btnntt.exec:\btnntt.exe80⤵PID:2552
-
\??\c:\42480.exec:\42480.exe81⤵PID:3056
-
\??\c:\w86248.exec:\w86248.exe82⤵PID:1760
-
\??\c:\20888.exec:\20888.exe83⤵PID:2924
-
\??\c:\pjdjd.exec:\pjdjd.exe84⤵PID:2832
-
\??\c:\048848.exec:\048848.exe85⤵PID:2356
-
\??\c:\042806.exec:\042806.exe86⤵PID:2156
-
\??\c:\26620.exec:\26620.exe87⤵PID:2596
-
\??\c:\6040620.exec:\6040620.exe88⤵PID:1616
-
\??\c:\jdvdj.exec:\jdvdj.exe89⤵PID:1196
-
\??\c:\862844.exec:\862844.exe90⤵PID:684
-
\??\c:\7pjjp.exec:\7pjjp.exe91⤵PID:2868
-
\??\c:\0480284.exec:\0480284.exe92⤵PID:2852
-
\??\c:\9lfllll.exec:\9lfllll.exe93⤵PID:1960
-
\??\c:\xlxflrx.exec:\xlxflrx.exe94⤵PID:2440
-
\??\c:\w40622.exec:\w40622.exe95⤵PID:1356
-
\??\c:\9dvdd.exec:\9dvdd.exe96⤵
- System Location Discovery: System Language Discovery
PID:2092 -
\??\c:\8262002.exec:\8262002.exe97⤵PID:840
-
\??\c:\btbbhn.exec:\btbbhn.exe98⤵PID:404
-
\??\c:\jdjjj.exec:\jdjjj.exe99⤵PID:2292
-
\??\c:\0484068.exec:\0484068.exe100⤵PID:3004
-
\??\c:\fxrlrll.exec:\fxrlrll.exe101⤵PID:780
-
\??\c:\dpjpd.exec:\dpjpd.exe102⤵PID:564
-
\??\c:\42002.exec:\42002.exe103⤵PID:1336
-
\??\c:\rfrlrrf.exec:\rfrlrrf.exe104⤵PID:2980
-
\??\c:\s4844.exec:\s4844.exe105⤵PID:1544
-
\??\c:\480240.exec:\480240.exe106⤵PID:272
-
\??\c:\64644.exec:\64644.exe107⤵PID:1656
-
\??\c:\86880.exec:\86880.exe108⤵PID:2348
-
\??\c:\640400.exec:\640400.exe109⤵PID:1788
-
\??\c:\ttthhh.exec:\ttthhh.exe110⤵PID:3024
-
\??\c:\5vdvv.exec:\5vdvv.exe111⤵PID:2016
-
\??\c:\c422840.exec:\c422840.exe112⤵PID:892
-
\??\c:\080688.exec:\080688.exe113⤵PID:2248
-
\??\c:\lfxxxrf.exec:\lfxxxrf.exe114⤵PID:1564
-
\??\c:\tnbnbh.exec:\tnbnbh.exe115⤵PID:2308
-
\??\c:\86460.exec:\86460.exe116⤵PID:1592
-
\??\c:\pvddd.exec:\pvddd.exe117⤵PID:2688
-
\??\c:\vvvdv.exec:\vvvdv.exe118⤵PID:2772
-
\??\c:\nnthhb.exec:\nnthhb.exe119⤵PID:2764
-
\??\c:\4040062.exec:\4040062.exe120⤵PID:2612
-
\??\c:\084444.exec:\084444.exe121⤵PID:2588
-
\??\c:\nttbbt.exec:\nttbbt.exe122⤵PID:2568