Analysis
-
max time kernel
120s -
max time network
17s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system -
submitted
26-12-2024 01:45
Static task
static1
1 signature
Behavioral task
behavioral1
Sample
145fc1d5506f42106e235a93790038e16f4a720853eb6ef219f4769eda16a556.exe
Resource
win7-20240708-en
windows7-x64
7 signatures
120 seconds
General
-
Target
145fc1d5506f42106e235a93790038e16f4a720853eb6ef219f4769eda16a556.exe
-
Size
456KB
-
MD5
714183fd35f02e3c36dd33b2ae0c167b
-
SHA1
a200a5211806ea86bf01d59864846228fb5f9608
-
SHA256
145fc1d5506f42106e235a93790038e16f4a720853eb6ef219f4769eda16a556
-
SHA512
d7a958dfb93c5a988c329769f67b49a814e67abc764f8bf710c907f4de5501bc1e854e1fccc7f3c8442594e0ceeb26ed55ea10aa86a6467281385525ea6cf252
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeRh:q7Tc2NYHUrAwfMp3CDRh
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 52 IoCs
resource yara_rule behavioral1/memory/2568-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2160-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2404-16-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2972-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2860-52-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3020-61-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2804-73-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2728-86-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2832-82-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2804-72-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/584-104-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2684-101-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1744-120-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1900-123-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2836-139-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/584-149-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1692-179-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1976-176-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2712-195-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/688-211-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2576-236-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/748-245-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1944-278-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/896-287-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2416-309-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2764-329-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2876-343-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2816-344-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2896-370-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2628-381-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/2440-422-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1732-443-0x0000000000330000-0x000000000035A000-memory.dmp family_blackmoon behavioral1/memory/1732-444-0x0000000000330000-0x000000000035A000-memory.dmp family_blackmoon behavioral1/memory/2956-469-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/2004-494-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/2004-493-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/1740-515-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1164-547-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2056-554-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1748-568-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1164-571-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1920-731-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/1968-779-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/2000-929-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1476-962-0x0000000000230000-0x000000000025A000-memory.dmp family_blackmoon behavioral1/memory/1476-982-0x0000000000230000-0x000000000025A000-memory.dmp family_blackmoon behavioral1/memory/1728-993-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/2420-1029-0x0000000000350000-0x000000000037A000-memory.dmp family_blackmoon behavioral1/memory/3060-1062-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/844-1077-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2092-1107-0x0000000000230000-0x000000000025A000-memory.dmp family_blackmoon behavioral1/memory/580-1130-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2404 4248640.exe 2160 s2440.exe 2972 xfxrrlr.exe 1408 48444.exe 2860 3jvdd.exe 3020 48246.exe 2804 1tnnht.exe 2832 vvpjv.exe 2728 q26806.exe 2684 w08006.exe 584 vvvjp.exe 1744 pdvvj.exe 1900 0424240.exe 2836 3hntnn.exe 628 rlfxflr.exe 1648 20442.exe 2952 60242.exe 1976 dvppd.exe 1692 64662.exe 2712 ppvvd.exe 2708 2646880.exe 688 s6824.exe 1152 jvddv.exe 1784 nbtntb.exe 2576 2088040.exe 748 800000.exe 900 fxllrll.exe 2512 64606.exe 2056 ppjjj.exe 1944 rllfxxf.exe 896 5xrflrx.exe 2356 vdvpp.exe 1528 djvdj.exe 2416 tnbhhh.exe 696 vpdjj.exe 2332 xlxxfxx.exe 2824 dpvvd.exe 2764 04846.exe 2876 frffxll.exe 2816 htbttn.exe 2844 48484.exe 2700 pdvdv.exe 2896 djddj.exe 2780 7pvdv.exe 2628 0468406.exe 2684 1htnnh.exe 672 1vdjp.exe 2408 4626000.exe 1476 thbtbt.exe 2960 642626.exe 2440 20884.exe 1428 bbnbhb.exe 1872 rrlfllf.exe 1732 ffrxffl.exe 1920 k48462.exe 1516 08844.exe 2984 04280.exe 2956 vpvpp.exe 2336 7nhnbh.exe 2364 680640.exe 2272 0600868.exe 2004 i822480.exe 2672 0800624.exe 1916 222462.exe -
UPX packed file (yara rule: upx)
resource yara_rule behavioral1/memory/2568-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2160-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2404-16-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2972-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1408-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2860-52-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3020-61-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2728-86-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2832-82-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2804-72-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/584-104-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2684-101-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1744-120-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1900-123-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2836-131-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2836-139-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1976-168-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1692-179-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1976-176-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2712-195-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/688-211-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2576-236-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/748-245-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1944-278-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/896-287-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2416-309-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2764-329-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2876-343-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2816-344-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2700-357-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2896-370-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/672-391-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2440-422-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1732-443-0x0000000000330000-0x000000000035A000-memory.dmp upx behavioral1/memory/2956-469-0x00000000003B0000-0x00000000003DA000-memory.dmp upx behavioral1/memory/2004-488-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1740-515-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1164-540-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2056-554-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1748-568-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1884-679-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2716-693-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1184-718-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/1920-731-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1652-818-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2856-892-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1704-995-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2940-1010-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/900-1076-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1532-1110-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/580-1123-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8606884.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 208440.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xflxxll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhhhnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8206464.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1xllrrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3rfrlfl.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language w64222.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5fflflf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjdpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4824002.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 20624.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8622884.exe Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4200662.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxffffr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 640404.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language k86248.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs (the listing appears capped at 64 entries; note that every entry below is a parent writing into the child it has just spawned — see Processes — which is also consistent with ordinary process creation, so on its own this is weak evidence of code injection)
description pid Process procid_target PID 2568 wrote to memory of 2404 2568 145fc1d5506f42106e235a93790038e16f4a720853eb6ef219f4769eda16a556.exe 30 PID 2568 wrote to memory of 2404 2568 145fc1d5506f42106e235a93790038e16f4a720853eb6ef219f4769eda16a556.exe 30 PID 2568 wrote to memory of 2404 2568 145fc1d5506f42106e235a93790038e16f4a720853eb6ef219f4769eda16a556.exe 30 PID 2568 wrote to memory of 2404 2568 145fc1d5506f42106e235a93790038e16f4a720853eb6ef219f4769eda16a556.exe 30 PID 2404 wrote to memory of 2160 2404 4248640.exe 31 PID 2404 wrote to memory of 2160 2404 4248640.exe 31 PID 2404 wrote to memory of 2160 2404 4248640.exe 31 PID 2404 wrote to memory of 2160 2404 4248640.exe 31 PID 2160 wrote to memory of 2972 2160 s2440.exe 32 PID 2160 wrote to memory of 2972 2160 s2440.exe 32 PID 2160 wrote to memory of 2972 2160 s2440.exe 32 PID 2160 wrote to memory of 2972 2160 s2440.exe 32 PID 2972 wrote to memory of 1408 2972 xfxrrlr.exe 33 PID 2972 wrote to memory of 1408 2972 xfxrrlr.exe 33 PID 2972 wrote to memory of 1408 2972 xfxrrlr.exe 33 PID 2972 wrote to memory of 1408 2972 xfxrrlr.exe 33 PID 1408 wrote to memory of 2860 1408 48444.exe 34 PID 1408 wrote to memory of 2860 1408 48444.exe 34 PID 1408 wrote to memory of 2860 1408 48444.exe 34 PID 1408 wrote to memory of 2860 1408 48444.exe 34 PID 2860 wrote to memory of 3020 2860 3jvdd.exe 35 PID 2860 wrote to memory of 3020 2860 3jvdd.exe 35 PID 2860 wrote to memory of 3020 2860 3jvdd.exe 35 PID 2860 wrote to memory of 3020 2860 3jvdd.exe 35 PID 3020 wrote to memory of 2804 3020 48246.exe 36 PID 3020 wrote to memory of 2804 3020 48246.exe 36 PID 3020 wrote to memory of 2804 3020 48246.exe 36 PID 3020 wrote to memory of 2804 3020 48246.exe 36 PID 2804 wrote to memory of 2832 2804 1tnnht.exe 37 PID 2804 wrote to memory of 2832 2804 1tnnht.exe 37 PID 2804 wrote to memory of 2832 2804 1tnnht.exe 37 PID 2804 wrote to memory of 2832 2804 1tnnht.exe 37 PID 2832 wrote to memory of 2728 2832 vvpjv.exe 38 PID 2832 wrote to 
memory of 2728 2832 vvpjv.exe 38 PID 2832 wrote to memory of 2728 2832 vvpjv.exe 38 PID 2832 wrote to memory of 2728 2832 vvpjv.exe 38 PID 2728 wrote to memory of 2684 2728 q26806.exe 39 PID 2728 wrote to memory of 2684 2728 q26806.exe 39 PID 2728 wrote to memory of 2684 2728 q26806.exe 39 PID 2728 wrote to memory of 2684 2728 q26806.exe 39 PID 2684 wrote to memory of 584 2684 w08006.exe 40 PID 2684 wrote to memory of 584 2684 w08006.exe 40 PID 2684 wrote to memory of 584 2684 w08006.exe 40 PID 2684 wrote to memory of 584 2684 w08006.exe 40 PID 584 wrote to memory of 1744 584 vvvjp.exe 41 PID 584 wrote to memory of 1744 584 vvvjp.exe 41 PID 584 wrote to memory of 1744 584 vvvjp.exe 41 PID 584 wrote to memory of 1744 584 vvvjp.exe 41 PID 1744 wrote to memory of 1900 1744 pdvvj.exe 42 PID 1744 wrote to memory of 1900 1744 pdvvj.exe 42 PID 1744 wrote to memory of 1900 1744 pdvvj.exe 42 PID 1744 wrote to memory of 1900 1744 pdvvj.exe 42 PID 1900 wrote to memory of 2836 1900 0424240.exe 43 PID 1900 wrote to memory of 2836 1900 0424240.exe 43 PID 1900 wrote to memory of 2836 1900 0424240.exe 43 PID 1900 wrote to memory of 2836 1900 0424240.exe 43 PID 2836 wrote to memory of 628 2836 3hntnn.exe 44 PID 2836 wrote to memory of 628 2836 3hntnn.exe 44 PID 2836 wrote to memory of 628 2836 3hntnn.exe 44 PID 2836 wrote to memory of 628 2836 3hntnn.exe 44 PID 628 wrote to memory of 1648 628 rlfxflr.exe 45 PID 628 wrote to memory of 1648 628 rlfxflr.exe 45 PID 628 wrote to memory of 1648 628 rlfxflr.exe 45 PID 628 wrote to memory of 1648 628 rlfxflr.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\145fc1d5506f42106e235a93790038e16f4a720853eb6ef219f4769eda16a556.exe"C:\Users\Admin\AppData\Local\Temp\145fc1d5506f42106e235a93790038e16f4a720853eb6ef219f4769eda16a556.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2568 -
\??\c:\4248640.exec:\4248640.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2404 -
\??\c:\s2440.exec:\s2440.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2160 -
\??\c:\xfxrrlr.exec:\xfxrrlr.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2972 -
\??\c:\48444.exec:\48444.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1408 -
\??\c:\3jvdd.exec:\3jvdd.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2860 -
\??\c:\48246.exec:\48246.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3020 -
\??\c:\1tnnht.exec:\1tnnht.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2804 -
\??\c:\vvpjv.exec:\vvpjv.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2832 -
\??\c:\q26806.exec:\q26806.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2728 -
\??\c:\w08006.exec:\w08006.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2684 -
\??\c:\vvvjp.exec:\vvvjp.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:584 -
\??\c:\pdvvj.exec:\pdvvj.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1744 -
\??\c:\0424240.exec:\0424240.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1900 -
\??\c:\3hntnn.exec:\3hntnn.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2836 -
\??\c:\rlfxflr.exec:\rlfxflr.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:628 -
\??\c:\20442.exec:\20442.exe17⤵
- Executes dropped EXE
PID:1648 -
\??\c:\60242.exec:\60242.exe18⤵
- Executes dropped EXE
PID:2952 -
\??\c:\dvppd.exec:\dvppd.exe19⤵
- Executes dropped EXE
PID:1976 -
\??\c:\64662.exec:\64662.exe20⤵
- Executes dropped EXE
PID:1692 -
\??\c:\ppvvd.exec:\ppvvd.exe21⤵
- Executes dropped EXE
PID:2712 -
\??\c:\2646880.exec:\2646880.exe22⤵
- Executes dropped EXE
PID:2708 -
\??\c:\s6824.exec:\s6824.exe23⤵
- Executes dropped EXE
PID:688 -
\??\c:\jvddv.exec:\jvddv.exe24⤵
- Executes dropped EXE
PID:1152 -
\??\c:\nbtntb.exec:\nbtntb.exe25⤵
- Executes dropped EXE
PID:1784 -
\??\c:\2088040.exec:\2088040.exe26⤵
- Executes dropped EXE
PID:2576 -
\??\c:\800000.exec:\800000.exe27⤵
- Executes dropped EXE
PID:748 -
\??\c:\fxllrll.exec:\fxllrll.exe28⤵
- Executes dropped EXE
PID:900 -
\??\c:\64606.exec:\64606.exe29⤵
- Executes dropped EXE
PID:2512 -
\??\c:\ppjjj.exec:\ppjjj.exe30⤵
- Executes dropped EXE
PID:2056 -
\??\c:\rllfxxf.exec:\rllfxxf.exe31⤵
- Executes dropped EXE
PID:1944 -
\??\c:\5xrflrx.exec:\5xrflrx.exe32⤵
- Executes dropped EXE
PID:896 -
\??\c:\vdvpp.exec:\vdvpp.exe33⤵
- Executes dropped EXE
PID:2356 -
\??\c:\djvdj.exec:\djvdj.exe34⤵
- Executes dropped EXE
PID:1528 -
\??\c:\tnbhhh.exec:\tnbhhh.exe35⤵
- Executes dropped EXE
PID:2416 -
\??\c:\vpdjj.exec:\vpdjj.exe36⤵
- Executes dropped EXE
PID:696 -
\??\c:\xlxxfxx.exec:\xlxxfxx.exe37⤵
- Executes dropped EXE
PID:2332 -
\??\c:\dpvvd.exec:\dpvvd.exe38⤵
- Executes dropped EXE
PID:2824 -
\??\c:\04846.exec:\04846.exe39⤵
- Executes dropped EXE
PID:2764 -
\??\c:\frffxll.exec:\frffxll.exe40⤵
- Executes dropped EXE
PID:2876 -
\??\c:\htbttn.exec:\htbttn.exe41⤵
- Executes dropped EXE
PID:2816 -
\??\c:\48484.exec:\48484.exe42⤵
- Executes dropped EXE
PID:2844 -
\??\c:\pdvdv.exec:\pdvdv.exe43⤵
- Executes dropped EXE
PID:2700 -
\??\c:\djddj.exec:\djddj.exe44⤵
- Executes dropped EXE
PID:2896 -
\??\c:\7pvdv.exec:\7pvdv.exe45⤵
- Executes dropped EXE
PID:2780 -
\??\c:\0468406.exec:\0468406.exe46⤵
- Executes dropped EXE
PID:2628 -
\??\c:\1htnnh.exec:\1htnnh.exe47⤵
- Executes dropped EXE
PID:2684 -
\??\c:\1vdjp.exec:\1vdjp.exe48⤵
- Executes dropped EXE
PID:672 -
\??\c:\4626000.exec:\4626000.exe49⤵
- Executes dropped EXE
PID:2408 -
\??\c:\thbtbt.exec:\thbtbt.exe50⤵
- Executes dropped EXE
PID:1476 -
\??\c:\642626.exec:\642626.exe51⤵
- Executes dropped EXE
PID:2960 -
\??\c:\20884.exec:\20884.exe52⤵
- Executes dropped EXE
PID:2440 -
\??\c:\bbnbhb.exec:\bbnbhb.exe53⤵
- Executes dropped EXE
PID:1428 -
\??\c:\rrlfllf.exec:\rrlfllf.exe54⤵
- Executes dropped EXE
PID:1872 -
\??\c:\ffrxffl.exec:\ffrxffl.exe55⤵
- Executes dropped EXE
PID:1732 -
\??\c:\k48462.exec:\k48462.exe56⤵
- Executes dropped EXE
PID:1920 -
\??\c:\08844.exec:\08844.exe57⤵
- Executes dropped EXE
PID:1516 -
\??\c:\04280.exec:\04280.exe58⤵
- Executes dropped EXE
PID:2984 -
\??\c:\vpvpp.exec:\vpvpp.exe59⤵
- Executes dropped EXE
PID:2956 -
\??\c:\7nhnbh.exec:\7nhnbh.exe60⤵
- Executes dropped EXE
PID:2336 -
\??\c:\680640.exec:\680640.exe61⤵
- Executes dropped EXE
PID:2364 -
\??\c:\0600868.exec:\0600868.exe62⤵
- Executes dropped EXE
PID:2272 -
\??\c:\i822480.exec:\i822480.exe63⤵
- Executes dropped EXE
PID:2004 -
\??\c:\0800624.exec:\0800624.exe64⤵
- Executes dropped EXE
PID:2672 -
\??\c:\222462.exec:\222462.exe65⤵
- Executes dropped EXE
PID:1916 -
\??\c:\1vjvj.exec:\1vjvj.exe66⤵PID:1740
-
\??\c:\1hbttt.exec:\1hbttt.exe67⤵PID:1488
-
\??\c:\w68684.exec:\w68684.exe68⤵PID:2424
-
\??\c:\04842.exec:\04842.exe69⤵PID:2344
-
\??\c:\bnttbt.exec:\bnttbt.exe70⤵PID:2556
-
\??\c:\24044.exec:\24044.exe71⤵PID:1164
-
\??\c:\bbtbhh.exec:\bbtbhh.exe72⤵PID:2056
-
\??\c:\hnhtht.exec:\hnhtht.exe73⤵PID:2092
-
\??\c:\dpjjp.exec:\dpjjp.exe74⤵PID:1748
-
\??\c:\nbhthn.exec:\nbhthn.exe75⤵PID:2076
-
\??\c:\vpjjd.exec:\vpjjd.exe76⤵PID:2024
-
\??\c:\5lxxrrl.exec:\5lxxrrl.exe77⤵PID:580
-
\??\c:\6422842.exec:\6422842.exe78⤵PID:2172
-
\??\c:\pdppp.exec:\pdppp.exe79⤵PID:2828
-
\??\c:\082866.exec:\082866.exe80⤵PID:1424
-
\??\c:\4626262.exec:\4626262.exe81⤵PID:2872
-
\??\c:\o428006.exec:\o428006.exe82⤵PID:2860
-
\??\c:\hnbbbt.exec:\hnbbbt.exe83⤵PID:2848
-
\??\c:\k08806.exec:\k08806.exe84⤵PID:2732
-
\??\c:\jdjdd.exec:\jdjdd.exe85⤵PID:3020
-
\??\c:\080688.exec:\080688.exe86⤵PID:2700
-
\??\c:\ddvdv.exec:\ddvdv.exe87⤵PID:2788
-
\??\c:\llflxxr.exec:\llflxxr.exe88⤵PID:2728
-
\??\c:\66402.exec:\66402.exe89⤵PID:1656
-
\??\c:\nhhtbh.exec:\nhhtbh.exe90⤵PID:2268
-
\??\c:\646866.exec:\646866.exe91⤵PID:768
-
\??\c:\lfxlxxx.exec:\lfxlxxx.exe92⤵PID:1592
-
\??\c:\tnhhtb.exec:\tnhhtb.exe93⤵PID:1884
-
\??\c:\pddvj.exec:\pddvj.exe94⤵PID:1900
-
\??\c:\btnbnn.exec:\btnbnn.exe95⤵PID:2716
-
\??\c:\vpddp.exec:\vpddp.exe96⤵PID:2444
-
\??\c:\3nbbbh.exec:\3nbbbh.exe97⤵PID:1868
-
\??\c:\042204.exec:\042204.exe98⤵PID:1184
-
\??\c:\2668286.exec:\2668286.exe99⤵PID:1836
-
\??\c:\642806.exec:\642806.exe100⤵PID:1920
-
\??\c:\dvpdp.exec:\dvpdp.exe101⤵PID:2940
-
\??\c:\8262402.exec:\8262402.exe102⤵PID:1692
-
\??\c:\dvvjj.exec:\dvvjj.exe103⤵PID:2228
-
\??\c:\82006.exec:\82006.exe104⤵PID:1904
-
\??\c:\dvvvv.exec:\dvvvv.exe105⤵PID:1300
-
\??\c:\60628.exec:\60628.exe106⤵PID:2272
-
\??\c:\hbntbh.exec:\hbntbh.exe107⤵PID:1588
-
\??\c:\822422.exec:\822422.exe108⤵PID:1968
-
\??\c:\3vppv.exec:\3vppv.exe109⤵PID:1888
-
\??\c:\hhbtbb.exec:\hhbtbb.exe110⤵PID:1932
-
\??\c:\nhtnbt.exec:\nhtnbt.exe111⤵PID:1488
-
\??\c:\20220.exec:\20220.exe112⤵PID:748
-
\??\c:\0428446.exec:\0428446.exe113⤵PID:2380
-
\??\c:\nnnthn.exec:\nnnthn.exe114⤵PID:2560
-
\??\c:\0484002.exec:\0484002.exe115⤵PID:1652
-
\??\c:\hbthht.exec:\hbthht.exe116⤵PID:1436
-
\??\c:\s6406.exec:\s6406.exe117⤵PID:1432
-
\??\c:\nhhhnt.exec:\nhhhnt.exe118⤵
- System Location Discovery: System Language Discovery
PID:2568 -
\??\c:\xlxxlll.exec:\xlxxlll.exe119⤵PID:2284
-
\??\c:\xrxflxr.exec:\xrxflxr.exe120⤵PID:2692
-
\??\c:\tnhnhh.exec:\tnhnhh.exe121⤵PID:2176
-
\??\c:\fxxfrrf.exec:\fxxfrrf.exe122⤵PID:2704
-