Analysis
-
max time kernel
120s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20241023-en -
resource tags
arch:x64 arch:x86 image:win7-20241023-en locale:en-us os:windows7-x64 system -
submitted
26-12-2024 10:43
Static task
static1
1 signature
Behavioral task
behavioral1
Sample
6ad36da52cffaa06ea3c68f0cbc97bfe15383b1984ac77f96d7d6f7cc4933f1e.exe
Resource
win7-20241023-en
windows7-x64
7 signatures
120 seconds
General
-
Target
6ad36da52cffaa06ea3c68f0cbc97bfe15383b1984ac77f96d7d6f7cc4933f1e.exe
-
Size
454KB
-
MD5
9574dddf9dd091d6145be04fb9c0be2b
-
SHA1
a8e528988ff0a346f0a850f942d486da29ecf670
-
SHA256
6ad36da52cffaa06ea3c68f0cbc97bfe15383b1984ac77f96d7d6f7cc4933f1e
-
SHA512
0430d267cc1dfacef4507b6c00358c7a58da3006cfadbfc1dfc9294901cfa600117ffabeabe7c8e43251accec0aa9d94b82b46685529d9d2419cb63b509eabeb
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeF:q7Tc2NYHUrAwfMp3CDF
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 53 IoCs (every hit below is a 0x2A000-byte region — at the 0x400000 image base or, in some children, a relocated base such as 0x220000 or 0x3C0000 — so the dropped children appear to carry copies of the same payload image)
resource yara_rule behavioral1/memory/2080-9-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2556-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1884-28-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2296-31-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2684-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2696-50-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2748-64-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2880-74-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2892-86-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2960-84-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1340-97-0x00000000002A0000-0x00000000002CA000-memory.dmp family_blackmoon behavioral1/memory/1340-103-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2004-121-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2660-131-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2644-149-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1000-159-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2828-177-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2680-186-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2928-196-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2928-197-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2928-195-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon 
behavioral1/memory/2204-214-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/2928-224-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/864-233-0x00000000003D0000-0x00000000003FA000-memory.dmp family_blackmoon behavioral1/memory/1940-236-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/864-232-0x00000000003D0000-0x00000000003FA000-memory.dmp family_blackmoon behavioral1/memory/2420-253-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3008-267-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/3008-270-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1464-278-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1516-288-0x0000000000330000-0x000000000035A000-memory.dmp family_blackmoon behavioral1/memory/1516-286-0x0000000000330000-0x000000000035A000-memory.dmp family_blackmoon behavioral1/memory/2268-306-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1832-319-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2732-348-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2724-353-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2620-371-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2520-379-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2520-399-0x0000000000430000-0x000000000045A000-memory.dmp family_blackmoon behavioral1/memory/2116-412-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2888-419-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1512-589-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon 
behavioral1/memory/2500-602-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2600-639-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/556-836-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/272-844-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/3064-857-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/556-860-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/2064-877-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1844-975-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1388-982-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1000-1013-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2756-1202-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs (the IoC list stops at 64 entries while the process tree below reaches depth 122, so treat this list as truncated rather than complete)
pid Process 2556 jvjjd.exe 1884 6644224.exe 2296 a8040.exe 2684 5xllfff.exe 2696 9dpjd.exe 2748 hthbbt.exe 2880 080226.exe 2960 dpjdd.exe 2892 6466268.exe 1340 1vjjj.exe 2088 fxfffff.exe 2004 7rfrllf.exe 2660 02862.exe 2348 2028884.exe 2644 dpvdp.exe 1000 7hbhhh.exe 2768 thbtbb.exe 2828 jvddp.exe 2680 64668.exe 2928 4222880.exe 3036 vpvdj.exe 2204 208426.exe 948 3xrxxfl.exe 864 fxllrrf.exe 1940 pdppv.exe 1448 m0460.exe 2420 tbhthb.exe 3008 3rffrlx.exe 1464 1xxxfff.exe 1516 pdvvv.exe 2416 nntnbn.exe 2268 0800066.exe 2508 242240.exe 1832 86220.exe 2500 8408440.exe 2276 pdvvd.exe 2436 8648440.exe 2428 lrllrxx.exe 2732 9bhnnn.exe 2724 208408.exe 2128 5thntb.exe 2620 2088064.exe 2520 c466806.exe 2876 1pppp.exe 2084 3djdd.exe 320 a4884.exe 2312 q46284.exe 2116 rlfllrx.exe 2888 2466822.exe 1768 nhbhtb.exe 1696 lfxrfxf.exe 1660 5hbbhh.exe 2016 ttnhnn.exe 2256 86406.exe 1932 lxllxfr.exe 1912 xlxfllx.exe 2992 3vjjj.exe 1720 s0220.exe 2980 vdpvd.exe 408 tnbhtb.exe 1252 ffrxffr.exe 2332 m2446.exe 1304 3xlrxfl.exe 900 64684.exe -
resource yara_rule behavioral1/memory/2080-9-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2556-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1884-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2296-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2684-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2696-50-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2748-64-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2960-75-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2880-74-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2892-86-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2960-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1340-103-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2004-121-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2660-131-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2644-149-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2768-160-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1000-159-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2828-177-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2680-186-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2928-196-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1940-236-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2420-253-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3008-270-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1464-278-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2268-306-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2128-358-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2620-371-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2520-372-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2520-379-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2116-412-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2888-419-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2992-463-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/408-483-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1628-515-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2500-602-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2600-639-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/320-676-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2660-701-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3044-762-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/1236-823-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/272-844-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/3064-857-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2892-926-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1844-975-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1388-982-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2212-1044-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/980-1099-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2180-1314-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/1448-1339-0x0000000000330000-0x000000000035A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxfflrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5hnntb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlfrrrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxllrrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9thbbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1flxrll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddvvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language q86806.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8600624.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c466806.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1hbbhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxrrffl.exe Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjvdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 86464.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs (each parent→child hop is logged four times, so the 64 entries cover only the first 16 hops of the chain, 2080→2556 through 2644→1000; the later hops in the process tree are not listed here)
description pid Process procid_target PID 2080 wrote to memory of 2556 2080 6ad36da52cffaa06ea3c68f0cbc97bfe15383b1984ac77f96d7d6f7cc4933f1e.exe 30 PID 2080 wrote to memory of 2556 2080 6ad36da52cffaa06ea3c68f0cbc97bfe15383b1984ac77f96d7d6f7cc4933f1e.exe 30 PID 2080 wrote to memory of 2556 2080 6ad36da52cffaa06ea3c68f0cbc97bfe15383b1984ac77f96d7d6f7cc4933f1e.exe 30 PID 2080 wrote to memory of 2556 2080 6ad36da52cffaa06ea3c68f0cbc97bfe15383b1984ac77f96d7d6f7cc4933f1e.exe 30 PID 2556 wrote to memory of 1884 2556 jvjjd.exe 31 PID 2556 wrote to memory of 1884 2556 jvjjd.exe 31 PID 2556 wrote to memory of 1884 2556 jvjjd.exe 31 PID 2556 wrote to memory of 1884 2556 jvjjd.exe 31 PID 1884 wrote to memory of 2296 1884 6644224.exe 32 PID 1884 wrote to memory of 2296 1884 6644224.exe 32 PID 1884 wrote to memory of 2296 1884 6644224.exe 32 PID 1884 wrote to memory of 2296 1884 6644224.exe 32 PID 2296 wrote to memory of 2684 2296 a8040.exe 33 PID 2296 wrote to memory of 2684 2296 a8040.exe 33 PID 2296 wrote to memory of 2684 2296 a8040.exe 33 PID 2296 wrote to memory of 2684 2296 a8040.exe 33 PID 2684 wrote to memory of 2696 2684 5xllfff.exe 34 PID 2684 wrote to memory of 2696 2684 5xllfff.exe 34 PID 2684 wrote to memory of 2696 2684 5xllfff.exe 34 PID 2684 wrote to memory of 2696 2684 5xllfff.exe 34 PID 2696 wrote to memory of 2748 2696 9dpjd.exe 35 PID 2696 wrote to memory of 2748 2696 9dpjd.exe 35 PID 2696 wrote to memory of 2748 2696 9dpjd.exe 35 PID 2696 wrote to memory of 2748 2696 9dpjd.exe 35 PID 2748 wrote to memory of 2880 2748 hthbbt.exe 36 PID 2748 wrote to memory of 2880 2748 hthbbt.exe 36 PID 2748 wrote to memory of 2880 2748 hthbbt.exe 36 PID 2748 wrote to memory of 2880 2748 hthbbt.exe 36 PID 2880 wrote to memory of 2960 2880 080226.exe 37 PID 2880 wrote to memory of 2960 2880 080226.exe 37 PID 2880 wrote to memory of 2960 2880 080226.exe 37 PID 2880 wrote to memory of 2960 2880 080226.exe 37 PID 2960 wrote to memory of 2892 2960 dpjdd.exe 38 PID 2960 wrote to 
memory of 2892 2960 dpjdd.exe 38 PID 2960 wrote to memory of 2892 2960 dpjdd.exe 38 PID 2960 wrote to memory of 2892 2960 dpjdd.exe 38 PID 2892 wrote to memory of 1340 2892 6466268.exe 39 PID 2892 wrote to memory of 1340 2892 6466268.exe 39 PID 2892 wrote to memory of 1340 2892 6466268.exe 39 PID 2892 wrote to memory of 1340 2892 6466268.exe 39 PID 1340 wrote to memory of 2088 1340 1vjjj.exe 40 PID 1340 wrote to memory of 2088 1340 1vjjj.exe 40 PID 1340 wrote to memory of 2088 1340 1vjjj.exe 40 PID 1340 wrote to memory of 2088 1340 1vjjj.exe 40 PID 2088 wrote to memory of 2004 2088 fxfffff.exe 41 PID 2088 wrote to memory of 2004 2088 fxfffff.exe 41 PID 2088 wrote to memory of 2004 2088 fxfffff.exe 41 PID 2088 wrote to memory of 2004 2088 fxfffff.exe 41 PID 2004 wrote to memory of 2660 2004 7rfrllf.exe 42 PID 2004 wrote to memory of 2660 2004 7rfrllf.exe 42 PID 2004 wrote to memory of 2660 2004 7rfrllf.exe 42 PID 2004 wrote to memory of 2660 2004 7rfrllf.exe 42 PID 2660 wrote to memory of 2348 2660 02862.exe 43 PID 2660 wrote to memory of 2348 2660 02862.exe 43 PID 2660 wrote to memory of 2348 2660 02862.exe 43 PID 2660 wrote to memory of 2348 2660 02862.exe 43 PID 2348 wrote to memory of 2644 2348 2028884.exe 44 PID 2348 wrote to memory of 2644 2348 2028884.exe 44 PID 2348 wrote to memory of 2644 2348 2028884.exe 44 PID 2348 wrote to memory of 2644 2348 2028884.exe 44 PID 2644 wrote to memory of 1000 2644 dpvdp.exe 45 PID 2644 wrote to memory of 1000 2644 dpvdp.exe 45 PID 2644 wrote to memory of 1000 2644 dpvdp.exe 45 PID 2644 wrote to memory of 1000 2644 dpvdp.exe 45
Processes (note: PIDs are reused within this run — 2080, 1000, 1940, 2500, 2660 and 1512 each appear twice below — so a PID alone, including in the `PID-index-…memory.dmp` names above, does not identify a unique process; correlate by tree position or dump index)
-
C:\Users\Admin\AppData\Local\Temp\6ad36da52cffaa06ea3c68f0cbc97bfe15383b1984ac77f96d7d6f7cc4933f1e.exe "C:\Users\Admin\AppData\Local\Temp\6ad36da52cffaa06ea3c68f0cbc97bfe15383b1984ac77f96d7d6f7cc4933f1e.exe" 1⤵
- Suspicious use of WriteProcessMemory
PID:2080 -
\??\c:\jvjjd.exec:\jvjjd.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2556 -
\??\c:\6644224.exec:\6644224.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1884 -
\??\c:\a8040.exec:\a8040.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2296 -
\??\c:\5xllfff.exec:\5xllfff.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2684 -
\??\c:\9dpjd.exec:\9dpjd.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2696 -
\??\c:\hthbbt.exec:\hthbbt.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2748 -
\??\c:\080226.exec:\080226.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2880 -
\??\c:\dpjdd.exec:\dpjdd.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2960 -
\??\c:\6466268.exec:\6466268.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2892 -
\??\c:\1vjjj.exec:\1vjjj.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1340 -
\??\c:\fxfffff.exec:\fxfffff.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2088 -
\??\c:\7rfrllf.exec:\7rfrllf.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2004 -
\??\c:\02862.exec:\02862.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2660 -
\??\c:\2028884.exec:\2028884.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2348 -
\??\c:\dpvdp.exec:\dpvdp.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2644 -
\??\c:\7hbhhh.exec:\7hbhhh.exe17⤵
- Executes dropped EXE
PID:1000 -
\??\c:\thbtbb.exec:\thbtbb.exe18⤵
- Executes dropped EXE
PID:2768 -
\??\c:\jvddp.exec:\jvddp.exe19⤵
- Executes dropped EXE
PID:2828 -
\??\c:\64668.exec:\64668.exe20⤵
- Executes dropped EXE
PID:2680 -
\??\c:\4222880.exec:\4222880.exe21⤵
- Executes dropped EXE
PID:2928 -
\??\c:\vpvdj.exec:\vpvdj.exe22⤵
- Executes dropped EXE
PID:3036 -
\??\c:\208426.exec:\208426.exe23⤵
- Executes dropped EXE
PID:2204 -
\??\c:\3xrxxfl.exec:\3xrxxfl.exe24⤵
- Executes dropped EXE
PID:948 -
\??\c:\fxllrrf.exec:\fxllrrf.exe25⤵
- Executes dropped EXE
PID:864 -
\??\c:\pdppv.exec:\pdppv.exe26⤵
- Executes dropped EXE
PID:1940 -
\??\c:\m0460.exec:\m0460.exe27⤵
- Executes dropped EXE
PID:1448 -
\??\c:\tbhthb.exec:\tbhthb.exe28⤵
- Executes dropped EXE
PID:2420 -
\??\c:\3rffrlx.exec:\3rffrlx.exe29⤵
- Executes dropped EXE
PID:3008 -
\??\c:\1xxxfff.exec:\1xxxfff.exe30⤵
- Executes dropped EXE
PID:1464 -
\??\c:\pdvvv.exec:\pdvvv.exe31⤵
- Executes dropped EXE
PID:1516 -
\??\c:\nntnbn.exec:\nntnbn.exe32⤵
- Executes dropped EXE
PID:2416 -
\??\c:\0800066.exec:\0800066.exe33⤵
- Executes dropped EXE
PID:2268 -
\??\c:\242240.exec:\242240.exe34⤵
- Executes dropped EXE
PID:2508 -
\??\c:\86220.exec:\86220.exe35⤵
- Executes dropped EXE
PID:1832 -
\??\c:\8408440.exec:\8408440.exe36⤵
- Executes dropped EXE
PID:2500 -
\??\c:\pdvvd.exec:\pdvvd.exe37⤵
- Executes dropped EXE
PID:2276 -
\??\c:\8648440.exec:\8648440.exe38⤵
- Executes dropped EXE
PID:2436 -
\??\c:\lrllrxx.exec:\lrllrxx.exe39⤵
- Executes dropped EXE
PID:2428 -
\??\c:\9bhnnn.exec:\9bhnnn.exe40⤵
- Executes dropped EXE
PID:2732 -
\??\c:\208408.exec:\208408.exe41⤵
- Executes dropped EXE
PID:2724 -
\??\c:\5thntb.exec:\5thntb.exe42⤵
- Executes dropped EXE
PID:2128 -
\??\c:\2088064.exec:\2088064.exe43⤵
- Executes dropped EXE
PID:2620 -
\??\c:\c466806.exec:\c466806.exe44⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2520 -
\??\c:\1pppp.exec:\1pppp.exe45⤵
- Executes dropped EXE
PID:2876 -
\??\c:\3djdd.exec:\3djdd.exe46⤵
- Executes dropped EXE
PID:2084 -
\??\c:\a4884.exec:\a4884.exe47⤵
- Executes dropped EXE
PID:320 -
\??\c:\q46284.exec:\q46284.exe48⤵
- Executes dropped EXE
PID:2312 -
\??\c:\rlfllrx.exec:\rlfllrx.exe49⤵
- Executes dropped EXE
PID:2116 -
\??\c:\2466822.exec:\2466822.exe50⤵
- Executes dropped EXE
PID:2888 -
\??\c:\nhbhtb.exec:\nhbhtb.exe51⤵
- Executes dropped EXE
PID:1768 -
\??\c:\lfxrfxf.exec:\lfxrfxf.exe52⤵
- Executes dropped EXE
PID:1696 -
\??\c:\5hbbhh.exec:\5hbbhh.exe53⤵
- Executes dropped EXE
PID:1660 -
\??\c:\ttnhnn.exec:\ttnhnn.exe54⤵
- Executes dropped EXE
PID:2016 -
\??\c:\86406.exec:\86406.exe55⤵
- Executes dropped EXE
PID:2256 -
\??\c:\lxllxfr.exec:\lxllxfr.exe56⤵
- Executes dropped EXE
PID:1932 -
\??\c:\xlxfllx.exec:\xlxfllx.exe57⤵
- Executes dropped EXE
PID:1912 -
\??\c:\3vjjj.exec:\3vjjj.exe58⤵
- Executes dropped EXE
PID:2992 -
\??\c:\s0220.exec:\s0220.exe59⤵
- Executes dropped EXE
PID:1720 -
\??\c:\vdpvd.exec:\vdpvd.exe60⤵
- Executes dropped EXE
PID:2980 -
\??\c:\tnbhtb.exec:\tnbhtb.exe61⤵
- Executes dropped EXE
PID:408 -
\??\c:\ffrxffr.exec:\ffrxffr.exe62⤵
- Executes dropped EXE
PID:1252 -
\??\c:\m2446.exec:\m2446.exe63⤵
- Executes dropped EXE
PID:2332 -
\??\c:\3xlrxfl.exec:\3xlrxfl.exe64⤵
- Executes dropped EXE
PID:1304 -
\??\c:\64684.exec:\64684.exe65⤵
- Executes dropped EXE
PID:900 -
\??\c:\bbnbhh.exec:\bbnbhh.exe66⤵PID:1628
-
\??\c:\o244046.exec:\o244046.exe67⤵PID:1616
-
\??\c:\jjjpv.exec:\jjjpv.exe68⤵PID:1940
-
\??\c:\g4062.exec:\g4062.exe69⤵PID:2140
-
\??\c:\5rfffff.exec:\5rfffff.exe70⤵PID:1952
-
\??\c:\u644662.exec:\u644662.exe71⤵PID:3052
-
\??\c:\tttntb.exec:\tttntb.exe72⤵PID:980
-
\??\c:\7tbhhh.exec:\7tbhhh.exe73⤵PID:2408
-
\??\c:\tnhhnn.exec:\tnhhnn.exe74⤵PID:860
-
\??\c:\02822.exec:\02822.exe75⤵PID:1412
-
\??\c:\2428440.exec:\2428440.exe76⤵PID:2272
-
\??\c:\jvvjp.exec:\jvvjp.exe77⤵PID:1512
-
\??\c:\44828.exec:\44828.exe78⤵PID:1776
-
\??\c:\thtntt.exec:\thtntt.exe79⤵PID:2052
-
\??\c:\w80088.exec:\w80088.exe80⤵PID:2500
-
\??\c:\q60022.exec:\q60022.exe81⤵PID:2104
-
\??\c:\jppjp.exec:\jppjp.exe82⤵PID:2908
-
\??\c:\ppdjp.exec:\ppdjp.exe83⤵PID:2788
-
\??\c:\20840.exec:\20840.exe84⤵PID:2872
-
\??\c:\xrflxxr.exec:\xrflxxr.exe85⤵PID:2600
-
\??\c:\rrxxflr.exec:\rrxxflr.exe86⤵PID:2616
-
\??\c:\486066.exec:\486066.exe87⤵PID:2884
-
\??\c:\0422446.exec:\0422446.exe88⤵PID:2848
-
\??\c:\5ppvj.exec:\5ppvj.exe89⤵PID:2652
-
\??\c:\ththbt.exec:\ththbt.exe90⤵PID:2876
-
\??\c:\jvpvj.exec:\jvpvj.exe91⤵PID:1564
-
\??\c:\vjvvd.exec:\vjvvd.exe92⤵PID:320
-
\??\c:\jdppv.exec:\jdppv.exe93⤵PID:1716
-
\??\c:\lxfflrr.exec:\lxfflrr.exe94⤵
- System Location Discovery: System Language Discovery
PID:1844 -
\??\c:\rrfrffr.exec:\rrfrffr.exe95⤵PID:2888
-
\??\c:\5dpdj.exec:\5dpdj.exe96⤵PID:2660
-
\??\c:\llxrxxl.exec:\llxrxxl.exe97⤵PID:1696
-
\??\c:\1hnnnn.exec:\1hnnnn.exe98⤵PID:1816
-
\??\c:\tthhtt.exec:\tthhtt.exe99⤵PID:1656
-
\??\c:\nbtthh.exec:\nbtthh.exe100⤵PID:1000
-
\??\c:\vvjpd.exec:\vvjpd.exe101⤵PID:1932
-
\??\c:\e60068.exec:\e60068.exe102⤵PID:600
-
\??\c:\1frlrxx.exec:\1frlrxx.exe103⤵PID:2992
-
\??\c:\fxrrfxl.exec:\fxrrfxl.exe104⤵PID:2680
-
\??\c:\7vjdj.exec:\7vjdj.exe105⤵PID:3044
-
\??\c:\646628.exec:\646628.exe106⤵PID:2144
-
\??\c:\jvpjj.exec:\jvpjj.exe107⤵PID:2212
-
\??\c:\thbbbt.exec:\thbbbt.exe108⤵PID:1536
-
\??\c:\k82284.exec:\k82284.exe109⤵PID:1780
-
\??\c:\nbnhtn.exec:\nbnhtn.exe110⤵PID:1460
-
\??\c:\k64464.exec:\k64464.exe111⤵PID:1648
-
\??\c:\264028.exec:\264028.exe112⤵PID:1136
-
\??\c:\26846.exec:\26846.exe113⤵PID:1672
-
\??\c:\7fllrrx.exec:\7fllrrx.exe114⤵PID:3048
-
\??\c:\046060.exec:\046060.exe115⤵PID:1836
-
\??\c:\frxrxrx.exec:\frxrxrx.exe116⤵PID:1236
-
\??\c:\604428.exec:\604428.exe117⤵PID:556
-
\??\c:\1frxxxf.exec:\1frxxxf.exe118⤵PID:272
-
\??\c:\7djjj.exec:\7djjj.exe119⤵PID:880
-
\??\c:\dvddd.exec:\dvddd.exe120⤵PID:3064
-
\??\c:\42440.exec:\42440.exe121⤵PID:2080
-
\??\c:\1btntn.exec:\1btntn.exe122⤵PID:1512