Analysis
-
max time kernel
120s -
max time network
17s -
platform
windows7_x64 -
resource
win7-20241023-en -
resource tags
arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system -
submitted
26-12-2024 19:42
Static task
static1
1 signature
Behavioral task
behavioral1
Sample
7ddcce8ef8fbef05fb9dd77d3362528ab9554c8a04b7eb0b064a6e868ad0da9fN.exe
Resource
win7-20241023-en
7 signatures
120 seconds
General
-
Target
7ddcce8ef8fbef05fb9dd77d3362528ab9554c8a04b7eb0b064a6e868ad0da9fN.exe
-
Size
454KB
-
MD5
b3584e2fb38bdb558faa50d951f66f50
-
SHA1
f5f9f1da23c1e2fe7e7d45488b9e0b1ee99eb4b7
-
SHA256
7ddcce8ef8fbef05fb9dd77d3362528ab9554c8a04b7eb0b064a6e868ad0da9f
-
SHA512
abda1e2f2b3d27bec86a347069f84490ec44560a06ee02c96603d672c13d470fa98383f823b964a2e88b14025f85203ab90e261b9945480917b2d2c1b1917e43
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeV:q7Tc2NYHUrAwfMp3CDV
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 48 IoCs (every hit below is the same 0x2A000-byte image mapped at 0x00400000 in each child process, with a second, smaller-address copy in some of them; this is consistent with each dropped executable being a copy of the same packed payload, which can be confirmed by hashing the dropped files rather than relying on the memory matches alone)
resource yara_rule behavioral1/memory/1272-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/620-16-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2392-27-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2232-39-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1620-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1272-47-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2888-58-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2840-68-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2984-76-0x0000000000230000-0x000000000025A000-memory.dmp family_blackmoon behavioral1/memory/2748-90-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/2744-105-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2748-97-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2536-115-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2792-135-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2332-165-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2100-172-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2332-169-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1052-229-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1776-239-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2660-315-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2668-329-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2432-322-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2668-336-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3028-362-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2752-413-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1924-396-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/1924-400-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2232-343-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/1832-480-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/900-268-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/2500-259-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/1352-250-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1352-248-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1988-188-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1280-143-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2660-595-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2660-596-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2528-668-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2544-675-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/852-694-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1836-733-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/796-752-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon 
behavioral1/memory/1272-853-0x0000000000230000-0x000000000025A000-memory.dmp family_blackmoon behavioral1/memory/1716-872-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2184-906-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2884-921-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/2740-934-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1472-1048-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 620 480060.exe 2392 5jjpv.exe 1620 5rxrxrx.exe 2232 00022.exe 2888 vvdpd.exe 2840 48220.exe 2984 082802.exe 2716 04282.exe 2748 7dvjd.exe 2744 ppdjj.exe 2536 1bttth.exe 1012 00408.exe 2792 ffrxfrr.exe 1280 rlflxfl.exe 1976 dpdjv.exe 1064 hhtntt.exe 2332 vpdpj.exe 2100 0068006.exe 1988 c804002.exe 3064 jvppv.exe 444 862806.exe 1820 0840060.exe 292 486246.exe 1052 m8246.exe 1776 5nbhhn.exe 1352 420688.exe 2500 flfrfrl.exe 900 5htbhh.exe 532 486484.exe 968 dvpvd.exe 2044 7pjpp.exe 2620 88280.exe 1788 44826.exe 2660 tbbhbn.exe 2432 826806.exe 2772 vvdjj.exe 2668 680462.exe 2232 886246.exe 2312 fffrflx.exe 2896 828468.exe 3028 0002642.exe 2700 1thntb.exe 2828 jdpvv.exe 3052 486688.exe 2724 thbhtt.exe 1524 6088628.exe 1924 s0840.exe 1100 a6006.exe 2752 0044200.exe 2768 66420.exe 2792 fxxlrxf.exe 2172 6424008.exe 1840 ppjdv.exe 2040 4868064.exe 2920 jjdjp.exe 2904 e00886.exe 2100 400820.exe 828 46464.exe 2276 jjvjj.exe 1832 5frlrrf.exe 2548 vpjjv.exe 824 fxrllrf.exe 1348 vvjpj.exe 1020 208468.exe -
resource yara_rule behavioral1/memory/1272-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/620-16-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2392-27-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2232-39-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1620-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2888-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2888-58-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2840-68-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2744-105-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2748-97-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2536-115-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2792-135-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1976-145-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2100-172-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2332-169-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1776-231-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1052-229-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1776-239-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/900-261-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2660-315-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2668-329-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2432-322-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2668-336-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3028-362-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2752-413-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1924-400-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1832-480-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2548-481-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2500-251-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1352-250-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1988-188-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1280-143-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1020-501-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1948-520-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1236-527-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2660-595-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2412-623-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2528-668-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2544-675-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/852-694-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2364-701-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2780-714-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1836-733-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2072-790-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1540-816-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1716-872-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2432-879-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2392-886-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2884-913-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3024-935-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1148-984-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1836-1016-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1472-1048-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2104-1092-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1992-1107-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery (MITRE ATT&CK T1614.001) 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location. The IoCs below are reads of the `NLS\Language` registry key; entries attributed to "Process not Found" are reads whose originating process the sandbox could not resolve (presumably short-lived children that had already exited), so the per-process attribution here is incomplete.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 428844.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language k66600.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 48068.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language m2224.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 82604.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0044200.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhnnbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhnbbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjjdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c860884.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4866806.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnbnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 828468.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrfrxrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6404628.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language u680286.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 484080.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjddp.exe -
Suspicious use of WriteProcessMemory 64 IoCs (note: several PIDs are reused by later processes in this run — e.g. 2232, 2792, 2100, 2660, 1272 and 620 each appear twice in the process tree — which is why some `procid_target` values below, such as 67 for the write into 2232 and 80 for the write into 2792, do not match the immediate child; correlate by process name and position in the chain rather than by PID alone)
description pid Process procid_target PID 1272 wrote to memory of 620 1272 7ddcce8ef8fbef05fb9dd77d3362528ab9554c8a04b7eb0b064a6e868ad0da9fN.exe 30 PID 1272 wrote to memory of 620 1272 7ddcce8ef8fbef05fb9dd77d3362528ab9554c8a04b7eb0b064a6e868ad0da9fN.exe 30 PID 1272 wrote to memory of 620 1272 7ddcce8ef8fbef05fb9dd77d3362528ab9554c8a04b7eb0b064a6e868ad0da9fN.exe 30 PID 1272 wrote to memory of 620 1272 7ddcce8ef8fbef05fb9dd77d3362528ab9554c8a04b7eb0b064a6e868ad0da9fN.exe 30 PID 620 wrote to memory of 2392 620 480060.exe 31 PID 620 wrote to memory of 2392 620 480060.exe 31 PID 620 wrote to memory of 2392 620 480060.exe 31 PID 620 wrote to memory of 2392 620 480060.exe 31 PID 2392 wrote to memory of 1620 2392 5jjpv.exe 32 PID 2392 wrote to memory of 1620 2392 5jjpv.exe 32 PID 2392 wrote to memory of 1620 2392 5jjpv.exe 32 PID 2392 wrote to memory of 1620 2392 5jjpv.exe 32 PID 1620 wrote to memory of 2232 1620 5rxrxrx.exe 67 PID 1620 wrote to memory of 2232 1620 5rxrxrx.exe 67 PID 1620 wrote to memory of 2232 1620 5rxrxrx.exe 67 PID 1620 wrote to memory of 2232 1620 5rxrxrx.exe 67 PID 2232 wrote to memory of 2888 2232 00022.exe 34 PID 2232 wrote to memory of 2888 2232 00022.exe 34 PID 2232 wrote to memory of 2888 2232 00022.exe 34 PID 2232 wrote to memory of 2888 2232 00022.exe 34 PID 2888 wrote to memory of 2840 2888 vvdpd.exe 35 PID 2888 wrote to memory of 2840 2888 vvdpd.exe 35 PID 2888 wrote to memory of 2840 2888 vvdpd.exe 35 PID 2888 wrote to memory of 2840 2888 vvdpd.exe 35 PID 2840 wrote to memory of 2984 2840 48220.exe 36 PID 2840 wrote to memory of 2984 2840 48220.exe 36 PID 2840 wrote to memory of 2984 2840 48220.exe 36 PID 2840 wrote to memory of 2984 2840 48220.exe 36 PID 2984 wrote to memory of 2716 2984 082802.exe 37 PID 2984 wrote to memory of 2716 2984 082802.exe 37 PID 2984 wrote to memory of 2716 2984 082802.exe 37 PID 2984 wrote to memory of 2716 2984 082802.exe 37 PID 2716 wrote to memory of 2748 2716 04282.exe 38 PID 2716 wrote to memory of 2748 
2716 04282.exe 38 PID 2716 wrote to memory of 2748 2716 04282.exe 38 PID 2716 wrote to memory of 2748 2716 04282.exe 38 PID 2748 wrote to memory of 2744 2748 7dvjd.exe 39 PID 2748 wrote to memory of 2744 2748 7dvjd.exe 39 PID 2748 wrote to memory of 2744 2748 7dvjd.exe 39 PID 2748 wrote to memory of 2744 2748 7dvjd.exe 39 PID 2744 wrote to memory of 2536 2744 ppdjj.exe 40 PID 2744 wrote to memory of 2536 2744 ppdjj.exe 40 PID 2744 wrote to memory of 2536 2744 ppdjj.exe 40 PID 2744 wrote to memory of 2536 2744 ppdjj.exe 40 PID 2536 wrote to memory of 1012 2536 1bttth.exe 41 PID 2536 wrote to memory of 1012 2536 1bttth.exe 41 PID 2536 wrote to memory of 1012 2536 1bttth.exe 41 PID 2536 wrote to memory of 1012 2536 1bttth.exe 41 PID 1012 wrote to memory of 2792 1012 00408.exe 80 PID 1012 wrote to memory of 2792 1012 00408.exe 80 PID 1012 wrote to memory of 2792 1012 00408.exe 80 PID 1012 wrote to memory of 2792 1012 00408.exe 80 PID 2792 wrote to memory of 1280 2792 ffrxfrr.exe 43 PID 2792 wrote to memory of 1280 2792 ffrxfrr.exe 43 PID 2792 wrote to memory of 1280 2792 ffrxfrr.exe 43 PID 2792 wrote to memory of 1280 2792 ffrxfrr.exe 43 PID 1280 wrote to memory of 1976 1280 rlflxfl.exe 44 PID 1280 wrote to memory of 1976 1280 rlflxfl.exe 44 PID 1280 wrote to memory of 1976 1280 rlflxfl.exe 44 PID 1280 wrote to memory of 1976 1280 rlflxfl.exe 44 PID 1976 wrote to memory of 1064 1976 dpdjv.exe 45 PID 1976 wrote to memory of 1064 1976 dpdjv.exe 45 PID 1976 wrote to memory of 1064 1976 dpdjv.exe 45 PID 1976 wrote to memory of 1064 1976 dpdjv.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\7ddcce8ef8fbef05fb9dd77d3362528ab9554c8a04b7eb0b064a6e868ad0da9fN.exe"C:\Users\Admin\AppData\Local\Temp\7ddcce8ef8fbef05fb9dd77d3362528ab9554c8a04b7eb0b064a6e868ad0da9fN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1272 -
\??\c:\480060.exec:\480060.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:620 -
\??\c:\5jjpv.exec:\5jjpv.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2392 -
\??\c:\5rxrxrx.exec:\5rxrxrx.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1620 -
\??\c:\00022.exec:\00022.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2232 -
\??\c:\vvdpd.exec:\vvdpd.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2888 -
\??\c:\48220.exec:\48220.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2840 -
\??\c:\082802.exec:\082802.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2984 -
\??\c:\04282.exec:\04282.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2716 -
\??\c:\7dvjd.exec:\7dvjd.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2748 -
\??\c:\ppdjj.exec:\ppdjj.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2744 -
\??\c:\1bttth.exec:\1bttth.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2536 -
\??\c:\00408.exec:\00408.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1012 -
\??\c:\ffrxfrr.exec:\ffrxfrr.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2792 -
\??\c:\rlflxfl.exec:\rlflxfl.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1280 -
\??\c:\dpdjv.exec:\dpdjv.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1976 -
\??\c:\hhtntt.exec:\hhtntt.exe17⤵
- Executes dropped EXE
PID:1064 -
\??\c:\vpdpj.exec:\vpdpj.exe18⤵
- Executes dropped EXE
PID:2332 -
\??\c:\0068006.exec:\0068006.exe19⤵
- Executes dropped EXE
PID:2100 -
\??\c:\c804002.exec:\c804002.exe20⤵
- Executes dropped EXE
PID:1988 -
\??\c:\jvppv.exec:\jvppv.exe21⤵
- Executes dropped EXE
PID:3064 -
\??\c:\862806.exec:\862806.exe22⤵
- Executes dropped EXE
PID:444 -
\??\c:\0840060.exec:\0840060.exe23⤵
- Executes dropped EXE
PID:1820 -
\??\c:\486246.exec:\486246.exe24⤵
- Executes dropped EXE
PID:292 -
\??\c:\m8246.exec:\m8246.exe25⤵
- Executes dropped EXE
PID:1052 -
\??\c:\5nbhhn.exec:\5nbhhn.exe26⤵
- Executes dropped EXE
PID:1776 -
\??\c:\420688.exec:\420688.exe27⤵
- Executes dropped EXE
PID:1352 -
\??\c:\flfrfrl.exec:\flfrfrl.exe28⤵
- Executes dropped EXE
PID:2500 -
\??\c:\5htbhh.exec:\5htbhh.exe29⤵
- Executes dropped EXE
PID:900 -
\??\c:\486484.exec:\486484.exe30⤵
- Executes dropped EXE
PID:532 -
\??\c:\dvpvd.exec:\dvpvd.exe31⤵
- Executes dropped EXE
PID:968 -
\??\c:\7pjpp.exec:\7pjpp.exe32⤵
- Executes dropped EXE
PID:2044 -
\??\c:\88280.exec:\88280.exe33⤵
- Executes dropped EXE
PID:2620 -
\??\c:\44826.exec:\44826.exe34⤵
- Executes dropped EXE
PID:1788 -
\??\c:\tbbhbn.exec:\tbbhbn.exe35⤵
- Executes dropped EXE
PID:2660 -
\??\c:\826806.exec:\826806.exe36⤵
- Executes dropped EXE
PID:2432 -
\??\c:\vvdjj.exec:\vvdjj.exe37⤵
- Executes dropped EXE
PID:2772 -
\??\c:\680462.exec:\680462.exe38⤵
- Executes dropped EXE
PID:2668 -
\??\c:\886246.exec:\886246.exe39⤵
- Executes dropped EXE
PID:2232 -
\??\c:\fffrflx.exec:\fffrflx.exe40⤵
- Executes dropped EXE
PID:2312 -
\??\c:\828468.exec:\828468.exe41⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2896 -
\??\c:\0002642.exec:\0002642.exe42⤵
- Executes dropped EXE
PID:3028 -
\??\c:\1thntb.exec:\1thntb.exe43⤵
- Executes dropped EXE
PID:2700 -
\??\c:\jdpvv.exec:\jdpvv.exe44⤵
- Executes dropped EXE
PID:2828 -
\??\c:\486688.exec:\486688.exe45⤵
- Executes dropped EXE
PID:3052 -
\??\c:\thbhtt.exec:\thbhtt.exe46⤵
- Executes dropped EXE
PID:2724 -
\??\c:\6088628.exec:\6088628.exe47⤵
- Executes dropped EXE
PID:1524 -
\??\c:\s0840.exec:\s0840.exe48⤵
- Executes dropped EXE
PID:1924 -
\??\c:\a6006.exec:\a6006.exe49⤵
- Executes dropped EXE
PID:1100 -
\??\c:\0044200.exec:\0044200.exe50⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2752 -
\??\c:\66420.exec:\66420.exe51⤵
- Executes dropped EXE
PID:2768 -
\??\c:\fxxlrxf.exec:\fxxlrxf.exe52⤵
- Executes dropped EXE
PID:2792 -
\??\c:\6424008.exec:\6424008.exe53⤵
- Executes dropped EXE
PID:2172 -
\??\c:\ppjdv.exec:\ppjdv.exe54⤵
- Executes dropped EXE
PID:1840 -
\??\c:\4868064.exec:\4868064.exe55⤵
- Executes dropped EXE
PID:2040 -
\??\c:\jjdjp.exec:\jjdjp.exe56⤵
- Executes dropped EXE
PID:2920 -
\??\c:\e00886.exec:\e00886.exe57⤵
- Executes dropped EXE
PID:2904 -
\??\c:\400820.exec:\400820.exe58⤵
- Executes dropped EXE
PID:2100 -
\??\c:\46464.exec:\46464.exe59⤵
- Executes dropped EXE
PID:828 -
\??\c:\jjvjj.exec:\jjvjj.exe60⤵
- Executes dropped EXE
PID:2276 -
\??\c:\5frlrrf.exec:\5frlrrf.exe61⤵
- Executes dropped EXE
PID:1832 -
\??\c:\vpjjv.exec:\vpjjv.exe62⤵
- Executes dropped EXE
PID:2548 -
\??\c:\fxrllrf.exec:\fxrllrf.exe63⤵
- Executes dropped EXE
PID:824 -
\??\c:\vvjpj.exec:\vvjpj.exe64⤵
- Executes dropped EXE
PID:1348 -
\??\c:\208468.exec:\208468.exe65⤵
- Executes dropped EXE
PID:1020 -
\??\c:\bnnnnt.exec:\bnnnnt.exe66⤵PID:2052
-
\??\c:\fxlflfl.exec:\fxlflfl.exe67⤵PID:892
-
\??\c:\pvjpp.exec:\pvjpp.exe68⤵PID:1948
-
\??\c:\vjvdj.exec:\vjvdj.exe69⤵PID:1236
-
\??\c:\080066.exec:\080066.exe70⤵PID:1316
-
\??\c:\64662.exec:\64662.exe71⤵PID:768
-
\??\c:\4804024.exec:\4804024.exe72⤵PID:2180
-
\??\c:\22264.exec:\22264.exe73⤵PID:876
-
\??\c:\1pdvv.exec:\1pdvv.exe74⤵PID:568
-
\??\c:\ntnttb.exec:\ntnttb.exe75⤵PID:2376
-
\??\c:\26662.exec:\26662.exe76⤵PID:2404
-
\??\c:\dpdvd.exec:\dpdvd.exe77⤵PID:1600
-
\??\c:\482800.exec:\482800.exe78⤵PID:620
-
\??\c:\6046284.exec:\6046284.exe79⤵PID:2660
-
\??\c:\jjpjp.exec:\jjpjp.exe80⤵PID:2352
-
\??\c:\626286.exec:\626286.exe81⤵PID:1336
-
\??\c:\7xlrrfr.exec:\7xlrrfr.exe82⤵PID:2668
-
\??\c:\ffrxrxl.exec:\ffrxrxl.exe83⤵PID:2796
-
\??\c:\4202868.exec:\4202868.exe84⤵PID:2412
-
\??\c:\206622.exec:\206622.exe85⤵PID:3000
-
\??\c:\7flfrrf.exec:\7flfrrf.exe86⤵PID:2728
-
\??\c:\hbtbnn.exec:\hbtbnn.exe87⤵PID:2856
-
\??\c:\jdvdj.exec:\jdvdj.exe88⤵PID:2304
-
\??\c:\4260600.exec:\4260600.exe89⤵PID:2264
-
\??\c:\tbbntt.exec:\tbbntt.exe90⤵PID:2528
-
\??\c:\86402.exec:\86402.exe91⤵PID:2544
-
\??\c:\m4846.exec:\m4846.exe92⤵PID:1496
-
\??\c:\8240202.exec:\8240202.exe93⤵PID:1696
-
\??\c:\s4846.exec:\s4846.exe94⤵PID:844
-
\??\c:\xrfrxrf.exec:\xrfrxrf.exe95⤵
- System Location Discovery: System Language Discovery
PID:852 -
\??\c:\tnhhbn.exec:\tnhhbn.exe96⤵PID:2364
-
\??\c:\bhnbth.exec:\bhnbth.exe97⤵PID:348
-
\??\c:\7bnntn.exec:\7bnntn.exe98⤵PID:2780
-
\??\c:\604468.exec:\604468.exe99⤵PID:2948
-
\??\c:\hhtbnn.exec:\hhtbnn.exe100⤵PID:2272
-
\??\c:\4806868.exec:\4806868.exe101⤵PID:1836
-
\??\c:\1bnhnn.exec:\1bnhnn.exe102⤵PID:320
-
\??\c:\nhntbh.exec:\nhntbh.exe103⤵PID:796
-
\??\c:\5bhhhb.exec:\5bhhhb.exe104⤵PID:2324
-
\??\c:\thttbb.exec:\thttbb.exe105⤵PID:2868
-
\??\c:\c428440.exec:\c428440.exe106⤵PID:1472
-
\??\c:\w02448.exec:\w02448.exe107⤵PID:1092
-
\??\c:\ddvvj.exec:\ddvvj.exe108⤵PID:2248
-
\??\c:\pdpvj.exec:\pdpvj.exe109⤵PID:3060
-
\??\c:\bhhbtt.exec:\bhhbtt.exe110⤵PID:2072
-
\??\c:\ppvjj.exec:\ppvjj.exe111⤵PID:1344
-
\??\c:\ppjvj.exec:\ppjvj.exe112⤵PID:1732
-
\??\c:\tthhtt.exec:\tthhtt.exe113⤵PID:336
-
\??\c:\26468.exec:\26468.exe114⤵PID:1540
-
\??\c:\8806460.exec:\8806460.exe115⤵PID:1700
-
\??\c:\4828686.exec:\4828686.exe116⤵PID:1992
-
\??\c:\2006880.exec:\2006880.exe117⤵PID:380
-
\??\c:\nnbnbb.exec:\nnbnbb.exe118⤵PID:1284
-
\??\c:\0028246.exec:\0028246.exe119⤵PID:1272
-
\??\c:\8206824.exec:\8206824.exe120⤵PID:1580
-
\??\c:\jjjdp.exec:\jjjdp.exe121⤵
- System Location Discovery: System Language Discovery
PID:1196 -
\??\c:\1hbhnt.exec:\1hbhnt.exe122⤵PID:1716