Analysis
-
max time kernel
120s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64 · arch:x86 · image:win7-20241010-en · locale:en-us · os:windows7-x64 · system
submitted
26-12-2024 19:20
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
ff2c58c69f88684f2434b5b58eeb5cf7dbf13a0542f08be3f2183b66f256f3d4.exe
Resource
win7-20241010-en
windows7-x64
7 signatures
120 seconds
General
-
Target
ff2c58c69f88684f2434b5b58eeb5cf7dbf13a0542f08be3f2183b66f256f3d4.exe
-
Size
456KB
-
MD5
b98f985e83248678de7723f497de6437
-
SHA1
49fb5cf04f2e827ce87926552a53d6c3bb0fc681
-
SHA256
ff2c58c69f88684f2434b5b58eeb5cf7dbf13a0542f08be3f2183b66f256f3d4
-
SHA512
84e0922fce6494edfbf25b6fb5447bb5115b67adee9f01bc1ebbdd12ab6164527f52f3100bdbe3910b9524d13f1d2a46bee934c9e2a2b60d5c61b3d33cdb2ad0
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe9:q7Tc2NYHUrAwfMp3CD9
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 45 IoCs (memory YARA matches). Every hit covers an image of the same size (0x2A000 bytes) at either the default 0x400000 base or a second copy in a low private region (0x220000, 0x3C0000, 0x3A0000, 0x1B0000), and the same regions also match the `upx` rule below. This is consistent with each dropped executable being a renamed copy of one UPX-packed payload rather than distinct components; confirm by comparing hashes of the dropped files.
resource yara_rule behavioral1/memory/1684-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2760-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/576-27-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3020-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2784-46-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2968-61-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2976-72-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2076-81-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2076-84-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2752-107-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2164-118-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1296-129-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3028-159-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2080-150-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2776-147-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2776-146-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1120-209-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1660-235-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1980-244-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1804-263-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2496-273-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2604-283-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1692-296-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1944-294-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2756-316-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2444-323-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2092-330-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2340-337-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2884-436-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2776-443-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/2084-482-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/572-483-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1744-516-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1144-536-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/304-569-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1220-583-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/304-590-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1692-592-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2592-601-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2780-646-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2236-647-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2236-650-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon 
behavioral1/memory/2728-686-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2988-699-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1620-770-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs (the IoC list is capped at 64 entries and is therefore truncated; the process tree below shows 122 nested drop-and-execute levels). Note that PIDs are reused within the run — e.g. 1600 appears for both 680804.exe and 3xlrxxf.exe, and 2784 for both 6044040.exe and rflflfl.exe — so earlier stages had already exited when later ones started; correlate by parent PID and timing, not by PID alone.
pid Process 1600 680804.exe 2760 2460606.exe 576 6466262.exe 3020 6064248.exe 2784 6044040.exe 2968 lffxfxx.exe 2808 btnnbh.exe 2976 420626.exe 2076 86266.exe 2984 868408.exe 2752 424804.exe 2164 5dpvp.exe 1296 0046846.exe 3052 thnntt.exe 2776 1lrllxf.exe 2080 208448.exe 3028 a4282.exe 1796 fxllrrx.exe 2132 1jvpd.exe 2016 646660.exe 2172 jvjpp.exe 1120 1rffffl.exe 1764 vjvdj.exe 2360 4826262.exe 1660 8246284.exe 1980 frfxllr.exe 1328 c240008.exe 1804 60224.exe 2496 i688840.exe 2604 vpvvd.exe 1944 vdpjv.exe 1692 nhhntt.exe 1600 3xlrxxf.exe 2756 htnhtn.exe 2444 htnnbt.exe 2092 bthnbb.exe 2340 424406.exe 2784 rflflfl.exe 2932 04624.exe 2944 tbhhtn.exe 2236 a6462.exe 2808 6462840.exe 2976 thnnnt.exe 2888 8288062.exe 2688 5jvpv.exe 2536 rxrxllf.exe 2532 a8620.exe 2544 86068.exe 1244 pjpvd.exe 864 646004.exe 852 20628.exe 2884 pdvvd.exe 2776 nhtntt.exe 1260 thtthh.exe 108 a8208.exe 2352 040208.exe 1796 k84444.exe 2624 xxrxflf.exe 2084 9dvvj.exe 572 060004.exe 1792 202888.exe 1916 0468446.exe 2144 xrlxrrx.exe 1744 6044220.exe -
resource yara_rule behavioral1/memory/1684-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2760-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/576-27-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3020-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2784-46-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2968-61-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2976-72-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2076-81-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2984-90-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2752-102-0x0000000000320000-0x000000000034A000-memory.dmp upx behavioral1/memory/2164-109-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2752-107-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2164-118-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1296-129-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1296-125-0x00000000003B0000-0x00000000003DA000-memory.dmp upx behavioral1/memory/3028-159-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2080-150-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2776-147-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2016-184-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1120-201-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1120-209-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1660-235-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1980-244-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1804-263-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2496-273-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2604-283-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1692-296-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1944-294-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1692-299-0x00000000003C0000-0x00000000003EA000-memory.dmp upx behavioral1/memory/2444-323-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2092-330-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2340-337-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2932-344-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2944-351-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2808-365-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2888-378-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1244-411-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2884-436-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2352-456-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2084-475-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2084-482-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/572-483-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1744-509-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1744-516-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1144-536-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2120-549-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2592-593-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2816-626-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2780-646-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2236-647-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2728-686-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2908-712-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1560-731-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1080-738-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1912-763-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2480-796-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/772-803-0x0000000000220000-0x000000000024A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host. Caveat: the key opened (`HKLM\SYSTEM\ControlSet001\Control\NLS\Language`) is also read by ordinary locale initialization, so on its own this is a low-fidelity indicator; it is only meaningful here in combination with the Blackmoon and UPX memory matches. Many entries are attributed to "Process not Found", which most likely means the short-lived child had already exited before the sandbox could resolve its PID to an image name.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 486804.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdpjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8246284.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 26402.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbhhtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8684220.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffxlxlx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3rrlfff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 042866.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7rlxfxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 866664.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 426806.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thbbnn.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdjpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpddd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 04280.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnhhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language o206884.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language k80620.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjppp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs (list capped at 64). Each parent–child pair shows exactly four writes by the parent into the freshly created child and no writes into any unrelated process, which is consistent with the writes performed during process creation itself rather than with code injection into a third-party process; treat this as corroborating the drop-and-spawn chain, not as evidence of injection, unless the memory dumps show otherwise.
description pid Process procid_target PID 1684 wrote to memory of 1600 1684 ff2c58c69f88684f2434b5b58eeb5cf7dbf13a0542f08be3f2183b66f256f3d4.exe 30 PID 1684 wrote to memory of 1600 1684 ff2c58c69f88684f2434b5b58eeb5cf7dbf13a0542f08be3f2183b66f256f3d4.exe 30 PID 1684 wrote to memory of 1600 1684 ff2c58c69f88684f2434b5b58eeb5cf7dbf13a0542f08be3f2183b66f256f3d4.exe 30 PID 1684 wrote to memory of 1600 1684 ff2c58c69f88684f2434b5b58eeb5cf7dbf13a0542f08be3f2183b66f256f3d4.exe 30 PID 1600 wrote to memory of 2760 1600 680804.exe 31 PID 1600 wrote to memory of 2760 1600 680804.exe 31 PID 1600 wrote to memory of 2760 1600 680804.exe 31 PID 1600 wrote to memory of 2760 1600 680804.exe 31 PID 2760 wrote to memory of 576 2760 2460606.exe 32 PID 2760 wrote to memory of 576 2760 2460606.exe 32 PID 2760 wrote to memory of 576 2760 2460606.exe 32 PID 2760 wrote to memory of 576 2760 2460606.exe 32 PID 576 wrote to memory of 3020 576 6466262.exe 33 PID 576 wrote to memory of 3020 576 6466262.exe 33 PID 576 wrote to memory of 3020 576 6466262.exe 33 PID 576 wrote to memory of 3020 576 6466262.exe 33 PID 3020 wrote to memory of 2784 3020 6064248.exe 34 PID 3020 wrote to memory of 2784 3020 6064248.exe 34 PID 3020 wrote to memory of 2784 3020 6064248.exe 34 PID 3020 wrote to memory of 2784 3020 6064248.exe 34 PID 2784 wrote to memory of 2968 2784 6044040.exe 35 PID 2784 wrote to memory of 2968 2784 6044040.exe 35 PID 2784 wrote to memory of 2968 2784 6044040.exe 35 PID 2784 wrote to memory of 2968 2784 6044040.exe 35 PID 2968 wrote to memory of 2808 2968 lffxfxx.exe 36 PID 2968 wrote to memory of 2808 2968 lffxfxx.exe 36 PID 2968 wrote to memory of 2808 2968 lffxfxx.exe 36 PID 2968 wrote to memory of 2808 2968 lffxfxx.exe 36 PID 2808 wrote to memory of 2976 2808 btnnbh.exe 37 PID 2808 wrote to memory of 2976 2808 btnnbh.exe 37 PID 2808 wrote to memory of 2976 2808 btnnbh.exe 37 PID 2808 wrote to memory of 2976 2808 btnnbh.exe 37 PID 2976 wrote to memory of 2076 2976 420626.exe 38 PID 
2976 wrote to memory of 2076 2976 420626.exe 38 PID 2976 wrote to memory of 2076 2976 420626.exe 38 PID 2976 wrote to memory of 2076 2976 420626.exe 38 PID 2076 wrote to memory of 2984 2076 86266.exe 39 PID 2076 wrote to memory of 2984 2076 86266.exe 39 PID 2076 wrote to memory of 2984 2076 86266.exe 39 PID 2076 wrote to memory of 2984 2076 86266.exe 39 PID 2984 wrote to memory of 2752 2984 868408.exe 40 PID 2984 wrote to memory of 2752 2984 868408.exe 40 PID 2984 wrote to memory of 2752 2984 868408.exe 40 PID 2984 wrote to memory of 2752 2984 868408.exe 40 PID 2752 wrote to memory of 2164 2752 424804.exe 41 PID 2752 wrote to memory of 2164 2752 424804.exe 41 PID 2752 wrote to memory of 2164 2752 424804.exe 41 PID 2752 wrote to memory of 2164 2752 424804.exe 41 PID 2164 wrote to memory of 1296 2164 5dpvp.exe 42 PID 2164 wrote to memory of 1296 2164 5dpvp.exe 42 PID 2164 wrote to memory of 1296 2164 5dpvp.exe 42 PID 2164 wrote to memory of 1296 2164 5dpvp.exe 42 PID 1296 wrote to memory of 3052 1296 0046846.exe 43 PID 1296 wrote to memory of 3052 1296 0046846.exe 43 PID 1296 wrote to memory of 3052 1296 0046846.exe 43 PID 1296 wrote to memory of 3052 1296 0046846.exe 43 PID 3052 wrote to memory of 2776 3052 thnntt.exe 44 PID 3052 wrote to memory of 2776 3052 thnntt.exe 44 PID 3052 wrote to memory of 2776 3052 thnntt.exe 44 PID 3052 wrote to memory of 2776 3052 thnntt.exe 44 PID 2776 wrote to memory of 2080 2776 1lrllxf.exe 45 PID 2776 wrote to memory of 2080 2776 1lrllxf.exe 45 PID 2776 wrote to memory of 2080 2776 1lrllxf.exe 45 PID 2776 wrote to memory of 2080 2776 1lrllxf.exe 45
Processes
Process tree. The sample spawns a single linear chain: each stage drops the next executable directly into the root of the system drive (e.g. `\??\c:\680804.exe`) under a random-looking name and executes it, reaching 122 nesting levels within the 120-second run. Executables created and launched from `C:\` root are themselves a strong detection hint independent of the family signature. Each entry below shows the image path followed by its command line, the nesting depth, and the PID.
C:\Users\Admin\AppData\Local\Temp\ff2c58c69f88684f2434b5b58eeb5cf7dbf13a0542f08be3f2183b66f256f3d4.exe"C:\Users\Admin\AppData\Local\Temp\ff2c58c69f88684f2434b5b58eeb5cf7dbf13a0542f08be3f2183b66f256f3d4.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1684 -
\??\c:\680804.exec:\680804.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1600 -
\??\c:\2460606.exec:\2460606.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2760 -
\??\c:\6466262.exec:\6466262.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:576 -
\??\c:\6064248.exec:\6064248.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3020 -
\??\c:\6044040.exec:\6044040.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2784 -
\??\c:\lffxfxx.exec:\lffxfxx.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2968 -
\??\c:\btnnbh.exec:\btnnbh.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2808 -
\??\c:\420626.exec:\420626.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2976 -
\??\c:\86266.exec:\86266.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2076 -
\??\c:\868408.exec:\868408.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2984 -
\??\c:\424804.exec:\424804.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2752 -
\??\c:\5dpvp.exec:\5dpvp.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2164 -
\??\c:\0046846.exec:\0046846.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1296 -
\??\c:\thnntt.exec:\thnntt.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3052 -
\??\c:\1lrllxf.exec:\1lrllxf.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2776 -
\??\c:\208448.exec:\208448.exe17⤵
- Executes dropped EXE
PID:2080 -
\??\c:\a4282.exec:\a4282.exe18⤵
- Executes dropped EXE
PID:3028 -
\??\c:\fxllrrx.exec:\fxllrrx.exe19⤵
- Executes dropped EXE
PID:1796 -
\??\c:\1jvpd.exec:\1jvpd.exe20⤵
- Executes dropped EXE
PID:2132 -
\??\c:\646660.exec:\646660.exe21⤵
- Executes dropped EXE
PID:2016 -
\??\c:\jvjpp.exec:\jvjpp.exe22⤵
- Executes dropped EXE
PID:2172 -
\??\c:\1rffffl.exec:\1rffffl.exe23⤵
- Executes dropped EXE
PID:1120 -
\??\c:\vjvdj.exec:\vjvdj.exe24⤵
- Executes dropped EXE
PID:1764 -
\??\c:\4826262.exec:\4826262.exe25⤵
- Executes dropped EXE
PID:2360 -
\??\c:\8246284.exec:\8246284.exe26⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1660 -
\??\c:\frfxllr.exec:\frfxllr.exe27⤵
- Executes dropped EXE
PID:1980 -
\??\c:\c240008.exec:\c240008.exe28⤵
- Executes dropped EXE
PID:1328 -
\??\c:\60224.exec:\60224.exe29⤵
- Executes dropped EXE
PID:1804 -
\??\c:\i688840.exec:\i688840.exe30⤵
- Executes dropped EXE
PID:2496 -
\??\c:\vpvvd.exec:\vpvvd.exe31⤵
- Executes dropped EXE
PID:2604 -
\??\c:\vdpjv.exec:\vdpjv.exe32⤵
- Executes dropped EXE
PID:1944 -
\??\c:\nhhntt.exec:\nhhntt.exe33⤵
- Executes dropped EXE
PID:1692 -
\??\c:\3xlrxxf.exec:\3xlrxxf.exe34⤵
- Executes dropped EXE
PID:1600 -
\??\c:\htnhtn.exec:\htnhtn.exe35⤵
- Executes dropped EXE
PID:2756 -
\??\c:\htnnbt.exec:\htnnbt.exe36⤵
- Executes dropped EXE
PID:2444 -
\??\c:\bthnbb.exec:\bthnbb.exe37⤵
- Executes dropped EXE
PID:2092 -
\??\c:\424406.exec:\424406.exe38⤵
- Executes dropped EXE
PID:2340 -
\??\c:\rflflfl.exec:\rflflfl.exe39⤵
- Executes dropped EXE
PID:2784 -
\??\c:\04624.exec:\04624.exe40⤵
- Executes dropped EXE
PID:2932 -
\??\c:\tbhhtn.exec:\tbhhtn.exe41⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2944 -
\??\c:\a6462.exec:\a6462.exe42⤵
- Executes dropped EXE
PID:2236 -
\??\c:\6462840.exec:\6462840.exe43⤵
- Executes dropped EXE
PID:2808 -
\??\c:\thnnnt.exec:\thnnnt.exe44⤵
- Executes dropped EXE
PID:2976 -
\??\c:\8288062.exec:\8288062.exe45⤵
- Executes dropped EXE
PID:2888 -
\??\c:\5jvpv.exec:\5jvpv.exe46⤵
- Executes dropped EXE
PID:2688 -
\??\c:\rxrxllf.exec:\rxrxllf.exe47⤵
- Executes dropped EXE
PID:2536 -
\??\c:\a8620.exec:\a8620.exe48⤵
- Executes dropped EXE
PID:2532 -
\??\c:\86068.exec:\86068.exe49⤵
- Executes dropped EXE
PID:2544 -
\??\c:\pjpvd.exec:\pjpvd.exe50⤵
- Executes dropped EXE
PID:1244 -
\??\c:\646004.exec:\646004.exe51⤵
- Executes dropped EXE
PID:864 -
\??\c:\20628.exec:\20628.exe52⤵
- Executes dropped EXE
PID:852 -
\??\c:\pdvvd.exec:\pdvvd.exe53⤵
- Executes dropped EXE
PID:2884 -
\??\c:\nhtntt.exec:\nhtntt.exe54⤵
- Executes dropped EXE
PID:2776 -
\??\c:\thtthh.exec:\thtthh.exe55⤵
- Executes dropped EXE
PID:1260 -
\??\c:\a8208.exec:\a8208.exe56⤵
- Executes dropped EXE
PID:108 -
\??\c:\040208.exec:\040208.exe57⤵
- Executes dropped EXE
PID:2352 -
\??\c:\k84444.exec:\k84444.exe58⤵
- Executes dropped EXE
PID:1796 -
\??\c:\xxrxflf.exec:\xxrxflf.exe59⤵
- Executes dropped EXE
PID:2624 -
\??\c:\9dvvj.exec:\9dvvj.exe60⤵
- Executes dropped EXE
PID:2084 -
\??\c:\060004.exec:\060004.exe61⤵
- Executes dropped EXE
PID:572 -
\??\c:\202888.exec:\202888.exe62⤵
- Executes dropped EXE
PID:1792 -
\??\c:\0468446.exec:\0468446.exe63⤵
- Executes dropped EXE
PID:1916 -
\??\c:\xrlxrrx.exec:\xrlxrrx.exe64⤵
- Executes dropped EXE
PID:2144 -
\??\c:\6044220.exec:\6044220.exe65⤵
- Executes dropped EXE
PID:1744 -
\??\c:\22024.exec:\22024.exe66⤵PID:2004
-
\??\c:\48486.exec:\48486.exe67⤵PID:1528
-
\??\c:\7rlxfxx.exec:\7rlxfxx.exe68⤵
- System Location Discovery: System Language Discovery
PID:1508 -
\??\c:\48620.exec:\48620.exe69⤵PID:1144
-
\??\c:\q60088.exec:\q60088.exe70⤵PID:2412
-
\??\c:\vpjpd.exec:\vpjpd.exe71⤵PID:2120
-
\??\c:\m6480.exec:\m6480.exe72⤵PID:2496
-
\??\c:\bbthnt.exec:\bbthnt.exe73⤵PID:304
-
\??\c:\a2682.exec:\a2682.exe74⤵PID:884
-
\??\c:\4228426.exec:\4228426.exe75⤵PID:1220
-
\??\c:\s4280.exec:\s4280.exe76⤵PID:1692
-
\??\c:\jjjdj.exec:\jjjdj.exe77⤵PID:2592
-
\??\c:\2642442.exec:\2642442.exe78⤵PID:2756
-
\??\c:\ffxlxlx.exec:\ffxlxlx.exe79⤵
- System Location Discovery: System Language Discovery
PID:316 -
\??\c:\048026.exec:\048026.exe80⤵PID:1572
-
\??\c:\k66428.exec:\k66428.exe81⤵PID:2340
-
\??\c:\e08406.exec:\e08406.exe82⤵PID:2816
-
\??\c:\26440.exec:\26440.exe83⤵PID:356
-
\??\c:\fxrrllf.exec:\fxrrllf.exe84⤵PID:2780
-
\??\c:\hbtbnn.exec:\hbtbnn.exe85⤵PID:2236
-
\??\c:\bhbbnt.exec:\bhbbnt.exe86⤵PID:2808
-
\??\c:\048442.exec:\048442.exe87⤵PID:2812
-
\??\c:\9hbhbh.exec:\9hbhbh.exe88⤵PID:2888
-
\??\c:\s6680.exec:\s6680.exe89⤵PID:2988
-
\??\c:\jdppd.exec:\jdppd.exe90⤵PID:2728
-
\??\c:\vvdjv.exec:\vvdjv.exe91⤵PID:1984
-
\??\c:\26840.exec:\26840.exe92⤵PID:1176
-
\??\c:\60282.exec:\60282.exe93⤵PID:2764
-
\??\c:\nbbbhb.exec:\nbbbhb.exe94⤵PID:1296
-
\??\c:\2084602.exec:\2084602.exe95⤵PID:2908
-
\??\c:\vjddj.exec:\vjddj.exe96⤵PID:2912
-
\??\c:\42464.exec:\42464.exe97⤵PID:2336
-
\??\c:\448404.exec:\448404.exe98⤵PID:1560
-
\??\c:\820644.exec:\820644.exe99⤵PID:1080
-
\??\c:\tntntn.exec:\tntntn.exe100⤵PID:1620
-
\??\c:\1hbhhh.exec:\1hbhhh.exe101⤵PID:1852
-
\??\c:\3lxfllx.exec:\3lxfllx.exe102⤵PID:2140
-
\??\c:\8244046.exec:\8244046.exe103⤵PID:1912
-
\??\c:\xrllrlf.exec:\xrllrlf.exe104⤵PID:2308
-
\??\c:\lrlfrfr.exec:\lrlfrfr.exe105⤵PID:772
-
\??\c:\pjdvj.exec:\pjdvj.exe106⤵PID:668
-
\??\c:\0044220.exec:\0044220.exe107⤵PID:620
-
\??\c:\0800244.exec:\0800244.exe108⤵PID:2480
-
\??\c:\5djdj.exec:\5djdj.exe109⤵PID:1660
-
\??\c:\04280.exec:\04280.exe110⤵PID:1980
-
\??\c:\8206886.exec:\8206886.exe111⤵PID:1976
-
\??\c:\4004426.exec:\4004426.exe112⤵PID:1504
-
\??\c:\22662.exec:\22662.exe113⤵PID:2060
-
\??\c:\lfrxllf.exec:\lfrxllf.exe114⤵PID:1316
-
\??\c:\40044.exec:\40044.exe115⤵PID:1688
-
\??\c:\88620.exec:\88620.exe116⤵PID:1724
-
\??\c:\c484220.exec:\c484220.exe117⤵PID:2224
-
\??\c:\jppvd.exec:\jppvd.exe118⤵PID:352
-
\??\c:\7jvpp.exec:\7jvpp.exe119⤵PID:1940
-
\??\c:\bnbthh.exec:\bnbthh.exe120⤵PID:576
-
\??\c:\7pdpv.exec:\7pdpv.exe121⤵PID:1576
-
\??\c:\3rrlfff.exec:\3rrlfff.exe122⤵
- System Location Discovery: System Language Discovery
PID:1736