Analysis
-
max time kernel
120s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64 arch:x86 image:win7-20241010-en locale:en-us os:windows7-x64 system -
submitted
26-12-2024 04:19
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
523837ddc1960fc86949e0583d00e2417464bd07c5cd5f47a8e55facd5f007b2N.exe
Resource
win7-20241010-en
windows7-x64
7 signatures
120 seconds
General
-
Target
523837ddc1960fc86949e0583d00e2417464bd07c5cd5f47a8e55facd5f007b2N.exe
-
Size
453KB
-
MD5
2bd19230c57fec9220ce7811e7d0b120
-
SHA1
7368cde3edd34eef42f275f378538ab098ccf829
-
SHA256
523837ddc1960fc86949e0583d00e2417464bd07c5cd5f47a8e55facd5f007b2
-
SHA512
c1011791e2c3b35bfb4186a36bc468aad8a4d1fba64581ad4e62b641ba02fb4dbec2a3a66be01b012c19da17b0084878fdede0ccaaa2c434e5ce9cdebaa13d37
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeU:q7Tc2NYHUrAwfMp3CDU
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 44 IoCs
resource yara_rule behavioral1/memory/2952-21-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1740-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2700-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2904-39-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2868-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2704-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2612-57-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1844-75-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/980-84-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2096-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2220-93-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2372-151-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1912-193-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/900-246-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1008-263-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2912-316-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2940-303-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2796-290-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2512-287-0x0000000076FF0000-0x000000007710F000-memory.dmp family_blackmoon behavioral1/memory/1528-255-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2020-236-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/1524-219-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2440-202-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/544-168-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2884-134-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3032-117-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2096-354-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/496-368-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2544-382-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2556-389-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2016-508-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1500-746-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2180-779-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/668-791-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/668-793-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/2828-820-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2704-868-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/980-906-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2696-974-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2228-1069-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2576-1307-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1792-1333-0x00000000002A0000-0x00000000002CA000-memory.dmp family_blackmoon 
behavioral1/memory/1792-1352-0x00000000002A0000-0x00000000002CA000-memory.dmp family_blackmoon behavioral1/memory/2784-1377-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1740 1tbtnn.exe 2952 6466608.exe 2868 jvdvp.exe 2904 3tthht.exe 2704 08828.exe 2612 2022880.exe 2096 64882.exe 1844 9vvvd.exe 980 flfxxxx.exe 2220 464400.exe 2544 jvdvv.exe 2076 xlrxxxx.exe 3032 vjvdp.exe 1856 1jvpv.exe 2884 bnbbhb.exe 3048 o200668.exe 2372 jjvjv.exe 1320 02006.exe 544 0806668.exe 796 24628.exe 1156 bhttbt.exe 1912 0862868.exe 2440 082684.exe 2036 bnnnnh.exe 1524 btthth.exe 948 thtnnh.exe 2020 46822.exe 900 6460662.exe 1528 80222.exe 1008 bnhhhh.exe 2340 646240.exe 2488 lxllrlr.exe 2512 040208.exe 1580 o240606.exe 2940 xlrrrfx.exe 2816 9tbntn.exe 2912 9hnbbb.exe 2184 20262.exe 2840 082822.exe 2656 m4266.exe 468 e24882.exe 2096 8684046.exe 1844 s0406.exe 496 e08828.exe 808 thbbbh.exe 2544 lfxxfxl.exe 2556 420466.exe 1924 642840.exe 1716 88082.exe 2884 lfrrxxl.exe 2632 k80840.exe 2144 g8888.exe 2108 ffxlfrf.exe 2320 062668.exe 1004 m0802.exe 1768 1frfllx.exe 3044 jvjpv.exe 2196 rlxrxfr.exe 860 m8680.exe 2552 m4802.exe 3008 nhttbb.exe 1040 nhbthb.exe 1524 jdpdj.exe 2960 680448.exe -
resource yara_rule behavioral1/memory/2952-21-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1740-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2700-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2904-39-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2868-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2704-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2612-57-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1844-75-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/980-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2096-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2220-93-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2372-151-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1912-193-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/900-246-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1008-263-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2912-316-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2940-303-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2796-290-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1528-255-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2020-236-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1524-219-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2440-202-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/544-168-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2884-134-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/3032-117-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/468-340-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2096-347-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2096-354-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/496-361-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/496-368-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2544-375-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2544-382-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2556-389-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1924-390-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1716-397-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1004-434-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2016-508-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2720-560-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2940-593-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2112-636-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1716-673-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1856-692-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/908-699-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1912-726-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1500-746-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2520-800-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2340-807-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2828-820-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2744-836-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2704-868-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/980-906-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/612-1020-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2228-1069-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2820-1121-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2900-1128-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1952-1174-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2172-1181-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1924-1206-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2144-1231-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2948-1244-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1540-1281-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1860-1300-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2576-1307-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1780-1320-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a6442.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxxrrlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1dddj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language g2228.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a6228.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3ppjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjvvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5thtbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6422008.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djjjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 208800.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 424066.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2700 wrote to memory of 1740 2700 523837ddc1960fc86949e0583d00e2417464bd07c5cd5f47a8e55facd5f007b2N.exe 30 PID 2700 wrote to memory of 1740 2700 523837ddc1960fc86949e0583d00e2417464bd07c5cd5f47a8e55facd5f007b2N.exe 30 PID 2700 wrote to memory of 1740 2700 523837ddc1960fc86949e0583d00e2417464bd07c5cd5f47a8e55facd5f007b2N.exe 30 PID 2700 wrote to memory of 1740 2700 523837ddc1960fc86949e0583d00e2417464bd07c5cd5f47a8e55facd5f007b2N.exe 30 PID 1740 wrote to memory of 2952 1740 1tbtnn.exe 31 PID 1740 wrote to memory of 2952 1740 1tbtnn.exe 31 PID 1740 wrote to memory of 2952 1740 1tbtnn.exe 31 PID 1740 wrote to memory of 2952 1740 1tbtnn.exe 31 PID 2952 wrote to memory of 2868 2952 6466608.exe 32 PID 2952 wrote to memory of 2868 2952 6466608.exe 32 PID 2952 wrote to memory of 2868 2952 6466608.exe 32 PID 2952 wrote to memory of 2868 2952 6466608.exe 32 PID 2868 wrote to memory of 2904 2868 jvdvp.exe 33 PID 2868 wrote to memory of 2904 2868 jvdvp.exe 33 PID 2868 wrote to memory of 2904 2868 jvdvp.exe 33 PID 2868 wrote to memory of 2904 2868 jvdvp.exe 33 PID 2904 wrote to memory of 2704 2904 3tthht.exe 34 PID 2904 wrote to memory of 2704 2904 3tthht.exe 34 PID 2904 wrote to memory of 2704 2904 3tthht.exe 34 PID 2904 wrote to memory of 2704 2904 3tthht.exe 34 PID 2704 wrote to memory of 2612 2704 08828.exe 35 PID 2704 wrote to memory of 2612 2704 08828.exe 35 PID 2704 wrote to memory of 2612 2704 08828.exe 35 PID 2704 wrote to memory of 2612 2704 08828.exe 35 PID 2612 wrote to memory of 2096 2612 2022880.exe 72 PID 2612 wrote to memory of 2096 2612 2022880.exe 72 PID 2612 wrote to memory of 2096 2612 2022880.exe 72 PID 2612 wrote to memory of 2096 2612 2022880.exe 72 PID 2096 wrote to memory of 1844 2096 64882.exe 73 PID 2096 wrote to memory of 1844 2096 64882.exe 73 PID 2096 wrote to memory of 1844 2096 64882.exe 73 PID 2096 wrote to memory of 1844 2096 64882.exe 73 PID 1844 wrote to memory of 980 1844 9vvvd.exe 38 PID 1844 wrote 
to memory of 980 1844 9vvvd.exe 38 PID 1844 wrote to memory of 980 1844 9vvvd.exe 38 PID 1844 wrote to memory of 980 1844 9vvvd.exe 38 PID 980 wrote to memory of 2220 980 flfxxxx.exe 39 PID 980 wrote to memory of 2220 980 flfxxxx.exe 39 PID 980 wrote to memory of 2220 980 flfxxxx.exe 39 PID 980 wrote to memory of 2220 980 flfxxxx.exe 39 PID 2220 wrote to memory of 2544 2220 464400.exe 40 PID 2220 wrote to memory of 2544 2220 464400.exe 40 PID 2220 wrote to memory of 2544 2220 464400.exe 40 PID 2220 wrote to memory of 2544 2220 464400.exe 40 PID 2544 wrote to memory of 2076 2544 jvdvv.exe 41 PID 2544 wrote to memory of 2076 2544 jvdvv.exe 41 PID 2544 wrote to memory of 2076 2544 jvdvv.exe 41 PID 2544 wrote to memory of 2076 2544 jvdvv.exe 41 PID 2076 wrote to memory of 3032 2076 xlrxxxx.exe 42 PID 2076 wrote to memory of 3032 2076 xlrxxxx.exe 42 PID 2076 wrote to memory of 3032 2076 xlrxxxx.exe 42 PID 2076 wrote to memory of 3032 2076 xlrxxxx.exe 42 PID 3032 wrote to memory of 1856 3032 vjvdp.exe 43 PID 3032 wrote to memory of 1856 3032 vjvdp.exe 43 PID 3032 wrote to memory of 1856 3032 vjvdp.exe 43 PID 3032 wrote to memory of 1856 3032 vjvdp.exe 43 PID 1856 wrote to memory of 2884 1856 1jvpv.exe 44 PID 1856 wrote to memory of 2884 1856 1jvpv.exe 44 PID 1856 wrote to memory of 2884 1856 1jvpv.exe 44 PID 1856 wrote to memory of 2884 1856 1jvpv.exe 44 PID 2884 wrote to memory of 3048 2884 bnbbhb.exe 45 PID 2884 wrote to memory of 3048 2884 bnbbhb.exe 45 PID 2884 wrote to memory of 3048 2884 bnbbhb.exe 45 PID 2884 wrote to memory of 3048 2884 bnbbhb.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\523837ddc1960fc86949e0583d00e2417464bd07c5cd5f47a8e55facd5f007b2N.exe"C:\Users\Admin\AppData\Local\Temp\523837ddc1960fc86949e0583d00e2417464bd07c5cd5f47a8e55facd5f007b2N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2700 -
\??\c:\1tbtnn.exec:\1tbtnn.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1740 -
\??\c:\6466608.exec:\6466608.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2952 -
\??\c:\jvdvp.exec:\jvdvp.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2868 -
\??\c:\3tthht.exec:\3tthht.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2904 -
\??\c:\08828.exec:\08828.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2704 -
\??\c:\2022880.exec:\2022880.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2612 -
\??\c:\64882.exec:\64882.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2096 -
\??\c:\9vvvd.exec:\9vvvd.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1844 -
\??\c:\flfxxxx.exec:\flfxxxx.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:980 -
\??\c:\464400.exec:\464400.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2220 -
\??\c:\jvdvv.exec:\jvdvv.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2544 -
\??\c:\xlrxxxx.exec:\xlrxxxx.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2076 -
\??\c:\vjvdp.exec:\vjvdp.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3032 -
\??\c:\1jvpv.exec:\1jvpv.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1856 -
\??\c:\bnbbhb.exec:\bnbbhb.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2884 -
\??\c:\o200668.exec:\o200668.exe17⤵
- Executes dropped EXE
PID:3048 -
\??\c:\jjvjv.exec:\jjvjv.exe18⤵
- Executes dropped EXE
PID:2372 -
\??\c:\02006.exec:\02006.exe19⤵
- Executes dropped EXE
PID:1320 -
\??\c:\0806668.exec:\0806668.exe20⤵
- Executes dropped EXE
PID:544 -
\??\c:\24628.exec:\24628.exe21⤵
- Executes dropped EXE
PID:796 -
\??\c:\bhttbt.exec:\bhttbt.exe22⤵
- Executes dropped EXE
PID:1156 -
\??\c:\0862868.exec:\0862868.exe23⤵
- Executes dropped EXE
PID:1912 -
\??\c:\082684.exec:\082684.exe24⤵
- Executes dropped EXE
PID:2440 -
\??\c:\bnnnnh.exec:\bnnnnh.exe25⤵
- Executes dropped EXE
PID:2036 -
\??\c:\btthth.exec:\btthth.exe26⤵
- Executes dropped EXE
PID:1524 -
\??\c:\thtnnh.exec:\thtnnh.exe27⤵
- Executes dropped EXE
PID:948 -
\??\c:\46822.exec:\46822.exe28⤵
- Executes dropped EXE
PID:2020 -
\??\c:\6460662.exec:\6460662.exe29⤵
- Executes dropped EXE
PID:900 -
\??\c:\80222.exec:\80222.exe30⤵
- Executes dropped EXE
PID:1528 -
\??\c:\bnhhhh.exec:\bnhhhh.exe31⤵
- Executes dropped EXE
PID:1008 -
\??\c:\646240.exec:\646240.exe32⤵
- Executes dropped EXE
PID:2340 -
\??\c:\lxllrlr.exec:\lxllrlr.exe33⤵
- Executes dropped EXE
PID:2488 -
\??\c:\040208.exec:\040208.exe34⤵
- Executes dropped EXE
PID:2512 -
\??\c:\bntnnh.exec:\bntnnh.exe35⤵PID:2796
-
\??\c:\o240606.exec:\o240606.exe36⤵
- Executes dropped EXE
PID:1580 -
\??\c:\xlrrrfx.exec:\xlrrrfx.exe37⤵
- Executes dropped EXE
PID:2940 -
\??\c:\9tbntn.exec:\9tbntn.exe38⤵
- Executes dropped EXE
PID:2816 -
\??\c:\9hnbbb.exec:\9hnbbb.exe39⤵
- Executes dropped EXE
PID:2912 -
\??\c:\20262.exec:\20262.exe40⤵
- Executes dropped EXE
PID:2184 -
\??\c:\082822.exec:\082822.exe41⤵
- Executes dropped EXE
PID:2840 -
\??\c:\m4266.exec:\m4266.exe42⤵
- Executes dropped EXE
PID:2656 -
\??\c:\e24882.exec:\e24882.exe43⤵
- Executes dropped EXE
PID:468 -
\??\c:\8684046.exec:\8684046.exe44⤵
- Executes dropped EXE
PID:2096 -
\??\c:\s0406.exec:\s0406.exe45⤵
- Executes dropped EXE
PID:1844 -
\??\c:\e08828.exec:\e08828.exe46⤵
- Executes dropped EXE
PID:496 -
\??\c:\thbbbh.exec:\thbbbh.exe47⤵
- Executes dropped EXE
PID:808 -
\??\c:\lfxxfxl.exec:\lfxxfxl.exe48⤵
- Executes dropped EXE
PID:2544 -
\??\c:\420466.exec:\420466.exe49⤵
- Executes dropped EXE
PID:2556 -
\??\c:\642840.exec:\642840.exe50⤵
- Executes dropped EXE
PID:1924 -
\??\c:\88082.exec:\88082.exe51⤵
- Executes dropped EXE
PID:1716 -
\??\c:\lfrrxxl.exec:\lfrrxxl.exe52⤵
- Executes dropped EXE
PID:2884 -
\??\c:\k80840.exec:\k80840.exe53⤵
- Executes dropped EXE
PID:2632 -
\??\c:\g8888.exec:\g8888.exe54⤵
- Executes dropped EXE
PID:2144 -
\??\c:\ffxlfrf.exec:\ffxlfrf.exe55⤵
- Executes dropped EXE
PID:2108 -
\??\c:\062668.exec:\062668.exe56⤵
- Executes dropped EXE
PID:2320 -
\??\c:\m0802.exec:\m0802.exe57⤵
- Executes dropped EXE
PID:1004 -
\??\c:\1frfllx.exec:\1frfllx.exe58⤵
- Executes dropped EXE
PID:1768 -
\??\c:\jvjpv.exec:\jvjpv.exe59⤵
- Executes dropped EXE
PID:3044 -
\??\c:\rlxrxfr.exec:\rlxrxfr.exe60⤵
- Executes dropped EXE
PID:2196 -
\??\c:\m8680.exec:\m8680.exe61⤵
- Executes dropped EXE
PID:860 -
\??\c:\m4802.exec:\m4802.exe62⤵
- Executes dropped EXE
PID:2552 -
\??\c:\nhttbb.exec:\nhttbb.exe63⤵
- Executes dropped EXE
PID:3008 -
\??\c:\nhbthb.exec:\nhbthb.exe64⤵
- Executes dropped EXE
PID:1040 -
\??\c:\jdpdj.exec:\jdpdj.exe65⤵
- Executes dropped EXE
PID:1524 -
\??\c:\680448.exec:\680448.exe66⤵
- Executes dropped EXE
PID:2960 -
\??\c:\8600002.exec:\8600002.exe67⤵PID:1648
-
\??\c:\nbnntb.exec:\nbnntb.exe68⤵PID:912
-
\??\c:\u444628.exec:\u444628.exe69⤵PID:2016
-
\??\c:\rfllrll.exec:\rfllrll.exe70⤵PID:2528
-
\??\c:\9bnnbb.exec:\9bnnbb.exe71⤵PID:560
-
\??\c:\0866000.exec:\0866000.exe72⤵PID:2932
-
\??\c:\flxxllr.exec:\flxxllr.exe73⤵PID:1728
-
\??\c:\7jpdv.exec:\7jpdv.exe74⤵PID:2380
-
\??\c:\0842884.exec:\0842884.exe75⤵PID:2700
-
\??\c:\c088488.exec:\c088488.exe76⤵PID:1992
-
\??\c:\20044.exec:\20044.exe77⤵PID:2720
-
\??\c:\a0226.exec:\a0226.exe78⤵PID:1712
-
\??\c:\08662.exec:\08662.exe79⤵PID:2788
-
\??\c:\86840.exec:\86840.exe80⤵PID:2156
-
\??\c:\82628.exec:\82628.exe81⤵PID:2856
-
\??\c:\42406.exec:\42406.exe82⤵PID:2940
-
\??\c:\pjdvj.exec:\pjdvj.exe83⤵PID:2840
-
\??\c:\3llllfx.exec:\3llllfx.exe84⤵PID:2728
-
\??\c:\5btttt.exec:\5btttt.exe85⤵PID:2620
-
\??\c:\080660.exec:\080660.exe86⤵PID:468
-
\??\c:\ffxxflx.exec:\ffxxflx.exe87⤵PID:1588
-
\??\c:\e82840.exec:\e82840.exe88⤵PID:1844
-
\??\c:\6800662.exec:\6800662.exe89⤵PID:2112
-
\??\c:\nbtbht.exec:\nbtbht.exe90⤵PID:3016
-
\??\c:\vpjpv.exec:\vpjpv.exe91⤵PID:2408
-
\??\c:\4644444.exec:\4644444.exe92⤵PID:2364
-
\??\c:\8626224.exec:\8626224.exe93⤵PID:2332
-
\??\c:\7frfffl.exec:\7frfffl.exe94⤵PID:2652
-
\??\c:\080622.exec:\080622.exe95⤵PID:1716
-
\??\c:\xlrffxf.exec:\xlrffxf.exe96⤵PID:1788
-
\??\c:\tntnbt.exec:\tntnbt.exe97⤵PID:2632
-
\??\c:\3tnthn.exec:\3tnthn.exe98⤵PID:1856
-
\??\c:\86840.exec:\86840.exe99⤵PID:908
-
\??\c:\k80060.exec:\k80060.exe100⤵PID:2320
-
\??\c:\88666.exec:\88666.exe101⤵PID:1308
-
\??\c:\2060044.exec:\2060044.exe102⤵PID:1768
-
\??\c:\dvvpp.exec:\dvvpp.exe103⤵PID:1912
-
\??\c:\nnbthh.exec:\nnbthh.exe104⤵PID:2416
-
\??\c:\vppvj.exec:\vppvj.exe105⤵PID:1500
-
\??\c:\lfrxflr.exec:\lfrxflr.exe106⤵PID:1112
-
\??\c:\jdvdp.exec:\jdvdp.exe107⤵PID:2244
-
\??\c:\42002.exec:\42002.exe108⤵PID:2964
-
\??\c:\e04088.exec:\e04088.exe109⤵PID:2920
-
\??\c:\fxflrrf.exec:\fxflrrf.exe110⤵PID:2180
-
\??\c:\u200268.exec:\u200268.exe111⤵PID:2188
-
\??\c:\lfxlxxl.exec:\lfxlxxl.exe112⤵PID:668
-
\??\c:\ppppd.exec:\ppppd.exe113⤵PID:2520
-
\??\c:\vpdjp.exec:\vpdjp.exe114⤵PID:1944
-
\??\c:\s8220.exec:\s8220.exe115⤵PID:2340
-
\??\c:\48662.exec:\48662.exe116⤵PID:2828
-
\??\c:\5lfrflx.exec:\5lfrflx.exe117⤵PID:2512
-
\??\c:\k24406.exec:\k24406.exe118⤵PID:2448
-
\??\c:\486840.exec:\486840.exe119⤵PID:2344
-
\??\c:\o240662.exec:\o240662.exe120⤵PID:2744
-
\??\c:\nnhnhb.exec:\nnhnhb.exe121⤵PID:2860
-
\??\c:\26006.exec:\26006.exe122⤵PID:2976